Date: Mon, 2 Jun 2003 10:39:52 +0100
From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
To: Alexander <amour@amour.ath.cx>
Cc: freebsd-questions@freebsd.org
Subject: Re: Changes to hosts.allow do no affect to inetd daemons some times
Message-ID: <20030602093952.GA17201@happy-idiot-talk.infracaninophile.co.uk>
In-Reply-To: <20030602104323.M24130-100000@amour.ath.cx>
References: <20030602072120.GB23430@happy-idiot-talk.infracaninophile.co.uk> <20030602104323.M24130-100000@amour.ath.cx>
On Mon, Jun 02, 2003 at 10:46:25AM +0200, Alexander wrote:
> So what you say is that if I had opened  identd socket for example then
> updating /etc/hosts.allow and changing rules for ftpd won't take affect on
> ftpd after new connection ? (assuming that noone is using my ftpd at all)
Uh -- no.  The ftpd lines in /etc/inetd.conf look like this by default:
    ftp    stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l
    ftp    stream  tcp6    nowait  root    /usr/libexec/ftpd       ftpd -l
Since the service is marked 'nowait', inetd will handle all incoming
connections to the ftp port and spawn a new copy of ftpd to service
each different session.  inetd will apply the changed tcp wrappers
filters to each new ftp connection as it occurs.  It won't
retrospectively modify any active ftp sessions.
Most things in /etc/inetd.conf are marked 'nowait', and of the things
that are marked 'wait' the vast majority are either 'internal' --
built into inetd -- or they are for RPC based services, in which case
the TCP wrappers support built into portmap(8) (aka rpcbind(8) on
FreeBSD 5.x) will be what's important.  In the default inetd.conf
file, there are only 7 exceptions:
    % grep '\bwait' /etc/inetd.conf | grep -v 'internal\|rpc'
    #comsat dgram   udp     wait    tty:tty /usr/libexec/comsat     comsat
    #ntalk  dgram   udp     wait    tty:tty /usr/libexec/ntalkd     ntalkd
    #tftp   dgram   udp     wait    root    /usr/libexec/tftpd      tftpd -s /tftpboot
    #tftp   dgram   udp6    wait    root    /usr/libexec/tftpd      tftpd -s /tftpboot
    #bootps dgram   udp     wait    root    /usr/libexec/bootpd     bootpd
    #auth   stream  tcp     wait    root    /usr/local/sbin/identd  identd -w -t120
    #netbios-ns dgram udp   wait            root    /usr/local/sbin/nmbd    nmbd
So only if you have enabled one or more of those services and there
are instances of those processes running should you need to kill and
restart them to be sure that your modifications to /etc/hosts.allow
will be applied.  Nb. you don't need to restart inetd itself, just
kill the running instances of ntalkd, bootpd etc. inetd will cope with
starting new ones as required.
For more info about TCP wrappers, look at
    ftp://ftp.porcupine.org/pub/security/tcp_wrapper.ps.Z  -or-
    ftp://ftp.porcupine.org/pub/security/tcp_wrapper.txt.Z
       (Wietse Venema's presentation to the 3rd Unix Security Symposium)
    -plus-
    http://www.freebsd.org/cgi/cvsweb.cgi/src/contrib/tcp_wrappers/README?rev=1.1.1.1.2.1&content-type=text/x-cvsweb-markup
but bear in mind that the FreeBSD inetd has the tcp_wrappers stuff
built in, so no need for the separate tcpd program.
	Cheers,
	Matthew
-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
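The grep in Matthew's reply works on the default file because every interesting entry is still commented out. On a live system what you actually want is the set of *enabled* 'wait' entries that are neither 'internal' nor RPC, and then whether any instance of those daemons is currently holding the socket. The script below is an added example (not part of the original mail or of FreeBSD) that does exactly that parse over a constructed inetd.conf sample; the sample file, the function names and the pgrep-based check are all assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original mail. Finds inetd.conf services whose
# already-running instances must be killed before a /etc/hosts.allow change is
# honoured: enabled entries in 'wait' mode that are not built into inetd
# ('internal') and are not RPC services (those are wrapped by portmap/rpcbind).
# 'nowait' entries need nothing: inetd re-reads hosts.allow on every accept().

# CONSTRUCTED sample in the 7-field FreeBSD inetd.conf layout. Point
# wait_services at the real /etc/inetd.conf to use it on a live box.
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
#	$FreeBSD$
ftp	stream	tcp	nowait	root	/usr/libexec/ftpd	ftpd -l
ftp	stream	tcp6	nowait	root	/usr/libexec/ftpd	ftpd -l
#telnet	stream	tcp	nowait	root	/usr/libexec/telnetd	telnetd
daytime	stream	tcp	nowait	root	internal
chargen	dgram	udp	wait	root	internal
rstatd/1-3	dgram	rpc/udp	wait	root	/usr/libexec/rpc.rstatd	rpc.rstatd
#comsat	dgram	udp	wait	tty:tty	/usr/libexec/comsat	comsat
tftp	dgram	udp	wait	root	/usr/libexec/tftpd	tftpd -s /tftpboot
auth	stream	tcp	wait/10	root	/usr/local/sbin/identd	identd -w -t120
EOF

# wait_services FILE
# Prints "<service> <server-path>" for every enabled 'wait' entry that inetd
# does not handle per connection itself. Field layout: name, socket type,
# protocol, wait/nowait[/max...], user, server path, args.
wait_services() {
    awk '
        /^[ \t]*#/ || NF < 6 { next }          # comments, blank, malformed
        { split($4, w, "/") }                  # "wait/10" -> "wait"
        w[1] != "wait"       { next }          # nowait: wrappers applied per accept
        $6 == "internal"     { next }          # served by inetd itself
        $3 ~ /^rpc\//        { next }          # RPC: portmap/rpcbind does wrapping
        { print $1, $6 }
    ' "$1"
}

# running_instances FILE
# For each such service, list the PIDs of the daemon (matched on its
# basename) that are currently running and would have to be killed; inetd
# respawns them on the next packet/connection, with the new hosts.allow.
running_instances() {
    wait_services "$1" | while read -r svc path; do
        name=$(basename "$path")
        pids=$(pgrep -x "$name" 2>/dev/null | tr '\n' ' ')
        printf '%s\t%s\t%s\n' "$svc" "$name" "${pids:-none}"
    done
}

# Stand-alone demo: on the sample only tftp and auth (identd) qualify.
wait_services "$SAMPLE_CONF"
running_instances "$SAMPLE_CONF"
```

On a real machine the output of `running_instances /etc/inetd.conf` is the kill list; inetd itself is left alone, exactly as the reply says. FreeBSD also ships tcpdmatch(8), so once the old instance is gone you can confirm the new rule from the same shell with something like `tcpdmatch -i /etc/inetd.conf tftpd <client-address>` before waiting for a real client to hit it.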
