Diff for /wikisrc/guide/inetd.mdwn between versions 1.3 and 1.5

version 1.3, 2013/03/05 23:33:53 version 1.5, 2015/06/19 19:18:31
Line 1 Line 1
   **Contents**
   
   [[!toc levels=3]]
   
 # The Internet Super Server inetd  # The Internet Super Server inetd
   
 The *internet super server*, or  The *internet super server*, or
 [inetd(8)](http://netbsd.gw.com/cgi-bin/man-cgi?inetd+8+NetBSD-5.0.1+i386), is  [[!template id=man name="inetd" section="8"]], is
 available on all Unix(like) systems, providing many of the basic network  available on all Unix(like) systems, providing many of the basic network
 services available. This chapter describes the relationship between the daemon  services available. This chapter describes the relationship between the daemon
 and several of the config files in the `/etc/` directory.  and several of the config files in the `/etc/` directory.
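Review bot: the `[[!toc levels=3]]` added at the top of this hunk will not nest cleanly, because the page's heading levels are not uniform: the title is `# The Internet Super Server inetd`, and the later section `# Allowing and denying hosts - /etc/hosts.allow, /etc/hosts.deny` also uses a single `#`, while every other section (`## Overview`, `## What is inetd?`, `## Configuring inetd - /etc/inetd.conf`, ...) uses `##`. That section would appear as a second top-level entry beside the title rather than under it; change it to `## Allowing and denying hosts - /etc/hosts.allow, /etc/hosts.deny` in the same commit.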
Line 9  and several of the config files in the ` Line 13  and several of the config files in the `
 ## Overview  ## Overview
   
 In this document we will look at a simple definition of  In this document we will look at a simple definition of
 [inetd(8)](http://netbsd.gw.com/cgi-bin/man-cgi?inetd+8+NetBSD-5.0.1+i386), how  [[!template id=man name="inetd" section="8"]], how
 several files that relate to  several files that relate to
 [inetd(8)](http://netbsd.gw.com/cgi-bin/man-cgi?inetd+8+NetBSD-5.0.1+i386) work  [[!template id=man name="inetd" section="8"]] work
 (not that these files are not related to other software), how to add a service  (not that these files are not related to other software), how to add a service
 to [inetd(8)](http://netbsd.gw.com/cgi-bin/man-cgi?inetd+8+NetBSD-5.0.1+i386)  to [[!template id=man name="inetd" section="8"]]
 and some considerations both to use  and some considerations both to use
 [inetd(8)](http://netbsd.gw.com/cgi-bin/man-cgi?inetd+8+NetBSD-5.0.1+i386) for a  [[!template id=man name="inetd" section="8"]] for a
 particular service and times when a service might be better off running outside  particular service and times when a service might be better off running outside
 of [inetd(8)](http://netbsd.gw.com/cgi-bin/man-cgi?inetd+8+NetBSD-5.0.1+i386).  of [[!template id=man name="inetd" section="8"]].
   
 ## What is inetd?  ## What is inetd?
   
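Review bot: the parenthetical on the touched line, `(not that these files are not related to other software)`, reads as a typo for "note that"; since this hunk already rewrites the sentence it sits in, fix the wording here rather than leaving it for a later pass.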
Line 30  it receives a request it then determines Line 34  it receives a request it then determines
 request and starts an instance of that program.  request and starts an instance of that program.
   
 Following is a very simple diagram to illustrate  Following is a very simple diagram to illustrate
 [inetd(8)](http://netbsd.gw.com/cgi-bin/man-cgi?inetd+8+NetBSD-5.0.1+i386):  [[!template id=man name="inetd" section="8"]]:
   
     pop3  -------|        pop3  -------|  
                  |                     |  
Line 39  Following is a very simple diagram to il Line 43  Following is a very simple diagram to il
     cvsupserver -|      cvsupserver -|
   
 In the above diagram you can see the general idea. The  In the above diagram you can see the general idea. The
 [inetd(8)](http://netbsd.gw.com/cgi-bin/man-cgi?inetd+8+NetBSD-5.0.1+i386)  [[!template id=man name="inetd" section="8"]]
 process receives a request and then starts the appropriate server process. What  process receives a request and then starts the appropriate server process. What
 [inetd(8)](http://netbsd.gw.com/cgi-bin/man-cgi?inetd+8+NetBSD-5.0.1+i386) is  [[!template id=man name="inetd" section="8"]] is
 doing is software multiplexing. An important note here, regarding security: On  doing is software multiplexing. An important note here, regarding security: On
 many other UNIX-like systems, a package called tcpwrappers is used as a security  many other UNIX-like systems, a package called tcpwrappers is used as a security
 enhancement for  enhancement for
 [inetd(8)](http://netbsd.gw.com/cgi-bin/man-cgi?inetd+8+NetBSD-5.0.1+i386). On  [[!template id=man name="inetd" section="8"]]. On
 NetBSD the tcpwrapper functionality is built into  NetBSD the tcpwrapper functionality is built into
 [inetd(8)](http://netbsd.gw.com/cgi-bin/man-cgi?inetd+8+NetBSD-5.0.1+i386) using  [[!template id=man name="inetd" section="8"]] using
 libwrap.  libwrap.
   
 ## Configuring inetd - /etc/inetd.conf  ## Configuring inetd - /etc/inetd.conf
   
 The operation of  The operation of
 [inetd(8)](http://netbsd.gw.com/cgi-bin/man-cgi?inetd+8+NetBSD-5.0.1+i386) is  [[!template id=man name="inetd" section="8"]] is
 controlled by its own config file, surprisingly named `/etc/inetd.conf`, see  controlled by its own config file, surprisingly named `/etc/inetd.conf`, see
 [inetd.conf(5)](http://netbsd.gw.com/cgi-bin/man-cgi?inetd.conf+5+NetBSD-5.0.1+i386).  [[!template id=man name="inetd.conf" section="5"]].
 The `inetd.conf` file basically provides enabling and mapping of services the  The `inetd.conf` file basically provides enabling and mapping of services the
 systems administrator would like to have multiplexed through  systems administrator would like to have multiplexed through
 [inetd(8)](http://netbsd.gw.com/cgi-bin/man-cgi?inetd+8+NetBSD-5.0.1+i386),  [[!template id=man name="inetd" section="8"]],
 indicating which program should be started for incoming requests on which port.  indicating which program should be started for incoming requests on which port.
   
 [inetd.conf(5)](http://netbsd.gw.com/cgi-bin/man-cgi?inetd.conf+5+NetBSD-5.0.1+i386)  [[!template id=man name="inetd.conf" section="5"]]
 is an ascii file containing one service per line, and several fields per line.  is an ascii file containing one service per line, and several fields per line.
 The basic field layout is:  The basic field layout is:
   
     service-name socket-type protocol wait/nowait user:group server-program arguments      service-name socket-type protocol wait/nowait user:group server-program arguments
   
  * `service-name`: The service name indicates the port   * `service-name`: The service name indicates the port
    [inetd(8)](http://netbsd.gw.com/cgi-bin/man-cgi?inetd+8+NetBSD-5.0.1+i386)     [[!template id=man name="inetd" section="8"]]
    should listen on. It is either a decimal number, or a name matching a service     should listen on. It is either a decimal number, or a name matching a service
    name given in `/etc/services`.     name given in `/etc/services`.
   
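Review bot: the field layout line `service-name socket-type protocol wait/nowait user:group server-program arguments` writes the user field as `user:group`, while the bullet that documents it (in the following hunk) is headed `user[:group]` and says the group is optional; use the bracketed form in the layout line as well so the two descriptions agree.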
Line 86  The basic field layout is: Line 90  The basic field layout is:
    (RPC) can be specified as either `rpc/tcp` or `rpc/udp`.     (RPC) can be specified as either `rpc/tcp` or `rpc/udp`.
   
  * `wait/nowait`: This field tells   * `wait/nowait`: This field tells
    [inetd(8)](http://netbsd.gw.com/cgi-bin/man-cgi?inetd+8+NetBSD-5.0.1+i386) if     [[!template id=man name="inetd" section="8"]] if
    it should wait for a server program to return or to continue processing new     it should wait for a server program to return or to continue processing new
    connections immediately. Many connections to server processes require answers     connections immediately. Many connections to server processes require answers
    after data transfers are complete, where other types can keep transmitting on     after data transfers are complete, where other types can keep transmitting on
Line 97  The basic field layout is: Line 101  The basic field layout is:
   
  * `user[:group]`: This field gives the user name and optionally a group name   * `user[:group]`: This field gives the user name and optionally a group name
    that the server process which     that the server process which
    [inetd(8)](http://netbsd.gw.com/cgi-bin/man-cgi?inetd+8+NetBSD-5.0.1+i386)     [[!template id=man name="inetd" section="8"]]
    starts up runs as.     starts up runs as.
   
  * `server-program`: This field is the full path of the program that gets   * `server-program`: This field is the full path of the program that gets
Line 115  can do with some of the fields. Here is  Line 119  can do with some of the fields. Here is 
   
 From the left, the service-name is `ftp`, socket-type is `stream`, protocol is  From the left, the service-name is `ftp`, socket-type is `stream`, protocol is
 `tcp`,  `tcp`,
 [inetd(8)](http://netbsd.gw.com/cgi-bin/man-cgi?inetd+8+NetBSD-5.0.1+i386) won't  [[!template id=man name="inetd" section="8"]] won't
 wait for the server process to terminate (`nowait`), the process runs as user  wait for the server process to terminate (`nowait`), the process runs as user
 `root`, path is `/usr/libexec/ftpd` and program name and arguments are  `root`, path is `/usr/libexec/ftpd` and program name and arguments are
 `ftpd -ll`. Notice in the last field, the program name is different from the  `ftpd -ll`. Notice in the last field, the program name is different from the
Line 146  every protocol a service can use (even o Line 150  every protocol a service can use (even o
 ## Protocols - /etc/protocols  ## Protocols - /etc/protocols
   
 Another file read by  Another file read by
 [inetd(8)](http://netbsd.gw.com/cgi-bin/man-cgi?inetd+8+NetBSD-5.0.1+i386) is  [[!template id=man name="inetd" section="8"]] is
 `/etc/protocols`. This file has the information pertaining to DARPA Internet  `/etc/protocols`. This file has the information pertaining to DARPA Internet
 protocols. The format of the protocols name data base is:  protocols. The format of the protocols name data base is:
   
Line 168  Protocol as indicated by the comment in  Line 172  Protocol as indicated by the comment in 
   
 The rpc program number data base used by services with the `rpc` protocol type  The rpc program number data base used by services with the `rpc` protocol type
 in  in
 [inetd.conf(5)](http://netbsd.gw.com/cgi-bin/man-cgi?inetd.conf+5+NetBSD-5.0.1+i386)  [[!template id=man name="inetd.conf" section="5"]]
 is kept in `/etc/rpc` and contains name mappings to rpc program numbers. The  is kept in `/etc/rpc` and contains name mappings to rpc program numbers. The
 format of the file is:  format of the file is:
   
Line 181  For example, here is the nfs entry: Line 185  For example, here is the nfs entry:
 # Allowing and denying hosts - /etc/hosts.allow, /etc/hosts.deny  # Allowing and denying hosts - /etc/hosts.allow, /etc/hosts.deny
   
 As mentioned above, NetBSD's  As mentioned above, NetBSD's
 [inetd(8)](http://netbsd.gw.com/cgi-bin/man-cgi?inetd+8+NetBSD-5.0.1+i386) has  [[!template id=man name="inetd" section="8"]] has
 the tcpwrapper package built in via the libwrap library. As such,  the tcpwrapper package built in via the libwrap library. As such,
 [inetd(8)](http://netbsd.gw.com/cgi-bin/man-cgi?inetd+8+NetBSD-5.0.1+i386) can  [[!template id=man name="inetd" section="8"]] can
 allow or deny access to each service on a more fine-grained base than just  allow or deny access to each service on a more fine-grained base than just
 allowing a service to everyone, or not enabling it at all. The access control is  allowing a service to everyone, or not enabling it at all. The access control is
 defined in the files `/etc/hosts.allow` and `/etc/hosts.deny`, see the  defined in the files `/etc/hosts.allow` and `/etc/hosts.deny`, see the
 [hosts\_access(5)](http://netbsd.gw.com/cgi-bin/man-cgi?hosts_access+5+NetBSD-5.0.1+i386)  [[!template id=man name="hosts\_access" section="5"]]
 manpage.  manpage.
   
 Each of the two files contains several lines that describe access restrictions  Each of the two files contains several lines that describe access restrictions
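Review bot: the `\_` escape has been carried over from the old Markdown link text into the directive argument, giving `[[!template id=man name="hosts\_access" section="5"]]`; inside a template parameter the backslash is not Markdown escaping and is likely to end up in the generated man page name or URL. It should read `name="hosts_access"`, here and in the two later occurrences (the reference in the next hunk and the entry in the Other Resources list).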
Line 195  for a certain server. Access is allowed  Line 199  for a certain server. Access is allowed 
 `/etc/hosts.allow`. If the service is not listened in `/etc/hosts.allow` but in  `/etc/hosts.allow`. If the service is not listened in `/etc/hosts.allow` but in
 `/etc/hosts.deny`, it is denied. If a service is listed in neither file, it is  `/etc/hosts.deny`, it is denied. If a service is listed in neither file, it is
 allowed, giving standard  allowed, giving standard
 [inetd(8)](http://netbsd.gw.com/cgi-bin/man-cgi?inetd+8+NetBSD-5.0.1+i386)  [[!template id=man name="inetd" section="8"]]
 behaviour.  behaviour.
   
 Each line in `/etc/hosts.allow` and `/etc/hosts.deny` contains a service either  Each line in `/etc/hosts.allow` and `/etc/hosts.deny` contains a service either
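Review bot: `If the service is not listened in /etc/hosts.allow but in /etc/hosts.deny` should read "listed", matching the wording used in the next sentence ("If a service is listed in neither file"). Since the same paragraph documents that an unlisted service falls through to allowed, it is worth stating that this is the permissive default, so readers understand that `/etc/hosts.deny` only restricts what it explicitly names.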
Line 204  instead of `ftp`), or the special servic Line 208  instead of `ftp`), or the special servic
 services. Following the service name is - separated by a colon - a number of  services. Following the service name is - separated by a colon - a number of
 access restrictions, which can be hostnames, domains, single IP addresses, whole  access restrictions, which can be hostnames, domains, single IP addresses, whole
 IP subnets or some other restrictions, please check  IP subnets or some other restrictions, please check
 [hosts\_access(5)](http://netbsd.gw.com/cgi-bin/man-cgi?hosts_access+5+NetBSD-5.0.1+i386)  [[!template id=man name="hosts\_access" section="5"]]
 for all the details.  for all the details.
   
 An example configuration that is mostly open but denies access to services to a  An example configuration that is mostly open but denies access to services to a
Line 229  The entry to allow a few hosts would be  Line 233  The entry to allow a few hosts would be 
   
 Many times a systems administrator will find that they need to add a service to  Many times a systems administrator will find that they need to add a service to
 their system that is not already in  their system that is not already in
 [inetd(8)](http://netbsd.gw.com/cgi-bin/man-cgi?inetd+8+NetBSD-5.0.1+i386) or  [[!template id=man name="inetd" section="8"]] or
 they may wish to move a service to it because it does not get very much traffic.  they may wish to move a service to it because it does not get very much traffic.
 This is usually pretty simple, so as an example we will look at adding a version  This is usually pretty simple, so as an example we will look at adding a version
 of POP3 on a NetBSD system.  of POP3 on a NetBSD system.
Line 268  The `pop3` entries here are of interest, Line 272  The `pop3` entries here are of interest,
 `/etc/services` file shipped with NetBSD.  `/etc/services` file shipped with NetBSD.
   
 Now, to have  Now, to have
 [inetd(8)](http://netbsd.gw.com/cgi-bin/man-cgi?inetd+8+NetBSD-5.0.1+i386) use  [[!template id=man name="inetd" section="8"]] use
 the new entry, we simply restart it using the rc script:  the new entry, we simply restart it using the rc script:
   
     # sh /etc/rc.d/inetd restart      # sh /etc/rc.d/inetd restart
Line 282  borrow the telnet entry and change parts Line 286  borrow the telnet entry and change parts
 ## When to use or not to use inetd  ## When to use or not to use inetd
   
 The decision to add or move a service into or out of  The decision to add or move a service into or out of
 [inetd(8)](http://netbsd.gw.com/cgi-bin/man-cgi?inetd+8+NetBSD-5.0.1+i386) is  [[!template id=man name="inetd" section="8"]] is
 usually based on server load. As an example, on most systems the telnet daemon  usually based on server load. As an example, on most systems the telnet daemon
 does not require as many new connections as say a mail server. Most of the time  does not require as many new connections as say a mail server. Most of the time
 the administrator has to feel out if a service should be moved.  the administrator has to feel out if a service should be moved.
   
 A good example I have seen is mail services such as smtp and pop. I had setup a  A good example I have seen is mail services such as smtp and pop. I had setup a
 mail server in which pop3 was in  mail server in which pop3 was in
 [inetd(8)](http://netbsd.gw.com/cgi-bin/man-cgi?inetd+8+NetBSD-5.0.1+i386) and  [[!template id=man name="inetd" section="8"]] and
 exim was running in standalone, I mistakenly assumed it would run fine since  exim was running in standalone, I mistakenly assumed it would run fine since
 there was a low amount of users, namely myself and a diagnostic account. The  there was a low amount of users, namely myself and a diagnostic account. The
 server was also setup to act as a backup MX and relay in case another heavily  server was also setup to act as a backup MX and relay in case another heavily
Line 297  used one went down. When I ran some test Line 301  used one went down. When I ran some test
 connections remotely. This was because of my steady fetching of mail and the  connections remotely. This was because of my steady fetching of mail and the
 diagnostic user constantly mailing diagnostics back and forth. In the end I had  diagnostic user constantly mailing diagnostics back and forth. In the end I had
 to move the pop3 service out of  to move the pop3 service out of
 [inetd(8)](http://netbsd.gw.com/cgi-bin/man-cgi?inetd+8+NetBSD-5.0.1+i386).  [[!template id=man name="inetd" section="8"]].
   
 The reason for moving the service is actually quite interesting. When a  The reason for moving the service is actually quite interesting. When a
 particular service becomes heavily used, of course, it causes a load on the  particular service becomes heavily used, of course, it causes a load on the
 system. In the case of a service that runs within the  system. In the case of a service that runs within the
 [inetd(8)](http://netbsd.gw.com/cgi-bin/man-cgi?inetd+8+NetBSD-5.0.1+i386) meta  [[!template id=man name="inetd" section="8"]] meta
 daemon the effects of a heavily loaded service can also harm other services that  daemon the effects of a heavily loaded service can also harm other services that
 use [inetd(8)](http://netbsd.gw.com/cgi-bin/man-cgi?inetd+8+NetBSD-5.0.1+i386).  use [[!template id=man name="inetd" section="8"]].
 If the multiplexor is getting too many requests for one particular service, it  If the multiplexor is getting too many requests for one particular service, it
 will begin to affect the performance of other services that use  will begin to affect the performance of other services that use
 [inetd(8)](http://netbsd.gw.com/cgi-bin/man-cgi?inetd+8+NetBSD-5.0.1+i386). The  [[!template id=man name="inetd" section="8"]]. The
 fix, in a situation like that, is to make the offending service run outside of  fix, in a situation like that, is to make the offending service run outside of
 [inetd(8)](http://netbsd.gw.com/cgi-bin/man-cgi?inetd+8+NetBSD-5.0.1+i386) so  [[!template id=man name="inetd" section="8"]] so
 the response time of both the service and  the response time of both the service and
 [inetd(8)](http://netbsd.gw.com/cgi-bin/man-cgi?inetd+8+NetBSD-5.0.1+i386) will  [[!template id=man name="inetd" section="8"]] will
 increase.  increase.
   
 ## Other Resources  ## Other Resources
Line 321  this document. Line 325  this document.
   
 NetBSD manual pages:  NetBSD manual pages:
   
  * [inetd(8)](http://netbsd.gw.com/cgi-bin/man-cgi/man?inetd+8+NetBSD-current)   * [[!template id=man name="inetd" section="8"]]
  * [protocols(5)](http://netbsd.gw.com/cgi-bin/man-cgi/man?protocols+5+NetBSD-current)   * [[!template id=man name="protocols" section="5"]]
  * [rpc(5)](http://netbsd.gw.com/cgi-bin/man-cgi/man?rpc+5+NetBSD-current)   * [[!template id=man name="rpc" section="5"]]
  * [services(5)](http://netbsd.gw.com/cgi-bin/man-cgi/man?services+5+NetBSD-current)   * [[!template id=man name="services" section="5"]]
  * [hosts\_access(5)](http://netbsd.gw.com/cgi-bin/man-cgi/man?hosts_access+5+NetBSD-current)   * [[!template id=man name="hosts\_access" section="5"]]
   
 Miscellaneous links:  Miscellaneous links:
   
