Gustav Schaffter wrote:
> I have later learnt that it might be smarter to REJECT calls to auth
> than DENY'ing them. Should reduce number of retries and thereby shorten
> any timeouts.
Not really. As I was beginning to see earlier, when I wrote to the list
regarding firewalls, REJECT is identical to DENY, except for the
friendly icmp message which DOES NOTHING!!
It does not send a TCP RST, the way I expected it to. I've considered
patching the kernel to do so, but I thought I'd ask the ipchains guys
why they send ICMP messages rather than protocol-appropriate messages.
I never got around to it. Maybe I'll just patch the kernel first, and
ask questions later :)
> One advantage with running auth from tcp wrappers is of course that it's
> somewhat protected(?). I mean, the standard setup for port sentry is to
> add any port scanning IPs to the tcp wrappers hosts.deny file.
But, the most useful behavior is to use ipchains to deny that IP access
to your own. Not everything uses tcp_wrappers. in.identd doesn't,
AFAIK :)
--
To unsubscribe: mail [EMAIL PROTECTED] with "unsubscribe"
as the Subject.
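The practical question in this exchange is what a remote ident client sees when it connects to port 113 on a host whose firewall DENYs (silently drops) versus REJECTs the packet. The following probe, an added example that is not from the list thread, classifies the answer from the connecting side: "open" if the handshake completes, "refused" if connect() fails at once with ECONNREFUSED (which a Linux client in SYN_SENT reports both for a TCP RST and for an ICMP port-unreachable), and "filtered" if nothing comes back before the timeout, which is the DENY case that keeps sendmail, IRC servers and other ident users waiting. The host names, ports and the local demo helper are illustrative assumptions; only the loopback demo runs offline.

```python
import errno
import socket
import sys
import time


def probe_port(host, port=113, timeout=5.0):
    """Attempt a TCP connect and classify how the far end answered.

    Returns (verdict, elapsed_seconds). verdict is one of:
      "open"     - three-way handshake completed, something is listening
      "refused"  - ECONNREFUSED: the kernel got a TCP RST, or (on Linux,
                   while in SYN_SENT) an ICMP port-unreachable; REJECT case
      "filtered" - no answer before the timeout; DENY/DROP case
      "error"    - any other failure (no route, DNS, ...)
    """
    start = time.monotonic()
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        verdict = "open"
    except socket.timeout:
        verdict = "filtered"
    except OSError as e:
        verdict = "refused" if e.errno == errno.ECONNREFUSED else "error"
    finally:
        s.close()
    return verdict, time.monotonic() - start


def demo_local():
    """Offline demonstration (assumption: loopback is reachable): probe a
    port while a listener is bound to it, then the same port after the
    listener is gone, which makes the local kernel answer with a RST."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # let the kernel pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    open_verdict, _ = probe_port("127.0.0.1", port, timeout=2.0)
    listener.close()
    refused_verdict, _ = probe_port("127.0.0.1", port, timeout=2.0)
    return open_verdict, refused_verdict


if __name__ == "__main__":
    # With a host argument, probe its auth port for real; otherwise show
    # the two cases that can be produced on loopback.
    if len(sys.argv) > 1:
        verdict, elapsed = probe_port(sys.argv[1], 113)
        print("%s:113 -> %s after %.2fs" % (sys.argv[1], verdict, elapsed))
    else:
        print("loopback demo (open, then refused):", demo_local())
```

Run it against the firewalled host from a machine on the outside; a "filtered" verdict that only arrives when the timeout expires is exactly the delay the quoted post wants to avoid, and a "refused" verdict after a few milliseconds is what a REJECT rule (or a listening in.identd that answers with an error) produces.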