The FreeBSD Diary

Cause of long connection times (IDENT, deny, reject)
Author: Alexander Leidinger 
Date:   13-06-03 11:23


A "deny" rule results in silently discarding a matching packet; a "reject" rule causes the network stack to generate an answer ("not reachable").

So if any program (be it IRC or sendmail or whatever) tries to connect to the IDENT service of a "deny"-protected host, it has to wait until a timeout occurs.

With a "reject" rule the program usually doesn't have to wait that long, because it gets an answer before the timeout is reached.

Instead of allowing access to IDENT (if you haven't explicitly activated it in inetd.conf, there's nothing running anyway) you could "reject" connections while still getting the same benefit.


Re: Cause of long connection times (IDENT, deny, reject)
Author: Dan Langille 
Date:   14-06-03 18:24

Some people consider the reject rule to be an acknowledgement that yes, the service exists, but no, I'm not going to deal with you. In this regard, from a security point of view, some consider deny better than reject.

Re: Hone your rules (IDENT, deny, reject) or ACCEPT...
Author: Chris Phillips 
Date:   11-07-04 23:30


I would suggest that you investigate the IP address(es) of your favorite IRC servers, then add rules to either REJECT (** or ALLOW) from those IP(s), then another, broader rule to DENY IDENT from any.

That way, you'd be able to connect to your favorite IRC server(s) quickly, while remaining as secure as possible (any nefarious IDENT requests could go to hell).

As a sweet by-product of your diligence, this is also a little friendlier to your chosen IRC servers.

** You may want to ALLOW IDENT as some IRC servers won't allow you to connect without a valid IDENT.


Chris P
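
Added example (not from this thread or from any of the posters): a small Python model of ipfw-style first-match rule evaluation for the IDENT port. The rule syntax is a simplified ipfw-like subset and the addresses are constructed RFC 5737 documentation ranges standing in for real IRC server IPs; the point it shows is why the specific REJECT/ALLOW rule has to come before the broad DENY, and what each outcome means for the connecting client.

```python
"""Toy first-match evaluator for an ipfw-style IDENT ruleset (added example).

Rule syntax (simplified ipfw-like subset, assumed here):
    <action> tcp from <src> to me 113
where <action> is allow | reject | deny and <src> is an IP, a CIDR or 'any'.
"""
import ipaddress

IDENT_PORT = 113

# What the connecting client observes for each firewall action, as the
# thread describes it: deny drops silently (timeout), reject answers at once.
CLIENT_EFFECT = {
    "allow": "connection accepted (identd answers, or closed port -> RST)",
    "reject": "immediate 'unreachable'/RST, client continues without delay",
    "deny": "packet silently dropped, client stalls until its timeout",
}

def parse_rule(line):
    """Parse 'reject tcp from 192.0.2.10 to me 113' into (action, network, port)."""
    action, proto, _from, src, _to, _me, port = line.split()
    if action not in CLIENT_EFFECT or proto != "tcp":
        raise ValueError(f"unsupported rule: {line!r}")
    net = (ipaddress.ip_network("0.0.0.0/0") if src == "any"
           else ipaddress.ip_network(src, strict=False))
    return action, net, int(port)

def evaluate(rules, src_ip, dst_port=IDENT_PORT):
    """Return the action of the first matching rule (ipfw first-match semantics).

    With no matching rule, a deny-by-default ruleset is assumed.
    """
    ip = ipaddress.ip_address(src_ip)
    for action, net, port in (parse_rule(r) for r in rules):
        if ip in net and port == dst_port:
            return action
    return "deny"

# Constructed rulesets; 192.0.2.0/24 is a documentation range standing in for
# the IRC servers. Ordering as Chris P suggests: specific first, broad last.
GOOD_RULES = [
    "reject tcp from 192.0.2.0/24 to me 113",   # IRC servers get a fast answer
    "deny tcp from any to me 113",              # everyone else: silent drop
]
# Same rules, wrong order: the broad deny shadows the reject entirely.
SHADOWED_RULES = list(reversed(GOOD_RULES))

if __name__ == "__main__":
    for name, rules in (("good", GOOD_RULES), ("shadowed", SHADOWED_RULES)):
        for src in ("192.0.2.10", "198.51.100.7"):
            act = evaluate(rules, src)
            print(f"{name:9s} {src:14s} -> {act:6s}: {CLIENT_EFFECT[act]}")
```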
