
  Jnetd needs to be invoked with the name of a configuration file, for
instance :

 			     jnetd /etc/jnetd.cf 
			     
  If you want to use it as an inetd suite replacement, don't forget to kill
your inetd server first, using a simple kill command. But both programs can
cohabit if they don't bind the same services.
  BTW jnetd needs to be launched as the root user in order to serve ports
below 1024.

  Peek at the samples directory to find a model of configuration file.
  
  Each service is encapsulated into blocks delimited by braces. A block
means a context and blocks can be imbricated, as a sub-block herits from the
parent values as a default context. See :

{
  DENY *.epita.fr
  {
    {
      RUN /bin/ls
      {
        SERVICE ls1
        DESCRIPTION "First LS service"
      }
      { 
        SERVICE ls2
        DESCRIPTION "Second LS service"
	DENY *.epi.net
      }
    }
  }
  {
    SERVICE info=9999
    DESCRIPTION Informations
    BUILTIN INFO
  }
}

  This will create three services. As all of them are in sub-blocks of the
fist one whose content is "DENY *.epita.fr", they all will refuse connections
from that network by default.
  Info, port 9999, will invoke a builtin, while ls1 and ls2 ports will
launch the same "ls" command, but they will be logged as different service
names. ls2 DENY command will override the parent's one and the filter mask
will only be *.epi.net . *.epita.fr will pass through.

  Keywords are case-independant. Line breaks are not necessary :
  
	 { SERVICE info=9999 DESCRIPTION Informations BUILTIN INFO }
	 
  have the same effect than the previous presentation.

  Comments begin with a "#".

  Strings with spaces must be prefixed and suffixed by double-quotes :
  
		      DESCRIPTION Informations for G2S
  
  is *NOT* valid : the unique parameter to the DESCRIPTION keyword is the
single word "Informations". "FOR" and "G2S" are treated as unknown keywords
and the presentation style of the configuration file is free.

		     DESCRIPTION "Informations for G2S"
		     
  is the right thing.		     

  Tokens have no special order in a block.
  
  Sizes can be suffixed by K (kilobytes), M (megabytes) or G (gigabytes) .
  For instance, 10M means 10 Megabytes.

  Here we go for the available keywords :
  
* DESCRIPTION <string> : 

       One-line description for a service. The purpose is just to have
clearer names in your log files. Without any description, either the port
name or the port number will be used.

       Examples :
       
			  DESCRIPTION Irc
			  DESCRIPTION "Private FTP"



* ENV <variable> <value> :               [YET=unimplemented]

       Add a variable to the environnement the server will be run in.
       Use two double-quotes if you don't want it to have a content.
       
       Example :

			ENV DISPLAY stdc.g2s.com:0.0



* HOST <host> :

       Binds only one IP address, in order to create virtual hosts or help
your local firewall. Default is to bind all IP addresses and network
interfaces.

       Example :
       
{
  SERVICE ftp
  { HOST ftp1.g2s.com RUN /usr/sbin/in.normal.ftpd }
  { HOST ftp2.g2s.com RUN /usr/sbin/in.private.ftpd ALLOW *.customers.g2s.com }
}

       So that ftp1 and ftp2 can be hosted on the same machine, but have
different IP addresses.



* SERVICE <name>
  SERVICE <port>
  SERVICE <name=port>
  
       *NEEDED* for all services : specify which port will handle the
requests. <name> will be looked in the services database (/etc/services or
whatever) . In case of failure, the fixed <port> number will be used instead.

       Examples :
       
	     SERVICE ftp
             SERVICE 119
             SERVICE telnet=23
             SERVICE service_not_referenced_in_etc_services=1234



* CORELIMIT <bytes>

       Limit core dumps to <bytes> . Unless you are planning to debug core
files, a good idea would be to use 0 as a default value to avoid these big
and nasty files for non-programmers.

       Example :
       
				 CORELIMIT 0
				 


* PROTO <protocol>

       Protocol used for the service : tcp, udp, raw, ...
       Default is tcp.
       
       Example :
       
				  PROTO udp
				  


* ENDPOINT <endpoint>

       Type of connection : stream, dgram, rdm, seqpacket, raw or tli.
       Default is stream unless a protocol is specifed. In this case, a
default endpoint is selected, for instance "PROTO udp" implicitely implies
datagrams while "PROTO tcp" means a stream-oriented connection.

       Example :
       
				ENDPOINT dgram
				


* WAIT <flag>                            [YET=implicit only]

       Toggle how a server application will be kept running :
single-threaded or multi-threaded. It is especially useful for non-streamed
connections.

       - If <flag> is set to 0, the first packet will spawn the application,
socket descriptors copied to standard inputs/outputs and the called program
will be in charge to handle properly the following packets.

       - If <flags> is set to 1, packets will be forwarded to the
application that will eventually times out.

       Using a stream-oriented protocol like tcp implicitely uses a
multi-threaded mechanism, while datagram-oritented protocols means a
single-threaded handling by default.

       Example :

				   WAIT 1




* SESSION_TIMELIMIT <seconds>

       Set a maximum human-time limit for a session on a service.
       
       Example :
       
			    SESSION_TIMELIMIT 900
			    
			    
			    
* SESSION_CPUPLIMIT <percentage>         [YET=unimplemented]

       Set a maximum % of the CPU time waste for a session.
       
       Example :
       
			    SESSION_CPUPLIMIT 17%


			  
			  
* SESSION_CPULIMIT <seconds>

       Set the maximum of machine time the CPU can allow to the application.
       
       Example :

			     SESSION_CPULIMIT 10


* SESSION_FILELIMIT <bytes>

       Set the maximum file size the spawned application may be able to
create.

       Example :
       
			  SESSION_FILELIMIT 10M
			  
			  
			  
* SESSION_DATALIMIT <bytes>

       Set the maximum data the application can store in memory.
       
       Example :
       
			  SESSION_DATALIMIT 8M
			  
			  
			  
* SESSION_VMEMLIMIT <bytes>              [YET=unimplemented]

       Set the maximum virtual memory the session can bite.
       
       Example :
       
			  SESSION_VMEMLIMIT 16M
			  
			  
			  
* SESSION_STACKLIMIT <bytes>

       Limit the stack usage.
       
       Example :
       
			  SESSION_STACKLIMIT 4M
			  
			  
			  
* SESSION_FDLIMIT <number>

       Restrict the number of file descriptors the spawned application will
be able to handle.

       Example :
       
			     SESSION_FDLIMIT 100
			     
			     
			     
* SERVICE_CPUPLIMIT <percentage>         [YET=unimplemented]

       Fix a maximum percentage of eatable CPU time for all simultanous
connections to a service. Older and inactive connections will be dropped
first.

       Example :
       
			    SERVICE_CPUPLIMIT 64%
			     
			     


* SERVICE_CPULIMIT <seconds>             [YET=unimplemented]

       Fix a high border to the CPU time allowed to all simultanous
connections to a service. Older and inactive connections will be dropped
first.

       Example :
       
			     SERVICE_CPULIMIT 120
			     
			     
			     
* SERVICE_NBLIMIT <number>

       Restrict the number of simultanous connections to a service. If that
number is reached, no new connection will be accepted until someone hangs up.

       Example :
       
			     SERVICE_NBLIMIT 40
			     
			     
			     
* CNX_TIMEOUT <seconds>                  [YET=unimplemented]

       Time out, as the default system times may be too low for very slow
links.

       Example :
       
			       CNX_TIMEOUT 120
			       
			       
			       			       
* ABUSE_DETECT_TIME <seconds>            [YET=unimplemented]

       See below. Default is one minute.
       
       Example :
       
			    ABUSE_DETECT_TIME 40
			    
			    
			    
       
* ABUSE_DETECT_SAMESERVICE <number>      [YET=unimplemented]

       Run a denial security procedure if the current service is called more
than this number per <ABUSE_DETECT_TIME> seconds.

       Example :
       
			 ABUSE_DETECT_SAMESERVICE 100
			 


			 
* ABUSE_DETECT_SAMEHOST <number>         [YET=unimplemented]

       Run a denial security procedure if the current service is called more
than this number per <ABUSE_DETECT_TIME> seconds from the same host.

       Example :
       
			  ABUSE_DETECT_SAMEHOST 10




* ABUSE_DETECT_SAMENET <number>          [YET=unimplemented]

       Run a denial security procedure if the current service is called more
than this number per <ABUSE_DETECT_TIME> seconds from the same network.

       A default netmask will be used according to the internet class of the
attacker.

       Example :
       
			   ABUSE_DETECT_SAMENET 20
			 



* ABUSE_DENYTIME <seconds>               [YET=unimplemented]

       In case of an automatic denial security procedure, access will be
refused for the banned service/host/network during that time before being
reactivated. Use -1 to definitely disable.

       Example :
       
			     ABUSE_DENYTIME 3600



* ABUSE_DENYSERVICES <services>          [YET=unimplemented]

       Also disable these other services in case of an automatic denial
security procedure.

       Example :
       
{
  ABUSE_DETECT_SAMEHOST 10
  ABUSE_DETECT_SAMENET 20
  ABUSE_DENYTIME 3600
  {
    SERVICE smtp
    RUN /usr/qmail/binwrappers/q-smtpd
    ABUSE_DENYSERVICES qmtp,pop,imap
  }
  { SERVICE qmtp
    RUN /usr/qmail/binwrappers/q-qmtpd
    ABUSE_DENYSERVICES smtp,pop,imap
  }
}
       
 
 
* ABUSE_RUN <file>                       [YET=unimplemented]

       Run that program in case of an abuse procedure. This can be, for
instance, a script that will send a mail to the administrator.

       Example :
       
		       ABUSE_RUN /usr/sbin/abuse-report
		       
		       
		       
* ABUSE_LOGFILE <file>                   [YET=unimplemented]

       Store banned services/hosts/networks in that file in order to keep
them and restore them even though the daemon is restarted.

       Example :
       
		  ABUSE_LOGFILE /var/daemonlib/abuses-list



* ALLOW <regex>

       Only allow connections coming from hosts names matching the
regular expression. If nothing is denied, default is to consider that all
hosts are refused but these ones.

       Extended POSIX regexes are fully supported.
       
       Example :
       
	       ALLOW *.g2s.com|firewall.friends.org




* ALLOW_EXCEPT <regex>

       Matching expressions will be exceptions to the previous keyword
content. Seems to be useless, but it can make the regex simpler and can be
quite useful in cooperation with the contextual blocks mechanism.

       Example :
       
		   ALLOW_EXCEPT router.g2s.com




* DENY <regex>

       Don't let these hosts reach the current service, unless they are
authorized by an ALLOW keyword.

       Example :
       
		     DENY *.epita.fr|*.epi.net

		     
		     
* DENY_EXCEPT <regex>

       Hosts matching the previous regex and that one will be allowed.
       
       Example :
       
			 DENY_EXCEPT guests.epita.fr
			 
			 
			 
* ALLOW_IP <regex>

       Only allow connections coming from IP addresses matching the
regular expression. If nothing is denied, default is to consider that all
hosts are refused but these ones.

       Extended POSIX regexes are fully supported.
       
       Example :
       
	       ALLOW_IP 127.0.0.*




* ALLOW_IP_EXCEPT <regex>

       Matching expressions will be exceptions to the previous keyword
content. Seems to be useless, but it can make the regex simpler and can be
quite useful in cooperation with the contextual blocks mechanism.

       Example :
       
		   ALLOW_IP_EXCEPT 127.0.0.255




* DENY_IP <regex>

       Don't let these addresses reach the current service, unless they are
authorized by an ALLOW keyword.

       Example :
       
		     DENY_IP 163.5.*|194.98.116.*
		     
		     
		     
* DENY_IP_EXCEPT <regex>

       Hosts matching the previous regex and that one will be allowed.
       
       Example :
       
			 DENY_IP_EXCEPT 194.98.116.250
			 


* USER <name>

       Run the service as this user name. If it is impossible to find it,
refuse to run the server for security reasons.
       
       Example :
       
				 USER nobody
				 
				 
				 
* GROUP <name>

       When switching from the root user to another one with the previous
keyword, all groups that user belongs to, are available to the spawned
application. If you want the process being run with the permissions of an
unique group, use this keyword.

       Example :
       
				  GROUP www
				  
				  
				  
* CHROOT <path>

       Define a new path as a rootdir. This keyword performs a chroot()
system call before launching the server process. The path has to be absolute.

       Example : 
       
			CHROOT /usr/local/restricted
			
			
			
			
* RUN <file> [arg1 [arg2]...]

       Launch this program as a server when a connection arrives for the
corresponding service.

       Example :
       
			      RUN /bin/ls /tmp




* FILTER [<file>][BUILTIN <b> [args...]] [YET=unimplemented]

       Application filter. Packets are piped to <file> before being
sent/received to/by the server in order to be analysed to avoid possible
security holes.
       Jnetd has some generic and common built-in filters that can be
combined with external plug-ins.
       
       With that feature, G2S can act as a basic, but effective firewall.
       
       Examples :
       
		 FILTER /usr/sbin/g2s/firewalling/www-filter
		 FILTER BUILTIN TRUNC=80 VCAR=[:alpha:]*
		 
		 
		 
		 
* GATEWAY_TO <host> <service>

       Transparently relay incoming requests to another host and/or another
port. One application to this is to hide a subnet, using the G2S host as a
software router. For instance, your real WWW server could be 10.1.1.3 (not
routed on internet), internally named realwww.g2s.com . Your public DNS
hides it, but registers www.g2s.com as 190.1.2.3 , one of your G2S host IP
addresses. When people will connect to www.g2s.com, packet will be silently
forwarded to realwww.g2s.com through the fake server. If your router is
compromited, realwww will not be vulnerable from the attacker, unless the
G2S host itself is successfully attacked.
       
		     [Yet not implemented part follows]
		     
       Multiple GATEWAY_TO entries can be in the same service sub-block. In
that case, you might have several redundant servers and your G2S host will
manage the load-balancing and fault tolerance. Weights can be affected to
each targets and if a server doesn't answer, clients won't be disconnected
but the other identical servers will be used instead.

       Example :
       
		       GATEWAY_TO realwww.g2s.com www
		       


* GATEWAY_FROM <host>

       If the G2S host has multiple IP addresses, you can choose which one
will be presented to the real server. That's the way to do multiple hosts
masquerading and it might be very useful in coordination with a filtering
router.

       Example :
       
			  GATEWAY_FROM www.g2s.com
			  
			  
			  
			  
* SPAWN_NBLIMIT <number>                 [YET=unimplemented]

       Limit the number of simultaneous relaying connections for a
sub-block. If that limit is reached, other blocks will be probed.

       Example :
       
{
  SERVICE www=80
  HOST www.g2s.com
  GATEWAY_FROM www-relaying.g2s.com
  {
    GATEWAY_TO realwww.g2s.com www=80
    SPAWN_NBLIMIT 50
  }
  {
    GATEWAY_TO realwww-backup.g2s.com www=80
  }
}




* SPAWN_CPUPLIMIT                        [YET=unimplemented]

       Set a percentage of CPU time not to be reached or switch to another
alternative gateway.

       Example :

{
  SERVICE www=80
  HOST www.g2s.com
  GATEWAY_FROM www-relaying.g2s.com
  {
    GATEWAY_TO realwww.g2s.com www=80
    SPAWN_NBLIMIT 50
    SPAWN_CPUPLIMIT 80%
  }
  {
    GATEWAY_TO realwww-backup.g2s.com www=80
  }
}




* SPAWN_CPULIMIT                         [YET=unimplemented]

       Set a maximum machine time not to be reached or switch to another
alternative gateway.

       Example :

{
  SERVICE www=80
  HOST www.g2s.com
  GATEWAY_FROM www-relaying.g2s.com
  {
    GATEWAY_TO realwww.g2s.com www=80
    SPAWN_NBLIMIT 50
    SPAWN_CPUPLIMIT 80%
    SPAWN_CPULIMIT 240
  }
  {
    GATEWAY_TO realwww-backup.g2s.com www=80
    SPAWN_CPULIMIT 120    
  }
  {
    GATEWAY_TO realwww-backup-fastcpu.g2s.com www=80
  }  
}


* SPAMFILTER 0|1|2

       With SPAMFILTER 0, no RBL check will be performed. This is the
default. With SPAMFILTER 1, a new connexion attempt will be matched
against RBL maps.
       With SPAMFILTER 2, an RBL check will be performed. If the RBL maps
server is down or can't be reached, the connexion will be allowed anyway.
       So, if there is a network or DNS problem, you have the choice between
delaying all mail (just in case there is some spam in it) with SPAMFILTER 1,
or receiving all mail, until the DNS is up anew with SPAMFILTER 2.
       RBL maps is a way to automatically reject connexions from sites known
to send lotsa unwanted commercial email junks (spam) .
       Although you may want to set this as a default option (no pity for
these bad guys !), it slows down each connexions and increases DNS traffic.
       It's why in most case, you may just want to use it for SMTP.
       
{
  SPAMFILTER 1
  SERVICE smtp=25
  ...
}

* BUILTIN

       Common built-in commands, to be used intead of a RUN keyword :
       
- ECHO : Just a stupid test that will return a copy received data.

- DISCARD : Discard incoming packets.

- INFO : If you like G2S and want to show it, let you add this service to
port 9999/TCP. It will return a little string with your G2S version.

       Example :
       
				BUILTIN INFO
				
				
       
       
