network-inetd.html

FreeBSD操作系统的详细使用手册

ftp     stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l
</pre>

<div class="VARIABLELIST">
<dl>
<dt>service-name</dt>

<dd>
<p>This is the service name of the particular daemon. It must correspond to a service
listed in <tt class="FILENAME">/etc/services</tt>. This determines which port <b
class="APPLICATION">inetd</b> must listen to. If a new service is being created, it must
be placed in <tt class="FILENAME">/etc/services</tt> first.</p>
</dd>

<dt>socket-type</dt>

<dd>
<p>Either <var class="LITERAL">stream</var>, <var class="LITERAL">dgram</var>, <var
class="LITERAL">raw</var>, or <var class="LITERAL">seqpacket</var>. <var
class="LITERAL">stream</var> must be used for connection-based, TCP daemons, while <var
class="LITERAL">dgram</var> is used for daemons utilizing the <acronym
class="ACRONYM">UDP</acronym> transport protocol.</p>
</dd>

<dt>protocol</dt>

<dd>
<p>One of the following:</p>

<div class="INFORMALTABLE"><a id="AEN33306" name="AEN33306"></a>
<table border="0" frame="void" class="CALSTABLE">
<col />
<col />
<thead>
<tr>
<th>Protocol</th>
<th>Explanation</th>
</tr>
</thead>

<tbody>
<tr>
<td>tcp, tcp4</td>
<td>TCP IPv4</td>
</tr>

<tr>
<td>udp, udp4</td>
<td>UDP IPv4</td>
</tr>

<tr>
<td>tcp6</td>
<td>TCP IPv6</td>
</tr>

<tr>
<td>udp6</td>
<td>UDP IPv6</td>
</tr>

<tr>
<td>tcp46</td>
<td>Both TCP IPv4 and v6</td>
</tr>

<tr>
<td>udp46</td>
<td>Both UDP IPv4 and v6</td>
</tr>
</tbody>
</table>
</div>
</dd>

<dt>{wait|nowait}[/max-child[/max-connections-per-ip-per-minute]]</dt>

<dd>
<p><var class="OPTION">wait|nowait</var> indicates whether the daemon invoked from <b
class="APPLICATION">inetd</b> is able to handle its own socket or not. <var
class="OPTION">dgram</var> socket types must use the <var class="OPTION">wait</var>
option, while stream socket daemons, which are usually multi-threaded, should use <var
class="OPTION">nowait</var>. <var class="OPTION">wait</var> usually hands off multiple
sockets to a single daemon, while <var class="OPTION">nowait</var> spawns a child daemon
for each new socket.</p>

<p>The maximum number of child daemons <b class="APPLICATION">inetd</b> may spawn can be
set using the <var class="OPTION">max-child</var> option. If a limit of ten instances of
a particular daemon is needed, a <var class="LITERAL">/10</var> would be placed after
<var class="OPTION">nowait</var>.</p>

<p>In addition to <var class="OPTION">max-child</var>, another option limiting the
maximum connections from a single place to a particular daemon can be enabled. <var
class="OPTION">max-connections-per-ip-per-minute</var> does just this. A value of ten
here would limit any particular IP address connecting to a particular service to ten
attempts per minute. This is useful to prevent intentional or unintentional resource
consumption and Denial of Service (DoS) attacks to a machine.</p>

<p>In this field, <var class="OPTION">wait</var> or <var class="OPTION">nowait</var> is
mandatory. <var class="OPTION">max-child</var> and <var
class="OPTION">max-connections-per-ip-per-minute</var> are optional.</p>

<p>A stream-type multi-threaded daemon without any <var class="OPTION">max-child</var> or
<var class="OPTION">max-connections-per-ip-per-minute</var> limits would simply be: <var
class="LITERAL">nowait</var>.</p>

<p>The same daemon with a maximum limit of ten daemons would read: <var
class="LITERAL">nowait/10</var>.</p>

<p>Additionally, the same setup with a limit of twenty connections per IP address per
minute and a maximum total limit of ten child daemons would read: <var
class="LITERAL">nowait/10/20</var>.</p>

<p>These options are all utilized by the default settings of the <b
class="APPLICATION">fingerd</b> daemon, as seen here:</p>

<pre class="PROGRAMLISTING">
finger stream  tcp     nowait/3/10 nobody /usr/libexec/fingerd fingerd -s
</pre>
</dd>

<dt>user</dt>

<dd>
<p>This is the username that the particular daemon should run as. Most commonly, daemons
run as the <tt class="USERNAME">root</tt> user. For security purposes, it is common to
find some servers running as the <tt class="USERNAME">daemon</tt> user, or the least
privileged <tt class="USERNAME">nobody</tt> user.</p>
</dd>

<dt>server-program</dt>

<dd>
<p>The full path of the daemon to be executed when a connection is received. If the
daemon is a service provided by <b class="APPLICATION">inetd</b> internally, then <var
class="OPTION">internal</var> should be used.</p>
</dd>

<dt>server-program-arguments</dt>

<dd>
<p>This works in conjunction with <var class="OPTION">server-program</var> by specifying
the arguments, starting with <var class="LITERAL">argv[0]</var>, passed to the daemon on
invocation. If <tt class="COMMAND">mydaemon -d</tt> is the command line, <var
class="LITERAL">mydaemon -d</var> would be the value of <var
class="OPTION">server-program-arguments</var>. Again, if the daemon is an internal
service, use <var class="OPTION">internal</var> here.</p>
</dd>
</dl>
</div>
</div>

<div class="SECT2">
<h2 class="SECT2"><a id="NETWORK-INETD-SECURITY" name="NETWORK-INETD-SECURITY">23.2.5
Security</a></h2>

<p>Depending on the security profile chosen at install, many of <b
class="APPLICATION">inetd</b>'s daemons may be enabled by default. If there is no
apparent need for a particular daemon, disable it! Place a ``#'' in front of the daemon
in question in <tt class="FILENAME">/etc/inetd.conf</tt>, and then send a <a
href="network-inetd.html#NETWORK-INETD-HANGUP">hangup signal to inetd</a>. Some daemons,
such as <b class="APPLICATION">fingerd</b>, may not be desired at all because they
provide an attacker with too much information.</p>

<p>Some daemons are not security-conscious and have long, or non-existent timeouts for
connection attempts. This allows an attacker to slowly send connections to a particular
daemon, thus saturating available resources. It may be a good idea to place <var
class="OPTION">max-connections-per-ip-per-minute</var> and <var
class="OPTION">max-child</var> limitations on certain daemons.</p>

<p>By default, TCP wrapping is turned on. Consult the <a
href="http://www.FreeBSD.org/cgi/man.cgi?query=hosts_access&sektion=5"><span
class="CITEREFENTRY"><span class="REFENTRYTITLE">hosts_access</span>(5)</span></a> manual
page for more information on placing TCP restrictions on various <b
class="APPLICATION">inetd</b> invoked daemons.</p>
</div>

<div class="SECT2">
<h2 class="SECT2"><a id="NETWORK-INETD-MISC" name="NETWORK-INETD-MISC">23.2.6
Miscellaneous</a></h2>

<p><b class="APPLICATION">daytime</b>, <b class="APPLICATION">time</b>, <b
class="APPLICATION">echo</b>, <b class="APPLICATION">discard</b>, <b
class="APPLICATION">chargen</b>, and <b class="APPLICATION">auth</b> are all internally
provided services of <b class="APPLICATION">inetd</b>.</p>

<p>The <b class="APPLICATION">auth</b> service provides identity (<b
class="APPLICATION">ident</b>, <b class="APPLICATION">identd</b>) network services, and
is configurable to a certain degree.</p>

<p>Consult the <a href="http://www.FreeBSD.org/cgi/man.cgi?query=inetd&sektion=8"><span
class="CITEREFENTRY"><span class="REFENTRYTITLE">inetd</span>(8)</span></a> manual page
for more in-depth information.</p>
</div>
</div>

<div class="NAVFOOTER">
<hr align="LEFT" width="100%" />
<table summary="Footer navigation table" width="100%" border="0" cellpadding="0"
cellspacing="0">
<tr>
<td width="33%" align="left" valign="top"><a href="network-servers.html"
accesskey="P">Prev</a></td>
<td width="34%" align="center" valign="top"><a href="index.html"
accesskey="H">Home</a></td>
<td width="33%" align="right" valign="top"><a href="network-nfs.html"
accesskey="N">Next</a></td>
</tr>

<tr>
<td width="33%" align="left" valign="top">Network Servers</td>
<td width="34%" align="center" valign="top"><a href="network-servers.html"
accesskey="U">Up</a></td>
<td width="33%" align="right" valign="top">Network File System (NFS)</td>
</tr>
</table>
</div>

<p align="center"><small>This, and other documents, can be downloaded from <a
href="ftp://ftp.FreeBSD.org/pub/FreeBSD/doc/">ftp://ftp.FreeBSD.org/pub/FreeBSD/doc/</a>.</small></p>

<p align="center"><small>For questions about FreeBSD, read the <a
href="http://www.FreeBSD.org/docs.html">documentation</a> before contacting &#60;<a
href="mailto:questions@FreeBSD.org">questions@FreeBSD.org</a>&#62;.<br />
For questions about this documentation, e-mail &#60;<a
href="mailto:doc@FreeBSD.org">doc@FreeBSD.org</a>&#62;.</small></p>
</body>
</html>