Hi Gary,
> -----Original Message-----
> From: Gary T. Giesen [mailto:mailing dash list at rogers dot com]
> Sent: Thursday, 27 May 2004 01:25
> To: m0n0wall dash dev at lists dot m0n0 dot ch
> Subject: [m0n0wall-dev] Oidentd on m0n0wall
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> I know this idea probably won't be well-liked, but I'll run
> it past you guys anyways. I have managed to get oidentd
> running on m0n0wall, along with a nice configuration page in
> the services section of the webGUI.
Well, I for one don't think that ident needs to be in the default m0n0wall
image, but if you wish to build this as a module/plugin, then feel free to
do it that way.
> I'm sure you'll say that m0n0wall is a firewall only, but the
> firewall/nat box is the only place you can set up transparent
> proxying; otherwise you'd have to forward port 113 to
> another machine, and set up oidentd with a bunch of fake
> mappings that could change. Also, that only gives you one
> possible ident per machine, as far as I'm aware. Having
> oidentd on m0n0wall would allow you to provide authentic
> ident responses from client machines, and it would be pretty
> much maintenance free when adding new clients on the network,
> as opposed to doing it on another machine. So I'd ask that
> you consider it. Not to mention the work has already been
> done for you.
Across a controlled network, such as a LAN, ident can be seen to have some
sense. Across the Internet, there's no real use/purpose for ident at all as
it can be easily spoofed, faked, or treated with an ident client like
oidentd - resulting in a fake ident response being sent. Running oidentd on
your m0n0wall effectively provides a faked response to the other end - the
machine that is responding to the ident probe is *generally* not the same
machine that is actually connecting to the remote machine - and yes, I know
the firewall makes the final part of the connection, but the protected
machine initiates this connection.
>
> Regards,
>
> Gary T. Giesen
>
>
> PS. For anyone interested in testing/using this in the
> meantime, contact me and I'll be happy to send you the
> required modified files
> -- it's been set up against the official 1.0 release.
Again, there's a plugin interface for this sort of thing. I suggest you use
that, as an ident client does not belong in the standard m0n0wall build.
--
Regards,
Hilton Travis Phone: +61-(0)7-3343-3889
Manager, Mobile: +61 (0)419 792 394
Quark IT http://www.QuarkIT.com.au/
Quark AudioVisual http://www.QuarkAV.net/
(Brisbane, Australia)
Network Administration, SmoothWall Firewalls, NOD32 AntiVirus
Non Linear Video Editing Solutions & Digital Audio Workstations
Conference and Seminar AudioVisual Production and Recording
War doesn't determine who is right. War determines who is left.
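To make the exchange the two of them are arguing about concrete, here is an added example (not m0n0wall or oidentd code) that models an RFC 1413 ident responder sitting on a NAT firewall. The request and reply formats are RFC 1413; the NAT state table, the LAN hosts' ident answers, the `answer_ident` function and all addresses and ports are constructed for illustration. The lookup is keyed on the querying host's address as well as the port pair, as RFC 1413 requires, so a third party cannot probe the firewall for other hosts' connections; and the reply is only ever a relay of what the inside host reports, which is exactly why it is no more "authentic" than that host chooses to be.

```python
"""Minimal RFC 1413 (ident) responder model for a NAT firewall (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

IDENT_PORT = 113  # TCP port an ident querier connects to (RFC 1413)

# Request line: "<port-on-server> , <port-on-client>" (RFC 1413 section 3).
# From the responder's point of view, port-on-server is its own port and
# port-on-client is the port on the host sending the query.
_REQUEST_RE = re.compile(r"^\s*(\d{1,5})\s*,\s*(\d{1,5})\s*$")


@dataclass(frozen=True)
class IdentRequest:
    server_port: int  # port on the host being queried (here: the firewall's WAN side)
    client_port: int  # port on the host sending the query


def parse_request(line: str) -> Optional[IdentRequest]:
    """Parse one ident request; None when malformed or a port is outside 1..65535."""
    m = _REQUEST_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    sp, cp = int(m.group(1)), int(m.group(2))
    if not (1 <= sp <= 65535 and 1 <= cp <= 65535):
        return None
    return IdentRequest(sp, cp)


def format_reply(req: Optional[IdentRequest], *, user: Optional[str] = None,
                 opsys: str = "UNIX", error: Optional[str] = None) -> str:
    """Build an RFC 1413 response line (CRLF terminated).

    Unparsable requests get "0 , 0" as the port pair; that value is this
    example's choice, RFC 1413 does not mandate it.
    """
    ports = f"{req.server_port} , {req.client_port}" if req else "0 , 0"
    if error is not None:
        return f"{ports} : ERROR : {error}\r\n"
    return f"{ports} : USERID : {opsys} : {user}\r\n"


# Constructed NAT state: (querier address, WAN-side source port, remote port)
# -> (inside host, inside source port). A real firewall would read its own
# translation table instead.
NatKey = Tuple[str, int, int]
Inside = Tuple[str, int]

NAT_STATE: Dict[NatKey, Inside] = {
    ("198.51.100.7", 61000, 6667): ("10.0.0.5", 40001),  # IRC session from LAN host .5
    ("198.51.100.7", 61001, 6667): ("10.0.0.9", 50321),  # another session from LAN host .9
}

# Constructed: what each LAN host's own ident daemon reports for its local
# port. None models a host that refuses to answer (HIDDEN-USER).
INSIDE_IDENT: Dict[Inside, Optional[str]] = {
    ("10.0.0.5", 40001): "alice",
    ("10.0.0.9", 50321): None,
}


def answer_ident(querier: str, line: str,
                 nat_state: Dict[NatKey, Inside] = NAT_STATE,
                 inside_ident: Dict[Inside, Optional[str]] = INSIDE_IDENT) -> str:
    """Answer one ident query arriving from `querier` at the firewall's WAN side."""
    req = parse_request(line)
    if req is None:
        return format_reply(None, error="INVALID-PORT")
    # Only connections whose far end is the querying host are looked up, so a
    # third party learns nothing about other people's sessions.
    inside = nat_state.get((querier, req.server_port, req.client_port))
    if inside is None:
        return format_reply(req, error="NO-USER")
    user = inside_ident.get(inside)
    if user is None:
        return format_reply(req, error="HIDDEN-USER")
    # The firewall has no user of its own for this socket; it relays whatever
    # the inside host claimed, which is the only "authenticity" on offer.
    return format_reply(req, user=user)


if __name__ == "__main__":
    for q, line in [("198.51.100.7", "61000 , 6667"), ("198.51.100.7", "61001 , 6667"),
                    ("203.0.113.4", "61000 , 6667"), ("198.51.100.7", "70000 , 6667")]:
        print(f"{q} asks {line!r} -> {answer_ident(q, line)!r}")
```

The `querier` argument is the peer address of the TCP connection to port 113; the four sample queries show a relayed USERID, an inside host that hides itself, a third party asking about someone else's session (answered NO-USER), and an out-of-range port.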