Date: Thu, 14 Oct 2004 13:59:25 +0400
From: Denis Peplin <den@FreeBSD.org>
To: freebsd-doc@FreeBSD.org, Tom Rhodes <trhodes@FreeBSD.org>
Subject: TCP Wrappers section (handbook/security): services is not daemons
Message-ID: <416E4DFD.3040203@FreeBSD.org>
[-- Attachment #1 --]
Hello!
Please look at the attached patch.
I will commit it if no objections.
[-- Attachment #2 --]
Index: security/chapter.sgml
===================================================================
RCS file: /home/dcvs/doc/en_US.ISO8859-1/books/handbook/security/chapter.sgml,v
retrieving revision 1.228
diff -u -r1.228 chapter.sgml
--- security/chapter.sgml 3 Oct 2004 23:35:59 -0000 1.228
+++ security/chapter.sgml 14 Oct 2004 09:53:40 -0000
@@ -1482,9 +1482,9 @@
<para>The <acronym>TCP</acronym> Wrappers software extends the
abilities of <command>inetd</command> to provide support for
- every server daemon under its control. Using this method it
+ every service under its control. Using this method it
is possible to provide logging support, return messages to
- connections, permit a daemon to only accept internal connections,
+ connections, permit a service to only accept internal connections,
etc. While some of these features can be provided by implementing
a firewall, this will add not only an extra layer of protection
but go beyond the amount of control a firewall can
@@ -1520,16 +1520,16 @@
in <filename>/etc/hosts.allow</filename>.</para>
</note>
- <para>In the simplest configuration, daemon connection policies
+ <para>In the simplest configuration, service connection policies
are set to either be permitted or blocked depending on the
options in <filename>/etc/hosts.allow</filename>. The default
- configuration in &os; is to allow a connection to every daemon
+ configuration in &os; is to allow a connection to every service
started with <command>inetd</command>. Changing this will be
discussed only after the basic configuration is covered.</para>
<para>Basic configuration usually takes the form of
- <literal>daemon : address : action</literal>. Where
- <literal>daemon</literal> is the daemon name which
+ <literal>service : address : action</literal>. Where
+ <literal>service</literal> is the service name which
<command>inetd</command> started. The
<literal>address</literal> can be a valid hostname, an
<acronym>IP</acronym> address or an IPv6 address enclosed in
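Review bot: the rename of the `daemon : address : action` line and the sentence after it drops the only hint that ties the first field to hosts_access(5), which calls that field daemon_list and matches it against the server's process name (argv[0]) rather than an inetd service name; consider keeping one reference to that, e.g. "<literal>service</literal> is the process name of the server that <command>inetd</command> started (the daemon name in hosts_access(5))", so readers know what string to put there. While here, "Where <literal>service</literal> is the service name which <command>inetd</command> started." is a sentence fragment; joining it to the preceding sentence with a comma reads better.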
@@ -1544,7 +1544,7 @@
in a later section. A simple configuration line may easily be
constructed from that information alone. For example, to
allow <acronym>POP</acronym>3 connections via the
- <filename role="package">mail/qpopper</filename> daemon,
+ <filename role="package">mail/qpopper</filename> service,
the following lines should be appended to
<filename>hosts.allow</filename>:</para>
@@ -1564,7 +1564,7 @@
options too; they will allow for more control over the
way connections are handled. In some cases it may be
a good idea to return a comment to certain hosts or
- daemon connections. In other cases, perhaps a log file
+ service connections. In other cases, perhaps a log file
should be recorded or an email sent to the administrator.
Other situations may require the use of a service for local
connections only. This is all possible through the use of
@@ -1584,15 +1584,15 @@
execute a shell command or script. An example already exists
in the <filename>hosts.allow</filename> file:</para>
- <programlisting># The rest of the daemons are protected.
+ <programlisting># The rest of the services are protected.
ALL : ALL \
: severity auth.info \
: twist /bin/echo "You are not welcome to use %d from %h."</programlisting>
<para>This example shows that the message,
- <quote>You are not allowed to use <literal>daemon</literal>
+ <quote>You are not allowed to use <literal>service</literal>
from <literal>hostname</literal>.</quote> will be returned
- for any daemon not previously configured in the access file.
+ for any service not previously configured in the access file.
This is extremely useful for sending a reply back to the
connection initiator right after the established connection
is dropped. Note that any message returned
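Review bot: the <programlisting> is introduced as the example that "already exists in the hosts.allow file", so changing its comment to "# The rest of the services are protected." makes the quoted listing differ from what readers will find in their own file; leave the listing verbatim and rename only the prose around it. Also, the paraphrase in the following paragraph ("You are not allowed to use <literal>service</literal> from <literal>hostname</literal>.") does not match the message in the listing ("You are not welcome to use %d from %h."); quote the listing's wording, and note that %d expands to the daemon process name as documented in hosts_access(5).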
@@ -1603,7 +1603,7 @@
<warning>
<para>It may be possible to launch a denial of service attack
on the server if an attacker, or group of attackers could
- flood these daemons with connection requests.</para>
+ flood these services with connection requests.</para>
</warning>
<para>Another possibility is to use the <option>spawn</option>
@@ -1624,7 +1624,7 @@
<para>This will deny all connection attempts from the
<hostid role="fqdn">*.example.com</hostid> domain;
simultaneously logging the hostname, <acronym>IP</acronym>
- address and the daemon which they attempted to access in the
+ address and the service which they attempted to access in the
<filename>/var/log/connections.log</filename> file.</para>
<para>Aside from the already explained substitution characters
@@ -1639,7 +1639,7 @@
continuously throughout the examples. Other options exist
which could extend the functionality a bit further. For
instance, <literal>ALL</literal> may be used to match every
- instance of either a daemon, domain or an
+ instance of either a service, domain or an
<acronym>IP</acronym> address. Another wildcard available is
<literal>PARANOID</literal> which may be used to match any
host which provides an <acronym>IP</acronym> address that may