oidentd in jail environment.

Hi.

I am trying to get oidentd to work inside the jail. I have confirmed that oidentd is running in the jail (nmap).

I have configured a global forced ident reply in oidentd.conf:

Code:
default {
    default {
        force reply "51"
    }
}

So far I can't get ident responses to work.

I have NAT on the host system (I am using PF), so I have added port forwarding to pf.conf.

Code:
nat on $int_if from $oidentd to any -> ($ext_if)

Code:
rdr pass on $ext_if proto tcp from any to $ext_if port 113 -> $oidentd port 113

Do I need to fix NAT for $oidentd to get packets forwarded correctly?

- Folivora
 
Hi,

I changed

Code:
nat on $int_if from $oidentd to any -> ($ext_if)

to

Code:
nat on $ext_if from $oidentd to any -> ($ext_if)

I am still having the same problem. I also added the following line to allow port 113.

Code:
pass in quick on $ext_if inet proto tcp from any to $oidentd port 113 keep state

From what I understand of PF, these rules should be enough. Please correct me if I am wrong.

-Folivora
 
Make sure oidentd is bound to the jail's IP address and not on all (*) addresses.
 
Hi,

Could you tell me how I can make sure that oidentd is bound to the jail's IP address?
I looked at oidentd.conf and it seems that there is no option to change that?

Folivora
 
Hi.

-a <address|hostname> seems to do the trick.

So I tried:

Code:
8246  0.0  0.0  5828  1348  ??  IsJ   5:35PM   0:00.00 /usr/local/sbin/oidentd -a 10.10.10.3 -C /usr/local/etc/oidentd.conf

With the above PF rules, ident is still not working.

If I telnet to my external IP address on port 113, it answers, so the rdr for port 113 is working. Could it be NAT which is causing this problem?

Any other ideas ?

- Folivora
 
Some more...

It seems that queries are now reaching the oidentd daemon:

When I debug it, I see the following lines.

Code:
Starting oidentd.
Connection from 192.98.101.228:52766
[192.98.101.228] 56493 , 6667 : ERROR : NO-USER

I've read the man page; there is info that I should use the -m / --masquerade option. When I add the -m option to the oidentd_flags option in rc.conf, oidentd fails to start up.

Any ideas?

- Folivora
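The rules above are spread over several posts and the NAT rule was changed mid-thread, so here is a consolidated pf.conf fragment for the same setup. This is an added example, not a configuration posted by anyone in the thread; the interface names em0 and lo1 are assumed, and the jail address 10.10.10.3 is taken from the ps output above. The one thing it adds beyond the posted rules is the static-port keyword on the nat rule: by default pf rewrites the source port of translated connections, so the local port the IRC server names in its ident query (56493 in the debug output) is not the port the jail's socket actually uses, and oidentd inside the jail, which cannot see the host's NAT table, answers ERROR : NO-USER. That this is the cause here is an assumption based on the debug output, not something the thread confirms.

```pf
# Added example for this thread (not the poster's pf.conf).
# Assumed interface names; the jail address is from the thread.
ext_if  = "em0"
int_if  = "lo1"
oidentd = "10.10.10.3"

# Outbound NAT for the jail, anchored on the external interface.
# static-port: do not rewrite the jail's source port, so the port pair an
# IRC server sends in its ident query matches the jail's own socket table.
# (Assumption: this is what turns the NO-USER reply into a real answer.)
nat on $ext_if from $oidentd to any -> ($ext_if) static-port

# Redirect incoming ident queries hitting the external address to the jail.
# Plain rdr (not "rdr pass") so the explicit pass rule below does the filtering.
rdr on $ext_if proto tcp from any to ($ext_if) port 113 -> $oidentd port 113

# Filter rules are evaluated after translation, so match the jail address.
pass in quick on $ext_if inet proto tcp from any to $oidentd port 113 keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, and after an IRC connection from the jail run `pfctl -s state` on the host: with static-port the translated entry should show the same source port on both sides of the arrow. Inside the jail, `sockstat -4l` should list oidentd listening on 10.10.10.3:113 rather than *:113, which is the check the earlier reply in this thread asked for.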
 