Updated: 2021/Apr/14

INETD(8)                    System Manager's Manual                   INETD(8)

     inetd, inetd.conf - internet "super-server"

     inetd [-d] [-l] [configuration file]

     inetd should be run at boot time by /etc/rc (see rc(8)).  It then opens
     sockets according to its configuration and listens for connections.  When
     a connection is found on one of its sockets, it decides what service the
     socket corresponds to, and invokes a program to service the request.
     After the program is finished, it continues to listen on the socket
     (except in some cases which will be described below).  Essentially, inetd
     allows running one daemon to invoke several others, reducing load on the

     The options available for inetd:

     -d      Turns on debugging.

     -l      Turns on libwrap connection logging.

     Upon execution, inetd reads its configuration information from a
     configuration file which, by default, is /etc/inetd.conf.  The path given
     for this configuration file must be absolute, unless the -d option is
     also given on the command line.  There must be an entry for each field of
     the configuration file, with entries for each field separated by a tab or
     a space.  Comments are denoted by a ``#'' at the beginning of a line.
     There must be an entry for each field (except for one special case,
     described below).  The fields of the configuration file are as follows:

           server program arguments

     The listen-addr specifies the local address inetd should use when
     listening.  The single character "*" means INADDR_ANY: all local
     addresses.  To avoid the need to repeat listen addresses over and over
     again, listen addresses are inherited from line to line, and the listen
     address can be changed without defining a service by including a line
     containing just a listen-addr followed by a colon.  The default
     (compatible with historical configuration files) is *.  To return to this
     behavior after configuring some services with specific listen addresses,
     give * explicitly.

     Note that restricted listen addresses are meaningless and ignored for
     UNIX-domain services, and are not supported for Sun-RPC services.  All
     Sun-RPC services always listen on all interfaces.

     The form of the service-spec varies with the service type.  For Internet
     services, the service-spec can be either the name of a service from
     /etc/services or a decimal port number.  For "internal" services
     (discussed below), the service name must be the official name of the
     service (that is, the first entry in /etc/services) and not an alias for

     For Sun-RPC based services, the service-spec has the form
     service-name/version.  The service name must be a valid RPC service name
     from the file /etc/rpc.  The version on the right of the "/" is the RPC
     version number.  This can simply be a single numeric argument or a range
     of versions.  A range is bounded by the low version to the high version -
     e.g.  "rusers/1-3".

     For UNIX-domain (local) services, the service-spec is the path name to
     listen on.

     The socket-type should be one of "stream", "dgram", "raw", "rdm", or
     "seqpacket", depending on whether the socket is a stream, datagram, raw,
     reliably delivered message, or sequenced packet socket.

     Optionally, for Internet services, an accept filter (see
     accept_filter(9)) can be specified by appending a colon to socket-type,
     followed by the name of the desired accept filter.  In this case inetd
     will not see new connections for the specified service until the accept
     filter decides they are ready to be handled.

     The protocol must be a valid protocol as given in /etc/protocols or (for
     UNIX-domain services) the string "unix".  The most common are "tcp" and
     "udp".  For TCP and UDP, the IP version (4 or 6) may be specified
     explicitly by appending 4 or 6 to the protocol name.  Otherwise the
     default version (IPv4) is used.  For Sun-RPC the string "rpc" and a slash
     should be prepended: "rpc/tcp" or "rpc/udp".  If you would like to enable
     special support for faithd(8), prepend the string "faith" and a slash:

     In addition to the protocol, the configuration file may specify the send
     and receive socket buffer sizes for the listening socket.  This is
     especially useful for TCP: the window scale factor, which is based on the
     receive socket buffer size, is advertised when the connection handshake
     occurs and thus the socket buffer size must be set on the listen socket.
     By increasing the socket buffer sizes, better TCP performance may be
     realized in some situations.  The socket buffer sizes are specified by
     appending their values to the protocol specification as follows:


     A literal value may be specified, or modified using `k' to indicate
     kilobytes or `m' to indicate megabytes.  Socket buffer sizes may be
     specified for all services and protocols except for tcpmux services.

     The wait/nowait entry is used to tell inetd if it should wait for the
     server program to return, or continue processing connections on the
     socket.  If a datagram server connects to its peer, freeing the socket so
     inetd can receive further messages on the socket, it is said to be a
     "multi-threaded" server, and should use the "nowait" entry.  For datagram
     servers which process all incoming datagrams on a socket and eventually
     time out, the server is said to be "single-threaded" and should use a
     "wait" entry.  comsat(8) (biff(1)) and ntalkd(8) are both examples of the
     latter type of datagram server.  tftpd(8) is an exception; it is a
     datagram server that establishes pseudo-connections.  It must be listed
     as "wait" in order to avoid a race; the server reads the first packet,
     creates a new socket, and then forks and exits to allow inetd to check
     for new service requests to spawn new servers.  The optional "max" suffix
     (separated from "wait" or "nowait" by a dot or a colon) specifies the
     maximum number of server instances that may be spawned from inetd within
     an interval of 60 seconds.  When omitted, "max" defaults to 40.  If it
     reaches this maximum spawn rate, inetd will log the problem (via the
     syslogger using the LOG_DAEMON facility and LOG_ERR level) and stop
     handling the specific service for ten minutes.

     Stream servers are usually marked as "nowait" but if a single server
     process is to handle multiple connections, it may be marked as "wait".
     The master socket will then be passed as fd 0 to the server, which will
     then need to accept the incoming connection.  The server should
     eventually time out and exit when no more connections are active.  inetd
     will continue to listen on the master socket for connections, so the
     server should not close it when it exits.  identd(8) is usually the only
     stream server marked as wait.

     The user entry should contain the user name of the user as whom the
     server should run.  This allows for servers to be given less permission
     than root.  Optionally, a group can be specified by appending a colon to
     the user name, followed by the group name (it is possible to use a dot
     (``.'') in lieu of a colon, however this feature is provided only for
     backward compatibility).  This allows for servers to run with a different
     (primary) group id than specified in the password file.  If a group is
     specified and user is not root, the supplementary groups associated with
     that user will still be set.

     The server-program entry should contain the pathname of the program which
     is to be executed by inetd when a request is found on its socket.  If
     inetd provides this service internally, this entry should be "internal".

     The server program arguments should be just as arguments normally are,
     starting with argv[0], which is the name of the program.  If the service
     is provided internally, the word "internal" should take the place of this
     entry.  It is possible to quote an argument using either single or double
     quotes.  This allows you to have, e.g., spaces in paths and parameters.

   Internal Services
     inetd provides several "trivial" services internally by use of routines
     within itself.  These services are "echo", "discard", "chargen"
     (character generator), "daytime" (human readable time), and "time"
     (machine readable time, in the form of the number of seconds since
     midnight, January 1, 1900 GMT).  For details of these services, consult
     the appropriate RFC.

     TCP services without official port numbers can be handled with the
     RFC1078-based tcpmux internal service.  TCPmux listens on port 1 for
     requests.  When a connection is made from a foreign host, the service
     name requested is passed to TCPmux, which performs a lookup in the
     service name table provided by /etc/inetd.conf and returns the proper
     entry for the service.  TCPmux returns a negative reply if the service
     doesn't exist, otherwise the invoked server is expected to return the
     positive reply if the service type in /etc/inetd.conf file has the prefix
     "tcpmux/".  If the service type has the prefix "tcpmux/+", TCPmux will
     return the positive reply for the process; this is for compatibility with
     older server code, and also allows you to invoke programs that use
     stdin/stdout without putting any special server code in them.  Services
     that use TCPmux are "nowait" because they do not have a well-known port
     number and hence cannot listen for new requests.

     inetd rereads its configuration file when it receives a hangup signal,
     SIGHUP.  Services may be added, deleted or modified when the
     configuration file is reread.  inetd creates a file /var/run/inetd.pid
     that contains its process identifier.

     Support for TCP wrappers is included with inetd to provide internal tcpd-
     like access control functionality.  An external tcpd program is not
     needed.  You do not need to change the /etc/inetd.conf server-program
     entry to enable this capability.  inetd uses /etc/hosts.allow and
     /etc/hosts.deny for access control facility configurations, as described
     in hosts_access(5).

     Nota Bene: TCP wrappers do not affect/restrict UDP or internal services.

     The implementation includes a tiny hack to support IPsec policy settings
     for each socket.  A special form of the comment line, starting with "#@",
     is used as a policy specifier.  The content of the above comment line
     will be treated as a IPsec policy string, as described in
     ipsec_set_policy(3).  Multiple IPsec policy strings may be specified by
     using a semicolon as a separator.  If conflicting policy strings are
     found in a single line, the last string will take effect.  A #@ line
     affects all of the following lines in /etc/inetd.conf, so you may want to
     reset the IPsec policy by using a comment line containing only #@ (with
     no policy string).

     If an invalid IPsec policy string appears in /etc/inetd.conf, inetd logs
     an error message using syslog(3) and terminates itself.

   IPv6 TCP/UDP behavior
     If you wish to run a server for both IPv4 and IPv6 traffic, you will need
     to run two separate processes for the same server program, specified as
     two separate lines in /etc/inetd.conf using "tcp4" and "tcp6"
     respectively.  Plain "tcp" means TCP on top of the current default IP
     version, which is, at this moment, IPv4.

     Under various combination of IPv4/v6 daemon settings, inetd will behave
     as follows:
        If you have only one server on "tcp4", IPv4 traffic will be routed to
         the server.  IPv6 traffic will not be accepted.
        If you have two servers on "tcp4" and "tcp6", IPv4 traffic will be
         routed to the server on "tcp4", and IPv6 traffic will go to server on
        If you have only one server on "tcp6", only IPv6 traffic will be
         routed to the server.  The kernel may route to the server IPv4
         traffic as well, under certain configuration.  See ip6(4) for

     /etc/inetd.conf   configuration file for all inetd provided services
     /etc/services     service name to protocol and port number mappings.
     /etc/protocols    protocol name to protocol number mappings
     /etc/rpc          Sun-RPC service name to service number mappings.
     /etc/hosts.allow  explicit remote host access list.
     /etc/hosts.deny   explicit remote host denial of service list.

     hosts_access(5), hosts_options(5), protocols(5), rpc(5), services(5),
     comsat(8), fingerd(8), ftpd(8), rexecd(8), rlogind(8), rshd(8),
     telnetd(8), tftpd(8)

     J. Postel, Echo Protocol, RFC, 862, May 1983.

     J. Postel, Discard Protocol, RFC, 863, May 1983.

     J. Postel, Character Generator Protocol, RFC, 864, May 1983.

     J. Postel, Daytime Protocol, RFC, 867, May 1983.

     J. Postel and K. Harrenstien, Time Protocol, RFC, 868, May 1983.

     M. Lottor, TCP port service Multiplexer (TCPMUX), RFC, 1078, November

     The inetd command appeared in 4.3BSD.  Support for Sun-RPC based services
     is modeled after that provided by SunOS 4.1.  Support for specifying the
     socket buffer sizes was added in NetBSD 1.4.  In November 1996, libwrap
     support was added to provide internal tcpd-like access control
     functionality; libwrap is based on Wietse Venema's tcp_wrappers.  IPv6
     support and IPsec hack was made by KAME project, in 1999.

     Host address specifiers, while they make conceptual sense for RPC
     services, do not work entirely correctly.  This is largely because the
     portmapper interface does not provide a way to register different ports
     for the same service on different local addresses.  Provided you never
     have more than one entry for a given RPC service, everything should work
     correctly (Note that default host address specifiers do apply to RPC
     lines with no explicit specifier.)

     "tcpmux" on IPv6 is not tested enough.

     Enabling the "echo", "discard", and "chargen" built-in trivial services
     is not recommended because remote users may abuse these to cause a denial
     of network service to or from the local host.

NetBSD 9.99                      July 19, 2017                     NetBSD 9.99