[Chapter 5] 5.4 The Internet Daemon
are:
stream
The stream delivery service provided by TCP; i.e., TCP byte stream.[9]
[9] Here the reference is to TCP/IP sockets and TCP streams - not to AT&T streams
I/O or BSD socket I/O.
dgram
The packet (datagram) delivery service provided by UDP
raw
Direct IP datagram service
The sample shows that FTP uses a stream socket.
protocol
This is the name of a protocol, as given in the /etc/protocols file. Its value is usually either "tcp" or
"udp." The FTP protocol uses TCP as its transport layer protocol, so the sample entry contains tcp in
this field.
wait-status
The value for this field is either "wait" or "nowait." Generally, but not always, datagram type
servers require "wait," and stream type servers allow "nowait." If the status is "wait," inetd must wait for
the server to release the socket before it begins to listen for more requests on that socket. If the status is
"nowait," inetd can immediately begin to listen for more connection requests on the socket. Servers with
"nowait" status use sockets other than the connection request socket for processing; i.e., they use
dynamically allocated sockets.
uid
The uid is the username under which the server runs. This can be any valid username, but it is
normally root. There are two common exceptions. The finger service often runs as the user nobody or
daemon for security reasons, and the uucp service is sometimes run as the user uucp to save space in the
system's accounting files.
server
This is the full pathname of the server program started by inetd. Because our example is from a
Solaris system, the path is /usr/sbin/in.ftpd. On your system the path may be different. It is more efficient
for inetd to provide some small services directly than it is for inetd to start separate servers for these
functions. For these small services, the value of the server field is the keyword "internal," which means
that this service is an internal inetd service.
arguments
These are any command-line arguments that should be passed to the server program when it is
invoked. This list always starts with argv[0] (the name of the program being executed). The program's
manpage documents the valid command-line arguments for each program. In the example only
in.ftpd, the server's name, is provided.
There are a few situations in which you need to modify the inetd.conf file. For example, you may wish to
disable a service. The default configuration provides a full array of servers. Not all of them are required
on every system, and for security reasons you may want to disable non-essential services on some
computers. To disable a service, place a # at the beginning of its entry (which turns the line into a
comment) and pass a hang-up signal to the inetd server. When inetd receives a hang-up signal, it re-reads
the configuration file and the new configuration takes effect immediately.
You may also need to add new services. We'll see some examples of that in later chapters. Let's look in
detail at an example of restoring a service that has been previously disabled. We'll begin by looking at the
contents of an /etc/inetd.conf file:
# @(#)inetd.conf 1.17 88/02/07 SMI
ftp     stream  tcp  nowait  root  /usr/sbin/in.ftpd      in.ftpd
telnet  stream  tcp  nowait  root  /usr/sbin/in.telnetd   in.telnetd
shell   stream  tcp  nowait  root  /usr/sbin/in.rshd      in.rshd
login   stream  tcp  nowait  root  /usr/sbin/in.rlogind   in.rlogind
exec    stream  tcp  nowait  root  /usr/sbin/in.rexecd    in.rexecd
finger  stream  tcp  nowait  root  /usr/sbin/in.fingerd   in.fingerd
#tftp   dgram   udp  wait    root  /usr/sbin/in.tftpd     in.tftpd -s /tftpboot
comsat  dgram   udp  wait    root  /usr/sbin/in.comsat    in.comsat
talk    dgram   udp  wait    root  /usr/sbin/in.talkd     in.talkd
name    dgram   udp  wait    root  /usr/sbin/in.tnamed    in.tnamed
daytime stream  tcp  nowait  root  internal
time    stream  tcp  nowait  root  internal
echo    dgram   udp  wait    root  internal
discard dgram   udp  wait    root  internal
time    dgram   udp  wait    root  internal
This part of the file shows several standard TCP/IP services. One of these, tftp, is commented out. The
TFTP protocol is a special version of FTP that allows file transfers without username/password
verification. Because of this, it is a possible security hole and is often disabled in the inetd.conf file.
As an example of modifying the inetd.conf file, we'll reconfigure the system to provide tftp service,
which is sometimes necessary for supporting diskless devices. First, use your favorite editor to remove
the comment (#) from the tftp entry in inetd.conf. (The example uses sed, everyone's favorite editor!)
Then find out the process ID for inetd and pass it the SIGHUP signal. The following steps show how this
is done on peanut:
# cd /etc
# mv inetd.conf inetd.conf.org
# cat inetd.conf.org | sed s/#tftp/tftp/ > inetd.conf
# ps -acx | grep inetd
  144 ?  I      0:12 inetd
# kill -HUP 144
In some situations, you may also need to modify the pathname of a server or the arguments passed to a
particular server when it is invoked. For example, look again at the tftp entry. This line contains
command-line arguments that are passed to the tftp server when it is started. The -s /tftpboot option
addresses the most obvious tftp security hole. It prevents tftp users from retrieving files that are not
located in the directory specified after the -s option. If you want to use another directory for tftp, you
must change the inetd.conf file. The only command-line arguments passed to servers started by inetd are
those defined in the inetd.conf file.
Security is one of the most important reasons for modifying the inetd.conf file. inetd.conf is used to
implement access control through the wrapper program tcpd. The wrapper program replaces the server
program in the server field of the inetd.conf entry. Then when inetd hears a connection request on the
port, it starts tcpd instead of the application server. tcpd can then enforce extra security before it starts
the application server. How to use the wrapper program for access control is covered in Chapter 12.
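The field rules described above (socket type, wait-status, uid, server, arguments), the -s /tftpboot argument and the tcpd wrapper can be turned into a quick audit of an inetd.conf file. The parser below is an added example, not code from the book; the configuration it reads is constructed to mirror the Solaris listing, and the finding rules are only the ones stated in this section.

```python
from dataclasses import dataclass
from typing import List

# Constructed sample in the inetd.conf layout described above: service,
# socket type, protocol, wait-status, uid, server, arguments (argv[0] first).
SAMPLE_INETD_CONF = """\
# @(#)inetd.conf 1.17 88/02/07 SMI
ftp     stream  tcp  nowait  root    /usr/sbin/in.ftpd     in.ftpd
finger  stream  tcp  nowait  nobody  /usr/sbin/in.fingerd  in.fingerd
#tftp   dgram   udp  wait    root    /usr/sbin/in.tftpd    in.tftpd -s /tftpboot
tftp    dgram   udp  wait    root    /usr/sbin/in.tftpd    in.tftpd
telnet  stream  tcp  nowait  root    /usr/sbin/tcpd        in.telnetd
daytime stream  tcp  nowait  root    internal
"""

@dataclass
class InetdEntry:
    service: str; socktype: str; protocol: str
    wait: str; uid: str; server: str
    args: List[str]; enabled: bool  # enabled is False when the line is commented out

def parse_inetd_conf(text: str) -> List[InetdEntry]:
    """Parse every entry; commented-out entries are kept with enabled=False."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        enabled = not line.startswith("#")
        fields = line.lstrip("#").split()
        # A service entry has six fixed fields plus optional arguments; other
        # lines (such as the SCCS header comment) are ordinary comments.
        if len(fields) < 6 or fields[1] not in ("stream", "dgram", "raw"):
            continue
        entries.append(InetdEntry(*fields[:6], args=fields[6:], enabled=enabled))
    return entries

def audit(entries: List[InetdEntry]) -> List[str]:
    """Findings from the text: tftp without -s, root servers not wrapped by tcpd,
    and a wait-status that does not match the usual rule for the socket type."""
    findings = []
    for e in entries:
        if not e.enabled:
            continue
        if e.service == "tftp" and "-s" not in e.args:
            findings.append(f"{e.service}: no -s directory restriction")
        if e.uid == "root" and e.server != "internal" and not e.server.endswith("/tcpd"):
            findings.append(f"{e.service}: started as root without the tcpd wrapper")
        if (e.socktype == "dgram") != (e.wait == "wait"):
            findings.append(f"{e.service}: unusual wait-status '{e.wait}' for {e.socktype}")
    return findings
```

Running audit(parse_inetd_conf(SAMPLE_INETD_CONF)) reports the unwrapped ftp server and the enabled tftp entry that lost its -s /tftpboot restriction; the commented-out tftp line is parsed but not reported.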
TCP/IP Network Administration
[Chapter 5] 5.3 The BSD Kernel Configuration File
Chapter 5: Basic Configuration
5.3 The BSD Kernel Configuration File
The BSD UNIX kernel is a C program compiled and installed by make. The config command reads the
kernel configuration file and generates the files (including the Makefile) needed to compile and link the
kernel. On FreeBSD systems, the kernel configuration file is located in the directory /usr/src/sys/i386/conf.[5]
[5] /usr/src/sys is symbolically linked to /sys. We use /usr/src/sys only as an example. Your
system may use another directory.
A large kernel configuration file named GENERIC is delivered with the FreeBSD system. The GENERIC
kernel file configures all of the standard devices for your system - including everything necessary for
TCP/IP. No modifications are necessary for the GENERIC kernel to run basic TCP/IP services. The reasons
for modifying the BSD kernel are the same as those discussed for the Linux kernel: to make a smaller, more
efficient kernel, or to add new features.
There is no standard name for a BSD kernel configuration file. When you create a configuration file, choose
any name you wish. By convention, BSD kernel configuration filenames use uppercase letters. To create a
new configuration, copy GENERIC to the new file and then edit the newly created file. The following
creates a new configuration file called FILBERT:
# cd /usr/src/sys/i386/conf
# cp GENERIC FILBERT
If the kernel has been modified on your system, the system administrator will have created a new
configuration file in the /usr/src/sys/i386/conf directory. The kernel configuration file contains many
configuration commands that cover all aspects of the system configuration. This text discusses only those
parameters that directly affect TCP/IP configuration. See the documentation that comes with the FreeBSD
system for information about the other configuration commands.
5.3.1 TCP/IP in the BSD Kernel
For a network administrator, it is more important to understand which kernel statements are necessary to
configure TCP/IP than to understand the detailed structure of each statement. Three types of statements are
used to configure TCP/IP in the BSD kernel: options, pseudo-device, and device statements.
5.3.1.1 Options
The options statement tells the kernel to compile a software option into the system. The options statement
that is most important to TCP/IP is:
options INET            # basic networking support--mandatory
Every BSD-based system running TCP/IP has an options INET statement in its kernel configuration file.
The statement produces a -DINET argument for the C compiler, which in turn causes the IP, ICMP, TCP,
UDP, and ARP modules to be compiled into the kernel. This single statement incorporates the basic
transport and IP datagram services into the system. Never remove this statement from the configuration file.
There are several other options statements in addition to the required INET option. Some of these perform
functions identical to features we have already seen in the Linux configuration. A few have no direct
parallels in the Linux configuration.
options GATEWAY         # internetwork gateway
The GATEWAY option determines whether the system forwards IP datagrams destined for another
computer. When this option is selected, the system forwards datagrams if it has more than one network
interface; i.e., the system is assumed to be a gateway. You don't need GATEWAY on a system with a single
network interface. Hosts - systems with one network interface - do not forward the packets of other systems,
because this would hide configuration problems on other systems on the network. If the other systems are
incorrectly delivering datagrams to a host, forwarding the datagrams makes it appear as if they were
correctly addressed and makes it difficult to detect the real problem. On occasion, you might even want to
force a system that has multiple network interfaces not to forward datagrams by commenting options
GATEWAY out of your configuration. This is useful for preventing a multi-homed host (a host with two
network interfaces) from acting as a gateway.
options IPFIREWALL      # firewall
The IPFIREWALL option prepares the system to act as a firewall. The full firewall implementation requires
application software and other tools. However, certain functions of a firewall, such as address filtering, must
be implemented in the kernel. This option requests those kernel-level services. A variant of this option is
IPFIREWALL_VERBOSE, which enables the same basic kernel services with enhanced error reporting.
The enhanced errors can be useful for detecting intrusions, but they increase the size of the kernel.
options MROUTING        # Multicast routing
The MROUTING option adds multicast routing support to the kernel. A multicast kernel is necessary for the
system to be able to interpret multicast addresses and for the system to support multicast applications like
MBONE and Internet Talk Radio.
options IPACCT          # ipaccounting
The IPACCT option adds additional code and counters that keep track of network usage, which is helpful for
billing purposes.
options ARP_PROXYALL    # global proxy ARP