From: cpghost <cpghost@cordula.ws>
Date: Fri, 06 May 2005 02:32:41 +0200
To: freebsd@orchid.homeunix.org
Cc: freebsd-questions@freebsd.org
Subject: Re: Inetd and a service listening only on localhost

Karol Kwiatkowski wrote:
> I've never used inetd and I'm not sure what will happen if a
> connection is made from outside to a service which is configured to
> listen only on localhost.

When you use inetd, the spawned process gets its data from stdin, not
from a socket. It is irrelevant that the spawned program listens on
localhost (in addition to stdin). It's the stdin path of that program
that you should watch when using inetd. Of course, you could use TCP
Wrappers in inetd.

Or check out inetd's -a flag to bind inetd only to localhost (but check
with sockstat -l that inetd REALLY honors this flag!). Setting -a for
inetd is a global change though that affects everything that you start
through inetd!

But why won't you use a firewall like pf or ipfw to protect the service
in the first place? Just do this in addition to TCP Wrapper's
hosts_access(5) and inetd's "-a 127.0.0.1" setting. It's better to be
safe than sorry :-)

> Is it possible to run a service listening only on localhost with inetd?
> How to configure inetd in such case (an entry in /etc/hosts.allow?)
> or should I disable such configuration?

If you want to set the -a flag to bind inetd to localhost only, override
inetd_flag in /etc/rc.conf (from the value it has in
/etc/defaults/rc.conf), then restart inetd.

> Regards,
>
> Karol

Good luck!
-cpghost.

--
Cordula's Web. http://www.cordula.ws/
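A script for the "check with sockstat -l" step the reply recommends, added here as an example and not part of the original thread. The sockstat lines it parses are constructed, and it assumes the column layout of FreeBSD's sockstat -l (PROTO in column 5, LOCAL ADDRESS in column 6).

```shell
#!/bin/sh
# Flags inetd sockets that are NOT bound to a loopback address, i.e. cases
# where the -a 127.0.0.1 setting was not applied or not honored.

# Constructed sample in the style of `sockstat -l` output (not real data).
SAMPLE='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     inetd      512   5  tcp4   127.0.0.1:21          *:*
root     inetd      512   6  tcp4   *:23                  *:*
root     inetd      512   7  tcp6   ::1:23                *:*
root     sshd       480   4  tcp4   *:22                  *:*'

# Reads sockstat -l output on stdin; prints "PROTO LOCALADDR" for every
# inetd socket whose local address is not 127.0.0.1 or ::1.
inetd_nonlocal_listeners() {
    awk 'NR > 1 && $2 == "inetd" {
        addr = $6
        sub(/:[^:]*$/, "", addr)      # strip the trailing :port
        if (addr != "127.0.0.1" && addr != "::1")
            print $5, $6
    }'
}

# Returns 0 when every inetd listener is loopback-only, 1 otherwise.
check_inetd_loopback_only() {
    bad=$(inetd_nonlocal_listeners)
    if [ -n "$bad" ]; then
        printf 'inetd listening on non-loopback address(es):\n%s\n' "$bad" >&2
        return 1
    fi
    echo "inetd listeners are loopback-only"
}

# Stand-alone run against the constructed sample. On a live host, run:
#   sockstat -l | check_inetd_loopback_only
if printf '%s\n' "$SAMPLE" | check_inetd_loopback_only; then
    echo "OK"
else
    echo "FAIL: review the inetd flags in /etc/rc.conf and re-check"
fi
```

The sample deliberately contains one wildcard inetd socket (*:23), so the stand-alone run reports a failure.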