Providing Network Services


It is important to understand the role that processes play in providing network services in Mac OS X and how to provide more than one IP address per computer, a process known as multihoming. Now let's examine both the processes responsible for networking and adding more than one IP address.

Working With launchd

New in Mac OS X version 10.4 is launchd, which replaces init, the top-level master process (PID 1) found on most UNIX systems. As such, launchd is the parent process for most of the system daemons and manages most of the incoming network traffic.

The configuration files for launchd can be found in /System/Library/LaunchDaemons/ and are XML property lists. These property lists offer many new options for configuring a daemon that weren't available with xinetd. You can see numerous examples of different options in the launchd configuration directory, or open the Terminal and type man launchd and man launchd.plist to view the documentation. One thing worth noting is that xinetd is now started by launchd.

All of these configuration files are updated when you change the service setting in the Sharing preferences pane. Also, the configuration files are updated when you use the /sbin/service command, which allows you to start and stop services (for example, sudo service ftp start and sudo service ftp stop).

The launchd daemon listens to service requests and forwards the requests to the appropriate daemon. The following process illustrates how launchd works:


  1. At startup, launchd reads the configuration files from /System/Library/LaunchDaemons/. In addition to reading configuration files at startup, launchd can be signaled to start or stop other services via the launchctl program.

  2. launchd sets up listeners for the services that are enabled.

  3. Whenever a listener receives a service request from the network, it forwards the request to launchd.

  4. launchd forwards the request to the appropriate daemon.

For example, if launchd receives an FTP service request, it forwards the request to ftpd.

The configuration files for launchd (in /System/Library/LaunchDaemons/) map services to the executable that should be run to handle a request for a given service. If you enable FTP file sharing, the ftpd process is not started immediately. Instead, the configuration file is updated to reflect that launchd should listen for FTP requests, and when it receives one, it should launch ftpd to service the request. When the first FTP request arrives, launchd receives the request, then launches ftpd to handle it. In this way, launchd can keep the number of services running on a particular machine lower by launching only those that are requested by a client.

Note

The inetd, xinetd, and launchd processes have different configuration files. The inetd process uses one file, inetd.conf, to map a given service to its executable. All standard services that inetd handles are already listed in the file. The xinetd and launchd processes, on the other hand, use a separate configuration file for each service they provide. The /etc/xinetd.d folder contains configuration files for each of the services that xinetd handles, while the launchd configuration files are kept in /System/Library/LaunchDaemons/. When you enable FTP sharing, Mac OS X modifies the configuration file /System/Library/LaunchDaemons/ftp.plist.


launchd also reads configuration files from a number of other locations, for services that aren't provided by Apple. Some of the places launchd reads its configurations from include:

  • /System/Library/LaunchDaemons/

  • /System/Library/LaunchAgents/

  • /Library/LaunchDaemons/

  • /Library/LaunchAgents/

  • ~/Library/LaunchAgents/

Consult the man page (man launchd) for details regarding the purpose of each of these directories.
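The on-demand listeners described above are declared in each property list, so the directories just listed can be audited for network-facing jobs. The following script is an added example, not code from the book or from Apple: it reads the Sockets, SockServiceName, SockNodeName, Program, ProgramArguments and Disabled keys documented in man launchd.plist, and the sample property list and its example.ftpd label are constructed for illustration.

```python
import plistlib
from pathlib import Path

# Directories the page lists as launchd configuration locations.
LAUNCHD_DIRS = ["/System/Library/LaunchDaemons", "/System/Library/LaunchAgents",
                "/Library/LaunchDaemons", "/Library/LaunchAgents",
                "~/Library/LaunchAgents"]

# Constructed sample (not Apple's ftp.plist): an on-demand FTP job.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>example.ftpd</string>
  <key>Disabled</key><true/>
  <key>ProgramArguments</key><array><string>/usr/libexec/ftpd</string><string>-l</string></array>
  <key>inetdCompatibility</key><dict><key>Wait</key><false/></dict>
  <key>Sockets</key><dict><key>Listeners</key><dict>
    <key>SockServiceName</key><string>ftp</string>
  </dict></dict>
</dict></plist>"""

def listeners(plist_bytes):
    """Return one record per socket launchd would open for this job."""
    job = plistlib.loads(plist_bytes)
    program = job.get("Program") or (job.get("ProgramArguments") or ["?"])[0]
    found = []
    for spec in job.get("Sockets", {}).values():
        # A socket entry is either one dict or an array of dicts.
        for sock in spec if isinstance(spec, list) else [spec]:
            found.append({
                "label": job.get("Label", "?"), "program": program,
                "service": str(sock.get("SockServiceName", "?")),
                # "*" = no SockNodeName, so not pinned to one address
                "bind": sock.get("SockNodeName", "*"),
                "enabled": not job.get("Disabled", False)})
    return found

def audit(dirs=LAUNCHD_DIRS):
    """Scan the launchd directories, skipping files that fail to parse."""
    rows = []
    for d in dirs:
        for path in sorted(Path(d).expanduser().glob("*.plist")):
            try:
                rows += listeners(path.read_bytes())
            except Exception:
                continue
    return rows

if __name__ == "__main__":
    print(listeners(SAMPLE) + audit())
```

The enabled field reflects only the Disabled key stored in the file itself. A job that binds to "*" on a multihomed host answers on every configured address.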

Comparing xinetd and inetd

Although used much less in Mac OS X v10.4, the xinetd process is sometimes referred to as the super server. This process, which is a secure replacement for inetd, replaces and extends the capabilities of TCP wrappers and cohabit combined. However, because xinetd does not handle RPC services very well, both inetd and xinetd are included with Mac OS X and both of them can successfully coexist.

The xinetd process does the exact same things as inetd with the added security benefits of:

  • Access control based on source address, destination address, and time

  • Extensive logging (system.log)

  • Efficient containment of Denial of Service attacks

  • Ability to bind services to specific interfaces

Note

The configuration files for xinetd are located in /etc/xinetd.d/.


Multihoming

According to RFC 1122, a multihomed host has multiple IP addresses, which you can think of as logical interfaces. These logical interfaces might be associated with one or more physical interfaces, and these physical interfaces might be connected to the same or different networks.

As many as 64 IPs can be associated with a single interface. An effective use of multihoming is in conjunction with port forwarding. If you have one firewall server but want to provide two separate AFP services, you use multihoming to assign two IP addresses to the same interface and forward requests to each of the IP addresses to different internal servers.

Another example of multihoming is a system configured for both AirPort and Built-in Ethernet at the same time. This system, shown in the following figure, has more than one IP address.

To assign different IP addresses to the same interface:

  1. Open the Network pane of System Preferences and select Network Port Configurations from the Show menu.

  2. Click New and create another configuration on the same interface.

  3. Fill in the information associated with this virtual interface and it will be bound to the same interface as the original configuration.

  4. Click Apply Now.

As it does with a single IP address defined on an interface, the xinetd process listens on multiple IP addresses defined on the same interface and passes service requests to the appropriate daemon.




Apple Training Series. Mac OS X System Administration Reference, Volume 1
ISBN: 032136984X
EAN: 2147483647
Year: 2005
Pages: 258
Authors: Schoun Regan
