Chapter 3: Administering TCP/IP

Table of contents

• Chapter 3: Administering TCP/IP
  • Configuring TCP/IP client services
    • The Client Manager interface
    • Configuring a DNS client
    • Configuring the /etc/hosts file
    • Configuring a default route
    • Configuring name service resolution order
    • Configuring an NTP client
    • Deleting a client service
    • Using network tools
  • Setting interface parameters
  • Creating subnets
  • Establishing user equivalence
    • The User Equivalence Manager interface
      • Opening another user's equivalence file
      • Adding user equivalence
      • Selecting another host while adding equivalence
      • Deleting user equivalence
    • Using the Secure TCP (``Kerberized'') utilities
    • Protecting against IP address spoofing attacks
    • Protecting against SYN flood attacks
  • Setting up anonymous ftp
  • Adding or removing pseudo-ttys
  • Configuring UUCP over TCP/IP
    • Configuring UUCP over TCP/IP with the TCP socket interface
    • Configuring UUCP over TCP/IP with TLI
  • Obtaining RFCs from the Internet
  • Troubleshooting TCP/IP
    • Verifying the presence of TCP/IP interfaces
    • Verifying local network connectivity
    • Verifying remote network connectivity
    • Troubleshooting problems with netstat
      • Flushing phantom connections
      • Troubleshooting packet errors
      • Monitoring streams usage
      • Verifying correct routing behavior
    • Logging troubleshooting information

Chapter 3

Administering TCP/IP

• ``Configuring TCP/IP client services'' using the Client Manager.

• ``Setting interface parameters'' to directly change the netmask, broadcast address, and IP address used at boot time.

• ``Creating subnets'' to allow several local networks to appear as a single Internet network to off-site hosts.

• ``Establishing user equivalence'' to enable users to log into their accounts on the local host from remote hosts without a password.

• ``Using the Secure TCP (``Kerberized'') utilities'' to provide Kerberos Version 5 authentication for the ftp(TC), rcmd(TC), rcp(TC), rlogin(TC), and telnet(TC) utilities for SCO OpenServer systems within an existing Kerberos Version 5 realm or DCE cell.

• ``Setting up anonymous ftp'' to enable users without accounts on the local system to transfer files via ftp to and from specified areas of your filesystem.

• ``Adding or removing pseudo-ttys'' to increase the number of pseudo-ttys available for use by rlogin, telnet, and other programs.
  

• ``Configuring UUCP over TCP/IP'' to enable file and mail transfer between two hosts that may not be running ftpd, rshd, and smtpd.

• ``Obtaining RFCs from the Internet'' to obtain additional information on TCP/IP protocols and applications from sources on the Internet.

• ``Troubleshooting TCP/IP'' to reduce or eliminate TCP/IP errors.

For information on tuning your system for increased TCP/IP performance, refer to ``Tuning TCP/IP performance'' in the Performance Guide.

Configuring TCP/IP client services

The Client Manager allows you to set up a host as a client of several TCP/IP networking services. With the Client Manager, you can:

• Configure name service using one or more of these methods:

  • Domain Name System (DNS)

  • the /etc/hosts file

• Configure a default route to a network gateway.

• Configure the order in which the configured name services will be tried when the client wants to resolve domain names and IP addresses.

• Configure a Network Time Protocol (NTP) client

See also:

• Chapter 5, ``Configuring Internet Protocol (IP) routing''

• Chapter 6, ``Configuring the Domain Name Service''

• Chapter 18, ``Configuring the Network Time Protocol (NTP)''

Start the Network Configuration Manager in any of these ways:

• Double-click on the Client Manager icon in the Networks directory of the System Administration window on the Desktop.

• Start the SCOadmin launcher by entering scoadmin on the command line, selecting Networks, then selecting Client Manager.

• Enter scoadmin client manager on the command line (or abbreviate to scoadmin cli).

For convenience, the Client Manager displays the hostname and Internet domain name for the host being configured.

Configuring a DNS client

To configure a DNS client using the Client Manager:

1. If the host is not already configured as a DNS client, select Services → Add → DNS.

   If the host is already configured as a DNS client, click on DNS Client in the services listed, and then select Services → Modify.

2. Enter the following details for the host:

   Local domain

   The fully qualified name for the domain that the host is in, for example, mynet.COM. If you do not specify a domain search order, the domain name will be appended when looking up a name which does not contain a dot.

   Domain search order

   Enter a list of up to six domains that you want DNS to search if you specify a hostname without appending a domain name. For each domain you enter, click on Add to add it to the list. You should normally include the local domain in this list. DNS will search the domains for a hostname in the order that you specify them in the list.

   To change the position of a selected item in the list, click on Promote or Demote.

   Name server search order

   Enter a list of up to three DNS name servers, specified by their IP addresses, that the client can query. For each name server you enter, click on Add to add it to the list. If the host you are configuring is itself already configured as a DNS name server, place it at the top of the list by specifying it first using the loopback IP address (127.0.0.1). The resolver will query each name server in the order that you specify them in the list until it gets an answer.

   To change the position of a selected item in the list, click on Promote or Demote.

3. Click on OK to exit.

Configuring the /etc/hosts file

To configure name service on a client using the /etc/hosts file:

1. If the /etc/hosts file does not already exist, select Services → Add → Hosts database in the Client Manager.

   If the /etc/hosts file does already exist, click on /etc/hosts file in the services listed in the Client Manager, and then select Services → Modify.

2. To add an entry to the /etc/hosts file, click on Add, enter the IP address, hostname, and any alias names, then click on OK.

   To modify an entry in the /etc/hosts file, click on it in the list to select it, and then click on Modify. Click on OK to save your changes.

   To delete an entry in the /etc/hosts file, click on it in the list to select it, and then click on Delete.

3. Click on OK to exit.

Entries for the host, including the loopback address, cannot be modified to prevent accidental deletion.

Configuring a default route

To configure a default route using the Client Manager:

1. If a default route is not already configured, select Services → Add → Default route.

   If a default route is already configured, click on Default route in the services listed, and then select Services → Modify.

   To delete a default route, click on Default route in the services listed, and then select Services → Delete.

2. Enter the IP address of the gateway system (that is, the system to which network traffic is sent if your host does not have an explicit route for that traffic) providing the default route in the Gateway Address field.

   Enter any desired initial values for route metrics in the Default Route Options field. Available metrics are listed in the routed(ADMN) manual page, and must be entered as keyword and value inside double-quotes. For example:
   
   "-hopcount 1 -mtu 1500"

   Default route options can only be entered if a gateway address exists. It is not required to set default route options; if none are specified, no metrics are applied to the default route.

3. If the new default route configuration differs from the current runtime environment (that is, from values specified in /etc/default/tcp or set with the route command), you will be prompted to sychronize the new default values.

   In the Sync Route Info? screen, click on OK for the new default route to take effect when the Client Manager exits; click on Cancel for changes to take effect at the next TCP/IP restart.

   ---

   NOTE: Selecting the Add, Modify or Delete operations can result in the tcp(SFF) default configuration file (/etc/default/tcp) being out of synch with the current runtime environment.

   The runtime default route is not sychronized until the Client Manager exits.

   ---

4. Click on OK to exit default route configuration.

See also:

• route(ADMN)

• tcp(SFF)

• ``Default routes''

To configure the order of the name services that a client will use for resolving domain names and IP addresses:

1. Select Services → Name resolution order in the Client Manager.

2. Select a service from the Available services list, and click on Add to add it to the Configured services list.

   To remove a configured service, select it from the Configured services list, and click on Remove.

3. The list of configured services is in the order in which they will be tried when a client tries to resolve a hostname or IP address. If necessary, use Promote and Demote to change the order of the services. The default order is NIS, /etc/hosts, and DNS.

4. Click on OK to exit.

Some client applications may choose to ignore the specified order, and use their preferred method for name resolution instead.

Configuring an NTP client

To configure an NTP client using the Client Manager:

1. If the host is not already configured as an NTP client, select Services → Add → NTP.

   If the host is already configured as an NTP client, click on NTP client in the services listed, and then select Services → Modify.

2. Select how you want the client to behave:

   Listen for time broadcasts

   The client will listen passively for, and attempt to synchronize with, NTP packets being broadcast by time servers on the local network.

   Poll time servers for time

   The client will actively poll the listed time servers for the time, and attempt to synchronize with them.

   Enter the IP addresses or hostnames of each time server, and click on Add to add it to the list.

   Set clock at boot time

   If set to Yes, the client will attempt to synchronize its clock at boot time with the listed time servers. This is a ``step'' change rather than a gradual ``slewed'' change. If set to No, the client will not attempt to synchronize its clock at boot time.

3. Click on OK to exit.

Deleting a client service

To remove the configuration for a service using the Client Manager:

1. Click on the service to be removed from those listed, and then select Services → Delete.

2. Click on OK to confirm.

Using network tools

The Client Manager provides a graphical interface to the following commands:

• finger to find out information about a user.

• nslookup to find out an IP address from a hostname or a hostname from an IP address.

• ping to see if a host is alive.

• traceroute to trace the route taken by packets to reach a host.

• whois to look up a name in the Internet domain name directory service.

Finding information about a user

To find out more information about a user:

1. Select Tools → Finger in the Client Manager.

2. Enter the name of the user and click on Finger. To interrupt the query, click on Stop.

3. Click on Close to exit.

See also:

• finger(C)

Looking up a hostname or an IP address

To look up the IP address corresponding to a hostname, or the hostname corresponding to an IP address:

1. Select Tools → Host lookup in the Client Manager.

2. Enter the hostname or IP address of the host and click on Query. To interrupt the query, click on Stop.

3. Click on Close to exit.

See also:

• nslookup(TC)

Pinging other network hosts

To see if another network host is alive:

1. Select Tools → Ping in the Client Manager.

2. Enter the hostname or IP address of the host.

3. To change the interval in seconds between packets or the number of packets that will be sent, click on Options, change the default values and click on OK.

4. Click on Ping to start sending packets. To interrupt the sending of packets, click on Stop.

5. Click on Close to exit.

See also:

• ping(ADMN)

Tracing the route taken by network packets

To trace the route that network packets take to reach a host:

1. Select Tools → Trace route in the Client Manager.

2. Enter the hostname or IP address of the host.

3. To set various trace options, click on Options. To change the maximum time in seconds that your host will wait for a response, or to set the maximum number of hops before the trace will be terminated, click on Options, change the default values, and click on OK.

4. Click on Trace to start the trace. To interrupt the trace, click on Stop.

5. Click on Close to exit.

See also:

• traceroute(ADMN)

Looking up a name in the Internet domain name directory service

To find out more information about a domain, nameserver, or registrar that has an entry in the Internet domain name directory service:

1. Select Tools → Whois in the Client Manager.

2. Enter the name you wish to search.

3. To change the whois server (default is rs.internic.net), click on Options, enter the new server name, and click on OK.

4. Click on Query to start the query. To interrupt the query, click on Stop.

5. Click on Close to exit.

See also:

• whois(TC)

All network interface drivers, including the loopback interface, require that their host addresses be defined at boot time. This is done with ifconfig(ADMN) commands included in the /etc/tcp shell script. These commands are initially set up based on information you supply during the installation, or during configuration with the Network Configuration Manager.

ifconfig(ADMN) also sets the netmask, broadcast address, and IP address at boot time. You can change any of this information:

• by running the Network Configuration Manager to reconfigure TCP/IP.

• by editing /etc/tcp to include the desired information.

• by running ifconfig and its counterpart, inconfig, from the command line. Refer to Appendix C, ``Configuring TCP/IP tunable parameters'' in the Performance Guide for more information.

Using the Network Configuration Manager, while intuitive, can take longer than editing the file, especially when you are:

• changing the netmask and broadcast address to make provisions for a subnet.
  
  
  

• changing the broadcast address scheme.

• changing the IP address of the interface.

To edit /etc/tcp:

1. Log onto the system as root.

2. Make a backup of /etc/tcp:
   
   
   cp /etc/tcp /etc/tcp.00

3. Edit /etc/tcp to include the desired information on lines beginning with ifconfig.

4. Shut the system down and reboot it by using the System Shutdown Manager as described in the SCO OpenServer Handbook. Remember to select Reboot after shutdown when using the manager.

5. After the system reboots and returns to multiuser mode, test TCP/IP by using ping(ADMN) to contact another host.

In TCP/IP, the DARPA Internet support includes the concept of the subnet, sometimes called a subnetwork. This is a mechanism that enables several local networks to appear as a single Internet network to off-site hosts. You should consider using subnets in the following instances:

• When you want to hide the local network topology to the outside world. Using subnets requires only a single route to external gateways.

• When you want the ability to administer IP addresses locally. For example, a company may have an engineering subnet, a product marketing subnet, and a sales subnet, each administered by a different administrator who has control of IP addresses in a given range.

• When network bandwidth is limited due to cabling constraints. Setting up subnets, each separated by a gateway host, limits local subnet packets to those that are either destined for or sent from a local host. In this way, the overall network traffic each host on the subnet sees is lessened.

Setting up a subnet consists of:

• determining the appropriate IP addresses for your subnets.

• configuring subnet hosts with the correct IP addresses and netmasks.

• configuring gateway hosts between subnets.

To set up subnet addresses, you must use a segment of the host portion of the IP address to use as the subnet address. For example, consider the following IP addresses and netmasks:

For class A and B networks, you can create subnets by converting the second and third octets, respectively, from host addresses to subnet addresses. Notice how the netmask changes accordingly:

The class A network 16 can now have up to 254 subnets (16.1 - 16.254). The class B network 10.0 can also have up to 254 subnets (10.0.1 - 10.0.254). While the netmask masks the network portion of the address, the broadcast address exposes the network address and hides the host portion. For example, the broadcast address for the subnet 10.0.246, with a netmask of 255.255.255.0, is 10.0.246.255.

For more information on setting netmask and broadcast addresses, see Appendix A, ``Configuration parameters'' in Configuring Network Connections.

Partitioning a class C address is slightly more complex, as you must take a portion of the fourth octet as the subnetwork. For example, you might partition the first three (high order) bits of the fourth octet to represent the subnetwork, with the last five bits representing the host:

This scheme allows for up to 6 subnets of 30 hosts each, for a total of 180 hosts. The netmask for the hosts on these subnets is 255.255.255.224; 224 is a decimal representation of the binary octet 11100000, which masks the subnet portion of the IP address.

Possible subnets for the class C network 221.138.62.0, with associated broadcast addresses, are:

 ----------------------------------------------------
 Subnet           Hosts       Broadcast address
 ----------------------------------------------------
 221.138.62.32    .33-.62     221.138.62.63
 221.138.62.64    .65-.94     221.138.62.95
 221.138.62.96    .97-.126    221.138.62.127
 221.138.62.128   .129-.158   221.138.62.159
 221.138.62.160   .161-.190   221.138.62.191
 221.138.62.192   .193-.222   221.138.62.223

User equivalence allows a user to use rlogin to log in to an equivalent account on another host without entering a password. SCOadmin managers require this equivalence to allow you to manage other systems over the network. You can establish user equivalence between:

• individual remote/local account pairs by using the User Equivalence Manager to alter a user's $HOME/.rhosts file to add the remote host and account.

• a remote account and all local accounts except root (and other non-individual accounts such as bin), by editing /etc/hosts.equiv to add the remote host and account.

• all accounts on a remote host and all local accounts except root (and other non-individual accounts) by editing /etc/hosts.equiv to add only the remote host name.
  
  

If there are entries in both .rhosts and /etc/hosts.equiv for the same host or host/account combination, then the entry from /etc/hosts.equiv determines the extent of user equivalence. For more information, see the manual page for rhosts(SFF).

The User Equivalence Manager interface

You can start the User Equivalence Manager in any of these ways:

• Double-click on System Administration on the Desktop, then on Networks, then on User Equivalence Manager.

• Start the SCOadmin launcher by entering scoadmin on the command line, then select Networks, then select User Equivalence Manager.

• Enter scoadmin User Equivalence Manager on the command line.

The User Equivalence Manager's top level and menus are illustrated here:

With the User Equivalence Manager, you can:

• Add user equivalence between account(s) on a remote host and an account on the local host.

• Delete previously configured equivalence.

• If logged on as root, open a different user's equivalence file to add or delete equivalence.

You can also perform each of these tasks manually. See the manual page for rhosts(SFF) for more information.

Opening another user's equivalence file

Only root can open another user's equivalence file. To do so in the User Equivalence Manager:

1. Choose Open from the File menu. A list of user names appears.

2. Select a user in one of two ways:

   • Select a user from the list and click on OK.

   • Enter a user name in the ``Selection'' field and click on OK.

   To limit the list to those users matching a certain pattern, enter the pattern (including wildcard characters) in the ``Filter'' field, then click on Filter. You can then make your selection from the list and click on OK.

In the User Equivalence Manager:

1. Select Add Equivalence from the User menu, or click on the add a new equivalence entry toolbar button.

2. Enter the host name of the remote host. To select a host from a list of networked hosts, click on the Select button. This may take up to a minute on a network with many hosts.

3. Enter a user name.
   

4. Click on the OK button.

   • If the host name you entered is not known to the name service or is not found in /etc/hosts, a warning appears. You can choose to add the equivalence anyway or to cancel and enter a new machine name. This warning may be caused by entering a host name that is not fully qualified. If you need to reenter the name, try entering it as a fully qualified name.

   • If the host name is known, the new equivalence appears on the list.
   
   

5. Continue adding equivalences by repeating steps 1 through 4.

6. When you are finished, select Save from the File menu. If you do not save the file, either now or when leaving the User Equivalence Manager, the additions you make are not saved.

You specify a remote host when adding user equivalence. To select a host name from a list of available networked hosts:

1. Click on the Select button On the Add a user window.

2. Select a host name by one of the following means:

   • Choose a host name from the list and click on OK.

   • Enter the host name in the ``Selection'' field and click on OK.

   To limit the list to those hosts matching a certain pattern, enter the pattern (including wildcard characters) in the ``Filter'' field, then click on Filter. You can then make your selection from the list and click on OK.

You can sort the list by name or address. To do so, click on the appropriate radio button.

Deleting user equivalence

In the User Equivalence Manager:

1. Select the equivalence you want to delete from the list.

2. Select Delete equivalence from the User menu, or click on the delete the selected equivalence entry toolbar button.

3. When prompted, click on Yes to confirm the deletion.

4. Repeat steps 1 through 3 for each equivalence you want to delete.

5. When done deleting equivalences, select Save from the File menu. If you do not save the file, either now or when prompted by the User Equivalence Manager, the deletions you make are not saved.

This release includes Secure TCP versions







(providing Kerberos Version 5 authentication) of the following client utilities and server daemons:

 ---------------------------------------------------------------
 Client utilities           Server daemon
 ---------------------------------------------------------------
 ftp(TC)                    ftpd(ADMN)
 rcmd(TC) and rcp(TC)       rshd(ADMN)
 rlogin(TC)                 rlogind(ADMN)
 telnet(TC)                 telnetd(ADMN)

Configuring the Secure TCP utilities

To use these utilities with Kerberos Version 5 authentication, you must first define the users (interactive principals) and host systems (machine principals) on the Security Server(s) for the Kerberos realm or DCE cell where they are to operate:

1. If you are using SCO Security Services, the cell administrator (authentication principal) must use the SCO Distributed Administration Service Security Manager or rgy_edit to add a registry object
   for each interactive and machine principal to /.:/sec/principal in the local cell. See the secadmin(ADMD) and rgy_edit(8sec) manual pages for more information.
   
   Machine principals must be added to the host subhierarchy. For example, the machine principal corresponding to the host foo in the domain bar.com would be:
   
   /.:/sec/principal/host/foo.bar.com

   
   Interactive principals may be added directly to the /.:/sec/principal hierarchy. Create passwords in the account properties of all new principals.

2. On each host where Secure TCP utilities or daemons are to be run, log in as root and run the auth.config(ADMN) command.

3. Use auth.config to
   
   
   
   define the DCE cell (or Kerberos realm) and fully qualified domain name of the Security Server that will be used to authenticate service requests. When asked for a host password for Secure TCP services, you can select a machine-generated password as you do not need to remember this password.
   

4. Use auth.config to choose the level of authentication required for access to the ftpd, rshd, rlogind and telnetd daemons. You can select to make authentication optional if some users require traditional unauthenticated access.

5. If users are required to use authenticated access, the access control
   
   file, .k5login (see k5login(SFF)), must exist in their home directories on the machine where the server daemon is running. This file contains the names and cells of principals that can access an account. For example, the entry ``chuck@local_cell'' specifies that the principal chuck in the cell (or realm) local_cell has access. Only the owner must have write permission on .k5login, and the owner must either be root or the user associated with the home directory.

Obtaining Kerberos session credentials

Before a user can use the Secure TCP utilities, they must obtain Kerberos session credentials. Because the current versions of login(M) and scologin(XC) do not support Kerberos authenticated login, there are two alternative methods by which a user may obtain these credentials:

• using kinit

• using ktadd and kinit

Obtaining session credentials using kinit

Log in locally using unauthenticated login and then obtain session credentials using
kinit(TC). The kinit command will authenticate the user's session with the Security Server and obtain a Ticket Granting Ticket for the user's session provided the user can supply the correct password for their interactive principal name. To monitor their credentials, the user must run the
ksession(TC) command which will warn when the credentials are about to expire. The user can also use the
klist(TC) command to view their credentials and their expiry date.

Obtaining session credentials using ktadd and kinit

To avoid the possibility that passwords can be transmitted in clear text, root can use the
ktadd(ADMN) command to create user keys on the various machines that different users are allowed to access. Alternatively a user can use ktadd to create a user key on each of the machines that they need to use.

For example, to obtain a user key for the interactive principal chuck with password ``clydenw'' for the cell local_cell, enter the following commands:

ktadd -p chuck@local_cell -pw clydenw -f ~chuck/.v5srvtab
chmod 600 ~chuck/.v5srvtab

This creates a private key table .v5srvtab


for chuck in their home directory and changes its permissions so only chuck and root can read from or write to this file. (Note that this example assumes that the shell being used is either ksh or csh.)

To use their private key table when obtaining session credentials, the user calls kinit from their .profile or .login file. This example also shows ksession being run to monitor chuck's credentials:

kinit -k -t ~chuck/.v5srvtab
ksession

For more information about using the SCO Security Services, see the SCO Security Services Release and Installation Notes. For more information about using the SCO DCE Executive, see the SCO DCE Executive Release and Installation Notes.

Protecting against IP address spoofing attacks

A random element has been introduced into how TCP chooses the initial send sequence number and its increment. This feature helps protect system from IP address attacks (also known as ``IP spoofing'').




You can use inconfig(ADMN) to seed the random number sequence

by setting the value of the TCP/IP parameter, tcp_secret. The value of tcp_secret can be set to any integer from 0 through 2147483647.

Another parameter, tcp_seqbits, selects the number of bits of tcp_secret that are used to seed the sequence number increment value. The default value of tcp_seqbits is 21; its minimum and maximum values are 16 and 26. The default value represents a compromise between security and the uniqueness of the sequence number. If the value of tcp_seqbits is small, this increases the possibility that an attacker can guess the random number. A large value for tcp_seqbits decreases the time before a given sequence number occurs again. See Appendix C, ``Configuring TCP/IP tunable parameters'' in the Performance Guide for more information.

Protecting against SYN flood attacks

A ``SYN flood'' is a Denial of Service attack that takes advantage of the TCP ``three way handshake'' protocol. A SYN is a type of TCP packet sent to initiate a connection with a listening TCP port. The port responds with a SYN/ACK to the initiating port, and places the SYN packet in a partial connections queue. When a corresponding ACK packet is received on the listening port, the validated SYN packet is removed from the partial connections queue and an entry is placed in the established connection queue awaiting a socket connection.

A SYN flood occurs when one or more listening TCP ports are sent large numbers of SYN packets. Such attacks could take various forms, most of which do not adversely affect the attacked system. However, the most potentially harmful attack sends SYN packets in which the client address refers to a system which does not exist. In this case, SYN packets remain in the TCP partial connection queue for each listening port that is attacked, unable to complete because the SYN/ACK cannot be routed to a bogus address. If the queues are too small and packets awaiting response remain on the queues, the TCP stack refuses to accept any connections until the bogus packets have timed out.

You can control the size of the TCP queues by setting the tcp_q0limit parameter with the inconfig(ADMN) command. When tcp_q0limit is set to a value greater than 0:

• The TCP partial connection queue for each listening port is set to the number of connections you specify. It should be considerably greater than 1, sufficient to handle normal connection requests (including packets lost under normal conditions) with a margin of safety to guard against attack. A normal tcp_q0limit setting is expected to be in the range 100-1000, depending on system usage.
  

• The stack randomly drops existing uncompleted partial connections when the number of connections value is exceeded; in the case of an attack, most of these packets will be bogus.

• If a pending SYN request is dropped, the connection is terminated and the client is notified.

You can safely raise the tcp_q0limit value during an attack.

In the event of an attack, you should ensure that legitimate requests remain in a queue long enough to receive responses and get passed to the established connections queue. The higher the tcp_q0limit value, the less likely legitimate packets will be dropped. However, low-speed or high-latency links increase the time a packet must wait in a queue for response, and slower connections will be at greater risk during an attack.

To estimate a prudent value for tcp_q0limit, you can calculate ``attacks per turnaround''; that is, a function of the rate of attack (bogus SYN packets received per second) and the time required for a legitimate SYN packet to receive a response. You can measure the rate of attack with a packet sniffer. You can estimate the response time by collecting a representative sample of legitimate addresses and sending ping packets to each (SYN/ACK turnaround is probably quicker than ping turnaround given their higher priority of transmission). This will tell you the ``survival rate'' of a client's connection at a given tcp_q0limit value.

If S is the attack rate in packets/millisecond, T is the turnaround time of a particular client in milliseconds, and Q is the value of tcp_q0limit, the survival rate of the client's connection can be calculated as:

R1, survival rate during a single attack = ((Q - 1) / Q)
A, attacks during turnaround = T * S
R, survival rate = R1 ^ A = ((Q - 1) / Q) ^ (T * S)

For example, if bogus SYN packets arrive at a rate of 2000/second or S = 2/millisecond, and a particular client's turnaround T is 300ms, 600 attacks (A = S * T) arrive while that client's connection is partially open. If tcp_q0limit is set to Q = 450, the survival rate would be:

R1 = ((450 - 1) / 450) = 0.9978
R = ((450 - 1) / 450) ^ 600 = 0.2632

or about 26.3%. Increasing tcp_q0limit to 900 would yield:

R1 = ((900 - 1) / 900) = 0.9989
R = ((900 - 1) / 900) ^ 600 = 0.5132

or about 51.3%.

The memory costs of these values depend on the number of listening ports configured. At least 800 bytes are allocated for each partial connection, so the memory consumption = tcp_q0limit value * number of ports * 800. If in this example you had 100 listening ports configured, setting tcp_q0limit to 450 would consume 36MB of memory, while increasing it to 900 would consume 72MB. Note that:

• These memory usage figures reflect upper limits that apply only during an active SYN flood attack.

• Actual attack and turnaround rates can vary dynamically.

• Some packets are lost during normal operation.

• Configuring a firewall to protect ports that are reserved for local connections and limit access for remote clients will also decrease your vulnerability.

For more information, see ``Using inconfig to change global TCP/IP parameters'' and ``Transmission Control Protocol (TCP) parameters'' in the Performance Guide. RFC 793 describes the TCP protocol; see ``Obtaining RFCs from the Internet''.

Setting up anonymous ftp

The ftp server included in the system provides support for an anonymous ftp account. Because of the inherent security problems with such a facility, you should read this section carefully if you want to provide such a service.

When a client accesses the anonymous ftp account, a chroot(ADM) system call is performed by the server to restrict the client from moving outside that part of the filesystem where the ftp home directory is located. Because a chroot call is used, certain programs and files used by the server process must be placed in the ftp home directory as shown in the following procedure:

1. If the directory (or a link) called /usr/internet/ip/0.0.0.0/sco_ftp exists on the system, remove it or rename it (such as sco_ftp-). (If the directory does not exist, create it.)
   
   

2. Create a user called ftp with the Account Manager. Do not set a password for the account. Most importantly, set the login shell to rsh(C) to deny access to the rest of the system.

3. Create a symbolic link to the ftp home directory as follows:
   
   ln -s homedir /usr/internet/ip/0.0.0.0/sco_ftp

   where homedir is the location of the home directory you specified when creating the ftp account.
   

4. Run the following to set up directories below ftp's home directory:
   
   
   
   
   
   cd ~ftp
   chmod 755 .; chown root .; chgrp root .
   mkdir bin dev etc lib pub usr usr/lib
   chown root bin etc dev lib usr usr/lib
   chmod 555 bin etc dev lib usr usr/lib
   chown ftp pub
   chmod 777 pub
   cd bin
   cp /bin/ls .
   chmod 111 ls
   cd ../etc
   cp /etc/passwd .
   cp /etc/group .
   chmod 444 passwd group
   cd ../lib
   cp /lib/libprot.so.1 .
   
   chmod 555 lib*
   chown bin lib*
   cd ../usr/lib
   cp /usr/lib/libc.so.1 .
   cp /usr/lib/libsocket.so.1 .
   chmod 555 lib*
   chown bin lib*
   cd ../..
   find /dev/socksys -print | cpio -dumpv ~ftp
   find /dev/zero -print | cpio -dumpv ~ftp

For example, you could edit the following line in ~/ftp/etc/passwd:

   root:UDOkW7PLd1/ZQ,..EI:0:3:Superuser:/:

   root::0:3:Superuser:/:

The ftp server provides a security loophole if certain user accounts are allowed. To prevent this, the file /etc/ftpusers is checked on each connection. If the requested user name is located in the file, the request for service is denied. This file should be owned by root in the sys group, have permissions set to 444, and contain at least the following names:

   uucp
   root

See also:

• ftpd(ADMN)

• ftpaccess(SFF)

• ftpusers(SFF)

When you install TCP/IP, the Network Configuration Manager prompts you to modify the number of pseudo-ttys configured on your system. These pseudo-ttys enable users on other hosts to use telnet or rlogin to access your host. The default, 32, is adequate for situations in which several (2-10) users access your system simultaneously. You need to add pseudo-ttys if:

• you configure another networking service, such as PC-Interface, which also uses pseudo-ttys.

• your system functions as a terminal server to many users and rlogin and telnet begin to fail.

1. Log in as root.

2. Run the Hardware/Kernel Manager.

3. Select Pseudo-ttys from the list and click on the Configure Driver button.

4. Enter 1 to add pseudo-ttys, 2 to delete pseudo-ttys, or 3 to view the current number of pseudo-ttys configured.
   

5. When done, enter q to quit.

6. If you added or deleted pseudo-ttys, click on the Relink Kernel button and click on Relink to confirm. See ``Relinking the kernel'' in the SCO OpenServer Handbook for more information.

   ---

   NOTE: If you do not relink the kernel now, the changes you made do not take place, and you must then relink at a later time to effect the changes.

   ---

7. Exit the Hardware/Kernel Manager.

8. Shut the system down and reboot it by using the System Shutdown Manager as described in the SCO OpenServer Handbook. Remember to select Reboot after shutdown when using the manager.

There are several reasons you may wish to configure UUCP over TCP/IP. Some sites do not provide ftpd or rshd servers and/or their respective clients, ftp and rcp. Thus transferring files across a TCP/IP network is not an option with these systems. Additionally, some versions of TCP/IP do not provide the Simple Mail Transfer Protocol, SMTP, for mail transfer. In these cases, setting up UUCP to use TCP/IP may be an option to allow both file transfer and exchange of mail between such systems.

In the following paragraphs, the word ``client'' refers to a system that executes the uucp or uux command, while the term ``server'' or ``listener'' refers to a system that responds to a request from a client system.

There are two approaches to configuring UUCP over TCP/IP: the TCP socket interface and TLI/XTI (Transport Layer Interface and X/Open Transport Interface).

TCP socket interface

The server system uses the inetd superserver to listen for incoming uucp requests on TCP port 540. When receiving a request from a client uucico process, the server system forks the uucpd daemon, which logs in the client with the shell uucico. The two uucico processes can then transfer information similar to the way they would in a standard serial line configuration.

TLI/XTI

The server system uses a process called listen to wait for requests from a predefined TCP port and then when receiving a request, forks a uucico process directly, bypassing the standard UUCP login sequence.

Configuring UUCP over TCP/IP with the TCP socket interface

The following steps demonstrate how to configure UUCP over TCP/IP using the TCP socket interface between the systems london and thames.

1. 
   On both systems, verify that the file /etc/inetd.conf contains the following line (with no ``#'' character at the beginning of the line):

      uucp    stream tcp      nowait  NOLUID  /etc/uucpd uucpd
   

   ---

   NOTE: If the system you are configuring is running SCO TCP/IP Release 1.1.3, replace ``NOLUID'' with ``root'' in the above line.

   ---

   Should the program /etc/uucpd not exist, execute the following commands as root:
   
   ln /usr/lib/uucp/uucpd /etc/uucpd
   chmod 755 /etc/uucpd

2. Verify that the following line is in the /etc/services file on both systems:
   
   

      uucp    540/tcp         uucpd           # uucp daemon
   

3. 
   Verify the configuration of the nuucp account on each host. Make sure that the shell of this account is /usr/lib/uucp/uucico, and that the account has a password on both hosts. You will probably have to set a password for the nuucp account. Use the Account Manager to confirm the account information and set a password.

4. 
   Add the following line to the file /usr/lib/uucp/Systems on london:

      thames Any TCP,e Any - ogin: nuucp word: password
   

   where password is the password of the nuucp account on thames.
   

5. Add the following line to the file /usr/lib/uucp/Systems on thames:

      london Any TCP,e Any - ogin: nuucp word: password
   

   where password is the password of the nuucp account on london.
   

6. Verify that the /usr/lib/uucp/Permissions file on london has the following entry:

      MACHINE=thames LOGNAME=nuucp \
              COMMANDS=rmail:rnews:uucp \
              READ=/usr/spool/uucppublic:/usr/tmp \
              WRITE=/usr/spool/uucppublic:/usr/tmp \
              SENDFILES=yes REQUEST=yes
   

7. Verify that the /usr/lib/uucp/Permissions file on thames has the following entry:

      MACHINE=london LOGNAME=nuucp \
              COMMANDS=rmail:rnews:uucp \
              READ=/usr/spool/uucppublic:/usr/tmp \
              WRITE=/usr/spool/uucppublic:/usr/tmp \
              SENDFILES=yes REQUEST=yes
   

8. 
   Add the following line to /usr/lib/uucp/Devices on both hosts:

      TCP,e TCP       -       Any     TCP     540
   

9. Verify that both systems are in the other's /etc/hosts file or resolvable by a name server.

10. If you needed to change anything in step 1, shutdown and reboot the systems on which you made the changes. UUCP should then work as expected between the two systems. Each system should be able to issue requests for the opposite system.

    Note that if you alter /etc/inetd.conf while the system is running, you should force inetd to reread the configuration file by entering the following command:
    
    kill -1 'cat /etc/inetd.pid'

    If you fail to make inetd restart before trying to contact it, the contacting host may give a ``Connection refused'' error.

Configuring UUCP over TCP/IP with TLI

The following steps demonstrate how to configure UUCP over TCP/IP using TLI between the systems london and thames. The example shown by the following procedure is a configuration where the host london initiates all UUCP requests, while the host thames listens and responds to all requests. If you want both hosts to be able to use the uucp command to initiate a UUCP transaction, repeat this procedure on each host, exchanging host names where appropriate.

1. Pick a TCP port on which thames will listen for incoming UUCP requests. The sample following procedure uses port 698. The port
   chosen should not already appear in the /etc/services file and should not be port 540.

2. Determine the address on which thames will listen for requests. This number is the representation of a sockaddr_in structure
   as defined in the /usr/include/sys/netinet/in.h header file. This number is a 16-byte number and needs to be constructed both in hexadecimal and in octal. Use of the bc(C) command is helpful here. To construct the number in hexadecimal, note that:

   • The first byte represents the address family. This is
     always AF_INET, or 02, as defined in the header file /usr/include/sys/socket.h.
     

   • The second byte is always 00.

   • The third and fourth bytes are the hexadecimal representation of the port on which thames listens for UUCP requests. In our case, decimal 698 equals 2ba in hexadecimal, hence the third byte is 02, and the fourth byte is ba.

   • The fifth, sixth, seventh, and eighth bytes represent the hexadecimal equivalent of each octet of the IP number of thames. If the IP number of thames is 10.0.118.3, then the fifth, sixth, seventh, and eighth bytes are 84, 93, 76, and 03, respectively.

   • The last eight bytes are all 00.

   • Putting it all together, the address constructed is:

        02 00 02 ba 84 93 76 03 00 00 00 00 00 00 00 00
     

     for a total of 16 bytes.

   • To create the octal representation of the address, convert each hexadecimal byte above into octal:

        \002\000\002\272\204\223\166\003\000\000\000\000\000\000\000\000
     

   
   

3. 
   Set up the Network Listening Service on thames:

   a.

   As root, enter:
   
   
   nlsadmin -i inet/tcp

   This creates the directory /usr/net/nls/inet/tcp and allows us to add services that listen on the device
   /dev/inet/tcp.

   b.

   Enter on one line:
   
   nlsadmin -a 101 -c "/usr/lib/uucp/uucico -r0 -iTLI -unuucp"
   -w uucp -y "TLI UUCP" inet/tcp

   This adds service number 101, which executes the command /usr/lib/uucp/uucico -r0 -iTLI -unuucp as the user uucp, when a request for service number 101 is received on the device /dev/inet/tcp.

   The options and arguments to nlsadmin are:

   -a 101

   Add a service with label 101 (service code).

   -c "command"

   Fork the command in quotes.

   -w uucp

   Enter the command given in the -c option as the user uucp.

   -y "TLI UUCP"

   Add a comment.

   inet/tcp

   Specify that this service is to listen on /dev/inet/tcp. This step requires that the command in step 3a has already been executed.

   The options to the uucico command in the -c option of nlsadmin are:

   -r0

   Act in slave mode.

   -iTLI

   Use the TLI interface.

   -u nuucp

   Start up as the user nuucp. This is different from the -w option in the nlsadmin command.

   c.

   Enter the command:
   
   nlsadmin -l "\x020002ba849376030000000000000000" inet/tcp

   This is the hexadecimal representation of the address constructed in step 2.

4. Add the following line to /usr/lib/uucp/Systems on thames:

      london Never TLI,e Any
   

   If this line for london has already been added for TLI so that thames can initiate a connection, make no changes to the /usr/lib/uucp/Systems file.
   

5. Add the following set of lines to /usr/lib/uucp/Permissions on thames:

      MACHINE=london LOGNAME=nuucp \
              COMMANDS=rmail:rnews:uucp \
              READ=/usr/spool/uucppublic:/usr/tmp \
              WRITE=/usr/spool/uucppublic:/usr/tmp \
              SENDFILES=yes REQUEST=yes
   

6. Add the following line to the /usr/lib/uucp/Systems file on london:

      thames Any TLI,e Any address
   

   where address is the octal representation of the address constructed in step 2. Thus the line to add is:
   

      thames Any TLI,e Any \002\000\002\272\204\223\166\003
              \000\000\000\000\000\000\000\000
   

   This should all be on one line. The backslashes surrounding each octal byte are required.

7. Add the following line to the /usr/lib/uucp/Devices file on london:

      TLI inet/tcp - Any TLI \D nls
   

8. Add the following line to the /usr/lib/uucp/Dialers file on london:
   

      nls "" "" NLPS:000:001:101\N\c
   

   Note that the ``101'' specified here matches the service code added with nlsadmin -a in step 3b.

9. Add the following lines to the /usr/lib/uucp/Permissions file on london:

      MACHINE=thames LOGNAME=nuucp \
              COMMANDS=rmail:rnews:uucp \
              READ=/usr/spool/uucppublic:/usr/tmp \
              WRITE=/usr/spool/uucppublic:/usr/tmp \
              SENDFILES=yes REQUEST=yes
   

10. Verify that each host is listed in the other's /etc/hosts file or resolvable by the nameserver. Add the following lines to the
    end of the file /etc/rc2.d/P87USRDAEMON on thames, so that the listener is started when the system is booted:

       nlsadmin -s inet/tcp 2>/dev/null
       [ $? = 0 ] && echo "Started listener"
    

11. Shut down and reboot both systems. Verify that the process called ``listen'' is running on thames. You should now be able to issue uucp requests for thames from london.

SCO TCP/IP and other manual pages frequently cite appropriate RFCs (Requests for Comments). RFCs can be obtained from InterNIC Information Services in the following ways:

• Paper copies of all RFCs are available. For more information contact info@is.internic.net or call 1-800-444-4345 in the United States.

• Online copies are available via FTP from ftp.ds.internic.net as rfc/rfcN.txt or rfc/rfcN.ps for the PostScript version (N is the RFC number without leading zeroes).

• Additionally, RFCs may be requested through electronic mail from the InterNIC automated mail server by sending a message to mailserv@ds.internic.net. In the body of the message, indicate the RFC to be sent, for example:

     document-by-name rfcN
  

  where NNNN is the number of the RFC. For RFCs in PostScript format, specify the extension, for example:

     document-by-name rfcNNNN.ps
  

  Multiple requests can be sent in a single message by specifying each request on a separate line. The RFC index can be requested by entering:

     document-by-name rfc-index
  

From time to time, you will encounter problems using your network. The following general procedure can help solve most problems and points to additional documentation for help.

To troubleshoot the most common TCP/IP problems:

1. Run the netstat command to verify the presence of TCP/IP interfaces.

2. Use ping to verify stack configuration and local connectivity.

3. Use ping to verify connectivity to remote networks.

4. Use netstat to track down abnormal network behavior.

5. Turn debugging on for TCP/IP server daemons.

• ``Troubleshooting DNS''

• ``Troubleshooting IP routing''

• Chapter 13, ``Testing connectivity with other sites''

• ``Troubleshooting NTP''

• ``Troubleshooting PPP''

• ``Troubleshooting SLIP''

Use the netstat -i command to see which interfaces are currently configured. You should see the loopback interface, plus one interface for each networking card or serial line interface on your system. When viewing the results of netstat -i:

• If you do not see the loopback interface, reconfigure the TCP/IP stack with the Network Configuration Manager.

• If you do not see a networking card that you know exists on your system, reconfigure the card with the Network Configuration Manager.

The ping(ADMN) command sends TCP/IP packets to the desired destination and, if successful, returns packets to the sender. With ping, you can verify that the TCP/IP stack is configured correctly on the local host and that your system can reach others via configured interfaces. To verify connectivity:

• Enter ping localhost. This routes packets through the loopback mechanism, and should always succeed regardless of the state of your networking hardware or cabling. If it fails, use the Network Configuration Manager in Configuring Network Connections to reconfigure TCP/IP.

• Verify your network connections by using ping to try to contact one or more hosts on the local network that you know are running TCP/IP. For example, you might enter ping don.

• The command succeeds, and you see messages similar to:

     # ping don
     PING don (10.0.118.8): 56 data bytes
     64 bytes from don (10.0.118.8): icmp_seq=0 ttl=255 time=10 ms
     64 bytes from don (10.0.118.8): icmp_seq=1 ttl=255 time=10 ms
     64 bytes from don (10.0.118.8): icmp_seq=2 ttl=255 time=20 ms
     64 bytes from don (10.0.118.8): icmp_seq=3 ttl=255 time=10 ms
     64 bytes from don (10.0.118.8): icmp_seq=4 ttl=255 time=10 ms
     64 bytes from don (10.0.118.8): icmp_seq=5 ttl=255 time=20 ms
     64 bytes from don (10.0.118.8): icmp_seq=6 ttl=255 time=20 ms
     64 bytes from don (10.0.118.8): icmp_seq=7 ttl=255 time=10 ms
     64 bytes from don (10.0.118.8): icmp_seq=8 ttl=255 time=20 ms
     64 bytes from don (10.0.118.8): icmp_seq=9 ttl=255 time=20 ms
     
  
     --- don ping statistics ---
     10 packets transmitted, 10 packets received, 0% packet loss
     round-trip min/avg/max = 10/20/15 ms
  

• The command succeeds, but slowly and with packet loss. Check the network cabling on your system. On an Ethernet network, a loose cable tap or poorly placed power cable can result in severely deteriorated service.
  

• The command fails with the error message "hostname lookup failure". /etc/hosts may not have the correct permissions. Use the Software Manager's Verify feature to correct TCP/IP permissions problems.

  A hostname lookup failure may also indicate that a name server relied upon by your host is not running. Contact the administrator of the name server to verify that it is up and running, or see Chapter 6, ``Configuring the Domain Name Service'', for more information.

• The command hangs. You may need to fix interrupt conflicts or netmask/broadcast address problems.

  Use vectorsinuse(ADM) and hwconfig(C) to view the interrupt vectors already in use on your system. If your networking card's vector conflicts with that of another card, reconfigure your card with the Network Configuration Manager in Configuring Network Connections.

  Verify the netmask and broadcast address in use on your network by checking their values in /etc/tcp on another system. Look for a line or lines similar to the following:

     ifconfig net0 10.0.246.18 netmask 255.255.0.0  
     broadcast 10.0.255.255
  

  In this case, the network mask only masks the network portion of the address. Ensure that the values on your system match those of the other system, with the exception of the host portion of the interface address (in this case, 246.18).
  
  
  
  
  
  
  
  

If you can ping hosts on the local network, try to ping one remotely connected via a gateway:

• If ping returns an error indicating no route is available, you may need to reconfigure your routing tables. See Chapter 5, ``Configuring Internet Protocol (IP) routing'', and the manual page for route(ADMN) for more information.
  
  
  
  
  
  
  

• If ping fails completely, use traceroute(ADMN) to contact the remote host, and note where the failure occurs. If traceroute packets only reach a host within your network, you may need to perform troubleshooting on the last host reached. If they reach a destination outside your network, the problem is on the remote host. Contact the administrator of the remote host, if possible.

The netstat(TC) program is helpful in tracking down network malfunctions. In particular, use the following options:

• -a (active connections display), to view and remove phantom connections.

• -i (active interfaces display), to troubleshoot incoming and outgoing packet errors.

• -m (streams allocation), to check on streams failures.

• -r (routing tables), to verify the presence of needed routes.

Use the netstat -a command to display active connections and sockets. Look for phantom connections -- those that still appear as active in the display that were terminated abnormally. If many appear, your network may run slowly, and you may need to stop and restart TCP/IP to flush the connections.

Troubleshooting packet errors

The netstat -i command displays active interfaces (network card and serial interfaces) as well as statistics on:

Ipkts

input packets per interface

Ierrs

input errors per interface

Opkts

output packets per interface

Oerrs

output errors per interface

Coll

packet collisions detected

   Name  Mtu    Network       Address     Ipkts  Ierrs Opkts   Oerrs Coll
   net0  1500   10.0.118      don         1348   12    1854    23    65
   lo0   8232   loopback      localhost   4058   0     4058    0     0

If both Ipkts and Ierrs are zero, the connection to the network may be bad, the network card may be bad, or there may be an interrupt vector conflict. Verify network cabling, then check for interrupt conflicts by running hwconfig or vectorsinuse. If a conflict exists, use the Network Configuration Manager to reconfigure your card. If the cable and interrupt vectors check out, run any diagnostic tools supplied by the manufacturer of the networking card.

If Ipkts is zero, but Ierrs is nonzero, the network, cabling, or card may be bad, another host on the network may be generating bad packets, or the network may be incorrectly terminated.

If Opkts is zero and Oerrs is nonzero, there may be a conflict of I/O addresses on the system. If both are zero, the conflict may be in shared memory addresses. Verify the I/O and shared memory addresses of each card on your system, and reconfigure your networking card with other supported addresses if conflicts exist.

If Coll is high (greater than 1-2 percent of the Opkts total), your network is very busy. Consider breaking the network into multiple separate networks.

Monitoring streams usage

Use the netstat -m command to monitor streams usage. The display shows each type of buffer allocated; the number free, allocated, and configured; the number of failures per type; and other streams information.

Streams are dynamically allocated in this release of TCP/IP, so streams errors should be uncommon. However, if you notice streams failures and need to reconfigure streams allocation, do so by using configure(ADM).

Verifying correct routing behavior

The netstat -r command provides information about the usage of each route configured on your system. A route consists of a destination host or network and a network interface used to exchange packets. Direct routes are created for each interface attached to the local host.

At a minimum, your routing table should display entries for the loopback mechanism (localhost), the local network, the local hostname, and the IP Multicasting route, 224. The following is a typical display:

   Routing tables
   Destination     Gateway         Flags     Refs     Use   Interface
   localhost       localhost       UH        24       66    lo0
   10.0.118        nile            UC        1        0     net0
   nile            localhost       UGHS      3        36    lo0
   224             nile            UCS       0        0     net0

Destination

Network or host to which this route allows you to connect.

Gateway

Name of the gateway you configured for this route. If you are directly connected, this is a local address. Otherwise, it is the name of the host through which packets must be routed.

Flags

State of the route. For a complete list, refer to the manual page for route(ADMN). Common states are:

C

cloning -- new routes are derived from this route

G

a route to a gateway

H

a route to a host

N

a route to a network

S

static

U

up

Refs

Current number of active connections using the route. Connection-oriented protocols normally hold on to a single route for the duration of the connection, while connectionless protocols obtain a route, then discard it as needed.

Use

Current number of packets sent using this route.

Interface

Name of the physical network interface to begin the route.

Most of the server daemons started by /etc/inetd.conf accept a -d option forcing all sockets to be created with debugging turned on. With debugging on, activity is logged in /usr/adm/syslog. To enable logging:

1. Edit /etc/inetd.conf to add the -d option to each daemon you want to log.

2. Determine the process ID of inetd by entering the following command:
   
   cat /etc/inetd.pid

   The process ID of inetd appears.
   

3. Send a message to inetd to force it to reread /etc/inetd.conf:
   
   kill -1 inetd_pid

   inetd_pid is the process ID from step 2.