Re: [SLUG] Firewalls ident service
> So are there any problems at all with rejecting ident requests? (not just smtp, anything else as well?)

The advantage of dropping an unwanted packet over rejecting it is that the originator has to wait for the delay, i.e. if you drop the packet they don't know if your server is up or down, or if the connection is just slow, or even if there is a device at that address at all, so it slows down their script. If you reject the packet then they know that there is something there and can decide whether to keep trying to break in.

> If rejecting them is what's commonly done, why does pretty much every smtpd still send them?

Because the act of rejecting tells the smtp server something, i.e. that there is a device at that address that is doing the rejecting. If you just drop them, then the smtp server is left wondering: "Gee, I just received a request from ip address w.x.y.z, but when I try to send an ident request to that address I get no reply. I wonder if that is a real server trying to contact me or just a desktop hacker hiding behind a masqueraded connection." So the problem is that the same technique is being used by the hackers to identify that there is a real device there as is being used by the smtp service. But given that your mail server has to listen on port 25 anyway, you're not giving away any information by rejecting idents that the hacker can't get by probing port 25.

HTH
rgds
Pete

-- 
SLUG - Sydney Linux User's Group - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug
Re: [SLUG] Firewalls ident service
> At the moment I just let them fall through until they hit the policy, which is DROP.

Do you sometimes find that your outbound mail queue is rather full? Had a problem a while back with this: the outbound mail queue on a sendmail server hiding behind a firewall nearly overflowed the disk. Changed the firewall to reject ident requests to that server instead of dropping them and the queue shrank immediately.

The explanation seems to be: your smtp server contacts the destination smtp server; the destination server doesn't initially respond to the smtp request but instead sends an ident request to your machine. I believe that the purpose of this is to try to establish that there is an actual machine sitting at the from ip address in the smtp packet and not just a desktop NAT'd from inside an ISP. Because you drop the ident request, the destination smtp server has to wait until the ident times out before deciding if it should respond to your original smtp request. If your server's smtp timeout is shorter than the destination's ident timeout, then guess what? Your server decides that the destination server is down and puts the outbound email into the queue.

If however instead of dropping the ident you reject it, the destination smtp server gets a response immediately and then responds to your original smtp request before your server reaches the tcp/ip timeout. The fact that you didn't actually reply to the ident but just rejected it seems to be enough for the server to go ahead with the smtp.

I just put the following in the iptables (the --dport match needs -p tcp):

    iptables -A INPUT -p tcp --dport 113 -j REJECT

HTH
Pete
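A small diagnostic, added here and not code from the thread, that shows the three outcomes Pete describes from the querying MTA's point of view: probe_ident() opens TCP/113 the way a receiving smtp server does and classifies the result as 'reject' (connection refused, what the REJECT rule produces), 'drop' (silence until the timeout, what a DROP policy produces) or the reply line of an ident daemon. start_fake_ident() and free_port() are constructed local stand-ins so it runs offline; the port numbers written into the query are assumed sample values.

```python
import socket
import threading

def probe_ident(host, port=113, timeout=3.0, their_port=12345, our_port=25):
    """Query host's ident port the way a receiving MTA does (RFC 1413).

    Returns 'reject' when the connection is refused (what iptables REJECT
    gives: the querier learns at once and carries on with SMTP), 'drop'
    when nothing comes back before `timeout` (what a DROP policy gives: the
    querier sits waiting for its own ident timeout), or 'answer:<line>'
    when an ident daemon replied.  `their_port`/`our_port` are sample
    ports written into the query (the queried host's port, then ours).
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            s.sendall(f"{their_port}, {our_port}\r\n".encode("ascii"))
            line = s.recv(512).decode("ascii", "replace").strip()
            return "answer:" + line
    except ConnectionRefusedError:
        return "reject"
    except socket.timeout:
        return "drop"

def start_fake_ident(reply):
    """Constructed local ident daemon for the demo: accepts one
    connection, sends `reply`, returns the port it is listening on."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.recv(64)          # the "their_port, our_port" query
            conn.sendall(reply)
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return port

def free_port():
    """A local port with no listener, so connecting is refused like REJECT."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port

if __name__ == "__main__":
    print(probe_ident("127.0.0.1", free_port()))            # reject
    print(probe_ident("127.0.0.1", start_fake_ident(
        b"12345 , 25 : USERID : UNIX : alice\r\n")))         # answer:...
```

Run against a real host only from outside its firewall; a 'drop' result is exactly the case in which the remote MTA stalls until its own ident timeout expires.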
Re: [SLUG] Firewalls ident service
On Sun, 2002-07-28 at 16:42, Peter Rundle wrote:
> The fact that you didn't actually reply to the ident but just rejected it seems to be enough for the server to go ahead with the smtp.

So are there any problems at all with rejecting ident requests? (not just smtp, anything else as well?) If rejecting them is what's commonly done, why does pretty much every smtpd still send them?

Dave.
Re: [SLUG] Firewalls ident service
I think the reason people don't send reject is that it returns a rejection reply. You're going to increase your bandwidth charges, and some people can relay a DoS at you by faking the originator's address.

----- Original Message -----
From: David Fitch [EMAIL PROTECTED]
To: slug [EMAIL PROTECTED]
Sent: Sunday, July 28, 2002 8:01 PM
Subject: Re: [SLUG] Firewalls ident service

> On Sun, 2002-07-28 at 16:42, Peter Rundle wrote:
> > The fact that you didn't actually reply to the ident but just rejected it seems to be enough for the server to go ahead with the smtp.
>
> So are there any problems at all with rejecting ident requests? (not just smtp, anything else as well?) If rejecting them is what's commonly done, why does pretty much every smtpd still send them?
>
> Dave.
Re: [SLUG] Firewalls ident service
On Sun, 28 Jul 2002, Ben de Luca wrote:
> I think the reason people don't send reject is that it returns a rejection reply. You're going to increase your bandwidth charges, and some people can relay a DoS at you by faking the originator's address.

Why would you get a rejection reply from a site that has originated an ident request and received a rejection? It doesn't make sense. I do agree about the DDoS opportunity though.

-- 
Howard.
LANNet Computing Associates - Your Linux people
Contact detail at http://www.lannetlinux.com
"I tried having cybersex once, but I kept getting a busy signal." - You've Got Mail
Re: [SLUG] Firewalls ident service
I wasn't following the thread too closely, just throwing in my 2c at the last moment. I was referring to packets that match the reject rule getting rejected; I'm not sure how that would affect ident. Does anyone think that ident is a good service to be running across the internet?

----- Original Message -----
From: Howard Lowndes [EMAIL PROTECTED]
To: Ben de Luca [EMAIL PROTECTED]
Cc: slug [EMAIL PROTECTED]
Sent: Monday, July 29, 2002 3:40 AM
Subject: Re: [SLUG] Firewalls ident service

> On Sun, 28 Jul 2002, Ben de Luca wrote:
> > I think the reason people don't send reject is that it returns a rejection reply. You're going to increase your bandwidth charges, and some people can relay a DoS at you by faking the originator's address.
>
> Why would you get a rejection reply from a site that has originated an ident request and received a rejection? It doesn't make sense. I do agree about the DDoS opportunity though.
>
> -- 
> Howard.
Re: [SLUG] Firewalls ident service
On Tue, 2002-06-25 at 20:33, Andy Eager wrote:
> I know this question is open to debate, but is it wise or desirable to offer auth services through a firewall? I gather it is only used when sending mail by the remote smtpd to identify the sender. At the moment I reject incoming packets bound for port 113 with a tcp-reset.

Did you get any answers to this? I too have wondered the same thing, but currently I allow 113.

Dave.
Re: [SLUG] Firewalls ident service
On 28 Jul 2002, David Fitch wrote:
> On Tue, 2002-06-25 at 20:33, Andy Eager wrote:
> > I know this question is open to debate, but is it wise or desirable to offer auth services through a firewall? I gather it is only used when sending mail by the remote smtpd to identify the sender. At the moment I reject incoming packets bound for port 113 with a tcp-reset.
>
> Did you get any answers to this? I too have wondered the same thing, but currently I allow 113.

At the moment I just let them fall through until they hit the policy, which is DROP, logging them just before they reach there. I suppose it would be friendlier if I did send a tcp-reset instead, and also for other TCP packets that end up on the floor. What are other folks' thoughts on a general REJECT policy (I believe that REJECT is not possible as a -P setting) as opposed to a DROP -P policy?

-- 
Howard.
LANNet Computing Associates - Your Linux people
Contact detail at http://www.lannetlinux.com
"He, who will not reason, is a bigot; he, who cannot, is a fool; and he, who dares not, is a slave." - William Drummond, Scottish writer (1585-1649)
[SLUG] Firewalls ident service
Hi all,

I know this question is open to debate, but is it wise or desirable to offer auth services through a firewall? I gather it is only used when sending mail by the remote smtpd to identify the sender. At the moment I reject incoming packets bound for port 113 with a tcp-reset.

On another point, what about incoming traceroutes? Are they really dangerous?

Any thoughts?

Regards,
Andy E.