Hello, Is there any advantage to using xinetd over inetd? Anyone have any experience with this in 7.0? thankx
As with anything else in Linux, the advantage is preference. But xinetd does allow for log handling and very simple security measures similar to those of firewalls. In other words, you can restrict services via xinetd to certain domains or hostnames. You can also choose what kind of error or just access logging you want to do based on the service. It allows a nice modular service management. But as for real power advantages, I see none for xinetd over inetd, I actually still use inetd. As for experience with it and Suse 7.0, I have some, and it worked without a hitch.
Oh yeah, one neat thing you can do is have the xinetd.conf file include everything from a directory, say /etc/xinetd.d/, and have individual files in there that correspond to each service. I think that RedHat 7 does it this way. Just an interesting way of administering things.
michael
On Mon, 5 Mar 2001, Ahmed Mohammad wrote:
Hello,
Is there any advantage to using xinetd over inetd? Anyone have any experience with this in 7.0?
thankx
On Mon, 5 Mar 2001, Michael Chletsos wrote:
As with anything else in linux, the advantage is preference. But xinetd
Yes, mainly :)
But as for real power advantages, I see none for xinetd over inetd, I actually still use inetd. As for experience with it and Suse 7.0, I have some, and it worked without a hitch.
One nice thing is, I can bind a service to a specific IP. But there is a bug with IPv6, which is enabled on the SuSE 7.0 distro. But I can't remember if there is a working update or not (I'm using my own version/package).
Bye Andre'
Dear Mohammad,
I have experience using xinetd; there are a few major advantages over using inetd. You can add restrictions for the clients that can use the service. So if you set up telnet or pop3 you can restrict the addresses that can use it. This is not possible with inetd, where you have to use a portwrapper or a firewall to accomplish this. By the way, I don't want to suggest that xinetd can replace a firewall. That is not true.
Regards, Joop Boonen.
Ahmed Mohammad wrote:
Hello,
Is there any advantage to using xinetd over inetd? Anyone have any experience with this in 7.0?
thankx
On Tue, 6 Mar 2001, Joop Boonen wrote:
service. So if you set-up telnet or pop3 you can restrict the addresses that can use it. This is not possible with inetd that you have to use a portwrapper or a firewall to accomplish this.
Are you sure? I read something else a while ago on this list. You should do perhaps a "man inetd"... Cheers, Peter -- Peter Münster http://notrix.net/pm-vcard
Peter Münster wrote:
On Tue, 6 Mar 2001, Joop Boonen wrote:
service. So if you set-up telnet or pop3 you can restrict the addresses that can use it. This is not possible with inetd that you have to use a portwrapper or a firewall to accomplish this.
I meant client addresses.
Are you sure? I read something else a while ago on this list. You should do perhaps a "man inetd"...
What I see in man inetd is that you can specify a local address, so if an interface has more than one IP address, or when you have multiple interfaces. But every person can still use the specified service when it's connected to the right IP address/port. Correct me when I'm wrong.
Cheers, Peter
-- Peter Münster http://notrix.net/pm-vcard
--------------------------------------------------------------------- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com
On Tue, 6 Mar 2001, Joop Boonen wrote:
service. So if you set-up telnet or pop3 you can restrict the addresses that can use it. This is not possible with inetd that you have to use a portwrapper or a firewall to accomplish this. I meant client addresses.
Are you sure? I read something else a while ago on this list. You should do perhaps a "man inetd"...
What I see in man inetd is that you can specify a local address, so if an interface has more than one IP address, or when you have multiple interfaces. But every person can still use the specified service when it's connected to the right IP address/port. Correct me when I'm wrong.
I don't know, I've never read the manual of inetd... But it seems, that I didn't understand that *major advantage*. Is it just the functionality of tcpd? Peter -- Peter Münster http://notrix.net/pm-vcard
Peter Münster wrote:
On Tue, 6 Mar 2001, Joop Boonen wrote:
service. So if you set-up telnet or pop3 you can restrict the addresses that can use it. This is not possible with inetd that you have to use a portwrapper or a firewall to accomplish this. I meant client addresses.
Are you sure? I read something else a while ago on this list. You should do perhaps a "man inetd"...
What I see in man inetd is that you can specify a local address, so if an interface has more than one IP address, or when you have multiple interfaces. But every person can still use the specified service when it's connected to the right IP address/port. Correct me when I'm wrong.
I don't know, I've never read the manual of inetd... But it seems, that I didn't understand that *major advantage*. Is it just the functionality of tcpd? Peter
-- Peter Münster http://notrix.net/pm-vcard
Dear Peter,
I'll try to explain with the xinetd.conf file. I'll add the comments by means of #* .
Regards, Joop Boonen.

    #
    # xinetd.conf
    #
    # Copyright (c) 1998-99 SuSE GmbH Nuernberg, Germany.
    #
    defaults
    {
    #* below produces log lines in the mentioned cases
            log_type        = FILE /var/log/xinetd.log
            log_on_success  = HOST EXIT DURATION
            log_on_failure  = HOST ATTEMPT RECORD
    #* below only allows connections from 192.168.2.4 localhost
    #* this affects all services mentioned below, here pop3
            only_from       = 192.168.2.4 localhost
            instances       = 2
    #
    # The specification of an interface is interesting, if we are on a firewall.
    # For example, if you only want to provide services from an internal
    # network interface, you may specify your internal interfaces IP-Address.
    #
    #       interface       = 192.168.2.1
    #
    }
    ##
    ## Now the definitions of the different services
    ##
    ##
    service pop3
    {
            socket_type     = stream
            protocol        = tcp
            wait            = no
            user            = root
            server          = /usr/sbin/ipop3d
    }
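An added example, not part of the original thread and not xinetd's own code: a small Python audit that parses an xinetd.conf like the one above and reports, per service, whether its only_from restriction is set in the service entry, inherited from the defaults entry, or absent. The finger entry, the sample text and the function names are assumptions made for the illustration.

```python
import re

# Constructed sample modelled on the xinetd.conf in the message above; the
# "finger" entry is hypothetical, added to show a per-service only_from.
SAMPLE = """
defaults
{
    only_from = 192.168.2.4 localhost
}
service pop3
{
    socket_type = stream
    server      = /usr/sbin/ipop3d
}
service finger
{
    only_from = 10.0.0.0/8    # hypothetical per-service restriction
    server    = /usr/sbin/in.fingerd
}
"""

ENTRY = re.compile(r"^\s*(defaults|service\s+(\S+))\s*\{(.*?)^\s*\}", re.M | re.S)
ATTR = re.compile(r"^\s*(\w+)\s*(\+=|-=|=)\s*(.*?)\s*$")

def parse(text):
    """Return (defaults, services). Values are word lists; "=" and "+="
    accumulate, "-=" removes the listed words."""
    entries = {}
    for m in ENTRY.finditer(text):
        attrs = {}
        for line in m.group(3).splitlines():
            a = ATTR.match(line.split("#", 1)[0])    # strip comments
            if not a:
                continue
            name, op, vals = a.group(1), a.group(2), a.group(3).split()
            cur = attrs.get(name, [])
            attrs[name] = [v for v in cur if v not in vals] if op == "-=" else cur + vals
        entries[m.group(2)] = attrs                  # key None is the defaults entry
    return entries.pop(None, {}), entries

def client_acl(text):
    """Map service -> (origin of only_from, allowed sources); an only_from
    with no value gives an empty list, meaning no client is allowed."""
    defaults, services = parse(text)
    acl = {}
    for name, attrs in services.items():
        src = "service" if "only_from" in attrs else \
              "defaults" if "only_from" in defaults else "unrestricted"
        acl[name] = (src, attrs.get("only_from", defaults.get("only_from", [])))
    return acl
```

The sketch does not follow include directives, so per-service files kept in a directory such as /etc/xinetd.d/ have to be concatenated into the input first.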
Well, xinetd basically has tcpd built in - and you can specify times of day
when things can be accessed, max number of processes to fork at a time, and
so on. The downside is that most of the tools for installing things know
the inetd format but not the xinetd format, so that's a bit of a downer, but
the xinetd.conf format is pretty easy to learn.
Whether or not that constitutes major advantages is very much in the eye of
the beholder...but I happen to like it.
Martin Jackson
===================
mhjacks@nwa.quik.com
----- Original Message -----
From: Peter Münster
On Tue, 6 Mar 2001, Joop Boonen wrote:
service. So if you set-up telnet or pop3 you can restrict the addresses that can use it. This is not possible with inetd that you have to use a portwrapper or a firewall to accomplish this. I meant client addresses.
Are you sure? I read something else a while ago on this list. You should do perhaps a "man inetd"...
What I see in man inetd is that you can specify a local address, so if an interface has more than one IP address, or when you have multiple interfaces. But every person can still use the specified service when it's connected to the right IP address/port. Correct me when I'm wrong.
I don't know, I've never read the manual of inetd... But it seems, that I didn't understand that *major advantage*. Is it just the functionality of tcpd? Peter
-- Peter Münster http://notrix.net/pm-vcard
On Wed, Mar 07, 2001 at 08:03:13PM -0600, Marty Jackson wrote:
Well, xinetd basically has tcpd built in - and you can specify times of day when things can be accessed, max number of processes to fork at a time, and so on. The downside is that most of the tools for installing things know the inetd format but not the xinetd format, so that's a bit of a downer, but the xinetd.conf format is pretty easy to learn.
Whether or not that constitutes major advantages is very much in the eye of the beholder...but I happen to like it.
Would xinetd allow me to set up a smtpd service on my router like tcpwrappers? a version with RELAYCLIENT for the internal net and a version without it for the external net? I've read the docs, but I can't seem to find any info about adding the same service "twice". Thanks, Jurriaan -- Linux is like a wigwam: no gates, no windows, and an apache inside. Joerg Beyer GNU/Linux 2.4.2-ac13 SMP/ReiserFS 2x1743 bogomips load av: 0.02 0.01 0.00
On Thu, Mar 08, 2001 at 07:14 +0100, thunder7@xs4all.nl wrote:
Would xinetd allow me to set up a smtpd service on my router like tcpwrappers?
a version with RELAYCLIENT for the internal net and a version without it for the external net? I've read the docs, but I can't seem to find any info about adding the same service "twice".
I'm not absolutely positive about *inetd. But if you want to set environment variables depending on who's connecting to the service, goto http://cr.yp.to/ and look at the ucspi-tcp package. Example usages of this very scenario can be found in qmail-smtpd and axfrdns setups. And since the ACL is kept in cdb format, it's quite efficient and easy to update. BTW where did you get the "suse-security@ns2.suse.com" address from? It wasn't in the message you replied to. Adjust your addressbook, please. virtually yours 82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76 Gerhard Sittig true | mail -s "get gpg key" Gerhard.Sittig@gmx.net -- If you don't understand or are scared by any of the above ask your parents or an adult to help you.
On Mon, Mar 05, 2001 at 11:33:57AM +0100, Ahmed Mohammad wrote:
Hello,
Is there any advantage to using xinetd over inetd? Anyone have any experience with this in 7.0?
I found that xinetd did not work with in.talkd for some reason I have forgotten. Therefore, on one machine where I wanted to use xinetd I use inetd in parallel (inetd for in.talkd only, and xinetd for the rest). Gruesse, Peter -- +49-911-74053-340 ---------------------------------------------------------------------- Remember, even if you win the rat race -- you're still a rat.
On Thursday 08 March 2001 20:13, you wrote:
On Mon, Mar 05, 2001 at 11:33:57AM +0100, Ahmed Mohammad wrote:
Hello,
Is there any advantage to using xinetd over inetd? Anyone have any experience with this in 7.0?
I found that xinetd did not work with in.talkd for some reason I have forgotten. Therefore, on one machine where I wanted to use xinetd I use inetd in parallel (inetd for in.talkd only, and xinetd for the rest).
Gruesse, Peter
Well, here you have my setup:

    service talk
    {
            flags           = REUSE NAMEINARGS
            socket_type     = dgram
            protocol        = tcp
            wait            = yes
            user            = root
            instances       = 4
            server          = /usr/sbin/tcpd
            server_args     = /usr/sbin/in.talkd
    }

It's working here, so I don't think it's a xinetd problem
-- Vadim http://sheelab.dynodns.net http://sheelab.homecreatures.com ICQ 71242087
On Thu, Mar 08, 2001 at 08:26:24PM +0100, vadim wrote:
On Thursday 08 March 2001 20:13, you wrote:
On Mon, Mar 05, 2001 at 11:33:57AM +0100, Ahmed Mohammad wrote:
I found that xinetd did not work with in.talkd for some reason I have forgotten. Therefore, on one machine where I wanted to use xinetd I use inetd in parallel (inetd for in.talkd only, and xinetd for the rest).
Well, here you have my setup:

    service talk
    {
            flags           = REUSE NAMEINARGS
            socket_type     = dgram
            protocol        = tcp
            wait            = yes
            user            = root
            instances       = 4
            server          = /usr/sbin/tcpd
            server_args     = /usr/sbin/in.talkd
    }

It's working here, so I don't think it's a xinetd problem
Oh, that works. I see that I was completely wrong with the parameters that I tried. I also discovered that I was wrong when I stated that I used both inetd's at the same time :-/ Thanks! Cheers, Peter -- +49-911-74053-340 ---------------------------------------------------------------------- Remember, even if you win the rat race -- you're still a rat.
participants (10): Ahmed Mohammad, andre.breiler@informatik.tu-chemnitz.de, Gerhard Sittig, Joop Boonen, Marty Jackson, Michael Chletsos, Peter Münster, Peter Poeml, thunder7@xs4all.nl, vadim