INETD(8) System Manager's Manual INETD(8)
inetd, inetd.conf -- internet ``super-server''
inetd [-d] [-l] [configuration file]
inetd should be run at boot time by /etc/rc (see rc(8)). It then opens
sockets according to its configuration and listens for connections. When
a connection is found on one of its sockets, it decides what service the
socket corresponds to, and invokes a program to service the request.
After the program is finished, it continues to listen on the socket
(except in some cases which will be described below). Essentially, inetd
allows running one daemon to invoke several others, reducing load on the
The options available for inetd:
-d Turns on debugging.
-l Turns on libwrap connection logging.
Upon execution, inetd reads its configuration information from a
configuration file which, by default, is /etc/inetd.conf. The path given
for this configuration file must be absolute, unless the -d option is
also given on the command line. There must be an entry for each field of
the configuration file, with entries for each field separated by a tab or
a space. Comments are denoted by a ``#'' at the beginning of a line.
There must be an entry for each field (except for one special case,
described below). The fields of the configuration file are as follows:
server program arguments
To specify an Sun-RPC based service, the entry would contain these
server program arguments
To specify a UNIX-domain (local) socket, the entry would contain these
server program arguments
For Internet services, the first field of the line may also have a host
address specifier prefixed to it, separated from the service name by a
colon. If this is done, the string before the colon in the first field
indicates what local address inetd should use when listening for that
service, or the single character ``*'' to indicate INADDR_ANY, meaning
`all local addresses'. To avoid repeating an address that occurs
frequently, a line with a host address specifier and colon, but no
further fields, causes the host address specifier to be remembered and
used for all further lines with no explicit host specifier (until another
such line or the end of the file). A line
is implicitly provided at the top of the file; thus, traditional
configuration files (which have no host address specifiers) will be
interpreted in the traditional manner, with all services listened for on
all local addresses.
The service-name entry is the name of a valid service in the file
/etc/services. For ``internal'' services (discussed below), the service
name must be the official name of the service (that is, the first entry
in /etc/services). When used to specify a Sun-RPC based service, this
field is a valid RPC service name in the file /etc/rpc. The part on the
right of the ``/'' is the RPC version number. This can simply be a
single numeric argument or a range of versions. A range is bounded by
the low version to the high version - ``rusers/1-3''.
The socket-type should be one of ``stream'', ``dgram'', ``raw'', ``rdm'',
or ``seqpacket'', depending on whether the socket is a stream, datagram,
raw, reliably delivered message, or sequenced packet socket.
Optionally, an accept_filter(9) can be specified by appending a colon to
the socket-type, followed by the name of the desired accept filter. In
this case inetd will not see new connections for the specified service
until the accept filter decides they are ready to be handled.
The protocol must be a valid protocol as given in /etc/protocols or the
string ``unix''. Examples might be ``tcp'' and ``udp''. Rpc based
services are specified with the ``rpc/tcp'' or ``rpc/udp'' service type.
``tcp'' and ``udp'' will be recognized as ``TCP or UDP over default IP
version''. It is currently IPv4, but in the future it will be IPv6. If
you need to specify IPv4 or IPv6 explicitly, use something like ``tcp4''
or ``udp6''. If you would like to enable special support for faithd(8),
prepend a keyword ``faith'' into protocol, like ``faith/tcp6''.
In addition to the protocol, the configuration file may specify the send
and receive socket buffer sizes for the listening socket. This is
especially useful for TCP as the window scale factor, which is based on
the receive socket buffer size, is advertised when the connection
handshake occurs, thus the socket buffer size for the server must be set
on the listen socket. By increasing the socket buffer sizes, better TCP
performance may be realized in some situations. The socket buffer sizes
are specified by appending their values to the protocol specification as
A literal value may be specified, or modified using `k' to indicate
kilobytes or `m' to indicate megabytes. Socket buffer sizes may be
specified for all services and protocols except for tcpmux services.
The wait/nowait entry is used to tell inetd if it should wait for the
server program to return, or continue processing connections on the
socket. If a datagram server connects to its peer, freeing the socket so
inetd can receive further messages on the socket, it is said to be a
``multi-threaded'' server, and should use the ``nowait'' entry. For
datagram servers which process all incoming datagrams on a socket and
eventually time out, the server is said to be ``single-threaded'' and
should use a ``wait'' entry. comsat(8) (biff(1)) and ntalkd(8) are both
examples of the latter type of datagram server. tftpd(8) is an
exception; it is a datagram server that establishes pseudo-connections.
It must be listed as ``wait'' in order to avoid a race; the server reads
the first packet, creates a new socket, and then forks and exits to allow
inetd to check for new service requests to spawn new servers. The
optional ``max'' suffix (separated from ``wait'' or ``nowait'' by a dot
or a colon) specifies the maximum number of server instances that may be
spawned from inetd within an interval of 60 seconds. When omitted,
``max'' defaults to 40. If it reaches this maximum spawn rate, inetd
will log the problem (via the syslogger using the LOG_DAEMON facility and
LOG_ERR level) and stop handling the specific service for ten minutes.
Stream servers are usually marked as ``nowait'' but if a single server
process is to handle multiple connections, it may be marked as ``wait''.
The master socket will then be passed as fd 0 to the server, which will
then need to accept the incoming connection. The server should
eventually time out and exit when no more connections are active. inetd
will continue to listen on the master socket for connections, so the
server should not close it when it exits. identd(8) is usually the only
stream server marked as wait.
The user entry should contain the user name of the user as whom the
server should run. This allows for servers to be given less permission
than root. Optionally, a group can be specified by appending a colon to
the user name, followed by the group name (it is possible to use a dot
(``.'') in lieu of a colon, however this feature is provided only for
backward compatibility). This allows for servers to run with a different
(primary) group id than specified in the password file. If a group is
specified and user is not root, the supplementary groups associated with
that user will still be set.
The server-program entry should contain the pathname of the program which
is to be executed by inetd when a request is found on its socket. If
inetd provides this service internally, this entry should be
The server program arguments should be just as arguments normally are,
starting with argv, which is the name of the program. If the service
is provided internally, the word ``internal'' should take the place of
this entry. It is possible to quote an argument using either single or
double quotes. This allows you to have, e.g., spaces in paths and
inetd provides several "trivial" services internally by use of routines
within itself. These services are "echo", "discard", "chargen"
(character generator), "daytime" (human readable time), and "time"
(machine readable time, in the form of the number of seconds since
midnight, January 1, 1900 GMT). For details of these services, consult
the appropriate RFC.
TCP services without official port numbers can be handled with the
RFC1078-based tcpmux internal service. TCPmux listens on port 1 for
requests. When a connection is made from a foreign host, the service
name requested is passed to TCPmux, which performs a lookup in the
service name table provided by /etc/inetd.conf and returns the proper
entry for the service. TCPmux returns a negative reply if the service
doesn't exist, otherwise the invoked server is expected to return the
positive reply if the service type in /etc/inetd.conf file has the prefix
"tcpmux/". If the service type has the prefix "tcpmux/+", TCPmux will
return the positive reply for the process; this is for compatibility with
older server code, and also allows you to invoke programs that use
stdin/stdout without putting any special server code in them. Services
that use TCPmux are "nowait" because they do not have a well-known port
number and hence cannot listen for new requests.
inetd rereads its configuration file when it receives a hangup signal,
SIGHUP. Services may be added, deleted or modified when the
configuration file is reread. inetd creates a file /var/run/inetd.pid
that contains its process identifier.
Support for TCP wrappers is included with inetd to provide internal tcpd-
like access control functionality. An external tcpd program is not
needed. You do not need to change the /etc/inetd.conf server-program
entry to enable this capability. inetd uses /etc/hosts.allow and
/etc/hosts.deny for access control facility configurations, as described
Nota Bene: TCP wrappers do not affect/restrict UDP or internal services.
The implementation includes a tiny hack to support IPsec policy settings
for each socket. A special form of the comment line, starting with
``#@'', is used as a policy specifier. The content of the above comment
line will be treated as a IPsec policy string, as described in
ipsec_set_policy(3). Multiple IPsec policy strings may be specified by
using a semicolon as a separator. If conflicting policy strings are
found in a single line, the last string will take effect. A #@ line
affects all of the following lines in /etc/inetd.conf, so you may want to
reset the IPsec policy by using a comment line containing only #@ (with
no policy string).
If an invalid IPsec policy string appears in /etc/inetd.conf, inetd logs
an error message using syslog(3) and terminates itself.
IPv6 TCP/UDP behavior
If you wish to run a server for both IPv4 and IPv6 traffic, you will need
to run two separate processes for the same server program, specified as
two separate lines in /etc/inetd.conf using ``tcp4'' and ``tcp6''
respectively. Plain ``tcp'' means TCP on top of the current default IP
version, which is, at this moment, IPv4.
Under various combination of IPv4/v6 daemon settings, inetd will behave
o If you have only one server on ``tcp4'', IPv4 traffic will be routed
to the server. IPv6 traffic will not be accepted.
o If you have two servers on ``tcp4'' and ``tcp6'', IPv4 traffic will
be routed to the server on ``tcp4'', and IPv6 traffic will go to
server on ``tcp6''.
o If you have only one server on ``tcp6'', only IPv6 traffic will be
routed to the server. The kernel may route to the server IPv4
traffic as well, under certain configuration. See ip6(4) for
/etc/inetd.conf configuration file for all inetd provided services
/etc/services service name to protocol and port number mappings.
/etc/protocols protocol name to protocol number mappings
/etc/rpc Sun-RPC service name to service number mappings.
/etc/hosts.allow explicit remote host access list.
/etc/hosts.deny explicit remote host denial of service list.
hosts_access(5), hosts_options(5), protocols(5), rpc(5), services(5),
comsat(8), fingerd(8), ftpd(8), rexecd(8), rlogind(8), rshd(8),
J. Postel, Echo Protocol, RFC, 862, May 1983.
J. Postel, Discard Protocol, RFC, 863, May 1983.
J. Postel, Character Generator Protocol, RFC, 864, May 1983.
J. Postel, Daytime Protocol, RFC, 867, May 1983.
J. Postel and K. Harrenstien, Time Protocol, RFC, 868, May 1983.
M. Lottor, TCP port service Multiplexer (TCPMUX), RFC, 1078, November
The inetd command appeared in 4.3BSD. Support for Sun-RPC based services
is modeled after that provided by SunOS 4.1. Support for specifying the
socket buffer sizes was added in NetBSD 1.4. In November 1996, libwrap
support was added to provide internal tcpd-like access control
functionality; libwrap is based on Wietse Venema's tcp_wrappers. IPv6
support and IPsec hack was made by KAME project, in 1999.
Host address specifiers, while they make conceptual sense for RPC
services, do not work entirely correctly. This is largely because the
portmapper interface does not provide a way to register different ports
for the same service on different local addresses. Provided you never
have more than one entry for a given RPC service, everything should work
correctly (Note that default host address specifiers do apply to RPC
lines with no explicit specifier.)
``tcpmux'' on IPv6 is not tested enough.
Enabling the ``echo'', ``discard'', and ``chargen'' built-in trivial
services is not recommended because remote users may abuse these to cause
a denial of network service to or from the local host.
NetBSD 6.1.5 August 27, 2008 NetBSD 6.1.5