Administering your TCP/IP network

This section explains how to stop and start TCP/IP, how to control which services are available through the Internet services daemon, inetd(1Mtcp), and how to tune TCP/IP.

Stopping and restarting TCP/IP

If you are a privileged user and need to stop and restart TCP/IP, shut down and reboot the system as described in ``Starting and stopping the system''.

NOTE: Networking daemons that use TCP/IP, such as inetd(1Mtcp), named(1Mtcp), routed(1Mtcp), gated(1Mtcp), xntpd(1Mtcp) and aasd(1Mtcp), can be individually restarted without stopping and restarting TCP/IP itself.

Changes to client configuration, for example, name resolution using the Client Manager, also do not require TCP/IP to be restarted.

Overview of TCP/IP startup and shutdown

WARNING: This description of how the system handles TCP/IP and its network interfaces is subject to change from release to release.

The system's LAN networking interfaces are initialized, TCP/IP configured over them, and TCP/IP services are started, when the system goes to multi-user state (state 2; see init(1M)). Following are the main steps in this process:

  1. The script /etc/rc2.d/S15nd is run to configure all the LAN networking interfaces that are currently present in the system.

  2. The script /etc/rc2.d/S69inet is run to configure TCP/IP. Much of this work is handled by the initialize command: The S69inet script next checks that inetd(1Mtcp) is running before exiting.

TCP/IP services are stopped, and the system's networking interfaces are taken down, when the system goes to states 0, 1, 5 or 6; for example, when it is shut down:

  1. The script /etc/rc2.d/K69inet is run to kill all the daemons listed in /etc/inet/config, and to tear down the TCP/IP stack.

  2. The script /etc/rc2.d/K85nd is run to shut down the networking interfaces.

Configuring TCP and UDP services

A request for service from a client process is handled by a daemon process running on a server. The client process may be running on the same system as the server process or the processes may be running on different systems that are connected via a network.

A TCP service requires the establishment of a long-term connection between a client and a server for the exchange of information. Applications that use the TCP protocol as their transport protocol can automatically take advantage of built-in reliability features such as flow control and retransmission.

A UDP service provides a simple one-time response by a server to a request from a client. The UDP protocol does not establish a connection and it does not check that a transmitted UDP datagram reaches its destination. Applications that use UDP for their transport protocol must implement reliability themselves if they require this.

The TCP and UDP services that your system knows about are defined in the /etc/inet/services file (see services(4tcp)).

Several TCP/IP service daemons are always configured to be running on your system because they are frequently used or because there is a large system performance overhead involved in starting them. An example is the network unicast routing daemon, routed(1Mtcp), which is configured to run via an entry in the /etc/inet/config configuration file (see config(4tcp)). Other daemons that are listed in this file, such as the Internet domain name server daemon, named(1Mtcp), and the Network Time Protocol (NTP) daemon, xntpd(1Mtcp), also require their own configuration file to be present in the appropriate location before they will run.

Other services may require several instances of a server daemon to be run to handle requests from different clients, or may be less frequently used so their continual presence on a system is not desirable for the sake of performance. Daemons for such services are usually started by the Internet services daemon, inetd(1Mtcp), which is itself started by the Service Access Facility (SAF). Examples are the File Transfer Protocol (FTP) daemon, ftpd(1Mtcp), and the remote login daemon, rlogind(1Mtcp). If inetd receives a request for a service on a TCP or UDP port on which it has been configured to listen, it responds by starting the appropriate service daemon or rejecting the request. The daemon processes that inetd can start are defined in the /etc/inet/inetd.conf file (see inetd.conf(4tcp)).

By default, inetd does not start Internet service daemons directly. Instead, it runs the TCP wrapper daemon, in.tcpd, which controls access to services by hosts. If the wrapper daemon decides that a host is permitted access, it invokes the service daemon. If it decides that a host is bogus, it can deny access and send a report of the incident to an administrator. See ``Configuring TCP Wrappers'' for more information.

The inetd.conf file contains two configuration lines for each Internet service daemon: one to start the daemon via in.tcpd, and the other to start the daemon directly. One or both entries for a service are commented out using a ``#'' character at the start of the line. If both entries are commented out, inetd will not start the service, provided that it has been told to read the file since you last changed it.

To make inetd re-read inetd.conf, send it a SIGHUP signal using the following command:

kill -HUP `cat /etc/saf/inetd/_pid`

or stop and restart it:

sacadm -k -p inetd
sacadm -s -p inetd

If you want to enable a service, remove the comment character from the start of the appropriate line in the pair of lines for the service, ensure that the other line is commented out, and then stop and restart inetd.

Similarly, if you want to disable a service, comment out both lines for the service, and then stop and restart inetd.

NOTE: Service daemons which can present a security risk, such as fingerd(1Mtcp) and tftpd(1Mtcp), are normally configured not to be run by inetd.
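
The pairing rule described above (one entry via in.tcpd, one direct, at most one of them active) can be checked mechanically. The following script is an added example, not part of the original documentation; it assumes the usual inetd.conf field order with the server program in the sixth field, and its sample entries and daemon paths are constructed for illustration.

```sh
# Constructed sample entries; daemon paths are illustrative (assumption).
sample_inetd_conf() {
    cat <<'EOF'
ftp stream tcp nowait root /usr/sbin/in.tcpd in.ftpd
#ftp stream tcp nowait root /usr/sbin/in.ftpd in.ftpd
#telnet stream tcp nowait root /usr/sbin/in.tcpd in.telnetd
telnet stream tcp nowait root /usr/sbin/in.telnetd in.telnetd
shell stream tcp nowait root /usr/sbin/in.tcpd in.rshd
shell stream tcp nowait root /usr/sbin/in.rshd in.rshd
#tftp dgram udp wait root /usr/sbin/in.tcpd in.tftpd
#tftp dgram udp wait root /usr/sbin/in.tftpd in.tftpd
#finger stream tcp nowait nobody /usr/sbin/in.tcpd in.fingerd
#finger stream tcp nowait nobody /usr/sbin/in.fingerd in.fingerd
EOF
}

# Print "service/proto status" for each service found in the named file
# (or on stdin). Status is wrapped, direct, both or disabled.
audit_inetd() {
    awk '
    {
        active = ($0 !~ /^[ \t]*#/)      # a commented-out entry is still an entry
        sub(/^[ \t]*#+[ \t]*/, "")       # drop the comment marker; awk re-splits $0
        if (NF < 6 || $2 !~ /^(stream|dgram)$/) next   # skip prose and blank lines
        key = $1 "/" $3
        if (!(key in seen)) { seen[key] = 1; order[++n] = key }
        if (!active) next
        if ($6 ~ /(^|\/)in\.tcpd$/) wrapped[key] = 1; else direct[key] = 1
    }
    END {
        for (i = 1; i <= n; i++) {
            k = order[i]
            if (wrapped[k] && direct[k]) s = "both"
            else if (wrapped[k]) s = "wrapped"
            else if (direct[k]) s = "direct"
            else s = "disabled"
            print k, s
        }
    }' "$@"
}

# Report only the states that need an administrator to look at them.
inetd_findings() {
    audit_inetd "$@" | awk '
        $2 == "direct" { print $1 ": started directly, in.tcpd is bypassed" }
        $2 == "both"   { print $1 ": both entries active, comment one out" }
        $1 ~ /^(finger|tftp)\// && $2 != "disabled" { print $1 ": enabled, see the NOTE above" }'
}

sample_inetd_conf | inetd_findings
```

Run it against the live file with inetd_findings /etc/inet/inetd.conf. Remember that the file on disk only reflects what inetd is doing if inetd has re-read it since the last change.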

Configuring TCP/IP tunable parameters

You can adjust the configuration parameters for TCP/IP using the ifconfig(1Mtcp) and inconfig(1Mtcp) utilities as described in the following sections:

Using ifconfig to change parameters for a network interface

You can use the ifconfig(1Mtcp) command to reconfigure performance parameters for a single network interface. If you wish to make this change permanent you must edit the entry for the interface in /etc/confnet.d/inet/interface (see interface(4tcp)).

The metric, onepacket, and perf parameters affect performance.

metric can be used to artificially raise the routing metric of the interface used by the routing daemon, routed(1Mtcp). This has the effect of making a route using this interface less favorable. For example, to set the metric for the sme0 interface to 10, enter:

/etc/ifconfig sme0 inet metric 10

onepacket enables one-packet-at-a-time operation for interfaces with small buffers that are unable to handle continuous streams of back-to-back packets. This parameter takes two arguments that allow you to define a small packet size, and the number of these that you will permit in the receive window. This deals with TCP/IP implementations that can send more than one packet within the window size for the connection. Set the small packet size and count to zero if you are not interested in detecting small packets. For example, to set one-packet mode with a small packet threshold of one small packet of 512 bytes on the en0 interface, enter:

/etc/ifconfig en0 inet onepacket 512 1

To turn off one-packet mode for this interface, enter:

/etc/ifconfig en0 inet -onepacket

perf allows you to tune performance parameters on a per-interface basis. The arguments to perf specify the default TCP receive and send window sizes in bytes, and whether TCP should restrict the size of a segment to a multiple of 1KB (when set to 0) or use all available space in a frame for a segment (when set to 1).

The following example sets the receive and send window size to 16KB, and uses the maximum space available in an Ethernet frame for each TCP segment:

/etc/ifconfig sme0 inet perf 16384 16384 1

Using inconfig to change global TCP/IP parameters

As root, you can use the inconfig(1Mtcp) command to change the global default TCP/IP configuration values.

NOTE: Any global performance parameters that you set using inconfig are overridden by per-interface values specified using ifconfig.

For example, to enable forwarding of IP packets, you would enter:

inconfig ipforwarding 1

inconfig updates the values of the parameters defined in /etc/inet/inet.dfl and those in use by the currently executing kernel. You do not need to reboot your system for these changes to take effect; inconfig dynamically updates the kernel with the changes you specify. Before doing so, it verifies that the values you input are valid. If they are not, the current values of the parameters are retained.

See ``Parameters'' for a description of the TCP/IP parameters that you can tune using inconfig.

WARNING: Do not edit /etc/inet/inet.dfl; use inconfig to change parameter settings.

© 2004 The SCO Group, Inc. All rights reserved.
UnixWare 7 Release 7.1.4 - 22 April 2004