What to return for AUTH tcp/113 requests?
>>>>> "M" == moseley <moseley@hank.org> writes:
M> I believe it's not good to just drop the auth (ident) requests
M> -- IIRC it makes mail clients delay.
Correct.
M> So the question is how should they be rejected?
M> reject-with icmp-port-unreachable or reject-with tcp-reset
Tcp reset. For two reasons: (1) some idiots ban ICMP outright at
firewalls. (2) common practice (icmp port unreachable for UDP, TCP
reset for tcp)
[...]
M> BTW -- is there a utility to manually send an auth request?
M> That would help with testing the rules.
Telnet or netcat + tcpdump if you wish.
cheers,
BM
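
For testing the rules as discussed above, a small probe written for this page (an added example, not part of the original message) that does what telnet or netcat would do by hand: it connects to tcp/113, sends one RFC 1413 ident query, and reports whether the port answered, refused at once, or silently dropped the SYN. The function name `probe_auth`, the verdict strings and the sample port pair are assumptions of this example.

```python
import socket
import sys
import time

# Constructed sample query in RFC 1413 form: "<port-on-server>, <port-on-client>\r\n"
SAMPLE_QUERY = b"6193, 23\r\n"


def probe_auth(host, port=113, timeout=5.0, query=SAMPLE_QUERY):
    """Connect to host:port and return (verdict, seconds, reply).

    verdict is one of:
      "open"        - something is listening; reply holds its answer, if any
      "refused"     - connect failed at once (the REJECT case)
      "dropped"     - no answer before the timeout (the DROP case that
                      makes mail clients wait)
      "unreachable" - any other network error
    """
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(query)
            try:
                reply = s.recv(512)
            except (socket.timeout, ConnectionResetError):
                reply = b""
            return "open", time.monotonic() - start, reply
    except ConnectionRefusedError:
        # On Linux both a TCP RST and an ICMP port-unreachable surface here as
        # ECONNREFUSED; run tcpdump alongside to see which one the firewall sent.
        return "refused", time.monotonic() - start, b""
    except socket.timeout:
        return "dropped", time.monotonic() - start, b""
    except OSError:
        return "unreachable", time.monotonic() - start, b""


if __name__ == "__main__":
    # Usage: python3 probe_auth.py <your-own-host> [timeout-seconds]
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    wait = float(sys.argv[2]) if len(sys.argv) > 2 else 5.0
    verdict, secs, reply = probe_auth(target, timeout=wait)
    print(f"{target}:113 {verdict} after {secs:.2f}s {reply!r}")
```

A "refused" verdict in a few milliseconds is what a working reject rule looks like from the client side; "dropped" after the full timeout is the delay the thread is trying to avoid.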