inetd vs. xinet.d
email.listen at googlemail.com
Mon Sep 10 19:52:03 UTC 2007
On Mon, 10 September 2007 20:24:46, Darryl Tidd wrote:
[... cleared tofu ...]
> Mario Vukelic wrote:
> > On Mon, 2007-09-10 at 13:04 -0500, Darryl Tidd wrote:
> >> i netkit-inetd - The Internet Superserver
> >
> > ^^so you have the netkit inetd installed (and that it's actually
> > running was confirmed by you with the ps command that had been
> > suggested)
> Ok, so the next question is:
> Which is better to have run, inetd or xinetd?
> Darryl
An advantage of xinetd is that you can bind services to certain IPs or
restrict services to certain client IPs (or ranges of them).
As described in 'man xinetd.conf', the 'bind = ' parameter:
bind
Allows a service to be bound to a specific interface on the machine. This
means you can have a telnet server listening on a local, secured interface,
and not on the external interface. Or one port on one interface can do
something, while the same port on a different interface can do something
completely different.
Syntax: bind = (ip address of interface).
E.g.: bind = 192.168.10.4
Where 192.168.10.4 is the IP of the network card pointing to your internal net
Another advantage is that services can be restricted to a range of client IPs,
e.g. if there are several subnets which should differ in the services available
to them. So you may allow only a range / subset of machines to have access
to a running ftpd or sshd service.
See 'man xinetd.conf' again, the "only_from = " parameter:
only_from
determines the remote hosts to which the particular service is available.
Its value is a list of IP addresses which can be specified in any
combination of the following ways:
a) a numeric address in the form of %d.%d.%d.%d. If the rightmost components
are 0, they are treated as wild‐cards (for example, 128.138.12.0 matches
all hosts on the 128.138.12 subnet). 0.0.0.0 matches all Internet
addresses. IPv6 hosts may be specified in the form of
abcd:ef01::2345:6789. The rightmost rule for IPv4 addresses does not
apply to IPv6 addresses.
b) a factorized address in the form of %d.%d.%d.{%d,%d,...}. There is no
need for all 4 components (i.e. %d.%d.{%d,%d,...%d} is also ok). However,
the factorized part must be at the end of the address. This form does
not work for IPv6 hosts.
c) a network name (from /etc/networks). This form does not work for IPv6
hosts.
d) a host name. When a connection is made to xinetd, a reverse lookup is
performed, and the canonical name returned is compared to the specified
host name. You may also use domain names in the form of
.domain.com.
If the reverse lookup of the client’s IP is within .domain.com, a match
occurs.
e) an ip address/netmask range in the form of 1.2.3.4/32. IPv6
address/netmask ranges in the form of 1234::/46 are also valid.
Specifying this attribute without a value makes the service available to
nobody.
regards,
thomas