On Thu, Nov 15, 2001 at 11:31:15AM +0100, Boris Bierwald wrote:
> I would assume that your DROP default policy causes the delay. At least
> most SMTP and FTP servers will send an ident query back to your host
> if you try to connect to them. If you simply ignore the queries, those
> servers will wait until a timeout occurs. Try to use the --state
> RELATED match, or change your default policy to REJECT if you like to
> have ident queries blocked.
>

A simple alternative is to REJECT just identd. The default policy of drop
annoys scanners more than a reject. Of course this doesn't make portscanning
more difficult, just a little bit slower.
- Einar Karttunen
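The "REJECT just identd" approach from the reply above, written out as an added example (not a rule set from either poster): the default policy stays DROP, but TCP/113 gets an explicit REJECT with a TCP reset, so a mail or FTP server that fires an ident query back at the connecting host gets an immediate answer instead of waiting out its timeout. The chain layout and the loopback/state rules are assumptions added to make the fragment loadable on its own.

```shell
#!/bin/sh
# Added example, not from the thread. Emits a minimal iptables ruleset in
# iptables-restore format: default DROP on INPUT, but ident (TCP/113) is
# answered with a TCP RST so remote SMTP/FTP servers do not block on an
# unanswered ident query. Chain policies and the ESTABLISHED/RELATED and
# loopback rules are assumptions; nothing is applied by this function.
ident_reject_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Let replies to our own outbound connections through (assumed baseline rule)
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Loopback (assumed baseline rule)
-A INPUT -i lo -j ACCEPT
# Ident: reject with a TCP reset rather than the default ICMP port-unreachable,
# which is what a genuinely closed port would return and clears the query at once
-A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset
COMMIT
EOF
}

# Returns 0 if the generated ruleset still rejects ident with a TCP reset
# while keeping INPUT at a DROP default; used as a sanity check before loading.
ident_rules_ok() {
    rules=$(ident_reject_rules)
    printf '%s\n' "$rules" | grep -q '^:INPUT DROP' || return 1
    printf '%s\n' "$rules" | grep -q -- '--dport 113 -j REJECT --reject-with tcp-reset' || return 1
    return 0
}

# To apply on a host (needs root):  ident_reject_rules | iptables-restore
```

The `--reject-with tcp-reset` choice matters for this particular port: the REJECT target's default is an ICMP port-unreachable, whereas a reset is exactly what the remote ident client would see from a host with no identd running, so it gives up immediately. Everything else on the box still silently drops, which keeps the slower-scan property the reply mentions.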

