Date: Fri, 06 May 2005 02:32:41 +0200 From: cpghost <cpghost@cordula.ws> To: freebsd@orchid.homeunix.org Cc: freebsd-questions@freebsd.org Subject: Re: Inetd and a service listening only on localhost Message-ID: <427ABB29.6000208@cordula.ws> In-Reply-To: <427AADA0.6060701@orchid.homeunix.org> References: <427AADA0.6060701@orchid.homeunix.org>
Karol Kwiatkowski wrote:

> I've never used inetd and I'm not sure what will happen if a
> connection is made from outside to a service which is configured to
> listen only on localhost.

When you use inetd, the spawned process gets its data from stdin, not from a socket. It is irrelevant that the spawned program listens on localhost (in addition to stdin). It's the stdin path of that program that you should watch when using inetd.

Of course, you could use TCP Wrappers in inetd. Or check out inetd's -a flag to bind inetd only to localhost (but check with sockstat -l that inetd REALLY honors this flag!). Setting -a for inetd is a global change though that affects everything that you start through inetd!

But why won't you use a firewall like pf or ipfw to protect the service in the first place? Just do this in addition to TCP Wrapper's hosts_access(5) and inetd's "-a 127.0.0.1" setting. It's better to be safe than sorry :-)

> Is it possible to run a service listening only on localhost with inetd?
> How to configure inetd in such case (an entry in /etc/hosts.allow?)
> or should I disable such configuration?

If you want to set the -a flag to bind inetd to localhost only, override inetd_flag in /etc/rc.conf (from the value it has in /etc/defaults/rc.conf), then restart inetd.

> Regards,
>
> Karol

Good luck!

-cpghost.

-- 
Cordula's Web. http://www.cordula.ws/
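The reply recommends binding inetd to loopback with "-a 127.0.0.1" and then confirming with sockstat -l that inetd really honors the flag. The script below is an added example, not part of the thread or of FreeBSD itself: it reads sockstat -l style output (the embedded sample is constructed, not captured from a real host) and reports any inetd listener whose local address is not 127.0.0.1 or ::1. The rc.conf lines in the comments use the real FreeBSD variable name inetd_flags and its stock default "-wW -C 60"; the function names are this example's own.

```sh
#!/bin/sh
# Setting inetd to loopback only in /etc/rc.conf (overrides /etc/defaults/rc.conf):
#   inetd_enable="YES"
#   inetd_flags="-wW -C 60 -a 127.0.0.1"
# then:  /etc/rc.d/inetd restart
# Afterwards, verify with:  sockstat -l | inetd_exposed_listeners

# Constructed sample of `sockstat -l` output in the FreeBSD column layout.
# It deliberately contains one wildcard-bound inetd listener (telnet on *:23).
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     inetd      612   5  tcp4   127.0.0.1:21          *:*
root     inetd      612   6  tcp4   *:23                  *:*
root     inetd      612   7  tcp6   [::1]:21              *:*
root     sshd       540   3  tcp4   *:22                  *:*'

# Print every inetd listener whose local address is not loopback.
# Reads sockstat output on stdin; prints nothing when inetd honours "-a 127.0.0.1".
inetd_exposed_listeners() {
    awk 'NR > 1 && $2 == "inetd" {
        addr = $6
        sub(/:[^:]*$/, "", addr)                 # drop the port, keep the address
        if (addr != "127.0.0.1" && addr != "[::1]") print $0
    }'
}

# Number of exposed inetd listeners, for a quick pass/fail check.
inetd_exposed_count() {
    inetd_exposed_listeners | awk 'END { print NR }'
}

# Run the check against the constructed sample (on a real host: sockstat -l | ...).
if [ "$(printf '%s\n' "$SAMPLE_SOCKSTAT" | inetd_exposed_count)" -ne 0 ]; then
    echo "WARNING: inetd has listeners outside loopback:"
    printf '%s\n' "$SAMPLE_SOCKSTAT" | inetd_exposed_listeners
else
    echo "OK: all inetd listeners are bound to loopback"
fi
```

Because -a applies to every service inetd starts, a single non-loopback line in this report means the flag is not in effect at all (typically because the rc.conf override was not picked up or inetd was not restarted), not that one service was configured differently.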