
Re: your mail



On Thu, Mar 16, 2000 at 02:19:53PM -0800, Brian Kimball wrote:
> Peter Cordes wrote:
> 
> >  This isn't specific to identd, but I'm wondering why you would bother
> > filtering the port instead of just not running identd?  (I assume you would
> > have/do turn off identd in /etc/inetd.conf as well as doing port
> > filtering.)  I've never really understood why people filter all kinds of
> > ports on their own machine when the ports are closed anyway.
> 
> While inetd + tcp_wrappers is sufficient for something like identd, it
> offers no protection for things that aren't launched from inetd -- a
> category that the vast majority of debian daemons falls under (apache,
> lpd, X, etc).

  What you're saying is that if you want to serve web pages to some IPs, but
not the whole internet, then you have a job for ipchains, which is true.

 OTOH, my point was that if you're not running httpd (at all), then you
don't need packet filtering on port 80.  The kernel handles packets to port
80 by replying with "port's closed, have a nice day" (paraphrased :), so you
don't need to use ipchains to make it do that.  (Unless you really want the
packets to be dropped outright with no reply, which is of limited
usefulness, AFAIK.)

-- 
#define X(x,y) x##y
DUPS Secretary ; http://is2.dal.ca/~dups/
Peter Cordes ;  e-mail: X(peter@cordes.phys. , dal.ca)

"The gods confound the man who first found out how to distinguish the hours!
 Confound him, too, who in this place set up a sundial, to cut and hack
 my day so wretchedly into small pieces!" -- Plautus, 200 BCE
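The distinction drawn above (a per-port filter on a port nothing listens on does no work, because the kernel already answers with a reset; a filter on a port that is listening is what restricts who may reach the daemon) turned into a small audit. This is an added example, not code from the thread; the `ss -ltn` sample and the rule list are constructed, and the rule tuple format is hypothetical rather than ipchains syntax.

```python
"""Audit host firewall rules against the sockets actually listening.

A rule on a TCP port with no listener is redundant: the kernel replies to
SYNs on closed ports with a RST anyway.  A rule on a listening port is the
one doing real work (e.g. allowing httpd only to some source addresses).
"""
import re

# Constructed sample of `ss -ltn` output (column layout assumed).
SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       128     127.0.0.1:631       0.0.0.0:*
LISTEN  0       128     :::80               :::*
"""

# Constructed, hypothetical rule set: (tcp port, action).
RULES = [(80, "REJECT"), (113, "DENY"), (22, "ACCEPT"), (6000, "DENY")]


def listening_ports(ss_text):
    """Return the set of TCP ports in LISTEN state from `ss -ltn` style text."""
    ports = set()
    for line in ss_text.splitlines()[1:]:      # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        # Local Address:Port; works for 0.0.0.0:22, 127.0.0.1:631 and :::80
        m = re.search(r":(\d+)$", fields[3])
        if m:
            ports.add(int(m.group(1)))
    return ports


def classify_rules(rules, listening):
    """Split rules into those guarding a live listener and redundant ones."""
    effective, redundant = [], []
    for port, action in rules:
        (effective if port in listening else redundant).append((port, action))
    return effective, redundant


if __name__ == "__main__":
    live = listening_ports(SS_OUTPUT)
    eff, red = classify_rules(RULES, live)
    print("listening:", sorted(live))
    print("rules that restrict a live service:", eff)
    print("rules on closed ports (kernel already refuses):", red)
```

The check is point-in-time: a rule flagged redundant here becomes relevant the moment someone starts a daemon on that port, which is the usual argument for keeping it.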