IPFW UID match questions

Jeremy Chadwick koitsu at FreeBSD.org
Thu Oct 16 21:20:51 PDT 2008


On Fri, Oct 17, 2008 at 09:10:05AM +0700, Kalpin Erlangga Silaen wrote:
> Dear all,
> 
> I tried to implement IPFW rules like below on my shell server:
> 
> /sbin/ipfw -q add 18600 allow tcp from any to personal_ip in
> /sbin/ipfw -q add 18650 allow tcp from personal_ip to any out uid kalpin
> /sbin/ipfw -q add 18660 allow tcp from personal_ip to any out uid root
> /sbin/ipfw -q add 18670 allow tcp from personal_ip to any out uid nobody
> /sbin/ipfw -q add 18700 deny tcp from personal_ip to any out
> 
> I hope that with these rules, only user kalpin can use the vhost
> personal_ip. Below is a brief description:
> 
> line 1 will allow all TCP incoming packets to personal_ip
> line 2 will allow TCP outgoing packets from personal_ip to anywhere if
> they match uid kalpin
> line 3 same as line 2 if they match uid root (to respond to identd requests
> from the IRC network if identd runs as root)
> line 4 same as line 3 if they match uid nobody (to respond to identd requests
> from the IRC network if identd drops to nobody)
> line 5 will deny all TCP outgoing packets
> 
> But the IRC network still cannot get an ident response from my server. If I
> remove line 5, then the IRC network gets the identd response. My identd process is:
> 
> root 63932 0.0 0.1 3136 1028 ?? Ss 1:46AM 0:00.03
> /usr/local/sbin/oidentd -C /usr/local/etc/oidentd.conf
> 
> Is there anything else that should be done to fix this problem?

The problem is that you're not allowing incoming connections to
personal_ip on TCP port 113 (ident/auth).  Add this rule:

/sbin/ipfw -q add 18680 allow tcp from personal_ip 113 to any out

You can also replace "113" with "auth" or "ident" if you want (see
/etc/services).

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
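The thread hinges on ipfw's first-match semantics: rules are tried in ascending rule-number order and the first one that matches decides, so the suggested rule 18680 lands between the uid rules and the deny at 18700 no matter when it is added. The following is an added example, not code from the thread or from FreeBSD: a small Python evaluator for exactly the rule subset used above (allow/deny, tcp, from/to with optional source port, in/out, uid). The address 192.0.2.10 stands in for personal_ip, the remote addresses and ports are constructed, and the ident-reply packet is modelled with an unknown socket owner (uid None) because the thread reports only the symptom that none of the uid rules matched, not the cause.

```python
"""Added example (not from the thread): a first-match evaluator for the small
ipfw rule subset used in the post, showing why rule 18680 changes the outcome."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed stand-in for the vhost address the thread calls "personal_ip".
PERSONAL_IP = "192.0.2.10"

# The five rules from the post and the rule the reply suggests adding.
ORIGINAL_RULES = [
    "/sbin/ipfw -q add 18600 allow tcp from any to personal_ip in",
    "/sbin/ipfw -q add 18650 allow tcp from personal_ip to any out uid kalpin",
    "/sbin/ipfw -q add 18660 allow tcp from personal_ip to any out uid root",
    "/sbin/ipfw -q add 18670 allow tcp from personal_ip to any out uid nobody",
    "/sbin/ipfw -q add 18700 deny tcp from personal_ip to any out",
]
FIX_RULE = "/sbin/ipfw -q add 18680 allow tcp from personal_ip 113 to any out"


@dataclass
class Rule:
    number: int
    action: str                 # "allow" or "deny"
    proto: str
    src: str                    # "any" or an address
    src_port: Optional[int]
    dst: str
    dst_port: Optional[int]
    direction: Optional[str]    # "in", "out" or None (matches either)
    uid: Optional[str]          # required owner of the local socket, or None


@dataclass
class Packet:
    proto: str
    src: str
    src_port: int
    dst: str
    dst_port: int
    direction: str
    uid: Optional[str]          # owner of the local socket as the firewall sees it


def parse_rule(line: str) -> Rule:
    """Parse '[/sbin/ipfw] [-q] add N action proto from A [port] to B [port] [in|out] [uid u]'."""
    tok = line.split()
    i = tok.index("add")
    number, action, proto = int(tok[i + 1]), tok[i + 2], tok[i + 3]
    assert tok[i + 4] == "from"
    src, i = tok[i + 5], i + 6
    src_port = None
    if tok[i] != "to":                       # optional source port, e.g. "personal_ip 113"
        src_port, i = int(tok[i]), i + 1
    assert tok[i] == "to"
    dst, i = tok[i + 1], i + 2
    dst_port = None
    if i < len(tok) and tok[i] not in ("in", "out", "uid"):
        dst_port, i = int(tok[i]), i + 1
    direction = uid = None
    while i < len(tok):
        if tok[i] in ("in", "out"):
            direction, i = tok[i], i + 1
        elif tok[i] == "uid":
            uid, i = tok[i + 1], i + 2
        else:
            raise ValueError(f"unsupported option {tok[i]!r}")
    return Rule(number, action, proto, src, src_port, dst, dst_port, direction, uid)


def matches(rule: Rule, pkt: Packet) -> bool:
    addr_ok = lambda want, have: want == "any" or want == have
    port_ok = lambda want, have: want is None or want == have
    return (rule.proto == pkt.proto
            and addr_ok(rule.src, pkt.src) and port_ok(rule.src_port, pkt.src_port)
            and addr_ok(rule.dst, pkt.dst) and port_ok(rule.dst_port, pkt.dst_port)
            and (rule.direction is None or rule.direction == pkt.direction)
            and (rule.uid is None or rule.uid == pkt.uid))


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, int]:
    """ipfw semantics: try rules in ascending number; the first match decides.
    Falls through to the implicit rule 65535, modelled here as deny (FreeBSD's
    compile-time default unless the kernel is built to accept by default)."""
    for rule in sorted(rules, key=lambda r: r.number):   # number, not insertion order
        if matches(rule, pkt):
            return rule.action, rule.number
    return "deny", 65535


def original_rules() -> List[Rule]:
    return [parse_rule(r.replace("personal_ip", PERSONAL_IP)) for r in ORIGINAL_RULES]


def fixed_rules() -> List[Rule]:
    return original_rules() + [parse_rule(FIX_RULE.replace("personal_ip", PERSONAL_IP))]


# Constructed packets. uid=None on the ident reply models the reported symptom:
# the socket owner the firewall sees matches none of the listed uids.
IDENT_REQUEST_IN = Packet("tcp", "198.51.100.7", 40123, PERSONAL_IP, 113, "in", None)
IDENT_REPLY_OUT = Packet("tcp", PERSONAL_IP, 113, "198.51.100.7", 40123, "out", None)
KALPIN_IRC_OUT = Packet("tcp", PERSONAL_IP, 51515, "198.51.100.7", 6667, "out", "kalpin")
OTHER_USER_OUT = Packet("tcp", PERSONAL_IP, 52000, "198.51.100.7", 80, "out", "alice")

if __name__ == "__main__":
    for name, pkt in [("ident request in", IDENT_REQUEST_IN), ("ident reply out", IDENT_REPLY_OUT),
                      ("kalpin irc out", KALPIN_IRC_OUT), ("other user out", OTHER_USER_OUT)]:
        print(f"{name:17} original={evaluate(original_rules(), pkt)} fixed={evaluate(fixed_rules(), pkt)}")
```

Running it shows the ident reply hitting the deny at 18700 under the original rules and the allow at 18680 once the fix is present, while an outbound connection by some other user still reaches 18700 in both sets: the added rule opens only replies sourced from port 113, not general outbound traffic.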