Closing Identd service with Ipchains

RoMaN SoFt / LLFB!!

14 Nov 2000 14 Nov '00

11:33

Hi. I want my (firewalled)-gw responds to an ident (113 port) request with a RST packet, thus simulating the service is closed. I'm using Ipchains with kernel 2.2.17. Is there any way of doing that? Notes: - DENY simply blocks ident service. Nmap will detect the port as "blocked" (after timeout), since no packet is returned in response to SYN attempt. - REJECT works similarly to Deny, except that it will send an ICMP error message. But no tcp packet is sent in response to SYN query. The port will be detected as "blocked". The behaviour I want is NOT one of the above. What I want is a RST to be sent, so services using ident (like ftp or sendmail) doesn't have to wait for tcp request timeout. =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= ** RoMaN SoFt / LLFB ** roman@madrid.com http://pagina.de/romansoft ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Show replies by date

Markus Gaugusch

14 Nov 14 Nov

11:36

New subject: [suse-security] Closing Identd service with Ipchains

...

I want my (firewalled)-gw responds to an ident (113 port) request with a RST packet, thus simulating the service is closed. I'm using Ipchains with kernel 2.2.17. Is there any way of doing that? I think if you leave the port open and don't run identd you will have the desired behaviour ...

bye! Markus -- _____________________________ Markus Gaugusch ICQ 11374583 markus@gaugusch.dhs.org 78

RoMaN SoFt / LLFB!!

14:39

New subject: [suse-security] Closing Identd service with Ipchains

On Tue, 14 Nov 2000 12:36:32 +0100 (CET), you wrote:

...

...
I want my (firewalled)-gw responds to an ident (113 port) request with a RST packet, thus simulating the service is closed. I'm using Ipchains with kernel 2.2.17. Is there any way of doing that? I think if you leave the port open and don't run identd you will have the desired behaviour ...

Right. But I cannot do that, identd is running and I don't want to close it. The idea is that some hosts/networks can see the service (opened) and some others not (through packet filtering). BTW, a total different matter. How is produced the Syslog (514/udp) handshaking in a centralized environment? I set up a machine with syslog in listening mode (-r) and configured the other machines to forward logs the the former machine. I though only the first (listening) machine would open the service port (514/udp), but I got surprised when I saw the other machines also had the same port open!!! (these last ones run syslog in normal mode, not listening). I've observed these machines open and begin listening their syslog port inmediately when I add the following line in /etc/syslog.conf and re-start syslog: *.* @logger-machine Why does it happen? I thought logs were sent to the logger machine in an unidirectional fashion so only 514 port *in logger machine* was opened.... PS: Automatic "away" responses should NOT be allowed in mailing-lists (use filters like procmail, dudez). They're annoying. =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= ** RoMaN SoFt / LLFB ** roman@madrid.com http://pagina.de/romansoft ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Alexander Reelsen

16:43

New subject: [suse-security] Closing Identd service with Ipchains

Hi On Tue, Nov 14, 2000 at 12:33:06PM +0100, RoMaN SoFt / LLFB!! wrote:

...

I want my (firewalled)-gw responds to an ident (113 port) request with a RST packet, thus simulating the service is closed. I'm using Ipchains with kernel 2.2.17. Is there any way of doing that? README for Return-RST, a Linux 2.2 firewall helper tool -------------------------------------------------------

Written by Nic Bellamy of Bellamy Consulting Limited - http://www.bellamy.co.nz/ Return-RST was written to overcome the lack of an ipchains policy that can return a RESET packet when denying a TCP connection. The DENY policy just drops the packet, and the REJECT policy sends back an ICMP message. Either policy will tip an attacker off to the fact they're being filtered. I guess that is what you're searching for. In addition it is using the netlink socket and the ability of passing packets over to the userspace, so it cannot handle and endless high amount of connections. However, it should be sufficient without problems for identd only. MfG/Regards, Alexander P.S. Apologises if I sent ealier mails with wrong sender, or if it bounced. My mailsystem was misconfigured and I can't blame it on anyone else. If you've sent me a mail in the last 14 days, please resend it. -- Alexander Reelsen http://joker.rhwd.de ref@linux.com GnuPG: pub 1024D/F0D7313C sub 2048g/6AA2EDDB ar@rhwd.net 7D44 F4E3 1993 FDDF 552E 7C88 EE9C CBD1 F0D7 313C Securing Debian: http://joker.rhwd.de/doc/Securing-Debian-HOWTO

Charles Price

16 Nov 16 Nov

22:37

New subject: [suse-security] Closing Identd service with Ipchains

Does the newer iptables packet filter offer a RST return function? Charlie ----- Original Message ----- From: Alexander Reelsen To: RoMaN SoFt / LLFB!! Cc: Sent: Tuesday, November 14, 2000 4:43 PM Subject: Re: [suse-security] Closing Identd service with Ipchains

...

Hi

On Tue, Nov 14, 2000 at 12:33:06PM +0100, RoMaN SoFt / LLFB!! wrote:

...
I want my (firewalled)-gw responds to an ident (113 port) request with a RST packet, thus simulating the service is closed. I'm using Ipchains with kernel 2.2.17. Is there any way of doing that? README for Return-RST, a Linux 2.2 firewall helper tool -------------------------------------------------------

Written by Nic Bellamy of Bellamy Consulting Limited - http://www.bellamy.co.nz/

Return-RST was written to overcome the lack of an ipchains policy that can return a RESET packet when denying a TCP connection. The DENY policy just drops the packet, and the REJECT policy sends back an ICMP message. Either policy will tip an attacker off to the fact they're being filtered.

I guess that is what you're searching for. In addition it is using the netlink socket and the ability of passing packets over to the userspace, so it cannot handle and endless high amount of connections. However, it should be sufficient without problems for identd only.

MfG/Regards, Alexander

P.S. Apologises if I sent ealier mails with wrong sender, or if it bounced. My mailsystem was misconfigured and I can't blame it on anyone else. If you've sent me a mail in the last 14 days, please resend it.

-- Alexander Reelsen http://joker.rhwd.de ref@linux.com GnuPG: pub 1024D/F0D7313C sub 2048g/6AA2EDDB ar@rhwd.net 7D44 F4E3 1993 FDDF 552E 7C88 EE9C CBD1 F0D7 313C Securing Debian: http://joker.rhwd.de/doc/Securing-Debian-HOWTO

--------------------------------------------------------------------- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com

RoMaN SoFt / LLFB!!

17 Nov 17 Nov

09:18

New subject: [suse-security] Closing Identd service with Ipchains

On Thu, 16 Nov 2000 22:37:06 -0000, you wrote:

...

Does the newer iptables packet filter offer a RST return function?

I haven't checked it for myself, but I was told the answer is yes :-) The problem is that 2.4 kernels are not very stable but experimental/beta. I'd not use it on production systems... =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= ** RoMaN SoFt / LLFB ** roman@madrid.com http://pagina.de/romansoft ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Alexander Reelsen

19:27

New subject: [suse-security] Closing Identd service with Ipchains

Hi On Thu, Nov 16, 2000 at 10:37:06PM -0000, Charles Price wrote:

...

Does the newer iptables packet filter offer a RST return function? Just check the manpage. Here's an excerpt of the iptables manpage:

--reject-with type and generates a ping reply. Finally, the option tcp-reset can be used on rules in (or called from) the INPUT chain which only match the TCP protocol: this causes a TCP RST packet to be sent back. However there's another reject patch in the source. I don't know what exactly they do, better you check it out. MfG/Regards, Alexander -- Alexander Reelsen http://joker.rhwd.de ref@linux.com GnuPG: pub 1024D/F0D7313C sub 2048g/6AA2EDDB ar@rhwd.net 7D44 F4E3 1993 FDDF 552E 7C88 EE9C CBD1 F0D7 313C Securing Debian: http://joker.rhwd.de/doc/Securing-Debian-HOWTO

8567

Age (days ago)

8570

Last active (days ago)

List overview

Download

6 comments

4 participants

participants (4)

Alexander Reelsen
Charles Price
Markus Gaugusch
RoMaN SoFt / LLFB!!