>> A better solution would be for your firewall to
>> RESET, rather than DROP the connection. This way
>> the remote server tears down its query, rather than
>> waiting for a timeout.
>Okay, that sounds reasonable. However, this should be done for all IP
>addresses, not just the hosts occupying IP addresses, correct? I'd hate
>to see someone use this as a method to map your network...
>
>How is this accomplished with your everyday packet filter?
access-list 101 deny tcp any any eq 113
..but that drops it and doesn't send a RST. There's no reason
it couldn't reject instead of deny, but they don't offer the option.
Bear in mind that this is for Cisco routers, sans any firewall feature
set stuff. I can't speak for other routers, or whether the firewall
feature set adds it.
On FW-1, I have a reject ident rule for any<->any just before
my drop everything rule. For my couple of exceptions
(a few external mail servers) I have an earlier allow rule
for them.
Ryan
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
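Added example, not part of the thread or of any product quoted in it: the same rule ordering (allow the few ident exceptions first, then RST-reject ident for the whole netblock including unused addresses, then drop the rest) written for a Linux router with nftables. The netblock, the two mail-server addresses and the ident_ruleset/check_order functions are constructed assumptions for illustration.

```shell
#!/bin/sh
# Constructed values (not from the thread): the protected netblock and the
# external mail servers that are still allowed to query ident (TCP 113).
NETBLOCK="198.51.100.0/24"
IDENT_EXCEPTIONS="192.0.2.10, 192.0.2.11"

# Emit an nftables ruleset. nft evaluates rules first-match, so the order is
# the point: the accept for the exceptions precedes the reject, and the reject
# covers the entire netblock (occupied or not), so a remote host cannot map
# which addresses are in use by comparing RST against silence.
# Only the ident-relevant rules are shown; other forwarding rules are omitted.
ident_ruleset() {
    cat <<EOF
table inet filter {
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # a few external mail servers may still use ident: allow them first
        ip daddr $NETBLOCK tcp dport 113 ip saddr { $IDENT_EXCEPTIONS } accept
        # everyone else gets a RST for the whole block instead of a silent
        # drop, so the remote MTA abandons its query rather than timing out
        ip daddr $NETBLOCK tcp dport 113 reject with tcp reset
        # anything not matched above falls through to the drop policy
    }
}
EOF
}

# Sanity check: the exception accept must come before the reject, otherwise
# the exceptions never match. Returns 0 when the order is right.
check_order() {
    accept_line=$(ident_ruleset | grep -n 'dport 113 .*accept' | cut -d: -f1)
    reject_line=$(ident_ruleset | grep -n 'reject with tcp reset' | cut -d: -f1)
    [ -n "$accept_line" ] && [ -n "$reject_line" ] && \
        [ "$accept_line" -lt "$reject_line" ]
}

# On a real host (as root): ident_ruleset | nft -f -
```

The iptables equivalent of the reject rule is `-p tcp --dport 113 -j REJECT --reject-with tcp-reset`.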