Date:      Thu, 19 Oct 2000 12:05:11 +0300
From:      Ruslan Ermilov <ru@FreeBSD.ORG>
To:        Bjarni Runar Einarsson <bre@netverjar.is>, freebsd-net@FreeBSD.ORG
Subject:   Re: natd & identd cooperation?
Message-ID:  <20001019120511.A4555@sunbay.com>
In-Reply-To: <20001019110110.C98924@sunbay.com>; from ru@FreeBSD.ORG on Thu, Oct 19, 2000 at 11:01:10AM +0300
References:  <20001018184017.A1218@klaki.net> <20001019110110.C98924@sunbay.com>

On Thu, Oct 19, 2000 at 11:01:10AM +0300, Ruslan Ermilov wrote:
> On Wed, Oct 18, 2000 at 06:40:17PM +0000, Bjarni Runar Einarsson wrote:
> > Hi all,
> > 
> > I'm a relatively new FreeBSD user, lured from the world of Linux by
> > the FreeBSD jails... so far so good.
> > 
> > I'm currently playing with a 4.1.1 box which gives jailed users
> > access to the 'net via natd.  For those users interested in using
> > IRC, the lack of an identd which will correctly either reply on a
> > jail-by-jail basis or relay the ident requests back to a jailed
> > identd is a bit of a problem.
> > 
> > No, I'm not interested in randomizing the ident replies. :-)
> > 
> > So, my question is, am I overlooking something, or is my only
> > option to go ahead and hack up some identd and natd so they will
> > communicate with each other?
> > 
> > My current strategy is to use shared-memory tables to get oidentd
> > and natd to talk to each other, allowing me to set up both static
> > ip<->username mappings and dynamic connection<->user mappings.  I
> > have a ready-to-use library (UDB) designed for just this sort of 
> > thing, so this shouldn't take too much effort.
> > 
> > Am I reinventing the wheel here, or is this a worthwhile project?
> > Please stop me if someone has already solved this problem!
> > 
> > Please CC: any replies directly to me, since I am not at the moment
> > subscribed to this mailing list.
> > 
> I am working on implementing IDENT support for libalias(3) and (as a
> consequence) for natd(8).  Meanwhile, you can do it with inetd(8) as
> follows:
> 
> In /etc/inetd.conf, specify the following string for internal ``auth'':
> auth	stream	tcp	nowait	root	internal	auth -d foo
> 
> Then redirect the TCP port 113 to this machine's inetd like this:
> natd -redirect_port tcp NAT:auth auth
> 
> If you like, I will let you know when my IDENT patch will be ready.
> 
Following up to myself: the IDENT support for NAT is impossible (or,
at least, would be very hard to implement), because IDENT uses TCP as
its transport, and we don't know in advance where we should redirect
the first (incoming) SYN packet, because ports information is missing
from it.  Though this still seems to be possible with T/TCP.

-- 
Ruslan Ermilov		Oracle Developer/DBA,
ru@sunbay.com		Sunbay Software AG,
ru@FreeBSD.org		FreeBSD committer,
+380.652.512.251	Simferopol, Ukraine

http://www.FreeBSD.org	The Power To Serve
http://www.oracle.com	Enabling The Information Age
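As an added example (not code from this thread, nor from natd, oidentd or libalias), the Python block below shows the piece of the natd/identd cooperation Bjarni describes that has to live on the identd side: parsing an RFC 1413 query and resolving its port pair through a NAT translation table to the jail that owns the flow, then answering with that jail's user. The translation table, the jail-to-user mapping, the addresses and the function names are all constructed for the illustration. It also makes Ruslan's point concrete: the two ports arrive only in the payload of an ident connection that is already established, so nothing in the first SYN to port 113 tells natd which jail it belongs to.

```python
"""IDENT (RFC 1413) lookup against a NAT translation table.

Added illustration for the natd/identd discussion; not code from natd,
oidentd or libalias.  All table contents and addresses are constructed.
"""
import re

# Constructed NAT state: what natd knows about each translated TCP flow.
# Keys are (public_port, remote_ip, remote_port) as seen by the outside
# IRC server; values identify the jail-side endpoint that owns the flow.
NAT_TABLE = {
    (40001, "198.51.100.7", 6667): {"jail_ip": "10.0.0.11", "jail_port": 51234},
    (40002, "198.51.100.7", 6667): {"jail_ip": "10.0.0.12", "jail_port": 51235},
}

# Constructed static ip<->username mapping, as the original poster proposes.
JAIL_USERS = {"10.0.0.11": "alice", "10.0.0.12": "bob"}

# RFC 1413 request syntax: "<port-on-server> , <port-on-client>" plus CRLF.
REQUEST_RE = re.compile(r"^\s*(\d{1,5})\s*,\s*(\d{1,5})\s*$")


def parse_request(line):
    """Parse one RFC 1413 request line.

    <port-on-server> is the port on the host being queried (here the NAT
    box's public port); <port-on-client> is the querying host's own port
    (the IRC server's listening port).  Returns (server_port, client_port),
    or None when the line is malformed or a port is out of range.
    """
    m = REQUEST_RE.match(line)
    if not m:
        return None
    server_port, client_port = int(m.group(1)), int(m.group(2))
    if not (1 <= server_port <= 65535 and 1 <= client_port <= 65535):
        return None
    return server_port, client_port


def ident_reply(line, remote_ip, nat_table=NAT_TABLE, users=JAIL_USERS):
    """Build the RFC 1413 response for one request line.

    remote_ip is the peer address of the ident TCP connection itself.
    The port pair exists only in this payload line, i.e. after the TCP
    handshake, which is why a NAT cannot choose a jail from the SYN alone.
    """
    parsed = parse_request(line)
    if parsed is None:
        # Port fields for a malformed request are an assumption here; RFC 1413
        # only mandates the ERROR : INVALID-PORT reply.
        return "0 , 0 : ERROR : INVALID-PORT"
    server_port, client_port = parsed
    flow = nat_table.get((server_port, remote_ip, client_port))
    if flow is None:
        return "%d , %d : ERROR : NO-USER" % (server_port, client_port)
    user = users.get(flow["jail_ip"])
    if user is None:
        return "%d , %d : ERROR : NO-USER" % (server_port, client_port)
    return "%d , %d : USERID : UNIX : %s" % (server_port, client_port, user)


if __name__ == "__main__":
    # Constructed query as an IRC server at 198.51.100.7 would send it.
    print(ident_reply("40001 , 6667\r\n", "198.51.100.7"))
```

The lookup key includes the querying host's address, so a flow is only attributed when the ident request comes from the same peer the translated connection goes to; a query from an unrelated host for the same port pair gets NO-USER rather than a username. In a real deployment the table would have to be fed by natd (the shared-memory approach in the original post), and the responder itself must run on the NAT host or be reached through a port redirection such as the inetd internal auth setup above.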