
Difference between revisions of "Handbook:Basic Server Configuration:Client Access"

m (Note about IP addresses in hosts.hfaxd)
(The note was suggesting an insecure way to add a subnet to hosts.hfaxd. Warn about this method.)
 
(One intermediate revision by the same user not shown)
Line 3: Line 3:
 
hfaxd is normally started up when the faxsetup program is run. faxsetup also arranges for hfaxd to be automatically started up each time a server machine is booted; either ''standalone'' by a script invoked by the init process or ''indirectly'' by the inetd process. The preferred way to run hfaxd is in a standalone mode as this gives optimal performance.
 
hfaxd is normally started up when the faxsetup program is run. faxsetup also arranges for hfaxd to be automatically started up each time a server machine is booted; either ''standalone'' by a script invoked by the init process or ''indirectly'' by the inetd process. The preferred way to run hfaxd is in a standalone mode as this gives optimal performance.
  
When hfaxd is started the command line arguments specify which of several client-server protocols it should offer. hfaxd currently has support for three protocols:
+
When hfaxd is started the command line arguments specify which of several client-server protocols it should offer. hfaxd currently has support for two protocols:
  
* the Version 4.0 HylaFAX™ client-server protocol,   
+
* the Version 4.0 HylaFAX™ client-server protocol, and
* the old HylaFAX™ client-server protocol used in versions prior to 4.0, and  
 
 
* the Simple Network Pager Protocol (SNPP) that is used to submit alpha-numeric text pager requests.  
 
* the Simple Network Pager Protocol (SNPP) that is used to submit alpha-numeric text pager requests.  
  
When operating in a standalone fashion the command line options specify the protocols to support and the ports at which service should be provided. For example, to startup hfaxd in a standalone mode supporting all three protocols the following might be used:
+
HylaFAX prior to 6.0 also supported an old protocol using the <tt>-o</tt> flag.
  
hyla# ''/usr/local/sbin/hfaxd -i 4559 -o 4557 -s 444''
+
When operating in a standalone fashion the command line options specify the protocols to support and the ports at which service should be provided. For example, to startup hfaxd in a standalone mode supporting both protocols the following might be used:
  
This specifies that the Version 4.0 protocol is to be offered at port 4559, the old protocol at port 4557, and SNPP at port 444.
+
hyla# ''/usr/local/sbin/hfaxd -i 4559 -s 444''
 +
 
 +
This specifies that the Version 4.0 protocol is to be offered at port 4559 and SNPP at port 444.
  
 
It is also possible to have the inetd program startup hfaxd. In this case only a single protocol can be requested since inetd advertises service and establishes the network connection. For example, the following entry might be used in the '''inetd.conf''' file to startup hfaxd to service SNPP requests:
 
It is also possible to have the inetd program startup hfaxd. In this case only a single protocol can be requested since inetd advertises service and establishes the network connection. For example, the following entry might be used in the '''inetd.conf''' file to startup hfaxd to service SNPP requests:
Line 27: Line 28:
 
Besides arranging for hfaxd to get started up when a server machine is booted, it is necessary to specify which client machines and users can have access to a HylaFAX™ server machine. This is specified by the contents of the '''etc/hosts.hfaxd''' file in the HylaFAX spooling area on the server machine. The contents of this file is specified in the hosts.hfaxd(5F) manual page. The default '''etc/hosts.hfaxd''' file that comes with HylaFAX permits anyone to have access through the localhost network interface; i.e. the hosts file contains:
 
Besides arranging for hfaxd to get started up when a server machine is booted, it is necessary to specify which client machines and users can have access to a HylaFAX™ server machine. This is specified by the contents of the '''etc/hosts.hfaxd''' file in the HylaFAX spooling area on the server machine. The contents of this file is specified in the hosts.hfaxd(5F) manual page. The default '''etc/hosts.hfaxd''' file that comes with HylaFAX permits anyone to have access through the localhost network interface; i.e. the hosts file contains:
  
localhost<br>
+
<pre>
 +
localhost
 
127.0.0.1
 
127.0.0.1
 +
</pre>
  
 
It is a good idea to refine the controls specified in this file before providing general access to the server. Access can be restricted both on a per-client-machine basis and by user. Passwords can also be required though support for this is presently somewhat awkward.
 
It is a good idea to refine the controls specified in this file before providing general access to the server. Access can be restricted both on a per-client-machine basis and by user. Passwords can also be required though support for this is presently somewhat awkward.
 
''
 
''
The etc/hosts.hfaxd file must be owned by the fax user and be mode 0600 or hfaxd will not permit client access.''
+
The etc/hosts.hfaxd file must be owned by the fax user and be mode <tt>0600</tt> or hfaxd will not permit client access.''
  
Note: 192.168.1.* format works.
+
'''Note''': While the <tt>192.168.1.*</tt> format works, it is not recommended as it generally allows more than intended. This must be read as a regular expression and thus the ".*" at the end specifies that anything can follow the <tt>"192.168.1"</tt> pattern (where the two dots can be any single character). This grants access to the <tt>192.168.1.0/24</tt> net, but also to every <tt>192.168.x.0/24</tt> where x is in the <tt>10-19</tt> range or the <tt>100-199</tt> range. It also allows any host with a domain name matching the above as in <tt>192.168.1.example.org</tt> or <tt>1920168212312.example.com</tt>. A better way to allow this subnet would be with <tt>192\.168\.1\.[0-9]{1,3}</tt>.
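Review bot: the replacement pattern at the end of the new note, 192\.168\.1\.[0-9]{1,3}, has no explicit anchors, and the note does not say whether hfaxd anchors the expression itself. If it does not, a host name such as 192.168.1.7.example.org would still match, which is the same class of problem the note warns about for 192.168.1.example.org. Suggest either stating the anchoring behaviour from hosts.hfaxd(5F) in the note or writing the pattern with a trailing $.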

Latest revision as of 19:20, 19 June 2009

HylaFAX client applications such as sendfax do not communicate directly with server processes such as faxq or faxgetty. Instead they communicate with the hfaxd(1M) client-server protocol process. This architecture insulates client applications from the internal structure of a server machine, provides a more robust operating environment, and scales better for many clients.

hfaxd is normally started up when the faxsetup program is run. faxsetup also arranges for hfaxd to be automatically started up each time a server machine is booted; either standalone by a script invoked by the init process or indirectly by the inetd process. The preferred way to run hfaxd is in a standalone mode as this gives optimal performance.

When hfaxd is started the command line arguments specify which of several client-server protocols it should offer. hfaxd currently has support for two protocols:

  • the Version 4.0 HylaFAX™ client-server protocol, and
  • the Simple Network Pager Protocol (SNPP) that is used to submit alpha-numeric text pager requests.

HylaFAX prior to 6.0 also supported an old protocol using the -o flag.

When operating in a standalone fashion the command line options specify the protocols to support and the ports at which service should be provided. For example, to start up hfaxd in a standalone mode supporting both protocols the following might be used:

hyla# /usr/local/sbin/hfaxd -i 4559 -s 444 

This specifies that the Version 4.0 protocol is to be offered at port 4559 and SNPP at port 444.

It is also possible to have the inetd program start up hfaxd. In this case only a single protocol can be requested since inetd advertises service and establishes the network connection. For example, the following entry might be used in the inetd.conf file to start up hfaxd to service SNPP requests:

snpp stream tcp nowait fax /usr/local/sbin/hfaxd hfaxd -S -d 

The -S option specifies that hfaxd should service SNPP requests using the standard input and output descriptors and the -d option keeps hfaxd from detaching itself from the controlling tty.

It is possible to run hfaxd in a standalone mode as well as indirectly from inetd so long as this is done for separate protocols. Doing this, however, is of questionable value since it is much more efficient for a single standalone hfaxd process to support multiple protocols than to have multiple unrelated hfaxd processes.

Beware that hfaxd must either be started up by the super-user or be installed setuid-root for proper operation.

Besides arranging for hfaxd to get started up when a server machine is booted, it is necessary to specify which client machines and users can have access to a HylaFAX™ server machine. This is specified by the contents of the etc/hosts.hfaxd file in the HylaFAX spooling area on the server machine. The contents of this file are specified in the hosts.hfaxd(5F) manual page. The default etc/hosts.hfaxd file that comes with HylaFAX permits anyone to have access through the localhost network interface; i.e. the hosts file contains:

localhost
127.0.0.1

It is a good idea to refine the controls specified in this file before providing general access to the server. Access can be restricted both on a per-client-machine basis and by user. Passwords can also be required though support for this is presently somewhat awkward. The etc/hosts.hfaxd file must be owned by the fax user and be mode 0600 or hfaxd will not permit client access.

Note: While the 192.168.1.* format works, it is not recommended because it generally allows more than intended. The entry is read as a regular expression, so the ".*" at the end means that anything can follow the "192.168.1" pattern (in which each of the two dots matches any single character). This grants access to the 192.168.1.0/24 net, but also to every 192.168.x.0/24 where x is in the 10-19 range or the 100-199 range. It also allows any host with a domain name matching the above, as in 192.168.1.example.org or 1920168212312.example.com. A better way to allow this subnet would be with 192\.168\.1\.[0-9]{1,3}.
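The over-matching described in the note can be checked before an entry goes into etc/hosts.hfaxd. The following is an added example, not HylaFAX code: it uses Python's re module as a stand-in for hfaxd's regular expression matching, the candidate client names are constructed, and the function name overmatches is hypothetical. The page does not say whether hfaxd anchors the expression, so the check can be run both ways.

```python
import ipaddress
import re

def overmatches(pattern, candidates, intended_cidr, anchored=True):
    """Return the candidates a client pattern admits that lie outside intended_cidr.

    anchored=True requires the whole client string to match; anchored=False
    accepts a match anywhere in it (assumption: which of the two hfaxd does
    is not stated on the page).
    """
    rx = re.compile(pattern)
    match = rx.fullmatch if anchored else rx.search
    net = ipaddress.ip_network(intended_cidr)
    extra = []
    for client in candidates:
        if not match(client):
            continue
        try:
            inside = ipaddress.ip_address(client) in net
        except ValueError:
            inside = False  # a host name is never inside the intended subnet
        if not inside:
            extra.append(client)
    return extra

# Constructed client addresses and host names to test entries against.
CANDIDATES = [
    "192.168.1.7",
    "192.168.1.254",
    "192.168.10.7",
    "192.168.150.20",
    "192.168.2.7",
    "192.168.1.example.org",
    "1920168212312.example.com",
    "192.168.1.7.example.org",
    "10.0.0.1",
]

LOOSE = r"192.168.1.*"               # the entry the note warns about
STRICT = r"192\.168\.1\.[0-9]{1,3}"  # the entry the note recommends

if __name__ == "__main__":
    for label, pat, anch in (("loose", LOOSE, True),
                             ("strict, anchored", STRICT, True),
                             ("strict, unanchored", STRICT, False)):
        print(label, overmatches(pat, CANDIDATES, "192.168.1.0/24", anch))
```

With the strict pattern, only the unanchored run reports a client outside the subnet, which shows why the anchoring behaviour is worth confirming in hosts.hfaxd(5F).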


This page was last edited on 19 June 2009, at 19:20.
