Re: NAT'd ident support
On Wed, Jan 17, 2001 at 02:16:32AM -0600, Tod McQuillin wrote:
> > This would be a _really_ tough thing to do. How do you propose that
> > such a thing would work? How does a NAT machine know which box to send
> > the incoming ident request?
>
> There would have to be an identd daemon which could look at the kernel's
> internal state to find currently NATed tcp connections. For instance, on
> Redhat linux there is a 'netstat -M' command which shows currently
> "masqueraded" connections. I'm sure similar information could be obtained
> from ipf.
I was planning to hack together my own brand of midentd with a perl script
running as either user daemon or user nobody and <somegroup>, to parse the
output of the following C program. Ownership will be root.<somegroup>,
permissions 4110. Based on what connections are currently active, my perl
script would send off its own ident request to the internal network.
#include <stdio.h>
#include <stdlib.h>   /* exit() */
#include <unistd.h>

/* setuid-root wrapper: its only job is to run "ipfstat -s" so that the
 * unprivileged ident script can read the NAT state table. */
int main(void)
{
    /* become root for real (not just effectively) before the exec */
    setuid(0); seteuid(0); setgid(0); setegid(0);
    /* fixed absolute path and argument list: the caller cannot choose what runs */
    execl("/sbin/ipfstat", "ipfstat", "-s", (char *)0);
    perror("Exec failed");   /* only reached if the exec itself fails */
    exit(1);
}
...but I'm not sure if things are worth the trouble or not.
--
Bill Jonas | "In contrast to the What You See Is What You
bill@billjonas.com | Get (WYSIWYG) philosophy, UNIX is the You
http://www.billjonas.com/ | Asked For It, You Got It operating system."
http://www.debian.org/ | --Scott Lee, as quoted by Lamb and Robbins
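An added example (not Bill's Perl script, nor any ipf or midentd code) of the port-pair mapping such a NAT-side identd has to do, in Python. The NAT state lines below are a constructed layout for this example, not the real output of 'ipfstat -s'; the remote host's RFC 1413 query "<port-on-server>, <port-on-client>" is looked up in the NAT table and rewritten for the internal host, and the internal host's answer is rewritten back.

```python
import re
# Constructed sample NAT state, one active TCP connection per line:
#   internal_ip:port -> external_ip:masqueraded_port -> remote_ip:port
# (a made-up layout for this example, NOT the real 'ipfstat -s' output)
SAMPLE_NAT_STATE = """\
192.168.1.10:1045 -> 203.0.113.5:61001 -> 198.51.100.7:25
192.168.1.11:2200 -> 203.0.113.5:61002 -> 198.51.100.9:6667
"""
_LINE = re.compile(r"^(\S+):(\d+) -> \S+:(\d+) -> (\S+):(\d+)$")
_QUERY = re.compile(r"^\s*(\d{1,5})\s*,\s*(\d{1,5})\s*$")

def parse_nat_state(text):
    """Index (masq_port, remote_ip, remote_port) -> (internal_ip, internal_port)."""
    table = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            iip, iport, mport, rip, rport = m.groups()
            table[(int(mport), rip, int(rport))] = (iip, int(iport))
    return table

def parse_query(line):
    """RFC 1413 query: '<port-on-server>, <port-on-client>'. None if malformed."""
    m = _QUERY.match(line)
    if not m:
        return None
    sport, cport = int(m.group(1)), int(m.group(2))
    if not (1 <= sport <= 65535 and 1 <= cport <= 65535):
        return None
    return sport, cport

def rewrite_query(line, remote_ip, table):
    """Map the remote host's query onto the NAT'd connection it names.
    Returns (internal_ip, query_to_send_inside) or (None, error_reply); only
    hosts in the NAT table are ever queried, and only about their own pair."""
    q = parse_query(line)
    if q is None:
        return None, "0 , 0 : ERROR : INVALID-PORT"
    sport, cport = q
    hit = table.get((sport, remote_ip, cport))
    if hit is None:
        return None, f"{sport} , {cport} : ERROR : NO-USER"
    iip, iport = hit
    return iip, f"{iport} , {cport}"

def rewrite_reply(internal_reply, sport, cport):
    """Put the remote host's port pair back in front of the internal answer."""
    _, _, rest = internal_reply.partition(":")
    return f"{sport} , {cport} :{rest}"
```

The lookup is keyed on the remote address as well as the port pair, so a query from a host that does not own the connection gets NO-USER rather than a forwarded request to the internal network.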