From be2032ed93eb33c84bd9b753f0a2022bccba236b Mon Sep 17 00:00:00 2001
From: Chern Lee <chern@FreeBSD.org>
Date: Tue, 7 Aug 2001 23:58:38 +0000
Subject: [PATCH] Add section about configuring inetd.
Reviewed by: murray
---
.../handbook/advanced-networking/chapter.sgml | 449 +++++++++++++++++-
1 file changed, 448 insertions(+), 1 deletion(-)
diff --git a/en_US.ISO8859-1/books/handbook/advanced-networking/chapter.sgml b/en_US.ISO8859-1/books/handbook/advanced-networking/chapter.sgml
index 454acd28b5..7a024ff915 100644
--- a/en_US.ISO8859-1/books/handbook/advanced-networking/chapter.sgml
+++ b/en_US.ISO8859-1/books/handbook/advanced-networking/chapter.sgml
@@ -1,7 +1,7 @@
<!--
The FreeBSD Documentation Project
- $FreeBSD: doc/en_US.ISO8859-1/books/handbook/advanced-networking/chapter.sgml,v 1.69 2001/08/06 21:25:27 chern Exp $
+ $FreeBSD: doc/en_US.ISO8859-1/books/handbook/advanced-networking/chapter.sgml,v 1.70 2001/08/06 22:50:16 chern Exp $
-->
<chapter id="advanced-networking">
@@ -4076,6 +4076,453 @@ natd_flags=""</programlisting>
</sect2>
</sect1>
+
+ <sect1 id="inetd">
+ <sect1info>
+ <authorgroup>
+ <author>
+ <firstname>Chern</firstname>
+ <surname>Lee</surname>
+ <contrib>Contributed</contrib>
+ </author>
+ </authorgroup>
+ </sect1info>
+
+ <title>inetd <quote>Super-Server</quote></title>
+
+ <sect2 id="inetd-overview">
+ <title>Overview</title>
+
+ <para>&man.inetd.8; is referred to as the <quote>Internet
+ Super-Server</quote> because it manages connections for several
+ daemons. Programs that provide network service are commonly
+ known as daemons. <application>inetd</application> serves as a
+ managing server for other daemons. When a connection is
+ received by <application>inetd</application>, it determines
+ which daemon the connection is destined for, spawns the
+ particular daemon and delegates the socket to it. Running one
+ instance of <application>inetd</application> reduces the overall
+ system load as compared to running each daemon individually in
+ stand-alone mode.</para>
+
+ <para>Primarily, <application>inetd</application> is used to
+ spawn other daemons, but several trivial protocols are handled
+ directly, such as <application>chargen</application>,
+ <application>auth</application>, and
+ <application>daytime</application>.</para>
+
+ <para>This section will cover the basics in configuring
+ <application>inetd</application> through its command-line
+ options and it's configuration file,
+ <filename>/etc/inetd.conf</filename>.</para>
+ </sect2>
+
+ <sect2 id="inetd-settings">
+ <title>Settings</title>
+
+ <para><application>inetd</application> is initialized through
+ the <filename>/etc/rc.conf</filename> system. The
+ <literal>inetd_enable</literal> option is set to
+ <quote>NO</quote> by default, but is often times turned on by
+ <application>sysinstall</application> with the medium security
+ profile. Placing:
+ <programlisting>inetd_enable="YES"</programlisting> or
+ <programlisting>inetd_enable="NO"</programlisting> into
+ <filename>/etc/rc.conf</filename> can enable or disable
+ <application>inetd</application> starting at boot time.</para>
+
+ <para>Additionally, different command-line options can be passed
+ to <application>inetd</application> via the
+ <literal>inetd_flags</literal> option.</para>
+ </sect2>
+
+ <sect2 id="inetd-cmdline">
+ <title>Command-Line Options</title>
+
+ <para><application>inetd</application> sypnosis:</para>
+
+ <para><option> inetd [-d] [-l] [-w] [-W] [-c maximum] [-C rate] [-a address | hostname]
+ [-p filename] [-R rate] [configuration file]</option></para>
+
+ <variablelist>
+ <varlistentry>
+ <term>-d</term>
+
+ <listitem>
+ <para>Turn on debugging.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-l</term>
+
+ <listitem>
+ <para>Turn on logging of successful connections.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-w</term>
+
+ <listitem>
+ <para>Turn on TCP Wrapping for external services. (on by
+ default)</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-W</term>
+
+ <listitem>
+ <para>Turn on TCP Wrapping for internal services which are
+ built in to <application>inetd</application>. (on by
+ default)</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-c maximum</term>
+
+ <listitem>
+ <para>Specify the default maximum number of simultaneous
+ invocations of each service; the default is unlimited.
+ May be overridden on a per-service basis with the
+ <option>max-child</option> parameter.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-C rate</term>
+
+ <listitem>
+ <para>Specify the default maximum number of times a
+ service can be invoked from a single IP address in one
+ minute; the default is unlimited. May be overridden on a
+ per-service basis with the
+ <option>max-connections-per-ip-per-minute</option>
+ parameter.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-R rate</term>
+
+ <listitem>
+ <para>Specify the maximum number of times a service can be
+ invoked in one minute; the default is 256. A rate of 0
+ allows an unlimited number of invocations.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-a</term>
+
+ <listitem>
+ <para>Specify one specific IP address to bind to.
+ Alternatively, a hostname can be specified, in which case
+ the IPv4 or IPv6 address which corresponds to that
+ hostname is used. Usually a hostname is specified when
+ <application>inetd</application> is run inside a
+ &man.jail.8;, in which case the hostname corresponds to
+ the &man.jail.8; environment.</para>
+
+ <para>When hostname specification is used and both IPv4
+ and IPv6 bindings are desired, one entry with the
+ appropriate protocol type for each binding is required for
+ each service in <filename>/etc/inetd.conf</filename>. For
+ example, a TCP-based service would need two entries, one
+ using ``tcp4'' for the protocol and the other using
+ ``tcp6''.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-p</term>
+
+ <listitem>
+ <para>Specify an alternate file in which to store the
+ process ID.</para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+
+ <para>These options can be passed to
+ <application>inetd</application> using the
+ <literal>inetd_flags</literal> option in
+ <filename>/etc/rc.conf</filename>. By default,
+ <literal>inetd_flags</literal> is set to <quote>-wW</quote>,
+ which turns on TCP wrapping for
+ <application>inetd</application>'s internal and external
+ services. For novice users, these parameters usually do not need
+ to be modified or even entered in
+ <filename>/etc/rc.conf</filename></para>
+
+ <note>
+ <para>An external service is a daemon outside of
+ <application>inetd</application>, which is invoked when a
+ connection is received for it. On the other hand, an internal
+ service is one that <application>inetd</application> has the
+ facility of offering within itself.</para>
+ </note>
+
+ </sect2>
+
+ <sect2 id="inetd-conf">
+ <title><filename>inetd.conf</filename></title>
+
+ <para>Configuration of <application>inetd</application> is
+ controlled through the <filename>/etc/inetd.conf</filename>
+ file.</para>
+
+ <para>When a modification is made to
+ <filename>/etc/inetd.conf</filename>,
+ <application>inetd</application> can be forced to re-read its
+ configuration file by sending a HangUP signal to the
+ <application>inetd</application> procces as shown:.</para>
+
+ <example id="inetd-hangup">
+ <title>Sending <application>inetd</application> a HangUP signal</title>
+
+ <screen>&prompt.root kill -HUP `cat /var/run/inetd.pid`</screen>
+ </example>
+
+ <para>Each line of the configuration file specifies an
+ individual daemon. Comments in the file are preceded by a
+ <quote>#</quote>. The format of
+ <filename>/etc/inetd.conf</filename> is as follows:</para>
+
+ <programlisting>service-name
+socket-type
+protocol
+{wait|nowait}[/max-child[/max-connections-per-ip-per-minute]]
+user[:group][/login-class]
+server-program
+server-program-arguments</programlisting>
+
+ <para>An example entry for the <application>ftpd</application> daemon
+ using IPv4:</para>
+
+ <programlisting>ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l</programlisting>
+
+ <variablelist>
+ <varlistentry>
+ <term>service-name</term>
+
+ <listitem>
+ <para>This is the service name of the particular daemon.
+ It must correspond to a service listed in
+ <filename>/etc/services</filename>. This determines which
+ port <application>inetd</application> must listen to. If
+ a new service is being created, it must be placed in
+ <filename>/etc/services</filename>
+ first.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>socket-type</term>
+
+ <listitem>
+ <para>Either <literal>stream</literal>,
+ <literal>dgram</literal>, <literal>raw</literal>, or
+ <literal>seqpacket</literal>. <literal>stream</literal>
+ must be used for connection-based, TCP daemons, while
+ <literal>dgram</literal> is used for daemons utilizing the
+ UDP transport protocol.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>protocol</term>
+
+ <listitem>
+ <para>One of the following:</para>
+
+ <informaltable>
+ <tgroup cols="2">
+ <thead>
+ <row>
+ <entry>Protocol</entry>
+ <entry>Explanation</entry>
+ </row>
+ </thead>
+ <tbody>
+ <row>
+ <entry>tcp, tcp4</entry>
+ <entry>TCP IPv4</entry>
+ </row>
+ <row>
+ <entry>udp, udp4</entry>
+ <entry>UDP IPv4</entry>
+ </row>
+ <row>
+ <entry>tcp6</entry>
+ <entry>TCP IPv6</entry>
+ </row>
+ <row>
+ <entry>udp6</entry>
+ <entry>UDP IPv6</entry>
+ </row>
+ <row>
+ <entry>tcp46</entry>
+ <entry>Both TCP IPv4 and v6</entry>
+ </row>
+ <row>
+ <entry>udp46</entry>
+ <entry>Both UDP IPv4 and v6</entry>
+ </row>
+ </tgroup>
+ </informaltable>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>{wait|nowait}[/max-child[/max-connections-per-ip-per-minute]]</term>
+
+ <listitem>
+ <para><option>wait|nowait</option> indicates whether the
+ daemon invoked from <application>inetd</application> is
+ able to handle its own socket or not.
+ <option>dgram</option> socket types must use the wait
+ option, while stream socket daemons, which are usually
+ multi-threaded, should use <option>nowait</option>.
+ <option>wait</option> usually hands off multiple sockets
+ to a single daemon, while <option>nowait</option> spawns a
+ child daemon for each new socket.</para>
+
+ <para>The maximum number of child daemons
+ <application>inetd</application> may spawn can be set using
+ the <option>max-child</option> option. If a limit of ten
+ instances of a particular daemon is needed, a
+ <literal>/10</literal> would be placed after
+ <option>nowait</option>.</para>
+
+ <para>In addition to <option>max-child</option> another
+ option limiting the maximum connections from a single
+ place to a particular daemon can be enabled.
+ <option>max-connections-per-ip-per-minute</option> does
+ just this. A value of ten here would limit any particular
+ IP address connecting to a particular service to ten
+ attempts per minute. This is useful to prevent
+ intentional or unintentional resource consumption and
+ Denial of Service (DoS) attacks to a machine.</para>
+
+ <para>In this field, <option>wait</option> or
+ <option>nowait</option> is mandatory.
+ <option>max-child</option> and
+ <option>max-connections-per-ip-per-minute</option> are
+ optional.</para>
+
+ <para>A stream-type multi-threaded daemon without any
+ <option>max-child</option> or
+ <option>max-connections-per-ip-per-minute</option> limits
+ would simply be: <literal>nowait</literal></para>
+
+ <para>The same daemon with a maximum limit of ten daemons
+ would read: <literal>nowait/10</literal></para>
+
+ <para>Additionally, the same setup with a limit of twenty
+ connections per IP address per minute and a maximum
+ total limit of ten child daemons would read:
+ <literal>nowait/10/20</literal></para>
+
+ <para>These options are all utilized by the default
+ settings of the <application>fingerd</application> daemon,
+ as seen here:</para>
+
+ <programlisting>finger stream tcp nowait/3/10 nobody /usr/libexec/fingerd fingerd -s</programlisting>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>user</term>
+
+ <listitem>
+ <para>The user is the username that the particular daemon
+ should run as. Most commonly, daemons run as the
+ <username>root</username> user. For security purposes, it is
+ common to find some servers running as the
+ <username>daemon</username> user, or the least privileged
+ <username>nobody</username> user.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>server-program</term>
+
+ <listitem>
+ <para>The full path of the daemon to be executed when a
+ connection is received. If the daemon is a service
+ provided by <application>inetd</application> internally,
+ then <option>internal</option> should be
+ used.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>server-program-arguments</term>
+
+ <listitem>
+ <para>This works in conjunction with
+ <option>server-program</option> by specifying the
+ arguments, starting with argv[0], passed to the daemon on
+ invocation. If <application>mydaemon -d</application> is
+ the command line, <literal>mydaemon -d</literal> would be
+ the value of <option>server program arguments</option>.
+ Again, if the daemon is an internal service, use
+ <option>internal</option> here.</para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </sect2>
+
+ <sect2 id="inetd-security">
+ <title>Security</title>
+
+ <para>Depending on the security profile chosen at install, many
+ of <application>inetd</application>'s daemons may be enabled by
+ default. If there is no apparent need for a particular daemon,
+ disable it! Place a <quote>#</quote> in front of the daemon in
+ question, and send a <command>kill -HUP `cat
+ /var/run/inetd.pid`</command> to
+ <application>inetd</application>. Some daemons, such as
+ <application>fingerd</application>, may not be desired at all
+ because it provides an attacker with too much
+ information.</para>
+
+ <para>Some daemons are not security-concious and have long, or
+ non-existent timeouts for connection attempts. This allows an
+ attacker to slowly send connections to a particular daemon, thus
+ saturating available resources. It may be a good idea to place
+ <option>ip-per-minute</option> and <option>max-child</option>
+ limitations on certain daemons.</para>
+
+ <para>By default, TCP wrapping is turned on. Consult the
+ &man.hosts.access.5; man page for more information on placing
+ TCP restrictions on various <application>inetd</application>
+ invoked daemons.
+ </sect2>
+
+ <sect2 id="inetd-misc">
+ <title>Miscellaneous</title>
+
+ <para><application>daytime</application>,
+ <application>time</application>,
+ <application>echo</application>,
+ <application>discard</application>,
+ <application>chargen</application>, and
+ <application>auth</application> are all internally provided
+ services of <application>inetd</application>.</para>
+
+ <para>The <application>auth</application> service provides identity
+ (ident, identd) network services, and is configurable to a certain
+ degree.</para>
+
+ <para>Consult the &man.inetd.8; man page for more in-depth
+ information.</para>
+ </sect2>
+ </sect1>
+
</chapter>
<!--