 From:  Fred Wright <fw at well dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Possible to reject ident with tcp-reset ?
 Date:  Tue, 30 Dec 2003 17:48:02 -0800 (PST)
On Tue, 30 Dec 2003, Brandon Holland wrote:
> 
> I was looking for this myself.  IMO, it looks like instead of just
> "Block" and "Accept" maybe present "Block" needs to be renamed "Drop"

That's normally referred to as "deny" though admittedly that's more
ambiguous.

> and a new entry should be added, (to hold true to certain unix-world o/s
> apps) named "Reject."

Indeed it would be useful to select this on a per-rule basis as well as
for the default (for those of us who don't subscribe to Steve Gibson's
rantings about "stealth mode" being the ideal).

On Tue, 30 Dec 2003, Chad R. Larson wrote:

> At 02:09 AM 12/30/2003, Mark N. wrote:
> >Is there some way to reject ident requests (with tcp-reset?), so ident
> >requests don't have to time out?
> 
> Sure.  Block port 113 inbound.

It's already blocked by default, but with "deny" rather than "reject".

The workaround is simply to *allow* it through the firewall.  In the
absence of NAT redirection, it then tries to connect to the nonexistent
identd on the m0n0wall, and gets a normal TCP RST.

Silently discarding ident requests is almost always a bad idea, since that
usually adds a delay of about 30 seconds to the time to connect to any
server that uses ident.  Then there are a few servers that actually
require *successful* ident, but that's another story.

					Fred Wright
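The difference Fred describes between "deny" (silent discard) and "reject" (TCP RST) is easy to see from the client side. The following Python script is an added example for this thread, not code from m0n0wall or from anyone on the list: it sends a minimal RFC 1413 ident query and classifies how the attempt ended. A closed or "reject"-ed port produces an immediate RST (`refused`); a silently dropped SYN produces nothing until the client's own timeout expires (`filtered`), which is the roughly 30-second delay mentioned above. The fake identd, the loopback ports and the `6191, 23` query string are constructed for the demonstration; the TEST-NET address used in the `__main__` block is a documentation range that never answers, so it stands in for a dropping firewall (it may instead report `unreachable` on a host with no default route).

```python
"""Client-side view of 'deny' (drop) versus 'reject' (RST) for ident (TCP/113).

Added example for the m0n0wall list thread above; not project code.
"""
import socket
import threading
import time

IDENT_PORT = 113  # RFC 1413 ident, the port discussed in the thread


def probe_ident(host, port, query=b"6191, 23\r\n", timeout=3.0):
    """Attempt an ident query and report how the connection attempt ended.

    Returns (outcome, elapsed_seconds, reply_text). outcome is one of:
      'answered'    connected and received a response line (a real identd)
      'refused'     the SYN was answered with RST (closed port or 'reject' rule)
      'filtered'    nothing came back before `timeout` (a silent 'deny'/'drop' rule)
      'no-reply'    connected, but the peer never answered the query
      'unreachable' the OS reported a routing / ICMP error
    """
    start = time.monotonic()
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused", time.monotonic() - start, ""
    except socket.timeout:  # alias of TimeoutError; must precede OSError
        return "filtered", time.monotonic() - start, ""
    except OSError:
        return "unreachable", time.monotonic() - start, ""

    with sock:
        try:
            sock.sendall(query)
            reply = sock.recv(512)
        except socket.timeout:
            return "no-reply", time.monotonic() - start, ""
    text = reply.decode("ascii", "replace").strip()
    return "answered", time.monotonic() - start, text


def unused_loopback_port():
    """Bind to an ephemeral loopback port, release it, and hand it back.

    Nothing listens there afterwards, so a connect attempt gets an RST,
    exactly what a 'reject' rule would produce (constructed test setup).
    """
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def start_fake_identd(reply_line, host="127.0.0.1"):
    """Start a one-shot fake identd on loopback and return its port.

    Constructed for the demonstration: it reads one query line and sends
    `reply_line` back, standing in for a server that really runs identd.
    """
    srv = socket.socket()
    srv.bind((host, 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.recv(512)          # the "server-port, client-port" query
            conn.sendall(reply_line)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    # 'reject' behaviour: closed port on loopback -> immediate RST.
    print("closed port:", probe_ident("127.0.0.1", unused_loopback_port()))
    # a host that answers ident: fake server replying NO-USER.
    p = start_fake_identd(b"6191, 23 : ERROR : NO-USER\r\n")
    print("fake identd:", probe_ident("127.0.0.1", p))
    # 'deny' behaviour: 192.0.2.1 (RFC 5737 TEST-NET-1) never answers, so the
    # client waits for its own timeout, just like the ident delay in the thread.
    print("dropped SYN:", probe_ident("192.0.2.1", IDENT_PORT, timeout=3.0))
```

Running it shows the practical point of the thread: the `refused` case returns in well under a millisecond, while the `filtered` case only returns when the client gives up. On the firewall side, ipfilter (the packet filter m0n0wall is built on) expresses the RST variant as `block return-rst` rather than a plain `block`; whether a given m0n0wall release exposes that per rule is not something this thread settles.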