1. Move the section about inetd to the beginning of this chapter, rather
than the end.

2. Also, avoid acronyms in sect1 titles where possible.  Prefer Network
File System (NFS), Network Information System (NIS/YP), etc. to just
the acronyms alone.

(2) Suggested by:	tom@
Murray Stokely 2004-07-13 05:32:42 +00:00
parent 6f04b3910f
commit 2427cd68b8
Notes: svn2git 2020-12-08 03:00:23 +00:00
svn path=/head/; revision=21465


@ -19,6 +19,11 @@
<para>After reading this chapter, you will know:</para>
<itemizedlist>
<listitem>
<para>How to manage the <application>inetd</application> daemon.</para>
</listitem>
<listitem>
<para>How to set up a network filesystem.</para>
</listitem>
@ -41,10 +46,6 @@
time server, with the NTP protocol.</para>
</listitem>
<listitem>
<para>How to manage the <application>inetd</application> daemon.</para>
</listitem>
</itemizedlist>
<para>Before reading this chapter, you should:</para>
@ -60,6 +61,452 @@
</itemizedlist>
</sect1>
<sect1 id="network-inetd">
<sect1info>
<authorgroup>
<author>
<firstname>Chern</firstname>
<surname>Lee</surname>
<contrib>Contributed by </contrib>
</author>
</authorgroup>
</sect1info>
<title>The <application>inetd</application> <quote>Super-Server</quote></title>
<sect2 id="network-inetd-overview">
<title>Overview</title>
<para>&man.inetd.8; is referred to as the <quote>Internet
Super-Server</quote> because it manages connections for several
daemons. Programs that provide network service are commonly
known as daemons. <application>inetd</application> serves as a
managing server for other daemons. When a connection is
received by <application>inetd</application>, it determines
which daemon the connection is destined for, spawns the
particular daemon and delegates the socket to it. Running one
instance of <application>inetd</application> reduces the overall
system load as compared to running each daemon individually in
stand-alone mode.</para>
<para>Primarily, <application>inetd</application> is used to
spawn other daemons, but several trivial protocols are handled
directly, such as <application>chargen</application>,
<application>auth</application>, and
<application>daytime</application>.</para>
<para>This section will cover the basics in configuring
<application>inetd</application> through its command-line
options and its configuration file,
<filename>/etc/inetd.conf</filename>.</para>
</sect2>
<sect2 id="network-inetd-settings">
<title>Settings</title>
<para><application>inetd</application> is initialized through
the <filename>/etc/rc.conf</filename> system. The
<literal>inetd_enable</literal> option is set to
<literal>NO</literal> by default, but is often times turned on by
<application>sysinstall</application> with the medium security
profile. Placing:
<programlisting>inetd_enable="YES"</programlisting> or
<programlisting>inetd_enable="NO"</programlisting> into
<filename>/etc/rc.conf</filename> can enable or disable
<application>inetd</application> starting at boot time.</para>
<para>Additionally, different command-line options can be passed
to <application>inetd</application> via the
<literal>inetd_flags</literal> option.</para>
</sect2>
<sect2 id="network-inetd-cmdline">
<title>Command-Line Options</title>
<para><application>inetd</application> synopsis:</para>
<para><option> inetd [-d] [-l] [-w] [-W] [-c maximum] [-C rate] [-a address | hostname]
[-p filename] [-R rate] [configuration file]</option></para>
<variablelist>
<varlistentry>
<term>-d</term>
<listitem>
<para>Turn on debugging.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-l</term>
<listitem>
<para>Turn on logging of successful connections.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-w</term>
<listitem>
<para>Turn on TCP Wrapping for external services (on by
default).</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-W</term>
<listitem>
<para>Turn on TCP Wrapping for internal services which are
built into <application>inetd</application> (on by
default).</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-c maximum</term>
<listitem>
<para>Specify the default maximum number of simultaneous
invocations of each service; the default is unlimited.
May be overridden on a per-service basis with the
<option>max-child</option> parameter.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-C rate</term>
<listitem>
<para>Specify the default maximum number of times a
service can be invoked from a single IP address in one
minute; the default is unlimited. May be overridden on a
per-service basis with the
<option>max-connections-per-ip-per-minute</option>
parameter.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-R rate</term>
<listitem>
<para>Specify the maximum number of times a service can be
invoked in one minute; the default is 256. A rate of 0
allows an unlimited number of invocations.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-a</term>
<listitem>
<para>Specify one specific IP address to bind to.
Alternatively, a hostname can be specified, in which case
the IPv4 or IPv6 address which corresponds to that
hostname is used. Usually a hostname is specified when
<application>inetd</application> is run inside a
&man.jail.8;, in which case the hostname corresponds to
the &man.jail.8; environment.</para>
<para>When hostname specification is used and both IPv4
and IPv6 bindings are desired, one entry with the
appropriate protocol type for each binding is required for
each service in <filename>/etc/inetd.conf</filename>. For
example, a TCP-based service would need two entries, one
using <literal>tcp4</literal> for the protocol and the other using
<literal>tcp6</literal>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-p</term>
<listitem>
<para>Specify an alternate file in which to store the
process ID.</para>
</listitem>
</varlistentry>
</variablelist>
<para>These options can be passed to
<application>inetd</application> using the
<literal>inetd_flags</literal> option in
<filename>/etc/rc.conf</filename>. By default,
<literal>inetd_flags</literal> is set to <literal>-wW</literal>,
which turns on TCP wrapping for
<application>inetd</application>'s internal and external
services. For novice users, these parameters usually do not need
to be modified or even entered in
<filename>/etc/rc.conf</filename>.</para>
<note>
<para>An external service is a daemon outside of
<application>inetd</application>, which is invoked when a
connection is received for it. On the other hand, an internal
service is one that <application>inetd</application> has the
facility of offering within itself.</para>
</note>
</sect2>
<sect2 id="network-inetd-conf">
<title><filename>inetd.conf</filename></title>
<para>Configuration of <application>inetd</application> is
controlled through the <filename>/etc/inetd.conf</filename>
file.</para>
<para>When a modification is made to
<filename>/etc/inetd.conf</filename>,
<application>inetd</application> can be forced to re-read its
configuration file by sending a HangUP signal to the
<application>inetd</application> process as shown:</para>
<example id="network-inetd-hangup">
<title>Sending <application>inetd</application> a HangUP Signal</title>
<screen>&prompt.root; <userinput>kill -HUP `cat /var/run/inetd.pid`</userinput></screen>
</example>
<para>Each line of the configuration file specifies an
individual daemon. Comments in the file are preceded by a
<quote>#</quote>. The format of
<filename>/etc/inetd.conf</filename> is as follows:</para>
<programlisting>service-name
socket-type
protocol
{wait|nowait}[/max-child[/max-connections-per-ip-per-minute]]
user[:group][/login-class]
server-program
server-program-arguments</programlisting>
<para>An example entry for the <application>ftpd</application> daemon
using IPv4:</para>
<programlisting>ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l</programlisting>
<variablelist>
<varlistentry>
<term>service-name</term>
<listitem>
<para>This is the service name of the particular daemon.
It must correspond to a service listed in
<filename>/etc/services</filename>. This determines which
port <application>inetd</application> must listen to. If
a new service is being created, it must be placed in
<filename>/etc/services</filename>
first.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>socket-type</term>
<listitem>
<para>Either <literal>stream</literal>,
<literal>dgram</literal>, <literal>raw</literal>, or
<literal>seqpacket</literal>. <literal>stream</literal>
must be used for connection-based, TCP daemons, while
<literal>dgram</literal> is used for daemons utilizing the
UDP transport protocol.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>protocol</term>
<listitem>
<para>One of the following:</para>
<informaltable frame="none">
<tgroup cols="2">
<thead>
<row>
<entry>Protocol</entry>
<entry>Explanation</entry>
</row>
</thead>
<tbody>
<row>
<entry>tcp, tcp4</entry>
<entry>TCP IPv4</entry>
</row>
<row>
<entry>udp, udp4</entry>
<entry>UDP IPv4</entry>
</row>
<row>
<entry>tcp6</entry>
<entry>TCP IPv6</entry>
</row>
<row>
<entry>udp6</entry>
<entry>UDP IPv6</entry>
</row>
<row>
<entry>tcp46</entry>
<entry>Both TCP IPv4 and v6</entry>
</row>
<row>
<entry>udp46</entry>
<entry>Both UDP IPv4 and v6</entry>
</row>
</tbody>
</tgroup>
</informaltable>
</listitem>
</varlistentry>
<varlistentry>
<term>{wait|nowait}[/max-child[/max-connections-per-ip-per-minute]]</term>
<listitem>
<para><option>wait|nowait</option> indicates whether the
daemon invoked from <application>inetd</application> is
able to handle its own socket or not.
<option>dgram</option> socket types must use the <option>wait</option>
option, while stream socket daemons, which are usually
multi-threaded, should use <option>nowait</option>.
<option>wait</option> usually hands off multiple sockets
to a single daemon, while <option>nowait</option> spawns a
child daemon for each new socket.</para>
<para>The maximum number of child daemons
<application>inetd</application> may spawn can be set using
the <option>max-child</option> option. If a limit of ten
instances of a particular daemon is needed, a
<literal>/10</literal> would be placed after
<option>nowait</option>.</para>
<para>In addition to <option>max-child</option>, another
option limiting the maximum connections from a single
place to a particular daemon can be enabled.
<option>max-connections-per-ip-per-minute</option> does
just this. A value of ten here would limit any particular
IP address connecting to a particular service to ten
attempts per minute. This is useful to prevent
intentional or unintentional resource consumption and
Denial of Service (DoS) attacks to a machine.</para>
<para>In this field, <option>wait</option> or
<option>nowait</option> is mandatory.
<option>max-child</option> and
<option>max-connections-per-ip-per-minute</option> are
optional.</para>
<para>A stream-type multi-threaded daemon without any
<option>max-child</option> or
<option>max-connections-per-ip-per-minute</option> limits
would simply be: <literal>nowait</literal>.</para>
<para>The same daemon with a maximum limit of ten daemons
would read: <literal>nowait/10</literal>.</para>
<para>Additionally, the same setup with a limit of twenty
connections per IP address per minute and a maximum
total limit of ten child daemons would read:
<literal>nowait/10/20</literal>.</para>
<para>These options are all utilized by the default
settings of the <application>fingerd</application> daemon,
as seen here:</para>
<programlisting>finger stream tcp nowait/3/10 nobody /usr/libexec/fingerd fingerd -s</programlisting>
</listitem>
</varlistentry>
<varlistentry>
<term>user</term>
<listitem>
<para>This is the username that the particular daemon
should run as. Most commonly, daemons run as the
<username>root</username> user. For security purposes, it is
common to find some servers running as the
<username>daemon</username> user, or the least privileged
<username>nobody</username> user.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>server-program</term>
<listitem>
<para>The full path of the daemon to be executed when a
connection is received. If the daemon is a service
provided by <application>inetd</application> internally,
then <option>internal</option> should be
used.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>server-program-arguments</term>
<listitem>
<para>This works in conjunction with
<option>server-program</option> by specifying the
arguments, starting with <literal>argv[0]</literal>, passed to the daemon on
invocation. If <command>mydaemon -d</command> is
the command line, <literal>mydaemon -d</literal> would be
the value of <option>server-program-arguments</option>.
Again, if the daemon is an internal service, use
<option>internal</option> here.</para>
</listitem>
</varlistentry>
</variablelist>
</sect2>
<sect2 id="network-inetd-security">
<title>Security</title>
<para>Depending on the security profile chosen at install, many
of <application>inetd</application>'s daemons may be enabled by
default. If there is no apparent need for a particular daemon,
disable it! Place a <quote>#</quote> in front of the daemon in
question, and send a <link linkend="network-inetd-hangup">hangup signal
to inetd</link>.
Some daemons, such as <application>fingerd</application>, may
not be desired at all because they provide an attacker with too
much information.</para>
<para>Some daemons are not security-conscious and have long, or
non-existent timeouts for connection attempts. This allows an
attacker to slowly send connections to a particular daemon, thus
saturating available resources. It may be a good idea to place
<option>max-connections-per-ip-per-minute</option> and <option>max-child</option>
limitations on certain daemons.</para>
<para>By default, TCP wrapping is turned on. Consult the
&man.hosts.access.5; manual page for more information on placing
TCP restrictions on various <application>inetd</application>
invoked daemons.</para>
</sect2>
<sect2 id="network-inetd-misc">
<title>Miscellaneous</title>
<para><application>daytime</application>,
<application>time</application>,
<application>echo</application>,
<application>discard</application>,
<application>chargen</application>, and
<application>auth</application> are all internally provided
services of <application>inetd</application>.</para>
<para>The <application>auth</application> service provides identity
(<application>ident</application>, <application>identd</application>) network services, and is configurable to a certain
degree.</para>
<para>Consult the &man.inetd.8; manual page for more in-depth
information.</para>
</sect2>
</sect1>
<sect1 id="network-nfs">
<sect1info>
<authorgroup>
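Review bot: the `<term>` entries for `-a` and `-p` in the moved Command-Line Options list drop their arguments, while the synopsis just above them shows `-a address | hostname` and `-p filename`; the neighbouring `-c maximum`, `-C rate` and `-R rate` terms do carry theirs, so these two should as well. Two smaller markup points in the same block: the whole synopsis is wrapped in one `<option>` element with a stray leading space (`<option> inetd [-d] ...`), and the `{wait|nowait}` entry tags the socket type as `<option>dgram</option>` where the `socket-type` entry directly above uses `<literal>dgram</literal>`. Since the section is otherwise moved verbatim, these are fine to pick up in a follow-up rather than mixing content fixes into the move.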
@ -77,7 +524,7 @@
</author>
</authorgroup>
</sect1info>
<title>NFS</title>
<title>Network File System (NFS)</title>
<indexterm><primary>NFS</primary></indexterm>
<para>Among the many different filesystems that FreeBSD supports is
@ -622,7 +1069,7 @@ Exports list on foobar:
</author>
</authorgroup>
</sect1info>
<title>NIS/YP</title>
<title>Network Information System (NIS/YP)</title>
<sect2>
<title>What Is It?</title>
@ -1968,7 +2415,7 @@ nis_client_flags="-S <replaceable>NIS domain</replaceable>,<replaceable>server</
</author>
</authorgroup>
</sect1info>
<title>DHCP</title>
<title>Automatic Network Configuration (DHCP)</title>
<sect2>
<title>What Is DHCP?</title>
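Review bot: `Automatic Network Configuration (DHCP)` does not expand the acronym, unlike the `Network File System (NFS)` and `Domain Name System (DNS)` retitles elsewhere in this commit; `Dynamic Host Configuration Protocol (DHCP)` would follow the pattern the commit message asks for.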
@ -2379,7 +2826,7 @@ host mailhost {
</author>
</authorgroup>
</sect1info>
<title>DNS</title>
<title>Domain Name System (DNS)</title>
<sect2>
<title>Overview</title>
@ -3438,7 +3885,7 @@ zone "10.168.192.in-addr.arpa" in {
</author>
</authorgroup>
</sect1info>
<title>NTP</title>
<title>Clock Synchronization with NTP</title>
<indexterm><primary>NTP</primary></indexterm>
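Review bot: `Clock Synchronization with NTP` leaves the acronym unexpanded and also breaks the `Long Name (ACRONYM)` form the other retitled sect1s use; `Network Time Protocol (NTP)` or `Clock Synchronization with the Network Time Protocol (NTP)` would be consistent with them.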
@ -3669,451 +4116,6 @@ driftfile /var/db/ntp.drift</programlisting>
</sect2>
</sect1>
<sect1 id="network-inetd">
<sect1info>
<authorgroup>
<author>
<firstname>Chern</firstname>
<surname>Lee</surname>
<contrib>Contributed by </contrib>
</author>
</authorgroup>
</sect1info>
<title>The <application>inetd</application> <quote>Super-Server</quote></title>
<sect2 id="network-inetd-overview">
<title>Overview</title>
<para>&man.inetd.8; is referred to as the <quote>Internet
Super-Server</quote> because it manages connections for several
daemons. Programs that provide network service are commonly
known as daemons. <application>inetd</application> serves as a
managing server for other daemons. When a connection is
received by <application>inetd</application>, it determines
which daemon the connection is destined for, spawns the
particular daemon and delegates the socket to it. Running one
instance of <application>inetd</application> reduces the overall
system load as compared to running each daemon individually in
stand-alone mode.</para>
<para>Primarily, <application>inetd</application> is used to
spawn other daemons, but several trivial protocols are handled
directly, such as <application>chargen</application>,
<application>auth</application>, and
<application>daytime</application>.</para>
<para>This section will cover the basics in configuring
<application>inetd</application> through its command-line
options and its configuration file,
<filename>/etc/inetd.conf</filename>.</para>
</sect2>
<sect2 id="network-inetd-settings">
<title>Settings</title>
<para><application>inetd</application> is initialized through
the <filename>/etc/rc.conf</filename> system. The
<literal>inetd_enable</literal> option is set to
<literal>NO</literal> by default, but is often times turned on by
<application>sysinstall</application> with the medium security
profile. Placing:
<programlisting>inetd_enable="YES"</programlisting> or
<programlisting>inetd_enable="NO"</programlisting> into
<filename>/etc/rc.conf</filename> can enable or disable
<application>inetd</application> starting at boot time.</para>
<para>Additionally, different command-line options can be passed
to <application>inetd</application> via the
<literal>inetd_flags</literal> option.</para>
</sect2>
<sect2 id="network-inetd-cmdline">
<title>Command-Line Options</title>
<para><application>inetd</application> synopsis:</para>
<para><option> inetd [-d] [-l] [-w] [-W] [-c maximum] [-C rate] [-a address | hostname]
[-p filename] [-R rate] [configuration file]</option></para>
<variablelist>
<varlistentry>
<term>-d</term>
<listitem>
<para>Turn on debugging.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-l</term>
<listitem>
<para>Turn on logging of successful connections.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-w</term>
<listitem>
<para>Turn on TCP Wrapping for external services (on by
default).</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-W</term>
<listitem>
<para>Turn on TCP Wrapping for internal services which are
built into <application>inetd</application> (on by
default).</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-c maximum</term>
<listitem>
<para>Specify the default maximum number of simultaneous
invocations of each service; the default is unlimited.
May be overridden on a per-service basis with the
<option>max-child</option> parameter.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-C rate</term>
<listitem>
<para>Specify the default maximum number of times a
service can be invoked from a single IP address in one
minute; the default is unlimited. May be overridden on a
per-service basis with the
<option>max-connections-per-ip-per-minute</option>
parameter.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-R rate</term>
<listitem>
<para>Specify the maximum number of times a service can be
invoked in one minute; the default is 256. A rate of 0
allows an unlimited number of invocations.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-a</term>
<listitem>
<para>Specify one specific IP address to bind to.
Alternatively, a hostname can be specified, in which case
the IPv4 or IPv6 address which corresponds to that
hostname is used. Usually a hostname is specified when
<application>inetd</application> is run inside a
&man.jail.8;, in which case the hostname corresponds to
the &man.jail.8; environment.</para>
<para>When hostname specification is used and both IPv4
and IPv6 bindings are desired, one entry with the
appropriate protocol type for each binding is required for
each service in <filename>/etc/inetd.conf</filename>. For
example, a TCP-based service would need two entries, one
using <literal>tcp4</literal> for the protocol and the other using
<literal>tcp6</literal>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-p</term>
<listitem>
<para>Specify an alternate file in which to store the
process ID.</para>
</listitem>
</varlistentry>
</variablelist>
<para>These options can be passed to
<application>inetd</application> using the
<literal>inetd_flags</literal> option in
<filename>/etc/rc.conf</filename>. By default,
<literal>inetd_flags</literal> is set to <literal>-wW</literal>,
which turns on TCP wrapping for
<application>inetd</application>'s internal and external
services. For novice users, these parameters usually do not need
to be modified or even entered in
<filename>/etc/rc.conf</filename>.</para>
<note>
<para>An external service is a daemon outside of
<application>inetd</application>, which is invoked when a
connection is received for it. On the other hand, an internal
service is one that <application>inetd</application> has the
facility of offering within itself.</para>
</note>
</sect2>
<sect2 id="network-inetd-conf">
<title><filename>inetd.conf</filename></title>
<para>Configuration of <application>inetd</application> is
controlled through the <filename>/etc/inetd.conf</filename>
file.</para>
<para>When a modification is made to
<filename>/etc/inetd.conf</filename>,
<application>inetd</application> can be forced to re-read its
configuration file by sending a HangUP signal to the
<application>inetd</application> process as shown:</para>
<example id="network-inetd-hangup">
<title>Sending <application>inetd</application> a HangUP Signal</title>
<screen>&prompt.root; <userinput>kill -HUP `cat /var/run/inetd.pid`</userinput></screen>
</example>
<para>Each line of the configuration file specifies an
individual daemon. Comments in the file are preceded by a
<quote>#</quote>. The format of
<filename>/etc/inetd.conf</filename> is as follows:</para>
<programlisting>service-name
socket-type
protocol
{wait|nowait}[/max-child[/max-connections-per-ip-per-minute]]
user[:group][/login-class]
server-program
server-program-arguments</programlisting>
<para>An example entry for the <application>ftpd</application> daemon
using IPv4:</para>
<programlisting>ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l</programlisting>
<variablelist>
<varlistentry>
<term>service-name</term>
<listitem>
<para>This is the service name of the particular daemon.
It must correspond to a service listed in
<filename>/etc/services</filename>. This determines which
port <application>inetd</application> must listen to. If
a new service is being created, it must be placed in
<filename>/etc/services</filename>
first.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>socket-type</term>
<listitem>
<para>Either <literal>stream</literal>,
<literal>dgram</literal>, <literal>raw</literal>, or
<literal>seqpacket</literal>. <literal>stream</literal>
must be used for connection-based, TCP daemons, while
<literal>dgram</literal> is used for daemons utilizing the
UDP transport protocol.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>protocol</term>
<listitem>
<para>One of the following:</para>
<informaltable frame="none">
<tgroup cols="2">
<thead>
<row>
<entry>Protocol</entry>
<entry>Explanation</entry>
</row>
</thead>
<tbody>
<row>
<entry>tcp, tcp4</entry>
<entry>TCP IPv4</entry>
</row>
<row>
<entry>udp, udp4</entry>
<entry>UDP IPv4</entry>
</row>
<row>
<entry>tcp6</entry>
<entry>TCP IPv6</entry>
</row>
<row>
<entry>udp6</entry>
<entry>UDP IPv6</entry>
</row>
<row>
<entry>tcp46</entry>
<entry>Both TCP IPv4 and v6</entry>
</row>
<row>
<entry>udp46</entry>
<entry>Both UDP IPv4 and v6</entry>
</row>
</tbody>
</tgroup>
</informaltable>
</listitem>
</varlistentry>
<varlistentry>
<term>{wait|nowait}[/max-child[/max-connections-per-ip-per-minute]]</term>
<listitem>
<para><option>wait|nowait</option> indicates whether the
daemon invoked from <application>inetd</application> is
able to handle its own socket or not.
<option>dgram</option> socket types must use the <option>wait</option>
option, while stream socket daemons, which are usually
multi-threaded, should use <option>nowait</option>.
<option>wait</option> usually hands off multiple sockets
to a single daemon, while <option>nowait</option> spawns a
child daemon for each new socket.</para>
<para>The maximum number of child daemons
<application>inetd</application> may spawn can be set using
the <option>max-child</option> option. If a limit of ten
instances of a particular daemon is needed, a
<literal>/10</literal> would be placed after
<option>nowait</option>.</para>
<para>In addition to <option>max-child</option>, another
option limiting the maximum connections from a single
place to a particular daemon can be enabled.
<option>max-connections-per-ip-per-minute</option> does
just this. A value of ten here would limit any particular
IP address connecting to a particular service to ten
attempts per minute. This is useful to prevent
intentional or unintentional resource consumption and
Denial of Service (DoS) attacks to a machine.</para>
<para>In this field, <option>wait</option> or
<option>nowait</option> is mandatory.
<option>max-child</option> and
<option>max-connections-per-ip-per-minute</option> are
optional.</para>
<para>A stream-type multi-threaded daemon without any
<option>max-child</option> or
<option>max-connections-per-ip-per-minute</option> limits
would simply be: <literal>nowait</literal>.</para>
<para>The same daemon with a maximum limit of ten daemons
would read: <literal>nowait/10</literal>.</para>
<para>Additionally, the same setup with a limit of twenty
connections per IP address per minute and a maximum
total limit of ten child daemons would read:
<literal>nowait/10/20</literal>.</para>
<para>These options are all utilized by the default
settings of the <application>fingerd</application> daemon,
as seen here:</para>
<programlisting>finger stream tcp nowait/3/10 nobody /usr/libexec/fingerd fingerd -s</programlisting>
</listitem>
</varlistentry>
<varlistentry>
<term>user</term>
<listitem>
<para>This is the username that the particular daemon
should run as. Most commonly, daemons run as the
<username>root</username> user. For security purposes, it is
common to find some servers running as the
<username>daemon</username> user, or the least privileged
<username>nobody</username> user.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>server-program</term>
<listitem>
<para>The full path of the daemon to be executed when a
connection is received. If the daemon is a service
provided by <application>inetd</application> internally,
then <option>internal</option> should be
used.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>server-program-arguments</term>
<listitem>
<para>This works in conjunction with
<option>server-program</option> by specifying the
arguments, starting with <literal>argv[0]</literal>, passed to the daemon on
invocation. If <command>mydaemon -d</command> is
the command line, <literal>mydaemon -d</literal> would be
the value of <option>server-program-arguments</option>.
Again, if the daemon is an internal service, use
<option>internal</option> here.</para>
</listitem>
</varlistentry>
</variablelist>
</sect2>
<sect2 id="network-inetd-security">
<title>Security</title>
<para>Depending on the security profile chosen at install, many
of <application>inetd</application>'s daemons may be enabled by
default. If there is no apparent need for a particular daemon,
disable it! Place a <quote>#</quote> in front of the daemon in
question, and send a <link linkend="network-inetd-hangup">hangup signal
to inetd</link>.
Some daemons, such as <application>fingerd</application>, may
not be desired at all because they provide an attacker with too
much information.</para>
<para>Some daemons are not security-conscious and have long, or
non-existent timeouts for connection attempts. This allows an
attacker to slowly send connections to a particular daemon, thus
saturating available resources. It may be a good idea to place
<option>max-connections-per-ip-per-minute</option> and <option>max-child</option>
limitations on certain daemons.</para>
<para>By default, TCP wrapping is turned on. Consult the
&man.hosts.access.5; manual page for more information on placing
TCP restrictions on various <application>inetd</application>
invoked daemons.</para>
</sect2>
<sect2 id="network-inetd-misc">
<title>Miscellaneous</title>
<para><application>daytime</application>,
<application>time</application>,
<application>echo</application>,
<application>discard</application>,
<application>chargen</application>, and
<application>auth</application> are all internally provided
services of <application>inetd</application>.</para>
<para>The <application>auth</application> service provides identity
(<application>ident</application>, <application>identd</application>) network services, and is configurable to a certain
degree.</para>
<para>Consult the &man.inetd.8; manual page for more in-depth
information.</para>
</sect2>
</sect1>
</chapter>
<!--
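Review bot: the removed `network-inetd` section matches the one inserted after the chapter introduction line for line, so no content is lost in the move and the `id` attributes (`network-inetd`, `network-inetd-hangup`, and the other `network-inetd-*` sect2 ids) remain unique in the chapter; the `<link linkend="network-inetd-hangup">` reference inside the Security subsection therefore still resolves after the move.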