
Filter-IDENT help set up please?

Discussion in 'Tomato Firmware' started by FattysGoneWild, Apr 10, 2009.

  1. FattysGoneWild

    FattysGoneWild LI Guru Member

    I noticed in the Tomato FAQ it says the following: Filter IDENT -- Not supported, but you can use Access Restriction to block destination port 113. Can you please tell me the selection I am supposed to choose in the drop down box?

  2. Kiwi8

    Kiwi8 LI Guru Member

    Destination Port
  3. FattysGoneWild

    FattysGoneWild LI Guru Member

    Thank you much!
  4. mrap

    mrap Addicted to LI Member

    So without that rule, the router responds to IDENT???
  5. FattysGoneWild

    FattysGoneWild LI Guru Member

    Yes it does.

  6. fyellin

    fyellin LI Guru Member

    Are you sure? The page you're looking at is for blocking what internal sites can do, not what outside sites can do. You're blocking internal sites for using IDENT on outside servers.

    I have done absolutely nothing to my server in this regard (having never heard of IDENT), and I can vouch that it does not answer port 113.
  7. FattysGoneWild

    FattysGoneWild LI Guru Member

    Really? Hmmm. I went off of the Tomato faq and thought that was good enough info for me. I stand corrected then if you are right about it. I never even tested without that rule in place. From day 1 I always made that rule because of the faq.


    I also found this in the Linksys WRT54GL user manual.

    Filter IDENT (Port 113) This feature keeps port 113 from
    being scanned by devices outside of your local network.
    This feature is selected by default. Deselect this feature to
    disable it.

    Now that I recall. That was another reason why I had thought it needed to be added.

  8. Trademark

    Trademark Network Guru Member

    I have found in its default state, Tomato RAF passes the Shield's Up test as Full Stealth with port 113 shown as stealth. When I run an individual port scan on 113 using t1shopper, it does not respond. Just FYI.
  9. RonWessels

    RonWessels Network Guru Member

    For people wondering what IDENT does, here's the rationale.

    The IDENT service stems from the days when the Internet was accessed by people logged into a central server, such as students at University with centralized servers. As such, if mis-use of the Internet was done, having only the time and machine (ie. the IP address) was insufficient to identify the culprit. So an IDENT daemon was created that ran on the central server and identified the user associated with a particular TCP/IP port connection. In that way, the remote site could identify not only the machine performing the malfeasance, but the actual user as well. Various servers were modified to contact the IDENT daemon on a client's machine when accessed.

    Contacting the IDENT daemon would (at the time) result in one of two possibilities: either there was an IDENT daemon running or there was not. In the latter case, the attempt to open the server on port 113 would result in a failure. Either way, the additional overhead was minimized.

    Now, enter the days of stealth ports. With port 113 stealthed, a remote server that was attempting to contact the client's IDENT daemon would have to timeout the connection attempt, resulting in a lengthy delay in completing the original service request. To compensate, people often left port 113 as closed rather than stealth'ed. Even more intelligent routers would adaptively respond on port 113: if a connection was made to a remote site, a query from that remote site on port 113 would show closed, but if there was no previous connection, a query would show port 113 as stealth'ed.

    Now, all of this stuff is pretty much moot nowadays.
  10. jan.n

    jan.n Addicted to LI Member

    No, it doesn't: A vanilla Tomato 1.25 does not - at least not mine.

    IMHO this thread creates quite some FUD and Tomato newbies become really unsure as to whether Tomato is really secure.

    Please show me the iptables rule and chain, which permit port 113 to be accessed from the wan port.
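
Added example, not part of any post in this thread: a small Python check that distinguishes the three port 113 states discussed above (open, closed, stealth) and times each attempt, which makes the timeout delay RonWessels describes visible. The function name `classify_port`, the 3-second timeout and the state labels are choices made for this example.

```python
import errno
import socket
import sys
import time

IDENT_PORT = 113  # TCP port of the IDENT service discussed in the thread


def classify_port(host, port=IDENT_PORT, timeout=3.0):
    """Return (state, seconds_taken) for one TCP connection attempt.

    open        -- handshake completed, a daemon is listening
    closed      -- the host answered with a TCP RST (fast failure)
    stealth     -- no reply before the timeout (packet silently dropped)
    unreachable -- an ICMP unreachable error came back, or no route exists
    """
    start = time.monotonic()
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        state = "open"
    except ConnectionRefusedError:
        state = "closed"
    except socket.timeout:
        state = "stealth"
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            state = "unreachable"
        else:
            raise
    finally:
        sock.close()
    return state, time.monotonic() - start


if __name__ == "__main__":
    # Usage: python ident_check.py <address you administer>
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    state, took = classify_port(target)
    # A "closed" port fails almost instantly; a "stealth" port costs the
    # caller the full timeout, which is the delay remote servers used to hit.
    print(f"{target}:{IDENT_PORT} is {state} (answered in {took:.2f}s)")
```

To see what the router exposes on its WAN side, run this from a host outside the LAN against the router's public address; a run from inside the LAN only shows the LAN-side behaviour.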
