On Thu, Oct 18, 2012 at 08:26:16PM +0100, Whiskers wrote:
On Thu, 18 Oct 2012 00:03:57 +0200 Thomas Bächler <thomas@archlinux.org> wrote:
On 17.10.2012 21:29, Whiskers wrote:
Rather than install tcp-wrappers on my Arch system, I'd like to use whatever the proper "server" is nowadays instead of /usr/sbin/tcpd - but what is it?
Why would you replace tcpd with anything? Does it serve any purpose at all?
Thanks for responding.
On a system with tcp-wrappers, tcpd is the "server" which launches leafnode. From man leafnode:
[...]
The leafnode program itself is the NNTP server. It is run from /etc/inetd.conf when someone wants to read news. The other parts of the package, fetchnews and texpire, are responsible for fetching new news from another server, and for deleting old news.
[...]
No network-level access control is supported. This is a deliberate omission: Implementing this is a job which should not be redone for each and every service.
I recommend that either firewalling or tcpd be used for access control.
[...]
Xinetd is the 'new improved' inetd, and the xinetd setup recommended in the Leafnode tarball's README has tcpd as the "server" and leafnode as the "server argument", as in the /etc/xinetd.d/nntp file previously quoted. This of course doesn't work on my Arch system, as tcp-wrappers (and thus, tcpd) is missing.
It's quite simple. Get rid of tcpd as the "server". It's just a wrapper that launches an arbitrary process which doesn't link to libwrap.so so that tcp-wrappers can be used for ACLs. It isn't a requirement -- it's a recommendation.
So I'm trying to work out how to get leafnode available on demand, without using tcp-wrappers and tcpd, but with ufw, and with the new systemd (I've uninstalled initscripts from my system).
Use inetd-style activation via systemd. See sshd@.service and sshd.socket as an example. xinetd is redundant.
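The inetd-style activation Thomas suggests, written out as a socket unit plus a per-connection template service in the pattern of sshd.socket/sshd@.service; this is an added example, not from the thread or the leafnode project, and the /usr/bin/leafnode path and the news user are assumptions to check against your installed package.

```ini
# /etc/systemd/system/nntp.socket
# Listens on the NNTP port; Accept=yes makes systemd spawn one
# nntp@.service instance per incoming connection, exactly as inetd
# would, and hands the connection over on stdin/stdout.
[Unit]
Description=NNTP socket for leafnode (inetd-style activation)

[Socket]
ListenStream=119
Accept=yes

[Install]
WantedBy=sockets.target

# /etc/systemd/system/nntp@.service
# Template unit; the instance name is filled in by systemd for each
# accepted connection. No tcpd in front of it: as the thread says,
# leafnode does no network-level access control itself, so that job
# stays with the host firewall (ufw here).
[Unit]
Description=leafnode NNTP server (per-connection instance)

[Service]
# Assumed path and user; confirm with `pacman -Ql leafnode`.
ExecStart=/usr/bin/leafnode
User=news
StandardInput=socket
StandardOutput=socket
StandardError=journal
```

Enable with `systemctl enable --now nntp.socket` and confirm the listener with `systemctl list-sockets`; nothing runs until a client connects.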