[Chapter 5] 5.4 The Internet Daemon

[Chapter 5] 5.4 The Internet Daemon



are:

stream

The stream delivery service provided by TCP; i.e., TCP byte stream.[9]

[9] Here the reference is to TCP/IP sockets and TCP streams - not to AT&T streams

I/O or BSD socket I/O.

dgram

The packet (datagram) delivery service provided by UDP

raw

Direct IP datagram service

The sample shows that FTP uses a stream socket.

protocol

This is the name of a protocol, as given in the /etc/protocols file. Its value is usually either "tcp" or

"udp." The FTP protocol uses TCP as its transport layer protocol, so the sample entry contains tcp in

this field.

wait-status

The value for this field is either "wait" or "nowait." Generally, but not always, datagram type

servers require "wait," and stream type servers allow "nowait." If the status is "wait," inetd must wait for

the server to release the socket before it begins to listen for more requests on that socket. If the status is

"nowait," inetd can immediately begin to listen for more connection requests on the socket. Servers with

"nowait" status use sockets other than the connection request socket for processing; i.e., they use

dynamically allocated sockets.

uid

The uid is the username under which the server runs. This can be any valid username, but it is

normally root. There are two common exceptions. The finger service often runs as the user nobody or

daemon for security reasons, and the uucp service is sometimes run as the user uucp to save space in the

system's accounting files.

server

This is the full pathname of the server program started by inetd. Because our example is from a

Solaris system, the path is /usr/sbin/in.ftpd. On your system the path may be different. It is more efficient

for inetd to provide some small services directly than it is for inetd to start separate servers for these

functions. For these small services, the value of the server field is the keyword "internal," which means

that this service is an internal inetd service.

arguments



file:///C|/mynapster/Downloads/warez/tcpip/ch05_04.htm (2 of 4) [2001-10-15 09:17:53]



[Chapter 5] 5.4 The Internet Daemon



These are any command-line arguments that should be passed to the server program when it is

invoked. This list always starts with argv[0] (the name of the program being executed). The program's

manpage documents the valid command-line arguments for each program. In the example only

in.ftpd, the server's name, is provided.

There are a few situations in which you need to modify the inetd.conf file. For example, you may wish to

disable a service. The default configuration provides a full array of servers. Not all of them are required

on every system, and for security reasons you may want to disable non-essential services on some

computers. To disable a service, place a # at the beginning of its entry (which turns the line into a

comment) and pass a hang-up signal to the inetd server. When inetd receives a hang-up signal, it re-reads

the configuration file and the new configuration takes effect immediately.

You may also need to add new services. We'll see some examples of that in later chapters. Let's look in

detail at an example of restoring a service that has been previously disabled. We'll begin by looking at the

contents of an /etc/inetd.conf file:

# @(#)inetd.conf 1.17 88/02/07 SMI

ftp

stream tcp nowait root /usr/sbin/in.ftpd

in.ftpd

telnet stream tcp nowait root /usr/sbin/in.telnetd in.telnetd

shell

stream tcp nowait root /usr/sbin/in.rshd

in.rshd

login

stream tcp nowait root /usr/sbin/in.rlogind in.rlogind

exec

stream tcp nowait root /usr/sbin/in.rexecd in.rexecd

finger stream tcp nowait root /usr/sbin/in.fingerd in.fingerd

#tftp dgram udp wait root /usr/sbin/in.tftpd in.tftpd -s /tftpboot

comsat dgram

udp wait

root /usr/sbin/in.comsat in.comsat

talk

dgram

udp wait

root /usr/sbin/in.talkd

in.talkd

name

dgram

udp wait

root /usr/sbin/in.tnamed in.tnamed

daytime stream tcp nowait root

internal

time

stream tcp nowait root

internal

echo

dgram

udp wait

root

internal

discard dgram

udp wait

root

internal

time

dgram

udp wait

root

internal

This part of the file shows several standard TCP/IP services. One of these, tftp, is commented out. The

TFTP protocol is a special version of FTP that allows file transfers without username/password

verification. Because of this, it is a possible security hole and is often disabled in the inetd.conf file.

As an example of modifying the inetd.conf file, we'll reconfigure the system to provide tftp service,

which is sometimes necessary for supporting diskless devices. First, use your favorite editor to remove

the comment (#) from the tftp entry in inetd.conf. (The example uses sed, everyone's favorite editor!)

Then find out the process ID for inetd and pass it the SIGHUP signal. The following steps show how this

is done on peanut:

#

#

#

#



cd /etc

mv inetd.conf inetd.conf.org

cat inetd.conf.org | sed s/#tftp/tftp/ > inetd.conf

ps -acx | grep inetd



file:///C|/mynapster/Downloads/warez/tcpip/ch05_04.htm (3 of 4) [2001-10-15 09:17:53]



[Chapter 5] 5.4 The Internet Daemon



144 ? I

0:12 inetd

# kill -HUP 144

In some situations, you may also need to modify the pathname of a server or the arguments passed to a

particular server when it is invoked. For example, look again at the tftp entry. This line contains

command-line arguments that are passed to the tftp server when it is started. The -s /tftpboot option

addresses the most obvious tftp security hole. It prevents tftp users from retrieving files that are not

located in the directory specified after the -s option. If you want to use another directory for tftp, you

must change the inetd.conf file. The only command-line arguments passed to servers started by inetd are

those defined in the inetd.conf file.

Security is one of the most important reasons for modifying the inetd.conf file. inetd.conf is used to

implement access control through the wrapper program tcpd. The wrapper program replaces the server

program in the server field of the inetd.conf entry. Then when inetd hears a connection request on the

port, it starts tcpd instead of the application server. tcpd can then enforce extra security before it starts

the application server. How to use the wrapper program for access control is covered in Chapter 12.



Previous: 5.3 The BSD

Kernel Configuration File

5.3 The BSD Kernel

Configuration File



TCP/IP Network

Administration

Book Index



Next: 5.5 Summary

5.5 Summary



[ Library Home | DNS & BIND | TCP/IP | sendmail | sendmail Reference | Firewalls | Practical Security ]



file:///C|/mynapster/Downloads/warez/tcpip/ch05_04.htm (4 of 4) [2001-10-15 09:17:53]



[Chapter 5] 5.3 The BSD Kernel Configuration File



Previous: 5.2 Linux Kernel

Configuration



Chapter 5

Basic Configuration



Next: 5.4 The Internet

Daemon



5.3 The BSD Kernel Configuration File

The BSD UNIX kernel is a C program compiled and installed by make. The config command reads the

kernel configuration file and generates the files (including the Makefile) needed to compile and link the

kernel. On FreeBSD systems, the kernel configuration file is located in the directory /usr/src/sys/i386/conf.

[5]

[5] /usr/src/sys is symbolically linked to /sys. We use /usr/src/sys only as an example. Your

system may use another directory.

A large kernel configuration file named GENERIC is delivered with the FreeBSD system. The GENERIC

kernel file configures all of the standard devices for your system - including everything necessary for

TCP/IP. No modifications are necessary for the GENERIC kernel to run basic TCP/IP services. The reasons

for modifying the BSD kernel are the same as those discussed for the Linux kernel: to make a smaller, more

efficient kernel, or to add new features.

There is no standard name for a BSD kernel configuration file. When you create a configuration file, choose

any name you wish. By convention, BSD kernel configuration filenames use uppercase letters. To create a

new configuration, copy GENERIC to the new file and then edit the newly created file. The following

creates a new configuration file called FILBERT:

# cd /usr/src/sys/i386/conf

# cp GENERIC FILBERT

If the kernel has been modified on your system, the system administrator will have created a new

configuration file in the /usr/src/sys/i386/conf directory. The kernel configuration file contains many

configuration commands that cover all aspects of the system configuration. This text discusses only those

parameters that directly affect TCP/IP configuration. See the documentation that comes with the FreeBSD

system for information about the other configuration commands.



5.3.1 TCP/IP in the BSD Kernel

For a network administrator, it is more important to understand which kernel statements are necessary to

configure TCP/IP than to understand the detailed structure of each statement. Three types of statements are

used to configure TCP/IP in the BSD kernel: options, pseudo-device, and device statements.

5.3.1.1 Options

file:///C|/mynapster/Downloads/warez/tcpip/ch05_03.htm (1 of 6) [2001-10-15 09:17:54]



[Chapter 5] 5.3 The BSD Kernel Configuration File



The options statement tells the kernel to compile a software option into the system. The options statement

that is most important to TCP/IP is:

options INET



# basic networking support--mandatory



Every BSD-based system running TCP/IP has an options INET statement in its kernel configuration file.

The statement produces a -DINET argument for the C complier, which in turn causes the IP, ICMP, TCP,

UDP, and ARP modules to be compiled into the kernel. This single statement incorporates the basic

transport and IP datagram services into the system. Never remove this statement from the configuration file.

There are several other options statements in addition to the required INET option. Some of these perform

functions identical to features we have already seen in the Linux configuration. A few have no direct

parallels in the Linux configuration.

options GATEWAY



# internetwork gateway



The GATEWAY option determines whether the system forwards IP datagrams destined for another

computer. When this option is selected, the system forwards datagrams if it has more than one network

interface; i.e., the system is assumed to be a gateway. You don't need GATEWAY on a system with a single

network interface. Hosts - systems with one network interface - do not forward the packets of other systems,

because this would hide configuration problems on other systems on the network. If the other systems are

incorrectly delivering datagrams to a host, forwarding the datagrams makes it appear as if they were

correctly addressed and makes it difficult to detect the real problem. On occasion, you might even want to

force a system that has multiple network interfaces not to forward datagrams by commenting options

GATEWAY out of your configuration. This is useful for preventing a multi-homed host (a host with two

network interfaces) from acting as a gateway.

options IPFIREWALL



# firewall



The IPFIREWALL option prepares the system to act as a firewall. The full firewall implementation requires

application software and other tools. However, certain functions of a firewall, such as address filtering, must

be implemented in the kernel. This option requests those kernel-level services. A variant of this option is

IPFIREWALL_VERBOSE, which enables the same basic kernel services with enhanced error reporting.

The enhanced errors can be useful for detecting intrusions, but they increase the size of the kernel.

options MROUTING



# Multicast routing



The MROUTING option adds multicast routing support to the kernel. A multicast kernel is necessary for the

system to be able to interpret multicast addresses and for the system to support multicast applications like

MBONE and Internet Talk Radio.

options IPACCT



# ipaccounting



The IPACCT option adds additional code and counters that keep track of network usage, which is helpful for

billing purposes.

options ARP_PROXYALL



# global proxy ARP



file:///C|/mynapster/Downloads/warez/tcpip/ch05_03.htm (2 of 6) [2001-10-15 09:17:54]