Tom

In your "myfiles.htm" you show allowing auth requests from the net to loc.

Why? What requires this?

______________________________________
John Andersen
NORCOM / Juneau, Alaska
http://www.screenio.com/
On Wed, 8 May 2002, John Andersen wrote:

> Tom
> In your "myfiles.htm" you show allowing auth requests
> from the net to loc.
>
> Why? What requires this?
>

Class is in session again :-)

The auth protocol dates from the days on the internet when privileged ports
(those < 1024) could be trusted because they were controlled by system
administrators. The general idea is:

    Client ------- connect -------> Server
    Client <------ who are you ---- Server
    Client ------- I am tom ------> Server

In other words, the server asked the client (using a priv port) for the
identity of the user who has requested service. That's what 'auth' is
about and it clearly didn't anticipate a world where everyone had several
computers in their home.

The key thing is to NOT DROP auth requests because then you have
connection problems (the "who are you" step stalls). I happen to run
"identd" (the daemon that handles "auth" requests) everywhere so I allow
auth requests. If you look at my sample configuration (see the quick start
guide), I REJECT auth requests.

One final note. IRC REQUIRES auth to respond with SOME user name so if you
do IRC, you MUST run identd and ACCEPT 'auth'.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
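The exchange Tom sketches above, as an added example that is not part of the thread: a toy identd on a loopback port and the server-side query, using the request and reply lines of RFC 1413. The connection table, ports and function names are constructed for the example; the REFUSED and TIMEOUT outcomes are what a REJECT rule and a DROP rule respectively hand to the server doing the asking.

```python
import socket
import threading

# Constructed sample: connections open on the queried host, (local_port, remote_port) -> user.
OPEN_CONNECTIONS = {(1025, 21): "tom"}

def build_response(line, connections):
    """Answer one RFC 1413 request '<port-on-server>, <port-on-client>' as identd would."""
    try:
        server_port, client_port = (int(p) for p in line.split(","))
    except ValueError:                      # malformed or non-numeric request line
        return "0, 0 : ERROR : INVALID-PORT\r\n"
    user = connections.get((client_port, server_port))   # identd's local port is the client's
    if user is None:
        return f"{server_port}, {client_port} : ERROR : NO-USER\r\n"
    return f"{server_port}, {client_port} : USERID : UNIX : {user}\r\n"

def start_toy_identd(connections):
    """Serve ident queries on a loopback port (real identd listens on 113/tcp); return the port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                conn.sendall(build_response(conn.recv(512).decode(), connections).encode())
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def query_ident(host, port, server_port, client_port, timeout=2.0):
    """Server's half of the exchange. REFUSED = TCP reset (REJECT, fails fast); TIMEOUT = DROP (stalls)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(f"{server_port}, {client_port}\r\n".encode())
            reply = s.recv(512).decode()
    except ConnectionRefusedError:
        return ("REFUSED",)
    except socket.timeout:
        return ("TIMEOUT",)
    return tuple(f.strip() for f in reply.split(":")[1:])   # e.g. ('USERID', 'UNIX', 'tom')

def demo():
    port = start_toy_identd(OPEN_CONNECTIONS)
    with socket.socket() as probe:          # take a free port, then release it so nothing listens
        probe.bind(("127.0.0.1", 0))
        free = probe.getsockname()[1]
    return {"known": query_ident("127.0.0.1", port, 21, 1025),
            "unknown": query_ident("127.0.0.1", port, 21, 4000),
            "refused": query_ident("127.0.0.1", free, 21, 1025)}
```

demo() runs the three cases (known connection, unknown connection, nothing listening) and returns their results.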
So this auth request comes out of the blue (so to speak)?
It isn't considered RELATED by ipchains?

On 8 May 2002 at 18:45, Tom Eastep wrote:

> On Wed, 8 May 2002, John Andersen wrote:
>
> > Tom
> > In your "myfiles.htm" you show allowing auth requests
> > from the net to loc.
> >
> > Why? What requires this?
> >
>
> Class is in session again :-)
>
> The auth protocol dates from the days on the internet when privileged ports
> (those < 1024) could be trusted because they were controlled by system
> administrators. The general idea is:
>
>     Client ------- connect -------> Server
>     Client <------ who are you ---- Server
>     Client ------- I am tom ------> Server
>
> In other words, the server asked the client (using a priv port) for the
> identity of the user who has requested service. That's what 'auth' is
> about and it clearly didn't anticipate a world where everyone had several
> computers in their home.
>
> The key thing is to NOT DROP auth requests because then you have
> connection problems (the "who are you" step stalls). I happen to run
> "identd" (the daemon that handles "auth" requests) everywhere so I allow
> auth requests. If you look at my sample configuration (see the quick start
> guide), I REJECT auth requests.
>
> One final note. IRC REQUIRES auth to respond with SOME user name so if you
> do IRC, you MUST run identd and ACCEPT 'auth'.
>
> -Tom
> --
> Tom Eastep    \ Shorewall - iptables made easy
> AIM: tmeastep \ http://www.shorewall.net
> ICQ: #60745924 \ teastep@shorewall.net
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@shorewall.net
> http://www.shorewall.net/mailman/listinfo/shorewall-users
>

______________________________________
John Andersen
NORCOM / Juneau, Alaska
http://www.screenio.com/
On Wed, 8 May 2002, John Andersen wrote:

> So this auth request comes out of the blue (so to speak)?
> It isn't considered RELATED by ipchains?
>

Definitely not. You connect to an FTP server and it returns an auth request
to find out who you are -- iptables doesn't deal with that (and it should not).

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
OK, this makes me wonder, can't I just do something like this to keep from
having auth hit all my PCs, and still have things work correctly?

    ACCEPT net $FW::113 tcp auth - !66.13.27.62
    ACCEPT net $FW tcp auth

> The key thing is to NOT DROP auth requests because then you have
> connection problems (the "who are you" step stalls). I happen to run
> "identd" (the daemon that handles "auth" requests) everywhere so I allow
> auth requests. If you look at my sample configuration (see the quick start
> guide), I REJECT auth requests.
>
> One final note. IRC REQUIRES auth to respond with SOME user name so if you
> do IRC, you MUST run identd and ACCEPT 'auth'.

--
Brad Wyman          |\      _,,,---,,_
bradw@sta-care.com  /,`.-'`'    -.  ;-;;,_
Network Admin      |,4-  ) )-,_. ,\ (  `'-'
Sta-Care, Inc.    '---''(_/--'  `-'_)
PGP Fingerprint: 8B1E E12F 3982 0D54 E01C DFD3 898B 6CA3 ED6F 3E56
On Thu, 9 May 2002, bradw wrote:

> OK, this makes me wonder, can't I just do something like this to keep from
> having auth hit all my PCs, and still have things work correctly?
>
>     ACCEPT net $FW::113 tcp auth - !66.13.27.62
>     ACCEPT net $FW tcp auth
>

There is really no point in the first rule since your firewall's identd can't
answer auth requests on behalf of systems behind the firewall (unless you have
a clever server that looks in /proc/net/ip_conntrack if it can't find a local
match for the original connection).

If you want to just avoid connection problems, this works:

    REJECT net fw tcp auth

If you have multiple external IPs and are using static NAT, Proxy ARP or
simple routing, you will want similar rules for your internal zones. Example:

    REJECT net loc tcp auth

Note that if you run servers, you should either configure them to not use
auth or you need to allow auth from your server zone to all client zones.
Beware the tcp wrapper and xinetd -- both can use auth.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
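Tom's aside about a "clever server" that consults /proc/net/ip_conntrack, as an added example that is not from the thread or from Shorewall: it maps the two ports an external server quotes in its auth query back to the masqueraded host's original connection, which is the lookup such an identd on the firewall would need before relaying the query inward. The conntrack lines are constructed in the 2.4-kernel layout as assumed here (original-direction tuple first, reply-direction tuple second); addresses, ports and the function names are hypothetical.

```python
import re

# Constructed /proc/net/ip_conntrack lines in the 2.4-kernel layout: the first src/dst/sport/dport
# group is the original direction, the second the reply direction, so under masquerading the
# reply dst/dport are the firewall's external address and the rewritten source port.
SAMPLE_CONNTRACK = """\
tcp      6 431999 ESTABLISHED src=192.168.1.5 dst=198.51.100.9 sport=1025 dport=21 src=198.51.100.9 dst=203.0.113.7 sport=21 dport=32010 [ASSURED] use=1
tcp      6 117 TIME_WAIT src=192.168.1.8 dst=198.51.100.9 sport=1030 dport=80 src=198.51.100.9 dst=203.0.113.7 sport=80 dport=32011 use=1
udp      17 29 src=192.168.1.5 dst=203.0.113.1 sport=1026 dport=53 src=203.0.113.1 dst=203.0.113.7 sport=53 dport=32012 use=1
"""

TUPLE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")

def parse_conntrack(text):
    """Yield (proto, original, reply) per entry, each side as (src, dst, sport, dport)."""
    for line in text.splitlines():
        if not line.strip():
            continue
        sides = [(s, d, int(sp), int(dp)) for s, d, sp, dp in TUPLE.findall(line)]
        if len(sides) == 2:                     # skip anything that does not carry both tuples
            yield line.split()[0], sides[0], sides[1]

def find_original_peer(text, server_port, client_port):
    """Given the ports an external server sees on a masqueraded TCP connection (its own port,
    the firewall's rewritten source port), return (internal_ip, internal_port) or None."""
    for proto, orig, reply in parse_conntrack(text):
        if proto == "tcp" and reply[2] == server_port and reply[3] == client_port:
            return orig[0], orig[2]
    return None

def forward_request(text, request_line):
    """What a conntrack-aware identd on the firewall would do with an incoming
    '<port-on-server>, <port-on-client>' query: return (internal_host, rewritten_request)
    to relay to that host's own identd, or None if the connection is not in the table."""
    server_port, client_port = (int(p) for p in request_line.split(","))
    peer = find_original_peer(text, server_port, client_port)
    if peer is None:
        return None
    host, orig_port = peer
    return host, f"{server_port}, {orig_port}\r\n"
```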