From owner-freebsd-questions@FreeBSD.ORG Fri May 12 17:15:18 2006
From: Daniel Bye <danielby@slightlystrange.org>
To: FreeBSD Questions <freebsd-questions@freebsd.org>
Date: Fri, 12 May 2006 18:15:15 +0100
Subject: Re: Pros and Cons of running under inetd....
Message-ID: <20060512171515.GC34035@catflap.slightlystrange.org>
In-Reply-To: <4464B95D.1040702@computer.org>
List-Id: User questions
User-Agent: Mutt/1.4.2.1i

On Fri, May 12, 2006 at 11:35:41AM -0500, Eric Schuele wrote:
> Hello,
>
> I run sshd and ftpd on my laptop.  I generally start them via:
> sshd_enable="YES"
> ftpd_enable="YES"
> in my rc.conf.
>
> What are the pros/cons of running them via inetd?
>
> This is in no way a high load or production machine.  Just my laptop
> that I need access to from time to time.
>
> The one pro I have noticed (which is rather important to me) is that
> ftpd does not heed hosts.allow directives when NOT run via inetd.  Am I
> correct in this?  I prefer to use tcpwrappers to further protect my sshd
> and ftpd.  I generally keep ftpd firewalled off from the world and when
> someone needs to (anonymous) ftp something to me I open the firewall.
> But it would be nice to allow only their IP using hosts.allow (as I just
> enable/disable a generic ruleset in ipfw).  So should I forget to
> disable the ruleset in ipfw then I am not open all day till I reboot.

When sshd starts, it needs to generate keys and set up its cryptographic
environment, so you will notice a bit of lag before getting a login
prompt.  This may or may not mean anything to you, depending on how beefy
your laptop is.  Check man sshd for the -i option.

sshd should, by default, be compiled with tcpwrappers support anyway.  You
can test whether this is the case by putting something like this at the
top of your hosts.allow:

sshd : 127.0.0.1 : deny

and then try connecting on the loopback interface.  If you see `refused
connect from localhost' in your /var/log/auth.log, then your sshd uses
hosts.allow and running it from inetd won't give you any benefit.

I don't know about ftpd, as I don't use it.
Dan

-- 
Daniel Bye

PGP Key: http://www.slightlystrange.org/pgpkey-dan.asc
PGP Key fingerprint: D349 B109 0EB8 2554 4D75 B79A 8B17 F97C 1622 166A

 _   ASCII ribbon campaign
( )  - against HTML, vCards and
 X   - proprietary attachments in e-mail
/ \
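The check Dan describes (deny yourself in hosts.allow, connect over loopback, look for libwrap's refusal in auth.log) can be turned into a small script. The following is an added example, not code from the original thread or from FreeBSD: it defines two helper functions that count libwrap refusals per daemon in a log file and runs them over a constructed auth.log excerpt. Assumptions made here and marked in the comments: libwrap logs refusals as "<daemon>[pid]: refused connect from <client>", the log lines are invented for the example, and the hosts.allow and inetd.conf lines quoted in the comments are the standard forms rather than anything taken from the poster's machine.

```sh
#!/bin/sh
# Added example, not code from the original post or from FreeBSD.
# Checks whether a libwrap-linked daemon actually consulted hosts.allow by
# looking for libwrap's "refused connect from" syslog lines in auth.log.
#
# The test set-up from the post, for reference (hosts.allow is first-match,
# so the deny line must sit above any "ALL : ALL : allow" rule):
#   sshd : 127.0.0.1 : deny
# and the usual inetd.conf line for running sshd under inetd (sshd -i):
#   ssh  stream  tcp  nowait  root  /usr/sbin/sshd  sshd -i
#
# Assumption: libwrap logs refusals as "<daemon>[pid]: refused connect from
# <client>"; the log excerpt below is constructed, not a real auth.log.

# wrap_refusals DAEMON LOGFILE: print how many libwrap refusals DAEMON logged.
wrap_refusals() {
    daemon=$1
    logfile=$2
    # grep -c prints 0 and exits 1 when nothing matches; keep the 0, drop the status.
    grep -c -E "[^ ]+ ${daemon}\[[0-9]+\]: refused connect from " "$logfile" || true
}

# wrap_honoured DAEMON LOGFILE: succeed (exit 0) if DAEMON refused at least
# one connection through libwrap, i.e. it honours hosts.allow and running
# it from inetd adds nothing for tcpwrappers purposes.
wrap_honoured() {
    [ "$(wrap_refusals "$1" "$2")" -gt 0 ]
}

# Constructed auth.log excerpt: sshd rejected the loopback test connection
# (libwrap at work); ftpd, started from rc.conf, logged its own login
# message but nothing from libwrap.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
May 12 18:10:01 catflap sshd[34120]: refused connect from localhost (127.0.0.1)
May 12 18:10:05 catflap sshd[34122]: Accepted publickey for dan from 192.0.2.10 port 51422 ssh2
May 12 18:10:09 catflap ftpd[34130]: ANONYMOUS FTP LOGIN FROM 192.0.2.10, dan@example.org
EOF

for d in sshd ftpd; do
    if wrap_honoured "$d" "$SAMPLE_LOG"; then
        echo "$d: hosts.allow consulted ($(wrap_refusals "$d" "$SAMPLE_LOG") refusal(s) logged)"
    else
        echo "$d: no libwrap refusals logged; check that it is linked with libwrap, or run it from inetd"
    fi
done
```

On a real machine, after adding the deny line and attempting `ssh localhost`, run `wrap_honoured sshd /var/log/auth.log` (as a user that can read the log). Remember to take the deny line out again afterwards, since hosts.allow is evaluated top to bottom and that line will keep refusing loopback logins.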