Lowell Gilbert <freebsd-questions-lo...@be-well.ilk.org> wrote:
> Matthew Seaman <m.sea...@infracaninophile.co.uk> writes:
> > Ident queries like this will cause a delay if the other side
> > doesn't respond to the ident query ...
> I consider it polite for firewalls to actively refuse to open
> the connection (TCP reset) rather than just dropping the request,
> though. There's really no downside to doing so.
Other than giving port-scanners an affirmative indication that there is a device of some sort at the IP address involved. Some firewalls even drop pings for exactly this reason.

If the request comes from an address to which I've recently* initiated a connection -- so he already knows that my address is currently alive -- I ought to either respond per protocol or reset. If it comes from who-knows-where, it may be safer to drop it.

The ident protocol is useful for the purpose for which it was designed: to pass "whom to blame" info between servers which have reason to trust one another's identity (based on, e.g., stable IP addresses) and administration. Granted, the circumstances in which these conditions are met are a lot less prevalent than they once were.

* for some reasonable definition of recently

freebsd-questions@freebsd.org mailing list, http://lists.freebsd.org/mailman/listinfo/freebsd-questions
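The two policies contrasted above (reset for everyone versus reset only for peers we already talk to, drop for the rest), written out as a pf.conf fragment. This is an added example, not from the thread or from any of its posters; the interface name and addresses are constructed, and since pf has no built-in way to learn which hosts we "recently" connected to, a hand-maintained table stands in for that set.

```pf
# Added example, not from the original thread. Interface and addresses
# are constructed placeholders.
ext_if = "em0"

# Servers we have reason to trust and regularly connect to. This stands
# in for "addresses I recently initiated a connection to"; pf does not
# track that automatically, so the table is maintained by hand or by a
# script (e.g. pfctl -t ident_peers -T add ...).
table <ident_peers> persist { 192.0.2.10, 198.51.100.0/24 }

# Blanket policy from the quoted message: answer every ident (TCP 113)
# query with a RST. Polite to the remote server, but confirms to any
# scanner that a host is here.
# block return-rst in on $ext_if proto tcp from any to ($ext_if) port 113

# Policy from the reply, default case: silently drop ident from anywhere.
# The scanner learns nothing; the cost is a timeout on the querying side.
block drop in on $ext_if proto tcp from any to ($ext_if) port 113

# Policy from the reply, known-peer case: send an immediate RST so their
# server does not stall waiting for an answer. pf applies the last
# matching rule, so this overrides the drop above for table members only.
block return-rst in on $ext_if proto tcp from <ident_peers> to ($ext_if) port 113
```

Check the loaded ruleset with `pfctl -sr` and the table contents with `pfctl -t ident_peers -T show`; a peer whose query is dropped rather than reset is usually one that is missing from the table.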