Date: Fri, 06 May 2005 14:09:17 +0200
From: Karol Kwiatkowski <freebsd@orchid.homeunix.org>
To: cpghost <cpghost@cordula.ws>
Cc: freebsd-questions@freebsd.org
Subject: Re: Inetd and a service listening only on localhost
Message-ID: <427B5E6D.3080001@orchid.homeunix.org>
In-Reply-To: <427ABB29.6000208@cordula.ws>
References: <427AADA0.6060701@orchid.homeunix.org> <427ABB29.6000208@cordula.ws>
cpghost wrote:
> Karol Kwiatkowski wrote:
>
>> I've never used inetd and I'm not sure what will happen if a
>> connection is made from outside to a service which is configured to
>> listen only on localhost.
>>
> When you use inetd, the spawned process gets its data from stdin,
> not from a socket. It is irrelevant that the spawned program listens
> on localhost (in addition to stdin). It's the stdin path of that program
> that you should watch when using inetd.

Ah, that's what I was missing. I guess I was mixing apples and oranges.

Now that I know that, I looked at the source and (surprise!) in inetd mode
the popa3d daemon doesn't even try to open the port, it just opens a pipe.

Thanks! It's clear to me now that it's inetd which must be controlled. The
-a option looks best, even if this means running two inetd instances, as
Giorgos explained in another email.

The main reason I asked was "what if someone sets the popa3d port to
compile in inetd mode with the localhost-only option enabled?" and I was
worried about a TCP connection not being able to reach a service (which is
not supposed to do that in the first place).

As for the port, I think patching the source in such a case doesn't make
any sense (the patch would be applied but that part of the code is never
used), so I guess an appropriate message will be best.

> Of course, you could use TCP Wrappers in inetd. Or check out inetd's -a
> flag to bind inetd only to localhost (but check with sockstat -l that inetd
> REALLY honors this flag!). Setting -a for inetd is a global change though
> that affects everything that you start through inetd!
>
> But why won't you use a firewall like pf or ipfw to protect the service in
> the first place? Just do this in addition to TCP Wrapper's hosts_access(5)
> and inetd's "-a 127.0.0.1" setting. It's better to be safe than sorry :-)
>
>> Is it possible to run a service listening only on localhost with inetd?
>> How to configure inetd in such a case (an entry in /etc/hosts.allow?)
>> or should I disable such a configuration?
>>
> If you want to set the -a flag to bind inetd to localhost only, override
> inetd_flags in /etc/rc.conf (from the value it has in
> /etc/defaults/rc.conf), then restart inetd.

Yes, all that sounds reasonable now.

Thanks cpghost and all who replied!

Regards,

Karol

--
Karol Kwiatkowski <freebsd at orchid dot homeunix dot org>
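An added example, not part of the thread, of the "check with sockstat -l that inetd REALLY honors this flag" step cpghost recommends: a small sh/awk check that reads sockstat -l output and reports whether every listening socket of a given daemon is bound to loopback. The two sockstat samples are constructed (one before and one after setting inetd_flags="-wW -a 127.0.0.1"), and the function names are this example's own, not anything from FreeBSD.

```shell
#!/bin/sh
# Verify from `sockstat -l` output that a daemon (here inetd) listens only on
# the loopback address. Both samples below are constructed, not captured from
# a real host; the column layout follows sockstat(1).

# Constructed "before" state: inetd started with the default inetd_flags, so
# pop3 is bound to the wildcard address and reachable from any interface.
SAMPLE_BEFORE='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     inetd      512   4  tcp4   *:110                 *:*
root     sshd       400   3  tcp4   *:22                  *:*'

# Constructed "after" state: inetd_flags="-wW -a 127.0.0.1" set in
# /etc/rc.conf and inetd restarted.
SAMPLE_AFTER='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     inetd      512   4  tcp4   127.0.0.1:110         *:*
root     sshd       400   3  tcp4   *:22                  *:*'

# listens_local_only CMD: read sockstat -l output on stdin; exit 0 if every
# listening socket owned by CMD is bound to 127.0.0.1 or ::1, 1 if any socket
# is bound to the wildcard (*) or a routable address, 2 if CMD has no sockets.
listens_local_only() {
    awk -v cmd="$1" '
        NR == 1 { next }                 # header line
        $2 != cmd { next }               # other daemons
        {
            n++
            addr = $6                    # LOCAL ADDRESS, e.g. 127.0.0.1:110
            sub(/:[0-9]+$/, "", addr)    # strip the port, keep the address
            if (addr != "127.0.0.1" && addr != "::1")
                bad++
        }
        END {
            if (n == 0) exit 2
            exit (bad > 0)
        }
    '
}

# check_sample SAMPLE CMD: run the check against a stored sample instead of
# the live system, so it can be exercised offline.
check_sample() {
    printf '%s\n' "$1" | listens_local_only "$2"
}

# On a FreeBSD host the live check would be:
#   sockstat -l | listens_local_only inetd && echo "inetd: loopback only"
```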