
07-24-2002, 11:05 AM
Senior Member
Join Date: Sep 2001
Location: USA
Posts: 153
IDENT Proxy...
Is there any way that you guys know of to configure Astaro so that the IDENT proxy will return a CLOSED response rather than open?
Neither open nor stealthed/filtered is desired for me since I need to be able to use Outlook from behind Astaro. If the port is stealthed it takes almost a minute to get my mail.
If it is open...well, it's open.
Is there any way to have it return an RST?
Thanks,
danielrm26

07-24-2002, 06:37 PM
Super Moderator
Join Date: Nov 2000
Location: Heidelberg, Germany
Posts: 1,267
Re: IDENT Proxy...
3.2 has "reject" and "log reject" packet filter actions.
use
"Any" "IDENT" "external_Interface__"
and you should be set.
/tom

07-25-2002, 07:40 PM
Senior Member
Join Date: Sep 2001
Location: USA
Posts: 153
Re: IDENT Proxy...
I already tried that; it doesn't work for some reason.
It still stealths/filters the incoming probes, which bogs down my email checking process as described.
I am going to try again though to make sure I didn't do something dumb.

07-25-2002, 07:59 PM
Senior Member
Join Date: Sep 2001
Location: USA
Posts: 153
Re: IDENT Proxy...
I think I found the problem. Astaro is using ICMP destination unreachable responses to indicate a 'reject' response.
This, I don't think, is standard. A TCP RST is what both email servers (and less importantly scanners) are looking for to determine whether or not a machine is there. All the email server wants is to know that it is there, which it accepts as true if it gets anything back from the mail requesting machine. The problem seems to be that ICMP is not included in its list of things to watch for.
So, the only things it is watching for are SYN ACK or RST flags, not ICMP 3,3 responses. This is why I can't get my mail faster or come up 'closed' on any scanners when I reject rather than drop. For all intents and purposes I am dropping the requests.
Any thoughts on this?
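To make the three outcomes described in this post concrete, here is an added Python probe (not code from the thread or from Astaro) that does what a mail server's ident lookup does: it opens a TCP connection to port 113 and reports whether it saw a SYN-ACK ("open"), a RST ("closed"), or nothing at all ("filtered"), together with how long it waited. The function names `probe_ident` and `demo_local` are mine, and the demo runs against a throwaway loopback listener so it needs no network access.

```python
import socket
import time
from contextlib import closing

IDENT_PORT = 113  # RFC 1413 "identification protocol" (the legacy IDENT service)


def probe_ident(host, port=IDENT_PORT, timeout=5.0):
    """Connect to the ident port and classify the reply the way a mail server's
    ident lookup sees it.  Returns (state, elapsed_seconds).

    'open'     - a SYN-ACK came back: something (e.g. an ident relay) is listening
    'closed'   - a RST came back: the local stack raises ECONNREFUSED at once.
                 Linux also maps an ICMP port-unreachable (type 3, code 3) hitting
                 a half-open connect to ECONNREFUSED, but other stacks and other
                 ICMP codes may be ignored, so only a RST is a reliable 'closed'.
    'filtered' - nothing came back: the caller sits through the whole timeout,
                 which is the mail delay a stealthed port 113 causes
    'error'    - some other failure (no route, name lookup, ...)
    """
    start = time.monotonic()
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
            state = "open"
        except ConnectionRefusedError:
            state = "closed"
        except socket.timeout:
            state = "filtered"
        except OSError:
            state = "error"
    return state, time.monotonic() - start


def demo_local():
    """Constructed, offline demonstration: a throwaway listener on loopback
    stands in for an 'open' ident relay, and the same port after the listener
    is gone stands in for a 'closed' one (the kernel answers with a RST)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # any free port; binding 113 itself needs root
    listener.listen(1)
    port = listener.getsockname()[1]
    open_state, _ = probe_ident("127.0.0.1", port, timeout=2.0)
    listener.close()
    closed_state, closed_secs = probe_ident("127.0.0.1", port, timeout=2.0)
    return {"open": open_state, "closed": closed_state, "closed_secs": closed_secs}


if __name__ == "__main__":
    print(demo_local())
```

Pointing `probe_ident` at a firewall's external address from outside shows which of the three answers it really gives; a "filtered" result with a long elapsed time is the behaviour this post is complaining about.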

07-25-2002, 08:18 PM
Moderator
Join Date: Jul 2001
Location: southern California
Posts: 5,359
Re: IDENT Proxy...
Have you tried just turning on the "IDENT Relay" WITHOUT forwarding?

07-25-2002, 08:53 PM
Senior Member
Join Date: Sep 2001
Location: USA
Posts: 153
Re: IDENT Proxy...
Yes, the relay doesn't need a rule in the packetfilter. If you open the relay the port is open.

07-25-2002, 09:57 PM
Moderator
Join Date: Jul 2001
Location: southern California
Posts: 5,359
Re: IDENT Proxy...
So, what's wrong with that port being open (only on the firewall)?
ISTM the "IDENT Relay" was designed exactly to handle your problem, assuming you're using masquerading for the internal clients.
[ 25 July 2002, 18:00: Message edited by: barrygould ]

07-25-2002, 10:05 PM
Moderator
Join Date: Jul 2001
Location: southern California
Posts: 5,359
Re: IDENT Proxy...
Quote:
Neither open nor stealthed/filtered is desired for me since I need to be able to use Outlook from behind Astaro. If the port is stealthed it takes almost a minute to get my mail.

I've had similar problems with POP3, but they turned out to be missing reverse DNS, rather than Ident, but maybe Exchange (or whatever server you're using) does Ident. (IMO, it's stupid if it does. Ident is an almost useless protocol.) You might want to double check the reverse DNS though.
Barry

07-25-2002, 11:15 PM
Senior Member
Join Date: Sep 2001
Location: USA
Posts: 153
Re: IDENT Proxy...
Quote:
Originally posted by barrygould:
So, what's wrong with that port being open (only on the firewall)?
ISTM the "IDENT Relay" was designed exactly to handle your problem, assuming you're using masquerading for the internal clients.

I simply would rather not use the proxy, or have the proxy show closed on that port. I just don't see a reason to allow a complete connection to my firewall box (on any port) when all the stupid legacy IDENT protocol needs is an RST packet.

07-30-2002, 07:02 PM
Moderator
Join Date: Jul 2001
Location: southern California
Posts: 5,359
Re: IDENT Proxy...
Astaro 3.2 uses "oidentd"
fw:/var/chroot-identd/bin # ./oidentd__ -v
oidentd 2.0.3
Ryan McCabe <odin@numb.org>
http://dev.ojnk.net
I don't know if it's vulnerable or not, but it is CHROOTED so root compromise of the entire ASL box is unlikely.
Barry