inetd vs. xinet.d

email.listen at googlemail.com
Mon Sep 10 19:52:03 UTC 2007


On Mon, 10 September 2007 20:24:46, Darryl Tidd wrote:
[... cleared tofu ...]
> Mario Vukelic wrote:
> > On Mon, 2007-09-10 at 13:04 -0500, Darryl Tidd wrote:
> >> i   netkit-inetd  - The Internet Superserver
> >
> >  ^^so you have the netkit inetd installed (and that it's actually
> > running was confirmed by you  with the ps command that had been
> > suggested)
> Ok, so the next question is:
> Which is better to have run, inetd or xinetd?
> Darryl

An advantage of xinetd is that you can bind services to certain IPs or 
restrict services available only to certain (ranges) of client IPs.

As described in 'man xinetd.conf', the 'bind =' parameter:
bind
Allows  a  service to be bound to a specific interface on the machine.  This
means you can have a telnet server listening on a local, secured interface,
and not on the external interface.  Or one port on one  interface  can do
something, while the same port on a different interface can do something
completely different.
Syntax: bind = (ip address of interface).
E.g.: bind = 192.168.10.4
Where 192.168.10.4 is the IP of the network card pointing to your internal net.

Another advantage is that services can be restricted to a range of client IPs, 
e.g. if there are several subnets which shall differ in the available 
services. So you may allow only a range / subset of machines to have access 
to a running ftpd or sshd service.

See 'man xinetd.conf' again, the 'only_from =' parameter:
only_from
determines  the remote hosts to which the particular service is available.
Its value is a list of IP addresses which can be specified in any
combination of the following ways:
a) a numeric address in the form of %d.%d.%d.%d. If the rightmost components
   are 0, they are treated as wildcards  (for example, 128.138.12.0 matches
   all hosts on the 128.138.12 subnet).  0.0.0.0 matches all Internet
   addresses.  IPv6 hosts may be specified in the form of
   abcd:ef01::2345:6789.  The rightmost  rule  for IPv4 addresses does not
   apply to IPv6 addresses.
b) a  factorized  address  in  the form of %d.%d.%d.{%d,%d,...}.  There is no
   need for all 4 components (i.e. %d.%d.{%d,%d,...%d} is also ok).  However,
   the factorized part must be at the end of  the  address.   This form does
   not work for IPv6 hosts.
c) a network name (from /etc/networks). This form does not work for IPv6
   hosts.
d) a  host  name.  When a connection is made to xinetd, a reverse lookup is
   performed, and the canonical name returned is compared to the specified 
   host  name.   You  may  also  use  domain  names  in  the  form  of 
   .domain.com. 
   If the reverse lookup of the client’s IP is within .domain.com, a match
   occurs.
e) an  ip  address/netmask  range  in  the  form  of  1.2.3.4/32.  IPv6
   address/netmask ranges in the form of 1234::/46 are also valid.

Specifying this attribute without a value makes the service available to 
nobody.


regards,
thomas
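As an added illustration (not part of the post above, nor code from the xinetd project), the following Python checks a client address against an only_from list using the numeric forms a), b) and e) quoted from the man page; the name-based forms c) and d) need DNS or /etc/networks and are not handled. The function names and the sample only_from list are my own, and a spec with fewer than four octets (as produced by expanding form b) is assumed to treat the missing trailing octets as wildcards.

```python
import ipaddress
import re

# Form b): optional "%d." prefix, then {%d,%d,...} which must be at the end.
_FACTORIZED = re.compile(r"^((?:\d{1,3}\.)*)\{(\d{1,3}(?:,\d{1,3})*)\}$")
# Form a) for IPv4, also accepting fewer than four octets (see assumption above).
_NUMERIC_V4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){0,3}$")

def _v4_prefix_match(spec, client_octets):
    """Rightmost 0 octets are wildcards: 128.138.12.0 covers the whole
    128.138.12 subnet and 0.0.0.0 covers every IPv4 address."""
    octets = [int(o) for o in spec.split(".")]
    while octets and octets[-1] == 0:
        octets.pop()
    return client_octets[:len(octets)] == octets

def _spec_allows(spec, ip):
    if "/" in spec:                                  # form e): address/netmask
        net = ipaddress.ip_network(spec, strict=False)
        return ip.version == net.version and ip in net
    if ip.version == 4:
        octets = [int(o) for o in str(ip).split(".")]
        m = _FACTORIZED.match(spec)                  # form b): %d.%d.{%d,%d,...}
        if m:
            return any(_v4_prefix_match(m.group(1) + c, octets)
                       for c in m.group(2).split(","))
        if _NUMERIC_V4.match(spec):                  # form a), IPv4
            return _v4_prefix_match(spec, octets)
        return False                                 # names (forms c, d) not handled
    try:                                             # form a), IPv6: exact match only
        return ipaddress.ip_address(spec) == ip
    except ValueError:
        return False

def only_from_allows(only_from, client):
    """True if client (an IPv4/IPv6 literal) matches any only_from entry.
    An empty only_from means the service is available to nobody."""
    ip = ipaddress.ip_address(client)
    return any(_spec_allows(spec, ip) for spec in only_from)

# Constructed sample, as it would appear in a service stanza:
#   only_from = 192.168.10.0 10.0.{1,2} 2001:db8::/32
SAMPLE_ONLY_FROM = ["192.168.10.0", "10.0.{1,2}", "2001:db8::/32"]

if __name__ == "__main__":
    for host in ("192.168.10.77", "192.168.11.5", "10.0.2.9", "2001:db8:1::1"):
        print(host, "allowed" if only_from_allows(SAMPLE_ONLY_FROM, host) else "denied")
```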



