From: Karol Kwiatkowski
Date: Fri, 06 May 2005 14:09:17 +0200
To: cpghost
Cc: freebsd-questions@freebsd.org
Subject: Re: Inetd and a service listening only on localhost
Message-ID: <427B5E6D.3080001@orchid.homeunix.org>
In-Reply-To: <427ABB29.6000208@cordula.ws>
References: <427AADA0.6060701@orchid.homeunix.org> <427ABB29.6000208@cordula.ws>

cpghost wrote:
> Karol Kwiatkowski wrote:
>
>> I've never used inetd and I'm not sure what will happen if a
>> connection is made from outside to a service which is configured to
>> listen only on localhost.
>>
>>
> When you use inetd, the spawned process gets its data from stdin,
> not from a socket. It is irrelevant that the spawned program listens
> on localhost (in addition to stdin). It's the stdin path of that program
> that you should watch when using inetd.

Ah, that's what I was missing. I guess I was mixing apples and oranges.
Now that I know that, I looked at the source and (surprise!) in inetd
mode the popa3d daemon doesn't even try to open the port, it just opens
a pipe. Thanks!

It's clear to me now that it's inetd which must be controlled. The -a
option looks best, even if this means running two inetd instances, as
Giorgos explained in another email.

The main reason I asked was 'what if someone sets the popa3d port to
compile in inetd mode with the localhost-only option enabled?' and I was
worried about a TCP connection not being able to reach a service (which
is not supposed to do that in the first place). As for the port, I think
patching the source in such a case doesn't make any sense (the patch
would be applied but that part of the code is never used), so I guess an
appropriate message will be best.

> Of course, you could use TCP Wrappers in inetd. Or check out inetd's -a
> flag to bind inetd only to localhost (but check with sockstat -l that inetd
> REALLY honors this flag!). Setting -a for inetd is a global change though
> that affects everything that you start through inetd!
>
> But why won't you use a firewall like pf or ipfw to protect the service in
> the first place? Just do this in addition to TCP Wrapper's
> hosts_access(5) and inetd's "-a 127.0.0.1" setting. It's better to be
> safe than sorry :-)
>
>> Is it possible to run a service listening only on localhost with inetd?
>> How to configure inetd in such a case (an entry in /etc/hosts.allow?)
>> or should I disable such a configuration?
>>
>>
> If you want to set the -a flag to bind inetd to localhost only, override
> inetd_flags in /etc/rc.conf (from the value it has in
> /etc/defaults/rc.conf), then restart inetd.

Yes, all that sounds reasonable now.

Thanks, cpghost and all who replied!

Regards,

Karol

--
Karol Kwiatkowski
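The procedure cpghost describes (override inetd_flags in /etc/rc.conf, restart inetd, then confirm with sockstat -l that inetd really bound to loopback), as an added example that is not from this thread. It assumes FreeBSD's sockstat -l column layout (USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS) and the stock default of inetd_flags="-wW -C 60"; the sockstat output below is constructed for the demonstration, not a real capture.

```sh
#!/bin/sh
# Added example, not from the thread. Step 1 is the /etc/rc.conf override
# (shown as a comment, not applied by this script):
#     inetd_enable="YES"
#     inetd_flags="-wW -C 60 -a 127.0.0.1"   # assumes the default "-wW -C 60"
# then:  /etc/rc.d/inetd restart
#
# Step 2: verify with  sockstat -l | check_inetd_local
# check_inetd_local reads sockstat -l output on stdin, prints every inetd
# socket whose local address is not loopback, and returns 0 only if inetd
# has no externally reachable listener.
check_inetd_local() {
    awk '
        NR == 1 { next }                 # skip the column header
        $2 != "inetd" { next }           # only sockets owned by inetd
        $5 !~ /^(tcp|udp)/ { next }      # ignore unix-domain sockets
        {
            addr = $6
            sub(/:[^:]*$/, "", addr)     # drop the port, keep the address
            if (addr != "127.0.0.1" && addr != "::1") {
                print $1, $2, $3, $5, $6
                bad = 1
            }
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Constructed sample output: inetd correctly bound to loopback only.
SAMPLE_LOCAL='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     inetd      1234  5  tcp4   127.0.0.1:110         *:*
root     inetd      1234  6  tcp4   127.0.0.1:21          *:*
root     sshd       812   4  tcp4   *:22                  *:*'

# Constructed sample output: one inetd service still listening on all addresses.
SAMPLE_EXPOSED='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     inetd      1234  5  tcp4   127.0.0.1:110         *:*
root     inetd      1234  6  tcp4   *:21                  *:*'

# Demo run against the exposed sample; on a live host replace the printf
# with:  sockstat -l | check_inetd_local
if printf '%s\n' "$SAMPLE_EXPOSED" | check_inetd_local; then
    echo "inetd listens on loopback only"
else
    echo "inetd has externally reachable sockets (listed above)"
fi
```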