On Thu, 16 May 2002, Miky J wrote:
> I'm implementing a firewall and try to make it quite secure ;-) ( of course ! ) and
> plan to use ftp(client) for my private network
> Do you think it's necessary to open port 113 ? What is the most convenient policy
> with or without port 113 ?
I have absolutely no use for ident. Many ftp-, smtp- and irc-servers try to use ident but don't require them - but as you write, DROP'ing them gives a pretty big lag. I find the most convenient action to be:

iptables -A FORWARD -p tcp --dport 113 --syn -j REJECT --reject-with tcp-reset

And possibly the same for INPUT/OUTPUT. This does not allow the connections, but you do not get the long wait.

/Rasmus

-- 
-- [ Rasmus "Møffe" Bøg Hansen ] ---------------------------------------
Just install Windows. It will crash once a day, and your hardware will
no longer be the problem.
----------------------------------[ moffe at amagerkollegiet dot dk ] --
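The DROP-versus-REJECT choice Rasmus describes, as an added example script (not from the thread): it builds the ident rule for each chain in both forms and applies the tcp-reset variant to INPUT, FORWARD and OUTPUT. The `IPT` variable, the function names and the `apply` argument are this example's own conventions, so the rules can be previewed with `IPT=echo` before touching a live firewall.

```shell
#!/bin/sh
# Added example (not from the original mail): fast-fail ident (TCP/113)
# rules for a Linux iptables firewall. The iptables binary is taken from
# $IPT so the rules can be previewed with IPT=echo (no root needed).
IPT="${IPT:-iptables}"

# Weak setting, kept for contrast: silently dropping the SYN leaves the
# remote ftp/smtp/irc server waiting until its ident query times out.
ident_drop_rule() {
    printf '%s\n' "-A $1 -p tcp --dport 113 --syn -j DROP"
}

# Corrected setting: answer the SYN with a TCP RST, so the server's ident
# lookup fails at once and the session proceeds without the long wait.
ident_reject_rule() {
    printf '%s\n' "-A $1 -p tcp --dport 113 --syn -j REJECT --reject-with tcp-reset"
}

# Apply the REJECT rule to the three built-in filter chains. The rules
# are appended, so run this once (or after flushing) to avoid duplicates.
apply_ident_reject() {
    for chain in INPUT FORWARD OUTPUT; do
        rule=$(ident_reject_rule "$chain")
        # shellcheck disable=SC2086  # the rule must be word-split into args
        $IPT $rule
    done
}

# Only touch the firewall when invoked as "./ident-reject.sh apply".
if [ "${1:-}" = "apply" ]; then
    apply_ident_reject
fi
```

Run `IPT=echo ./ident-reject.sh apply` to see the three rules that would be added; `./ident-reject.sh apply` as root installs them.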
