Updated: April 19, 2023
Super-server configuration file (UNIX)
/etc/inetd.conf
The /etc/inetd.conf file is the default configuration file for the inetd (super-server) daemon.
Alternatively, in the inetd configuration file, replace references to in.sshd with sshd.
The file must have an entry in each of its fields, with each field separated by a tab or a space. Comments are denoted by a pound sign (#) at the beginning of a line.
The fields in the configuration file are:
[addr:]service-name | service-name/version socket-type protocol[,sndbuf=size][,rcvbuf=size] wait|nowait[:max] user[:group] server-program server program arguments
Here's a description of the arguments:
When a line contains an address specifier and colon only (no service-name field is specified), the address specifier is assumed for all further lines until another line with an explicit address specifier appears, or until the end of the file is reached.
For internal services (see server program arguments), the service name must be the official name of the service (i.e., the first entry in /etc/services).
If you need to specify an IP version explicitly, use protocols such as tcp4 (for IPv4) or udp6 (for IPv6). Protocols, such as tcp or udp, default to the current IP version (currently IPv4).
For RPC-based services, you must prefix the protocol with rpc/ (e.g., rpc/udp).
tcp,rcvbuf=16384
tcp,sndbuf=64k
tcp,rcvbuf=64k,sndbuf=1m
The size may be given as a literal value, optionally modified with k (for kilobytes) or m (for megabytes). Socket buffer sizes may be specified for all services and protocols except for the TCP port service multiplexer (TCPMUX) services.
If a datagram server processes all incoming datagrams on a socket and eventually times out, that server is said to be single-threaded and should use a wait entry. The tftpd daemon is an exception; it's a datagram server that establishes pseudo-connections. It must be listed as wait in order to avoid a race; the server reads the first packet, creates a new socket, and then forks and exits to let inetd check for new service requests to spawn new servers.
Stream servers are usually marked as nowait, but if a single server process is to handle multiple connections, it may be marked as wait. The master socket is passed as fd 0 to the server, which then needs to accept the incoming connection. The server should eventually time out and exit when no more connections are active. The inetd daemon will continue to listen on the master socket for connections. The identd server is usually the only stream server marked as wait.
A group name is specified by appending a colon or dot (allowed for backwards compatibility) to the user name followed by the group name.
Setting the IPsec policy
You can specify the IPsec policy setting for each socket in a special comment line. A line that starts with the special comment #@ identifies the policy specifier, and the content of the comment line is treated as the IPsec policy string.
Valid policy settings for /etc/inetd.conf include:
direction bypass
direction entrust
direction ipsec request ...
Multiple IPsec policy strings may be specified using semicolons as separators. If conflicting strings are found in a single line, the last string takes effect.
When a policy specifier is set with #@, all further lines in the /etc/inetd.conf configuration file are also affected. You can reset the IPsec policy by inserting a comment line without a policy string (i.e., a comment line containing #@ only).
If an invalid IPsec policy string appears in /etc/inetd.conf, inetd logs error messages using syslog() and then terminates.
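Because both a bare address specifier and a #@ policy line silently apply to every later entry, it helps to resolve what is actually in effect for each service when reviewing a file. The following is an added example, not part of the original documentation: a small Python parser that tracks both kinds of state. It assumes an address written inline on a service line applies to that line only; the sample input is constructed and the flagging rule is the example's own heuristic.

```python
import re

# Constructed sample input; addresses, paths and policy strings are illustrative.
SAMPLE = """\
# constructed inetd.conf for this example
ftp stream tcp nowait root /usr/sbin/ftpd in.ftpd -el
#@ in ipsec esp/transport//require; out ipsec esp/transport//require
127.0.0.1:
telnet stream tcp4 nowait root /usr/sbin/telnetd in.telnetd
#@
tftp dgram udp,rcvbuf=64k wait nobody.nogroup /usr/sbin/tftpd in.tftpd
192.0.2.10:ssh stream tcp6 nowait:10 root:daemon /usr/sbin/sshd in.sshd -i
"""

def parse_inetd_conf(text):
    """Return one dict per service line with the address and IPsec policy in effect."""
    addr, policy, entries = None, [], []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#@"):  # sets the policy for later lines; bare "#@" resets
            policy = [p.strip() for p in line[2:].split(";") if p.strip()]
            continue
        if not line or line.startswith("#"):
            continue
        f = line.split()
        if len(f) == 1 and f[0].endswith(":"):  # address-only line: sticky default
            addr = f[0][:-1]
            continue
        if len(f) < 6:
            raise ValueError(f"incomplete entry: {raw!r}")
        a, sep, service = f[0].rpartition(":")  # last colon, so IPv6 addresses survive
        proto, *opts = f[2].split(",")
        wait, _, limit = f[3].partition(":")
        user, _, group = re.sub(r"[:.]", ":", f[4], count=1).partition(":")
        entries.append({
            "addr": a if sep else addr, "service": service, "socket": f[1],
            "proto": proto, "bufs": dict(o.split("=", 1) for o in opts),
            "wait": wait, "max": limit or None, "user": user, "group": group or None,
            "program": f[5], "args": f[6:], "policy": list(policy)})
    return entries

def root_without_ipsec(entries):
    """Example heuristic (assumption): root, no address binding, no 'ipsec' policy."""
    return [e["service"] for e in entries
            if e["user"] == "root" and e["addr"] is None
            and not any(p.split()[1:2] == ["ipsec"] for p in e["policy"])]

if __name__ == "__main__":
    print("review:", root_without_ipsec(parse_inetd_conf(SAMPLE)))
```

In the sample, tftp inherits the 127.0.0.1 address from the earlier address-only line even though the IPsec policy was reset just above it, which is easy to miss when reading the file by eye.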
IPv6 TCP/UDP behavior
If you want to run a server for both IPv4 and IPv6 traffic, you'll need to run two separate processes for the same server program. You do this by adding two separate lines in inetd.conf, one for tcp4 and one for tcp6.
Under various combinations of IPv4/v6 daemon settings, inetd behaves as follows:
If you have: | IPv4 traffic: | IPv6 traffic: |
---|---|---|
Only one server on tcp4 | Routed to the server | Isn't accepted |
Two servers: one on tcp4 and one on tcp6 | Routed to the server on tcp4 | Routed to the server on tcp6 |
Only one server on tcp6 | For certain configurations, may be routed to the tcp6 server (see the IP6 protocol page for details). | Routed to the server on tcp6. |
The following is an example from a working inetd.conf file:
ftp stream tcp nowait root /usr/sbin/ftpd in.ftpd -el
where: