Linux Netfilter discussions
* Identd requests through firewall
@ 2005-11-13 16:45 Robby Workman
  2005-11-13 17:09 ` /dev/rob0
  0 siblings, 1 reply; 3+ messages in thread
From: Robby Workman @ 2005-11-13 16:45 UTC (permalink / raw)
  To: netfilter

Greetings...
IRC servers do an identd lookup when you connect to them, and although 
most of them do not require a response, I'd like to at least have the 
capability to return a response should I need to do so.  I currently 
have all incoming identd requests to the firewall rejected with TCP 
RST, and this is adequate for the time being.

What I would like to do is forward the request to one of the boxes 
behind the firewall (whichever one is attempting a connection with an 
IRC server).  I know how to forward them all to one of the individual 
machines (say box 1), but this does not help if I'm using one of the 
other boxes to connect.

In order for a connection to be considered "RELATED," a helper module 
would have to exist.  In the absence of such a module (the netfilter 
IRC module does not do this, if I understand correctly), is there some 
other way to make iptables "know" that box1 has initiated a connection 
to $IRCSERVER and hence forward incoming identd requests from 
$IRCSERVER to box 1?

It shouldn't matter, but Firewall is Slackware 10.0 +patches, and most 
boxes behind the firewall are Slackware -something...

Thanks in advance...


Network Diagram:

   Dialup
   Internet
      |
      |
------------
| (ppp0)   |
| Firewall |
| (eth0)   |
------------
      |
      |
------------
|          |
|  Switch  |
|          |
------------
      |
      |---------------------------
      |             |            |
      |             |            |
    box 1         box 2        box 3


-- 

http://rlworkman.net



* Re: Identd requests through firewall
  2005-11-13 16:45 Identd requests through firewall Robby Workman
@ 2005-11-13 17:09 ` /dev/rob0
  2005-11-15 16:12   ` Robby Workman
  0 siblings, 1 reply; 3+ messages in thread
From: /dev/rob0 @ 2005-11-13 17:09 UTC (permalink / raw)
  To: netfilter

On Sunday 2005-November-13 10:45, Robby Workman wrote:
> What I would like to do is forward the request to one of the boxes
> behind the firewall (whichever one is attempting a connection with an
> IRC server).  I know how to forward them all to one of the individual
> machines (say box 1), but this does not help if I'm using one of the
> other boxes to connect.

Perhaps an easier solution than a patch of the IRC helper driver to 
handle auth requests: run midentd on your firewall machine.
    http://freshmeat.net/projects/midentd/
Haven't tried it, myself. You would need to ACCEPT auth at the firewall 
(INPUT chain). Probably the only way around that is the aforementioned 
patch.
-- 
    mail to this address is discarded unless "/dev/rob0"
    or "not-spam" is in Subject: header
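Neither message above carries code, so here is an added example (mine, not the posters' and not midentd's) of the lookup both of them turn on: the IRC server only ever sees the firewall's ppp0 address and the NAT-rewritten source port, so an RFC 1413 query "<port-on-server> , <port-on-client>" has to be matched against the reply tuple of the conntrack entry, never against the inside box's own port. The block parses a constructed /proc/net/ip_conntrack sample (its layout is assumed from 2.6-era kernels), answers the query on the firewall the way the second post suggests, and can also emit the per-peer DNAT rule the first post asks for. All addresses, ports, interface name and userids are made up.

```python
"""RFC 1413 (ident) lookup for a NAT firewall, driven by the conntrack table.

Added example, not code from the thread or from midentd.  The IRC server
only ever sees the firewall's public address and the NAT-rewritten source
port, so an ident query "<port-on-server> , <port-on-client>" has to be
matched against the *reply* tuple of the conntrack entry, not the inside
box's own port.  Every address, port and userid below is constructed.
"""
import re

# Constructed sample in the /proc/net/ip_conntrack layout of 2.6-era kernels
# (assumed): original tuple, then the NAT-rewritten reply tuple.
# 198.51.100.7 plays the firewall's ppp0 address, 192.168.1.0/24 the LAN.
SAMPLE_CONNTRACK = """\
tcp      6 431995 ESTABLISHED src=192.168.1.2 dst=203.0.113.5 sport=34567 dport=6667 src=203.0.113.5 dst=198.51.100.7 sport=6667 dport=34567 [ASSURED] use=1
tcp      6 431980 ESTABLISHED src=192.168.1.3 dst=203.0.113.9 sport=40001 dport=6667 src=203.0.113.9 dst=198.51.100.7 sport=6667 dport=1025 [ASSURED] use=1
udp      17 28 src=192.168.1.4 dst=198.51.100.1 sport=51000 dport=53 src=198.51.100.1 dst=198.51.100.7 sport=53 dport=51000 use=1
tcp      6 118 SYN_SENT src=192.168.1.4 dst=203.0.113.5 sport=50222 dport=6667 [UNREPLIED] src=203.0.113.5 dst=198.51.100.7 sport=6667 dport=50222 use=1
"""

TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")


def parse_conntrack(text):
    """Return TCP entries as (orig, reply) pairs of (src, dst, sport, dport)."""
    entries = []
    for line in text.splitlines():
        if not line.startswith("tcp"):
            continue
        found = TUPLE_RE.findall(line)
        if len(found) != 2:          # tolerate lines we do not understand
            continue
        orig, reply = [(s, d, int(sp), int(dp)) for s, d, sp, dp in found]
        entries.append((orig, reply))
    return entries


def parse_ident_query(line):
    """Parse '<port-on-server> , <port-on-client>'; None if malformed or out of range."""
    parts = line.strip().split(",")
    if len(parts) != 2:
        return None
    try:
        server_port, client_port = (int(p.strip()) for p in parts)
    except ValueError:
        return None
    if not (1 <= server_port <= 65535 and 1 <= client_port <= 65535):
        return None
    return server_port, client_port


def find_inside_host(entries, peer_ip, server_port, client_port):
    """Map the querier's view of the connection back to the inside host.

    server_port is the port the IRC server saw on *us* (post-NAT), client_port
    is its own port.  Requiring reply.src == peer_ip means only the other end
    of the connection can ask about it; a third party probing port pairs gets
    nothing.
    """
    for orig, reply in entries:
        r_src, _r_dst, r_sport, r_dport = reply
        if r_src == peer_ip and r_sport == client_port and r_dport == server_port:
            return orig[0]
    return None


def ident_reply(query_line, peer_ip, entries, userid_by_host):
    """Build the RFC 1413 response line the firewall would send to peer_ip."""
    ports = parse_ident_query(query_line)
    if ports is None:
        # Nothing trustworthy to echo back, so send a neutral port pair.
        return "0 , 0 : ERROR : INVALID-PORT"
    server_port, client_port = ports
    host = find_inside_host(entries, peer_ip, server_port, client_port)
    if host is None:
        return f"{server_port} , {client_port} : ERROR : NO-USER"
    userid = userid_by_host.get(host)
    if userid is None:
        # The connection is real but we choose not to name the user behind it.
        return f"{server_port} , {client_port} : ERROR : HIDDEN-USER"
    return f"{server_port} , {client_port} : USERID : UNIX : {userid}"


def dnat_rule(peer_ip, inside_ip, ext_if="ppp0"):
    """The alternative the first post asks about: hand the query to the inside
    box's own identd instead of answering here.  Returns the iptables command
    (real syntax; FORWARD must also permit the flow)."""
    return (f"iptables -t nat -I PREROUTING -i {ext_if} -p tcp -s {peer_ip} "
            f"--dport 113 -j DNAT --to-destination {inside_ip}:113")


if __name__ == "__main__":
    table = parse_conntrack(SAMPLE_CONNTRACK)
    users = {"192.168.1.2": "robby"}
    for query, peer in [("34567 , 6667", "203.0.113.5"),
                        ("1025 , 6667", "203.0.113.9"),
                        ("40001 , 6667", "203.0.113.9"),
                        ("34567 , 6667", "198.51.100.99")]:
        print(f"{peer} asks {query!r:18} -> {ident_reply(query, peer, table, users)}")
    print(dnat_rule("203.0.113.5", find_inside_host(table, "203.0.113.5", 34567, 6667)))
```

Two things to notice when running it: the second LAN box's query only matches on the rewritten port 1025, so asking about its real port 40001 returns NO-USER, and a query from an address that is not the other end of the connection also returns NO-USER rather than leaking who is behind the NAT. Whichever way you go, the firewall has to stop rejecting port 113 with RST, i.e. something like "iptables -A INPUT -i ppp0 -p tcp --dport 113 -j ACCEPT" (or the DNAT plus a matching FORWARD rule) has to precede the existing REJECT.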



* Re: Identd requests through firewall
  2005-11-13 17:09 ` /dev/rob0
@ 2005-11-15 16:12   ` Robby Workman
  0 siblings, 0 replies; 3+ messages in thread
From: Robby Workman @ 2005-11-15 16:12 UTC (permalink / raw)
  To: netfilter

/dev/rob0 wrote:
> On Sunday 2005-November-13 10:45, Robby Workman wrote:
> 
>>What I would like to do is forward the request to one of the boxes
>>behind the firewall (whichever one is attempting a connection with an
>>IRC server).  I know how to forward them all to one of the individual
>>machines (say box 1), but this does not help if I'm using one of the
>>other boxes to connect.
> 
> 
> Perhaps an easier solution than a patch of the IRC helper driver to 
> handle auth requests: run midentd on your firewall machine.
>     http://freshmeat.net/projects/midentd/
> Haven't tried it, myself. You would need to ACCEPT auth at the firewall 
> (INPUT chain). Probably the only way around that is the aforementioned 
> patch.


Thanks for the response; I agree that midentd appears to fit the bill. 
However, I must admit that I'm surprised that a patch for this doesn't 
exist - I wish I had the knowledge to do it...

RW

-- 

http://rlworkman.net


