In message <g3u1aovd6e.fsf@sa.vix.com>, Paul Vixie writes:

smb@research.att.com ("Steven M. Bellovin") writes:

...

It might also be port 113 -- some sites try to query your tcp port 113, and wait for a timeout if the port is firewalled. A better solution than blocking it is to send an immediate RST.

people who depend on tcp/113 deserve everything stupid that happens to them. dropping SYN packets or returning a fixed string are both better than sending an immediate RST. (false confidence being valued less than low confidence.) i was rather shocked to discover tcp/113 clientness enabled by default in postfix and sendmail. but even widespread ignorance does not call for widespread coddling such as returning immediate RST's.

I'm not defending the practice, I'm defending myself against the practitioners. My email, etc., was being delayed because the site I was sending to was trying to query my non-existent tcp/113 server, and I was dropping SYNs. Now, I either send an immediate RST or use Erik Fair's identd, depending on my mood. --Steve Bellovin, http://www.research.att.com/~smb (me) http://www.wilyhacker.com (2nd edition of "Firewalls" book)