 From:  Fred Wright <fw at well dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  RE: [m0n0wall] windows built in "ident"...
 Date:  Tue, 30 Dec 2003 18:16:19 -0800 (PST)
On Tue, 30 Dec 2003, Mitch (WebCob) wrote:

> I realize that the soft firewall has more than network access to the
> machine, but the linksys router can do a variety of things - block all
> access if zone alarm is not active on the initiating computer and so on -

There must be something kludgy going on to make *that* work.

> not sure where the functionality crosses over... I HAVE seen identd
> services for windows - maybe they could make the internal api calls
> transparent to a remote device...

Ident only provides a userid, not an application name.  It was intended
for timeshared systems where a number of different users might be
connecting from the same machine.  It's pretty meaningless on a
single-user machine where the user can configure the response.

Of course an identd server *could* return an application name, but that
isn't even remotely standard, and it would be a stretch to say it even
complies with the standard.

> My goal would be centralized management and control of that sort of access -
> I want to allow web browsing, but not other programs which masquerade as a
> web client to evade the firewall (viruses, trojans and so on).

On an unprotected system, you can't keep applications from lying about who
they are.  The best you can do is make it somewhat harder.  The best way
to minimize the risk of viruses and Trojans is not to run Windows. :-)

> So if it doesn't exist now, there may be the requirement of running an agent
> on the client PC. The firewall would reject any outbound connections from a
> PC NOT running the agent, and would only allow those that can be properly
> identified and match a rule set if the agent is present...

One way of doing that is to use SOCKS.  There are transparent SOCKS
wrappers that are fairly configurable with respect to what's allowed, and
SOCKS avoids all the usual NAT problems with remapping addresses and port
numbers (provided that it's a SOCKS-supported protocol).  But you need a
SOCKSd on the firewall.

					Fred Wright
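As an added illustration (not part of the list post above), a parser for the RFC 1413 ident reply format. It makes Fred's point concrete: the only identity an ident reply carries is an opaque user-id string chosen by the answering host, so a firewall cannot learn which application opened the connection from it. The sample replies are constructed.

```python
import re

# RFC 1413 reply grammar:
#   <server-port> , <client-port> : USERID : <opsys>[,<charset>] : <user-id>
#   <server-port> , <client-port> : ERROR : <error-type>
# <opsys> never contains a colon; <user-id> may contain anything except
# NUL, CR and LF, so it is split off at the first colon after <opsys>.
_REPLY = re.compile(
    r"^\s*(\d{1,5})\s*,\s*(\d{1,5})\s*:\s*(USERID|ERROR)\s*:\s*(.*)$"
)


def parse_ident_reply(line):
    """Parse one identd reply line into a dict; raise ValueError if malformed."""
    m = _REPLY.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError("malformed ident reply: %r" % line)
    sport, cport, kind, rest = m.groups()
    reply = {"server_port": int(sport), "client_port": int(cport)}
    if kind == "ERROR":
        reply["error"] = rest.strip()  # e.g. NO-USER, HIDDEN-USER
        return reply
    opsys, sep, userid = rest.partition(":")
    if not sep:
        raise ValueError("USERID reply lacks a user-id field: %r" % line)
    reply["opsys"] = opsys.strip()
    # Returned verbatim: the protocol defines no application-name field, and
    # a single-user host can configure this value to be anything at all.
    reply["userid"] = userid.strip()
    return reply


# Constructed sample replies, as a firewall-side ident client might see them.
SAMPLE_REPLIES = [
    "6195, 23 : USERID : UNIX : stjohns\r\n",
    "6195, 23 : ERROR : NO-USER\r\n",
    # A Windows identd can answer with any string; this proves nothing.
    "1234 , 80 : USERID : OTHER,US-ASCII : iexplore.exe\r\n",
]


def userids(lines):
    """Return the user-id strings of all USERID replies, in order."""
    return [r["userid"] for r in map(parse_ident_reply, lines) if "userid" in r]


if __name__ == "__main__":
    for line in SAMPLE_REPLIES:
        print(parse_ident_reply(line))
```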