network-inetd.html

FreeBSD安装说明概述 FreeBSD 提供了一个以文字为主

server-program-arguments
</pre>

<p>An example entry for the <b class="APPLICATION">ftpd</b> daemon using IPv4:</p>

<pre class="PROGRAMLISTING">
ftp     stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l
</pre>

<div class="VARIABLELIST">
<dl>
<dt>service-name</dt>

<dd>
<p>This is the service name of the particular daemon. It must correspond to a service
listed in <tt class="FILENAME">/etc/services</tt>. This determines which port <b
class="APPLICATION">inetd</b> must listen to. If a new service is being created, it must
be placed in <tt class="FILENAME">/etc/services</tt> first.</p>
</dd>

<dt>socket-type</dt>

<dd>
<p>Either <var class="LITERAL">stream</var>, <var class="LITERAL">dgram</var>, <var
class="LITERAL">raw</var>, or <var class="LITERAL">seqpacket</var>. <var
class="LITERAL">stream</var> must be used for connection-based, TCP daemons, while <var
class="LITERAL">dgram</var> is used for daemons utilizing the UDP transport protocol.</p>
</dd>

<dt>protocol</dt>

<dd>
<p>One of the following:</p>

<div class="INFORMALTABLE"><a id="AEN28845" name="AEN28845"></a>
<table border="1" class="CALSTABLE">
<col />
<col />
<thead>
<tr>
<th>Protocol</th>
<th>Explanation</th>
</tr>
</thead>

<tbody>
<tr>
<td>tcp, tcp4</td>
<td>TCP IPv4</td>
</tr>

<tr>
<td>udp, udp4</td>
<td>UDP IPv4</td>
</tr>

<tr>
<td>tcp6</td>
<td>TCP IPv6</td>
</tr>

<tr>
<td>udp6</td>
<td>UDP IPv6</td>
</tr>

<tr>
<td>tcp46</td>
<td>Both TCP IPv4 and v6</td>
</tr>

<tr>
<td>udp46</td>
<td>Both UDP IPv4 and v6</td>
</tr>
</tbody>
</table>
</div>
</dd>

<dt>{wait|nowait}[/max-child[/max-connections-per-ip-per-minute]]</dt>

<dd>
<p><var class="OPTION">wait|nowait</var> indicates whether the daemon invoked from <b
class="APPLICATION">inetd</b> is able to handle its own socket or not. <var
class="OPTION">dgram</var> socket types must use the wait option, while stream socket
daemons, which are usually multi-threaded, should use <var class="OPTION">nowait</var>.
<var class="OPTION">wait</var> usually hands off multiple sockets to a single daemon,
while <var class="OPTION">nowait</var> spawns a child daemon for each new socket.</p>

<p>The maximum number of child daemons <b class="APPLICATION">inetd</b> may spawn can be
set using the <var class="OPTION">max-child</var> option. If a limit of ten instances of
a particular daemon is needed, a <var class="LITERAL">/10</var> would be placed after
<var class="OPTION">nowait</var>.</p>

<p>In addition to <var class="OPTION">max-child</var>, another option limiting the
maximum connections from a single place to a particular daemon can be enabled. <var
class="OPTION">max-connections-per-ip-per-minute</var> does just this. A value of ten
here would limit any particular IP address connecting to a particular service to ten
attempts per minute. This is useful to prevent intentional or unintentional resource
consumption and Denial of Service (DoS) attacks to a machine.</p>

<p>In this field, <var class="OPTION">wait</var> or <var class="OPTION">nowait</var> is
mandatory. <var class="OPTION">max-child</var> and <var
class="OPTION">max-connections-per-ip-per-minute</var> are optional.</p>

<p>A stream-type multi-threaded daemon without any <var class="OPTION">max-child</var> or
<var class="OPTION">max-connections-per-ip-per-minute</var> limits would simply be: <var
class="LITERAL">nowait</var></p>

<p>The same daemon with a maximum limit of ten daemons would read: <var
class="LITERAL">nowait/10</var></p>

<p>Additionally, the same setup with a limit of twenty connections per IP address per
minute and a maximum total limit of ten child daemons would read: <var
class="LITERAL">nowait/10/20</var></p>

<p>These options are all utilized by the default settings of the <b
class="APPLICATION">fingerd</b> daemon, as seen here:</p>

<pre class="PROGRAMLISTING">
finger stream  tcp     nowait/3/10 nobody /usr/libexec/fingerd fingerd -s
</pre>
</dd>

<dt>user</dt>

<dd>
<p>The user is the username that the particular daemon should run as. Most commonly,
daemons run as the <tt class="USERNAME">root</tt> user. For security purposes, it is
common to find some servers running as the <tt class="USERNAME">daemon</tt> user, or the
least privileged <tt class="USERNAME">nobody</tt> user.</p>
</dd>

<dt>server-program</dt>

<dd>
<p>The full path of the daemon to be executed when a connection is received. If the
daemon is a service provided by <b class="APPLICATION">inetd</b> internally, then <var
class="OPTION">internal</var> should be used.</p>
</dd>

<dt>server-program-arguments</dt>

<dd>
<p>This works in conjunction with <var class="OPTION">server-program</var> by specifying
the arguments, starting with argv[0], passed to the daemon on invocation. If <b
class="APPLICATION">mydaemon -d</b> is the command line, <var class="LITERAL">mydaemon
-d</var> would be the value of <var class="OPTION">server program arguments</var>. Again,
if the daemon is an internal service, use <var class="OPTION">internal</var> here.</p>
</dd>
</dl>
</div>
</div>

<div class="SECT2">
<h2 class="SECT2"><a id="NETWORK-INETD-SECURITY" name="NETWORK-INETD-SECURITY">19.14.5.
Security</a></h2>

<p>Depending on the security profile chosen at install, many of <b
class="APPLICATION">inetd</b>'s daemons may be enabled by default. If there is no
apparent need for a particular daemon, disable it! Place a ``#'' in front of the daemon
in question, and send a <a href="network-inetd.html#NETWORK-INETD-HANGUP">hangup signal
to inetd</a>. Some daemons, such as <b class="APPLICATION">fingerd</b>, may not be
desired at all because they provide an attacker with too much information.</p>

<p>Some daemons are not security-conscious and have long, or non-existent timeouts for
connection attempts. This allows an attacker to slowly send connections to a particular
daemon, thus saturating available resources. It may be a good idea to place <var
class="OPTION">ip-per-minute</var> and <var class="OPTION">max-child</var> limitations on
certain daemons.</p>

<p>By default, TCP wrapping is turned on. Consult the <span class="CITEREFENTRY"><span
class="REFENTRYTITLE">hosts_access</span>(5)</span> manual page for more information on
placing TCP restrictions on various <b class="APPLICATION">inetd</b> invoked daemons.</p>
</div>

<div class="SECT2">
<h2 class="SECT2"><a id="NETWORK-INETD-MISC" name="NETWORK-INETD-MISC">19.14.6.
Miscellaneous</a></h2>

<p><b class="APPLICATION">daytime</b>, <b class="APPLICATION">time</b>, <b
class="APPLICATION">echo</b>, <b class="APPLICATION">discard</b>, <b
class="APPLICATION">chargen</b>, and <b class="APPLICATION">auth</b> are all internally
provided services of <b class="APPLICATION">inetd</b>.</p>

<p>The <b class="APPLICATION">auth</b> service provides identity (ident, identd) network
services, and is configurable to a certain degree.</p>

<p>Consult the <span class="CITEREFENTRY"><span
class="REFENTRYTITLE">inetd</span>(8)</span> manual page for more in-depth
information.</p>
</div>
</div>

<div class="NAVFOOTER">
<hr align="LEFT" width="100%" />
<table summary="Footer navigation table" width="100%" border="0" cellpadding="0"
cellspacing="0">
<tr>
<td width="33%" align="left" valign="top"><a href="network-natd.html"
accesskey="P">Prev</a></td>
<td width="34%" align="center" valign="top"><a href="index.html"
accesskey="H">Home</a></td>
<td width="33%" align="right" valign="top"><a href="network-plip.html"
accesskey="N">Next</a></td>
</tr>

<tr>
<td width="33%" align="left" valign="top">Network Address Translation</td>
<td width="34%" align="center" valign="top"><a href="advanced-networking.html"
accesskey="U">Up</a></td>
<td width="33%" align="right" valign="top">Parallel Line IP (PLIP)</td>
</tr>
</table>
</div>
</body>
</html>