Update the inetd section.

svn path=/head/; revision=27089
2006-02-11 21:57:46 +00:00 · 2006-02-11 21:57:46 +00:00 · 55c07a15fa · 2020-12-08 03:00:23 +00:00
commit 55c07a15fa
parent 19edfb52f7
1 changed files with 104 additions and 141 deletions
--- a/en_US.ISO8859-1/books/handbook/network-servers/chapter.sgml
+++ b/en_US.ISO8859-1/books/handbook/network-servers/chapter.sgml
@ -102,6 +102,12 @@
          <contrib>Contributed by </contrib>
        </author>
      </authorgroup>
      <authorgroup>
 	<author>
 	  <contrib>Updated for &os; 6.1-RELEASE by </contrib>
 	  <othername>The &os; Documentation Project</othername>
 	</author>
      </authorgroup>
    </sect1info>
    <title>The <application>inetd</application> <quote>Super-Server</quote></title>
@ -109,7 +115,7 @@
    <sect2 id="network-inetd-overview">
      <title>Overview</title>
-      <para>&man.inetd.8; is referred to as the <quote>Internet
+      <para>&man.inetd.8; is sometimes referred to as the <quote>Internet
 	Super-Server</quote> because it manages connections for
 	several services.  When a
 	connection is received by <application>inetd</application>, it
@ -117,8 +123,8 @@
 	the particular process and delegates the socket to it (the program
 	is invoked with the service socket as its standard input, output
 	and error descriptors).  Running
-	one instance of <application>inetd</application> reduces the
+	<application>inetd</application> for servers that are not heavily used can reduce the
-	overall system load as compared to running each daemon
+	overall system load, when compared to running each daemon
 	individually in stand-alone mode.</para>
      <para>Primarily, <application>inetd</application> is used to
@ -137,15 +143,19 @@
      <title>Settings</title>
      <para><application>inetd</application> is initialized through
-	the <filename>/etc/rc.conf</filename> system.  The
+	the &man.rc.8; system.  The
 	<literal>inetd_enable</literal> option is set to
-	<literal>NO</literal> by default, but is often times turned on
+	<literal>NO</literal> by default, but may be turned on
-	by <application>sysinstall</application> with the medium
+	by <application>sysinstall</application> during installation,
-	security profile.  Placing:
+	depending on the configuration chosen by the user.
 	Placing:
 	<programlisting>inetd_enable="YES"</programlisting> or
 	<programlisting>inetd_enable="NO"</programlisting> into
-	<filename>/etc/rc.conf</filename> can enable or disable
+	<filename>/etc/rc.conf</filename> will enable or disable
-	<application>inetd</application> starting at boot time.</para>
+	<application>inetd</application> starting at boot time.
 	The command:
 	<programlisting>/etc/rc.d/inetd rcvar</programlisting>
 	can be run to display the current effective setting.</para>
      <para>Additionally, different command-line options can be passed
 	to <application>inetd</application> via the
@ -155,47 +165,30 @@
    <sect2 id="network-inetd-cmdline">
      <title>Command-Line Options</title>
-      <para><application>inetd</application> synopsis:</para>
+      <para>Like most server daemons, <application>inetd</application>
 	has a number of options that it can be passed in order to
 	modify its behaviour.  The full list of options reads:</para>
-      <para><option>     inetd [-d] [-l] [-w] [-W] [-c maximum] [-C rate] [-a address | hostname]
+      <para><command>inetd</command> <option>[-d] [-l] [-w] [-W] [-c maximum] [-C rate] [-a address | hostname]
-           [-p filename] [-R rate] [configuration file]</option></para>
+           [-p filename] [-R rate] [-s maximum] [configuration file]</option></para>
      <para>Options can be passed to <application>inetd</application> using the
 	<literal>inetd_flags</literal> option in
 	<filename>/etc/rc.conf</filename>.  By default,
 	<literal>inetd_flags</literal> is set to
 	<literal>-wW -C 60</literal>, which turns on TCP wrapping for
 	<application>inetd</application>'s services, and prevents any
 	single IP address from requesting any service more than 60 times
 	in any given minute.</para>
      <para>Novice users may be pleased to note that
 	these parameters usually do not need to be modified,
 	although we mention the rate-limiting options below as
 	they be useful should you find that you are receiving an
 	excessive amount of connections.  A full list of options
 	can be found in the &man.inetd.8; manual.</para>
      <variablelist>
 	<varlistentry>
 	  <term>-d</term>
 	  <listitem>
 	    <para>Turn on debugging.</para>
 	  </listitem>
 	</varlistentry>
 	<varlistentry>
 	  <term>-l</term>
 	  <listitem>
 	    <para>Turn on logging of successful connections.</para>
 	  </listitem>
 	</varlistentry>
 	<varlistentry>
 	  <term>-w</term>
 	  <listitem>
 	    <para>Turn on TCP Wrapping for external services (on by
 	      default).</para>
 	  </listitem>
 	</varlistentry>
 	<varlistentry>
 	  <term>-W</term>
 	  <listitem>
 	    <para>Turn on TCP Wrapping for internal services which are
 	      built into <application>inetd</application> (on by
 	      default).</para>
 	  </listitem>
 	</varlistentry>
 	<varlistentry>
 	  <term>-c maximum</term>
@ -231,94 +224,53 @@
 	</varlistentry>
 	<varlistentry>
-	  <term>-a</term>
+	  <term>-s maximum</term>
 	  <listitem>
-	    <para>Specify one specific IP address to bind to.
+	    <para>Specify the maximum number of times a service can be
-	      Alternatively, a hostname can be specified, in which case
+	      invoked from a single IP address at any one time; the
-	      the IPv4 or IPv6 address which corresponds to that
+	      default is unlimited.  May be overridden on a per-service
-	      hostname is used.  Usually a hostname is specified when
+	      basis with the <option>max-child-per-ip</option>
-	      <application>inetd</application> is run inside a
+	      parameter.</para>
 	      &man.jail.8;, in which case the hostname corresponds to
 	      the &man.jail.8; environment.</para>
 	    <para>When hostname specification is used and both IPv4
 	      and IPv6 bindings are desired, one entry with the
 	      appropriate protocol type for each binding is required
 	      for each service in
 	      <filename>/etc/inetd.conf</filename>.  For example, a
 	      TCP-based service would need two entries, one using
 	      <literal>tcp4</literal> for the protocol and the other
 	      using <literal>tcp6</literal>.</para>
 	  </listitem>
 	</varlistentry>
 	<varlistentry>
 	  <term>-p</term>
 	  <listitem>
 	    <para>Specify an alternate file in which to store the
 	      process ID.</para>
 	  </listitem>
 	</varlistentry>
      </variablelist>
      <para>These options can be passed to
 	<application>inetd</application> using the
 	<literal>inetd_flags</literal> option in
 	<filename>/etc/rc.conf</filename>.  By default,
 	<literal>inetd_flags</literal> is set to
 	<literal>-wW</literal>, which turns on TCP wrapping for
 	<application>inetd</application>'s internal and external
 	services.  For novice users, these parameters usually do not
 	need to be modified or even entered in
 	<filename>/etc/rc.conf</filename>.</para>
      <note>
 	<para>An external service is a daemon outside of
 	  <application>inetd</application>, which is invoked when a
 	  connection is received for it.  On the other hand, an
 	  internal service is one that
 	  <application>inetd</application> has the facility of
 	  offering within itself.</para>
      </note>
    </sect2>
    <sect2 id="network-inetd-conf">
      <!-- XXX This section isn't very clear, and could do with some lovin' -->
      <title><filename>inetd.conf</filename></title>
      <para>Configuration of <application>inetd</application> is
-	controlled through the <filename>/etc/inetd.conf</filename>
+	done via the file <filename>/etc/inetd.conf</filename>.</para>
 	file.</para>
      <para>When a modification is made to
 	<filename>/etc/inetd.conf</filename>,
 	<application>inetd</application> can be forced to re-read its
-	configuration file by sending a HangUP signal to the
+	configuration file by running the command:</para>
 	<application>inetd</application> process as shown:</para>
-      <example id="network-inetd-hangup">
+      <example id="network-inetd-reread">
-	<title>Sending <application>inetd</application> a HangUP Signal</title>
+	<title>Reloading the <application>inetd</application>
 	  configuration file</title>
-	<screen>&prompt.root; <userinput>kill -HUP `cat /var/run/inetd.pid`</userinput></screen>
+	<screen>&prompt.root; <userinput>/etc/rc.d/inetd reload</userinput></screen>
      </example>
      <para>Each line of the configuration file specifies an
 	individual daemon.  Comments in the file are preceded by a
-	<quote>#</quote>.  The format of
+	<quote>#</quote>.  The format of each entry in
 	<filename>/etc/inetd.conf</filename> is as follows:</para>
      <programlisting>service-name
 socket-type
 protocol
-{wait|nowait}[/max-child[/max-connections-per-ip-per-minute]]
+{wait|nowait}[/max-child[/max-connections-per-ip-per-minute[/max-child-per-ip]]]
 user[:group][/login-class]
 server-program
 server-program-arguments</programlisting>
-      <para>An example entry for the <application>ftpd</application> daemon
+      <para>An example entry for the &man.ftpd.8; daemon
-	using IPv4:</para>
+	using IPv4 might read:</para>
      <programlisting>ftp     stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l</programlisting>
@ -396,7 +348,7 @@ server-program-arguments</programlisting>
 	</varlistentry>
 	<varlistentry>
-	  <term>{wait|nowait}[/max-child[/max-connections-per-ip-per-minute]]</term>
+	  <term>{wait|nowait}[/max-child[/max-connections-per-ip-per-minute[/max-child-per-ip]]]</term>
 	  <listitem>
 	    <para><option>wait|nowait</option> indicates whether the
@ -415,42 +367,54 @@ server-program-arguments</programlisting>
 	      using the <option>max-child</option> option.  If a limit
 	      of ten instances of a particular daemon is needed, a
 	      <literal>/10</literal> would be placed after
-	      <option>nowait</option>.</para>
+	      <option>nowait</option>.  Specifying <literal>/0</literal>
 	      allows an unlimited number of children</para>
-	    <para>In addition to <option>max-child</option>, another
+	    <para>In addition to <option>max-child</option>, two other
-	      option limiting the maximum connections from a single
+	      options which limit the maximum connections from a single
 	      place to a particular daemon can be enabled.
-	      <option>max-connections-per-ip-per-minute</option> does
+	      <option>max-connections-per-ip-per-minute</option> limits
-	      just this.  A value of ten here would limit any particular
+	      the number of connections from any particular IP address
 	      per minutes, e.g. a value of ten would limit any particular
 	      IP address connecting to a particular service to ten
-	      attempts per minute.  This is useful to prevent
+	      attempts per minute.  <option>max-child-per-ip</option>
-	      intentional or unintentional resource consumption and
+	      limits the number of children that can be started on
-	      Denial of Service (DoS) attacks to a machine.</para>
+	      behalf on any single IP address at any moment. These
 	      options are useful to prevent intentional or unintentional
 	      excessive resource consumption and Denial of Service (DoS)
 	      attacks to a machine.</para>
-	    <para>In this field, <option>wait</option> or
+	    <para>In this field, either of <option>wait</option> or
 	      <option>nowait</option> is mandatory.
-	      <option>max-child</option> and
+	      <option>max-child</option>,
-	      <option>max-connections-per-ip-per-minute</option> are
+	      <option>max-connections-per-ip-per-minute</option> and
 	      <option>max-child-per-ip</option> are
 	      optional.</para>
 	    <para>A stream-type multi-threaded daemon without any
-	      <option>max-child</option> or
+	      <option>max-child</option>,
-	      <option>max-connections-per-ip-per-minute</option> limits
+	      <option>max-connections-per-ip-per-minute</option> or
 	      <option>max-child-per-ip</option> limits
 	      would simply be: <literal>nowait</literal>.</para>
 	    <para>The same daemon with a maximum limit of ten daemons
 	      would read: <literal>nowait/10</literal>.</para>
-	    <para>Additionally, the same setup with a limit of twenty
+	    <para>The same setup with a limit of twenty
 	      connections per IP address per minute and a maximum
 	      total limit of ten child daemons would read:
 	      <literal>nowait/10/20</literal>.</para>
-	    <para>These options are all utilized by the default
+	    <para>These options are utilized by the default
-	      settings of the <application>fingerd</application> daemon,
+	      settings of the &man.fingerd.8; daemon,
 	      as seen here:</para>
 	    <programlisting>finger stream  tcp     nowait/3/10 nobody /usr/libexec/fingerd fingerd -s</programlisting>
 	    <para>Finally, an example of this field with a maximum of
 	      100 children in total, with a maximum of 5 for any one
 	      IP address would read:
 	      <literal>nowait/100/0/5</literal>.</para>
 	  </listitem>
 	</varlistentry>
@ -500,24 +464,24 @@ server-program-arguments</programlisting>
    <sect2 id="network-inetd-security">
      <title>Security</title>
-      <para>Depending on the security profile chosen at install, many
+      <para>Depending on the choices made at install time, many
-	of <application>inetd</application>'s daemons may be enabled
+	of <application>inetd</application>'s services may be enabled
 	by default.  If there is no apparent need for a particular
-	daemon, disable it!  Place a <quote>#</quote> in front of the
+	daemon, consider disabling it.  Place a <quote>#</quote> in front of the
 	daemon in question in <filename>/etc/inetd.conf</filename>,
-	and then send a <link linkend="network-inetd-hangup">hangup
+	and then <link linkend="network-inetd-reread">reload the
-	signal to inetd</link>.  Some daemons, such as
+	inetd configuration</link>.  Some daemons, such as
 	<application>fingerd</application>, may not be desired at all
-	because they provide an attacker with too much
+	because they
-	information.</para>
+	information that may be useful to an attacker.</para>
      <para>Some daemons are not security-conscious and have long, or
-	non-existent timeouts for connection attempts.  This allows an
+	non-existent, timeouts for connection attempts.  This allows an
 	attacker to slowly send connections to a particular daemon,
 	thus saturating available resources.  It may be a good idea to
-	place <option>max-connections-per-ip-per-minute</option> and
+	place <option>max-connections-per-ip-per-minute</option>,
-	<option>max-child</option> limitations on certain
+	<option>max-child</option> or <option>max-child-per-ip</option> limitations on certain
-	daemons.</para>
+	daemons if you find that you have too many connections.</para>
      <para>By default, TCP wrapping is turned on.  Consult the
 	&man.hosts.access.5; manual page for more information on placing
@ -537,9 +501,9 @@ server-program-arguments</programlisting>
 	services of <application>inetd</application>.</para>
      <para>The <application>auth</application> service provides
-	identity (<application>ident</application>,
+	identity
-	<application>identd</application>) network services, and is
+	network services, and is
-	configurable to a certain degree.</para>
+	configurable to a certain degree, whilst the others are simply on or off.</para>
      <para>Consult the &man.inetd.8; manual page for more in-depth
 	information.</para>
@ -4661,8 +4625,8 @@ AddModule mod_php5.c
      <programlisting>ftp	stream	tcp	nowait	root	/usr/libexec/ftpd	ftpd -l</programlisting>
-      <para>As explained in <xref linkend="network-inetd-hangup">, a
+      <para>As explained in <xref linkend="network-inetd-reread">,
-        HangUP Signal must be sent to <application>inetd</application>
+        the <application>inetd</application> configuration must be reloaded
        after this configuration file is changed.</para>
      <para>You can now log on to your FTP server by typing:</para>
@ -4776,9 +4740,8 @@ AddModule mod_php5.c
 	  used to configure <application>Samba</application>:</para>
 	<programlisting>swat   stream  tcp     nowait/400      root    /usr/local/sbin/swat</programlisting>
-        <para>As explained in <xref linkend="network-inetd-hangup">, a
+        <para>As explained in <xref linkend="network-inetd-reread">,
-          HangUP Signal must be sent to
+          the <application>inetd</application> must be reloaded after this configuration
          <application>inetd</application> after this configuration
          file is changed.</para>
 	<para>Once <application>swat</application> has been enabled in