Actually you have several choices on how to handle identd.  (there are 
religious implications about the use of identd, so I'm only addressing the 
technical aspects)  Your choices are to permit identd to pass through your 
firewall, drop identd, or reject identd.
Here are the implications of each:

1.      Permit identd.  This allows the querying server to try and 
determine the userid of the requester of a service.  In this case, the 
server falcon is attempting to determine what userid is attached to the 
process using the pop3 service (specified by the requester's source 
port).  I'll leave the question of why this is so to the RFC.  Things to think 
about:  If you are doing a many-to-one masquerade, you'll have to have your 
firewall link the pop3 (or whatever) service to the identd request or have 
the firewall itself answer the identd with some canned reply (see Chris's 
response below).  If you have a static NAT (which does not appear to be the 
case for you), then this isn't really a problem.  Another thing to think 
about is how broadly you permit access to your identd port.  If you really 
want to permit identd, I'd try and limit it to those servers that you trust 
rather than opening the port to "any".
2.      Drop identd.  This method simply ignores the request to the identd 
port and never responds to the sender.  This makes your firewall harder to 
find (port mapping or discovery software), but it also makes things like 
pop3 servers wait until the TCP time out completes.  If performance is an 
issue, this is not the preferable option.
3.      Reject identd.  This method sends a response packet to the sender 
stating that the port is unavailable (usually an ICMP port unreachable 
packet).  The process requesting the identd information will usually return 
immediately and get on with the transaction.  This is a very common thing 
to do for mail relay servers since most of the time the answer for sendmail 
or the like will be root or nobody.  This lets the sender know that either 
you don't handle identd or you actively block it.  It gives port mapping 
software a response that you exist and that the port is unavailable or blocked.

Hope that helps.

David Taylor
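
The RFC 1413 exchange David and Chris refer to, as an added example that is not part of any message in this thread: a request/reply parser plus the three answering policies a firewall in front of masqueraded hosts might use (hide everything with ERROR : HIDDEN-USER, a fixed "nobody", or a real table lookup). The sample request "1257 , 110" is constructed from the posted trace: falcon (pop3, port 110) asking 15bis which user owns its port 1257. The "0 , 0" echo for an unparseable request and the UNIX opsys token are this example's choices, not something the thread states.

```python
import re
from typing import Callable, Optional, Tuple

# RFC 1413 error tokens a server may return in place of a user id.
ERROR_TOKENS = ("INVALID-PORT", "NO-USER", "HIDDEN-USER", "UNKNOWN-ERROR")

# Request line: "<port-on-server> , <port-on-client>" (whitespace around the comma is optional).
_REQUEST_RE = re.compile(r"^\s*(\d+)\s*,\s*(\d+)\s*$")
# Reply line: "<port-on-server> , <port-on-client> : <USERID|ERROR> : <add-info>".
_REPLY_RE = re.compile(r"^\s*(\d+)\s*,\s*(\d+)\s*:\s*(USERID|ERROR)\s*:\s*(.*?)\s*$")

Lookup = Callable[[int, int], str]  # (server_port, client_port) -> user id or error token


def parse_request(line: str) -> Optional[Tuple[int, int]]:
    """Return (server_port, client_port), or None if the request is malformed or out of range."""
    line = line.rstrip("\r\n")
    if len(line) > 1000:  # RFC 1413 caps the request line at 1000 octets
        return None
    m = _REQUEST_RE.match(line)
    if not m:
        return None
    sp, cp = int(m.group(1)), int(m.group(2))
    if not (1 <= sp <= 65535 and 1 <= cp <= 65535):
        return None
    return sp, cp


def respond(line: str, lookup: Lookup) -> str:
    """Build the identd reply for one request line using the given answering policy."""
    pair = parse_request(line)
    if pair is None:
        # Echoing "0 , 0" for an unparseable request is this example's choice;
        # the RFC only requires an ERROR : INVALID-PORT reply.
        return "0 , 0 : ERROR : INVALID-PORT\r\n"
    sp, cp = pair
    result = lookup(sp, cp)
    if result in ERROR_TOKENS:
        return f"{sp} , {cp} : ERROR : {result}\r\n"
    return f"{sp} , {cp} : USERID : UNIX : {result}\r\n"


# Policies a firewall answering on behalf of masqueraded hosts might use:
def hide_all(sp: int, cp: int) -> str:
    """Answer every query but disclose nothing (the 'canned reply' option)."""
    return "HIDDEN-USER"


def canned_nobody(sp: int, cp: int) -> str:
    """Return a fixed, uninformative user id, as an MTA answering 'nobody' would."""
    return "nobody"


def table_lookup(table: dict) -> Lookup:
    """Answer from a (server_port, client_port) -> user table; NO-USER when absent."""
    return lambda sp, cp: table.get((sp, cp), "NO-USER")


def parse_reply(line: str) -> Optional[dict]:
    """Parse a reply the way the querying side (the pop3 or SMTP server) would."""
    m = _REPLY_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    ports = (int(m.group(1)), int(m.group(2)))
    if m.group(3) == "ERROR":
        return {"ports": ports, "type": "ERROR", "error": m.group(4)}
    opsys, _, user = m.group(4).partition(":")
    return {"ports": ports, "type": "USERID", "opsys": opsys.strip(), "user": user.strip()}


if __name__ == "__main__":
    # Constructed exchange modelled on the posted trace: falcon (pop3, port 110) has
    # accepted a connection from 15bis port 1257 and asks 15bis's identd who owns it.
    request = "1257 , 110\r\n"
    for policy in (hide_all, canned_nobody, table_lookup({(1257, 110): "bruno"})):
        reply = respond(request, policy)
        print(repr(reply), parse_reply(reply))
```

Whichever policy you pick, the point is that the querying server gets a syntactically valid answer straight away, so it does not sit in the TCP timeout that a silent drop causes, and with hide_all it learns nothing about the masqueraded client.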

>Hi,
>The auth protocol is a session between identd's on the
>respective machines. Its purpose and protocol are
>described in RFC-1413. If you specifically disable it,
>on the firewall, then the pop3 session will wait until
>it times-out (from the server side) before it continues.
>Most people don't like that 'wait' period so they
>permit it. Other people are more restrictive of the
>information allowed through the protocol so they put up
>with it. I have heard that there is a replacement for
>identd that returns prose rather than relevant user
>information. I've also heard that some others hack
>away at the pop3 source to exclude the call for ident.
>Best of Luck,
>Chris
>At 12:30 PM 1/14/2002 +0000, Bruno Negrão wrote:
> >Hi, I'm using a Red Hat Linux with 2 ethernet interfaces and iptables +
> >ipmasquerading.
> >I made a tcpdump of a connection between a masqueraded client machine
> >(192.168.13.10) and my external pop3 server (falcon.etcetera). The
> >firewall's name is 15bis.etcetera.com.br
> >
> >What I found interesting was a connection originated from the pop3 server
> >to my client "auth" port. Can someone explain what this connection is
> >made for and how it traverses my firewall? (does this new connection (auth)
> >have the state "RELATED"?)
> >
> >
> >13:18:20.484479 15bis.etcetera.com.br.1257 > falcon.etcetera.com.br.pop3: S
> >10873842:10873842(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)
> >13:18:20.484745 falcon.etcetera.com.br.pop3 > 192.168.13.10.1257: S
> >3336463748:3336463748(0) ack 10873843 win 32120 <mss 1460,nop,nop,sackOK>
> >(DF)
> >13:18:20.485471 15bis.etcetera.com.br.1257 > falcon.etcetera.com.br.pop3: .
> >ack 3336463749 win 8760 (DF)
> >13:18:20.486676 falcon.etcetera.com.br.4475 > 15bis.etcetera.com.br.auth: S
> >3342539285:3342539285(0) win 32120 <mss 1460,sackOK,timestamp 697211801
> >0,nop,wscale 0> (DF)
> >13:18:20.486787 15bis.etcetera.com.br.auth > falcon.etcetera.com.br.4475: R
> >0:0(0) ack 3342539286 win 0 (DF)
> >13:18:20.488595 falcon.etcetera.com.br.pop3 > 192.168.13.10.1257: P
> >1:40(39) ack 1 win 32120 (DF)
> >13:18:20.491085 15bis.etcetera.com.br.1257 > falcon.etcetera.com.br.pop3: P
> >0:29(29) ack 40 win 8721 (DF)
> >13:18:20.491337 falcon.etcetera.com.br.pop3 > 192.168.13.10.1257: . ack 30
> >win 32120 (DF)
> >13:18:20.491405 falcon.etcetera.com.br.pop3 > 192.168.13.10.1257: P
> >40:46(6) ack 30 win 32120 (DF)
> >13:18:20.494094 15bis.etcetera.com.br.1257 > falcon.etcetera.com.br.pop3: P
> >29:42(13) ack 46 win 8715 (DF)
> >13:18:20.502936 falcon.etcetera.com.br.pop3 > 192.168.13.10.1257: P
> >46:52(6) ack 43 win 32120 (DF)
> >13:18:20.505369 15bis.etcetera.com.br.1257 > falcon.etcetera.com.br.pop3: P
> >42:48(6) ack 52 win 8709 (DF)
> >13:18:20.505645 falcon.etcetera.com.br.pop3 > 192.168.13.10.1257: P
> >52:61(9) ack 49 win 32120 (DF)
> >13:18:20.510062 15bis.etcetera.com.br.1257 > falcon.etcetera.com.br.pop3: P
> >48:54(6) ack 61 win 8700 (DF)
> >13:18:20.510286 falcon.etcetera.com.br.pop3 > 192.168.13.10.1257: P
> >61:67(6) ack 55 win 32120 (DF)
> >13:18:20.510478 falcon.etcetera.com.br.pop3 > 192.168.13.10.1257: F
> >67:67(0) ack 55 win 32120 (DF)
> >13:18:20.511021 15bis.etcetera.com.br.1257 > falcon.etcetera.com.br.pop3: .
> >ack 68 win 8694 (DF)
> >13:18:20.512395 15bis.etcetera.com.br.1257 > falcon.etcetera.com.br.pop3: F
> >54:54(0) ack 68 win 8694 (DF)
> >13:18:20.512600 falcon.etcetera.com.br.pop3 > 192.168.13.10.1257: . ack 56
> >win 32120 (DF)
> >_______________________________________________
> >Firewalls mailing list
> >[EMAIL PROTECTED]
> >http://lists.gnac.net/mailman/listinfo/firewalls

David Taylor
PGP Key ID: 0x0D001246
PGP Fingerprint: 9287 6333 95B3 B2DF 9932  89BD 37FF 7E69 0D00 1246 
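
As a second added example (not from any message in this thread), here is a small Python classifier for tcpdump text of the shape Bruno posted: it picks out SYNs to the auth port and reports whether each one got a TCP RST, an ICMP port unreachable, a SYN-ACK, or nothing, which is how the permit / reject / drop choices above look on the wire, together with how long the querying server waited. The capture is constructed: the pop3 and auth lines are the posted ones rejoined onto single lines, the remaining hosts (mx.example, gw.example and so on) are invented here to show the other outcomes, and the ICMP line layout is assumed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample capture in the old tcpdump text format of the posted trace.
# Lines 1-3 are the posted pop3 SYN and auth probe/RST, rejoined onto single lines;
# the rest are made up here to show the other three outcomes.
SAMPLE_CAPTURE = """\
13:18:20.484479 15bis.etcetera.com.br.1257 > falcon.etcetera.com.br.pop3: S 10873842:10873842(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)
13:18:20.486676 falcon.etcetera.com.br.4475 > 15bis.etcetera.com.br.auth: S 3342539285:3342539285(0) win 32120 <mss 1460,sackOK,timestamp 697211801 0,nop,wscale 0> (DF)
13:18:20.486787 15bis.etcetera.com.br.auth > falcon.etcetera.com.br.4475: R 0:0(0) ack 3342539286 win 0 (DF)
13:18:21.000000 mx.example.4501 > gw.example.auth: S 1:1(0) win 32120 (DF)
13:18:21.000200 gw.example > mx.example: icmp: gw.example tcp port auth unreachable
13:18:22.000000 relay.example.4502 > open.example.auth: S 1:1(0) win 32120 (DF)
13:18:22.000300 open.example.auth > relay.example.4502: S 7:7(0) ack 2 win 32120 (DF)
13:18:23.000000 silent.example.4503 > blackhole.example.auth: S 1:1(0) win 32120 (DF)
"""

_TCP_RE = re.compile(r"^(?P<ts>[\d:.]+) (?P<src>\S+) > (?P<dst>\S+): (?P<flags>[SRPF.]+) (?P<rest>.*)$")
# ICMP line shape assumed for this example: "<src> > <dst>: icmp: <src> tcp port <port> unreachable".
_ICMP_RE = re.compile(r"^(?P<ts>[\d:.]+) (?P<src>\S+) > (?P<dst>\S+): icmp: .*\btcp port (?P<port>\S+) unreachable")

DROPPED = "dropped (no reply)"


@dataclass
class Probe:
    ts: float
    src_host: str
    src_port: str
    dst_host: str
    dst_port: str
    outcome: str = DROPPED
    latency_ms: Optional[float] = None


def _seconds(ts: str) -> float:
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def _hostport(s: str):
    # tcpdump prints "host.port"; the port is the last dot-separated component.
    host, _, port = s.rpartition(".")
    return host, port


def classify_identd_probes(capture: str, auth_ports=("auth", "113")) -> List[Probe]:
    """Find SYNs to the auth port and classify the answer each one received."""
    probes: List[Probe] = []
    for line in capture.splitlines():
        m = _TCP_RE.match(line)
        if m:
            src_h, src_p = _hostport(m["src"])
            dst_h, dst_p = _hostport(m["dst"])
            flags, tokens, t = m["flags"], m["rest"].split(), _seconds(m["ts"])
            if "S" in flags and "ack" not in tokens and dst_p in auth_ports:
                probes.append(Probe(t, src_h, src_p, dst_h, dst_p))  # a new identd query
                continue
            for p in probes:  # is this the probed port answering the prober?
                if p.outcome != DROPPED or (src_h, src_p, dst_h, dst_p) != (p.dst_host, p.dst_port, p.src_host, p.src_port):
                    continue
                if "R" in flags:
                    p.outcome = "rejected (TCP RST)"
                elif "S" in flags and "ack" in tokens:
                    p.outcome = "accepted (SYN-ACK)"
                else:
                    continue
                p.latency_ms = round((t - p.ts) * 1000, 3)
                break
            continue
        m = _ICMP_RE.match(line)
        if m:
            t = _seconds(m["ts"])
            for p in probes:
                if p.outcome == DROPPED and (m["src"], m["dst"]) == (p.dst_host, p.src_host) and m["port"] == p.dst_port:
                    p.outcome = "rejected (ICMP port unreachable)"
                    p.latency_ms = round((t - p.ts) * 1000, 3)
                    break
    return probes


if __name__ == "__main__":
    for p in classify_identd_probes(SAMPLE_CAPTURE):
        print(f"{p.src_host}:{p.src_port} -> {p.dst_host}:{p.dst_port}  {p.outcome}  {p.latency_ms} ms")
```

A probe that ends the capture still marked "dropped (no reply)" is the case where the querying pop3 or mail server sits in its TCP timeout; a RST or ICMP unreachable within a fraction of a millisecond is the reject behaviour, and a SYN-ACK means something on the far side is prepared to answer the RFC 1413 query.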
