tcpserver - accept incoming IPv4/IPv6 TCP connections and invoke application
Purpose
tcpserver allows applications to accept TCP connections in a chroot environment. Unlike inetd or xinetd it is not a `super daemon` but handles individual connections in user space.
tcpserver can listen to any IPv4/IPv6 address and any port. It also supports binding to all local IPv4 and IPv6 addresses (simultaneously).
Conversely, incoming IP/TCP connections are usually placed under the control of tcprules, which allows filtering on IP addresses and DNS information. Remote clients can thus be qualified before a TCP session is accepted, which amounts to a user-level firewall.
Application support
By means of tcpserver, applications communicate with the network via the standard file descriptors:
- FD 0: Reading from the network.
- FD 1: Writing to the network.
The application may be supplied with any arguments on invocation.
While tcpserver is typically invoked by root, the application is executed in a chroot environment with restricted permissions only. Therefore, one sets
- -u uid and
- -g gid
upon calling tcpserver.
tcpserver spawns a new instance of the application for each accepted connection; the number of concurrent instances can be limited by providing -c limit.
The application may be fed with several pieces of connection-relevant information, pushed into its environment for further use.
Local binding
tcpserver usually uses the host's primary IP address, but can otherwise bind to any IPv4 and/or IPv6 address of the system and to any port (given the required permissions), as defined by
- host (or the IPv4, the IPv6 address; or 0, ::, :0);
- port (if port equals '0', a free port is chosen),
- -I ifname
Here,
- 0 are all available IPv4 addresses (upon invocation),
- :: are all available IPv6 addresses (upon invocation), or
- :0 providing IPv4/IPv6 dual-stack binding.
tcpserver allows binding to IPv6 LLU (link-local unicast) addresses, provided that the interface name is given in addition. Beware that LLU addresses are in particular subject to SLAAC changes.
Name resolution
tcpserver reads the environment variable DNSCACHEIP, which can be used to specify the recursive DNS resolver.
If it is not set, tcpserver uses the nameserver entries provided in /etc/resolv.conf.
Network settings and connections from the remote client
Prior to spawning the application, tcpserver can be advised to evaluate several IP and DNS connection conditions, which depend on the client's IP address and potentially on the evaluated DNS and IDENT information:
- -h
Query the inverse name via ip6.arpa or in-addr.arpa and the authoritative name server, followed by a query of the remote host name via a PTR lookup (default).
- -p
Require that the incoming IP address matches those from the A/AAAA DNS lookup at the authoritative name server (paranoid).
Now TCP(6)REMOTEHOST is correctly populated.
Nowadays almost always avoided is the lookup of the remote user via IDENT/TAP:
- -r
IDENT/TAP lookup, applying a -t timeout (default: 26 secs).
- -R
IDENT/TAP lookup disabled (default).
Apart from those possibilities, some unusual settings are available:
- -B banner
Send 'banner' as greeting string to the remote client.
- -b backlog
Allow backlog simultaneous SYNs to be received.
- -o
Allow source routing of IP packets (default: no).
- -d
Delay sending of data for a fraction of a second (default: no).
Controlling remote connection behavior via tcprules
tcpserver can be advised to read one or more cdb's prior to accepting a TCP connection, including additional policy information on how to handle a connection and which environment variables to export to the application:
- -x tcp.cdb
Require a file tcp.cdb, read and follow its instructions.
- -X tcp.cdb
Don't require a file tcp.cdb, but read its content if given.
In order to operate successfully, tcpserver supplies tcprules with the following data to be compared against a database (cdb):
- The IP address of the remote client (always),
- the hostname (given a DNS lookup),
- the identity of the remote caller (given an IDENT lookup).
Certain rules can be set up:
- deny a connection,
- allow a connection and provide additional environment variables for the application.
TCP connection management and spawning
Upon an accepted connection from a TCP client, tcpserver spawns a new instance, setting up the environment and invoking the application.
TCP connections can be restricted by
- (global) -c n, where n is the number of active concurrent tcpserver instances and thus of called applications. The default is 40.
- (global) $MAXCONIP, given as an environment variable, is the maximum number of TCP connections from one single IPv4/IPv6 source; it limits the number of children for each unique IP address.
- (restricted) $MAXCONIP provided within a cdb defines a (typically small) value for a given network range or single IP address, which is then used as the limit on accepted TCP connections for each unique IP address within that range.
In the last case, tcpserver can limit the number of concurrent connections from a single source (or a network range) to 'n' instances prior to calling the application, thus preventing a denial of service (DoS) attack. Note that changes of environment variables following the settings in tcprules don't require a restart of tcpserver.
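The following is an added example, not taken from the tcpserver man page or the ucspi-tcp6 project. It writes a tcprules source file that denies one network, allows a trusted subnet while exporting an extra variable and a per-IP cap via MAXCONIP, and caps everybody else with a default rule; it then compiles the file into the cdb that `tcpserver -x tcp.cdb` reads. The networks, the variable APPMODE and the limits are constructed placeholders. The `rule_for` helper is a dry-run lookup for IPv4 rules in the text file only: it follows the classic tcprules order (full address, then ever shorter prefixes ending in a dot, then the empty default rule) and ignores hostname and IDENT rules, so it is a review aid, not a replacement for tcprules.

```shell
#!/bin/sh
# Added example (not from the tcpserver man page): tcprules policy with deny,
# allow-with-variables and per-IP connection caps, plus the compile step.
# Networks, APPMODE and the MAXCONIP values are constructed placeholders.
set -eu

RULES=${RULES:-tcp.rules}   # rules source (text)
CDB=${CDB:-tcp.cdb}         # compiled database handed to "tcpserver -x"

write_rules() {
    # tcprules syntax: address-or-prefix:allow|deny[,VAR="value"...]; '#' starts a comment
    cat > "$1" <<'EOF'
# refuse this network before the application is ever executed
10.66.0.:deny
# trusted subnet: accept, export APPMODE to the application, 10 connections per IP
192.168.1.:allow,APPMODE="trusted",MAXCONIP="10"
# default rule: accept, but no more than 2 concurrent connections per source IP
:allow,MAXCONIP="2"
EOF
}

compile_rules() {
    # tcprules writes into the temporary file and renames it over the cdb when
    # done, so a running tcpserver never reads a half-written database
    tcprules "$2" "$2.tmp" < "$1"
}

rule_for() {
    # Dry-run lookup of the rule that applies to IPv4 address $2 in file $1:
    # full address first, then shorter prefixes ending in a dot, then the
    # empty default rule. Prints the instruction part of the first match,
    # returns 1 if nothing matches (no default rule).
    key=$2
    while :; do
        hit=$(awk -F: -v k="$key" \
            'NF >= 2 && $0 !~ /^#/ && $1 == k { print substr($0, length($1) + 2); exit }' "$1")
        if [ -n "$hit" ]; then
            printf '%s\n' "$hit"
            return 0
        fi
        [ -z "$key" ] && return 1
        case $key in *.) key=${key%.} ;; esac   # "10.66.0." -> "10.66.0"
        case $key in
            *.*) key=${key%.*}. ;;              # "10.66.0.5" -> "10.66.0." ... -> "10."
            *)   key= ;;                        # "10." -> "" (the default rule)
        esac
    done
}

write_rules "$RULES"
# compile only where tcprules from ucspi-tcp6 is installed
if command -v tcprules >/dev/null 2>&1; then
    compile_rules "$RULES" "$CDB"
fi
```

Because the cdb is swapped in atomically, rules and per-range MAXCONIP values can be changed while tcpserver keeps running, which is the behaviour the paragraph above describes.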
Environment variables set
tcpserver sets up several environment variables available for the application, as described in tcp-environ:
- PROTO is either TCP or tcp6.
- The interface name for IPv6 connections: tcp6INTERFACE.
- The local information: TCPLOCALIP, tcp6LOCALIP, TCPLOCALPORT, tcp6LOCALPORT, TCPLOCALHOST, tcp6LOCALHOST.
- The remote IP/TCP data for the connection: TCPREMOTEIP, tcp6REMOTEIP together with TCPREMOTEPORT and tcp6REMOTEPORT.
The DNS (TCPREMOTEHOST, tcp6REMOTEHOST) and IDENT (TCPREMOTEINFO) information is optional and depends on the arguments supplied.
Logging
Invoking tcpserver with the options
- -v and optionally
- -l localname
will log the session on FD 2, including (if possible) the hostname as well as the IP addresses and ports of both peers. The DNS lookup for the local host can be avoided by substituting a generic name. IP addresses are displayed either as plain IPv4 or as compressed IPv6 addresses.
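As an added example covering the "Application support", "Environment variables set" and "Logging" sections above (it is not part of the tcpserver man page or the ucspi-tcp6 project), here is a minimal line-oriented service written to be started by tcpserver: it reads requests on FD 0, answers on FD 1, writes one log line per request to FD 2, and selects the TCPxxx or tcp6xxx variables according to PROTO. The invocation in the header comment shows the options discussed on this page; the port 8025, uid/gid 1001, the script path, the banner and the request commands (PING, WHO, QUIT) are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the tcpserver man page: a tiny service that
# tcpserver starts per connection. Intended invocation (placeholders: port,
# uid/gid, path, banner), as an unprivileged user, at most 20 instances,
# with tcprules policy from tcp.cdb and session logging via -v/-l:
#
#   tcpserver -v -l myhost -c 20 -u 1001 -g 1001 -x tcp.cdb \
#       -B "220 echo-service ready" :0 8025 /usr/local/bin/echo-service.sh serve
#
# ":0" binds the IPv4/IPv6 dual stack; "serve" is the argument passed on to
# the application (any arguments may be supplied on invocation).
set -eu

conn_var() {
    # Pick TCP$1 or tcp6$1 according to PROTO (TCP or tcp6); $2 is a fallback.
    case ${PROTO:-TCP} in
        tcp6) eval "v=\${tcp6$1:-}" ;;
        *)    eval "v=\${TCP$1:-}" ;;
    esac
    printf '%s' "${v:-${2:-?}}"
}

respond() {
    # Build the response for request $1 (without line terminator).
    case $1 in
        PING) printf 'PONG %s %s:%s -> %s:%s' "${PROTO:-TCP}" \
                  "$(conn_var REMOTEIP)" "$(conn_var REMOTEPORT)" \
                  "$(conn_var LOCALIP)" "$(conn_var LOCALPORT)" ;;
        WHO)  printf 'you are %s ident=%s' "$(conn_var REMOTEHOST unresolved)" \
                  "${TCPREMOTEINFO:-none}" ;;   # both only set if -h/-p and -r were used
        QUIT) printf 'BYE' ;;
        *)    printf 'ERR unknown command' ;;
    esac
}

serve() {
    # Request/response loop: FD 0 from the network, FD 1 to the network,
    # one log line per request on FD 2 (alongside tcpserver's own -v log).
    while IFS= read -r req; do
        req=$(printf '%s' "$req" | tr -d '\r')
        printf '%s %s:%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
            "$(conn_var REMOTEIP)" "$(conn_var REMOTEPORT)" "$req" >&2
        printf '%s\r\n' "$(respond "$req")"
        [ "$req" = QUIT ] && return 0
    done
    return 0
}

# Entry point when tcpserver runs this file with the argument "serve"; without
# it only the functions are defined (e.g. when the file is sourced for testing).
if [ "${1:-}" = serve ]; then
    serve
fi
```

Note that the application never opens a socket itself: tcpserver has already accepted the connection, dropped privileges per -u/-g and exported the tcp-environ variables before the script runs, so the same script serves IPv4 and IPv6 clients unchanged.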