On Tue, 18 Jul 2000, Rogier Maas wrote:
> That's the third time I see a question about that port. It's not really
> obvious what ident (that's on port 113) does. If I disable it (rfs), my
> logs tell me: "Unable to get canonical name of client, err=2". If I drop
> the packets, the wait is a little longer, but the message seems to be
> the same. If I turn it on (accpt), and clients connect, say on port 110
> (pop3) without the ident-service, I get the same error message.
That's probably because the error message is DNS-related and has nothing to do
with ident/port 113.
> So it's not really obvious to me what ident is good for. To me it's good
> for nothing, but of course, I could be wrong.
You should always reject port 113 calls, not simply drop them.
Ident works like this:
You have two servers. Server1 makes a TCP connection to server2 (for
instance SMTP, where server2 runs a recent version of sendmail).
Server2 (sendmail) will make a TCP connection to server1 on port
113. If successful, it will then give the port numbers (sender and
receiver) of the connection it wants to query about. Then the ident server
of server1 will respond with what user "owns" that TCP connection. This
will be included in the log of the transaction on server2 for later
identification.
Ident is an old protocol which was useful back in the days when you
could trust the sysadmins but not the users. Nowadays you can trust no-one,
so the protocol doesn't give you any reliability anymore, but sometimes it
can be useful.
I believe most programs have a 5 or 10 second timeout before deciding that
there will be no ident connection (the packets were being dropped).
--
Mikael Abrahamsson email: [EMAIL PROTECTED]
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
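The exchange described in the reply above (server2 asking server1's port 113 who owns a connection), worked through as an added example that is not part of the original mail. It implements the RFC 1413 request and reply lines, answers them from a constructed connection table standing in for server1's kernel socket list, and runs both sides over loopback on an ephemeral port instead of 113. It also shows the reject-versus-drop point: a refused connection makes the querier give up immediately, while dropped packets would cost the full timeout. The user names, port numbers and the "UNIX" operating-system tag are constructed; what the ident host returns is only what it chooses to say, so the result is log enrichment, not authentication.

```python
import socket
import threading

# Constructed sample of the connection table on the ident host ("server1"):
# (local port on server1, remote port on the querying host) -> owning user.
CONNECTIONS = {
    (34567, 25): "alice",   # alice's outbound SMTP session to server2
    (34890, 110): "bob",    # bob's POP3 session to server2
}


def parse_query(line):
    """Parse an ident request "<port-on-server>,<port-on-client>" (RFC 1413).

    Returns (server_port, client_port) as ints, or None if the line is not
    two comma-separated integers (range checking is done by build_reply)."""
    parts = line.strip().split(",")
    if len(parts) != 2:
        return None
    try:
        return tuple(int(p.strip()) for p in parts)
    except ValueError:
        return None


def build_reply(line, table):
    """Produce the ident server's one-line answer for a request line."""
    pair = parse_query(line)
    if pair is None:
        # Nothing usable to echo back, so report a zero port pair.
        return "0 , 0 : ERROR : INVALID-PORT\r\n"
    sp, cp = pair
    if not (1 <= sp <= 65535 and 1 <= cp <= 65535):
        return f"{sp} , {cp} : ERROR : INVALID-PORT\r\n"
    user = table.get(pair)
    if user is None:
        return f"{sp} , {cp} : ERROR : NO-USER\r\n"
    return f"{sp} , {cp} : USERID : UNIX : {user}\r\n"


def parse_reply(line):
    """Parse a reply line into a dict; None if it is not well-formed."""
    fields = [f.strip() for f in line.strip().split(":")]
    if len(fields) < 3:
        return None
    ports = parse_query(fields[0])
    if ports is None:
        return None
    if fields[1] == "ERROR" and len(fields) == 3:
        return {"ports": ports, "status": "ERROR", "error": fields[2]}
    if fields[1] == "USERID" and len(fields) >= 4:
        # The user-id field may itself contain ':', so rejoin the remainder.
        return {"ports": ports, "status": "USERID",
                "opsys": fields[2], "user": ":".join(fields[3:])}
    return None


def _serve_one(listener, table):
    """Answer a single ident request, the way server1's identd would."""
    try:
        conn, _ = listener.accept()
    except OSError:
        return
    with conn:
        request = conn.recv(512).decode("ascii", "replace")
        conn.sendall(build_reply(request, table).encode("ascii"))


def query_ident(host, port, server_port, client_port, timeout=5.0):
    """Act as server2: ask host:port who owns the (server_port, client_port)
    connection. Returns the parsed reply, or None if the ident port is
    refused or does not answer within `timeout` seconds."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(f"{server_port} , {client_port}\r\n".encode("ascii"))
            reply = s.recv(1024).decode("ascii", "replace")
    except OSError:          # connection refused (RST) or timed out (dropped)
        return None
    return parse_reply(reply)


def demo_exchange(server_port, client_port):
    """Run identd and the querier on loopback and return the parsed answer."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))        # ephemeral port stands in for 113
    listener.listen(1)
    listener.settimeout(5.0)               # never leave the thread stuck in accept
    t = threading.Thread(target=_serve_one, args=(listener, CONNECTIONS))
    t.start()
    try:
        return query_ident("127.0.0.1", listener.getsockname()[1],
                           server_port, client_port, timeout=2.0)
    finally:
        t.join()
        listener.close()


def demo_refused():
    """Query a port nothing listens on: the RST makes the querier return at once."""
    probe = socket.socket()
    probe.bind(("127.0.0.1", 0))
    port = probe.getsockname()[1]
    probe.close()                          # port is now closed, so connect is refused
    return query_ident("127.0.0.1", port, 34567, 25, timeout=2.0)


if __name__ == "__main__":
    print(demo_exchange(34567, 25))        # USERID reply naming alice
    print(demo_exchange(1, 2))             # ERROR : NO-USER
    print(demo_refused())                  # None, returned immediately
```

`query_ident` treats a refused connection and a timeout the same way (no ident information), which is exactly why rejecting port 113 is kinder to the remote mail server than dropping: the outcome is identical, only the wait differs.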