 From:  Dave Warren <maillist at devilsplayground dot net>
 To:  Chris Buechler <cbuechler at gmail dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] port triggering
 Date:  Thu, 04 Aug 2005 20:02:23 -0600
Chris Buechler wrote:

>On 8/4/05, Dave Warren <maillist at devilsplayground dot net> wrote:
>
>>Chris Buechler wrote:
>>
>>>yeah, I don't see something of that nature getting added to m0n0wall.
>>>
>>>What the last poster suggested, when something hits a certain port,
>>>open up something based on some rules you've predefined, is more sane.
>>>I don't see that happening either though because of the way it'd have
>>>to be hacked in to work.  Basically it'd be an ugly mess, for
>>>something that practically nobody wants or needs.
>>
>>The big advantage of port triggering is that it can work for things like
>>IRC which require IDENTD and other services that need to be dynamically
>>assigned.
>>
>>As you say though, the implementation...
>
>I don't use a lot of IRC networks, but the ones I do use don't require
>ident anymore.  They all try it first though.  To avoid the delay when
>connecting, I put a reject rule on my WAN for TCP 113 so it
>immediately connects.
>
Many of the major networks absolutely require IDENTD these days because 
if a random PC gets compromised, the virus can't open 113 in the 
firewall so the virus can't connect to the IRC server.

Smaller networks are better, but some still want 113.

There are a few other cases where port triggering is really helpful, but 
it's a pretty minor percentage of overall users I think.

-- 
To the book depository!
 -- Homer