[1871] in linux-security and linux-alert archive


[linux-security] Re: Services not required?

daemon@ATHENA.MIT.EDU (Keith Owens)
Mon Jun 15 02:53:29 1998

From: Keith Owens <kaos@ocs.com.au>
To: linux-security@redhat.com
In-reply-to: Your message of "Thu, 11 Jun 1998 15:17:12 +0100."
             <Pine.LNX.3.96.980611145912.13628A-100000@limbo.alpha4.com> 
Date: Sun, 14 Jun 1998 23:25:00 +1000
Resent-From: linux-security@redhat.com
Resent-Reply-To: linux-security@redhat.com

On Thu, 11 Jun 1998 15:17:12 +0100 (BST), 
MushyPea <mushypea@dominion.net.uk> wrote:
>When an outside server decides it wants to check my ident daemon, it
>attempts a connection, and the Linux packet filtering code sends back a
>'host administratively unreachable' packet (ICMP type 3, sub-type 10,
>iirc)... Certain OS's don't recognise the packet

And worse, some old OS's incorrectly handle host unreachable or
administratively denied.  Instead of giving up on just the ident
handshake, they give up on *all* connections to your machine.  So you
end up with

 You start to send mail, port SMTP.
 They ident you.
 You reject ident with ICMP.
 They incorrectly hang up all sessions, including SMTP.
 You retry sending mail.
 They ident you ... repeat ad nauseam.

I found it better to allow ident through the firewall and just not run
the ident service.  Immediate TCP RST instead of ICMP seems to work
for everything.

-- 
----------------------------------------------------------------------
Please refer to the information about this list as well as general
information about Linux security at http://www.aoy.com/Linux/Security.
----------------------------------------------------------------------

To unsubscribe:
  mail -s unsubscribe linux-security-request@redhat.com < /dev/null

