On Sun, 30 Jan 2005 15:41:41 -0600, Rick Barter <[EMAIL PROTECTED]> wrote:
> Kevin wrote:
> 
> > I do not think this is technically possible without extensive effort,
> > nor desirable.  The 'ident' (auth, tap, TCP/113) protocol is no longer
> > very useful for the original purpose, but it is still required by IRC 
> > servers.
> >
> > Many systems and firewalls, including OpenBSD (via the '-H' flag),
> > offer an identd work-alike which will provide a reasonable answer
> > to any and all ident queries.
> 
> > Why not just go into /etc/inetd.conf and change the arguments on
> > identd from '-el' to '-elH'.  This will cause identd to always return an
> > answer for *any* ident query, valid or invalid.
> 
> Okay.  I've enabled this (-elH) and restarted inetd on my firewall and
> have changed the rule to:
>    pass in log on fxp0 proto tcp from any to any port = auth

Off the cuff, I'd suggest this:
     pass in on $ext_if proto tcp from any to ($ext_if) port = auth keep state flags S/SA


> However, I still wish I knew how to see the request from the IRC
> server and the response from identd.  Is there a way? 

Using the '-l' flag in /etc/inetd.conf, identd logs to syslog. 
You can watch the actual conversation with the remote IRC server via:
    tcpdump -i fxp0 -p -n -s 1500 -X port auth

There is no need for "synproxy" or "modulate" on inbound traffic that
terminates on the firewall itself, and with "keep state" you can lock down
the "pass out $log_flg on $ext_if proto tcp all modulate state" line.


> Furthermore, how vulnerable does it make me by not forcing 
> the SYN flag to be set?

If your policy includes 'keep state' on the incoming request, state table
entries are created for incoming sessions permitted by the policy,
which avoids extra "pass out ..." entries, and takes care of the SYN flag
question as well.

Kevin Kadow
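As an added illustration, not part of Kevin's reply, here is an /etc/pf.conf fragment that puts the original rule from the thread next to the tightened one; the interface name fxp0, the log macro and the default block are assumptions.

```pf
# Added example, not from the thread. Interface and macros are assumptions.
ext_if  = "fxp0"
log_flg = "log"

# Default deny, then explicit allows.
block all

# Original rule from the thread: any destination, no state, no flag check,
# so it also matches non-SYN packets and needs a separate "pass out" rule.
# pass in log on fxp0 proto tcp from any to any port = auth

# Tightened version: only the firewall's own address on the external
# interface, only new connections (SYN set, ACK clear), and a state entry
# so identd's reply packets match without an extra outbound rule.
pass in $log_flg on $ext_if proto tcp from any to ($ext_if) port = auth \
    keep state flags S/SA

# Outbound from the firewall: since the inbound rule above creates state,
# this line only needs to cover connections the firewall itself initiates.
pass out $log_flg on $ext_if proto tcp all modulate state
```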
