History of the inetdconf module for Linuxconf

2.0     010331
	xinetd implemented
	- Accepts a configuration file in the xinetd format, either with all
	  services in one file (/etc/xinetd.conf) or, as it is done in
	  RedHat 7, with includedir (/etc/xinetd.d) and one file per
	  service.
	- The inetd dialog is extended to include
	  . Security: Interface, Only from, No access from, Access time,
	    intercept packets, require identification.
	  . Log
	      Default
	      Syslog: Facility,Level
	      File: Filename, Soft limit and hard limit
	  . On success info: Process id, remote host address,
	    remote host user id, server exit status, session duration
	  . On failure info: Remote host address, remote host user id,
	    failed attempts, record information
	  . Advanced: RPC service, Internal service, Unlisted service,
	    priority, reuse socket address, do not retry.

	- Some limitations:
	  . Default values are not handled at all (except enabled/disabled
	    which is located in this section).
	  . If /etc/xinetd.conf exists then /etc/inetd.conf is ignored.

	- Menu entry "Control service activity" enhanced. Protocol type is
	  shown when there are duplicate service names.

1.9     000504
	/etc/inetd.conf:
	- Now uses pkg_api on RedHat systems to show information about, and
	  control of, the packages that contain the servers.

1.8     000427
        /etc/inetd.conf:
        - Checks are now made that the server program exists when
          a service is activated. /usr/sbin is assumed to be the
          directory where daemons live when tcpd is used.

        - Two new command line options:
          . "linuxconf --modulemain inetdconf --server-path --check"
          . "linuxconf --modulemain inetdconf --server-path --check-update"
          These commands log any service whose server path is invalid.
          The latter also disables such services in /etc/inetd.conf.

        - New module apis:
          . server_path_check()
          . server_path_check_update()
          . enable_service( argc,service,enable )

        Firewall:
        - New tab window in internet firewall with the name
          "Basic information" containing things belonging to the
          internet interface.

        - New tab window in internet firewall with the name
          "Advanced" containing:
          . Deny icmp echo-request (ping) and redirect at
            input on internet interface (default deny).
          . Deny icmp time-exceeded (traceroute) at output
            on internet interface (default deny).

        - New module apis:
          . firewall_enable( argc,service )
          . firewall_disable()
          . firewall_edit()

1.7     000409
        Firewall:
        - Script and configuration are now placed in "/etc/heimdall". Their
          names are "firewall.sh" and "firewall.conf". The previous location
          "/usr/lib/linuxconf/lib" was not a good place for these.

        - SIGQUIT is now used to stop firewall daemon instead of SIGTERM. This
          signal will now be used when firewall is deactivated in dialog.
          Since version 1.6 SIGTERM no longer removes firewall rules.

        Inetdconf:

        - "nowait" was being replaced by "wait" in /etc/inetd.conf when
          updating this file. Fixed (update sent previously for Linuxconf
          version 1.17.r10).

1.6     000401
        - RFC1918 local net was not correctly computed. Fixed.
        - Daemon: SIGTERM: stops daemon without removing firewall.
          Intended for system shutdown. Conforms to sysv-scripts.
          SIGHUP: execution of script.
          SIGINT and SIGQUIT: execute firewall stop and exit.

1.5     000323
        Linuxconf: module inetdconf: Firewall

        - If daemon is activated the firewall config file is updated. The script
          is written in any case. The daemon start/stop is done as usual by
          Act/Changes.

        - Setting of the detail level for the daemon to log in the system
          log and the number of polls per second.

        - The script is generated to do masquerading/NAT only if the local
          network is using an address corresponding to RFC1918 (10.0.0.0/8,
          172.16.0.0/12 or 192.168.0.0/16).

        - Generation of the script is now done so that it should be possible
          to use on a Linux computer on a local network with access to the
          internet through a gateway.

        - The script creates two new chains, for input and output on the
          internet interface. This makes it possible to combine it with
          other firewalls (at least in principle).

        - The output chain ensures that only packets with source ip address
          equal to interface address are accepted.

        - The input chain denies icmp broadcasts, accepts allowed services
          and ports above 1023 and denies everything else.

        - Interfaces are now determined by reading /proc/net/dev instead of
          /proc/net/route (which can be both confusing and incorrect).

        - Interface sl0 is never accepted as the internet route. If diald is
          running the user is asked to bring up the link.

        - Command line interfaces:
          To enable/disable services in /etc/inetd.conf:

          linuxconf --modulemain inetdconf --enable [service ...]
          linuxconf --modulemain inetdconf --disable [service ...]

          To activate firewall daemon using reasonable default values:

          linuxconf --modulemain inetdconf --firewall --enable
          linuxconf --update

          To disable firewall (leaving forwarding in place):

          linuxconf --modulemain inetdconf --firewall --disable
          linuxconf --update
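
          The RFC1918 test described above decides whether the generated
          script does masquerading, and its computation was corrected in
          1.6. The C function below is an added example, not code from the
          Linuxconf module or firewalld; it assumes the local network is
          given as address/prefix and checks that the whole network, not
          only the address, lies inside one of the three private blocks.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The three private blocks listed in the 1.5 notes. */
struct block { uint32_t net; int prefix; };
static const struct block rfc1918[] = {
    { 0x0A000000u,  8 },   /* 10.0.0.0/8     */
    { 0xAC100000u, 12 },   /* 172.16.0.0/12  */
    { 0xC0A80000u, 16 },   /* 192.168.0.0/16 */
};

/* Host-order netmask for a prefix length 0..32. */
static uint32_t prefix_mask(int prefix)
{
    return prefix == 0 ? 0u : 0xFFFFFFFFu << (32 - prefix);
}

/* 1 when the whole network addr/prefix lies inside one RFC1918 block,
 * else 0.  Testing the network rather than the bare address is what makes
 * 172.16.0.0/12 private but 172.0.0.0/8 not: a wider network cannot fit. */
int net_is_rfc1918(uint32_t addr, int prefix)
{
    size_t i;
    if (prefix < 0 || prefix > 32) return 0;
    for (i = 0; i < sizeof rfc1918 / sizeof rfc1918[0]; i++) {
        if (prefix < rfc1918[i].prefix) continue;   /* too wide to fit */
        if ((addr & prefix_mask(rfc1918[i].prefix)) == rfc1918[i].net)
            return 1;
    }
    return 0;
}

/* Same check for CIDR text such as "192.168.1.0/24" (assumed input form;
 * the module itself reads address and mask from the interface). */
int cidr_is_rfc1918(const char *cidr)
{
    char ip[INET_ADDRSTRLEN];
    struct in_addr in;
    const char *slash = strchr(cidr, '/');
    int prefix;
    if (!slash || (size_t)(slash - cidr) >= sizeof ip) return 0;
    memcpy(ip, cidr, (size_t)(slash - cidr));
    ip[slash - cidr] = '\0';
    if (inet_pton(AF_INET, ip, &in) != 1) return 0;
    if (sscanf(slash + 1, "%d", &prefix) != 1) return 0;
    return net_is_rfc1918(ntohl(in.s_addr), prefix);
}
```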

        Firewall daemon

        - A new daemon program to execute the firewall script whenever an
          interface or ip address changes. The daemon approach was chosen as
          it solves the problem with changing interfaces and ip addresses
          with a dial up connection.

        - The daemon checks its configuration file and firewall script for
          changes. When a change is detected the file is parsed/executed again.
          So a restart should never be necessary. These files reside in
          /usr/lib/linuxconf/lib/. The name of the script has changed from
          earlier version and is now "firewall.sh". The config file is
          "firewall.conf".

        - The daemon has no logic to decide which interfaces are "interesting"
          from a firewall point of view. So at start up it will execute the
          firewall script for all interfaces one at a time. The firewall will
          be affected only when the internet interface parameter is supplied
          to the script.

        - The daemon parses its configuration file, which contains the name
          of the firewall script, the number of polls per second and the
          level of verbosity (three levels) to the system log (LOG_INFO).

        - Signals: Hangup: execution of the script. Interrupt, Quit and
          Terminate all make the daemon execute firewall stop (leaving
          forwarding active) and then exit.

        - Needed system resources are small. About 380K and 0.3% cpu utilization
          (on a 90 MHz Pentium) at 10 polls/second.

        - The daemon can be run standalone using any script.
          See: /usr/lib/linuxconf/lib/firewalld -h

        Daemon name

          I first decided to name the daemon to "heimdall" but then I
          reconsidered as I do not see it quite living up to such a powerful
          mythological name. Maybe I will change my mind later on. For now
          the daemon is named "firewalld". Not very imaginative I'm afraid.

          Anyway, here is a description of Heimdall:

          Heimdall (also spelled Heimdal or Heimdallr), in Norse mythology,
          one of the Aesir, watchman of the gods, guardian of the heavenly
          realm of Asgard, and ruler of holy places. He was the perfect god
          to act as sentinel, since he needed less sleep than a bird, and
          because his senses were very acute: he could see to a distance of
          a hundred leagues equally well by night or day; he could hear
          every sound, even the sound of grass growing upon the earth and
          wool growing on sheep.

1.4     000216
        - Internet input firewall. This firewall makes some
          assumptions and may not work for everyone. Basically it locates
          all processes listening on unconnected sockets. This list is
          presented with a clickable button to enable connections on
          the internet interface.
        - The firewall is activated through a script which can be started
          either as an rc script (complete with start, stop and status
          commands) or as an ip-up script for dynamic ip addresses.
        - The firewall assumes that any local network wants masquerading
          for access to the internet.
        - It also assumes free access to services on the local
          network (for now).
        - Editing of /etc/hosts.allow and /etc/hosts.deny through two
          new menu entries. Lists servers started by tcpd as only these
          are allowed.

1.3     000121
        - Check for already active identical service (re port & protocol) failed
          when editing was done from "Control Service Activity".
        - Some more input checks

1.2     000113
        - While editing existing entries, protocols are limited to what is
          found in /etc/services.
        - Port numbers are reported reliably. There is at least one service
          (echo) which can exist on more than one port.
        - API to Control Service Activity is enhanced. Now all services are
          reported directly. Editing can be done. Services are reported
          as "Enabled" or "Disabled". If enabled also reported as running
          "On demand".

1.1     000109
        - Dialog lists are now sorted by service name. Config file order is
          left intact.
        - Changed dialog for inetd.conf. Combo boxes used in a few more places:
          Fields user, group and path.
        - Added /usr/sbin/tcpd as Linuxconf command.
        - Allows two or more identical services as long as only one is active
          at a time.
        - Many more input checks
        - Added check of modification time so that another person's editing
          is discovered (in which case updating is aborted).
          Still ... as the parsing is based on line numbers, another
          person's editing may be lost if done at the same time.
        - Added api to menu entry "Control service activity". This is not
          finished. At the moment it is not possible to override an entry in
          this list. Having duplicate entries is not acceptable. Now inetdconf
          shows up as "inetdconf" and when selected normal editing is started.
        - Added enable/disable service as options. Syntax:
          "linuxconf --modulemain inetdconf --enable service [service ...]"
          "linuxconf --modulemain inetdconf --disable service [service ...]"
          These options write /etc/inetd.conf once for every service entered.
          Only one write should occur.
        - Changed the misnamed field text "Delay" to "Concurrent processes"
          for the "wait" and "nowait" concept.
        - Updated help files

1.0     991220
        - Basic editing of /etc/inetd.conf and /etc/services
        - Parsing is based on line number so all comments are preserved
        - Pure comment lines are separated from service lines by a minimum
          number of syntactically correct words.


Torbjörn Gard
tgard@netg.se
