On Fri, Dec 09, 2005 at 08:25:37AM -0600, Greg Donald wrote:
> On 12/9/05, Phil Dibowitz <[EMAIL PROTECTED]> wrote:
> > As others have pointed out, your mail was formatted poorly...
> > #State your problem very clearly.
> I am trying to get my ipfilter-based firewall to allow ident access on
> a pc on my private network. I can telnet to port 113 from a remote
> host, but ident cannot reply back even though my incoming rule has
> keep state defined. I've read docs, man pages, mailing list archives,
> and google'd for a week. I've tried everything I've seen. I'm not a
> network guru by any means.
>
> > #Give all error messages.
> I don't really have any error messages, other than the fact that when
> I login to any irc server my ident does not work. I was previously
> using an exclusive ipfw-based firewall. I recently switched to
> ipfilter and am trying to get an inclusive ruleset worked up. I have
> most everything working at this point, except ident.
>
Ident does not work properly when NAT is involved. An ident query contains
the remote and local ports of the connection it wants to look up.

Without NAT, a connection looks like this:

    local.host:12345 ------> remote.host:6667

An ident query would contain "12345,6667", indicating the ports that it
wants to look up.

When NAT is involved, a connection looks like this (note that the gateway
host uses a different source port):

    local.host:12345 ------> gateway.host:23456 ------> remote.host:6667

The remote host sends a query with the ports 23456 and 23456. The gateway
forwards this query to the local host. The local host then tries to look up
the connection with the requested ports but fails, because it only knows
about a connection with the remote host with ports 12345 and 6667.

So what you need is an ident proxy like ports/security/oidentd, or you need
to configure identd to send out fake replies.

-- 
Peter Postma
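The following is an added illustration, not part of the original mail and not code from ipfilter or oidentd. It simulates the RFC 1413 exchange described above: the private host's connection table, the gateway's NAT mapping, the query as the IRC server sees it, and the port rewrite a gateway-side ident proxy has to perform so the lookup succeeds. Every address, port, host name and user name is constructed for the example; `parse_ident_query` also rejects anything that is not two in-range port numbers, which is the input check an identd exposed on port 113 should make before touching its connection table.

```python
"""Added illustration, not part of the original mail or of ipfilter/oidentd:
simulate an RFC 1413 ident lookup with and without NAT, and the rewrite a
gateway-side ident proxy must perform. Every address, port and user name
below is constructed."""

from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class Conn:
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int


# Connection table of the private host: which user owns each TCP connection.
LOCAL_CONNS: Dict[Conn, str] = {
    Conn("192.168.1.10", 12345, "203.0.113.5", 6667): "irc-user",
}

# NAT table on the gateway: (private ip, private port) -> public source port.
NAT_TABLE: Dict[Tuple[str, int], int] = {
    ("192.168.1.10", 12345): 23456,
}


def parse_ident_query(line: str) -> Tuple[int, int]:
    """Parse an RFC 1413 request '<port-on-server> , <port-on-client>'.

    port-on-server is the port on the host running identd (the IRC client
    side); port-on-client is the port on the querying host (the IRC server).
    Anything that is not two integers in 1..65535 is rejected, so a hostile
    peer cannot feed arbitrary text into the lookup.
    """
    parts = line.strip().split(",")
    if len(parts) != 2:
        raise ValueError("malformed ident query")
    server_port, client_port = (int(p.strip()) for p in parts)
    for port in (server_port, client_port):
        if not 1 <= port <= 65535:
            raise ValueError("port out of range")
    return server_port, client_port


def ident_lookup(conns: Dict[Conn, str], query: str, querier_ip: str) -> str:
    """identd on the private host: answer a query from querier_ip out of its
    own connection table. Reply lines follow RFC 1413."""
    try:
        server_port, client_port = parse_ident_query(query)
    except ValueError:
        return f"{query.strip()} : ERROR : INVALID-PORT"
    for conn, user in conns.items():
        if (conn.local_port == server_port and conn.remote_port == client_port
                and conn.remote_ip == querier_ip):
            return f"{server_port}, {client_port} : USERID : UNIX : {user}"
    return f"{server_port}, {client_port} : ERROR : NO-USER"


def gateway_forward(query: str, querier_ip: str) -> str:
    """Plain forwarding of port 113 through the NAT box: the query reaches the
    private host unchanged, still carrying the gateway's public port, so the
    private host finds no matching connection."""
    return ident_lookup(LOCAL_CONNS, query, querier_ip)


def gateway_proxy(query: str, querier_ip: str) -> str:
    """What an ident proxy on the gateway (the job oidentd does) must do:
    map the public port back to the private (ip, port), ask the private host
    about that port, then put the public port back into the reply."""
    server_port, client_port = parse_ident_query(query)
    reverse = {pub: priv for priv, pub in NAT_TABLE.items()}
    priv = reverse.get(server_port)
    if priv is None:
        return f"{server_port}, {client_port} : ERROR : NO-USER"
    _priv_ip, priv_port = priv  # a real proxy would pick the host to ask by _priv_ip
    inner = ident_lookup(LOCAL_CONNS, f"{priv_port}, {client_port}", querier_ip)
    # rewrite the port pair so the querier sees the ports it asked about
    _, _, rest = inner.partition(" : ")
    return f"{server_port}, {client_port} : {rest}"


if __name__ == "__main__":
    q = "23456, 6667"  # what the IRC server sends, as seen through NAT
    print("forwarded:", gateway_forward(q, "203.0.113.5"))
    print("proxied:  ", gateway_proxy(q, "203.0.113.5"))
```

Run as a script, the forwarded query comes back `ERROR : NO-USER` while the proxied one returns the user name with the public port pair the IRC server asked about; the proxy's reverse NAT lookup is the piece a `keep state` rule on port 113 cannot provide on its own, which is why forwarding alone does not help.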
