On Tue, Jan 12, 2010 at 10:01 AM, Paul de Weerd <we...@weirdnet.nl> wrote:
> On Tue, Jan 12, 2010 at 09:38:32AM +0100, Tiery DENYS wrote:
> | On Mon, Jan 11, 2010 at 2:08 PM, Bob Beck <b...@ualberta.ca> wrote:
> | Yes I prefer waiting here instead of sending any response on ident port.
> | (silent fw)
>
> How can you claim 'silent fw' if it was the source of an ftp
> connection ?
>
> | I will not explain the benefit of dropping packets silently. This is
> | something we will not change, even if it is only for ident protocol.
> | The problem deals with public ftp servers, like university or other
> | research/company and we can't reconfigure them. If we keep in mind that
> | our firewall will always drop packets silently, there are not a lot of
> | solutions.
>
> Sure, don't change your firewall, but do realize that your argument is
> flawed. There is traffic originating from the address, so it must be
> alive. Simply sending a RST for attempted connections to the ident
> port does not tell anyone anything new.
>
> What does block drop gain you over block reject in this case ?
>
> (not a question to debate on the list, just something to think about)
>
> Cheers,
>
> Paul 'WEiRD' de Weerd
>
> --
> >++++++++[<++++++++++>-]<+++++++.>+++[<------>-]<.>+++[<+
> +++++++++++>-]<.>++[<------------>-]<+.--------------.[-]
> http://www.weirdnet.nl/

Hmm, yes it must be alive, it is true. It appears that ident is filtered by another firewall (which I can't configure, and which drops packets silently) before my network (and my firewall). I know I am going to a very specific case, that's why I was proposing a knob.
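For readers following the block drop versus block reject point above, here is an added pf.conf fragment (written for this page, not posted by anyone in the thread) that shows the two policies side by side for the ident port. It assumes an interface group named `egress`, a default-deny policy, and pf's own `block return` keyword, which is what Paul calls "block reject": pf answers a blocked TCP SYN with a RST instead of staying silent, so an FTP server's ident lookup fails at once rather than waiting out its timeout. The drop rule and the return rule differ only in that keyword.

```pf
# Added example, not from the thread. Assumes the "egress" interface
# group and that the remote FTP servers probe TCP/113 (ident) on login.

# Default policy: drop everything silently, which is what the thread
# calls a "silent fw". Hosts probing ident see no reply and must time out.
block drop all

# Weak setting for this use case: ident probes are also silently dropped,
# so the FTP server waits for its ident timeout before letting the login
# proceed. (Kept here only to show the difference; the next rule overrides it.)
block drop in on egress proto tcp to port 113

# Corrected setting: answer ident probes with a TCP RST. The server learns
# only that nobody is listening on 113, which it could already infer from
# the live FTP connection coming from this address, and the login proceeds
# immediately. "quick" makes this rule win over the silent default.
block return in quick on egress proto tcp to port 113

# Everything else this host needs stays as before; only the ident port
# stops being silent. Verify with: pfctl -nf /etc/pf.conf && pfctl -sr
```

This only helps when the silent drop happens on a firewall you control; as the last paragraph of the message notes, an upstream firewall that drops the ident probe before it reaches your network leaves nothing for a local `block return` rule to answer.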