another firewall question.

Devin Carraway aqua at atlantic.devin.com
Fri Jan 28 01:22:39 PST 2000


On Thu, Jan 27, 2000 at 07:28:13PM -0800, David Johnson wrote:
> I am still unable to connect to most IRC channels.. below is my
> rc.firewall that i adopted from Tyler Booth (thanks!) and I am trying
> to figure out what I need to add to allow the communications on port
> 113.

	From what machine are you trying to connect to IRC?  Just based on a
cursory examination of the script, if you're trying to connect from one of
your masquerading hosts (as opposed to the firewall host), standard identd
won't work.  Normally identd doesn't do anything for masqueraded hosts; to
connect to IRC in such a setup you have three general options:

	(1) Use oidentd or midentd, both of which have support for
IP masquerading -- when they get a request for ident on a connect coming
from a masqueraded host, they make a query against the origin host and pass
the result back.  This generally requires that [mo]identd be installed on
both the client and firewall hosts, though oidentd at least has workarounds.

	(2) Tell identd to lie (or install one that can; nullidentd and
oidentd at least have those options).  Some identd servers can be instructed
to return a fixed response to any identd query (nullidentd's approach,
oidentd can do it also); alternately they can return a randomized string
that could be a valid username (oidentd can do it, I think others also). 
That's sufficient to pacify most IRC servers.  If you'd like to give an
accurate identd response, and you have one person per masqueraded host, you
can tell oidentd what response to issue for each machine, valid or not at
your discretion.

	(3) Use one of the user-defined/automated masquerade modules that
can be customized to pass the identd request packets through to the
connecting host.  This is probably the sexiest approach; I've never tried it
to be sure.


-- 
Devin  \ aqua(at)devin.com, finger for PGP;  http://www.devin.com
Carraway \ IRC: Requiem  GCS/CC/L s-:--- !a !tv C++++$ ULB+++$ O+@ P L+++
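Added example (not part of Devin's post or of any of the identd packages he names): a minimal RFC 1413 ident responder, in Python, that shows how options (1) and (2) above fit together on the firewall host. The IRC server sends "server-port , client-port"; the responder maps the client port back to the masqueraded host, the way oidentd consults the masquerade table, and answers per host, with a fixed nullidentd-style string for any connection it cannot attribute and a HIDDEN-USER error for hosts that opt out. The masquerade table, host-to-user policy, hidden-host set, and port numbers are all constructed for illustration; a real responder would read the kernel's masquerade state instead of a dict.

```python
import re
import socket

# RFC 1413 exchange: the querying side (the IRC server) sends
#   "<port-on-server> , <port-on-client>" CRLF
# and the ident server replies with either
#   "<port-pair> : USERID : <opsys> : <user-id>" or "<port-pair> : ERROR : <error-type>".

# Constructed stand-in for the kernel masquerade table (assumption, not from the post):
# masqueraded source port on the firewall -> internal host that owns the connection.
MASQ_TABLE = {61001: "192.168.1.10", 61002: "192.168.1.11", 61003: "192.168.1.12"}

# Constructed policy: one person per masqueraded host, so each host gets a chosen reply.
PER_HOST_REPLY = {"192.168.1.10": "alice", "192.168.1.11": "bob"}
# Hosts that should not be identified at all get the RFC's HIDDEN-USER error.
HIDDEN_HOSTS = {"192.168.1.12"}
# Fixed reply for connections we cannot attribute (the nullidentd approach).
FIXED_REPLY = "masq"

_REQUEST_RE = re.compile(r"^\s*(\d{1,5})\s*,\s*(\d{1,5})\s*$")


def parse_request(line: str):
    """Parse an RFC 1413 request line; return (server_port, client_port) or None."""
    m = _REQUEST_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def ident_reply(line: str, masq_table=MASQ_TABLE) -> str:
    """Build the response line (without CRLF) for one ident request."""
    ports = parse_request(line)
    if ports is None:
        # Nothing usable to echo back, so send a zero port pair with the RFC error.
        return "0 , 0 : ERROR : INVALID-PORT"
    sport, cport = ports
    if not (1 <= sport <= 65535 and 1 <= cport <= 65535):
        return f"{sport} , {cport} : ERROR : INVALID-PORT"
    origin = masq_table.get(cport)
    if origin in HIDDEN_HOSTS:
        return f"{sport} , {cport} : ERROR : HIDDEN-USER"
    user = PER_HOST_REPLY.get(origin, FIXED_REPLY)
    return f"{sport} , {cport} : USERID : UNIX : {user}"


def serve(bind_addr: str = "0.0.0.0", port: int = 113) -> None:
    """Answer ident queries on TCP port 113 (binding there needs root; use a high port to test)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((bind_addr, port))
        srv.listen(5)
        while True:
            conn, _peer = srv.accept()
            with conn:
                conn.settimeout(10)  # don't let an idle querier hold the socket open
                try:
                    data = conn.recv(512).decode("ascii", "replace")
                except (socket.timeout, UnicodeError):
                    continue
                conn.sendall((ident_reply(data) + "\r\n").encode("ascii"))


if __name__ == "__main__":
    serve(port=11300)  # high port so the example runs unprivileged
```

The firewall's own ident daemon sees the IRC server, not the masqueraded client, as its TCP peer, which is why the lookup keys on the client port from the request rather than on the peer address; that port is the only thing tying the query back to the internal host.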