History of the inetdconf module for Linuxconf

2.0 010331
xinetd implemented
- Accepts a configuration file according to the xinetd standard, with all services in one file (/etc/xinetd.conf) or the way it is done in RedHat 7 with includedir (/etc/xinetd.d) and one file per service.
- The inetd dialog is extended to include:
  . Security: Interface, Only from, No access from, Access time, intercept packages, require identification.
  . Log: Default Syslog: Facility, Level. File: Filename, Soft limit and hard limit.
  . On success info: Process id, remote host address, remote host user id, server exit status, session duration.
  . On failure info: Remote host address, remote host user id, failed attempts, record information.
  . Advanced: RPC Service, Internal service, Unlisted service, priority, reuse socket address, do not retry.
- Some limitations:
  . Default values are not handled at all (except enabled/disabled, which is located in this section).
  . If /etc/xinetd.conf exists then /etc/inetd.conf is ignored.
- Menu entry "Control service activity" enhanced. Protocol type is shown when there are duplicate service names.

1.9 000504
/etc/inetdconf:
- Now uses pkg_api in RedHat systems to show info and control of packages where servers are included.

1.8 000427
/etc/inetd.conf:
- Checks are now made if server programs exist when a service is activated. /usr/sbin is assumed to be the directory where daemons live when tcpd is used.
- Two new command line options:
  . "linuxconf --modulemain inetdconf --server-path --check"
  . "linuxconf --modulemain inetdconf --server-path --check-update"
  These commands log any service where the server path is invalid. The last also disables them in /etc/inetd.conf.
- New module apis:
  . server_path_check()
  . server_path_check_update()
  . enable_service( argc,service,enable )
Firewall:
- New tab window in internet firewall with the name "Basic information" containing things belonging to the internet interface.
- New tab window in internet firewall with the name "Advanced" containing:
  . Deny icmp echo-request (ping) and redirect at input on internet interface (default deny).
  . Deny icmp time-exceeded (traceroute) at output on internet interface (default deny).
- New module apis:
  . firewall_enable( argc,service )
  . firewall_disable()
  . firewall_edit()

1.7 000409
Firewall:
- Script and configuration are now placed in "/etc/heimdall". Names of these are "firewall.sh" and "firewall.conf". The previous location "/usr/lib/linuxconf/lib" was not a good place for these.
- SIGQUIT is now used to stop the firewall daemon instead of SIGTERM. This signal will now be used when the firewall is deactivated in the dialog. Since version 1.6 SIGTERM no longer removes firewall rules.
Inetdconf:
- "nowait" was replaced by "wait" in /etc/inetd.conf when updating this file. Fixed (update sent previously for Linuxconf version 1.17.r10).

1.6 000401
- RFC1918 local net was not correctly computed. Fixed.
- Daemon:
  SIGTERM: stops the daemon without removing the firewall. Intended for system shutdown. Conforms to sysv-scripts.
  SIGHUP: execution of script.
  SIGINT and SIGQUIT: executes firewall stop and exits.

1.5 000323
Linuxconf: module inetdconf: Firewall
- If the daemon is activated the firewall config file is updated. The script is written in any case. The daemon start/stop is done as usual by Act/Changes.
- Setting of detail level for the daemon to log in the system log, and number of polls per second.
- The script is generated to do masquerading/NAT only if the local network is using an address corresponding to RFC1918 (10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16).
- Generation of the script is now done so that it should be possible to use it on a Linux computer on a local network with access to the internet through a gateway.
- The script creates two new chains, for input and output on the internet interface. This makes it possible to combine with other firewalls (at least in principle).
- The output chain ensures that only packets with a source ip address equal to the interface address are accepted.
- The input chain denies icmp broadcasts, accepts allowed services and ports above 1023, and denies everything else.
- Interfaces are now determined by reading /proc/net/dev instead of /proc/net/route (which can be both confusing and incorrect).
- Interface sl0 is never accepted as the internet route. If diald is running the user is asked to bring up the link.
- Command line interfaces:
  To enable/disable services in /etc/inetd.conf:
    linuxconf --modulemain inetdconf --enable [service ...]
    linuxconf --modulemain inetdconf --disable [service ...]
  To activate the firewall daemon using reasonable default values:
    linuxconf --modulemain inetdconf --firewall --enable
    linuxconf --update
  To disable the firewall (leaving forwarding in place):
    linuxconf --modulemain inetdconf --firewall --disable
    linuxconf --update

Firewall daemon
- A new daemon program to execute the firewall script whenever an interface or ip address changes. The daemon approach was chosen as it solves the problem of changing interfaces and ip addresses on a dial up connection.
- The daemon checks its configuration file and firewall script for changes. When a change is detected the file is parsed/executed again, so a restart should never be necessary. These files reside in /usr/lib/linuxconf/lib/. The name of the script has changed from the earlier version and is now "firewall.sh". The config file is "firewall.conf".
- The daemon has no logic to decide which interfaces are "interesting" from a firewall point of view, so at start up it will execute the firewall script for all interfaces one at a time. The firewall will be affected only when the internet interface parameter is supplied to the script.
- The daemon parses its configuration file, which contains the name of the firewall script, the number of polls per second and the level of verbosity (three levels) to the system log (LOG_INFO).
- Signals: Hangup: execution of script. Interrupt, Quit and Terminate all make the daemon execute firewall stop (leaving forwarding active) and then exit.
- Needed system resources are small. About 380K and 0.3% cpu utilization (on a 90MHz Pentium) at 10 polls/second.
- The daemon can be run standalone using any script. See: /usr/lib/linuxconf/lib/firewalld -h

Daemon name
I first decided to name the daemon "heimdall" but then I reconsidered as I do not see it quite living up to such a powerful mythological name. Maybe I will change my mind later on. For now the daemon is named "firewalld". Not very imaginative I'm afraid. Anyway, here is a description of Heimdall:
Heimdall (also spelled Heimdal or Heimdallr), in Norse mythology, one of the Aesir, watchman of the gods, guardian of the heavenly realm of Asgard, and ruler of holy places. He was the perfect god to act as sentinel, since he needed less sleep than a bird, and because his senses were very acute: he could see to a distance of a hundred leagues equally well by night or day; he could hear every sound, even the sound of grass growing upon the earth and wool growing on sheep.

1.4 000216
- Internet input firewall. This firewall makes some assumptions and may not work for everyone. Basically it locates all processes listening on unconnected sockets. This list is presented with a clickable button to enable connections on the internet interface.
- The firewall is activated through a script which can be started either as an rc-script (complete with start, stop and status commands) or an ip-up script for dynamic ip-addresses.
- The firewall assumes that any local network wants masquerading for access to the internet.
- It also assumes free access to services on the local network (for now).
- Editing of /etc/hosts.allow and /etc/hosts.deny through two new menu entries. Lists servers started by tcpd, as only these are allowed.

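The server-path check added in 1.8 above (a tcpd-wrapped entry is resolved to the daemon named after tcpd, assumed to live in /usr/sbin) and the comment-versus-service heuristic from the 1.0 entry below, shown together as an added Python example; this is not the module's own code. The /etc/inetd.conf fragment, the file-system contents used by the check and the line-number based disabling are constructed for the example.

```python
import os
from dataclasses import dataclass
from typing import List, Optional

# Constructed /etc/inetd.conf fragment for this example (not from any real host).
SAMPLE_INETD_CONF = """\
# <service> <socket> <proto> <wait> <user> <server_path> <args>
echo    stream  tcp  nowait  root    internal
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd      in.ftpd -l -a
#finger stream  tcp  nowait  nobody  /usr/sbin/tcpd      in.fingerd
bogus   stream  tcp  nowait  root    /usr/sbin/tcpd      in.doesnotexist
talk    dgram   udp  wait    root    /usr/sbin/in.talkd  in.talkd
"""
MIN_FIELDS = 6            # service socket proto wait user server; fewer words = comment
TCPD = "/usr/sbin/tcpd"
DAEMON_DIR = "/usr/sbin"  # assumed home of daemons wrapped by tcpd (as in the 1.8 entry)


@dataclass
class Service:
    lineno: int                # 1-based line in the file, so edits keep all comments
    name: str
    enabled: bool              # a leading '#' means the entry is disabled
    server: Optional[str]      # daemon that really serves; None for inetd builtins


def parse_inetd_conf(text: str) -> List[Service]:
    services = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        fields = line.lstrip("#").split()
        # Comments are told apart from (possibly disabled) service lines by word count
        # and a syntactically valid wait/nowait[.max] field, not by the leading '#'.
        if len(fields) < MIN_FIELDS or fields[3].split(".")[0] not in ("wait", "nowait"):
            continue
        server = fields[5]
        if server == TCPD and len(fields) > 6:   # tcpd execs the daemon named next
            server = fields[6] if os.path.isabs(fields[6]) else os.path.join(DAEMON_DIR, fields[6])
        services.append(Service(lineno, fields[0], not line.startswith("#"),
                                None if server == "internal" else server))
    return services


def check_server_paths(services: List[Service], exists=os.path.exists) -> List[Service]:
    """Enabled services whose (tcpd-resolved) server program does not exist."""
    return [s for s in services if s.enabled and s.server and not exists(s.server)]


def disable_lines(text: str, linenos: List[int]) -> str:
    """Comment out the given lines in place, leaving every other line untouched."""
    lines = text.splitlines(keepends=True)
    for n in linenos:
        lines[n - 1] = "#" + lines[n - 1]
    return "".join(lines)
```

Running check_server_paths over a parsed file and feeding the offending line numbers to disable_lines mirrors what "--server-path --check-update" does: only the broken entries change, every comment and the original order survive.
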
1.3 000121
- Check for already active identical service (re port & protocol) failed when editing was done from "Control Service Activity". Fixed.
- Some more input checks.

1.2 000113
- While editing existing entries, protocols are limited to what is found in /etc/services.
- Port numbers are reported reliably. There is at least one service (echo) which can exist on more than one port.
- API to Control Service Activity is enhanced. Now all services are reported directly. Editing can be done. Services are reported as "Enabled" or "Disabled". If enabled they are also reported as running "On demand".

1.1 000109
- Dialog lists are now sorted by service name. Config file order is left intact.
- Changed dialog for inetd.conf. Combo boxes used in a few more places: fields user, group and path.
- Added /usr/sbin/tcpd as Linuxconf command.
- Allows two or more identical services as long as only one is active at a time.
- Many more input checks.
- Added check of modification time so that another person's editing is discovered (in which case updating is aborted). Still ... as the parsing is based on line numbers, another person's editing may be lost if done at the same time.
- Added api to menu entry "Control service activity". This is not finished. At the moment it is not possible to override an entry in this list. Having duplicate entries is not acceptable. Now inetdconf shows up as "inetdconf" and when selected normal editing is started.
- Added enable/disable service as options. Syntax:
    "linuxconf --modulemain inetdconf --enable service [service ...]"
    "linuxconf --modulemain inetdconf --disable service [service ...]"
  These options write /etc/inetd.conf once for every service entered. Only one write should occur.
- Changed the misnamed field text "Delay" to "Concurrent processes" for the "wait" and "nowait" concept.
- Updated help files.

1.0 991220
- Basic editing of /etc/inetd.conf and /etc/services.
- Parsing is based on line number so all comments are preserved.
- Pure comment lines are separated from service lines by a minimum number of syntactically correct words.

Torbjörn Gard
tgard@netg.se