On Fri, Aug 25, 2000 at 04:00:42PM +0200,
Fat Toolz <[EMAIL PROTECTED]> wrote:
> Hi qmail,
>
> I just opened the firewall on port 113, the logon is quite a bit faster and I'm quite
> lucky to miss this dumb Outlook Express screen "Your Server has not responded for 60
> seconds...." :-) . I want to enable POP3 from outside the firewall to the
> qmail-Server but I do not think it's wise to open port 113 from *outer space* to the
> qmail-Server through the firewall (remember that the port is also opened from the
> internal network). If 113 is used by qmail for authorization, probably I'll have to
> open it.
Port 113 is serviced by ident servers. tcpserver can make connections to
ident servers (at the site attempting to connect to tcpserver) if you set
things up that way.

If you don't want to run your own ident server (often a good idea), the best
way to do this is to just not run a service on port 113. If you are really
paranoid you can let SYN packets through, but block everything else to
that port. You don't want to use the DENY or REJECT destinations in ipchains
(which is the usual firewall tool with Linux 2.2.x) because that can result
in delays.

DENY ignores packets, which will almost always result in a delay connecting.
REJECT sends host port unreachable, which will sometimes cause delays. Not
all hosts give up right away upon getting that response. Letting the connection
attempt occur to an unserviced port will result in a TCP RST reply which
tells the remote host that ident is definitely not available, and there will
be no significant delay, though some servers might refuse to allow access
if there is no ident server running. I have heard of IRC servers that work
this way. If you need access to such a service there are ident replacements
that return a fixed response that should satisfy these broken servers.
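As an added illustration, not part of the original message nor of qmail or tcpserver, the Python below shows the two behaviours described in the reply: a connect to a port with no daemon fails at once with a TCP RST instead of hanging, and a fixed-response ident stand-in of the kind mentioned at the end answers an RFC 1413 query. The class and function names and the fixed user name "nobody" are assumptions made for the example.

```python
import socket
import socketserver
import threading
import time

def fixed_ident_reply(query, userid="nobody"):
    """RFC 1413 reply a fixed-response ident stand-in gives for the query
    '<server-port>, <client-port>': echo the port pair, name a fixed user."""
    sport, cport = (int(x) for x in query.split(","))
    return f"{sport}, {cport} : USERID : UNIX : {userid}\r\n"

class FixedIdentHandler(socketserver.StreamRequestHandler):
    """One-shot handler: read the query line, send the fixed reply, close."""
    def handle(self):
        line = self.rfile.readline(512).decode("ascii", "replace").strip()
        if line:
            self.wfile.write(fixed_ident_reply(line).encode("ascii"))

def start_fixed_ident(port=0):
    """Run the stand-in on 127.0.0.1 (port 0 = ephemeral); return (server, port)."""
    srv = socketserver.TCPServer(("127.0.0.1", port), FixedIdentHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]

def probe_ident(host, port=113, timeout=2.0):
    """Query ident (TCP 113) as a mail server does; return (outcome, reply, seconds).
    refused  -> connect failed at once: TCP RST from a port with no daemon,
                or ICMP port unreachable as ipchains REJECT sends
    timeout  -> nothing came back before `timeout`: packets dropped (DENY)
    answered -> an ident server (or the stand-in above) replied
    error    -> any other socket error (e.g. host unreachable)"""
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(b"25, 40000\r\n")  # constructed query: SMTP port pair
            reply = s.recv(512).decode("ascii", "replace").strip()
            return "answered", reply, time.monotonic() - start
    except ConnectionRefusedError:
        return "refused", None, time.monotonic() - start
    except socket.timeout:
        return "timeout", None, time.monotonic() - start
    except OSError as exc:
        return "error", str(exc), time.monotonic() - start

def closed_local_port():
    """Pick a loopback TCP port with no listener, so a connect draws a RST."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]
```

Probing a real firewalled host with `probe_ident` shows which of the three delay behaviours the reply describes you are getting, without needing a mail client to time out first.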