Sendmail Five Second Greeting Delay

perryh at pluto.rain.com perryh at pluto.rain.com
Sat Apr 3 08:11:18 UTC 2010


Lowell Gilbert <freebsd-questions-local at be-well.ilk.org> wrote:
> Matthew Seaman <m.seaman at infracaninophile.co.uk> writes:
> > Ident queries like this will cause a delay if the other side
> > doesn't respond to the ident query ...
> I consider it polite for firewalls to actively refuse to open
> the connection (TCP reset) rather than just dropping the request,
> though.  There's really no downside to doing so.

Other than giving port-scanners an affirmative indication that
there is a device of some sort at the IP address involved.
Some firewalls even drop pings for exactly this reason.

If the request comes from an address to which I've recently*
initiated a connection -- so he already knows that my address
is currently alive -- I ought to either respond per protocol
or reset.  If it comes from who-knows-where, it may be safer
to drop it.

The ident protocol is useful for the purpose for which it was
designed:  to pass "whom to blame" info between servers which have
reason to trust one another's identity (based on, e.g., stable IP
addresses) and administration.  Granted the circumstances in which
these conditions are met are a lot less prevalent than they once
were.

* for some reasonable definition of recently
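An added example, not part of the thread: a small Python ident client that sends an RFC 1413 query the way a receiving MTA's lookup does and reports whether the far end answered, refused the connection (TCP reset, immediate fallback), or silently dropped it (the MTA waits out its timer, which is the greeting delay discussed above). The port numbers and the loopback stand-in for a resetting host are constructed; it assumes only the standard library.

```python
import errno
import socket
import time

IDENT_PORT = 113  # RFC 1413 ident/auth service


def ident_request(server_port, client_port):
    """RFC 1413 query: '<port-on-server> , <port-on-client>' followed by CRLF."""
    return f"{server_port} , {client_port}\r\n".encode("ascii")


def parse_ident_reply(line):
    """Parse one RFC 1413 reply line into a dict; raises ValueError if malformed."""
    fields = [f.strip() for f in line.rstrip("\r\n").split(":", 3)]
    if len(fields) == 4 and fields[1] == "USERID":
        return {"ports": fields[0], "type": "USERID", "os": fields[2], "user": fields[3]}
    if len(fields) == 3 and fields[1] == "ERROR":
        return {"ports": fields[0], "type": "ERROR", "reason": fields[2]}
    raise ValueError("malformed ident reply: %r" % line)


def probe_ident(host, server_port, client_port, timeout=5.0, ident_port=IDENT_PORT):
    """Send an ident query and report how it ended: (status, reply, seconds).

    status: 'reply' (answered), 'refused' (TCP RST: fast fallback),
    'timeout' (silently dropped: the full timer elapses) or
    'unreachable' (ICMP error from a rejecting firewall: also fast).
    """
    start = time.monotonic()
    try:
        with socket.create_connection((host, ident_port), timeout=timeout) as sock:
            sock.sendall(ident_request(server_port, client_port))
            raw = sock.recv(1024).decode("ascii", "replace")
            return "reply", parse_ident_reply(raw), time.monotonic() - start
    except ConnectionRefusedError:
        return "refused", None, time.monotonic() - start
    except socket.timeout:
        return "timeout", None, time.monotonic() - start
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable", None, time.monotonic() - start
        raise


def unused_local_port():
    """Loopback port with no listener: a constructed stand-in for a host that resets."""
    with socket.socket() as sock:
        sock.bind(("127.0.0.1", 0))
        return sock.getsockname()[1]


if __name__ == "__main__":
    # Constructed run against loopback: expect ('refused', None, <well under 5 s>)
    print(probe_ident("127.0.0.1", 25, 40000, ident_port=unused_local_port()))
```

Run the same probe against a host whose firewall drops port 113 and the status changes to 'timeout' with the full timer elapsed, which is exactly the delay the sender's MTA inflicts on the SMTP greeting.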


More information about the freebsd-questions mailing list