Date:      Fri, 20 Oct 2000 15:15:37 -0700 (PDT)
From:      Dima Dorfman <dima@unixfreak.org>
To:        doomstar@doomstar.com
Cc:        questions@freebsd.org
Subject:   Re: IRC/oidentd problem
Message-ID:  <20001020221537.C53961F28@static.unixfreak.org>
In-Reply-To: <G2QJVX00.EUO@loran.bluestar.net> "from doomstar@doomstar.com at Oct 20, 2000 10:47:56 am"

> Hi,

Please wrap your lines at ~72 characters.

>  I have a FreeBSD4.1 box set up as a firewall/natd/dhcpd box.  I
> have a windows box behind this firewall.  I can get online and use
> the internet from the windows box but I cannot connect to IRC
> servers.  They all say I'm not authorized.  I installed the oidentd
> package and thought I set it up according to the man page, restarted
> inetd with kill -HUP [pid] but it's still not working. I even created

Correct.  I don't know anything about oidentd, but unless it has
provisions to do this exact thing for you, it won't work.

Basically, identd works by taking a local and remote port as input,
and giving back the name of the user to which the process which is
talking on those ports belongs.  Since your IRC client is running
on a host behind NAT, no process--and hence, no user--is associated
with the ports.  This causes identd to return NO-USER, and the IRC
servers to complain.

The real solution would probably be to somehow identify ident requests
which are for other hosts, and have nat forward those requests
appropriately.  Until somebody implements that, there is a workaround.

Some time ago, when I had the same problem, I wrote a patch for
pidentd to, instead of replying with a NO-USER, reply with a default
user name.  Here's a comment from my web site:

   This patch adds a feature to pidentd-2.8.5 which sends back a default
   username if one was not found for that particular query. I'm pretty
   sure this breaks the RFC (I never bothered to read it), but I can't
   see any real harm.

   I wrote this when I wanted computers behind a network address
   translation gateway to have a valid ident response (mainly to be able
   to get onto EFnet).

If you're okay with this solution (don't mind the possible RFC
breakage and don't mind that one username will be returned for any
host behind NAT) you're welcome to try it out.  You can get the patch
at: 'http://users.unixfreak.org/~dima/files/pidentd-2.8.5+defuser.diff'.

Another solution would be not to use IRC servers which require ident
to be running.  This is probably preferred, but is not always
possible.

Hope this helps

-- 
Dima Dorfman <dima@unixfreak.org>
Finger dima@unixfreak.org for my public PGP key.

You have the right to remain silent.  Anything you say can and will be
misquoted, then used against you.
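
The lookup described in the message above, as an added example that is not part of the original e-mail and is not pidentd's code: a minimal RFC 1413 responder in C showing the NO-USER reply a NAT gateway produces and the default-user fallback. The connection table, `ident_reply`, `defuser` and the user names are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the kernel's connection table: local port,
 * remote port, owning user. A real identd asks the kernel instead. */
struct conn { int lport, rport; const char *user; };
static const struct conn table[] = { { 6191, 23, "alice" } };

/* Return the owner of a locally terminated connection, or NULL. */
static const char *lookup_owner(int lport, int rport)
{
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (table[i].lport == lport && table[i].rport == rport)
            return table[i].user;
    return NULL;
}

/* Answer one RFC 1413 query line ("<local-port> , <remote-port>").
 * defuser == NULL gives the standard behaviour; a non-NULL defuser is
 * the fallback name described in the message. Returns out. */
const char *ident_reply(const char *query, const char *defuser,
                        char *out, size_t outlen)
{
    int lport, rport;
    const char *user;

    /* Unparseable or out-of-range ports: this sketch echoes 0 , 0. */
    if (sscanf(query, "%5d , %5d", &lport, &rport) != 2 ||
        lport < 1 || lport > 65535 || rport < 1 || rport > 65535) {
        snprintf(out, outlen, "0 , 0 : ERROR : INVALID-PORT\r\n");
        return out;
    }
    user = lookup_owner(lport, rport);
    if (user == NULL)
        user = defuser;   /* NAT case: no local process owns the ports */
    if (user == NULL)
        snprintf(out, outlen, "%d , %d : ERROR : NO-USER\r\n", lport, rport);
    else
        snprintf(out, outlen, "%d , %d : USERID : UNIX : %s\r\n",
                 lport, rport, user);
    return out;
}

int main(void)
{
    char buf[128];
    fputs(ident_reply("6191 , 23\r\n", NULL, buf, sizeof buf), stdout);
    fputs(ident_reply("1025 , 6667\r\n", NULL, buf, sizeof buf), stdout);
    fputs(ident_reply("1025 , 6667\r\n", "natuser", buf, sizeof buf), stdout);
    return 0;
}
```

With the fallback enabled, every connection that has no local owner reports the same name, so the reply no longer distinguishes one host behind the gateway from another.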

