"Paul D. Robertson" <[EMAIL PROTECTED]> wrote:
> On Fri, 9 Jun 2000, Brian J. Murrell wrote:
>
> I'm not aware of any exclusive TCP implementations, but if you read the
> RFCs, large answer sets are always sent via TCP.
Indeed. I plan to allow TCP responses to my clients' queries back in
and we should not have any datasets that would require a TCP response,
hence my thoughts at just disabling it. The only traffic I have seen
using it so far is network probing (SYNs followed by RSTs).
> AOL used to hand out large answer sets (for MX's I think),
Indeed, the reason why I would allow TCP responses back.
> not sure who
> else specifically, why not log for a while at your border and see?
I have. Like I said, all I got was network probes.

  remote:1025 -> my_DNS:53 SYN
  my_DNS:53 -> remote:1025 SYN ACK
  remote:1025 -> my_DNS:53 RST

I am not a fan of being obscure to network mapping, but I also don't
allow traffic that I can't explicitly decide on a reason to allow.
Thanx for the input Paul.
b.
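
The border-logging check discussed in this thread, as an added example that is not part of the original message: it groups logged packets to TCP port 53 into connections and separates abandoned handshakes (SYN, SYN ACK, RST) from completed DNS-over-TCP sessions. The log line shape follows the trace quoted above; the addresses, the `classify_tcp53` function and the label names are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample border log, in the same "src:port -> dst:port FLAGS" shape
# as the trace in the message. Addresses are from documentation ranges.
SAMPLE_LOG = """\
198.51.100.7:1025 -> 192.0.2.53:53 SYN
192.0.2.53:53 -> 198.51.100.7:1025 SYN ACK
198.51.100.7:1025 -> 192.0.2.53:53 RST
203.0.113.9:40112 -> 192.0.2.53:53 SYN
192.0.2.53:53 -> 203.0.113.9:40112 SYN ACK
203.0.113.9:40112 -> 192.0.2.53:53 ACK
203.0.113.9:40112 -> 192.0.2.53:53 PSH ACK
192.0.2.53:53 -> 203.0.113.9:40112 PSH ACK
203.0.113.9:40112 -> 192.0.2.53:53 FIN ACK
198.51.100.7:1026 -> 192.0.2.53:53 SYN
"""

LINE = re.compile(r"^(\S+):(\d+) -> (\S+):(\d+) ([A-Z ]+)$")

def classify_tcp53(log_text, dns_port=53):
    """Group packets into connections to the DNS port and label each one."""
    flows = defaultdict(list)  # (client, client_port, server) -> [(from_client, flags)]
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip lines that are not in the expected shape
        src, sport, dst, dport, flags = m.groups()
        flags = frozenset(flags.split())
        if int(dport) == dns_port:
            flows[(src, int(sport), dst)].append((True, flags))
        elif int(sport) == dns_port:
            flows[(dst, int(dport), src)].append((False, flags))
    result = {}
    for key, pkts in flows.items():
        client_flags = [f for from_client, f in pkts if from_client]
        synack = any(not c and f == {"SYN", "ACK"} for c, f in pkts)
        acked = any("ACK" in f and "RST" not in f for f in client_flags)
        reset = any("RST" in f for f in client_flags)
        if synack and reset and not acked:
            result[key] = "probe"        # handshake abandoned after SYN ACK
        elif synack and acked:
            result[key] = "session"      # handshake completed, real TCP DNS
        else:
            result[key] = "incomplete"   # not enough packets seen to decide
    return result
```

Run over a few weeks of border logs, the count of "session" flows against "probe" flows indicates whether any client actually depends on inbound TCP to the DNS server.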