The FreeBSD Diary

The FreeBSD Diary (TM)

Providing practical examples since 1998

If you buy from Amazon USA, please support us by using this link.
[ HOME | TOPICS | INDEX | WEB RESOURCES | BOOKS | CONTRIBUTE | SEARCH | FEEDBACK | FAQ | FORUMS ]

Article Feedback - Firewalls / ipfw - protect your subnet
 New Topic  |  Go to Top  |  Go to Topic  |  Search  |  Log In   Previous Message  |  Next Message 
 Cause of long connection times (IDENT, deny, reject)
Author: Alexander Leidinger 
Date:   13-06-03 11:23

Hi,

a "deny" rule results in silently discarding a matching packed, a "reject" rule causes the network stack to generate an answer ("not reachable").

So if any program (may it be IRC or sendmail or whatever) tries to connect to the IDENT service of a "deny" protected host, it has to wait until a timeout occours.

With a "reject" rule the program usually doesn't has to wait that long, because it gets an answer before the timeout is reached.

Instead of allowing the access to IDENT (if you haven't it explicitely activated in inetd.conf, there's nothing running anyway) you could "reject" connections while still getting the same benefit.

Bye,
Alexander.
 Reply To This Message  |  Forum List  |  Flat View   Newer Topic  |  Older Topic 

 Topics Author  Date
 Cause of long connection times (IDENT, deny, reject)   new
Alexander Leidinger 13-06-03 11:23 
 Re: Cause of long connection times (IDENT, deny, reject)   new
Dan Langille 14-06-03 18:24 
 Re: Hone your rules (IDENT, deny, reject) or ACCEPT...   new
Chris Phillips 11-07-04 23:30 


 Forum List  |  Need a Login? Register Here 
 User Login
 User Name:
 Password:
 Remember my login:
   
 Forgot Your Password?
Enter your email address or user name below and a new password will be sent to the email address associated with your profile.
How to get the most out of the forum

phorum.org


Servers and bandwidth provided by New York Internet, SuperNews, and RootBSD. Valid CSS and RSS.
Copyright © 1997-2012 DVL Software Ltd.
All rights reserved.