
Re: ipchains rules: REJECT vs. DENY



hi ya

> >Moral of that story is to make sure that you either run an ident
> >server, or set it to REJECT.
> 
> Well, I wouldn't (and don't) run identd, since I have no intention of 
>  revealing the name of the user running a particular service (in 

if one runs identd...  any incoming email address to "fake@yourdomain.com"
will get returned/bounced back to the sender as no such user...
( you see a log in maillog etc that they tried to send something )

if you don't run identd... you receive and store that email addressed
to fake.... and bounced locally to root/postmaster as non-deliverable
locally ??

have fun linuxing
alvin
http://www.Linux-Sec.net
** 
** http://www.Linux10.org .... Linux 10th Anniversary Picnic ...
**

>  general this will be either your login-name or root), but there are
>  some interesting other options:
> 
> - accept connections to services like ident (or finger or..) but just 
>  return random garbage. One option for this is via inetd:
>  - ident stream tcp nowait nobody /bin/dd dd if=/dev/urandom bs=64 \
>      count=1
> - or, for ident specifically, use fakeidentd (see freshmeat.net, 
>  excellent software).
> 
> Of course, you would want to log such connections via the 
>  kernel-firewall, just so you'll know what's going on.
> 
> cheers,
> &rw
> -- 
> -- Renting airplanes is like renting sex:  It's difficult to arrange
> -- on short notice on Saturday, the fun things always cost more, and
> -- someone's always looking at their watch.      - Paul Tomblin, asr
> ----
> 
> 
> 
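An added example, not part of the original messages and not code from fakeidentd: a small ident responder that answers every RFC 1413 query promptly (so the peer does not wait on a timeout, as it would behind DENY) but never names a local user, and logs each query. The names build_reply, IdentHandler, serve, MAX_QUERY and the test port 1113 are assumptions made for this sketch.

```python
import re
import socketserver

# RFC 1413 request: "<port-on-server> , <port-on-client>" terminated by CRLF.
_QUERY = re.compile(rb"^\s*(\d{1,5})\s*,\s*(\d{1,5})\s*$")
MAX_QUERY = 64  # assumption: cap on request length so a peer cannot send unbounded data


def build_reply(raw: bytes) -> bytes:
    """Build an RFC 1413 ERROR reply; a USERID reply is never produced."""
    line = raw[:MAX_QUERY].split(b"\n", 1)[0].rstrip(b"\r")
    m = _QUERY.match(line)
    if not m:
        # Unparsable request: "0 , 0" as the port pair is a choice made here.
        return b"0 , 0 : ERROR : INVALID-PORT\r\n"
    local, remote = int(m.group(1)), int(m.group(2))
    if not (1 <= local <= 65535 and 1 <= remote <= 65535):
        return b"%d , %d : ERROR : INVALID-PORT\r\n" % (local, remote)
    # HIDDEN-USER: the connection may exist, but the owner is not disclosed.
    return b"%d , %d : ERROR : HIDDEN-USER\r\n" % (local, remote)


class IdentHandler(socketserver.StreamRequestHandler):
    timeout = 10  # seconds; drop peers that connect and then send nothing

    def handle(self):
        try:
            raw = self.rfile.readline(MAX_QUERY)
        except OSError:  # includes socket timeouts
            return
        reply = build_reply(raw)
        # Log who asked and what was asked, so the queries stay visible.
        print("ident query from %s: %r -> %r" % (self.client_address[0], raw, reply))
        self.wfile.write(reply)


def serve(host="127.0.0.1", port=1113):
    # 1113 is a constructed unprivileged test port; the real service is tcp/113.
    with socketserver.ThreadingTCPServer((host, port), IdentHandler) as srv:
        srv.serve_forever()


if __name__ == "__main__":
    serve()
```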


