On Mon, Jan 11, 2010 at 2:08 PM, Bob Beck <b...@ualberta.ca> wrote:

> > ex:
> > - There are some public ftp servers misconfigured who use the ident
> > protocol and wait 30 seconds on the ident port before sending a banner.
> > With the default connect_timeout value, it is not possible to connect to
> > these servers with a fw filtering the ident port. With a higher value, it
> > will succeed.
>
> A higher value is stupid, because you then end up waiting forever
> for connections to these anyway. Are you gonna sit there for
> 45 seconds before you connect? No, of course not, you're gonna think
> it's screwed.
>

Yes, I prefer waiting here instead of sending any response on the ident port
(silent fw).


> > - It can also be useful to change this value and set it to a lower
> > value in order to drop this kind of server quickly.
> >
>
> Also stupid - because you either set it to like 20 seconds or 10 seconds,
> which is still annoying, or far less and drop legit servers.
>
>
This is not a good example, I agree.


> > That's why I think adding a knob can be useful.
> >
>
> Of course, if such a server were configured to try ident - the right
> answer would be to ensure your firewall drops it. You only have a problem
> with these if you have your firewall dropping such connections silently -
> which is stupid in the first place. If they know you aren't listening the
> ident fails immediately and the connect works.
>

I will not explain the benefit of dropping packets silently. This is
something we will not change, even if it is only for the ident protocol.
The problem deals with public ftp servers, like universities or other
research/company servers, and we can't reconfigure them. If we keep in mind
that our firewall will always drop packets silently, there are not a lot of
solutions.
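As an added illustration that is not part of the thread, the two firewall behaviours being argued about, written as pf.conf rules; `$ext_if` (the firewall's external interface) is an assumption, and the 30-second wait is the one the thread describes.

```pf
# Added example, not from the thread. Assumes $ext_if is the external interface
# and that the FTP server opens its ident (TCP/113) connection back toward us.

# Silent drop: the server's ident lookup gets no answer at all, so it sits
# in its own timeout (the 30 seconds mentioned above) before sending the
# FTP banner. Nothing about the client side can shorten that wait short of
# a longer connect timeout on the proxy.
block drop in quick on $ext_if proto tcp from any to any port 113

# Reject with a TCP RST instead: the server's ident lookup fails at once
# and the banner arrives immediately, which is the position taken in the
# quoted reply. The trade-off is that the firewall now reveals that it is
# there, which this message's author is not willing to accept.
block return in quick on $ext_if proto tcp from any to any port 113
```

Only one of the two rules would be used; they are shown side by side to make the difference in server-side behaviour visible.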
