On Sat, 29 Jan 2005 09:56:56 -0600, Rick Barter <[EMAIL PROTECTED]> wrote:

> I have been racking my brain and reading, but can't figure out how to
> set up pf to pass or rdr ident requests to the proper client
> (behind the firewall) that is trying to connect to an irc server. I
> want to rdr the auth (port 113) request coming into my firewall to
> whichever machine is trying to connect to an irc server. How can I do
> this?
I do not think this is technically possible without extensive effort, nor desirable. The 'ident' (auth, tap, TCP/113) protocol is no longer very useful for the original purpose, but it is still required by IRC servers. Many systems and firewalls, including OpenBSD (via the '-H' flag), offer an identd work-alike which will provide a reasonable answer to any and all ident queries.

> Currently I have a rdr rule that handles the ident requests by passing
> them to my windows machine running mIRC. mIRC has a built-in ident
> emulator and works fine. I've tried to set up an ident server on my
> firewall that will handle all ident requests. I enabled identd in
> /etc/rc.conf and disabled the one running from /etc/inetd, but with no
> joy.

Why not just go into /etc/inetd.conf and change the arguments on identd from '-el' to '-elH'? This will cause identd to always return an answer for *any* ident query, valid or invalid.

> What am I missing here? Does anyone have such a setup working?

Technically, it should be *possible* to create an identd service running on a NAT gateway which would answer ident queries by looking up the internal originating IP address and returning an ident token corresponding to the actual source IP address, providing better forensics info than just making up a random reply. The primary drawback in implementing the above would be the requirement for the identd server to run as a privileged user in order to have access to the /dev/pf (root only) device to perform DIOCNATLOOK ioctl calls.

In reality, the ident protocol is no longer used or trusted to provide valid and useful responses, and exists solely as an added check done by IRC servers (of limited value, IMHO) in their fight against compromised bots and open proxies.

Kevin Kadow
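
As an added illustration (not code from this thread, from OpenBSD's identd, or from pf), here is a small RFC 1413 responder in Python showing the two behaviours discussed above: the '-H'-style reply to every query, valid or not, and the NAT-aware reply that maps the query's port pair back to the internal host that really opened the IRC connection. The NAT table, the hashing key and the listening port 1113 are constructed assumptions; a real gateway would obtain the mapping from pf's DIOCNATLOOK ioctl, which is the root-only step the reply points out.

```python
import hmac
import hashlib
import re
import socketserver

# RFC 1413 query line: "<port-on-this-host> , <port-on-querying-host>".
QUERY_RE = re.compile(r"^\s*(\d+)\s*,\s*(\d+)\s*$")

# Constructed stand-in for the gateway's NAT state, keyed by (translated
# source port on the gateway, IRC server port) -> internal host. A real
# gateway would fetch this from pf with the DIOCNATLOOK ioctl, which is
# the root-only step the thread points out.
SAMPLE_NAT_TABLE = {
    (50123, 6667): "192.168.1.20",
    (50124, 6667): "192.168.1.21",
}
HIDE_KEY = b"constructed-example-key"  # per-host secret for hashed tokens


def hidden_token(local_port, remote_port):
    """Opaque, deterministic token in the spirit of identd's hide options:
    the IRC server always gets an answer but learns nothing about the LAN."""
    msg = f"{local_port},{remote_port}".encode()
    return hmac.new(HIDE_KEY, msg, hashlib.sha256).hexdigest()[:16]


def respond(query, nat_table=SAMPLE_NAT_TABLE, hide_all=False):
    """Build the RFC 1413 reply for one query line."""
    m = QUERY_RE.match(query)
    if not m:
        return "0 , 0 : ERROR : INVALID-PORT"
    lport, rport = int(m.group(1)), int(m.group(2))
    if not (1 <= lport <= 65535 and 1 <= rport <= 65535):
        return f"{lport} , {rport} : ERROR : INVALID-PORT"
    if hide_all:  # '-H' style: answer every query, valid or not
        return f"{lport} , {rport} : USERID : OTHER : {hidden_token(lport, rport)}"
    internal = nat_table.get((lport, rport))
    if internal is None:
        return f"{lport} , {rport} : ERROR : NO-USER"
    # NAT-aware reply: the token names the internal host that really
    # opened the IRC connection, giving the gateway usable forensics.
    return f"{lport} , {rport} : USERID : OTHER : {internal}"


class IdentHandler(socketserver.StreamRequestHandler):
    def handle(self):
        line = self.rfile.readline(1024).decode("ascii", "replace")
        self.wfile.write((respond(line) + "\r\n").encode("ascii"))


if __name__ == "__main__":  # TCP/113 needs privilege; 1113 is for testing
    socketserver.TCPServer(("0.0.0.0", 1113), IdentHandler).serve_forever()
```

Pass `hide_all=True` to `respond` (or wire it into the handler) to get the always-answer behaviour; the default path answers only for connections the NAT table knows about.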
