On Tue, Jan 12, 2010 at 09:38:32AM +0100, Tiery DENYS wrote:
| On Mon, Jan 11, 2010 at 2:08 PM, Bob Beck <b...@ualberta.ca> wrote:
| Yes I prefer waiting here instead of sending any response on ident port.
| (silent fw)
|
| How can you claim 'silent fw' if it was the source of an ftp connection ?
|
| I will not explain the benefit of dropping packets silently. This is
| something we will not change, even if it is only for ident protocol.
| The problem deals with public ftp servers, like university or other
| research/company and we can't reconfigure them. If we keep in mind that our
| firewall will always drop packets silently, there are not a lot of
| solutions.

Sure, don't change your firewall, but do realize that your argument is
flawed. There is traffic originating from the address, so it must be
alive. Simply sending a RST for attempted connections to the ident port
does not tell anyone anything new.

What does block drop gain you over block reject in this case ? (not a
question to debate on the list, just something to think about)

Cheers,

Paul 'WEiRD' de Weerd

-- 
>++++++++[<++++++++++>-]<+++++++.>+++[<------>-]<.>+++[<+
+++++++++++>-]<.>++[<------------>-]<+.--------------.[-]
http://www.weirdnet.nl/
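The rule Paul is hinting at, as an added pf.conf example that is not part of the mail thread (what the mail calls "block reject" is spelled `block return` in pf.conf). It keeps the poster's silent-drop default and carves out only ident/auth (TCP port 113), so an FTP server that probes ident gets a RST at once instead of waiting out its timeout. The interface name `em0` and the rule set around it are assumptions; the real rule set is not on the page.

```pf
# Constructed pf.conf fragment (added example, not from the original mail).
# "em0" is an assumed external interface; adapt it to the real one.
ext_if = "em0"

# Default policy: drop silently, as the original poster wants.
block drop in on $ext_if

# Exception: answer ident/auth probes (TCP/113, "auth" in /etc/services)
# with a TCP RST. The FTP server doing the lookup gives up immediately
# instead of hanging until its ident timeout expires. Nothing new is
# revealed: the address already originated the FTP connection, so the
# remote side knows it is alive.
block return in on $ext_if proto tcp from any to ($ext_if) port auth

# Outbound traffic, including the FTP sessions that trigger the lookup.
pass out on $ext_if keep state
```

pf evaluates rules last-match-wins unless `quick` is used, so the more specific `block return` rule placed after the catch-all `block drop` is the one that applies to port 113; keep that order (or add `quick` to the ident rule) when merging it into a larger rule set. To check the behaviour from an outside host, `nc -vz <firewall-address> 113` should now fail immediately with "Connection refused" rather than sit until it times out, and `tcpdump -ni em0 tcp port 113` on the firewall should show the RST going back out.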