For the archives:
No, you don't want to make one ident call per new remote IP+port seen by
your firewall, just as you don't want to resolve DNS for each new remote IP
and so on.

You also don't want the kernel to cache the result of each response for 5
minutes times the number of remote ports times the number of remote ips.

Lastly, you can't invalidate your FW cache when my box does vipw. The
remote-add/remove-user-update-all-the-worlds-firewalls-protocol isn't quite
finished yet.

But apart from that, it's neat that you thought out the manpage diff.




2013/8/15 Andres Perera <andre...@zoho.com>

> the kernel can make identd queries with
>
> setenv("remote_port", 123);
> setenv("local_port", 456);
> popen("echo $remote_port, $local_port|nc localhost 113|sed 's,.*:,,'", "r");
>
>
> I have a diff to change chroot(1) so that it documents the need:
>
> +.Sh
> +needs nc and sed in the chroot for pf usage
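Review bot: the added `.Sh` line has no section title argument, so mdoc would emit an empty section header before "needs nc and sed in the chroot for pf usage"; give it a title (for example the existing CAVEATS section of chroot(1)) or drop the `.Sh` and put the sentence under an existing section.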
>
> or alternatively identc can be implemented as a kernel module
>
> identd responses could be cached for 5 minutes and invalidated when
> the remote host does adduser, or vipw
>
> On Wed, Aug 14, 2013 at 6:55 PM, Henning Brauer <lists-openbsdb...@bsws.de> wrote:
> > * Maxim Khitrov <m...@mxcrypt.com> [2013-08-14 22:51]:
> >> On Wed, Aug 14, 2013 at 3:14 PM, Mike Belopuhov <m...@belopuhov.com> wrote:
> >> > unless a local socket is found, user or group check will not be performed.
> >> That doesn't make sense to me. Are you saying that a user/group
> >> condition is ignored in some cases? That sounds like a bug in itself.
> >
> > think it through: how do you look up the user owning the socket on a
> > remote machine?
> >
> > --
> > Henning Brauer, h...@bsws.de, henn...@openbsd.org
> > BS Web Services GmbH, http://bsws.de, Full-Service ISP
> > Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
> > Henning Brauer Consulting, http://henningbrauer.com/
>
>


-- 
May the most significant bit of your life be positive.
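For the archives as well, an added pf.conf fragment (not from this thread or from the pf project) showing the point Henning makes: user and group can only be resolved for sockets on the firewall itself, and forwarded traffic has no owner to look up. The interface and user names are assumptions.

```pf
# Added example, not from the thread. em0/em1 and the user names are
# assumptions for illustration.
ext_if = "em0"
int_if = "em1"

# Locally originated connection: the firewall is the endpoint, so pf can
# look up the owner of the local socket. The user option applies here.
pass out on $ext_if proto tcp from ($ext_if) to any port { 80 443 } user _pkgfetch

# Connection to a daemon on the firewall itself: the user is the one
# holding the listening socket, which pf can also resolve locally.
pass in on $ext_if proto tcp from any to ($ext_if) port 22 user root

# Forwarded traffic: neither socket is local, so no user or group can be
# determined (there is no remote lookup). A rule with "user somebody"
# never matches these packets; the special value "unknown" is the only
# way to refer to them.
pass in on $int_if proto tcp from $int_if:network to any port 80 user unknown
```

Rules that expect per-user matching on forwarded connections silently match nothing, which is the "bug" Maxim saw and the reason the ident-based alternative above does not scale.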
