On Tue, Oct 26, 1999 at 11:25:15PM +0100, Steve Dodd wrote:
> [no personal cc due to Mail-Followup-To hdr]

> On Mon, Oct 25, 1999 at 02:18:13PM -0400, Michael H. Warfield wrote:

> >     One is that they are connecting back on auth, looking for the
> > ident service, when you first make a connection to them.  If they can't
> > connect to ident because you are behind a firewall, or aren't running
> > auth, and they don't get a RST or some sort of ICMP unreachable back (maybe
> > because you are behind a firewall that doesn't send them) they seem to have
> > a ridiculous timeout before giving up on auth.  It's like 5 or 10 minutes
> > long!

> If I was in BOfH mode, I could argue that your firewall needs fixing. But
> I'd never say anything controversial like that ;-) (Especially as I've not
> checked the RFCs to see if this behaviour is really broken or not)

        It's not.

        1) Response return is not mandatory.  Neither ICMP unreachable nor
a TCP RST.  So, no, the firewall is not "broken" even if it's not behaving
as we might like.

        2) ICMP unreachable (preferred response) does not have guaranteed
delivery, so non-receipt of one cannot be assumed to imply anything.

        3) ICMP packets can be blocked at any point, either by firewalls
or filtering routers, so the problem may not even be "on site".

        4) Firewall may not be under control of the individuals experiencing
the problem.  Moot point to be screwing over the guys who are trying to get
stuff done when they can't do anything about it.

        5) The local BOFHs may be under a security mandate that dictates that
NO ICMP unreachables may be returned to prevent leakage of information
regarding systems and services (ICMP host unreachable - no box.  ICMP port
unreachable - box there no service).  That's why some of us have to use
passive mode ftp as well (no reverse port connections).  Security policy
trumps.  Firewall is not considered to be broken when it is implementing
desired security policy.

        6) Auth/ident can be spoofed.  Security/identity information returned
by ident can NOT be trusted.  Fake "ident" servers are commonplace on the
net right now.  Why bother with ident if you can't trust the data returned?

        7) Exploits have existed for versions of identd in the past.  Some
sites do not want to run ident because of fears of old versions that may
be lurking around and fears of future exploits.  If secure sites are
blocking ident and information returned from insecure sites is suspect,
just how useful is this thing?

> -- 
> "People get annoyed when you try to debug them."
>                 -- Larry Wall

        Mike
-- 
 Michael H. Warfield    |  (770) 985-6132   |  [EMAIL PROTECTED]
  (The Mad Wizard)      |  (770) 331-2437   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
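The behaviour Mike describes in points 1-3 and 6 (a connect-back to port 113 that may get a RST, an ICMP unreachable, or nothing at all, and a reply that is untrusted input) is shown below as an added example; it is not code from this thread or from any identd. It is an RFC 1413 client that bounds the lookup with a short timeout (the 5-second value is an assumption), classifies the three failure modes separately, and parses the reply defensively.

```python
import errno
import socket

IDENT_PORT = 113
IDENT_TIMEOUT = 5.0  # assumption: seconds; the thread complains about 5-10 minute waits


def parse_ident_reply(line: str):
    """Parse one RFC 1413 reply line into (status, details).

    "6191, 23 : USERID : UNIX : stjohns"  -> ("USERID", {"os": "UNIX", "user": "stjohns"})
    "6191, 23 : ERROR : NO-USER"          -> ("ERROR", {"error": "NO-USER"})
    Anything else                          -> ("MALFORMED", {"raw": ...})
    maxsplit=3 keeps ':' characters inside the user-id field intact; the
    returned user string is untrusted data (point 6) and is never acted on here.
    """
    parts = [p.strip() for p in line.strip().split(":", 3)]
    if len(parts) >= 3 and parts[1] == "ERROR":
        return "ERROR", {"error": parts[2]}
    if len(parts) == 4 and parts[1] == "USERID":
        return "USERID", {"os": parts[2], "user": parts[3]}
    return "MALFORMED", {"raw": line.rstrip("\r\n")}


def ident_lookup(host, remote_port, local_port, timeout=IDENT_TIMEOUT):
    """Ask host's identd who owns the connection <host:remote_port> -> <us:local_port>.

    Returns (outcome, details); the caller must treat a silent drop, a RST and an
    ICMP unreachable as equally uninformative and move on after `timeout` seconds.
    """
    try:
        with socket.create_connection((host, IDENT_PORT), timeout=timeout) as s:
            # RFC 1413 query: <port on identd's host>, <port on our host>
            s.sendall(f"{remote_port}, {local_port}\r\n".encode("ascii"))
            reply = b""
            while not reply.endswith(b"\n") and len(reply) < 1024:  # bound the read
                chunk = s.recv(256)
                if not chunk:
                    break
                reply += chunk
        return parse_ident_reply(reply.decode("ascii", "replace"))
    except socket.timeout:
        # Packets silently dropped: no RST, no ICMP (points 1-3). Give up quickly.
        return "TIMEOUT", {"seconds": timeout}
    except ConnectionRefusedError:
        # TCP RST or ICMP port unreachable: host is up, nothing listening on 113.
        return "REFUSED", {}
    except OSError as e:
        # ICMP host/net unreachable and similar errors surface here.
        return "UNREACHABLE", {"errno": errno.errorcode.get(e.errno, str(e))}
```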

-
To unsubscribe from this list: send the line "unsubscribe linux-net" in
the body of a message to [EMAIL PROTECTED]