Chris Santerre wrote:
> Currently I block port 113 (ident) on the firewall. I block everything and
> pick and choose what to let in. Never got around to letting this in :)
> Anyway, I have about 6-7 in.identd processes running all the time from
> failed ident attempts. Nothing big really. System is working great. Logs get
> filled a little much with DENY messages.
DENYing identd is about the worst thing one can DENY. Suppose you want to poll some mail from a POP3 server and this server wants to contact your identd (yes, that does happen). You don't have one or you REJECT the connection? Everything's fine. You DENY the connection? The POP3 server assumes the packet got lost and sends it again, waiting for timeouts until finally it decides to let you poll the mail anyway.

This is just one example of why DENYing connections can be bad. Just send a RST.

Phil
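To make the REJECT-versus-DENY difference concrete, here is an added example (my own code, not from either poster) of a minimal RFC 1413 ident client with a bounded timeout, plus the arithmetic behind the stall a remote server endures when its SYNs are silently dropped instead of answered with a RST. It assumes the Linux default SYN retransmission schedule (tcp_syn_retries=6, 1 s initial RTO); the loopback port used in the demo is constructed so that the connection is refused.

```python
import socket
import time

IDENT_PORT = 113  # RFC 1413 ident/auth service


def ident_lookup(host, server_port, client_port, timeout=5.0, port=IDENT_PORT):
    """Ask host's identd who owns the TCP connection <server_port>,<client_port>.

    Returns (status, elapsed_seconds). status is one of:
      "refused"    - host answered with RST (REJECT, or no identd): fails fast
      "timeout"    - packets silently dropped (DENY/DROP): we waited `timeout`
      "ok:<reply>" - identd answered; reply is the raw RFC 1413 response line
    """
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            # RFC 1413 query: "<port-on-server> , <port-on-client>" CRLF
            s.sendall(f"{server_port} , {client_port}\r\n".encode("ascii"))
            reply = s.recv(512).decode("ascii", "replace").strip()
            return "ok:" + reply, time.monotonic() - start
    except ConnectionRefusedError:
        return "refused", time.monotonic() - start
    except socket.timeout:
        return "timeout", time.monotonic() - start


def syn_retry_wait(retries=6, initial_rto=1.0):
    """Seconds a TCP connect() waits before giving up when every SYN is dropped.

    Models exponential backoff: the first SYN waits initial_rto, each
    retransmission doubles the wait, and the last one also waits a full
    period before connect() fails. Assumption: Linux defaults
    (net.ipv4.tcp_syn_retries=6, 1 s initial RTO) -> 1+2+4+8+16+32+64 = 127 s.
    """
    return sum(initial_rto * 2 ** i for i in range(retries + 1))


def unused_local_port():
    """Pick a loopback TCP port nothing listens on (constructed for the demo)."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    status, elapsed = ident_lookup("127.0.0.1", 110, 40000, port=unused_local_port())
    print(f"REJECT-like (RST received): {status} after {elapsed:.3f}s")
    print(f"DENY-like (SYNs dropped): server stalls ~{syn_retry_wait():.0f}s per lookup")
```

A mail server doing an ident lookup per delivery pays that stall on every connection from a DENYing host, which is why a RST (REJECT) is the friendlier choice when you have no identd.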