Casual technical question about /etc/services

Joshua Brindle method at gentoo.org
Tue Mar 23 18:48:56 PST 2004


You may be right in most cases, but consider DNS:
domain          53/tcp          nameserver      # name-domain server
domain          53/udp          nameserver

DNS _does_ use both tcp and udp: udp is primarily used, except in cases
where the answer would be too large, then a tcp connection is established.

Joshua Brindle

Dagmar d'Surreal wrote:

> Okay, something that's been bugging me for awhile I'm now going to ask
> about outright, with some backstory to explain why I'm asking...
> 
> I'm just about done with the /etc/rc.d/init.d/functions-network script,
> which is basically necessary because otherwise these init scripts are
> going to become really unreadable once the modular iptables sections are
> added (see attachments for examples).  I've built routines to simplify
> "punching holes" in the firewall rules for incoming and outgoing
> connections by service name (to make it even more readable) and it does
> this by looking up the service name in /etc/services to find the port
> number (and protocols) and now it's bugging me that I've had to modify
> the routine to accommodate instances of services which never, ever, to my
> knowledge use both tcp and udp, and yet, _both_ are listed in
> /etc/services.  Example: 
> 
> ident	113/tcp
> auth	113/tcp
> auth	113/udp
> 
> Now, I've never seen something that could look up states on what amounts
> to a stateless connection, and nearly all the entries in /etc/services
> have them doubled up like this.  Does anyone know _why_ unused protocols
> are listed like this?
> 
> (By the way I am aware of the effects of running the same script to
> start a daemon twice in a row.  I'm undecided about the solutions for
> that I've thought up.)
> 
> 
> ------------------------------------------------------------------------
> 
> log_info() {
> 	# Just uncomment this line to create syslog information about what happens in here.
> 	logger -t functions-network -p local3.info "$@"
> }
> 
> getaddr() {
> 	local interface=$1
> 	local variable=$2
> 	local line=`ip -4 addr show dev "$interface" | grep inet`
> 	if [ -z "$line" ]
> 	then
> 		unset $variable
> 		return
> 	fi
> 	local IFS=" /"
> 	set $line
> 	eval $variable="$2"
> }
> 
> getcidr() {
> 	local interface=$1
> 	local variable=$2
> 	local line=`ip -4 addr show dev "$interface" | grep inet`
> 	if [ -z "$line" ]
> 	then
> 		unset $variable
> 		return
> 	fi
> 	set $line
> 	eval $variable="$2"
> }
> 
> # These should possibly emit warnings if a named service isn't found.
> permit_outbound() {
>   local interface=$1 service=$2 protocol=$3
>   for line in `awk '{ if ( $1 == "'$service'" ) print $2 }' /etc/services`; do 
>     local IFS=" /"
>     set $line
>     if [ -n "$protocol" ] && [ $2 = $protocol ]
>     then
>       iptables -A OUTPUT -o $interface -p $2 --dport $1 -m state --state NEW -j ACCEPT 2>/dev/null
>       iptables -A OUTPUT -o $interface -p $2 --dport $1 -m state --state ESTABLISHED,RELATED -j ACCEPT 2>/dev/null
>       iptables -A INPUT -i $interface -p $2 --sport $1 -m state --state ESTABLISHED,RELATED -j ACCEPT 2>/dev/null
>       log_info "iptables -A OUTPUT -o $interface -p $2 --dport $1 -m state --state NEW -j ACCEPT"
>       log_info "iptables -A OUTPUT -o $interface -p $2 --dport $1 -m state --state ESTABLISHED,RELATED -j ACCEPT"
>       log_info "iptables -A INPUT -i $interface -p $2 --sport $1 -m state --state ESTABLISHED,RELATED -j ACCEPT"
>     fi
>   done
> }
> 
> permit_inbound() {
>   local interface=$1 service=$2 protocol=$3
>   for line in `awk '{ if ( $1 == "'$service'" ) print $2 }' /etc/services`; do 
>     local IFS=" /"
>     set $line
>     if [ -n "$protocol" ] && [ $2 = $protocol ]
>     then
>       # inbound: the service port is the destination on INPUT and the source of the reply on OUTPUT
>       iptables -A INPUT -i $interface -p $2 --dport $1 -m state --state NEW -j ACCEPT 2>/dev/null
>       iptables -A INPUT -i $interface -p $2 --dport $1 -m state --state ESTABLISHED,RELATED -j ACCEPT 2>/dev/null
>       iptables -A OUTPUT -o $interface -p $2 --sport $1 -m state --state ESTABLISHED,RELATED -j ACCEPT 2>/dev/null
>       log_info "iptables -A INPUT -i $interface -p $2 --dport $1 -m state --state NEW -j ACCEPT"
>       log_info "iptables -A INPUT -i $interface -p $2 --dport $1 -m state --state ESTABLISHED,RELATED -j ACCEPT"
>       log_info "iptables -A OUTPUT -o $interface -p $2 --sport $1 -m state --state ESTABLISHED,RELATED -j ACCEPT"
>     fi
>   done
> }
> 
> revoke_outbound() {
>   local interface=$1 service=$2 protocol=$3
>   for line in `awk '{ if ( $1 == "'$service'" ) print $2 }' /etc/services`; do 
>     local IFS=" /"
>     set $line
>     if [ -n "$protocol" ] && [ $2 = $protocol ]
>     then
>       iptables -D OUTPUT -o $interface -p $2 --dport $1 -m state --state NEW -j ACCEPT 2>/dev/null
>       iptables -D OUTPUT -o $interface -p $2 --dport $1 -m state --state ESTABLISHED,RELATED -j ACCEPT 2>/dev/null
>       iptables -D INPUT -i $interface -p $2 --sport $1 -m state --state ESTABLISHED,RELATED -j ACCEPT 2>/dev/null
>       log_info "iptables -D OUTPUT -o $interface -p $2 --dport $1 -m state --state NEW -j ACCEPT"
>       log_info "iptables -D OUTPUT -o $interface -p $2 --dport $1 -m state --state ESTABLISHED,RELATED -j ACCEPT"
>       log_info "iptables -D INPUT -i $interface -p $2 --sport $1 -m state --state ESTABLISHED,RELATED -j ACCEPT"
>     fi 
>   done
> }
> 
> revoke_inbound() {
>   local interface=$1 service=$2 protocol=$3
>   for line in `awk '{ if ( $1 == "'$service'" ) print $2 }' /etc/services`; do 
>     local IFS=" /"
>     set $line
>     if [ -n "$protocol" ] && [ $2 = $protocol ]
>     then
>       # must mirror permit_inbound exactly or the -D will not find the rule
>       iptables -D INPUT -i $interface -p $2 --dport $1 -m state --state NEW -j ACCEPT 2>/dev/null
>       iptables -D INPUT -i $interface -p $2 --dport $1 -m state --state ESTABLISHED,RELATED -j ACCEPT 2>/dev/null
>       iptables -D OUTPUT -o $interface -p $2 --sport $1 -m state --state ESTABLISHED,RELATED -j ACCEPT 2>/dev/null
>       log_info "iptables -D INPUT -i $interface -p $2 --dport $1 -m state --state NEW -j ACCEPT"
>       log_info "iptables -D INPUT -i $interface -p $2 --dport $1 -m state --state ESTABLISHED,RELATED -j ACCEPT"
>       log_info "iptables -D OUTPUT -o $interface -p $2 --sport $1 -m state --state ESTABLISHED,RELATED -j ACCEPT"
>     fi
>   done
> }
> 
> exempt_group() {
>   iptables -I OUTPUT -o $1 -m owner --gid-owner $2 -j ACCEPT 2>/dev/null
>   log_info "iptables -I OUTPUT -o $1 -m owner --gid-owner $2 -j ACCEPT"
> }
> 
> unexempt_group() {
>   iptables -D OUTPUT -o $1 -m owner --gid-owner $2 -j ACCEPT 2>/dev/null
>   log_info "iptables -D OUTPUT -o $1 -m owner --gid-owner $2 -j ACCEPT"
> }
> 

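The lookup that both messages revolve around, as an added example that is not part of the original thread or of the hlfs scripts: a POSIX shell function that resolves a service name through an /etc/services-style table the way the quoted permit_*/revoke_* routines do, but also matches aliases (the `nameserver` in the domain line above, which the awk `$1 == name` test would miss), strips trailing comments, and prints every port/protocol pair so the caller sees both 53/tcp and 53/udp for `domain`. A second function prints the inbound iptables rules for those pairs with the service port as --dport on INPUT and --sport on the OUTPUT reply. The /etc/services excerpt is constructed and embedded so it runs offline; SERVICES_FILE, service_ports and inbound_rules are names chosen here.

```shell
#!/bin/sh
# Added example, not code from the hlfs-dev thread. Looks up a service name
# in an /etc/services-style table and prints every PORT/PROTO it maps to.

# Constructed excerpt standing in for /etc/services so the demo runs offline.
# Set SERVICES_FILE=/etc/services to query the real table instead.
SERVICES_SAMPLE='# Network services, Internet style
ssh             22/tcp
ssh             22/udp
domain          53/tcp          nameserver      # name-domain server
domain          53/udp          nameserver
http            80/tcp          www www-http    # WorldWideWeb HTTP
auth            113/tcp         authentication tap ident
auth            113/udp         authentication tap ident
ntp             123/udp                         # Network Time Protocol'

# service_ports NAME [PROTO]
# Prints one "PORT/PROTO" line per matching entry. Matches the primary name
# (column 1) and any alias (column 3 onward), ignores "# ..." comments, and
# with PROTO given keeps only that protocol. Returns 1 when nothing matched,
# so a caller can warn instead of silently adding no rule.
service_ports() {
    local name proto table
    name=$1
    proto=${2:-}
    if [ -n "${SERVICES_FILE:-}" ]; then
        table=$(cat "$SERVICES_FILE")
    else
        table=$SERVICES_SAMPLE
    fi
    printf '%s\n' "$table" | awk -v name="$name" -v proto="$proto" '
        { sub(/#.*/, "") }            # strip trailing comments
        NF < 2 { next }               # blank or comment-only line
        {
            hit = 0
            for (i = 1; i <= NF; i++) {
                if (i == 2) continue  # column 2 is PORT/PROTO, not a name
                if ($i == name) { hit = 1; break }
            }
            if (!hit) next
            split($2, pp, "/")        # pp[1] = port, pp[2] = protocol
            if (proto != "" && pp[2] != proto) next
            print $2
            found = 1
        }
        END { exit found ? 0 : 1 }'
}

# inbound_rules IFACE NAME [PROTO]
# Prints (does not execute) the iptables rules that admit connections TO the
# service. Note the direction: on INPUT the service port is --dport, and the
# reply leaving on OUTPUT carries it as --sport.
inbound_rules() {
    local iface
    iface=$1
    service_ports "$2" "${3:-}" | while IFS=/ read -r port proto; do
        echo "iptables -A INPUT -i $iface -p $proto --dport $port -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT"
        echo "iptables -A OUTPUT -o $iface -p $proto --sport $port -m state --state ESTABLISHED,RELATED -j ACCEPT"
    done
}

# Demo: "domain" resolves to both 53/tcp and 53/udp, the alias works,
# and asking for a protocol the service does not use is reported, not ignored.
service_ports domain
service_ports nameserver udp
service_ports ntp tcp || echo "ntp: no tcp entry in services table"
inbound_rules eth0 domain
```

Run with SERVICES_FILE=/etc/services to see how the real table on a given box spells the same entries; the rules it prints are only echoed, so it is safe to run as an unprivileged user before pasting anything into an init script.
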
More information about the hlfs-dev mailing list