Kevin wrote:
I do not think this is technically possible without extensive effort, nor desirable. The 'ident' (auth, tap, TCP/113) protocol is no longer very useful for the original purpose, but it is still required by IRC servers.
Many systems and firewalls, including OpenBSD (via the '-H' flag), offer an identd work-alike which will provide a reasonable answer to any and all ident queries.
Why not just go into /etc/inetd.conf and change the arguments on identd from '-el' to '-elH'? This will cause identd to always return an answer for *any* ident query, valid or invalid.
Okay. I've enabled this (-elH) and restarted inetd on my firewall and have changed the rule to:
pass in log on fxp0 proto tcp from any to any port = auth
Now, is there a way I can test it myself to see what's being returned? The IRC server to which I'm trying to connect still says no response. I checked my firewall log and see that it's getting blocked on the way out:
Jan 30 15:21:16.438720 rule 0/0(match): block out on fxp0: 24.174.112.98.113 > 66.198.160.2.1928: S 3654633913:3654633913(0) ack 830143768 win 16384 <mss 1460,nop,wscale 0,[|tcp]> (DF)
===================
Ahhhh, while composing this email I figured it out. My rule was: pass out $log_flg on $ext_if proto tcp all modulate state flags S/SA
So, it was being blocked on the way out. I changed it to:
pass out $log_flg on $ext_if proto tcp all modulate state
And now it works. Thanks for helping me realize what was going on. However, I still wish I knew how to see the request from the IRC server and the response from identd. Is there a way? Furthermore, how vulnerable does it make me by not forcing the SYN flag to be set?
rvb
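An added pf.conf fragment (not from the thread, and assuming a PF of that era where a rule only keeps state when told to) showing the ruleset rvb ended up with beside an alternative that keeps flags S/SA on the out rule: give the inbound ident rule keep state, so identd's SYN/ACK reply is matched by the state entry instead of being evaluated against the outbound rule.

```pf
# Added example, not from the thread. $ext_if and $log_flg are the macros
# rvb's own rules use; identd is the inetd-spawned one started with -elH.
ext_if = "fxp0"
log_flg = "log"

# Assumed default-deny, which the "block out on fxp0" log line suggests.
block $log_flg on $ext_if all

# What rvb ended up with: flags S/SA dropped from the out rule so identd's
# SYN/ACK (not a lone SYN) is no longer blocked. The cost is that any
# outbound TCP packet, not just a connection initiator, can now create state.
# pass in  $log_flg on $ext_if proto tcp from any to any port auth
# pass out $log_flg on $ext_if proto tcp all modulate state

# Alternative: keep state on the inbound ident rule. The IRC server's SYN
# creates the state entry, identd's SYN/ACK back out matches that entry and
# never reaches the out rule, so the out rule can keep insisting on S/SA.
pass in  $log_flg on $ext_if proto tcp from any to any port auth \
    flags S/SA keep state
pass out $log_flg on $ext_if proto tcp all modulate state flags S/SA
```

Load with pfctl -f /etc/pf.conf and watch pflog for the port 113 exchange; the ident reply line itself (USERID or ERROR) is visible with tcpdump -X on the pflog interface once the rule is logged.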
