> ex:
> - There are some misconfigured public ftp servers which use the ident protocol
> and wait 30 seconds on the ident port before sending the banner.
> With the default connect_timeout value, it is not possible to connect to
> these servers with a fw filtering the ident port. With a higher value, it will
> succeed.
A higher value is stupid, because you then end up waiting forever for connections to these anyway. Are you going to sit there for 45 seconds before you connect? No, of course not, you're going to think it's screwed.

> - It can also be useful to change this value and set it to a lower value
> in order to drop these kinds of servers quickly.

Also stupid, because you either set it to like 20 seconds or 10 seconds, which is still annoying, or far less and drop legit servers.

> That's why I think adding a knob can be useful.

Of course, if such a server were configured to try ident, the right answer would be to ensure your firewall drops it. You only have a problem with these if you have your firewall dropping such connections silently, which is stupid in the first place. If they know you aren't listening, the ident fails immediately and the connect works.
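The two behaviours argued about above can be reproduced locally. The following is an added example, not code from the thread or from the project whose connect_timeout is being discussed: a constructed stand-in server accepts the TCP connection at once but holds the 220 banner back for a configurable delay (the way an FTP server does while its ident lookup sits against a firewall that silently drops port 113), and a client that separates the TCP connect timeout from the banner wait timeout. A second helper times a connect to a port nothing listens on, which is the "they know you aren't listening" case: the kernel answers with RST and the failure is immediate. The class and function names, the 127.0.0.1 addresses and the delay values are all assumptions of this example.

```python
import socket
import threading
import time


class DelayedBannerServer(threading.Thread):
    """Constructed stand-in for a misconfigured FTP server: accepts the TCP
    connection immediately, then sleeps `banner_delay` seconds (modelling an
    ident lookup that hangs until it times out) before sending its banner."""

    def __init__(self, banner_delay, banner=b"220 ftp ready\r\n"):
        super().__init__(daemon=True)
        self.banner_delay = banner_delay
        self.banner = banner
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind(("127.0.0.1", 0))  # assumed: loopback, ephemeral port
        self.sock.listen(1)
        self.port = self.sock.getsockname()[1]

    def run(self):
        conn, _ = self.sock.accept()
        with conn:
            time.sleep(self.banner_delay)
            try:
                conn.sendall(self.banner)
            except OSError:
                pass  # client already gave up and closed
        self.sock.close()


def fetch_banner(host, port, connect_timeout, banner_timeout):
    """Connect, then wait for the greeting.

    Returns ("ok", banner) or ("timeout", stage), where stage names the
    timeout that fired. The split is the point of the thread: the TCP
    connect to such a server completes in milliseconds, the silence comes
    afterwards, so a single connect_timeout knob has to cover both."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.settimeout(connect_timeout)
        try:
            s.connect((host, port))
        except socket.timeout:
            return ("timeout", "connect")
        s.settimeout(banner_timeout)
        try:
            data = s.recv(1024)
        except socket.timeout:
            return ("timeout", "banner")
        return ("ok", data)
    finally:
        s.close()


def run_scenario(banner_delay, connect_timeout, banner_timeout):
    """Start one delayed server and run one client against it."""
    srv = DelayedBannerServer(banner_delay)
    srv.start()
    started = time.monotonic()
    result = fetch_banner("127.0.0.1", srv.port, connect_timeout, banner_timeout)
    elapsed = time.monotonic() - started
    srv.join(timeout=banner_delay + 2)
    return result, elapsed


def closed_port_connect_time(host="127.0.0.1"):
    """Time a connect to a port with no listener: the peer answers RST, so
    the failure is immediate rather than a timeout. Returns the elapsed
    seconds, or None if the connect unexpectedly succeeded."""
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind((host, 0))
    port = probe.getsockname()[1]
    probe.close()  # never listened, so the port is free again at once
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(5)
    started = time.monotonic()
    try:
        s.connect((host, port))
        return None
    except ConnectionRefusedError:
        return time.monotonic() - started
    finally:
        s.close()


if __name__ == "__main__":
    # Server stalls 1.5 s, client allows 0.5 s for the banner: connect is fine, banner times out.
    print(run_scenario(banner_delay=1.5, connect_timeout=0.5, banner_timeout=0.5))
    # Same server with a short stall and a patient client: banner arrives.
    print(run_scenario(banner_delay=0.2, connect_timeout=0.5, banner_timeout=2.0))
    print("refused connect took %.4f s" % closed_port_connect_time())
```

Run it and compare the two scenario lines: the first fails in the banner stage, not at connect, which is why raising or lowering a single connect timeout is the blunt instrument the reply objects to. The refused-port timing comes back in well under a second, which is the behaviour you get when the firewall in front of the client rejects port 113 instead of dropping it.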