- Get the service running on the new box
- Point the DNS entry (or IP address of the server on clients) to the new server
- Stop the service on the old box
- Enable the redirection using inetd:

```
http stream tcp nowait nobody /usr/bin/tcpd /usr/bin/netcat new-server 80
```

You then leave the old server running until no more clients connect to it. I do that by inspecting the syslog entries and looking for the netcat redirections. Last time, however, I was seeing these:

```
Jan 30 14:20:04 old-box netcat: [ID 947420 mail.warning] refused connect from 188.8.131.52
```

And sure enough, I started to get complaints that some clients were no longer able to connect to the service. I had left /etc/hosts.allow empty on purpose since there was no need to restrict the service to specific hosts.
After some digging through the TCP Wrappers README, I suspected that the version of tcpd on this SunOS 5.8 (Solaris 8) box had been compiled with -DPARANOID. If defined, PARANOID causes tcpd to reject hosts whose IP addresses don't resolve to a name (using reverse DNS).
I downloaded the tcp_wrappers source, recompiled without -DPARANOID and installed the newly compiled binary. The refused connection entries were gone from the log and the clients confirmed they were able to reach the server once again.
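
The log inspection described above can be scripted to show which refused clients have no reverse DNS name, the condition PARANOID rejects. This is an added example, not code from the original post; the function names are hypothetical, and every sample log line except the first (taken from the post) is constructed.

```python
import re
import socket
from collections import Counter

# tcpd logs "connect from <client>" or "refused connect from <client>"
# under the wrapped daemon's name (netcat here). The "[ID ...]" tag is
# the Solaris syslog message ID and is optional in the pattern.
LINE_RE = re.compile(
    r"\snetcat(?:\[\d+\])?:\s(?:\[ID [^\]]*\]\s)?"
    r"(refused connect|connect) from (\S+)"
)

# First line is from the post; the rest are constructed for illustration.
SAMPLE_LOG = [
    "Jan 30 14:20:04 old-box netcat: [ID 947420 mail.warning] refused connect from 188.8.131.52",
    "Jan 30 14:21:10 old-box netcat: [ID 947420 mail.warning] refused connect from 188.8.131.52",
    "Jan 30 14:22:31 old-box netcat: [ID 947420 mail.warning] refused connect from 192.0.2.10",
    "Jan 30 14:23:02 old-box netcat: [ID 000000 mail.info] connect from 198.51.100.7",
]

def tally(lines):
    """Return (accepted, refused) Counters keyed by client address."""
    accepted, refused = Counter(), Counter()
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            bucket = refused if m.group(1) == "refused connect" else accepted
            bucket[m.group(2)] += 1
    return accepted, refused

def has_reverse_name(ip, resolver=socket.gethostbyaddr):
    """True if the address resolves to a name via reverse DNS."""
    try:
        resolver(ip)
        return True
    except OSError:  # socket.herror and socket.gaierror are subclasses
        return False

def refused_without_ptr(lines, resolver=socket.gethostbyaddr):
    """Refused clients with no reverse name: likely PARANOID rejections."""
    _, refused = tally(lines)
    return sorted(ip for ip in refused if not has_reverse_name(ip, resolver))

if __name__ == "__main__":
    accepted, refused = tally(SAMPLE_LOG)
    print("still connecting:", dict(accepted))
    print("refused:", dict(refused))
    print("refused, no reverse DNS:", refused_without_ptr(SAMPLE_LOG))
```

A refused client that does have a reverse name points at some other cause, such as an access rule, rather than the missing-name check.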