2 Understanding the Genesis Preferences

2.5 Database

This section describes the more "advanced" areas of Genesis. Most Internet dialup users (ie. those simply using Genesis to connect to their Internet Service Provider) will barely need to worry about this section.

The databases are uses to add programs that require Genesis, add/remove access from remote users, setup servers on your network etc.

2.51 Groups

The db/group is the group database for the AmiTCP/IP system. Each line in this file defines a group. Groups are really only required for external programs such as NFS.

• Name: Each group is known with a unique group name. A group name should not be longer than 8 7-bit ASCII characters (for compatibility reasons). For example, `users' would be a good group name.

• ID: The numerical identifier of the group. The ID should be a decimal number on the range 0 -- 32767. Negative group IDs are used for special purposes. A group ID must be unique, i.e. two distinct groups should not have the same group ID.

• Members The list contains comma separated login names of the group members. User may be a group member even if his login name is not in this list, if the group ID in question is provided by the group ID field in the db/passwd.

2.52 Hosts

The hosts sections contains the host name to IP address mapping table. The host names cannot be used by the TCP/IP protocols directly, but they must be mapped to IP addresses before they can be used.

• IP-Addr: The IP address of the entry given in the internet dot notation.

• Name:  The full name of the host in question, i.e. the name of the host including the domain part.

• Aliases: Additional names for the host. Note that the host name as such, without the domain part is automatically recognised as a host alias by AmiTCP/IP, so you do not need to provide it as an explicit alias.

2.53 Protocols

The protocols section contains the protocol name to protocol number mapping table. This allows users to refer to protocols using symbolic names instead of numbers.

• Name  - official protocol name.

• ID:  - official protocol number.

• Aliases:  - Additional names for the protocol.

The official protocol names and numbers are described in the "Assigned Numbers" RFC. For example,

tcp 6 TCP transmission control protocol

2.54 Services

The services section contains the service and protocol name to port number mapping table. This allows users to refer to services using symbolic names instead of port numbers.

• Name:  - the symbolic name for the service.

• Port:  - the port number assigned to the service.

• Protocol Name:  - the protocol for which this entry is. Currently the value should be either `tcp' or `udp'.

• Aliases:  - additional names for the service.

The services for port numbers 0 through 255 are assigned in the "Assigned Numbers" RFC.

For example,

shell 514 tcp remote login service

2.55 Access

Genesis implements an access control feature similar to `tcpd' inside the protocol stack. This means connection doesn't even get established if the connection is to be denied, remote end just gets the usual `connection refused' error message.

When connection request arrives, the access entry list is searched through sequentially line by line until a match is found. Access entry lines looks like the following...

[service] [host/mask] [access] [log]

It is first checked whether the port where connection is made matches the port given . Service can be given as a port number, already parsed netdb service entry, or `*', `@', or `$', meaning that check host for every destination port, every privileged destination port, or every service port, respectively.

Now, if port matched the source host internet address is compared with the host value given in current access entry. Mask can be used to ignore some bits when comparing, for example whole subnet can be checked with only one entry in access control list. The host value may also contain that mask information by having `*' in place of some number in host value given in internet not notation format (see the examples).

A special hostname `$' matches to all hosts, except it does not allow source routing. Source routing is disallowed also if connection matches to an entry with a specified host.

If host matched, The next thing to do is to see whether connection is to be accepted or not. if says `allow' connection is to be established, if `deny' connection request is dropped.

If LOG is written last in the access entry list, Info whether connection was accepted or denied, with corresponding remote host and destination port is written to the syslog.

Service	Host[/Mask]	Access	Log
finger	127.1	allow	LOG
*	130.233.*.*	allow
nntp	130.233.0/255.252.0.0	allow	LOG
$	*.*.*.*	deny	LOG
*	$	allow	LOG

The list tells that finger queries from local host is to be logged. (2) All connections from hosts whose addresses start with 130.233 are to be allowed and (3) hosts in a bit wider set of class b -networks can access nntpd server of this host. and these connections will be logged. Next line tells that connections to any incoming server ports are to be disallowed and the last one will then allow the rest ports without source routing and this activity will be logged. Without this line these connections would be accepted silently, since that would be the default operation if no matches were found.

The last 2 lines in that example are quite useful. It does permit ftp to work since it binds a data transfer socket greater than 1023, but it disallows unwanted hosts to access normal features effectively. Also nonstandard services, such as netfs and irc are access controlled in this access control list.

2.56 Inetd

Inetd is the configuration section used by the built in inetd. Entries within this file can consist of many lines. Inetd must consist of one entry for each server to be able to start. Each entry has following format:

• Service:  - this is the name of a valid service in the services database. For `internal' services (explained below), the service name must be the official name of the service.

• User: The login name of the user as whom the server should run. This field is for Unix and future compatibility only.

• Server:  - the pathname of the program which is to be executed by inetd when a request is found on its socket. If the server program is resident, the path part of the name should be suppressed. If the server is naive (i.e. using DOS file), this entry should contain the shell name or, if default user shell is to be used. If inetd provides this service internally, this entry should read 'internal'.

• Args:  - command line arguments to the server program.

• Enabled:  - enable or disable listed entry.

• Protocol:  - the name of the protocol to be used. This must be either tcp or udp.

• Socket:  - the socket type should be either stream or dgram, depending on whether the socket is a stream (ie. TCP) or datagram (ie. UDP) socket.

• Options:  - this entry is a compound set of parameters, and specifies the type of server, its priority, stack size and other parameters. The available parameters are as follows:
  • WAIT  - if the server processes all incoming connections or datagrams on a socket and eventually times out, the server is said to be `single-threaded' and should use the WAIT entry. Comsat and talkd are both examples of the this type of datagram servers.

  • NOWAIT  - if a datagram server connects to its peer, freeing the socket so inetd can receive further messages on the socket, it is said to be a `multi-threaded' server, and should use the NOWAIT entry. If a stream server handles only one connection, which is accepted by the inetd, it should also use the NOWAIT entry.

  • DOS  - if the server uses the DOS IO to handle the connection, it is called a `naive' server, and it should use the DOS entry. If the server is naive, inetd maps a DOS filehandle to the incoming connection via the TCP: handler AmiTCP:l/inet-handler.

Genesis re-reads an updated inetd database when new services are added, deleted or modified.

Inetd examples:

telnet stream tcp dos bin - echo The telnet service is not installed

ftp stream tcp nowait root AmiTCP:serv/ftpd ftpd -l -x

The first entry would respond to telnet service (which is only available for TCP, which is the only stream protocol) by launching the DOS program echo with arguments "The telnet service is not installed". This causes the string "The telnet service is not installed" to be printed on the telnet client console, if anyone would try to telnet to your machine.

The second entry is the entry for the FTP server provided with Genesis.

2.57 Networks

The networks database contains the network name to IP network number mapping table. The network names and the corresponding IP network numbers are rarely used, so this file normally contains only the entry for the `loopback' network (whose official network number is 127).

• Name:  - the official network name.

• ID:  - the network number in the internet dot notation, e.g. 192.0.2 would be a valid number.

• Aliases  - additional names for the network.

Go to the previous, next, chapter, table of contents.