svn commit: r43707 - in head/en_US.ISO8859-1/books/handbook: install network-servers
Dru Lavigne
dru at FreeBSD.org
Fri Jan 31 17:03:24 UTC 2014
Author: dru
Date: Fri Jan 31 17:03:23 2014
New Revision: 43707
URL: http://svnweb.freebsd.org/changeset/doc/43707
Log:
Finish up this section.
Some additional shuffling to improve the flow. Fix reference in another chapter.
This section should be much clearer now.
Sponsored by: iXsystems
Modified:
head/en_US.ISO8859-1/books/handbook/install/chapter.xml
head/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml
Modified: head/en_US.ISO8859-1/books/handbook/install/chapter.xml
==============================================================================
--- head/en_US.ISO8859-1/books/handbook/install/chapter.xml Fri Jan 31 15:30:54 2014 (r43706)
+++ head/en_US.ISO8859-1/books/handbook/install/chapter.xml Fri Jan 31 17:03:23 2014 (r43707)
@@ -2604,7 +2604,7 @@ Do you want to configure inetd and the n
will not be enabled. These services can be enabled after
installation by editing
<filename>/etc/inetd.conf</filename> with a text editor.
- See <xref linkend="network-inetd-overview"/> for more information.</para>
+ See <xref linkend="network-inetd-conf"/> for more information.</para>
<para>Otherwise, select &gui.yes; to
configure these services during install. An additional
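Review bot: the retargeted xref to `network-inetd-conf` is the right anchor for an installer hint about editing /etc/inetd.conf, but since the `network-inetd-overview` sect2 is deleted in the same commit, grep the whole doc tree for any other `linkend="network-inetd-overview"` before committing; one dangling xref is enough to fail the build.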
Modified: head/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml
==============================================================================
--- head/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml Fri Jan 31 15:30:54 2014 (r43706)
+++ head/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml Fri Jan 31 17:03:23 2014 (r43707)
@@ -113,6 +113,9 @@
</sect1>
<sect1 xml:id="network-inetd">
+ <title>The <application>inetd</application>
+ Super-Server</title>
+
<!--
<sect1info>
<authorgroup>
@@ -130,12 +133,7 @@
</authorgroup>
</sect1info>
-->
-
- <title>The <application>inetd</application>
- Super-Server</title>
-
- <sect2 xml:id="network-inetd-overview">
-
+
<para>The &man.inetd.8; daemon is sometimes referred to as a
Super-Server because it manages
connections for many services. Instead of starting multiple
@@ -151,13 +149,15 @@
<para>Primarily, <application>inetd</application> is used to
spawn other daemons, but several trivial protocols are handled
- directly, such as <application>chargen</application>,
- <application>auth</application>, and
+ internally, such as <application>chargen</application>,
+ <application>auth</application>,
+ <application>time</application>,
+ <application>echo</application>,
+ <application>discard</application>, and
<application>daytime</application>.</para>
<para>This section covers the basics of configuring
<application>inetd</application>.</para>
- </sect2>
<sect2 xml:id="network-inetd-conf">
<title>Configuration File</title>
@@ -182,13 +182,24 @@
the service you configured, type:</para>
<screen>&prompt.root; <userinput>service inetd start</userinput></screen>
-
+
+ <para>Once <application>inetd</application> is started, it needs
+ to be notified whenever a modification is made to
+ <filename>/etc/inetd.conf</filename>:</para>
+
+ <example xml:id="network-inetd-reread">
+ <title>Reloading the <application>inetd</application>
+ Configuration File</title>
+
+ <screen>&prompt.root; <userinput>service inetd reload</userinput></screen>
+ </example>
+
<para>Typically, the default entry for an application does not
need to be edited beyond removing the <literal>#</literal>.
In some situations, it may be appropriate to edit the default
entry.</para>
- <para>As an example, this is the default entry for &man.ftpd.8; using IPv4:</para>
+ <para>As an example, this is the default entry for &man.ftpd.8; over IPv4:</para>
<programlisting>ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l</programlisting>
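Review bot: "it needs to be notified whenever a modification is made" is indirect about what the reader must do; the added paragraph reads better as an instruction, e.g. "After editing /etc/inetd.conf, tell inetd to reread its configuration:" followed by the moved example. The example's `xml:id="network-inetd-reread"` is fine here since the later hunk removes the original copy, so no duplicate id results.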
@@ -209,13 +220,13 @@ server-program-arguments</programlisting
<term>service-name</term>
<listitem>
- <para>This is the service name of the particular daemon.
+ <para>The service name of the daemon to start.
It must correspond to a service listed in
<filename>/etc/services</filename>. This determines
- which port <application>inetd</application> must listen
- to. If a new service is being created, it must be
- placed in <filename>/etc/services</filename>
- first.</para>
+ which port <application>inetd</application> listens on
+ for incoming connections to that service.
+ When using a custom service, it must first be
+ added to <filename>/etc/services</filename>.</para>
</listitem>
</varlistentry>
@@ -225,10 +236,10 @@ server-program-arguments</programlisting
<listitem>
<para>Either <literal>stream</literal>,
<literal>dgram</literal>, <literal>raw</literal>, or
- <literal>seqpacket</literal>. <literal>stream</literal>
- must be used for connection-based, TCP daemons, while
- <literal>dgram</literal> is used for daemons utilizing
- the <acronym>UDP</acronym> transport protocol.</para>
+ <literal>seqpacket</literal>. Use <literal>stream</literal>
+ for TCP connections and
+ <literal>dgram</literal> for
+ <acronym>UDP</acronym> services.</para>
</listitem>
</varlistentry>
@@ -236,25 +247,25 @@ server-program-arguments</programlisting
<term>protocol</term>
<listitem>
- <para>One of the following:</para>
+ <para>Use one of the following protocol names:</para>
<informaltable frame="none" pgwide="1">
<tgroup cols="2">
<thead>
<row>
- <entry>Protocol</entry>
+ <entry>Protocol Name</entry>
<entry>Explanation</entry>
</row>
</thead>
<tbody>
<row>
- <entry>tcp, tcp4</entry>
+ <entry>tcp or tcp4</entry>
<entry>TCP IPv4</entry>
</row>
<row>
- <entry>udp, udp4</entry>
+ <entry>udp or udp4</entry>
<entry><acronym>UDP</acronym> IPv4</entry>
</row>
@@ -270,12 +281,12 @@ server-program-arguments</programlisting
<row>
<entry>tcp46</entry>
- <entry>Both TCP IPv4 and v6</entry>
+ <entry>Both TCP IPv4 and IPv6</entry>
</row>
<row>
<entry>udp46</entry>
- <entry>Both <acronym>UDP</acronym> IPv4 and v6</entry>
+ <entry>Both <acronym>UDP</acronym> IPv4 and IPv6</entry>
</row>
</tbody>
</tgroup>
@@ -287,11 +298,17 @@ server-program-arguments</programlisting
<term>{wait|nowait}[/max-child[/max-connections-per-ip-per-minute[/max-child-per-ip]]]</term>
<listitem>
- <para><option>wait|nowait</option> indicates whether the
- daemon invoked from <application>inetd</application> is
- able to handle its own socket or not.
+ <para>In this field, <option>wait</option> or
+ <option>nowait</option> must be specified.
+ <option>max-child</option>,
+ <option>max-connections-per-ip-per-minute</option> and
+ <option>max-child-per-ip</option> are optional.</para>
+
+ <para><option>wait|nowait</option> indicates whether or not the
+ service is
+ able to handle its own socket.
<option>dgram</option> socket types must use the
- <option>wait</option> option, while stream socket
+ <option>wait</option> option while <option>stream</option>
daemons, which are usually multi-threaded, should use
<option>nowait</option>. <option>wait</option> usually
hands off multiple sockets to a single daemon, while
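Review bot: markup inconsistency in the changed line: `<option>stream</option>` here, but the socket-type entry above marks the same value as `<literal>stream</literal>`. The socket types are field values, not command options, so `<literal>` is the right element (the unchanged `<option>dgram</option>` on the line above has the same problem and could be fixed while touching this hunk).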
@@ -299,60 +316,32 @@ server-program-arguments</programlisting
new socket.</para>
<para>The maximum number of child daemons
- <application>inetd</application> may spawn can be set
- using the <option>max-child</option> option. If a limit
- of ten instances of a particular daemon is needed, a
- <literal>/10</literal> would be placed after
+ <application>inetd</application> may spawn is set by
+ <option>max-child</option>. For example, to limit
+ ten instances of the daemon, place a
+ <literal>/10</literal> after
<option>nowait</option>. Specifying
<literal>/0</literal> allows an unlimited number of
- children</para>
+ children.</para>
- <para>In addition to <option>max-child</option>, two other
- options which limit the maximum connections from a
- single place to a particular daemon can be enabled.
- <option>max-connections-per-ip-per-minute</option>
+ <para><option>max-connections-per-ip-per-minute</option>
limits the number of connections from any particular
- <acronym>IP</acronym> address per minutes, e.g., a value
- of ten would limit any particular <acronym>IP</acronym>
- address connecting to a particular service to ten
- attempts per minute. <option>max-child-per-ip</option>
- limits the number of children that can be started on
+ <acronym>IP</acronym> address per minute. Once the limit
+ is reached, further connections from this IP address
+ will be dropped until the end of the minute. For example, a value
+ of <literal>/10</literal> would limit any particular <acronym>IP</acronym>
+ address to ten
+ connection attempts per minute. <option>max-child-per-ip</option>
+ limits the number of child processes that can be started on
behalf on any single <acronym>IP</acronym> address at
- any moment. These options are useful to prevent
- intentional or unintentional excessive resource
- consumption and Denial of Service (DoS) attacks to a
- machine.</para>
+ any moment. These options can limit
+ excessive resource
+ consumption and help to prevent Denial of Service attacks.</para>
- <para>In this field, either of <option>wait</option> or
- <option>nowait</option> is mandatory.
- <option>max-child</option>,
- <option>max-connections-per-ip-per-minute</option> and
- <option>max-child-per-ip</option> are optional.</para>
+ <para>An example can be seen in the default
+ settings for &man.fingerd.8;:</para>
- <para>A stream-type multi-threaded daemon without any
- <option>max-child</option>,
- <option>max-connections-per-ip-per-minute</option> or
- <option>max-child-per-ip</option> limits would simply
- be: <literal>nowait</literal>.</para>
-
- <para>The same daemon with a maximum limit of ten daemons
- would read: <literal>nowait/10</literal>.</para>
-
- <para>The same setup with a limit of twenty connections
- per <acronym>IP</acronym> address per minute and a
- maximum total limit of ten child daemons would read:
- <literal>nowait/10/20</literal>.</para>
-
- <para>These options are utilized by the default
- settings of the &man.fingerd.8; daemon,
- as seen here:</para>
-
- <programlisting>finger stream tcp nowait/3/10 nobody /usr/libexec/fingerd fingerd -s</programlisting>
-
- <para>Finally, an example of this field with a maximum of
- 100 children in total, with a maximum of 5 for any one
- <acronym>IP</acronym> address would read:
- <literal>nowait/100/0/5</literal>.</para>
+ <programlisting>finger stream tcp nowait/3/10 nobody /usr/libexec/fingerd fingerd -k -s</programlisting>
</listitem>
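Review bot: the replacement example changes `fingerd -s` to `fingerd -k -s`, a content change the log message does not mention; confirm it matches the entry actually shipped in /etc/inetd.conf, otherwise keep the old line. Dropping the `nowait/100/0/5` example also removes the only place that showed an unused middle field written as `/0`; the remaining `nowait/3/10` sets only max-child and max-connections-per-ip-per-minute, so a reader can no longer learn how to set max-child-per-ip on its own. One sentence would cover it: "To set max-child-per-ip without a per-minute limit, write the unused field as /0, as in nowait/100/0/5." Wording: "to limit ten instances of the daemon" should be "to limit the daemon to ten instances". Drive-by on the unchanged context line: "on behalf on any single IP address" should read "on behalf of".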
</varlistentry>
@@ -360,12 +349,11 @@ server-program-arguments</programlisting
<term>user</term>
<listitem>
- <para>This is the username that the particular daemon
- should run as. Most commonly, daemons run as the
- <systemitem class="username">root</systemitem> user. For security purposes,
- it is common to find some servers running as the
- <systemitem class="username">daemon</systemitem> user, or the least
- privileged <systemitem class="username">nobody</systemitem> user.</para>
+ <para>The username the daemon
+ will run as. Daemons typically run as
+ <systemitem class="username">root</systemitem>,
+ <systemitem class="username">daemon</systemitem>, or
+ <systemitem class="username">nobody</systemitem>.</para>
</listitem>
</varlistentry>
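Review bot: the rewrite loses the security rationale the old text carried, namely that `daemon` and the least privileged `nobody` are used in preference to `root` where the daemon allows it. Listing `root`, `daemon`, or `nobody` as three equal choices gives the reader no reason to pick the unprivileged one; suggest keeping a clause such as "where the daemon does not require root, use the least privileged account it can run as".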
@@ -373,11 +361,10 @@ server-program-arguments</programlisting
<term>server-program</term>
<listitem>
- <para>The full path of the daemon to be executed when a
- connection is received. If the daemon is a service
+ <para>The full path to the daemon.
+ If the daemon is a service
provided by <application>inetd</application> internally,
- then <option>internal</option> should be
- used.</para>
+ use <option>internal</option>.</para>
</listitem>
</varlistentry>
@@ -385,58 +372,36 @@ server-program-arguments</programlisting
<term>server-program-arguments</term>
<listitem>
- <para>This works in conjunction with
- <option>server-program</option> by specifying the
- arguments, starting with <literal>argv[0]</literal>,
+ <para>Used to
+ specify any command
+ arguments to be
passed to the daemon on invocation. If
- <command>mydaemon -d</command> is the command line,
- <literal>mydaemon -d</literal> would be the value of
- <option>server-program-arguments</option>. Again, if
the daemon is an internal service, use
- <option>internal</option> here.</para>
+ <option>internal</option>.</para>
</listitem>
</varlistentry>
</variablelist>
-
- <para>When a modification is made to
- <filename>/etc/inetd.conf</filename>,
- <application>inetd</application> can be forced to re-read its
- configuration file by running the command:</para>
-
- <example xml:id="network-inetd-reread">
- <title>Reloading the <application>inetd</application>
- Configuration File</title>
-
- <screen>&prompt.root; <userinput>service inetd reload</userinput></screen>
- </example>
</sect2>
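Review bot: the new server-program-arguments text drops the `argv[0]` point, which is the reason the examples on this page repeat the program name (`ftpd -l`, `fingerd -k -s`) instead of giving only the flags; without it a reader cannot tell whether to write `-l` or `ftpd -l` in this field. Suggest restoring one sentence: "The first word is the daemon's own name (argv[0]), followed by any arguments, as in ftpd -l."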
<sect2 xml:id="network-inetd-cmdline">
<title>Command-Line Options</title>
- <para>Additionally, different command-line options can be passed
- to <application>inetd</application> via the
- <literal>inetd_flags</literal> option.</para>
<para>Like most server daemons, <application>inetd</application>
- has a number of options that it can be passed in order to
- modify its behaviour. Refer to &man.inetd.8; for
- the full list of options.</para>
+ has a number of options that can be used to
+ modify its behaviour. By default,
+ <application>inetd</application> is started with
+ <literal>-wW -C 60</literal>. These options enable TCP wrappers for
+ all services, including internal services, and prevent any
+ <acronym>IP</acronym> address from requesting any
+ service more than 60 times per minute.</para>
+
+ <para>To change the default options which are passed to <application>inetd</application>,
+ add an entry for <literal>inetd_flags</literal> in
+ <filename>/etc/rc.conf</filename>. If
+ <application>inetd</application> is already running, restart
+ it with <command>service inetd restart</command>.</para>
- <para>Options can be passed to <application>inetd</application>
- using the <literal>inetd_flags</literal> option in
- <filename>/etc/rc.conf</filename>. By default,
- <literal>inetd_flags</literal> is set to
- <literal>-wW -C 60</literal>, which turns on TCP wrapping for
- <application>inetd</application>'s services, and prevents any
- single <acronym>IP</acronym> address from requesting any
- service more than 60 times in any given minute.</para>
-
- <para>Although we mention rate-limiting options below, novice
- users may be pleased to note that these parameters usually do
- not need to be modified. These options may be useful if
- an excessive amount of connections are being established.
- A full list of options can be found in
- &man.inetd.8;.</para>
+ <para>The available rate limiting options are:</para>
<variablelist>
<varlistentry>
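Review bot: the new paragraph says to "add an entry for inetd_flags" in /etc/rc.conf but no longer shows the syntax or the default value in that context, both of which the removed paragraph had. Suggest one example line, `inetd_flags="-wW -C 60"`, so the reader can see that the per-minute limit is changed by editing the 60 and that dropping `-wW` disables TCP wrappers; otherwise "change the default options" gives nothing to copy.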
@@ -444,9 +409,9 @@ server-program-arguments</programlisting
<listitem>
<para>Specify the default maximum number of simultaneous
- invocations of each service; the default is unlimited.
- May be overridden on a per-service basis with the
- <option>max-child</option> parameter.</para>
+ invocations of each service, where the default is unlimited.
+ May be overridden on a per-service basis by using
+ <option>max-child</option> in <filename>/etc/inetd.conf</filename>.</para>
</listitem>
</varlistentry>
@@ -456,11 +421,10 @@ server-program-arguments</programlisting
<listitem>
<para>Specify the default maximum number of times a
service can be invoked from a single
- <acronym>IP</acronym> address in one minute; the default
- is unlimited. May be overridden on a per-service basis
- with the
- <option>max-connections-per-ip-per-minute</option>
- parameter.</para>
+ <acronym>IP</acronym> address per minute. May be overridden on a per-service basis
+ by using
+ <option>max-connections-per-ip-per-minute</option> in
+ <filename>/etc/inetd.conf</filename>.</para>
</listitem>
</varlistentry>
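Review bot: the rewritten `-C` entry lost "the default is unlimited" while the sibling entries for `-c`, `-R` and `-s` still state their defaults; restore it for consistency. It also matters here more than elsewhere: the section above says rc.conf passes `-C 60` by default, so the reader needs to see that 60 per minute is the rc.conf default and unlimited is inetd's own.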
@@ -469,8 +433,8 @@ server-program-arguments</programlisting
<listitem>
<para>Specify the maximum number of times a service can be
- invoked in one minute; the default is 256. A rate of 0
- allows an unlimited number of invocations.</para>
+ invoked in one minute, where the default is <literal>256</literal>. A rate of <literal>0</literal>
+ allows an unlimited number.</para>
</listitem>
</varlistentry>
@@ -480,63 +444,37 @@ server-program-arguments</programlisting
<listitem>
<para>Specify the maximum number of times a service can be
invoked from a single <acronym>IP</acronym> address at
- any one time; the default is unlimited. May be
- overridden on a per-service basis with the
- <option>max-child-per-ip</option> parameter.</para>
+ any one time, where the default is unlimited. May be
+ overridden on a per-service basis by using
+ <option>max-child-per-ip</option> in <filename>/etc/inetd.conf</filename>.</para>
</listitem>
</varlistentry>
</variablelist>
+
+ <para>Additional options are available. Refer to &man.inetd.8; for
+ the full list of options.</para>
</sect2>
<sect2 xml:id="network-inetd-security">
- <title>Security</title>
+ <title>Security Considerations</title>
- <para>Depending on the choices made at install time, many
- of <application>inetd</application>'s services may be enabled
- by default. If there is no apparent need for a particular
- daemon, consider disabling it. Place a <quote>#</quote> in
- front of the daemon in question in
- <filename>/etc/inetd.conf</filename>, and then
- <link linkend="network-inetd-reread">reload the
- inetd configuration</link>. Some daemons, such as
- <application>fingerd</application>, may not be desired at all
- because they provide information that may be useful to an
- attacker.</para>
-
- <para>Some daemons are not security-conscious and have long or
- non-existent timeouts for connection attempts. An attacker
- can send connections to a particular daemon, eventually
- consuming available resources and resulting in a Denial of
- Service (<acronym>DoS</acronym>).
+ <para>Many of the daemons which can be managed by
+ <application>inetd</application> are not security-conscious.
+ Some daemons, such as
+ <application>fingerd</application>, can
+ provide information that may be useful to an
+ attacker. Only enable the services which are needed and
+ monitor the system for excessive connection attempts.
<literal>max-connections-per-ip-per-minute</literal>,
<literal>max-child</literal> and
<literal>max-child-per-ip</literal> can be used to limit such
attacks.</para>
- <para>By default, TCP wrapping is turned on. Consult
+ <para>By default, TCP wrappers is enabled. Consult
&man.hosts.access.5; for more information on
placing TCP restrictions on various
<application>inetd</application> invoked daemons.</para>
</sect2>
-
- <sect2 xml:id="network-inetd-misc">
- <title>Miscellaneous</title>
-
- <para><application>daytime</application>,
- <application>time</application>,
- <application>echo</application>,
- <application>discard</application>,
- <application>chargen</application>, and
- <application>auth</application> are all internally provided
- services of <application>inetd</application>.</para>
-
- <para>The <application>auth</application> service provides
- identity network services, and is configurable to a certain
- degree, whilst the others are simply on or off.</para>
-
- <para>Consult &man.inetd.8; for more in-depth
- information.</para>
- </sect2>
</sect1>
<sect1 xml:id="network-nfs">
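Review bot: the new security paragraph tells the reader to "Only enable the services which are needed" but no longer says how; the removed sentence (place a `#` in front of the entry in /etc/inetd.conf, then reload) and its `<link linkend="network-inetd-reread">` were the actionable step, and nothing replaces them. The removed explanation that some daemons have long or non-existent connection timeouts was also the stated rationale for the `max-*` limits; "monitor the system for excessive connection attempts" now stands without a mechanism or reason. Suggest keeping both sentences. Separately, the deleted Miscellaneous sect2 held the only statement that `auth` is configurable while the other internal services are simply on or off; check that fact survives somewhere in the chapter.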