INETD(8)                NetBSD System Manager's Manual                INETD(8)

     inetd, inetd.conf - internet ``super-server''

     inetd [-d] [-l] [configuration file]

     inetd should be run at boot time by /etc/rc (see rc(8)).  It then listens
     for connections on certain internet sockets.  When a connection is found
     on one of its sockets, it decides what service the socket corresponds to,
     and invokes a program to service the request.  After the program is fin-
     ished, it continues to listen on the socket (except in some cases which
     will be described below).  Essentially, inetd allows running one daemon
     to invoke several others, reducing load on the system.

     The options available for inetd:

     -d      Turns on debugging.

     -l      Turns on libwrap connection logging.

     Upon execution, inetd reads its configuration information from a configu-
     ration file which, by default, is /etc/inetd.conf.  The path given for
     this configuration file must be absolute, unless the -d option is also
     given on the command line.  There must be an entry for each field of the
     configuration file, with entries for each field separated by a tab or a
     space.  Comments are denoted by a ``#'' at the beginning of a line.
     There must be an entry for each field (except for one special case, de-
     scribed below).  The fields of the configuration file are as follows:

           server program arguments

     To specify an Sun-RPC based service, the entry would contain these

           server program arguments

     For Internet services, the first field of the line may also have a host
     address specifier prefixed to it, separated from the service name by a
     colon.  If this is done, the string before the colon in the first field
     indicates what local address inetd should use when listening for that
     service, or the single character ``*'' to indicate INADDR_ANY, meaning
     `all local addresses'.  To avoid repeating an address that occurs fre-
     quently, a line with a host address specifier and colon, but no further
     fields, causes the host address specifier to be remembered and used for
     all further lines with no explicit host specifier (until another such
     line or the end of the file).  A line
     is implicitly provided at the top of the file; thus, traditional configu-
     ration files (which have no host address specifiers) will be interpreted
     in the traditional manner, with all services listened for on all local

     The service-name entry is the name of a valid service in the file
     /etc/services.  For ``internal'' services (discussed below), the service
     name must be the official name of the service (that is, the first entry
     in /etc/services).  When used to specify a Sun-RPC based service, this
     field is a valid RPC service name in the file /etc/rpc.  The part on the
     right of the ``/'' is the RPC version number.  This can simply be a sin-
     gle numeric argument or a range of versions.  A range is bounded by the
     low version to the high version - ``rusers/1-3''.

     The socket-type should be one of ``stream'', ``dgram'', ``raw'', ``rdm'',
     or ``seqpacket'', depending on whether the socket is a stream, datagram,
     raw, reliably delivered message, or sequenced packet socket.

     The protocol must be a valid protocol as given in /etc/protocols.  Exam-
     ples might be ``tcp'' and ``udp''.  Rpc based services are specified with
     the ``rpc/tcp'' or ``rpc/udp'' service type.  ``tcp'' and ``udp'' will be
     recognized as ``TCP or UDP over default IP version''.  It is currently
     IPv4, but in the future it will be IPv6.  If you need to specify IPv4 or
     IPv6 explicitly, use something like ``tcp4'' or ``udp6''.  If you would
     like to enable special support for faithd(8), prepend a keyword ``faith''
     into protocol, like ``faith/tcp6''.

     In addition to the protocol, the configuration file may specify the send
     and receive socket buffer sizes for the listening socket.  This is espe-
     cially useful for TCP as the window scale factor, which is based on the
     receive socket buffer size, is advertised when the connection handshake
     occurs, thus the socket buffer size for the server must be set on the
     listen socket.  By increasing the socket buffer sizes, better TCP perfor-
     mance may be realized in some situations.  The socket buffer sizes are
     specified by appending their values to the protocol specification as fol-


     A literal value may be specified, or modified using `k' to indicate kilo-
     bytes or `m' to indicate megabytes.  Socket buffer sizes may be specified
     for all services and protocols except for tcpmux services.

     The wait/nowait entry is used to tell inetd if it should wait for the
     server program to return, or continue processing connections on the sock-
     et.  If a datagram server connects to its peer, freeing the socket so in-
     etd can receive further messages on the socket, it is said to be a
     ``multi-threaded'' server, and should use the ``nowait'' entry.  For
     datagram servers which process all incoming datagrams on a socket and
     eventually time out, the server is said to be ``single-threaded'' and
     should use a ``wait'' entry.  comsat(8) (biff(1)) and talkd(8) are both
     examples of the latter type of datagram server.  tftpd(8) is an excep-
     tion; it is a datagram server that establishes pseudo-connections.  It
     must be listed as ``wait'' in order to avoid a race; the server reads the
     first packet, creates a new socket, and then forks and exits to allow in-
     etd to check for new service requests to spawn new servers.  The optional
     ``max'' suffix (separated from ``wait'' or ``nowait'' by a dot or a
     colon) specifies the maximum number of server instances that may be
     spawned from inetd within an interval of 60 seconds.  When omitted,
     ``max'' defaults to 40.

     Stream servers are usually marked as ``nowait'' but if a single server
     process is to handle multiple connections, it may be marked as ``wait''.
     The master socket will then be passed as fd 0 to the server, which will
     then need to accept the incoming connection.  The server should eventual-
     ly time out and exit when no more connections are active.  inetd will
     continue to listen on the master socket for connections, so the server
     should not close it when it exits.  identd(8) is usually the only stream
     server marked as wait.

     The user entry should contain the user name of the user as whom the serv-
     er should run.  This allows for servers to be given less permission than
     root.  Optionally, a group can be specified by appending a colon to the
     user name, followed by the group name (it is possible to use a dot
     (``.'') in lieu of a colon, however this feature is provided only for
     backward compatibility).  This allows for servers to run with a different
     (primary) group id than specified in the password file.  If a group is
     specified and user is not root, the supplementary groups associated with
     that user will still be set.

     The server-program entry should contain the pathname of the program which
     is to be executed by inetd when a request is found on its socket.  If in-
     etd provides this service internally, this entry should be ``internal''.

     The server program arguments should be just as arguments normally are,
     starting with argv[0], which is the name of the program.  If the service
     is provided internally, the word ``internal'' should take the place of
     this entry.

   Internal Services
     inetd provides several "trivial" services internally by use of routines
     within itself.  These services are "echo", "discard", "chargen" (charac-
     ter generator), "daytime" (human readable time), and "time" (machine
     readable time, in the form of the number of seconds since midnight, Jan-
     uary 1, 1900 GMT).  For details of these services, consult the appropri-
     ate RFC.

     TCP services without official port numbers can be handled with the
     RFC1078-based tcpmux internal service.  TCPmux listens on port 1 for re-
     quests.  When a connection is made from a foreign host, the service name
     requested is passed to TCPmux, which performs a lookup in the service
     name table provided by /etc/inetd.conf and returns the proper entry for
     the service.  TCPmux returns a negative reply if the service doesn't ex-
     ist, otherwise the invoked server is expected to return the positive re-
     ply if the service type in /etc/inetd.conf file has the prefix "tcpmux/".
     If the service type has the prefix "tcpmux/+", TCPmux will return the
     positive reply for the process; this is for compatibility with older
     server code, and also allows you to invoke programs that use stdin/stdout
     without putting any special server code in them.  Services that use TCP-
     mux are "nowait" because they do not have a well-known port nubmer and
     hence cannot listen for new requests.

     inetd rereads its configuration file when it receives a hangup signal,
     SIGHUP.  Services may be added, deleted or modified when the configura-
     tion file is reread.  inetd creates a file /var/run/ that con-
     tains its process identifier.

     Support for TCP wrappers is included with inetd to provide internal tcpd-
     like access control functionality.  An external tcpd program is not need-
     ed.  You do not need to change the /etc/inetd.conf server-program entry
     to enable this capability.  inetd uses /etc/hosts.allow and
     /etc/hosts.deny for access control facility configurations, as described
     in hosts_access(5).

     The implementation includes a tiny hack to support IPsec policy settings
     for each socket.  A special form of the comment line, starting with
     ``#@'', is used as a policy specifier.  The content of the above comment
     line will be treated as a IPsec policy string, as described in
     ipsec_set_policy(3).  Multiple IPsec policy strings may be specified by
     using a semicolon as a separator.  If conflicting policy strings are
     found in a single line, the last string will take effect.  A #@ line af-
     fects all of the following lines in /etc/inetd.conf, so you may want to
     reset the IPsec policy by using a comment line containing only #@ (with
     no policy string).

     If an invalid IPsec policy string appears in /etc/inetd.conf, inetd logs
     an error message using syslog(3) and terminates itself.

   IPv6 TCP/UDP behavior
     If you wish to run a server for IPv4 and IPv6 traffic, you'll need to run
     two separate process for the same server program, specified as two sepa-
     rate lines on /etc/inetd.conf, for ``tcp4'' and ``tcp6''.  ``tcp'' means
     TCP on top of currently-default IP version, which is, at this moment,

     Under various combination of IPv4/v6 daemon settings, inetd will behave
     as follows:
     +   If you have only one server on ``tcp4'', IPv4 traffic will be routed
         to the server.  IPv6 traffic will not be accepted.
     +   If you have two servers on ``tcp4'' and ``tcp6'', IPv4 traffic will
         be routed to the server on ``tcp4'', and IPv6 traffic will go to
         server on ``tcp6''.
     +   If you have only one server on ``tcp6'', only IPv6 traffic will be
         routed to the server.  The kernel may route to the server IPv4 traf-
         fic as well, under certain configuration.  See ip6(4) for details.

     /etc/inetd.conf   configuration file for all inetd provided services
     /etc/services     service name to protocol and port number mappings.
     /etc/protocols    protocol name to protocol number mappings
     /etc/rpc          Sun-RPC service name to service number mappings.
     /etc/hosts.allow  explicit remote host access list.
     /etc/hosts.deny   explicit remote host denial of service list.

     hosts_access(5), hosts_options(5), protocols(5), rpc(5), services(5),
     comsat(8), fingerd(8), ftpd(8), rexecd(8), rlogind(8), rshd(8),
     telnetd(8), tftpd(8)

     J. Postel, Echo Protocol, RFC, 862, May 1983.

     J. Postel, Discard Protocol, RFC, 863, May 1983.

     J. Postel, Character Generator Protocol, RFC, 864, May 1983.

     J. Postel, Daytime Protocol, RFC, 867, May 1983.

     J. Postel and K. Harrenstien, Time Protocol, RFC, 868, May 1983.

     M. Lottor, TCP port service Multiplexer (TCPMUX), RFC, 1078, November

     The inetd command appeared in 4.3BSD.  Support for Sun-RPC based services
     is modeled after that provided by SunOS 4.1.  Support for specifying the
     socket buffer sizes was added in NetBSD 1.4.  In November 1996, libwrap
     support was added to provide internal tcpd-like access control function-
     ality; libwrap is based on Wietse Venema's tcp_wrappers.  IPv6 support
     and IPsec hack was made by KAME project, in 1999.

     Host address specifiers, while they make conceptual sense for RPC ser-
     vices, do not work entirely correctly.  This is largely because the
     portmapper interface does not provide a way to register different ports
     for the same service on different local addresses.  Provided you never
     have more than one entry for a given RPC service, everything should work
     correctly (Note that default host address specifiers do apply to RPC
     lines with no explicit specifier.)

     ``tcpmux'' on IPv6 is not tested enough.

     Enabling the ``echo'', ``discard'', and ``chargen'' built-in trivial ser-
     vices is not recommended because remote users may abuse these to cause a
     denial of network service to or from the local host.

NetBSD 1.6                      March 10, 2001                               5

You can also request any man page by name and (optionally) by section:


Use the DEFAULT collection to view manual pages for third-party software.

©1994 Man-cgi 1.15, Panagiotis Christias
©1996-2018 Modified for NetBSD by Kimmo Suominen