> -----Original Message-----
> From: Gary T. Giesen [mailto:mailing dash list at rogers dot com]
> Sent: Thursday, 27 May 2004 01:25
> To: m0n0wall dash dev at lists dot m0n0 dot ch
> Subject: [m0n0wall-dev] Oidentd on m0n0wall
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> I know this idea probably won't be well-liked, but I'll run
> it past you guys anyways. I have managed to get oidentd
> running on m0n0wall, along with a nice configuration page in
> the services section of the webGUI.
Well, I for one don't think that ident needs to be in the default m0n0wall
image, but if you wish to build this as a module/plugin, then feel free to
do it that way.
> I'm sure you'll say that m0n0wall is a firewall only, but the
> firewall/nat box is the only place you can set up transparent
> proxying; otherwise you'd have for forward port 113 to
> another machine, and setup oidentd with a up a bunch of fake
> mappings that could change. Also, that only gives you one
> possible ident per machine, as far as Im aware. Having
> oidentd on m0n0wall would allow you to provide authentic
> ident responses from client machines, and it would be pretty
> much maintenance free when adding new clients on the network,
> as opposed to doing it on another machine. So I'd ask that
> you consider it. Not to mention the work has already been
> done for you.
Across a controlled network, such as a LAN, ident can be seen to have some
sense. Across the Internet, there's no real use/purpose for ident at all as
it can be easily spoofed, faked, or treated with an ident client like
oidentd - resulting in a fake ident response being sent. Running oidentd on
your m0n0wall effectively provides a faked response to the other end - the
machine that is responding to the ident probe is *generally* not the same
machine that is actually connecting to the remote machine - and yes, I know
the firewall makes the final part of the connection, but the protected
machine initiates this connection.
> Gary T. Giesen
> PS. For anyone interested in testing/using this in the
> meantime, contact me and I'll be happy to send you the
> required modified files
> - - it's been setup against the official 1.0 release.
Again, there's a plugin interface for this sort of thing. I suggest you use
that, as an ident client does not belong in the standard m0n0wall build.
Hilton Travis Phone: +61-(0)7-3343-3889
Manager, Mobile: +61 (0)419 792 394
Quark IT http://www.QuarkIT.com.au/
Quark AudioVisual http://www.QuarkAV.net/
Network Administration, SmoothWall Firewalls, NOD32 AntiVirus
Non Linear Video Editing Solutions & Digital Audio Workstations
Conference and Seminar AudioVisual Production and Recording
War doesn't determine who is right. War determines who is left.