Inetd and a service listening only on localhost

Karol Kwiatkowski freebsd at orchid.homeunix.org
Fri May 6 05:09:33 PDT 2005


cpghost wrote:
> Karol Kwiatkowski wrote:
> 
>> I've never used inetd and I'm not sure what will happen if a
>> connection is made from outside to a service which is configured to
>> listen only on localhost.
>>  
>>
> When you use inetd, the spawned process gets its data from stdin,
> not from a socket. It is irrelevant that the spawned program listens
> on localhost (in addition to stdin). It's the stdin path of that program
> that you should watch when using inetd.

Ah, that's what I was missing. I guess I was mixing apples and
oranges. Now that I know that, I looked at the source and (surprise!)
in inetd mode popa3d daemon doesn't even try to open the port, just
opens a pipe. Thanks!

It's clear to me now it's inetd which must be controlled. The -a
option looks best even if this means running two inetd instances as
Giorgos explained in other email.

The main reason I asked was 'what if someone sets popa3d port to
compile in inetd mode with localhost-only option enabled?' and I was
worried about TCP connection not being able to reach a service (which
is not supposed to do that in the first place).

As for the port I think patching the source in such case doesn't make
any sense (the patch would be applied but that part of the code is never
used) so I guess an appropriate message will be best.

> Of course, you could use TCP Wrappers in inetd. Or check out inetd's -a
> flag to bind inetd only to localhost (but check with sockstat -l that inetd
> REALLY honors this flag!). Setting -a for inetd is a global change though
> that affects everything that you start through inetd!
>
> But why won't you use a firewall like pf or ipfw to protect the service in
> the first place? Just do this in addition to TCP Wrapper's
> hosts_access(5) and
> inetd's "-a 127.0.0.1" setting. It's better to be safe than sorry :-)
> 
>> Is it possible to run a service listening only on localhost with inetd?
>> How to configure inetd in such case (an entry in /etc/hosts.allow?)
>> or should I disable such configuration?
>>  
>>
> If you want to set the -a flag to bind inetd to localhost only, override
> inetd_flag in
> /etc/rc.conf (from the value it has in /etc/defaults/rc.conf), then
> restart inetd.

Yes, all that sounds reasonable now.

Thanks cpghost and all who replied!


Regards,

Karol

-- 
Karol Kwiatkowski  <freebsd at orchid dot homeunix dot org>
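The thread advises checking with `sockstat -l` that inetd really honors `-a 127.0.0.1`. The script below is an added example, not code from the thread or from FreeBSD; it parses sockstat-style output and reports any inetd listener not bound to a loopback address. The sample output and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify that every socket inetd listens on is bound to a
# loopback address. The sample below is CONSTRUCTED to look like FreeBSD
# `sockstat -l` output (USER COMMAND PID FD PROTO LOCAL FOREIGN); it is not
# captured from a real host.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     inetd      512   5  tcp4   127.0.0.1:110         *:*
root     inetd      512   6  tcp4   *:21                  *:*
root     inetd      512   7  tcp6   ::1:110               *:*
root     sshd       488   4  tcp4   *:22                  *:*'

# Reads sockstat output on stdin and prints "COMMAND PROTO LOCAL" for each
# inetd listener whose local address is NOT 127.0.0.1 or ::1.
# Field 6 is the local address; sockstat prints "host:port" as one token.
non_loopback_inetd_listeners() {
    awk 'NR > 1 && $2 == "inetd" {
        addr = $6
        sub(/:[^:]*$/, "", addr)   # strip the trailing :port
        if (addr != "127.0.0.1" && addr != "::1") print $2, $5, $6
    }'
}

# Returns 0 when inetd listens only on loopback, 1 otherwise.
inetd_is_loopback_only() {
    [ -z "$(printf '%s\n' "$1" | non_loopback_inetd_listeners)" ]
}

# On a live FreeBSD host you would feed real output instead:
#   sockstat -l | non_loopback_inetd_listeners
if inetd_is_loopback_only "$SAMPLE_SOCKSTAT"; then
    echo "inetd is bound to loopback only"
else
    echo "inetd has non-loopback listeners:"
    printf '%s\n' "$SAMPLE_SOCKSTAT" | non_loopback_inetd_listeners
fi
```

With the constructed sample the check reports the ftp listener on `*:21`, which is exactly the kind of exposure a global `-a 127.0.0.1` setting is meant to rule out.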