From 2427cd68b8785c8b00bc379e3c8a7a78cebb0059 Mon Sep 17 00:00:00 2001 From: Murray Stokely Date: Tue, 13 Jul 2004 05:32:42 +0000 Subject: [PATCH] 1. Move the section about inetd to the beginning of this chapter, rather than the end. 2. Also, avoid acronyms in sect1 titles where possible. Prefer Network File System (NFS), Network Information System (NIS/YP), etc. to just the acronyms alone. (2) Suggested by: tom@ --- .../handbook/network-servers/chapter.sgml | 910 +++++++++--------- 1 file changed, 456 insertions(+), 454 deletions(-) diff --git a/en_US.ISO8859-1/books/handbook/network-servers/chapter.sgml b/en_US.ISO8859-1/books/handbook/network-servers/chapter.sgml index 46997346d7..3dd93690dd 100644 --- a/en_US.ISO8859-1/books/handbook/network-servers/chapter.sgml +++ b/en_US.ISO8859-1/books/handbook/network-servers/chapter.sgml @@ -19,6 +19,11 @@ After reading this chapter, you will know: + + + How to manage the inetd daemon. + + How to set up a network filesystem. @@ -41,10 +46,6 @@ time server, with the NTP protocol. - - How to manage the inetd daemon. - - Before reading this chapter, you should: 
@@ -60,6 +61,452 @@ + + + + + Chern + Lee + Contributed by + + + + + The <application>inetd</application> <quote>Super-Server</quote> + + + Overview + + &man.inetd.8; is referred to as the Internet + Super-Server because it manages connections for several + daemons. Programs that provide network service are commonly + known as daemons. inetd serves as a + managing server for other daemons. When a connection is + received by inetd, it determines + which daemon the connection is destined for, spawns the + particular daemon and delegates the socket to it. Running one + instance of inetd reduces the overall + system load as compared to running each daemon individually in + stand-alone mode. + + Primarily, inetd is used to + spawn other daemons, but several trivial protocols are handled + directly, such as chargen, + auth, and + daytime. + + This section will cover the basics in configuring + inetd through its command-line + options and its configuration file, + /etc/inetd.conf. + + + + Settings + + inetd is initialized through + the /etc/rc.conf system. The + inetd_enable option is set to + NO by default, but is often times turned on by + sysinstall with the medium security + profile. Placing: + inetd_enable="YES" or + inetd_enable="NO" into + /etc/rc.conf can enable or disable + inetd starting at boot time. + + Additionally, different command-line options can be passed + to inetd via the + inetd_flags option. + + + + Command-Line Options + + inetd synopsis: + + + + + + -d + + + Turn on debugging. + + + + + -l + + + Turn on logging of successful connections. + + + + + -w + + + Turn on TCP Wrapping for external services (on by + default). + + + + + -W + + + Turn on TCP Wrapping for internal services which are + built into inetd (on by + default). + + + + + -c maximum + + + Specify the default maximum number of simultaneous + invocations of each service; the default is unlimited. + May be overridden on a per-service basis with the + parameter. 
+ + + + + -C rate + + + Specify the default maximum number of times a + service can be invoked from a single IP address in one + minute; the default is unlimited. May be overridden on a + per-service basis with the + + parameter. + + + + + -R rate + + + Specify the maximum number of times a service can be + invoked in one minute; the default is 256. A rate of 0 + allows an unlimited number of invocations. + + + + + -a + + + Specify one specific IP address to bind to. + Alternatively, a hostname can be specified, in which case + the IPv4 or IPv6 address which corresponds to that + hostname is used. Usually a hostname is specified when + inetd is run inside a + &man.jail.8;, in which case the hostname corresponds to + the &man.jail.8; environment. + + When hostname specification is used and both IPv4 + and IPv6 bindings are desired, one entry with the + appropriate protocol type for each binding is required for + each service in /etc/inetd.conf. For + example, a TCP-based service would need two entries, one + using tcp4 for the protocol and the other using + tcp6. + + + + + -p + + + Specify an alternate file in which to store the + process ID. + + + + + These options can be passed to + inetd using the + inetd_flags option in + /etc/rc.conf. By default, + inetd_flags is set to -wW, + which turns on TCP wrapping for + inetd's internal and external + services. For novice users, these parameters usually do not need + to be modified or even entered in + /etc/rc.conf. + + + An external service is a daemon outside of + inetd, which is invoked when a + connection is received for it. On the other hand, an internal + service is one that inetd has the + facility of offering within itself. + + + + + + <filename>inetd.conf</filename> + + Configuration of inetd is + controlled through the /etc/inetd.conf + file. 
+ + When a modification is made to + /etc/inetd.conf, + inetd can be forced to re-read its + configuration file by sending a HangUP signal to the + inetd process as shown: + + + Sending <application>inetd</application> a HangUP Signal + + &prompt.root; kill -HUP `cat /var/run/inetd.pid` + + + Each line of the configuration file specifies an + individual daemon. Comments in the file are preceded by a + #. The format of + /etc/inetd.conf is as follows: + + service-name +socket-type +protocol +{wait|nowait}[/max-child[/max-connections-per-ip-per-minute]] +user[:group][/login-class] +server-program +server-program-arguments + + An example entry for the ftpd daemon + using IPv4: + + ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l + + + + service-name + + + This is the service name of the particular daemon. + It must correspond to a service listed in + /etc/services. This determines which + port inetd must listen to. If + a new service is being created, it must be placed in + /etc/services + first. + + + + + socket-type + + + Either stream, + dgram, raw, or + seqpacket. stream + must be used for connection-based, TCP daemons, while + dgram is used for daemons utilizing the + UDP transport protocol. + + + + + protocol + + + One of the following: + + + + + + Protocol + Explanation + + + + + tcp, tcp4 + TCP IPv4 + + + udp, udp4 + UDP IPv4 + + + tcp6 + TCP IPv6 + + + udp6 + UDP IPv6 + + + tcp46 + Both TCP IPv4 and v6 + + + udp46 + Both UDP IPv4 and v6 + + + + + + + + + {wait|nowait}[/max-child[/max-connections-per-ip-per-minute]] + + + indicates whether the + daemon invoked from inetd is + able to handle its own socket or not. + socket types must use the + option, while stream socket daemons, which are usually + multi-threaded, should use . + usually hands off multiple sockets + to a single daemon, while spawns a + child daemon for each new socket. + + The maximum number of child daemons + inetd may spawn can be set using + the option. 
If a limit of ten + instances of a particular daemon is needed, a + /10 would be placed after + . + + In addition to , another + option limiting the maximum connections from a single + place to a particular daemon can be enabled. + does + just this. A value of ten here would limit any particular + IP address connecting to a particular service to ten + attempts per minute. This is useful to prevent + intentional or unintentional resource consumption and + Denial of Service (DoS) attacks to a machine. + + In this field, or + is mandatory. + and + are + optional. + + A stream-type multi-threaded daemon without any + or + limits + would simply be: nowait. + + The same daemon with a maximum limit of ten daemons + would read: nowait/10. + + Additionally, the same setup with a limit of twenty + connections per IP address per minute and a maximum + total limit of ten child daemons would read: + nowait/10/20. + + These options are all utilized by the default + settings of the fingerd daemon, + as seen here: + + finger stream tcp nowait/3/10 nobody /usr/libexec/fingerd fingerd -s + + + + + user + + + This is the username that the particular daemon + should run as. Most commonly, daemons run as the + root user. For security purposes, it is + common to find some servers running as the + daemon user, or the least privileged + nobody user. + + + + + server-program + + + The full path of the daemon to be executed when a + connection is received. If the daemon is a service + provided by inetd internally, + then should be + used. + + + + + server-program-arguments + + + This works in conjunction with + by specifying the + arguments, starting with argv[0], passed to the daemon on + invocation. If mydaemon -d is + the command line, mydaemon -d would be + the value of . + Again, if the daemon is an internal service, use + here. + + + + + + + Security + + Depending on the security profile chosen at install, many + of inetd's daemons may be enabled by + default. 
If there is no apparent need for a particular daemon, + disable it! Place a # in front of the daemon in + question, and send a hangup signal + to inetd. + Some daemons, such as fingerd, may + not be desired at all because they provide an attacker with too + much information. + + Some daemons are not security-conscious and have long, or + non-existent timeouts for connection attempts. This allows an + attacker to slowly send connections to a particular daemon, thus + saturating available resources. It may be a good idea to place + and + limitations on certain daemons. + + By default, TCP wrapping is turned on. Consult the + &man.hosts.access.5; manual page for more information on placing + TCP restrictions on various inetd + invoked daemons. + + + + Miscellaneous + + daytime, + time, + echo, + discard, + chargen, and + auth are all internally provided + services of inetd. + + The auth service provides identity + (ident, identd) network services, and is configurable to a certain + degree. + + Consult the &man.inetd.8; manual page for more in-depth + information. + + + @@ -77,7 +524,7 @@ - NFS + Network File System (NFS) NFS Among the many different filesystems that FreeBSD supports is @@ -622,7 +1069,7 @@ Exports list on foobar: - NIS/YP + Network Information System (NIS/YP) What Is It? @@ -1968,7 +2415,7 @@ nis_client_flags="-S NIS domain,server - DHCP + Automatic Network Configuration (DHCP) What Is DHCP? @@ -2379,7 +2826,7 @@ host mailhost { - DNS + Domain Name System (DNS) Overview @@ -3438,7 +3885,7 @@ zone "10.168.192.in-addr.arpa" in { - NTP + Clock Synchronization with NTP NTP 
@@ -3669,451 +4116,6 @@ driftfile /var/db/ntp.drift - - - - - Chern - Lee - Contributed by - - - - - The <application>inetd</application> <quote>Super-Server</quote> - - - Overview - - &man.inetd.8; is referred to as the Internet - Super-Server because it manages connections for several - daemons. Programs that provide network service are commonly - known as daemons. inetd serves as a - managing server for other daemons. When a connection is - received by inetd, it determines - which daemon the connection is destined for, spawns the - particular daemon and delegates the socket to it. Running one - instance of inetd reduces the overall - system load as compared to running each daemon individually in - stand-alone mode. - - Primarily, inetd is used to - spawn other daemons, but several trivial protocols are handled - directly, such as chargen, - auth, and - daytime. - - This section will cover the basics in configuring - inetd through its command-line - options and its configuration file, - /etc/inetd.conf. - - - - Settings - - inetd is initialized through - the /etc/rc.conf system. The - inetd_enable option is set to - NO by default, but is often times turned on by - sysinstall with the medium security - profile. Placing: - inetd_enable="YES" or - inetd_enable="NO" into - /etc/rc.conf can enable or disable - inetd starting at boot time. - - Additionally, different command-line options can be passed - to inetd via the - inetd_flags option. - - - - Command-Line Options - - inetd synopsis: - - - - - - -d - - - Turn on debugging. - - - - - -l - - - Turn on logging of successful connections. - - - - - -w - - - Turn on TCP Wrapping for external services (on by - default). - - - - - -W - - - Turn on TCP Wrapping for internal services which are - built into inetd (on by - default). - - - - - -c maximum - - - Specify the default maximum number of simultaneous - invocations of each service; the default is unlimited. 
- May be overridden on a per-service basis with the - parameter. - - - - - -C rate - - - Specify the default maximum number of times a - service can be invoked from a single IP address in one - minute; the default is unlimited. May be overridden on a - per-service basis with the - - parameter. - - - - - -R rate - - - Specify the maximum number of times a service can be - invoked in one minute; the default is 256. A rate of 0 - allows an unlimited number of invocations. - - - - - -a - - - Specify one specific IP address to bind to. - Alternatively, a hostname can be specified, in which case - the IPv4 or IPv6 address which corresponds to that - hostname is used. Usually a hostname is specified when - inetd is run inside a - &man.jail.8;, in which case the hostname corresponds to - the &man.jail.8; environment. - - When hostname specification is used and both IPv4 - and IPv6 bindings are desired, one entry with the - appropriate protocol type for each binding is required for - each service in /etc/inetd.conf. For - example, a TCP-based service would need two entries, one - using tcp4 for the protocol and the other using - tcp6. - - - - - -p - - - Specify an alternate file in which to store the - process ID. - - - - - These options can be passed to - inetd using the - inetd_flags option in - /etc/rc.conf. By default, - inetd_flags is set to -wW, - which turns on TCP wrapping for - inetd's internal and external - services. For novice users, these parameters usually do not need - to be modified or even entered in - /etc/rc.conf. - - - An external service is a daemon outside of - inetd, which is invoked when a - connection is received for it. On the other hand, an internal - service is one that inetd has the - facility of offering within itself. - - - - - - <filename>inetd.conf</filename> - - Configuration of inetd is - controlled through the /etc/inetd.conf - file. 
- - When a modification is made to - /etc/inetd.conf, - inetd can be forced to re-read its - configuration file by sending a HangUP signal to the - inetd process as shown: - - - Sending <application>inetd</application> a HangUP Signal - - &prompt.root; kill -HUP `cat /var/run/inetd.pid` - - - Each line of the configuration file specifies an - individual daemon. Comments in the file are preceded by a - #. The format of - /etc/inetd.conf is as follows: - - service-name -socket-type -protocol -{wait|nowait}[/max-child[/max-connections-per-ip-per-minute]] -user[:group][/login-class] -server-program -server-program-arguments - - An example entry for the ftpd daemon - using IPv4: - - ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l - - - - service-name - - - This is the service name of the particular daemon. - It must correspond to a service listed in - /etc/services. This determines which - port inetd must listen to. If - a new service is being created, it must be placed in - /etc/services - first. - - - - - socket-type - - - Either stream, - dgram, raw, or - seqpacket. stream - must be used for connection-based, TCP daemons, while - dgram is used for daemons utilizing the - UDP transport protocol. - - - - - protocol - - - One of the following: - - - - - - Protocol - Explanation - - - - - tcp, tcp4 - TCP IPv4 - - - udp, udp4 - UDP IPv4 - - - tcp6 - TCP IPv6 - - - udp6 - UDP IPv6 - - - tcp46 - Both TCP IPv4 and v6 - - - udp46 - Both UDP IPv4 and v6 - - - - - - - - - {wait|nowait}[/max-child[/max-connections-per-ip-per-minute]] - - - indicates whether the - daemon invoked from inetd is - able to handle its own socket or not. - socket types must use the - option, while stream socket daemons, which are usually - multi-threaded, should use . - usually hands off multiple sockets - to a single daemon, while spawns a - child daemon for each new socket. - - The maximum number of child daemons - inetd may spawn can be set using - the option. 
If a limit of ten - instances of a particular daemon is needed, a - /10 would be placed after - . - - In addition to , another - option limiting the maximum connections from a single - place to a particular daemon can be enabled. - does - just this. A value of ten here would limit any particular - IP address connecting to a particular service to ten - attempts per minute. This is useful to prevent - intentional or unintentional resource consumption and - Denial of Service (DoS) attacks to a machine. - - In this field, or - is mandatory. - and - are - optional. - - A stream-type multi-threaded daemon without any - or - limits - would simply be: nowait. - - The same daemon with a maximum limit of ten daemons - would read: nowait/10. - - Additionally, the same setup with a limit of twenty - connections per IP address per minute and a maximum - total limit of ten child daemons would read: - nowait/10/20. - - These options are all utilized by the default - settings of the fingerd daemon, - as seen here: - - finger stream tcp nowait/3/10 nobody /usr/libexec/fingerd fingerd -s - - - - - user - - - This is the username that the particular daemon - should run as. Most commonly, daemons run as the - root user. For security purposes, it is - common to find some servers running as the - daemon user, or the least privileged - nobody user. - - - - - server-program - - - The full path of the daemon to be executed when a - connection is received. If the daemon is a service - provided by inetd internally, - then should be - used. - - - - - server-program-arguments - - - This works in conjunction with - by specifying the - arguments, starting with argv[0], passed to the daemon on - invocation. If mydaemon -d is - the command line, mydaemon -d would be - the value of . - Again, if the daemon is an internal service, use - here. - - - - - - - Security - - Depending on the security profile chosen at install, many - of inetd's daemons may be enabled by - default. 
If there is no apparent need for a particular daemon, - disable it! Place a # in front of the daemon in - question, and send a hangup signal - to inetd. - Some daemons, such as fingerd, may - not be desired at all because they provide an attacker with too - much information. - - Some daemons are not security-conscious and have long, or - non-existent timeouts for connection attempts. This allows an - attacker to slowly send connections to a particular daemon, thus - saturating available resources. It may be a good idea to place - and - limitations on certain daemons. - - By default, TCP wrapping is turned on. Consult the - &man.hosts.access.5; manual page for more information on placing - TCP restrictions on various inetd - invoked daemons. - - - - Miscellaneous - - daytime, - time, - echo, - discard, - chargen, and - auth are all internally provided - services of inetd. - - The auth service provides identity - (ident, identd) network services, and is configurable to a certain - degree. - - Consult the &man.inetd.8; manual page for more in-depth - information. - -
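Review bot: the relocated inetd block is not a byte-identical move: the insertion hunk `@@ -60,6 +61,452 @@` adds 446 lines while the removal hunk `@@ -3669,451 +4116,6 @@` deletes only 445, so one extra line (it appears to be a leading blank line at the top of the added block) was introduced. Since the commit message describes this as a pure move, please diff the two halves and either drop the stray line or confirm that only whitespace differs, so that later `git blame`/`git log --follow` on this section stays clean.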
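Review bot: item 2 of the commit message says acronyms in sect1 titles are being expanded, but two of the title hunks go further than that: `-DHCP` becomes `+Automatic Network Configuration (DHCP)` and `-NTP` becomes `+Clock Synchronization with NTP`, which are new descriptive titles rather than expansions of the acronym, unlike `+Network File System (NFS)` and `+Domain Name System (DNS)`. Either note the renaming in the commit message or keep the pattern uniform ("Dynamic Host Configuration Protocol (DHCP)", "Network Time Protocol (NTP)"). Also double-check the NIS expansion in `+Network Information System (NIS/YP)`: the Sun protocol is conventionally expanded as "Network Information Service", so confirm the wording before it lands in a printed heading.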
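Review bot: since the move now puts this section first in the chapter, a few wording nits in the relocated text become more visible and could go in a follow-up commit rather than in this one: the Settings paragraph has "is often times turned on by sysinstall" (should be "is often turned on"), "HangUP signal" in the inetd.conf subsection versus "hangup signal" in the Security subsection are inconsistent, and the Security subsection recommends per-service limits while the only full-format example, `ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l`, shows none; the later `finger stream tcp nowait/3/10 nobody ...` line already demonstrates the limited form, so pointing the reader at it from the Security text would tie the two together.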