Hi,

The auth protocol is a session between identd's on the respective machines. Its purpose and protocol are described in RFC-1413. If you specifically disable it on the firewall, then the pop3 session will wait until it times out (from the server side) before it continues. Most people don't like that 'wait' period, so they permit it. Other people are more restrictive of the information allowed through the protocol, so they put up with it.

I have heard that there is a replacement for identd that returns prose rather than relevant user information. I've also heard that some others hack away at the pop3 source to exclude the call for ident.

Best of Luck,
Chris

At 12:30 PM 1/14/2002 +0000, Bruno Negrão wrote:
>Hi, I'm using a redhat linux with 2 ethernet interfaces and iptables +
>ipmasquerading.
>I made a tcpdump of a connection between a masqueraded client machine
>(192.168.13.10) and my external pop3 server (falcon.etcetera). The
>firewall's name is 15bis.etcetera.com.br
>
>What I found interesting was a connection originated from the pop3 server
>to my client "auth" port. Can someone explain what this connection is
>made for and how it traverses my firewall? (does this new connection (auth)
>have the state "RELATED"?)
>
>
>13:18:20.484479 15bis.etcetera.com.br.1257 > falcon.etcetera.com.br.pop3: S 10873842:10873842(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)
>13:18:20.484745 falcon.etcetera.com.br.pop3 > 192.168.13.10.1257: S 3336463748:3336463748(0) ack 10873843 win 32120 <mss 1460,nop,nop,sackOK> (DF)
>13:18:20.485471 15bis.etcetera.com.br.1257 > falcon.etcetera.com.br.pop3: . ack 3336463749 win 8760 (DF)
>13:18:20.486676 falcon.etcetera.com.br.4475 > 15bis.etcetera.com.br.auth: S 3342539285:3342539285(0) win 32120 <mss 1460,sackOK,timestamp 697211801 0,nop,wscale 0> (DF)
>13:18:20.486787 15bis.etcetera.com.br.auth > falcon.etcetera.com.br.4475: R 0:0(0) ack 3342539286 win 0 (DF)
>13:18:20.488595 falcon.etcetera.com.br.pop3 > 192.168.13.10.1257: P 1:40(39) ack 1 win 32120 (DF)
>13:18:20.491085 15bis.etcetera.com.br.1257 > falcon.etcetera.com.br.pop3: P 0:29(29) ack 40 win 8721 (DF)
>13:18:20.491337 falcon.etcetera.com.br.pop3 > 192.168.13.10.1257: . ack 30 win 32120 (DF)
>13:18:20.491405 falcon.etcetera.com.br.pop3 > 192.168.13.10.1257: P 40:46(6) ack 30 win 32120 (DF)
>13:18:20.494094 15bis.etcetera.com.br.1257 > falcon.etcetera.com.br.pop3: P 29:42(13) ack 46 win 8715 (DF)
>13:18:20.502936 falcon.etcetera.com.br.pop3 > 192.168.13.10.1257: P 46:52(6) ack 43 win 32120 (DF)
>13:18:20.505369 15bis.etcetera.com.br.1257 > falcon.etcetera.com.br.pop3: P 42:48(6) ack 52 win 8709 (DF)
>13:18:20.505645 falcon.etcetera.com.br.pop3 > 192.168.13.10.1257: P 52:61(9) ack 49 win 32120 (DF)
>13:18:20.510062 15bis.etcetera.com.br.1257 > falcon.etcetera.com.br.pop3: P 48:54(6) ack 61 win 8700 (DF)
>13:18:20.510286 falcon.etcetera.com.br.pop3 > 192.168.13.10.1257: P 61:67(6) ack 55 win 32120 (DF)
>13:18:20.510478 falcon.etcetera.com.br.pop3 > 192.168.13.10.1257: F 67:67(0) ack 55 win 32120 (DF)
>13:18:20.511021 15bis.etcetera.com.br.1257 > falcon.etcetera.com.br.pop3: . ack 68 win 8694 (DF)
>13:18:20.512395 15bis.etcetera.com.br.1257 > falcon.etcetera.com.br.pop3: F 54:54(0) ack 68 win 8694 (DF)
>13:18:20.512600 falcon.etcetera.com.br.pop3 > 192.168.13.10.1257: . ack 56 win 32120 (DF)
>_______________________________________________
>Firewalls mailing list
>[EMAIL PROTECTED]
>http://lists.gnac.net/mailman/listinfo/firewalls
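
Added example (not part of the original thread): a small Python parser for old-style tcpdump text that finds each ident (auth, 113/tcp) callback and reports whether it was reset, accepted or left unanswered, the last being the case that produces the server-side wait described in the reply. The first three sample lines are taken from the capture quoted above; the last two, with the hypothetical hosts mail.example.net and fw.example.net, are constructed.

```python
import re

# Old-style tcpdump text: "<time> <src>.<port> > <dst>.<port>: <flags> ..."
LINE = re.compile(r"^(\S+) (\S+)\.(\w+) > (\S+)\.(\w+): (\S+)")
# tcpdump prints 113/tcp by its service name "auth"; accept the other spellings too.
IDENT_PORTS = {"auth", "ident", "113"}

def classify_ident_probes(lines):
    """Return one record per ident callback, with how the target answered it."""
    probes = {}
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        ts, src, sport, dst, dport, flags = m.groups()
        syn_only = flags == "S" and " ack " not in line
        if dport in IDENT_PORTS and syn_only:
            # A server calling back to the ident port; retransmitted SYNs keep the first record.
            probes.setdefault((src, sport, dst),
                              {"time": ts, "server": src, "target": dst, "answer": "none"})
        elif sport in IDENT_PORTS and (dst, dport, src) in probes:
            probe = probes[(dst, dport, src)]
            if "R" in flags:
                probe["answer"] = "reset"      # lookup fails at once, no wait
            elif flags == "S":
                probe["answer"] = "accepted"   # SYN-ACK: something listens on 113
    return list(probes.values())

SAMPLE = """\
13:18:20.486676 falcon.etcetera.com.br.4475 > 15bis.etcetera.com.br.auth: S 3342539285:3342539285(0) win 32120 <mss 1460,sackOK,timestamp 697211801 0,nop,wscale 0> (DF)
13:18:20.486787 15bis.etcetera.com.br.auth > falcon.etcetera.com.br.4475: R 0:0(0) ack 3342539286 win 0 (DF)
13:18:20.488595 falcon.etcetera.com.br.pop3 > 192.168.13.10.1257: P 1:40(39) ack 1 win 32120 (DF)
14:02:11.100000 mail.example.net.4480 > fw.example.net.auth: S 100:100(0) win 32120 (DF)
14:02:14.100000 mail.example.net.4480 > fw.example.net.auth: S 100:100(0) win 32120 (DF)
""".splitlines()  # last two lines are constructed: a SYN that is dropped and retried

if __name__ == "__main__":
    for p in classify_ident_probes(SAMPLE):
        print(p["time"], p["server"], "->", p["target"], "answer:", p["answer"])
```

An answer of "none" marks an ident SYN that was silently dropped, so the mail server waits for its own timeout; "reset" is what the quoted capture shows, with the POP3 banner following about 2 ms later.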
