1 .\"(c) Copyright 1992, by Panagiotis Tsirigotis
2 .\"(c) Sections Copyright 1998-2001 by Rob Braun
3 .\"All rights reserved. The file named COPYRIGHT specifies the terms
4 .\"and conditions for redistribution.
6 .\" $Id: xinetd.conf.man,v 1.18 2005/10/05 17:15:33 bbraun Exp $
7 .TH XINETD.CONF 5 "14 June 2001"
8 .\" *************************** NAME *********************************
10 xinetd.conf \- Extended Internet Services Daemon configuration file
11 .\" *********************** DESCRIPTION ****************************
14 is the configuration file that
15 determines the services provided by \fBxinetd\fP.
16 Any line whose first non-white-space character is a '#' is considered
17 a comment line. Empty lines are ignored.
19 The file contains entries of the form:
24 service <service_name>
28 <attribute> <assign_op> <value> <value> ...
36 The assignment operator,
42 The majority of attributes support only the simple assignment operator,
44 Attributes whose value is a set of values support all assignment operators.
47 means adding a value to the set and
49 means removing a value from the set.
50 A list of these attributes will be given
51 after all the attributes are described.
53 Each entry defines a service identified by the \fIservice_name\fP.
54 The following is a list of available attributes:
57 This attribute is used to uniquely identify a service.
58 This is useful because there exist services that can use different
59 protocols and need to be described with different entries in the
61 By default, the service id is the same as the service name.
64 Any combination of the following values may be used:
68 if this is an RPC service
71 if this is a service provided by \fBxinetd\fP.
74 if this is a service that will be started according to the RFC 1078 protocol on the TCPMUX well-known port. See the section describing TCPMUX services below.
77 if this is a service not listed in a standard system file
82 for non-RPC services).
86 Any combination of the following flags may be used:
90 Intercept packets or accepted connections in order to verify that they
91 are coming from acceptable locations (internal or multi-threaded
92 services cannot be intercepted).
95 Avoid retry attempts in case of fork failure.
98 Accept connections only when the remote end identifies the remote user
99 (i.e. the remote host must run an identification server).
100 This flag applies only to connection-based services.
101 This flag is ineffective if the
103 log option is not used.
106 This will cause the first argument in "server_args" to be argv[0] when
107 executing the server, as specified in "server". This allows you to use
108 tcpd by putting tcpd in "server" and the name of the server in "server_args"
109 like in normal inetd.
112 If the service is a tcp service and the NODELAY flag is set, then the
113 TCP_NODELAY flag will be set on the socket. If the service is not
114 a tcp service, this option has no effect.
117 If the service is a tcp service and the KEEPALIVE flag is set, then
118 the SO_KEEPALIVE socket flag will be set on the socket. If the service
119 is not a tcp service, this option has no effect.
122 This disables internal calling of the tcpwrap library to determine access
123 to the service. This may be needed in order to use libwrap functionality
124 not available to long-running processes such as xinetd; in this case,
125 the tcpd program can be called explicitly (see also the NAMEINARGS flag).
128 This replaces the service with a sensor that detects accesses to the
129 specified port. NOTE: It will NOT detect stealth scans. This flag
130 should be used only on services that you know you don't need. When an
131 access is made to this service's port, the IP Address is added to a global
132 no_access list. This causes all subsequent accesses from the originating IP
133 address to be denied access until the deny_time setting expires. The amount
134 of time spent on this list is configurable as the deny_time attribute. The
135 SENSOR flag will also cause xinetd to consider the server attribute to be
136 INTERNAL no matter what is typed on the same line. Another important thing
137 to remember is that if the socket_type is set to stream, then the wait
138 attribute should be set to no.
141 Sets the service to be an IPv4 service (AF_INET).
144 Sets the service to be an IPv6 service (AF_INET6), if IPv6 is available on the system.
147 The REUSE flag is deprecated. All services now implicitly use the REUSE flag.
151 This is boolean "yes" or "no". This will result in the service
152 being disabled and not starting. See the DISABLE flag description.
156 Possible values for this attribute include:
163 datagram-based service
166 service that requires direct access to IP
169 service that requires reliable sequential datagram transmission
173 determines the protocol that is employed by the service.
174 The protocol must exist in
177 attribute is not defined, the default protocol employed by the service
181 This attribute determines if the service is single-threaded or
182 multi-threaded and whether or not xinetd accepts the connection or the server
183 program accepts the connection. If its value is \fIyes\fP, the service is
184 single-threaded; this means that \fBxinetd\fP will start the server and then
185 it will stop handling requests for the service until the server dies and that
186 the server software will accept the connection. If the attribute value is
187 \fIno\fP, the service is multi-threaded and \fBxinetd\fP will keep handling
188 new service requests and xinetd will accept the connection. It should be noted
189 that udp/dgram services normally expect the value to be yes since udp is not
190 connection oriented, while tcp/stream servers normally expect the value to be
194 determines the uid for the server process. The user attribute can either
195 be numeric or a name. If a name is given (recommended), the user name must
198 This attribute is ineffective if the effective user ID
199 of \fBxinetd\fP is not super-user.
202 determines the gid for the server process. The group attribute can either
203 be numeric or a name. If a name is given (recommended), the group name must
206 If a group is not specified, the group
207 of \fIuser\fP will be used (from
209 This attribute is ineffective if the effective user ID
210 of \fBxinetd\fP is not super-user and if the \fBgroups\fP attribute
214 determines the number of servers that can be simultaneously active
215 for a service (the default is no limit). The value of this
216 attribute can be either a number or
218 which means that there is no limit.
221 determines the server priority. Its value is a (possibly negative) number;
222 check nice(3) for more information.
225 determines the program to execute for this service.
228 determines the arguments passed to the server. In contrast to \fBinetd\fP,
229 the server name should \fInot\fP be included in \fIserver_args\fP.
232 overrides the service name passed to libwrap (which defaults to the
233 server name, the first server_args component with NAMEINARGS, the id
234 for internal services and the service name for redirected services).
235 This attribute is only valid if xinetd has been configured with the libwrap
239 determines the remote hosts to which the particular
240 service is available.
241 Its value is a list of IP addresses which can be specified in any
242 combination of the following ways:
246 a numeric address in the form of %d.%d.%d.%d. If the rightmost components are
247 0, they are treated as wildcards
248 (for example, 128.138.12.0 matches all hosts on the 128.138.12 subnet).
249 0.0.0.0 matches all Internet addresses. IPv6 hosts may be specified in the form of abcd:ef01::2345:6789. The rightmost rule for IPv4 addresses does not apply to IPv6 addresses.
252 a factorized address in the form of %d.%d.%d.{%d,%d,...}.
253 There is no need for all 4 components (i.e. %d.%d.{%d,%d,...%d} is also ok).
254 However, the factorized part must be at the end of the address. This form does not work for IPv6 hosts.
258 .I /etc/networks). This form does not work for IPv6 hosts.
261 a host name. When a connection is made to xinetd, a reverse lookup is
262 performed, and the canonical name returned is compared to the specified host
263 name. You may also use domain names in the form of .domain.com. If the
264 reverse lookup of the client's IP is within .domain.com, a match occurs.
267 an ip address/netmask range in the form of 1.2.3.4/32. IPv6 address/netmask
268 ranges in the form of 1234::/46 are also valid.
272 Specifying this attribute
273 without a value makes the service available to nobody.
276 determines the remote hosts to which the particular
277 service is unavailable. Its value can be specified in the same way as the
278 value of the \fBonly_from\fP
279 attribute. These two attributes determine the location access control
280 enforced by \fBxinetd\fP. If none of the two is specified for a service,
281 the service is available to anyone. If both are specified for a service,
282 the one that is the better match for
283 the address of the remote host determines
284 if the service is available to that host (for example, if the
285 \fBonly_from\fP list contains 128.138.209.0 and the
286 \fBno_access\fP list contains 128.138.209.10
287 then the host with the address 128.138.209.10 can not access the service).
290 determines the time intervals when the service is available. An interval
291 has the form \fIhour:min-hour:min\fP (connections
293 be accepted at the bounds of an interval). Hours can range from 0 to 23 and
294 minutes from 0 to 59.
297 determines where the service log output is sent. There are two formats:
300 .B SYSLOG " \fIsyslog_facility [syslog_level]\fP"
301 The log output is sent to syslog at the specified facility. Possible facility
313 Possible level names include:
322 If a level is not present, the messages will be recorded at the
326 .B FILE " \fIfile [soft_limit [hard_limit]]\fP"
327 The log output is appended to \fIfile\fP which will be created if it does
328 not exist. Two limits on the size of the log file can be optionally specified.
329 The first limit is a soft one;
331 will log a message the first time this limit is exceeded (if
333 logs to syslog, the message will be sent at the
336 The second limit is a hard limit;
338 will stop logging for the affected service (if the log file is a
339 common log file, then more than one service may be affected)
340 and will log a message about this (if
342 logs to syslog, the message will be sent at the
345 If a hard limit is not specified, it defaults to the soft limit
346 increased by 1% but the extra size must be within the parameters
350 which default to 5K and 20K respectively (these constants are defined in
355 determines what information is logged when a server is started and when
356 that server exits (the service id is always included in the log entry).
357 Any combination of the following values may be specified:
361 logs the server process id (if the service is implemented by \fBxinetd\fP
362 without forking another process the logged process id will be 0)
365 logs the remote host address
368 logs the user id of the remote user using the RFC 1413 identification protocol.
369 This option is available only for multi-threaded stream services.
372 logs the fact that a server exited along with the exit status or the
374 (the process id is also logged if the
379 logs the duration of a service session
382 logs the total bytes in and out for a redirected service.
386 determines what information is logged when a server cannot be started
387 (either because of a lack of resources or because of access control
388 restrictions). The service id is always included in the log entry along
389 with the reason for failure.
390 Any combination of the following values may be specified:
394 logs the remote host address.
397 logs the user id of the remote user using the RFC 1413 identification protocol.
398 This option is available only for multi-threaded stream services.
401 logs the fact that a failed attempt was made
402 (this option is implied by all others).
406 determines the RPC version for a RPC service. The version can be
407 a single number or a range in the form \fInumber\fP-\fInumber\fP.
410 determines the number for an
412 RPC service (this attribute is ignored if the service is not unlisted).
415 The value of this attribute is a list of strings of the form 'name=value'.
416 These strings will be added to the environment before
417 starting a server (therefore the server's environment will include
418 \fBxinetd\fP's environment plus the specified strings).
421 The value of this attribute is a list of environment variables from
422 \fBxinetd\fP's environment that will be passed to the server.
423 An empty list implies passing no variables to the server
424 except for those explicitly defined using the
427 (notice that you can use this attribute in conjunction with the
429 attribute to specify exactly what environment will be passed to the server).
432 determines the service port. If this attribute is specified for a service
435 it must be equal to the port number listed in that file.
438 Allows a tcp service to be redirected to another host. When xinetd receives
439 a tcp connection on this port it spawns a process that establishes a
440 connection to the host and port number specified, and forwards all data
441 between the two hosts. This option is useful when your internal machines
442 are not visible to the outside world. Syntax is: redirect = (ip address)
443 (port). You can also use a hostname instead of the IP address in this
444 field. The hostname lookup is performed only once, when xinetd is
445 started, and the first IP address returned is the one that is used
446 until xinetd is restarted.
447 The "server" attribute is not required when this option is specified. If
448 the "server" attribute is specified, this attribute takes priority.
451 Allows a service to be bound to a specific interface on the machine.
452 This means you can have a telnet server listening on a local, secured
453 interface, and not on the external interface. Or one port on one interface
454 can do something, while the same port on a different interface can do
455 something completely different. Syntax: bind = (ip address of interface).
461 Takes the name of a file to be splatted at the remote host when a
462 connection to that service is established. This banner is printed
463 regardless of access control. It should *always* be printed when
464 a connection has been made. \fBxinetd\fP outputs the file as-is,
465 so you must ensure the file is correctly formatted for the service's
466 protocol. In paticular, if the protocol requires CR-LF pairs for line
467 termination, you must supply them.
470 Takes the name of a file to be splatted at the remote host when a
471 connection to that service is granted. This banner is printed
472 as soon as access is granted for the service. \fBxinetd\fP outputs the
473 file as-is, so you must ensure the file is correctly formatted for
474 the service's protocol. In paticular, if the protocol requires CR-LF
475 pairs for line termination, you must supply them.
478 Takes the name of a file to be splatted at the remote host when a
479 connection to that service is denied. This banner is printed
480 immediately upon denial of access. This is useful for informing
481 your users that they are doing something bad and they shouldn't be
482 doing it anymore. \fBxinetd\fP outputs the file as-is,
483 so you must ensure the file is correctly formatted for the service's
484 protocol. In paticular, if the protocol requires CR-LF pairs for line
485 termination, you must supply them.
488 Takes an integer or "UNLIMITED" as an argument. This specifies the
489 maximum instances of this service per source IP address. This can
490 also be specified in the defaults section.
493 Limits the rate of incoming connections. Takes two arguments.
494 The first argument is the number of connections per second to handle.
495 If the rate of incoming connections is higher than this, the service
496 will be temporarily disabled. The second argument is the number of
497 seconds to wait before re-enabling the service after it has been disabled.
498 The default for this setting is 50 incoming connections and the interval
502 Takes a floating point value as the load at which the service will
503 stop accepting connections. For example: 2 or 2.5. The service
504 will stop accepting connections at this load. This is the one minute
505 load average. This is an OS dependent feature, and currently only
506 Linux, Solaris, and FreeBSD are supported for this. This feature is
507 only avaliable if xinetd was configured with the -with-loadavg option.
510 Takes either "yes" or "no". If the groups attribute is set to
511 "yes", then the server is executed with access to the groups that the
512 server's effective UID has access to. Alternatively, if the \fBgroup\fP
513 attribute is set, the server is executed with access to the groups
514 specified. If the groups attribute is set
515 to "no", then the server runs with no supplementary groups. This
516 attribute must be set to "yes" for many BSD systems. This attribute
517 can be set in the defaults section as well.
520 Takes either "yes" or "no". On systems that support mdns registration
521 of services (currently only Mac OS X), this will enable or disable
522 registration of the service. This defaults to "yes".
525 Sets the inherited umask for the service. Expects an octal value.
526 This option may be set in the "defaults" section to set a umask
527 for all services. xinetd sets its own umask to the previous umask
528 OR'd with 022. This is the umask that will be inherited by all
529 child processes if the umask option is not used.
532 Takes a list of service ID's to enable. This will enable only the
533 services listed as arguments to this attribute; the rest will be
534 disabled. If you have 2 ftp services, you will need to list both of
535 their ID's and not just ftp. (ftp is the service name, not the ID. It
536 might accidentally be the ID, but you better check.) Note that the
537 service "disable" attribute and "DISABLE" flag can prevent a service
538 from being enabled despite being listed in this attribute.
541 Takes a filename in the form of "include /etc/xinetd/service".
542 The file is then parsed as a new configuration file. It is not
543 the same thing as pasting the file into xinetd.conf where the
544 include directive is given. The included file must be in the
545 same form as xinetd.conf. This may not be specified from within
546 a service. It must be specified outside a service declaration.
549 Takes a directory name in the form of "includedir /etc/xinetd.d".
550 Every file inside that directory, excluding files with names containing
551 a dot ('.') or ending with a tilde ('~'), will be parsed as xinetd
552 configuration files. The files will be parsed in alphabetical order
553 according to the C locale. This allows you to specify services one
554 per file within a directory. The
556 directive may not be specified from within a service declaration.
559 Sets the Address Space resource limit for the service. One parameter
560 is required, which is either a positive integer representing the number
561 of bytes to set the limit to (K or M may be used to specify
562 kilobytes/megabytes) or "UNLIMITED". Due to the way Linux's libc malloc
563 is implemented, it is more useful to set this limit than rlimit_data,
564 rlimit_rss and rlimit_stack. This resource limit is only implemented on
568 Sets the maximum number of CPU seconds that the service may use.
569 One parameter is required, which is either a positive integer representing
570 the number of CPU seconds limit to, or "UNLIMITED".
573 Sets the maximum data size resource limit for the service.
574 One parameter is required, which is either a positive integer representing
575 the number of bytes or "UNLIMITED".
578 Sets the maximum resident set size limit for the service. Setting this
579 value low will make the process a likely candidate for swapping out to
580 disk when memory is low.
581 One parameter is required, which is either a positive integer representing
582 the number of bytes or "UNLIMITED".
585 Set the maximum stack size limit for the service.
586 One parameter is required, which is either a positive integer representing
587 the number of bytes or "UNLIMITED".
590 Sets the time span that access to all services on all IP addresses are
591 denied to someone that sets off the SENSOR. The unit of time is in minutes.
592 Valid options are: FOREVER, NEVER, and a numeric value. FOREVER causes
593 the IP address not to be purged until xinetd is restarted. NEVER has the
594 effect of just logging the offending IP address. A typical time value would
595 be 60 minutes. This should stop most DOS attacks while allowing IP addresses
596 that come from a pool to be recycled for legitimate purposes. This option
597 must be used in conjunction with the SENSOR flag.
599 You don't need to specify all of the above attributes for each service.
600 The necessary attributes for a service are:
608 (non-\fIinternal\fP services only)
611 (non-\fIinternal\fP services only)
616 (\fIRPC\fP and \fIunlisted\fP services only)
619 (\fIRPC\fP services only)
622 (\fIunlisted\fP RPC services only)
625 (\fIunlisted\fP non-RPC services only)
629 The following attributes support all assignment operators:
645 (does not support the
651 These attributes can also appear more than once in a service entry.
652 The remaining attributes support only the
654 operator and can appear at most once in a service entry.
656 The configuration file may also contain a single defaults entry
666 <attribute> = <value> <value> ...
675 This entry provides default attribute values for service entries that
676 don't specify those attributes. Possible default attributes:
730 Attributes with a cumulative effect can be specified multiple times
731 with the values specified each time accumulating (i.e. '=' does
732 the same thing as '+=').
733 With the exception of
735 they all have the same meaning as if they were specified in a service entry.
737 determines services that are disabled even if they have entries in
738 the configuration file. This allows for quick reconfiguration by
739 specifying disabled services with the
741 attribute instead of commenting them out.
742 The value of this attribute is a list of space separated service ids.
744 has the same properties as disabled. The difference being that
746 is a list of which services are to be enabled. If
748 is specified, only the services specified are available. If
750 is not specified, all services are assumed to be enabled,
751 except those listed in
754 .\" *********************** INTERNAL SERVICES ****************************
755 .SH "INTERNAL SERVICES"
757 \fBxinetd\fP provides the following services internally (both
758 stream and datagram based):
765 These services are under the same access restrictions as all other
766 services except for the ones that don't require \fBxinetd\fP to fork
767 another process for them. Those ones (\fItime\fP, \fIdaytime\fP,
768 and the datagram-based \fIecho\fP, \fIchargen\fP, and \fIdiscard\fP)
769 have no limitation in the number of
772 .\" *********************** TCPMUX Services ****************************
773 .SH "TCPMUX Services"
775 \fBxinetd\fP supports TCPMUX services that conform to RFC 1078. These services
776 may not have a well-known port associated with them, and can be accessed via
777 the TCPMUX well-known port.
779 For each service that is to be accessed via TCPMUX, a service entry in
780 \fB/etc/xinetd.conf\fP or in a configuration file in an \fBincludedir\fP
781 directory must exist.
783 The \fIservice_name\fP field (as defined above for each service in any
785 configuration file) must be identical to the string that is passed (according
786 to RFC 1078 protocol) to \fBxinetd\fP when the remote service requestor first
787 makes the connection on the TCPMUX well-known port. Private protocols should
788 use a service name that has a high probability of being unique. One way is to
789 prepend the service name with some form of organization ID.
791 The \fItype\fP field can be either \fBTCPMUX\fP or \fBTCPMUXPLUS\fP. If the
792 type is \fBTCPMUXPLUS\fP, \fBxinetd\fP will handle the initial protocol
793 handshake (as defined in RFC 1078) with the calling process before initiating
794 the service. If the type is \fBTCPMUX\fP, the server that is started is
795 responsible for performing the handshake.
797 The \fItype\fP field should also include \fBUNLISTED\fP if the service is
798 not listed in a standard system file
803 for non-RPC services).
805 The \fIsocket_type\fP for these services must be \fBstream\fP, and the
806 \fIprotocol\fP must be \fBtcp\fP.
808 Following is a sample TCPMUX service configuration:
829 = /usr/etc/my_server_exec
836 Besides a service entry for each service that can be accessed
837 via the TCPMUX well-known port, a service entry for TCPMUX itself
838 must also be included in the \fBxinetd\fP configuration. Consider the following
867 .\" *********************** NOTES ****************************
870 The following service attributes \fIcannot\fP be changed on reconfiguration:
880 are not specified for a service (either directly or via \fIdefaults\fP)
881 the address check is considered successful (i.e. access will not be
884 The address check is based on the IP address of the remote host and
885 not on its domain address. We do this so that we can avoid
886 remote name lookups which may take a long time (since
888 is single-threaded, a name lookup will prevent the daemon from
889 accepting any other requests until the lookup is resolved).
890 The down side of this scheme is that if the IP address of a remote
891 host changes, then access to that host may be denied until
894 Whether access is actually denied or not will depend on whether the
895 new host IP address is among those allowed access. For example, if
896 the IP address of a host changes from 1.2.3.4 to 1.2.3.5 and
897 only_from is specified as 1.2.3.0 then access will not be denied.
901 log option is specified and the remote host either does not run an
902 identification server or the server sends back a bad reply,
903 access will not be denied unless the
905 service flag is used.
907 Interception works by forking a process which acts as a filter
908 between the remote host(s) and the local server.
909 This obviously has a performance impact so
910 it is up to you to make the compromise between security and performance
912 The following tables show the overhead of interception.
913 The first table shows the time overhead-per-datagram for a UDP-based service
914 using various datagram sizes.
915 For TCP-based services we measured the bandwidth reduction
916 because of interception while sending
917 a certain amount of data from client to server (the time overhead should
918 the same as for UDP-based services but it is "paid" only by the first
919 packet of a continuous data transmission).
920 The amount of data is given
921 in the table as \fIsystem_calls\fPx\fIdata_sent_per_call\fP, i.e.
924 system call transferred so many bytes of data.
925 The bandwidth reduction is given in terms of bytes per second and as
926 a percentage of the bandwidth when interception is not performed.
927 All measurements were done on a SparcStation IPC running SunOS 4.1.
933 Datagram size (bytes)
936 ---------------------
972 .\" *********************** EXAMPLE ****************************
979 # Sample configuration file for xinetd
986 = FILE /var/log/servicelog
992 = 128.138.193.0 128.138.204.0
1003 # Note 1: the protocol attribute is not required
1004 # Note 2: the instances attribute overrides the default
1018 = /usr/etc/in.rlogind
1025 # Note 1: the instances attribute overrides the default
1026 # Note 2: the log_on_success flags are augmented
1064 += DURATION HOST USERID
1066 = 2:00-9:00 12:00-24:00
1070 # Limit telnet sessions to 8 Mbytes of memory and a total
1071 # 20 CPU seconds for child processes.
1084 = /usr/etc/in.telnetd
1093 # This entry and the next one specify internal services. Since
1094 # this is the same service using a different socket type, the
1095 # id attribute is used to uniquely identify each entry
1130 # Sample RPC service
1142 = /usr/etc/rpc.rstatd
1150 = LD_LIBRARY_PATH=/etc/securelib
1155 # Sample unlisted service
1169 = /home/user/some_server
1176 .\" *********************** SEE ALSO ****************************
1183 .IR "Echo Protocol" ,
1188 .IR "Discard Protocol" ,
1193 .IR "Character Generator Protocol" ,
1198 .IR "Daytime Protocol" ,
1202 Postel J., Harrenstien K.,
1203 .IR "Time Protocol" ,
1208 .IR "TCP Port Service Multiplexer (TCPMUX)" ,
1213 .IR " Identification Protocol" ,
1216 .\" *********************** BUGS ****************************
1222 access control on the address of the remote host is not performed when
1223 \fIwait\fP is \fIyes\fP and \fIsocket_type\fP is \fIstream\fP.
1228 access control on the address of the remote host for
1229 services where \fIwait\fP is \fIyes\fP and \fIsocket_type\fP is \fIdgram\fP
1230 is performed only on the first packet. The server may then accept packets
1231 from hosts not in the access control list. This can happen with
1235 There is no way to put a
1237 in an environment variable.
1239 When \fIwait\fP is \fIyes\fP and \fIsocket_type\fP is \fIstream\fP,
1240 the socket passed to the server can only accept connections.
1244 flag is not supported for internal services or multi-threaded services.