I've used inetd + tcp wrappers + netcat a number of times for migration of TCP-based services to a new server. It goes something like this:
- Get the service running on the new box
- Point the DNS entry (or IP address of the server on clients) to the new server
- Stop the service on the old box
- Enable the redirection using inetd (add the entry to /etc/inetd.conf and send inetd a SIGHUP so it re-reads the file)
For step 4, redirecting HTTP in this case, an entry like the one below in /etc/inetd.conf is usually enough:
http stream tcp nowait nobody /usr/bin/tcpd /usr/bin/netcat new-server 80
inetd hands each incoming connection to tcpd, which checks the client and then execs netcat, and netcat simply copies bytes between the client and port 80 on new-server. Note that the new server sees every redirected connection as coming from the old box's address, not from the real client, so its own logs and any address-based access control there will not see the original clients. You then leave the old server running until no more clients connect to it. I do that by inspecting the syslog entries and looking for the netcat redirections: tcpd logs each accepted connection as "connect from <client>" under the name of the program it wraps, so the entries to look for are tagged netcat. Last time, however, I was seeing these:
Jan 30 14:20:04 old-box netcat[16769]: [ID 947420 mail.warning] refused connect from 189.201.77.65
And sure enough, I started to get complaints that some clients were no longer able to connect to the service. I had left /etc/hosts.allow empty on purpose since there was no need to restrict the service to specific hosts.
After some digging through the tcp wrappers README, I suspected that the tcpd on this SunOS 5.8 (Solaris 8) box had been compiled with -DPARANOID. With PARANOID defined, tcpd always double-checks the client: it reverse-resolves the connecting address to a name, resolves that name forward again, and if the name does not map back to the connecting address (a host name/address mismatch, which is what a stale or misconfigured PTR record looks like from the server's side) it refuses the connection outright and logs "refused connect from <address>". That check runs inside tcpd before /etc/hosts.allow and /etc/hosts.deny are consulted, so an empty hosts.allow, or any allow rule for that matter, cannot let such a client through.
I downloaded the tcp_wrappers source, recompiled without -DPARANOID and installed the newly compiled binary. The refused connection entries were gone from the log and the clients confirmed they were able to reach the server once again. Dropping the compile-time flag does not disable the verification itself: tcpd still performs the reverse and forward lookups and still tags a mismatching client as PARANOID, it just no longer refuses it unconditionally. If you want the same refusal back as a policy rather than baked into the binary, an "ALL: PARANOID" line in /etc/hosts.deny does it, and a specific client with broken reverse DNS can then be exempted with a hosts.allow entry for the daemon name (netcat here) and the client's address, since hosts.allow is consulted first.
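The syslog triage described above, together with the name check a -DPARANOID tcpd performs, as an added Python example (this is not code from the original post and not tcp_wrappers' own code). `triage` counts accepted and refused connections per client from the "connect from" / "refused connect from" lines tcpd writes under the wrapped program's name, and `classify_client` replays tcpd's reverse-then-forward lookup sequence with injectable resolver functions so it can be run offline. The sample log lines, the `FAKE_*` DNS tables and all function names are constructed for this example and do not come from the post.

```python
"""Triage tcpd log lines from an inetd + tcpd + netcat redirect, and
replay the host check that a -DPARANOID build of tcpd refuses on.
Added example; not code from the original post or from tcp_wrappers."""
import re
import socket
from collections import Counter

# Constructed sample lines in the Solaris 8 syslog format shown in the post
# (hosts, PIDs and addresses are made up for this example). The last line is
# unrelated noise that the parser must ignore.
SAMPLE_LOG = """\
Jan 30 14:19:51 old-box netcat[16750]: [ID 947420 mail.info] connect from 10.1.2.3
Jan 30 14:19:58 old-box netcat[16761]: [ID 947420 mail.info] connect from client7.example.net
Jan 30 14:20:04 old-box netcat[16769]: [ID 947420 mail.warning] refused connect from 189.201.77.65
Jan 30 14:20:31 old-box netcat[16774]: [ID 947420 mail.info] connect from 10.1.2.3
Jan 30 14:21:02 old-box netcat[16780]: [ID 947420 mail.warning] refused connect from 189.201.77.65
Jan 30 14:21:09 old-box sendmail[16783]: [ID 801593 mail.info] g0UEL9Q16783: from=<a@b>, size=1
"""

# tcpd logs "connect from <client>" for accepted and "refused connect from
# <client>" for refused connections, using the wrapped daemon's name
# (netcat here) as the syslog identifier.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ "   # timestamp and logging host
    r"(?P<daemon>[^\[ ]+)\[\d+\]: "              # wrapped program name and pid
    r"(?:\[ID \d+ [\w.]+\] )?"                   # optional Solaris message-id tag
    r"(?P<refused>refused )?connect from (?P<client>\S+)$"
)


def triage(log_text, daemon="netcat"):
    """Return (allowed, refused): Counters of client -> connection count for
    the wrapped daemon, ignoring every other syslog line."""
    allowed, refused = Counter(), Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("daemon") != daemon:
            continue
        (refused if m.group("refused") else allowed)[m.group("client")] += 1
    return allowed, refused


UNKNOWN, PARANOID = "unknown", "paranoid"   # the two special names tcpd uses


def classify_client(addr, gethostbyaddr=socket.gethostbyaddr,
                    gethostbyname_ex=socket.gethostbyname_ex):
    """Follow the lookup sequence tcpd uses to verify a client: reverse-map
    the address, forward-map the resulting name, and require the original
    address among the results. Returns the verified name, 'unknown' when
    there is no reverse mapping, or 'paranoid' on a name/address mismatch,
    which is the case a -DPARANOID tcpd refuses before consulting
    hosts.allow/hosts.deny. (Approximation of tcpd's socket.c logic.)"""
    try:
        name = gethostbyaddr(addr)[0]
    except OSError:
        return UNKNOWN          # no PTR record: tcpd keeps the name "unknown"
    try:
        canon, _aliases, addrs = gethostbyname_ex(name)
    except OSError:
        return PARANOID         # the PTR name does not resolve forward at all
    if canon != name and name != "localhost":
        return PARANOID         # host name/name mismatch
    if addr in addrs:
        return name
    return PARANOID             # name resolves, but not back to this address


# Constructed fake DNS so the check can be exercised offline (hypothetical).
FAKE_PTR = {"10.1.2.3": "client3.example.net",
            "189.201.77.65": "stale-name.example.org",   # PTR exists...
            "203.0.113.5": "dangling.example.org"}       # ...or points nowhere
FAKE_A = {"client3.example.net": ["10.1.2.3"],
          "stale-name.example.org": ["198.51.100.9"]}   # ...but A record differs


def fake_gethostbyaddr(addr):
    if addr not in FAKE_PTR:
        raise socket.herror(1, "Unknown host")
    return FAKE_PTR[addr], [], [addr]


def fake_gethostbyname_ex(name):
    if name not in FAKE_A:
        raise socket.gaierror(-2, "Name or service not known")
    return name, [], FAKE_A[name]


def explain_refusals(log_text, **resolvers):
    """For every client tcpd refused, report what the PARANOID check makes of
    it. Returns {client: verdict}. tcpd logs a paranoid client by address."""
    _allowed, refused = triage(log_text)
    return {c: classify_client(c, **resolvers) for c in refused}


if __name__ == "__main__":
    allowed, refused = triage(SAMPLE_LOG)
    print("still using the old box:", dict(allowed))
    print("refused:", dict(refused))
    verdicts = explain_refusals(SAMPLE_LOG, gethostbyaddr=fake_gethostbyaddr,
                                gethostbyname_ex=fake_gethostbyname_ex)
    for client, verdict in verdicts.items():
        print(client, "->", verdict)
```

Run against the real log with the default resolvers (drop the `fake_*` arguments) to confirm, from the old box's own resolver, whether a refused client really has a name/address mismatch before touching the tcpd build; if the verdict is a clean name, the refusal is coming from an access rule instead.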