Source: http://www.chinaunix.net    Author: peng
(4) Principles and configuration of UCSPI-TCP
Dan Bernstein, the author of qmail, developed the UCSPI-TCP (UNIX Client-Server Program Interface for TCP) package as a replacement for the inetd program. The UCSPI specification defines how programs exchange data and has three main advantages:
1. The UCSPI interface is independent of the underlying communication medium.
2. UCSPI allows shell scripts to make use of network connections.
3. UCSPI programs set UNIX environment variables that describe the network connection and can be used by programs and users.
UCSPI-TCP connects applications through programs called tools. There are two kinds of UCSPI tool: the client tool (tcpclient) and the server tool (tcpserver).
Compared with the inetd program it replaces, the UCSPI-TCP tcpserver program has the following advantages:
1. It can record all input and output on the server side to a file.
2. It provides access control: it can refuse or allow connections from a client.
3. It includes a limit on concurrent connections, which prevents the UNIX system from being overloaded.
tcpserver enforces access control by means of a hashed rule database configured by the administrator.
The format of the tcpserver command line is:
tcpserver options host port application
The host and port parameters specify the host name and port number of the local server on which the application runs. host can be localhost, the host's IP address, or the host's fully qualified domain name. port can be a number or the name of a TCP port listed in the /etc/services file, such as smtp. application is the program to which the connection is handed once it has been established.
The options parameter controls the behaviour of the tcpserver program. There are three kinds of options:
General options ------ options that apply to UCSPI tools in general.
Connection options --- how connection requests are handled.
Data-gathering options --- how the information passed to the application in UNIX environment variables is obtained.
Table (1): tcpserver connection options
-------------------------------------------------------------------------------
Option       Description
-------------------------------------------------------------------------------
-b n         Allow a backlog of n pending connection requests.
-B banner    Write banner to the network connection as soon as the connection is established.
-c n         Do not accept more than n simultaneous connections.
-d           Delay sending data to the remote host when the remote host is responding slowly.
-D           Never delay sending data to the remote host.
-g gid       After preparing to receive connections, change the effective group ID to gid.
-1           After preparing to receive connections, print the local port number to stdout.
-o           Leave the IP options in the connecting packet unchanged.
-u uid       After preparing to receive connections, change the effective user ID to uid.
-O           Remove IP options (source-routing options) from the packet.
-U           Equivalent to -g $GID -u $UID.
-x db        Accept or reject remote clients according to the rules in the hashed database db.
-X           Allow connections even when the database given with -x does not exist.
-------------------------------------------------------------------------------
Table (2): tcpserver data-gathering options
-------------------------------------------------------------------------------
Option        Description
-------------------------------------------------------------------------------
-h            Use DNS to look up the remote host name.
-H            Do not use DNS to look up the remote host name. You must use this option for port 53.
-l localname  Do not use DNS to look up the local server's host name; use localname instead.
-p            Paranoid: after obtaining the remote host name by reverse DNS, look up that name's IP address and compare it with the client's address; if they do not match, remove the environment variable $TCPREMOTEHOST.
-r            Try to obtain $TCPREMOTEINFO from the remote host (default).
-R            Do not try to obtain $TCPREMOTEINFO from the remote host. You must use this option for port 53 and port 113.
-t n          Give up trying to obtain $TCPREMOTEINFO after n seconds. Default 26.
-------------------------------------------------------------------------------
tcpserver tries to gather data into several UNIX environment variables. These variables help the application handle the network information related to the connection.
Table (3): tcpserver UNIX environment variables
-------------------------------------------------------------------------------
Variable          Description
-------------------------------------------------------------------------------
$PROTO            Protocol in use (defaults to TCP)
$TCPLOCALIP       Local IP address
$TCPLOCALPORT     Local TCP port number
$TCPLOCALHOST     DNS name of the local host
$TCPREMOTEIP      IP address of the remote client
$TCPREMOTEPORT    TCP port number of the remote client
$TCPREMOTEHOST    DNS name of the remote host
$TCPREMOTEINFO    User name of the remote client
-------------------------------------------------------------------------------
When tcpserver accepts a remote client connection, it provides these environment variables to the application. If it cannot obtain the information for a particular variable, it leaves that variable unset.
The tcprules program
The tcprules program creates the rules that restrict which connections reach the application. The rules are written by hand and specify whether to accept or reject a single address, a group of IP addresses, or an entire network. They are written in a text file, one rule per line. Once the text file is complete, it is converted into a hashed database in CDB format. This lets tcpserver evaluate the rules dynamically whenever a remote client requests a connection.
Rules are written in this format:
address:action,variable
address is matched against the values of the connection. The forms this parameter can take are based on the environment variables in table (3), and combinations of those variables can be used to build a valid address. The following list shows the address formats tcpserver recognizes:
Table: tcpserver rule addresses
-------------------------------------------------------------------------------
Address                             Example
-------------------------------------------------------------------------------
$TCPREMOTEINFO@$TCPREMOTEIP         peng@[192.168.3.11]
$TCPREMOTEINFO@=$TCPREMOTEHOST      peng@96633.net
$TCPREMOTEIP                        192.168.3.11
=$TCPREMOTEHOST                     mail.chinaunix.net
A prefix of $TCPREMOTEIP            192.168.
A suffix of $TCPREMOTEHOST          chinaunix.net
Empty                               any address
-------------------------------------------------------------------------------
The action has two possible values: allow and deny.
Besides the action, further environment variables, separated by commas, can be appended to the rule; tcpserver sets them when the matching remote client connects. This makes it possible to implement selective features, such as relaying only for particular clients.
Some examples:
-------------------------------------------------------------------------------
Rule                                  Description
-------------------------------------------------------------------------------
192.168.0.1:deny                      Denies any connection from 192.168.0.1.
192.168.3.:allow                      Allows any connection from clients on the 192.168.3.0 network.
192.168.4.1-11:allow                  Allows any connection from clients 192.168.4.1 through 192.168.4.11.
:deny                                 Rejects any connection.
peng@chinaunix.net:allow              Allows connections from peng@chinaunix.net.
192.168.3.:allow,RELAYCLIENT=""       Accepts any connection from the 192.168.3.0 network and sets the environment variable RELAYCLIENT to the empty string.
-------------------------------------------------------------------------------
This article sets up the following SMTP relay rules (relaying is refused for every host except the local host, while connections themselves are not restricted):
# vi /etc/tcp.smtp
127.0.0.1:allow,RELAYCLIENT=""
:allow
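To see how tcpserver applies such a rule set to an incoming connection, here is an added Python re-implementation of the tcprules address matching (it is not ucspi-tcp's own code): it parses a rules text like the tcp.smtp above, expands the 192.168.4.1-11 range form, and walks the lookup order the tcprules documentation describes, from the most specific address ($TCPREMOTEINFO@$TCPREMOTEIP) down to the empty address. The lookup order, the default of allowing when nothing matches, and the constructed rule set are assumptions of this example.

```python
# Study re-implementation of tcprules/tcpserver address matching (not ucspi-tcp's own code).
# Assumes the lookup order documented for tcprules; each env value is read up to the next comma.
def parse_rules(text):
    """Parse tcprules text into {address: (action, env)}, expanding a.b.c.X-Y ranges."""
    rules = {}
    for line in filter(str.strip, text.splitlines()):
        address, _, rest = line.strip().partition(":")
        action, _, envspec = rest.partition(",")
        env = {}
        for item in filter(None, envspec.split(",")):
            name, _, value = item.partition("=")
            env[name] = value.strip('"')         # RELAYCLIENT="" sets RELAYCLIENT to ""
        head, _, last = address.rpartition(".")
        if head and "-" in last and last.replace("-", "").isdigit():
            lo, hi = map(int, last.split("-"))    # 192.168.4.1-11 -> .1 through .11
            for n in range(lo, hi + 1):
                rules["%s.%d" % (head, n)] = (action, env)
        else:
            rules[address] = (action, env)
    return rules

def lookup_order(ip, host=None, info=None):
    """Keys tcpserver tries for one connection, most specific first."""
    keys = []
    if info:                                     # $TCPREMOTEINFO@$TCPREMOTEIP, then @=$TCPREMOTEHOST
        keys += ["%s@%s" % (info, ip)] + (["%s@=%s" % (info, host)] if host else [])
    keys += [ip] + (["=" + host] if host else [])  # $TCPREMOTEIP, then =$TCPREMOTEHOST
    parts = ip.split(".")
    for n in range(len(parts) - 1, 0, -1):       # 192.168.3. then 192.168. then 192.
        keys.append(".".join(parts[:n]) + ".")
    if host:
        labels = host.split(".")
        for n in range(1, len(labels)):          # =.chinaunix.net then =.net
            keys.append("=." + ".".join(labels[n:]))
        keys.append("=")                         # any client whose name resolved
    keys.append("")                              # the empty address matches everyone
    return keys

def decide(rules, ip, host=None, info=None):
    """First key found wins; tcpserver allows and sets nothing when no rule matches."""
    hits = [rules[k] for k in lookup_order(ip, host, info) if k in rules]
    return hits[0] if hits else ("allow", {})

# Constructed rules file: the article's relay rule plus one of each other address form.
RULES = parse_rules('''127.0.0.1:allow,RELAYCLIENT=""
192.168.0.1:deny
192.168.3.:allow,RELAYCLIENT=""
192.168.4.1-11:allow
=.chinaunix.net:allow,RELAYCLIENT=""
:allow''')
```

Because only the first matching key counts, a client on 10.0.0.5 with no reverse name gets plain allow without RELAYCLIENT, so qmail-smtpd will not relay for it, while 127.0.0.1 receives RELAYCLIENT="" exactly as the article's tcp.smtp intends; note that tcprules expects an IP prefix to end with a dot (192.168.3.) and a host suffix to start with "=." as written in the constructed rules.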
After creating the text file, use the tcprules command to generate the database file. Its format is:
tcprules database tmpfile
where the rules text is read on standard input. The command used in this article is:
# /usr/local/bin/tcprules /etc/qmail/tcp.smtp.cdb /etc/qmail/tcp.smtp.tmp.tmp < /etc/tcp.smtp
This generates the file /etc/qmail/tcp.smtp.cdb. The name tcp.smtp.cdb indicates that the rules apply to the TCP protocol and the SMTP service, and that the file is in CDB database format.
Next, tell tcpserver how to apply the database. This article starts the SMTP service as follows:
/usr/local/bin/tcpserver -h -R -l 0 -t 1 -c 100 -v -P -x /etc/qmail/tcp.smtp.cdb \
    -u qmailduid -g nofilesgid 0 smtp \
    /usr/local/qmail/bin/qmail-smtpd /home/vpopmail/bin/vchkpw /usr/bin/true 2>&1 \
    | /usr/local/qmail/bin/splogger &
and the POP3 service as follows:
# /usr/local/qmail/bin/tcpserver -c 100 -v -l $_DOMAIN -U -H -R 0 pop3 \
    /usr/local/qmail/bin/qmail-popup domain /home/vpopmail/bin/vchkpw \
    /usr/local/qmail/bin/qmail-pop3d Maildir 2>&1 | /usr/local/qmail/bin/splogger &
With the above, the startup script used in this article should be understandable. At this point, the tcpserver program of UCSPI-TCP is set up.