List Archive: gentoo-security
The message from MA read as follows:
> When an exploit is found and everybody uses reject, more computers can be
> scanned for the exploitable program/service at the same time... I don't
> see why we should make it easy for the script kids...
> [...]
As shown, that's no advantage. One could generate many, many parallel ICMPs
and wait for the one timeout period. Quite the opposite of your
proposition is true: ident, e.g., helps you to identify the "bad guys" in
your network, provided you've got a properly configured network. DENY for
ident renders such information useless, because DENIED packets won't get
logged anymore. So one could even say you're going to protect the "bad
guys".
From a more or less "psychological point of view" it's even worse
concerning the traffic load: the curious "bad guy" would try to go on. So
it's better to explicitly tell him to go away.
--
mental floss prevents moral decay
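As an added example (not from the list post or its author), this shows how the logged ident traffic the reply relies on can be turned into the "who is probing my network" information it mentions. It assumes a LOG rule with prefix `IDENT-REJECT` sits before the REJECT rule for TCP/113 (the post names no rule); the kernel log lines are constructed for the example.

```python
import re

# Constructed sample lines in the iptables LOG format (not taken from the post).
# 192.0.2.10 hits ident on three hosts in a row; 203.0.113.7 asks one host once.
SAMPLE_LOG = """\
Jan 18 10:01:02 gw kernel: IDENT-REJECT IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12345 DF PROTO=TCP SPT=40000 DPT=113 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 18 10:01:02 gw kernel: IDENT-REJECT IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.6 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12346 DF PROTO=TCP SPT=40001 DPT=113 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 18 10:01:03 gw kernel: IDENT-REJECT IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12347 DF PROTO=TCP SPT=40002 DPT=113 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 18 10:02:15 gw kernel: IDENT-REJECT IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=777 DF PROTO=TCP SPT=51000 DPT=113 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 18 10:03:00 gw kernel: SSH-ACCEPT IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12400 DF PROTO=TCP SPT=40100 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# Fields of an iptables LOG line we care about: the --log-prefix, addresses,
# protocol and destination port. Other fields (MAC=, TTL=, ...) are skipped.
LOG_RE = re.compile(
    r"kernel: (?P<prefix>\S+) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r".*?PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)"
)


def parse_log(text):
    """Yield (prefix, src, dst, proto, dpt) for every iptables LOG line in text."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            yield m["prefix"], m["src"], m["dst"], m["proto"], int(m["dpt"])


def ident_probe_sources(text, min_targets=2):
    """Map each source that hit TCP/113 on at least min_targets distinct hosts
    to the set of hosts it touched. A single ident request (e.g. from an IRC
    or mail server you talk to) is normal; the same source walking port 113
    across several of your hosts is the sweep the post talks about."""
    targets = {}
    for _prefix, src, dst, proto, dpt in parse_log(text):
        if proto == "TCP" and dpt == 113:
            targets.setdefault(src, set()).add(dst)
    return {src: dsts for src, dsts in targets.items() if len(dsts) >= min_targets}


if __name__ == "__main__":
    for src, dsts in ident_probe_sources(SAMPLE_LOG).items():
        print(f"{src} probed ident on {len(dsts)} hosts: {sorted(dsts)}")
```

With a plain DROP and no LOG rule there is nothing for this to read, which is the reply's point about losing the information.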
--
gentoo-security@g.o mailing list