Additional Resources - Red Hat ENTERPRISE LINUX 3 Reference Manual

Chapter 16. TCP Wrappers and xinetd

But the advantages of the bind and redirect options are most clearly evident when they are used together. By binding a service to a particular IP address on a system and then redirecting requests for this service to a second machine that only the first machine can see, an internal system can be used to provide services for a totally different network. Alternatively, these options can be used to limit the exposure of a particular service on a multi-homed machine to a known IP address, as well as redirect any requests for that service to another machine specially configured for that purpose.

For example, consider a system that is used as a firewall with this setting for its Telnet service:

    service telnet
    {
        socket_type     = stream
        wait            = no
        server          = /usr/sbin/in.telnetd
        log_on_success  += DURATION USERID
        log_on_failure  += USERID
        bind            = 123.123.123.123
        redirect        = 10.0.1.13 23
    }

The bind and redirect options in this file ensure that the Telnet service on the machine is bound to the external IP address (123.123.123.123), the one facing the Internet. In addition, any requests for Telnet service sent to 123.123.123.123 are redirected via a second network adapter to an internal IP address (10.0.1.13) that only the firewall and internal systems can access. The firewall then relays the communication between the two systems, and the connecting system thinks it is connected to 123.123.123.123 when it is actually connected to a different machine.

This feature is particularly useful for users with broadband connections and only one fixed IP address. When using Network Address Translation (NAT), the systems behind the gateway machine, which are using internal-only IP addresses, are not available from outside the gateway system. However, when certain services controlled by xinetd are configured with the bind and redirect options, the gateway machine can act as a proxy between outside systems and a particular internal machine configured to provide the service. In addition, the various xinetd access control and logging options are also available for additional protection.

16.4.3.4. Resource Management Options

The xinetd daemon can add a basic level of protection from Denial of Service (DoS) attacks. Below is a list of directives which can aid in limiting the effectiveness of such attacks:

per_source — Defines the maximum number of instances for a service per source IP address. It accepts only integers as an argument and can be used in both xinetd.conf and in the service-specific configuration files in the xinetd.d/ directory.

cps — Defines the maximum number of connections per second. This directive takes two integer arguments separated by white space. The first is the maximum number of connections allowed to the service per second. The second is the number of seconds xinetd must wait before re-enabling the service. It accepts only integers as arguments and can be used in both xinetd.conf and in the service-specific configuration files in the xinetd.d/ directory.

max_load — Defines the CPU usage threshold for a service. It accepts a floating point number as an argument.

There are more resource management options available for xinetd. Refer to the chapter titled Server Security in the Red Hat Enterprise Linux Security Guide for more information. Also consult the xinetd.conf man page.
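As an added example (not code from the Red Hat manual), the following Python audit parses service blocks in the xinetd format shown above and flags an externally bound, redirected service that lacks the per_source, cps and max_load limits this section describes. The configuration text and the second service, telnet-limited, are constructed for illustration.

```python
import re

# Constructed sample: the manual's telnet block, then a trimmed copy that adds
# the per_source, cps and max_load limits the section recommends against DoS.
SAMPLE_CONF = """service telnet
{
    socket_type    = stream
    wait           = no
    server         = /usr/sbin/in.telnetd
    log_on_success += DURATION USERID
    log_on_failure += USERID
    bind           = 123.123.123.123
    redirect       = 10.0.1.13 23
}
service telnet-limited
{
    bind        = 123.123.123.123
    redirect    = 10.0.1.13 23
    per_source  = 10
    cps         = 25 30
    max_load    = 2.5
}"""

BLOCK_RE = re.compile(r"service\s+(\S+)\s*\{(.*?)\}", re.S)
LINE_RE = re.compile(r"^\s*(\w+)\s*(\+?=)\s*(.*?)\s*$", re.M)

def parse_xinetd(text):
    """Return {service: {directive: value}}; '+=' appends to a value set earlier in the block."""
    services = {}
    for name, body in BLOCK_RE.findall(text):
        attrs = services.setdefault(name, {})
        for key, op, val in LINE_RE.findall(body):
            attrs[key] = f"{attrs[key]} {val}" if op == "+=" and key in attrs else val
    return services

def audit_service(attrs):
    """Findings for one service: the section's three DoS limits should be present
    and well-formed, and a redirected service should also be bound to one address."""
    findings = [f"missing {d}" for d in ("per_source", "cps", "max_load") if d not in attrs]
    if "redirect" in attrs and "bind" not in attrs:
        findings.append("redirect without bind: proxies on every local address")
    cps = attrs.get("cps", "").split()
    if cps and not (len(cps) == 2 and all(p.isdigit() for p in cps)):
        findings.append("cps takes two integers: connections/second and re-enable seconds")
    if not re.fullmatch(r"\d+(\.\d+)?", attrs.get("max_load", "0")):
        findings.append("max_load takes a floating point number")
    return findings
```

Running audit_service over each block of parse_xinetd(SAMPLE_CONF) reports the three missing limits for the manual's telnet service and nothing for telnet-limited.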