Date: Mon, 13 Dec 1999 13:22:47 -0700
From: Davec <Davec@unforgettable.com>
To: freebsd-ports@freebsd.org, freebsd-stable@freebsd.org, ipfilter@coombs.anu.edu.au
Subject: Re: pidentd
Message-ID: <99121216534200.40553@Amber.XtremeDev.com>
In-Reply-To: <3.0.6.32.19991212141700.007e2ac0@netcore.home>
References: <7101.991211@Home.Com> <3.0.6.32.19991212141700.007e2ac0@netcore.home>
On Sun, 12 Dec 1999, Pekka Savola wrote:
> Hi,
>
> I encountered a similar problem myself - and asked around for solutions.
> I have come to the conclusion that there are _no_ identd implementations
> for FreeBSD that would support NAT/Masq'ed connections. There are plenty
> of them for Linux, but they seem to use the proc filesystem and are of no use..
>
> Pidentd doesn't support masqed connections. There is a patch for it to do
> that, but it is Linux only
> (http://www.manpages.org/pidentd/pidentd+fm-1.1.patch.gz).
>
> Midentd and Oidentd support masqed connections in Linux, but not in *BSD.
> There are more like these, just check e.g. freshmeat.
>
> Ident2 doesn't seem to do masqed connections at all
> (http://www.nyct.net/~defile/programs/ident2/).
>
> Cidentd doesn't seem to have been updated since 1996, and there is a nasty
> buffer overflow in it.
>
> Regards,
>
> Pekka Savola pekkas@netcore.fi
> ---

Hello, my setup is as follows: a FreeBSD server running IPFilter/IPNat on DSL
for my Win98SE workstation. Now, I've modified the ident2 server (very, very
slightly, one line only) to answer all ident requests, including NAT'd
connections. If I irc from FreeBSD, ident2 gives the irc server whatever ident
I choose (.ident file in my home dir) or my real user name, as it should. But
if I irc from the Win98 machine, ident2 gives a random ident reply.

That was the best I could do right now, as I still don't know (YET) how to get
ident2 to query IPNat for the current mappings (ipnat -l shows all current
table mappings, and I can theoretically parse through that list to match the
port numbers sent by the irc server), and then turn around and have ident2
query the mIRC or Xircon client for ident requests to send back to the irc
server. Hopefully someone with more knowledge of IPNat or ipfw programming
could give some pointers.

Theoretically the events that happen should be:

1. Irc server sends request (of form 6666, 5125) to FreeBSD ident2
2. ident2 checks user and sees that no one is irc'ing from the FreeBSD box.
3. ident2 then checks IPNat's table mappings to match any current ports
   requested by the irc server (don't know how safe this step is...)
4. If it finds the port, ident2 would send out a request of its own to port 113
   at the IP of the mapped ports and query for an ident response.
5. mIRC or whatever irc client is running on the Windows box would reply to the
   ident request.
6. ident2 would take that reply and bounce it to the irc server on the outside.

Hopefully this is understandable. Right now I can get the mapping
(system("ipnat -l")) and parse it (if I run ident2 as root and keep it from
dropping to a lesser id), but it's all very insecure. I'm hoping for a better
way of interfacing with IPNat, and might work something out when I have more
time on my hands.

This is all preliminary and I don't even know if this would work or not, just
thought I'd toss in my 2 cents and get feedback/help. Please, if this is just a
lame-brained idea that you know for certain won't work, don't hesitate to let
me know. d:) Otherwise I would be wasting my and everyone else's time.

Davec

P.S. Oh, and let me know if anyone wants the modified ident2, I have it shar'd
as a port, with the added patch. And yes, one of these days I will remember to
contact the author to let him know how I've mangled his program...

--
Davec@unforgettable.com

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-stable" in the body of the message
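Added example, not Davec's modified ident2 and not code from the ident2 or IP Filter projects: steps 3 to 6 of the relay sketched above, in Python. It assumes that `ipnat -l` prints each active session as `MAP <inside ip> <inside port> <- -> <outside ip> <outside port> [<remote ip> <remote port>]` (the column layout is an assumption; the sample output, addresses and ports are constructed), uses the RFC 1413 port order `<port-on-server> , <port-on-client>` where port-on-server is the port on the host being asked (the NAT box's outside port), and answers the "how safe is this step" question in step 3 with a check: a mapping is used only when its far end is the very host that sent the ident query and the port it named, so nobody can use the relay to find out who inside is connected to some other server.

```python
import re
import subprocess
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Assumed shape of a "List of active sessions:" line from `ipnat -l` (modelled on IP
# Filter's output; the exact column layout is an assumption, adjust SESSION_RE if needed):
#   MAP <inside ip> <inside port> <- -> <outside ip> <outside port> [<remote ip> <remote port>]
SESSION_RE = re.compile(r"^MAP\s+(\S+)\s+(\d+)\s+<-\s*->\s+(\S+)\s+(\d+)\s+\[(\S+)\s+(\d+)\]")
IDENT_REQ_RE = re.compile(r"^\s*(\d{1,5})\s*,\s*(\d{1,5})\s*$")
IDENT_REPLY_RE = re.compile(r"^\s*(\d+)\s*,\s*(\d+)\s*:\s*(USERID|ERROR)\s*:\s*(.*)$")
ERROR_KINDS = {"INVALID-PORT", "NO-USER", "HIDDEN-USER", "UNKNOWN-ERROR"}

# Constructed sample output, not a capture from a real box.
SAMPLE_IPNAT_L = """\
List of active sessions:
MAP 192.168.0.10    1034  <- -> 203.0.113.5     5125  [198.51.100.7 6666]
MAP 192.168.0.10    1035  <- -> 203.0.113.5     5126  [198.51.100.20 80]
"""

@dataclass(frozen=True)
class Mapping:
    inside_ip: str
    inside_port: int
    outside_ip: str
    outside_port: int
    remote_ip: str
    remote_port: int

def parse_ipnat_sessions(text: str) -> List[Mapping]:
    """Step 3's raw material: one Mapping per active MAP session line, other lines skipped."""
    maps = []
    for line in text.splitlines():
        m = SESSION_RE.match(line.strip())
        if m:
            g = m.groups()
            maps.append(Mapping(g[0], int(g[1]), g[2], int(g[3]), g[4], int(g[5])))
    return maps

def load_ipnat_sessions() -> List[Mapping]:
    """Runs ipnat directly, with no shell in between, unlike system("ipnat -l")."""
    out = subprocess.run(["ipnat", "-l"], capture_output=True, text=True, check=True)
    return parse_ipnat_sessions(out.stdout)

def parse_ident_request(line: str) -> Optional[Tuple[int, int]]:
    """RFC 1413 query '<port-on-server> , <port-on-client>': first the port on the host
    being asked (our outside port), then the asker's (the IRC server's) port."""
    m = IDENT_REQ_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    srv, cli = int(m.group(1)), int(m.group(2))
    return (srv, cli) if 1 <= srv <= 65535 and 1 <= cli <= 65535 else None

def error_reply(port_on_server: int, port_on_client: int, kind: str) -> bytes:
    return f"{port_on_server} , {port_on_client} : ERROR : {kind}\r\n".encode("ascii")

def find_mapping(maps: List[Mapping], outside_port: int, asker_ip: str,
                 asker_port: int) -> Optional[Mapping]:
    """Step 3 plus the safety check: match only a session whose far end is the host that
    sent the query and the port it named, so the relay cannot be used as an oracle."""
    for m in maps:
        if (m.outside_port, m.remote_ip, m.remote_port) == (outside_port, asker_ip, asker_port):
            return m
    return None

def inside_query(m: Mapping) -> bytes:
    """Step 4: the query for the inside host's port 113, port-on-server rewritten to its pre-NAT port."""
    return f"{m.inside_port} , {m.remote_port}\r\n".encode("ascii")

def relay_reply(inside_reply: bytes, m: Mapping) -> bytes:
    """Step 6: translate the inside reply's port pair back to the outside view. Anything not a
    well-formed RFC 1413 reply for exactly this session becomes an ERROR line; nothing is echoed."""
    try:
        text = inside_reply.decode("ascii").rstrip("\r\n")
    except UnicodeDecodeError:
        return error_reply(m.outside_port, m.remote_port, "UNKNOWN-ERROR")
    r = IDENT_REPLY_RE.match(text)
    if not r or (int(r.group(1)), int(r.group(2))) != (m.inside_port, m.remote_port):
        return error_reply(m.outside_port, m.remote_port, "UNKNOWN-ERROR")
    kind, tail = r.group(3), r.group(4).strip()
    if kind == "ERROR":
        return error_reply(m.outside_port, m.remote_port,
                           tail if tail in ERROR_KINDS else "UNKNOWN-ERROR")
    clean = lambda s: "".join(c for c in s.strip() if c.isprintable())  # drop control chars
    opsys, _, userid = tail.partition(":")
    return (f"{m.outside_port} , {m.remote_port} : USERID : {clean(opsys)} : "
            f"{clean(userid)[:512]}\r\n").encode("ascii")  # 512 = RFC 1413 user-id cap

def answer(maps: List[Mapping], request_line: str, asker_ip: str,
           ask_inside: Callable[[str, bytes], bytes]) -> bytes:
    """Steps 1 to 6 for a NAT'd connection; ask_inside(inside_ip, query) does the TCP round
    trip to the inside host's identd (a fake stands in for it when testing offline)."""
    req = parse_ident_request(request_line)
    if req is None:
        return error_reply(0, 0, "INVALID-PORT")
    outside_port, asker_port = req
    m = find_mapping(maps, outside_port, asker_ip, asker_port)
    if m is None:
        return error_reply(outside_port, asker_port, "NO-USER")
    return relay_reply(ask_inside(m.inside_ip, inside_query(m)), m)
```

Step 2 (checking for a local user first) is left to the identd itself. The parser works on text, so the daemon can run load_ipnat_sessions() and then drop privileges, or read ipnat output handed to it by a small privileged helper, instead of calling system("ipnat -l") from an identd kept running as root; and because the inside host's reply is re-parsed and re-serialised, the Windows box can never push an arbitrary line through to the IRC server.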