Subject: Re: bin/18955: many improvements fixes and new features for inetd
To: NetBSD GNATS submissions and followups <gnats-bugs@gnats.netbsd.org>
From: Greg A. Woods <woods@weird.com>
List: netbsd-bugs
Date: 11/06/2002 17:28:26
# This is a shell archive.  Save it in a file, remove anything before
# this line, and then unpack it by entering "sh file".  Note, it may
# create directories; files and directories will be owned by you and
# have default permissions.
#
# This archive contains:
#
#	inetd.8
#
echo x - inetd.8
sed 's/^X//' >inetd.8 << 'END-of-inetd.8'
X.\"	$NetBSD: inetd.8,v 1.37 2002/01/19 03:14:33 wiz Exp $
X.\"
X.\" Copyright (c) 1998 The NetBSD Foundation, Inc.
X.\" All rights reserved.
X.\"
X.\" This code is derived from software contributed to The NetBSD Foundation
X.\" by Jason R. Thorpe of the Numerical Aerospace Simulation Facility,
X.\" NASA Ames Research Center.
X.\"
X.\" Redistribution and use in source and binary forms, with or without
X.\" modification, are permitted provided that the following conditions
X.\" are met:
X.\" 1. Redistributions of source code must retain the above copyright
X.\"    notice, this list of conditions and the following disclaimer.
X.\" 2. Redistributions in binary form must reproduce the above copyright
X.\"    notice, this list of conditions and the following disclaimer in the
X.\"    documentation and/or other materials provided with the distribution.
X.\" 3. All advertising materials mentioning features or use of this software
X.\"    must display the following acknowledgement:
X.\" 	This product includes software developed by the NetBSD
X.\" 	Foundation, Inc. and its contributors.
X.\" 4. Neither the name of The NetBSD Foundation nor the names of its
X.\"    contributors may be used to endorse or promote products derived
X.\"    from this software without specific prior written permission.
X.\"
X.\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
X.\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
X.\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
X.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
X.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
X.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
X.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
X.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
X.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
X.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
X.\" POSSIBILITY OF SUCH DAMAGE.
X.\"
X.\" Copyright (c) 1985, 1991 The Regents of the University of California.
X.\" All rights reserved.
X.\"
X.\" Redistribution and use in source and binary forms, with or without
X.\" modification, are permitted provided that the following conditions
X.\" are met:
X.\" 1. Redistributions of source code must retain the above copyright
X.\"    notice, this list of conditions and the following disclaimer.
X.\" 2. Redistributions in binary form must reproduce the above copyright
X.\"    notice, this list of conditions and the following disclaimer in the
X.\"    documentation and/or other materials provided with the distribution.
X.\" 3. All advertising materials mentioning features or use of this software
X.\"    must display the following acknowledgement:
X.\"	This product includes software developed by the University of
X.\"	California, Berkeley and its contributors.
X.\" 4. Neither the name of the University nor the names of its contributors
X.\"    may be used to endorse or promote products derived from this software
X.\"    without specific prior written permission.
X.\"
X.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
X.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
X.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
X.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
X.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
X.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
X.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
X.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
X.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
X.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
X.\" SUCH DAMAGE.
X.\"
X.\"     from: @(#)inetd.8       8.4 (Berkeley) 6/1/94
X.\"
X.Dd November 3, 2002
X.Dt INETD 8
X.Os
X.\"
X.Sh NAME
X.Nm inetd ,
X.Nm inetd.conf
X.Nd internet
X.Dq super-server
X.\"
X.Sh SYNOPSIS
X.Nm
X.Op Fl R Ar max-rate
X.Op Fl c Ar max-conn
X.Op Fl d
X.Op Fl f
X.Op Fl i Ar rate-interval
X.Op Fl l Op Fl I
X.Op Fl T Ar ident-timeout
X.Op Fl t Ar err-timeout
X.Op Ar configuration_file
X.\"
X.Sh DESCRIPTION
X.Nm
Xshould be run at boot time by
X.Pa /etc/rc
X(see
X.Xr rc 8 ) .
XIt then listens for connections on certain internet sockets.
XWhen a connection is found on one of its sockets, it decides what
Xservice the socket corresponds to, and invokes a program to service
Xthe request.
XAfter the program is finished, it continues to listen on the socket
X(except in some cases which will be described below).
XEssentially,
X.Nm
Xallows running one daemon to invoke several others,
Xreducing load on the system.
X.Ss Options
XThe options available for
X.\" Why doesn't just `.Nm :' work?
X.Nm "" :
X.Bl -tag -width Ds
X.It Fl R Ar rate
XSpecify the maximum number of times a service can be invoked in a given
X.Ar interval
Xof time; the default is 40.
XA rate of 0 allows an unlimited number of invocations.
XMay be overridden on a per-service basis with the
X.Dq max-rate
Xparameter.
X.It Fl c Ar maximum
XSpecify the default maximum number of simultaneous invocations of each
Xservice; the default (0) is unlimited.
XMay be overridden on a per-service basis with the
X.Dq max-conn
Xparameter.
X.It Fl d
XTurns on debugging.  This implies
X.Fl f
Xas otherwise
X.Va stderr
Xwould be closed and no debugging forthcoming.
X.It Fl i Ar interval
XSpecifies the
X.Ar interval
Xin seconds over which only a maximum number of connections is allowed
Xfor any given service.  The maximum number of connections can be
Xspecified on a per-service basis in the configuration file, and the
Xdefault is set with the
X.Fl R Ar rate
Xparameter.
XHowever this interval time is (currently) shared with all services.
X.It Fl f
XRun in the foreground (i.e. do not become a background daemon as is done
Xin the normal case).
X.It Fl l
XTurns on default connection logging for all services.
X.It Fl I
XIf default logging is enabled this flag will cause IDENT (RFC 1413)
Xlookups to be done (unless the service is
X.Dq ident
Xitself) and the resulting information to be included in the connection
Xlog records.
X.It Fl T Ar ident-timeout
XSpecifies the amount of time in seconds that IDENT replies will be
Xwaited for.
XThe default is five (5) seconds.
X.It Fl t Ar err-timeout
XSpecifies the amount of time in seconds that
X.Nm
Xwill wait before re-enabling a service that has been suspended because
Xthe number of connections to it had exceeded the maximum over a
Xspecified interval (or because some error was encountered trying to bind
Xa socket to listen on a given port).
X.El
X.Pp
X.Ss Configuration
XUpon execution,
X.Nm
Xreads its configuration information from a configuration
Xfile which, by default, is
X.Pa /etc/inetd.conf .
XThe path given for this configuration file must be absolute, unless
Xthe
X.Fl d
Xoption is also given on the command line.
XThere must be an entry for each field of the configuration
Xfile (except for one special case, described below), with the
Xentries separated by a tab or a space.
XComments are denoted by a ``#'' at the beginning of a line.
XThe fields of the configuration file are as follows:
X.Pp
X.Bd -unfilled -offset indent -compact
X[addr:]service-name
Xsocket-type
Xprotocol[,sndbuf=size][,rcvbuf=size]
Xwait/nowait[:[max-rate][:max-conn]]
Xuser[:group]
Xserver-program[:l[priority][:i]]
Xserver program arguments
X.Ed
X.Pp
XTo specify an
X.Em Sun-RPC
Xbased service, the entry would contain these fields.
X.Pp
X.Bd -unfilled -offset indent -compact
Xservice-name/version
Xsocket-type
Xrpc/protocol[,sndbuf=size][,rcvbuf=size]
Xwait/nowait[:[max-rate][:max-conn]]
Xuser[:group]
Xserver-program[:l[priority][:i]]
Xserver program arguments
X.Ed
X.Pp
XFor Internet services, the first field of the line may also have a host
Xaddress specifier prefixed to it, separated from the service name by a colon.
XIf this is done, the string before the colon in the first field
Xindicates what local address
X.Nm
Xshould use when listening for that service, or the single character
X.Dq \&*
Xto indicate
X.Dv INADDR_ANY ,
Xmeaning
X.Sq all local addresses .
XTo avoid repeating an address that occurs frequently, a line with a
Xhost address specifier and colon, but no further fields, causes the
Xhost address specifier to be remembered and used for all further lines
Xwith no explicit host specifier (until another such line or the end of
Xthe file).
XA line
X.Dl *:
Xis implicitly provided at the top of the file; thus, traditional
Xconfiguration files (which have no host address specifiers) will be
Xinterpreted in the traditional manner, with all services listened for
Xon all local addresses.
X.Pp
XThe
X.Em service-name
Xentry is the name of a valid service in
Xthe file
X.Pa /etc/services .
XFor
X.Dq internal
Xservices (discussed below), the service
Xname
X.Em must
Xbe the official name of the service (that is, the first entry in
X.Pa /etc/services ) .
XWhen used to specify a
X.Em Sun-RPC
Xbased service, this field is a valid RPC service name in
Xthe file
X.Pa /etc/rpc .
XThe part on the right of the
X.Dq /
Xis the RPC version number.
XThis can simply be a single numeric argument or a range of versions.
XA range is bounded by the low version to the high version \-
X.Dq rusers/1-3 .
X.Pp
XThe
X.Em socket-type
Xshould be one of
X.Dq stream ,
X.Dq dgram ,
X.Dq raw ,
X.Dq rdm ,
Xor
X.Dq seqpacket ,
Xdepending on whether the socket is a stream, datagram, raw,
Xreliably delivered message, or sequenced packet socket.
X.Pp
XThe
X.Em protocol
Xmust be a valid protocol as given in
X.Pa /etc/protocols .
XExamples might be
X.Dq tcp
Xand
X.Dq udp .
XRPC-based services are specified with the
X.Dq rpc/tcp
Xor
X.Dq rpc/udp
Xservice type.
X.Dq tcp
Xand
X.Dq udp
Xwill be recognized as
X.Dq TCP or UDP over default IP version .
XIt is currently IPv4, but in the future it will be IPv6.
XIf you need to specify IPv4 or IPv6 explicitly, use something like
X.Dq tcp4
Xor
X.Dq udp6 .
XIf you would like to enable special support for
X.Xr faithd 8 ,
Xprepend a keyword
X.Dq faith
Xinto
X.Em protocol ,
Xlike
X.Dq faith/tcp6 .
X.Pp
XIn addition to the protocol, the configuration file may specify the
Xsend and receive socket buffer sizes for the listening socket.
XThis is especially useful for
X.Tn TCP
Xas the window scale factor, which is based on the receive socket
Xbuffer size, is advertised when the connection handshake occurs,
Xthus the socket buffer size for the server must be set on the listen socket.
XBy increasing the socket buffer sizes, better
X.Tn TCP
Xperformance may be realized in some situations.
XThe socket buffer sizes are specified by appending their values to
Xthe protocol specification as follows:
X.Bd -literal -offset indent
Xtcp,rcvbuf=16384
Xtcp,sndbuf=64k
Xtcp,rcvbuf=64k,sndbuf=1m
X.Ed
X.Pp
XA literal value may be specified, or modified using
X.Sq k
Xto indicate kilobytes or
X.Sq m
Xto indicate megabytes.
XSocket buffer sizes may be specified for all
Xservices and protocols except for tcpmux services.
X.Pp
XThe
X.Em wait/nowait
Xentry is used to tell
X.Nm
Xif it should wait for the server program to return,
Xor continue processing connections on the socket.
XIf a datagram server connects
Xto its peer, freeing the socket so
X.Nm
Xcan receive further messages on the socket, it is said to be
Xa
X.Dq multi-threaded
Xserver, and should use the
X.Dq nowait
Xentry.
XFor datagram servers which process all incoming datagrams
Xon a socket and eventually time out, the server is said to be
X.Dq single-threaded
Xand should use a
X.Dq wait
Xentry.
X.Xr comsat 8
X.Pq Xr biff 1
Xand
X.Xr talkd 8
Xare both examples of the latter type of
Xdatagram server.
X.Xr tftpd 8
Xis an exception; it is a datagram server that establishes pseudo-connections.
XIt must be listed as
X.Dq wait
Xin order to avoid a race;
Xthe server reads the first packet, creates a new socket,
Xand then forks and exits to allow
X.Nm
Xto check for new service requests to spawn new servers.
X.Pp
XThe optional
X.Em max-rate
Xsuffix (separated from
X.Dq wait
Xor
X.Dq nowait
Xby a period or a colon) specifies the maximum number of server instances that may
Xbe started by
X.Nm
Xwithin the interval specified by the
X.Dq Fl i Ar interval
Xoption, or a default of 60 seconds.
XWhen omitted,
X.Dq max-rate
Xdefaults to the value specified by the
X.Dq Fl R Ar max-rate
Xcommand-line option, or a default count of 40.
XIf the maximum connections per interval limit is exceeded then an error
Xis logged and the service is disabled for the time specified by the
X.Dq Fl t Ar err-timeout
Xoption, or a default of ten (10) minutes.
X.Pp
XThe optional
X.Em max-conn
Xsuffix (separated from
X.Dq max-rate
Xby a dot or colon) specifies the maximum number of simultaneous invocations
Xof the service that may be accepted at any one time.
XOnce the maximum is reached, further connection attempts will be queued
Xup until an existing child process exits.
XWhen omitted,
X.Dq max-conn
Xdefaults to the value specified by the
X.Dq Fl c Ar max-conn
Xcommand-line option, or to unlimited by default.
X.Pp
XStream servers are usually marked as
X.Dq nowait
Xbut if a single server process is to handle multiple connections, it may be
Xmarked as
X.Dq wait .
XThe master socket will then be passed as fd 0 to the server, which will then
Xneed to accept the incoming connection.
XThe server should eventually time
Xout and exit when no more connections are active.
X.Nm
Xwill continue to
Xlisten on the master socket for connections, so the server should not close
Xit when it exits.
X.Xr identd 8
Xis usually the only stream server marked as
X.Dq wait .
X.Pp
XThe
X.Em user
Xentry should contain the user name of the user as whom the server should run.
XThis allows servers to be given fewer privileges than root.
XOptionally, a group can be also specified by appending a colon to the user name,
Xfollowed by the group name (it is possible to use a period (``.'') in lieu of a
Xcolon, however this feature is provided only for backward compatibility).
XThis allows for servers to run with a different (primary) group id than
Xspecified in the password file.
XIf a group is specified and
X.Em user
Xis not root, the supplementary groups associated with that user will still be
Xset and only the default primary group will be replaced with the
Xspecified group.
X.Pp
XThe
X.Em server-program
Xentry should contain the pathname of the program which is to be
Xexecuted by
X.Nm
Xwhen a request is found on its socket.
XIf
X.Nm
Xprovides this service internally, this entry should
Xbe the word
X.Dq internal .
X.Pp
XAn optional set of logging control flags may follow the
X.Dq server-program
Xfield, each separated by a colon.
XThe
X.Dq Em l
Xflag enables logging for this service.
XAn optional numerically encoded (octal, decimal, or hex, as per
X.Xr strtol 3
Xwith a
X.Ar base
Xof zero)
X.Xr syslog 3
Xfacility and/or priority level may follow this flag and can be used to
Xchange the facility and priority level on a per-service basis if global
Xlogging is enabled on the command-line.
XThe
X.Dq Em i
Xflag enables logging with IDENT lookups for this service (unless the
Xservice is
X.Dq ident
Xitself, in which case it is silently ignored to avoid a potential loop
Xshould the remote system accidentally try to IDENT this system's
X.Dq ident
Xlookups).
XNote that the
X.Dq Em l
Xflag alone will disable IDENT lookups if they are enabled globally with
Xthe
X.Fl I
Xcommand-line option.
X.Pp
XThe
X.Em server program arguments
Xshould be just as arguments
Xnormally are, starting with argv[0], which is the name of
Xthe program.
XIf the service is provided internally, the
Xword
X.Dq internal
Xshould take the place of this entry.
X.Ss Internal Services
X.Nm
Xprovides several trivial services internally by use of routines within
Xitself.
XThese services are
X.Dq echo ,
X.Dq discard ,
X.Dq chargen
X(character generator),
X.Dq daytime
X(human readable time), and
X.Dq time
X(machine readable time,
Xin the form of the number of seconds since midnight, January 1, 1900 GMT).
XFor details of these services, consult the appropriate
X.Tn RFC .
X.Pp
XTCP services without official port numbers can be handled with the
XRFC1078-based tcpmux internal service.
XTCPmux listens on port 1 for requests.
XWhen a connection is made from a foreign host, the service name
Xrequested is passed to TCPmux, which performs a lookup in the
Xservice name table provided by
X.Pa /etc/inetd.conf
Xand returns the proper entry for the service.
XTCPmux returns a negative reply if the service doesn't exist,
Xotherwise the invoked server is expected to return the positive
Xreply if the service type in
X.Pa /etc/inetd.conf
Xfile has the prefix
X.Qq tcpmux/ .
XIf the service type has the
Xprefix
X.Qq tcpmux/+ ,
XTCPmux will return the positive reply for the
Xprocess; this is for compatibility with older server code, and also
Xallows you to invoke programs that use stdin/stdout without putting any
Xspecial server code in them.
XServices that use TCPmux are
X.Dq nowait
Xbecause they do not have a well-known port number and hence cannot listen
Xfor new requests.
X.Pp
X.Nm
Xrereads its configuration file when it receives a hangup signal,
X.Dv SIGHUP .
XServices may be added, deleted or modified when the configuration file
Xis reread.
X.Nm
Xcreates a file
X.Em /var/run/inetd.pid
Xthat contains its process identifier.
X.Ss TCP Wrappers / libwrap
XSupport for
X.Tn TCP
Xwrappers
Xis integrated into
X.Nm
Xusing
X.Xr hosts_access 3
Xto provide internal tcpd-like access control functionality for all TCP
Xservices which use the
X.Dq nowait
Xoption (servers marked as
X.Dq wait
Xare expected to listen).
XAn external wrapper program such as
X.Xr tcpd 8
Xis not needed.
XYou do not need to change the
X.Pa /etc/inetd.conf
Xserver-program entry to enable this capability.
X.Nm
Xuses
X.Pa /etc/hosts.allow
Xand
X.Pa /etc/hosts.deny
Xfor access control facility configurations, as described in
X.Xr hosts_access 5 .
X.Ss IPsec
XThe implementation includes a tiny hack to support IPsec policy settings for
Xeach socket.
XA special form of the comment line, starting with
X.Dq Li "#@" ,
Xis used as a policy specifier.
XThe content of the above comment line will be treated as an IPsec policy string,
Xas described in
X.Xr ipsec_set_policy 3 .
XMultiple IPsec policy strings may be specified by using a semicolon
Xas a separator.
XIf conflicting policy strings are found in a single line,
Xthe last string will take effect.
XA
X.Li "#@"
Xline affects all of the following lines in
X.Pa /etc/inetd.conf ,
Xso you may want to reset the IPsec policy by using a comment line containing
Xonly
X.Li "#@"
X.Pq with no policy string .
X.Pp
XIf an invalid IPsec policy string appears in
X.Pa /etc/inetd.conf ,
X.Nm
Xlogs an error message using
X.Xr syslog 3
Xand terminates itself.
X.Ss IPv6 TCP/UDP behavior
XIf you wish to run a server for IPv4 and IPv6 traffic,
Xyou'll need to run two separate processes for the same server program,
Xspecified as two separate lines on
X.Pa /etc/inetd.conf ,
Xfor
X.Dq tcp4
Xand
X.Dq tcp6 .
X.Dq tcp
Xmeans TCP on top of currently-default IP version,
Xwhich is, at this moment, IPv4.
X.Pp
XUnder various combinations of IPv4/v6 daemon settings,
X.Nm
Xwill behave as follows:
X.Bl -bullet -compact
X.It
XIf you have only one server on
X.Dq tcp4 ,
XIPv4 traffic will be routed to the server.
XIPv6 traffic will not be accepted.
X.It
XIf you have two servers on
X.Dq tcp4
Xand
X.Dq tcp6 ,
XIPv4 traffic will be routed to the server on
X.Dq tcp4 ,
Xand IPv6 traffic will go to the server on
X.Dq tcp6 .
X.It
XIf you have only one server on
X.Dq tcp6 ,
Xonly IPv6 traffic will be routed to the server.
XUnder certain configurations, the kernel may route IPv4 traffic
Xto the server as well.
XSee
X.Xr ip6 4
Xfor details.
X.El
X.\"
X.Sh FILES
X.Bl -tag -width /etc/hosts.allow -compact
X.It Pa /etc/inetd.conf
Xconfiguration file for all
X.Nm
Xprovided services
X.It Pa /etc/services
Xservice name to protocol and port number mappings.
X.It Pa /etc/protocols
Xprotocol name to protocol number mappings
X.It Pa /etc/rpc
X.Tn Sun-RPC
Xservice name to service number mappings.
X.It Pa /etc/hosts.allow
Xexplicit remote host access list.
X.It Pa /etc/hosts.deny
Xexplicit remote host denial of service list.
X.El
X.\"
X.Sh SEE ALSO
X.Xr hosts_access 3 ,
X.Xr hosts_access 5 ,
X.Xr hosts_options 5 ,
X.Xr protocols 5 ,
X.Xr rpc 5 ,
X.Xr services 5 ,
X.Xr comsat 8 ,
X.Xr fingerd 8 ,
X.Xr ftpd 8 ,
X.Xr rexecd 8 ,
X.Xr rlogind 8 ,
X.Xr rshd 8 ,
X.Xr telnetd 8 ,
X.Xr tftpd 8
X.Rs
X.%A J. Postel
X.%R RFC
X.%N 862
X.%D May 1983
X.%T "Echo Protocol"
X.Re
X.Rs
X.%A J. Postel
X.%R RFC
X.%N 863
X.%D May 1983
X.%T "Discard Protocol"
X.Re
X.Rs
X.%A J. Postel
X.%R RFC
X.%N 864
X.%D May 1983
X.%T "Character Generator Protocol"
X.Re
X.Rs
X.%A J. Postel
X.%R RFC
X.%N 867
X.%D May 1983
X.%T "Daytime Protocol"
X.Re
X.Rs
X.%A J. Postel
X.%A K. Harrenstien
X.%R RFC
X.%N 868
X.%D May 1983
X.%T "Time Protocol"
X.Re
X.Rs
X.%A M. Lottor
X.%R RFC
X.%N 1078
X.%D November 1988
X.%T "TCP port service Multiplexer (TCPMUX)"
X.Re
X.\"
X.Sh HISTORY
XThe
X.Nm
Xcommand appeared in
X.Bx 4.3 .
X.Pp
XSupport for
X.Em Sun-RPC
Xbased services is modeled after that
Xprovided by SunOS 4.1.
X.Pp
XSupport for specifying the local host address was added in
X.Nx 1.3
Xby Mike (der Mouse) Parker, possibly based on a patch originally posted
Xby Eric Smith
X.Aq eric@goonsquad.spies.com
Xaka
X.Aq eric@brouhaha.com .
X.Pp
XSupport for specifying the socket buffer sizes was added in
X.Nx 1.4 .
X.Pp
XIn November 1996, libwrap support was added to provide
Xinternal tcpd-like access control functionality;
Xlibwrap is based on Wietse Venema's tcp_wrappers.
X.Pp
XIPv6 support and the IPsec hack were added by the KAME project in 1999.
X.Pp
XSupport for specifying the default rate limiting parameters on the
Xcommand-line was added by
X.An Greg A. Woods ,
XPlanix, Inc.
X.Aq woods@planix.com .
X.Pp
XSupport for limiting the total number of outstanding connections was
Xpublished by
X.An Tomas Svensson
Xin the
X.Nx
XGNATS PR#15011 (perhaps taken from a similar feature found in
X.Fx 4 ).
X.Pp
XBetter connection logging support was added by
X.An Greg A. Woods ,
XPlanix, Inc.
X.Aq woods@planix.com .
X.\"
X.Sh BUGS
XHost address specifiers, while they make conceptual sense for RPC
Xservices, do not work entirely correctly.
XThis is largely because the portmapper interface does not provide
Xa way to register different ports for the same service on different
Xlocal addresses.
XProvided you never have more than one entry for a given RPC service,
Xeverything should work correctly (Note that default host address
Xspecifiers do apply to RPC lines with no explicit specifier.)
X.Pp
XThere should be some way to configure rate limiting on the built-in
X.Dq echo ,
X.Dq discard ,
Xand
X.Dq chargen
Xservices so that they can be enabled without posing a potential risk.
X.Pp
X.Dq tcpmux
Xon IPv6 is not tested enough.
X.\"
X.Sh SECURITY CONSIDERATIONS
XEnabling the
X.Dq chargen
Xbuilt-in service is not recommended because remote users may abuse it to
Xparticipate in a denial of network service from the local host without
Xneeding any other form of access to the local host.  Similarly the
X.Dq echo
Xbuilt-in service might be abused to force the local host to participate
Xin part of a wider form of network denial of service attack against some
Xother host.  Many people consider the
X.Dq discard
Xbuilt-in service to be potentially dangerous too since if it is enabled
Xa remote user can hold a long-lived network connection open to the local
Xhost, and potentially use it to soak up almost any amount of traffic
Xthat the network can deliver.
END-of-inetd.8
exit
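As an added illustration of the configuration file format described in the Configuration section of the man page above (example code, not the submitted patch and not NetBSD's inetd source), the following Python parses inetd.conf entries with the documented fields, the "addr:" default-address lines and the "#@" IPsec policy comments, and rejects entries the text says are invalid (buffer sizes on tcpmux services, an RPC version without an "rpc/" protocol, an unknown wait/nowait keyword). The dictionary keys it returns and the check() helper are this example's own, and the sample configuration at the end is constructed.

```python
"""Lint for the inetd.conf format documented in inetd(8) above.  Added example,
not NetBSD's inetd code; the dictionary keys it returns are this example's own."""
import re

SOCKET_TYPES = {"stream", "dgram", "raw", "rdm", "seqpacket"}


def parse_size(text: str) -> int:
    """Socket buffer size: a byte count, optionally suffixed with 'k' or 'm'."""
    m = re.fullmatch(r"(\d+)([km]?)", text.lower())
    if not m:
        raise ValueError(f"bad buffer size {text!r}")
    return int(m.group(1)) * {"": 1, "k": 1 << 10, "m": 1 << 20}[m.group(2)]


def parse_line(fields: list, default_addr: str, policy) -> dict:
    if len(fields) < 6:
        raise ValueError("expected at least 6 fields")
    addr, _, name = fields[0].rpartition(":")      # keeps IPv6 colons in addr
    tcpmux, versions = name.startswith("tcpmux/"), None
    if not tcpmux and "/" in name:                  # Sun-RPC "name/low[-high]"
        name, ver = name.split("/", 1)
        lo, _, hi = ver.partition("-")
        versions = (int(lo), int(hi or lo))
    if fields[1] not in SOCKET_TYPES:
        raise ValueError(f"bad socket type {fields[1]!r}")
    proto, *opts = fields[2].split(",")             # protocol[,sndbuf=][,rcvbuf=]
    bufs = {k: parse_size(v) for k, _, v in (o.partition("=") for o in opts)}
    if not set(bufs) <= {"sndbuf", "rcvbuf"}:
        raise ValueError(f"unknown protocol option in {fields[2]!r}")
    if bufs and tcpmux:
        raise ValueError("buffer sizes are not allowed for tcpmux services")
    if versions and not proto.startswith("rpc/"):
        raise ValueError("RPC version given without an rpc/ protocol")
    flag, *limits = re.split(r"[:.]", fields[3])    # '.' accepted as well as ':'
    if flag not in ("wait", "nowait"):
        raise ValueError(f"bad wait/nowait field {fields[3]!r}")
    limits = [int(x) if x else None for x in limits[:2]] + [None, None]
    m = re.fullmatch(r"([^:.]+)(?:[:.](.+))?", fields[4])   # user[:group]
    if not m:
        raise ValueError(f"bad user[:group] field {fields[4]!r}")
    prog, *lflags = fields[5].split(":")            # server-program[:l[prio][:i]]
    log, prio, ident = False, None, False
    for lf in lflags:
        if lf.startswith("l"):                      # l[priority], base 0 as strtol(3)
            log, prio = True, (int(lf[1:], 0) if len(lf) > 1 else prio)
        elif lf == "i":
            log = ident = True
        else:
            raise ValueError(f"unknown logging flag {lf!r}")
    return {"addr": addr or default_addr, "name": name, "socktype": fields[1],
            "protocol": proto, "wait": flag == "wait", "user": m.group(1),
            "group": m.group(2), "program": prog, "args": fields[6:],
            "tcpmux": tcpmux, "rpc_versions": versions, "bufs": bufs,
            "max_rate": limits[0], "max_conn": limits[1], "log": log,
            "log_prio": prio, "ident": ident, "ipsec_policy": policy}


def parse_inetd_conf(text: str) -> list:
    """Parse a whole file; "*:" is implied at the top, "#@ ..." sets IPsec policy."""
    services, default_addr, policy = [], "*", None
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split()
        if fields and fields[0].startswith("#@"):
            policy = raw.strip()[2:].strip() or None    # bare "#@" resets it
        elif not fields or fields[0].startswith("#"):
            continue
        elif len(fields) == 1 and fields[0].endswith(":"):
            default_addr = fields[0][:-1]               # applies to later lines
        else:
            try:
                services.append(parse_line(fields, default_addr, policy))
            except ValueError as e:
                raise ValueError(f"line {lineno}: {e}") from None
    return services


def check(line: str) -> bool:       # lint helper: is this one entry acceptable?
    try:
        parse_line(line.split(), "*", None)
        return True
    except ValueError:
        return False


SAMPLE = """\
# constructed sample exercising the documented syntax, not a real system's file
echo         stream  tcp   nowait:10:2  root    internal
tcpmux/+date stream  tcp   nowait       nobody  /bin/date  date
192.0.2.1:
ftp   stream  tcp,rcvbuf=64k,sndbuf=1m  nowait:20  root  /usr/libexec/ftpd:l:i  ftpd -ll
#@ in ipsec esp/transport//require
*:
rusersd/1-3  dgram  rpc/udp  wait  root:wheel  /usr/libexec/rpc.rusersd  rpc.rusersd
#@
telnet  stream  tcp6  nowait.5  root  /usr/libexec/telnetd:l0x28  telnetd
"""
```

Running parse_inetd_conf(SAMPLE) yields five entries: the ftp entry inherits 192.0.2.1 from the preceding "addr:" line and carries no IPsec policy (the "#@" line comes after it), the rusersd entry is back on "*" and carries the policy, and the bare "#@" resets the policy before the telnet entry. Because inetd logs an error and exits on a bad IPsec policy string, and disables a service on a bad entry, running this kind of check before sending SIGHUP is cheaper than discovering the problem in syslog.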


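The interaction of the max-rate limit, the -i interval, the -t err-timeout suspension and the max-conn queueing, as described in the Options and Configuration sections above, modelled in Python. This is an added example and not inetd's implementation: the class, its method names and the event list are this example's own, and its defaults (40 starts per 60 second interval, unlimited simultaneous children, 600 second suspension) are taken from the defaults the man page states, with zero meaning unlimited as for -R and -c.

```python
"""Model of the per-service limits in inetd(8) above: max-rate starts per -i
interval (exceeding it suspends the service for the -t err-timeout) and
max-conn simultaneous children (further connections queue until one exits).
Added example, not inetd's code; zero means unlimited, as for -R and -c."""
from collections import deque


class ServiceLimiter:
    # Defaults taken from the man page: 40 starts per 60 s, unlimited
    # simultaneous children, ten minute suspension after the rate is exceeded.
    def __init__(self, max_rate=40, interval=60, max_conn=0, err_timeout=600):
        self.max_rate, self.interval = max_rate, interval
        self.max_conn, self.err_timeout = max_conn, err_timeout
        self.starts = deque()        # start times still inside the interval
        self.active = 0              # children currently running
        self.pending = 0             # connections waiting because of max-conn
        self.disabled_until = None   # set when the rate limit trips
        self.log = []                # what inetd would report via syslog

    def connection(self, now):
        """Decide for a connection arriving at time `now` (seconds)."""
        if self.disabled_until is not None:
            if now < self.disabled_until:
                return "disabled"
            self.disabled_until = None              # err-timeout elapsed
            self.starts.clear()
            self.log.append(f"{now}: service re-enabled")
        while self.starts and now - self.starts[0] >= self.interval:
            self.starts.popleft()                   # forget starts outside the window
        if self.max_conn and self.active >= self.max_conn:
            self.pending += 1                       # held until a child exits
            return "queued"
        if self.max_rate and len(self.starts) >= self.max_rate:
            self.disabled_until = now + self.err_timeout
            self.log.append(f"{now}: rate limit exceeded, service disabled "
                            f"for {self.err_timeout}s")
            return "disabled"
        self.starts.append(now)
        self.active += 1
        return "spawn"

    def child_exit(self, now):
        """A child finished; the oldest queued connection is tried next."""
        self.active -= 1
        if self.pending:
            self.pending -= 1
            return self.connection(now)
        return None


def simulate(events, **limits):
    """Replay ('conn', t) / ('exit', t) events; return the decision for each conn
    and the messages the service would have logged."""
    lim, decisions = ServiceLimiter(**limits), []
    for kind, t in events:
        if kind == "conn":
            decisions.append(lim.connection(t))
        else:
            lim.child_exit(t)
    return decisions, lim.log


# Constructed event trace: two children run at once (max-conn 2), a third
# connection queues, and the third start within the interval trips max-rate 3.
SAMPLE_EVENTS = [("conn", 0), ("conn", 1), ("conn", 2), ("exit", 3),
                 ("conn", 4), ("exit", 5), ("conn", 6), ("conn", 700)]
```

With SAMPLE_EVENTS and max_rate=3, interval=60, max_conn=2, err_timeout=600 the decisions come out as spawn, spawn, queued, queued, disabled, spawn: the queued connection released at t=5 is the one that exceeds the rate, so the service is suspended until t=605 and the connection at t=700 is the first accepted again. The model makes the point the BUGS and SECURITY CONSIDERATIONS sections raise about echo, discard and chargen concrete: with -R 0 nothing ever trips, so a per-service max-rate is what bounds how fast a remote can make the host spawn servers.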
-- 
								Greg A. Woods

+1 416 218-0098;            <g.a.woods@ieee.org>;           <woods@robohack.ca>
Planix, Inc. <woods@planix.com>; VE3TCP; Secrets of the Weird <woods@weird.com>