Date:      Tue, 12 Jan 1999 13:53:46 -0800 (PST)
From:      Joseph Lee <nugundam@best.com>
To:        Brian Somers <brian@Awfulhak.org>
Cc:        Eivind Eklund <eivind@yes.no>, freebsd-hackers@FreeBSD.ORG
Subject:   Re: libalias and ident 
Message-ID:  <Pine.BSF.4.05.9901121325470.26186-100000@shell2.la.best.com>
In-Reply-To: <199901120035.AAA60265@keep.lan.Awfulhak.org>

On Tue, 12 Jan 1999, Brian Somers wrote:
> AFAIK, the problem isn't solvable :-(  Libalias needs to rewrite the 
> ident query, changing the destination IP to that of the correct 
> machine, and changing the embedded port number to the one originally 
> sent.  To do this, libalias needs to identify the link table entry 

I've spent an amount of time on it and found it unsolvable due to the
way sockets work, and the way ident verifies connections.  There might
be a way around, but I wouldn't know enough about it yet.

Basically, given a query from some remote ip for a remote/local port
pair, ident searches the kernel tables for a matching outgoing tcp
connection with the same remote ip on that local port.

That's the crux.

You can write something to catch the ident query, rewrite it, and
then query the originating ip (bob) behind natd easily, but the tcp
connection has to look like, to bob, in accept() that it originated
from the remote ip (mary), or otherwise, there's no match in bob's
kernel tables...

So, the natd host (jack) can recreate the ident tcp connection to bob
through a connect() call, as Eivind suggested, or using libident, by
forking off libalias and doing so.  However, then jack's packets'
src ip needs to be spoofed to look like it came from mary, otherwise
bob couldn't match the connection's remote ip to anything in the
kernel tables.

Then, libalias would have to catch packets coming back without
automatically forwarding them to mary first, and it all becomes some
really complicated ball of wax for a solution.

The other way is to extend bob's ident's PROXY query to support
remote/local ip to be specified in the query, but then it
becomes insecure, and infeasible because all hosts behind jack would
have to have their idents extended.

So, the original tcp syn packet from mary needs to be directly
forwarded to bob by jack, but can't be done because the port pairs are
unknown until the connection gets accept()'d, which I think is too
late by then...

There probably is a solution, but it's beyond my current knowledge of
tcp/ip.

So, I basically paraphrased Brian's comments, but with some
extra details.. ^^

p.s. I've actually gotten queries to make it all the way to bob, from
mary, by extracting the data from the query by mary, and making another
ident query to bob through libident, but bob couldn't match the
query because it originated from jack, not mary.

-- 
Joseph nugundam =best=com==/==\=IIGS=/==\=Playstation=/==\=Civic HX CVT=/==\
#        Anime Expo 1998        >> www.anime-expo.org/                      >
#         Redline Games         >> www.redlinegames.com/                    >
#      Cal-Animage Epsilon      >> www.best.com/~nugundam/epsilon/          >
# EX: The Online World of Anime & Manga >> www.ex.org/                     /
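The three obstacles described in the message above (rewriting the embedded port once the query text is visible, not knowing which inside host a bare ident SYN is for, and identd on bob refusing a query whose source is jack rather than mary) can be seen in a small model. This is an added example written for this page, not code from the thread, natd or libalias; the addresses, port numbers, user name and the two-entry link table are constructed for illustration, and the second inside host is added to show why the SYN alone cannot be dispatched when more than one host behind jack talks to mary.

```python
"""Toy model of the ident-behind-NAT problem discussed in the thread.

Constructed hosts (assumptions for this example, not from the mail):
  bob  = 192.168.1.2   client behind the NAT box (e.g. an IRC client)
  jack = 203.0.113.1   the natd/libalias host, public side
  mary = 198.51.100.7  the remote server that sends the ident query
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

IDENT_PORT = 113


@dataclass(frozen=True)
class Link:
    """One libalias-style link table entry for an outbound TCP connection."""
    inside_ip: str
    inside_port: int   # port bob actually used
    alias_port: int    # port mary sees on jack
    remote_ip: str
    remote_port: int


@dataclass(frozen=True)
class Conn:
    """One entry in bob's kernel TCP table, as identd on bob would see it."""
    local_port: int
    remote_ip: str
    remote_port: int
    user: str


# Constructed sample state: bob:1234 -> mary:6667 is aliased to jack:40000,
# and a second inside host also has a connection to mary.
LINK_TABLE: List[Link] = [
    Link("192.168.1.2", 1234, 40000, "198.51.100.7", 6667),
    Link("192.168.1.3", 2000, 40001, "198.51.100.7", 6667),
]
BOB_KERNEL_TABLE: List[Conn] = [Conn(1234, "198.51.100.7", 6667, "bob")]


def parse_ident_query(line: str) -> Tuple[int, int]:
    """RFC 1413 query text is '<port-on-server> , <port-on-client>'.
    'server' is the host being asked (bob's side, as mary sees it),
    'client' is mary's own port."""
    server_port, client_port = (int(x) for x in line.strip().split(","))
    return server_port, client_port


def rewrite_ident_query(links: List[Link], query_line: str,
                        remote_ip: str) -> Optional[Tuple[str, str]]:
    """What libalias would have to do once the query text has arrived:
    find the link whose alias port is the embedded port-on-server and
    return the real inside host plus the query rewritten with bob's
    original port.  Returns None if no link matches."""
    alias_port, remote_port = parse_ident_query(query_line)
    for link in links:
        if (link.alias_port == alias_port and link.remote_ip == remote_ip
                and link.remote_port == remote_port):
            return link.inside_ip, f"{link.inside_port}, {link.remote_port}"
    return None


def ident_candidates_at_syn(links: List[Link], remote_ip: str) -> List[str]:
    """At SYN time there is no payload yet, so the only key libalias has is
    the querier's address.  Every inside host with a connection to that
    remote is a candidate; more than one means the SYN cannot be forwarded
    unambiguously, which is the point made in the message."""
    return sorted({link.inside_ip for link in links if link.remote_ip == remote_ip})


def identd_lookup(kernel_table: List[Conn], query_src_ip: str,
                  query_line: str) -> Optional[str]:
    """Model of identd on bob: the connection must match local port, remote
    port AND the address the query came from.  A query re-originated by
    jack therefore never matches, even with the port correctly rewritten."""
    local_port, remote_port = parse_ident_query(query_line)
    for conn in kernel_table:
        if (conn.local_port == local_port and conn.remote_port == remote_port
                and conn.remote_ip == query_src_ip):
            return conn.user
    return None


if __name__ == "__main__":
    print("SYN candidates:", ident_candidates_at_syn(LINK_TABLE, "198.51.100.7"))
    target, rewritten = rewrite_ident_query(LINK_TABLE, "40000, 6667", "198.51.100.7")
    print("rewritten query for", target, "->", rewritten)
    print("query from mary:", identd_lookup(BOB_KERNEL_TABLE, "198.51.100.7", rewritten))
    print("query from jack:", identd_lookup(BOB_KERNEL_TABLE, "203.0.113.1", rewritten))
```

Running it shows the rewrite itself is straightforward once the query line is in hand, that the bare SYN from mary yields two candidate inside hosts, and that the rewritten query is only answered when its source address is mary's, which is exactly the spoofing requirement the message describes.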