Red Hat Bugzilla – Bug 35983
firewall and ident service causes problems
Last modified: 2007-03-26 23:43:32 EDT
The default firewall setup uses DENY to block most ports. While this is
generally a good idea, it is bad for the remote IDENT service on port 113.
The result of "denying" this port is that *outgoing* ftp (and perhaps
other) connections can take a very long time to connect. Attempting to
anonymously ftp to a locally connected Linux box is very frustrating,
because the remote wu-ftpd "hangs up" while waiting for the IDENT
connection to time out. This is easily solved by using REJECT instead of
DENY for this port. Below is my current copy of /etc/sysconfig/ipchains;
I added the two REJECT lines by hand and everything now works fine.
(On the other hand, the question of whether or not Red Hat boxes should
respond to IDENT requests by default is something to be considered. There
are certainly arguments to be made both ways.)
$ cat /etc/sysconfig/ipchains
-A input -s 0/0 -d 0/0 -i lo -j ACCEPT
-A input -p tcp -s 0/0 -d 0/0 113 -j REJECT
-A input -p udp -s 0/0 -d 0/0 113 -j REJECT
-A input -p tcp -s 0/0 -d 0/0 0:1023 -y -j DENY
-A input -p tcp -s 0/0 -d 0/0 2049 -y -j DENY
-A input -p udp -s 0/0 -d 0/0 0:1023 -j DENY
-A input -p udp -s 0/0 -d 0/0 2049 -j DENY
-A input -p tcp -s 0/0 -d 0/0 6000:6009 -y -j DENY
-A input -p tcp -s 0/0 -d 0/0 7100 -y -j DENY
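Added example (not part of the bug report or of the package): a small first-match walk over ipchains "-A input" lines that reports whether an inbound IDENT probe to port 113 is answered with REJECT or silently dropped by DENY. Rule order matters, so it also shows the dead-rule case where the 0:1023 DENY precedes the port 113 REJECT. The rulesets below are constructed from the reporter's listing; the interface name eth0 is an assumption.

```python
import re

# Constructed sample modelled on the reporter's /etc/sysconfig/ipchains: the
# REJECT lines for port 113 come before the catch-all 0:1023 DENY.
FIXED = """\
-A input -s 0/0 -d 0/0 -i lo -j ACCEPT
-A input -p tcp -s 0/0 -d 0/0 113 -j REJECT
-A input -p udp -s 0/0 -d 0/0 113 -j REJECT
-A input -p tcp -s 0/0 -d 0/0 0:1023 -y -j DENY
"""
# Same intent, wrong order: the range DENY matches first and the REJECT is dead.
MISORDERED = """\
-A input -p tcp -s 0/0 -d 0/0 0:1023 -y -j DENY
-A input -p tcp -s 0/0 -d 0/0 113 -j REJECT
"""

def parse_rule(line):
    """Pull proto, destination port range, interface and target from one -A line."""
    tok = line.split()
    r = {"proto": None, "lo": 0, "hi": 65535, "iface": None, "target": None}
    i = 0
    while i < len(tok):
        t = tok[i]
        if t in ("-p", "-i", "-j"):
            r[{"-p": "proto", "-i": "iface", "-j": "target"}[t]] = tok[i + 1]
            i += 2
        elif t == "-d":
            i += 2  # skip the address; a port or lo:hi range may follow it
            if i < len(tok) and re.fullmatch(r"\d+(:\d+)?", tok[i]):
                a, _, b = tok[i].partition(":")
                r["lo"], r["hi"] = int(a), int(b or a)
                i += 1
        else:
            i += 1  # -A chain, -s addr, -y: not needed for this check
    return r

def verdict(ruleset, proto="tcp", port=113, iface="eth0"):
    """First-match walk of the input chain; returns the target or None."""
    for line in ruleset.splitlines():
        if not line.startswith("-A input"):
            continue
        r = parse_rule(line)
        if (r["proto"] in (None, proto) and r["iface"] in (None, iface)
                and r["lo"] <= port <= r["hi"]):
            return r["target"]
    return None

def ident_rejected(ruleset, proto="tcp"):
    """True when an inbound IDENT probe gets REJECT rather than a silent DENY."""
    return verdict(ruleset, proto) == "REJECT"
```

A DENY verdict for port 113 is the configuration the report describes: the remote ftpd's IDENT query sees no response and waits for its own timeout before the data session proceeds.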
Bill, any ideas?
The current version uses REJECT rules.
(This should be in 0.43-5.)