*nix Documentation Project
·  Home
 +   man pages
·  Linux HOWTOs
·  FreeBSD Tips
·  *niX Forums

  man pages->HP-UX 11i man pages -> inetd.sec (4)              
Title
Content
Arch
Section
 

Contents


 inetd.sec(4)                                                   inetd.sec(4)




 NAME    [Toc]    [Back]
      inetd.sec - optional security file for inetd

 DESCRIPTION    [Toc]    [Back]
      When inetd accepts a connection from a remote system, it checks the
      address of the host requesting the service against the list of hosts
      to be allowed or denied access to the specific service (see
      inetd(1M)).  The file inetd.sec allows the system administrator to
      control which hosts (or networks in general) are allowed to use the
      system remotely.  This file constitutes an extra layer of security in
      addition to the normal checks done by the services.  It precedes the
      security of the servers; that is, a server is not started by the
      Internet daemon unless the host requesting the service is a valid host
      according to inetd.sec.

      If file /var/adm/inetd.sec does not exist, security is limited to that
      implemented by the servers.  inetd.sec and the directory /var/adm
      should be writable only by their owners.  Changes to inetd.sec apply
      to any subsequent connections.

      Lines in inetd.sec beginning with # are comments.  Comments are not
      allowed at the end of a line of data.

      The lines in the file contain a service name, permission field, and
      the Internet addresses or official names of the hosts and networks
      allowed to use that service in the local host.  The fields in each
      line are as follows:

           <service name> <allow|deny> <host/net addresses, host/net names>

      service name is the name (not alias) of a valid service in file
      /etc/services.  The service name for RPC-based services (NFS) is the
      name (not alias) of a valid service in file /etc/rpc.  A service name
      in /etc/rpc corresponds to a unique RPC program number.

      allow|deny determines whether the list of remote hosts in the next
      field is allowed or denied access to the specified service.  Multiple
      allow|deny lines for each service are not unsupported.  If there are
      multiple allow|deny lines for a particular service, all but the last
      line are ignored.

      Addresses and names are separated by white space.  Any mix of
      addresses and names is allowed.  To continue a line, terminate it with
      \.

      Host names and network names are the official names of the hosts or
      networks as returned by gethostbyaddr() or getnetbyaddr(),
      respectively.  Wildcard characters (*) and range characters (-) are
      allowed.  The * and the - can be present in any of the fields of the
      address.  An address field is a string of characters separated by a
      dot (.).



 Hewlett-Packard Company            - 1 -   HP-UX 11i Version 2: August 2003






 inetd.sec(4)                                                   inetd.sec(4)




 EXAMPLES    [Toc]    [Back]
      Use a wildcard character to permit a whole network to communicate with
      the local host without having to list all the hosts in that network.
      For example, to allow all hosts with network addresses starting with a
      10, as well as the single host with address 192.54.24.5 to use rlogin:

           login      allow   10.*  192.54.24.5

      On a system running NFS, deny host 192.54.24.5 access to sprayd, an
      RPC-based server:

           sprayd     deny    192.54.24.5

      A range is a field containing a - character.  To deny hosts in network
      10 (arpa) with subnets 3 through 5 access to remsh:

           shell      deny    10.3-5.*

      The following entry denies rlogin access to host cory.berkeley.edu,
      any hosts on the network named testlan, and the host with internet
      address 192.54.24.5:

           login      deny    192.54.24.5 cory.berkeley.edu testlan

      If a remote service is not listed in the security file, or if it is
      listed but it is not followed by allow or deny, all remote hosts can
      attempt to use it.  Security is then provided by the service itself.
      The following lines, if present in inetd.sec, allow or deny access to
      the service indicated:

           Allow all hosts to use ftp:

                ftp

           Deny all access to the shell service; i.e., remsh:

                shell   deny

           Allow access to the shell service by any host:

                shell   allow
           or
                shell

    IPv6 FUNCTIONALITY    [Toc]    [Back]
      For an IPv6 service, an IPv6 address can be specified in the host
      address field of inetd.sec.  The host address field can contain IPv6
      addresses, IPv4 addresses, or both.  This specification includes the
      IPv4 mapped IPv6 addresses also.





 Hewlett-Packard Company            - 2 -   HP-UX 11i Version 2: August 2003






 inetd.sec(4)                                                   inetd.sec(4)




      Host names for IPv6 services are the official names of the hosts
      returned by getaddrinfo().

      The wildcard characters (*) and range characters (-) are not supported
      for IPv6 addresses. The equivalent for the wildcard character (*) is
      provided in the form of subnet_prefix followed by a forward-slash (/)
      and prefix_length.  See the IPv6 Examples section for more details.

    IPv6 EXAMPLES    [Toc]    [Back]
      To allow an IPv6 host with address fe80::210:83ff:feb9:903f and an
      IPv4 host with address 192.54.24.5 in order to use the telnet service,
      an entry in the inetd.sec file should be as follows :

           telnet      allow   fe80::210:83ff:feb9:903f  192.54.24.5

      The following entry denies ftp access to all hosts with a prefix fe80:

           ftp         deny    fe80::/16

 WARNINGS    [Toc]    [Back]
      IPv6 is supported on HP-UX 11i Version 1.0, with the optional IPv6
      software installed.  Currently, IPv6 is not supported on systems
      running HP-UX 11i Version 1.6.

 AUTHOR    [Toc]    [Back]
      inetd.sec was developed by HP.

      NFS was developed by Sun Microsystems, Inc.

 FILES    [Toc]    [Back]
      /var/adm/inetd.sec

 SEE ALSO    [Toc]    [Back]
      inetd(1M), gethostent(3N), getaddrinfo(3N), getnetent(3N), hosts(4),
      inetd.conf(4), networks(4), protocols(4), rpc(4), services(4).


 Hewlett-Packard Company            - 3 -   HP-UX 11i Version 2: August 2003
[ Back ]
      
      
 Similar pages
Name OS Title
inetd.conf HP-UX configuration file for inetd
ldohseek Tru64 seek to the optional file header of a common object file
ldohseek IRIX seek to the optional file header of a common object file
inetd.conf Tru64 The default configuration files for the inetd daemon
inetd.conf.local Tru64 The default configuration files for the inetd daemon
update-inetd Linux create, remove, enable or disable entry in /etc/inetd.conf
Add_disk IRIX add an optional disk to the system
present IRIX Determines whether an optional argument is present
rectcopy IRIX copies a rectangle of pixels with an optional zoom
mkisofs Tru64 Creates a hybrid ISO9660/JOLIET/HFS filesystem with optional Rock Ridge attributes.
Copyright © 2004-2005 DeniX Solutions SRL
newsletter delivery service