Restricting inetd started service to a specific bind address

Ralph Grothe
Honored Contributor

Hello,

I need a certain service that is started through inetd to bind itself to only a particular IP address instead of to every available one, as is the default behaviour.

On Linux boxes, which for ages have been using xinetd on nearly every distro, this is absolutely easy to achieve by using the "bind" directive within the respective service's individual section of the xinetd.conf configuration.

Although xinetd as well as tcpwrappers (the latter of which I would assume might also have some sort of optional bind restriction) are part of HP's InternetExpress bundle, unfortunately HP have discontinued availability of this repository for HP-UX 11.11 (does anyone know why?).

Sadly, the service where I need a restricted bind only offers this when started stand-alone, as a comment from its config file states:

# SERVER ADDRESS
# Address that nrpe should bind to in case there are more than one interface
# and you do not want nrpe to bind on all interfaces.
# NOTE: This option is ignored if NRPE is running under either inetd or xinetd


Well, ok, as a last resort I could start it stand-alone via init.
But I would prefer (x)inetd because the service is only used by a single client (i.e. my Nagios server), and then at most only every 5-10 minutes.
Also, it makes adding or modifying check commands much easier, since no restart is required afterwards, as would be the case for the init script variant.

Are there any other viable solutions for inetd services (apart from maybe some host-based packet filter)?

Regards
Ralph



Madness, thy name is system administration
5 REPLIES
Dennis Handly
Acclaimed Contributor
Solution

Re: Restricting inetd started service to a specific bind address

>HP have discontinued availability of InternetExpress for 11.11 (does anyone know why?).

Perhaps because they want you to use 11.31?
You do know you have a copy of InternetExpress on your 11.11 installation CDs.
http://www.hp.com/go/internetexpress
Internet Express for HP-UX 11i v1 is available as version A.10.00 in the OE/AR media kit 0803. This is the last release for HP-UX 11i v1 and no new versions are available as a Software Depot download.
kobylka
Valued Contributor

Re: Restricting inetd started service to a specific bind address

Hello Ralph!

The difference between a standalone server and a (x)inetd operated server is architectural, not functional:

When inetd starts a server (external in this case) it passes the accepted incoming socket connection (the client that connected) to the server process in file descriptors 0, 1 and 2. This leaves the server process with no chance to bind anywhere, as the socket was already created AND bound by (x)inetd. This *should* be the reason for the "NOTE" in NRPE's conf file.

Therefore, if you could get xinetd for your OS version, give it a try with NRPE using the correct IP (bind directive) and port number (port directive) in xinetd.conf and you should be done.

Regards,

Kobylka
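The two mechanisms discussed above (the xinetd "bind" directive in Ralph's question and the accepted-socket-on-fd-0 hand-off in kobylka's reply) can be demonstrated in one small program. The following is an added example, not code from the thread, from NRPE or from HP; it is a hypothetical wrapper for classic inetd that uses getsockname() on fd 0 to learn which local address the connection arrived on and refuses to exec the real service if it is not the permitted one. The inetd.conf line, the xinetd stanza, the paths and the address 10.0.0.5 in the comments are assumptions for illustration; the loopback pair builder exists only so the check can be exercised without inetd.

```c
/* localcheck.c - added example (not part of the thread, NRPE or HP-UX).
 *
 * A "stream tcp nowait" inetd service gets the already-accepted connection
 * on fds 0, 1 and 2, so it cannot choose a bind address. It can still ask
 * the kernel which local address the connection arrived on (getsockname)
 * and refuse to serve when that is not the intended one. This wrapper does
 * that check, then execs the real service on the same descriptors.
 *
 * Assumed inetd.conf line (hypothetical paths, BSD/HP-UX inetd syntax):
 *   nrpe stream tcp nowait nagios /usr/local/sbin/localcheck localcheck 10.0.0.5 /usr/local/sbin/nrpe -c /usr/local/nagios/etc/nrpe.cfg -i
 *
 * The xinetd form needs no wrapper, because xinetd owns the listening socket:
 *   service nrpe
 *   {
 *       socket_type = stream
 *       protocol    = tcp
 *       wait        = no
 *       user        = nagios
 *       bind        = 10.0.0.5
 *       port        = 5666
 *       server      = /usr/local/sbin/nrpe
 *       server_args = -c /usr/local/nagios/etc/nrpe.cfg -i
 *   }
 */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Returns 1 if the local end of the connected socket fd is allowed_ip,
 * 0 if it is some other IPv4 address, -1 on error (bad address string,
 * fd not a connected IPv4 socket). */
int local_addr_matches(int fd, const char *allowed_ip)
{
    struct sockaddr_in local;
    socklen_t len = sizeof local;
    struct in_addr want;

    if (inet_pton(AF_INET, allowed_ip, &want) != 1)
        return -1;
    memset(&local, 0, sizeof local);
    if (getsockname(fd, (struct sockaddr *)&local, &len) != 0)
        return -1;
    if (local.sin_family != AF_INET)
        return -1;
    return local.sin_addr.s_addr == want.s_addr;
}

/* Test helper: builds a connected TCP pair over loopback. *server_fd plays
 * the role of the descriptor inetd hands the service on fd 0.
 * Returns 0 on success, -1 on failure. */
int make_loopback_pair(int *server_fd, int *client_fd)
{
    struct sockaddr_in addr;
    socklen_t len = sizeof addr;
    int lfd = socket(AF_INET, SOCK_STREAM, 0);
    if (lfd < 0)
        return -1;

    memset(&addr, 0, sizeof addr);
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    addr.sin_port = 0;                     /* kernel picks a free port */
    if (bind(lfd, (struct sockaddr *)&addr, sizeof addr) != 0 ||
        listen(lfd, 1) != 0 ||
        getsockname(lfd, (struct sockaddr *)&addr, &len) != 0) {
        close(lfd);
        return -1;
    }

    *client_fd = socket(AF_INET, SOCK_STREAM, 0);
    if (*client_fd < 0 ||
        connect(*client_fd, (struct sockaddr *)&addr, sizeof addr) != 0) {
        close(lfd);
        return -1;
    }
    *server_fd = accept(lfd, NULL, NULL);  /* the connection inetd would pass */
    close(lfd);                            /* listener no longer needed */
    return *server_fd < 0 ? -1 : 0;
}

int main(int argc, char **argv)
{
    if (argc < 3) {
        fprintf(stderr, "usage: %s ALLOWED_IP SERVER [ARGS...]\n", argv[0]);
        return 2;
    }
    /* Under inetd, fd 0 is the accepted client connection. */
    if (local_addr_matches(0, argv[1]) != 1)
        return 1;                          /* refuse silently, no banner */
    execv(argv[2], &argv[2]);
    perror("execv");
    return 1;
}
```

The check runs once per connection, which suits a service contacted every few minutes by one Nagios host; the client sees the connection closed with no data, the same as a filtered port. A packet filter in front of the port is still the stronger control, since the wrapper only refuses after the TCP handshake has completed.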
Ralph Grothe
Honored Contributor

Re: Restricting inetd started service to a specific bind address

Hello Lads,

thank you for your hints and explanations.

However, I think that I can live with (in this case) an nrpe service which binds to every IP address, because I found another way, by means of more clever Nagios configuration and use of plug-ins, to direct checks to either the cluster nodes or the cluster virtual hosts as required.

Madness, thy name is system administration
Ralph Grothe
Honored Contributor

Re: Restricting inetd started service to a specific bind address

Dennis,

neither do I receive media order forms for a set of OE 11.11 CDs/DVDs from HP's media shipping contractor in Galway, Ireland,
nor am I getting a form that would have check boxes for such a set on HP's website after I have logged in.
All I am provided with are ordering forms for either 11.11 Application Software sets (which according to CD_TABLE_OF_CONTENTS don't include any piece of the InternetExpress software),
or alternatively order forms for Base OE 11i Version 3 DVD sets.
This really sucks, because we only have 11.11 hosts running, for some of which we do have valid SW support contracts, but not a single 11i V2-V3.
Madness, thy name is system administration
Dennis Handly
Acclaimed Contributor

Re: Restricting inetd started service to a specific bind address

>... we do have valid SW support contracts

You probably need to contact the Response Center to help you interpret that web page as to where you can get InternetExpress.