Slighter, Tim wrote: > you really should try and specify that the rule "drops" instead of reject so > that the potential intruder is not provided with any information about their > attempted connection. tcp 113 (auth) is a common exception because of performance issues with legitimate traffic. Suppose you have a mail relay that sends out a large volume of SMTP e-mail on behalf of users in your organization. If you drop all of the auth requests coming back to your mail relay from servers to which you are delivering outbound mail, each of those connections must wait for the auth attempt to timeout before the mail can be delivered. If you send a reject, the auth fails immediately and the SMTP connection will complete in a timely fashion. True, it is a workaround for what is in my opinion a completely useless protocol. The right fix is to go and rebuild all those versions of sendmail that have it enabled by default. Unfortunately, if you don't use a reject policy and you do send large volumes of outbound e-mail you may find that the mail relay is taking a significant performance hit. -paul ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Fri Dec 07 2001 - 13:24:38 PST