#
# Internet server configuration database
#
# Define *both* IPv4 and IPv6 entries for dual-stack support.
# To disable a service, comment it out by prefixing the line with '#'.
# To enable a service, remove the '#' at the beginning of the line.
#
#ftp	stream	tcp	nowait	root	/usr/libexec/ftpd	ftpd -l
#ftp	stream	tcp6	nowait	root	/usr/libexec/ftpd	ftpd -l
#ssh	stream	tcp	nowait	root	/usr/sbin/sshd	sshd -i -4
#ssh	stream	tcp6	nowait	root	/usr/sbin/sshd	sshd -i -6
#telnet	stream	tcp	nowait	root	/usr/local/libexec/telnetd	telnetd
#telnet	stream	tcp6	nowait	root	/usr/local/libexec/telnetd	telnetd
#shell	stream	tcp	nowait	root	/usr/local/sbin/rshd	rshd
#shell	stream	tcp6	nowait	root	/usr/local/sbin/rshd	rshd
#login	stream	tcp	nowait	root	/usr/local/sbin/rlogind	rlogind
#login	stream	tcp6	nowait	root	/usr/local/sbin/rlogind	rlogind
#finger	stream	tcp	nowait/3/10	nobody	/usr/libexec/fingerd	fingerd -k -s
#finger	stream	tcp6	nowait/3/10	nobody	/usr/libexec/fingerd	fingerd -k -s
#
# run comsat as root to be able to print partial mailbox contents w/ biff,
# or use the safer tty:tty to just print that new mail has been received.
#comsat	dgram	udp	wait	tty:tty	/usr/libexec/comsat	comsat
#
# ntalk is required for the 'talk' utility to work correctly
#ntalk	dgram	udp	wait	tty:tty	/usr/libexec/ntalkd	ntalkd
#tftp	dgram	udp	wait	root	/usr/libexec/tftpd	tftpd -l -s /tftpboot
#tftp	dgram	udp6	wait	root	/usr/libexec/tftpd	tftpd -l -s /tftpboot
#bootps	dgram	udp	wait	root	/usr/libexec/bootpd	bootpd
#
# "Small servers" -- used to be standard on, but we're more conservative
# about things due to Internet security concerns.  Only turn on what you
# need.
#
#daytime	stream	tcp	nowait	root	internal
#daytime	stream	tcp6	nowait	root	internal
#daytime	dgram	udp	wait	root	internal
#daytime	dgram	udp6	wait	root	internal
#time	stream	tcp	nowait	root	internal
#time	stream	tcp6	nowait	root	internal
#time	dgram	udp	wait	root	internal
#time	dgram	udp6	wait	root	internal
#echo	stream	tcp	nowait	root	internal
#echo	stream	tcp6	nowait	root	internal
#echo	dgram	udp	wait	root	internal
#echo	dgram	udp6	wait	root	internal
#discard	stream	tcp	nowait	root	internal
#discard	stream	tcp6	nowait	root	internal
#discard	dgram	udp	wait	root	internal
#discard	dgram	udp6	wait	root	internal
#chargen	stream	tcp	nowait	root	internal
#chargen	stream	tcp6	nowait	root	internal
#chargen	dgram	udp	wait	root	internal
#chargen	dgram	udp6	wait	root	internal
#
# CVS servers - for master CVS repositories only!  You must set the
# --allow-root path correctly or you open a trivial to exploit but
# deadly security hole.
#
#cvspserver	stream	tcp	nowait	root	/usr/local/bin/cvs	cvs --allow-root=/your/cvsroot/here pserver
#cvspserver	stream	tcp	nowait	root	/usr/local/bin/cvs	cvs --allow-root=/your/cvsroot/here kserver
#
# RPC based services (you MUST have rpcbind running to use these)
#
#rstatd/1-3	dgram	rpc/udp	wait	root	/usr/libexec/rpc.rstatd	rpc.rstatd
#rusersd/1-2	dgram	rpc/udp	wait	root	/usr/libexec/rpc.rusersd	rpc.rusersd
#walld/1	dgram	rpc/udp	wait	root	/usr/libexec/rpc.rwalld	rpc.rwalld
#rquotad/1	dgram	rpc/udp	wait	root	/usr/libexec/rpc.rquotad	rpc.rquotad
#rquotad/1	dgram	rpc/udp6	wait	root	/usr/libexec/rpc.rquotad	rpc.rquotad
#sprayd/1	dgram	rpc/udp	wait	root	/usr/libexec/rpc.sprayd	rpc.sprayd
#
# example entry for the optional imap4 server
#
#imap4	stream	tcp	nowait	root	/usr/local/libexec/imapd	imapd
#
# example entry for the optional nntp server
#
#nntp	stream	tcp	nowait	news	/usr/local/libexec/nntpd	nntpd
#
# example entry for the optional uucpd server
#
#uucpd	stream	tcp	nowait	root	/usr/local/libexec/uucpd	uucpd
#
# Return error for all "ident" requests
#
#auth	stream	tcp	nowait	root	internal
#auth	stream	tcp6	nowait	root	internal
#
# Provide internally a real "ident" service which provides ~/.fakeid support,
# provides ~/.noident support, reports UNKNOWN as the operating system type
# and times out after 30 seconds.
#
#auth	stream	tcp	nowait	root	internal	auth -r -f -n -o UNKNOWN -t 30
#auth	stream	tcp6	nowait	root	internal	auth -r -f -n -o UNKNOWN -t 30
#
# Example entry for an external ident server
#
#auth	stream	tcp	wait	root	/usr/local/sbin/identd	identd -w -t120
#
# Example entry for the optional qmail MTA
#  NOTE: This is no longer the correct way to handle incoming SMTP
#        connections for qmail.  Use tcpserver (http://cr.yp.to/ucspi-tcp.html)
#        instead.
#
#smtp	stream	tcp	nowait	qmaild	/var/qmail/bin/tcp-env	tcp-env /var/qmail/bin/qmail-smtpd
#
# Example entry for Samba sharing for the SMB protocol
#
# Enable the first two entries to enable Samba startup from inetd (according to
# the Samba documentation).  Enable the third entry only if you have other
# NetBIOS daemons listening on your network.  Enable the fourth entry to use
# the swat Samba configuration tool.
#netbios-ssn	stream	tcp	nowait	root	/usr/local/sbin/smbd	smbd
#microsoft-ds	stream	tcp	nowait	root	/usr/local/sbin/smbd	smbd
#netbios-ns	dgram	udp	wait	root	/usr/local/sbin/nmbd	nmbd
#swat	stream	tcp	nowait/400	root	/usr/local/sbin/swat	swat
#
# Example entry for the Prometheus sysctl metrics exporter
#
#prom-sysctl	stream	tcp	nowait	nobody	/usr/sbin/prometheus_sysctl_exporter	prometheus_sysctl_exporter -dgh
#
# Example entry for the CTL exporter
#prom-ctl	stream	tcp	nowait	root	/usr/bin/ctlstat	ctlstat -P
#
# Example entry for insecure rsync server
# This is best combined with encrypted virtual tunnel interfaces, which can be
# found with: apropos if_ | grep tunnel
#rsync	stream	tcp	nowait	root	/usr/local/bin/rsyncd	rsyncd --daemon
#
# Let the system respond to date requests via tcpmux
#tcpmux/+date	stream	tcp	nowait	guest	/bin/date	date
#
# Let people access the system phonebook via tcpmux
#tcpmux/phonebook	stream	tcp	nowait	guest	/usr/local/bin/phonebook	phonebook
#
# Make kernel statistics accessible
#rstatd/1-3	dgram	rpc/udp	wait	root	/usr/libexec/rpc.rstatd	rpc.rstatd
#
# Use netcat as a one-shot HTTP proxy with nc (from freebsd-tips fortune)
#http	stream	tcp	nowait	nobody	/usr/bin/nc	nc -N dest-ip 80
#
# Set up a unix socket at /var/run/echo that echoes back whatever is written to it.
#/var/run/echo	stream	unix	nowait	root	internal
#
# Run chargen for IPsec Authentication Headers
#@ ipsec ah/require
#chargen	stream	tcp	nowait	root	internal
#@