diff --git a/en_US.ISO8859-1/articles/relaydelay/article.sgml b/en_US.ISO8859-1/articles/relaydelay/article.sgml
index cdfad2cb76..1d2cacaee3 100644
--- a/en_US.ISO8859-1/articles/relaydelay/article.sgml
+++ b/en_US.ISO8859-1/articles/relaydelay/article.sgml
@@ -1,262 +1,262 @@
%articles.ent;
]>
Using Greylist with &os;TomRhodestrhodes@FreeBSD.org2004The &os; Documentation ProjectAn article written for the sole purpose of explaining
the relaydelay system on a &os; mail server. A relaydelay
or greylisting server cuts down on spam simply by issuing
a TEMPFAIL error message to
every incoming email. The purpose behind this idea
is that most spammers use their personal computers with
software to do their spamming. A real mail server should
queue the message and try to send it later. Thus the
spammer most likely moves on to the next host in place
of trying to send the email again. This is an excellent
idea; at least until the spammers begin to use software
that offers to try again. But how does this work exactly?
Well, when an email is received the message
ID is stored in a database and the
TEMPFAIL is returned along with the
email. If the email is resent, the message
ID will be checked against the message
IDs currently stored in the database.
If it exists in the database then the email is permitted to reach its
intended recipient. Otherwise, the ID
will be stored and a TEMPFAIL will
be issued. This cycle will repeat with every email which
comes into the server. From my personal experience, this
really does cut out 90% of the spam.Basic ConfigurationWe need to install the threaded perl.
- Install lang/perl5.8
+ Install lang/perl5.8
with the USE_THREADS=yes variable
set. The current version of perl
may need to be removed first; errors will be reported
by the install process if this is necessary.This will require all ports which require
perl to be rebuilt and reinstalled;
- ports-mgmt/portupgrade
+ ports-mgmt/portupgrade
is perfect for this. At least it will point out which
ports have been removed and which will need to be
reinstalled.Now for the database server;
MySQL is perfect for this
sort of work. Install the
- databases/mysql40-server
+ databases/mysql40-server
along with
- databases/p5-DBD-mysql40.
+ databases/p5-DBD-mysql40.
The previous port should imply the installation of
- databases/p5-DBI-137
+ databases/p5-DBI-137
so that knocks off another step.Install the perl based portable
- server plugin, net/p5-Net-Daemon
+ server plugin, net/p5-Net-Daemon
port. Most of these port installations should have
been straight forward. The next step will be more
involved.Now install the
- mail/p5-Sendmail-Milter
+ mail/p5-Sendmail-Milter
port. As of this writing the Makefile
contains a line beginning with BROKEN,
just remove it or comment it out. It is only marked
this way because &os; neither has nor installs
a threaded perl package by default. Once that
line is removed it should build and install perfectly
fine.Create a directory to hold temporary configuration
files:&prompt.root; mkdir /tmp/relaydelay
&prompt.root; cd /tmp/relaydelayNow that we have a temporary directory to work in, the
following URLs should be sent to the
fetch command:&prompt.root; fetch http://projects.puremagic.com/greylisting/releases/relaydelay-0.04.tgz
&prompt.root; fetch http://lists.puremagic.com/pipermail/greylist-users/attachments/20030904/b8dafed9/relaydelay-0.04.binThe source code should now be unpacked:&prompt.root; gunzip -c relaydelay-0.04.tgz | tar xvf -There should now be several files into the temporary directory
by this point. The appropriate information can now be passed to
the database server by importing it from the
mysql.sql file:&prompt.root; mysql < relaydelay-0.04/mysql.sqlAnd patch the other files with the
relaydelay.bin by running:&prompt.root; patch -d /tmp/relaydelay/relaydelay-0.04 < relaydelay.binEdit the relaydelay.conf and the
db_maintenance.pl file to append the
correct username and password for the
MySQL database. If the database was
built and installed like the above then no users or passwords
exist. This should be altered before putting this into
production, that is covered in the database documentation and
is beyond the scope of this document.Change the working directory to the
relaydelay-0.04
directory:&prompt.root; cd relaydelay-0.04Copy or move the configuration files to their respective
directories:&prompt.root; mv db_maintenance.pl relaydelay.pl /usr/local/sbin
&prompt.root; mv relaydelay.conf /etc/mail
&prompt.root; mv relaydelay.sh /usr/local/etc/rc.d/Test the current configuration by running:&prompt.root; sh /usr/local/etc/rc.d/relaydelay.sh startThis file will not exist if the previous &man.mv.1; commands
were neglected.If everything worked correctly a new file,
relaydelay.log, should exist in
/var/log. It should
contain something similar to the following text:Loaded Config File: /etc/mail/relaydelay.conf
Using connection 'local:/var/run/relaydelay.sock' for filter relaydelay
DBI Connecting to DBI:mysql:database=relaydelay:host=localhost:port=3306
Spawned relaydelay daemon process 38277.
Starting Sendmail::Milter 0.18 engine.If this does not appear then something went wrong, review
the screen output or look for anything new in the
messages log file.Glue everything together by adding the following line to
/etc/mail/sendmail.mc or the customized
site specific mc file:INPUT_MAIL_FILTER(`relaydelay', `S=local:/var/run/relaydelay.sock, T=S:1m;R:2m;E:3m')dnlRebuild and reinstall the files in the
/etc/mail directory and restart
sendmail. A quick makerestart should do the trick.Obtain the perl script located at
http://lists.puremagic.com/pipermail/greylist-users/2003-November/000327.html
and save it in the
relaydelay-0.04
directory. In the following examples this script is
referred to as addlist.pl.Edit the whitelist_ip.txt file and
modify it to include IP addresses of servers
which should have the explicit abilities to bypass the
relaydelay filters. i.e., domains
from which email will not be issued a
TEMPFAIL when received.Some examples could include:192.168. # My internal network.
66.218.66 # Yahoo groups has unique senders.The blacklist_ip.txt file should
be treated similarly but with reversed rules. List within
this file IPs which should be denied without
being issued a TEMPFAIL. This list of
domains will never have the opportunity to prove that they are
legitimate email servers.These files should now be imported into the database with
the addlist.pl script obtained a few
lines ago:&prompt.root; perl addlist.pl -whitelist 9999-12-31 23:59:59 < whitelist_ip.txt
&prompt.root; perl addlist.pl -blacklist 9999-12-31 23:59:59 < blacklist_ip.txtTo have relaydelay start with
every system boot, add the
to the
/etc/rc.conf file.The /var/log/relaydelay.log log file
should slowly fill up with success stories. Lines like the
following should appear after a short time, depending on how
busy the mail server is.=== 2004-05-24 21:03:22 ===
Stored Sender: <someasshole@flawed-example.com>
Passed Recipient: <local_user@pittgoth.com>
Relay: example.net [XXX.XX.XXX.XX] - If_Addr: MY_IP_ADDRESS
RelayIP: XX.XX.XX.XX - RelayName: example.net - RelayIdent: - PossiblyForged: 0
From: someasshole@flawed-example.com - To: local_user
InMailer: esmtp - OutMailer: local - QueueID: i4P13Lo6000701111
Email is known but block has not expired. Issuing a tempfail. rowid: 51
IN ABORT CALLBACK - PrivData: 0<someasshole@flawed-example.com>The following line may now be added to
/etc/newsyslog.conf to cause for
relaydelay.log rotation at every
100 Kb:/var/log/relaydelay.log 644 3 100 * ZAt some point there was an error about improper
perl variables in the
/etc/mail/relaydelay.conf. If those
two variables are commented out then configuration may
proceed as normal. Just remember to uncomment them before
starting the relaydelay process.
diff --git a/en_US.ISO8859-1/books/developers-handbook/tools/chapter.sgml b/en_US.ISO8859-1/books/developers-handbook/tools/chapter.sgml
index 5efeb5e132..abf59b17fe 100644
--- a/en_US.ISO8859-1/books/developers-handbook/tools/chapter.sgml
+++ b/en_US.ISO8859-1/books/developers-handbook/tools/chapter.sgml
@@ -1,2369 +1,2369 @@
JamesRaynardContributed by MurrayStokelyProgramming ToolsSynopsisThis chapter is an introduction to using some of the
programming tools supplied with FreeBSD, although much of it
will be applicable to many other versions of &unix;. It does
not attempt to describe coding in any
detail. Most of the chapter assumes little or no previous
programming knowledge, although it is hoped that most
programmers will find something of value in it.IntroductionFreeBSD offers an excellent development environment.
Compilers for C and C++ and an assembler come with the
basic system, not to mention classic &unix;
tools such as sed and awk.
If that is not enough, there are many more compilers and
interpreters in the Ports collection. The following section,
Introduction to Programming,
lists some of the available options. FreeBSD is very
compatible with standards such as &posix; and
ANSI C, as well with its own BSD heritage, so
it is possible to write applications that will compile and run
with little or no modification on a wide range of
platforms.However, all this power can be rather overwhelming at first
if you have never written programs on a &unix; platform before.
This document aims to help you get up and running, without
getting too deeply into more advanced topics. The intention is
that this document should give you enough of the basics to be
able to make some sense of the documentation.Most of the document requires little or no knowledge of
programming, although it does assume a basic competence with
using &unix; and a willingness to learn!Introduction to ProgrammingA program is a set of instructions that tell the computer to
do various things; sometimes the instruction it has to perform
depends on what happened when it performed a previous
instruction. This section gives an overview of the two main
ways in which you can give these instructions, or
commands as they are usually called. One way
uses an interpreter, the other a
compiler. As human languages are too
difficult for a computer to understand in an unambiguous way,
commands are usually written in one or other languages specially
designed for the purpose.InterpretersWith an interpreter, the language comes as an environment,
where you type in commands at a prompt and the environment
executes them for you. For more complicated programs, you can
type the commands into a file and get the interpreter to load
the file and execute the commands in it. If anything goes
wrong, many interpreters will drop you into a debugger to help
you track down the problem.The advantage of this is that you can see the results of
your commands immediately, and mistakes can be corrected
readily. The biggest disadvantage comes when you want to
share your programs with someone. They must have the same
interpreter, or you must have some way of giving it to them,
and they need to understand how to use it. Also users may not
appreciate being thrown into a debugger if they press the
wrong key! From a performance point of view, interpreters can
use up a lot of memory, and generally do not generate code as
efficiently as compilers.In my opinion, interpreted languages are the best way to
start if you have not done any programming before. This kind
of environment is typically found with languages like Lisp,
Smalltalk, Perl and Basic. It could also be argued that the
&unix; shell (sh, csh) is itself an
interpreter, and many people do in fact write shell
scripts to help with various
housekeeping tasks on their machine. Indeed, part
of the original &unix; philosophy was to provide lots of small
utility programs that could be linked together in shell
scripts to perform useful tasks.Interpreters available with FreeBSDHere is a list of interpreters that are available from
the &os; Ports Collection, with a brief discussion of
some of the more popular interpreted languages.Instructions on how to get and install applications
from the Ports Collection can be found in the
Ports section of the handbook.
BASICShort for Beginner's All-purpose Symbolic
Instruction Code. Developed in the 1950s for teaching
University students to program and provided with every
self-respecting personal computer in the 1980s,
BASIC has been the first programming
language for many programmers. It is also the foundation
for Visual Basic.The Bywater Basic Interpreter can be found in the
Ports Collection as
- lang/bwbasic
+ lang/bwbasic
and the Phil Cockroft's Basic Interpreter
(formerly Rabbit Basic) is available as
- lang/pbasic.
+ lang/pbasic.LispA language that was developed in the late 1950s as
an alternative to the number-crunching
languages that were popular at the time. Instead of
being based on numbers, Lisp is based on lists; in fact
the name is short for List Processing.
Very popular in AI (Artificial Intelligence)
circles.Lisp is an extremely powerful and sophisticated
language, but can be rather large and unwieldy.Various implementations of Lisp that can run on &unix;
systems are available in the Ports Collection for &os;.
GNU Common Lisp can be found as
- lang/gcl. CLISP
+ lang/gcl. CLISP
by Bruno Haible and Michael Stoll is available as
- lang/clisp.
+ lang/clisp.
For CMUCL, which includes a highly-optimizing compiler too, or
simpler Lisp implementations like SLisp, which implements most
of the Common Lisp constructs in a few hundred lines of C code,
- lang/cmucl and
- lang/slisp are available
+ lang/cmucl and
+ lang/slisp are available
respectively.PerlVery popular with system administrators for writing
scripts; also often used on World Wide Web servers for
writing CGI scripts.Perl is available in the Ports Collection as
- lang/perl5 for all
+ lang/perl5 for all
&os; releases, and is installed as /usr/bin/perl
in the base system 4.X releases.SchemeA dialect of Lisp that is rather more compact and
cleaner than Common Lisp. Popular in Universities as it
is simple enough to teach to undergraduates as a first
language, while it has a high enough level of
abstraction to be used in research work.Scheme is available from the Ports Collection as
- lang/elk for the
+ lang/elk for the
Elk Scheme Interpreter. The MIT Scheme Interpreter
can be found in
- lang/mit-scheme
+ lang/mit-scheme
and the SCM Scheme Interpreter in
- lang/scm.
+ lang/scm.
IconIcon is a high-level language with extensive
facilities for processing strings and structures.
The version of Icon for &os; can be found in the
Ports Collection as
- lang/icon.
+ lang/icon.
LogoLogo is a language that is easy to learn, and has
been used as an introductory programming language in
various courses. It is an excellent tool to work with
when teaching programming in small ages, as it makes the
creation of elaborate geometric shapes an easy task even
for very small children.The latest version of Logo for &os; is available from
the Ports Collection in
- lang/logo.
+ lang/logo.
PythonPython is an Object-Oriented, interpreted language.
Its advocates argue that it is one of the best languages
to start programming with, since it is relatively easy
to start with, but is not limited in comparison to other
popular interpreted languages that are used for the
development of large, complex applications (Perl and
Tcl are two other languages that are popular for such tasks).The latest version of Python is available from the
Ports Collection in
- lang/python.
+ lang/python.
RubyRuby is an interpreter, pure object-oriented programming
language. It has become widely popular because of its easy
to understand syntax, flexibility when writing code, and the
ability to easily develop and maintain large, complex
programs.Ruby is available from the Ports Collection as
- lang/ruby18.
+ lang/ruby18.
Tcl and TkTcl is an embeddable, interpreted language, that has
become widely used and became popular mostly because of its portability to many
platforms. It can be used both for quickly writing
small, prototype applications, or (when combined with
Tk, a GUI toolkit) fully-fledged, featureful
programs.Various versions of Tcl are available as ports
for &os;. The latest version, Tcl 8.4, can be found in
- lang/tcl84.
+ lang/tcl84.
CompilersCompilers are rather different. First of all, you write
your code in a file (or files) using an editor. You then run
the compiler and see if it accepts your program. If it did
not compile, grit your teeth and go back to the editor; if it
did compile and gave you a program, you can run it either at a
shell command prompt or in a debugger to see if it works
properly.
If you run it in the shell, you may get a core
dump.Obviously, this is not quite as direct as using an
interpreter. However it allows you to do a lot of things
which are very difficult or even impossible with an
interpreter, such as writing code which interacts closely with
the operating system—or even writing your own operating
system! It is also useful if you need to write very efficient
code, as the compiler can take its time and optimize the code,
which would not be acceptable in an interpreter. Moreover,
distributing a program written for a compiler is usually more
straightforward than one written for an interpreter—you
can just give them a copy of the executable, assuming they
have the same operating system as you.Compiled languages include Pascal, C and C++. C and C++
are rather unforgiving languages, and best suited to more
experienced programmers; Pascal, on the other hand, was
designed as an educational language, and is quite a good
language to start with. FreeBSD does not include Pascal
support in the base system, but both GNU Pascal Compiler (GPC)
and the Free Pascal Compiler
are available in the Ports Collection as
- lang/gpc and
- lang/fpc.
+ lang/gpc and
+ lang/fpc.
As the edit-compile-run-debug cycle is rather tedious when
using separate programs, many commercial compiler makers have
produced Integrated Development Environments
(IDEs for short). FreeBSD does not include
- an IDE in the base system, but devel/kdevelop is
+ an IDE in the base system, but devel/kdevelop is
available in the Ports Collection and many use
Emacs for this purpose. Using
Emacs as an IDE is discussed in
.Compiling with ccThis section deals only with the GNU compiler for C and C++,
since that comes with the base FreeBSD system. It can be
invoked by either cc or gcc. The
details of producing a program with an interpreter vary
considerably between interpreters, and are usually well covered
in the documentation and on-line help for the
interpreter.Once you have written your masterpiece, the next step is to
convert it into something that will (hopefully!) run on FreeBSD.
This usually involves several steps, each of which is done by a
separate program.Pre-process your source code to remove comments and do
other tricks like expanding macros in C.Check the syntax of your code to see if you have obeyed
the rules of the language. If you have not, it will
complain!Convert the source code into assembly
language—this is very close to machine code, but still
understandable by humans. Allegedly.
To be strictly accurate, cc converts the
source code into its own, machine-independent
p-code instead of assembly language at
this stage.Convert the assembly language into machine
code—yep, we are talking bits and bytes, ones and
zeros here.Check that you have used things like functions and
global variables in a consistent way. For example, if you
have called a non-existent function, it will
complain.If you are trying to produce an executable from several
source code files, work out how to fit them all
together.Work out how to produce something that the system's
run-time loader will be able to load into memory and
run.Finally, write the executable on the filesystem.The word compiling is often used to refer to
just steps 1 to 4—the others are referred to as
linking. Sometimes step 1 is referred to as
pre-processing and steps 3-4 as
assembling.Fortunately, almost all this detail is hidden from you, as
cc is a front end that manages calling all these
programs with the right arguments for you; simply typing&prompt.user; cc foobar.cwill cause foobar.c to be compiled by all the
steps above. If you have more than one file to compile, just do
something like&prompt.user; cc foo.c bar.cNote that the syntax checking is just that—checking
the syntax. It will not check for any logical mistakes you may
have made, like putting the program into an infinite loop, or
using a bubble sort when you meant to use a binary
sort.
In case you did not know, a binary sort is an efficient
way of sorting things into order and a bubble sort
is not.There are lots and lots of options for cc, which
are all in the manual page. Here are a few of the most important
ones, with examples of how to use them.The output name of the file. If you do not use this
option, cc will produce an executable called
a.out.
The reasons for this are buried in the mists of
history.&prompt.user; cc foobar.cexecutable is a.out
&prompt.user; cc -o foobar foobar.cexecutable is foobarJust compile the file, do not link it. Useful for toy
programs where you just want to check the syntax, or if
you are using a Makefile.&prompt.user; cc -c foobar.cThis will produce an object file (not an
executable) called foobar.o. This
can be linked together with other object files into an
executable.Create a debug version of the executable. This makes
the compiler put information into the executable about
which line of which source file corresponds to which
function call. A debugger can use this information to show
the source code as you step through the program, which is
very useful; the disadvantage is that
all this extra information makes the program much bigger.
Normally, you compile with while you
are developing a program and then compile a release
version without when you are
satisfied it works properly.&prompt.user; cc -g foobar.cThis will produce a debug version of the
program.
Note, we did not use the flag
to specify the executable name, so we will get an
executable called a.out.
Producing a debug version called
foobar is left as an exercise for
the reader!Create an optimized version of the executable. The
compiler performs various clever tricks to try to produce
an executable that runs faster than normal. You can add a
number after the to specify a higher
level of optimization, but this often exposes bugs in the
compiler's optimizer. For instance, the version of
cc that comes with the 2.1.0 release of
FreeBSD is known to produce bad code with the
option in some circumstances.Optimization is usually only turned on when compiling
a release version.&prompt.user; cc -O -o foobar foobar.cThis will produce an optimized version of
foobar.The following three flags will force cc
to check that your code complies to the relevant international
standard, often referred to as the ANSI
standard, though strictly speaking it is an
ISO standard.Enable all the warnings which the authors of
cc believe are worthwhile. Despite the
name, it will not enable all the warnings
cc is capable of.Turn off most, but not all, of the
non-ANSI C features provided by
cc. Despite the name, it does not
guarantee strictly that your code will comply to the
standard.Turn off allcc's non-ANSI C
features.Without these flags, cc will allow you to
use some of its non-standard extensions to the standard. Some
of these are very useful, but will not work with other
compilers—in fact, one of the main aims of the standard is
to allow people to write code that will work with any compiler
on any system. This is known as portable
code.Generally, you should try to make your code as portable as
possible, as otherwise you may have to completely rewrite the
program later to get it to work somewhere else—and who
knows what you may be using in a few years time?&prompt.user; cc -Wall -ansi -pedantic -o foobar foobar.cThis will produce an executable foobar
after checking foobar.c for standard
compliance.Specify a function library to be used at link time.The most common example of this is when compiling a
program that uses some of the mathematical functions in C.
Unlike most other platforms, these are in a separate
library from the standard C one and you have to tell the
compiler to add it.The rule is that if the library is called
libsomething.a,
you give cc the argument
.
For example, the math library is
libm.a, so you give
cc the argument .
A common gotcha with the math library is
that it has to be the last library on the command
line.&prompt.user; cc -o foobar foobar.c -lmThis will link the math library functions into
foobar.If you are compiling C++ code, you need to add
, or if
you are using FreeBSD 2.2 or later, to the command line
argument to link the C++ library functions.
Alternatively, you can run c++ instead
of cc, which does this for you.
c++ can also be invoked as
g++ on FreeBSD.&prompt.user; cc -o foobar foobar.cc -lg++For FreeBSD 2.1.6 and earlier
&prompt.user; cc -o foobar foobar.cc -lstdc++For FreeBSD 2.2 and later
&prompt.user; c++ -o foobar foobar.ccEach of these will both produce an executable
foobar from the C++ source file
foobar.cc. Note that, on &unix;
systems, C++ source files traditionally end in
.C, .cxx or
.cc, rather than the
&ms-dos; style
.cpp (which was already used for
something else). gcc used to rely on
this to work out what kind of compiler to use on the
source file; however, this restriction no longer applies,
so you may now call your C++ files
.cpp with impunity!Common cc Queries and ProblemsI am trying to write a program which uses the
sin() function and I get an error
like this. What does it mean?/var/tmp/cc0143941.o: Undefined symbol `_sin' referenced from text segment
When using mathematical functions like
sin(), you have to tell
cc to link in the math library, like
so:&prompt.user; cc -o foobar foobar.c -lmAll right, I wrote this simple program to practice
using . All it does is raise 2.1 to
the power of 6.#include <stdio.h>
int main() {
float f;
f = pow(2.1, 6);
printf("2.1 ^ 6 = %f\n", f);
return 0;
}
and I compiled it as:&prompt.user; cc temp.c -lmlike you said I should, but I get this when I run
it:&prompt.user; ./a.out
2.1 ^ 6 = 1023.000000
This is not the right answer!
What is going on?When the compiler sees you call a function, it
checks if it has already seen a prototype for it. If it
has not, it assumes the function returns an
int, which is definitely not what you want
here.So how do I fix this?The prototypes for the mathematical functions are in
math.h. If you include this file,
the compiler will be able to find the prototype and it
will stop doing strange things to your
calculation!#include <math.h>
#include <stdio.h>
int main() {
...
After recompiling it as you did before, run
it:&prompt.user; ./a.out
2.1 ^ 6 = 85.766121
If you are using any of the mathematical functions,
always include
math.h and remember to link in the
math library.I compiled a file called
foobar.c and I cannot find an
executable called foobar. Where has
it gone?Remember, cc will call the
executable a.out unless you tell it
differently. Use the
option:&prompt.user; cc -o foobar foobar.cOK, I have an executable called
foobar, I can see it when I run
ls, but when I type in
foobar at the command prompt it tells
me there is no such file. Why can it not find
it?Unlike &ms-dos;, &unix; does not
look in the current directory when it is trying to find
out which executable you want it to run, unless you tell
it to. Either type ./foobar, which
means run the file called
foobar in the current
directory, or change your PATH
environment
variable so that it looks something likebin:/usr/bin:/usr/local/bin:.
The dot at the end means look in the current
directory if it is not in any of the
others.I called my executable test,
but nothing happens when I run it. What is going
on?Most &unix; systems have a program called
test in /usr/bin
and the shell is picking that one up before it gets to
checking the current directory. Either type:&prompt.user; ./testor choose a better name for your program!I compiled my program and it seemed to run all right
at first, then there was an error and it said something
about core dumped. What does that
mean?The name core dump dates back
to the very early days of &unix;, when the machines used
core memory for storing data. Basically, if the program
failed under certain conditions, the system would write
the contents of core memory to disk in a file called
core, which the programmer could
then pore over to find out what went wrong.Fascinating stuff, but what I am supposed to do
now?Use gdb to analyze the core (see
).When my program dumped core, it said something about
a segmentation fault. What is
that?This basically means that your program tried to
perform some sort of illegal operation on memory; &unix;
is designed to protect the operating system and other
programs from rogue programs.Common causes for this are:Trying to write to a NULL
pointer, egchar *foo = NULL;
strcpy(foo, "bang!");
Using a pointer that has not been initialized,
egchar *foo;
strcpy(foo, "bang!");
The pointer will have some random value that,
with luck, will point into an area of memory that
is not available to your program and the kernel will
kill your program before it can do any damage. If
you are unlucky, it will point somewhere inside your
own program and corrupt one of your data structures,
causing the program to fail mysteriously.Trying to access past the end of an array,
egint bar[20];
bar[27] = 6;
Trying to store something in read-only memory,
egchar *foo = "My string";
strcpy(foo, "bang!");
&unix; compilers often put string literals like
"My string" into read-only areas
of memory.Doing naughty things with
malloc() and
free(), egchar bar[80];
free(bar);
orchar *foo = malloc(27);
free(foo);
free(foo);
Making one of these mistakes will not always lead to
an error, but they are always bad practice. Some
systems and compilers are more tolerant than others,
which is why programs that ran well on one system can
crash when you try them on an another.Sometimes when I get a core dump it says
bus error. It says in my &unix;
book that this means a hardware problem, but the
computer still seems to be working. Is this
true?No, fortunately not (unless of course you really do
have a hardware problem…). This is usually
another way of saying that you accessed memory in a way
you should not have.This dumping core business sounds as though it could
be quite useful, if I can make it happen when I want to.
Can I do this, or do I have to wait until there is an
error?Yes, just go to another console or xterm, do&prompt.user; psto find out the process ID of your program, and
do&prompt.user; kill -ABRT pidwhere
pid is
the process ID you looked up.This is useful if your program has got stuck in an
infinite loop, for instance. If your program happens to
trap SIGABRT, there are several other
signals which have a similar effect.Alternatively, you can create a core dump from
inside your program, by calling the
abort() function. See the manual page
of &man.abort.3; to learn more.If you want to create a core dump from outside your
program, but do not want the process to terminate, you
can use the gcore program. See the
manual page of &man.gcore.1; for more information.MakeWhat is make?When you are working on a simple program with only one or
two source files, typing in&prompt.user; cc file1.c file2.cis not too bad, but it quickly becomes very tedious when
there are several files—and it can take a while to
compile, too.One way to get around this is to use object files and only
recompile the source file if the source code has changed. So
we could have something like:&prompt.user; cc file1.o file2.o … file37.c …if we had changed file37.c, but not any
of the others, since the last time we compiled. This may
speed up the compilation quite a bit, but does not solve the
typing problem.Or we could write a shell script to solve the typing
problem, but it would have to re-compile everything, making it
very inefficient on a large project.What happens if we have hundreds of source files lying
about? What if we are working in a team with other people who
forget to tell us when they have changed one of their source
files that we use?Perhaps we could put the two solutions together and write
something like a shell script that would contain some kind of
magic rule saying when a source file needs compiling. Now all
we need now is a program that can understand these rules, as
it is a bit too complicated for the shell.This program is called make. It reads
in a file, called a makefile, that
tells it how different files depend on each other, and works
out which files need to be re-compiled and which ones do not.
For example, a rule could say something like if
fromboz.o is older than
fromboz.c, that means someone must have
changed fromboz.c, so it needs to be
re-compiled. The makefile also has rules telling
make how to re-compile the source file,
making it a much more powerful tool.Makefiles are typically kept in the same directory as the
source they apply to, and can be called
makefile, Makefile
or MAKEFILE. Most programmers use the
name Makefile, as this puts it near the
top of a directory listing, where it can easily be
seen.
They do not use the MAKEFILE form
as block capitals are often used for documentation files
like README.Example of using makeHere is a very simple make file:foo: foo.c
cc -o foo foo.cIt consists of two lines, a dependency line and a creation
line.The dependency line here consists of the name of the
program (known as the target), followed
by a colon, then whitespace, then the name of the source file.
When make reads this line, it looks to see
if foo exists; if it exists, it compares
the time foo was last modified to the
time foo.c was last modified. If
foo does not exist, or is older than
foo.c, it then looks at the creation line
to find out what to do. In other words, this is the rule for
working out when foo.c needs to be
re-compiled.The creation line starts with a tab (press
the tab key) and then the command you would
type to create foo if you were doing it
at a command prompt. If foo is out of
date, or does not exist, make then executes
this command to create it. In other words, this is the rule
which tells make how to re-compile
foo.c.So, when you type make, it will
make sure that foo is up to date with
respect to your latest changes to foo.c.
This principle can be extended to
Makefiles with hundreds of
targets—in fact, on FreeBSD, it is possible to compile
the entire operating system just by typing make
world in the appropriate directory!Another useful property of makefiles is that the targets
do not have to be programs. For instance, we could have a make
file that looks like this:foo: foo.c
cc -o foo foo.c
install:
cp foo /home/meWe can tell make which target we want to make by
typing:&prompt.user; make targetmake will then only look at that target
and ignore any others. For example, if we type
make foo with the makefile above, make
will ignore the install target.If we just type make on its own,
make will always look at the first target and then stop
without looking at any others. So if we typed
make here, it will just go to the
foo target, re-compile
foo if necessary, and then stop without
going on to the install target.Notice that the install target does not
actually depend on anything! This means that the command on
the following line is always executed when we try to make that
target by typing make install. In this
case, it will copy foo into the user's
home directory. This is often used by application makefiles,
so that the application can be installed in the correct
directory when it has been correctly compiled.This is a slightly confusing subject to try to explain.
If you do not quite understand how make
works, the best thing to do is to write a simple program like
hello world and a make file like the one above
and experiment. Then progress to using more than one source
file, or having the source file include a header file. The
touch command is very useful here—it
changes the date on a file without you having to edit
it.Make and include-filesC code often starts with a list of files to include, for
example stdio.h. Some of these files are system-include
files, some of them are from the project you are now working
on:
#include <stdio.h>
#include "foo.h"
int main(....To make sure that this file is recompiled the moment
foo.h is changed, you have to add it in
your Makefile:foo: foo.c foo.hThe moment your project is getting bigger and you have
more and more own include-files to maintain, it will be a
pain to keep track of all include files and the files which
are depending on it. If you change an include-file but
forget to recompile all the files which are depending on
it, the results will be devastating. gcc
has an option to analyze your files and to produce a list
of include-files and their dependencies: .
If you add this to your Makefile:depend:
gcc -E -MM *.c > .dependand run make depend, the file
.depend will appear with a list of
object-files, C-files and the include-files:foo.o: foo.c foo.hIf you change foo.h, next time
you run make all files depending on
foo.h will be recompiled.Do not forget to run make depend each
time you add an include-file to one of your files.FreeBSD MakefilesMakefiles can be rather complicated to write. Fortunately,
BSD-based systems like FreeBSD come with some very powerful
ones as part of the system. One very good example of this is
the FreeBSD ports system. Here is the essential part of a
typical ports Makefile:MASTER_SITES= ftp://freefall.cdrom.com/pub/FreeBSD/LOCAL_PORTS/
DISTFILES= scheme-microcode+dist-7.3-freebsd.tgz
.include <bsd.port.mk>Now, if we go to the directory for this port and type
make, the following happens:A check is made to see if the source code for this
port is already on the system.If it is not, an FTP connection to the URL in
MASTER_SITES is set up to download the
source.The checksum for the source is calculated and compared
it with one for a known, good, copy of the source. This
is to make sure that the source was not corrupted while in
transit.Any changes required to make the source work on
FreeBSD are applied—this is known as
patching.Any special configuration needed for the source is
done. (Many &unix; program distributions try to work out
which version of &unix; they are being compiled on and which
optional &unix; features are present—this is where
they are given the information in the FreeBSD ports
scenario).The source code for the program is compiled. In
effect, we change to the directory where the source was
unpacked and do make—the
program's own make file has the necessary information to
build the program.We now have a compiled version of the program. If we
wish, we can test it now; when we feel confident about the
program, we can type make install.
This will cause the program and any supporting files it
needs to be copied into the correct location; an entry is
also made into a package database, so
that the port can easily be uninstalled later if we change
our mind about it.Now I think you will agree that is rather impressive for a
four line script!The secret lies in the last line, which tells
make to look in the system makefile called
bsd.port.mk. It is easy to overlook this
line, but this is where all the clever stuff comes
from—someone has written a makefile that tells
make to do all the things above (plus a
couple of other things I did not mention, including handling
any errors that may occur) and anyone can get access to that
just by putting a single line in their own make file!If you want to have a look at these system makefiles,
they are in /usr/share/mk, but it is
probably best to wait until you have had a bit of practice with
makefiles, as they are very complicated (and if you do look at
them, make sure you have a flask of strong coffee
handy!)More advanced uses of makeMake is a very powerful tool, and can
do much more than the simple example above shows.
Unfortunately, there are several different versions of
make, and they all differ considerably.
The best way to learn what they can do is probably to read the
documentation—hopefully this introduction will have
given you a base from which you can do this.The version of make that comes with FreeBSD is the
Berkeley make; there is a tutorial
for it in /usr/share/doc/psd/12.make. To
view it, do&prompt.user; zmore paper.ascii.gzin that directory.Many applications in the ports use GNU
make, which has a very good set of
info pages. If you have installed any of these
ports, GNU make will automatically
have been installed as gmake. It is also
available as a port and package in its own right.To view the info pages for GNU
make, you will have to edit the
dir file in the
/usr/local/info directory to add an entry
for it. This involves adding a line like * Make: (make). The GNU Make utility.to the file. Once you have done this, you can type
info and then select
make from the menu (or in
Emacs, do C-h
i).DebuggingThe DebuggerThe debugger that comes with FreeBSD is called
gdb (GNU
debugger). You start it up by typing&prompt.user; gdb prognamealthough many people prefer to run it inside
Emacs. You can do this by:M-x gdb RET progname RETUsing a debugger allows you to run the program under more
controlled circumstances. Typically, you can step through the
program a line at a time, inspect the value of variables,
change them, tell the debugger to run up to a certain point
and then stop, and so on. You can even attach to a program
that is already running, or load a core file to investigate why
the program crashed. It is even possible to debug the kernel,
though that is a little trickier than the user applications
we will be discussing in this section.gdb has quite good on-line help, as
well as a set of info pages, so this section will concentrate
on a few of the basic commands.Finally, if you find its text-based command-prompt style
off-putting, there is a graphical front-end for it
- (devel/xxgdb) in the Ports
+ (devel/xxgdb) in the Ports
Collection.This section is intended to be an introduction to using
gdb and does not cover specialized topics
such as debugging the kernel.Running a program in the debuggerYou will need to have compiled the program with the
option to get the most out of using
gdb. It will work without, but you will only
see the name of the function you are in, instead of the source
code. If you see a line like:… (no debugging symbols found) …when gdb starts up, you will know that
the program was not compiled with the
option.At the gdb prompt, type
break main. This will tell the
debugger that you are not interested in watching the
preliminary set-up code in the program being run, and that it
should stop execution at the beginning of your code. Now type
run to start the program—it will
start at the beginning of the set-up code and then get stopped
by the debugger when it calls main().
(If you have ever wondered where main()
gets called from, now you know!).You can now step through the program, a line at a time, by
pressing n. If you get to a function call,
you can step into it by pressing s. Once
you are in a function call, you can return from stepping into a
function call by pressing f. You can also
use up and down to take
a quick look at the caller.Here is a simple example of how to spot a mistake in a
program with gdb. This is our program
(with a deliberate mistake):#include <stdio.h>
int bazz(int anint);
main() {
int i;
printf("This is my program\n");
bazz(i);
return 0;
}
int bazz(int anint) {
printf("You gave me %d\n", anint);
return anint;
}This program sets i to be
5 and passes it to a function
bazz() which prints out the number we
gave it.When we compile and run the program we get&prompt.user; cc -g -o temp temp.c
&prompt.user; ./temp
This is my program
anint = 4231That was not what we expected! Time to see what is going
on!&prompt.user; gdb temp
GDB is free software and you are welcome to distribute copies of it
under certain conditions; type "show copying" to see the conditions.
There is absolutely no warranty for GDB; type "show warranty" for details.
GDB 4.13 (i386-unknown-freebsd), Copyright 1994 Free Software Foundation, Inc.
(gdb) break mainSkip the set-up code
Breakpoint 1 at 0x160f: file temp.c, line 9. gdb puts breakpoint at main()
(gdb) runRun as far as main()
Starting program: /home/james/tmp/temp Program starts running
Breakpoint 1, main () at temp.c:9 gdb stops at main()
(gdb) nGo to next line
This is my program Program prints out
(gdb) sstep into bazz()
bazz (anint=4231) at temp.c:17 gdb displays stack frame
(gdb)Hang on a minute! How did anint get to be
4231? Did we not we set it to be
5 in main()? Let's
move up to main() and have a look.(gdb) upMove up call stack
#1 0x1625 in main () at temp.c:11 gdb displays stack frame
(gdb) p iShow us the value of i
$1 = 4231 gdb displays 4231Oh dear! Looking at the code, we forgot to initialize
i. We meant to put…
main() {
int i;
i = 5;
printf("This is my program\n");
…but we left the i=5; line out. As we
did not initialize i, it had whatever number
happened to be in that area of memory when the program ran,
which in this case happened to be
4231.gdb displays the stack frame every
time we go into or out of a function, even if we are using
up and down to move
around the call stack. This shows the name of the function
and the values of its arguments, which helps us keep track
of where we are and what is going on. (The stack is a
storage area where the program stores information about the
arguments passed to functions and where to go when it
returns from a function call).Examining a core fileA core file is basically a file which contains the
complete state of the process when it crashed. In the
good old days, programmers had to print out hex
listings of core files and sweat over machine code manuals,
but now life is a bit easier. Incidentally, under FreeBSD and
other 4.4BSD systems, a core file is called
progname.core instead of just
core, to make it clearer which program a
core file belongs to.To examine a core file, start up gdb in
the usual way. Instead of typing break or
run, type(gdb) core progname.coreIf you are not in the same directory as the core file,
you will have to do dir
/path/to/core/file first.You should see something like this:&prompt.user; gdb a.out
GDB is free software and you are welcome to distribute copies of it
under certain conditions; type "show copying" to see the conditions.
There is absolutely no warranty for GDB; type "show warranty" for details.
GDB 4.13 (i386-unknown-freebsd), Copyright 1994 Free Software Foundation, Inc.
(gdb) core a.out.core
Core was generated by `a.out'.
Program terminated with signal 11, Segmentation fault.
Cannot access memory at address 0x7020796d.
#0 0x164a in bazz (anint=0x5) at temp.c:17
(gdb)In this case, the program was called
a.out, so the core file is called
a.out.core. We can see that the program
crashed due to trying to access an area in memory that was not
available to it in a function called
bazz.Sometimes it is useful to be able to see how a function was
called, as the problem could have occurred a long way up the
call stack in a complex program. The bt
command causes gdb to print out a
back-trace of the call stack:(gdb) bt
#0 0x164a in bazz (anint=0x5) at temp.c:17
#1 0xefbfd888 in end ()
#2 0x162c in main () at temp.c:11
(gdb)The end() function is called when a
program crashes; in this case, the bazz()
function was called from main().Attaching to a running programOne of the neatest features about gdb
is that it can attach to a program that is already running. Of
course, that assumes you have sufficient permissions to do so.
A common problem is when you are stepping through a program
that forks, and you want to trace the child, but the debugger
will only let you trace the parent.What you do is start up another gdb,
use ps to find the process ID for the
child, and do(gdb) attach pidin gdb, and then debug as usual.That is all very well, you are probably
thinking, but by the time I have done that, the child
process will be over the hill and far away. Fear
not, gentle reader, here is how to do it (courtesy of the
gdb info pages):…
if ((pid = fork()) < 0) /* _Always_ check this */
error();
else if (pid == 0) { /* child */
int PauseMode = 1;
while (PauseMode)
sleep(10); /* Wait until someone attaches to us */
…
} else { /* parent */
…Now all you have to do is attach to the child, set
PauseMode to 0, and wait
for the sleep() call to return!Using Emacs as a Development EnvironmentEmacsUnfortunately, &unix; systems do not come with the kind of
everything-you-ever-wanted-and-lots-more-you-did-not-in-one-gigantic-package
integrated development environments that other systems
have.
Some powerful, free IDEs now exist, such as KDevelop
in the Ports Collection.
However, it is possible to set up your own environment. It
may not be as pretty, and it may not be quite as integrated,
but you can set it up the way you want it. And it is free.
And you have the source to it.The key to it all is Emacs. Now there are some people who
loathe it, but many who love it. If you are one of the former,
I am afraid this section will hold little of interest to you.
Also, you will need a fair amount of memory to run it—I would
recommend 8MB in text mode and 16MB in X as the bare minimum
to get reasonable performance.Emacs is basically a highly customizable
editor—indeed, it has been customized to the point where
it is more like an operating system than an editor! Many
developers and sysadmins do in fact spend practically all
their time working inside Emacs, leaving it only to log
out.It is impossible even to summarize everything Emacs can do
here, but here are some of the features of interest to
developers:Very powerful editor, allowing search-and-replace on
both strings and regular expressions (patterns), jumping
to start/end of block expression, etc, etc.Pull-down menus and online help.Language-dependent syntax highlighting and
indentation.Completely customizable.You can compile and debug programs within
Emacs.On a compilation error, you can jump to the offending
line of source code.Friendly-ish front-end to the info
program used for reading GNU hypertext documentation,
including the documentation on Emacs itself.Friendly front-end to gdb, allowing
you to look at the source code as you step through your
program.You can read Usenet news and mail while your program
is compiling.And doubtless many more that I have overlooked.Emacs can be installed on &os; using
- the editors/emacs
+ the editors/emacs
port.Once it is installed, start it up and do C-h
t to read an Emacs tutorial—that means
hold down the control key, press
h, let go of the control
key, and then press t. (Alternatively, you
can you use the mouse to select Emacs
Tutorial from the Help
menu).Although Emacs does have menus, it is well worth learning
the key bindings, as it is much quicker when you are editing
something to press a couple of keys than to try to find the
mouse and then click on the right place. And, when you are
talking to seasoned Emacs users, you will find they often
casually throw around expressions like M-x
replace-s RET foo RET bar RET so it is
useful to know what they mean. And in any case, Emacs has far
too many useful functions for them to all fit on the menu
bars.Fortunately, it is quite easy to pick up the key-bindings,
as they are displayed next to the menu item. My advice is to
use the menu item for, say, opening a file until you
understand how it works and feel confident with it, then try
doing C-x C-f. When you are happy with that, move on to
another menu command.If you can not remember what a particular combination of
keys does, select Describe Key from
the Help menu and type it in—Emacs
will tell you what it does. You can also use the
Command Apropos menu item to find
out all the commands which contain a particular word in them,
with the key binding next to it.By the way, the expression above means hold down the
Meta key, press x, release
the Meta key, type
replace-s (short for
replace-string—another feature of
Emacs is that you can abbreviate commands), press the
return key, type foo
(the string you want replaced), press the
return key, type bar (the string you want to
replace foo with) and press
return again. Emacs will then do the
search-and-replace operation you have just requested.If you are wondering what on earth the
Meta key is, it is a special key that many
&unix; workstations have. Unfortunately, PC's do not have one,
so it is usually the alt key (or if you are
unlucky, the escape key).Oh, and to get out of Emacs, do C-x C-c
(that means hold down the control key, press
x, press c and release the
control key). If you have any unsaved files
open, Emacs will ask you if you want to save them. (Ignore
the bit in the documentation where it says
C-z is the usual way to leave
Emacs—that leaves Emacs hanging around in the
background, and is only really useful if you are on a system
which does not have virtual terminals).Configuring EmacsEmacs does many wonderful things; some of them are built
in, some of them need to be configured.Instead of using a proprietary macro language for
configuration, Emacs uses a version of Lisp specially adapted
for editors, known as Emacs Lisp. Working with Emacs Lisp can
be quite helpful if you want to go on and learn something like
Common Lisp. Emacs Lisp has many features of Common Lisp,
although it is considerably smaller (and thus easier to
master).The best way to learn Emacs Lisp is to download the Emacs
TutorialHowever, there is no need to actually know any Lisp to get
started with configuring Emacs, as I have included a sample
.emacs file, which should be enough to
get you started. Just copy it into your home directory and
restart Emacs if it is already running; it will read the
commands from the file and (hopefully) give you a useful basic
setup.A sample .emacs fileUnfortunately, there is far too much here to explain it in
detail; however there are one or two points worth
mentioning.Everything beginning with a ; is a comment
and is ignored by Emacs.In the first line, the
-*- Emacs-Lisp -*- is so that
we can edit the .emacs file itself
within Emacs and get all the fancy features for editing
Emacs Lisp. Emacs usually tries to guess this based on
the filename, and may not get it right for
.emacs.The tab key is bound to an
indentation function in some modes, so when you press the
tab key, it will indent the current line of code. If you
want to put a tab character in whatever
you are writing, hold the control key down
while you are pressing the tab key.This file supports syntax highlighting for C, C++,
Perl, Lisp and Scheme, by guessing the language from the
filename.Emacs already has a pre-defined function called
next-error. In a compilation output
window, this allows you to move from one compilation error
to the next by doing M-n; we define a
complementary function,
previous-error, that allows you to go
to a previous error by doing M-p. The
nicest feature of all is that C-c C-c
will open up the source file in which the error occurred
and jump to the appropriate line.We enable Emacs's ability to act as a server, so that
if you are doing something outside Emacs and you want to
edit a file, you can just type in&prompt.user; emacsclient filenameand then you can edit the file in your
Emacs!
Many Emacs users set their EDITOR
environment to
emacsclient so this happens every
time they need to edit a file.A sample .emacs file;; -*-Emacs-Lisp-*-
;; This file is designed to be re-evaled; use the variable first-time
;; to avoid any problems with this.
(defvar first-time t
"Flag signifying this is the first time that .emacs has been evaled")
;; Meta
(global-set-key "\M- " 'set-mark-command)
(global-set-key "\M-\C-h" 'backward-kill-word)
(global-set-key "\M-\C-r" 'query-replace)
(global-set-key "\M-r" 'replace-string)
(global-set-key "\M-g" 'goto-line)
(global-set-key "\M-h" 'help-command)
;; Function keys
(global-set-key [f1] 'manual-entry)
(global-set-key [f2] 'info)
(global-set-key [f3] 'repeat-complex-command)
(global-set-key [f4] 'advertised-undo)
(global-set-key [f5] 'eval-current-buffer)
(global-set-key [f6] 'buffer-menu)
(global-set-key [f7] 'other-window)
(global-set-key [f8] 'find-file)
(global-set-key [f9] 'save-buffer)
(global-set-key [f10] 'next-error)
(global-set-key [f11] 'compile)
(global-set-key [f12] 'grep)
(global-set-key [C-f1] 'compile)
(global-set-key [C-f2] 'grep)
(global-set-key [C-f3] 'next-error)
(global-set-key [C-f4] 'previous-error)
(global-set-key [C-f5] 'display-faces)
(global-set-key [C-f8] 'dired)
(global-set-key [C-f10] 'kill-compilation)
;; Keypad bindings
(global-set-key [up] "\C-p")
(global-set-key [down] "\C-n")
(global-set-key [left] "\C-b")
(global-set-key [right] "\C-f")
(global-set-key [home] "\C-a")
(global-set-key [end] "\C-e")
(global-set-key [prior] "\M-v")
(global-set-key [next] "\C-v")
(global-set-key [C-up] "\M-\C-b")
(global-set-key [C-down] "\M-\C-f")
(global-set-key [C-left] "\M-b")
(global-set-key [C-right] "\M-f")
(global-set-key [C-home] "\M-<")
(global-set-key [C-end] "\M->")
(global-set-key [C-prior] "\M-<")
(global-set-key [C-next] "\M->")
;; Mouse
(global-set-key [mouse-3] 'imenu)
;; Misc
(global-set-key [C-tab] "\C-q\t") ; Control tab quotes a tab.
(setq backup-by-copying-when-mismatch t)
;; Treat 'y' or <CR> as yes, 'n' as no.
(fset 'yes-or-no-p 'y-or-n-p)
(define-key query-replace-map [return] 'act)
(define-key query-replace-map [?\C-m] 'act)
;; Load packages
(require 'desktop)
(require 'tar-mode)
;; Pretty diff mode
(autoload 'ediff-buffers "ediff" "Intelligent Emacs interface to diff" t)
(autoload 'ediff-files "ediff" "Intelligent Emacs interface to diff" t)
(autoload 'ediff-files-remote "ediff"
"Intelligent Emacs interface to diff")
(if first-time
(setq auto-mode-alist
(append '(("\\.cpp$" . c++-mode)
("\\.hpp$" . c++-mode)
("\\.lsp$" . lisp-mode)
("\\.scm$" . scheme-mode)
("\\.pl$" . perl-mode)
) auto-mode-alist)))
;; Auto font lock mode
(defvar font-lock-auto-mode-list
(list 'c-mode 'c++-mode 'c++-c-mode 'emacs-lisp-mode 'lisp-mode 'perl-mode 'scheme-mode)
"List of modes to always start in font-lock-mode")
(defvar font-lock-mode-keyword-alist
'((c++-c-mode . c-font-lock-keywords)
(perl-mode . perl-font-lock-keywords))
"Associations between modes and keywords")
(defun font-lock-auto-mode-select ()
"Automatically select font-lock-mode if the current major mode is in font-lock-auto-mode-list"
(if (memq major-mode font-lock-auto-mode-list)
(progn
(font-lock-mode t))
)
)
(global-set-key [M-f1] 'font-lock-fontify-buffer)
;; New dabbrev stuff
;(require 'new-dabbrev)
(setq dabbrev-always-check-other-buffers t)
(setq dabbrev-abbrev-char-regexp "\\sw\\|\\s_")
(add-hook 'emacs-lisp-mode-hook
'(lambda ()
(set (make-local-variable 'dabbrev-case-fold-search) nil)
(set (make-local-variable 'dabbrev-case-replace) nil)))
(add-hook 'c-mode-hook
'(lambda ()
(set (make-local-variable 'dabbrev-case-fold-search) nil)
(set (make-local-variable 'dabbrev-case-replace) nil)))
(add-hook 'text-mode-hook
'(lambda ()
(set (make-local-variable 'dabbrev-case-fold-search) t)
(set (make-local-variable 'dabbrev-case-replace) t)))
;; C++ and C mode...
(defun my-c++-mode-hook ()
(setq tab-width 4)
(define-key c++-mode-map "\C-m" 'reindent-then-newline-and-indent)
(define-key c++-mode-map "\C-ce" 'c-comment-edit)
(setq c++-auto-hungry-initial-state 'none)
(setq c++-delete-function 'backward-delete-char)
(setq c++-tab-always-indent t)
(setq c-indent-level 4)
(setq c-continued-statement-offset 4)
(setq c++-empty-arglist-indent 4))
(defun my-c-mode-hook ()
(setq tab-width 4)
(define-key c-mode-map "\C-m" 'reindent-then-newline-and-indent)
(define-key c-mode-map "\C-ce" 'c-comment-edit)
(setq c-auto-hungry-initial-state 'none)
(setq c-delete-function 'backward-delete-char)
(setq c-tab-always-indent t)
;; BSD-ish indentation style
(setq c-indent-level 4)
(setq c-continued-statement-offset 4)
(setq c-brace-offset -4)
(setq c-argdecl-indent 0)
(setq c-label-offset -4))
;; Perl mode
(defun my-perl-mode-hook ()
(setq tab-width 4)
(define-key c++-mode-map "\C-m" 'reindent-then-newline-and-indent)
(setq perl-indent-level 4)
(setq perl-continued-statement-offset 4))
;; Scheme mode...
(defun my-scheme-mode-hook ()
(define-key scheme-mode-map "\C-m" 'reindent-then-newline-and-indent))
;; Emacs-Lisp mode...
(defun my-lisp-mode-hook ()
(define-key lisp-mode-map "\C-m" 'reindent-then-newline-and-indent)
(define-key lisp-mode-map "\C-i" 'lisp-indent-line)
(define-key lisp-mode-map "\C-j" 'eval-print-last-sexp))
;; Add all of the hooks...
(add-hook 'c++-mode-hook 'my-c++-mode-hook)
(add-hook 'c-mode-hook 'my-c-mode-hook)
(add-hook 'scheme-mode-hook 'my-scheme-mode-hook)
(add-hook 'emacs-lisp-mode-hook 'my-lisp-mode-hook)
(add-hook 'lisp-mode-hook 'my-lisp-mode-hook)
(add-hook 'perl-mode-hook 'my-perl-mode-hook)
;; Complement to next-error
(defun previous-error (n)
"Visit previous compilation error message and corresponding source code."
(interactive "p")
(next-error (- n)))
;; Misc...
(transient-mark-mode 1)
(setq mark-even-if-inactive t)
(setq visible-bell nil)
(setq next-line-add-newlines nil)
(setq compile-command "make")
(setq suggest-key-bindings nil)
(put 'eval-expression 'disabled nil)
(put 'narrow-to-region 'disabled nil)
(put 'set-goal-column 'disabled nil)
(if (>= emacs-major-version 21)
(setq show-trailing-whitespace t))
;; Elisp archive searching
(autoload 'format-lisp-code-directory "lispdir" nil t)
(autoload 'lisp-dir-apropos "lispdir" nil t)
(autoload 'lisp-dir-retrieve "lispdir" nil t)
(autoload 'lisp-dir-verify "lispdir" nil t)
;; Font lock mode
(defun my-make-face (face color &optional bold)
"Create a face from a color and optionally make it bold"
(make-face face)
(copy-face 'default face)
(set-face-foreground face color)
(if bold (make-face-bold face))
)
(if (eq window-system 'x)
(progn
(my-make-face 'blue "blue")
(my-make-face 'red "red")
(my-make-face 'green "dark green")
(setq font-lock-comment-face 'blue)
(setq font-lock-string-face 'bold)
(setq font-lock-type-face 'bold)
(setq font-lock-keyword-face 'bold)
(setq font-lock-function-name-face 'red)
(setq font-lock-doc-string-face 'green)
(add-hook 'find-file-hooks 'font-lock-auto-mode-select)
(setq baud-rate 1000000)
(global-set-key "\C-cmm" 'menu-bar-mode)
(global-set-key "\C-cms" 'scroll-bar-mode)
(global-set-key [backspace] 'backward-delete-char)
; (global-set-key [delete] 'delete-char)
(standard-display-european t)
(load-library "iso-transl")))
;; X11 or PC using direct screen writes
(if window-system
(progn
;; (global-set-key [M-f1] 'hilit-repaint-command)
;; (global-set-key [M-f2] [?\C-u M-f1])
(setq hilit-mode-enable-list
'(not text-mode c-mode c++-mode emacs-lisp-mode lisp-mode
scheme-mode)
hilit-auto-highlight nil
hilit-auto-rehighlight 'visible
hilit-inhibit-hooks nil
hilit-inhibit-rebinding t)
(require 'hilit19)
(require 'paren))
(setq baud-rate 2400) ; For slow serial connections
)
;; TTY type terminal
(if (and (not window-system)
(not (equal system-type 'ms-dos)))
(progn
(if first-time
(progn
(keyboard-translate ?\C-h ?\C-?)
(keyboard-translate ?\C-? ?\C-h)))))
;; Under UNIX
(if (not (equal system-type 'ms-dos))
(progn
(if first-time
(server-start))))
;; Add any face changes here
(add-hook 'term-setup-hook 'my-term-setup-hook)
(defun my-term-setup-hook ()
(if (eq window-system 'pc)
(progn
;; (set-face-background 'default "red")
)))
;; Restore the "desktop" - do this as late as possible
(if first-time
(progn
(desktop-load-default)
(desktop-read)))
;; Indicate that this file has been read at least once
(setq first-time nil)
;; No need to debug anything now
(setq debug-on-error nil)
;; All done
(message "All done, %s%s" (user-login-name) ".")
Extending the Range of Languages Emacs UnderstandsNow, this is all very well if you only want to program in
the languages already catered for in the
.emacs file (C, C++, Perl, Lisp and
Scheme), but what happens if a new language called
whizbang comes out, full of exciting
features?The first thing to do is find out if whizbang comes with
any files that tell Emacs about the language. These usually
end in .el, short for Emacs
Lisp. For example, if whizbang is a FreeBSD port, we
can locate these files by doing&prompt.user; find /usr/ports/lang/whizbang -name "*.el" -printand install them by copying them into the Emacs site Lisp
directory. On &os;, this is
/usr/local/share/emacs/site-lisp.So for example, if the output from the find command
was/usr/ports/lang/whizbang/work/misc/whizbang.elwe would do&prompt.root; cp /usr/ports/lang/whizbang/work/misc/whizbang.el /usr/local/share/emacs/site-lispNext, we need to decide what extension whizbang source
files have. Let's say for the sake of argument that they all
end in .wiz. We need to add an entry to
our .emacs file to make sure Emacs will
be able to use the information in
whizbang.el.Find the auto-mode-alist entry in
.emacs and add a line for whizbang, such
as:…
("\\.lsp$" . lisp-mode)
("\\.wiz$" . whizbang-mode)
("\\.scm$" . scheme-mode)
…This means that Emacs will automatically go into
whizbang-mode when you edit a file ending
in .wiz.Just below this, you will find the
font-lock-auto-mode-list entry. Add
whizbang-mode to it like so:;; Auto font lock mode
(defvar font-lock-auto-mode-list
(list 'c-mode 'c++-mode 'c++-c-mode 'emacs-lisp-mode 'whizbang-mode 'lisp-mode 'perl-mode 'scheme-mode)
"List of modes to always start in font-lock-mode")This means that Emacs will always enable
font-lock-mode (ie syntax highlighting)
when editing a .wiz file.And that is all that is needed. If there is anything else
you want done automatically when you open up a
.wiz file, you can add a
whizbang-mode hook (see
my-scheme-mode-hook for a simple example
that adds auto-indent).Further ReadingFor information about setting up a development environment
for contributing fixes to FreeBSD itself, please see
&man.development.7;.Brian Harvey and Matthew Wright
Simply Scheme
MIT 1994.
ISBN 0-262-08226-8Randall Schwartz
Learning Perl
O'Reilly 1993
ISBN 1-56592-042-2Patrick Henry Winston and Berthold Klaus Paul Horn
Lisp (3rd Edition)
Addison-Wesley 1989
ISBN 0-201-08319-1Brian W. Kernighan and Rob Pike
The Unix Programming Environment
Prentice-Hall 1984
ISBN 0-13-937681-XBrian W. Kernighan and Dennis M. Ritchie
The C Programming Language (2nd Edition)
Prentice-Hall 1988
ISBN 0-13-110362-8Bjarne Stroustrup
The C++ Programming Language
Addison-Wesley 1991
ISBN 0-201-53992-6W. Richard Stevens
Advanced Programming in the Unix Environment
Addison-Wesley 1992
ISBN 0-201-56317-7W. Richard Stevens
Unix Network Programming
Prentice-Hall 1990
ISBN 0-13-949876-1
diff --git a/en_US.ISO8859-1/books/faq/book.sgml b/en_US.ISO8859-1/books/faq/book.sgml
index 0949f7772d..c4b4efc54d 100644
--- a/en_US.ISO8859-1/books/faq/book.sgml
+++ b/en_US.ISO8859-1/books/faq/book.sgml
@@ -1,11313 +1,11313 @@
%books.ent;
]>
Frequently Asked Questions for &os;
6.X and
7.XThe &os; Documentation Project$FreeBSD$19951996199719981999200020012002200320042005200620072008The &os; Documentation Project
&bookinfo.legalnotice;
&tm-attrib.freebsd;
&tm-attrib.3com;
&tm-attrib.adobe;
&tm-attrib.creative;
&tm-attrib.cvsup;
&tm-attrib.ibm;
&tm-attrib.ieee;
&tm-attrib.intel;
&tm-attrib.iomega;
&tm-attrib.linux;
&tm-attrib.microsoft;
&tm-attrib.mips;
&tm-attrib.netscape;
&tm-attrib.opengroup;
&tm-attrib.oracle;
&tm-attrib.sgi;
&tm-attrib.sparc;
&tm-attrib.sun;
&tm-attrib.usrobotics;
&tm-attrib.xfree86;
&tm-attrib.general;
This is the FAQ for &os; versions
6.X and
7.X. All entries are assumed to be
relevant to &os; 6.X and later,
unless otherwise noted. If you are interested in helping with
this project, send email to the &a.doc;. The latest version of
this document is always available from the &os; World Wide Web server.
It may also be downloaded as one large HTML file with HTTP or as plain text,
&postscript;, PDF, etc. from the &os; FTP
server. You may also want to Search the FAQ.
IntroductionWelcome to the &os;
6.X-7.X
FAQ!As is usual with Usenet FAQs, this document aims to cover the
most frequently asked questions concerning the &os; operating
system (and of course answer them!). Although originally intended
to reduce bandwidth and avoid the same old questions being asked
over and over again, FAQs have become recognized as valuable
information resources.Every effort has been made to make this FAQ as informative as
possible; if you have any suggestions as to how it may be
improved, please feel free to mail them to the &a.doc;.What is &os;?Briefly, &os; is a &unix; like operating system for
AMD64 and &intel; EM64T, &i386; PC-98, IA-64, &arm;,
&powerpc; and &ultrasparc; platforms based on U.C.
Berkeley's 4.4BSD-Lite release, with some
4.4BSD-Lite2 enhancements. It is also based
indirectly on William Jolitz's port of U.C. Berkeley's
Net/2 to the &i386;, known as
386BSD, though very little of the 386BSD code
remains. A fuller description of what &os; is and how it
can work for you may be found on the &os; home page.
&os; is used by companies, Internet Service Providers,
researchers, computer professionals, students and home users
all over the world in their work, education and
recreation.For more detailed information on &os;, please see the
&os; Handbook.
What is the goal of the &os; Project?The goal of the &os; Project is to provide software that
may be used for any purpose and without strings attached.
Many of us have a significant investment in the code (and
project) and would certainly not mind a little financial
compensation now and then, but we definitely do not insist
on it. We believe that our first and foremost
mission is to provide code to any and all
comers, and for whatever purpose, so that the code gets the
widest possible use and provides the widest possible
benefit. This is, we believe, one of the most fundamental
goals of Free Software and one that we enthusiastically
support.That code in our source tree which falls under the
GNU General Public License (GPL)
or GNU Library General Public License (LGPL)
comes with slightly more strings attached, though at least
on the side of enforced access rather than the usual
opposite. Due to the additional complexities that can
evolve in the commercial use of GPL software, we do,
however, endeavor to replace such software with submissions
under the more relaxed &os; license
whenever possible.Does the &os; license have any restrictions?Yes. Those restrictions do not control how you use the
code, merely how you treat the &os; Project itself. If you
have serious license concerns, read the actual license.
For the simply curious, the license can be summarized like
this.Do not claim that you wrote this.Do not sue us if it breaks.Can &os; replace my current operating system?For most people, yes. But this question is not quite
that cut-and-dried.Most people do not actually use an operating system.
They use applications. The applications are what really use
the operating system. &os; is designed to provide a robust
and full-featured environment for applications. It supports
a wide variety of web browsers, office suites, email
readers, graphics programs, programming environments,
network servers, and just about everything else you might
want. Most of these applications can be managed through the
Ports Collection.
If you need to use an application that is only available
on one operating system, you simply cannot replace that
operating system. Chances are there is a very similar
application on &os;, however. If you want a solid office or
Internet server, a reliable workstation, or just the ability
to do your job without interruptions, &os; will almost
certainly do everything you need. Many computer users
across the world, including both novices and experienced
&unix; administrators, use &os; as their only desktop
operating system.If you are migrating to &os; from some other &unix;
environment, you already know most of what you need to. If
your background is in graphic-driven operating systems such
as &windows; and older versions of &macos;, expect to invest
additional time learning the &unix; way of doing things.
This FAQ and the &os; Handbook
are excellent places to start.Why is it called &os;?It may be used free of charge, even by commercial
users.Full source for the operating system is freely
available, and the minimum possible restrictions have
been placed upon its use, distribution and incorporation
into other work (commercial or non-commercial).Anyone who has an improvement or bug fix is free to
submit their code and have it added to the source tree
(subject to one or two obvious provisions).It is worth pointing out that the word
free is being used in two ways here, one
meaning at no cost, the other meaning
you can do whatever you like. Apart from one
or two things you cannot do with the
&os; code, for example pretending you wrote it, you can
really do whatever you like with it.What are the differences between &os; and NetBSD,
OpenBSD, and other open source BSD operating systems?James Howard wrote a good explanation of the history and
differences between the various projects for DaemonNews,
called The BSD Family Tree
which goes a fair way to answering this question.What is the latest version of &os;?At this point in &os;'s development, there are two
parallel development branches; releases are being made from
both branches. The 6.X series of
releases is being made from the
6-STABLE branch and the
7.X series of releases from
7-STABLE.Up until the release of 7.0, the
6.X series was the one known as
-STABLE. However, as of 7.0, the
6.X branch will be designated for
an extended support status and receive only
fixes for major problems, such as security-related fixes.
There will be more releases made from the
6-STABLE branch, but it is considered a
legacy branch and most current work will only
become a part of 7-STABLE.Version &rel.current;
is the latest release from the 7-STABLE
branch; it was released in &rel.current.date;. Version
&rel2.current;
is the latest release from the 6-STABLE
branch; it was released in &rel2.current.date;.Briefly, -STABLE is aimed at the
ISP, corporate user, or any user who wants stability and a
minimal number of changes compared to the new (and possibly
unstable) features of the latest
-CURRENT snapshot. Releases can come
from either branch, but -CURRENT should
only be used if you are prepared for its increased
volatility (relative to -STABLE, that
is).Releases are made every few months. While
many people stay more up-to-date with the &os; sources (see
the questions on &os.current; and &os.stable;) than that, doing so
is more of a commitment, as the sources are a moving
target.More information on &os; releases can be found on the
Release Engineering page
on the &os; Web site.What is &os;-CURRENT?&os.current;
is the development version of the operating system, which
will in due course become the new &os.stable; branch. As
such, it is really only of interest to developers working on
the system and die-hard hobbyists. See the relevant section
in the Handbook for
details on running -CURRENT.If you are not familiar with the operating system or are
not capable of identifying the difference between a real
problem and a temporary problem, you should not use
&os.current;. This branch sometimes evolves quite quickly
and can be un-buildable for a number of days at a time.
People that use &os.current; are expected to be able to
analyze any problems and only report them if they are deemed
to be mistakes rather than glitches.
Questions such as make world produces some error
about groups on the &a.current; may be treated with
contempt.Every month, snapshot
releases are made based on the current state of the
-CURRENT and
-STABLE branches. The goals behind
each snapshot release are:To test the latest version of the installation
software.To give people who would like to run
-CURRENT or
-STABLE but who do not have the
time or bandwidth to follow it on a day-to-day basis an
easy way of bootstrapping it onto their systems.To preserve a fixed reference point for the code in
question, just in case we break something really badly
later. (Although CVS normally prevents anything
horrible like this happening.)To ensure that all new features and fixes in need of
testing have the greatest possible number of potential
testers.No claims are made that any
-CURRENT snapshot can be considered
production quality for any purpose. If you
want to run a stable and fully tested system, you will have
to stick to full releases, or use the
-STABLE snapshots.Snapshot releases are directly available from snapshot.
Official snapshots are generated each month on a regular
basis for all actively developed branches. There are also
daily snapshot builds of the popular &arch.i386; and
&arch.amd64; branches, hosted on .
What is the &os;-STABLE
concept?Back when &os; 2.0.5 was released, &os; development
branched in two. One branch was named -STABLE,
one -CURRENT.
&os;-STABLE is intended for Internet
Service Providers and other commercial enterprises for whom
sudden shifts or experimental features are quite
undesirable. It receives only well-tested bug fixes and
other small incremental enhancements.
&os;-CURRENT, on the other hand, has
been one unbroken line since 2.0 was released, leading
towards &rel.current;-RELEASE and beyond. For more detailed
information on branches see &os; Release Engineering: Creating the Release Branch,
the status of the branches and the upcoming release schedule
can be found on the Release Engineering Information page.
The 2.2-STABLE branch was retired with the release of
2.2.8. The 3-STABLE branch has ended with the release of
3.5.1, the final 3.X release.
The 4-STABLE branch has ended with the release of 4.11, the
final 4.X release. The only
changes made to either of these branches will be, for the
most part, security-related bug fixes. Support for the
5-STABLE branches has ended with the release of 5.5, the
final 5.X release. Support for
the 6-STABLE branches will continue for some time but focus
primarily on security-related bug fixes and other serious
issues.&rel.current;-STABLE is the actively developed
-STABLE branch. The latest release on
the &rel.current;-STABLE branch is &rel.current;-RELEASE,
which was released in &rel.current.date;.The 8-CURRENT branch is the actively developed
-CURRENT branch toward the next
generation of &os;. See What is &os;-CURRENT? for more
information on this branch.When are &os; releases made?The &a.re; releases a new major version of &os; about
every 18 months and a new minor version about every 8 months,
on average. Release dates are announced well in advance, so
that the people working on the system know when their
projects need to be finished and tested. A testing period
precedes each release, in order to ensure that the addition
of new features does not compromise the stability of the
release. Many users regard this caution as one of the best
things about &os;, even though waiting for all the latest
goodies to reach -STABLE can be a
little frustrating.More information on the release engineering process
(including a schedule of upcoming releases) can be found on
the release engineering
pages on the &os; Web site.For people who need or want a little more excitement,
binary snapshots are made daily as discussed above.Who is responsible for &os;?The key decisions concerning the &os; project, such as
the overall direction of the project and who is allowed to
add code to the source tree, are made by a core team of
9 people. There is a much larger team of more than 350
committers
who are authorized to make changes directly to the &os;
source tree.However, most non-trivial changes are discussed in
advance in the mailing lists,
and there are no restrictions on who may take part in the
discussion.Where can I get &os;?Every significant release of &os; is available via
anonymous FTP from the &os; FTP site:
The latest 7-STABLE release, &rel.current;-RELEASE
can be found in the &rel.current;-RELEASE directory.
Snapshot
releases are made monthly for the -CURRENT and -STABLE branch, these being of
service purely to bleeding-edge testers and
developers.The latest 6-STABLE release, &rel2.current;-RELEASE
can be found in the &rel2.current;-RELEASE directory.
Information about obtaining &os; on CD, DVD, and other
media can be found in the Handbook.
How do I access the Problem Report database?The Problem Report database of all user change requests
may be queried by using our web-based PR query
interface.The &man.send-pr.1; command can be used to submit
problem reports and change requests via electronic mail.
Alternatively, the web-based problem report submission interface
can be used to submit problem reports through a web
browser.Before submitting a problem report, please read Writing &os; Problem Reports,
an article on how to write good problem reports.What other sources of information are there?Please check the Documentation
list on the main &os; web site.Documentation and SupportWhat good books are there about &os;?The project produces a wide range of documentation,
available online from this link: . The same
documents are available as packages, that you can easily
install on your &os; system. More details on documentation
packages can be found in the next paragraphs.In addition, the Bibliography at the end of this
FAQ, and the one in the Handbook
reference other recommended books.Is the documentation available in other formats, such as
plain text (ASCII), or &postscript;?Yes. The documentation is available in a number of
different formats and compression schemes on the &os; FTP
site, in the /pub/FreeBSD/doc/
directory.The documentation is categorized in a number of
different ways. These include:The document's name, such as faq,
or handbook.The document's language and encoding. These are
based on the locale names you will find under
/usr/share/locale on your &os;
system. The current languages and encodings that we
have for documentation are as follows:NameMeaningen_US.ISO8859-1US Englishbn_BD.ISO10646-1Bengali (or Bangla)da_DK.ISO8859-1Danish (Denmark)de_DE.ISO8859-1Germanel_GR.ISO8859-7Greek (Greece)es_ES.ISO8859-1Spanishfr_FR.ISO8859-1Frenchhu_HU.ISO8859-2Hungarianit_IT.ISO8859-15Italianja_JP.eucJPJapanese (EUC encoding)mn_MN.UTF-8Mongolian (UTF-8 encoding)nl_NL.ISO8859-1Dutch (Netherlands)no_NO.ISO8859-1Norwegian (Norway)pl_PL.ISO8859-2Polish (Poland)pt_BR.ISO8859-1Portuguese (Brazil)ru_RU.KOI8-RRussian (KOI8-R encoding)sr_YU.ISO8859-2Serbian (Serbia)tr_TR.ISO8859-9Turkish (Turkey)zh_CN.GB2312Simplified Chinese (GB2312
encoding)zh_TW.Big5Traditional Chinese (Big5 encoding)Some documents may not be available in all
languages.The document's format. We produce the documentation
in a number of different output formats. Each format
has its own advantages and disadvantages. Some formats
are better suited for online reading, while others are
meant to be aesthetically pleasing when printed on
paper. Having the documentation available in any of
these formats ensures that our readers will be able to
read the parts they are interested in, either on their
monitor, or on paper after printing the documents. The
currently available formats are:FormatMeaninghtml-splitA collection of small, linked, HTML
files.htmlOne large HTML file containing the entire
documentpdbPalm Pilot database format, for use with
the iSilo
reader.pdfAdobe's Portable Document Formatps&postscript;rtfMicrosoft's Rich Text FormatPage numbers are not automatically
updated when loading this format into Word.
Press CTRLA,
CTRLEND,
F9 after loading the
document, to update the page numbers.txtPlain textThe compression and packaging scheme. There are
three of these currently in use.Where the format is
html-split, the files are bundled
up using &man.tar.1;. The resulting
.tar file is then compressed
using the compression schemes detailed in the next
point.All the other formats generate one file, called
type.format
(i.e., article.pdf,
book.html, and so on).These files are then compressed using two
compression schemes.SchemeDescriptionzipThe Zip format. If you want to
uncompress this on &os; you will need to
install the archivers/unzip
port first.bz2The BZip2 format. Less widespread than
Zip, but generally gives smaller files.
Install the archivers/bzip2
port to uncompress these files.So the &postscript; version of the Handbook,
compressed using BZip2 will be stored in a file
called book.ps.bz2 in the
handbook/ directory.After choosing the format and compression mechanism that
you want to download, you will have to download the compressed
files yourself, uncompress them, and then copy the
appropriate documents into place.For example, the split HTML version of the FAQ,
compressed using &man.bzip2.1;, can be found in the
doc/en_US.ISO8859-1/books/faq/book.html-split.tar.bz2
file. To download and uncompress that file you would have
to do this.&prompt.root; fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/doc/en_US.ISO8859-1/books/faq/book.html-split.tar.bz2
&prompt.root; bzip2 -d book.html-split.tar.bz2
&prompt.root; tar xvf book.html-split.tarYou will be left with a collection of
.html files. The main one is called
index.html, which will contain the
table of contents, introductory material, and links to the
other parts of the document. You can then copy or move
these to their final location as necessary.Where do I find info on the &os; mailing lists?You can find full information in the Handbook entry on mailing-lists.What &os; news groups are available?You can find full information in the Handbook entry on newsgroups.Are there &os; IRC (Internet Relay Chat)
channels?Yes, most major IRC networks host a &os; chat
channel:Channel #FreeBSD on EFNet is
a &os; forum, but do not go there for tech support or
try to get folks there to help you avoid the pain of
reading manual pages or doing your own research. It is
a chat channel, first and foremost, and topics there are
just as likely to involve sex, sports or nuclear weapons
as they are &os;. You Have Been Warned! Available at
server irc.chat.org.Channel #FreeBSDhelp on EFNet is
a channel dedicated to helping &os; users. They are
much more sympathetic to questions than
#FreeBSD is.Channel ##FreeBSD on Freenode is a
general help channel with about 300 users at any time.
The conversations have been known to run off-topic for a
while, but priority is given to users with &os;
questions. We are good about helping you understand the
basics, referring to the Handbook whenever possible, and
directing you where to learn more about the topic you
need help with. We are a primarily English speaking
channel, though we have users from all over the world.
If you would like to speak in your native language, try
to ask the question in English and then relocate to
another channel
##freebsd-lang
as appropriate.Channel #FreeBSD on DALNET is available at
irc.dal.net in the US and
irc.eu.dal.net in Europe.Channel #FreeBSDHelp on DALNET is available
at irc.dal.net in the US and
irc.eu.dal.net in Europe.Channel #FreeBSD on UNDERNET is
available at us.undernet.org in the US
and eu.undernet.org in Europe. Since
it is a help channel, be prepared to read the documents
you are referred to.Channel #FreeBSD on
RUSNET
is a russian-language oriented channel dedicated
to helping &os; users. This is also good place
for non-technical discussions.Channel #bsdchat on Freenode is a
Traditional-Chinese (UTF-8 encoding) language oriented
channel dedicated to helping &os; users. This is also
good place for non-technical discussions.Each of these channels are distinct and are not
connected to each other. Their chat styles also differ, so
you may need to try each to find one suited to your chat
style. As with all types of IRC
traffic, if you are easily offended or cannot deal with lots
of young people (and more than a few older ones) doing the
verbal equivalent of jello wrestling, do not even bother
with it.Where can I get commercial &os; training and
support?DaemonNews provides commercial training and support for
&os;. More information can be found at their BSD Mall site.The &os; Mall provides commercial &os; support. You can
get more information at their web site.Any other organizations providing training and support
should contact the project in order to be listed here.NikClaytonnik@FreeBSD.orgInstallationWhich file do I download to get &os;?You need three floppy images:
floppies/boot.flp,
floppies/kern1.flp, and
floppies/kern2.flp. These images need
to be copied onto floppies by tools like
fdimage or &man.dd.1;.If you need to download the distributions yourself (for
a DOS file system install, for instance), below are some
recommendations for distributions to grab:base/manpages/compat*/doc/src/ssys.*Full instructions on this procedure and a little bit
more about installation issues in general can be found in
the Handbook entry on installing &os;.
What do I do if the floppy images does not fit on a
single floppy?A 3.5 inch (1.44 MB) floppy can accommodate
1474560 bytes of data. The boot image is exactly
1474560 bytes in size.Common mistakes when preparing the boot floppy
are:Not downloading the floppy image in
binary mode when using
FTP.Some FTP clients default their transfer mode to
ascii and attempt to change any
end-of-line characters received to match the conventions
used by the client's system. This will almost
invariably corrupt the boot image. Check the size of
the downloaded boot image: if it is not
exactly that on the server, then
the download process is suspect.To workaround: type binary at
the FTP command prompt after getting connected to the
server and before starting the download of the
image.Using the DOS copy command (or
equivalent GUI tool) to transfer the boot image to
floppy.Programs like copy will not work
as the boot image has been created to be booted into
directly. The image has the complete content of the
floppy, track for track, and is not meant to be placed
on the floppy as a regular file. You have to transfer
it to the floppy raw, using the low-level
tools (e.g. fdimage or
rawrite) described in the installation guide to &os;.
Where are the instructions for installing &os;?Installation instructions can be found in the Handbook entry on installing &os;.
What do I need in order to run &os;?For &os; you will need a 486 or better PC, with
24 MB or more of RAM and at least 150 MB of hard
disk space.All versions of &os; can run with a low end MDA graphics
card but to run &xorg;, a VGA or better video card is
needed.See also .How can I make my own custom install floppy?Currently there is no way to just
make a custom install floppy. You have to cut a whole new
release, which will include your install floppy.To make a custom release, follow the instructions in the
Release Engineering
article.Can I have more than one operating system on my
PC?Have a look at the multi-OS page.
Can &windows; co-exist with &os;?Install &windows; first, then &os;. &os;'s boot manager
will then manage to boot &windows; and &os;. If you install
&windows; second, it will boorishly overwrite your boot
manager without even asking. If that happens, see the next
section.&windows; killed my boot manager! How do I get it
back?You can reinstall the boot manager &os; comes with in
one of three ways:Running DOS, go into the tools directory of your
&os; distribution and look for
bootinst.exe. You run it like
so:...\TOOLS>bootinst.exe boot.binand the boot manager will be reinstalled.Boot the &os; boot floppy again and go to the
Custom menu item for custom
installation. Choose
Partition. Select the drive
which used to contain your boot manager (likely the
first one) and when you come to the partition editor for
it, as the very first thing (e.g. do not make any
changes) press W. This will ask for
confirmation, select &gui.yes;, and when you get the
Boot Manager selection prompt, be sure to select the
&os; Boot Manager. This will
re-write the boot manager to disk. Now quit out of the
installation menu and reboot off the hard disk as
normal.Boot the &os; boot floppy (or CD-ROM) and choose the
Fixit menu item. Select
either the Fixit floppy or CD-ROM #2 (the
live file system option) as appropriate
and enter the fixit shell. Then execute the following
command:Fixit#fdisk -B -b /boot/boot0 bootdevicesubstituting bootdevice
for your real boot device such as
ad0 (first IDE disk),
ad4 (first IDE disk on
auxiliary controller), da0
(first SCSI disk), etc.My A, T, or X series IBM Thinkpad locks up when I first
booted up my &os; installation. How can I solve
this?A bug in early revisions of IBM's BIOS on these machines
mistakenly identifies the &os; partition as a potential FAT
suspend-to-disk partition. When the BIOS tries to parse the
&os; partition it hangs.According to IBMIn an email from Keith Frechette
kfrechet@us.ibm.com.,
the following model/BIOS release numbers incorporate the
fix.ModelBIOS revisionT20IYET49WW or laterT21KZET22WW or laterA20pIVET62WW or laterA20mIWET54WW or laterA21pKYET27WW or laterA21mKXET24WW or laterA21eKUET30WWIt has been reported that later IBM BIOS revisions may
have reintroduced the bug. This message
from Jacques Vidrine to the &a.mobile; describes a procedure
which may work if your newer IBM laptop does not boot &os;
properly, and you can upgrade or downgrade the BIOS.If you have an earlier BIOS, and upgrading is not an
option, a workaround is to install &os;, change the partition
ID &os; uses, and install new boot blocks that can handle
the different partition ID.First, you will need to restore the machine to a state
where it can get through its self-test screen. Doing this
requires powering up the machine without letting it find a
&os; partition on its primary disk. One way is to remove
the hard disk and temporarily move it to an older ThinkPad
(such as a ThinkPad 600) or a desktop PC with an appropriate
conversion cable. Once it is there, you can delete the &os;
partition and move the hard disk back. The ThinkPad should
now be in a bootable state again.With the machine functional again, you can use the
workaround procedure described here to get a working &os;
installation.Download boot1 and
boot2 from .
Put these files somewhere you will be able to retrieve
them later.Install &os; as normal on to the ThinkPad.
Do not use Dangerously
Dedicated mode. Do not
reboot when the install has finished.Either switch to the Emergency Holographic
Shell (AltF4)
or start a fixit shell.Use &man.fdisk.8; to change the &os; partition ID
from 165 to 166
(this is the type used by OpenBSD).Bring the boot1 and
boot2 files to the local file
system.Use &man.disklabel.8; to write
boot1 and boot2
to your &os; slice.&prompt.root; disklabel -B -b boot1 -s boot2 ad0snn is the number of the
slice where you installed &os;.Reboot. At the boot prompt you will be given the
option of booting OpenBSD. This will
actually boot &os;.Getting this to work in the case where you want to dual
boot OpenBSD and &os; on the same laptop is left as an
exercise for the reader.Can I install on a disk with bad blocks?You can, but it is a bad idea.If you are seeing bad block errors with a modern IDE
drive, chances are the drive is going to die very soon (the
drive's internal remapping functions are no longer
sufficient to fix the bad blocks, which means the disk is
heavily corrupted); we suggest you buy a new hard
drive.If you have a SCSI drive with bad blocks, see this answer.Strange things happen when I boot the install floppy!
What is happening?If you are seeing things like the machine grinding to a
halt or spontaneously rebooting when you try to boot the
install floppy, here are three questions to ask
yourself:Did you use a new, freshly-formatted, error-free
floppy (preferably a brand-new one straight out of the
box, as opposed to the magazine cover disk that has been
lying under the bed for the last three years)?Did you download the floppy image in binary (or
image) mode? (do not be embarrassed, even the best of us
have accidentally downloaded a binary file in ASCII mode
at least once!)If you are using &windows; 95 or
&windows; 98 did you run fdimage
or rawrite in pure DOS mode? These
operating systems can interfere with programs that write
directly to hardware, which the disk creation program
does; even running it inside a DOS shell in the GUI can
cause this problem.There have also been reports of &netscape; causing
problems when downloading the boot floppy, so it is probably
best to use a different FTP client if you can.I booted from my ATAPI CD-ROM, but the install program
says no CD-ROM is found. Where did it go?The usual cause of this problem is a mis-configured
CD-ROM drive. Many PCs now ship with the CD-ROM as the slave
device on the secondary IDE controller, with no master
device on that controller. This is illegal according to the
ATAPI specification, but &windows; plays fast and loose with
the specification, and the BIOS ignores it when booting.
This is why the BIOS was able to see the CD-ROM to boot from
it, but why &os; cannot see it to complete the
install.Reconfigure your system so that the CD-ROM is either the
master device on the IDE controller it is attached to, or
make sure that it is the slave on an IDE controller that
also has a master device.Can I install on my laptop over PLIP (Parallel Line
IP)?Yes. Use a standard Laplink cable. If necessary, you
can check out the PLIP section of the Handbook
for details on parallel port networking.Which geometry should I use for a disk drive?By the geometry of a disk, we mean
the number of cylinders, heads and sectors/track on a
disk. We will refer to this as C/H/S for convenience.
This is how the PC's BIOS works out which area on a disk
to read/write from.This causes a lot of confusion among new system
administrators. First of all, the
physical geometry of a SCSI drive is
totally irrelevant, as &os; works in term of disk blocks.
In fact, there is no such thing as the
physical geometry, as the sector density varies across the
disk. What manufacturers claim is the physical
geometry is usually the geometry that they have
determined wastes the least space. For IDE disks, &os; does
work in terms of C/H/S, but all modern drives internally
convert this into block references.All that matters is the logical
geometry. This is the answer that the BIOS gets when it
asks the drive what is your geometry? It then
uses this geometry to access the disk. As &os; uses the
BIOS when booting, it is very important to get this right.
In particular, if you have more than one operating system on
a disk, they must all agree on the geometry. Otherwise you
will have serious problems booting!For SCSI disks, the geometry to use depends on whether
extended translation support is turned on in your controller
(this is often referred to as support for DOS disks
>1GB or something similar). If it is turned off,
then use N cylinders, 64 heads
and 32 sectors/track, where N is
the capacity of the disk in MB. For example, a 2GB disk
should pretend to have 2048 cylinders, 64 heads and 32
sectors/track.If it is turned on (it is often
supplied this way to get around certain limitations in
&ms-dos;) and the disk capacity is more than 1 GB, use
M cylinders, 63 sectors per track
(not 64), and 255 heads, where
M is the disk capacity in MB
divided by 7.844238 (!). So our example 2 GB drive
would have 261 cylinders, 63 sectors per track and 255
heads.If you are not sure about this, or &os; fails to detect
the geometry correctly during installation, the simplest way
around this is usually to create a small DOS partition on
the disk. The BIOS should then detect the correct geometry,
and you can always remove the DOS partition in the partition
editor if you do not want to keep it. You might want to
leave it around for programming network cards and the like,
however.Alternatively, there is a freely available utility
distributed with &os; called
pfdisk.exe. You can find it in the
tools subdirectory on
the &os; CD-ROM or on the various &os; FTP sites. This
program can be used to work out what geometry the other
operating systems on the disk are using. You can then enter
this geometry in the partition editor.Are there any restrictions on how I divide the disk
up?Yes. You must make sure that your root partition is
below 1024 cylinders so the BIOS can boot the kernel from it.
(Note that this is a limitation in the PC's BIOS, not
&os;).For a SCSI drive, this will normally imply that the root
partition will be in the first 1024 MB (or in the first
4096 MB if extended translation is turned on - see
previous question). For IDE, the corresponding figure is
504 MB.Is &os; compatible with any disk managers?&os; recognizes the Ontrack Disk
Manager and makes allowances for it. Other disk
managers are not supported.If you just want to use the disk with &os; you do not
need a disk manager. Just configure the disk for as much
space as the BIOS can deal with (usually
504 megabytes), and &os; should figure out how much
space you really have. If you are using an old disk with an
MFM controller, you may need to explicitly tell &os; how
many cylinders to use.If you want to use the disk with &os; and another
operating system, you may be able to do without a disk
manager: just make sure the &os; boot partition and the
slice for the other operating system are in the first 1024
cylinders. If you are reasonably careful, a
20 megabyte boot partition should be plenty.When I boot &os; for the first time after install I get
Missing Operating System. What is
happening?This is classically a case of &os; and DOS or some other
OS conflicting over their ideas of disk geometry. You will have to
reinstall &os;, but obeying the instructions given above
will almost always get you going.Why can I not get past the boot manager's
F? prompt?This is another symptom of the problem described in the
preceding question. Your BIOS geometry and &os; geometry
settings do not agree! If your controller or BIOS supports
cylinder translation (often marked as >1GB drive
support), try toggling its setting and reinstalling
&os;.Do I need to install the complete sources?In general, no. However, we would strongly recommend
that you install, at a minimum, the base
source kit, which includes several of the files mentioned
here, and the sys (kernel) source kit,
which includes sources for the kernel. There is nothing in
the system which requires the presence of the sources to
operate, however, except for the kernel-configuration
program &man.config.8;. With the exception of the kernel
sources, our build structure is set up so that you can
read-only mount the sources from elsewhere via NFS and still
be able to make new binaries (due to the kernel-source
restriction, we recommend that you not mount this on
/usr/src directly, but
rather in some other location with appropriate symbolic
links to duplicate the top-level structure of the source
tree).Having the sources on-line and knowing how to build a
system with them will make it much easier for you to upgrade
to future releases of &os;.To actually select a subset of the sources, use the
Custom menu item when you are in
the Distributions menu of the
system installation tool.Do I need to build a kernel?Building a new kernel was originally pretty much a
required step in a &os; installation, but more recent releases
have benefited from the introduction of much friendlier
kernel configuration methods. It is very easy to configure
the kernel's configuration by much more flexible
hints which can be set at the loader
prompt.It may still be worthwhile building a new kernel
containing just the drivers that you need, just to save a
bit of RAM, but it is no longer necessary for most
systems.Should I use DES, Blowfish, or MD5 passwords and how do
I specify which form my users receive?The default password format on &os; is to use
MD5-based passwords. These are
believed to be more secure than the traditional &unix;
password format, which used a scheme based on the
DES algorithm. DES passwords are still
available if you need to share your password file with
legacy operating systems which still use the less secure
password format. &os; also allows you to use the Blowfish
password format, which is more secure. Which password
format to use for new passwords is controlled by the
passwd_format login capability in
/etc/login.conf, which takes values of
des, blf (if these are
available) or md5. See the
&man.login.conf.5; manual page for more information about
login capabilities.Why does the boot floppy start, but hang at the
Probing Devices... screen?If you have a IDE &iomegazip; or &jaz; drive installed,
remove it and try again. The boot floppy can get confused by
the drives. After the system is installed you can reconnect
the drive. Hopefully this will be fixed in a later
release.Why do I get a panic: can't mount
root error when rebooting the system after
installation?This error comes from confusion between the boot block's
and the kernel's understanding of the disk devices. The
error usually manifests on two-disk IDE systems, with the
hard disks arranged as the master or single device on
separate IDE controllers, with &os; installed on the
secondary IDE controller. The boot blocks think the system
is installed on ad0 (the second
BIOS disk) while the kernel assigns the first disk on the
secondary controller device, ad2.
After the device probing, the kernel tries to mount what the
boot blocks think is the boot disk,
ad0, while it is really
ad2, and fails.To fix the problem, do one of the following:Reboot the system and hit Enter at
the Booting kernel in 10 seconds; hit [Enter]
to interrupt prompt. This will drop you into
the boot loader.Then type
set root_disk_unit="disk_number".
disk_number will be
0 if &os; is installed on the master
drive on the first IDE controller, 1
if it is installed on the slave on the first IDE
controller, 2 if it is installed on
the master of the second IDE controller, and
3 if it is installed on the slave of
the second IDE controller.Then type boot, and your
system should boot correctly.To make this change permanent (i.e, so you do not
have to do this every time you reboot or turn on your
&os; machine), put the line
root_disk_unit="disk_number"
in /boot/loader.conf.local.Move the &os; disk onto the primary IDE
controller, so the hard disks are consecutive.What are the limits for memory?Memory limits depend on the platform used. On a
standard &i386; install, the limit is 4 GB but more
memory can be supported through &man.pae.4;. See instructions for using 4 GB or more memory on &i386;.
&os;/pc98 has a limit of 4 GB memory, and PAE can
not be used with it. Other architectures supported by &os;
have much higher theoretical limits on maximum memory (many
terabytes).What are the limits for FFS file systems?For FFS file systems, the maximum theoretical limit is
8 TB (2 G blocks), or 16 TB for the default
block size of 8 KB. In practice, there is a soft limit
of 1 TB, but with modifications file systems with
4 TB are possible (and exist).The maximum size of a single FFS file is approximately
1 G blocks, or 4 TB with a block size of
4 KB.
When the FS block size is 4 KB, triple indirect
blocks work and everything should be limited by the maximum FS
block number that can be represented using triple indirect
blocks (approx.
10243 + 10242 + 1024),
but everything is limited by a (wrong) limit of
1 G - 1 on FS block numbers. The limit on FS
block numbers should be 2 G - 1. There are
some bugs for FS block numbers near 2 G - 1,
but such block numbers are unreachable when the FS block
size is 4 KB.For block sizes of 8 KB and larger, everything
should be limited by the 2 G - 1 limit on FS
block numbers, but is actually limited by the
1 G - 1 limit on FS block numbers. Using the
correct limit of 2 G - 1 blocks does cause
problems.Why do I get an error message,
archsw.readin.failed after compiling
and booting a new kernel?Because your world and kernel are out of sync. This is
not supported. Be sure you use make buildworld
and make buildkernel
to update your kernel.You can boot by specifying the kernel directly at the
second stage, pressing any key when the |
shows up before loader is started.Installation crashes while booting, what can I do?Try disabling ACPI support. When the bootloader loads,
press the Space key. The system will display
the following:OKType:unset acpi_loadAnd then type:bootHardware compatibilityGeneralI want to get a piece of hardware for my &os; system.
Which model/brand/type is best?This is discussed continually on the &os; mailing
lists. Since hardware changes so quickly, however, we
expect this. We still strongly
recommend that you read through the Hardware Notes
for &os; &rel.current; or
&rel2.current; and
search the mailing list archives
before asking about the latest and greatest hardware.
Chances are a discussion about the type of hardware you
are looking for took place just last week.If you are looking for a laptop, check the &a.mobile;
archives. Otherwise, you probably want the archives for
the &a.questions;, or possibly a specific mailing list for
a particular hardware type.MemoryDoes &os; support more than 4 GB of memory (RAM)?
More than 16 GB? More than 48 GB?Yes. &os; as an operating system generally supports
as much physical memory (RAM) as the platform it is running
on does. Keep in mind that different platforms have
different limits for memory; for example &i386; without
PAE supports at most 4 GB of
memory (and usually less than that because of PCI address
space) and &i386; with PAE supports at most 64 GB
memory. AMD64 platforms currently deployed support up to
1 TB of physical memory.Why does &os; report less than 4 GB memory when
installed on an &i386; machine?The total address space on &i386; machines is 32-bit,
meaning that at most 4 GB of memory is addressable (can
be accessed). Furthermore, some addresses in this range
are reserved by hardware for different purposes, for
example for using and controlling PCI devices, for
accessing video memory, and so on. Therefore, the total
amount of memory usable by the operating system for its
kernel and applications is limited to significantly less
than 4 GB. Usually, 3.2 GB to 3.7 GB is
the maximum usable physical memory in this
configuration.To access more than 3.2 GB to 3.7 GB of
installed memory (meaning up to 4 GB but also more than
4 GB), a special tweak called PAE
must be used. PAE stands for Physical Address Extension
and is a way for 32-bit x86 CPUs to address more than
4 GB of memory. It remaps the memory that would
otherwise be overlayed by address reservations for
hardware devices above the 4 GB range and uses it as
additional physical memory (see &man.pae.4;). Using PAE
has some drawbacks; this mode of memory access is a little
bit slower than the normal (without PAE) mode and loadable
modules (see &man.kld.4;) are not supported. This means
all drivers must be compiled into the kernel.The most common way to enable PAE is to build a new
kernel with the special ready-provided kernel configuration
file called PAE, which is already
configured to build a safe kernel. Note that some entries
in this kernel configuration file are too conservative and
some drivers marked as unready to be used with PAE are
actually usable. A rule of thumb is that if the driver is
usable on 64-bit architectures (like AMD64), it is also
usable with PAE. If you wish to create your own kernel
configuration file, you can enable PAE by adding the
following line to your configuration:options PAEPAE is not much used nowadays because most new x86
hardware also supports running in 64-bit mode, known as
AMD64 or &intel; 64. It has a much larger address
space and does not need such tweaks. &os; supports AMD64
and it is recommended that this version of &os; be used
instead of the &i386; version if 4 GB or more memory
is required.Architectures and processorsDoes &os; support architectures other than the
x86?Yes. &os; currently runs on the Intel x86 and the
AMD64 architectures. The Intel EM64T, IA-64, &arm;,
&powerpc;, sun4v and &sparc64; architectures are also
supported. Upcoming platforms are &mips; and &s390;, join
the &a.mips; for more information about ongoing work on
the &mips; platform. For general discussion on new
architectures, join the &a.platforms;.If your machine has a different architecture and you
need something right now, we suggest you look at NetBSD or OpenBSD.Does &os; support Symmetric Multiprocessing
(SMP)?Symmetric multi-processor (SMP) systems are generally
supported by &os;, although in some cases, BIOS or
motherboard bugs may generate some problems. Perusing the
&a.smp; may yield some clues.&os; will take advantage of HyperThreading (HTT)
support on Intel CPUs that support this feature. A kernel
with the options SMP feature enabled
will automatically detect the additional logical
processors. The default &os; scheduler treats the logical
processors the same as additional physical processors; in
other words, no attempt is made to optimize scheduling
decisions given the shared resources between logical
processors within the same CPU. Because this naive
scheduling can result in suboptimal performance, under
certain circumstances it may be useful to disable the
logical processors with the
machdep.hlt_logical_cpus sysctl
variable. It is also possible to halt any CPU in the idle
loop with the machdep.hlt_cpus sysctl
variable. The &man.smp.4; manual page has more
details.Hard drives, tape drives, and CD and DVD drivesWhat kind of hard drives does &os; support?&os; supports EIDE, SATA, SCSI, and SAS drives (with a
compatible controller; see the next section), and all
drives using the original Western Digital
interface (MFM, RLL, ESDI, and of course IDE). A few ESDI
controllers that use proprietary interfaces may not work:
stick to WD1002/3/6/7 interfaces and clones.Which SCSI or SAS controllers are supported?See the complete list in the Hardware Notes for &os;
&rel.current;
or &rel2.current;.
What types of tape drives are supported?&os; supports SCSI and QIC-36 (with a QIC-02
interface). This includes 8-mm (aka Exabyte) and DAT
drives.Some of the early 8-mm drives are not quite compatible
with SCSI-2, and may not work well with &os;.Does &os; support tape changers?&os; supports SCSI changers using the &man.ch.4; device
and the &man.chio.1; command. The details of how you
actually control the changer can be found in the
&man.chio.1; manual page.If you are not using AMANDA
or some other product that already understands changers,
remember that they only know how to move a tape from one
point to another, so you need to keep track of which slot a
tape is in, and which slot the tape currently in the drive
needs to go back to.Which CD-ROM drives are supported by &os;?Any SCSI drive connected to a supported controller is
supported.The following proprietary CD-ROM interfaces are also
supported:Mitsumi LU002 (8bit), LU005 (16bit) and FX001D
(16bit 2x Speed).Sony CDU 31/33ASound Blaster Non-SCSI CD-ROMMatsushita/Panasonic CD-ROMATAPI compatible IDE CD-ROMsAll non-SCSI cards are known to be extremely slow
compared to SCSI drives, and some ATAPI CD-ROMs may not
work.The official &os; CD-ROM ISO, and CD-ROMs from Daemon
News and &os; Mall, support booting directly from the
CD.Which CD-RW drives are supported by &os;?&os; supports any ATAPI-compatible IDE CD-R or CD-RW
drive. See &man.burncd.8; for details.&os; also supports any SCSI CD-R or CD-RW drives.
Install and use the cdrecord command
from the ports or packages system, and make sure that you
have the pass device compiled in
your kernel.Does &os; support &iomegazip; drives?&os; supports SCSI and ATAPI (IDE) &iomegazip; drives
out of the box. SCSI ZIP drives can only be set to run at
SCSI target IDs 5 or 6, but if your SCSI host adapter's
BIOS supports it you can even boot from it. It is not
clear which host adapters support booting from targets
other than 0 or 1, so you will have to consult your
adapter's documentation if you would like to use this
feature.&os; also supports Parallel Port Zip Drives. Check
that your kernel contains the
scbus0,
da0,
ppbus0, and
vp0 drivers (the
GENERIC kernel contains everything
except vp0). With all these
drivers present, the Parallel Port drive should be available
as /dev/da0s4. Disks can be
mounted using mount /dev/da0s4 /mnt OR
(for DOS disks) mount_msdos /dev/da0s4 /mnt
as appropriate.Also check out the FAQ on
removable drives later in this chapter, and the note on
formattingin the Administration
chapter.Does &os; support &jaz;, EZ and other removable
drives?They work. Most of these are SCSI devices, so they
look like SCSI disks to &os;. The IDE EZ looks like an IDE
drive.Make sure that any external units are powered on when
booting the system.To change the media while
running, check out &man.mount.8;, &man.umount.8;, and
&man.camcontrol.8; (for SCSI devices) or &man.atacontrol.8;
(for IDE devices), plus the discussion on using removable drives
later in the FAQ.Keyboards and miceDoes &os; support my USB keyboard?&os; supports USB keyboards out-of-the-box. Once you
have USB keyboard support enabled on your system, the AT
keyboard becomes /dev/kbd0 and
the USB keyboard becomes
/dev/kbd1, if both are connected
to the system. If there is the USB keyboard only, it will
be /dev/ukbd0.If you want to use the USB keyboard in the console,
you have to explicitly tell the console driver to use the
existing USB keyboard. This can be done by running the
following command as a part of system
initialization.&prompt.root; kbdcontrol -k /dev/kbd1 < /dev/console > /dev/nullNote that if the USB keyboard is the only keyboard, it
is accessed as /dev/ukbd0, thus,
the command should look like:&prompt.root; kbdcontrol -k /dev/ukbd0 < /dev/console > /dev/nullTo make this change permanent across reboots, add
keyboard="/dev/ukbd0" to
/etc/rc.conf.Once this is done, the USB keyboard should work in the
X environment as well without any special settings.If you want to switch back to the default keyboard,
use this command:&prompt.root; kbdcontrol -k /dev/kbd0 > /dev/nullTo allow using both the second USB keyboard and the
first AT keyboard at the same time on a console via
&man.kbdmux.4; driver type the following commands:&prompt.root; kbdcontrol -K < /dev/console > /dev/nullkbdcontrol -a atkbd0 < /dev/kbdmux0 > /dev/nullkbdcontrol -a ukbd1 < /dev/kbdmux0 > /dev/nullkbdcontrol -k /dev/kbdmux0 < /dev/console > /dev/nullSee the &man.ukbd.4;, &man.kbdcontrol.1; and
&man.kbdmux.4; manual pages for more information.Hot-plugging and unplugging of the USB keyboard may
not work quite right yet. We recommend connecting the
keyboard before starting the system and leaving it
connected until the system is shutdown to avoid
issues.I have an unusual bus mouse. How do I set it
up?&os; supports the bus mouse and the InPort bus mouse
from such manufacturers as Microsoft, Logitech and ATI. The
GENERIC kernel does not include the
device driver. To build a custom kernel with the bus mouse
driver, add the following line to the kernel config
file:device mse0 at isa? port 0x23c irq5Bus mice usually come with dedicated interface cards.
These cards may allow you to set the port address and the
IRQ number other than shown above. Refer to the manual of
your mouse and the &man.mse.4; manual page for more
information.How do I use my PS/2 (mouse port or
keyboard) mouse?The PS/2 mouse is supported out-of-the-box. The
necessary device driver, psm, is
included in the kernel.If your custom kernel does not have this, add the
following line to your kernel configuration and compile a
new kernel.device psm0 at atkbdc? irq 12Once the kernel detects psm0
correctly at boot time, a device node
psm0 will be created
automatically.Is it possible to use a mouse in any way outside the X
Window system?If you are using the default console driver,
&man.syscons.4;, you can use a mouse pointer in text
consoles to cut & paste text. Run the mouse daemon,
&man.moused.8;, and turn on the mouse pointer in the
virtual console:&prompt.root; moused -p /dev/xxxx -t yyyy
&prompt.root; vidcontrol -m onWhere xxxx is the mouse
device name and yyyy is a
protocol type for the mouse. The mouse daemon can
automatically determine the protocol type of most mice,
except old serial mice. Specify the
auto protocol to invoke automatic
detection. If automatic detection does not work, see the
&man.moused.8; manual page for a list of supported
protocol types.If you have a PS/2 mouse, just add
moused_enable="YES" to
/etc/rc.conf to start the mouse
daemon at boot-time. Additionally, if you would like to
use the mouse daemon on all virtual terminals instead of
just the console, add
allscreens_flags="-m on" to
/etc/rc.conf.When the mouse daemon is running, access to the mouse
must be coordinated between the mouse daemon and other
programs such as X Windows. Refer to the FAQ Why does my mouse not work with X?
for more details on this issue.How do I cut and paste text with a mouse in the text
console?Once you get the mouse daemon running (see the previous section), hold down the
button 1 (left button) and move the mouse to select a region
of text. Then, press the button 2 (middle button) to paste
it at the text cursor. Pressing button 3 (right button)
will extend the selected region of
text.If your mouse does not have a middle button, you may
wish to emulate one or remap buttons using mouse daemon
options. See the &man.moused.8; manual page for
details.My mouse has a fancy wheel and buttons. Can I use
them in &os;?The answer is, unfortunately, It
depends. These mice with additional features
require specialized driver in most cases. Unless the
mouse device driver or the user program has specific
support for the mouse, it will act just like a standard
two, or three button mouse.For the possible usage of wheels in the X Window
environment, refer to that section.
How do I use the mouse/trackball/touchpad on my
laptop?Please refer to the answer to
the previous question.How do I use my delete key in sh
and csh?For the Bourne Shell, add
the following lines to your .shrc. See
&man.sh.1; and &man.editrc.5;.bind ^? ed-delete-next-char # for console
bind ^[[3~ ed-delete-next-char # for xtermFor the C Shell, add the
following lines to your .cshrc. See
&man.csh.1;.bindkey ^? delete-char # for console
bindkey ^[[3~ delete-char # for xtermFor more information, see this page.
Networking and serial devicesWhich network cards does &os; support?See the Hardware Notes supplied with each release of
&os; for a more complete list.Does &os; support software modems, such as
Winmodems?&os; supports many software modems via add-on
software. For example, the comms/ltmdm port adds support
for modems based on the very popular Lucent LT
chipsets.You cannot install &os; via a software modem; this
software must be installed after the OS is
installed.Is there a native driver for the Broadcom 43xx
cards?No, and there is not likely to be.Broadcom refuses to publically release programming
information for their wireless chipsets, most likely
because they use software controlled radios. In order to
get FCC type acceptance for their parts, they have to
ensure that users cannot arbitrarily set things like
operating frequencies, modulation parameters and power
output. But without knowing how to program the chipsets,
it is nearly impossible to write a driver.Which multi-port serial cards are supported by
&os;?There is a list of these in the Serial Communications
chapter of the handbook.Some unnamed clone cards have also been known to work,
especially those that claim to be AST compatible.Check the &man.sio.4; manual page to get more
information on configuring such cards.How do I get the boot: prompt to show on the serial
console?See this section of the handbook.
Sound devicesWhich sound cards are supported by &os;?&os; supports various sound cards (for more details,
see &os; Release Information
and the &man.snd.4; manual page). There is also limited
support for MPU-401 and compatible MIDI cards. Cards
conforming to the µsoft; Sound System specification
are also supported.This is only for sound! This driver does not
support CD-ROMs, SCSI or joysticks on these cards, except
for the &soundblaster;. The &soundblaster; SCSI
interface and some non-SCSI CD-ROMs are supported, but
you cannot boot off this device.Workarounds for no sound from my &man.pcm.4; sound
card?Some sound cards set their output volume to 0 at every
boot. Run the following command every time the machine
boots:&prompt.root; mixer pcm 100 vol 100 cd 100Other hardwareDoes &os; support power management on my
laptop?&os; supports APM on certain
machines. Further information can be found in
&man.apm.4;.&os; also supports the ACPI
features found in most modern hardware. Further
information can be found in &man.acpi.4;. If a system
supports both APM and
ACPI, either can be used. We suggest
you try both and choose the one that best fits your
needs.How do I disable ACPI?Add following line
hint.acpi.0.disabled="1" into your
/boot/device.hints file.Why does my Micron system hang at boot time?Certain Micron motherboards have a non-conforming PCI
BIOS implementation that causes grief when &os; boots
because PCI devices do not get configured at their
reported addresses.Disable the Plug and Play Operating
System flag in the BIOS to work around this
problem.The boot floppy hangs on a system with an ASUS K7V
motherboard. How do I fix this?Go into the BIOS setup and disable the boot
virus protection.Why does my &tm.3com; PCI network card not work with my
Micron computer?See the previous answer.
TroubleshootingWhy is &os; finding the wrong amount of memory on &i386;
hardware?The most likely reason is the difference between
physical memory addresses and virtual addresses.The convention for most PC hardware is to use the memory
area between 3.5 GB and 4 GB for a special purpose
(usually for PCI). This address space is used to access PCI
hardware. As a result real, physical memory can not be
accessed by that address space.What happens to the memory that should appear in that
location is dependent on your hardware. Unfortunately, some
hardware does nothing and the ability to use that last
500 MB of RAM is entirely lost.Luckily, most hardware remaps the memory to a higher
location so that it can still be used. However, this can
cause some confusion if you watch the boot messages.On a 32 bit version of &os;, the memory appears
lost, since it will be remapped above 4 GB, which a
32 bit kernel is unable to access. In this case, the
solution is to build a PAE enabled kernel. See the entry on memory limits
and about different
memory limits on different platforms for more
information.On a 64-bit version of &os;, or when running a
PAE-enabled kernel, &os; will correctly detect and remap the
memory so it is usable. During boot, however, it may seem
as if &os; is detecting more memory than the system really
has, due to the described remapping. This is normal and the
available memory will be corrected as the boot process
completes.What do I do when I have bad blocks on my hard
drive?With SCSI drives, the drive should be capable of
re-mapping these automatically. However, many drives ship
with this feature disabled.To enable bad block remapping edit the first device page
mode, which can be done by giving the command (as
root)&prompt.root; camcontrol modepage sd0 -m 1 -e -P 3and changing the values of AWRE and ARRE from 0 to
1:AWRE (Auto Write Reallocation Enbld): 1
ARRE (Auto Read Reallocation Enbld): 1Modern IDE drives also have bad block remapping features
in the controller, and they ship with this feature turned
on.If you see warnings about bad blocks (on either type of
drive), it is time to consider replacing the drive. You
might be able to use the drive manufacturer's diagnostic
program to lock out those bad blocks, but at best this will
buy you some time.Why does &os; not detect my HP Netserver's SCSI
controller?This is basically a known problem. The EISA on-board
SCSI controller in the HP Netserver machines occupies EISA
slot number 11, so all the true EISA slots
are in front of it. Alas, the address space for EISA slots
>= 10 collides with the address space assigned to PCI,
and &os;'s auto-configuration currently cannot handle this
situation very well.So now, the best you can do is to pretend there is no
address range clash :), by bumping the kernel option
EISA_SLOTS to a value of 12. Configure
and compile a kernel, as described in the Handbook entry on configuring the kernel.
Of course, this does present you with a chicken-and-egg
problem when installing on such a machine. In order to work
around this problem, a special hack is available inside
UserConfig. Do not use the
visual interface, but the plain command-line
interface there. Simply type the following command at the
prompt and install your system as usual:eisa 12
quitWhile it is recommended you compile and install a custom
kernel anyway.Hopefully, future versions will have a proper fix for
this problem.You cannot use a dangerously
dedicated disk with an HP Netserver. See this note for more info.
I keep seeing messages like ed1:
timeout. What do these messages mean?This is usually caused by an interrupt conflict (e.g.,
two boards using the same IRQ). Boot with the
option and change the
ed0/de0/...
entry to match your board.If you are using the BNC connector on your network card,
you may also see device timeouts because of bad termination.
To check this, attach a terminator directly to the NIC (with
no cable) and see if the error messages go away.Some NE2000 compatible cards will give this error if
there is no link on the UTP port or if the cable is
disconnected.Why did my &tm.3com; 3C509 card stop working for no
apparent reason?This card has a bad habit of losing its configuration
information. Refresh your card's settings with the DOS
utility 3c5x9.exe.My parallel printer is ridiculously slow. What can I
do?If the only problem is that the printer is terribly
slow, try changing your printer port mode
as discussed in the Printer Setup
section of the Handbook.Why do my programs occasionally die with
Signal 11 errors?Signal 11 errors are caused when your process has
attempted to access memory which the operating system has not
granted it access to. If something like this is happening
at seemingly random intervals then you need to start
investigating things very carefully.These problems can usually be attributed to
either:If the problem is occurring only in a specific
application that you are developing yourself it is
probably a bug in your code.If it is a problem with part of the base &os;
system, it may also be buggy code, but more often than not
these problems are found and fixed long before us
general FAQ readers get to use these bits of code (that
is what -current is for).In particular, a dead giveaway that this is
not a &os; bug is if you see the
problem when you are compiling a program, but the activity
that the compiler is carrying out changes each time.For example, suppose you are running
make buildworld,
and the compile fails while trying to compile
ls.c into ls.o.
If you then run
make buildworld
again, and the compile fails in the same place then this is
a broken build — try updating your sources and try
again. If the compile fails elsewhere then this is almost
certainly hardware.What you should do:In the first case you can use a debugger e.g.
&man.gdb.1; to find the point in the program which is
attempting to access a bogus address and then fix it.In the second case you need to verify that it is not
your hardware at fault.Common causes of this include:Your hard disks might be overheating: Check the fans
in your case are still working, as your disk (and perhaps
other hardware might be overheating).The processor running is overheating: This might be
because the processor has been overclocked, or the fan
on the processor might have died. In either case you
need to ensure that you have hardware running at what it
is specified to run at, at least while trying to solve
this problem. i.e. Clock it back to the default
settings.If you are overclocking then note that it is far
cheaper to have a slow system than a fried system that
needs replacing! Also the wider community is not often
sympathetic to problems on overclocked systems, whether
you believe it is safe or not.Dodgy memory: If you have multiple memory
SIMMS/DIMMS installed then pull them all out and try
running the machine with each SIMM or DIMM individually
and narrow the problem down to either the problematic
DIMM/SIMM or perhaps even a combination.Over-optimistic Motherboard settings: In your BIOS
settings, and some motherboard jumpers you have options
to set various timings, mostly the defaults will be
sufficient, but sometimes, setting the wait states on
RAM too low, or setting the RAM Speed:
Turbo option, or similar in the BIOS will cause
strange behavior. A possible idea is to set to BIOS
defaults, but it might be worth noting down your
settings first!Unclean or insufficient power to the motherboard.
If you have any unused I/O boards, hard disks, or CD-ROMs
in your system, try temporarily removing them or
disconnecting the power cable from them, to see if your
power supply can manage a smaller load. Or try another
power supply, preferably one with a little more power
(for instance, if your current power supply is rated at
250 Watts try one rated at 300 Watts).You should also read the SIG11 FAQ (listed below) which
has excellent explanations of all these problems, albeit from
a &linux; viewpoint. It also discusses how memory testing
software or hardware can still pass faulty memory.Finally, if none of this has helped it is possible that
you have just found a bug in &os;, and you should follow the
instructions to send a problem report.There is an extensive FAQ on this at the SIG11 problem FAQMy system crashes with either Fatal trap 12:
page fault in kernel mode, or
panic:, and spits out a bunch of
information. What should I do?The &os; developers are very interested in these
errors, but need some more information than just the error
you see. Copy your full crash message. Then consult the
FAQ section on kernel panics,
build a debugging kernel, and get a backtrace. This might
sound difficult, but you do not need any programming skills;
you just have to follow the instructions.Why does the screen go black and lose sync when I
boot?This is a known problem with the ATI Mach64 video
card. The problem is that this card uses address
2e8, and the fourth serial port does too.
Due to a bug (feature?) in the &man.sio.4; driver it will
touch this port even if you do not have the fourth serial
port, and even if you disable
sio3 (the fourth port) which
normally uses this address.Until the bug has been fixed, you can use this
workaround:Enter at the boot prompt.
(This will put the kernel into configuration
mode).Disable sio0,
sio1,
sio2 and
sio3 (all of them). This way
the &man.sio.4; driver does not get activated — no
problems.Type exit to continue booting.If you want to be able to use your serial ports, you
will have to build a new kernel with the following
modification: in
/usr/src/sys/dev/sio/sio.c (or in
/usr/src/sys/pc98/cbus/sio.c for pc98)
find the one occurrence of the string
0x2e8 and remove that string and the
preceding comma (keep the trailing comma). Now follow the
normal procedure of building a new kernel.Why does &os; only use 64 MB of RAM when my system
has 128 MB of RAM installed?Due to the manner in which &os; gets the memory size
from the BIOS, it can only detect 16 bits worth of
Kbytes in size (65535 Kbytes = 64 MB) (or less...
some BIOSes peg the memory size to 16 MB). If you have
more than 64 MB, &os; will attempt to detect it;
however, the attempt may fail.To work around this problem, you need to use the kernel
option specified below. There is a way to get complete
memory information from the BIOS, but we do not have room in
the bootblocks to do it. Someday when lack of room in the
bootblocks is fixed, we will use the extended BIOS functions
to get the full memory information... but for now we are
stuck with the kernel option.options MAXMEM=nWhere n is your memory in
Kilobytes. For a 128 MB machine, you would want to use
131072.My system has more than 1 GB of RAM, and I'm
getting panics with kmem_map too small
messages. What is wrong?Normally, &os; determines a number of kernel parameters,
such as as the maximum number of files that can be open
concurrently, from the amount of memory installed in the
system. On systems with one gigabyte of RAM or more, this
auto sizing mechanism may choose values that
are too high: while starting up, the kernel allocates
various tables and other structures that fill up most of the
available kernel memory. Later on, while the system is
running, the kernel has no more space left for dynamic
memory allocations, and panics.Compile your own kernel, and add the
to your kernel
configuration file, increasing the maximum size to
400 MB (). 400 MB appears
to be sufficient for machines with up to 6 GB of
memory.My system does not have 1 GB of RAM, and &os; still
panics with kmem_map too
small!The panic indicates that the system ran out of virtual
memory for network buffers (specifically, mbuf clusters).
You can increase the amount of VM available for mbuf
clusters by following the instructions in the Network Limits
section of the Handbook.Why do I get the error kernel: proc: table is
full?The &os; kernel will only allow a certain number of
processes to exist at one time. The number is based on the
kern.maxusers &man.sysctl.8; variable.
kern.maxusers also affects various other
in-kernel limits, such as network buffers (see this earlier
question). If your machine is heavily loaded, you probably
want to increase kern.maxusers. This
will increase these other system limits in addition to the
maximum number of processes.To adjust your kern.maxusers value,
see the File/Process Limits
section of the Handbook. (While that section refers to open
files, the same limits apply to processes.)If your machine is lightly loaded, and you are simply
running a very large number of processes, you can adjust
this with the kern.maxproc tunable. If
this tunable needs adjustment it needs to be defined in
/boot/loader.conf. The tunable will
not get adjusted until the system is rebooted. For more
information about tuning tunables, you should see the
&man.loader.conf.5; and &man.sysctl.conf.5; manual pages.
If these processes are being run by a single user, you will
also need to adjust kern.maxprocperuid to
be one less than your new kern.maxproc
value. (It must be at least one less because one system
program, &man.init.8;, must always be running.)To make a sysctl change permanent place the proper value
in /etc/sysctl.conf. More information
about system tuning with &man.sysctl.8; can be found at the
Tuning with sysctl
section of the Handbook.Why do I get an error reading CMAP
busy when rebooting with a new kernel?The logic that attempts to detect an out of date
/var/db/kvm_*.db files sometimes fails
and using a mismatched file can sometimes lead to
panics.If this happens, reboot single-user and do:&prompt.root; rm /var/db/kvm_*.dbWhat does the message ahc0: brkadrint,
Illegal Host Access at seqaddr 0x0 mean?This is a conflict with an Ultrastor SCSI Host
Adapter.During the boot process enter the kernel configuration
menu and disable uha0, which is
causing the problem.When I boot my system, I get the error ahc0:
illegal cable configuration. My cabling is
correct. What is going on?Your motherboard lacks the external logic to support
automatic termination. Switch your SCSI BIOS to specify the
correct termination for your configuration rather than
automatic termination. The &man.ahc.4; driver cannot
determine if the external logic for cable detection (and
thus auto-termination) is available. The driver simply
assumes that this support must exist if the configuration
contained in the serial EEPROM is set to automatic
termination. Without the external cable detection
logic the driver will often configure termination
incorrectly, which can compromise the reliability of the
SCSI bus.Why does sendmail give me an
error reading mail loops back to
myself?You can find a detailed answer for this question in the
Handbook.
Why do full screen applications on remote machines
misbehave?The remote machine may be setting your terminal type to
something other than the cons25 terminal
type required by the &os; console.There are a number of possible work-arounds for this
problem:After logging on to the remote machine, set your
TERM shell variable to
ansi or sco if
the remote machine knows about these terminal
types.Use a VT100 emulator like
screen at the &os; console.
screen offers you the
ability to run multiple concurrent sessions from one
terminal, and is a neat program in its own right.
Each screen window behaves
like a VT100 terminal, so the TERM
variable at the remote end should be set to
vt100.Install the cons25 terminal
database entry on the remote machine. The way to do
this depends on the operating system on the remote
machine. The system administration manuals for the
remote system should be able to help you here.Fire up an X server at the &os; end and login to the
remote machine using an X based terminal emulator such
as xterm or rxvt.
The TERM variable at the remote host
should be set to xterm or
vt100.Why is my PnP card not found (or found as
unknown)?The reasons for this behavior are explained by the
following email, posted to the &a.questions; by &a.peter;, in
answer to a question about an internal modem that was no
longer found after an upgrade to
&os; 4.X (the comments in
[] have been added to clarify the
context).The contents of this quotation has been updated from
its original text.
The PNP bios preconfigured it [the modem] and left it
laying around in port space, so [in
3.X] the old-style ISA probes
found it there.Under 4.0, the ISA code is much more PnP-centric. It
was possible [in 3.X] for an ISA
probe to find a stray device and then for
the PNP device ID to match and then fail due to resource
conflicts. So, it disables the programmable cards first
so this double probing cannot happen. It also means that
it needs to know the PnP IDs for supported PnP hardware.
Making this more user tweakable is on the TODO
list.
To get the device working again requires finding its PnP
ID and adding it to the list that the ISA probes use to
identify PnP devices. This is obtained using
&man.pnpinfo.8; to probe the device, for example this is the
output from &man.pnpinfo.8; for an internal modem:&prompt.root; pnpinfo
Checking for Plug-n-Play devices...
Card assigned CSN #1
Vendor ID PMC2430 (0x3024a341), Serial Number 0xffffffff
PnP Version 1.0, Vendor Version 0
Device Description: Pace 56 Voice Internal Plug & Play Modem
Logical Device ID: PMC2430 0x3024a341 #0
Device supports I/O Range Check
TAG Start DF
I/O Range 0x3f8 .. 0x3f8, alignment 0x8, len 0x8
[16-bit addr]
IRQ: 4 - only one type (true/edge)[more TAG lines elided]TAG End DF
End Tag
Successfully got 31 resources, 1 logical fdevs
-- card select # 0x0001
CSN PMC2430 (0x3024a341), Serial Number 0xffffffff
Logical device #0
IO: 0x03e8 0x03e8 0x03e8 0x03e8 0x03e8 0x03e8 0x03e8 0x03e8
IRQ 5 0
DMA 4 0
IO range check 0x00 activate 0x01The information you require is in the Vendor
ID line at the start of the output. The
hexadecimal number in parentheses
(0x3024a341 in this example) is the PnP
ID and the string immediately before this
(PMC2430) is a unique ASCII ID.Alternatively, if &man.pnpinfo.8; does not list the card
in question, &man.pciconf.8; can be used instead. This is
part of the output from pciconf -vl for
an onboard sound chip:&prompt.root; pciconf -vl
chip1@pci0:31:5: class=0x040100 card=0x00931028 chip=0x24158086 rev=0x02 hdr=0x00
vendor = 'Intel Corporation'
device = '82801AA 8xx Chipset AC'97 Audio Controller'
class = multimedia
subclass = audioHere, you would use the chip value,
0x24158086.This information (Vendor ID or
chip value) needs adding to the file
/usr/src/sys/dev/sio/sio_isa.c.You should first make a backup of
sio_isa.c just in case things go wrong.
You will also need it to make the patch to submit with your
PR (you are going to submit a PR, are you not?) then edit
sio_isa.c and search for the
line:static struct isa_pnp_id sio_ids[] = {Then scroll down to find the correct place to add the
entry for your device. The entries look like this, and are
sorted on the ASCII Vendor ID string which should be
included in the comment to the right of the line of code
along with all (if it will fit) or part of the
Device Description from the output of
&man.pnpinfo.8;:{0x0f804f3f, NULL}, /* OZO800f - Zoom 2812 (56k Modem) */
{0x39804f3f, NULL}, /* OZO8039 - Zoom 56k flex */
{0x3024a341, NULL}, /* PMC2430 - Pace 56 Voice Internal Modem */
{0x1000eb49, NULL}, /* ROK0010 - Rockwell ? */
{0x5002734a, NULL}, /* RSS0250 - 5614Jx3(G) Internal Modem */Add the hexadecimal Vendor ID for your device in the
correct place, save the file, rebuild your kernel, and
reboot. Your device should now be found as an
sio device.Why do I get the error nlist
failed when running, for example,
top or systat?The problem is that the application you are trying to
run is looking for a specific kernel symbol, but, for whatever
reason, cannot find it; this error stems from one of two
problems:Your kernel and userland are not synchronized (i.e.,
you built a new kernel but did not do an
installworld, or vice versa),
and thus the symbol table is different from what the
user application thinks it is. If this is the case,
simply complete the upgrade process (see
/usr/src/UPDATING for the correct
sequence).You are not using /boot/loader to
load your kernel, but doing it directly from
boot2 (see &man.boot.8;). While
there is nothing wrong with bypassing
/boot/loader, it generally does a
better job of making the kernel symbols available to
user applications.Why does it take so long to connect to my computer via
ssh or telnet?The symptom: there is a long delay between the time the
TCP connection is established and the time when the client
software asks for a password (or, in &man.telnet.1;'s case,
when a login prompt appears).The problem: more likely than not, the delay is caused
by the server software trying to resolve the client's IP
address into a hostname. Many servers, including the
Telnet and
SSH servers that come with &os;,
do this in order to, among other things, store the hostname
in a log file for future reference by the
administrator.The remedy: if the problem occurs whenever you connect
from your computer (the client) to any server, the problem is
with the client; likewise, if the problem only occurs when
someone connects to your computer (the server) the problem
is with the server.If the problem is with the client, the only remedy is to
fix the DNS so the server can resolve it. If this is on a
local network, consider it a server problem and keep
reading; conversely, if this is on the global Internet, you
will most likely need to contact your ISP and ask them to
fix it for you.If the problem is with the server, and this is on a
local network, you need to configure the server to be able to
resolve address-to-hostname queries for your local address
range. See the &man.hosts.5; and &man.named.8; manual pages
for more information. If this is on the global Internet,
the problem may be that your server's resolver is not
functioning correctly. To check, try to look up another
host — say, www.yahoo.com. If it
does not work, that is your problem.Following a fresh install of &os;, it is also possible
that domain and name server information is missing from
/etc/resolv.conf. This will often
cause a delay in SSH, as the
option UseDNS is set to
yes by default in the
sshd_config file in
/etc/ssh. If this is causing the
problem, you will either need to fill in the missing
information in /etc/resolv.conf or set
UseDNS to no in
sshd_config as a temporary
workaround.What does stray IRQ mean?Stray IRQs are indications of hardware IRQ glitches,
mostly from hardware that removes its interrupt request in
the middle of the interrupt request acknowledge
cycle.One has three options for dealing with this:Live with the warnings. All except the first 5 per
irq are suppressed anyway.Break the warnings by changing the value of
MAX_STRAY_LOG from
5 to 0 in your
platform's (e.g. &i386;)
intr_machdep.c file and rebuild the
new kernel and all the warnings will be
suppressed.Break the warnings by installing parallel port
hardware that uses IRQ 7 and the PPP driver for it
(this happens on most systems), and install an ide drive
or other hardware that uses IRQ 15 and a suitable
driver for it.Why does file: table is full show
up repeatedly in &man.dmesg.8;?This error message indicates you have exhausted the
number of available file descriptors on your system. Please
see the kern.maxfiles
section of the Tuning Kernel Limits
section of the Handbook for a discussion and
solution.Why are calcru: negative runtime
or calcru: runtime went backwards
messages pounding the console?There is a known problem when enabling &intel; Enhanced
SpeedStep from the BIOS causes the kernel to start printing
calcru messages like this:calcru: runtime went backwards from 6 usec to 3 usec for pid 37 (pagezero)
calcru: runtime went backwards from 6 usec to 3 usec for pid 36 (vmdaemon)
calcru: runtime went backwards from 170 usec to 138 usec for pid 35 (pagedaemon)
calcru: runtime went backwards from 553 usec to 291 usec for pid 15 (swi6: task queue)
calcru: runtime went backwards from 15521 usec to 10366 usec for pid 2 (g_event)
calcru: runtime went backwards from 25 usec to 12 usec for pid 11 (swi1: net)
calcru: runtime went backwards from 4417 usec to 3960 usec for pid 1 (init)
calcru: runtime went backwards from 2084385 usec to 1793542 usec for pid 1 (init)
calcru: runtime went backwards from 408 usec to 204 usec for pid 0 (swapper)It is because &intel; SpeedStep (EIST) is incompatible
with some motherboards.Workaround: Disable the EIST feature in the BIOS. You
can still achieve ACPI-based processor frequency throttling
by using &man.powerd.8;.Why does the clock on my computer keep incorrect time?Your computer has two or more clocks, and &os; has
chosen to use the wrong one.Run &man.dmesg.8;, and check for lines that contain
Timecounter. The one with the highest
quality value that &os; chose.&prompt.root; dmesg | grep Timecounter
Timecounter "i8254" frequency 1193182 Hz quality 0
Timecounter "ACPI-fast" frequency 3579545 Hz quality 1000
Timecounter "TSC" frequency 2998570050 Hz quality 800
Timecounters tick every 1.000 msecYou can confirm this by checking the
kern.timecounter.hardware
&man.sysctl.3;.&prompt.root; sysctl kern.timecounter.hardware
kern.timecounter.hardware: ACPI-fastIt may be a broken ACPI timer. The simplest solution is
to disable the ACPI timer in
/etc/loader.conf:
debug.acpi.disabled="timer"Or the BIOS may modify the TSC clock—perhaps to
change the speed of the processor when running from batteries,
or going into a power saving mode, but &os; is unaware of
these adjustments, and appears to gain or lose time.In this example, the i8254 clock is
also available, and can be selected by writing its name to the
kern.timecounter.hardware
&man.sysctl.3;.&prompt.root; sysctl -w kern.timecounter.hardware=i8254
kern.timecounter.hardware: TSC -> i8254Your computer should now start keeping more accurate
time.To have this change automatically run at boot time, add
the following line to
/etc/sysctl.conf:kern.timecounter.hardware=i8254Why did my laptop fail to correctly probe PC
cards?This problem is common on laptops that boot more than
one operating system. Some non-BSD operating systems leave
PC card hardware in an inconsistent state. &man.pccardd.8;
will detect the card as
"(null)""(null)" instead of its
actual model.You must remove all power from the PC card slot to fully
reset the hardware. Completely power off the laptop. (Do
not suspend it, do not let it go into standby; the power
needs to be completely off.) Wait a few moments, and reboot.
Your PC card should work now.Some laptop hardware lies when it claims to be off. If
the above does not work shut down, remove the battery, wait
a moment, replace the battery, and reboot.Why does &os;'s boot loader display Read
error and stop after the BIOS screen?&os;'s boot loader is incorrectly recognizing the hard
drive's geometry. This must be manually set within
&man.fdisk.8; when creating or modifying &os;'s
slice.The correct drive geometry values can be found within
the machine's BIOS. Look for the number of cylinders, heads
and sectors for the particular drive.Within &man.sysinstall.8;'s fdisk, hit
G to set the drive geometry.A dialog will pop up requesting the number of cylinders,
heads and sectors. Type the numbers found from the BIOS
separated by forward slashes. For example, values of 5000
cylinders, 250 heads, and 60 sectors would be entered as
5000/250/60.Press Enter to set the values, and hit
W to write the new partition table to the
drive.Another operating system destroyed my Boot Manager. How
do I get it back?Enter &man.sysinstall.8; and choose
Configure, then
Fdisk. Select the disk the Boot
Manager resided on with the Space key.
Press W to write changes to the drive. A
prompt will appear asking which boot loader to install.
Select this, and it will be restored.What does the error swap_pager: indefinite
wait buffer: mean?This means that a process is trying to page memory to
disk, and the page attempt has hung trying to access the
disk for more than 20 seconds. It might be caused by bad
blocks on the disk drive, disk wiring, cables, or any other
disk I/O-related hardware. If the drive itself is actually
bad, you will also see disk errors in
/var/log/messages and in the output of
dmesg. Otherwise, check your cables and
connections.What are UDMA ICRC errors, and
how do I fix them?The &man.ata.4; driver reports UDMA
ICRC errors when a DMA transfer to or from a drive
is corrupted. The driver will retry the operation a few
times. Should the retries fail, it will switch from DMA to
the slower PIO mode of communication with the device.The problem can be caused by many factors, although
perhaps the most common cause is faulty or incorrect
cabling. Check that the ATA cables are undamaged and rated
for the Ultra DMA mode in use. If you are using
removable drive trays, they must also be compatible. Be
sure that all connections are making good contact. Problems
have also been noticed when an old drive is installed on the
same ATA channel as an Ultra DMA 66 (or faster)
drive. Lastly, these errors can indicate that the drive is
failing. Most drive vendors provide testing software for
their drives, so test your drive, and, if necessary, back up
your data and replace it.The &man.atacontrol.8; utility can be used to show and
select the DMA or PIO modes used for each ATA device. In
particular, atacontrol mode
channel will show the
modes in use on a particular ATA channel, where the primary
channel is numbered 0, and so on.What is a lock order
reversal?An answer for this question can be found in the &os;
Glosssary, see LOR.
What does Called ... with the following
non-sleepable locks held mean?This means that a function that may sleep was called
while a mutex (or other unsleepable) lock was held.The reason this is an error is because mutexes are not
intended to be held for long periods of time; they are
supposed to only be held to maintain short periods of
synchronization. This programming contract allows device
drivers to use mutexes to synchronize with the rest of the
kernel during interrupts. Interrupts (under &os;) may not
sleep. Hence it is imperative that no subsystem in the
kernel block for an extended period while holding a
mutex.To catch such errors, assertions may be added to the
kernel that interact with the &man.witness.4; subsystem to
emit a warning or fatal error (depending on the system
configuration) when a potentially blocking call is made
while holding a mutex.In summary, such warnings are non-fatal, however with
unfortunate timing they could cause undesirable effects
ranging from a minor blip in the system's responsiveness to
a complete system lockup.Why does
buildworld/installworld
die with the message touch: not
found?This error does not mean that the &man.touch.1; utility
is missing. The error is instead probably due to the dates
of the files being set sometime in the future. If your
CMOS-clock is set to local time you need to run the command
adjkerntz -i to adjust the kernel
clock when booting into single user mode.Commercial ApplicationsThis section is still very sparse, though we are hoping, of
course, that companies will add to it! :) The &os; group has no
financial interest in any of the companies listed here but
simply lists them as a public service (and feels that commercial
interest in &os; can have very positive effects on &os;'s
long-term viability). We encourage commercial software vendors
to send their entries here for inclusion. See the Vendors page
for a longer list.Where can I get an Office Suite for &os;?The open-source OpenOffice.org
office suite works natively on &os;. The &linux; version of
StarOffice,
the value-added closed-source version of OpenOffice.org,
also works on &os;.&os; also includes a variety of text editors,
spreadsheets, and drawing programs in the Ports
Collection.Where can I get &motif; for
&os;?The Open Group has released the source code to
&motif; 2.2.2. You can
install the x11-toolkits/open-motif package,
or compile it from ports. Refer to the ports section of the Handbook
for more information on how to do this.The Open &motif;
distribution only allows redistribution if it is running
on an open source
operating system.In addition, there are commercial distributions of the
&motif; software available. These,
however, are not for free, but their license allows them to
be used in closed-source software. Contact Apps2go for the least expensive ELF
&motif; 2.1.20 distribution
for &os; (&i386;).There are two distributions, the development
edition and the runtime edition (for
much less). These distributions includes:OSF/&motif; manager,
xmbind,
panner,
wsm.Development kit with uil, mrm, xm, xmcxx, include
and Imake files.Static and dynamic ELF libraries.Demonstration applets.Be sure to specify that you want the &os; version of
&motif; when ordering (do not
forget to mention the architecture you want too)! Versions
for NetBSD and OpenBSD are also sold by
Apps2go. This is currently a FTP only
download.More info Apps2go
WWW pageorsales@apps2go.com or
support@apps2go.comorphone (817) 431 8775 or
+1 817 431-8775Where can I get CDE for
&os;?Xi Graphics used to sell
CDE for &os;, but no longer
do.KDE
is an open source X11 desktop which is similar to
CDE in many respects. You might
also like the look and feel of xfce.
KDE and
xfce are both in the ports system.
Are there any Database systems for &os;?Yes! See the Commercial Vendors
section of &os;'s Web site.Also see the Databases
section of the Ports Collection.Can I run &oracle; on
&os;?Yes. The following pages tell you exactly how to set up
&linux; &oracle; on &os;:http://www.unixcities.com/oracle/index.htmlhttp://www.shadowcom.net/freebsd-oracle9i/User ApplicationsSo, where are all the user applications?Please take a look at the ports page
for info on software packages ported to &os;. The list
currently tops &os.numports; and is growing daily, so come
back to check often or subscribe to the &a.announce; for
periodic updates on new entries.Most ports should work on the
6.X,
7.X and
8.X branches. Each time a &os;
release is made, a snapshot of the ports tree at the time of
release in also included in the ports/
directory.We also support the concept of a package,
essentially no more than a compressed binary distribution
with a little extra intelligence embedded in it for doing
whatever custom installation work is required. A package
can be installed and uninstalled again easily without having
to know the gory details of which files it includes.Use the Packages package
installation menu in &man.sysinstall.8; (under the
Configure menu item) or invoke
the &man.pkg.add.1; command on the specific package files
you are interested in installing. Package files can usually
be identified by their .tbz suffix and
CD-ROM distribution people will have a
packages/All directory on their CD
which contains such files. They can also be downloaded over
the net for various versions of &os; at the following
locations:for 6.X-RELEASE/6-STABLEftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-6-stablefor 7.X-RELEASE/7-STABLEftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-7-stablefor 8-CURRENTftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-8-currentor your nearest local mirror site.Note that all ports may not be available as packages
since new ones are constantly being added. It is always a
good idea to check back periodically to see which packages
are available at the ftp.FreeBSD.org
master site.How do I configure INN (Internet News) for my
machine?After installing the news/inn package or port, an
excellent place to start is Dave Barr's INN Page
where you will find the INN FAQ.Does &os; support &java;?Yes. Please see http://www.FreeBSD.org/java/.
Why can I not build this port on my
6.X or
7.X-STABLE machine?If you are running a &os; version that lags
significantly behind -CURRENT or
-STABLE, you may need to update your
Ports Collection; see the Keeping Up
section of the Porter's Handbook for further information on
how to do this. If you are up to date, then someone might
have committed a change to the port which works for
-CURRENT but which broke the port for
-STABLE. Please submit a bug report on
this with the &man.send-pr.1; command, since the Ports
Collection is supposed to work for both the
-CURRENT and
-STABLE branches.I just tried to build INDEX using
make index, and
it failed. Why?First, always make sure that you have a completely
up-to-date Ports Collection. Errors that affect building
INDEX from an up-to-date copy of the
Ports Collection are high-visibility and are thus almost
always fixed immediately.However, if you are up-to-date, perhaps you are seeing
another problem. make index
has a known bug in dealing with incomplete copies of the
Ports Collection. It assumes that you have a local copy of
every single port that every other port that you have a
local copy of depends on. To explain, if you have a copy of
foo/bar on your disk, and
foo/bar depends on
baz/quux, then you must also have a
copy of baz/quux on your disk, and the
ports baz/quux depends on, and so on.
Otherwise, make index
has insufficient information to create its dependency
tree.This is particularly a problem for &os; users who
utilize &man.cvsup.1; (or &man.csup.1;) to track the Ports
Collection but choose not to install certain categories by
specifying them in refuse. In theory,
one should be able to refuse categories, but in practice
there are too many ports that depend on ports in other
categories. Until someone comes up with a solution for this
problem, the general rule is is that if you want to build
INDEX, you must have a complete copy of
the Ports Collection.There are rare cases where INDEX
will not build due to odd cases involving
WITH_* or
WITHOUT_*
variables being set in make.conf. If
you suspect that this is the case, please try to make
INDEX with those make variables turned
off before reporting it to &a.ports;.Why is CVSup not integrated
in the main &os; tree?The &os; base system is designed as self-hosting —
it should be possible to build the whole operating system
starting with a very limited set of tools. Thus, the actual
build tools needed to compile the &os; sources are bundled
with the sources themselves. This includes a C compiler
(&man.gcc.1;), &man.make.1;, &man.awk.1;, and similar
tools.Since CVSup is written in
Modula-3, adding it to the &os; base system would also require
adding and maintaining a Modula-3 compiler. This would lead
to both an increase in the disk space consumed by the &os;
sources and additional maintenance work. Thus, it is much
easier for both the developers and users to keep
CVSup as a separate port, which
can be easily installed as a package bundled on the &os;
installation CDs.However, &os; users are not without an integrated
CVSup compatible client anymore
since &os; 6.2-RELEASE. Thanks to &a.mux;,
CVSup was rewritten in C as
&man.csup.1; and it is the part of the base system by now.
Although it does not implement all the features of
CVSup at the moment, it is good
enough (and really fast!) to keep your sources synchronized.
For systems earlier than 6.2, it can be installed as a port
or package (see net/csup).I updated the sources, now how do I update my installed
ports?&os; does not include a port upgrading tool, but it does
have some tools to make the upgrade process somewhat easier.
You can also install additional tools to simplify port
handling, see the Upgrading Ports
section in the &os; Handbook.Why is /bin/sh so minimal? Why does
&os; not use bash or another
shell?Because &posix; says that there shall be such a
shell.The more complicated answer: many people need to write
shell scripts which will be portable across many systems.
That is why &posix; specifies the shell and utility commands
in great detail. Most scripts are written in Bourne shell,
and because several important programming interfaces
(&man.make.1;, &man.system.3;, &man.popen.3;, and analogues
in higher-level scripting languages like Perl and Tcl) are
specified to use the Bourne shell to interpret commands.
Because the Bourne shell is so often and widely used, it is
important for it to be quick to start, be deterministic in
its behavior, and have a small memory footprint.The existing implementation is our best effort at
meeting as many of these requirements simultaneously as we
can. In order to keep /bin/sh small, we
have not provided many of the convenience features that
other shells have. That is why the Ports Collection
includes more featureful shells like
bash, scsh,
tcsh, and zsh. (You
can compare for yourself the memory utilization of all these
shells by looking at the VSZ and
RSS columns in a ps
listing.)Why do &netscape; and
Opera take so long to start?The usual answer is that DNS on your system is
misconfigured. Both &netscape;
and Opera perform DNS checks when
starting up. The browser will not appear on your desktop
until the program either gets a response or determines that
the system has no network connection.I updated parts of the Ports Collection using
CVSup, and now many ports fail to
build with mysterious error messages! What happened? Is
the Ports Collection broken in some major way?If you only update parts of the Ports Collection, using
one of its CVSup subcollections
and not the ports-allCVSup collection, you should
always update the
ports-base subcollection too! The
reasons are described in the Handbook.
How do I create audio CDs from my MIDI files?To create audio CDs from MIDI files, first install
audio/timidity++ from
ports then install manually the GUS patches set by Eric A.
Welsh, available at .
After TiMidity++ has been installed
properly, MIDI files may be converted to WAV files with the
following command line:&prompt.user; timidity -Ow -s 44100 -o /tmp/juke/01.wav01.midThe WAV files can then be converted to other formats or
burned onto audio CDs, as described in the &os; Handbook.
Kernel ConfigurationI would like to customize my kernel. Is it
difficult?Not at all! Check out the kernel config section of the Handbook.
The new kernel will be installed
to the /boot/kernel directory along
with its modules, while the old kernel and its modules
will be moved to the /boot/kernel.old
directory, so if you make a mistake the next time you play
with your configuration you can boot the previous version
of your kernel.My kernel compiles fail because
_hw_float is missing. How do I solve
this problem?You probably removed npx0 (see
&man.npx.4;) from your kernel configuration file because you
do not have a math co-processor. The
npx0 device is
MANDATORY. Somewhere inside your
hardware lies a device that provides hardware floating-point
support, even if it is no longer a separate device as used
in the good old 386 days. You must
include the npx0 device. Even if
you manage to build a kernel without
npx0 support, it will not boot
anyway.Why is my kernel so big (over 10 MB)?Chances are, you compiled your kernel in debug
mode. Kernels built in debug mode contain many
symbols that are used for debugging, thus greatly increasing
the size of the kernel. Note that there will be little or
no performance decrease from running a debug kernel, and it
is useful to keep one around in case of a system
panic.However, if you are running low on disk space, or you
simply do not want to run a debug kernel, make sure that
both of the following are true:You do not have a line in your kernel configuration
file that reads:makeoptions DEBUG=-gYou are not running &man.config.8; with the
option.Either of the above settings will cause your kernel to
be built in debug mode. As long as you make sure you follow
the steps above, you can build your kernel normally, and you
should notice a fairly large size decrease; most kernels
tend to be around 1.5 MB to 2 MB.Why do I get interrupt conflicts with multi-port serial
code?When I compile a kernel with multi-port serial code, it
tells me that only the first port is probed and the rest
skipped due to interrupt conflicts. How do I fix
this?The problem here is that &os; has code built-in to keep
the kernel from getting trashed due to hardware or software
conflicts. The way to fix this is to leave out the IRQ
settings on all but one port. Here is an example:#
# Multiport high-speed serial line - 16550 UARTS
#
device sio2 at isa? port 0x2a0 tty irq 5 flags 0x501 vector siointr
device sio3 at isa? port 0x2a8 tty flags 0x501 vector siointr
device sio4 at isa? port 0x2b0 tty flags 0x501 vector siointr
device sio5 at isa? port 0x2b8 tty flags 0x501 vector siointrWhy does every kernel I try to build fail to compile,
even GENERIC?There are a number of possible causes for this problem.
They are, in no particular order:You are not using the
make buildkernel and
make installkernel
targets, and your source tree is different from the one
used to build the currently running system (e.g., you
are compiling &rel.current;-RELEASE on a
&rel2.current;-RELEASE system). If you are attempting
an upgrade, please read the
/usr/src/UPDATING file, paying
particular attention to the COMMON ITEMS
section at the end.You are using the
make buildkernel
and
make installkernel
targets, but you failed to assert the completion of the
make buildworld
target. The
make buildkernel
target relies on files generated by the
make buildworld
target to complete its job correctly.Even if you are trying to build &os;-STABLE, it is possible that
you fetched the source tree at a time when it was either
being modified, or broken for other reasons; only
releases are absolutely guaranteed to be buildable,
although &os;-STABLE
builds fine the majority of the time. If you have not
already done so, try re-fetching the source tree and see
if the problem goes away. Try using a different server
in case the one you are using is having problems.How can I verify which scheduler is in use on a running
system?Check for the existence of the
kern.sched.quantum sysctl. If you have
it, you should see something like this:&prompt.user; sysctl kern.sched.quantum
kern.sched.quantum: 99960If the kern.sched.quantum sysctl
exists, you are using the 4BSD scheduler (&man.sched.4bsd.4;).
If not, you will get an error printed by &man.sysctl.8;
(which you can safely ignore):&prompt.user; sysctl kern.sched.quantum
sysctl: unknown oid 'kern.sched.quantum'The name of the scheduler currently being used is
directly available as the value of the
kern.sched.name sysctl:&prompt.user; sysctl kern.sched.name
kern.sched.name: 4BSDWhat is kern.sched.quantum?kern.sched.quantum is the maximum
number of ticks a process can run without being preempted. It
is specific to the 4BSD scheduler, so you can use its
presence or absence to determine which scheduler is in
use.Disks, File Systems, and Boot LoadersHow can I add my new hard disk to my &os; system?See the Adding Disks
section in the &os; Handbook.How do I move my system over to my huge new disk?The best way is to reinstall the OS on the new disk,
then move the user data over. This is highly recommended if
you have been tracking -STABLE for more
than one release, or have updated a release instead of
installing a new one. You can install booteasy on both
disks with &man.boot0cfg.8;, and dual boot them until you
are happy with the new configuration. Skip the next
paragraph to find out how to move the data after doing
this.Should you decide not to do a fresh install, you need to
partition and label the new disk with either
&man.sysinstall.8;, or &man.fdisk.8; and &man.disklabel.8;.
You should also install booteasy on both disks with
&man.boot0cfg.8;, so that you can dual boot to the old or
new system after the copying is done. See the formatting-media article
for details on this process.Now you have the new disk set up, and are ready to move
the data. Unfortunately, you cannot just blindly copy the
data. Things like device files (in
/dev), flags, and links tend to screw
that up. You need to use tools that understand these
things, which means &man.dump.8;. Although it is suggested
that you move the data in single user mode, it is not
required.You should never use anything but &man.dump.8; and
&man.restore.8; to move the root file system. The
&man.tar.1; command may work — then again, it may not.
You should also use &man.dump.8; and &man.restore.8; if you
are moving a single partition to another empty partition.
The sequence of steps to use dump to move
a partitions data to a new partition is:newfs the new partition.mount it on a temporary mount
point.cd to that directory.dump the old partition, piping
output to the new one.For example, if you are going to move root to
/dev/ad1s1a,
with /mnt as
the temporary mount point, it is:&prompt.root; newfs /dev/ad1s1a
&prompt.root; mount /dev/ad1s1a/mnt
&prompt.root; cd /mnt
&prompt.root; dump 0af - / | restore xf -Rearranging your partitions with dump
takes a bit more work. To merge a partition like
/var into its parent, create the new
partition large enough for both, move the parent partition
as described above, then move the child partition into the
empty directory that the first move created:&prompt.root; newfs /dev/ad1s1a
&prompt.root; mount /dev/ad1s1a/mnt
&prompt.root; cd /mnt
&prompt.root; dump 0af - / | restore xf -
&prompt.root; cd var
&prompt.root; dump 0af - /var | restore xf -To split a directory from its parent, say putting
/var on its own partition when it was
not before, create both partitions, then mount the child
partition on the appropriate directory in the temporary
mount point, then move the old single partition:&prompt.root; newfs /dev/ad1s1a
&prompt.root; newfs /dev/ad1s1d
&prompt.root; mount /dev/ad1s1a/mnt
&prompt.root; mkdir /mnt/var
&prompt.root; mount /dev/ad1s1d/mnt/var
&prompt.root; cd /mnt
&prompt.root; dump 0af - / | restore xf -You might prefer &man.cpio.1;, &man.pax.1;, &man.tar.1;
to &man.dump.8; for user data. At the time of this writing,
these are known to lose file flag information, so use them
with caution.Will a dangerously dedicated disk
endanger my health?The installation procedure allows
you to chose two different methods in partitioning your hard
disk(s). The default way makes it compatible with other
operating systems on the same machine, by using
&man.fdisk.8; table entries (called slices in
&os;), with a &os; slice that employs partitions of its own.
Optionally, one can chose to install a boot-selector to
switch between the possible operating systems on the
disk(s). The alternative uses the entire disk for &os;, and
makes no attempt to be compatible with other operating
systems.So why it is called dangerous? A disk in
this mode does not contain what normal PC utilities would
consider a valid &man.fdisk.8; table. Depending on how well
they have been designed, they might complain at you once
they are getting in contact with such a disk, or even worse,
they might damage the BSD bootstrap without even asking or
notifying you. In addition, the dangerously
dedicated disk's layout is known to confuse many
BIOSes, including those from AWARD (e.g. as found in HP
Netserver and Micronics systems as well as many others) and
Symbios/NCR (for the popular 53C8xx range of SCSI
controllers). This is not a complete list, there are more.
Symptoms of this confusion include the read
error message printed by the &os; bootstrap when
it cannot find itself, as well as system lockups when
booting.Why have this mode at all then? It only saves a few
kbytes of disk space, and it can cause real problems for a new
installation. Dangerously dedicated mode's
origins lie in a desire to avoid one of the most common
problems plaguing new &os; installers — matching the
BIOS geometry numbers for a disk to the disk
itself.Geometry is an outdated concept, but one
still at the heart of the PC's BIOS and its interaction with
disks. When the &os; installer creates slices, it has to
record the location of these slices on the disk in a fashion
that corresponds with the way the BIOS expects to find them.
If it gets it wrong, you will not be able to boot.Dangerously dedicated mode tries to work
around this by making the problem simpler. In some cases,
it gets it right. But it is meant to be used as a
last-ditch alternative — there are better ways to
solve the problem 99 times out of 100.So, how do you avoid the need for DD mode
when you are installing? Start by making a note of the
geometry that your BIOS claims to be using for your disks.
You can arrange to have the kernel print this as it boots by
specifying at the
boot: prompt, or using
boot -v in the loader. Just before the
installer starts, the kernel will print a list of BIOS
geometries. Do not panic — wait for the installer to
start and then use scrollback to read the numbers.
Typically the BIOS disk units will be in the same order that
&os; lists your disks, first IDE, then SCSI.When you are slicing up your disk, check that the disk
geometry displayed in the FDISK screen is correct (ie. it
matches the BIOS numbers); if it is wrong, use the
G key to fix it. You may have to do this
if there is absolutely nothing on the disk, or if the disk
has been moved from another system. Note that this is only
an issue with the disk that you are going to boot from; &os;
will sort itself out just fine with any other disks you may
have.Once you have got the BIOS and &os; agreeing about the
geometry of the disk, your problems are almost guaranteed to
be over, and with no need for DD mode at all.
If, however, you are still greeted with the dreaded
read error message when you try to
boot, it is time to cross your fingers and go for it - there
is nothing left to lose.To return a dangerously dedicated disk
for normal PC use, there are basically two options. The
first is, you write enough NULL bytes over the MBR to make
any subsequent installation believe this to be a blank disk.
You can do this for example with the following
command:&prompt.root; dd if=/dev/zero of=/dev/rda0 count=15Alternatively, the undocumented DOS
featureC:\>fdisk /mbrwill to install a new master boot record as well, thus
clobbering the BSD bootstrap.Which partitions can safely use Soft Updates? I have
heard that Soft Updates on / can cause
problems.Short answer: you can usually use Soft Updates safely on
all partitions.Long answer: There used to be some concern over using
Soft Updates on the root partition. Soft Updates has two
characteristics that caused this. First, a Soft Updates
partition has a small chance of losing data during a system
crash. (The partition will not be corrupted; the data will
simply be lost.) Also, Soft Updates can cause temporary
space shortages.When using Soft Updates, the kernel can take up to
thirty seconds to actually write changes to the physical
disk. If you delete a large file, the file still resides on
disk until the kernel actually performs the deletion. This
can cause a very simple race condition. Suppose you delete
one large file and immediately create another large file.
The first large file is not yet actually removed from the
physical disk, so the disk might not have enough room for
the second large file. You get an error that the partition
does not have enough space, although you know perfectly well
that you just released a large chunk of space! When you try
again mere seconds later, the file creation works as you
expect. This has left more than one user scratching his
head and doubting his sanity, the &os; file system, or
both.If a system should crash after the kernel accepts a
chunk of data for writing to disk, but before that data is
actually written out, data could be lost or corrupted. This
risk is extremely small, but generally manageable. Use of
IDE write caching greatly increases this risk; it is
strongly recommended that you disable IDE write caching when
using Soft Updates.These issues affect all partitions using Soft Updates.
So, what does this mean for the root partition?Vital information on the root partition changes very
rarely. Files such as
/boot/kernel/kernel and the contents of
/etc only change during system
maintenance, or when users change their passwords. If the
system crashed during the thirty-second window after such a
change is made, it is possible that data could be lost.
This risk is negligible for most applications, but you
should be aware that it exists. If your system cannot
tolerate this much risk, do not use Soft Updates on the root
file system!/ is traditionally one of the
smallest partitions. If you put the
/tmp directory on
/ and you have a busy
/tmp, you might see intermittent space
problems. Symlinking /tmp to
/var/tmp will solve this
problem.What is inappropriate about my &man.ccd.4;?The symptom of this is:&prompt.root; ccdconfig -C
ccdconfig: ioctl (CCDIOCSET): /dev/ccd0c: Inappropriate file type or formatThis usually happens when you are trying to concatenate
the c partitions, which default to type
unused. The &man.ccd.4; driver requires
the underlying partition type to be
FS_BSDFFS. Edit the disk label of the
disks you are trying to concatenate and change the types of
partitions to 4.2BSD.Why can I not edit the disk label on my
&man.ccd.4;?The symptom of this is:&prompt.root; disklabel ccd0
(it prints something sensible here, so let us try to edit it)
&prompt.root; disklabel -e ccd0
(edit, save, quit)
disklabel: ioctl DIOCWDINFO: No disk label on disk;
use "disklabel -r" to install initial labelThis is because the disk label returned by &man.ccd.4;
is actually a fake one that is not really on
the disk. You can solve this problem by writing it back
explicitly, as in:&prompt.root; disklabel ccd0 > /tmp/disklabel.tmp
&prompt.root; disklabel -Rr ccd0/tmp/disklabel.tmp
&prompt.root; disklabel -e ccd0
(this will work now)Can I mount other foreign file systems under
&os;?&os; supports a variety of other file systems.UFSUFS CD-ROMs can be mounted directly on &os;.
Mounting disk partitions from Digital UNIX and other
systems that support UFS may be more complex,
depending on the details of the disk partitioning for
the operating system in question.ext2/ext3&os; supports ext2fs and
ext3fs partitions. See
&man.mount.ext2fs.8; for more information.NTFS&os; includes a read-only NTFS driver. For more
information, see &man.mount.ntfs.8;. A port of ntfs-3g
supports write operations on NTFS (see sysutils/fusefs-ntfs).FAT&os; includes a read-write FAT driver. For more
information, see &man.mount.msdosfs.8;.ReiserFS&os; includes a read-only ReiserFS driver. For
more information, see &man.mount.reiserfs.8;.ZFSAs of this writing, &os; includes a port of
&sun;'s ZFS driver. The current recommendation is to
use it only on &arch.amd64; platforms with sufficient
memory. For more information, see &man.zfs.8;.&os; also supports network file systems such as NFS (see
&man.mount.nfs.8;), NetWare (see &man.mount.nwfs.8;), and
Microsoft-style SMB file systems (see &man.mount.smbfs.8;).
You can find ports based on FUSE (sysutils/fusefs-kmod) for many
other file systems.How do I mount a secondary DOS partition?The secondary DOS partitions are found after
all the primary partitions. For
example, if you have an E partition as the
second DOS partition on the second SCSI drive, there will be
a device file for slice 5 in
/dev, so simply mount it:&prompt.root; mount -t msdos /dev/da1s5 /dos/eIs there a cryptographic file system for &os;?Yes. You can use either &man.gbde.8; or &man.geli.8;,
see the Encrypting Disk Partitions
section of the &os; Handbook.How can I use the &windowsnt; loader to boot
&os;?The general idea is that you copy the first sector of
your native root &os; partition into a file in the
DOS/&windowsnt; partition. Assuming you name that file
something like c:\bootsect.bsd
(inspired by c:\bootsect.dos), you can
then edit the c:\boot.ini file to come
up with something like this:[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows NT"
C:\BOOTSECT.BSD="&os;"
C:\="DOS"If &os; is installed on the same disk as the &windowsnt;
boot partition simply copy /boot/boot1 to
C:\BOOTSECT.BSD. However, if &os; is
installed on a different disk
/boot/boot1 will not work,
/boot/boot0 is needed./boot/boot0 needs to be installed
using &man.sysinstall.8; by selecting the &os; boot manager
on the screen which asks if you wish to use a boot manager.
This is because /boot/boot0 has the
partition table area filled with NULL characters but
&man.sysinstall.8; copies the partition table before copying
/boot/boot0 to the MBR.Do not simply copy
/boot/boot0 instead of
/boot/boot1; you will overwrite
your partition table and render your computer
un-bootable!When the &os; boot manager runs it records the last OS
booted by setting the active flag on the partition table
entry for that OS and then writes the whole 512-bytes of
itself back to the MBR so if you just copy
/boot/boot0 to
C:\BOOTSECT.BSD then it writes an empty
partition table, with the active flag set on one entry, to
the MBR.How do I boot &os; and &linux; from LILO?If you have &os; and &linux; on the same disk, just
follow LILO's installation instructions for booting a
non-&linux; operating system. Very briefly, these
are:Boot &linux;, and add the following lines to
/etc/lilo.conf:other=/dev/hda2
table=/dev/hda
label=&os;(the above assumes that your &os; slice is known to
&linux; as /dev/hda2; tailor to
suit your setup). Then, run lilo as
root and you should be done.If &os; resides on another disk, you need to add
loader=/boot/chain.b to the LILO entry.
For example:other=/dev/dab4
table=/dev/dab
loader=/boot/chain.b
label=&os;In some cases you may need to specify the BIOS drive
number to the &os; boot loader to successfully boot off the
second disk. For example, if your &os; SCSI disk is probed
by BIOS as BIOS disk 1, at the &os; boot loader prompt you
need to specify:Boot: 1:da(0,a)/boot/kernel/kernelYou can configure &man.boot.8; to automatically do this
for you at boot time.The &linux;+&os; mini-HOWTO
is a good reference for &os; and &linux; interoperability
issues.How do I boot &os; and &linux; using GRUB?Booting &os; using GRUB is very simple. Just add the
following to your configuration file
/boot/grub/menu.lst (or
/boot/grub/grub.conf in some systems,
e.g. Red Hat Linux and its derivatives).title &os; 6.1
root (hd0,a)
kernel /boot/loader
Where hd0,a points to your
root partition on the first disk. If you need to specify
which slice number should be used, use something like this
(hd0,2,a). By default, if the
slice number is omitted, GRUB searches the first slice which
has a partition.How do I boot &os; and &linux; using
BootEasy?Install LILO at the start of your &linux; boot partition
instead of in the Master Boot Record. You can then boot
LILO from BootEasy.If you are running &windows; and &linux; this is
recommended anyway, to make it simpler to get &linux; booting
again if you should need to reinstall &windows; (which is a
Jealous Operating System, and will bear no other Operating
Systems in the Master Boot Record).How do I change the boot prompt from
??? to something more meaningful?You can not do that with the standard boot manager
without rewriting it. There are a number of other boot
managers in the sysutils ports category
that provide this functionality.I have a new removable drive, how do I use it?Whether it is a removable drive like a &iomegazip; or an
EZ drive (or even a floppy, if you want to use it that way),
or a new hard disk, once it is installed and recognized by
the system, and you have your cartridge/floppy/whatever
slotted in, things are pretty much the same for all
devices.(this section is based on Mark Mayo's ZIP FAQ)
If it is a ZIP drive or a floppy, you have already got a
DOS file system on it, you can use a command like this:&prompt.root; mount -t msdos /dev/fd0c /floppyif it is a floppy, or this:&prompt.root; mount -t msdos /dev/da2s4 /zipfor a ZIP disk with the factory configuration.For other disks, see how they are laid out using
&man.fdisk.8; or &man.sysinstall.8;.The rest of the examples will be for a ZIP drive on
da2, the third SCSI disk.Unless it is a floppy, or a removable you plan on
sharing with other people, it is probably a better idea to
stick a BSD file system on it. You will get long filename
support, at least a 2X improvement in performance, and a lot
more stability. First, you need to redo the DOS-level
partitions/file systems. You can either use &man.fdisk.8;
or &man.sysinstall.8;, or for a small drive that you do not
want to bother with multiple operating system support on,
just blow away the whole FAT partition table (slices) and
just use the BSD partitioning:&prompt.root; dd if=/dev/zero of=/dev/rda2 count=2
&prompt.root; disklabel -Brw da2 autoYou can use &man.disklabel.8; or &man.sysinstall.8; to
create multiple BSD partitions. You will certainly want to
do this if you are adding swap space on a fixed disk, but it
is probably irrelevant on a removable drive like a
ZIP.Finally, create a new file system, this one is on our
ZIP drive using the whole disk:&prompt.root; newfs /dev/rda2cand mount it:&prompt.root; mount /dev/da2c /zipand it is probably a good idea to add a line like this
to /etc/fstab (see &man.fstab.5;) so
you can just type mount /zip in the
future:/dev/da2c /zip ffs rw,noauto 0 0Why do I get Incorrect super
block when mounting a CD-ROM?You have to tell &man.mount.8; the type of the device
that you want to mount. This is described in the Handbook section on optical media,
specifically the section Using Data CDs.
Why do I get Device not
configured when mounting a CD-ROM?This generally means that there is no CD-ROM in the
CD-ROM drive, or the drive is not visible on the bus.
Please see the Using Data CDs
section of the Handbook for a detailed discussion of this
issue.Why do all non-English characters in filenames show up
as ? on my CDs when mounted in &os;?Your CD-ROM probably uses the Joliet
extension for storing information about files and
directories. This is discussed in the Handbook chapter on
creating and using CD-ROMs,
specifically the section on Using Data CD-ROMs.
I burned a CD under &os; and now I can not read it under
any other operating system. Why?You most likely burned a raw file to your CD, rather
than creating an ISO 9660 file system. Take a look at
the Handbook chapter on creating CD-ROMs,
particularly the section on burning raw data CDs.
How can I create an image of a data CD?This is discussed in the Handbook section on duplicating data CDs.
For more on working with CD-ROMs, see the Creating CDs Section
in the Storage chapter in the Handbook.Why can I not mount an audio
CD?If you try to mount an audio CD, you will get an error
like cd9660: /dev/acd0c: Invalid
argument. This is because
mount only works on file systems. Audio
CDs do not have file systems; they just have data. You need
a program that reads audio CDs, such as the audio/xmcd port.How do I mount a multi-session
CD?By default, &man.mount.8; will attempt to mount the last
data track (session) of a CD. If you would like to load an
earlier session, you must use the
command line argument. Please see &man.mount.cd9660.8; for
specific examples.How do I let ordinary users mount floppies, CD-ROMs and
other removable media?Ordinary users can be permitted to mount devices. Here
is how:As root set the sysctl variable
vfs.usermount to
1.&prompt.root; sysctl -w vfs.usermount=1As root assign the appropriate
permissions to the block device associated with the
removable media.For example, to allow users to mount the first
floppy drive, use:&prompt.root; chmod 666 /dev/fd0To allow users in the group
operator to mount the CD-ROM
drive, use:&prompt.root; chgrp operator /dev/acd0c
&prompt.root; chmod 640 /dev/acd0cYou will need to alter
/etc/devfs.conf to make these
changes permanent across reboots.As root, add the necessary
lines to /etc/devfs.conf. For
example, to allow users to mount the first floppy drive
add:# Allow all users to mount the floppy disk.
own /dev/fd0 root:operator
perm /dev/fd0 0666To allow users in the group
operator to mount the CD-ROM drive
add:# Allow members of the group operator to mount CD-ROMs.
own /dev/acd0 root:operator
perm /dev/acd0 0660Finally, add the line
vfs.usermount=1 to
the file /etc/sysctl.conf so that
it is reset at system boot time.All users can now mount the floppy
/dev/fd0 onto a directory that they
own:&prompt.user; mkdir ~/my-mount-point
&prompt.user; mount -t msdos /dev/fd0 ~/my-mount-pointUsers in group operator can now
mount the CD-ROM /dev/acd0c onto a
directory that they own:&prompt.user; mkdir ~/my-mount-point
&prompt.user; mount -t cd9660 /dev/acd0c ~/my-mount-pointUnmounting the device is simple:&prompt.user; umount ~/my-mount-pointEnabling vfs.usermount, however, has
negative security implications. A better way to access
&ms-dos; formatted media is to use the emulators/mtools package in the
Ports Collection.The device name used in the previous examples must be
changed according to your configuration.The du and df
commands show different amounts of disk space available.
What is going on?You need to understand what du and
df really do. du goes
through the directory tree, measures how large each file is,
and presents the totals. df just asks
the file system how much space it has left. They seem to be
the same thing, but a file without a directory entry will
affect df but not
du.When a program is using a file, and you delete the file,
the file is not really removed from the file system until
the program stops using it. The file is immediately deleted
from the directory listing, however. You can see this
easily enough with a program such as
more. Assume you have a file large
enough that its presence affects the output of
du and df. (Since
disks can be so large today, this might be a
very large file!) If you delete this
file while using more on it,
more does not immediately choke and
complain that it cannot view the file. The entry is simply
removed from the directory so no other program or user can
access it. du shows that it is gone
— it has walked the directory tree and the file is not
listed. df shows that it is still there,
as the file system knows that more is
still using that space. Once you end the
more session, du and
df will agree.Note that Soft Updates can delay the freeing of disk
space; you might need to wait up to 30 seconds for the
change to be visible!This situation is common on web servers. Many people
set up a &os; web server and forget to rotate the log files.
The access log fills up /var. The new
administrator deletes the file, but the system still
complains that the partition is full. Stopping and
restarting the web server program would free the file,
allowing the system to release the disk space. To prevent
this from happening, set up &man.newsyslog.8;.How can I add more swap space?In the Configuration and Tuning
section of the Handbook, you will find a section
describing how to do this.Why does &os; see my disk as smaller than the
manufacturer says it is?Disk manufacturers calculate gigabytes as a billion
bytes each, whereas &os; calculates them as
1,073,741,824 bytes each. This explains why, for
example, &os;'s boot messages will report a disk that
supposedly has 80 GB as holding 76,319 MB.Also note that &os; will (by default) reserve 8% of the disk
space.How is it possible for a partition to be more than 100%
full?A portion of each UFS partition (8%, by default) is
reserved for use by the operating system and the
root user. &man.df.1; does not count
that space when calculating the Capacity
column, so it can exceed 100%. Also, you will notice that
the Blocks column is always greater than
the sum of the Used and
Avail columns, usually by a factor of
8%.For more details, look up the option
in &man.tunefs.8;.System AdministrationWhere are the system start-up configuration
files?The primary configuration file is
/etc/defaults/rc.conf (see
&man.rc.conf.5;). System startup scripts such as
/etc/rc and
/etc/rc.d (see &man.rc.8;) just include
this file. Do not edit this file!
Instead, if there is any entry in
/etc/defaults/rc.conf that you want to
change, you should copy the line into
/etc/rc.conf and change it
there.For example, if you wish to start &man.named.8;, the
included DNS server, all you need to do is:&prompt.root; echo named_enable="YES" >> /etc/rc.confTo start up local services, place shell scripts in the
/usr/local/etc/rc.d directory. These
shell scripts should be set executable, the default file
mode is 555.How do I add a user easily?Use the &man.adduser.8; command, or the &man.pw.8;
command for more complicated situations.To remove the user, use the &man.rmuser.8; command or,
if necessary, &man.pw.8;.Why do I keep getting messages like root: not
found after editing my
crontab file?This is normally caused by editing the system crontab
(/etc/crontab) and then using
&man.crontab.1; to install it:&prompt.root; crontab /etc/crontabThis is not the correct way to do things. The system
crontab has a different format to the per-user crontabs
which &man.crontab.1; updates (the &man.crontab.5; manual
page explains the differences in more detail).If this is what you did, the extra crontab is simply a
copy of /etc/crontab in the wrong
format it. Delete it with the command:&prompt.root; crontab -rNext time, when you edit
/etc/crontab, you should not do
anything to inform &man.cron.8; of the changes, since it
will notice them automatically.If you want something to be run once per day, week, or
month, it is probably better to add shell scripts
/usr/local/etc/periodic, and let the
&man.periodic.8; command run from the system
cron schedule it with the other periodic
system tasks.The actual reason for the error is that the system
crontab has an extra field, specifying which user to run the
command as. In the default system crontab provided with
&os;, this is root for all entries.
When this crontab is used as the root
user's crontab (which is not the same
as the system crontab), &man.cron.8; assumes the string
root is the first word of the command to
execute, but no such command exists.Why do I get the error, you are not in the
correct group to su root when I try to
su to root?This is a security feature. In order to
su to root (or any
other account with superuser privileges), you must be in the
wheel group. If this feature were
not there, anybody with an account on a system who also
found out root's password would be able
to gain superuser level access to the system. With this
feature, this is not strictly true; &man.su.1; will prevent
them from even trying to enter the password if they are not
in wheel.To allow someone to su to
root, simply put them in the
wheel group.I made a mistake in rc.conf, or
another startup file, and now I cannot edit it because the
file system is read-only. What should I do?Restart the system using boot -s
at the loader prompt to enter Single User mode. When
prompted for a shell pathname, simply press
Enter, and run
mount -urw / to re-mount the root file
system in read/write mode. You may also need to run
mount -a -t ufs to mount the file system
where your favorite editor is defined. If your favorite
editor is on a network file system, you will need to either
configure the network manually before you can mount network
file systems, or use an editor which resides on a local file
system, such as &man.ed.1;.If you intend to use a full screen editor such as
&man.vi.1; or &man.emacs.1;, you may also need to run
export TERM=cons25 so that these editors
can load the correct data from the &man.termcap.5;
database.Once you have performed these steps, you can edit
/etc/rc.conf as you usually would to
fix the syntax error. The error message displayed
immediately after the kernel boot messages should tell you
the number of the line in the file which is at fault.Why am I having trouble setting up my printer?See the Handbook entry on printing.
It should cover most of your problem.Some printers require a host-based driver to do any kind
of printing. These so-called WinPrinters are
not natively supported by &os;. If your printer does not
work in DOS or &windows;, it is probably a WinPrinter. Your
only hope of getting one of these to work is to check if the
print/pnm2ppa port
supports it.How can I correct the keyboard mappings for my
system?Please see the Handbook section on using localization,
specifically the section on console setup.
Why do I get messages like: unknown:
<PNP0303> can't assign resources on
boot?The following is an excerpt from a post to the
&a.current;.
&a.wollman;, 24 April 2001The can't assign resources messages
indicate that the devices are legacy ISA devices for which
a non-PnP-aware driver is compiled into the kernel. These
include devices such as keyboard controllers, the
programmable interrupt controller chip, and several other
bits of standard infrastructure. The resources cannot be
assigned because there is already a driver using those
addresses.
Why can I not get user quotas to work properly?It is possible that your kernel is not configured
to use quotas. If this is the case, you will need to
add the following line to your kernel configuration
file and recompile:options QUOTAPlease read the Handbook entry on quotas
for full details.Do not turn on quotas on
/.Put the quota file on the file system that the
quotas are to be enforced on, i.e.:File SystemQuota file/usr/usr/admin/quotas/home/home/admin/quotas……Does &os; support System V IPC primitives?Yes, &os; supports System V-style IPC, including shared
memory, messages and semaphores, in the
GENERIC kernel. In a custom kernel,
enable this support by adding the following lines to your
kernel config.options SYSVSHM # enable shared memory
options SYSVSEM # enable for semaphores
options SYSVMSG # enable for messagingRecompile and install your kernel.What other mail-server software can I use instead of
sendmail?The sendmail
server is the default mail-server software for &os;, but you
can easily replace it with one of the other MTA (for
instance, an MTA installed from the ports).There are various alternative MTAs in the ports tree
already, with mail/exim,
mail/postfix, mail/qmail, and mail/zmailer being some of the
most popular choices.Diversity is nice, and the fact that you have many
different mail-servers to chose from is considered a good
thing; therefore try to avoid asking questions like
Is sendmail better than
qmail? in the mailing
lists. If you do feel like asking, first check the mailing
list archives. The advantages and disadvantages of each and
every one of the available MTAs have already been discussed
a few times.I have forgotten the root password!
What do I do?Do not panic! Restart the system, type
boot -s at the
Boot: prompt to enter Single User mode.
At the question about the shell to use, hit
Enter. You will be dropped to a
&prompt.root; prompt. Enter mount -urw /
to remount your root file system read/write, then run
mount -a to remount all the file systems.
Run passwd root to change the
root password then run &man.exit.1; to
continue booting.If you are still prompted to give the
root password when entering the
Single User mode, it means that the console has been
marked as insecure in
/etc/ttys. In this case it will be
required to boot from an &os; installation disk, choose
the Fixit shell from
&man.sysinstall.8; and issue the commands mentioned
above.If you cannot mount your root partition from Single
User mode, it is possible that the partitions are
encrypted and it is impossible to mount them without the
access keys. Your chances are depending on the chosen
implementation. For more information see the section
about encrypted disks in the &os; Handbook.How do I keep ControlAltDelete
from rebooting the system?If you are using &man.syscons.4; (the default console
driver) build and install a new kernel with the line in the
configuration file:options SC_DISABLE_REBOOTThis can also be done by setting the following
&man.sysctl.8; which does not require a reboot or kernel
recompile:&prompt.root; sysctl hw.syscons.kbd_reboot=0If you use the &man.pcvt.4; console driver, use the
following kernel configuration line instead and rebuild the
kernel:options PCVT_CTRL_ALT_DELHow do I reformat DOS text files to &unix; ones?Use this &man.perl.1; command:&prompt.user; perl -i.bak -npe 's/\r\n/\n/g' file(s)where file(s) is one or more
files to process. The modification is done in-place, with the
original file stored with a .bak
extension.Alternatively you can use the &man.tr.1; command:&prompt.user; tr -d '\r' < dos-text-file > unix-filedos-text-file is the file
containing DOS text while
unix-file will contain the
converted output. This can be quite a bit faster than using
perl.Yet another way to reformat DOS text files is to use the
converters/dosunix port
from the Ports Collection. Consult its documentation about
the details.How do I kill processes by name?Use &man.killall.1;.Why is &man.su.1; bugging me about not being in
root's ACL?The error comes from the
Kerberos distributed authentication
system. The problem is not fatal but annoying. You can
either run su with the option, or
uninstall Kerberos as described
in the next question.How do I uninstall
Kerberos?To remove Kerberos from the
system, reinstall the base distribution
for the release you are running. If you have the CD-ROM,
you can mount the it (we will assume on /cdrom) and run the commands
below:&prompt.root; cd /cdrom/base
&prompt.root; ./install.shAlternately, you can include the
NO_KERBEROS option in your
/etc/make.conf and rebuild
world.What happened to
/dev/MAKEDEV?&os; 5.X and beyond use
the &man.devfs.8; device-on-demand system. Device drivers
automatically create new device nodes as they are needed,
obsoleting /dev/MAKEDEV.How do I add pseudoterminals to the system?If you have a lot of telnet,
ssh, X, or screen
users, you might run out of pseudoterminals. By default,
&os; 6.2 and earlier support 256 pseudoterminals, while
&os; 6.3 and later support 512 pseudoterminals.If needed, more pseudoterminals can be added.
However, this requires patching the standard C library,
the kernel, and /etc/ttys. For
example,
expands the number of pseudoterminals to 1152. Note that
the patch will only apply cleanly to &os; 6.3 or
later.How do I re-read /etc/rc.conf and
re-start /etc/rc without a
reboot?Go into single user mode and then back to multi user
mode.On the console do:&prompt.root; shutdown now
(Note: without -r or -h)
&prompt.root; return
&prompt.root; exitI tried to update my system to the latest
-STABLE, but got
-BETAx,
-RC or
-PRERELEASE! What is going on?Short answer: it is just a name.
RC stands for Release
Candidate. It signifies that a release is imminent.
In &os;, -PRERELEASE is typically
synonymous with the code freeze before a release. (For some
releases, the -BETA label was used in
the same way as -PRERELEASE.)Long answer: &os; derives its releases from one of two
places. Major, dot-zero, releases, such as 6.0-RELEASE and
7.0-RELEASE, are branched from the head of the development
stream, commonly referred to as -CURRENT. Minor releases, such as
6.3-RELEASE or 5.2-RELEASE, have been snapshots of the
active -STABLE branch.
Starting with 4.3-RELEASE, each release also now has its own
branch which can be tracked by people requiring an extremely
conservative rate of development (typically only security
advisories).When a release is about to be made, the branch from
which it will be derived from has to undergo a certain
process. Part of this process is a code freeze. When a
code freeze is initiated, the name of the branch is changed
to reflect that it is about to become a release. For
example, if the branch used to be called 6.2-STABLE, its
name will be changed to 6.3-PRERELEASE to signify the code
freeze and signify that extra pre-release testing should be
happening. Bug fixes can still be committed to be part of
the release. When the source code is in shape for the
release the name will be changed to 6.3-RC to signify that a
release is about to be made from it. Once in the RC stage,
only the most critical bugs found can be fixed. Once the
release (6.3-RELEASE in this example) and release branch
have been made, the branch will be renamed to
6.3-STABLE.For more information on version numbers and the various
CVS branches, refer to the Release Engineering
article.I tried to install a new kernel, and the &man.chflags.1;
failed. How do I get around this?Short answer: You are probably at security level greater
than 0. Reboot directly to Single User mode to install the
kernel.Long answer: &os; disallows changing system flags at
security levels greater than 0. You can check your security
level with the command:&prompt.root; sysctl kern.securelevelYou cannot lower the security level; you have to boot to
Single Mode to install the kernel, or change the security
level in /etc/rc.conf then reboot. See
the &man.init.8; manual page for details on
securelevel, and see
/etc/defaults/rc.conf and the
&man.rc.conf.5; manual page for more information on
rc.conf.I cannot change the time on my system by more than one
second! How do I get around this?Short answer: You are probably at security level greater
than 1. Reboot directly to Single User mode to change the
date.Long answer: &os; disallows changing the time by more
that one second at security levels greater than 1. You can
check your security level with the command:&prompt.root; sysctl kern.securelevelYou cannot lower the security level; you have to boot to
Single User mode to change the date, or change the security
level in /etc/rc.conf then reboot. See
the &man.init.8; manual page for details on
securelevel, and see
/etc/defaults/rc.conf and the
&man.rc.conf.5; manual page for more information on
rc.conf.Why is rpc.statd using 256 MB of
memory?No, there is no memory leak, and it is not using
256 MB of memory. For convenience,
rpc.statd maps an obscene amount of
memory into its address space. There is nothing terribly
wrong with this from a technical standpoint; it just throws
off things like &man.top.1; and &man.ps.1;.&man.rpc.statd.8; maps its status file (resident on
/var) into its address space; to save
worrying about remapping it later when it needs to grow, it
maps it with a generous size. This is very evident from the
source code, where one can see that the length argument to
&man.mmap.2; is 0x10000000, or one
sixteenth of the address space on an IA32, or exactly
256 MB.Why can I not unset the schg file
flag?You are running at an elevated (i.e., greater than 0)
securelevel. Lower the securelevel and try again. For more
information, see the FAQ entry
on securelevel and the &man.init.8; manual
page.Why does SSH authentication
through .shosts not work by default in
recent versions of &os;?The reason why .shosts
authentication does not work by default in more recent
versions of &os; is because &man.ssh.1; is not installed
suid root by default. To
fix this, you can do one of the
following:As a permanent fix, set
ENABLE_SUID_SSH to
true in
/etc/make.conf then rebuild and
install &man.ssh.1; (or run
make world).
As a temporary fix, change the mode on
/usr/bin/ssh to
4555 by running
chmod 4555 /usr/bin/ssh as
root. Then add
ENABLE_SUID_SSH= true
to /etc/make.conf so
the change takes effect the next time
make world
is run.What is vnlru?vnlru flushes and frees vnodes when
the system hits the kern.maxvnodes limit.
This kernel thread sits mostly idle, and only activates if
you have a huge amount of RAM and are accessing tens of
thousands of tiny files.What do the various memory states displayed by
top mean?Active: pages recently
statistically used.Inactive: pages recently
statistically unused.Cache: (most often) pages that
have percolated from inactive to a status where they
maintain their data, but can often be immediately reused
(either with their old association, or reused with a new
association.) There can be certain immediate transitions
from active to
cache state if the page is known to
be clean (unmodified), but that transition is a matter
of policy, depending upon the algorithm choice of the VM
system maintainer.Free: pages without data content,
and can be immediately used in certain circumstances
where cache pages might be ineligible. Free pages can
be reused at interrupt or process
state.Wired: pages that are fixed into
memory, usually for kernel purposes, but also sometimes
for special use in processes.Pages are most often written to disk (sort of a VM sync)
when they are in the inactive state, but active pages can
also be synced. This depends upon the CPU tracking of the
modified bit being available, and in certain situations
there can be an advantage for a block of VM pages to be
synced, whether they are active or inactive. In most common
cases, it is best to think of the inactive queue to be a
queue of relatively unused pages that might or might not be
in the process of being written to disk. Cached pages are
already synced, not mapped, but available for immediate
process use with their old association or with a new
association. Free pages are available at interrupt level,
but cached or free pages can be used at process state for
reuse. Cache pages are not adequately locked to be
available at interrupt level.There are some other flags (e.g., busy flag or busy
count) that might modify some of the described rules.How much free memory is available?There are a couple of kinds of free
memory. One kind is the amount of memory
immediately available without paging anything else out.
That is approximately the size of cache queue + size of free
queue (with a derating factor, depending upon system
tuning.) Another kind of free memory is the
total amount of VM space. That can be
complex, but is dependent upon the amount of swap space and
memory. Other kinds of free memory
descriptions are also possible, but it is relatively useless
to define these, but rather it is important to make sure
that the paging rate is kept low, and to avoid running out
of swap space.What is /var/empty? I can not
delete it!/var/empty is a directory that the
&man.sshd.8; program uses when performing privilege separation.
The /var/empty directory is empty, owned by
root and has the schg
flag set.Although it is not recommended to delete this directory, to
do so you will need to unset the schg flag
first. See the &man.chflags.1; manual page for more information
(and bear in mind the answer to
the question on unsetting the schg flag).
The X Window System and Virtual ConsolesWhat is the X Window System?The X Window System (commonly X11) is
the most widely available windowing system capable of running
on &unix; or &unix; like systems, including &os;.
The X.Org Foundation
administers the X protocol standards,
with the current reference implementation, version 11
release &xorg.version;, so you will often see references
shortened to X11.Many implementations are available for different
architectures and operating systems. An implementation of
the server-side code is properly known as an X
server.Which X implementations are available for &os;?Historically, the default implementation of X on &os;
has been &xfree86; which is maintained by The XFree86 Project, Inc.
This software was installed by default on &os; versions up
until 4.10 and 5.2. Although &xorg; itself maintained an
implementation during that time period, it was basically
only provided as a reference platform, as it had suffered
greatly from bitrot over the years.However, early in 2004, some XFree86 developers left
that project over issues including the pace of code changes,
future directions, and interpersonal conflicts, and are now
contributing code directly to &xorg; instead. At that time,
&xorg; updated its source tree to the last &xfree86; release
before its subsequent licensing change (XFree86
version 4.3.99.903), incorporated many changes
that had previously been maintained separately, and has
released that software as
X11R6.7.0. A separate but
related project, freedesktop.org
(or fd.o for short), is working on
rearchitecting the original &xfree86; code to offload more
work onto the graphics cards (with the goal of increased
performance) and make it more modular (with the goal of
increased maintainability, and thus faster releases as well
as easier configuration). &xorg; intends to incorporate the
freedesktop.org changes in its future
releases.As of July 2004, in &os.current;,
&xfree86; has been replaced with &xorg; as the default
implementation. Since then the default X11 implementation
in &os; is &xorg;.For further information, read the X11 section of
the &os; Handbook.Why did the X projects split, anyway?The answer to this question is outside the scope of this
FAQ. Note that there are voluminous postings in various
mailing list archives on the Internet; please use your
favorite search engine to investigate the history instead of
asking this question on the &os; mailing lists. It may even
be the case that only the participants will ever know for
certain.Why did &os; choose to go with the &xorg; ports by
default?The &xorg; developers claimed that their goal is to
release more often and incorporate new features more
quickly. If they are able to do so, this will be very
attractive. Also, their software still uses the traditional
X license, while &xfree86; is using their modified
one.I want to run X, how do I go about it?If you would like to add X to an existing installation,
you should use either the x11/xorg meta-port, which will
build and install all the necessary components, or install
&xorg; from &os; packages:&prompt.root; pkg_add -r xorgIt is also possible to install &xorg; from
&man.sysinstall.8; by choosing
Configure, then
Distributions, then
The X.Org Distribution.After the installation of &xorg; was successful, follow
the instructions from &man.xorgconfig.1;. It will assists
you in configuring &xorg; for your particular graphics
card/mouse/etc. You may also wish to examine the
&man.xorgcfg.1; tool, which provides a graphical interface
to the X configuration process.For further information, read the X11 section of
the &os; Handbook.I tried to run X, but I get an
KDENABIO failed (Operation not
permitted) error when I type
startx. What do I do now?Your system is probably running at a raised
securelevel. It is not possible to start X
at a raised securelevel because X
requires write access to &man.io.4;. For more information,
see at the &man.init.8; manual page.So the question is what else you should do instead, and
you basically have two choices: set your
securelevel back down to zero (usually
from /etc/rc.conf), or run &man.xdm.1;
at boot time (before the securelevel is
raised).See for more information about
running &man.xdm.1; at boot time.Why does my mouse not work with X?If you are using &man.syscons.4; (the default console
driver), you can configure &os; to support a mouse pointer on
each virtual screen. In order to avoid conflicting with X,
&man.syscons.4; supports a virtual device called
/dev/sysmouse. All mouse events
received from the real mouse device are written to the
&man.sysmouse.4; device via &man.moused.8;. If you wish to
use your mouse on one or more virtual consoles,
and use X, see and set up
moused.Then edit /etc/X11/xorg.conf and
make sure you have the following lines:Section "InputDevice"
Option "Protocol" "SysMouse"
Option "Device" "/dev/sysmouse"
.....Some people prefer to use
/dev/mouse under X. To make this
work, /dev/mouse should be linked
to /dev/sysmouse (see
&man.sysmouse.4;) by adding the following line to
/etc/devfs.conf (see
&man.devfs.conf.5;):link sysmouse mouseThis link can be created by restarting &man.devfs.5;
with the following command (as
root):&prompt.root; /etc/rc.d/devfs restartMy mouse has a fancy wheel. Can I use it in X?Yes.You need to tell X that you have a 5 button mouse. To
do this, simply add the lines Buttons 5
and ZAxisMapping 4 5 to the
InputDevice section of
/etc/X11/xorg.conf. For example, you
might have the following InputDevice section
in /etc/X11/xorg.conf.InputDevice Section for Wheeled Mouse
in &xorg; configuration fileSection "InputDevice"
Identifier "Mouse1"
Driver "mouse"
Option "Protocol" "auto"
Option "Device" "/dev/sysmouse"
Option "Buttons" "5"
Option "ZAxisMapping" "4 5"
EndSection.emacs example for naive page
scrolling with Wheeled Mouse (optional);; wheel mouse
(global-set-key [mouse-4] 'scroll-down)
(global-set-key [mouse-5] 'scroll-up)How do I use remote X displays?For security reasons, the default setting is to not
allow a machine to remotely open a window.To enable this feature, simply start
X with the optional
argument:&prompt.user; startx -listen_tcpWhat is a virtual console and how do I make more?Virtual consoles, put simply, enable you to have several
simultaneous sessions on the same machine without doing
anything complicated like setting up a network or running
X.When the system starts, it will display a login prompt
on the monitor after displaying all the boot messages. You
can then type in your login name and password and start
working (or playing!) on the first virtual console.At some point, you will probably wish to start another
session, perhaps to look at documentation for a program you
are running or to read your mail while waiting for an FTP
transfer to finish. Just do AltF2
(hold down the Alt key and press the
F2 key), and you will find a login prompt
waiting for you on the second virtual
console! When you want to go back to the original
session, do AltF1.
The default &os; installation has eight virtual consoles
enabled. AltF1,
AltF2,
AltF3,
and so on will switch between these virtual consoles.To enable more of them, edit
/etc/ttys (see &man.ttys.5;) and add
entries for ttyv8 to
ttyvc after the comment on
Virtual terminals:# Edit the existing entry for ttyv8 in /etc/ttys and change
# "off" to "on".
ttyv8 "/usr/libexec/getty Pc" cons25 on secure
ttyv9 "/usr/libexec/getty Pc" cons25 on secure
ttyva "/usr/libexec/getty Pc" cons25 on secure
ttyvb "/usr/libexec/getty Pc" cons25 on secureUse as many or as few as you want. The more virtual
terminals you have, the more resources that are used; this
can be important if you have 8 MB RAM or less. You may
also want to change the secure to
insecure.If you want to run an X server you
must leave at least one virtual
terminal unused (or turned off) for it to use. That is to
say that if you want to have a login prompt pop up for all
twelve of your Alt-function keys, you are out of luck
— you can only do this for eleven of them if you
also want to run an X server on the same machine.The easiest way to disable a console is by turning it
off. For example, if you had the full 12 terminal
allocation mentioned above and you wanted to run X, you
would change settings for virtual terminal 12 from:ttyvb "/usr/libexec/getty Pc" cons25 on secureto:ttyvb "/usr/libexec/getty Pc" cons25 off secureIf your keyboard has only ten function keys, you would
end up with:ttyv9 "/usr/libexec/getty Pc" cons25 off secure
ttyva "/usr/libexec/getty Pc" cons25 off secure
ttyvb "/usr/libexec/getty Pc" cons25 off secure(You could also just delete these lines.)Next, the easiest (and cleanest) way to activate the
virtual consoles is to reboot. However, if you really do
not want to reboot, you can just shut down the X Window
system and execute (as root):&prompt.root; kill -HUP 1It is imperative that you completely shut down X Window
if it is running, before running this command. If you do not,
your system will probably appear to hang or lock up after
executing the kill command.How do I access the virtual consoles from X?Use CtrlAltFn
to switch back to a virtual console. CtrlAltF1
would return you to the first virtual console.Once you are back to a text console, you can then use
AltFn
as normal to move between them.To return to the X session, you must switch to the
virtual console running X. If you invoked X from the
command line, (e.g., using startx) then
the X session will attach to the next unused virtual
console, not the text console from which it was invoked. If
you have eight active virtual terminals then X will be
running on the ninth, and you would use AltF9
to return.How do I start XDM on
boot?There are two schools of thought on how to start
&man.xdm.1;. One school starts xdm from
/etc/ttys (see &man.ttys.5;) using the
supplied example, while the other simply runs
xdm from from
rc.local (see &man.rc.8;) or from an
X script in
/usr/local/etc/rc.d. Both are equally
valid, and one may work in situations where the other does
not. In both cases the result is the same: X will pop up a
graphical login prompt.The &man.ttys.5; method has the advantage of documenting
which vty X will start on and passing the responsibility of
restarting the X server on logout to &man.init.8;. The
&man.rc.8; method makes it easy to killxdm if there is a problem starting the X
server.If loaded from &man.rc.8;, xdm should
be started without any arguments (i.e., as a daemon). The
xdm command must start
after &man.getty.8; runs, or else
getty and xdm will
conflict, locking out the console. The best way around this
is to have the script sleep 10 seconds or so then launch
xdm.If you are to start xdm from
/etc/ttys, there still is a chance of
conflict between xdm and &man.getty.8;.
One way to avoid this is to add the vt
number in the
/usr/local/lib/X11/xdm/Xservers
file::0 local /usr/local/bin/X vt4The above example will direct the X server to run in
/dev/ttyv3. Note the number is
offset by one. The X server counts the vty from one,
whereas the &os; kernel numbers the vty from zero.Why do I get Couldn't open
console when I run
xconsole?If you start X with
startx, the permissions on
/dev/console will
not get changed, resulting in things
like xterm -C and
xconsole not working.This is because of the way console permissions are set
by default. On a multi-user system, one does not
necessarily want just any user to be able to write on the
system console. For users who are logging directly onto a
machine with a VTY, the &man.fbtab.5; file exists to solve
such problems.In a nutshell, make sure an uncommented line of the form
is in /etc/fbtab (see
&man.fbtab.5;):/dev/ttyv0 0600 /dev/consoleIt will ensure that whomever logs in on
/dev/ttyv0 will own the
console.Before, I was able to run &xfree86; as a regular user.
Why does it now say that I must be
root?All X servers need to be run as
root in order to get direct access to
your video hardware. Older versions of &xfree86; (<=
3.3.6) installed all bundled servers to be automatically run
as root (setuid to
root). This is obviously a security
hazard because X servers are large, complicated programs.
Newer versions of &xfree86; do not install the servers
setuid to root for just this
reason.Obviously, running an X server as the
root user is not acceptable, nor a good
idea security-wise. There are two ways to be able to use X
as a regular user. The first is to use
xdm or another display manager (e.g.,
kdm); the second is to use the
Xwrapper.xdm is a daemon that handles
graphical logins. It is usually started at boot time, and is
responsible for authenticating users and starting their
sessions; it is essentially the graphical counterpart of
&man.getty.8; and &man.login.1;. For more information on
xdm see the &xfree86; documentation,
and the the FAQ entry on it.Xwrapper is the X server wrapper; it
is a small utility to enable one to manually run an X server
while maintaining reasonable safety. It performs some
sanity checks on the command line arguments given, and if
they pass, runs the appropriate X server. If you do not
want to run a display manager for whatever reason, this is
for you. If you have installed the complete Ports
Collection, you can find the port in x11/wrapper.Why does my PS/2 mouse misbehave under X?Your mouse and the mouse driver may have somewhat become
out of synchronization. In rare cases the driver may erroneously report
synchronization problem and you may see the kernel
message:psmintr: out of sync (xxxx != yyyy)and notice that your mouse does not work
properly.If this happens, disable the synchronization check code
by setting the driver flags for the PS/2 mouse driver to
0x100. Enter
UserConfig by giving the
option at the boot prompt:boot: -cThen, in the UserConfig command
line, type:UserConfig> flags psm0 0x100
UserConfig> quitWhy does my PS/2 mouse from MouseSystems not
work?There have been some reports that certain model of PS/2
mouse from MouseSystems works only if it is put into the
high resolution mode. Otherwise, the mouse
cursor may jump to the upper-left corner of the screen every
so often.Specify the flags 0x04 to the PS/2
mouse driver to put the mouse into the high resolution mode.
Enter UserConfig by giving the
option at the boot prompt:boot: -cThen, in the UserConfig command
line, type:UserConfig> flags psm0 0x04
UserConfig> quitSee the previous section for another possible cause of
mouse problems.How do I reverse the mouse buttons?Run the command xmodmap -e "pointer = 3 2 1"
from your .xinitrc or
.xsession.How do I install a splash screen and where do I find
them?&os; have a feature to allow the display of
splash screens during the boot messages. The
splash screens currently must be a 256 color bitmap
(*.BMP) or ZSoft PCX
(*.PCX) file. In addition, they must
have a resolution of 320x200 or less to work on standard VGA
adapters. If you compile VESA support into your kernel,
then you can use larger bitmaps up to 1024x768. The actual
VESA support can either be compiled directly into the kernel
with the VESA kernel config option or by
loading the VESA kld module during bootup.To use a splash screen, you need to modify the startup
files that control the boot process for &os;.You need to create a
/boot/loader.rc file that contains the
following lines:include /boot/loader.4th
startand a /boot/loader.conf that
contains the following:splash_bmp_load="YES"
bitmap_load="YES"This assumes you are using
/boot/splash.bmp for your splash
screen. If you would rather use a PCX file, copy it to
/boot/splash.pcx, create a
/boot/loader.rc as instructed above,
and create a /boot/loader.conf that
contains:splash_pcx_load="YES"
bitmap_load="YES"
bitmap_name="/boot/splash.pcx"Now all you need is a splash screen. For that you can
surf on over to the gallery at .Can I use the Windows keys on my
keyboard in X?Yes. All you need to do is use &man.xmodmap.1; to
define what function you wish them to perform.Assuming all Windows keyboards are
standard then the keycodes for these three keys are the
following:115 —
Windows key, between the left-hand
Ctrl and Alt
keys116 —
Windows key, to the right of the
AltGr key117 — Menu
key, to the left of the right-hand Ctrl
keyTo have the left Windows key print a
comma, try this.&prompt.root; xmodmap -e "keycode 115 = comma"You will probably have to re-start your window manager
to see the result.To have the Windows key-mappings
enabled automatically every time you start X either put the
xmodmap commands in your
~/.xinitrc file or, preferably, create
a file ~/.xmodmaprc and include the
xmodmap options, one per line, then add
the following line to your
~/.xinitrc:xmodmap $HOME/.xmodmaprcFor example, you could map the 3 keys to be
F13, F14, and
F15, respectively. This would make it easy
to map them to useful functions within applications or your
window manager, as demonstrated further down.To do this put the following in
~/.xmodmaprc.keycode 115 = F13
keycode 116 = F14
keycode 117 = F15If you use the x11-wm/fvwm2 port, for example,
you could map the keys so that F13
iconifies (or de-iconifies) the window the cursor is in,
F14 brings the window the cursor is in to
the front or, if it is already at the front, pushes it to
the back, and F15 pops up the main
Workplace (application) menu even if the cursor is not on
the desktop, which is useful if you do not have any part of
the desktop visible (and the logo on the key matches its
functionality).The following entries in ~/.fvwmrc
implement the aforementioned setup:Key F13 FTIWS A Iconify
Key F14 FTIWS A RaiseLower
Key F15 A A Menu Workplace NopHow can I get 3D hardware acceleration for
&opengl;?The availability of 3D acceleration depends on the
version of &xorg; that you are using and the type of video
chip you have. If you have an nVidia chip, you can use the
binary drivers provided for &os; by installing one of the
following ports:The latest versions of nVidia cards are supported by
the x11/nvidia-driver
port.nVidia cards like the GeForce2 MX/3/4 series
are supported by the 96XX series of drivers, available
in the x11/nvidia-driver-96xx
port.Even older cards, like GeForce and RIVA TNT are
supported by the 71XX series of drivers, available in
the x11/nvidia-driver-71xx
port.In fact, nVidia provides detailed information on which
card is supported by which driver. This information is
available directly on their web site: .
For Matrox G200/G400, you should check the
x11-servers/mga_hal
port.For ATI Rage 128 and Radeon, see the
&man.ati.4x;, &man.r128.4x; and &man.radeon.4x; manual
pages.For 3dfx Voodoo 3, 4, 5, and Banshee cards, there
is a x11-servers/driglide
port.NetworkingWhere can I get information on diskless
booting?Diskless booting means that the &os;
box is booted over a network, and reads the necessary
files from a server instead of its hard disk. For full
details, please read the Handbook entry on diskless bootingCan a &os; box be used as a dedicated network
router?Yes. Please see the Handbook entry on advanced networking,
specifically the section on routing and gateways.
Can I connect my &windows; box to the Internet via
&os;?Typically, people who ask this question have two PCs at
home, one with &os; and one with some version of &windows;
the idea is to use the &os; box to connect to the Internet
and then be able to access the Internet from the &windows;
box through the &os; box. This is really just a special
case of the previous question and works perfectly
well.If you are using dialup to connect to the Internet
user-mode &man.ppp.8; contains a
option. If you run &man.ppp.8; with the
option, set
gateway_enable to
YES in
/etc/rc.conf, and configure your
&windows; machine correctly, this should work fine. For
more information, please see the &man.ppp.8; manual page or
the Handbook entry on user PPP.
If you are using kernel-mode PPP or have an Ethernet
connection to the Internet, you need to use &man.natd.8;.
Please look at the natd
section of the Handbook for a tutorial.Does &os; support SLIP and PPP?Yes. See the manual pages for &man.slattach.8;,
&man.sliplogin.8;, &man.ppp.8;, and &man.pppd.8;.
&man.ppp.8; and &man.pppd.8; provide support for both
incoming and outgoing connections, while &man.sliplogin.8;
deals exclusively with incoming connections, and
&man.slattach.8; deals exclusively with outgoing
connections.For more information on how to use these, please see the
Handbook chapter on PPP and SLIP.
If you only have access to the Internet through a
shell account, you may want to have a look at
the net/slirp package.
It can provide you with (limited) access to services such as
ftp and http direct from your local machine.Does &os; support NAT or Masquerading?Yes. If you want to use NAT over a user PPP connection,
please see the Handbook entry on user PPP.
If you want to use NAT over some other sort of network
connection, please look at the natd
section of the Handbook.How do I connect two &os; systems over a parallel line
using PLIP?Please see the PLIP section
of the Handbook.How can I set up Ethernet aliases?If the alias is on the same subnet as an address already
configured on the interface, then add netmask
0xffffffff to your &man.ifconfig.8; command-line,
as in the following:&prompt.root; ifconfig ed0 alias 192.0.2.2 netmask 0xffffffffOtherwise, just specify the network address and netmask
as usual:&prompt.root; ifconfig ed0 alias 172.16.141.5 netmask 0xffffff00You can read more about this in the &os; Handbook.
How do I get my 3C503 to use the other network
port?If you want to use the other ports, you will have to
specify an additional parameter on the &man.ifconfig.8;
command line. The default port is link0.
To use the AUI port instead of the BNC one, use
link2. These flags should be specified
using the ifconfig_* variables in
/etc/rc.conf (see
&man.rc.conf.5;).Why am I having trouble with NFS and &os;?Certain PC network cards are better than others (to put
it mildly) and can sometimes cause problems with network
intensive applications like NFS.See the Handbook entry on NFS
for more information on this topic.Why can I not NFS-mount from a &linux; box?Some versions of the &linux; NFS code only accept mount
requests from a privileged port; try to issue the following
command:&prompt.root; mount -o -P linuxbox:/blah/mntWhy can I not NFS-mount from a &sun; box?&sun; workstations running
&sunos; 4.X only accept
mount requests from a privileged port; try the following
command:&prompt.root; mount -o -P sunbox:/blah/mntWhy does mountd keep telling me it
can't change attributes and that I
have a bad exports list on my &os;
NFS server?The most frequent problem is not understanding the
correct format of /etc/exports. Please
review &man.exports.5; and the NFS
entry in the Handbook, especially the section on configuring NFS.
Why am I having problems talking PPP to NeXTStep
machines?Try disabling the TCP extensions in
/etc/rc.conf (see &man.rc.conf.5;) by
changing the following variable to
NO:tcp_extensions=NOXylogic's Annex boxes are also broken in this regard and
you must use the above change to connect through
them.How do I enable IP multicast support?&os; supports multicast host operations by default. If
you want your box to run as a multicast router, you need to
recompile your kernel with the MROUTING
option and run &man.mrouted.8;. &os; will start
&man.mrouted.8; at boot time if the flag
mrouted_enable is set to
YES in
/etc/rc.conf.In recent &os; releases, the &man.mrouted.8; multicast
routing daemon, the &man.map-mbone.8; and &man.mrinfo.8;
utilities have been removed from the base system. These
programs are now available in the &os; Ports Collection as
net/mrouted.MBONE tools are available in their own ports category,
mbone.
If you are looking for the conference tools
vic and vat, look
there!Which network cards are based on the DEC PCI
chipset?Here is a list compiled by Glen Foster
gfoster@driver.nsta.org, with some more
modern additions:
Network cards based on the DEC PCI chipsetVendorModelASUSPCI-L101-TBAcctonENI1203CogentEM960PCICompexENET32-PCID-LinkDE-530DaynaDP1203, DP2100DECDE435, DE450DanpexEN-9400P3JCISCondor JC1260LinksysEtherPCIMylexLNP101SMCEtherPower 10/100 (Model 9332)SMCEtherPower (Model 8432)TopWareTE-3500PZnyx (2.2.x)ZX312, ZX314, ZX342, ZX345, ZX346,
ZX348Znyx (3.x)ZX345Q, ZX346Q, ZX348Q, ZX412Q, ZX414, ZX442,
ZX444, ZX474, ZX478, ZX212, ZX214 (10mbps/hd)
Why do I have to use the FQDN for hosts on my
site?See the answer in the &os; Handbook.
Why do I get an error, Permission
denied, for all networking operations?If you have compiled your kernel with the
IPFIREWALL option, you need to be aware
that the default policy is to deny all packets that are not
explicitly allowed.If you had unintentionally misconfigured your system for
firewalling, you can restore network operability by typing
the following while logged in as
root:&prompt.root; ipfw add 65534 allow all from any to anyYou can also set firewall_type="open"
in /etc/rc.conf.For further information on configuring a &os; firewall,
see the Handbook chapter.
Why is my ipfwfwd
rule to redirect a service to another machine not
working?Possibly because you want to do network address
translation (NAT) and not just forward packets. A
fwd rule does exactly what it says; it
forwards packets. It does not actually change the data
inside the packet. Say we have a rule like:01000 fwd 10.0.0.1 from any to foo 21When a packet with a destination address of
foo arrives at the machine with
this rule, the packet is forwarded to
10.0.0.1, but it still has the
destination address of foo! The
destination address of the packet is
not changed to
10.0.0.1. Most machines would
probably drop a packet that they receive with a destination
address that is not their own. Therefore, using a
fwd rule does not often work the way the user
expects. This behavior is a feature and not a bug.See the FAQ about redirecting services,
the &man.natd.8; manual, or one of the several port
redirecting utilities in the Ports Collection
for a correct way to do this.How can I redirect service requests from one machine to
another?You can redirect FTP (and other service) request with
the sysutils/socket
port. Simply replace the service's command line to call
socket instead, like so:ftp stream tcp nowait nobody /usr/local/bin/socket socket ftp.example.comftpwhere ftp.example.com and
ftp are the host and port to
redirect to, respectively.Where can I get a bandwidth management tool?There are three bandwidth management tools available for
&os;. &man.dummynet.4; is integrated into &os; as part of
&man.ipfw.4;. ALTQ
has been integrated into &os; as part of &man.pf.4;.
Bandwidth Manager from Emerging Technologies
is a commercial product.Why do I get /dev/bpf0: device not
configured?You are running a program that requires the Berkeley
Packet Filter (&man.bpf.4;), but it is not in your kernel.
Add this to your kernel config file and build a new
kernel:device bpf # Berkeley Packet FilterHow do I mount a disk from a &windows; machine that is
on my network, like smbmount in &linux;?Use the SMBFS toolset. It
includes a set of kernel modifications and a set of userland
programs. The programs and information are available as
&man.mount.smbfs.8; in the base system.What are these messages about: Limiting
icmp/open port/closed port response in my log
files?This is the kernel telling you that some activity is
provoking it to send more ICMP or TCP reset (RST) responses
than it thinks it should. ICMP responses are often
generated as a result of attempted connections to unused UDP
ports. TCP resets are generated as a result of attempted
connections to unopened TCP ports. Among others, these are
the kinds of activities which may cause these
messages:Brute-force denial of service (DoS) attacks (as
opposed to single-packet attacks which exploit a
specific vulnerability).Port scans which attempt to connect to a large
number of ports (as opposed to only trying a few
well-known ports).The first number in the message tells you how many
packets the kernel would have sent if the limit was not in
place, and the second number tells you the limit. You can
control the limit using the
net.inet.icmp.icmplim sysctl variable
like this, where 300 is the limit in
packets per second:&prompt.root; sysctl -w net.inet.icmp.icmplim=300If you do not want to see messages about this in your
log files, but you still want the kernel to do response
limiting, you can use the
net.inet.icmp.icmplim_output sysctl
variable to disable the output like this:&prompt.root; sysctl -w net.inet.icmp.icmplim_output=0Finally, if you want to disable response limiting, you
can set the net.inet.icmp.icmplim sysctl
variable (see above for an example) to 0.
Disabling response limiting is discouraged for the reasons
listed above.What are these arp: unknown hardware address
format error messages?This means that some device on your local Ethernet is
using a MAC address in a format that &os; does not
recognize. This is probably caused by someone experimenting
with an Ethernet card somewhere else on the network. You
will see this most commonly on cable modem networks. It is
harmless, and should not affect the performance of your &os;
machine.Why do I keep seeing messages like: 192.168.0.10 is on
fxp1 but got reply from 00:15:17:67:cf:82 on rl0, and how do I
disable it?Because a packet is coming from outside the network
unexpectedly. To disable them, set
net.link.ether.inet.log_arp_wrong_iface
to 0.I have just installed CVSup
but trying to execute it produces errors. What is
wrong?First, see if the error message you are receiving is
like the one shown below./usr/libexec/ld-elf.so.1: Shared object "libXaw.so.6" not foundErrors like these are caused by installing the net/cvsup port on a machine which
does not have the &xorg; suite.
If you want to use the GUI included with
CVSup you will need to install
&xorg; now. Alternatively if you
just wish to use CVSup from a
command line you should delete the package previously
installed. Then install the net/cvsup-without-gui or the
net/csup port. If you
have a recent &os; release you may use &man.csup.1;. This
is covered in more detail in the CVSup section
of the Handbook.SecurityWhat is a sandbox?Sandbox is a security term. It can mean
two things:A process which is placed inside a set of virtual
walls that are designed to prevent someone who breaks
into the process from being able to break into the wider
system.The process is said to be able to
play inside the walls. That is, nothing
the process does in regards to executing code is
supposed to be able to breech the walls so you do not
have to do a detailed audit of its code to be able to
say certain things about its security.The walls might be a user ID, for example.
This is the definition used in the &man.security.7; and
&man.named.8; man pages.Take the ntalk service, for
example (see &man.inetd.8;). This service used to run
as user ID root. Now it runs
as user ID tty. The
tty user is a sandbox designed to
make it more difficult for someone who has successfully
hacked into the system via ntalk from
being able to hack beyond that user ID.A process which is placed inside a simulation of the
machine. This is more hard-core. Basically it means
that someone who is able to break into the process may
believe that he can break into the wider machine but is,
in fact, only breaking into a simulation of that machine
and not modifying any real data.The most common way to accomplish this is to build a
simulated environment in a subdirectory and then run the
processes in that directory chroot'd (i.e. / for that process is this
directory, not the real / of the system).Another common use is to mount an underlying file
system read-only and then create a file system layer on
top of it that gives a process a seemingly writeable
view into that file system. The process may believe it
is able to write to those files, but only the process
sees the effects — other processes in the system
do not, necessarily.An attempt is made to make this sort of sandbox so
transparent that the user (or hacker) does not realize
that he is sitting in it.&unix; implements two core sandboxes. One is at the
process level, and one is at the userid level.Every &unix; process is completely firewalled off from
every other &unix; process. One process cannot modify the
address space of another. This is unlike &windows; where a
process can easily overwrite the address space of any other,
leading to a crash.A &unix; process is owned by a particular userid. If
the user ID is not the root user,
it serves to firewall the process off from processes owned
by other users. The user ID is also used to firewall
off on-disk data.What is securelevel?The securelevel is a security mechanism implemented in
the kernel. Basically, when the securelevel is positive, the
kernel restricts certain tasks; not even the superuser
(i.e., root) is allowed to do them. At
the time of this writing, the securelevel mechanism is
capable of, among other things, limiting the ability
to:Unset certain file flags, such as
schg (the system immutable
flag).Write to kernel memory via
/dev/mem and
/dev/kmem.Load kernel modules.Alter firewall rules.To check the status of the securelevel on a running
system, simply execute the following command:&prompt.root; sysctl kern.securelevelThe output will contain the name of the &man.sysctl.8;
variable (in this case, kern.securelevel)
and a number. The latter is the current value of the
securelevel. If it is positive (i.e., greater than 0), at
least some of the securelevel's protections are
enabled.You cannot lower the securelevel of a running system;
being able to do that would defeat its purpose. If you need
to do a task that requires that the securelevel be
non-positive (e.g., an installworld
or changing the date), you will have to change the
securelevel setting in /etc/rc.conf
(you want to look for the
kern_securelevel and
kern_securelevel_enable variables) and
reboot.For more information on securelevel and the specific
things all the levels do, please consult the &man.init.8;
manual page.Securelevel is not a silver bullet; it has many known
deficiencies. More often than not, it provides a false
sense of security.One of its biggest problems is that in order for it to
be at all effective, all files used in the boot process up
until the securelevel is set must be protected. If an
attacker can get the system to execute their code prior to
the securelevel being set (which happens quite late in the
boot process since some things the system must do at
start-up cannot be done at an elevated securelevel), its
protections are invalidated. While this task of
protecting all files used in the boot process is not
technically impossible, if it is achieved, system
maintenance will become a nightmare since one would have
to take the system down, at least to single-user mode, to
modify a configuration file.This point and others are often discussed on the
mailing lists, particularly the &a.security;. Please
search the archives here for an
extensive discussion. Some people are hopeful that
securelevel will soon go away in favor of a more
fine-grained mechanism, but things are still hazy in this
respect.Consider yourself warned.BIND (named) is listening on port 53
and some other high-numbered port. What is going on?BIND uses a random high-numbered port for outgoing
queries. If you want to use port 53 for outgoing queries,
either to get past a firewall or to make yourself feel
better, you can try the following in
/etc/namedb/named.conf:options {
query-source address * port 53;
};You can replace the * with a single
IP address if you want to tighten things further.Congratulations, by the way. It is good practice to
read your &man.sockstat.1; output and notice odd
things!The sendmail daemon is
listening on port 587 as well as the standard port 25! What
is going on?Recent versions of sendmail
support a mail submission feature that runs over port 587.
This is not yet widely supported, but is growing in
popularity.What is this UID 0 toor account?
Have I been compromised?Do not worry. toor is an
alternative superuser account (toor is root
spelt backwards). Previously it was created when the
&man.bash.1; shell was installed but now it is created by
default. It is intended to be used with a non-standard
shell so you do not have to change
root's default shell. This is
important as shells which are not part of the base
distribution (for example a shell installed from ports or
packages) are likely to be installed in
/usr/local/bin which, by default,
resides on a different file system. If
root's shell is located in
/usr/local/bin and
/usr (or whatever file system contains
/usr/local/bin) is not mounted for some
reason, root will not be able to log in
to fix a problem (although if you reboot into single user
mode you will be prompted for the path to a shell).Some people use toor for day-to-day
root tasks with a non-standard shell,
leaving root, with a standard shell,
for single user mode or emergencies. By default you cannot
log in using toor as it does not have a
password, so log in as root and set a
password for toor if you want to use
it.Why is suidperl not working
properly?For security reasons, suidperl is not
installed by default. If you want
suidperl to be built during upgrades from
source, edit /etc/make.conf and add
ENABLE_SUIDPERL=true
before you build perl.PPPI cannot make &man.ppp.8; work. What am I doing
wrong?You should first read the &man.ppp.8; manual page and
the PPP section of the handbook.
Enable logging with the following command:set log Phase Chat Connect Carrier lcp ipcp ccp commandThis command may be typed at the &man.ppp.8; command
prompt or it may be entered in the
/etc/ppp/ppp.conf configuration file
(the start of the default section is the
best place to put it). Make sure that
/etc/syslog.conf (see
&man.syslog.conf.5;) contains the lines below and the file
/var/log/ppp.log exists:!ppp
*.* /var/log/ppp.logYou can now find out a lot about what is going on from
the log file. Do not worry if it does not all make sense.
If you need to get help from someone, it may make sense to
them.Why does &man.ppp.8; hang when I run it?This is usually because your hostname will not resolve.
The best way to fix this is to make sure that
/etc/hosts is consulted by your
resolver first by editing
/etc/host.conf and putting the
hosts line first. Then, simply put an
entry in /etc/hosts for your local
machine. If you have no local network, change your
localhost line:127.0.0.1 foo.example.com foo localhostOtherwise, simply add another entry for your host.
Consult the relevant manual pages for more details.You should be able to successfully
ping -c1 `hostname` when you are
done.Why will &man.ppp.8; not dial in
-auto mode?First, check that you have got a default route. By
running netstat -rn (see
&man.netstat.1;), you should see two entries like
this:Destination Gateway Flags Refs Use Netif Expire
default 10.0.0.2 UGSc 0 0 tun0
10.0.0.2 10.0.0.1 UH 0 0 tun0This is assuming that you have used the addresses from
the handbook, the manual page, or from the
ppp.conf.sample file. If you do not
have a default route, it may be because you forgot to add
the HISADDR line to the
ppp.conf file.Another reason for the default route line being missing
is that you have mistakenly set up a default router in your
/etc/rc.conf (see &man.rc.conf.5;) file
and you have omitted the line below from
ppp.conf:delete ALLIf this is the case, go back to the Final System Configuration
section of the handbook.What does No route to host
mean?This error is usually due that the following section is
missing in your /etc/ppp/ppp.linkup
file:MYADDR:
delete ALL
add 0 0 HISADDRThis is only necessary if you have a dynamic IP address
or do not know the address of your gateway. If you are
using interactive mode, you can type the following after
entering packet mode (packet mode is
indicated by the capitalized PPP in the
prompt):delete ALL
add 0 0 HISADDRRefer to the PPP and Dynamic IP addresses
section of the handbook for further details.Why does my connection drop after about 3
minutes?The default PPP timeout is 3 minutes. This can be
adjusted with the following line:set timeout NNNwhere NNN is the number of
seconds of inactivity before the connection is closed. If
NNN is zero, the connection is
never closed due to a timeout. It is possible to put this
command in the ppp.conf file, or to
type it at the prompt in interactive mode. It is also
possible to adjust it on the fly while the line is active by
connecting to ppp's server socket
using &man.telnet.1; or &man.pppctl.8;. Refer to the
&man.ppp.8; man page for further details.Why does my connection drop under heavy load?If you have Link Quality Reporting (LQR) configured, it
is possible that too many LQR packets are lost between your
machine and the peer. The &man.ppp.8; program deduces that
the line must therefore be bad, and disconnects. Prior to
&os; version 2.2.5, LQR was enabled by default. It is now
disabled by default. LQR can be disabled with the following
line:disable lqrWhy does my connection drop after a random amount of
time?Sometimes, on a noisy phone line or even on a line with
call waiting enabled, your modem may hang up because it
thinks (incorrectly) that it lost carrier.There is a setting on most modems for determining how
tolerant it should be to temporary losses of carrier. On a
&usrobotics; &sportster; for example, this is measured
by the S10 register in tenths of a
second. To make your modem more forgiving, you could add
the following send-expect sequence to your dial
string:set dial "...... ATS10=10 OK ......"Refer to your modem manual for details.Why does my connection hang after a random amount of
time?Many people experience hung connections with no apparent
explanation. The first thing to establish is which side of
the link is hung.If you are using an external modem, you can simply try
using &man.ping.8; to see if the TD light
is flashing when you transmit data. If it flashes (and the
RD light does not), the problem is with
the remote end. If TD does not flash,
the problem is local. With an internal modem, you will need
to use the set server command in your
ppp.conf file. When the hang occurs,
connect to &man.ppp.8; using &man.pppctl.8;. If your
network connection suddenly revives (PPP was revived due to
the activity on the diagnostic socket) or if you cannot
connect (assuming the set socket command
succeeded at startup time), the problem is local. If you
can connect and things are still hung, enable local async
logging with set log local async and use
&man.ping.8; from another window or terminal to make use of
the link. The async logging will show you the data being
transmitted and received on the link. If data is going out
and not coming back, the problem is remote.Having established whether the problem is local or
remote, you now have two possibilities:If the problem is remote, read on entry .If the problem is local, read on entry .The remote end is not responding. What can I do?There is very little you can do about this. Most ISPs
will refuse to help if you are not running a µsoft; OS.
You can enable lqr in your
ppp.conf file, allowing &man.ppp.8; to
detect the remote failure and hang up, but this detection is
relatively slow and therefore not that useful. You may want
to avoid telling your ISP that you are running
user-PPP.First, try disabling all local compression by adding the
following to your configuration:disable pred1 deflate deflate24 protocomp acfcomp shortseq vj
deny pred1 deflate deflate24 protocomp acfcomp shortseq vjThen reconnect to ensure that this makes no difference.
If things improve or if the problem is solved completely,
determine which setting makes the difference through trial
and error. This will provide good ammunition when you
contact your ISP (although it may make it apparent that you
are not running a µsoft; product).Before contacting your ISP, enable async logging locally
and wait until the connection hangs again. This may use up
quite a bit of disk space. The last data read from the port
may be of interest. It is usually ASCII data, and may even
describe the problem (Memory fault,
Core dumped).If your ISP is helpful, they should be able to enable
logging on their end, then when the next link drop occurs,
they may be able to tell you why their side is having a
problem. Feel free to send the details to &a.brian;, or
even to ask your ISP to contact him directly.&man.ppp.8; has hung. What can I do?Your best bet here is to rebuild &man.ppp.8; with
debugging information, and then use &man.gdb.1; to grab a
stack trace from the ppp process
that is stuck. To rebuild the
ppp utility with debugging
information, you can type:&prompt.root; cd /usr/src/usr.sbin/ppp
&prompt.root; env DEBUG_FLAGS='-g' make clean
&prompt.root; env DEBUG_FLAGS='-g' make installThen you should restart ppp
and wait until it hangs again. When the debug build of
ppp hangs, start
gdb on the stuck process by
typing:&prompt.root; gdb ppp `pgrep ppp`At the gdb prompt, you can
use the bt or where
commands to get a stack trace. Save the output of your
gdb session, and
detach from the running process by the
quit command of
gdb.Finally, send the log of your
gdb session to &a.brian;.Why does nothing happen after the Login
OK! message?Prior to &os; version 2.2.5, once the link was
established, &man.ppp.8; would wait for the peer to initiate
the Line Control Protocol (LCP). Many ISPs will not
initiate negotiations and expect the client to do so. To
force &man.ppp.8; to initiate the LCP, use the following
line:set openmode activeIt usually does no harm if both sides initiate
negotiation, so openmode is now active by default.
However, the next section explains when it
does do some harm.I keep seeing errors about magic being the same. What
does it mean?Occasionally, just after connecting, you may see
messages in the log that say Magic is
same. Sometimes, these messages are harmless,
and sometimes one side or the other exits. Most PPP
implementations cannot survive this problem, and even if the
link seems to come up, you will see repeated configure
requests and configure acknowledgments in the log file until
&man.ppp.8; eventually gives up and closes the
connection.This normally happens on server machines with slow disks
that are spawning a &man.getty.8; on the port, and executing
&man.ppp.8; from a login script or program after login.
There were reports of it happening consistently when using
slirp. The reason is that in the time taken between
&man.getty.8; exiting and &man.ppp.8; starting, the
client-side &man.ppp.8; starts sending Line Control Protocol
(LCP) packets. Because ECHO is still switched on for the
port on the server, the client &man.ppp.8; sees these
packets reflect back.One part of the LCP negotiation is to establish a magic
number for each side of the link so that
reflections can be detected. The protocol
says that when the peer tries to negotiate the same magic
number, a NAK should be sent and a new magic number should
be chosen. During the period that the server port has ECHO
turned on, the client &man.ppp.8; sends LCP packets, sees
the same magic in the reflected packet and NAKs it. It also
sees the NAK reflect (which also means &man.ppp.8; must
change its magic). This produces a potentially enormous
number of magic number changes, all of which are happily
piling into the server's tty buffer. As soon as &man.ppp.8;
starts on the server, it is flooded with magic number
changes and almost immediately decides it has tried enough
to negotiate LCP and gives up. Meanwhile, the client, who
no longer sees the reflections, becomes happy just in time
to see a hangup from the server.This can be avoided by allowing the peer to start
negotiating with the following line in your
ppp.conf file:set openmode passiveThis tells &man.ppp.8; to wait for the server to
initiate LCP negotiations. Some servers however may never
initiate negotiations. If this is the case, you can do
something like:set openmode active 3This tells &man.ppp.8; to be passive for 3 seconds, and
then to start sending LCP requests. If the peer starts
sending requests during this period, &man.ppp.8; will
immediately respond rather than waiting for the full 3
second period.LCP negotiations continue until the connection is
closed. What is wrong?There is currently an implementation mis-feature in
&man.ppp.8; where it does not associate LCP, CCP & IPCP
responses with their original requests. As a result, if one
PPP implementation is more than 6 seconds slower than the
other side, the other side will send two additional LCP
configuration requests. This is fatal.Consider two implementations, A and
B. A starts sending LCP
requests immediately after connecting and B
takes 7 seconds to start. When B starts,
A has sent 3 LCP REQs. We are assuming the
line has ECHO switched off, otherwise we would see magic
number problems as described in the previous section.
B sends a REQ, then an ACK to the first of
A's REQs. This results in
A entering the OPENED
state and sending and ACK (the first) back to
B. In the meantime, B
sends back two more ACKs in response to the two additional
REQs sent by A before B
started up. B then receives the first ACK
from A and enters the
OPENED state. A
receives the second ACK from B and goes
back to the REQ-SENT state, sending
another (forth) REQ as per the RFC. It then receives the
third ACK and enters the OPENED state.
In the meantime, B receives the forth REQ
from A, resulting in it reverting to the
ACK-SENT state and sending another
(second) REQ and (forth) ACK as per the RFC.
A gets the REQ, goes into
REQ-SENT and sends another REQ. It
immediately receives the following ACK and enters
OPENED.This goes on until one side figures out that they are
getting nowhere and gives up.The best way to avoid this is to configure one side to
be passive — that is, make one side
wait for the other to start negotiating. This can be done
with the following command:set openmode passiveCare should be taken with this option. You should also
use the this command to limit the amount of time that
&man.ppp.8; waits for the peer to begin negotations:set stopped NAlternatively, the following command (where
N is the number of seconds to
wait before starting negotiations) can be used:set openmode active NCheck the manual page for details.Why does &man.ppp.8; lock up when I shell out to test
it?When you execute the shell or
! command, &man.ppp.8; executes a shell
(or if you have passed any arguments, &man.ppp.8; will
execute those arguments). The
ppp program will wait for the
command to complete before continuing. If you attempt to
use the PPP link while running the command, the link will
appear to have frozen. This is because &man.ppp.8; is
waiting for the command to complete.If you wish to execute commands like this, use the
!bg command instead. This will execute
the given command in the background, and &man.ppp.8; can
continue to service the link.Why does &man.ppp.8; over a null-modem cable never
exit?There is no way for &man.ppp.8; to automatically
determine that a direct connection has been dropped. This
is due to the lines that are used in a null-modem serial
cable. When using this sort of connection, LQR should
always be enabled with the following line:enable lqrLQR is accepted by default if negotiated by the
peer.Why does &man.ppp.8; dial for no reason in
mode?If &man.ppp.8; is dialing unexpectedly, you must
determine the cause, and set up Dial filters (dfilters) to
prevent such dialing.To determine the cause, use the following line:set log +tcp/ipThis will log all traffic through the connection. The
next time the line comes up unexpectedly, you will see the
reason logged with a convenient timestamp next to it.You can now disable dialing under these circumstances.
Usually, this sort of problem arises due to DNS lookups. To
prevent DNS lookups from establishing a connection (this
will not prevent &man.ppp.8; from
passing the packets through an established connection), use
the following:set dfilter 1 deny udp src eq 53
set dfilter 2 deny udp dst eq 53
set dfilter 3 permit 0/0 0/0This is not always suitable, as it will effectively
break your demand-dial capabilities — most programs
will need a DNS lookup before doing any other network
related things.In the DNS case, you should try to determine what is
actually trying to resolve a host name. A lot of the time,
&man.sendmail.8; is the culprit. You should make sure that
you tell sendmail not to do any
DNS lookups in its configuration file. See the section on
using email with a dialup connection
in the &os; Handbook for details on how to create your own
configuration file and what should go into it. You may also
want to add the following line to your
.mc file:define(`confDELIVERY_MODE', `d')dnlThis will make sendmail queue
everything until the queue is run (usually, sendmail is
invoked with , telling it to run
the queue every 30 minutes) or until a sendmail
is done (perhaps from your
ppp.linkup file).What do these CCP errors mean?I keep seeing the following errors in my log
file:CCP: CcpSendConfigReq
CCP: Received Terminate Ack (1) state = Req-Sent (6)This is because &man.ppp.8; is trying to negotiate
Predictor1 compression, and the peer does not want to
negotiate any compression at all. The messages are
harmless, but if you wish to remove them, you can disable
Predictor1 compression locally too:disable pred1Why does &man.ppp.8; not log my connection speed?In order to log all lines of your modem
conversation, you must enable the
following:set log +connectThis will make &man.ppp.8; log everything up until the
last requested expect string.If you wish to see your connect speed and are using PAP
or CHAP (and therefore do not have anything to
chat after the CONNECT in the dial script
— no set login script), you must
make sure that you instruct &man.ppp.8; to
expect the whole CONNECT line, something like
this:set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 4 \
\"\" ATZ OK-ATZ-OK ATDT\\T TIMEOUT 60 CONNECT \\c \\n"Here, we get our CONNECT, send nothing, then expect a
line-feed, forcing &man.ppp.8; to read the whole CONNECT
response.Why does &man.ppp.8; ignore the \
character in my chat script?The ppp utility parses each
line in your config files so that it can interpret strings
such as set phone "123 456 789" correctly
and realize that the number is actually only
one argument. In order to specify a
" character, you must escape it
using a backslash (\).When the chat interpreter parses each argument, it
re-interprets the argument in order to find any special
escape sequences such as \P or
\T (see the manual page). As a result of
this double-parsing, you must remember to use the correct
number of escapes.If you wish to actually send a \
character to (say) your modem, you would need something
like:set dial "\"\" ATZ OK-ATZ-OK AT\\\\X OK"It will result in the following sequence:ATZ
OK
AT\X
OKOr:set phone 1234567
set dial "\"\" ATZ OK ATDT\\T"It will result in the following sequence:ATZ
OK
ATDT1234567Why does &man.ppp.8; get a Segmentation
fault, but I see no ppp.core
file?The ppp utility (or any other
program for that matter) should never dump core. Because
&man.ppp.8; runs with an effective user ID of
0, the operating system will not write
core image of &man.ppp.8; to disk before terminating it.
If, however &man.ppp.8; is actually terminating due to a
segmentation violation or some other signal that normally
causes core to be dumped, and you are
sure you are using the latest version (see the start of this
section), then you should install the system sources and do
the following:&prompt.root; cd/usr/src/usr.sbin/ppp
&prompt.root; echoSTRIP= >> /etc/make.conf
&prompt.root; echoCFLAGS+= >> /etc/make.conf
&prompt.root; makeinstallcleanYou will now have a debuggable version of &man.ppp.8;
installed. You will have to be root to
run &man.ppp.8; as all of its privileges have been revoked.
When you start &man.ppp.8;, take a careful note of what your
current directory was at the time.Now, if and when &man.ppp.8; receives the segmentation
violation, it will dump a core file called
ppp.core. You should then do the
following:&prompt.user; su
&prompt.root; gdb /usr/sbin/ppp ppp.core(gdb)bt
.....
(gdb)f 0
....
(gdb)i args
....
(gdb)l
.....All of this information should be given alongside your
question, making it possible to diagnose the problem.If you are familiar with &man.gdb.1;, you may wish to
find out some other bits and pieces such as what actually
caused the dump or the addresses and values of the relevant
variables.Why does the process that forces a dial in
mode never connect?This was a known problem with &man.ppp.8; set up to
negotiate a dynamic local IP number with the peer in
mode. It has been fixed a long time
ago — search the manual page for
iface.The problem was that when that initial program calls
&man.connect.2;, the IP number of the &man.tun.4; interface
is assigned to the socket endpoint. The kernel creates the
first outgoing packet and writes it to the &man.tun.4;
device. &man.ppp.8; then reads the packet and establishes a
connection. If, as a result of &man.ppp.8;'s dynamic IP
assignment, the interface address is changed, the original
socket endpoint will be invalid. Any subsequent packets
sent to the peer will usually be dropped. Even if they are
not, any responses will not route back to the originating
machine as the IP number is no longer owned by that
machine.There are several theoretical ways to approach this
problem. It would be nicest if the peer would re-assign the
same IP number if possible. The current version of
&man.ppp.8; does this, but most other implementations do
not.The easiest method from our side would be to never
change the &man.tun.4; interface IP number, but instead to
change all outgoing packets so that the source IP number is
changed from the interface IP to the negotiated IP on the
fly. This is essentially what the
iface-alias option in the latest version
of &man.ppp.8; is doing (with the help of &man.libalias.3;
and &man.ppp.8;'s switch) — it
is maintaining all previous interface addresses and NATing
them to the last negotiated address.Another alternative (and probably the most reliable)
would be to implement a system call that changes all bound
sockets from one IP to another. &man.ppp.8; would use this
call to modify the sockets of all existing programs when a
new IP number is negotiated. The same system call could be
used by DHCP clients when they are forced
to call the bind() function for their
sockets.Yet another possibility is to allow an interface to be
brought up without an IP number. Outgoing packets would be
given an IP number of 255.255.255.255 up until the first
SIOCAIFADDR &man.ioctl.2; is done. This
would result in fully binding the socket. It would be up to
&man.ppp.8; to change the source IP number, but only if it
is set to 255.255.255.255,
and only the IP number and IP checksum would need to change.
This, however is a bit of a hack as the kernel would be
sending bad packets to an improperly configured interface,
on the assumption that some other mechanism is capable of
fixing things retrospectively.Why do most games not work with the
switch?The reason games and the like do not work when
&man.libalias.3; is in use is that the machine on the outside
will try to open a connection or send (unsolicited) UDP
packets to the machine on the inside. The NAT software does
not know that it should send these packets to the interior
machine.To make things work, make sure that the only thing
running is the software that you are having problems with,
then either run &man.tcpdump.1; on the &man.tun.4; interface
of the gateway or enable &man.ppp.8; TCP/IP logging
(set log +tcp/ip) on the gateway.When you start the offending software, you should see
packets passing through the gateway machine. When something
comes back from the outside, it will be dropped (that is the
problem). Note the port number of these packets then shut
down the offending software. Do this a few times to see if
the port numbers are consistent. If they are, then the
following line in the relevant section of
/etc/ppp/ppp.conf will make the
software functional:nat port protointernalmachine:portportwhere proto is either
tcp or udp,
internalmachine is the machine
that you want the packets to be sent to and
port is the destination port
number of the packets.You will not be able to use the software on other
machines without changing the above command, and running the
software on two internal machines at the same time is out of
the question — after all, the outside world is seeing
your entire internal network as being just a single
machine.If the port numbers are not consistent, there are three
more options:Submit support in &man.libalias.3;. Examples of
special cases can be found in
/usr/src/sys/netinet/libalias/alias_*.c
(alias_ftp.c is a good prototype).
This usually involves reading certain recognised
outgoing packets, identifying the instruction that tells
the outside machine to initiate a connection back to the
internal machine on a specific (random) port and setting
up a route in the alias table so that the
subsequent packets know where to go.This is the most difficult solution, but it is the
best and will make the software work with multiple
machines.Use a proxy. The application may support
socks5 for example, or (as in the
cvsup case) may have a
passive option that avoids ever
requesting that the peer open connections back to the
local machine.Redirect everything to the internal machine using
nat addr. This is the sledge-hammer
approach.Has anybody made a list of useful port numbers?Not yet, but this is intended to grow into such a list
(if any interest is shown). In each example,
internal should be replaced with
the IP number of the machine playing the game.Asheron's Callnat port udp
internal :65000
65000Manually change the port number within the game to
65000. If you have got a number of
machines that you wish to play on assign a unique port
number for each (i.e. 65001,
65002, etc) and add a nat
port line for each one.Half Lifenat port udp
internal:27005
27015PCAnywhere 8.0nat port udp
internal:5632
5632nat port tcp
internal:5631
5631Quakenat port udp
internal:6112
6112Quake 2nat port udp
internal:27901
27910nat port udp
internal:60021
60021nat port udp
internal:60040
60040Red Alertnat port udp
internal:8675
8675nat port udp
internal:5009
5009What are FCS errors?FCS stands for Frame
Check Sequence. Each
PPP packet has a checksum attached to ensure that the data
being received is the data being sent. If the FCS of an
incoming packet is incorrect, the packet is dropped and the
HDLC FCS count is increased. The HDLC error values can be
displayed using the show hdlc
command.If your link is bad (or if your serial driver is
dropping packets), you will see the occasional FCS error.
This is not usually worth worrying about although it does
slow down the compression protocols substantially. If you
have an external modem, make sure your cable is properly
shielded from interference - this may eradicate the
problem.If your link freezes as soon as you have connected and
you see a large number of FCS errors, this may be because your
link is not 8-bit clean. Make sure your modem is not using
software flow control (XON/XOFF). If your datalink
must use software flow control, use the
command set accmap 0x000a0000 to tell
&man.ppp.8; to escape the ^Q and
^S characters.Another reason for seeing too many FCS errors may be
that the remote end has stopped talking
PPP. You may want to enable
async logging at this point to determine
if the incoming data is actually a login or shell prompt.
If you have a shell prompt at the remote end, it is possible
to terminate &man.ppp.8; without dropping the line by using
the close lcp command (a following
term command) will reconnect you to the
shell on the remote machine.If nothing in your log file indicates why the link might
have been terminated, you should ask the remote
administrator (your ISP?) why the session was
terminated.Why do &macos; and &windows; 98 connections freeze
when running PPPoE on the gateway?Thanks to Michael Wozniak
mwozniak@netcom.ca for figuring this out and
Dan Flemming danflemming@mac.com for the Mac
solution:This is due to what is called a Black
Hole router. &macos; and &windows; 98 (and maybe
other µsoft; OSs) send TCP packets with a requested
segment size too big to fit into a PPPoE frame (MTU is
1500 by default for Ethernet)
and have the do not
fragment bit set (default of TCP) and the Telco
router is not sending ICMP must fragment back
to the WWW site you are trying to load. (Alternatively, the
router is sending the ICMP packet correctly, but the
firewall at the WWW site is dropping it.) When the www
server is sending you frames that do not fit into the PPPoE
pipe the Telco router drops them on the floor and your page
does not load (some pages/graphics do as they are smaller
than a MSS.) This seems to be the default of most Telco
PPPoE configurations.One fix is to use regedit on
your 95/98 system to add the following registry entry:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Class\NetTrans\0000\MaxMTUIt should be a string with a value
1436, as some ADSL routers are reported
to be unable to deal with packets larger than this. This
registry key has been changed to
Tcpip\Parameters\Interfaces\ID for
adapter\MTU in &windows; 2000
and becomes a DWORD.Refer to the Microsoft Knowledge Base documents Q158474 - Windows TCPIP Registry Entries
and Q120642 - TCPIP & NBT Configuration Parameters for &windowsnt;
for more information on changing &windows; MTU to work with
a NAT router.Another regedit possibility under &windows; 2000 to
set the Tcpip\Parameters\Interfaces\ID
for adapter\EnablePMTUBHDetectDWORD to 1 as
mentioned in the Microsoft document 120642 mentioned
above.Unfortunately, &macos; does not provide an interface for
changing TCP/IP settings. However, there many commercial
software available that will allow users to customize TCP/IP
settings. &macos; NAT users should search for their MTU
settings and enter 1450 instead of
1500.The &man.ppp.8; has an enable
tcpmssfixup command that will automatically adjust
the MSS to an appropriate value. This facility is enabled
by default. If you are stuck with an older version of
&man.ppp.8;, you may want to look at the net/tcpmssd port.
+ role="package">net/tcpmssd port.
None of this helps — I am desperate! What can I
do?If all else fails, send as much information as you can,
including your config files, how you are starting
&man.ppp.8;, the relevant parts of your log file and the
output of the netstat -rn command (before
and after connecting) to the &a.questions; or the comp.unix.bsd.freebsd.misc
news group, and someone should point you in the right
direction.Serial CommunicationsThis section answers common questions about serial
communications with &os;. PPP and SLIP are covered in the Networking section.How do I tell if &os; found my serial ports?As the &os; kernel boots, it will probe for the serial
ports in your system for which the kernel was configured.
You can either watch your system closely for the messages it
prints or run this command after your system is up and
running:&prompt.user; dmesg | grep -E "^sio[0-9]"Here is some example output from the above
command:sio0: <16550A-compatible COM port> port 0x3f8-0x3ff irq 4 flags 0x10 on acpi0
sio0: type 16550A
sio1: <16550A-compatible COM port> port 0x2f8-0x2ff irq 3 on acpi0
sio1: type 16550AThis shows two serial ports. The first is on
IRQ 4, is using port address 0x3f8,
and has a 16550A-type UART chip. The second uses the same
kind of chip but is on IRQ 3 and is at port address
0x2f8. Internal modem cards are treated
just like serial ports — except that they always have
a modem attached to the port.The GENERIC kernel includes support
for two serial ports using the same IRQ and port address
settings in the above example. If these settings are not
right for your system, or if you have added modem cards or
have more serial ports than your kernel is configured for,
just reconfigure your kernel. See section about building a kernel for
more details.How do I tell if &os; found my modem cards?Refer to the answer to the previous question.How do I access the serial ports on &os;?The third serial port, sio2
(see &man.sio.4;, known as COM3 in
DOS), is on /dev/cuad2 for dial-out
devices, and on /dev/ttyd2 for
dial-in devices. What is the difference between these two
classes of devices?You use
ttydX
for dial-ins. When opening
/dev/ttydX
in blocking mode, a process will wait for the corresponding
cuadX
device to become inactive, and then wait for the carrier
detect line to go active. When you open the
cuadX
device, it makes sure the serial port is not already in use
by the
ttydX
device. If the port is available, it steals
it from the
ttydX
device. Also, the
cuadX
device does not care about carrier detect. With this scheme
and an auto-answer modem, you can have remote users log in
and you can still dial out with the same modem and the
system will take care of all the conflicts.How do I enable support for a multiport serial
card?Again, the section on kernel configuration provides
information about configuring your kernel. For a multiport
serial card, place an &man.sio.4; line for each serial port
on the card in the &man.device.hints.5; file. But place the
IRQ specifiers on only one of the entries. All of the ports
on the card should share one IRQ. For consistency, use the
last serial port to specify the IRQ. Also, specify the
following option in the kernel configuration file:options COM_MULTIPORTThe following /boot/device.hints
example is for an AST 4-port serial card on
IRQ 12:hint.sio.4.at="isa"
hint.sio.4.port="0x2a0"
hint.sio.4.flags="0x701"
hint.sio.5.at="isa"
hint.sio.5.port="0x2a8"
hint.sio.5.flags="0x701"
hint.sio.6.at="isa"
hint.sio.6.port="0x2b0"
hint.sio.6.flags="0x701"
hint.sio.7.at="isa"
hint.sio.7.port="0x2b8"
hint.sio.7.flags="0x701"
hint.sio.7.irq="12"The flags indicate that the master port has minor number
7 (0x700), and all the
ports share an IRQ (0x001).Can &os; handle multiport serial cards sharing
IRQs?Not yet. You will have to use a different IRQ for each
card.Can I set the default serial parameters for a
port?See the Serial Communications
section in the &os; Handbook.How can I enable dialup logins on my modem?Please read the section about Dial-in Services
in the &os; Handbook.How can I connect a dumb terminal to my &os; box?You can find this information in the Terminals
section of the &os; Handbook.Why can I not run tip or
cu?On your system, the programs &man.tip.1; and &man.cu.1;
can only access the /var/spool/lock
directory via user uucp and group
dialer. You can use the group
dialer to control who has access to
your modem or remote systems. Just add yourself to group
dialer.Alternatively, you can let everyone on your system run
&man.tip.1; and &man.cu.1; by typing:&prompt.root; chmod 4511 /usr/bin/cu
&prompt.root; chmod 4511 /usr/bin/tipMy stock Hayes modem is not supported — what can I
do?See this answer
in the &os; Handbook.How am I expected to enter these AT commands?See this answer
in the &os; Handbook.Why does the @ sign for the
pn capability not
work?See this answer
in the &os; Handbook.How can I dial a phone number on the command
line?See this answer
in the &os; Handbook.Do I have to type in the bps rate every time I do
that?See this answer
in the &os; Handbook.How can I more easily access a number of hosts through a
terminal server?See this answer
in the &os; Handbook.Can tip try more than one line for each site?See this answer
in the &os; Handbook.Why do I have to hit CtrlP
twice to send CtrlP
once?See this answer
in the &os; Handbook.Why is everything I type suddenly in UPPER CASE?See this answer
in the &os; Handbook.How can I do file transfers with
tip?See this answer
in the &os; Handbook.How can I run zmodem with
tip?See this answer
in the &os; Handbook.Miscellaneous Questions&os; uses far more swap space than &linux;. Why?&os; only appears to use more swap than &linux;. In
actual fact, it does not. The main difference between &os;
and &linux; in this regard is that &os; will proactively
move entirely idle, unused pages of main memory into swap in
order to make more main memory available for active use.
&linux; tends to only move pages to swap as a last resort.
The perceived heavier use of swap is balanced by the more
efficient use of main memory.Note that while &os; is proactive in this regard, it
does not arbitrarily decide to swap pages when the system is
truly idle. Thus you will not find your system all paged
out when you get up in the morning after leaving it idle
overnight.Why does top show very little free
memory even when I have very few programs running?The simple answer is that free memory is wasted memory.
Any memory that your programs do not actively allocate is
used within the &os; kernel as disk cache. The values shown
by &man.top.1; labeled as Inact,
Cache, and Buf are all
cached data at different aging levels. This cached data
means the system does not have to access a slow disk again
for data it has accessed recently, thus increasing overall
performance. In general, a low value shown for
Free memory in &man.top.1; is good,
provided it is not very low.Why will chmod not change the
permissions on symlinks?Symlinks do not have permissions, and by default,
&man.chmod.1; will not follow symlinks to change the
permissions on the target file. So if you have a file,
foo, and a symlink to that file,
bar, then this command will always
succeed.&prompt.user; chmod g-w barHowever, the permissions on foo
will not have changed.You have to use either or
together with the
option to make this work. See the &man.chmod.1; and
&man.symlink.7; manual pages for more info.The option does a
recursive &man.chmod.1;. Be careful
about specifying directories or symlinks to directories to
&man.chmod.1;. If you want to change the permissions of a
directory referenced by a symlink, use &man.chmod.1;
without any options and follow the symlink with a trailing
slash (/). For example, if
foo is a symlink to directory
bar, and you want to change the
permissions of foo (actually
bar), you would do something
like:&prompt.user; chmod 555 foo/With the trailing slash, &man.chmod.1; will follow the
symlink, foo, to change the
permissions of the directory,
bar.Can I run DOS binaries under &os;?Yes, you can use emulators/doscmd, a DOS
emulation program, available in the &os; Ports
Collection.If doscmd will not suffice,
the add-on utility emulators/pcemu emulates an 8088
and enough BIOS services to run many DOS text mode
applications. It requires the X Window System.You may also try emulators/dosbox from the &os;
Ports Collection. The main focus of this application is
emulating old DOS games using the local file system for
files.What do I need to do to translate a &os; document into
my native language?See the Translation FAQ
in the &os; Documentation Project Primer.Why does my email to any address at FreeBSD.org bounce?The FreeBSD.org mail
system implements some of the stricter
Postfix checks on incoming mail
and rejects mail that is either misconfigured or is
potential spam. Your mail might bounce for one of the
following reasons:The email is being sent from a known spam domain or
IP block.The &os; mail servers reject email from known spam
sources. If you have service through a company or
domain who generates or relays spam, please switch to a
service provider who does not.The body of the email only contains HTML.Mail should be sent in plain text only. Please
configure your mail user agent to send plain
text.The mailer at FreeBSD.org cannot resolve
the IP address of the connecting host back to a
symbolic name.Working reverse DNS is a standard requirement for
accepting mail from a host. Set up reverse DNS for your
mail server's IP address. Many home services (DSL,
cable, dialup, etc.) will not give you this option. In
this case, relay your email through your service
provider's mail server.The hostname given in the EHLO/HELO part of the SMTP
exchange cannot be resolved to an IP address.A fully qualified, resolvable host name is necessary
in this part of the SMTP dialogue before mail will be
accepted. If you do not have a host name that is
registered in the DNS, then you should use your service
provider's mail server to relay your mail.Your message had a message ID ending with the string
localhost.Some mail user agents generate bad message IDs which
will not be accepted. You will need to persuade your mail
user agent to generate a valid message ID or else
configure your mail transfer agent to rewrite
them.Where can I find a free &os; account?While &os; does not provide open access to any of their
servers, others do provide open access &unix; systems. The
charge varies and limited services may be available.Arbornet, Inc,
also known as M-Net, has been providing
open access to &unix; systems since 1983. Starting on an
Altos running System III, the site switched to BSD/OS in
1991. In June of 2000, the site switched again to &os;.
M-Net can be accessed via
telnet and
SSH and provides basic access to
the entire &os; software suite. However, network access is
limited to members and patrons who donate to the system,
which is run as a non-profit organization.
M-Net also provides an bulletin board
system and interactive chat.Grex provides
a site very similar to M-Net including
the same bulletin board and interactive chat software.
However, the machine is a &sun; 4M and is running
&sunos;.What is sup, and how do I use
it?SUP
stands for Software Update Protocol, and was developed by
CMU for keeping their development trees in sync. It was
used to keep remote sites in sync with the Project's central
development sources.SUP is not bandwidth friendly, and has been retired.
The current recommended method to keep your sources up to
date is CVSupWhat is the cute little red guy's name?He does not have one, and is just called the BSD
daemon. If you insist upon using a name, call him
beastie. Note that beastie is
pronounced BSD.You can learn more about the BSD daemon on his home page.
Can I use the BSD daemon image?Perhaps. The BSD daemon is copyrighted by Marshall Kirk
McKusick. You will want to check his Statement on the Use of the BSD Daemon Figure
for detailed usage terms.In summary, you are free to use the image in a tasteful
manner, for personal use, so long as appropriate credit is
given. If you want to use him commercially, you must
contact &a.mckusick;. More details are available on the
BSD Daemon's home page.
Do you have any BSD daemon images I could use?You will find eps and Xfig drawings under
/usr/share/examples/BSD_daemon/.I have seen an acronym or other term on the mailing
lists and I do not understand what it means. Where should I
look?Please see the &os; Glossary.
Why should I care what color the bikeshed is?The really, really short answer is that you should not.
The somewhat longer answer is that just because you are
capable of building a bikeshed does not mean you should stop
others from building one just because you do not like the
color they plan to paint it. This is a metaphor indicating
that you need not argue about every little feature just
because you know enough to do so. Some people have
commented that the amount of noise generated by a change is
inversely proportional to the complexity of the
change.The longer and more complete answer is that after a very
long argument about whether &man.sleep.1; should take
fractional second arguments, &a.phk; posted a long message
entitled A bike shed (any color will do) on greener grass....
The appropriate portions of that message are quoted
below.
&a.phk; on &a.hackers.name;, October 2,
1999What is it about this bike shed? Some
of you have asked me.It is a long story, or rather it is an old story, but
it is quite short actually. C. Northcote Parkinson wrote
a book in the early 1960s, called Parkinson's
Law, which contains a lot of insight into the
dynamics of management.[snip a bit of commentary on the
book]In the specific example involving the bike shed, the
other vital component is an atomic power-plant, I guess
that illustrates the age of the book.Parkinson shows how you can go into the board of
directors and get approval for building a multi-million or
even billion dollar atomic power plant, but if you want to
build a bike shed you will be tangled up in endless
discussions.Parkinson explains that this is because an atomic
plant is so vast, so expensive and so complicated that
people cannot grasp it, and rather than try, they fall
back on the assumption that somebody else checked all the
details before it got this far. Richard P. Feynmann
gives a couple of interesting, and very much to the point,
examples relating to Los Alamos in his books.A bike shed on the other hand. Anyone can build one
of those over a weekend, and still have time to watch the
game on TV. So no matter how well prepared, no matter how
reasonable you are with your proposal, somebody will seize
the chance to show that he is doing his job, that he is
paying attention, that he is
here.In Denmark we call it setting your
fingerprint. It is about personal pride and
prestige, it is about being able to point somewhere and
say There! I did
that. It is a strong trait in politicians, but
present in most people given the chance. Just think about
footsteps in wet cement.
The &os; FunniesHow cool is &os;?Q. Has anyone done any temperature testing while
running &os;? I know &linux; runs cooler than DOS, but have
never seen a mention of &os;. It seems to run really
hot.A. No, but we have done numerous taste tests on
blindfolded volunteers who have also had 250 micrograms of
LSD-25 administered beforehand. 35% of the volunteers said
that &os; tasted sort of orange, whereas &linux; tasted like
purple haze. Neither group mentioned any significant
variances in temperature. We eventually had to throw the
results of this survey out entirely anyway when we found
that too many volunteers were wandering out of the room
during the tests, thus skewing the results. We think most
of the volunteers are at Apple now, working on their new
scratch and sniff GUI. It is a funny old
business we are in!Seriously, both &os; and &linux; use the
HLT (halt) instruction when the system is
idle thus lowering its energy consumption and therefore the
heat it generates. Also if you have APM (advanced power
management) configured, then &os; can also put the CPU into
a low power mode.Who is scratching in my memory banks??Q. Is there anything odd that &os; does
when compiling the kernel which would cause the memory to
make a scratchy sound? When compiling (and for a brief
moment after recognizing the floppy drive upon startup, as
well), a strange scratchy sound emanates from what appears
to be the memory banks.A. Yes! You will see frequent references to
daemons in the BSD documentation, and what
most people do not know is that this refers to genuine,
non-corporeal entities that now possess your computer. The
scratchy sound coming from your memory is actually
high-pitched whispering exchanged among the daemons as they
best decide how to deal with various system administration
tasks.If the noise gets to you, a good
fdisk /mbr from DOS will get rid of them,
but do not be surprised if they react adversely and try to
stop you. In fact, if at any point during the exercise you
hear the satanic voice of Bill Gates coming from the
built-in speaker, take off running and do not ever look
back! Freed from the counterbalancing influence of the BSD
daemons, the twin demons of DOS and &windows; are often able
to re-assert total control over your machine to the eternal
damnation of your soul. Now that you know, given a choice
you would probably prefer to get used to the scratchy
noises, no?How many &os; hackers does it take to change a
lightbulb?One thousand, one hundred and sixty-nine:Twenty-three to complain to -CURRENT about the lights
being out;Four to claim that it is a configuration problem, and
that such matters really belong on -questions;Three to submit PRs about it, one of which is misfiled
under doc and consists only of it's
dark;One to commit an untested lightbulb which breaks
buildworld, then back it out five minutes later;Eight to flame the PR originators for not including
patches in their PRs;Five to complain about buildworld being broken;Thirty-one to answer that it works for them, and they
must have cvsupped at a bad time;One to post a patch for a new lightbulb to
-hackers;One to complain that he had patches for this three years
ago, but when he sent them to -CURRENT they were just
ignored, and he has had bad experiences with the PR system;
besides, the proposed new lightbulb is non-reflexive;Thirty-seven to scream that lightbulbs do not belong in
the base system, that committers have no right to do things
like this without consulting the Community, and WHAT IS
-CORE DOING ABOUT IT!?Two hundred to complain about the color of the bicycle
shed;Three to point out that the patch breaks
&man.style.9;;Seventeen to complain that the proposed new lightbulb is
under GPL;Five hundred and eighty-six to engage in a flame war
about the comparative advantages of the GPL, the BSD
license, the MIT license, the NPL, and the personal hygiene
of unnamed FSF founders;Seven to move various portions of the thread to -chat
and -advocacy;One to commit the suggested lightbulb, even though it
shines dimmer than the old one;Two to back it out with a furious flame of a commit
message, arguing that &os; is better off in the dark than
with a dim lightbulb;Forty-six to argue vociferously about the backing out of
the dim lightbulb and demanding a statement from
-core;Eleven to request a smaller lightbulb so it will fit
their Tamagotchi if we ever decide to port &os; to that
platform;Seventy-three to complain about the SNR on -hackers and
-chat and unsubscribe in protest;Thirteen to post unsubscribe, How
do I unsubscribe?, or Please remove me from
the list, followed by the usual footer;One to commit a working lightbulb while everybody is too
busy flaming everybody else to notice;Thirty-one to point out that the new lightbulb would
shine 0.364% brighter if compiled with TenDRA (although it
will have to be reshaped into a cube), and that &os; should
therefore switch to TenDRA instead of GCC;One to complain that the new lightbulb lacks
fairings;Nine (including the PR originators) to ask what
is MFC?;Fifty-seven to complain about the lights being out two
weeks after the bulb has been changed.&a.nik; adds:I was laughing quite hard at
this.And then I thought, Hang on, shouldn't
there be '1 to document it.' in that list
somewhere?And then I was enlightened
:-)&a.tabthorpe; says: None,
real &os; hackers are not afraid of the
dark!Where does data written to
/dev/null go?It goes into a special data sink in the CPU where it is
converted to heat which is vented through the heatsink / fan
assembly. This is why CPU cooling is increasingly
important; as people get used to faster processors, they
become careless with their data and more and more of it ends
up in /dev/null, overheating their
CPUs. If you delete /dev/null (which
effectively disables the CPU data sink) your CPU may run
cooler but your system will quickly become constipated with
all that excess data and start to behave erratically. If
you have a fast network connection you can cool down your
CPU by reading data out of /dev/random
and sending it off somewhere; however you run the risk of
overheating your network connection and
/ or angering your ISP, as most of the
data will end up getting converted to heat by their
equipment, but they generally have good cooling, so if you
do not overdo it you should be OK.Paul Robinson adds:There are other methods. As every good sysadmin knows,
it is part of standard practice to send data to the screen
of interesting variety to keep all the pixies that make up
your picture happy. Screen pixies (commonly mis-typed or
re-named as pixels) are categorized by the
type of hat they wear (red, green or blue) and will hide or
appear (thereby showing the color of their hat) whenever
they receive a little piece of food. Video cards turn data
into pixie-food, and then send them to the pixies —
the more expensive the card, the better the food, so the
better behaved the pixies are. They also need constant
stimulation — this is why screen savers exist.To take your suggestions further, you could just throw
the random data to console, thereby letting the pixies
consume it. This causes no heat to be produced at all,
keeps the pixies happy and gets rid of your data quite
quickly, even if it does make things look a bit messy on
your screen.Incidentally, as an ex-admin of a large ISP who
experienced many problems attempting to maintain a stable
temperature in a server room, I would strongly discourage
people sending the data they do not want out to the network.
The fairies who do the packet switching and routing get
annoyed by it as well.Advanced TopicsHow can I learn more about &os;'s internals?At this time, there is only one book on &os;-specific OS
internals, namely The Design and Implementation of
the &os; Operating System by Marshall Kirk McKusick
and George V. Neville-Neil, ISBN 0-201-70245-2, which
focuses on version 5.X of
&os;.Additionally, much general &unix; knowledge is directly
applicable to &os;.For a list of relevant books, please check the
Handbook's Operating System Internals Bibliography.
How can I contribute to &os;?Please see the article on Contributing to &os;
for specific advice on how to do this. Assistance is more
than welcome!What are snapshots and releases?There are currently three active/semi-active branches in
the &os; CVS Repository.
(Earlier branches are only changed very rarely, which is why
there are only three active branches of development):RELENG_6 AKA
6-STABLERELENG_7 AKA
7-STABLEHEAD AKA
-CURRENT AKA
8-CURRENTHEAD is not an actual branch tag,
like the other two; it is simply a symbolic constant for
the current, non-branched development
stream which we simply refer to as
-CURRENT.Right now, -CURRENT is the
8.X development stream; the
6-STABLE branch,
RELENG_6, forked off from
-CURRENT in November 2005, and the
7-STABLE branch,
RELENG_7, forked off from
-CURRENT in February 2008.How do I make my own custom release?Please see the Release Engineering
article.Why does
make world
clobber my existing installed binaries?Yes, this is the general idea; as its name might
suggest,
make world
rebuilds every system binary from scratch, so you can be
certain of having a clean and consistent environment at the
end (which is why it takes so long).If the environment variable DESTDIR
is defined while running
make world or
make install,
the newly-created binaries will be deposited in a directory
tree identical to the installed one, rooted at
${DESTDIR}. Some random combination of
shared libraries modifications and program rebuilds can
cause this to fail in
make world
however.Why isn't cvsup.FreeBSD.org
a round robin DNS entry to share the load amongst the various
CVSup servers?While CVSup mirrors update
from the master CVSup server
hourly, this update might happen at any time during the
hour. This means that some servers have newer code than
others, even though all servers have code that is less than
an hour old. If cvsup.FreeBSD.org was a round robin
DNS entry that simply redirected users to a random
CVSup server, running
CVSup twice in a row could
download code older than the code already on the
system.Can I follow -CURRENT with limited
Internet access?Yes, you can do this without
downloading the whole source tree by using the CTM facility.
How did you split the distribution into 1392 KB
files?Newer BSD based systems have a
option to &man.split.1; that allows them to split files on
arbitrary byte boundaries.Here is an example from
/usr/src/release/Makefile.ZIPNSPLIT= gzip --no-name -9 -c | split -b 1392k -I have written a kernel extension, who do I send it
to?Please take a look at the article on Contributing to &os;
to learn how to submit code.And thanks for the thought!How are Plug N Play ISA cards detected and
initialized?By: Frank Durda IV
uhclem@nemesis.lonestar.orgIn a nutshell, there a few I/O ports that all of the PnP
boards respond to when the host asks if anyone is out there.
So when the PnP probe routine starts, it asks if there are
any PnP boards present, and all the PnP boards respond with
their model # to a I/O read of the same port, so the probe
routine gets a wired-OR yes to that question.
At least one bit will be on in that reply. Then the probe
code is able to cause boards with board model IDs (assigned
by µsoft;/&intel;) lower than X to
go off-line. It then looks to see if any
boards are still responding to the query. If the answer was
0, then there are no boards with IDs
above X. Probe will then ask for boards
below X. Finally, probe requests boards
greater than
X - (limit / 4) to go
off-line. It then repeats this query. By repeating this
semi-binary search of IDs-in-range enough times, the probing
code will eventually identify all PnP boards present in a
given machine with a number of iterations that is much lower
than what 264 would take.The IDs are two 32-bit fields (hence
264) + 8-bit checksum. The first
32 bits are a vendor identifier. They never come out
and say it, but it appears to be assumed that different
types of boards from the same vendor could have different
32-bit vendor IDs. The idea of needing 32 bits just
for unique manufacturers is a bit excessive.The lower 32 bits are a serial #, or something else
that makes this one board unique. The vendor must never
produce a second board that has the same lower 32 bits
unless the upper 32 bits are also different. So you
can have multiple boards of the same type in the machine and
the full 64 bits will still be unique.The 32 bit groups can never be all zero. This
allows the wired-OR to show non-zero bits during the initial
binary search.Once the system has identified all the board IDs
present, it will reactivate each board, one at a time (via the
same I/O ports), and find out what resources the given board
needs, what interrupt choices are available, etc. A scan is
made over all the boards to collect this information.This info is then combined with info from any ECU files
on the hard disk or wired into the MLB BIOS. The ECU and
BIOS PnP support for hardware on the MLB is usually
synthetic, and the peripherals do not really do genuine PnP.
However by examining the BIOS info plus the ECU info, the
probe routines can cause the devices that are PnP to avoid
those devices the probe code cannot relocate.Then the PnP devices are visited once more and given
their I/O, DMA, IRQ and Memory-map address assignments. The
devices will then appear at those locations and remain there
until the next reboot, although there is nothing that says
you cannot move them around whenever you want.There is a lot of oversimplification above, but you
should get the general idea.µsoft; took over some of the primary printer status
ports to do PnP, on the logic that no boards decoded those
addresses for the opposing I/O cycles. I found a genuine
IBM printer board that did decode writes of the status port
during the early PnP proposal review period, but µsoft;
said tough. So they do a write to the
printer status port for setting addresses, plus that use
that address + 0x800, and a third I/O
port for reading that can be located anywhere between
0x200 and 0x3ff.
Can you assign a major number for a device driver I have
written?&os; releases after February 2003 has a facility for
dynamically and automatically allocating major numbers for
device drivers at runtime (see &man.devfs.5;), so there is
no need for this.What about alternative layout policies for
directories?In answer to the question of alternative layout policies
for directories, the scheme that is currently in use is
unchanged from what I wrote in 1983. I wrote that policy
for the original fast file system, and never revisited it.
It works well at keeping cylinder groups from filling up.
As several of you have noted, it works poorly for find.
Most file systems are created from archives that were
created by a depth first search (aka ftw). These
directories end up being striped across the cylinder groups
thus creating a worst possible scenario for future depth
first searches. If one knew the total number of directories
to be created, the solution would be to create
(total / fs_ncg) per cylinder
group before moving on. Obviously, one would have to create
some heuristic to guess at this number. Even using a small
fixed number like say 10 would make an order of magnitude
improvement. To differentiate restores from normal
operation (when the current algorithm is probably more
sensible), you could use the clustering of up to 10 if they
were all done within a ten second window. Anyway, my
conclusion is that this is an area ripe for
experimentation.&a.mckusick;, September 1998How can I make the most of the data I see when my kernel
panics?Here is typical kernel panic:Fatal trap 12: page fault while in kernel mode
fault virtual address = 0x40
fault code = supervisor read, page not present
instruction pointer = 0x8:0xf014a7e5
stack pointer = 0x10:0xf4ed6f24
frame pointer = 0x10:0xf4ed6f28
code segment = base 0x0, limit 0xfffff, type 0x1b
= DPL 0, pres 1, def32 1, gran 1
processor eflags = interrupt enabled, resume, IOPL = 0
current process = 80 (mount)
interrupt mask =
trap number = 12
panic: page faultWhen you see a message like this, it is not enough to
just reproduce it and send it in. The instruction pointer
value that I highlighted up there is important;
unfortunately, it is also configuration dependent. In other
words, the value varies depending on the exact kernel image
that you are using. If you are using a
GENERIC kernel image from one of the
snapshots, then it is possible for somebody else to track
down the offending function, but if you are running a custom
kernel then only you can tell us where
the fault occurred.What you should do is this:Write down the instruction pointer value. Note
that the 0x8: part at the beginning
is not significant in this case: it is the
0xf0xxxxxx part that we
want.When the system reboots, do the following:&prompt.user; nmkernel.that.caused.the.panic | grep f0xxxxxxwhere f0xxxxxx is the
instruction pointer value. The odds are you will not
get an exact match since the symbols in the kernel
symbol table are for the entry points of functions and
the instruction pointer address will be somewhere
inside a function, not at the start. If you do not
get an exact match, omit the last digit from the
instruction pointer value and try again, i.e.:&prompt.user; nmkernel.that.caused.the.panic | grep f0xxxxxIf that does not yield any results, chop off another
digit. Repeat until you get some sort of output. The
result will be a possible list of functions which caused
the panic. This is a less than exact mechanism for
tracking down the point of failure, but it is better
than nothing.However, the best way to track down the cause of a panic
is by capturing a crash dump, then using &man.kgdb.1; to
generate a stack trace on the crash dump.In any case, the method is this:Make sure that the following line is included in
your kernel configuration file
(/usr/src/sys/arch/conf/MYKERNEL):makeoptions DEBUG=-g # Build kernel with gdb(1) debug symbolsChange to the /usr/src
directory:&prompt.root; cd/usr/srcCompile the kernel:&prompt.root; makebuildkernelKERNCONFIG=MYKERNELWait for &man.make.1; to finish compiling.&prompt.root; makeinstallkernelKERNCONFIG=MYKERNELReboot.If you do not use the KERNCONFIG
make variable a GENERIC kernel will
be built and installed.The &man.make.1; process will have built two kernels.
/usr/obj/usr/src/sys/MYKERNEL/kernel
and
/usr/obj/usr/src/sys/MYKERNEL/kernel.debug.
kernel was installed as
/boot/kernel/kernel, while
kernel.debug can be used as the source
of debugging symbols for &man.kgdb.1;.To make sure you capture a crash dump, you need edit
/etc/rc.conf and set
dumpdev to point to your swap partition
(or AUTO). This will cause the
&man.rc.8; scripts to use the &man.dumpon.8; command to
enable crash dumps. You can also run &man.dumpon.8;
manually. After a panic, the crash dump can be recovered
using &man.savecore.8;; if dumpdev is set
in /etc/rc.conf, the &man.rc.8; scripts
will run &man.savecore.8; automatically and put the crash
dump in /var/crash.&os; crash dumps are usually the same size as the
physical RAM size of your machine. That is, if you have
512 MB of RAM, you will get a 512 MB crash dump.
Therefore you must make sure there is enough space in
/var/crash to hold the dump.
Alternatively, you run &man.savecore.8; manually and have
it recover the crash dump to another directory where you
have more room. It is possible to limit the size of the
crash dump by using options
MAXMEM=N where
N is the size of kernel's
memory usage in KBs. For example, if you have 1 GB
of RAM, you can limit the kernel's memory usage to
128 MB by this way, so that your crash dump size will
be 128 MB instead of 1 GB.Once you have recovered the crash dump, you can get a
stack trace with &man.kgdb.1; as follows:&prompt.user; kgdb/usr/obj/usr/src/sys/MYKERNEL/kernel.debug/var/crash/vmcore.0(kgdb)backtraceNote that there may be several screens worth of
information; ideally you should use &man.script.1; to
capture all of them. Using the unstripped kernel image with
all the debug symbols should show the exact line of kernel
source code where the panic occurred. Usually you have to
read the stack trace from the bottom up in order to trace
the exact sequence of events that lead to the crash. You
can also use &man.kgdb.1; to print out the contents of
various variables or structures in order to examine the
system state at the time of the crash.Now, if you are really insane and have a second
computer, you can also configure &man.kgdb.1; to do remote
debugging such that you can use &man.kgdb.1; on one system
to debug the kernel on another system, including setting
breakpoints, single-stepping through the kernel code, just
like you can do with a normal user-mode program.If you have DDB enabled and the
kernel drops into the debugger, you can force a panic (and
a crash dump) just by typing panic at
the ddb prompt. It may stop in the
debugger again during the panic phase. If it does, type
continue and it will finish the crash
dump.Why has dlsym() stopped working for
ELF executables?The ELF toolchain does not, by default, make the symbols
defined in an executable visible to the dynamic linker.
Consequently dlsym() searches on
handles obtained from calls to dlopen(NULL,
flags) will fail to find such symbols.If you want to search, using
dlsym(), for symbols present in the
main executable of a process, you need to link the
executable using the
option to the ELF linker (&man.ld.1;).How can I increase or reduce the kernel address space on
i386?By default, the kernel address space is 1 GB
(2 GB for PAE) for i386. If you run a
network-intensive server (e.g. a large FTP or HTTP server),
or you want to use ZFS, you might find that is not
enough.Add the following line to your kernel configuration file
to increase available space and rebuild your kernel:options KVA_PAGES=NTo find the correct value of
N, divide the desired address
space size (in megabytes) by four. (For example, it is
512 for 2 GB.)AcknowledgmentsThis innocent little Frequently Asked Questions document has
been written, rewritten, edited, folded, spindled, mutilated,
eviscerated, contemplated, discombobulated, cogitated,
regurgitated, rebuilt, castigated, and reinvigorated over the last
decade, by a cast of hundreds if not thousands.
Repeatedly.We wish to thank every one of the people responsible, and we
encourage you to to join them
in making this FAQ even better.
&bibliography;
diff --git a/en_US.ISO8859-1/books/fdp-primer/the-website/chapter.sgml b/en_US.ISO8859-1/books/fdp-primer/the-website/chapter.sgml
index c6b2af3cfa..bfef1cb72a 100644
--- a/en_US.ISO8859-1/books/fdp-primer/the-website/chapter.sgml
+++ b/en_US.ISO8859-1/books/fdp-primer/the-website/chapter.sgml
@@ -1,390 +1,390 @@
The WebsitePreparationUse a disk with sufficient free space. You may need anything from
200 MB to over 500 MB, depending on the method you choose.
This space will hold the SGML tools, a subset of the
CVS tree, temporary build space and the
installed web pages.Make sure your documentation ports are up to date! When in
doubt, remove the old ports using &man.pkg.delete.1; command before
installing the port. For example, we currently depend on
jade-1.2 and if you have installed jade-1.1, please do:&prompt.root; pkg_delete jade-1.1There are two methods to get the files required for the website
build:Use csup to get a local copy of the files
from a CVSup server. This is the
easiest method, and does not require installation of additional
software. The supfile presented in the next section will always
checkout the latest version of the required files. This is
sufficient if you are simply rebuilding the website and do not
intend to commit any changes.&man.csup.1; became part of the base system in
&os; 6.2-RELEASE. If you are using an earlier version of &os;
- you will need to install net/csup
+ you will need to install net/csup
from the Ports Collection.Use cvsup in cvs mode to
create and maintain a local CVS
repository with the required files. This will require you to
install a program like
net/cvsup-without-gui, but it is
a more flexible method if you need to have quick access to different
revisions of the doc/www files, revision histories, or if you
intend to commit changes to the central &os;
CVS repository.Simple method: Using csupThe csup command is part of the base system and
already used extensively by most people for updating the
Ports Collection. The following sample supfile can be used to
obtain a checkout of the files required for the website build:#
# This file checks out all collections required to rebuild
# the FreeBSD website
#
# Use the nearest CVSup mirror
# listed at http://www.freebsd.org/doc/handbook/mirrors.html.
*default host=cvsup10.FreeBSD.org
*default base=/var/db
*default prefix=/usr/build
*default release=cvs tag=.
*default delete use-rel-suffix
*default compress
# This will retrieve the entire doc branch of the FreeBSD repository.
doc-all
# This will retrieve the files required for the website
www
# This will retrieve some basic ports info required for the build
ports-baseYou should, of course, change the default host
entry to a CVSup mirror near your
location, and the default prefix entry to the
location where you intend to store the checked out files. Save this
file as e.g.
doc-www-supfile, and
then execute the following command:&prompt.root; csupdoc-www-supfileWhen this command finishes, you will find the directories
doc/,
www/ and
ports/ under the directory you
specified in default prefix
(/usr/build
in our example). We will use this same directory for the build
process itself, so it would be better to use a filesystem with
sufficient free space.That's it! You can now proceed with the
website build.Advanced method: Maintaining a local
CVS doc/www repositoryThis method will give you more advanced options, but will require
you to install the
- net/cvsup-without-gui port or
+ net/cvsup-without-gui port or
package.
- The net/cvsup-without-gui
+ The net/cvsup-without-gui
port has a build dependency on
- lang/ezm3, a Modula 3
+ lang/ezm3, a Modula 3
compiler. This compiler takes quite some time to build, and since
most people will not need it for anything else, it is perhaps best
to use a package to install CVSup.The CVSup utility has a special
cvs mode that allows the retrieval of the
,v files that make up a CVS
repository. This function is not currently available in
csup. For detailed information on
CVSup, please read the CVSup introduction in the &os; Handbook.The supfile shown below will fetch the cvs collections required
for the website build, and create a local
CVS repository:#
# This file will create a local CVS repository
# with the collections required for a complete
# FreeBSD website rebuild. It should be used with
# cvsup *only* (csup will not work)
*default host=cvsup10.FreeBSD.org
*default base=/var/db
*default prefix=/usr/dcvs
*default release=cvs
*default delete use-rel-suffix
*default compress
# The following collections are needed
# for the website build
ports-base
doc-all
www
# These collections are needed
# for CVS functionality
cvsroot-common
cvsroot-ports
cvsroot-docYou should, of course, change the default host
entry to a CVSup mirror near your
location, and the default prefix entry to the
location where you intend to store the repository files. Save this
file as e.g.
doc-www-cvsfile, and
then execute the following command:&prompt.root; cvsupdoc-www-cvsfileIt is also advisable to set the CVSROOT environment
variable in your shell's startup files. For example, use
the following entry in your ~/.cshrc file:setenv CVSROOT/usr/dcvsIf you set this variable, you may omit the
argument (shown below) when performing repository operations using
the cvs command.Currently, you will need more than 400 MB of free space to
host the repository files. An additional 200 MB will be needed
for the temporary build space. Once the cvsup
command completes, you are ready to check out the files to your build
directory:&prompt.root; mkdir/usr/build
&prompt.root; cd/usr/build
&prompt.root; cvs/usr/dcvs co doc www portsThe above command is consistent with the way
csup checks out the files from the
CVSup servers. When it completes, you
will have a build directory with similar contents to the one used in
the simple csup method.You can continue to use the cvsup command
shown above, to update your local CVS
repository on a regular basis. After the initial somewhat lengthy
download, regular updates will only take a few minutes.Build the web pages from scratchHaving completed either of the two methods, you will be ready to
start the website build. In our example, the build directory is
/usr/build
and all the required files are already in place.Change into the build directory:&prompt.root; cd/usr/buildThe website build starts from the
www/en directory by executing
the &man.make.1; all target, to create
the web pages.&prompt.root; cd www/en
&prompt.root; makeallInstall the web pages into your web serverIf you have moved out of the
en directory, change back to
it.&prompt.root; cd/usr/build/www/enRun the &man.make.1; install target,
setting the DESTDIR variable to the name of the
directory you want to install the files to.&prompt.root; envDESTDIR=/usr/local/wwwmakeinstallIf you have previously installed the web pages into the same
directory the install process will not have deleted any old or
outdated pages. For example, if you build and install a new copy
of the site every day, this command will find and delete all
files that have not been updated in three days.&prompt.root; find/usr/local/www 3 | xargsrmEnvironment variablesCVSROOTLocation of the CVS tree. We suggest you set this
variable, if you use the CVSup
method:&prompt.root; CVSROOT=/usr/dcvs; exportCVSROOTCVSROOT is an environment variable. You must
set it on the command line or in your dot files
(e.g., ~/.profile). The exact syntax will
differ depending on your shell (the above example is for
bash and bash-like shells).ENGLISH_ONLYIf set and not empty, the makefiles will build and
install only the English documents. All translations will be
ignored. E.g.:&prompt.root; makeENGLISH_ONLY=YESallinstallIf you want to unset the variable
ENGLISH_ONLY and build all pages, including
translations, set the variable ENGLISH_ONLY
to an empty value:&prompt.root; makeENGLISH_ONLY=""allinstallcleanWEB_ONLYIf set and not empty, the makefiles will build and install
only the HTML pages from the www directory. All documents from
the doc directory (Handbook,
FAQ, Tutorials) will be ignored. E.g.:&prompt.root; makeWEB_ONLY=YESallinstallNOPORTSCVSIf set, the makefiles will not checkout files from the ports
cvs repository. Instead, it will copy the files from
/usr/ports (or where the
variable PORTSBASE points to).WEB_ONLY, ENGLISH_ONLY and
NOPORTSCVS are make variables. You can set the
variables in /etc/make.conf,
Makefile.inc, as environment variables on the
command line, or in your dot files.
diff --git a/en_US.ISO8859-1/books/handbook/advanced-networking/chapter.sgml b/en_US.ISO8859-1/books/handbook/advanced-networking/chapter.sgml
index 708b1c5a46..5b1f404fac 100644
--- a/en_US.ISO8859-1/books/handbook/advanced-networking/chapter.sgml
+++ b/en_US.ISO8859-1/books/handbook/advanced-networking/chapter.sgml
@@ -1,5626 +1,5626 @@
Advanced NetworkingSynopsisThis chapter will cover a number of advanced networking
topics.After reading this chapter, you will know:The basics of gateways and routes.How to set up IEEE 802.11 and &bluetooth; devices.How to make FreeBSD act as a bridge.How to set up network booting on a diskless machine.How to set up network address translation.How to connect two computers via PLIP.How to set up IPv6 on a FreeBSD machine.How to configure ATM.How to enable and utilize the features of CARP, the
Common Access Redundancy Protocol in &os;Before reading this chapter, you should:Understand the basics of the /etc/rc scripts.Be familiar with basic network terminology.Know how to configure and install a new FreeBSD kernel
().Know how to install additional third-party
software ().CoranthGryphonContributed by Gateways and RoutesroutinggatewaysubnetFor one machine to be able to find another over a network,
there must be a mechanism in place to describe how to get from
one to the other. This is called
routing. A route is a
defined pair of addresses: a destination and a
gateway. The pair indicates that if you are
trying to get to this destination,
communicate through this gateway. There
are three types of destinations: individual hosts, subnets, and
default. The default route is
used if none of the other routes apply. We will talk a little
bit more about default routes later on. There are also three
types of gateways: individual hosts, interfaces (also called
links), and Ethernet hardware addresses (MAC
addresses).
An ExampleTo illustrate different aspects of routing, we will use the
following example from netstat:&prompt.user; netstat -r
Routing tables
Destination Gateway Flags Refs Use Netif Expire
default outside-gw UGSc 37 418 ppp0
localhost localhost UH 0 181 lo0
test0 0:e0:b5:36:cf:4f UHLW 5 63288 ed0 77
10.20.30.255 link#1 UHLW 1 2421
example.com link#1 UC 0 0
host1 0:e0:a8:37:8:1e UHLW 3 4601 lo0
host2 0:e0:a8:37:8:1e UHLW 0 5 lo0 =>
host2.example.com link#1 UC 0 0
224 link#1 UC 0 0default routeThe first two lines specify the default route (which we
will cover in the next
section) and the localhost route.loopback deviceThe interface (Netif column) that this
routing table specifies to use for
localhost is lo0,
also known as the loopback device. This says to keep all
traffic for this destination internal, rather than sending it
out over the LAN, since it will only end up back where it
started.EthernetMAC addressThe next thing that stands out are the addresses beginning
with 0:e0:. These are Ethernet
hardware addresses, which are also known as MAC addresses.
FreeBSD will automatically identify any hosts
(test0 in the example) on the local Ethernet
and add a route for that host, directly to it over the
Ethernet interface, ed0. There is
also a timeout (Expire column) associated
with this type of route, which is used if we fail to hear from
the host in a specific amount of time. When this happens, the
route to this host will be automatically deleted. These hosts
are identified using a mechanism known as RIP (Routing
Information Protocol), which figures out routes to local hosts
based upon a shortest path determination.subnetFreeBSD will also add subnet routes for the local subnet (10.20.30.255 is the broadcast address for the
subnet 10.20.30, and example.com is the domain name associated
with that subnet). The designation link#1 refers
to the first Ethernet card in the machine. You will notice no
additional interface is specified for those.Both of these groups (local network hosts and local subnets) have
their routes automatically configured by a daemon called
routed. If this is not run, then only
routes which are statically defined (i.e. entered explicitly) will
exist.The host1 line refers to our host, which it
knows by Ethernet address. Since we are the sending host, FreeBSD
knows to use the loopback interface (lo0)
rather than sending it out over the Ethernet interface.The two host2 lines are an example of
what happens when we use an &man.ifconfig.8; alias (see the
section on Ethernet for reasons why we would do this). The
=> symbol after the
lo0 interface says that not only are
we using the loopback (since this address also refers to the
local host), but specifically it is an alias. Such routes
only show up on the host that supports the alias; all other
hosts on the local network will simply have a
link#1 line for such routes.The final line (destination subnet 224) deals
with multicasting, which will be covered in another section.Finally, various attributes of each route can be seen in
the Flags column. Below is a short table
of some of these flags and their meanings:UUp: The route is active.HHost: The route destination is a single host.GGateway: Send anything for this destination on to this
remote system, which will figure out from there where to send
it.SStatic: This route was configured manually, not
automatically generated by the system.CClone: Generates a new route based upon this route for
machines we connect to. This type of route is normally used
for local networks.WWasCloned: Indicated a route that was auto-configured
based upon a local area network (Clone) route.LLink: Route involves references to Ethernet
hardware.Default Routesdefault routeWhen the local system needs to make a connection to a remote host,
it checks the routing table to determine if a known path exists. If
the remote host falls into a subnet that we know how to reach (Cloned
routes), then the system checks to see if it can connect along that
interface.If all known paths fail, the system has one last option: the
default route. This route is a special type of gateway
route (usually the only one present in the system), and is always
marked with a c in the flags field. For hosts on a
local area network, this gateway is set to whatever machine has a
direct connection to the outside world (whether via PPP link,
DSL, cable modem, T1, or another network interface).If you are configuring the default route for a machine which
itself is functioning as the gateway to the outside world, then the
default route will be the gateway machine at your Internet Service
Provider's (ISP) site.Let us look at an example of default routes. This is a common
configuration:
[Local2] <--ether--> [Local1] <--PPP--> [ISP-Serv] <--ether--> [T1-GW]
The hosts Local1 and
Local2 are at your site.
Local1 is connected to an ISP via a dial up
PPP connection. This PPP server computer is connected through
a local area network to another gateway computer through an
external interface to the ISPs Internet feed.The default routes for each of your machines will be:HostDefault GatewayInterfaceLocal2Local1EthernetLocal1T1-GWPPPA common question is Why (or how) would we set
the T1-GW to be the default gateway for
Local1, rather than the ISP server it is
connected to?.Remember, since the PPP interface is using an address on the ISP's
local network for your side of the connection, routes for any other
machines on the ISP's local network will be automatically generated.
Hence, you will already know how to reach the T1-GW
machine, so there is no need for the intermediate step
of sending traffic to the ISP server.It is common to use the address X.X.X.1 as the gateway address for your local
network. So (using the same example), if your local class-C address
space was 10.20.30 and your ISP was
using 10.9.9 then the default routes
would be:HostDefault RouteLocal2 (10.20.30.2)Local1 (10.20.30.1)Local1 (10.20.30.1, 10.9.9.30)T1-GW (10.9.9.1)You can easily define the default route via the
/etc/rc.conf file. In our example, on the
Local2 machine, we added the following line
in /etc/rc.conf:defaultrouter="10.20.30.1"It is also possible to do it directly from the command
line with the &man.route.8; command:&prompt.root; route add default 10.20.30.1For more information on manual manipulation of network
routing tables, consult &man.route.8; manual page.Dual Homed Hostsdual homed hostsThere is one other type of configuration that we should cover, and
that is a host that sits on two different networks. Technically, any
machine functioning as a gateway (in the example above, using a PPP
connection) counts as a dual-homed host. But the term is really only
used to refer to a machine that sits on two local-area
networks.In one case, the machine has two Ethernet cards, each
having an address on the separate subnets. Alternately, the
machine may only have one Ethernet card, and be using
&man.ifconfig.8; aliasing. The former is used if two
physically separate Ethernet networks are in use, the latter
if there is one physical network segment, but two logically
separate subnets.Either way, routing tables are set up so that each subnet knows
that this machine is the defined gateway (inbound route) to the other
subnet. This configuration, with the machine acting as a router
between the two subnets, is often used when we need to implement
packet filtering or firewall security in either or both
directions.If you want this machine to actually forward packets
between the two interfaces, you need to tell FreeBSD to enable
this ability. See the next section for more details on how
to do this.Building a RouterrouterA network router is simply a system that forwards packets
from one interface to another. Internet standards and good
engineering practice prevent the FreeBSD Project from enabling
this by default in FreeBSD. You can enable this feature by
changing the following variable to YES in
&man.rc.conf.5;:gateway_enable=YES # Set to YES if this host will be a gatewayThis option will set the &man.sysctl.8; variable
net.inet.ip.forwarding to
1. If you should need to stop routing
temporarily, you can reset this to 0 temporarily.Your new router will need routes to know where to send the
traffic. If your network is simple enough you can use static
routes. FreeBSD also comes with the standard BSD routing
daemon &man.routed.8;, which speaks RIP (both version 1 and
version 2) and IRDP. Support for BGP v4, OSPF v2, and other
sophisticated routing protocols is available with the
net/zebra package.
Commercial products such as &gated; are also available for more
complex network routing solutions.BGPRIPOSPFAlHoangContributed by Setting Up Static RoutesManual ConfigurationLet us assume we have a network as follows:
INTERNET
| (10.0.0.1/24) Default Router to Internet
|
|Interface xl0
|10.0.0.10/24
+------+
| | RouterA
| | (FreeBSD gateway)
+------+
| Interface xl1
| 192.168.1.1/24
|
+--------------------------------+
Internal Net 1 | 192.168.1.2/24
|
+------+
| | RouterB
| |
+------+
| 192.168.2.1/24
|
Internal Net 2
In this scenario, RouterA is our &os;
machine that is acting as a router to the rest of the
Internet. It has a default route set to 10.0.0.1 which allows it to connect
with the outside world. We will assume that
RouterB is already configured properly and
knows how to get wherever it needs to go. (This is simple
in this picture. Just add a default route on
RouterB using 192.168.1.1 as the gateway.)If we look at the routing table for
RouterA we would see something like the
following:&prompt.user; netstat -nr
Routing tables
Internet:
Destination Gateway Flags Refs Use Netif Expire
default 10.0.0.1 UGS 0 49378 xl0
127.0.0.1 127.0.0.1 UH 0 6 lo0
10.0.0/24 link#1 UC 0 0 xl0
192.168.1/24 link#2 UC 0 0 xl1With the current routing table RouterA
will not be able to reach our Internal Net 2. It does not
have a route for 192.168.2.0/24. One way to alleviate
this is to manually add the route. The following command
would add the Internal Net 2 network to
RouterA's routing table using 192.168.1.2 as the next hop:&prompt.root; route add -net 192.168.2.0/24 192.168.1.2Now RouterA can reach any hosts on the
192.168.2.0/24
network.Persistent ConfigurationThe above example is perfect for configuring a static
route on a running system. However, one problem is that the
routing information will not persist if you reboot your &os;
machine. The way to handle the addition of a static route
is to put it in your /etc/rc.conf
file:# Add Internal Net 2 as a static route
static_routes="internalnet2"
route_internalnet2="-net 192.168.2.0/24 192.168.1.2"The static_routes configuration
variable is a list of strings separated by a space. Each
string references to a route name. In our above example we
only have one string in static_routes.
This string is internalnet2. We
then add a configuration variable called
route_internalnet2
where we put all of the configuration parameters we would
give to the &man.route.8; command. For our example above we
would have used the command:&prompt.root; route add -net 192.168.2.0/24 192.168.1.2so we need "-net 192.168.2.0/24 192.168.1.2".As said above, we can have more than one string in
static_routes. This allows us to
create multiple static routes. The following lines shows
an example of adding static routes for the 192.168.0.0/24 and 192.168.1.0/24 networks on an imaginary
router:static_routes="net1 net2"
route_net1="-net 192.168.0.0/24 192.168.0.1"
route_net2="-net 192.168.1.0/24 192.168.1.1"Routing Propagationrouting propagationWe have already talked about how we define our routes to the
outside world, but not about how the outside world finds us.We already know that routing tables can be set up so that all
traffic for a particular address space (in our examples, a class-C
subnet) can be sent to a particular host on that network, which will
forward the packets inbound.When you get an address space assigned to your site, your service
provider will set up their routing tables so that all traffic for your
subnet will be sent down your PPP link to your site. But how do sites
across the country know to send to your ISP?There is a system (much like the distributed DNS information) that
keeps track of all assigned address-spaces, and defines their point of
connection to the Internet Backbone. The Backbone are
the main trunk lines that carry Internet traffic across the country,
and around the world. Each backbone machine has a copy of a master
set of tables, which direct traffic for a particular network to a
specific backbone carrier, and from there down the chain of service
providers until it reaches your network.It is the task of your service provider to advertise to the
backbone sites that they are the point of connection (and thus the
path inward) for your site. This is known as route
propagation.TroubleshootingtracerouteSometimes, there is a problem with routing propagation, and some
sites are unable to connect to you. Perhaps the most useful command
for trying to figure out where routing is breaking down is the
&man.traceroute.8; command. It is equally useful if you cannot seem
to make a connection to a remote machine (i.e. &man.ping.8;
fails).The &man.traceroute.8; command is run with the name of the remote
host you are trying to connect to. It will show the gateway hosts
along the path of the attempt, eventually either reaching the target
host, or terminating because of a lack of connection.For more information, see the manual page for
&man.traceroute.8;.Multicast Routingmulticast routingkernel optionsMROUTINGFreeBSD supports both multicast applications and multicast
routing natively. Multicast applications do not require any
special configuration of FreeBSD; applications will generally
run out of the box. Multicast routing
requires that support be compiled into the kernel:options MROUTINGIn addition, the multicast routing daemon, &man.mrouted.8;
must be configured to set up tunnels and DVMRP via
/etc/mrouted.conf. More details on
multicast configuration may be found in the manual page for
&man.mrouted.8;.As of &os; 7.0 the &man.mrouted.8; multicast routing daemon
has been removed from the base system. It implements the
DVMRP multicast routing protocol, which has
largely been replaced by &man.pim.4; in many multicast
installations. The related &man.map-mbone.8; and
&man.mrinfo.8; utilities have also been removed. These programs
are now available in the &os; Ports Collection as
- net/mrouted.
+ net/mrouted.
LoaderMarcFonvieilleMurrayStokelyWireless Networkingwireless networking802.11wireless networkingWireless Networking BasicsMost wireless networks are based on the IEEE 802.11
standards. A basic wireless network consists of multiple
stations communicating with radios that broadcast in either
the 2.4GHz or 5GHz band (though this varies according to the
locale and is also changing to enable communication in the
2.3GHz and 4.9GHz ranges).802.11 networks are organized in two ways: in
infrastructure mode one station acts as a
master with all the other stations associating to it; the
network is known as a BSS and the master station is termed an
access point (AP). In a BSS all communication passes through
the AP; even when one station wants to communicate with
another wireless station messages must go through the AP. In
the second form of network there is no master and stations
communicate directly. This form of network is termed an IBSS
and is commonly known as an ad-hoc
network.802.11 networks were first deployed in the 2.4GHz band
using protocols defined by the IEEE 802.11 and 802.11b
standard. These specifications include the operating
frequencies, MAC layer characteristics including framing and
transmission rates (communication can be done at various
rates). Later the 802.11a standard defined operation in the
5GHz band, including different signalling mechanisms and
higher transmission rates. Still later the 802.11g standard
was defined to enable use of 802.11a signalling and
transmission mechanisms in the 2.4GHz band in such a way as to
be backwards compatible with 802.11b networks.Separate from the underlying transmission techniques
802.11 networks have a variety of security mechanisms. The
original 802.11 specifications defined a simple security
protocol called WEP. This protocol uses a fixed pre-shared key
and the RC4 cryptographic cipher to encode data transmitted on
a network. Stations must all agree on the fixed key in order
to communicate. This scheme was shown to be easily broken and
is now rarely used except to discourage transient users from
joining networks. Current security practice is given by the
IEEE 802.11i specification that defines new cryptographic
ciphers and an additional protocol to authenticate stations to
an access point and exchange keys for doing data
communication. Further, cryptographic keys are periodically
refreshed and there are mechanisms for detecting intrusion
attempts (and for countering intrusion attempts). Another
security protocol specification commonly used in wireless
networks is termed WPA. This was a precursor to 802.11i
defined by an industry group as an interim measure while
waiting for 802.11i to be ratified. WPA specifies a subset of
the requirements found in 802.11i and is designed for
implementation on legacy hardware. Specifically WPA requires
only the TKIP cipher that is derived from the original WEP
cipher. 802.11i permits use of TKIP but also requires support
for a stronger cipher, AES-CCM, for encrypting data. (The AES
cipher was not required in WPA because it was deemed too
computationally costly to be implemented on legacy
hardware.)Other than the above protocol standards the other
important standard to be aware of is 802.11e. This defines
protocols for deploying multi-media applications such as
streaming video and voice over IP (VoIP) in an 802.11 network.
Like 802.11i, 802.11e also has a precursor specification
termed WME (later renamed WMM) that has been defined by an
industry group as a subset of 802.11e that can be deployed now
to enable multi-media applications while waiting for the final
ratification of 802.11e. The most important thing to know
about 802.11e and WME/WMM is that it enables prioritized
traffic use of a wireless network through Quality of Service
(QoS) protocols and enhanced media access protocols. Proper
implementation of these protocols enable high speed bursting
of data and prioritized traffic flow.Since the 6.0 version, &os; supports networks that operate
using 802.11a, 802.11b, and 802.11g. The WPA and 802.11i
security protocols are likewise supported (in conjunction with
any of 11a, 11b, and 11g) and QoS and traffic prioritization
required by the WME/WMM protocols are supported for a limited
set of wireless devices.Basic SetupKernel ConfigurationTo use wireless networking you need a wireless
networking card and to configure the kernel with the
appropriate wireless networking support. The latter is
separated into multiple modules so that you only need to
configure the software you are actually going to use.The first thing you need is a wireless device. The most
commonly used devices are those that use parts made by
Atheros. These devices are supported by the &man.ath.4;
driver and require the following line to be added to the
/boot/loader.conf file:if_ath_load="YES"The Atheros driver is split up into three separate
pieces: the driver proper (&man.ath.4;), the hardware
support layer that handles chip-specific functions
(&man.ath.hal.4;), and an algorithm for selecting which of
several possible rates for transmitting frames
(ath_rate_sample here). When you load this support as
modules these dependencies are automatically handled for
you. If instead of an Atheros device you had another device
you would select the module for that device; e.g.:if_wi_load="YES"for devices based on the Intersil Prism parts
(&man.wi.4; driver).In the rest of this document, we will use an
&man.ath.4; device, the device name in the examples must
be changed according to your configuration. A list of
available wireless drivers can be found at the beginning
of the &man.wlan.4; manual page. If a native &os; driver
for your wireless device does not exist, it may be
possible to directly use the &windows; driver with the
help of the NDIS driver
wrapper.With a device driver configured you need to also bring
in the 802.11 networking support required by the driver.
For the &man.ath.4; driver this is at least the &man.wlan.4;
module; this module is automatically loaded with the
wireless device driver. With that you will need the modules
that implement cryptographic support for the security
protocols you intend to use. These are intended to be
dynamically loaded on demand by the &man.wlan.4; module but
for now they must be manually configured. The following
modules are available: &man.wlan.wep.4;, &man.wlan.ccmp.4;
and &man.wlan.tkip.4;. Both &man.wlan.ccmp.4; and
&man.wlan.tkip.4; drivers are only needed if you intend to
use the WPA and/or 802.11i security protocols. If your
network is to run totally open (i.e., with no encryption)
then you do not even need the &man.wlan.wep.4; support. To
load these modules at boot time, add the following lines to
/boot/loader.conf:wlan_wep_load="YES"
wlan_ccmp_load="YES"
wlan_tkip_load="YES"With this information in the system bootstrap
configuration file (i.e.,
/boot/loader.conf), you have to reboot
your &os; box. If you do not want to reboot your machine
for the moment, you can just load the modules by hand using
&man.kldload.8;.If you do not want to use modules, it is possible to
compile these drivers into the kernel by adding the
following lines to your kernel configuration file:device ath # Atheros IEEE 802.11 wireless network driver
device ath_hal # Atheros Hardware Access Layer
device ath_rate_sample # John Bicket's SampleRate control algorithm.
device wlan # 802.11 support (Required)
device wlan_wep # WEP crypto support for 802.11 devices
device wlan_ccmp # AES-CCMP crypto support for 802.11 devices
device wlan_tkip # TKIP and Michael crypto support for 802.11 devicesWith this information in the kernel configuration
file, recompile the kernel and reboot your &os;
machine.When the system is up, we could find some information
about the wireless device in the boot messages, like
this:ath0: <Atheros 5212> mem 0xff9f0000-0xff9fffff irq 17 at device 2.0 on pci2
ath0: Ethernet address: 00:11:95:d5:43:62
ath0: mac 7.9 phy 4.5 radio 5.6Infrastructure ModeThe infrastructure mode or BSS mode is the mode that is
typically used. In this mode, a number of wireless access
points are connected to a wired network. Each wireless
network has its own name, this name is called the SSID of the
network. Wireless clients connect to the wireless access
points.&os; ClientsHow to Find Access PointsTo scan for networks, use the
ifconfig command. This request may
take a few moments to complete as it requires that the
system switches to each available wireless frequency and
probes for available access points. Only the super-user
can initiate such a scan:&prompt.root; ifconfig ath0 up scan
SSID BSSID CHAN RATE S:N INT CAPS
dlinkap 00:13:46:49:41:76 6 54M 29:3 100 EPS WPA WME
freebsdap 00:11:95:c3:0d:ac 1 54M 22:1 100 EPS WPAYou must mark the interface
before you can scan. Subsequent scan requests do not
require you to mark the interface up again.The output of a scan request lists each BSS/IBSS
network found. Beside the name of the network,
SSID, we find the
BSSID which is the MAC address of the
access point. The CAPS field
identifies the type of each network and the capabilities
of the stations operating there:EExtended Service Set (ESS). Indicates that the
station is part of an infrastructure network (in
contrast to an IBSS/ad-hoc network).IIBSS/ad-hoc network. Indicates that the station
is part of an ad-hoc network (in contrast to an ESS
network).PPrivacy. Data confidentiality is required for
all data frames exchanged within the BSS. This means
that this BSS requires the station to use
cryptographic means such as WEP, TKIP or AES-CCMP to
encrypt/decrypt data frames being exchanged with
others.SShort Preamble. Indicates that the network is
using short preambles (defined in 802.11b High
Rate/DSSS PHY, short preamble utilizes a 56 bit sync
field in contrast to a 128 bit field used in long
preamble mode).sShort slot time. Indicates that the 802.11g
network is using a short slot time because there are
no legacy (802.11b) stations present.One can also display the current list of known
networks with:&prompt.root; ifconfig ath0 list scanThis information may be updated automatically by the
adapter or manually with a request.
Old data is automatically removed from the cache, so over
time this list may shrink unless more scans are
done.Basic SettingsThis section provides a simple example of how to make
the wireless network adapter work in &os; without
encryption. After you are familiar with these concepts,
we strongly recommend using WPA to set up your
wireless network.There are three basic steps to configure a wireless
network: selecting an access point, authenticating your
station, and configuring an IP address. The following
sections discuss each step.Selecting an Access PointMost of time it is sufficient to let the system
choose an access point using the builtin heuristics.
This is the default behaviour when you mark an interface
up or otherwise configure an interface by listing it in
/etc/rc.conf, e.g.:ifconfig_ath0="DHCP"If there are multiple access points and you want to
select a specific one, you can select it by its
SSID:ifconfig_ath0="ssid your_ssid_here DHCP"In an environment where there are multiple access
points with the same SSID (often done to simplify
roaming) it may be necessary to associate to one
specific device. In this case you can also specify the
BSSID of the access point (you can also leave off the
SSID):ifconfig_ath0="ssid your_ssid_here bssid xx:xx:xx:xx:xx:xx DHCP"There are other ways to constrain the choice of an
access point such as limiting the set of frequencies the
system will scan on. This may be useful if you have a
multi-band wireless card as scanning all the possible
channels can be time-consuming. To limit operation to a
specific band you can use the
parameter; e.g.:ifconfig_ath0="mode 11g ssid your_ssid_here DHCP"will force the card to operate in 802.11g which is
defined only for 2.4GHz frequencies so any 5GHz channels
will not be considered. Other ways to do this are the
parameter, to lock operation to
one specific frequency, and the
parameter, to specify a list
of channels for scanning. More information about these
parameters can be found in the &man.ifconfig.8; manual
page.AuthenticationOnce you have selected an access point your station
needs to authenticate before it can pass data.
Authentication can happen in several ways. The most
common scheme used is termed open authentication and
allows any station to join the network and communicate.
This is the authentication you should use for test
purpose the first time you set up a wireless network.
Other schemes require cryptographic handshakes be
completed before data traffic can flow; either using
pre-shared keys or secrets, or more complex schemes that
involve backend services such as RADIUS. Most users
will use open authentication which is the default
setting. Next most common setup is WPA-PSK, also known
as WPA Personal, which is described below.If you have an &apple; &airport; Extreme base
station for an access point you may need to configure
shared-key authentication together with a WEP key.
This can be done in the
/etc/rc.conf file or using the
&man.wpa.supplicant.8; program. If you have a single
&airport; base station you can setup access with
something like:ifconfig_ath0="authmode shared wepmode on weptxkey 1 wepkey 01234567 DHCP"In general shared key authentication is to be
avoided because it uses the WEP key material in a
highly-constrained manner making it even easier to
crack the key. If WEP must be used (e.g., for
compatibility with legacy devices) it is better to use
WEP with open authentication. More
information regarding WEP can be found in the .Getting an IP Address with DHCPOnce you have selected an access point and set the
authentication parameters, you will have to get an IP
address to communicate. Most of time you will obtain
your wireless IP address via DHCP. To achieve that,
simply edit /etc/rc.conf and add
DHCP to the configuration for your
device as shown in various examples above:ifconfig_ath0="DHCP"At this point, you are ready to bring up the
wireless interface:&prompt.root; /etc/rc.d/netif startOnce the interface is running, use
ifconfig to see the status of the
interface ath0:&prompt.root; ifconfig ath0
ath0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet6 fe80::211:95ff:fed5:4362%ath0 prefixlen 64 scopeid 0x1
inet 192.168.1.100 netmask 0xffffff00 broadcast 192.168.1.255
ether 00:11:95:d5:43:62
media: IEEE 802.11 Wireless Ethernet autoselect (OFDM/54Mbps)
status: associated
ssid dlinkap channel 6 bssid 00:13:46:49:41:76
authmode OPEN privacy OFF txpowmax 36 protmode CTS bintval 100The status: associated means you
are connected to the wireless network (to the
dlinkap network in our case). The
bssid 00:13:46:49:41:76 part is the
MAC address of your access point; the
authmode line informs you that the
communication is not encrypted
(OPEN).Static IP AddressIn the case you cannot obtain an IP address from a
DHCP server, you can set a fixed IP address. Replace
the DHCP keyword shown above with the
address information. Be sure to retain any other
parameters you have set up for selecting an access
point:ifconfig_ath0="ssid your_ssid_here inet 192.168.1.100 netmask 255.255.255.0"WPAWPA (Wi-Fi Protected Access) is a security protocol
used together with 802.11 networks to address the lack of
proper authentication and the weakness of WEP. WPA leverages
the 802.1X authentication protocol and uses one of several
ciphers instead of WEP for data integrity. The only
cipher required by WPA is TKIP (Temporary Key Integrity
Protocol) which is a cipher that extends the basic RC4
cipher used by WEP by adding integrity checking, tamper
detection, and measures for responding to any detected
intrusions. TKIP is designed to work on legacy hardware
with only software modification; it represents a
compromise that improves security but is still not
entirely immune to attack. WPA also specifies the
AES-CCMP cipher as an alternative to TKIP and that is
preferred when possible; for this specification the term
WPA2 (or RSN) is commonly used.WPA defines authentication and encryption protocols.
Authentication is most commonly done using one of two
techniques: by 802.1X and a backend authentication service
such as RADIUS, or by a minimal handshake between the
station and the access point using a pre-shared secret.
The former is commonly termed WPA Enterprise with the
latter known as WPA Personal. Since most people will not
set up a RADIUS backend server for wireless network,
WPA-PSK is by far the most commonly encountered
configuration for WPA.The control of the wireless connection and the
authentication (key negotiation or authentication with a
server) is done with the &man.wpa.supplicant.8; utility.
This program requires a configuration file,
/etc/wpa_supplicant.conf, to run.
More information regarding this file can be found in the
&man.wpa.supplicant.conf.5; manual page.WPA-PSKWPA-PSK also known as WPA-Personal is based on a
pre-shared key (PSK) generated from a given password and
that will be used as the master key in the wireless
network. This means every wireless user will share the
same key. WPA-PSK is intended for small networks where
the use of an authentication server is not possible or
desired.Always use strong passwords that are
sufficiently long and made from a rich alphabet so
they will not be guessed and/or attacked.The first step is the configuration of the
/etc/wpa_supplicant.conf file with
the SSID and the pre-shared key of your network:network={
ssid="freebsdap"
psk="freebsdmall"
}Then, in /etc/rc.conf, we
indicate that the wireless device configuration will be
done with WPA and the IP address will be obtained with
DHCP:ifconfig_ath0="WPA DHCP"Then, we can bring up the interface:&prompt.root; /etc/rc.d/netif start
Starting wpa_supplicant.
DHCPDISCOVER on ath0 to 255.255.255.255 port 67 interval 5
DHCPDISCOVER on ath0 to 255.255.255.255 port 67 interval 6
DHCPOFFER from 192.168.0.1
DHCPREQUEST on ath0 to 255.255.255.255 port 67
DHCPACK from 192.168.0.1
bound to 192.168.0.254 -- renewal in 300 seconds.
ath0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet6 fe80::211:95ff:fed5:4362%ath0 prefixlen 64 scopeid 0x1
inet 192.168.0.254 netmask 0xffffff00 broadcast 192.168.0.255
ether 00:11:95:d5:43:62
media: IEEE 802.11 Wireless Ethernet autoselect (OFDM/36Mbps)
status: associated
ssid freebsdap channel 1 bssid 00:11:95:c3:0d:ac
authmode WPA privacy ON deftxkey UNDEF TKIP 2:128-bit txpowmax 36
protmode CTS roaming MANUAL bintval 100Or you can try to configure it manually using the
same /etc/wpa_supplicant.conf above, and
run:&prompt.root; wpa_supplicant -i ath0 -c /etc/wpa_supplicant.conf
Trying to associate with 00:11:95:c3:0d:ac (SSID='freebsdap' freq=2412 MHz)
Associated with 00:11:95:c3:0d:ac
WPA: Key negotiation completed with 00:11:95:c3:0d:ac [PTK=TKIP GTK=TKIP]The next operation is the launch of the
dhclient command to get the IP
address from the DHCP server:&prompt.root; dhclient ath0
DHCPREQUEST on ath0 to 255.255.255.255 port 67
DHCPACK from 192.168.0.1
bound to 192.168.0.254 -- renewal in 300 seconds.
&prompt.root; ifconfig ath0
ath0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet6 fe80::211:95ff:fed5:4362%ath0 prefixlen 64 scopeid 0x1
inet 192.168.0.254 netmask 0xffffff00 broadcast 192.168.0.255
ether 00:11:95:d5:43:62
media: IEEE 802.11 Wireless Ethernet autoselect (OFDM/48Mbps)
status: associated
ssid freebsdap channel 1 bssid 00:11:95:c3:0d:ac
authmode WPA privacy ON deftxkey UNDEF TKIP 2:128-bit txpowmax 36
protmode CTS roaming MANUAL bintval 100If the /etc/rc.conf is set up
with the line ifconfig_ath0="DHCP"
then it is no need to run the
dhclient command manually,
dhclient will be launched after
wpa_supplicant plumbs the
keys.In the case where the use of DHCP is not possible,
you can set a static IP address after
wpa_supplicant has authenticated the
station:&prompt.root; ifconfig ath0 inet 192.168.0.100 netmask 255.255.255.0
&prompt.root; ifconfig ath0
ath0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet6 fe80::211:95ff:fed5:4362%ath0 prefixlen 64 scopeid 0x1
inet 192.168.0.100 netmask 0xffffff00 broadcast 192.168.0.255
ether 00:11:95:d5:43:62
media: IEEE 802.11 Wireless Ethernet autoselect (OFDM/36Mbps)
status: associated
ssid freebsdap channel 1 bssid 00:11:95:c3:0d:ac
authmode WPA privacy ON deftxkey UNDEF TKIP 2:128-bit txpowmax 36
protmode CTS roaming MANUAL bintval 100When DHCP is not used, you also have to manually set
up the default gateway and the nameserver:&prompt.root; route add default your_default_router
&prompt.root; echo "nameserver your_DNS_server" >> /etc/resolv.confWPA with EAP-TLSThe second way to use WPA is with an 802.1X backend
authentication server, in this case WPA is called
WPA-Enterprise to make difference with the less secure
WPA-Personal with its pre-shared key. The
authentication in WPA-Enterprise is based on EAP
(Extensible Authentication Protocol).EAP does not come with an encryption method, it was
decided to embed EAP inside an encrypted tunnel. Many
types of EAP authentication methods have been designed,
the most common methods are EAP-TLS, EAP-TTLS and
EAP-PEAP.EAP-TLS (EAP with Transport Layer Security) is a
very well-supported authentication protocol in the
wireless world since it was the first EAP method to be
certified by the Wi-Fi alliance.
EAP-TLS will require three certificates to run: the CA
certificate (installed on all machines), the server
certificate for your authentication server, and one
client certificate for each wireless client. In this
EAP method, both authentication server and wireless
client authenticate each other in presenting their
respective certificates, and they verify that these
certificates were signed by your organization's
certificate authority (CA).As previously, the configuration is done via
/etc/wpa_supplicant.conf:network={
ssid="freebsdap"
proto=RSN
key_mgmt=WPA-EAP
eap=TLS
identity="loader"
ca_cert="/etc/certs/cacert.pem"
client_cert="/etc/certs/clientcert.pem"
private_key="/etc/certs/clientkey.pem"
private_key_passwd="freebsdmallclient"
}This field indicates the network name
(SSID).Here, we use RSN (IEEE 802.11i) protocol, i.e.,
WPA2.The key_mgmt line refers to
the key management protocol we use. In our case it
is WPA using EAP authentication:
WPA-EAP.In this field, we mention the EAP method for our
connection.The identity field contains
the identity string for EAP.The ca_cert field indicates
the pathname of the CA certificate file. This file
is needed to verify the server certificat.The client_cert line gives
the pathname to the client certificate file. This
certificate is unique to each wireless client of the
network.The private_key field is the
pathname to the client certificate private key
file.The private_key_passwd field
contains the passphrase for the private key.Then add the following line to
/etc/rc.conf:ifconfig_ath0="WPA DHCP"The next step is to bring up the interface with the
help of the rc.d facility:&prompt.root; /etc/rc.d/netif start
Starting wpa_supplicant.
DHCPREQUEST on ath0 to 255.255.255.255 port 67
DHCPREQUEST on ath0 to 255.255.255.255 port 67
DHCPACK from 192.168.0.20
bound to 192.168.0.254 -- renewal in 300 seconds.
ath0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet6 fe80::211:95ff:fed5:4362%ath0 prefixlen 64 scopeid 0x1
inet 192.168.0.254 netmask 0xffffff00 broadcast 192.168.0.255
ether 00:11:95:d5:43:62
media: IEEE 802.11 Wireless Ethernet autoselect (DS/11Mbps)
status: associated
ssid freebsdap channel 1 bssid 00:11:95:c3:0d:ac
authmode WPA2/802.11i privacy ON deftxkey UNDEF TKIP 2:128-bit
txpowmax 36 protmode CTS roaming MANUAL bintval 100As previously shown, it is also possible to bring up
the interface manually with both
wpa_supplicant and
ifconfig commands.WPA with EAP-TTLSWith EAP-TLS both the authentication server and the
client need a certificate, with EAP-TTLS (EAP-Tunneled
Transport Layer Security) a client certificate is
optional. This method is close to what some secure web
sites do , where the web server can create a secure SSL
tunnel even if the visitors do not have client-side
certificates. EAP-TTLS will use the encrypted TLS
tunnel for safe transport of the authentication
data.The configuration is done via the
/etc/wpa_supplicant.conf
file:network={
ssid="freebsdap"
proto=RSN
key_mgmt=WPA-EAP
eap=TTLS
identity="test"
password="test"
ca_cert="/etc/certs/cacert.pem"
phase2="auth=MD5"
}In this field, we mention the EAP method for our
connection.The identity field contains
the identity string for EAP authentication inside
the encrypted TLS tunnel.The password field contains
the passphrase for the EAP authentication.The ca_cert field indicates
the pathname of the CA certificate file. This file
is needed to verify the server certificat.In this field, we mention the authentication
method used in the encrypted TLS tunnel. In our
case, EAP with MD5-Challenge has been used. The
inner authentication phase is often
called phase2.You also have to add the following line to
/etc/rc.conf:ifconfig_ath0="WPA DHCP"The next step is to bring up the interface:&prompt.root; /etc/rc.d/netif start
Starting wpa_supplicant.
DHCPREQUEST on ath0 to 255.255.255.255 port 67
DHCPREQUEST on ath0 to 255.255.255.255 port 67
DHCPREQUEST on ath0 to 255.255.255.255 port 67
DHCPACK from 192.168.0.20
bound to 192.168.0.254 -- renewal in 300 seconds.
ath0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet6 fe80::211:95ff:fed5:4362%ath0 prefixlen 64 scopeid 0x1
inet 192.168.0.254 netmask 0xffffff00 broadcast 192.168.0.255
ether 00:11:95:d5:43:62
media: IEEE 802.11 Wireless Ethernet autoselect (DS/11Mbps)
status: associated
ssid freebsdap channel 1 bssid 00:11:95:c3:0d:ac
authmode WPA2/802.11i privacy ON deftxkey UNDEF TKIP 2:128-bit
txpowmax 36 protmode CTS roaming MANUAL bintval 100WPA with EAP-PEAPPEAP (Protected EAP) has been designed as an
alternative to EAP-TTLS. There are two types of PEAP
methods, the most common one is PEAPv0/EAP-MSCHAPv2. In
the rest of this document, we will use the PEAP term to
refer to that EAP method. PEAP is the most used EAP
standard after EAP-TLS, in other words if you have a
network with mixed OSes, PEAP should be the most
supported standard after EAP-TLS.PEAP is similar to EAP-TTLS: it uses a server-side
certificate to authenticate clients by creating an
encrypted TLS tunnel between the client and the
authentication server, which protects the ensuing
exchange of authentication information. In term of
security the difference between EAP-TTLS and PEAP is
that PEAP authentication broadcasts the username in
clear, only the password is sent in the encrypted TLS
tunnel. EAP-TTLS will use the TLS tunnel for both
username and password.We have to edit the
/etc/wpa_supplicant.conf file and
add the EAP-PEAP related settings:network={
ssid="freebsdap"
proto=RSN
key_mgmt=WPA-EAP
eap=PEAP
identity="test"
password="test"
ca_cert="/etc/certs/cacert.pem"
phase1="peaplabel=0"
phase2="auth=MSCHAPV2"
}In this field, we mention the EAP method for our
connection.The identity field contains
the identity string for EAP authentication inside
the encrypted TLS tunnel.The password field contains
the passphrase for the EAP authentication.The ca_cert field indicates
the pathname of the CA certificate file. This file
is needed to verify the server certificat.This field contains the parameters for the
first phase of the authentication (the TLS
tunnel). According to the authentication server
used, you will have to specify a specific label
for the authentication. Most of time, the label
will be client EAP encryption which
is set by using peaplabel=0.
More information can be found in the
&man.wpa.supplicant.conf.5; manual page.In this field, we mention the authentication
protocol used in the encrypted TLS tunnel. In the
case of PEAP, it is
auth=MSCHAPV2.The following must be added to
/etc/rc.conf:ifconfig_ath0="WPA DHCP"Then, we can bring up the interface:&prompt.root; /etc/rc.d/netif start
Starting wpa_supplicant.
DHCPREQUEST on ath0 to 255.255.255.255 port 67
DHCPREQUEST on ath0 to 255.255.255.255 port 67
DHCPREQUEST on ath0 to 255.255.255.255 port 67
DHCPACK from 192.168.0.20
bound to 192.168.0.254 -- renewal in 300 seconds.
ath0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet6 fe80::211:95ff:fed5:4362%ath0 prefixlen 64 scopeid 0x1
inet 192.168.0.254 netmask 0xffffff00 broadcast 192.168.0.255
ether 00:11:95:d5:43:62
media: IEEE 802.11 Wireless Ethernet autoselect (DS/11Mbps)
status: associated
ssid freebsdap channel 1 bssid 00:11:95:c3:0d:ac
authmode WPA2/802.11i privacy ON deftxkey UNDEF TKIP 2:128-bit
txpowmax 36 protmode CTS roaming MANUAL bintval 100WEPWEP (Wired Equivalent Privacy) is part of the original
802.11 standard. There is no authentication mechanism,
only a weak form of access control, and it is easily to be
cracked.WEP can be set up with
ifconfig:&prompt.root; ifconfig ath0 ssid my_net wepmode on weptxkey 3 wepkey 3:0x3456789012 \
inet 192.168.1.100 netmask 255.255.255.0The weptxkey means which WEP
key will be used in the transmission. Here we used the
third key. This must match the setting in the access
point.The wepkey means setting the
selected WEP key. It should in the format
index:key, if the index is
not given, key 1 is set. That is
to say we need to set the index if we use keys other
than the first key.You must replace
the 0x3456789012 with the key
configured for use on the access point.You are encouraged to read &man.ifconfig.8; manual
page for further information.The wpa_supplicant facility also
can be used to configure your wireless interface with WEP.
The example above can be set up by adding the following
lines to
/etc/wpa_supplicant.conf:network={
ssid="my_net"
key_mgmt=NONE
wep_key3=3456789012
wep_tx_keyidx=3
}Then:&prompt.root; wpa_supplicant -i ath0 -c /etc/wpa_supplicant.conf
Trying to associate with 00:13:46:49:41:76 (SSID='dlinkap' freq=2437 MHz)
Associated with 00:13:46:49:41:76Ad-hoc ModeIBSS mode, also called ad-hoc mode, is designed for point
to point connections. For example, to establish an ad-hoc
network between the machine A and the machine
B we will just need to choose two IP adresses
and a SSID.On the box A:&prompt.root; ifconfig ath0 ssid freebsdap mediaopt adhoc inet 192.168.0.1 netmask 255.255.255.0
&prompt.root; ifconfig ath0
ath0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
inet6 fe80::211:95ff:fec3:dac%ath0 prefixlen 64 scopeid 0x4
ether 00:11:95:c3:0d:ac
media: IEEE 802.11 Wireless Ethernet autoselect <adhoc> (autoselect <adhoc>)
status: associated
ssid freebsdap channel 2 bssid 02:11:95:c3:0d:ac
authmode OPEN privacy OFF txpowmax 36 protmode CTS bintval 100The adhoc parameter indicates the
interface is running in the IBSS mode.On B, we should be able to detect
A:&prompt.root; ifconfig ath0 up scan
SSID BSSID CHAN RATE S:N INT CAPS
freebsdap 02:11:95:c3:0d:ac 2 54M 19:3 100 ISThe I in the output confirms the
machine A is in ad-hoc mode. We just have to
configure B with a different IP
address:&prompt.root; ifconfig ath0 ssid freebsdap mediaopt adhoc inet 192.168.0.2 netmask 255.255.255.0
&prompt.root; ifconfig ath0
ath0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet6 fe80::211:95ff:fed5:4362%ath0 prefixlen 64 scopeid 0x1
inet 192.168.0.2 netmask 0xffffff00 broadcast 192.168.0.255
ether 00:11:95:d5:43:62
media: IEEE 802.11 Wireless Ethernet autoselect <adhoc> (autoselect <adhoc>)
status: associated
ssid freebsdap channel 2 bssid 02:11:95:c3:0d:ac
authmode OPEN privacy OFF txpowmax 36 protmode CTS bintval 100Both A and B are now
ready to exchange informations.&os; Host Access Points&os; can act as an Access Point (AP) which eliminates the
need to buy a hardware AP or run an ad-hoc network. This can be
particularly useful when your &os; machine is acting as a
gateway to another network (e.g., the Internet).Basic SettingsBefore configuring your &os; machine as an AP, the
kernel must be configured with the appropriate wireless
networking support for your wireless card. You also have to
add the support for the security protocols you intend to
use. For more details, see .The use of the NDIS driver wrapper and the &windows;
drivers do not allow currently the AP operation. Only
native &os; wireless drivers support AP mode.Once the wireless networking support is loaded, you can
check if your wireless device supports the host-based access
point mode (also know as hostap mode):&prompt.root; ifconfig ath0 list caps
ath0=783ed0f<WEP,TKIP,AES,AES_CCM,IBSS,HOSTAP,AHDEMO,TXPMGT,SHSLOT,SHPREAMBLE,MONITOR,TKIPMIC,WPA1,WPA2,BURST,WME>This output displays the card capabilities; the
HOSTAP word confirms this wireless card
can act as an Access Point. Various supported ciphers are
also mentioned: WEP, TKIP, WPA2, etc., these informations
are important to know what security protocols could be set
on the Access Point.The wireless device can now be put into hostap mode and
configured with the correct SSID and IP address:&prompt.root; ifconfig ath0 ssid freebsdap mode 11g mediaopt hostap inet 192.168.0.1 netmask 255.255.255.0Use again ifconfig to see the status
of the ath0 interface:&prompt.root; ifconfig ath0
ath0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
inet6 fe80::211:95ff:fec3:dac%ath0 prefixlen 64 scopeid 0x4
ether 00:11:95:c3:0d:ac
media: IEEE 802.11 Wireless Ethernet autoselect mode 11g <hostap>
status: associated
ssid freebsdap channel 1 bssid 00:11:95:c3:0d:ac
authmode OPEN privacy OFF txpowmax 38 bmiss 7 protmode CTS burst dtimperiod 1 bintval 100The hostap parameter indicates the
interface is running in the host-based access point
mode.The interface configuration can be done automatically at
boot time by adding the following line to
/etc/rc.conf:ifconfig_ath0="ssid freebsdap mode 11g mediaopt hostap inet 192.168.0.1 netmask 255.255.255.0"Host-based Access Point without Authentication or
EncryptionAlthough it is not recommended to run an AP without any
authentication or encryption, this is a simple way to check
if your AP is working. This configuration is also important
for debugging client issues.Once the AP configured as previously shown, it is
possible from another wireless machine to initiate a scan to
find the AP:&prompt.root; ifconfig ath0 up scan
SSID BSSID CHAN RATE S:N INT CAPS
freebsdap 00:11:95:c3:0d:ac 1 54M 22:1 100 ESThe client machine found the Access Point and can be
associated with it:&prompt.root; ifconfig ath0 ssid freebsdap inet 192.168.0.2 netmask 255.255.255.0
&prompt.root; ifconfig ath0
ath0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet6 fe80::211:95ff:fed5:4362%ath0 prefixlen 64 scopeid 0x1
inet 192.168.0.2 netmask 0xffffff00 broadcast 192.168.0.255
ether 00:11:95:d5:43:62
media: IEEE 802.11 Wireless Ethernet autoselect (OFDM/54Mbps)
status: associated
ssid freebsdap channel 1 bssid 00:11:95:c3:0d:ac
authmode OPEN privacy OFF txpowmax 36 protmode CTS bintval 100WPA Host-based Access PointThis section will focus on setting up &os; Access Point
using the WPA security protocol. More details regarding WPA
and the configuration of WPA-based wireless clients can be
found in the .The hostapd daemon is used to
deal with client authentication and keys management on the
WPA enabled Access Point.In the following, all the configuration operations will
be performed on the &os; machine acting as AP. Once the
AP is correctly working, hostapd
should be automatically enabled at boot with the following
line in /etc/rc.conf:hostapd_enable="YES"Before trying to configure
hostapd, be sure you have done
the basic settings introduced in the .WPA-PSKWPA-PSK is intended for small networks where the use
of an backend authentication server is not possible or
desired.The configuration is done in the
/etc/hostapd.conf file:interface=ath0
debug=1
ctrl_interface=/var/run/hostapd
ctrl_interface_group=wheel
ssid=freebsdap
wpa=1
wpa_passphrase=freebsdmall
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP TKIP This field indicates the wireless interface used
for the Access Point.This field sets the level of verbosity during the
execution of hostapd. A
value of 1 represents the minimal
level.The ctrl_interface field gives
the pathname of the directory used by
hostapd to stores its
domain socket files for the communication with
external programs such as &man.hostapd.cli.8;. The
default value is used here.The ctrl_interface_group line
sets the group (here, it is the
wheel group) allowed to access
to the control interface files.This field sets the network name.The wpa field enables WPA and
specifies which WPA authentication protocol will be
required. A value of 1 configures the
AP for WPA-PSK.The wpa_passphrase field
contains the ASCII passphrase for the WPA
authentication.Always use strong passwords that are
sufficiently long and made from a rich alphabet so
they will not be guessed and/or attacked.The wpa_key_mgmt line refers to
the key management protocol we use. In our case it is
WPA-PSK.The wpa_pairwise field
indicates the set of accepted encryption algorithms by
the Access Point. Here both TKIP (WPA) and CCMP
(WPA2) ciphers are accepted. CCMP cipher is an
alternative to TKIP and that is strongly preferred
when possible; TKIP should be used solely for stations
incapable of doing CCMP.The next step is to start
hostapd:&prompt.root /etc/rc.d/hostapd forcestart&prompt.root; ifconfig ath0
ath0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 2290
inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
inet6 fe80::211:95ff:fec3:dac%ath0 prefixlen 64 scopeid 0x4
ether 00:11:95:c3:0d:ac
media: IEEE 802.11 Wireless Ethernet autoselect mode 11g <hostap>
status: associated
ssid freebsdap channel 1 bssid 00:11:95:c3:0d:ac
authmode WPA2/802.11i privacy MIXED deftxkey 2 TKIP 2:128-bit txpowmax 36 protmode CTS dtimperiod 1 bintval 100The Access Point is running, the clients can now be
associated with it, see for more details. It is
possible to see the stations associated with the AP using
the ifconfig ath0 list
sta command.WEP Host-based Access PointIt is not recommended to use WEP for setting up an
Access Point since there is no authentication mechanism and
it is easily to be cracked. Some legacy wireless cards only
support WEP as security protocol, these cards will only
allow to set up AP without authentication or encryption or
using the WEP protocol.The wireless device can now be put into hostap mode and
configured with the correct SSID and IP address:&prompt.root; ifconfig ath0 ssid freebsdap wepmode on weptxkey 3 wepkey 3:0x3456789012 mode 11g mediaopt hostap \
inet 192.168.0.1 netmask 255.255.255.0The weptxkey means which WEP
key will be used in the transmission. Here we used the
third key (note that the key numbering starts with
1). This parameter must be specified
to really encrypt the data.The wepkey means setting the
selected WEP key. It should in the format
index:key, if the index is
not given, key 1 is set. That is
to say we need to set the index if we use keys other
than the first key.Use again ifconfig to see the status
of the ath0 interface:&prompt.root; ifconfig ath0
ath0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
inet6 fe80::211:95ff:fec3:dac%ath0 prefixlen 64 scopeid 0x4
ether 00:11:95:c3:0d:ac
media: IEEE 802.11 Wireless Ethernet autoselect mode 11g <hostap>
status: associated
ssid freebsdap channel 1 bssid 00:11:95:c3:0d:ac
authmode OPEN privacy ON deftxkey 3 wepkey 3:40-bit txpowmax 36 protmode CTS dtimperiod 1 bintval 100From another wireless machine, it is possible to initiate
a scan to find the AP:&prompt.root; ifconfig ath0 up scan
SSID BSSID CHAN RATE S:N INT CAPS
freebsdap 00:11:95:c3:0d:ac 1 54M 22:1 100 EPSThe client machine found the Access Point and can be
associated with it using the correct parameters (key, etc.),
see for more
details.TroubleshootingIf you are having trouble with wireless networking, there
are a number of steps you can take to help troubleshoot the
problem.If you do not see the access point listed when
scanning be sure you have not configured your wireless
device to a limited set of channels.If you cannot associate to an access point verify the
configuration of your station matches the one of the
access point. This includes the authentication scheme and
any security protocols. Simplify your configuration as
much as possible. If you are using a security protocol
such as WPA or WEP configure the access point for open
authentication and no security to see if you can get
traffic to pass.Once you can associate to the access point diagnose
any security configuration using simple tools like
&man.ping.8;.The wpa_supplicant has much
debugging support; try running it manually with the
option and look at the system
logs.There are also many lower-level debugging tools. You
can enable debugging messages in the 802.11 protocol
support layer using the wlandebug
program found in
/usr/src/tools/tools/net80211. For
example:&prompt.root; wlandebug -i ath0 +scan+auth+debug+assoc
net.wlan.0.debug: 0 => 0xc80000<assoc,auth,scan>can be used to enable console messages related to
scanning for access points and doing the 802.11 protocol
handshakes required to arrange communication.There are also many useful statistics maintained by
the 802.11 layer; the wlanstats tool
will dump these informations. These statistics should
identify all errors identified by the 802.11 layer.
Beware however that some errors are identified in the
device drivers that lie below the 802.11 layer so they may
not show up. To diagnose device-specific problems you
need to refer to the drivers' documentation.If the above information does not help to clarify the
problem, please submit a problem report and include output
from the above tools.PavLucistnikWritten by pav@FreeBSD.orgBluetoothBluetoothIntroductionBluetooth is a wireless technology for creating personal networks
operating in the 2.4 GHz unlicensed band, with a range of 10 meters.
Networks are usually formed ad-hoc from portable devices such as
cellular phones, handhelds and laptops. Unlike the other popular
wireless technology, Wi-Fi, Bluetooth offers higher level service
profiles, e.g. FTP-like file servers, file pushing, voice transport,
serial line emulation, and more.The Bluetooth stack in &os; is implemented using the Netgraph
framework (see &man.netgraph.4;). A broad variety of Bluetooth USB
dongles is supported by the &man.ng.ubt.4; driver. The Broadcom BCM2033
chip based Bluetooth devices are supported via the &man.ubtbcmfw.4; and
&man.ng.ubt.4; drivers. The 3Com Bluetooth PC Card 3CRWB60-A is
supported by the &man.ng.bt3c.4; driver. Serial and UART based
Bluetooth devices are supported via &man.sio.4;, &man.ng.h4.4;
and &man.hcseriald.8;. This section describes the use of the USB
Bluetooth dongle.Plugging in the DeviceBy default Bluetooth device drivers are available as kernel modules.
Before attaching a device, you will need to load the driver into the
kernel:&prompt.root; kldload ng_ubtIf the Bluetooth device is present in the system during system
startup, load the module from
/boot/loader.conf:ng_ubt_load="YES"Plug in your USB dongle. The output similar to the following will
appear on the console (or in syslog):ubt0: vendor 0x0a12 product 0x0001, rev 1.10/5.25, addr 2
ubt0: Interface 0 endpoints: interrupt=0x81, bulk-in=0x82, bulk-out=0x2
ubt0: Interface 1 (alt.config 5) endpoints: isoc-in=0x83, isoc-out=0x3,
wMaxPacketSize=49, nframes=6, buffer size=294Copy
/usr/share/examples/netgraph/bluetooth/rc.bluetooth
into some convenient place, like /etc/rc.bluetooth.
This script is used to start and stop the Bluetooth stack. It is a good
idea to stop the stack before unplugging the device, but it is not
(usually) fatal. When starting the stack, you will receive output similar
to the following:&prompt.root; /etc/rc.bluetooth start ubt0
BD_ADDR: 00:02:72:00:d4:1a
Features: 0xff 0xff 0xf 00 00 00 00 00
<3-Slot> <5-Slot> <Encryption> <Slot offset>
<Timing accuracy> <Switch> <Hold mode> <Sniff mode>
<Park mode> <RSSI> <Channel quality> <SCO link>
<HV2 packets> <HV3 packets> <u-law log> <A-law log> <CVSD>
<Paging scheme> <Power control> <Transparent SCO data>
Max. ACL packet size: 192 bytes
Number of ACL packets: 8
Max. SCO packet size: 64 bytes
Number of SCO packets: 8HCIHost Controller Interface (HCI)Host Controller Interface (HCI) provides a command interface to the
baseband controller and link manager, and access to hardware status and
control registers. This interface provides a uniform method of accessing
the Bluetooth baseband capabilities. HCI layer on the Host exchanges
data and commands with the HCI firmware on the Bluetooth hardware.
The Host Controller Transport Layer (i.e. physical bus) driver provides
both HCI layers with the ability to exchange information with each
other.A single Netgraph node of type hci is
created for a single Bluetooth device. The HCI node is normally
connected to the Bluetooth device driver node (downstream) and
the L2CAP node (upstream). All HCI operations must be performed
on the HCI node and not on the device driver node. Default name
for the HCI node is devicehci.
For more details refer to the &man.ng.hci.4; manual page.One of the most common tasks is discovery of Bluetooth devices in
RF proximity. This operation is called inquiry.
Inquiry and other HCI related operations are done with the
&man.hccontrol.8; utility. The example below shows how to find out
which Bluetooth devices are in range. You should receive the list of
devices in a few seconds. Note that a remote device will only answer
the inquiry if it put into discoverable
mode.&prompt.user; hccontrol -n ubt0hci inquiry
Inquiry result, num_responses=1
Inquiry result #0
BD_ADDR: 00:80:37:29:19:a4
Page Scan Rep. Mode: 0x1
Page Scan Period Mode: 00
Page Scan Mode: 00
Class: 52:02:04
Clock offset: 0x78ef
Inquiry complete. Status: No error [00]BD_ADDR is unique address of a Bluetooth
device, similar to MAC addresses of a network card. This address
is needed for further communication with a device. It is possible
to assign human readable name to a BD_ADDR.
The /etc/bluetooth/hosts file contains information
regarding the known Bluetooth hosts. The following example shows how
to obtain human readable name that was assigned to the remote
device:&prompt.user; hccontrol -n ubt0hci remote_name_request 00:80:37:29:19:a4
BD_ADDR: 00:80:37:29:19:a4
Name: Pav's T39If you perform an inquiry on a remote Bluetooth device, it will
find your computer as your.host.name (ubt0). The name
assigned to the local device can be changed at any time.The Bluetooth system provides a point-to-point connection (only two
Bluetooth units involved), or a point-to-multipoint connection. In the
point-to-multipoint connection the connection is shared among several
Bluetooth devices. The following example shows how to obtain the list
of active baseband connections for the local device:&prompt.user; hccontrol -n ubt0hci read_connection_list
Remote BD_ADDR Handle Type Mode Role Encrypt Pending Queue State
00:80:37:29:19:a4 41 ACL 0 MAST NONE 0 0 OPENA connection handle is useful when termination
of the baseband connection is required. Note, that it is normally not
required to do it by hand. The stack will automatically terminate
inactive baseband connections.&prompt.root; hccontrol -n ubt0hci disconnect 41
Connection handle: 41
Reason: Connection terminated by local host [0x16]Refer to hccontrol help for a complete listing
of available HCI commands. Most of the HCI commands do not require
superuser privileges.L2CAPLogical Link Control and Adaptation Protocol (L2CAP)Logical Link Control and Adaptation Protocol (L2CAP) provides
connection-oriented and connectionless data services to upper layer
protocols with protocol multiplexing capability and segmentation and
reassembly operation. L2CAP permits higher level protocols and
applications to transmit and receive L2CAP data packets up to 64
kilobytes in length.L2CAP is based around the concept of channels.
Channel is a logical connection on top of baseband connection. Each
channel is bound to a single protocol in a many-to-one fashion. Multiple
channels can be bound to the same protocol, but a channel cannot be
bound to multiple protocols. Each L2CAP packet received on a channel is
directed to the appropriate higher level protocol. Multiple channels
can share the same baseband connection.A single Netgraph node of type l2cap is
created for a single Bluetooth device. The L2CAP node is normally
connected to the Bluetooth HCI node (downstream) and Bluetooth sockets
nodes (upstream). Default name for the L2CAP node is
devicel2cap. For more details refer to the
&man.ng.l2cap.4; manual page.A useful command is &man.l2ping.8;, which can be used to ping
other devices. Some Bluetooth implementations might not return all of
the data sent to them, so 0 bytes in the following
example is normal.&prompt.root; l2ping -a 00:80:37:29:19:a4
0 bytes from 0:80:37:29:19:a4 seq_no=0 time=48.633 ms result=0
0 bytes from 0:80:37:29:19:a4 seq_no=1 time=37.551 ms result=0
0 bytes from 0:80:37:29:19:a4 seq_no=2 time=28.324 ms result=0
0 bytes from 0:80:37:29:19:a4 seq_no=3 time=46.150 ms result=0The &man.l2control.8; utility is used to perform various operations
on L2CAP nodes. This example shows how to obtain the list of logical
connections (channels) and the list of baseband connections for the
local device:&prompt.user; l2control -a 00:02:72:00:d4:1a read_channel_list
L2CAP channels:
Remote BD_ADDR SCID/ DCID PSM IMTU/ OMTU State
00:07:e0:00:0b:ca 66/ 64 3 132/ 672 OPEN
&prompt.user; l2control -a 00:02:72:00:d4:1a read_connection_list
L2CAP connections:
Remote BD_ADDR Handle Flags Pending State
00:07:e0:00:0b:ca 41 O 0 OPENAnother diagnostic tool is &man.btsockstat.1;. It does a job
similar to as &man.netstat.1; does, but for Bluetooth network-related
data structures. The example below shows the same logical connection as
&man.l2control.8; above.&prompt.user; btsockstat
Active L2CAP sockets
PCB Recv-Q Send-Q Local address/PSM Foreign address CID State
c2afe900 0 0 00:02:72:00:d4:1a/3 00:07:e0:00:0b:ca 66 OPEN
Active RFCOMM sessions
L2PCB PCB Flag MTU Out-Q DLCs State
c2afe900 c2b53380 1 127 0 Yes OPEN
Active RFCOMM sockets
PCB Recv-Q Send-Q Local address Foreign address Chan DLCI State
c2e8bc80 0 250 00:02:72:00:d4:1a 00:07:e0:00:0b:ca 3 6 OPENRFCOMMRFCOMM ProtocolThe RFCOMM protocol provides emulation of serial ports over the
L2CAP protocol. The protocol is based on the ETSI standard TS 07.10.
RFCOMM is a simple transport protocol, with additional provisions for
emulating the 9 circuits of RS-232 (EIATIA-232-E) serial ports. The
RFCOMM protocol supports up to 60 simultaneous connections (RFCOMM
channels) between two Bluetooth devices.For the purposes of RFCOMM, a complete communication path involves
two applications running on different devices (the communication
endpoints) with a communication segment between them. RFCOMM is intended
to cover applications that make use of the serial ports of the devices
in which they reside. The communication segment is a Bluetooth link from
one device to another (direct connect).RFCOMM is only concerned with the connection between the devices in
the direct connect case, or between the device and a modem in the
network case. RFCOMM can support other configurations, such as modules
that communicate via Bluetooth wireless technology on one side and
provide a wired interface on the other side.In &os; the RFCOMM protocol is implemented at the Bluetooth sockets
layer.pairingPairing of DevicesBy default, Bluetooth communication is not authenticated, and any
device can talk to any other device. A Bluetooth device (for example,
cellular phone) may choose to require authentication to provide a
particular service (for example, Dial-Up service). Bluetooth
authentication is normally done with PIN codes.
A PIN code is an ASCII string up to 16 characters in length. User is
required to enter the same PIN code on both devices. Once user has
entered the PIN code, both devices will generate a
link key. After that the link key can be stored
either in the devices themselves or in a persistent storage. Next time
both devices will use previously generated link key. The described
above procedure is called pairing. Note that if
the link key is lost by any device then pairing must be repeated.The &man.hcsecd.8; daemon is responsible for handling of all
Bluetooth authentication requests. The default configuration file is
/etc/bluetooth/hcsecd.conf. An example section for
a cellular phone with the PIN code arbitrarily set to
1234 is shown below:device {
bdaddr 00:80:37:29:19:a4;
name "Pav's T39";
key nokey;
pin "1234";
}There is no limitation on PIN codes (except length). Some devices
(for example Bluetooth headsets) may have a fixed PIN code built in.
The switch forces the &man.hcsecd.8; daemon to stay
in the foreground, so it is easy to see what is happening. Set the
remote device to receive pairing and initiate the Bluetooth connection
to the remote device. The remote device should say that pairing was
accepted, and request the PIN code. Enter the same PIN code as you
have in hcsecd.conf. Now your PC and the remote
device are paired. Alternatively, you can initiate pairing on the remote
device.On &os; 5.5, 6.1 and newer, the following line can be added to the
/etc/rc.conf file to have
hcsecd started automatically on system
start:hcsecd_enable="YES"The following is a sample of the
hcsecd daemon output:hcsecd[16484]: Got Link_Key_Request event from 'ubt0hci', remote bdaddr 0:80:37:29:19:a4
hcsecd[16484]: Found matching entry, remote bdaddr 0:80:37:29:19:a4, name 'Pav's T39', link key doesn't exist
hcsecd[16484]: Sending Link_Key_Negative_Reply to 'ubt0hci' for remote bdaddr 0:80:37:29:19:a4
hcsecd[16484]: Got PIN_Code_Request event from 'ubt0hci', remote bdaddr 0:80:37:29:19:a4
hcsecd[16484]: Found matching entry, remote bdaddr 0:80:37:29:19:a4, name 'Pav's T39', PIN code exists
hcsecd[16484]: Sending PIN_Code_Reply to 'ubt0hci' for remote bdaddr 0:80:37:29:19:a4SDPService Discovery Protocol (SDP)The Service Discovery Protocol (SDP) provides the means for client
applications to discover the existence of services provided by server
applications as well as the attributes of those services. The attributes
of a service include the type or class of service offered and the
mechanism or protocol information needed to utilize the service.SDP involves communication between a SDP server and a SDP client.
The server maintains a list of service records that describe the
characteristics of services associated with the server. Each service
record contains information about a single service. A client may
retrieve information from a service record maintained by the SDP server
by issuing a SDP request. If the client, or an application associated
with the client, decides to use a service, it must open a separate
connection to the service provider in order to utilize the service.
SDP provides a mechanism for discovering services and their attributes,
but it does not provide a mechanism for utilizing those services.Normally, a SDP client searches for services based on some desired
characteristics of the services. However, there are times when it is
desirable to discover which types of services are described by an SDP
server's service records without any a priori information about the
services. This process of looking for any offered services is called
browsing.The Bluetooth SDP server &man.sdpd.8; and command line client
&man.sdpcontrol.8; are included in the standard &os; installation.
The following example shows how to perform a SDP browse query.&prompt.user; sdpcontrol -a 00:01:03:fc:6e:ec browse
Record Handle: 00000000
Service Class ID List:
Service Discovery Server (0x1000)
Protocol Descriptor List:
L2CAP (0x0100)
Protocol specific parameter #1: u/int/uuid16 1
Protocol specific parameter #2: u/int/uuid16 1
Record Handle: 0x00000001
Service Class ID List:
Browse Group Descriptor (0x1001)
Record Handle: 0x00000002
Service Class ID List:
LAN Access Using PPP (0x1102)
Protocol Descriptor List:
L2CAP (0x0100)
RFCOMM (0x0003)
Protocol specific parameter #1: u/int8/bool 1
Bluetooth Profile Descriptor List:
LAN Access Using PPP (0x1102) ver. 1.0
... and so on. Note that each service has a list of attributes
(RFCOMM channel for example). Depending on the service you might need to
make a note of some of the attributes. Some Bluetooth implementations do
not support service browsing and may return an empty list. In this case
it is possible to search for the specific service. The example below
shows how to search for the OBEX Object Push (OPUSH) service:&prompt.user; sdpcontrol -a 00:01:03:fc:6e:ec search OPUSHOffering services on &os; to Bluetooth clients is done with the
&man.sdpd.8; server. On &os; 5.5, 6.1 and newer, the following line can
be added to the /etc/rc.conf file:sdpd_enable="YES"Then the sdpd daemon can be started with:&prompt.root; /etc/rc.d/sdpd startThe local server application that wants to provide Bluetooth
service to the remote clients will register service with the local
SDP daemon. The example of such application is &man.rfcomm.pppd.8;.
Once started it will register Bluetooth LAN service with the local
SDP daemon.The list of services registered with the local SDP server can be
obtained by issuing SDP browse query via local control channel:&prompt.root; sdpcontrol -l browseDial-Up Networking (DUN) and Network Access with PPP (LAN)
ProfilesThe Dial-Up Networking (DUN) profile is mostly used with modems
and cellular phones. The scenarios covered by this profile are the
following:use of a cellular phone or modem by a computer as
a wireless modem for connecting to a dial-up Internet access server,
or using other dial-up services;use of a cellular phone or modem by a computer to
receive data calls.Network Access with PPP (LAN) profile can be used in the following
situations:LAN access for a single Bluetooth device;
LAN access for multiple Bluetooth devices;
PC to PC (using PPP networking over serial cable
emulation).In &os; both profiles are implemented with &man.ppp.8; and
&man.rfcomm.pppd.8; - a wrapper that converts RFCOMM Bluetooth
connection into something PPP can operate with. Before any profile
can be used, a new PPP label in the /etc/ppp/ppp.conf
must be created. Consult &man.rfcomm.pppd.8; manual page for examples.
In the following example &man.rfcomm.pppd.8; will be used to open
RFCOMM connection to remote device with BD_ADDR 00:80:37:29:19:a4 on
DUN RFCOMM channel. The actual RFCOMM channel number will be obtained
from the remote device via SDP. It is possible to specify RFCOMM channel
by hand, and in this case &man.rfcomm.pppd.8; will not perform SDP
query. Use &man.sdpcontrol.8; to find out RFCOMM
channel on the remote device.&prompt.root; rfcomm_pppd -a 00:80:37:29:19:a4 -c -C dun -l rfcomm-dialupIn order to provide Network Access with PPP (LAN) service the
&man.sdpd.8; server must be running. A new entry for LAN clients must
be created in the /etc/ppp/ppp.conf file. Consult
&man.rfcomm.pppd.8; manual page for examples. Finally, start RFCOMM PPP
server on valid RFCOMM channel number. The RFCOMM PPP server will
automatically register Bluetooth LAN service with the local SDP daemon.
The example below shows how to start RFCOMM PPP server.&prompt.root; rfcomm_pppd -s -C 7 -l rfcomm-serverOBEXOBEX Object Push (OPUSH) ProfileOBEX is a widely used protocol for simple file transfers between
mobile devices. Its main use is in infrared communication, where it is
used for generic file transfers between notebooks or PDAs,
and for sending business cards or calendar entries between cellular
phones and other devices with PIM applications.The OBEX server and client are implemented as a third-party package
obexapp, which is available as
comms/obexapp port.OBEX client is used to push and/or pull objects from the OBEX server.
An object can, for example, be a business card or an appointment.
The OBEX client can obtain RFCOMM channel number from the remote device
via SDP. This can be done by specifying service name instead of RFCOMM
channel number. Supported service names are: IrMC, FTRN and OPUSH.
It is possible to specify RFCOMM channel as a number. Below is an
example of an OBEX session, where device information object is pulled
from the cellular phone, and a new object (business card) is pushed
into the phone's directory.&prompt.user; obexapp -a 00:80:37:29:19:a4 -C IrMC
obex> get telecom/devinfo.txt devinfo-t39.txt
Success, response: OK, Success (0x20)
obex> put new.vcf
Success, response: OK, Success (0x20)
obex> di
Success, response: OK, Success (0x20)In order to provide OBEX Object Push service,
&man.sdpd.8; server must be running. A root folder, where all incoming
objects will be stored, must be created. The default path to the root
folder is /var/spool/obex. Finally, start OBEX
server on valid RFCOMM channel number. The OBEX server will
automatically register OBEX Object Push service with the local SDP
daemon. The example below shows how to start OBEX server.&prompt.root; obexapp -s -C 10Serial Port Profile (SPP)The Serial Port Profile (SPP) allows Bluetooth devices to perform
RS232 (or similar) serial cable emulation. The scenario covered by this
profile deals with legacy applications using Bluetooth as a cable
replacement, through a virtual serial port abstraction.The &man.rfcomm.sppd.1; utility implements the Serial Port profile.
A pseudo tty is used as a virtual serial port abstraction. The example
below shows how to connect to a remote device Serial Port service.
Note that you do not have to specify a RFCOMM channel -
&man.rfcomm.sppd.1; can obtain it from the remote device via SDP.
If you would like to override this, specify a RFCOMM channel on the
command line.&prompt.root; rfcomm_sppd -a 00:07:E0:00:0B:CA -t /dev/ttyp6
rfcomm_sppd[94692]: Starting on /dev/ttyp6...Once connected, the pseudo tty can be used as serial port:&prompt.root; cu -l ttyp6TroubleshootingA remote device cannot connectSome older Bluetooth devices do not support role switching.
By default, when &os; is accepting a new connection, it tries to
perform a role switch and become master. Devices, which do not
support this will not be able to connect. Note that role switching is
performed when a new connection is being established, so it is not
possible to ask the remote device if it does support role switching.
There is a HCI option to disable role switching on the local
side:&prompt.root; hccontrol -n ubt0hci write_node_role_switch 0Something is going wrong, can I see what exactly is happening?Yes, you can. Use the third-party package
hcidump, which is available as
comms/hcidump port.
The hcidump utility is similar to
&man.tcpdump.1;. It can be used to display the content of the Bluetooth
packets on the terminal and to dump the Bluetooth packets to a
file.AndrewThompsonWritten by BridgingIntroductionIP subnetbridgeIt is sometimes useful to divide one physical network
(such as an Ethernet segment) into two separate network
segments without having to create IP subnets and use a router
to connect the segments together. A device that connects two
networks together in this fashion is called a
bridge. A FreeBSD system with two network
interface cards can act as a bridge.The bridge works by learning the MAC layer addresses
(Ethernet addresses) of the devices on each of its network interfaces.
It forwards traffic between two networks only when its source and
destination are on different networks.In many respects, a bridge is like an Ethernet switch with very
few ports.Situations Where Bridging Is AppropriateThere are many common situations in which a bridge is used
today.Connecting NetworksThe basic operation of a bridge is to join two or more
network segments together. There are many reasons to use a
host based bridge over plain networking equipment such as
cabling constraints, firewalling or connecting pseudo
networks such as a Virtual Machine interface. A bridge can
also connect a wireless interface running in hostap mode to
a wired network and act as an access point.Filtering/Traffic Shaping FirewallfirewallNATA common situation is where firewall functionality is
needed without routing or network address translation (NAT).An example is a small company that is connected via DSL
or ISDN to their ISP. They have a 13 globally-accessible IP
addresses from their ISP and have 10 PCs on their network.
In this situation, using a router-based firewall is
difficult because of subnetting issues.routerDSLISDNA bridge-based firewall can be configured and dropped into the
path just downstream of their DSL/ISDN router without any IP
numbering issues.Network TapA bridge can join two network segments and be used to
inspect all Ethernet frames that pass between them. This can
either be from using &man.bpf.4;/&man.tcpdump.1; on the
bridge interface or by sending a copy of all frames out an
additional interface (span port).Layer 2 VPNTwo Ethernet networks can be joined across an IP link by
bridging the networks to an EtherIP tunnel or a &man.tap.4;
based solution such as OpenVPN.Layer 2 RedundancyA network can be connected together with multiple links
and use the Spanning Tree Protocol to block redundant paths.
For an Ethernet network to function properly only one active
path can exist between two devices, Spanning Tree will
detect loops and put the redundant links into a blocked
state. Should one of the active links fail then the
protocol will calculate a different tree and reenable one of
the blocked paths to restore connectivity to all points in
the network.Kernel ConfigurationThis section covers &man.if.bridge.4; bridge
implementation, a netgraph bridging driver is also available,
for more information see &man.ng.bridge.4; manual page.The bridge driver is a kernel module and will be
automatically loaded by &man.ifconfig.8; when creating a
bridge interface. It is possible to compile the bridge in to
the kernel by adding device if_bridge to
your kernel configuration file.Packet filtering can be used with any firewall package
that hooks in via the &man.pfil.9; framework. The firewall
can be loaded as a module or compiled into the kernel.The bridge can be used as a traffic shaper with
&man.altq.4; or &man.dummynet.4;.Enabling the BridgeThe bridge is created using interface cloning. To create
a bridge use &man.ifconfig.8;, if the bridge driver is not
present in the kernel then it will be loaded
automatically.&prompt.root; ifconfig bridge create
bridge0
&prompt.root; ifconfig bridge0
bridge0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
ether 96:3d:4b:f1:79:7a
id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
root id 00:00:00:00:00:00 priority 0 ifcost 0 port 0A bridge interface is created and is automatically
assigned a randomly generated Ethernet address. The
maxaddr and timeout
parameters control how many MAC addresses the bridge will keep
in its forwarding table and how many seconds before each entry
is removed after it is last seen. The other parameters
control how Spanning Tree operates.Add the member network interfaces to the bridge. For the
bridge to forward packets all member interfaces and the bridge
need to be up:&prompt.root; ifconfig bridge0 addm fxp0 addm fxp1 up
&prompt.root; ifconfig fxp0 up
&prompt.root; ifconfig fxp1 upThe bridge is now forwarding Ethernet frames between
fxp0 and
fxp1. The equivalent configuration
in /etc/rc.conf so the bridge is created
at startup is:cloned_interfaces="bridge0"
ifconfig_bridge0="addm fxp0 addm fxp1 up"
ifconfig_fxp0="up"
ifconfig_fxp1="up"If the bridge host needs an IP address then the correct
place to set this is on the bridge interface itself rather
than one of the member interfaces. This can be set statically
or via DHCP:&prompt.root; ifconfig bridge0 inet 192.168.0.1/24It is also possible to assign an IPv6 address to a bridge
interface.FirewallingfirewallWhen packet filtering is enabled, bridged packets will
pass through the filter inbound on the originating interface,
on the bridge interface and outbound on the appropriate
interfaces. Either stage can be disabled. When direction of
the packet flow is important it is best to firewall on the
member interfaces rather than the bridge itself.The bridge has several configurable settings for passing
non-IP and ARP packets, and layer2 firewalling with IPFW. See
&man.if.bridge.4; for more information.Spanning TreeThe bridge driver implements the Rapid Spanning Tree
Protocol (RSTP or 802.1w) with backwards compatibility with
the legacy Spanning Tree Protocol (STP). Spanning Tree is
used to detect and remove loops in a network topology. RSTP
provides faster Spanning Tree convergence than legacy STP, the
protocol will exchange information with neighbouring switches
to quickly transition to forwarding without creating
loops.The following table shows the supported operating
modes:OS VersionSTP ModesDefault Mode&os; 5.4—&os; 6.2STPSTP&os; 6.3+RSTP or STPSTP&os; 7.0+RSTP or STPRSTPSpanning Tree can be enabled on member interfaces using
the stp command. For a bridge with
fxp0 and
fxp1 as the current interfaces,
enable STP with the following:&prompt.root; ifconfig bridge0 stp fxp0 stp fxp1
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
ether d6:cf:d5:a0:94:6d
id 00:01:02:4b:d4:50 priority 32768 hellotime 2 fwddelay 15
maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
root id 00:01:02:4b:d4:50 priority 32768 ifcost 0 port 0
member: fxp0 flags=1c7<LEARNING,DISCOVER,STP,AUTOEDGE,PTP,AUTOPTP>
port 3 priority 128 path cost 200000 proto rstp
role designated state forwarding
member: fxp1 flags=1c7<LEARNING,DISCOVER,STP,AUTOEDGE,PTP,AUTOPTP>
port 4 priority 128 path cost 200000 proto rstp
role designated state forwardingThis bridge has a spanning tree ID of
00:01:02:4b:d4:50 and a priority of
32768. As the root id
is the same it indicates that this is the root bridge for the
tree.Another bridge on the network also has spanning tree
enabled:bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
ether 96:3d:4b:f1:79:7a
id 00:13:d4:9a:06:7a priority 32768 hellotime 2 fwddelay 15
maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
root id 00:01:02:4b:d4:50 priority 32768 ifcost 400000 port 4
member: fxp0 flags=1c7<LEARNING,DISCOVER,STP,AUTOEDGE,PTP,AUTOPTP>
port 4 priority 128 path cost 200000 proto rstp
role root state forwarding
member: fxp1 flags=1c7<LEARNING,DISCOVER,STP,AUTOEDGE,PTP,AUTOPTP>
port 5 priority 128 path cost 200000 proto rstp
role designated state forwardingThe line root id 00:01:02:4b:d4:50 priority 32768
ifcost 400000 port 4 shows that the root bridge is
00:01:02:4b:d4:50 as above and has a path
cost of 400000 from this bridge, the path
to the root bridge is via port 4 which is
fxp0.Advanced BridgingReconstruct Traffic FlowsThe bridge supports monitor mode, where the packets are
discarded after &man.bpf.4; processing, and are not
processed or forwarded further. This can be used to
multiplex the input of two or more interfaces into a single
&man.bpf.4; stream. This is useful for reconstructing the
traffic for network taps that transmit the RX/TX signals out
through two separate interfaces.To read the input from four network interfaces as one
stream:&prompt.root; ifconfig bridge0 addm fxp0 addm fxp1 addm fxp2 addm fxp3 monitor up
&prompt.root; tcpdump -i bridge0Span PortsA copy of every Ethernet frame received by the bridge
will be transmitted out a designated span port. The number
of span ports configured on a bridge is unlimited, if an
interface is designated as a span port then it may not also
be used as a regular bridge port. This is most useful for
snooping a bridged network passively on another host
connected to one of the span ports of the bridge.To send a copy of all frames out the interface named
fxp4:&prompt.root; ifconfig bridge0 span fxp4Private InterfacesA private interface does not forward any traffic to any
other port that is also a private interface. The traffic is
blocked unconditionally so no Ethernet frames will be
forwarded, including ARP. If traffic needs to be
selectively blocked then a firewall should be used
instead.Sticky InterfacesIf a bridge member interface is marked as sticky then
dynamically learned address entries are treated at static once
entered into the forwarding cache. Sticky entries are never
aged out of the cache or replaced, even if the address is seen
on a different interface. This gives the benefit of static
address entries without the need to pre-populate the
forwarding table, clients learnt on a particular segment of
the bridge can not roam to another segment.Another example of using sticky addresses would be to
combine the bridge with VLANs to create a router where
customer networks are isolated without wasting IP address
space. Consider that CustomerA is on
vlan100 and CustomerB is on
vlan101. The bridge has the address
192.168.0.1 and is also an
internet router.&prompt.root; ifconfig bridge0 addm vlan100 sticky vlan100 addm vlan101 sticky vlan101
&prompt.root; ifconfig bridge0 inet 192.168.0.1/24Both clients see 192.168.0.1 as their default gateway
and since the bridge cache is sticky they can not spoof the
MAC address of the other customer to intercept their
traffic.Any communication between the VLANs can be blocked using
private interfaces (or a firewall):&prompt.root; ifconfig bridge0 private vlan100 private vlan101The customers are completely isolated from each other,
the full /24 address range
can be allocated without subnetting.Address limitsThe number of unique source MAC addresses behind an
interface can limited. Once the limit is reached packets
with unknown source addresses are dropped until an
existing host cache entry expires or is removed.The following example sets the maximum number of Ethernet
devices for CustomerA on
vlan100 to 10.&prompt.root; ifconfig bridge0 ifmaxaddr vlan100 10SNMP MonitoringThe bridge interface and STP parameters can be monitored
via the SNMP daemon which is included in the &os; base
system. The exported bridge MIBs conform to the IETF
standards so any SNMP client or monitoring package can be
used to retrieve the data.On the bridge machine uncomment the
begemotSnmpdModulePath."bridge" =
"/usr/lib/snmp_bridge.so" line from
/etc/snmp.config and start the
bsnmpd daemon. Other
configuration such as community names and access lists may
need to be modified. See &man.bsnmpd.1; and
&man.snmp.bridge.3; for more information.The following examples use the
Net-SNMP software (net-mgmt/net-snmp) to query a
bridge, the net-mgmt/bsnmptools port can also
be used. From the SNMP client host add to
$HOME/.snmp/snmp.conf the following
lines to import the bridge MIB definitions in to
Net-SNMP:mibdirs +/usr/share/snmp/mibs
mibs +BRIDGE-MIB:RSTP-MIB:BEGEMOT-MIB:BEGEMOT-BRIDGE-MIBTo monitor a single bridge via the IETF BRIDGE-MIB
(RFC4188) do&prompt.user; snmpwalk -v 2c -c public bridge1.example.com mib-2.dot1dBridge
BRIDGE-MIB::dot1dBaseBridgeAddress.0 = STRING: 66:fb:9b:6e:5c:44
BRIDGE-MIB::dot1dBaseNumPorts.0 = INTEGER: 1 ports
BRIDGE-MIB::dot1dStpTimeSinceTopologyChange.0 = Timeticks: (189959) 0:31:39.59 centi-seconds
BRIDGE-MIB::dot1dStpTopChanges.0 = Counter32: 2
BRIDGE-MIB::dot1dStpDesignatedRoot.0 = Hex-STRING: 80 00 00 01 02 4B D4 50
...
BRIDGE-MIB::dot1dStpPortState.3 = INTEGER: forwarding(5)
BRIDGE-MIB::dot1dStpPortEnable.3 = INTEGER: enabled(1)
BRIDGE-MIB::dot1dStpPortPathCost.3 = INTEGER: 200000
BRIDGE-MIB::dot1dStpPortDesignatedRoot.3 = Hex-STRING: 80 00 00 01 02 4B D4 50
BRIDGE-MIB::dot1dStpPortDesignatedCost.3 = INTEGER: 0
BRIDGE-MIB::dot1dStpPortDesignatedBridge.3 = Hex-STRING: 80 00 00 01 02 4B D4 50
BRIDGE-MIB::dot1dStpPortDesignatedPort.3 = Hex-STRING: 03 80
BRIDGE-MIB::dot1dStpPortForwardTransitions.3 = Counter32: 1
RSTP-MIB::dot1dStpVersion.0 = INTEGER: rstp(2)The dot1dStpTopChanges.0 value is two
which means that the STP bridge topology has changed twice,
a topology change means that one or more links in the
network have changed or failed and a new tree has been
calculated. The
dot1dStpTimeSinceTopologyChange.0 value
will show when this happened.To monitor multiple bridge interfaces one may use the
private BEGEMOT-BRIDGE-MIB:&prompt.user; snmpwalk -v 2c -c public bridge1.example.com
enterprises.fokus.begemot.begemotBridge
BEGEMOT-BRIDGE-MIB::begemotBridgeBaseName."bridge0" = STRING: bridge0
BEGEMOT-BRIDGE-MIB::begemotBridgeBaseName."bridge2" = STRING: bridge2
BEGEMOT-BRIDGE-MIB::begemotBridgeBaseAddress."bridge0" = STRING: e:ce:3b:5a:9e:13
BEGEMOT-BRIDGE-MIB::begemotBridgeBaseAddress."bridge2" = STRING: 12:5e:4d:74:d:fc
BEGEMOT-BRIDGE-MIB::begemotBridgeBaseNumPorts."bridge0" = INTEGER: 1
BEGEMOT-BRIDGE-MIB::begemotBridgeBaseNumPorts."bridge2" = INTEGER: 1
...
BEGEMOT-BRIDGE-MIB::begemotBridgeStpTimeSinceTopologyChange."bridge0" = Timeticks: (116927) 0:19:29.27 centi-seconds
BEGEMOT-BRIDGE-MIB::begemotBridgeStpTimeSinceTopologyChange."bridge2" = Timeticks: (82773) 0:13:47.73 centi-seconds
BEGEMOT-BRIDGE-MIB::begemotBridgeStpTopChanges."bridge0" = Counter32: 1
BEGEMOT-BRIDGE-MIB::begemotBridgeStpTopChanges."bridge2" = Counter32: 1
BEGEMOT-BRIDGE-MIB::begemotBridgeStpDesignatedRoot."bridge0" = Hex-STRING: 80 00 00 40 95 30 5E 31
BEGEMOT-BRIDGE-MIB::begemotBridgeStpDesignatedRoot."bridge2" = Hex-STRING: 80 00 00 50 8B B8 C6 A9To change the bridge interface being monitored via the
mib-2.dot1dBridge subtree do:&prompt.user; snmpset -v 2c -c private bridge1.example.com
BEGEMOT-BRIDGE-MIB::begemotBridgeDefaultBridgeIf.0 s bridge2AndrewThompsonWritten by Link Aggregation and FailoverlaggfailoverfeclacploadbalanceroundrobinIntroductionThe &man.lagg.4; interface allows aggregation of multiple network
interfaces as one virtual interface for the purpose of providing
fault-tolerance and high-speed links.Operating ModesfailoverSends and receives traffic only through the master port. If the
master port becomes unavailable, the next active port is used. The
first interface added is the master port; any interfaces added after
that are used as failover devices.fecSupports Cisco EtherChannel. This is a static setup and does not
negotiate aggregation with the peer or exchange frames to monitor the
link, if the switch supports LACP then that should be used
instead.Balances outgoing traffic across the active ports based on hashed
protocol header information and accepts incoming traffic from any
active port. The hash includes the Ethernet source and destination
address, and, if available, the VLAN tag, and the IPv4/IPv6 source
and destination address.lacpSupports the IEEE 802.3ad Link Aggregation Control Protocol
(LACP) and the Marker Protocol. LACP will negotiate a set of
aggregable links with the peer in to one or more Link Aggregated
Groups. Each LAG is composed of ports of the same speed, set to
full-duplex operation. The traffic will be balanced across the ports
in the LAG with the greatest total speed, in most cases there will
only be one LAG which contains all ports. In the event of changes in
physical connectivity, Link Aggregation will quickly converge to a
new configuration.Balances outgoing traffic across the active ports based on hashed
protocol header information and accepts incoming traffic from any
active port. The hash includes the Ethernet source and destination
address, and, if available, the VLAN tag, and the IPv4/IPv6 source
and destination address.loadbalanceThis is an alias of fec mode.roundrobinDistributes outgoing traffic using a round-robin scheduler
through all active ports and accepts incoming traffic from any active
port. This mode will violate Ethernet frame ordering and should be
used with caution.ExamplesLACP aggregation with a Cisco switchThis example connects two interfaces on a &os; machine to the
switch as a single load balanced and fault tolerant link. More interfaces
can be added to increase throughput and fault tolerance. Since frame
ordering is mandatory on Ethernet links then any traffic between two
stations always flows over the same physical link limiting the maximum
speed to that of one interface. The transmit algorithm attempts to use as
much information as it can to distinguish different traffic flows and
balance across the available interfaces.On the Cisco switch add the interfaces to the channel group.interface FastEthernet0/1
channel-group 1 mode active
channel-protocol lacp
!
interface FastEthernet0/2
channel-group 1 mode active
channel-protocol lacp
!On the &os; machine create the lagg interface.&prompt.root; ifconfig lagg0 create
&prompt.root; ifconfig lagg0 up laggproto lacp laggport fxp0 laggport fxp1View the interface status from ifconfig; ports marked as
ACTIVE are part of the active aggregation group
that has been negotiated with the remote switch and traffic will be
transmitted and received. Use the verbose output of &man.ifconfig.8;
to view the LAG identifiers.lagg0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=8<VLAN_MTU>
ether 00:05:5d:71:8d:b8
media: Ethernet autoselect
status: active
laggproto lacp
laggport: fxp1 flags=1c<ACTIVE,COLLECTING,DISTRIBUTING>
laggport: fxp0 flags=1c<ACTIVE,COLLECTING,DISTRIBUTING>The switch will show which ports are active. For more detail use
show lacp neighbor detail.switch# show lacp neighbor
Flags: S - Device is requesting Slow LACPDUs
F - Device is requesting Fast LACPDUs
A - Device is in Active mode P - Device is in Passive mode
Channel group 1 neighbors
Partner's information:
LACP port Oper Port Port
Port Flags Priority Dev ID Age Key Number State
Fa0/1 SA 32768 0005.5d71.8db8 29s 0x146 0x3 0x3D
Fa0/2 SA 32768 0005.5d71.8db8 29s 0x146 0x4 0x3DFailover modeFailover mode can be used to switch over to another interface if
the link is lost on the master.&prompt.root; ifconfig lagg0 create
&prompt.root; ifconfig lagg0 up laggproto failover laggport fxp0 laggport fxp1lagg0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=8<VLAN_MTU>
ether 00:05:5d:71:8d:b8
media: Ethernet autoselect
status: active
laggproto failover
laggport: fxp1 flags=0<>
laggport: fxp0 flags=5<MASTER,ACTIVE>Traffic will be transmitted and received on
fxp0. If the link is lost on
fxp0 then fxp1 will
become the active link. If the link is restored on the master
interface then it will once again become the active link.Jean-FrançoisDockèsUpdated by AlexDupreReorganized and enhanced by Diskless Operationdiskless workstationdiskless operationA FreeBSD machine can boot over the network and operate without a
local disk, using file systems mounted from an NFS server. No system
modification is necessary, beyond standard configuration files.
Such a system is relatively easy to set up because all the necessary elements
are readily available:There are at least two possible methods to load the kernel over
the network:PXE: The &intel; Preboot eXecution
Environment system is a form of smart boot ROM built into some
networking cards or motherboards. See &man.pxeboot.8; for more
details.The Etherboot
port (net/etherboot) produces
ROM-able code to boot kernels over the network. The
code can be either burnt into a boot PROM on a network
card, or loaded from a local floppy (or hard) disk
drive, or from a running &ms-dos; system. Many network
cards are supported.A sample script
(/usr/share/examples/diskless/clone_root) eases
the creation and maintenance of the workstation's root file system
on the server. The script will probably require a little
customization but it will get you started very quickly.Standard system startup files exist in /etc
to detect and support a diskless system startup.Swapping, if needed, can be done either to an NFS file or to
a local disk.There are many ways to set up diskless workstations. Many
elements are involved, and most can be customized to suit local
taste. The following will describe variations on the setup of a complete system,
emphasizing simplicity and compatibility with the
standard FreeBSD startup scripts. The system described has the
following characteristics:The diskless workstations use a shared
read-only / file system, and a shared
read-only /usr.The root file system is a copy of a
standard FreeBSD root (typically the server's), with some
configuration files overridden by ones specific to diskless
operation or, possibly, to the workstation they belong to.The parts of the root which have to be
writable are overlaid with &man.md.4; file systems. Any changes
will be lost when the system reboots.The kernel is transferred and loaded either with
Etherboot or PXE
as some situations may mandate the use of either method.As described, this system is insecure. It should
live in a protected area of a network, and be untrusted by
other hosts.All the information in this section has been tested
using &os; 5.2.1-RELEASE.Background InformationSetting up diskless workstations is both relatively
straightforward and prone to errors. These are sometimes
difficult to diagnose for a number of reasons. For example:Compile time options may determine different behaviors at
runtime.Error messages are often cryptic or totally absent.In this context, having some knowledge of the background
mechanisms involved is very useful to solve the problems that
may arise.Several operations need to be performed for a successful
bootstrap:The machine needs to obtain initial parameters such as its IP
address, executable filename, server name, root path. This is
done using the DHCP or BOOTP protocols.
DHCP is a compatible extension of BOOTP, and
uses the same port numbers and basic packet format.It is possible to configure a system to use only BOOTP.
The &man.bootpd.8; server program is included in the base &os;
system.However, DHCP has a number of advantages
over BOOTP (nicer configuration files, possibility of using
PXE, plus many others not directly related to
diskless operation), and we will describe mainly a
DHCP configuration, with equivalent examples
using &man.bootpd.8; when possible. The sample configuration will
use the ISC DHCP software package
(release 3.0.1.r12 was installed on the test server).The machine needs to transfer one or several programs to local
memory. Either TFTP or NFS
are used. The choice between TFTP and
NFS is a compile time option in several places.
A common source of error is to specify filenames for the wrong
protocol: TFTP typically transfers all files from
a single directory on the server, and would expect filenames
relative to this directory. NFS needs absolute
file paths.The possible intermediate bootstrap programs and the kernel
need to be initialized and executed. There are several important
variations in this area:PXE will load &man.pxeboot.8;, which is
a modified version of the &os; third stage loader. The
&man.loader.8; will obtain most parameters necessary to system
startup, and leave them in the kernel environment before
transferring control. It is possible to use a
GENERIC kernel in this case.Etherboot, will directly
load the kernel, with less preparation. You will need to
build a kernel with specific options.PXE and Etherboot
work equally well; however, because kernels
normally let the &man.loader.8; do more work for them,
PXE is the preferred method.If your BIOS and network cards support
PXE, you should probably use it.Finally, the machine needs to access its file systems.
NFS is used in all cases.See also &man.diskless.8; manual page.Setup InstructionsConfiguration Using ISC DHCPDHCPdiskless operationThe ISC DHCP server can answer
both BOOTP and DHCP requests.ISC DHCP
3.0 is not part of the base
system. You will first need to install the
net/isc-dhcp3-server port or the
corresponding package.Once ISC DHCP is installed, it
needs a configuration file to run (normally named
/usr/local/etc/dhcpd.conf). Here follows
a commented example, where host margaux
uses Etherboot and host
corbieres uses PXE:
default-lease-time 600;
max-lease-time 7200;
authoritative;
option domain-name "example.com";
option domain-name-servers 192.168.4.1;
option routers 192.168.4.1;
subnet 192.168.4.0 netmask 255.255.255.0 {
use-host-decl-names on;
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.4.255;
host margaux {
hardware ethernet 01:23:45:67:89:ab;
fixed-address margaux.example.com;
next-server 192.168.4.4;
filename "/data/misc/kernel.diskless";
option root-path "192.168.4.4:/data/misc/diskless";
}
host corbieres {
hardware ethernet 00:02:b3:27:62:df;
fixed-address corbieres.example.com;
next-server 192.168.4.4;
filename "pxeboot";
option root-path "192.168.4.4:/data/misc/diskless";
}
}
This option tells
dhcpd to send the value in the
host declarations as the hostname for the
diskless host. An alternate way would be to add an
option host-name
margaux inside the
host declarations.The
next-server directive designates
the TFTP or NFS server to
use for loading loader or kernel file (the default is to use
the same host as the
DHCP server).The
filename directive defines the file that
Etherboot or PXE
will load for the next execution step. It must be specified
according to the transfer method used.
Etherboot can be compiled to use
NFS or TFTP. The &os;
port configures NFS by default.
PXE uses TFTP, which is
why a relative filename is used here (this may depend on the
TFTP server configuration, but would be
fairly typical). Also, PXE loads
pxeboot, not the kernel. There are other
interesting possibilities, like loading
pxeboot from a &os; CD-ROM
/boot directory (as
&man.pxeboot.8; can load a GENERIC kernel,
this makes it possible to use PXE to boot
from a remote CD-ROM).The
root-path option defines the path to
the root file system, in usual NFS notation.
When using PXE, it is possible to leave off
the host's IP as long as you do not enable the kernel option
BOOTP. The NFS server will then be
the same as the TFTP one.Configuration Using BOOTPBOOTPdiskless operationHere follows an equivalent bootpd
configuration (reduced to one client). This would be found in
/etc/bootptab.Please note that Etherboot
must be compiled with the non-default option
NO_DHCP_SUPPORT in order to use BOOTP,
and that PXE needs DHCP. The only
obvious advantage of bootpd is
that it exists in the base system.
.def100:\
:hn:ht=1:sa=192.168.4.4:vm=rfc1048:\
:sm=255.255.255.0:\
:ds=192.168.4.1:\
:gw=192.168.4.1:\
:hd="/tftpboot":\
:bf="/kernel.diskless":\
:rp="192.168.4.4:/data/misc/diskless":
margaux:ha=0123456789ab:tc=.def100
Preparing a Boot Program with
EtherbootEtherbootEtherboot's Web
site contains
extensive documentation mainly intended for Linux
systems, but nonetheless containing useful information. The
following will just outline how you would use
Etherboot on a FreeBSD
system.You must first install the net/etherboot package or port.You can change the Etherboot
configuration (i.e. to use TFTP instead of
NFS) by editing the Config
file in the Etherboot source
directory.For our setup, we shall use a boot floppy. For other methods
(PROM, or &ms-dos; program), please refer to the
Etherboot documentation.To make a boot floppy, insert a floppy in the drive on the
machine where you installed Etherboot,
then change your current directory to the src
directory in the Etherboot tree and
type:
&prompt.root; gmake bin32/devicetype.fd0devicetype depends on the type of
the Ethernet card in the diskless workstation. Refer to the
NIC file in the same directory to determine the
right devicetype.Booting with PXEBy default, the &man.pxeboot.8; loader loads the kernel via
NFS. It can be compiled to use
TFTP instead by specifying the
LOADER_TFTP_SUPPORT option in
/etc/make.conf. See the comments in
/usr/share/examples/etc/make.conf
for instructions.There are two other make.conf
options which may be useful for setting up a serial console diskless
machine: BOOT_PXELDR_PROBE_KEYBOARD, and
BOOT_PXELDR_ALWAYS_SERIAL.To use PXE when the machine starts, you will
usually need to select the Boot from network
option in your BIOS setup, or type a function key
during the PC initialization.Configuring the TFTP and NFS ServersTFTPdiskless operationNFSdiskless operationIf you are using PXE or
Etherboot configured to use
TFTP, you need to enable
tftpd on the file server:Create a directory from which tftpd
will serve the files, e.g. /tftpboot.Add this line to your
/etc/inetd.conf:tftp dgram udp wait root /usr/libexec/tftpd tftpd -l -s /tftpbootIt appears that at least some PXE versions want
the TCP version of TFTP. In this case, add a second line,
replacing dgram udp with stream
tcp.Tell inetd to reread its configuration
file. The must be in
the /etc/rc.conf file for this
command to execute correctly:&prompt.root; /etc/rc.d/inetd restartYou can place the tftpboot
directory anywhere on the server. Make sure that the
location is set in both inetd.conf and
dhcpd.conf.In all cases, you also need to enable NFS and export the
appropriate file system on the NFS server.Add this to /etc/rc.conf:nfs_server_enable="YES"Export the file system where the diskless root directory
is located by adding the following to
/etc/exports (adjust the volume mount
point and replace margaux corbieres
with the names of the diskless workstations):/data/misc -alldirs -ro margaux corbieresTell mountd to reread its configuration
file. If you actually needed to enable NFS in
/etc/rc.conf
at the first step, you probably want to reboot instead.&prompt.root; /etc/rc.d/mountd restartBuilding a Diskless Kerneldiskless operationkernel configurationIf using Etherboot, you need to
create a kernel configuration file for the diskless client
with the following options (in addition to the usual ones):
options BOOTP # Use BOOTP to obtain IP address/hostname
options BOOTP_NFSROOT # NFS mount root file system using BOOTP info
You may also want to use BOOTP_NFSV3,
BOOT_COMPAT and BOOTP_WIRED_TO
(refer to NOTES).These option names are historical and slightly misleading as
they actually enable indifferent use of DHCP and
BOOTP inside the kernel (it is also possible to force strict BOOTP
or DHCP use).Build the kernel (see ),
and copy it to the place specified
in dhcpd.conf.When using PXE, building a kernel with the
above options is not strictly necessary (though suggested).
Enabling them will cause more DHCP requests to be
issued during kernel startup, with a small risk of inconsistency
between the new values and those retrieved by &man.pxeboot.8; in some
special cases. The advantage of using them is that the host name
will be set as a side effect. Otherwise you will need to set the
host name by another method, for example in a client-specific
rc.conf file.In order to be loadable with
Etherboot, a kernel needs to have
the device hints compiled in. You would typically set the
following option in the configuration file (see the
NOTES configuration comments file):hints "GENERIC.hints"Preparing the Root Filesystemroot file systemdiskless operationYou need to create a root file system for the diskless
workstations, in the location listed as
root-path in
dhcpd.conf.Using make world to populate rootThis method is quick and
will install a complete virgin system (not only the root file system)
into DESTDIR.
All you have to do is simply execute the following script:#!/bin/sh
export DESTDIR=/data/misc/diskless
mkdir -p ${DESTDIR}
cd /usr/src; make buildworld && make buildkernel
cd /usr/src/etc; make distributionOnce done, you may need to customize your
/etc/rc.conf and
/etc/fstab placed into
DESTDIR according to your needs.Configuring SwapIf needed, a swap file located on the server can be
accessed via NFS.NFS SwapThe kernel does not support enabling NFS
swap at boot time. Swap must be enabled by the startup scripts,
by mounting a writable file system and creating and enabling a
swap file. To create a swap file of appropriate size, you can do
like this:&prompt.root; dd if=/dev/zero of=/path/to/swapfile bs=1k count=1 oseek=100000To enable it you have to add the following line to your
rc.conf:swapfile=/path/to/swapfileMiscellaneous IssuesRunning with a Read-only /usrdiskless operation/usr read-onlyIf the diskless workstation is configured to run X, you
will have to adjust the XDM configuration file, which puts
the error log on /usr by default.Using a Non-FreeBSD ServerWhen the server for the root file system is not running FreeBSD,
you will have to create the root file system on a
FreeBSD machine, then copy it to its destination, using
tar or cpio.In this situation, there are sometimes
problems with the special files in /dev,
due to differing major/minor integer sizes. A solution to this
problem is to export a directory from the non-FreeBSD server,
mount this directory onto a FreeBSD machine, and
use &man.devfs.5; to allocate device nodes transparently for
the user.ISDNISDNA good resource for information on ISDN technology and hardware is
Dan Kegel's ISDN
Page.A quick simple road map to ISDN follows:If you live in Europe you might want to investigate the ISDN card
section.If you are planning to use ISDN primarily to connect to the
Internet with an Internet Provider on a dial-up non-dedicated basis,
you might look into Terminal Adapters. This will give you the
most flexibility, with the fewest problems, if you change
providers.If you are connecting two LANs together, or connecting to the
Internet with a dedicated ISDN connection, you might consider
the stand alone router/bridge option.Cost is a significant factor in determining what solution you will
choose. The following options are listed from least expensive to most
expensive.HellmuthMichaelisContributed by ISDN CardsISDNcardsFreeBSD's ISDN implementation supports only the DSS1/Q.931
(or Euro-ISDN) standard using passive cards. Some active cards
are supported where the firmware
also supports other signaling protocols; this also includes the
first supported Primary Rate (PRI) ISDN card.The isdn4bsd software allows you to connect
to other ISDN routers using either IP over raw HDLC or by using
synchronous PPP: either by using kernel PPP with isppp, a
modified &man.sppp.4; driver, or by using userland &man.ppp.8;. By using
userland &man.ppp.8;, channel bonding of two or more ISDN
B-channels is possible. A telephone answering machine
application is also available as well as many utilities such as
a software 300 Baud modem.Some growing number of PC ISDN cards are supported under
FreeBSD and the reports show that it is successfully used all
over Europe and in many other parts of the world.The passive ISDN cards supported are mostly the ones with
the Infineon (formerly Siemens) ISAC/HSCX/IPAC ISDN chipsets,
but also ISDN cards with chips from Cologne Chip (ISA bus only),
PCI cards with Winbond W6692 chips, some cards with the
Tiger300/320/ISAC chipset combinations and some vendor specific
chipset based cards such as the AVM Fritz!Card PCI V.1.0 and the
AVM Fritz!Card PnP.Currently the active supported ISDN cards are the AVM B1
(ISA and PCI) BRI cards and the AVM T1 PCI PRI cards.For documentation on isdn4bsd,
have a look at /usr/share/examples/isdn/
directory on your FreeBSD system or at the homepage of
isdn4bsd which also has pointers to hints, erratas and
much more documentation such as the isdn4bsd
handbook.In case you are interested in adding support for a
different ISDN protocol, a currently unsupported ISDN PC card or
otherwise enhancing isdn4bsd, please
get in touch with &a.hm;.For questions regarding the installation, configuration
and troubleshooting isdn4bsd, a
&a.isdn.name; mailing list is available.ISDN Terminal AdaptersTerminal adapters (TA), are to ISDN what modems are to regular
phone lines.modemMost TA's use the standard Hayes modem AT command set, and can be
used as a drop in replacement for a modem.A TA will operate basically the same as a modem except connection
and throughput speeds will be much faster than your old modem. You
will need to configure PPP exactly the same
as for a modem setup. Make sure you set your serial speed as high as
possible.PPPThe main advantage of using a TA to connect to an Internet
Provider is that you can do Dynamic PPP. As IP address space becomes
more and more scarce, most providers are not willing to provide you
with a static IP anymore. Most stand-alone routers are not able to
accommodate dynamic IP allocation.TA's completely rely on the PPP daemon that you are running for
their features and stability of connection. This allows you to
upgrade easily from using a modem to ISDN on a FreeBSD machine, if you
already have PPP set up. However, at the same time any problems you
experienced with the PPP program and are going to persist.If you want maximum stability, use the kernel PPP option, not the userland PPP.The following TA's are known to work with FreeBSD:Motorola BitSurfer and Bitsurfer ProAdtranMost other TA's will probably work as well, TA vendors try to make
sure their product can accept most of the standard modem AT command
set.The real problem with external TA's is that, like modems,
you need a good serial card in your computer.You should read the FreeBSD Serial
Hardware tutorial for a detailed understanding of
serial devices, and the differences between asynchronous and
synchronous serial ports.A TA running off a standard PC serial port (asynchronous) limits
you to 115.2 Kbs, even though you have a 128 Kbs connection.
To fully utilize the 128 Kbs that ISDN is capable of,
you must move the TA to a synchronous serial card.Do not be fooled into buying an internal TA and thinking you have
avoided the synchronous/asynchronous issue. Internal TA's simply have
a standard PC serial port chip built into them. All this will do is
save you having to buy another serial cable and find another empty
electrical socket.A synchronous card with a TA is at least as fast as a stand-alone
router, and with a simple 386 FreeBSD box driving it, probably more
flexible.The choice of synchronous card/TA v.s. stand-alone router is largely a
religious issue. There has been some discussion of this in
the mailing lists. We suggest you search the archives for
the complete discussion.Stand-alone ISDN Bridges/RoutersISDNstand-alone bridges/routersISDN bridges or routers are not at all specific to FreeBSD
or any other operating system. For a more complete
description of routing and bridging technology, please refer
to a networking reference book.In the context of this section, the terms router and bridge will
be used interchangeably.As the cost of low end ISDN routers/bridges comes down, it
will likely become a more and more popular choice. An ISDN
router is a small box that plugs directly into your local
Ethernet network, and manages its own connection to the other
bridge/router. It has built in software to communicate via
PPP and other popular protocols.A router will allow you much faster throughput than a
standard TA, since it will be using a full synchronous ISDN
connection.The main problem with ISDN routers and bridges is that
interoperability between manufacturers can still be a problem.
If you are planning to connect to an Internet provider, you
should discuss your needs with them.If you are planning to connect two LAN segments together,
such as your home LAN to the office LAN, this is the simplest
lowest
maintenance solution. Since you are buying the equipment for
both sides of the connection you can be assured that the link
will work.For example to connect a home computer or branch office
network to a head office network the following setup could be
used:Branch Office or Home Network10 base 2Network uses a bus based topology with 10 base 2
Ethernet (thinnet). Connect router to network cable with
AUI/10BT transceiver, if necessary.---Sun workstation
|
---FreeBSD box
|
---Windows 95
|
Stand-alone router
|
ISDN BRI line10 Base 2 EthernetIf your home/branch office is only one computer you can use a
twisted pair crossover cable to connect to the stand-alone router
directly.Head Office or Other LAN10 base TNetwork uses a star topology with 10 base T Ethernet
(Twisted Pair). -------Novell Server
| H |
| ---Sun
| |
| U ---FreeBSD
| |
| ---Windows 95
| B |
|___---Stand-alone router
|
ISDN BRI lineISDN Network DiagramOne large advantage of most routers/bridges is that they allow you
to have 2 separate independent PPP connections to
2 separate sites at the same time. This is not
supported on most TA's, except for specific (usually expensive) models
that
have two serial ports. Do not confuse this with channel bonding, MPP,
etc.This can be a very useful feature if, for example, you
have an dedicated ISDN connection at your office and would
like to tap into it, but do not want to get another ISDN line
at work. A router at the office location can manage a
dedicated B channel connection (64 Kbps) to the Internet
and use the other B channel for a separate data connection.
The second B channel can be used for dial-in, dial-out or
dynamically bonding (MPP, etc.) with the first B channel for
more bandwidth.IPX/SPXAn Ethernet bridge will also allow you to transmit more than just
IP traffic. You can also send IPX/SPX or whatever other protocols you
use.ChernLeeContributed by Network Address TranslationOverviewnatdFreeBSD's Network Address Translation daemon, commonly known as
&man.natd.8; is a daemon that accepts incoming raw IP packets,
changes the source to the local machine and re-injects these packets
back into the outgoing IP packet stream. &man.natd.8; does this by changing
the source IP address and port such that when data is received back,
it is able to determine the original location of the data and forward
it back to its original requester.Internet connection sharingNATThe most common use of NAT is to perform what is commonly known as
Internet Connection Sharing.SetupDue to the diminishing IP space in IPv4, and the increased number
of users on high-speed consumer lines such as cable or DSL, people are
increasingly in need of an Internet Connection Sharing solution. The
ability to connect several computers online through one connection and
IP address makes &man.natd.8; a reasonable choice.Most commonly, a user has a machine connected to a cable or DSL
line with one IP address and wishes to use this one connected computer to
provide Internet access to several more over a LAN.To do this, the FreeBSD machine on the Internet must act as a
gateway. This gateway machine must have two NICs—one for connecting
to the Internet router, the other connecting to a LAN. All the
machines on the LAN are connected through a hub or switch.There are many ways to get a LAN connected to the Internet
through a &os; gateway. This example will only cover a
gateway with at least two NICs. _______ __________ ________
| | | | | |
| Hub |-----| Client B |-----| Router |----- Internet
|_______| |__________| |________|
|
____|_____
| |
| Client A |
|__________|Network LayoutA setup like this is commonly used to share an Internet
connection. One of the LAN machines is
connected to the Internet. The rest of the machines access
the Internet through that gateway
machine.kernelconfigurationConfigurationThe following options must be in the kernel configuration
file:options IPFIREWALL
options IPDIVERTAdditionally, at choice, the following may also be suitable:options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPFIREWALL_VERBOSEThe following must be in /etc/rc.conf:gateway_enable="YES"
firewall_enable="YES"
firewall_type="OPEN"
natd_enable="YES"
natd_interface="fxp0"
natd_flags="" Sets up the machine to act as a gateway. Running
sysctl net.inet.ip.forwarding=1 would
have the same effect.Enables the firewall rules in
/etc/rc.firewall at boot.This specifies a predefined firewall ruleset that
allows anything in. See
/etc/rc.firewall for additional
types.Indicates which interface to forward packets through
(the interface connected to the Internet).Any additional configuration options passed to
&man.natd.8; on boot.Having the previous options defined in
/etc/rc.conf would run
natd -interface fxp0 at boot. This can also
be run manually.It is also possible to use a configuration file for
&man.natd.8; when there are too many options to pass. In this
case, the configuration file must be defined by adding the
following line to /etc/rc.conf:natd_flags="-f /etc/natd.conf"The /etc/natd.conf file will
contain a list of configuration options, one per line. For
example the next section case would use the following
file:redirect_port tcp 192.168.0.2:6667 6667
redirect_port tcp 192.168.0.3:80 80For more information about the configuration file,
consult the &man.natd.8; manual page about the
option.Each machine and interface behind the LAN should be
assigned IP address numbers in the private network space as
defined by RFC 1918
and have a default gateway of the natd machine's internal IP
address.For example, client A and
B behind the LAN have IP addresses of 192.168.0.2 and 192.168.0.3, while the natd machine's
LAN interface has an IP address of 192.168.0.1. Client A
and B's default gateway must be set to that
of the natd machine, 192.168.0.1. The natd machine's
external, or Internet interface does not require any special
modification for &man.natd.8; to work.Port RedirectionThe drawback with &man.natd.8; is that the LAN clients are not accessible
from the Internet. Clients on the LAN can make outgoing connections to
the world but cannot receive incoming ones. This presents a problem
if trying to run Internet services on one of the LAN client machines.
A simple way around this is to redirect selected Internet ports on the
natd machine to a LAN client.
For example, an IRC server runs on client A, and a web server runs
on client B. For this to work properly, connections received on ports
6667 (IRC) and 80 (web) must be redirected to the respective machines.
The must be passed to
&man.natd.8; with the proper options. The syntax is as follows: -redirect_port proto targetIP:targetPORT[-targetPORT]
[aliasIP:]aliasPORT[-aliasPORT]
[remoteIP[:remotePORT[-remotePORT]]]In the above example, the argument should be: -redirect_port tcp 192.168.0.2:6667 6667
-redirect_port tcp 192.168.0.3:80 80
This will redirect the proper tcp ports to the
LAN client machines.
The argument can be used to indicate port
ranges over individual ports. For example, tcp
192.168.0.2:2000-3000 2000-3000 would redirect
all connections received on ports 2000 to 3000 to ports 2000
to 3000 on client A.These options can be used when directly running
&man.natd.8;, placed within the
natd_flags="" option in
/etc/rc.conf,
or passed via a configuration file.For further configuration options, consult &man.natd.8;Address Redirectionaddress redirectionAddress redirection is useful if several IP addresses are
available, yet they must be on one machine. With this,
&man.natd.8; can assign each LAN client its own external IP address.
&man.natd.8; then rewrites outgoing packets from the LAN clients
with the proper external IP address and redirects
all traffic incoming on that particular IP address back to
the specific LAN client. This is also known as static NAT.
For example, the IP addresses 128.1.1.1,
128.1.1.2, and
128.1.1.3 belong to the natd gateway
machine. 128.1.1.1 can be used
as the natd gateway machine's external IP address, while
128.1.1.2 and
128.1.1.3 are forwarded back to LAN
clients A and B.The syntax is as follows:-redirect_address localIP publicIPlocalIPThe internal IP address of the LAN client.publicIPThe external IP address corresponding to the LAN client.In the example, this argument would read:-redirect_address 192.168.0.2 128.1.1.2
-redirect_address 192.168.0.3 128.1.1.3Like , these arguments are also placed within
the natd_flags="" option of /etc/rc.conf, or passed via a configuration file. With address
redirection, there is no need for port redirection since all data
received on a particular IP address is redirected.The external IP addresses on the natd machine must be active and aliased
to the external interface. Look at &man.rc.conf.5; to do so.Parallel Line IP (PLIP)PLIPParallel Line IPPLIPPLIP lets us run TCP/IP between parallel ports. It is
useful on machines without network cards, or to install on
laptops. In this section, we will discuss:Creating a parallel (laplink) cable.Connecting two computers with PLIP.Creating a Parallel CableYou can purchase a parallel cable at most computer supply
stores. If you cannot do that, or you just want to know how
it is done, the following table shows how to make one out of a normal parallel
printer cable.
Setting Up PLIPFirst, you have to get a laplink cable.
Then, confirm that both computers have a kernel with &man.lpt.4; driver
support:&prompt.root; grep lp /var/run/dmesg.boot
lpt0: <Printer> on ppbus0
lpt0: Interrupt-driven portThe parallel port must be an interrupt driven port,
you should have lines similar to the
following in your in the
/boot/device.hints file:hint.ppc.0.at="isa"
hint.ppc.0.irq="7"Then check if the kernel configuration file has a
device plip line or if the
plip.ko kernel module is loaded. In both
cases the parallel networking interface should appear when you
use the &man.ifconfig.8; command to display it:&prompt.root; ifconfig plip0
plip0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> mtu 1500Plug the laplink cable into the parallel interface on
both computers.Configure the network interface parameters on both
sites as root. For example, if you want to connect
the host host1 with another machine host2: host1 <-----> host2
IP Address 10.0.0.1 10.0.0.2Configure the interface on host1 by doing:&prompt.root; ifconfig plip0 10.0.0.1 10.0.0.2Configure the interface on host2 by doing:&prompt.root; ifconfig plip0 10.0.0.2 10.0.0.1You now should have a working connection. Please read the
manual pages &man.lp.4; and &man.lpt.4; for more details.You should also add both hosts to
/etc/hosts:127.0.0.1 localhost.my.domain localhost
10.0.0.1 host1.my.domain host1
10.0.0.2 host2.my.domainTo confirm the connection works, go to each host and ping
the other. For example, on host1:&prompt.root; ifconfig plip0
plip0: flags=8851<UP,POINTOPOINT,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet 10.0.0.1 --> 10.0.0.2 netmask 0xff000000
&prompt.root; netstat -r
Routing tables
Internet:
Destination Gateway Flags Refs Use Netif Expire
host2 host1 UH 0 0 plip0
&prompt.root; ping -c 4 host2
PING host2 (10.0.0.2): 56 data bytes
64 bytes from 10.0.0.2: icmp_seq=0 ttl=255 time=2.774 ms
64 bytes from 10.0.0.2: icmp_seq=1 ttl=255 time=2.530 ms
64 bytes from 10.0.0.2: icmp_seq=2 ttl=255 time=2.556 ms
64 bytes from 10.0.0.2: icmp_seq=3 ttl=255 time=2.714 ms
--- host2 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max/stddev = 2.530/2.643/2.774/0.103 msAaronKaplanOriginally Written by TomRhodesRestructured and Added by BradDavisExtended by IPv6IPv6 (also known as IPng IP next generation) is
the new version of the well known IP protocol (also known as
IPv4). Like the other current *BSD systems,
FreeBSD includes the KAME IPv6 reference implementation.
So your FreeBSD system comes with all you will need to experiment with IPv6.
This section focuses on getting IPv6 configured and running.In the early 1990s, people became aware of the rapidly
diminishing address space of IPv4. Given the expansion rate of the
Internet there were two major concerns:Running out of addresses. Today this is not so much of a concern
anymore since RFC1918 private address space
(10.0.0.0/8,
172.16.0.0/12, and
192.168.0.0/16)
and Network Address Translation (NAT) are
being employed.Router table entries were getting too large. This is
still a concern today.IPv6 deals with these and many other issues:128 bit address space. In other words theoretically there are
340,282,366,920,938,463,463,374,607,431,768,211,456 addresses
available. This means there are approximately
6.67 * 10^27 IPv6 addresses per square meter on our planet.Routers will only store network aggregation addresses in their routing
tables thus reducing the average space of a routing table to 8192
entries.There are also lots of other useful features of IPv6 such as:Address autoconfiguration (RFC2462)Anycast addresses (one-out-of many)Mandatory multicast addressesIPsec (IP security)Simplified header structureMobile IPIPv6-to-IPv4 transition mechanismsFor more information see:IPv6 overview at playground.sun.comKAME.netBackground on IPv6 AddressesThere are different types of IPv6 addresses: Unicast, Anycast and
Multicast.Unicast addresses are the well known addresses. A packet sent
to a unicast address arrives exactly at the interface belonging to
the address.Anycast addresses are syntactically indistinguishable from unicast
addresses but they address a group of interfaces. The packet destined for
an anycast address will arrive at the nearest (in router metric)
interface. Anycast addresses may only be used by routers.Multicast addresses identify a group of interfaces. A packet destined
for a multicast address will arrive at all interfaces belonging to the
multicast group.The IPv4 broadcast address (usually xxx.xxx.xxx.255) is expressed
by multicast addresses in IPv6.
Reserved IPv6 addressesIPv6 addressPrefixlength (Bits)DescriptionNotes::128 bitsunspecifiedcf. 0.0.0.0 in
IPv4::1128 bitsloopback addresscf. 127.0.0.1 in
IPv4::00:xx:xx:xx:xx96 bitsembedded IPv4The lower 32 bits are the IPv4 address. Also
called IPv4 compatible IPv6
address::ff:xx:xx:xx:xx96 bitsIPv4 mapped IPv6 addressThe lower 32 bits are the IPv4 address.
For hosts which do not support IPv6.fe80:: - feb::10 bitslink-localcf. loopback address in IPv4fec0:: - fef::10 bitssite-localff::8 bitsmulticast001 (base
2)3 bitsglobal unicastAll global unicast addresses are assigned from
this pool. The first 3 bits are
001.
Reading IPv6 AddressesThe canonical form is represented as: x:x:x:x:x:x:x:x, each
x being a 16 Bit hex value. For example
FEBC:A574:382B:23C1:AA49:4592:4EFE:9982Often an address will have long substrings of all zeros
therefore one such substring per address can be abbreviated by ::.
Also up to three leading 0s per hexquad can be omitted.
For example fe80::1
corresponds to the canonical form
fe80:0000:0000:0000:0000:0000:0000:0001.A third form is to write the last 32 Bit part in the
well known (decimal) IPv4 style with dots .
as separators. For example
2002::10.0.0.1
corresponds to the (hexadecimal) canonical representation
2002:0000:0000:0000:0000:0000:0a00:0001
which in turn is equivalent to
writing 2002::a00:1.By now the reader should be able to understand the following:&prompt.root; ifconfigrl0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
inet 10.0.0.10 netmask 0xffffff00 broadcast 10.0.0.255
inet6 fe80::200:21ff:fe03:8e1%rl0 prefixlen 64 scopeid 0x1
ether 00:00:21:03:08:e1
media: Ethernet autoselect (100baseTX )
status: activefe80::200:21ff:fe03:8e1%rl0
is an auto configured link-local address. It is generated from the MAC
address as part of the auto configuration.For further information on the structure of IPv6 addresses
see RFC3513.Getting ConnectedCurrently there are four ways to connect to other IPv6 hosts and networks:Contact your Internet Service Provider to see if they
offer IPv6 yet.SixXS offers
tunnels with end-points all around the globe.Tunnel via 6-to-4 (RFC3068)Use the net/freenet6 port if you are on a dial-up connection.DNS in the IPv6 WorldThere used to be two types of DNS records for IPv6. The IETF
has declared A6 records obsolete. AAAA records are the standard
now.Using AAAA records is straightforward. Assign your hostname to the new
IPv6 address you just received by adding:MYHOSTNAME AAAA MYIPv6ADDRTo your primary zone DNS file. In case you do not serve your own
DNS zones ask your DNS provider.
Current versions of bind (version 8.3 and 9)
and dns/djbdns (with the IPv6 patch)
support AAAA records.Applying the needed changes to /etc/rc.confIPv6 Client SettingsThese settings will help you configure a machine that will be on
your LAN and act as a client, not a router. To have &man.rtsol.8;
autoconfigure your interface on boot all you need to add is:ipv6_enable="YES"To statically assign an IP address such as
2001:471:1f11:251:290:27ff:fee0:2093, to your
fxp0 interface, add:ipv6_ifconfig_fxp0="2001:471:1f11:251:290:27ff:fee0:2093"To assign a default router of
2001:471:1f11:251::1
add the following to /etc/rc.conf:ipv6_defaultrouter="2001:471:1f11:251::1"IPv6 Router/Gateway SettingsThis will help you take the directions that your tunnel provider has
given you and convert it into settings that will persist through reboots.
To restore your tunnel on startup use something like the following in
/etc/rc.conf:List the Generic Tunneling interfaces that will be configured, for
example gif0:gif_interfaces="gif0"To configure the interface with a local endpoint of
MY_IPv4_ADDR to a remote endpoint of
REMOTE_IPv4_ADDR:gifconfig_gif0="MY_IPv4_ADDR REMOTE_IPv4_ADDR"To apply the IPv6 address you have been assigned for use as your
IPv6 tunnel endpoint, add:ipv6_ifconfig_gif0="MY_ASSIGNED_IPv6_TUNNEL_ENDPOINT_ADDR"Then all you have to do is set the default route for IPv6. This is
the other side of the IPv6 tunnel:ipv6_defaultrouter="MY_IPv6_REMOTE_TUNNEL_ENDPOINT_ADDR"IPv6 Tunnel SettingsIf the server is to route IPv6 between the rest of your network
and the world, the following /etc/rc.conf
setting will also be needed:ipv6_gateway_enable="YES"Router Advertisement and Host Auto ConfigurationThis section will help you setup &man.rtadvd.8; to advertise the
IPv6 default route.To enable &man.rtadvd.8; you will need the following in your
/etc/rc.conf:rtadvd_enable="YES"It is important that you specify the interface on which to do
IPv6 router solicitation. For example to tell &man.rtadvd.8; to use
fxp0:rtadvd_interfaces="fxp0"Now we must create the configuration file,
/etc/rtadvd.conf. Here is an example:fxp0:\
:addrs#1:addr="2001:471:1f11:246::":prefixlen#64:tc=ether:Replace fxp0 with the interface you
are going to be using.Next, replace 2001:471:1f11:246::
with the prefix of your allocation.If you are dedicated a /64 subnet
you will not need to change anything else. Otherwise, you will need to
change the prefixlen# to the correct value.HartiBrandtContributed by Asynchronous Transfer Mode (ATM)Configuring classical IP over ATM (PVCs)Classical IP over ATM (CLIP) is the
simplest method to use Asynchronous Transfer Mode (ATM)
with IP. It can be used with
switched connections (SVCs) and with permanent connections
(PVCs). This section describes how to set up a network based
on PVCs.Fully meshed configurationsThe first method to set up a CLIP with
PVCs is to connect each machine to each other machine in the
network via a dedicated PVC. While this is simple to
configure it tends to become impractical for a larger number
of machines. The example supposes that we have four
machines in the network, each connected to the ATM network
with an ATM adapter card. The first step is the planning of
the IP addresses and the ATM connections between the
machines. We use the following:HostIP AddresshostA192.168.173.1hostB192.168.173.2hostC192.168.173.3hostD192.168.173.4To build a fully meshed net we need one ATM connection
between each pair of machines:MachinesVPI.VCI couplehostA - hostB0.100hostA - hostC0.101hostA - hostD0.102hostB - hostC0.103hostB - hostD0.104hostC - hostD0.105The VPI and VCI values at each end of the connection may
of course differ, but for simplicity we assume that they are
the same. Next we need to configure the ATM interfaces on
each host:hostA&prompt.root; ifconfig hatm0 192.168.173.1 up
hostB&prompt.root; ifconfig hatm0 192.168.173.2 up
hostC&prompt.root; ifconfig hatm0 192.168.173.3 up
hostD&prompt.root; ifconfig hatm0 192.168.173.4 upassuming that the ATM interface is
hatm0 on all hosts. Now the PVCs
need to be configured on hostA (we assume that
they are already configured on the ATM switches, you need to
consult the manual for the switch on how to do this).hostA&prompt.root; atmconfig natm add 192.168.173.2 hatm0 0 100 llc/snap ubr
hostA&prompt.root; atmconfig natm add 192.168.173.3 hatm0 0 101 llc/snap ubr
hostA&prompt.root; atmconfig natm add 192.168.173.4 hatm0 0 102 llc/snap ubr
hostB&prompt.root; atmconfig natm add 192.168.173.1 hatm0 0 100 llc/snap ubr
hostB&prompt.root; atmconfig natm add 192.168.173.3 hatm0 0 103 llc/snap ubr
hostB&prompt.root; atmconfig natm add 192.168.173.4 hatm0 0 104 llc/snap ubr
hostC&prompt.root; atmconfig natm add 192.168.173.1 hatm0 0 101 llc/snap ubr
hostC&prompt.root; atmconfig natm add 192.168.173.2 hatm0 0 103 llc/snap ubr
hostC&prompt.root; atmconfig natm add 192.168.173.4 hatm0 0 105 llc/snap ubr
hostD&prompt.root; atmconfig natm add 192.168.173.1 hatm0 0 102 llc/snap ubr
hostD&prompt.root; atmconfig natm add 192.168.173.2 hatm0 0 104 llc/snap ubr
hostD&prompt.root; atmconfig natm add 192.168.173.3 hatm0 0 105 llc/snap ubrOf course other traffic contracts than UBR can be used
given the ATM adapter supports those. In this case the name
of the traffic contract is followed by the parameters of the
traffic. Help for the &man.atmconfig.8; tool can be
obtained with:&prompt.root; atmconfig help natm addor in the &man.atmconfig.8; manual page.The same configuration can also be done via
/etc/rc.conf.
For hostA this would look like:network_interfaces="lo0 hatm0"
ifconfig_hatm0="inet 192.168.173.1 up"
natm_static_routes="hostB hostC hostD"
route_hostB="192.168.173.2 hatm0 0 100 llc/snap ubr"
route_hostC="192.168.173.3 hatm0 0 101 llc/snap ubr"
route_hostD="192.168.173.4 hatm0 0 102 llc/snap ubr"The current state of all CLIP routes
can be obtained with:hostA&prompt.root; atmconfig natm showTomRhodesContributed by Common Access Redundancy Protocol (CARP)CARPCommon Access Redundancy ProtocolThe Common Access Redundancy Protocol, or
CARP allows multiple hosts to share the same
IP address. In some configurations, this may
be used for availability or load balancing. Hosts may use separate
IP addresses as well, as in the example provided
here.To enable support for CARP, the &os;
kernel must be rebuilt with the following option:device carpCARP functionality should now be available
and may be tuned via several sysctl
OIDs:OIDDescriptionnet.inet.carp.allowAccept incoming CARP packets.
Enabled by default.net.inet.carp.preemptThis option downs all of the CARP
interfaces on the host when one of them goes down.
Disabled by defaultnet.inet.carp.logA value of 0 disables any logging.
A Value of 1 enables logging of bad
CARP packets. Values greater than
1 enables logging of state changes for
the CARP interfaces. The default value
is 1.net.inet.carp.arpbalanceBalance local network traffic using
ARP. Disabled by default.net.inet.carp.suppress_preemptA read only OID showing the status
of preemption suppression. Preemption can be suppressed
if link on an interface is down. A value of
0, means that preemption is not
suppressed. Every problem increments this
OID.The CARP devices themselves may be created
via the ifconfig command:&prompt.root; ifconfig carp0 createIn a real environment, these interfaces will need unique
identification numbers known as a VHID. This
VHID or Virtual Host Identification will be
used to distinguish the host on the network.Using CARP For Server Availability (CARP)One use of CARP, as noted above, is for
server availability. This example will provide failover support
for three hosts, all with unique IP
addresses and providing the same web content. These machines will
act in conjunction with a Round Robin DNS
configuration. The failover machine will have two additional
CARP interfaces, one for each of the content
server's IPs. When a failure occurs, the
failover server should pick up the failed machine's
IP address. This means the failure should
go completely unnoticed to the user. The failover server
requires identical content and services as the other content
servers it is expected to pick up load for.The two machines should be configured identically other
than their issued hostnames and VHIDs.
This example calls these machines
hosta.example.org and
hostb.example.org respectively. First, the
required lines for a CARP configuration have
to be added to rc.conf. For
hosta.example.org, the
rc.conf file should contain the following
lines:hostname="hosta.example.org"
ifconfig_fxp0="inet 192.168.1.3 netmask 255.255.255.0"
cloned_interfaces="carp0"
ifconfig_carp0="vhid 1 pass testpass 192.168.1.50/24"On hostb.example.org the following lines
should be in rc.conf:hostname="hostb.example.org"
ifconfig_fxp0="inet 192.168.1.4 netmask 255.255.255.0"
cloned_interfaces="carp0"
ifconfig_carp0="vhid 2 pass testpass 192.168.1.51/24"It is very important that the passwords, specified by the
option to ifconfig,
are identical. The carp devices will
only listen to and accept advertisements from machines with the
correct password. The VHID must also be
different for each machine.The third machine,
provider.example.org, should be prepared so that
it may handle failover from either host. This machine will require
two carp devices, one to handle each
host. The appropriate rc.conf
configuration lines will be similar to the following:hostname="provider.example.org"
ifconfig_fxp0="inet 192.168.1.5 netmask 255.255.255.0"
cloned_interfaces="carp0 carp1"
ifconfig_carp0="vhid 1 advskew 100 pass testpass 192.168.1.50/24"
ifconfig_carp1="vhid 2 advskew 100 pass testpass 192.168.1.51/24"Having the two carp devices will
allow provider.example.org to notice and pick
up the IP address of either machine should
it stop responding.The default &os; kernel may have
preemption enabled. If so,
provider.example.org may not relinquish the
IP address back to the original content
server. In this case, an administrator may have to manually
force the IP back to the master. The following command
should be issued on
provider.example.org:&prompt.root; ifconfig carp0 down && ifconfig carp0 upThis should be done on the carp
interface which corresponds to the correct host.At this point, CARP should be completely
enabled and available for testing. For testing, either networking has
to be restarted or the machines need to be rebooted.More information is always available in the &man.carp.4;
manual page.
diff --git a/en_US.ISO8859-1/books/handbook/mac/chapter.sgml b/en_US.ISO8859-1/books/handbook/mac/chapter.sgml
index 7bfea11f2d..ff6155e94d 100644
--- a/en_US.ISO8859-1/books/handbook/mac/chapter.sgml
+++ b/en_US.ISO8859-1/books/handbook/mac/chapter.sgml
@@ -1,2093 +1,2093 @@
TomRhodesWritten by Mandatory Access ControlSynopsisMACMandatory Access ControlMAC&os; 5.X introduced new security extensions from the
TrustedBSD project based on the &posix;.1e draft. Two of the most
significant new security mechanisms are file system Access Control
Lists (ACLs) and Mandatory Access Control
(MAC) facilities. Mandatory Access Control allows
new access control modules to be loaded, implementing new security
policies. Some provide protections of a narrow subset of the
system, hardening a particular service. Others provide
comprehensive labeled security across all subjects and objects.
The mandatory part
of the definition comes from the fact that the enforcement of
the controls is done by administrators and the system, and is
not left up to the discretion of users as is done with
discretionary access control (DAC, the standard
file and System V IPC permissions on &os;).This chapter will focus on the
Mandatory Access Control Framework (MAC Framework), and a set
of pluggable security policy modules enabling various security
mechanisms.After reading this chapter, you will know:What MAC security policy modules are currently
included in &os; and their associated mechanisms.What MAC security policy modules implement as
well as the difference between a labeled and non-labeled
policy.How to efficiently configure a system to use
the MAC framework.How to configure the different security policy modules included with the
MAC framework.How to implement a more secure environment using the
MAC framework and the examples
shown.How to test the MAC configuration
to ensure the framework has been properly implemented.Before reading this chapter, you should:Understand &unix; and &os; basics
().Be familiar with
the basics of kernel configuration/compilation
().Have some familiarity with security and how it
pertains to &os; ().The improper use of the
information contained herein may cause loss of system access,
aggravation of users, or inability to access the features
provided by X11. More importantly, MAC should not
be relied upon to completely secure a system. The
MAC framework only augments
existing security policy; without sound security practices and
regular security checks, the system will never be completely
secure.It should also be noted that the examples contained
within this chapter are just that, examples. It is not
recommended that these particular settings be rolled out
on a production system. Implementing the various security policy modules takes
a good deal of thought and testing. One who does not fully understand
exactly how everything works may find him or herself going
back through the entire system and reconfiguring many files
or directories.What Will Not Be CoveredThis chapter covers a broad range of security issues relating
to the MAC framework. The
development of new MAC security policy modules
will not be covered. A number of security policy modules included with the
MAC framework have specific characteristics
which are provided for both testing and new module
development. These include the &man.mac.test.4;,
&man.mac.stub.4; and &man.mac.none.4;.
For more information on these security policy modules and the various
mechanisms they provide, please review the manual pages.Key Terms in this ChapterBefore reading this chapter, a few key terms must be
explained. This will hopefully clear up any confusion that
may occur and avoid the abrupt introduction of new terms
and information.compartment: A compartment is a
set of programs and data to be partitioned or separated,
where users are given explicit access to specific components
of a system. Also, a compartment represents a grouping,
such as a work group, department, project, or topic. Using
compartments, it is possible to implement a need-to-know
security policy.high water mark: A high water mark
policy is one which permits the raising of security levels
for the purpose of accessing higher level information. In
most cases, the original level is restored after the process
is complete. Currently, the &os; MAC
framework does not have a policy for this, but the definition
is included for completeness.integrity: Integrity, as a key
concept, is the level of trust which can be placed on data.
As the integrity of the data is elevated, so does the ability
to trust that data.label: A label is a security
attribute which can be applied to files, directories, or
other items in the system. It could be considered
a confidentiality stamp; when a label is placed on
a file it describes the security properties for that specific
file and will only permit access by files, users, resources,
etc. with a similar security setting. The meaning and
interpretation of label values depends on the policy configuration: while
some policies might treat a label as representing the
integrity or secrecy of an object, other policies might use
labels to hold rules for access.level: The increased or decreased
setting of a security attribute. As the level increases,
its security is considered to elevate as well.low water mark: A low water mark
policy is one which permits lowering of the security levels
for the purpose of accessing information which is less
secure. In most cases, the original security level of the
user is restored after the process is complete. The only
security policy module in &os; to use this is
&man.mac.lomac.4;.multilabel: The
property is a file system option
which can be set in single user mode using the
&man.tunefs.8; utility, during the boot operation
using the &man.fstab.5; file, or during the creation of
a new file system. This option will permit an administrator
to apply different MAC labels on different
objects. This option
only applies to security policy modules which support labeling.object: An object or system
object is an entity through which information flows
under the direction of a subject.
This includes directories, files, fields, screens, keyboards,
memory, magnetic storage, printers or any other data
storage/moving device. Basically, an object is a data container or
a system resource; access to an object
effectively means access to the data.policy: A collection of rules
which defines how objectives are to be achieved. A
policy usually documents how certain
items are to be handled. This chapter will
consider the term policy in this
context as a security policy; i.e.
a collection of rules which will control the flow of data
and information and define whom will have access to that
data and information.sensitivity: Usually used when
discussing MLS. A sensitivity level is
a term used to describe how important or secret the data
should be. As the sensitivity level increases, so does the
importance of the secrecy, or confidentiality of the data.single label: A single label is
when the entire file system uses one label to
enforce access control over the flow of data. When a file
system has this set, which is any time when the
option is not set, all
files will conform to the same label setting.subject: a subject is any
active entity that causes information to flow between
objects; e.g. a user, user processor,
system process, etc. On &os;, this is almost always a thread
acting in a process on behalf of a user.Explanation of MACWith all of these new terms in mind, consider how the
MAC framework augments the security of
the system as a whole. The various security policy modules provided by
the MAC framework could be used to
protect the network and file systems, block users from
accessing certain ports and sockets, and more. Perhaps
the best use of the policy modules is to blend them together, by loading
several security policy modules at a time for a multi-layered
security environment. In a multi-layered security environment,
multiple policy modules are in effect to keep security in check. This
is different to a hardening policy, which typically hardens
elements of a system that is used only for specific purposes.
The only downside is administrative overhead in cases of
multiple file system labels, setting network access control
user by user, etc.These downsides are minimal when compared to the lasting
effect of the framework; for instance, the ability to pick and choose
which policies are required for a specific configuration keeps
performance overhead down. The reduction of support for unneeded
policies can increase the overall performance of the system as well as
offer flexibility of choice. A good implementation would
consider the overall security requirements and effectively implement
the various security policy modules offered by the framework.Thus a system utilizing MAC features
should at least guarantee that a user will not be permitted
to change security attributes at will; all user utilities,
programs and scripts must work within the constraints of
the access rules provided by the selected security policy modules; and
that total control of the MAC access
rules are in the hands of the system administrator.It is the sole duty of the system administrator to
carefully select the correct security policy modules. Some environments
may need to limit access control over the network; in these
cases, the &man.mac.portacl.4;, &man.mac.ifoff.4; and even
&man.mac.biba.4; policy modules might make good starting points. In other
cases, strict confidentiality of file system objects might
be required. Policy modules such as &man.mac.bsdextended.4;
and &man.mac.mls.4; exist for this purpose.Policy decisions could be made based on network
configuration. Perhaps only certain users should be permitted
access to facilities provided by &man.ssh.1; to access the
network or the Internet. The &man.mac.portacl.4; would be
the policy module of choice for these situations. But what should be
done in the case of file systems? Should all access to certain
directories be severed from other groups or specific
users? Or should we limit user or utility access to specific
files by setting certain objects as classified?In the file system case, access to objects might be
considered confidential to some users, but not to others.
For an example, a large development team might be broken
off into smaller groups of individuals. Developers in
project A might not be permitted to access objects written
by developers in project B. Yet they might need to access
objects created by developers in project C; that is quite a
situation indeed. Using the different security policy modules provided by
the MAC framework; users could
be divided into these groups and then given access to the
appropriate areas without fear of information
leakage.Thus, each security policy module has a unique way of dealing with
the overall security of a system. Module selection should be based
on a well thought out security policy. In many cases, the
overall policy may need to be revised and reimplemented on
the system. Understanding the different security policy modules offered by
the MAC framework will help administrators
choose the best policies for their situations.The default &os; kernel does not include the option for
the MAC framework; thus the following
kernel option must be added before trying any of the examples or
information in this chapter:options MACAnd the kernel will require a rebuild and a reinstall.While the various manual pages for MAC
policy modules state that they may be built into the kernel,
it is possible to lock the system out of
the network and more. Implementing MAC
is much like implementing a firewall, care must be taken
to prevent being completely locked out of the system. The
ability to revert back to a previous configuration should be
considered while the implementation of MAC
remotely should be done with extreme caution.Understanding MAC LabelsA MAC label is a security attribute
which may be applied to subjects and objects throughout
the system.When setting a label, the user must be able to comprehend
what it is, exactly, that is being done. The attributes
available on an object depend on the policy module loaded, and that
policy modules interpret their attributes in different
ways. If improperly configured due to lack of comprehension, or
the inability to understand the implications, the result will
be the unexpected and perhaps, undesired, behavior of the
system.The security label on an object is used as a part of a
security access control decision by a policy. With some
policies, the label by itself contains all information necessary
to make a decision; in other models, the labels may be processed
as part of a larger rule set, etc.For instance, setting the label of biba/low
on a file will represent a label maintained by the Biba security policy module,
with a value of low.A few policy modules which support the labeling feature in
&os; offer three specific predefined labels. These
are the low, high, and equal labels. Although they enforce
access control in a different manner with each policy module, you
can be sure that the low label will be the lowest setting,
the equal label will set the subject or object to be disabled
or unaffected, and the high label will enforce the highest
setting available in the Biba and MLS
policy modules.Within single label file system environments, only one label may be
used on objects. This will enforce one set of
access permissions across the entire system and in many
environments may be all that is required. There are a few
cases where multiple labels may be set on objects
or subjects in the file system. For those cases, the
option may be passed to
&man.tunefs.8;.In the case of Biba and MLS, a numeric
label may be set to indicate the precise level of hierarchical
control. This numeric level is used to partition or sort
information into different groups of say, classification only
permitting access to that group or a higher group level.In most cases the administrator will only be setting up a
single label to use throughout the file system.Hey wait, this is similar to DAC!
I thought MAC gave control strictly to the
administrator. That statement still holds true, to some
extent as root is the one in control and who
configures the policies so that users are placed in the
appropriate categories/access levels. Alas, many policy modules can
restrict the root user as well. Basic
control over objects will then be released to the group, but
root may revoke or modify the settings
at any time. This is the hierarchal/clearance model covered
by policies such as Biba and MLS.Label ConfigurationVirtually all aspects of label policy module configuration
will be performed using the base system utilities. These
commands provide a simple interface for object or subject
configuration or the manipulation and verification of
the configuration.All configuration may be done by use of the
&man.setfmac.8; and &man.setpmac.8; utilities.
The setfmac command is used to set
MAC labels on system objects while the
setpmac command is used to set the labels
on system subjects. Observe:&prompt.root; setfmac biba/high testIf no errors occurred with the command above, a prompt
will be returned. The only time these commands are not
quiescent is when an error occurred; similarly to the
&man.chmod.1; and &man.chown.8; commands. In some cases this
error may be a Permission denied and
is usually obtained when the label is being set or modified
on an object which is restricted.Other conditions
may produce different failures. For instance, the file may not
be owned by the user attempting to relabel the object, the
object may not exist or may be read only. A mandatory policy
will not allow the process to relabel the file, maybe because
of a property of the file, a property of the process, or a
property of the proposed new label value. For example: a user
running at low integrity tries to change the label of a high
integrity file. Or perhaps a user running at low integrity
tries to change the label of a low integrity file to a high
integrity label. The system administrator
may use the following commands to overcome this:&prompt.root; setfmac biba/high testPermission denied
&prompt.root; setpmac biba/low setfmac biba/high test
&prompt.root; getfmac test
test: biba/highAs we see above, setpmac
can be used to override the policy module's settings by assigning
a different label to the invoked process. The
getpmac utility is usually used with currently
running processes, such as sendmail:
although it takes a process ID in place of
a command the logic is extremely similar. If users
attempt to manipulate a file not in their access, subject to the
rules of the loaded policy modules, the
Operation not permitted error
will be displayed by the mac_set_link
function.Common Label TypesFor the &man.mac.biba.4;, &man.mac.mls.4; and
&man.mac.lomac.4; policy modules, the ability to assign
simple labels is provided. These take the form of high,
equal and low, what follows is a brief description of
what these labels provide:The low label is considered the
lowest label setting an object or subject may have.
Setting this on objects or subjects will block their
access to objects or subjects marked high.The equal label should only be
placed on objects considered to be exempt from the
policy.The high label grants an object or
subject the highest possible setting.With respect to each policy module, each of those settings
will instate a different information flow directive. Reading
the proper manual pages will further explain the traits of
these generic label configurations.Advanced Label ConfigurationNumeric grade labels are used for
comparison:compartment+compartment; thus
the following:biba/10:2+3+6(5:2+3-20:2+3+4+5+6)May be interpreted as:Biba Policy Label/Grade 10
:Compartments 2, 3 and 6:
(grade 5 ...)In this example, the first grade would be considered
the effective grade with
effective compartments, the second grade
is the low grade and the last one is the high grade.
In most configurations these settings will not be used;
indeed, they offered for more advanced
configurations.When applied to system objects, they will only have a
current grade/compartments as opposed to system subjects
as they reflect the range of available rights in the system,
and network interfaces, where they are used for access
control.The grade and compartments in a subject and object pair
are used to construct a relationship referred to as
dominance, in which a subject dominates an
object, the object dominates the subject, neither dominates
the other, or both dominate each other. The
both dominate case occurs when the two labels
are equal. Due to the information flow nature of Biba, you
have rights to a set of compartments,
need to know, that might correspond to
projects, but objects also have a set of compartments.
Users may have to subset their rights using
su or setpmac in order
to access objects in a compartment from which they are not
restricted.Users and Label SettingsUsers themselves are required to have labels so that
their files and processes may properly interact with the
security policy defined on the system. This is
configured through the login.conf file
by use of login classes. Every policy module that uses labels
will implement the user class setting.An example entry containing every policy module setting is displayed
below:default:\
:copyright=/etc/COPYRIGHT:\
:welcome=/etc/motd:\
:setenv=MAIL=/var/mail/$,BLOCKSIZE=K:\
:path=~/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:\
:manpath=/usr/share/man /usr/local/man:\
:nologin=/usr/sbin/nologin:\
:cputime=1h30m:\
:datasize=8M:\
:vmemoryuse=100M:\
:stacksize=2M:\
:memorylocked=4M:\
:memoryuse=8M:\
:filesize=8M:\
:coredumpsize=8M:\
:openfiles=24:\
:maxproc=32:\
:priority=0:\
:requirehome:\
:passwordtime=91d:\
:umask=022:\
:ignoretime@:\
:label=partition/13,mls/5,biba/10(5-15),lomac/10[2]:The label option is used to set the
user class default label which will be enforced by
MAC. Users will never be permitted to
modify this value, thus it can be considered not optional
in the user case. In a real configuration, however, the
administrator will never wish to enable every policy module.
It is recommended that the rest of this chapter be reviewed
before any of this configuration is implemented.Users may change their label after the initial login;
however, this change is subject constraints of the policy.
The example above tells the Biba policy that a process's
minimum integrity is 5, its maximum is 15, but the default
effective label is 10. The process will run at 10 until
it chooses to change label, perhaps due to the user using
the setpmac command, which will be constrained by Biba to
the range set at login.In all cases, after a change to
login.conf, the login class capability
database must be rebuilt using cap_mkdb
and this will be reflected throughout every forthcoming
example or discussion.It is useful to note that many sites may have a
particularly large number of users requiring several
different user classes. In depth planning is required
as this may get extremely difficult to manage.Future versions of &os; will include a new way to
deal with mapping users to labels; however, this will
not be available until some time after &os; 5.3.Network Interfaces and Label SettingsLabels may also be set on network interfaces to help
control the flow of data across the network. In all cases
they function in the same way the policies function with
respect to objects. Users at high settings in
biba, for example, will not be permitted
to access network interfaces with a label of low.The may be passed to
ifconfig when setting the
MAC label on network interfaces. For
example:&prompt.root; ifconfig bge0 maclabel biba/equalwill set the MAC label of
biba/equal on the &man.bge.4; interface.
When using a setting similar to
biba/high(low-high) the entire label should
be quoted; otherwise an error will be returned.Each policy module which supports labeling has a tunable
which may be used to disable the MAC
label on network interfaces. Setting the label to
will have a similar effect. Review
the output from sysctl, the policy manual
pages, or even the information found later in this chapter
for those tunables.Singlelabel or Multilabel?By default the system will use the
option. But what does this
mean to the administrator? There are several differences
which, in their own right, offer pros and cons to the
flexibility in the systems security model.The only permits for one
label, for instance biba/high to be used
for each subject or object. It provides for lower
administration overhead but decreases the flexibility of
policies which support labeling. Many administrators may
want to use the option in
their security policy.The option will permit each
subject or object to have its own independent
MAC label in
place of the standard option
which will allow only one label throughout the partition.
The and
label options are only required for the policies which
implement the labeling feature, including the Biba, Lomac,
MLS and SEBSD
policies.In many cases, the may not need
to be set at all. Consider the following situation and
security model:&os; web-server using the MAC
framework and a mix of the various policies.This machine only requires one label,
biba/high, for everything in the system.
Here the file system would not require the
option as a single label
will always be in effect.But, this machine will be a web server and should have
the web server run at biba/low to prevent
write up capabilities. The Biba policy and how it works
will be discussed later, so if the previous comment was
difficult to interpret just continue reading and return.
The server could use a separate partition set at
biba/low for most if not all of its
runtime state. Much is lacking from this example, for
instance the restrictions on data, configuration and user
settings; however, this is just a quick example to prove the
aforementioned point.If any of the non-labeling policies are to be used,
then the option would never
be required. These include the seeotheruids,
portacl and partition
policies.It should also be noted that using
with a partition and establishing
a security model based on
functionality could open the doors for higher administrative
overhead as everything in the file system would have a label.
This includes directories, files, and even device
nodes.The following command will set
on the file systems to have multiple labels. This may only be
done in single user mode:&prompt.root; tunefs -l enable /This is not a requirement for the swap file
system.Some users have experienced problems with setting the
flag on the root partition.
If this is the case, please review the
of this chapter.Planning the Security ConfigurationWhenever a new technology is implemented, a planning phase is
always a good idea. During the planning stages, an administrator
should in general look at the big picture, trying
to keep in view at least the following:The implementation requirements;The implementation goals;For MAC installations, these include:How to classify information and resources available on
the target systems.What sorts of information or resources to restrict
access to along with the type of restrictions that should be
applied.Which MAC module or modules will be
required to achieve this goal.It is always possible to reconfigure and change the
system resources and security settings, it is quite often very inconvenient to
search through the system and fix existing files and user
accounts. Planning helps to ensure a trouble-free and efficient
trusted system implementation. A trial run of the trusted system,
including the configuration, is often vital and definitely
beneficial before a MAC
implementation is used on production systems. The idea of just
letting loose on a system
with MAC is like setting up for failure.Different environments may have explicit needs and
requirements. Establishing an in depth and complete security
profile will decrease the need of changes once the system
goes live. As such, the future sections will cover the
different modules available to administrators; describe their
use and configuration; and in some cases provide insight on
what situations they would be most suitable for. For instance,
a web server might roll out the &man.mac.biba.4; and
&man.mac.bsdextended.4; policies. In other cases, a machine
with very few local users, the &man.mac.partition.4; might
be a good choice.Module ConfigurationEvery module included with the MAC
framework may be either compiled into the kernel as noted above
or loaded as a run-time kernel module.
The recommended method is to add the module name to the
/boot/loader.conf file so that it will load
during the initial boot operation.The following sections will discuss the various
MAC modules and cover their features.
Implementing them into a specific environment will also
be a consideration of this chapter. Some modules support
the use of labeling, which is controlling access by enforcing
a label such as this is allowed and this is not.
A label configuration file may control how files may be accessed,
network communication can be exchanged, and more. The previous
section showed how the flag could
be set on file systems to enable per-file or per-partition
access control.A single label configuration would enforce only one label
across the system, that is why the tunefs
option is called .The MAC seeotheruids ModuleMAC See Other UIDs PolicyModule name: mac_seeotheruids.koKernel configuration line:
options MAC_SEEOTHERUIDSBoot option:
mac_seeotheruids_load="YES"The &man.mac.seeotheruids.4; module mimics and extends
the security.bsd.see_other_uids and
security.bsd.see_other_gidssysctl tunables. This option does
not require any labels to be set before configuration and
can operate transparently with the other modules.After loading the module, the following
sysctl tunables may be used to control
the features:security.mac.seeotheruids.enabled
will enable the module's features and use the default
settings. These default settings will deny users the
ability to view processes and sockets owned by other
users.security.mac.seeotheruids.specificgid_enabled
will allow a certain group to be exempt from this policy.
To exempt specific groups from this policy, use the
security.mac.seeotheruids.specificgid=XXXsysctl tunable. In the above example,
the XXX should be replaced with the
numeric group ID to be exempted.security.mac.seeotheruids.primarygroup_enabled
is used to exempt specific primary groups from this policy.
When using this tunable, the
security.mac.seeotheruids.specificgid_enabled
may not be set.The MAC bsdextended ModuleMACFile System Firewall PolicyModule name: mac_bsdextended.koKernel configuration line:
options MAC_BSDEXTENDEDBoot option:
mac_bsdextended_load="YES"The &man.mac.bsdextended.4; module enforces the file system
firewall. This module's policy provides an extension to the
standard file system permissions model, permitting an
administrator to create a firewall-like ruleset to protect files,
utilities, and directories in the file system hierarchy. When
access to a file system object is attempted, the list of rules
is iterated until either a matching rule is located or the end
is reached. This behavior may be changed by the use of a
&man.sysctl.8; parameter,
security.mac.bsdextended.firstmatch_enabled. Similar to
other firewall modules in &os;, a file containing access control
rules can be created and read by the system at boot time using
an &man.rc.conf.5; variable.The rule list may be entered using a utility, &man.ugidfw.8;,
that has a syntax similar to that of &man.ipfw.8;. More tools
can be written by using the functions in the
&man.libugidfw.3; library.Extreme caution should be taken when working with this
module; incorrect use could block access to certain parts of
the file system.ExamplesAfter the &man.mac.bsdextended.4; module has
been loaded, the following command may be used to list the
current rule configuration:&prompt.root; ugidfw list
0 slots, 0 rulesAs expected, there are no rules defined. This means that
everything is still completely accessible. To create a rule
which will block all access by users but leave
root unaffected, simply run the
following command:&prompt.root; ugidfw add subject not uid root new object not uid root mode nIn releases prior to &os; 5.3, the
add parameter did not exist. In those
cases the set should be used
instead. See below for a command example.This is a very bad idea as it will block all users from
issuing even the most simple commands, such as
ls. A more patriotic list of rules
might be:&prompt.root; ugidfw set 2 subject uid user1 object uid user2 mode n
&prompt.root; ugidfw set 3 subject uid user1 object gid user2 mode nThis will block any and all access, including directory
listings, to user2's home
directory from the username user1.In place of user1, the
could
be passed. This will enforce the same access restrictions
above for all users in place of just one user.The root user will be unaffected
by these changes.This should provide a general idea of how the
&man.mac.bsdextended.4; module may be used to help fortify
a file system. For more information, see the
&man.mac.bsdextended.4; and the &man.ugidfw.8; manual
pages.The MAC ifoff ModuleMAC Interface Silencing PolicyModule name: mac_ifoff.koKernel configuration line:
options MAC_IFOFFBoot option: mac_ifoff_load="YES"The &man.mac.ifoff.4; module exists solely to disable network
interfaces on the fly and keep network interfaces from being
brought up during the initial system boot. It does not require
any labels to be set up on the system, nor does it have a
dependency on other MAC modules.Most of the control is done through the
sysctl tunables listed below.security.mac.ifoff.lo_enabled will
enable/disable all traffic on the loopback (&man.lo.4;)
interface.security.mac.ifoff.bpfrecv_enabled will
enable/disable all traffic on the Berkeley Packet Filter
interface (&man.bpf.4;)security.mac.ifoff.other_enabled will
enable/disable traffic on all other interfaces.One of the most common uses of &man.mac.ifoff.4; is network
monitoring in an environment where network traffic should not
be permitted during the boot sequence. Another suggested use
would be to write a script which uses
security/aide to automatically
block network traffic if it finds new or altered files in
protected directories.The MAC portacl ModuleMAC Port Access Control List PolicyModule name: mac_portacl.koKernel configuration line:
MAC_PORTACLBoot option: mac_portacl_load="YES"The &man.mac.portacl.4; module is used to limit binding to
local TCP and UDP ports
using a variety of sysctl variables. In
essence &man.mac.portacl.4; makes it possible to allow
non-root users to bind to specified
privileged ports, i.e. ports fewer than 1024.Once loaded, this module will enable the
MAC policy on all sockets. The following
tunables are available:security.mac.portacl.enabled will
enable/disable the policy completely.security.mac.portacl.port_high will set
the highest port number that &man.mac.portacl.4;
will enable protection for.security.mac.portacl.suser_exempt will,
when set to a non-zero value, exempt the
root user from this policy.security.mac.portacl.rules will
specify the actual mac_portacl policy; see below.The actual mac_portacl policy, as
specified in the security.mac.portacl.rules
sysctl, is a text string of the form:
rule[,rule,...] with as many rules as
needed. Each rule is of the form:
idtype:id:protocol:port. The
idtype parameter can be
uid or gid and used to
interpret the id parameter as either a
user id or group id, respectively. The
protocol parameter is used to determine if
the rule should apply to TCP or
UDP by setting the parameter to
tcp or udp. The final
port parameter is the port number to allow
the specified user or group to bind to.Since the ruleset is interpreted directly by the kernel
only numeric values can be used for the user ID, group ID, and
port parameters. I.e. user, group, and port service names
cannot be used.By default, on &unix;-like systems, ports fewer than 1024
can only be used by/bound to privileged processes,
i.e. those run as root. For
&man.mac.portacl.4; to allow non-privileged processes to bind
to ports below 1024 this standard &unix; restriction has to be
disabled. This can be accomplished by setting the &man.sysctl.8;
variables net.inet.ip.portrange.reservedlow and
net.inet.ip.portrange.reservedhigh
to zero.See the examples below or review the &man.mac.portacl.4;
manual page for further information.ExamplesThe following examples should illuminate the above
discussion a little better:&prompt.root; sysctl security.mac.portacl.port_high=1023
&prompt.root; sysctl net.inet.ip.portrange.reservedlow=0 net.inet.ip.portrange.reservedhigh=0First we set &man.mac.portacl.4; to cover the standard
privileged ports and disable the normal &unix; bind
restrictions.&prompt.root; sysctl security.mac.portacl.suser_exempt=1The root user should not be crippled
by this policy, thus set the
security.mac.portacl.suser_exempt to a
non-zero value. The &man.mac.portacl.4; module
has now been set up to behave the same way &unix;-like systems
behave by default.&prompt.root; sysctl security.mac.portacl.rules=uid:80:tcp:80Allow the user with UID 80 (normally
the www user) to bind to port 80.
This can be used to allow the www
user to run a web server without ever having
root privilege.&prompt.root; sysctl security.mac.portacl.rules=uid:1001:tcp:110,uid:1001:tcp:995Permit the user with the UID of
1001 to bind to the TCP ports 110
(pop3) and 995 (pop3s).
This will permit this user to start a server that accepts
connections on ports 110 and 995.The MAC partition ModuleMAC Process Partition PolicyModule name: mac_partition.koKernel configuration line:
options MAC_PARTITIONBoot option:
mac_partition_load="YES"The &man.mac.partition.4; policy will drop processes into
specific partitions based on their
MAC label. Think of it as a special
type of &man.jail.8;, though that is hardly a worthy
comparison.This is one module that should be added to the
&man.loader.conf.5; file so that it loads
and enables the policy during the boot process.Most configuration for this policy is done using
the &man.setpmac.8; utility which will be explained below.
The following sysctl tunable is
available for this policy:security.mac.partition.enabled will
enable the enforcement of MAC process
partitions.When this policy is enabled, users will only be permitted
to see their processes, and any others within their partition,
but will not be permitted to work with
utilities outside the scope of this partition. For instance, a user in the
insecure class above will not be permitted
to access the top command as well as many
other commands that must spawn a process.To set or drop utilities into a partition label, use the
setpmac utility:&prompt.root; setpmac partition/13 topThis will add the top command to the
label set on users in the insecure class.
Note that all processes spawned by users
in the insecure class will stay in the
partition/13 label.ExamplesThe following command will show you the partition label
and the process list:&prompt.root; ps ZaxThis next command will allow the viewing of another
user's process partition label and that user's currently
running processes:&prompt.root; ps -ZU trhodesUsers can see processes in root's
label unless the &man.mac.seeotheruids.4; policy is
loaded.A really crafty implementation could have all of the
services disabled in /etc/rc.conf and
started by a script that starts them with the proper
labeling set.The following policies support integer settings
in place of the three default labels offered. These options,
including their limitations, are further explained in
the module manual pages.The MAC Multi-Level Security ModuleMAC Multi-Level Security PolicyModule name: mac_mls.koKernel configuration line:
options MAC_MLSBoot option: mac_mls_load="YES"The &man.mac.mls.4; policy controls access between subjects
and objects in the system by enforcing a strict information
flow policy.In MLS environments, a
clearance level is set in each subject or objects
label, along with compartments. Since these clearance or
sensibility levels can reach numbers greater than six thousand;
it would be a daunting task for any system administrator to
thoroughly configure each subject or object. Thankfully, three
instant labels are already included in this
policy.These labels are mls/low,
mls/equal and mls/high.
Since these labels are described in depth in the manual page,
they will only get a brief description here:The mls/low label contains a low
configuration which permits it to be dominated by all other
objects. Anything labeled with mls/low
will have a low clearance level and not be permitted to access
information of a higher level. In addition, this label will
prevent objects of a higher clearance level from writing or
passing information on to them.The mls/equal label should be
placed on objects considered to be exempt from the
policy.The mls/high label is the highest level
of clearance possible. Objects assigned this label will
hold dominance over all other objects in the system; however,
they will not permit the leaking of information to objects
of a lower class.MLS provides for:A hierarchical security level with a set of non
hierarchical categories;Fixed rules: no read up, no write down (a subject can
have read access to objects on its own level or below, but
not above. Similarly, a subject can have write access to
objects on its own level or above but not beneath.);Secrecy (preventing inappropriate disclosure
of data);Basis for the design of systems that concurrently handle
data at multiple sensitivity levels (without leaking
information between secret and confidential).The following sysctl tunables are
available for the configuration of special services and
interfaces:security.mac.mls.enabled is used to
enable/disable the MLS policy.security.mac.mls.ptys_equal will label
all &man.pty.4; devices as mls/equal during
creation.security.mac.mls.revocation_enabled is
used to revoke access to objects after their label changes
to a label of a lower grade.security.mac.mls.max_compartments is
used to set the maximum number of compartment levels with
objects; basically the maximum compartment number allowed
on a system.To manipulate the MLS labels, the
&man.setfmac.8; command has been provided. To assign a label
to an object, issue the following command:&prompt.root; setfmac mls/5 testTo get the MLS label for the file
test issue the following command:&prompt.root; getfmac testThis is a summary of the MLS
policy's features. Another approach is to create a master policy
file in /etc which
specifies the MLS policy information and to
feed that file into the setfmac command. This
method will be explained after all policies are covered.Planning Mandatory SensitivityWith the Multi-Level Security Policy Module, an
administrator plans for controlling the flow of sensitive
information. By default, with its block read up block write
down nature, the system defaults everything to a low state.
Everything is accessible and an administrator
slowly changes this during the configuration stage; augmenting
the confidentiality of the information.Beyond the three basic label options above, an administrator
may group users and groups as required to block the information
flow between them. It might be easier to look at the
information in clearance levels familiarized with words, for
instance classifications such as
Confidential, Secret,
and Top Secret. Some administrators might
just create different groups based on project levels.
Regardless of classification method, a well thought out plan
must exist before implementing such a restrictive policy.Some example situations for this security policy module
could be an e-commerce web server, a file server holding critical
company information, and financial institution environments.
The most unlikely place would be a personal workstation with
only two or three users.The MAC Biba ModuleMAC Biba Integrity PolicyModule name: mac_biba.koKernel configuration line: options MAC_BIBABoot option: mac_biba_load="YES"The &man.mac.biba.4; module loads the MAC
Biba policy. This policy works much like that of the
MLS policy with the exception that the rules
for information flow
are slightly reversed. This is said to prevent the downward
flow of sensitive information whereas the MLS
policy prevents the upward flow of sensitive information; thus,
much of this section can apply to both policies.In Biba environments, an integrity label is
set on each subject or object. These labels are made up of
hierarchal grades, and non-hierarchal components. As an object's
or subject's grade ascends, so does its integrity.Supported labels are biba/low,
biba/equal, and biba/high;
as explained below:The biba/low label is considered the
lowest integrity an object or subject may have. Setting
this on objects or subjects will block their write access
to objects or subjects marked high. They still have read
access though.The biba/equal label should only be
placed on objects considered to be exempt from the
policy.The biba/high label will permit
writing to objects set at a lower label, but not
permit reading that object. It is recommended that this
label be placed on objects that affect the integrity of
the entire system.Biba provides for:Hierarchical integrity level with a set of non
hierarchical integrity categories;Fixed rules: no write up, no read down (opposite of
MLS). A subject can have write access
to objects on its own level or below, but not above. Similarly, a
subject can have read access to objects on its own level
or above, but not below;Integrity (preventing inappropriate modification of
data);Integrity levels (instead of MLS sensitivity
levels).The following sysctl tunables can
be used to manipulate the Biba policy.security.mac.biba.enabled may be used
to enable/disable enforcement of the Biba policy on the
target machine.security.mac.biba.ptys_equal may be
used to disable the Biba policy on &man.pty.4;
devices.security.mac.biba.revocation_enabled
will force the revocation of access to objects if the label
is changed to dominate the subject.To access the Biba policy setting on system objects, use
the setfmac and getfmac
commands:&prompt.root; setfmac biba/low test
&prompt.root; getfmac test
test: biba/lowPlanning Mandatory IntegrityIntegrity, different from sensitivity, guarantees that the
information will never be manipulated by untrusted parties.
This includes information passed between subjects, objects,
and both. It ensures that users will only be able to modify
and in some cases even access information they explicitly need
to.The &man.mac.biba.4; security policy module permits an
administrator to address which files and programs a user or
users may see and invoke while assuring that the programs and
files are free from threats and trusted by the system for that
user, or group of users.During the initial planning phase, an administrator must be
prepared to partition users into grades, levels, and areas.
Users will be blocked access not only to data but programs
and utilities both before and after they start. The system will
default to a high label once this policy module is enabled, and
it is up to the administrator to configure the different grades
and levels for users. Instead of using clearance levels as
described above, a good planning method could include topics.
For instance, only allow developers modification access to the source code
repository, source code compiler, and other development
utilities. While other users would be grouped into other
categories such as testers, designers, or just ordinary
users and would only be permitted read access.With its natural security control, a lower integrity subject
is unable to write to a higher integrity subject; a higher
integrity subject cannot observe or read a lower integrity
object. Setting a label at the lowest possible grade could make
it inaccessible to subjects. Some prospective environments for
this security policy module would include a constrained web
server, development and test machine, and source code
repository. A less useful implementation would be a personal
workstation, a machine used as a router, or a network
firewall.The MAC LOMAC ModuleMAC LOMACModule name: mac_lomac.koKernel configuration line: options MAC_LOMACBoot option: mac_lomac_load="YES"Unlike the MAC Biba policy, the
&man.mac.lomac.4; policy permits access to lower integrity
objects only after decreasing the integrity level to not disrupt
any integrity rules.The MAC version of the Low-watermark
integrity policy, not to be confused with the older &man.lomac.4;
implementation, works almost identically to Biba, but with the
exception of using floating labels to support subject
demotion via an auxiliary grade compartment. This secondary
compartment takes the form of [auxgrade].
When assigning a lomac policy with an auxiliary grade, it
should look a little bit like: lomac/10[2]
where the number two (2) is the auxiliary grade.The MAC LOMAC policy relies on the
ubiquitous labeling of all system objects with integrity labels,
permitting subjects to read from low integrity objects and then
downgrading the label on the subject to prevent future writes to
high integrity objects. This is the
[auxgrade] option discussed above, thus the
policy may provide for greater compatibility and require less
initial configuration than Biba.ExamplesLike the Biba and MLS policies;
the setfmac and setpmac
utilities may be used to place labels on system objects:&prompt.root; setfmac /usr/home/trhodes lomac/high[low]
&prompt.root; getfmac /usr/home/trhodes lomac/high[low]Notice the auxiliary grade here is low,
this is a feature provided only by the MAC
LOMAC policy.Nagios in a MAC JailNagios in a MAC JailThe following demonstration will implement a secure
environment using various MAC modules
with properly configured policies. This is only a test and
should not be considered the complete answer to everyone's
security woes. Just implementing a policy and ignoring it
never works and could be disastrous in a production
environment.Before beginning this process, the
multilabel option must be set on each file
system as stated at the beginning of this chapter. Not doing
so will result in errors. While at it, ensure that the
- net-mngt/nagios-plugins,
- net-mngt/nagios, and
- www/apache13 ports are all
+ net-mngt/nagios-plugins,
+ net-mngt/nagios, and
+ www/apache13 ports are all
installed, configured, and working correctly.Create an insecure User ClassBegin the procedure by adding the following user class
to the /etc/login.conf file:insecure:\
:copyright=/etc/COPYRIGHT:\
:welcome=/etc/motd:\
:setenv=MAIL=/var/mail/$,BLOCKSIZE=K:\
:path=~/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin
:manpath=/usr/share/man /usr/local/man:\
:nologin=/usr/sbin/nologin:\
:cputime=1h30m:\
:datasize=8M:\
:vmemoryuse=100M:\
:stacksize=2M:\
:memorylocked=4M:\
:memoryuse=8M:\
:filesize=8M:\
:coredumpsize=8M:\
:openfiles=24:\
:maxproc=32:\
:priority=0:\
:requirehome:\
:passwordtime=91d:\
:umask=022:\
:ignoretime@:\
:label=biba/10(10-10):And adding the following line to the default user
class::label=biba/high:Once this is completed, the following command must be
issued to rebuild the database:&prompt.root; cap_mkdb /etc/login.confBoot ConfigurationDo not reboot yet, just add the following lines to
/boot/loader.conf so the required
modules will load during system initialization:mac_biba_load="YES"
mac_seeotheruids_load="YES"Configure UsersSet the root user to the default
class using:&prompt.root; pw usermod root -L defaultAll user accounts that are not root
or system users will now require a login class. The login
class is required otherwise users will be refused access
to common commands such as &man.vi.1;.
The following sh script should do the
trick:&prompt.root; for x in `awk -F: '($3 >= 1001) && ($3 != 65534) { print $1 }' \/etc/passwd`; do pw usermod $x -L default; done;Drop the nagios and
www users into the insecure class:&prompt.root; pw usermod nagios -L insecure&prompt.root; pw usermod www -L insecureCreate the Contexts FileA contexts file should now be created; the following example
file should be placed in
/etc/policy.contexts.# This is the default BIBA policy for this system.
# System:
/var/run biba/equal
/var/run/* biba/equal
/dev biba/equal
/dev/* biba/equal
/var biba/equal
/var/spool biba/equal
/var/spool/* biba/equal
/var/log biba/equal
/var/log/* biba/equal
/tmp biba/equal
/tmp/* biba/equal
/var/tmp biba/equal
/var/tmp/* biba/equal
/var/spool/mqueue biba/equal
/var/spool/clientmqueue biba/equal
# For Nagios:
/usr/local/etc/nagios
/usr/local/etc/nagios/* biba/10
/var/spool/nagios biba/10
/var/spool/nagios/* biba/10
# For apache
/usr/local/etc/apache biba/10
/usr/local/etc/apache/* biba/10This policy will enforce security by setting restrictions
on the flow of information. In this specific configuration,
users, root and others, should never be
allowed to access Nagios.
Configuration files and processes that are a part of
Nagios will be completely self
contained or jailed.This file may now be read into our system by issuing the
following command:&prompt.root; setfsmac -ef /etc/policy.contexts /
&prompt.root; setfsmac -ef /etc/policy.contexts /The above file system layout may be different depending
on environment; however, it must be run on every single file
system.The /etc/mac.conf file requires
the following modifications in the main section:default_labels file ?biba
default_labels ifnet ?biba
default_labels process ?biba
default_labels socket ?bibaEnable NetworkingAdd the following line to
/boot/loader.conf:security.mac.biba.trust_all_interfaces=1And the following to the network card configuration stored
in rc.conf. If the primary Internet
configuration is done via DHCP, this may
need to be configured manually after every system boot:maclabel biba/equalTesting the ConfigurationMAC Configuration TestingEnsure that the web server and
Nagios will not be started
on system initialization, and reboot. Ensure the
root user cannot access any of the files
in the Nagios configuration
directory. If root can issue an &man.ls.1;
command on /var/spool/nagios, then something
is wrong. Otherwise a permission denied error
should be returned.If all seems well, Nagios,
Apache, and
Sendmail can now be started in a way
fitting of the security policy. The following commands will
make this happen:&prompt.root; cd /etc/mail && make stop && \
setpmac biba/equal make start && setpmac biba/10\(10-10\) apachectl start && \
setpmac biba/10\(10-10\) /usr/local/etc/rc.d/nagios.sh forcestartDouble check to ensure that everything is working
properly. If not, check the log files or error messages. Use
the &man.sysctl.8; utility to disable the &man.mac.biba.4;
security policy module enforcement and try starting everything
again, like normal.The root user can change the security
enforcement and edit the configuration files without fear.
The following command will permit the degradation of the
security policy to a lower grade for a newly spawned
shell:&prompt.root; setpmac biba/10 cshTo block this from happening, force the user into a range
via &man.login.conf.5;. If &man.setpmac.8; attempts to run
a command outside of the compartment's range, an error will
be returned and the command will not be executed. In this
case, setting root to
biba/high(high-high).User Lock DownThis example considers a relatively small, fewer than fifty
users, storage system. Users would have login capabilities, and
be permitted to not only store data but access resources as
well.For this scenario, the &man.mac.bsdextended.4; mixed with
&man.mac.seeotheruids.4; could co-exist and block access not
only to system objects but to hide user processes as well.
Begin by adding the following lines to
/boot/loader.conf:mac_seeotheruids_enabled="YES"The &man.mac.bsdextended.4; security policy module may be
activated through the use of the following rc.conf
variable:ugidfw_enable="YES"Default rules stored in
/etc/rc.bsdextended will be loaded at system
initialization; however, the default entries may need
modification. Since this machine is expected only to service
users, everything may be left commented out except the last
two. These will force the loading of user owned system objects
by default.Add the required users to this machine and reboot. For
testing purposes, try logging in as a different user across two
consoles. Run the ps aux command to see if
processes of other users are visible. Try to run &man.ls.1; on
another users home directory, it should fail.Do not try to test with the root user
unless the specific sysctls have been modified
to block super user access.When a new user is added, their &man.mac.bsdextended.4;
rule will not be in the ruleset list. To update the ruleset
quickly, simply unload the security policy module and reload
it again using the &man.kldunload.8; and &man.kldload.8;
utilities.Troubleshooting the MAC FrameworkMAC TroubleshootingDuring the development stage, a few users reported problems
with normal configuration. Some of these problems
are listed below:The option cannot be enabled on
/The flag does not stay
enabled on my root (/) partition!It seems that one out of every fifty users has this
problem, indeed, we had this problem during our initial
configuration. Further observation of this so called
bug has lead me to believe that it is a
result of either incorrect documentation or misinterpretation
of the documentation. Regardless of why it happened, the
following steps may be taken to resolve it:Edit /etc/fstab and set the root
partition at for read-only.Reboot into single user mode.Run tunefs
on /.Reboot the system into normal mode.Run mount/ and change the
back to in /etc/fstab
and reboot the system again.Double-check the output from the
mount to ensure that
has been properly set on the
root file system.Cannot start a X11 server after MACAfter establishing a secure environment with
MAC, I am no longer able to start
X!This could be caused by the MAC
partition policy or by a mislabeling in
one of the MAC labeling policies. To
debug, try the following:Check the error message; if the user is in the
insecure class, the
partition policy may be the culprit.
Try setting the user's class back to the
default class and rebuild the database
with the cap_mkdb command. If this
does not alleviate the problem, go to step two.Double-check the label policies. Ensure that the
policies are set correctly for the user in question, the
X11 application, and
the /dev
entries.If neither of these resolve the problem, send the
error message and a description of your environment to
the TrustedBSD discussion lists located at the
TrustedBSD
website or to the &a.questions;
mailing list.Error: &man..secure.path.3; cannot stat .login_confWhen I attempt to switch from the root
to another user in the system, the error message
_secure_path: unable to state .login_conf.This message is usually shown when the user has a higher
label setting then that of the user whom they are attempting to
become. For instance a user on the system,
joe, has a default label of
. The root user,
who has a label of , cannot view
joe's home directory. This will happen
regardless if root has used the
su command to become joe,
or not. In this scenario, the Biba integrity model will not
permit root to view objects set at a lower
integrity level.The root username is broken!In normal or even single user mode, the
root is not recognized. The
whoami command returns 0 (zero) and
su returns who are you?.
What could be going on?This can happen if a labeling policy has been disabled,
either by a &man.sysctl.8; or the policy module was unloaded.
If the policy is being disabled or has been temporarily
disabled, then the login capabilities database needs to be
reconfigured with the option being
removed. Double check the login.conf
file to ensure that all options have
been removed and rebuild the database with the
cap_mkdb command.This may also happen if a policy restricts access to the
master.passwd file or database. Usually
caused by an administrator altering the file under a label
which conflicts with the general policy being used by the
system. In these cases, the user information would be read
by the system and access would be blocked as the file has
inherited the new label. Disable the policy via a
&man.sysctl.8; and everything should return to normal.
diff --git a/en_US.ISO8859-1/books/handbook/security/chapter.sgml b/en_US.ISO8859-1/books/handbook/security/chapter.sgml
index fec3a5a25e..b55da3de6e 100644
--- a/en_US.ISO8859-1/books/handbook/security/chapter.sgml
+++ b/en_US.ISO8859-1/books/handbook/security/chapter.sgml
@@ -1,4419 +1,4419 @@
MatthewDillonMuch of this chapter has been taken from the
security(7) manual page by SecuritysecuritySynopsisThis chapter will provide a basic introduction to system security
concepts, some general good rules of thumb, and some advanced topics
under &os;. A lot of the topics covered here can be applied
to system and Internet security in general as well. The Internet
is no longer a friendly place in which everyone
wants to be your kind neighbor. Securing your system is imperative
to protect your data, intellectual property, time, and much more
from the hands of hackers and the like.&os; provides an array of utilities and mechanisms to ensure
the integrity and security of your system and network.After reading this chapter, you will know:Basic system security concepts, in respect to &os;.About the various crypt mechanisms available in &os;,
such as DES and MD5.How to set up one-time password authentication.How to configure TCP Wrappers for use
with inetd.How to set up KerberosIV on &os;
releases prior to 5.0.How to set up Kerberos5 on
&os;.How to configure IPsec and create a VPN between
&os;/&windows; machines.How to configure and use OpenSSH, &os;'s SSH
implementation.What file system ACLs are and how to use them.How to use the Portaudit
utility to audit third party software packages installed
from the Ports Collection.How to utilize the &os; security advisories
publications.Have an idea of what Process Accounting is and how to
enable it on &os;.Before reading this chapter, you should:Understand basic &os; and Internet concepts.Additional security topics are covered throughout this book.
For example, Mandatory Access Control is discussed in and Internet Firewalls are discussed in .IntroductionSecurity is a function that begins and ends with the system
administrator. While all BSD &unix; multi-user systems have some
inherent security, the job of building and maintaining additional
security mechanisms to keep those users honest is
probably one of the single largest undertakings of the sysadmin.
Machines are only as secure as you make them, and security concerns
are ever competing with the human necessity for convenience. &unix;
systems, in general, are capable of running a huge number of
simultaneous processes and many of these processes operate as
servers — meaning that external entities can connect and talk
to them. As yesterday's mini-computers and mainframes become
today's desktops, and as computers become networked and
inter-networked, security becomes an even bigger issue.System security also pertains to dealing with various forms of
attack, including attacks that attempt to crash, or otherwise make a
system unusable, but do not attempt to compromise the
root account (break root).
Security concerns
can be split up into several categories:Denial of service attacks.User account compromises.Root compromise through accessible servers.Root compromise via user accounts.Backdoor creation.DoS attacksDenial of Service (DoS)securityDoS attacksDenial of Service (DoS)Denial of Service (DoS)A denial of service attack is an action that deprives the
machine of needed resources. Typically, DoS attacks are
brute-force mechanisms that attempt to crash or otherwise make a
machine unusable by overwhelming its servers or network stack. Some
DoS attacks try to take advantage of bugs in the networking
stack to crash a machine with a single packet. The latter can only
be fixed by applying a bug fix to the kernel. Attacks on servers
can often be fixed by properly specifying options to limit the load
the servers incur on the system under adverse conditions.
Brute-force network attacks are harder to deal with. A
spoofed-packet attack, for example, is nearly impossible to stop,
short of cutting your system off from the Internet. It may not be
able to take your machine down, but it can saturate your
Internet connection.securityaccount compromisesA user account compromise is even more common than a DoS
attack. Many sysadmins still run standard
telnetd, rlogind,
rshd,
and ftpd servers on their machines.
These servers, by default, do
not operate over encrypted connections. The result is that if you
have any moderate-sized user base, one or more of your users logging
into your system from a remote location (which is the most common
and convenient way to login to a system) will have his or her
password sniffed. The attentive system admin will analyze his
remote access logs looking for suspicious source addresses even for
successful logins.One must always assume that once an attacker has access to a
user account, the attacker can break root.
However, the reality is that in a well secured and maintained system,
access to a user account does not necessarily give the attacker
access to root. The distinction is important
because without access to root the attacker
cannot generally hide his tracks and may, at best, be able to do
nothing more than mess with the user's files, or crash the machine.
User account compromises are very common because users tend not to
take the precautions that sysadmins take.securitybackdoorsSystem administrators must keep in mind that there are
potentially many ways to break root on a machine.
The attacker may know the root password,
the attacker may find a bug in a root-run server and be able
to break root over a network
connection to that server, or the attacker may know of a bug in
a suid-root program that allows the attacker to break
root once he has broken into a user's account.
If an attacker has found a way to break root
on a machine, the attacker may not have a need
to install a backdoor. Many of the root holes
found and closed to date involve a considerable amount of work
by the attacker to cleanup after himself, so most attackers install
backdoors. A backdoor provides the attacker with a way to easily
regain root access to the system, but it
also gives the smart system administrator a convenient way
to detect the intrusion.
Making it impossible for an attacker to install a backdoor may
actually be detrimental to your security, because it will not
close off the hole the attacker found to break in the first
place.Security remedies should always be implemented with a
multi-layered onion peel approach and can be
categorized as follows:Securing root and staff accounts.Securing root–run servers
and suid/sgid binaries.Securing user accounts.Securing the password file.Securing the kernel core, raw devices, and
file systems.Quick detection of inappropriate changes made to the
system.Paranoia.The next section of this chapter will cover the above bullet
items in greater depth.Securing &os;securitysecuring &os;Command vs. ProtocolThroughout this document, we will use
bold text to refer to an
application, and a monospaced font to refer
to specific commands. Protocols will use a normal font. This
typographical distinction is useful for instances such as ssh,
since it is
a protocol as well as command.The sections that follow will cover the methods of securing your
&os; system that were mentioned in the last section of this chapter.Securing the root Account and
Staff AccountssuFirst off, do not bother securing staff accounts if you have
not secured the root account.
Most systems have a password assigned to the root
account. The first thing you do is assume
that the password is always compromised.
This does not mean that you should remove the password. The
password is almost always necessary for console access to the
machine. What it does mean is that you should not make it
possible to use the password outside of the console or possibly
even with the &man.su.1; command. For example, make sure that
your ptys are specified as being insecure in the
/etc/ttys file so that direct
root logins
via telnet or rlogin are
disallowed. If using other login services such as
sshd, make sure that direct
root logins are disabled there as well.
You can do this by editing
your /etc/ssh/sshd_config file, and making
sure that PermitRootLogin is set to
NO. Consider every access method —
services such as FTP often fall through the cracks.
Direct root logins should only be allowed
via the system console.wheelOf course, as a sysadmin you have to be able to get to
root, so we open up a few holes.
But we make sure these holes require additional password
verification to operate. One way to make root
accessible is to add appropriate staff accounts to the
wheel group (in
/etc/group). The staff members placed in the
wheel group are allowed to
su to root.
You should never give staff
members native wheel access by putting them in the
wheel group in their password entry. Staff
accounts should be placed in a staff group, and
then added to the wheel group via the
/etc/group file. Only those staff members
who actually need to have root access
should be placed in the
wheel group. It is also possible, when using
an authentication method such as Kerberos, to use Kerberos'
.k5login file in the root
account to allow a &man.ksu.1; to root
without having to place anyone at all in the
wheel group. This may be the better solution
since the wheel mechanism still allows an
intruder to break root if the intruder
has gotten hold of your
password file and can break into a staff account. While having
the wheel mechanism is better than having
nothing at all, it is not necessarily the safest option.To lock an account completely, the &man.pw.8; command should
be used:&prompt.root;pw lock staffThis will prevent the user from logging in using any
mechanism, including &man.ssh.1;.Another method of blocking access to accounts would be to
replace the encrypted password with a single
* character. This character
would never match the encrypted password and thus block user
access. For example, the following staff account:foobar:R9DT/Fa1/LV9U:1000:1000::0:0:Foo Bar:/home/foobar:/usr/local/bin/tcshShould be changed to this:foobar:*:1000:1000::0:0:Foo Bar:/home/foobar:/usr/local/bin/tcshThis will prevent the foobar user
from logging in using conventional methods. This method for
access restriction is flawed on sites using
Kerberos or in situations where the
user has set up keys with &man.ssh.1;.These security mechanisms also assume that you are
logging in from a more restrictive server to a less restrictive
server. For example, if your main box is running all sorts of
servers, your workstation should not be running any. In order for
your workstation to be reasonably secure you should run as few
servers as possible, up to and including no servers at all, and
you should run a password-protected screen blanker. Of course,
given physical access to a workstation an attacker can break any
sort of security you put on it. This is definitely a problem that
you should consider, but you should also consider the fact that the
vast majority of break-ins occur remotely, over a network, from
people who do not have physical access to your workstation or
servers.KerberosIVUsing something like Kerberos also gives you the ability to
disable or change the password for a staff account in one place,
and have it immediately affect all the machines on which the staff
member may have an account. If a staff member's account gets
compromised, the ability to instantly change his password on all
machines should not be underrated. With discrete passwords,
changing a password on N machines can be a mess. You can also
impose re-passwording restrictions with Kerberos: not only can a
Kerberos ticket be made to timeout after a while, but the Kerberos
system can require that the user choose a new password after a
certain period of time (say, once a month).Securing Root-run Servers and SUID/SGID BinariesntalkcomsatfingersandboxessshdtelnetdrshdrlogindThe prudent sysadmin only runs the servers he needs to, no
more, no less. Be aware that third party servers are often the
most bug-prone. For example, running an old version of
imapd or
popper is like giving a universal
root ticket out to the entire world.
Never run a server that you have not checked out carefully.
Many servers do not need to be run as root.
For example, the ntalk,
comsat, and
finger daemons can be run in special
user sandboxes. A sandbox is not perfect,
unless you go through a large amount of trouble, but the onion
approach to security still stands: If someone is able to break
in through a server running in a sandbox, they still have to
break out of the sandbox. The more layers the attacker must
break through, the lower the likelihood of his success. Root
holes have historically been found in virtually every server
ever run as root, including basic system servers.
If you are running a machine through which people only login via
sshd and never login via
telnetd or
rshd or
rlogind, then turn off those
services!&os; now defaults to running
ntalkd,
comsat, and
finger in a sandbox. Another program
which may be a candidate for running in a sandbox is &man.named.8;.
/etc/defaults/rc.conf includes the arguments
necessary to run named in a sandbox in a
commented-out form. Depending on whether you are installing a new
system or upgrading an existing system, the special user accounts
used by these sandboxes may not be installed. The prudent
sysadmin would research and implement sandboxes for servers
whenever possible.sendmailThere are a number of other servers that typically do not run
in sandboxes: sendmail,
popper,
imapd, ftpd,
and others. There are alternatives to some of these, but
installing them may require more work than you are willing to
perform (the convenience factor strikes again). You may have to
run these servers as root and rely on other
mechanisms to detect break-ins that might occur through them.The other big potential root holes in a
system are the
suid-root and sgid binaries installed on the system. Most of
these binaries, such as rlogin, reside
in /bin, /sbin,
/usr/bin, or /usr/sbin.
While nothing is 100% safe, the system-default suid and sgid
binaries can be considered reasonably safe. Still,
root holes are occasionally found in these
binaries. A root hole was found in
Xlib in 1998 that made
xterm (which is typically suid)
vulnerable. It is better to be safe than sorry and the prudent
sysadmin will restrict suid binaries, that only staff should run,
to a special group that only staff can access, and get rid of
(chmod 000) any suid binaries that nobody uses.
A server with no display generally does not need an
xterm binary. Sgid binaries can be
almost as dangerous. If an intruder can break an sgid-kmem binary,
the intruder might be able to read /dev/kmem
and thus read the encrypted password file, potentially compromising
any passworded account. Alternatively an intruder who breaks
group kmem can monitor keystrokes sent through
ptys, including ptys used by users who login through secure
methods. An intruder that breaks the tty
group can write to
almost any user's tty. If a user is running a terminal program or
emulator with a keyboard-simulation feature, the intruder can
potentially generate a data stream that causes the user's terminal
to echo a command, which is then run as that user.Securing User AccountsUser accounts are usually the most difficult to secure. While
you can impose draconian access restrictions on your staff and
star out their passwords, you may not be able to
do so with any general user accounts you might have. If you do
have sufficient control, then you may win out and be able to secure
the user accounts properly. If not, you simply have to be more
vigilant in your monitoring of those accounts. Use of
ssh and Kerberos for user accounts is
more problematic, due to the extra administration and technical
support required, but still a very good solution compared to a
encrypted password file.Securing the Password FileThe only sure fire way is to star out as many
passwords as you can and use ssh or
Kerberos for access to those accounts. Even though the encrypted
password file (/etc/spwd.db) can only be read
by root, it may be possible for an intruder
to obtain read access to that file even if the attacker cannot
obtain root-write access.Your security scripts should always check for and report
changes to the password file (see the Checking file integrity section
below).Securing the Kernel Core, Raw Devices, and
File systemsIf an attacker breaks root he can do
just about anything, but
there are certain conveniences. For example, most modern kernels
have a packet sniffing device driver built in. Under &os; it
is called the bpf device. An intruder
will commonly attempt to run a packet sniffer on a compromised
machine. You do not need to give the intruder the capability and
most systems do not have the need for the
bpf device compiled in.sysctlBut even if you turn off the bpf
device, you still have
/dev/mem and
/dev/kmem
to worry about. For that matter, the intruder can still write to
raw disk devices. Also, there is another kernel feature called
the module loader, &man.kldload.8;. An enterprising intruder can
use a KLD module to install his own bpf
device, or other sniffing
device, on a running kernel. To avoid these problems you have to
run the kernel at a higher secure level, at least securelevel 1.
The securelevel can be set with a sysctl on
the kern.securelevel variable. Once you have
set the securelevel to 1, write access to raw devices will be
denied and special chflags flags,
such as schg,
will be enforced. You must also ensure that the
schg flag is set on critical startup binaries,
directories, and script files — everything that gets run up
to the point where the securelevel is set. This might be overdoing
it, and upgrading the system is much more difficult when you
operate at a higher secure level. You may compromise and run the
system at a higher secure level but not set the
schg flag for every system file and directory
under the sun. Another possibility is to simply mount
/ and /usr read-only.
It should be noted that being too draconian in what you attempt to
protect may prevent the all-important detection of an
intrusion.Checking File Integrity: Binaries, Configuration Files,
Etc.When it comes right down to it, you can only protect your core
system configuration and control files so much before the
convenience factor rears its ugly head. For example, using
chflags to set the schg bit
on most of the files in / and
/usr is probably counterproductive, because
while it may protect the files, it also closes a detection window.
The last layer of your security onion is perhaps the most
important — detection. The rest of your security is pretty
much useless (or, worse, presents you with a false sense of
security) if you cannot detect potential intrusions. Half the job
of the onion is to slow down the attacker, rather than stop him, in
order to be able to catch him in the act.The best way to detect an intrusion is to look for modified,
missing, or unexpected files. The best way to look for modified
files is from another (often centralized) limited-access system.
Writing your security scripts on the extra-secure limited-access
system makes them mostly invisible to potential attackers, and this
is important. In order to take maximum advantage you generally
have to give the limited-access box significant access to the
other machines in the business, usually either by doing a
read-only NFS export of the other machines to the limited-access
box, or by setting up ssh key-pairs to
allow the limited-access box to ssh to
the other machines. Except for its network traffic, NFS is the
least visible method — allowing you to monitor the
file systems on each client box virtually undetected. If your
limited-access server is connected to the client boxes through a
switch, the NFS method is often the better choice. If your
limited-access server is connected to the client boxes through a
hub, or through several layers of routing, the NFS method may be
too insecure (network-wise) and using
ssh may be the better choice even with
the audit-trail tracks that ssh
lays.Once you have given a limited-access box at least read access to the
client systems it is supposed to monitor, you must write scripts
to do the actual monitoring. Given an NFS mount, you can write
scripts out of simple system utilities such as &man.find.1; and
&man.md5.1;. It is best to physically md5 the client-box files
at least once a day, and to test control files such as those
found in /etc and
/usr/local/etc even more often. When
mismatches are found, relative to the base md5 information the
limited-access machine knows is valid, it should scream at a
sysadmin to go check it out. A good security script will also
check for inappropriate suid binaries and for new or deleted files
on system partitions such as / and
/usr.When using ssh rather than NFS,
writing the security script is much more difficult. You
essentially have to scp the scripts to the client
box in order to
run them, making them visible, and for safety you also need to
scp the binaries (such as find) that those
scripts use. The ssh client on the
client box may already be compromised. All in all, using
ssh may be necessary when running over
insecure links, but it is also a lot harder to deal with.A good security script will also check for changes to user and
staff members access configuration files:
.rhosts, .shosts,
.ssh/authorized_keys and so forth,
files that might fall outside the purview of the
MD5 check.If you have a huge amount of user disk space, it may take too
long to run through every file on those partitions. In this case,
setting mount flags to disallow suid binaries is a good idea.
The nosuid option (see &man.mount.8;) is what you
want to look into. You should probably scan them anyway, at least
once a week, since the object of this layer is to detect a break-in
attempt, whether or not the attempt succeeds.Process accounting (see &man.accton.8;) is a relatively
low-overhead feature of the operating system which might help
as a post-break-in evaluation mechanism. It is especially
useful in tracking down how an intruder has actually broken into
a system, assuming the file is still intact after the break-in has
occured.Finally, security scripts should process the log files, and the
logs themselves should be generated in as secure a manner as
possible — remote syslog can be very useful. An intruder
will try to cover his tracks, and log files are critical to the
sysadmin trying to track down the time and method of the initial
break-in. One way to keep a permanent record of the log files is
to run the system console to a serial port and collect the
information to a secure machine monitoring the consoles.ParanoiaA little paranoia never hurts. As a rule, a sysadmin can add
any number of security features, as long as they do not affect
convenience, and can add security features that
do affect convenience with some added thought.
Even more importantly, a security administrator should mix it up a
bit — if you use recommendations such as those given by this
document verbatim, you give away your methodologies to the
prospective attacker who also has access to this document.Denial of Service AttacksDenial of Service (DoS)This section covers Denial of Service attacks. A DoS attack
is typically a packet attack. While there is not much you can do
about modern spoofed packet attacks that saturate your network,
you can generally limit the damage by ensuring that the attacks
cannot take down your servers by:Limiting server forks.Limiting springboard attacks (ICMP response attacks, ping
broadcast, etc.).Overloading the Kernel Route Cache.A common DoS attack scenario is attacking a forking server and
making it spawning so many child processes that the host system
eventually runs out of memory, file descriptors, etc. and then
grinds to a halt. inetd
(see &man.inetd.8;) has several
options to limit this sort of attack. It should be noted that
while it is possible to prevent a machine from going down, it is
not generally possible to prevent a service from being disrupted
by the attack. Read the inetd manual
page carefully and pay
specific attention to the , ,
and options. Note that spoofed-IP attacks
will circumvent the option to
inetd, so
typically a combination of options must be used. Some standalone
servers have self-fork-limitation parameters.Sendmail has its
option, which tends to work
much better than trying to use Sendmail's load limiting options
due to the load lag. You should specify a
MaxDaemonChildren parameter, when you start
sendmail; high enough to handle your
expected load, but not so high that the computer cannot handle that
number of Sendmail instances without falling on
its face. It is also prudent to run Sendmail in queued mode
() and to run the daemon
(sendmail -bd) separate from the queue-runs
(sendmail -q15m). If you still want real-time
delivery you can run the queue at a much lower interval, such as
, but be sure to specify a reasonable
MaxDaemonChildren option for
thatSendmail to prevent cascade failures.Syslogd can be attacked directly
and it is strongly recommended that you use the
option whenever possible, and the option
otherwise.You should also be fairly careful with connect-back services
such as TCP Wrapper's reverse-identd,
which can be attacked directly. You generally do not want to use
the reverse-ident feature of
TCP Wrapper for this reason.It is a very good idea to protect internal services from
external access by firewalling them off at your border routers.
The idea here is to prevent saturation attacks from outside your
LAN, not so much to protect internal services from network-based
root compromise.
Always configure an exclusive firewall, i.e.,
firewall everything except ports A, B,
C, D, and M-Z. This way you can firewall off all of your
low ports except for certain specific services such as
named (if you are primary for a zone),
ntalkd,
sendmail, and other Internet-accessible
services. If you try to configure the firewall the other way
— as an inclusive or permissive firewall, there is a good
chance that you will forget to close a couple of
services, or that you will add a new internal service and forget
to update the firewall. You can still open up the high-numbered
port range on the firewall, to allow permissive-like operation,
without compromising your low ports. Also take note that &os;
allows you to control the range of port numbers used for dynamic
binding, via the various net.inet.ip.portrangesysctl's (sysctl -a | fgrep
portrange), which can also ease the complexity of your
firewall's configuration. For example, you might use a normal
first/last range of 4000 to 5000, and a hiport range of 49152 to
65535, then block off everything under 4000 in your firewall
(except for certain specific Internet-accessible ports, of
course).Another common DoS attack is called a springboard attack
— to attack a server in a manner that causes the server to
generate responses which overloads the server, the local
network, or some other machine. The most common attack of this
nature is the ICMP ping broadcast attack.
The attacker spoofs ping packets sent to your LAN's broadcast
address with the source IP address set to the actual machine they
wish to attack. If your border routers are not configured to
stomp on ping packets to broadcast addresses, your LAN winds up
generating sufficient responses to the spoofed source address to
saturate the victim, especially when the attacker uses the same
trick on several dozen broadcast addresses over several dozen
different networks at once. Broadcast attacks of over a hundred
and twenty megabits have been measured. A second common
springboard attack is against the ICMP error reporting system.
By constructing packets that generate ICMP error responses, an
attacker can saturate a server's incoming network and cause the
server to saturate its outgoing network with ICMP responses. This
type of attack can also crash the server by running it out of
memory, especially if the server cannot drain the ICMP responses
it generates fast enough.
Use the sysctl
variable net.inet.icmp.icmplim to limit these attacks.
The last major class of springboard
attacks is related to certain internal
inetd services such as the
udp echo service. An attacker simply spoofs a UDP packet with the
source address being server A's echo port, and the destination
address being server B's echo port, where server A and B are both
on your LAN. The two servers then bounce this one packet back and
forth between each other. The attacker can overload both servers
and their LANs simply by injecting a few packets in this manner.
Similar problems exist with the internal
chargen port. A
competent sysadmin will turn off all of these inetd-internal test
services.Spoofed packet attacks may also be used to overload the kernel
route cache. Refer to the net.inet.ip.rtexpire,
rtminexpire, and rtmaxcachesysctl parameters. A spoofed packet attack
that uses a random source IP will cause the kernel to generate a
temporary cached route in the route table, viewable with
netstat -rna | fgrep W3. These routes
typically timeout in 1600 seconds or so. If the kernel detects
that the cached route table has gotten too big it will dynamically
reduce the rtexpire but will never decrease it
to less than rtminexpire. There are two
problems:The kernel does not react quickly enough when a lightly
loaded server is suddenly attacked.The rtminexpire is not low enough for
the kernel to survive a sustained attack.If your servers are connected to the Internet via a T3 or
better, it may be prudent to manually override both
rtexpire and rtminexpire
via &man.sysctl.8;. Never set either parameter to zero (unless
you want to crash the machine). Setting both
parameters to 2 seconds should be sufficient to protect the route
table from attack.Access Issues with Kerberos and SSHsshKerberosIVThere are a few issues with both Kerberos and
ssh that need to be addressed if
you intend to use them. Kerberos 5 is an excellent
authentication protocol, but there are bugs in the kerberized
telnet and
rlogin applications that make them
unsuitable for dealing with binary streams. Also, by default
Kerberos does not encrypt a session unless you use the
option. ssh
encrypts everything by default.Ssh works quite well in every
respect except that it forwards encryption keys by default. What
this means is that if you have a secure workstation holding keys
that give you access to the rest of the system, and you
ssh to an insecure machine, your keys
are usable. The actual keys themselves are not exposed, but
ssh installs a forwarding port for the
duration of your login, and if an attacker has broken
root on the
insecure machine he can utilize that port to use your keys to gain
access to any other machine that your keys unlock.We recommend that you use ssh in
combination with Kerberos whenever possible for staff logins.
Ssh can be compiled with Kerberos
support. This reduces your reliance on potentially exposed
ssh keys while at the same time
protecting passwords via Kerberos. Ssh
keys should only be used for automated tasks from secure machines
(something that Kerberos is unsuited to do). We also recommend that
you either turn off key-forwarding in the
ssh configuration, or that you make use
of the from=IP/DOMAIN option that
ssh allows in its
authorized_keys file to make the key only
usable to entities logging in from specific machines.BillSwingleParts rewritten and updated by DES, Blowfish, MD5, and CryptsecuritycryptcryptBlowfishDESMD5Every user on a &unix; system has a password associated with
their account. It seems obvious that these passwords need to be
known only to the user and the actual operating system. In
order to keep these passwords secret, they are encrypted with
what is known as a one-way hash, that is, they can
only be easily encrypted but not decrypted. In other words, what
we told you a moment ago was obvious is not even true: the
operating system itself does not really know
the password. It only knows the encrypted
form of the password. The only way to get the
plain-text password is by a brute force search of the
space of possible passwords.Unfortunately the only secure way to encrypt passwords when
&unix; came into being was based on DES, the Data Encryption
Standard. This was not such a problem for users resident in
the US, but since the source code for DES could not be exported
outside the US, &os; had to find a way to both comply with
US law and retain compatibility with all the other &unix;
variants that still used DES.The solution was to divide up the encryption libraries
so that US users could install the DES libraries and use
DES but international users still had an encryption method
that could be exported abroad. This is how &os; came to
use MD5 as its default encryption method. MD5 is believed to
be more secure than DES, so installing DES is offered primarily
for compatibility reasons.Recognizing Your Crypt MechanismCurrently the library supports DES, MD5 and Blowfish hash
functions. By default &os; uses MD5 to encrypt
passwords.It is pretty easy to identify which encryption method
&os; is set up to use. Examining the encrypted passwords in
the /etc/master.passwd file is one way.
Passwords encrypted with the MD5 hash are longer than those
encrypted with the DES hash and also begin with the characters
$1$. Passwords starting with
$2a$ are encrypted with the
Blowfish hash function. DES password strings do not
have any particular identifying characteristics, but they are
shorter than MD5 passwords, and are coded in a 64-character
alphabet which does not include the $
character, so a relatively short string which does not begin with
a dollar sign is very likely a DES password.The password format used for new passwords is controlled
by the passwd_format login capability in
/etc/login.conf, which takes values of
des, md5 or
blf. See the &man.login.conf.5; manual page
for more information about login capabilities.One-time Passwordsone-time passwordssecurityone-time passwordsBy default, &os; includes support for OPIE (One-time Passwords
In Everything), which uses the MD5 hash by default.There are three different sorts of passwords which we will discuss
below. The first is your usual &unix; style or
Kerberos password; we will call this a &unix; password.
The second sort is the one-time password which is generated by the OPIE
&man.opiekey.1; program and accepted by the
&man.opiepasswd.1; program
and the login prompt; we will
call this a one-time password. The final sort of
password is the secret password which you give to the
opiekey program (and
sometimes the
opiepasswd programs)
which it uses to generate
one-time passwords; we will call it a secret password
or just unqualified password.The secret password does not have anything to do with your &unix;
password; they can be the same but this is not recommended.
OPIE secret passwords are not limited to 8 characters like old
&unix; passwordsUnder &os; the standard login
password may be up to 128 characters in length.,
they can be as long as you like. Passwords of six or
seven word long phrases are fairly common. For the most part, the
OPIE system operates completely independently of the &unix;
password system.Besides the password, there are two other pieces of data that
are important to OPIE. One is what is known as the
seed or key, consisting of two letters
and five digits. The other is what is called the iteration
count, a number between 1 and 100. OPIE creates the
one-time password by concatenating the seed and the secret password,
then applying the MD5 hash as many times as specified by the
iteration count and turning the result into six short English words.
These six English words are your one-time password. The
authentication system (primarily PAM) keeps
track of the last one-time password used, and the user is
authenticated if the hash of the user-provided password is equal to
the previous password. Because a one-way hash is used it is
impossible to generate future one-time passwords if a successfully
used password is captured; the iteration count is decremented after
each successful login to keep the user and the login program in
sync. When the iteration count gets down to 1, OPIE must be
reinitialized.There are a few programs involved in each system
which we will discuss below. The
opiekey program accepts an iteration
count, a seed, and a secret password, and generates a one-time
password or a consecutive list of one-time passwords. The
opiepasswd
program is used to initialize OPIE,
and to change passwords, iteration counts, or seeds; it
takes either a secret passphrase, or an iteration count,
seed, and a one-time password. The
opieinfo program will examine the
relevant credentials files
(/etc/opiekeys) and print out the invoking user's
current iteration count and seed.There are four different sorts of operations we will cover. The
first is using
opiepasswd over a secure connection to set up
one-time-passwords for the first time, or to change your password
or seed. The second operation is using
opiepasswd over an insecure connection, in
conjunction with opiekey
over a secure connection, to do the same. The third is using
opiekey to log in over
an insecure connection. The fourth is using
opiekey to generate a number of keys which
can be written down or printed out to carry with you when going to
some location without secure connections to anywhere.Secure Connection InitializationTo initialize OPIE for the first time, execute the
opiepasswd command:&prompt.user; opiepasswd -c
[grimreaper] ~ $ opiepasswd -f -c
Adding unfurl:
Only use this method from the console; NEVER from remote. If you are using
telnet, xterm, or a dial-in, type ^C now or exit with no password.
Then run opiepasswd without the -c parameter.
Using MD5 to compute responses.
Enter new secret pass phrase:
Again new secret pass phrase:
ID unfurl OTP key is 499 to4268
MOS MALL GOAT ARM AVID COED
At the Enter new secret pass phrase: or
Enter secret password: prompts, you
should enter a password or phrase. Remember, this is not the
password that you will use to login with, this is used to generate
your one-time login keys. The ID line gives the
parameters of your particular instance: your login name, the
iteration count, and seed. When logging in the system
will remember these parameters and present them back to you so you
do not have to remember them. The last line gives the particular
one-time password which corresponds to those parameters and your
secret password; if you were to re-login immediately, this
one-time password is the one you would use.Insecure Connection InitializationTo initialize or change your secret password over an
insecure connection, you will need to already have a secure
connection to some place where you can run
opiekey; this might be in the form of a shell
prompt on a machine you
trust. You will also need to make up an iteration count (100 is
probably a good value), and you may make up your own seed or use a
randomly-generated one. Over on the insecure connection (to the
machine you are initializing), use opiepasswd:&prompt.user; opiepasswd
Updating unfurl:
You need the response from an OTP generator.
Old secret pass phrase:
otp-md5 498 to4268 ext
Response: GAME GAG WELT OUT DOWN CHAT
New secret pass phrase:
otp-md5 499 to4269
Response: LINE PAP MILK NELL BUOY TROY
ID mark OTP key is 499 gr4269
LINE PAP MILK NELL BUOY TROY
To accept the default seed press Return.
Then before entering an
access password, move over to your secure connection and give it
the same parameters:&prompt.user; opiekey 498 to4268
Using the MD5 algorithm to compute response.
Reminder: Don't use opiekey from telnet or dial-in sessions.
Enter secret pass phrase:
GAME GAG WELT OUT DOWN CHAT
Now switch back over to the insecure connection, and copy the
one-time password generated over to the relevant program.Generating a Single One-time PasswordOnce you have initialized OPIE and login, you will be
presented with a prompt like this:&prompt.user; telnet example.com
Trying 10.0.0.1...
Connected to example.com
Escape character is '^]'.
FreeBSD/i386 (example.com) (ttypa)
login: <username>
otp-md5 498 gr4269 ext
Password: As a side note, the OPIE prompts have a useful feature
(not shown here): if you press Return
at the password prompt, the
prompter will turn echo on, so you can see what you are
typing. This can be extremely useful if you are attempting to
type in a password by hand, such as from a printout.MS-DOSWindowsMacOSAt this point you need to generate your one-time password to
answer this login prompt. This must be done on a trusted system
that you can run
opiekey on. (There are versions of these for DOS,
&windows; and &macos; as well.) They need the iteration count and
the seed as command line options. You can cut-and-paste these
right from the login prompt on the machine that you are logging
in to.On the trusted system:&prompt.user; opiekey 498 to4268
Using the MD5 algorithm to compute response.
Reminder: Don't use opiekey from telnet or dial-in sessions.
Enter secret pass phrase:
GAME GAG WELT OUT DOWN CHATNow that you have your one-time password you can continue
logging in.Generating Multiple One-time PasswordsSometimes you have to go places where you do not have
access to a trusted machine or secure connection. In this case,
it is possible to use the
opiekey command to
generate a number of one-time passwords beforehand to be printed
out and taken with you. For example:&prompt.user; opiekey -n 5 30 zz99999
Using the MD5 algorithm to compute response.
Reminder: Don't use opiekey from telnet or dial-in sessions.
Enter secret pass phrase: <secret password>
26: JOAN BORE FOSS DES NAY QUIT
27: LATE BIAS SLAY FOLK MUCH TRIG
28: SALT TIN ANTI LOON NEAL USE
29: RIO ODIN GO BYE FURY TIC
30: GREW JIVE SAN GIRD BOIL PHIThe requests five keys in sequence, the
specifies what the last iteration number
should be. Note that these are printed out in
reverse order of eventual use. If you are
really paranoid, you might want to write the results down by hand;
otherwise you can cut-and-paste into lpr. Note
that each line shows both the iteration count and the one-time
password; you may still find it handy to scratch off passwords as
you use them.Restricting Use of &unix; PasswordsOPIE can restrict the use of &unix; passwords based on the IP
address of a login session. The relevant file
is /etc/opieaccess, which is present by default.
Please check &man.opieaccess.5;
for more information on this file and which security considerations
you should be aware of when using it.Here is a sample opieaccess file:permit 192.168.0.0 255.255.0.0This line allows users whose IP source address (which is
vulnerable to spoofing) matches the specified value and mask,
to use &unix; passwords at any time.If no rules in opieaccess are matched,
the default is to deny non-OPIE logins.TomRhodesWritten by TCP WrappersTCP WrappersAnyone familiar with &man.inetd.8; has probably heard
of TCP Wrappers at some point. But few
individuals seem to fully comprehend its usefulness in a
network environment. It seems that everyone wants to
install a firewall to handle network connections. While a
firewall has a wide variety of uses, there are some things
that a firewall not handle such as sending text back to the
connection originator. The TCP Wrappers software
does this and much more. In the next few sections many of
the TCP Wrappers features will be discussed,
and, when applicable, example configuration lines will be
provided.The TCP Wrappers software extends the
abilities of inetd to provide support for
every server daemon under its control. Using this method it
is possible to provide logging support, return messages to
connections, permit a daemon to only accept internal connections,
etc. While some of these features can be provided by implementing
a firewall, this will add not only an extra layer of protection
but go beyond the amount of control a firewall can
provide.The added functionality of TCP Wrappers
should not be considered a replacement for a good firewall.
TCP Wrappers can be used in conjunction
with a firewall or other security enhancements though and
it can serve nicely as an extra layer of protection
for the system.Since this is an extension to the configuration of
inetd, the reader is expected have
read the inetd configuration
section.While programs run by &man.inetd.8; are not exactly
daemons, they have traditionally been called
daemons. This is the term we will use in this section too.Initial ConfigurationThe only requirement of using TCP
Wrappers in &os; is to ensure the inetd
server is started from rc.conf with the
option; this is the default setting. Of
course, proper configuration of
/etc/hosts.allow is also expected, but
&man.syslogd.8; will throw messages in the system logs in
these cases.Unlike other implementations of TCP
Wrappers, the use of hosts.deny has
been deprecated. All configuration options should be placed
in /etc/hosts.allow.In the simplest configuration, daemon connection policies
are set to either be permitted or blocked depending on the
options in /etc/hosts.allow. The default
configuration in &os; is to allow a connection to every daemon
started with inetd. Changing this will be
discussed only after the basic configuration is covered.Basic configuration usually takes the form of
daemon : address : action. Where
daemon is the daemon name which
inetd started. The
address can be a valid hostname, an
IP address or an IPv6 address enclosed in
brackets ([ ]). The action field can be either allow
or deny to grant or deny access appropriately. Keep in mind
that configuration works off a first rule match semantic,
meaning that the configuration file is scanned in ascending
order for a matching rule. When a match is found the rule
is applied and the search process will halt.Several other options exist but they will be explained
in a later section. A simple configuration line may easily be
constructed from that information alone. For example, to
allow POP3 connections via the
mail/qpopper daemon,
the following lines should be appended to
hosts.allow:# This line is required for POP3 connections:
qpopper : ALL : allowAfter adding this line, inetd will need
to be restarted. This can be accomplished by use of the &man.kill.1;
command, or with the restart parameter
with /etc/rc.d/inetd.Advanced ConfigurationTCP Wrappers has advanced
options too; they will allow for more control over the
way connections are handled. In some cases it may be
a good idea to return a comment to certain hosts or
daemon connections. In other cases, perhaps a log file
should be recorded or an email sent to the administrator.
Other situations may require the use of a service for local
connections only. This is all possible through the use of
configuration options known as wildcards,
expansion characters and external command execution. The
next two sections are written to cover these situations.External CommandsSuppose that a situation occurs where a connection
should be denied yet a reason should be sent to the
individual who attempted to establish that connection. How
could it be done? That action can be made possible by
using the option. When a connection
attempt is made, will be called to
execute a shell command or script. An example already exists
in the hosts.allow file:# The rest of the daemons are protected.
ALL : ALL \
: severity auth.info \
: twist /bin/echo "You are not welcome to use %d from %h."This example shows that the message,
You are not allowed to use daemon
from hostname. will be returned
for any daemon not previously configured in the access file.
This is extremely useful for sending a reply back to the
connection initiator right after the established connection
is dropped. Note that any message returned
must be wrapped in quote
" characters; there are no exceptions to
this rule.It may be possible to launch a denial of service attack
on the server if an attacker, or group of attackers could
flood these daemons with connection requests.Another possibility is to use the
option in these cases. Like , the
implicitly denies the connection and
may be used to run external shell commands or scripts.
Unlike , will
not send a reply back to the individual who established the
connection. For an example, consider the following
configuration line:# We do not allow connections from example.com:
ALL : .example.com \
: spawn (/bin/echo %a from %h attempted to access %d >> \
/var/log/connections.log) \
: denyThis will deny all connection attempts from the
*.example.com domain;
simultaneously logging the hostname, IP
address and the daemon which they attempted to access in the
/var/log/connections.log file.Aside from the already explained substitution characters
above, e.g. %a, a few others exist. See the
&man.hosts.access.5; manual page for the complete list.Wildcard OptionsThus far the ALL example has been used
continuously throughout the examples. Other options exist
which could extend the functionality a bit further. For
instance, ALL may be used to match every
instance of either a daemon, domain or an
IP address. Another wildcard available is
PARANOID which may be used to match any
host which provides an IP address that may
be forged. In other words, paranoid may
be used to define an action to be taken whenever a connection
is made from an IP address that differs
from its hostname. The following example may shed some more
light on this discussion:# Block possibly spoofed requests to sendmail:
sendmail : PARANOID : denyIn that example all connection requests to
sendmail which have an
IP address that varies from its hostname
will be denied.Using the PARANOID may severely
cripple servers if the client or server has a broken
DNS setup. Administrator discretion
is advised.To learn more about wildcards and their associated
functionality, see the &man.hosts.access.5; manual
page.Before any of the specific configuration lines above will
work, the first configuration line should be commented out
in hosts.allow. This was noted at the
beginning of this section.MarkMurrayContributed by MarkDapozBased on a contribution by KerberosIVKerberos is a network add-on system/protocol that allows users to
authenticate themselves through the services of a secure server.
Services such as remote login, remote copy, secure inter-system file
copying and other high-risk tasks are made considerably safer and more
controllable.The following instructions can be used as a guide on how to set up
Kerberos as distributed for &os;. However, you should refer to the
relevant manual pages for a complete description.Installing KerberosIVMITKerberosIVinstallingKerberos is an optional component of &os;. The easiest
way to install this software is by selecting the krb4 or
krb5 distribution in sysinstall
during the initial installation of &os;. This will install
the eBones (KerberosIV) or Heimdal (Kerberos5)
implementation of Kerberos. These implementations are
included because they are developed outside the USA/Canada and
were thus available to system owners outside those countries
during the era of restrictive export controls on cryptographic
code from the USA.Alternatively, the MIT implementation of Kerberos is
available from the Ports Collection as
security/krb5.Creating the Initial DatabaseThis is done on the Kerberos server only. First make sure that
you do not have any old Kerberos databases around. You should change
to the directory /etc/kerberosIV and check that
only the following files are present:&prompt.root; cd /etc/kerberosIV
&prompt.root; ls
README krb.conf krb.realmsIf any additional files (such as principal.*
or master_key) exist, then use the
kdb_destroy command to destroy the old Kerberos
database, or if Kerberos is not running, simply delete the extra
files.You should now edit the krb.conf and
krb.realms files to define your Kerberos realm.
In this case the realm will be EXAMPLE.COM and the
server is grunt.example.com. We edit
or create the krb.conf file:&prompt.root; cat krb.conf
EXAMPLE.COM
EXAMPLE.COM grunt.example.com admin server
CS.BERKELEY.EDU okeeffe.berkeley.edu
ATHENA.MIT.EDU kerberos.mit.edu
ATHENA.MIT.EDU kerberos-1.mit.edu
ATHENA.MIT.EDU kerberos-2.mit.edu
ATHENA.MIT.EDU kerberos-3.mit.edu
LCS.MIT.EDU kerberos.lcs.mit.edu
TELECOM.MIT.EDU bitsy.mit.edu
ARC.NASA.GOV trident.arc.nasa.govIn this case, the other realms do not need to be there. They are
here as an example of how a machine may be made aware of multiple
realms. You may wish to not include them for simplicity.The first line names the realm in which this system works. The
other lines contain realm/host entries. The first item on a line is a
realm, and the second is a host in that realm that is acting as a
key distribution center. The words admin
server following a host's name means that host also
provides an administrative database server. For further explanation
of these terms, please consult the Kerberos manual pages.Now we have to add grunt.example.com
to the EXAMPLE.COM realm and also add an entry to
put all hosts in the .example.com
domain in the EXAMPLE.COM realm. The
krb.realms file would be updated as
follows:&prompt.root; cat krb.realms
grunt.example.com EXAMPLE.COM
.example.com EXAMPLE.COM
.berkeley.edu CS.BERKELEY.EDU
.MIT.EDU ATHENA.MIT.EDU
.mit.edu ATHENA.MIT.EDUAgain, the other realms do not need to be there. They are here as
an example of how a machine may be made aware of multiple realms. You
may wish to remove them to simplify things.The first line puts the specific system into
the named realm. The rest of the lines show how to default systems of
a particular subdomain to a named realm.Now we are ready to create the database. This only needs to run
on the Kerberos server (or Key Distribution Center). Issue the
kdb_init command to do this:&prompt.root; kdb_initRealm name [default ATHENA.MIT.EDU ]:EXAMPLE.COM
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter Kerberos master key:Now we have to save the key so that servers on the local machine
can pick it up. Use the kstash command to do
this:&prompt.root; kstashEnter Kerberos master key:
Current Kerberos master key version is 1.
Master key entered. BEWARE!This saves the encrypted master password in
/etc/kerberosIV/master_key.Making It All RunKerberosIVinitial startupTwo principals need to be added to the database for
each system that will be secured with Kerberos.
Their names are kpasswd and rcmd.
These two principals are made for each system, with the instance being
the name of the individual system.These daemons, kpasswd and
rcmd allow other systems to change Kerberos
passwords and run commands like &man.rcp.1;,
&man.rlogin.1; and &man.rsh.1;.Now let us add these entries:&prompt.root; kdb_edit
Opening database...
Enter Kerberos master key:
Current Kerberos master key version is 1.
Master key entered. BEWARE!
Previous or default values are in [brackets] ,
enter return to leave the same, or new value.
Principal name:passwdInstance:grunt
<Not found>, Create [y] ?y
Principal: passwd, Instance: grunt, kdc_key_ver: 1
New Password: <---- enter RANDOM here
Verifying password
New Password: <---- enter RANDOM here
Random password [y] ?y
Principal's new key version = 1
Expiration date (enter yyyy-mm-dd) [ 2000-01-01 ] ?Max ticket lifetime (*5 minutes) [ 255 ] ?Attributes [ 0 ] ?
Edit O.K.
Principal name:rcmdInstance:grunt
<Not found>, Create [y] ?
Principal: rcmd, Instance: grunt, kdc_key_ver: 1
New Password: <---- enter RANDOM here
Verifying password
New Password: <---- enter RANDOM here
Random password [y] ?
Principal's new key version = 1
Expiration date (enter yyyy-mm-dd) [ 2000-01-01 ] ?Max ticket lifetime (*5 minutes) [ 255 ] ?Attributes [ 0 ] ?
Edit O.K.
Principal name: <---- null entry here will cause an exitCreating the Server FileWe now have to extract all the instances which define the
services on each machine. For this we use the
ext_srvtab command. This will create a file
which must be copied or moved by secure
means to each Kerberos client's
/etc directory. This file must
be present on each server and client, and is crucial to the
operation of Kerberos.&prompt.root; ext_srvtab gruntEnter Kerberos master key:
Current Kerberos master key version is 1.
Master key entered. BEWARE!
Generating 'grunt-new-srvtab'....Now, this command only generates a temporary file which must be
renamed to srvtab so that all the servers can pick
it up. Use the &man.mv.1; command to move it into place on
the original system:&prompt.root; mv grunt-new-srvtab srvtabIf the file is for a client system, and the network is not deemed
safe, then copy the
client-new-srvtab to
removable media and transport it by secure physical means. Be sure to
rename it to srvtab in the client's
/etc directory, and make sure it is
mode 600:&prompt.root; mv grumble-new-srvtab srvtab
&prompt.root; chmod 600 srvtabPopulating the DatabaseWe now have to add some user entries into the database. First
let us create an entry for the user jane. Use the
kdb_edit command to do this:&prompt.root; kdb_edit
Opening database...
Enter Kerberos master key:
Current Kerberos master key version is 1.
Master key entered. BEWARE!
Previous or default values are in [brackets] ,
enter return to leave the same, or new value.
Principal name:janeInstance:
<Not found>, Create [y] ?y
Principal: jane, Instance: , kdc_key_ver: 1
New Password: <---- enter a secure password here
Verifying password
New Password: <---- re-enter the password here
Principal's new key version = 1
Expiration date (enter yyyy-mm-dd) [ 2000-01-01 ] ?Max ticket lifetime (*5 minutes) [ 255 ] ?Attributes [ 0 ] ?
Edit O.K.
Principal name: <---- null entry here will cause an exitTesting It All OutFirst we have to start the Kerberos daemons. Note that if you
have correctly edited your /etc/rc.conf then this
will happen automatically when you reboot. This is only necessary on
the Kerberos server. Kerberos clients will automatically get what
they need from the /etc/kerberosIV
directory.&prompt.root; kerberos &
Kerberos server starting
Sleep forever on error
Log file is /var/log/kerberos.log
Current Kerberos master key version is 1.
Master key entered. BEWARE!
Current Kerberos master key version is 1
Local realm: EXAMPLE.COM
&prompt.root; kadmind -n &
KADM Server KADM0.0A initializing
Please do not use 'kill -9' to kill this job, use a
regular kill instead
Current Kerberos master key version is 1.
Master key entered. BEWARE!Now we can try using the kinit command to get a
ticket for the ID jane that we created
above:&prompt.user; kinit jane
MIT Project Athena (grunt.example.com)
Kerberos Initialization for "jane"
Password:Try listing the tokens using klist to see if we
really have them:&prompt.user; klist
Ticket file: /tmp/tkt245
Principal: jane@EXAMPLE.COM
Issued Expires Principal
Apr 30 11:23:22 Apr 30 19:23:22 krbtgt.EXAMPLE.COM@EXAMPLE.COMNow try changing the password using &man.passwd.1; to
check if the kpasswd daemon can get
authorization to the Kerberos database:&prompt.user; passwd
realm EXAMPLE.COM
Old password for jane:New Password for jane:
Verifying password
New Password for jane:
Password changed.Adding su PrivilegesKerberos allows us to give each user
who needs root privileges their own
separate &man.su.1; password.
We could now add an ID which is authorized to
&man.su.1; to root. This is
controlled by having an instance of root
associated with a principal. Using kdb_edit
we can create the entry jane.root in the
Kerberos database:&prompt.root; kdb_edit
Opening database...
Enter Kerberos master key:
Current Kerberos master key version is 1.
Master key entered. BEWARE!
Previous or default values are in [brackets] ,
enter return to leave the same, or new value.
Principal name:janeInstance:root
<Not found>, Create [y] ? y
Principal: jane, Instance: root, kdc_key_ver: 1
New Password: <---- enter a SECURE password here
Verifying password
New Password: <---- re-enter the password here
Principal's new key version = 1
Expiration date (enter yyyy-mm-dd) [ 2000-01-01 ] ?Max ticket lifetime (*5 minutes) [ 255 ] ?12 <--- Keep this short!
Attributes [ 0 ] ?
Edit O.K.
Principal name: <---- null entry here will cause an exitNow try getting tokens for it to make sure it works:&prompt.root; kinit jane.root
MIT Project Athena (grunt.example.com)
Kerberos Initialization for "jane.root"
Password:Now we need to add the user to root's
.klogin file:&prompt.root; cat /root/.klogin
jane.root@EXAMPLE.COMNow try doing the &man.su.1;:&prompt.user; suPassword:and take a look at what tokens we have:&prompt.root; klist
Ticket file: /tmp/tkt_root_245
Principal: jane.root@EXAMPLE.COM
Issued Expires Principal
May 2 20:43:12 May 3 04:43:12 krbtgt.EXAMPLE.COM@EXAMPLE.COMUsing Other CommandsIn an earlier example, we created a principal called
jane with an instance root.
This was based on a user with the same name as the principal, and this
is a Kerberos default; that a
<principal>.<instance> of the form
<username>.root will allow
that <username> to &man.su.1; to
root if the necessary entries are in the
.klogin file in root's
home directory:&prompt.root; cat /root/.klogin
jane.root@EXAMPLE.COMLikewise, if a user has in their own home directory lines of the
form:&prompt.user; cat ~/.klogin
jane@EXAMPLE.COM
jack@EXAMPLE.COMThis allows anyone in the EXAMPLE.COM realm
who has authenticated themselves as jane or
jack (via kinit, see above)
to access to jane's
account or files on this system (grunt) via
&man.rlogin.1;, &man.rsh.1; or
&man.rcp.1;.For example, jane now logs into another system using
Kerberos:&prompt.user; kinit
MIT Project Athena (grunt.example.com)
Password:
&prompt.user; rlogin grunt
Last login: Mon May 1 21:14:47 from grumble
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
The Regents of the University of California. All rights reserved.
FreeBSD BUILT-19950429 (GR386) #0: Sat Apr 29 17:50:09 SAT 1995Or jack logs into jane's account on the same machine
(jane having
set up the .klogin file as above, and the person
in charge of Kerberos having set up principal
jack with a null instance):&prompt.user; kinit
&prompt.user; rlogin grunt -l jane
MIT Project Athena (grunt.example.com)
Password:
Last login: Mon May 1 21:16:55 from grumble
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
The Regents of the University of California. All rights reserved.
FreeBSD BUILT-19950429 (GR386) #0: Sat Apr 29 17:50:09 SAT 1995TillmanHodgsonContributed by MarkMurrayBased on a contribution by Kerberos5Every &os; release beyond &os;-5.1 includes support
only for Kerberos5. Hence
Kerberos5 is the only version
included, and its configuration is similar in many aspects
to that of KerberosIV. The following
information only applies to
Kerberos5 in post &os;-5.0
releases. Users who wish to use the
KerberosIV package may install the
security/krb4 port.Kerberos is a network add-on
system/protocol that allows users to authenticate themselves
through the services of a secure server. Services such as remote
login, remote copy, secure inter-system file copying and other
high-risk tasks are made considerably safer and more
controllable.Kerberos can be described as an
identity-verifying proxy system. It can also be described as a
trusted third-party authentication system.
Kerberos provides only one
function — the secure authentication of users on the network.
It does not provide authorization functions (what users are
allowed to do) or auditing functions (what those users did).
After a client and server have used
Kerberos to prove their identity, they
can also encrypt all of their communications to assure privacy
and data integrity as they go about their business.Therefore it is highly recommended that
Kerberos be used with other security
methods which provide authorization and audit services.The following instructions can be used as a guide on how to set
up Kerberos as distributed for &os;.
However, you should refer to the relevant manual pages for a complete
description.For purposes of demonstrating a Kerberos
installation, the various name spaces will be handled as follows:The DNS domain (zone)
will be example.org.The Kerberos realm will be
EXAMPLE.ORG.Please use real domain names when setting up
Kerberos even if you intend to run
it internally. This avoids DNS problems
and assures inter-operation with other
Kerberos realms.HistoryKerberos5historyKerberos was created by
MIT as a solution to network security problems.
The Kerberos protocol uses strong
cryptography so that a client can prove its identity to a server
(and vice versa) across an insecure network connection.Kerberos is both the name of a
network authentication protocol and an adjective to describe
programs that implement the program
(Kerberos telnet, for example). The
current version of the protocol is version 5, described in
RFC 1510.Several free implementations of this protocol are available,
covering a wide range of operating systems. The Massachusetts
Institute of Technology (MIT), where
Kerberos was originally developed,
continues to develop their Kerberos
package. It is commonly used in the US
as a cryptography product, as such it
has historically been affected by US export
regulations. The MIT
Kerberos is available as a port
(security/krb5). Heimdal
Kerberos is another version 5
implementation, and was explicitly developed outside of the
US to avoid export
regulations (and is thus often included in non-commercial &unix;
variants). The Heimdal Kerberos
distribution is available as a port
(security/heimdal), and a
minimal installation of it is included in the base &os;
install.In order to reach the widest audience, these instructions assume
the use of the Heimdal distribution included in &os;.Setting up a Heimdal KDCKerberos5Key Distribution CenterThe Key Distribution Center (KDC) is the
centralized authentication service that
Kerberos provides — it is the
computer that issues Kerberos tickets.
The KDC is considered trusted by
all other computers in the Kerberos
realm, and thus has heightened security concerns.Note that while running the Kerberos
server requires very few computing resources, a dedicated machine
acting only as a KDC is recommended for security
reasons.To begin setting up a KDC, ensure that your
/etc/rc.conf file contains the correct
settings to act as a KDC (you may need to adjust
paths to reflect your own system):kerberos5_server_enable="YES"
kadmind5_server_enable="YES"Next we will set up your Kerberos
config file, /etc/krb5.conf:[libdefaults]
default_realm = EXAMPLE.ORG
[realms]
EXAMPLE.ORG = {
kdc = kerberos.example.org
admin_server = kerberos.example.org
}
[domain_realm]
.example.org = EXAMPLE.ORGNote that this /etc/krb5.conf file implies
that your KDC will have the fully-qualified
hostname of kerberos.example.org.
You will need to add a CNAME (alias) entry to your zone file to
accomplish this if your KDC has a different
hostname.For large networks with a properly configured
BIND DNS server, the
above example could be trimmed to:[libdefaults]
default_realm = EXAMPLE.ORGWith the following lines being appended to the
example.org zonefile:_kerberos._udp IN SRV 01 00 88 kerberos.example.org.
_kerberos._tcp IN SRV 01 00 88 kerberos.example.org.
_kpasswd._udp IN SRV 01 00 464 kerberos.example.org.
_kerberos-adm._tcp IN SRV 01 00 749 kerberos.example.org.
_kerberos IN TXT EXAMPLE.ORGFor clients to be able to find the
Kerberos services, you
must have either a fully configured
/etc/krb5.conf or a minimally configured
/etc/krb5.confand a
properly configured DNS server.Next we will create the Kerberos
database. This database contains the keys of all principals encrypted
with a master password. You are not
required to remember this password, it will be stored in a file
(/var/heimdal/m-key). To create the master
key, run kstash and enter a password.Once the master key has been created, you can initialize the
database using the kadmin program with the
-l option (standing for local).
This option instructs kadmin to modify the
database files directly rather than going through the
kadmind network service. This handles the
chicken-and-egg problem of trying to connect to the database
before it is created. Once you have the kadmin
prompt, use the init command to create your
realms initial database.Lastly, while still in kadmin, create your
first principal using the add command. Stick
to the defaults options for the principal for now, you can always
change them later with the modify command.
Note that you can use the ? command at any
prompt to see the available options.A sample database creation session is shown below:&prompt.root; kstash
Master key: xxxxxxxx
Verifying password - Master key: xxxxxxxx
&prompt.root; kadmin -l
kadmin> init EXAMPLE.ORG
Realm max ticket life [unlimited]:
kadmin> add tillman
Max ticket life [unlimited]:
Max renewable life [unlimited]:
Attributes []:
Password: xxxxxxxx
Verifying password - Password: xxxxxxxxNow it is time to start up the KDC services.
Run /etc/rc.d/kerberos start and
/etc/rc.d/kadmind start to bring up the
services. Note that you will not have any kerberized daemons running
at this point but you should be able to confirm the that the
KDC is functioning by obtaining and listing a
ticket for the principal (user) that you just created from the
command-line of the KDC itself:&prompt.user; kinit tillman
tillman@EXAMPLE.ORG's Password:
&prompt.user; klist
Credentials cache: FILE:/tmp/krb5cc_500
Principal: tillman@EXAMPLE.ORG
Issued Expires Principal
Aug 27 15:37:58 Aug 28 01:37:58 krbtgt/EXAMPLE.ORG@EXAMPLE.ORGThe ticket can then be revoked when you have
finished:&prompt.user; k5destroyKerberos enabling a server with
Heimdal servicesKerberos5enabling servicesFirst, we need a copy of the Kerberos
configuration file, /etc/krb5.conf. To do
so, simply copy it over to the client computer from the
KDC in a secure fashion (using network utilities,
such as &man.scp.1;, or physically via a
floppy disk).Next you need a /etc/krb5.keytab file.
This is the major difference between a server providing
Kerberos enabled daemons and a
workstation — the server must have a
keytab file. This file
contains the server's host key, which allows it and the
KDC to verify each others identity. It
must be transmitted to the server in a secure fashion, as the
security of the server can be broken if the key is made public.
This explicitly means that transferring it via a clear text
channel, such as FTP, is a very bad idea.Typically, you transfer to the keytab
to the server using the kadmin program.
This is handy because you also need to create the host principal
(the KDC end of the
krb5.keytab) using
kadmin.Note that you must have already obtained a ticket and that this
ticket must be allowed to use the kadmin
interface in the kadmind.acl. See the section
titled Remote administration in the Heimdal info
pages (info heimdal) for details on designing
access control lists. If you do not want to enable remote
kadmin access, you can simply securely connect
to the KDC (via local console,
&man.ssh.1; or Kerberos
&man.telnet.1;) and perform administration locally
using kadmin -l.After installing the /etc/krb5.conf file,
you can use kadmin from the
Kerberos server. The
add --random-key command will let you add the
server's host principal, and the ext command
will allow you to extract the server's host principal to its own
keytab. For example:&prompt.root; kadmin
kadmin> add --random-key host/myserver.example.org
Max ticket life [unlimited]:
Max renewable life [unlimited]:
Attributes []:
kadmin> ext host/myserver.example.org
kadmin> exitNote that the ext command (short for
extract) stores the extracted key in
/etc/krb5.keytab by default.If you do not have kadmind running on the
KDC (possibly for security reasons) and thus
do not have access to kadmin remotely, you
can add the host principal
(host/myserver.EXAMPLE.ORG) directly on the
KDC and then extract it to a temporary file
(to avoid over-writing the /etc/krb5.keytab
on the KDC) using something like this:&prompt.root; kadmin
kadmin> ext --keytab=/tmp/example.keytab host/myserver.example.org
kadmin> exitYou can then securely copy the keytab to the server
computer (using scp or a floppy, for
example). Be sure to specify a non-default keytab name
to avoid over-writing the keytab on the
KDC.At this point your server can communicate with the
KDC (due to its krb5.conf
file) and it can prove its own identity (due to the
krb5.keytab file). It is now ready for
you to enable some Kerberos services.
For this example we will enable the telnet
service by putting a line like this into your
/etc/inetd.conf and then restarting the
&man.inetd.8; service with
/etc/rc.d/inetd restart:telnet stream tcp nowait root /usr/libexec/telnetd telnetd -a userThe critical bit is that the -a
(for authentication) type is set to user. Consult the
&man.telnetd.8; manual page for more details.Kerberos enabling a client with HeimdalKerberos5configure clientsSetting up a client computer is almost trivially easy. As
far as Kerberos configuration goes,
you only need the Kerberos
configuration file, located at /etc/krb5.conf.
Simply securely copy it over to the client computer from the
KDC.Test your client computer by attempting to use
kinit, klist, and
kdestroy from the client to obtain, show, and
then delete a ticket for the principal you created above. You
should also be able to use Kerberos
applications to connect to Kerberos
enabled servers, though if that does not work and obtaining a
ticket does the problem is likely with the server and not with
the client or the KDC.When testing an application like telnet,
try using a packet sniffer (such as &man.tcpdump.1;)
to confirm that your password is not sent in the clear. Try
using telnet with the -x
option, which encrypts the entire data stream (similar to
ssh).Various non-core Kerberos client
applications are also installed by default. This is where the
minimal nature of the base Heimdal installation is
felt: telnet is the only
Kerberos enabled service.The Heimdal port adds some of the missing client applications:
Kerberos enabled versions of
ftp, rsh,
rcp, rlogin, and a few
other less common programs. The MIT port also
contains a full suite of Kerberos
client applications.User configuration files: .k5login and .k5users.k5login.k5usersUsers within a realm typically have their
Kerberos principal (such as
tillman@EXAMPLE.ORG) mapped to a local
user account (such as a local account named
tillman). Client applications such as
telnet usually do not require a user name
or a principal.Occasionally, however, you want to grant access to a local
user account to someone who does not have a matching
Kerberos principal. For example,
tillman@EXAMPLE.ORG may need access to the
local user account webdevelopers. Other
principals may also need access to that local account.The .k5login and
.k5users files, placed in a users home
directory, can be used similar to a powerful combination of
.hosts and .rhosts,
solving this problem. For example, if a
.k5login with the following
contents:tillman@example.org
jdoe@example.orgWere to be placed into the home directory of the local user
webdevelopers then both principals listed
would have access to that account without requiring a shared
password.Reading the manual pages for these commands is recommended.
Note that the ksu manual page covers
.k5users.Kerberos Tips, Tricks, and TroubleshootingKerberos5troubleshootingWhen using either the Heimdal or MIT
Kerberos ports ensure that your
PATH environment variable lists the
Kerberos versions of the client
applications before the system versions.Do all the computers in your realm have synchronized
time settings? If not, authentication may fail.
describes how to synchronize
clocks using NTP.MIT and Heimdal inter-operate nicely.
Except for kadmin, the protocol for
which is not standardized.If you change your hostname, you also need to change your
host/ principal and update your keytab.
This also applies to special keytab entries like the
www/ principal used for Apache's
www/mod_auth_kerb.All hosts in your realm must be resolvable (both forwards
and reverse) in DNS (or
/etc/hosts as a minimum). CNAMEs
will work, but the A and PTR records must be correct and in
place. The error message is not very intuitive:
Kerberos5 refuses authentication because Read req
failed: Key table entry not found.Some operating systems that may being acting as clients
to your KDC do not set the permissions
for ksu to be setuid
root. This means that
ksu does not work, which is a good
security idea but annoying. This is not a
KDC error.With MIT
Kerberos, if you want to allow a
principal to have a ticket life longer than the default ten
hours, you must use modify_principal in
kadmin to change the maxlife of both the
principal in question and the krbtgt
principal. Then the principal can use the
-l option with kinit
to request a ticket with a longer lifetime.If you run a packet sniffer on your
KDC to add in troubleshooting and then
run kinit from a workstation, you will
notice that your TGT is sent
immediately upon running kinit —
even before you type your password! The explanation is
that the Kerberos server freely
transmits a TGT (Ticket Granting
Ticket) to any unauthorized request; however, every
TGT is encrypted in a key derived from
the user's password. Therefore, when a user types their
password it is not being sent to the KDC,
it is being used to decrypt the TGT that
kinit already obtained. If the decryption
process results in a valid ticket with a valid time stamp,
the user has valid Kerberos
credentials. These credentials include a session key for
establishing secure communications with the
Kerberos server in the future, as
well as the actual ticket-granting ticket, which is actually
encrypted with the Kerberos
server's own key. This second layer of encryption is
unknown to the user, but it is what allows the
Kerberos server to verify
the authenticity of each TGT.If you want to use long ticket lifetimes (a week, for
example) and you are using OpenSSH
to connect to the machine where your ticket is stored, make
sure that Kerberos
is set to no
in your sshd_config or else your tickets
will be deleted when you log out.Remember that host principals can have a longer ticket
lifetime as well. If your user principal has a lifetime of a
week but the host you are connecting to has a lifetime of nine
hours, you will have an expired host principal in your cache
and the ticket cache will not work as expected.When setting up a krb5.dict file to
prevent specific bad passwords from being used (the manual page
for kadmind covers this briefly), remember
that it only applies to principals that have a password policy
assigned to them. The krb5.dict files
format is simple: one string per line. Creating a symbolic
link to /usr/share/dict/words might be
useful.Differences with the MIT portThe major difference between the MIT
and Heimdal installs relates to the kadmin
program which has a different (but equivalent) set of commands
and uses a different protocol. This has a large implications
if your KDC is MIT as you
will not be able to use the Heimdal kadmin
program to administer your KDC remotely
(or vice versa, for that matter).The client applications may also take slightly different
command line options to accomplish the same tasks. Following
the instructions on the MIT
Kerberos web site
()
is recommended. Be careful of path issues: the
MIT port installs into
/usr/local/ by default, and the
normal system applications may be run instead
of MIT if your PATH
environment variable lists the system directories first.With the MIT
security/krb5 port
that is provided by &os;, be sure to read the
/usr/local/share/doc/krb5/README.FreeBSD
file installed by the port if you want to understand why logins
via telnetd and klogind
behave somewhat oddly. Most importantly, correcting the
incorrect permissions on cache file behavior
requires that the login.krb5 binary be used
for authentication so that it can properly change ownership for
the forwarded credentials.The rc.conf must also be modified
to contain the following configuration:kerberos5_server="/usr/local/sbin/krb5kdc"
kadmind5_server="/usr/local/sbin/kadmind"
kerberos5_server_enable="YES"
kadmind5_server_enable="YES"This is done because the applications for
MIT kerberos installs binaries in the
/usr/local
hierarchy.Mitigating limitations found in KerberosKerberos5limitations and shortcomingsKerberos is an all-or-nothing approachEvery service enabled on the network must be modified to
work with Kerberos (or be otherwise
secured against network attacks) or else the users credentials
could be stolen and re-used. An example of this would be
Kerberos enabling all remote shells
(via rsh and telnet, for
example) but not converting the POP3 mail
server which sends passwords in plain text.Kerberos is intended for single-user workstationsIn a multi-user environment,
Kerberos is less secure.
This is because it stores the tickets in the
/tmp directory, which is readable by all
users. If a user is sharing a computer with several other
people simultaneously (i.e. multi-user), it is possible that
the user's tickets can be stolen (copied) by another
user.This can be overcome with the -c
filename command-line option or (preferably) the
KRB5CCNAME environment variable, but this
is rarely done. In principal, storing the ticket in the users
home directory and using simple file permissions can mitigate
this problem.The KDC is a single point of failureBy design, the KDC must be as secure as
the master password database is contained on it. The
KDC should have absolutely no other
services running on it and should be physically secured. The
danger is high because Kerberos
stores all passwords encrypted with the same key (the
master key), which in turn is stored as a file
on the KDC.As a side note, a compromised master key is not quite as
bad as one might normally fear. The master key is only used
to encrypt the Kerberos database
and as a seed for the random number generator. As long as
access to your KDC is secure, an attacker
cannot do much with the master key.Additionally, if the KDC is unavailable
(perhaps due to a denial of service attack or network problems)
the network services are unusable as authentication can not be
performed, a recipe for a denial-of-service attack. This can
alleviated with multiple KDCs (a single
master and one or more slaves) and with careful implementation
of secondary or fall-back authentication
(PAM is excellent for this).Kerberos ShortcomingsKerberos allows users, hosts
and services to authenticate between themselves. It does not
have a mechanism to authenticate the KDC
to the users, hosts or services. This means that a trojanned
kinit (for example) could record all user
names and passwords. Something like
security/tripwire or
other file system integrity checking tools can alleviate
this.Resources and further informationKerberos5external resources
The Kerberos FAQDesigning
an Authentication System: a Dialog in Four ScenesRFC 1510,
The Kerberos Network Authentication Service
(V5)MIT
Kerberos home pageHeimdal
Kerberos home pageTomRhodesWritten by OpenSSLsecurityOpenSSLOne feature that many users overlook is the
OpenSSL toolkit included
in &os;. OpenSSL provides an
encryption transport layer on top of the normal communications
layer; thus allowing it to be intertwined with many network
applications and services.Some uses of OpenSSL may include
encrypted authentication of mail clients, web based transactions
such as credit card payments and more. Many ports such as
www/apache13-ssl, and
mail/sylpheed-claws
will offer compilation support for building with
OpenSSL.In most cases the Ports Collection will attempt to build
the security/openssl port
unless the WITH_OPENSSL_BASE make variable
is explicitly set to yes.The version of OpenSSL included
in &os; supports Secure Sockets Layer v2/v3 (SSLv2/SSLv3),
Transport Layer Security v1 (TLSv1) network security protocols
and can be used as a general cryptographic library.While OpenSSL supports the
IDEA algorithm, it is disabled by default
due to United States patents. To use it, the license should
be reviewed and, if the restrictions are acceptable, the
MAKE_IDEA variable must be set in
make.conf.One of the most common uses of
OpenSSL is to provide certificates for
use with software applications. These certificates ensure
that the credentials of the company or individual are valid
and not fraudulent. If the certificate in question has
not been verified by one of the several Certificate Authorities,
or CAs, a warning is usually produced. A
Certificate Authority is a company, such as VeriSign, which will
sign certificates in order to validate credentials of individuals
or companies. This process has a cost associated with it and
is definitely not a requirement for using certificates; however,
it can put some of the more paranoid users at ease.Generating CertificatesOpenSSLcertificate generationTo generate a certificate, the following command is
available:&prompt.root; openssl req -new -nodes -out req.pem -keyout cert.pem
Generating a 1024 bit RSA private key
................++++++
.......................................++++++
writing new private key to 'cert.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:PA
Locality Name (eg, city) []:Pittsburgh
Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Company
Organizational Unit Name (eg, section) []:Systems Administrator
Common Name (eg, YOUR name) []:localhost.example.org
Email Address []:trhodes@FreeBSD.org
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:SOME PASSWORD
An optional company name []:Another NameNotice the response directly after the
Common Name prompt shows a domain name.
This prompt requires a server name to be entered for
verification purposes; placing anything but a domain name
would yield a useless certificate. Other options, for
instance expire time, alternate encryption algorithms, etc.
are available. A complete list may be obtained by viewing
the &man.openssl.1; manual page.Two files should now exist in
the directory in which the aforementioned command was issued.
The certificate request, req.pem, may be
sent to a certificate authority who will validate the credentials
that you entered, sign the request and return the certificate to
you. The second file created will be named cert.pem
and is the private key for the certificate and should be
protected at all costs; if this falls in the hands of others it
can be used to impersonate you (or your server).In cases where a signature from a CA is
not required, a self signed certificate can be created. First,
generate the RSA key:&prompt.root; openssl dsaparam -rand -genkey -out myRSA.key 1024Next, generate the CA key:&prompt.root; openssl gendsa -des3 -out myca.keymyRSA.keyUse this key to create the certificate:&prompt.root; openssl req -new -x509 -days 365 -key myca.key -out new.crtTwo new files should appear in the directory: a certificate
authority signature file, myca.key and the
certificate itself, new.crt. These should
be placed in a directory, preferably under
/etc, which is readable
only by root. Permissions of 0700 should be fine for this and
they can be set with the chmod
utility.Using Certificates, an ExampleSo what can these files do? A good use would be to
encrypt connections to the Sendmail
MTA. This would dissolve the use of clear
text authentication for users who send mail via the local
MTA.This is not the best use in the world as some
MUAs will present the user with an
error if they have not installed the certificate locally.
Refer to the documentation included with the software for
more information on certificate installation.The following lines should be placed inside the
local .mc file:dnl SSL Options
define(`confCACERT_PATH',`/etc/certs')dnl
define(`confCACERT',`/etc/certs/new.crt')dnl
define(`confSERVER_CERT',`/etc/certs/new.crt')dnl
define(`confSERVER_KEY',`/etc/certs/myca.key')dnl
define(`confTLS_SRV_OPTIONS', `V')dnlWhere /etc/certs/
is the directory to be used for storing the certificate
and key files locally. The last few requirements are a rebuild
of the local .cf file. This is easily
achieved by typing make
install within the
/etc/mail
directory. Follow that up with make
restart which should start the
Sendmail daemon.If all went well there will be no error messages in the
/var/log/maillog file and
Sendmail will show up in the process
list.For a simple test, simply connect to the mail server
using the &man.telnet.1; utility:&prompt.root; telnet example.com 25
Trying 192.0.34.166...
Connected to example.com.
Escape character is '^]'.
220 example.com ESMTP Sendmail 8.12.10/8.12.10; Tue, 31 Aug 2004 03:41:22 -0400 (EDT)
ehlo example.com
250-example.com Hello example.com [192.0.34.166], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH LOGIN PLAIN
250-STARTTLS
250-DELIVERBY
250 HELP
quit
221 2.0.0 example.com closing connection
Connection closed by foreign host.If the STARTTLS line appears in the output
then everything is working correctly.NikClaytonnik@FreeBSD.orgWritten by IPsecVPN over IPsecCreating a VPN between two networks, separated by the
Internet, using FreeBSD gateways.Hiten M.Pandyahmp@FreeBSD.orgWritten by Understanding IPsecThis section will guide you through the process of setting
up IPsec. In order to set up
IPsec, it is necessary that you are familiar with the concepts
of building a custom kernel (see
).IPsec is a protocol which sits on top
of the Internet Protocol (IP) layer. It allows two or more
hosts to communicate in a secure manner (hence the name). The
FreeBSD IPsec network stack is based on the
KAME implementation,
which has support for both protocol families, IPv4 and
IPv6.IPsecESPIPsecAHIPsec consists of two sub-protocols:Encapsulated Security Payload
(ESP), protects the IP packet data from third
party interference, by encrypting the contents using
symmetric cryptography algorithms (like Blowfish,
3DES).Authentication Header (AH),
protects the IP packet header from third party interference
and spoofing, by computing a cryptographic checksum and
hashing the IP packet header fields with a secure hashing
function. This is then followed by an additional header
that contains the hash, to allow the information in the
packet to be authenticated.ESP and AH can
either be used together or separately, depending on the
environment.VPNvirtual private networkVPNIPsec can either be used to directly encrypt the traffic
between two hosts (known as Transport
Mode); or to build virtual tunnels
between two subnets, which could be used for secure
communication between two corporate networks (known as
Tunnel Mode). The latter is more commonly
known as a Virtual Private Network (VPN).
The &man.ipsec.4; manual page should be consulted for detailed
information on the IPsec subsystem in FreeBSD.To add IPsec support to your kernel, add the following
options to your kernel configuration file:kernel optionsIPSEC
options IPSEC #IP security
device crypto
kernel optionsIPSEC_DEBUGIf IPsec debugging support is desired, the following
kernel option should also be added:
options IPSEC_DEBUG #debug for IP security
The ProblemThere is no standard for what constitutes a VPN. VPNs can
be implemented using a number of different technologies, each of
which have their own strengths and weaknesses. This section
presents a scenario, and the strategies used for implementing a
VPN for this scenario.The Scenario: Two networks, one home based and one corporate
based. Both are connected to the Internet, and expected, via
this VPN to behave as one.VPNcreatingThe premise is as follows:You have at least two sitesBoth sites are using IP internallyBoth sites are connected to the Internet, through a
gateway that is running FreeBSD.The gateway on each network has at least one public IP
address.The internal addresses of the two networks can be
public or private IP addresses, it does not matter. They
just may not collide; e.g.: may not both use
192.168.1.x.TomRhodestrhodes@FreeBSD.orgWritten by Configuring IPsec on &os;To begin, the
security/ipsec-tools must
be installed from the Ports Collection. This third party
software package provides a number of applications which
will help support the configuration.The next requirement is to create two &man.gif.4;
pseudo-devices which will be used to tunnel packets and allow
both networks to communicate properly. As
root, run the following commands,
replacing the internal and
external items with the
real internal and external gateways:&prompt.root; ifconfig gif0 create&prompt.root; ifconfig gif0 internal1 internal2&prompt.root; ifconfig gif0 tunnel external1 external2For example, the corporate LAN's public
IP is
172.16.5.4 having a private
IP of
10.246.38.1. The home
LAN's public IP is
192.168.1.12 with an internal
private IP of
10.0.0.5.This may seem confusing, so review the following example
output from the &man.ifconfig.8; command:Gateway 1:
gif0: flags=8051 mtu 1280
tunnel inet 172.16.5.4 --> 192.168.1.12
inet6 fe80::2e0:81ff:fe02:5881%gif0 prefixlen 64 scopeid 0x6
inet 10.246.38.1 --> 10.0.0.5 netmask 0xffffff00
Gateway 2:
gif0: flags=8051 mtu 1280
tunnel inet 192.168.1.12 --> 172.16.5.4
inet 10.0.0.5 --> 10.246.38.1 netmask 0xffffff00
inet6 fe80::250:bfff:fe3a:c1f%gif0 prefixlen 64 scopeid 0x4Once complete, both private IPs
should be reachable using the &man.ping.8; command like
the following output suggests:priv-net# ping 10.0.0.5
PING 10.0.0.5 (10.0.0.5): 56 data bytes
64 bytes from 10.0.0.5: icmp_seq=0 ttl=64 time=42.786 ms
64 bytes from 10.0.0.5: icmp_seq=1 ttl=64 time=19.255 ms
64 bytes from 10.0.0.5: icmp_seq=2 ttl=64 time=20.440 ms
64 bytes from 10.0.0.5: icmp_seq=3 ttl=64 time=21.036 ms
--- 10.0.0.5 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max/stddev = 19.255/25.879/42.786/9.782 ms
corp-net# ping 10.246.38.1
PING 10.246.38.1 (10.246.38.1): 56 data bytes
64 bytes from 10.246.38.1: icmp_seq=0 ttl=64 time=28.106 ms
64 bytes from 10.246.38.1: icmp_seq=1 ttl=64 time=42.917 ms
64 bytes from 10.246.38.1: icmp_seq=2 ttl=64 time=127.525 ms
64 bytes from 10.246.38.1: icmp_seq=3 ttl=64 time=119.896 ms
64 bytes from 10.246.38.1: icmp_seq=4 ttl=64 time=154.524 ms
--- 10.246.38.1 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 28.106/94.594/154.524/49.814 msAs expected, both sides have the ability to send and
receive ICMP packets from the privately
configured addresses. Next, both gateways must be told how
to route packets in order to correctly send traffic from
either network. The following command will achieve this
goal:&prompt.root; corp-net# route add 10.0.0.0 10.0.0.5 255.255.255.0&prompt.root; corp-net# route add net 10.0.0.0: gateway 10.0.0.5&prompt.root; priv-net# route add 10.246.38.0 10.246.38.1 255.255.255.0&prompt.root; priv-net# route add host 10.246.38.0: gateway 10.246.38.1At this point, internal machines should be reachable from
each gateway as well as from machines behind the gateways. This
is easily determined from the following example:corp-net# ping 10.0.0.8
PING 10.0.0.8 (10.0.0.8): 56 data bytes
64 bytes from 10.0.0.8: icmp_seq=0 ttl=63 time=92.391 ms
64 bytes from 10.0.0.8: icmp_seq=1 ttl=63 time=21.870 ms
64 bytes from 10.0.0.8: icmp_seq=2 ttl=63 time=198.022 ms
64 bytes from 10.0.0.8: icmp_seq=3 ttl=63 time=22.241 ms
64 bytes from 10.0.0.8: icmp_seq=4 ttl=63 time=174.705 ms
--- 10.0.0.8 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 21.870/101.846/198.022/74.001 ms
priv-net# ping 10.246.38.107
PING 10.246.38.1 (10.246.38.107): 56 data bytes
64 bytes from 10.246.38.107: icmp_seq=0 ttl=64 time=53.491 ms
64 bytes from 10.246.38.107: icmp_seq=1 ttl=64 time=23.395 ms
64 bytes from 10.246.38.107: icmp_seq=2 ttl=64 time=23.865 ms
64 bytes from 10.246.38.107: icmp_seq=3 ttl=64 time=21.145 ms
64 bytes from 10.246.38.107: icmp_seq=4 ttl=64 time=36.708 ms
--- 10.246.38.107 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 21.145/31.721/53.491/12.179 msSetting up the tunnels is the easy part. Configuring
a secure link is a much more in depth process. The following
configuration uses pre-shared (PSK)
RSA keys. Aside from the
IP addresses, both
/usr/local/etc/racoon/racoon.conf files
will be identical and look similar topath pre_shared_key "/usr/local/etc/racoon/psk.txt"; #location of pre-shared key file
log debug; #log verbosity setting: set to 'notify' when testing and debugging is complete
padding # options are not to be changed
{
maximum_length 20;
randomize off;
strict_check off;
exclusive_tail off;
}
timer # timing options. change as needed
{
counter 5;
interval 20 sec;
persend 1;
# natt_keepalive 15 sec;
phase1 30 sec;
phase2 15 sec;
}
listen # address [port] that racoon will listening on
{
isakmp 172.16.5.4 [500];
isakmp_natt 172.16.5.4 [4500];
}
remote 192.168.1.12 [500]
{
exchange_mode main,aggressive;
doi ipsec_doi;
situation identity_only;
my_identifier address 172.16.5.4;
peers_identifier address 192.168.1.12;
lifetime time 8 hour;
passive off;
proposal_check obey;
# nat_traversal off;
generate_policy off;
proposal {
encryption_algorithm blowfish;
hash_algorithm md5;
authentication_method pre_shared_key;
lifetime time 30 sec;
dh_group 1;
}
}
sainfo (address 10.246.38.0/24 any address 10.0.0.0/24 any) # address $network/$netmask $type address $network/$netmask $type ( $type being any or esp)
{ # $network must be the two internal networks you are joining.
pfs_group 1;
lifetime time 36000 sec;
encryption_algorithm blowfish,3des,des;
authentication_algorithm hmac_md5,hmac_sha1;
compression_algorithm deflate;
}Explaining every available option, along with those listed
in these examples is beyond the scope of this document. There
is plenty of relevant information in the
racoon configuration manual
page.The SPD policies need to be configured
so &os; and racoon is able to
encrypt and decrypt network traffic between hosts.This task may be undertaken with a simple shell script
similar to the following which is on the corporate
gateway. This file will be used during system
initialization and should be saved as
/usr/local/etc/racoon/setkey.conf.flush;
spdflush;
# To the home network
spdadd 10.246.38.0/24 10.0.0.0/24 any -P out ipsec esp/tunnel/172.16.5.4-192.168.1.12/use;
spdadd 10.0.0.0/24 10.246.38.0/24 any -P in ipsec esp/tunnel/192.168.1.12-172.16.5.4/use;Once in place, racoon may
be started on both gateways using the following
command:&prompt.root; /usr/local/sbin/racoon -F -f /usr/local/etc/racoon/racoon.conf -l /var/log/racoon.logThe output should be similar to the following:corp-net# /usr/local/sbin/racoon -F -f /usr/local/etc/racoon/racoon.conf
Foreground mode.
2006-01-30 01:35:47: INFO: begin Identity Protection mode.
2006-01-30 01:35:48: INFO: received Vendor ID: KAME/racoon
2006-01-30 01:35:55: INFO: received Vendor ID: KAME/racoon
2006-01-30 01:36:04: INFO: ISAKMP-SA established 172.16.5.4[500]-192.168.1.12[500] spi:623b9b3bd2492452:7deab82d54ff704a
2006-01-30 01:36:05: INFO: initiate new phase 2 negotiation: 172.16.5.4[0]192.168.1.12[0]
2006-01-30 01:36:09: INFO: IPsec-SA established: ESP/Tunnel 192.168.1.12[0]->172.16.5.4[0] spi=28496098(0x1b2d0e2)
2006-01-30 01:36:09: INFO: IPsec-SA established: ESP/Tunnel 172.16.5.4[0]->192.168.1.12[0] spi=47784998(0x2d92426)
2006-01-30 01:36:13: INFO: respond new phase 2 negotiation: 172.16.5.4[0]192.168.1.12[0]
2006-01-30 01:36:18: INFO: IPsec-SA established: ESP/Tunnel 192.168.1.12[0]->172.16.5.4[0] spi=124397467(0x76a279b)
2006-01-30 01:36:18: INFO: IPsec-SA established: ESP/Tunnel 172.16.5.4[0]->192.168.1.12[0] spi=175852902(0xa7b4d66)To ensure the tunnel is working properly, switch to another
console and use &man.tcpdump.1; to view network traffic using
the following command. Replace em0 with
the network interface card as required.&prompt.root; tcpdump -i em0 host 172.16.5.4 and dst 192.168.1.12Data similar to the following should appear on the
console. If not, there is an issue, and debugging the
returned data will be required.01:47:32.021683 IP corporatenetwork.com > 192.168.1.12.privatenetwork.com: ESP(spi=0x02acbf9f,seq=0xa)
01:47:33.022442 IP corporatenetwork.com > 192.168.1.12.privatenetwork.com: ESP(spi=0x02acbf9f,seq=0xb)
01:47:34.024218 IP corporatenetwork.com > 192.168.1.12.privatenetwork.com: ESP(spi=0x02acbf9f,seq=0xc)At this point, both networks should be available and
seem to be part of the same network. Most likely both
networks are protected by a firewall, as they should be. To
allow traffic to flow between them, rules need to be added
to pass packets back and forth. For the &man.ipfw.8; firewall,
add the following lines to the firewall configuration
file:ipfw add 00201 allow log esp from any to any
ipfw add 00202 allow log ah from any to any
ipfw add 00203 allow log ipencap from any to any
ipfw add 00204 allow log usp from any 500 to anyThe rule numbers may need to be altered depending
on the current host configuration.For users of &man.pf.4; or &man.ipf.8;, the following
rules should do the trick:pass in quick proto esp from any to any
pass in quick proto ah from any to any
pass in quick proto ipencap from any to any
pass in quick proto udp from any port = 500 to any port = 500
pass in quick on gif0 from any to any
pass out quick proto esp from any to any
pass out quick proto ah from any to any
pass out quick proto ipencap from any to any
pass out quick proto udp from any port = 500 to any port = 500
pass out quick on gif0 from any to anyFinally, to allow the machine to start support
for the VPN during system initialization,
add the following lines to
/etc/rc.conf:ipsec_enable="YES"
ipsec_program="/usr/local/sbin/setkey"
ipsec_file="/usr/local/etc/racoon/setkey.conf" # allows setting up spd policies on boot
racoon_enable="yes"ChernLeeContributed by OpenSSHOpenSSHsecurityOpenSSHOpenSSH is a set of network connectivity tools used to
access remote machines securely. It can be used as a direct
replacement for rlogin,
rsh, rcp, and
telnet. Additionally, TCP/IP
connections can be tunneled/forwarded securely through SSH.
OpenSSH encrypts all traffic to effectively eliminate eavesdropping,
connection hijacking, and other network-level attacks.OpenSSH is maintained by the OpenBSD project, and is based
upon SSH v1.2.12 with all the recent bug fixes and updates. It
is compatible with both SSH protocols 1 and 2.Advantages of Using OpenSSHNormally, when using &man.telnet.1; or &man.rlogin.1;,
data is sent over the network in a clear, un-encrypted form.
Network sniffers anywhere in between the client and server can
steal your user/password information or data transferred in
your session. OpenSSH offers a variety of authentication and
encryption methods to prevent this from happening.Enabling sshdOpenSSHenablingThe
sshd is an option presented during
a Standard install of &os;. To see if
sshd is enabled, check the
rc.conf file for:sshd_enable="YES"This will load &man.sshd.8;, the daemon program for OpenSSH,
the next time your system initializes. Alternatively, it is
possible to use /etc/rc.d/sshd &man.rc.8;
script to start OpenSSH:/etc/rc.d/sshd startSSH ClientOpenSSHclientThe &man.ssh.1; utility works similarly to
&man.rlogin.1;.&prompt.root; ssh user@example.com
Host key not found from the list of known hosts.
Are you sure you want to continue connecting (yes/no)? yes
Host 'example.com' added to the list of known hosts.
user@example.com's password: *******The login will continue just as it would have if a session was
created using rlogin or
telnet. SSH utilizes a key fingerprint
system for verifying the authenticity of the server when the
client connects. The user is prompted to enter
yes only when
connecting for the first time. Future attempts to login are all
verified against the saved fingerprint key. The SSH client
will alert you if the saved fingerprint differs from the
received fingerprint on future login attempts. The fingerprints
are saved in ~/.ssh/known_hosts, or
~/.ssh/known_hosts2 for SSH v2
fingerprints.By default, recent versions of the
OpenSSH servers only accept SSH v2
connections. The client will use version 2 if possible and
will fall back to version 1. The client can also be forced to
use one or the other by passing it the or
for version 1 or version 2, respectively.
The version 1 compatibility is maintained in the client for
backwards compatibility with older versions.Secure CopyOpenSSHsecure copyscpThe &man.scp.1; command works similarly to
&man.rcp.1;; it copies a file to or from a remote machine,
except in a secure fashion.&prompt.root; scp user@example.com:/COPYRIGHT COPYRIGHT
user@example.com's password: *******
COPYRIGHT 100% |*****************************| 4735
00:00
&prompt.root;Since the fingerprint was already saved for this host in the
previous example, it is verified when using &man.scp.1;
here.The arguments passed to &man.scp.1; are similar
to &man.cp.1;, with the file or files in the first
argument, and the destination in the second. Since the file is
fetched over the network, through SSH, one or more of the file
arguments takes on the form
.ConfigurationOpenSSHconfigurationThe system-wide configuration files for both the
OpenSSH daemon and client reside
within the /etc/ssh directory.ssh_config configures the client
settings, while sshd_config configures the
daemon.Additionally, the
(/usr/sbin/sshd by default), and
rc.conf
options can provide more levels of configuration.ssh-keygenInstead of using passwords, &man.ssh-keygen.1; can
be used to generate DSA or RSA keys to authenticate a user:&prompt.user; ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_dsa):
Created directory '/home/user/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/user/.ssh/id_dsa.
Your public key has been saved in /home/user/.ssh/id_dsa.pub.
The key fingerprint is:
bb:48:db:f2:93:57:80:b6:aa:bc:f5:d5:ba:8f:79:17 user@host.example.com
&man.ssh-keygen.1; will create a public and private
key pair for use in authentication. The private key is stored in
~/.ssh/id_dsa or
~/.ssh/id_rsa, whereas the public key is
stored in ~/.ssh/id_dsa.pub or
~/.ssh/id_rsa.pub, respectively for
DSA and RSA key types.
The public key must be placed in the
~/.ssh/authorized_keys file of the remote
machine for both RSA or
DSA keys in order for the setup to
work.This will allow connection to the remote machine based upon
SSH keys instead of passwords.If a passphrase is used in &man.ssh-keygen.1;, the user
will be prompted for a password each time in order to use the
private key. &man.ssh-agent.1; can alleviate the strain of
repeatedly entering long passphrases, and is explored in the
section below.The various options and files can be different
according to the OpenSSH version
you have on your system; to avoid problems you should consult
the &man.ssh-keygen.1; manual page.ssh-agent and ssh-addThe &man.ssh-agent.1; and &man.ssh-add.1; utilities provide
methods for SSH keys to be loaded
into memory for use, without needing to type the passphrase
each time.The &man.ssh-agent.1; utility will handle the authentication
using the private key(s) that are loaded into it.
&man.ssh-agent.1; should be used to launch another application.
At the most basic level, it could spawn a shell or at a more
advanced level, a window manager.To use &man.ssh-agent.1; in a shell, first it will need to
be spawned with a shell as an argument. Secondly, the
identity needs to be added by running &man.ssh-add.1; and
providing it the passphrase for the private key. Once these
steps have been completed the user will be able to &man.ssh.1;
to any host that has the corresponding public key installed.
For example:&prompt.user; ssh-agent csh
&prompt.user; ssh-add
Enter passphrase for /home/user/.ssh/id_dsa:
Identity added: /home/user/.ssh/id_dsa (/home/user/.ssh/id_dsa)
&prompt.user;To use &man.ssh-agent.1; in X11, a call to
&man.ssh-agent.1; will need to be placed in
~/.xinitrc. This will provide the
&man.ssh-agent.1; services to all programs launched in X11.
An example ~/.xinitrc file might look
like this:exec ssh-agent startxfce4This would launch &man.ssh-agent.1;, which would in turn
launch XFCE, every time X11 starts.
Then once that is done and X11 has been restarted so that the
changes can take effect, simply run &man.ssh-add.1; to load
all of your SSH keys.SSH TunnelingOpenSSHtunnelingOpenSSH has the ability to create a tunnel to encapsulate
another protocol in an encrypted session.The following command tells &man.ssh.1; to create a tunnel
for telnet:&prompt.user; ssh -2 -N -f -L 5023:localhost:23 user@foo.example.com
&prompt.user;The ssh command is used with the
following options:Forces ssh to use version 2 of
the protocol. (Do not use if you are working with older
SSH servers)Indicates no command, or tunnel only. If omitted,
ssh would initiate a normal
session.Forces ssh to run in the
background.Indicates a local tunnel in
localport:remotehost:remoteport
fashion.The remote SSH server.An SSH tunnel works by creating a listen socket on
localhost on the specified port.
It then forwards any connection received
on the local host/port via the SSH connection to the specified
remote host and port.In the example, port 5023 on
localhost is being forwarded to port
23 on localhost
of the remote machine. Since 23 is telnet,
this would create a secure telnet session through an SSH tunnel.This can be used to wrap any number of insecure TCP
protocols such as SMTP, POP3, FTP, etc.Using SSH to Create a Secure Tunnel for SMTP&prompt.user; ssh -2 -N -f -L 5025:localhost:25 user@mailserver.example.com
user@mailserver.example.com's password: *****
&prompt.user; telnet localhost 5025
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 mailserver.example.com ESMTPThis can be used in conjunction with an
&man.ssh-keygen.1; and additional user accounts to create a
more seamless/hassle-free SSH tunneling environment. Keys
can be used in place of typing a password, and the tunnels
can be run as a separate user.Practical SSH Tunneling ExamplesSecure Access of a POP3 ServerAt work, there is an SSH server that accepts
connections from the outside. On the same office network
resides a mail server running a POP3 server. The network,
or network path between your home and office may or may not
be completely trustable. Because of this, you need to check
your e-mail in a secure manner. The solution is to create
an SSH connection to your office's SSH server, and tunnel
through to the mail server.&prompt.user; ssh -2 -N -f -L 2110:mail.example.com:110 user@ssh-server.example.com
user@ssh-server.example.com's password: ******When the tunnel is up and running, you can point your
mail client to send POP3 requests to localhost
port 2110. A connection here will be forwarded securely across
the tunnel to mail.example.com.Bypassing a Draconian FirewallSome network administrators impose extremely draconian
firewall rules, filtering not only incoming connections,
but outgoing connections. You may be only given access
to contact remote machines on ports 22 and 80 for SSH
and web surfing.You may wish to access another (perhaps non-work
related) service, such as an Ogg Vorbis server to stream
music. If this Ogg Vorbis server is streaming on some other
port than 22 or 80, you will not be able to access it.The solution is to create an SSH connection to a machine
outside of your network's firewall, and use it to tunnel to
the Ogg Vorbis server.&prompt.user; ssh -2 -N -f -L 8888:music.example.com:8000 user@unfirewalled-system.example.org
user@unfirewalled-system.example.org's password: *******Your streaming client can now be pointed to
localhost port 8888, which will be
forwarded over to music.example.com port
8000, successfully evading the firewall.The AllowUsers Users OptionIt is often a good idea to limit which users can log in and
from where. The AllowUsers option is a good
way to accomplish this. For example, to only allow the
root user to log in from
192.168.1.32, something like this
would be appropriate in the
/etc/ssh/sshd_config file:AllowUsers root@192.168.1.32To allow the user admin to log in from
anywhere, just list the username by itself:AllowUsers adminMultiple users should be listed on the same line, like so:AllowUsers root@192.168.1.32 adminIt is important that you list each user that needs to
log in to this machine; otherwise they will be locked out.After making changes to
/etc/ssh/sshd_config you must tell
&man.sshd.8; to reload its config files, by running:&prompt.root; /etc/rc.d/sshd reloadFurther ReadingOpenSSH&man.ssh.1; &man.scp.1; &man.ssh-keygen.1;
&man.ssh-agent.1; &man.ssh-add.1; &man.ssh.config.5;&man.sshd.8; &man.sftp-server.8; &man.sshd.config.5;TomRhodesContributed by ACLFile System Access Control ListsIn conjunction with file system enhancements like snapshots, FreeBSD 5.0
and later offers the security of File System Access Control Lists
(ACLs).Access Control Lists extend the standard &unix;
permission model in a highly compatible (&posix;.1e) way. This feature
permits an administrator to make use of and take advantage of a
more sophisticated security model.To enable ACL support for UFS
file systems, the following:options UFS_ACLmust be compiled into the kernel. If this option has
not been compiled in, a warning message will be displayed
when attempting to mount a file system supporting ACLs.
This option is included in the GENERIC kernel.
ACLs rely on extended attributes being enabled on
the file system. Extended attributes are natively supported in the next generation
&unix; file system, UFS2.A higher level of administrative overhead is required to
configure extended attributes on UFS1 than on
UFS2. The performance of extended attributes
on UFS2 is also substantially higher. As a
result, UFS2 is generally recommended in preference
to UFS1 for use with access control lists.ACLs are enabled by the mount-time administrative
flag, , which may be added to /etc/fstab.
The mount-time flag can also be automatically set in a persistent manner using
&man.tunefs.8; to modify a superblock ACLs flag in the
file system header. In general, it is preferred to use the superblock flag
for several reasons:The mount-time ACLs flag cannot be changed by a
remount (&man.mount.8; ), only by means of a complete
&man.umount.8; and fresh &man.mount.8;. This means that
ACLs cannot be enabled on the root file system after boot.
It also means that you cannot change the disposition of a file system once
it is in use.Setting the superblock flag will cause the file system to always be
mounted with ACLs enabled even if there is not an
fstab entry or if the devices re-order. This prevents
accidental mounting of the file system without ACLs
enabled, which can result in ACLs being improperly enforced,
and hence security problems.We may change the ACLs behavior to allow the flag to
be enabled without a complete fresh &man.mount.8;, but we consider it desirable to
discourage accidental mounting without ACLs enabled, because you
can shoot your feet quite nastily if you enable ACLs, then disable
them, then re-enable them without flushing the extended attributes. In general, once
you have enabled ACLs on a file system, they should not be disabled,
as the resulting file protections may not be compatible with those intended by the
users of the system, and re-enabling ACLs may re-attach the previous
ACLs to files that have since had their permissions changed,
resulting in other unpredictable behavior.File systems with ACLs enabled will show a +
(plus) sign in their permission settings when viewed. For example:drwx------ 2 robert robert 512 Dec 27 11:54 private
drwxrwx---+ 2 robert robert 512 Dec 23 10:57 directory1
drwxrwx---+ 2 robert robert 512 Dec 22 10:20 directory2
drwxrwx---+ 2 robert robert 512 Dec 27 11:57 directory3
drwxr-xr-x 2 robert robert 512 Nov 10 11:54 public_htmlHere we see that the directory1,
directory2, and directory3
directories are all taking advantage of ACLs. The
public_html directory is not.Making Use of ACLsThe file system ACLs can be viewed by the
&man.getfacl.1; utility. For instance, to view the
ACL settings on the test
file, one would use the command:&prompt.user; getfacl test
#file:test
#owner:1001
#group:1001
user::rw-
group::r--
other::r--To change the ACL settings on this file,
invoke the &man.setfacl.1; utility. Observe:&prompt.user; setfacl -k testThe flag will remove all of the
currently defined ACLs from a file or file
system. The more preferable method would be to use
as it leaves the basic fields required for
ACLs to work.&prompt.user; setfacl -m u:trhodes:rwx,group:web:r--,o::--- testIn the aforementioned command, the
option was used to modify the default ACL
entries. Since there were no pre-defined entries, as they were
removed by the previous command, this will restore the default
options and assign the options listed. Take care to notice that
if you add a user or group which does not exist on the system,
an Invalid argument error will be printed
to stdout.TomRhodesContributed by PortauditMonitoring Third Party Security IssuesIn recent years, the security world has made many improvements
to how vulnerability assessment is handled. The threat of system
intrusion increases as third party utilities are installed and
configured for virtually any operating system available
today.Vulnerability assessment is a key factor in security, and
while &os; releases advisories for the base system, doing so
for every third party utility is beyond the &os; Project's
capability. There is a way to mitigate third party
vulnerabilities and warn administrators of known security
issues. A &os; add on utility known as
Portaudit exists solely for this
purpose.
- The ports-mgmt/portaudit port
+ The ports-mgmt/portaudit port
polls a database, updated and maintained by the &os; Security
Team and ports developers, for known security issues.To begin using Portaudit, one
must install it from the Ports Collection:&prompt.root; cd /usr/ports/ports-mgmt/portaudit && make install cleanDuring the install process, the configuration files for
&man.periodic.8; will be updated, permitting
Portaudit output in the daily security
runs. Ensure the daily security run emails, which are sent to
root's email account, are being read. No
more configuration will be required here.After installation, an administrator can update the database
and view known vulnerabilities in installed packages by invoking
the following command:&prompt.root; portaudit -FdaThe database will automatically be updated during the
&man.periodic.8; run; thus, the previous command is completely
optional. It is only required for the following
examples.To audit the third party utilities installed as part of
the Ports Collection at anytime, an administrator need only run
the following command:&prompt.root; portaudit -aPortaudit will produce something
like this for vulnerable packages:Affected package: cups-base-1.1.22.0_1
Type of problem: cups-base -- HPGL buffer overflow vulnerability.
Reference: <http://www.FreeBSD.org/ports/portaudit/40a3bca2-6809-11d9-a9e7-0001020eed82.html>
1 problem(s) in your installed packages found.
You are advised to update or deinstall the affected package(s) immediately.By pointing a web browser to the URL shown,
an administrator may obtain more information about the
vulnerability in question. This will include versions affected,
by &os; Port version, along with other web sites which may contain
security advisories.In short, Portaudit is a powerful
utility and extremely useful when coupled with the
Portupgrade port.TomRhodesContributed by FreeBSD Security Advisories&os; Security AdvisoriesLike many production quality operating systems, &os; publishes
Security Advisories. These advisories are usually
mailed to the security lists and noted in the Errata only
after the appropriate releases have been patched. This section
will work to explain what an advisory is, how to understand it,
and what measures to take in order to patch a system.What does an advisory look like?The &os; security advisories look similar to the one below,
taken from the &a.security-notifications.name; mailing list.=============================================================================
&os;-SA-XX:XX.UTIL Security Advisory
The &os; Project
Topic: denial of service due to some problem
Category: core
Module: sys
Announced: 2003-09-23
Credits: Person@EMAIL-ADDRESS
Affects: All releases of &os;
&os; 4-STABLE prior to the correction date
Corrected: 2003-09-23 16:42:59 UTC (RELENG_4, 4.9-PRERELEASE)
2003-09-23 20:08:42 UTC (RELENG_5_1, 5.1-RELEASE-p6)
2003-09-23 20:07:06 UTC (RELENG_5_0, 5.0-RELEASE-p15)
2003-09-23 16:44:58 UTC (RELENG_4_8, 4.8-RELEASE-p8)
2003-09-23 16:47:34 UTC (RELENG_4_7, 4.7-RELEASE-p18)
2003-09-23 16:49:46 UTC (RELENG_4_6, 4.6-RELEASE-p21)
2003-09-23 16:51:24 UTC (RELENG_4_5, 4.5-RELEASE-p33)
2003-09-23 16:52:45 UTC (RELENG_4_4, 4.4-RELEASE-p43)
2003-09-23 16:54:39 UTC (RELENG_4_3, 4.3-RELEASE-p39)
CVE Name: CVE-XXXX-XXXX
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit
http://www.FreeBSD.org/security/.
I. Background
II. Problem Description
III. Impact
IV. Workaround
V. Solution
VI. Correction details
VII. ReferencesThe Topic field indicates exactly what the problem is.
It is basically an introduction to the current security
advisory and notes the utility with the
vulnerability.The Category refers to the affected part of the system
which may be one of core, contrib, or ports. The core
category means that the vulnerability affects a core
component of the &os; operating system. The contrib
category means that the vulnerability affects software
contributed to the &os; Project, such as
sendmail. Finally the ports
category indicates that the vulnerability affects add on
software available as part of the Ports Collection.The Module field refers to the component location, for
instance sys. In this example, we see that the module,
sys, is affected; therefore, this vulnerability
affects a component used within the kernel.The Announced field reflects the date said security
advisory was published, or announced to the world. This
means that the security team has verified that the problem
does exist and that a patch has been committed to the &os;
source code repository.The Credits field gives credit to the individual or
organization who noticed the vulnerability and reported
it.The Affects field explains which releases of &os; are
affected by this vulnerability. For the kernel, a quick
look over the output from ident on the
affected files will help in determining the revision.
For ports, the version number is listed after the port name
in /var/db/pkg. If the system does not
sync with the &os; CVS repository and rebuild
daily, chances are that it is affected.The Corrected field indicates the date, time, time
offset, and release that was corrected.Reserved for the identification information used to look up
vulnerabilities in the Common Vulnerabilities Database system.The Background field gives information on exactly what
the affected utility is. Most of the time this is why
the utility exists in &os;, what it is used for, and a bit
of information on how the utility came to be.The Problem Description field explains the security hole
in depth. This can include information on flawed code, or
even how the utility could be maliciously used to open
a security hole.The Impact field describes what type of impact the
problem could have on a system. For example, this could
be anything from a denial of service attack, to extra
privileges available to users, or even giving the attacker
superuser access.The Workaround field offers a feasible workaround to
system administrators who may be incapable of upgrading
the system. This may be due to time constraints, network
availability, or a slew of other reasons. Regardless,
security should not be taken lightly, and an affected system
should either be patched or the security hole workaround
should be implemented.The Solution field offers instructions on patching the
affected system. This is a step by step tested and verified
method for getting a system patched and working
securely.The Correction Details field displays the
CVS branch or release name with the
periods changed to underscore characters. It also shows
the revision number of the affected files within each
branch.The References field usually offers sources of other
information. This can include web URLs,
books, mailing lists, and newsgroups.TomRhodesContributed by Process AccountingProcess AccountingProcess accounting is a security method in which an
administrator may keep track of system resources used,
their allocation among users, provide for system monitoring,
and minimally track a user's commands.This indeed has its own positive and negative points. One of
the positives is that an intrusion may be narrowed down
to the point of entry. A negative is the amount of logs
generated by process accounting, and the disk space they may
require. This section will walk an administrator through
the basics of process accounting.Enable and Utilizing Process AccountingBefore making use of process accounting, it
must be enabled. To do this, execute the following
commands:&prompt.root; touch /var/account/acct
&prompt.root; accton /var/account/acct
&prompt.root; echo 'accounting_enable="YES"' >> /etc/rc.confOnce enabled, accounting will begin to track
CPU stats, commands, etc. All accounting
logs are in a non-human readable format and may be viewed
using the &man.sa.8; utility. If issued without any options,
sa will print information relating to the
number of per user calls, the total elapsed time in minutes,
total CPU and user time in minutes, average
number of I/O operations, etc.To view information about commands being issued, one
would use the &man.lastcomm.1; utility. The
lastcomm command may be used to print out commands
issued by users on specific &man.ttys.5;, for example:&prompt.root; lastcomm ls
trhodes ttyp1Would print out all known usage of the ls
by trhodes on the ttyp1 terminal.Many other useful options exist and are explained in the
&man.lastcomm.1;, &man.acct.5; and &man.sa.8; manual
pages.