changeset 3186:6ce7587bee92

6228056 tcpd(1m) still talks about inetd.conf 6451473 incomplete TCP wrapper documentation
author gt145670
date Mon, 27 Nov 2006 21:03:24 -0800
parents 780a0268fc9a
children f801da2c3e1e
files usr/src/cmd/tcpd/hosts_access.5 usr/src/cmd/tcpd/tcpd.8
diffstat 2 files changed, 20 insertions(+), 60 deletions(-)
line diff
--- a/usr/src/cmd/tcpd/hosts_access.5	Mon Nov 27 20:58:50 2006 -0800
+++ b/usr/src/cmd/tcpd/hosts_access.5	Mon Nov 27 21:03:24 2006 -0800
@@ -66,6 +66,10 @@
 With the exception of NIS (YP) netgroup lookups, all access control
 checks are case insensitive.
 .ne 4
+.SH HOST ADDRESSES
+IPv4 client addresses can be denoted in their usual dotted notation, i.e.
+x.x.x.x, but IPv6 addresses require a square brace around them - e.g.
+[::1]. 
 .SH PATTERNS
 The access control language implements the following patterns:
 .IP \(bu
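Review bot: the new `.SH HOST ADDRESSES` block is inserted between the existing `.ne 4` and `.SH PATTERNS`, so the need-lines request now guards the new heading and `.SH PATTERNS` loses it; move the new section above the `.ne 4` line, or give it its own `.ne`. In the wording, "square brace" should be "square brackets" (braces are `{}`), "i.e." should be "e.g." since `x.x.x.x` is an example rather than a restatement, and the line `[::1]. ` carries trailing whitespace. It would also help to say whether the brackets are required only for a literal address or also for the net/prefix forms, since the PATTERNS section that follows is where readers will look for that.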
@@ -89,6 +93,8 @@
 bitwise AND of the address and the `mask\'. For example, the net/mask
 pattern `131.155.72.0/255.255.254.0\' matches every address in the
 range `131.155.72.0\' through `131.155.73.255\'.
+.IP \(bu
+Prefixes can be specified for IPv6 address, e.g. [fe80]::/10
 .SH WILDCARDS
 The access control language supports explicit wildcards:
 .IP ALL
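Review bot: the prefix example `[fe80]::/10` is inconsistent with the HOST ADDRESSES text added earlier in this patch, which says an IPv6 address goes inside the square brackets as a whole (`[::1]`); here only `fe80` is bracketed and `::/10` sits outside. Check which form the parser actually accepts and write the example in that form (if the whole address is bracketed, that would be `[fe80::]/10`). The bullet also says less than the net/mask bullet above it: state that `/n` means the leading n bits of the address must match, the way the IPv4 bullet spells out the bitwise-AND semantics, and change "for IPv6 address" to "for IPv6 addresses".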
--- a/usr/src/cmd/tcpd/tcpd.8	Mon Nov 27 20:58:50 2006 -0800
+++ b/usr/src/cmd/tcpd/tcpd.8	Mon Nov 27 21:03:24 2006 -0800
@@ -73,76 +73,30 @@
 Client user name lookups will not work for datagram-oriented
 connections, and may cause noticeable delays in the case of connections
 from PCs.
-.SH EXAMPLES
-The details of using \fItcpd\fR depend on pathname information that was
-compiled into the program.
-.SH EXAMPLE 1
-This example applies when \fItcpd\fR expects that the original network
-daemons will be moved to an "other" place.
-.PP
-In order to monitor access to the \fIfinger\fR service, move the
-original finger daemon to the "other" place and install tcpd in the
-place of the original finger daemon. No changes are required to
-configuration files.
-.nf
-.sp
-.in +5
-# mkdir /other/place
-# mv /usr/etc/in.fingerd /other/place
-# cp tcpd /usr/etc/in.fingerd
-.fi
-.PP
-The example assumes that the network daemons live in /usr/etc. On some
-systems, network daemons live in /usr/sbin or in /usr/libexec, or have
-no `in.\' prefix to their name.
-.SH EXAMPLE 2
-This example applies when \fItcpd\fR expects that the network daemons
-are left in their original place.
-.PP
-In order to monitor access to the \fIfinger\fR service, perform the
-following edits on the \fIinetd\fR configuration file (usually 
-\fI/etc/inetd.conf\fR or \fI/etc/inet/inetd.conf\fR):
+
+.SH EXAMPLE
+In order to monitor access to the \fIfinger\fR service, run the following
+command to enable the tcp_wrapper :
 .nf
 .sp
 .ti +5
-finger  stream  tcp  nowait  nobody  /usr/etc/in.fingerd  in.fingerd
-.sp
-becomes:
-.sp
-.ti +5
-finger  stream  tcp  nowait  nobody  /some/where/tcpd     in.fingerd
+inetadm -m network/finger tcp_wrapper=TRUE
 .sp
 .fi
 .PP
-The example assumes that the network daemons live in /usr/etc. On some
-systems, network daemons live in /usr/sbin or in /usr/libexec, the
-daemons have no `in.\' prefix to their name, or there is no userid
-field in the inetd configuration file.
+The example assumes that the network/finger service hasn't been removed from
+your system.
 .PP
 Similar changes will be needed for the other services that are to be
-covered by \fItcpd\fR.  Send a `kill -HUP\' to the \fIinetd\fR(8)
-process to make the changes effective. AIX users may also have to
-execute the `inetimp\' command.
-.SH EXAMPLE 3
-In the case of daemons that do not live in a common directory ("secret"
-or otherwise), edit the \fIinetd\fR configuration file so that it
-specifies an absolute path name for the process name field. For example:
-.nf
-.sp
-    ntalk  dgram  udp  wait  root  /some/where/tcpd  /usr/local/lib/ntalkd
-.sp
-.fi
-.PP
-Only the last component (ntalkd) of the pathname will be used for
-access control and logging.
+covered by \fItcpd\fR. In case a (non-standard) daemon does not exist as a
+service already, use \fIsmf(5)\fR to make it a service by creating a manifest,
+and then enable tcp_wrappers for that service as shown in the example.
+
 .SH BUGS
 Some UDP (and RPC) daemons linger around for a while after they have
-finished their work, in case another request comes in.  In the inetd
-configuration file these services are registered with the \fIwait\fR
-option. Only the request that started such a daemon will be logged.
+finished their work, in case another request comes in.
 .PP
-The program does not work with RPC services over TCP. These services
-are registered as \fIrpc/tcp\fR in the inetd configuration file. The
+The program does not work with RPC services over TCP. The
 only non-trivial service that is affected by this limitation is
 \fIrexd\fR, which is used by the \fIon(1)\fR command. This is no great
 loss.  On most systems, \fIrexd\fR is less secure than a wildcard in
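Review bot: the property name in the example command (`inetadm -m network/finger tcp_wrapper=TRUE`) does not match the name used in the prose a few lines later ("enable tcp_wrappers for that service"); inetadm(1M) documents the property as `tcp_wrappers`, so the command as written would not set it. Use `tcp_wrappers=TRUE` in the command and in "enable the tcp_wrapper :" (which also has a stray space before the colon). Two pieces of information the removed text carried are now missing. The BUGS entry on lingering UDP/RPC daemons no longer says what the bug is, because the sentence "Only the request that started such a daemon will be logged" was dropped together with the inetd.conf `wait` reference; keep that sentence and drop only the inetd.conf part. Likewise, the removed EXAMPLE 3 told administrators that the last component of the daemon pathname is what is used for access control and logging, which is what they need to write hosts_access(5) rules; the SMF-based text should state what name tcpd matches for a service enabled through inetadm. Minor: "hasn't" should be "has not" in man-page register, `\fIsmf(5)\fR` should follow the form used elsewhere in this file (`\fIinetd\fR(8)`), and the blank lines added before `.SH EXAMPLE` and `.SH BUGS` are literal blank lines in troff input and unnecessary before `.SH`, which supplies its own spacing.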
@@ -166,7 +120,7 @@
 .nf
 hosts_access(5), format of the tcpd access control tables.
 syslog.conf(5), format of the syslogd control file.
-inetd.conf(5), format of the inetd control file.
+smf(5), service management facility.
 .SH AUTHORS
 .na
 .nf
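Review bot: the SEE ALSO list drops inetd.conf(5) but does not add inetadm(1M), which is the command the new EXAMPLE section of this patch relies on; add an entry for it next to smf(5) so readers can find the documentation of the tcp_wrappers property used in the example.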