1999-08-27 23:37:10 +00:00
# $FreeBSD$
1993-06-20 13:41:45 +00:00
#
# Internet server configuration database
#
Default to disabling all inetd.conf entries, in particular, telnetd
and ftpd. This more conservative default reduces the exposure of
freshly installed machines, which is especially valuable for machines
that receive minimal further configuration before being put into
production. Generally speaking, SSH has superseded the use of both
telnet and ftp in many environments. In light of recent remotely
exploitable security holes in both telnetd and ftpd, this choice
retains flexibility (both telnetd and ftpd daemons remain installed
and easily enableable) while protecting users who don't need the
additional risk. This change brings our configuration into line with
the majority of other UNIX vendors, including OpenBSD and NetBSD.
To address the concerns of those requiring remote access via telnet
from first install, changes will shortly be committed to sysinstall
to provide the ability to edit inetd.conf during the installation
process, allowing telnetd and ftp to be re-enabled during the
installation process.
While I'm at it, slightly improve commenting for inetd.conf so that
it's more clear to users how to enable and disable services.
Further commenting to indicate the functions of various columns would
probably also be useful.
Reviewed by: imp, chris, jake, nate, -arch, -stable
2001-08-02 02:19:56 +00:00
# Define *both* IPv4 and IPv6 entries for dual-stack support.
# To disable a service, comment it out by prefixing the line with '#'.
# To enable a service, remove the '#' at the beginning of the line.
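An added example, not code from FreeBSD's inetd.conf or inetd(8): a small Python audit script that parses this file's column layout (service, socket type, protocol, wait/nowait with the optional /max suffix, user[:group], server, arguments), honours the `#@` IPsec policy lines used further down in the file, and lists the active entries that run an external program as root or expose a cleartext protocol, which is the exposure the commit message above is about. The sample configuration embedded in it is constructed for this example; the cleartext-service list and the finding texts are this example's choices, and `-c`/`-C` refers to inetd's own global limit flags.

```python
"""Audit an inetd.conf file: list active entries and flag the risky ones.

Added example for this page, not part of FreeBSD's inetd.conf or inetd(8).
Column layout parsed:
    service socktype proto wait|nowait[/max[/rate]] user[:group] server [args...]
A '#@ <policy>' line applies an IPsec policy to the entries that follow it
until a bare '#@' clears it.
"""
from dataclasses import dataclass
from typing import List, Optional

# Editorial choice for this example: services whose credentials or payload
# cross the network in cleartext, which the file header recommends leaving off.
CLEARTEXT_SERVICES = {"telnet", "ftp", "shell", "login", "tftp", "rsync",
                      "imap4", "nntp", "smtp", "cvspserver"}
# The placeholder shipped in this file's cvspserver example entries.
CVS_PLACEHOLDER = "--allow-root=/your/cvsroot/here"


@dataclass
class Entry:
    service: str              # "telnet", "rstatd/1-3", "tcpmux/+date", "/var/run/echo"
    socktype: str             # stream or dgram
    proto: str                # tcp, tcp6, udp, rpc/udp, unix, ...
    wait: str                 # "wait" or "nowait"
    limits: Optional[str]     # text after wait/nowait, e.g. "3/10" or "400"
    user: str
    group: Optional[str]      # from user:group, e.g. tty:tty
    server: str               # program path, or "internal"
    args: List[str]
    ipsec_policy: Optional[str]

    @property
    def name(self) -> str:
        """Service name without an RPC version range or tcpmux suffix."""
        if self.service.startswith("/"):      # unix-domain socket path
            return self.service
        return self.service.split("/")[0]


def parse_inetd_conf(text: str) -> List[Entry]:
    entries: List[Entry] = []
    policy: Optional[str] = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("#@"):
            policy = line[2:].strip() or None   # bare '#@' ends the policy block
            continue
        if not line or line.startswith("#"):
            continue                            # blank, comment, or disabled entry
        fields = line.split()
        if len(fields) < 6:
            raise ValueError(f"line {lineno}: expected at least 6 columns: {raw!r}")
        service, socktype, proto, waitspec, userspec, server = fields[:6]
        wait, _, limits = waitspec.partition("/")
        if wait not in ("wait", "nowait"):
            raise ValueError(f"line {lineno}: bad wait field {waitspec!r}")
        user, _, group = userspec.partition(":")
        entries.append(Entry(service, socktype, proto, wait, limits or None,
                             user, group or None, server, fields[6:], policy))
    return entries


def audit(entries: List[Entry]) -> List[tuple]:
    """Return (service, finding) pairs for active entries worth a second look."""
    findings = []
    for e in entries:
        if e.name in CLEARTEXT_SERVICES and e.ipsec_policy is None:
            findings.append((e.service, "cleartext service enabled without an IPsec policy"))
        if e.user == "root" and e.server != "internal":
            findings.append((e.service, f"{e.server} runs as root"))
        if CVS_PLACEHOLDER in e.args:
            findings.append((e.service, "--allow-root still points at the placeholder path"))
        if e.wait == "nowait" and e.limits is None and e.server != "internal":
            findings.append((e.service, "no per-service max; inetd's global -c/-C limits apply"))
    return findings


# Constructed sample in this file's format; not a copy of any real /etc/inetd.conf.
SAMPLE = """\
# Internet server configuration database
telnet      stream  tcp      nowait      root     /usr/libexec/telnetd   telnetd
#ftp        stream  tcp      nowait      root     /usr/libexec/ftpd      ftpd -l
finger      stream  tcp      nowait/3/10 nobody   /usr/libexec/fingerd   fingerd -k -s
comsat      dgram   udp      wait        tty:tty  /usr/libexec/comsat    comsat
cvspserver  stream  tcp      nowait      root     /usr/local/bin/cvs     cvs --allow-root=/your/cvsroot/here pserver
rstatd/1-3  dgram   rpc/udp  wait        root     /usr/libexec/rpc.rstatd rpc.rstatd
/var/run/echo stream unix    nowait      root     internal
#@ ipsec ah/require
chargen     stream  tcp      nowait      root     internal
#@
"""

if __name__ == "__main__":
    for service, msg in audit(parse_inetd_conf(SAMPLE)):
        print(f"{service}: {msg}")
```

Run it against a real file with `audit(parse_inetd_conf(open("/etc/inetd.conf").read()))`; on a stock install every entry is commented out, so the parser returns no entries and the audit is empty, which is the state the commit message above argues for.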
1993-06-20 13:41:45 +00:00
#
2001-08-02 02:19:56 +00:00
#ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l
#ftp stream tcp6 nowait root /usr/libexec/ftpd ftpd -l
2003-06-09 21:04:30 +00:00
#ssh stream tcp nowait root /usr/sbin/sshd sshd -i -4
#ssh stream tcp6 nowait root /usr/sbin/sshd sshd -i -6
2001-08-02 02:19:56 +00:00
#telnet stream tcp nowait root /usr/libexec/telnetd telnetd
#telnet stream tcp6 nowait root /usr/libexec/telnetd telnetd
2017-10-06 08:43:14 +00:00
#shell stream tcp nowait root /usr/local/sbin/rshd rshd
#shell stream tcp6 nowait root /usr/local/sbin/rshd rshd
#login stream tcp nowait root /usr/local/sbin/rlogind rlogind
#login stream tcp6 nowait root /usr/local/sbin/rlogind rlogind
2010-04-01 13:13:09 +00:00
#finger stream tcp nowait/3/10 nobody /usr/libexec/fingerd fingerd -k -s
#finger stream tcp6 nowait/3/10 nobody /usr/libexec/fingerd fingerd -k -s
2001-08-02 02:19:56 +00:00
#
1998-12-01 22:01:59 +00:00
# run comsat as root to be able to print partial mailbox contents w/ biff,
# or use the safer tty:tty to just print that new mail has been received.
2001-08-02 02:19:56 +00:00
#comsat dgram udp wait tty:tty /usr/libexec/comsat comsat
#
# ntalk is required for the 'talk' utility to work correctly
#ntalk dgram udp wait tty:tty /usr/libexec/ntalkd ntalkd
2004-03-11 22:15:28 +00:00
#tftp dgram udp wait root /usr/libexec/tftpd tftpd -l -s /tftpboot
#tftp dgram udp6 wait root /usr/libexec/tftpd tftpd -l -s /tftpboot
1996-10-02 03:52:58 +00:00
#bootps dgram udp wait root /usr/libexec/bootpd bootpd
#
# "Small servers" -- used to be standard on, but we're more conservative
# about things due to Internet security concerns. Only turn on what you
# need.
#
#daytime stream tcp nowait root internal
2001-03-30 10:25:40 +00:00
#daytime stream tcp6 nowait root internal
1996-10-02 03:52:58 +00:00
#daytime dgram udp wait root internal
2001-03-30 10:25:40 +00:00
#daytime dgram udp6 wait root internal
1996-10-02 03:52:58 +00:00
#time stream tcp nowait root internal
2001-03-30 10:25:40 +00:00
#time stream tcp6 nowait root internal
1996-10-02 03:52:58 +00:00
#time dgram udp wait root internal
2001-03-30 10:25:40 +00:00
#time dgram udp6 wait root internal
1996-10-02 03:52:58 +00:00
#echo stream tcp nowait root internal
2001-03-30 10:25:40 +00:00
#echo stream tcp6 nowait root internal
2003-06-09 21:04:30 +00:00
#echo dgram udp wait root internal
#echo dgram udp6 wait root internal
1996-10-02 03:52:58 +00:00
#discard stream tcp nowait root internal
2001-03-30 10:25:40 +00:00
#discard stream tcp6 nowait root internal
1996-10-02 03:52:58 +00:00
#discard dgram udp wait root internal
2001-03-30 10:25:40 +00:00
#discard dgram udp6 wait root internal
1996-10-02 03:52:58 +00:00
#chargen stream tcp nowait root internal
2001-03-30 10:25:40 +00:00
#chargen stream tcp6 nowait root internal
1996-10-02 03:52:58 +00:00
#chargen dgram udp wait root internal
2001-03-30 10:25:40 +00:00
#chargen dgram udp6 wait root internal
1996-10-02 03:52:58 +00:00
#
1999-12-26 15:18:58 +00:00
# CVS servers - for master CVS repositories only! You must set the
# --allow-root path correctly or you open a trivial to exploit but
# deadly security hole.
1996-10-02 03:52:58 +00:00
#
2013-06-15 20:29:07 +00:00
#cvspserver stream tcp nowait root /usr/local/bin/cvs cvs --allow-root=/your/cvsroot/here pserver
#cvspserver stream tcp nowait root /usr/local/bin/cvs cvs --allow-root=/your/cvsroot/here kserver
1996-10-02 03:52:58 +00:00
#
2002-08-09 17:34:13 +00:00
# RPC based services (you MUST have rpcbind running to use these)
1996-10-02 03:52:58 +00:00
#
#rstatd/1-3 dgram rpc/udp wait root /usr/libexec/rpc.rstatd rpc.rstatd
#rusersd/1-2 dgram rpc/udp wait root /usr/libexec/rpc.rusersd rpc.rusersd
#walld/1 dgram rpc/udp wait root /usr/libexec/rpc.rwalld rpc.rwalld
#rquotad/1 dgram rpc/udp wait root /usr/libexec/rpc.rquotad rpc.rquotad
2015-07-07 20:15:09 +00:00
#rquotad/1 dgram rpc/udp6 wait root /usr/libexec/rpc.rquotad rpc.rquotad
1996-10-02 03:52:58 +00:00
#sprayd/1 dgram rpc/udp wait root /usr/libexec/rpc.sprayd rpc.sprayd
#
1997-01-12 17:55:16 +00:00
# example entry for the optional imap4 server
#
#imap4 stream tcp nowait root /usr/local/libexec/imapd imapd
#
2003-06-06 08:54:29 +00:00
# example entry for the optional nntp server
#
#nntp stream tcp nowait news /usr/local/libexec/nntpd nntpd
#
2001-10-01 09:16:42 +00:00
# example entry for the optional uucpd server
2003-06-06 08:54:29 +00:00
#
2001-10-01 09:16:42 +00:00
#uucpd stream tcp nowait root /usr/local/libexec/uucpd uucpd
#
1999-07-16 15:41:14 +00:00
# Return error for all "ident" requests
1998-11-04 19:42:35 +00:00
#
1999-07-16 15:41:14 +00:00
#auth stream tcp nowait root internal
2001-03-30 10:25:40 +00:00
#auth stream tcp6 nowait root internal
1998-11-04 19:42:35 +00:00
#
1999-07-23 15:49:34 +00:00
# Provide internally a real "ident" service which provides ~/.fakeid support,
1999-07-24 17:19:54 +00:00
# provides ~/.noident support, reports UNKNOWN as the operating system type
# and times out after 30 seconds.
1996-10-02 03:52:58 +00:00
#
1999-07-24 17:19:54 +00:00
#auth stream tcp nowait root internal auth -r -f -n -o UNKNOWN -t 30
2001-03-30 10:25:40 +00:00
#auth stream tcp6 nowait root internal auth -r -f -n -o UNKNOWN -t 30
1999-07-16 15:41:14 +00:00
#
# Example entry for an external ident server
#
1999-07-16 16:24:13 +00:00
#auth stream tcp wait root /usr/local/sbin/identd identd -w -t120
1997-09-28 22:25:29 +00:00
#
2000-01-10 20:02:28 +00:00
# Example entry for the optional qmail MTA
# NOTE: This is no longer the correct way to handle incoming SMTP
# connections for qmail. Use tcpserver (http://cr.yp.to/ucspi-tcp.html)
# instead.
1998-07-18 20:01:03 +00:00
#
#smtp stream tcp nowait qmaild /var/qmail/bin/tcp-env tcp-env /var/qmail/bin/qmail-smtpd
#
inetd: Add examples from manual page and other sources
The manual page lists a bunch of examples, some of which already exist
in this file. Since it's both easier to remember when all examples are
listed in the same location, move examples so they get installed into
/etc/inetd.conf
This also means users won't have to copy-paste, but can simply
uncomment one or more services to use them.
As such, it also becomes necessary to remove the examples from the
manual page, so instead add a note explaining where the previous
examples as well as others may be found.
Cross-references, including to ports, have also been added where
applicable.
The rsync example has lived in the bug tracker for too long,
considering how useful it can situationally be, for example when
backup jobs on client devices are run through periodic(8) weekly.
The microsoft-ds entry is necessary for Windows 10 compatibility
(this can be confirmed with packet capturing, as it is not readily
documented at time of writing).
While here, remove two examples for which compatible daemons could not
be found in ports.
Submitted by: David Yeske <dyeske at gmail.com> (in part, prev ver)
PR: 122037
Reviewed by: kevans, brueffer, lwhsu, yuripv
Differential Revision: https://reviews.freebsd.org/D28882
2021-02-26 20:05:46 +01:00
# Example entry for Samba sharing for the SMB protocol
1997-09-28 22:25:29 +00:00
#
2021-02-26 20:05:46 +01:00
# Enable the first two entries to enable Samba startup from inetd (according to
# the Samba documentation). Enable the third entry only if you have other
# NetBIOS daemons listening on your network. Enable the fourth entry to use
# the swat Samba configuration tool.
#netbios-ssn stream tcp nowait root /usr/local/sbin/smbd smbd
#microsoft-ds stream tcp nowait root /usr/local/sbin/smbd smbd
#netbios-ns dgram udp wait root /usr/local/sbin/nmbd nmbd
2002-02-13 08:21:45 +00:00
#swat stream tcp nowait/400 root /usr/local/sbin/swat swat
2016-12-21 08:32:20 +00:00
#
# Example entry for the Prometheus sysctl metrics exporter
#
#prom-sysctl stream tcp nowait nobody /usr/sbin/prometheus_sysctl_exporter prometheus_sysctl_exporter -dgh
2021-02-26 20:05:46 +01:00
#
# Example entry for insecure rsync server
2021-03-18 15:17:32 +01:00
# This is best combined with encrypted virtual tunnel interfaces, which can be
# found with: apropos if_ | grep tunnel
2021-02-26 20:05:46 +01:00
#rsync stream tcp nowait root /usr/local/bin/rsyncd rsyncd --daemon
#
# Let the system respond to date requests via tcpmux
#tcpmux/+date stream tcp nowait guest /bin/date date
#
# Let people access the system phonebook via tcpmux
#tcpmux/phonebook stream tcp nowait guest /usr/local/bin/phonebook phonebook
#
# Make kernel statistics accessible
#rstatd/1-3 dgram rpc/udp wait root /usr/libexec/rpc.rstatd rpc.rstatd
#
# Use netcat as a one-shot HTTP proxy with nc (from freebsd-tips fortune)
#http stream tcp nowait nobody /usr/bin/nc nc -N dest-ip 80
#
# Set up a unix socket at /var/run/echo that echoes back whatever is written to it.
#/var/run/echo stream unix nowait root internal
#
# Run chargen for IPsec Authentication Headers
#@ ipsec ah/require
#chargen stream tcp nowait root internal
#@