AFA IDENT goes, FTP needs to reject it as well, for the same reasons.

On Tue, 2002-01-08 at 18:40, Bourque Daniel wrote:
>
> Normally, you want your FW to be as invisible as possible (black hole) so
> you just drop all incoming packets that are not specifically allowed in by a
> rule. What you can't see can only be attacked by guessing. Rejecting gives
> back information to the bad guy...
>
> In the case of an SMTP mail server, it's better to reject incoming IDENT
> requests; otherwise, you will have timeout problems with the SMTP delivery of
> your mail going out to some servers.
>
> -----Original Message-----
> From: irado furioso com tudo [mailto:[EMAIL PROTECTED]]
> Date: 8 January 2002 04:31
> Cc: [EMAIL PROTECTED]
> Subject: Re: NAT, Internet access and security
>
>
> I had heard that it is better to have a 'reject' rule instead of a
> 'deny' one, as reject will give back an immediate reply to the
> interrogator, while just rejecting the query can give you a multitude of
> 'retry', which can eat your bandwidth with lots and lots of retries. If
> possible, can somebody point me to where I can get correct information on
> this (white papers, hints, tips, anything..)
>
> Nick wrote:
>
> > I was under the impression that the "stealth rule" was to have anything
> > going directly to your Firewall dropped, therefore making your FW's
> > address a "black hole". It never answers anything, except what you
> > specifically allow for management purposes.
> >
>
> --
> regards,
> irado furioso com tudo.
> Linux User (SuSE) 179.402
> explaining Father Marcelo ('the nuisance', the pope's boy, the pope's star):
> old sh$&^ in new clothes.

--
Nick
Network Security Consultant
CISSP, CCSI, MCSE, CCNA
Lucent Technologies/NPS
Raleigh, NC
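The policy the thread converges on (drop unsolicited traffic by default so the firewall stays a black hole, but answer IDENT probes on TCP/113 with a reset so that remote SMTP and FTP servers do not sit through an ident timeout before serving you) can be expressed as a short iptables script. The following is an added example written for this page, not code posted by any participant in the thread; the interface name `eth0` and the dry-run `IPT` variable are assumptions, and the script only prints the commands unless `IPT=iptables` is set by root.

```shell
#!/bin/sh
# Added example: default-DROP firewall with an explicit REJECT for IDENT.
# Dry run by default -- the rules are printed, not applied. Run with
# IPT=iptables (as root) to load them for real.
IPT="${IPT:-echo iptables}"
WAN_IF="${WAN_IF:-eth0}"   # assumed external interface name

ident_policy_rules() {
    # Black-hole default: anything not explicitly allowed is silently dropped,
    # so a scanner learns nothing from the absence of a reply.
    $IPT -P INPUT DROP
    # Let replies to connections the host itself opened come back in.
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # IDENT (auth, TCP/113) is the one exception: answer with a TCP RST so the
    # remote mail or FTP server's ident lookup fails at once instead of waiting
    # out its timeout before it accepts our connection.
    $IPT -A INPUT -i "$WAN_IF" -p tcp --dport 113 -j REJECT --reject-with tcp-reset
    # Everything else falls through to the DROP policy above.
}

# Sanity check a practitioner would run before loading the rules: the ident
# rule must be a REJECT with tcp-reset, not a plain DROP.
ident_rule_is_reject() {
    ident_policy_rules | grep -q 'dport 113 .*-j REJECT --reject-with tcp-reset'
}

ident_policy_rules
```

Note that the reset is sent only for port 113; every other unsolicited packet still hits the DROP policy, so the host stays silent to probes on other ports while outbound mail delivery is no longer delayed by ident.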