diff --git a/en_US.ISO8859-1/books/handbook/config/chapter.sgml b/en_US.ISO8859-1/books/handbook/config/chapter.sgml
index 8d396b81bc..88bb051922 100644
--- a/en_US.ISO8859-1/books/handbook/config/chapter.sgml
+++ b/en_US.ISO8859-1/books/handbook/config/chapter.sgml
@@ -1,2990 +1,2990 @@
ChernLeeWritten by MikeSmithBased on a tutorial written by MattDillonAlso based on tuning(7) written by Configuration and TuningSynopsissystem configurationsystem optimizationOne of the important aspects of &os; is system configuration.
Correct system configuration will help prevent headaches during future upgrades.
This chapter will explain much of the &os; configuration process,
including some of the parameters which
can be set to tune a &os; system.
After reading this chapter, you will know:How to efficiently work with
file systems and swap partitions.The basics of rc.conf configuration and
/usr/local/etc/rc.d startup systems.How to configure and test a network card.How to configure virtual hosts on your network devices.How to use the various configuration files in
/etc.How to tune &os; using sysctl
variables.How to tune disk performance and modify kernel
limitations.Before reading this chapter, you should:Understand &unix; and &os; basics ().Be familiar with the basics of kernel configuration/compilation
().Initial ConfigurationPartition Layoutpartition layout/etc/var/usrBase PartitionsWhen laying out file systems with &man.disklabel.8;
or &man.sysinstall.8;, remember that hard
drives transfer data faster from the outer
tracks to the inner.
Thus smaller and heavier-accessed file systems
should be closer to the outside of the drive, while
larger partitions like /usr should be placed
toward the inner. It is a good idea to create
partitions in a similar order to: root, swap,
/var, /usr.The size of /var
reflects the intended machine usage.
/var is used to hold
mailboxes, log files, and printer spools. Mailboxes and log
files can grow to unexpected sizes depending
on how many users exist and how long log
files are kept. Most users would never require a gigabyte,
but remember that /var/tmp
must be large enough to contain packages.
The /usr partition holds much
of the files required to support the system, the &man.ports.7;
collection (recommended) and the source code (optional). Both
of which are optional at install time.
At least 2 gigabytes would be recommended for this partition.When selecting partition sizes, keep the space
requirements in mind. Running out of space in
one partition while barely using another can be a
hassle.Some users have found that &man.sysinstall.8;'s
Auto-defaults partition sizer will
sometimes select smaller than adequate /var
and / partitions. Partition wisely and
generously.Swap Partitionswap sizingswap partitionAs a rule of thumb, the swap partition should be
about double the size of system memory (RAM). For example,
if the machine has 128 megabytes of memory,
the swap file should be 256 megabytes. Systems with
less memory may perform better with more swap.
Less than 256 megabytes of swap is not recommended and
memory expansion should be considered.
The kernel's VM paging algorithms are tuned to
perform best when the swap partition is at least two times the
size of main memory. Configuring too little swap can lead to
inefficiencies in the VM page scanning code and might create
issues later if more memory is added.On larger systems with multiple SCSI disks (or
multiple IDE disks operating on different controllers), it is
recommend that a swap is configured on each drive (up
to four drives). The swap partitions should be
approximately the same size. The kernel can handle arbitrary
sizes but internal data structures scale to 4 times the
largest swap partition. Keeping the swap partitions near the
same size will allow the kernel to optimally stripe swap space
across disks.
Large swap sizes are fine, even if swap is not
used much. It might be easier to recover
from a runaway program before being forced to reboot.Why Partition?Several users think a single large partition will be fine,
but there are several reasons why this is a bad idea.
First, each partition has different operational
characteristics and separating them allows the file system to
tune accordingly. For example, the root
and /usr partitions are read-mostly, without
much writing. While a lot of reading and writing could
occur in /var and
/var/tmp.By properly partitioning a system, fragmentation
introduced in the smaller write heavy partitions
will not bleed over into the mostly-read partitions.
Keeping the write-loaded partitions closer to
the disk's edge,
will
increase I/O performance in the partitions where it occurs
the most. Now while I/O
performance in the larger partitions may be needed,
shifting them more toward the edge of the disk will not
lead to a significant performance improvement over moving
/var to the edge.
Finally, there are safety concerns. A smaller, neater root
partition which is mostly read-only has a greater
chance of surviving a bad crash.Core Configurationrc filesrc.confThe principal location for system configuration information
is within /etc/rc.conf. This file
contains a wide range of configuration information, principally
used at system startup to configure the system. Its name
directly implies this; it is configuration information for the
rc* files.An administrator should make entries in the
rc.conf file to
override the default settings from
/etc/defaults/rc.conf. The defaults file
should not be copied verbatim to /etc - it
contains default values, not examples. All system-specific
changes should be made in the rc.conf
file itself.A number of strategies may be applied in clustered
applications to separate site-wide configuration from
system-specific configuration in order to keep administration
overhead down. The recommended approach is to place site-wide
configuration into another file,
such as /etc/rc.conf.site, and then include
this file into /etc/rc.conf, which will
contain only system-specific information.As rc.conf is read by &man.sh.1; it is
trivial to achieve this. For example:rc.conf: . rc.conf.site
hostname="node15.example.com"
network_interfaces="fxp0 lo0"
ifconfig_fxp0="inet 10.1.1.1"rc.conf.site: defaultrouter="10.1.1.254"
saver="daemon"
blanktime="100"The rc.conf.site file can then be
distributed to every system using rsync or a
similar program, while the rc.conf file
remains unique.Upgrading the system using &man.sysinstall.8;
or make world will not overwrite the
rc.conf
file, so system configuration information will not be lost.Application ConfigurationTypically, installed applications have their own
configuration files, with their own syntax, etc. It is
important that these files be kept separate from the base
system, so that they may be easily located and managed by the
package management tools./usr/local/etcTypically, these files are installed in
/usr/local/etc. In the case where an
application has a large number of configuration files, a
subdirectory will be created to hold them.Normally, when a port or package is installed, sample
configuration files are also installed. These are usually
identified with a .default suffix. If there
are no existing
configuration files for the application, they will be created by
copying the .default files.For example, consider the contents of the directory
/usr/local/etc/apache:-rw-r--r-- 1 root wheel 2184 May 20 1998 access.conf
-rw-r--r-- 1 root wheel 2184 May 20 1998 access.conf.default
-rw-r--r-- 1 root wheel 9555 May 20 1998 httpd.conf
-rw-r--r-- 1 root wheel 9555 May 20 1998 httpd.conf.default
-rw-r--r-- 1 root wheel 12205 May 20 1998 magic
-rw-r--r-- 1 root wheel 12205 May 20 1998 magic.default
-rw-r--r-- 1 root wheel 2700 May 20 1998 mime.types
-rw-r--r-- 1 root wheel 2700 May 20 1998 mime.types.default
-rw-r--r-- 1 root wheel 7980 May 20 1998 srm.conf
-rw-r--r-- 1 root wheel 7933 May 20 1998 srm.conf.defaultThe file sizes show that only the srm.conf
file has been changed. A later update of the Apache port would not
overwrite this changed file.TomRhodesContributed by Starting ServicesservicesMany users choose to install third party software on &os;
from the ports collection. In many of these situations it
may be necessary to configure the software in a manner which
will allow it to be started upon system initialization. Services,
such as mail/postfix or
www/apache13 are just two
of the many software packages which may be started during system
initialization. This section explains the procedures available
for starting third party software.In &os;, most included services, such as &man.cron.8;, are
started through the system start up scripts. These scripts may
differ depending on &os; or vendor version; however, the most
important aspect to consider is that their start up configuration
can be handled through simple startup scripts.Before the advent of rcNG, applications would drop a
simple start up script into the
- /usr/local/etc/rc.d
+ /usr/local/etc/rc.d
directory which would be read by the system initialization
scripts. These scripts would then be executed during the latter
stages of system start up.While many individuals have spent hours trying to merge the
old configuration style into the new system, the fact remains
that some third party utilities still require a script simply
dropped into the aforementioned directory. The subtle differences
in the scripts depend whether or not rcNG is being used. Prior
to &os; 5.1 the old configuration style is used and in
almost all cases a new style script would do just fine.While every script must meet some minimal requirements, most
of the time these requirements are &os; version
agnostic. Each script must have a .sh
extension appended to the end and every script must be
executable by the system. The latter may be achieved by using
the chmod command and setting the unique permissions
of 755. There should also be, at minimal,
an option to start the application and an
option to stop the application.The simplest start up script would probably look a little
bit like this one:#!/bin/sh
echo -n ' utility'
case "$1" in
start)
/usr/local/bin/utility
;;
stop)
kill -9 `cat /var/run/utility.pid`
;;
*)
echo "Usage: `basename $0` {start|stop}" >&2
exit 64
;;
esac
exit 0This script provides for a stop and
start option for
the application hereto referred simply as
utility. This application
could then have the following line placed in
/etc/rc.conf:utility_enable="YES"Could be started manually with:&prompt.root; /usr/local/etc/rc.d/utility.sh startWhile not all third party software requires the line in
rc.conf, almost every day a new port will
be modified to accept this configuration. Check the final output
of the installation for more information on a specific
application. Some third party software will provide start up
scripts which permit the application to be used with
rcNG; although, this will be discussed in the next section.Extended Application ConfigurationNow that &os; includes rcNG, configuration of application
start up has become more optimal; indeed, it has become a bit
more in depth. Using the key words discussed in the
rcNG section,
applications may now be set to start after certain other
services for example DNS; may permit extra
flags to be passed through rc.conf in
place of hard coded flags in the start up script, etc. A
basic script may look similar to the following:#!/bin/sh
#
# PROVIDE: utility
# REQUIRE: DAEMON
# BEFORE: LOGIN
# KEYWORD: FreeBSD shutdown
#
# DO NOT CHANGE THESE DEFAULT VALUES HERE
# SET THEM IN THE /etc/rc.conf FILE
#
utility_enable=${utility_enable-"NO"}
utility_flags=${utility_flags-""}
utility_pidfile=${utility_pidfile-"/var/run/utility.pid"}
. /etc/rc.subr
name="utility"
rcvar=`set_rcvar`
command="/usr/local/sbin/utility"
load_rc_config $name
pidfile="${utility_pidfile}"
start_cmd="echo \"Starting ${name}.\"; /usr/bin/nice -5 ${command} ${utility_flags} ${command_args}"
run_rc_command "$1"This script will ensure that the provided
utility will be started before the
login service but after the
daemon service. It also provides a method
for setting and tracking the PID, or process
ID file.This new method also allows for easier manipulation of the
command line arguments, inclusion of the default functions
provided in /etc/rc.subr, compatibility
with the &man.rcorder.8; utility and provide for easier
configuration via the rc.conf file. In
essence, this script could even be placed in
- /etc/rc.d directory.
+ /etc/rc.d directory.
Yet, that has the potential to upset the &man.mergemaster.8;
utility when used in conjunction with software upgrades.Using Services to Start ServicesOther services, such as POP3 server
daemons, IMAP, etc. could be started using
the &man.inetd.8;. This involves installing the service
utility from the ports collection with a configuration line
appended to the /etc/inetd.conf file,
or uncommenting one of the current configuration lines. Working
with inetd and its configuration is
described in depth in the
inetd section.In some cases, it may be more plausible to use the
&man.cron.8; daemon to start system services. This approach
has a number of advantages because cron runs
these processes as the crontab's file
owner. This allows regular users to start and maintain some
applications.The cron utility provides a unique
feature, @reboot, which may be used in place
of the time specification. This will cause the job to be run
when &man.cron.8; is started, normally during system
initialization.TomRhodesContributed by Configuring the cron UtilitycronconfigurationOne of the most useful utilities in &os; is &man.cron.8;. The
cron utility runs in the background and constantly
checks the /etc/crontab file. The cron
utility also checks the /var/cron/tabs directory, in
search of new crontab files. These
crontab files store information about specific
functions which cron is supposed to perform at
certain times.The cron utility uses two different
types of configuration files, the system crontab and user crontabs. The
only difference between these two formats is the sixth field. In the
system crontab, the sixth field is the name of a user for the command
to run as. This gives the system crontab the ability to run commands
as any user. In a user crontab, the sixth field is the command to run,
and all commands run as the user who created the crontab; this is an
important security feature.User crontabs allow individual users to schedule tasks without the
need for root privileges. Commands in a user's crontab run with the
permissions of the user who owns the crontab.The root user can have a user crontab just like
any other user. This one is different from
/etc/crontab (the system crontab). Because of the
system crontab, there is usually no need to create a user crontab
for root.Let us take a look at the /etc/crontab file
(the system crontab):# /etc/crontab - root's crontab for &os;
#
# $&os;: src/etc/crontab,v 1.32 2002/11/22 16:13:39 tom Exp $
#
#
SHELL=/bin/sh
PATH=/etc:/bin:/sbin:/usr/bin:/usr/sbin
HOME=/var/log
#
#
#minute hour mday month wday who command
#
#
*/5 * * * * root /usr/libexec/atrun Like most &os; configuration files, the #
character represents a comment. A comment can be placed in
the file as a reminder of what and why a desired action is performed.
Comments cannot be on the same line as a command or else they will
be interpreted as part of the command; they must be on a new line.
Blank lines are ignored.First, the environment must be defined. The equals
(=) character is used to define any environment
settings, as with this example where it is used for the SHELL,
PATH, and HOME options. If the shell line is
omitted, cron will use the default, which is
sh. If the PATH variable is
omitted, no default will be used and file locations will need to
be absolute. If HOME is omitted, cron
will use the invoking users home directory.This line defines a total of seven fields. Listed here are the
values minute, hour,
mday, month, wday,
who, and command. These
are almost all self explanatory. minute is the time in minutes the
command will be run. hour is similar to the minute option, just in
hours. mday stands for day of the month. month is similar to hour
and minute, as it designates the month. The wday option stands for
day of the week. All these fields must be numeric values, and follow
the twenty-four hour clock. The who field is special,
and only exists in the /etc/crontab file.
This field specifies which user the command should be run as.
When a user installs his or her crontab file, they
will not have this option. Finally, the command option is listed.
This is the last field, so naturally it should designate the command
to be executed.This last line will define the values discussed above. Notice here
we have a */5 listing, followed by several more
* characters. These * characters
mean first-last, and can be interpreted as
every time. So, judging by this line,
it is apparent that the atrun command is to be invoked by
root every five minutes regardless of what
day or month it is. For more information on the atrun command,
see the &man.atrun.8; manual page.Commands can have any number of flags passed to them; however,
commands which extend to multiple lines need to be broken with the backslash
\ continuation character.This is the basic set up for every
crontab file, although there is one thing
different about this one. Field number six, where we specified
the username, only exists in the system
/etc/crontab file. This field should be
omitted for individual user crontab
files.Installing a CrontabYou must not use the procedure described here to
edit/install the system crontab. Simply use your favorite
editor: the cron utility will notice that the file
has changed and immediately begin using the updated version.
See
this FAQ entry for more information.To install a freshly written user
crontab, first use your favorite editor to create
a file in the proper format, and then use the
crontab utility. The most common usage
is:&prompt.user; crontab crontab-fileIn this example, crontab-file is the filename
of a crontab that was previously created.There is also an option to list installed
crontab files: just pass the
option to crontab and look
over the output.For users who wish to begin their own crontab file from scratch,
without the use of a template, the crontab -e
option is available. This will invoke the selected editor
with an empty file. When the file is saved, it will be
automatically installed by the crontab command.
If you later want to remove your user crontab
completely, use crontab with the
option.
TomRhodesContributed by Using rc under FreeBSD 5.XrcNG&os; has recently integrated the NetBSD
rc.d system for system initialization.
Users should notice the files listed in the
/etc/rc.d directory. Many of these files
are for basic services which can be controlled with the
, ,
and options.
For instance, &man.sshd.8; can be restarted with the following
command:&prompt.root; /etc/rc.d/sshd restartThis procedure is similar for other services. Of course,
services are usually started automatically as specified in
&man.rc.conf.5;. For example, enabling the Network Address
Translation daemon at startup is as simple as adding the
following line to /etc/rc.conf:natd_enable="YES"If a line is already
present, then simply change the to
. The rc scripts will automatically load
any other dependent services during the next reboot, as
described below.Since the rc.d system is primarily
intended to start/stop services at system startup/shutdown time,
the standard ,
and options will only
perform their action if the appropriate
/etc/rc.conf variables are set. For
instance the above sshd restart command will
only work if sshd_enable is set to
in /etc/rc.conf. To
, or
a service regardless of the settings in
/etc/rc.conf, the commands should be
prefixed with force. For instance to restart
sshd regardless of the current
/etc/rc.conf setting, execute the following
command:&prompt.root; /etc/rc.d/sshd forcerestartIt is easy to check if a service is enabled in
/etc/rc.conf by running the appropriate
rc.d script with the option
. Thus, an administrator can check that
sshd is in fact enabled in
/etc/rc.conf by running:&prompt.root; /etc/rc.d/sshd rcvar
# sshd
$sshd_enable=YESThe second line (# sshd) is the output
from the sshd command, not a root
console.To determine if a service is running, a
option is available. For instance to
verify that sshd is actually started:&prompt.root; /etc/rc.d/sshd status
sshd is running as pid 433.It is also possible to a service.
This will attempt to send a signal to an individual service, forcing the
service to reload its configuration files. In most cases this
means sending the service a SIGHUP
signal.The rcNG structure is not only used for network services, it also
contributes to most of the system initialization. For
instance, consider the bgfsck file. When
this script is executed, it will print out the following
message:Starting background file system checks in 60 seconds.Therefore this file is used for background file system
checks, which are done only during system initialization.Many system services depend on other services to function
properly. For example, NIS and other RPC-based services may
fail to start until after the rpcbind
(portmapper) service has started. To resolve this issue,
information about dependencies and other meta-data is included
in the comments at the top of each startup script. The
&man.rcorder.8; program is then used to parse these comments
during system initialization to determine the order in which
system services should be invoked to satisfy the dependencies.
The following words may be included at the top of each startup
file:PROVIDE: Specifies the services this file provides.REQUIRE: Lists services which are required for this
service. This file will run after
the specified services.BEFORE: Lists services which depend on this service.
This file will run before
the specified services.KEYWORD: &os; or NetBSD. This is used for *BSD dependent features.By using this method, an administrator can easily control system
services without the hassle of runlevels like
some other &unix; operating systems.Additional information about the &os; 5.X
rc.d system can be found in the &man.rc.8;
and &man.rc.subr.8; manual pages.MarcFonvieilleContributed by Setting Up Network Interface Cardsnetwork card configurationNowadays we can not think about a computer without thinking
about a network connection. Adding and configuring a network
card is a common task for any &os; administrator.Locating the Correct Drivernetwork card configurationlocating the driverBefore you begin, you should know the model of the card
you have, the chip it uses, and whether it is a PCI or ISA card.
&os; supports a wide variety of both PCI and ISA cards.
Check the Hardware Compatibility List for your release to see
if your card is supported.Once you are sure your card is supported, you need
to determine the proper driver for the card. The file
/usr/src/sys/i386/conf/LINT will give you
the list of network interfaces drivers with some information
about the supported chipsets/cards. If you have doubts about
which driver is the correct one, read the manual page of the
driver. The manual page will give you more information about
the supported hardware and even the possible problems that
could occur.If you own a common card, most of the time you will not
have to look very hard for a driver. Drivers for common
network cards are present in the GENERIC
kernel, so your card should show up during boot, like so:dc0: <82c169 PNIC 10/100BaseTX> port 0xa000-0xa0ff mem 0xd3800000-0xd38
000ff irq 15 at device 11.0 on pci0
dc0: Ethernet address: 00:a0:cc:da:da:da
miibus0: <MII bus> on dc0
ukphy0: <Generic IEEE 802.3u media interface> on miibus0
ukphy0: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
dc1: <82c169 PNIC 10/100BaseTX> port 0x9800-0x98ff mem 0xd3000000-0xd30
000ff irq 11 at device 12.0 on pci0
dc1: Ethernet address: 00:a0:cc:da:da:db
miibus1: <MII bus> on dc1
ukphy1: <Generic IEEE 802.3u media interface> on miibus1
ukphy1: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, autoIn this example, we see that two cards using the &man.dc.4;
driver are present on the system.To use your network card, you will need to load the proper
driver. This may be accomplished in one of two ways. The
easiest way is to simply load a kernel module for your network
card with &man.kldload.8;. A module is not available for all
network card drivers (ISA cards and cards using the &man.ed.4;
driver, for example). Alternatively, you may statically compile
the support for your card into your kernel. Check
/usr/src/sys/i386/conf/LINT and the
manual page of the driver to know what to add in your kernel
configuration file. For more information about recompiling your
kernel, please see . If your card
was detected at boot by your kernel (GENERIC)
you do not have to build a new kernel.Configuring the Network Cardnetwork card configurationconfigurationOnce the right driver is loaded for the network card, the
card needs to be configured. As with many other things, the
network card may have been configured at installation time by
sysinstall.To display the configuration for the network interfaces on
your system, enter the following command:&prompt.user; ifconfig
dc0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet 192.168.1.3 netmask 0xffffff00 broadcast 192.168.1.255
ether 00:a0:cc:da:da:da
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
dc1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255
ether 00:a0:cc:da:da:db
media: Ethernet 10baseT/UTP
status: no carrier
lp0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
inet 127.0.0.1 netmask 0xff000000
tun0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500Old versions of &os; may require the
option following &man.ifconfig.8;, for more details about the
correct syntax of &man.ifconfig.8;, please refer to the manual
page. Note also that entries concerning IPv6
(inet6 etc.) were omitted in this
example.In this example, the following devices were
displayed:dc0: The first Ethernet
interfacedc1: The second Ethernet
interfacelp0: The parallel port
interfacelo0: The loopback devicetun0: The tunnel device used by
ppp&os; uses the driver name followed by the order in
which one the card is detected at the kernel boot to name the
network card. For example sis2 would
be the third network card on the system using the &man.sis.4;
driver.In this example, the dc0 device is
up and running. The key indicators are:UP means that the card is configured
and ready.The card has an Internet (inet)
address (in this case
192.168.1.3).It has a valid subnet mask (netmask;
0xffffff00 is the same as
255.255.255.0).It has a valid broadcast address (in this case,
192.168.1.255).The MAC address of the card (ether)
is 00:a0:cc:da:da:daThe physical media selection is on autoselection mode
(media: Ethernet autoselect (100baseTX
<full-duplex>)). We see that
dc1 was configured to run with
10baseT/UTP media. For more
information on available media types for a driver, please
refer to its manual page.The status of the link (status)
is active, i.e. the carrier is detected.
For dc1, we see
status: no carrier. This is normal when
an Ethernet cable is not plugged into the card.If the &man.ifconfig.8; output had shown something similar
to:dc0: flags=8843<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
ether 00:a0:cc:da:da:dait would indicate the card has not been configured.To configure your card, you need root
privileges. The network card configuration can be done from the
command line with &man.ifconfig.8; but you would have to do it
after each reboot of the system. The file
/etc/rc.conf is where to add the network
card's configuration.Open /etc/rc.conf in your favorite
editor. You need to add a line for each network card present on
the system, for example in our case, we added these lines:ifconfig_dc0="inet 192.168.1.3 netmask 255.255.255.0"
ifconfig_dc1="inet 10.0.0.1 netmask 255.255.255.0 media 10baseT/UTP"You have to replace dc0,
dc1, and so on, with
the correct device for your cards, and the addresses with the
proper ones. You should read the card driver and
&man.ifconfig.8; manual pages for more details about the allowed
options and also &man.rc.conf.5; manual page for more
information on the syntax of
/etc/rc.conf.If you configured the network during installation, some
lines about the network card(s) may be already present. Double
check /etc/rc.conf before adding any
lines.You will also have to edit the file
/etc/hosts to add the names and the IP
addresses of various machines of the LAN, if they are not already
there. For more information please refer to &man.hosts.5;
and to /usr/share/examples/etc/hosts.Testing and TroubleshootingOnce you have made the necessary changes in
/etc/rc.conf, you should reboot your
system. This will allow the change(s) to the interface(s) to
be applied, and verify that the system restarts without any
configuration errors.Once the system has been rebooted, you should test the
network interfaces.Testing the Ethernet Cardnetwork card configurationtesting the cardTo verify that an Ethernet card is configured correctly,
you have to try two things. First, ping the interface itself,
and then ping another machine on the LAN.First test the local interface:&prompt.user; ping -c5 192.168.1.3
PING 192.168.1.3 (192.168.1.3): 56 data bytes
64 bytes from 192.168.1.3: icmp_seq=0 ttl=64 time=0.082 ms
64 bytes from 192.168.1.3: icmp_seq=1 ttl=64 time=0.074 ms
64 bytes from 192.168.1.3: icmp_seq=2 ttl=64 time=0.076 ms
64 bytes from 192.168.1.3: icmp_seq=3 ttl=64 time=0.108 ms
64 bytes from 192.168.1.3: icmp_seq=4 ttl=64 time=0.076 ms
--- 192.168.1.3 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.074/0.083/0.108/0.013 msNow we have to ping another machine on the LAN:&prompt.user; ping -c5 192.168.1.2
PING 192.168.1.2 (192.168.1.2): 56 data bytes
64 bytes from 192.168.1.2: icmp_seq=0 ttl=64 time=0.726 ms
64 bytes from 192.168.1.2: icmp_seq=1 ttl=64 time=0.766 ms
64 bytes from 192.168.1.2: icmp_seq=2 ttl=64 time=0.700 ms
64 bytes from 192.168.1.2: icmp_seq=3 ttl=64 time=0.747 ms
64 bytes from 192.168.1.2: icmp_seq=4 ttl=64 time=0.704 ms
--- 192.168.1.2 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.700/0.729/0.766/0.025 msYou could also use the machine name instead of
192.168.1.2 if you have set up the
/etc/hosts file.Troubleshootingnetwork card configurationtroubleshootingTroubleshooting hardware and software configurations is always
a pain, and a pain which can be alleviated by checking the simple
things first. Is your network cable plugged in? Have you properly
configured the network services? Did you configure the firewall
correctly? Is the card you are using supported by &os;? Always
check the hardware notes before sending off a bug report. Update
your version of &os; to the latest STABLE version. Check the
mailing list archives, or perhaps search the Internet.If the card works, yet performance is poor, it would be
worthwhile to read over the &man.tuning.7; manual page. You
can also check the network configuration as incorrect network
settings can cause slow connections.Some users experience one or two device
timeout messages, which is normal for some cards. If they
continue, or are bothersome, you may wish to be sure the
device is not conflicting with another device. Double check
the cable connections. Perhaps you may just need to get
another card.At times, users see a few watchdog timeout
errors. The first thing to do here is to check your network
cable. Many cards require a PCI slot which supports Bus
Mastering. On some old motherboards, only one PCI slot allows
it (usually slot 0). Check the network card and the
motherboard documentation to determine if that may be the
problem.No route to host messages occur if the
system is unable to route a packet to the destination host.
This can happen if no default route is specified, or if a
cable is unplugged. Check the output of netstat
-rn and make sure there is a valid route to the host
you are trying to reach. If there is not, read on to .ping: sendto: Permission denied error
messages are often caused by a misconfigured firewall. If
ipfw is enabled in the kernel but no rules
have been defined, then the default policy is to deny all
traffic, even ping requests! Read on to for more information.Sometimes performance of the card is poor, or below average.
In these cases it is best to set the media selection mode
from autoselect to the correct media selection.
While this usually works for most hardware, it may not resolve
this issue for everyone. Again, check all the network settings,
and read over the &man.tuning.7; manual page.Virtual Hostsvirtual hostsIP aliasesA very common use of &os; is virtual site hosting, where
one server appears to the network as many servers. This is
achieved by assigning multiple network addresses to a single
interface.A given network interface has one real address,
and may have any number of alias addresses.
These aliases are
normally added by placing alias entries in
/etc/rc.conf.An alias entry for the interface fxp0
looks like:ifconfig_fxp0_alias0="inet xxx.xxx.xxx.xxx netmask xxx.xxx.xxx.xxx"Note that alias entries must start with alias0 and proceed
upwards in order, (for example, _alias1, _alias2, and so on).
The configuration process will stop at the first missing number.
The calculation of alias netmasks is important, but
fortunately quite simple. For a given interface, there must be
one address which correctly represents the network's netmask.
Any other addresses which fall within this network must have a
netmask of all 1s (expressed as either
255.255.255.255 or 0xffffffff).
For example, consider the case where the
fxp0 interface is
connected to two networks, the 10.1.1.0
network with a netmask of 255.255.255.0
and the 202.0.75.16 network with
a netmask of 255.255.255.240.
We want the system to appear at 10.1.1.1
through 10.1.1.5 and at
202.0.75.17 through
202.0.75.20. As noted above, only the
first address in a given network range (in this case,
10.0.1.1 and
202.0.75.17) should have a real
netmask; all the rest (10.1.1.2
through 10.1.1.5 and
202.0.75.18 through
202.0.75.20) must be configured with a
netmask of 255.255.255.255.The following entries configure the adapter correctly for
this arrangement: ifconfig_fxp0="inet 10.1.1.1 netmask 255.255.255.0"
ifconfig_fxp0_alias0="inet 10.1.1.2 netmask 255.255.255.255"
ifconfig_fxp0_alias1="inet 10.1.1.3 netmask 255.255.255.255"
ifconfig_fxp0_alias2="inet 10.1.1.4 netmask 255.255.255.255"
ifconfig_fxp0_alias3="inet 10.1.1.5 netmask 255.255.255.255"
ifconfig_fxp0_alias4="inet 202.0.75.17 netmask 255.255.255.240"
ifconfig_fxp0_alias5="inet 202.0.75.18 netmask 255.255.255.255"
ifconfig_fxp0_alias6="inet 202.0.75.19 netmask 255.255.255.255"
ifconfig_fxp0_alias7="inet 202.0.75.20 netmask 255.255.255.255"Configuration Files/etc LayoutThere are a number of directories in which configuration
information is kept. These include:/etcGeneric system configuration information; data here is
system-specific./etc/defaultsDefault versions of system configuration files./etc/mailExtra &man.sendmail.8; configuration, other
MTA configuration files.
/etc/pppConfiguration for both user- and kernel-ppp programs.
/etc/namedbDefault location for &man.named.8; data. Normally
named.conf and zone files are stored
here./usr/local/etcConfiguration files for installed applications.
May contain per-application subdirectories./usr/local/etc/rc.dStart/stop scripts for installed applications./var/dbAutomatically generated system-specific database files,
such as the package database, the locate database, and so
onHostnameshostnameDNS/etc/resolv.confresolv.conf/etc/resolv.conf dictates how &os;'s
resolver accesses the Internet Domain Name System (DNS).The most common entries to resolv.conf are:
nameserverThe IP address of a name server the resolver
should query. The servers are queried in the order
listed with a maximum of three.searchSearch list for hostname lookup. This is normally
determined by the domain of the local hostname.domainThe local domain name.A typical resolv.conf:search example.com
nameserver 147.11.1.11
nameserver 147.11.100.30Only one of the search and
domain options should be used.If you are using DHCP, &man.dhclient.8; usually rewrites
resolv.conf with information received from the
DHCP server./etc/hostshosts/etc/hosts is a simple text
database reminiscent of the old Internet. It works in
conjunction with DNS and NIS providing name to IP address
mappings. Local computers connected via a LAN can be placed
in here for simplistic naming purposes instead of setting up
a &man.named.8; server. Additionally,
/etc/hosts can be used to provide a
local record of Internet names, reducing the need to query
externally for commonly accessed names.# $&os;$
#
# Host Database
# This file should contain the addresses and aliases
# for local hosts that share this file.
# In the presence of the domain name service or NIS, this file may
# not be consulted at all; see /etc/nsswitch.conf for the resolution order.
#
#
::1 localhost localhost.my.domain myname.my.domain
127.0.0.1 localhost localhost.my.domain myname.my.domain
#
# Imaginary network.
#10.0.0.2 myname.my.domain myname
#10.0.0.3 myfriend.my.domain myfriend
#
# According to RFC 1918, you can use the following IP networks for
# private nets which will never be connected to the Internet:
#
# 10.0.0.0 - 10.255.255.255
# 172.16.0.0 - 172.31.255.255
# 192.168.0.0 - 192.168.255.255
#
# In case you want to be able to connect to the Internet, you need
# real official assigned numbers. PLEASE PLEASE PLEASE do not try
# to invent your own network numbers but instead get one from your
# network provider (if any) or from the Internet Registry (ftp to
# rs.internic.net, directory `/templates').
#/etc/hosts takes on the simple format
of:[Internet address] [official hostname] [alias1] [alias2] ...For example:10.0.0.1 myRealHostname.example.com myRealHostname foobar1 foobar2Consult &man.hosts.5; for more information.Log File Configurationlog filessyslog.confsyslog.confsyslog.conf is the configuration file
for the &man.syslogd.8; program. It indicates which types
of syslog messages are logged to particular
log files.# $&os;$
#
# Spaces ARE valid field separators in this file. However,
# other *nix-like systems still insist on using tabs as field
# separators. If you are sharing this file between systems, you
# may want to use only tabs as field separators here.
# Consult the syslog.conf(5) manual page.
*.err;kern.debug;auth.notice;mail.crit /dev/console
*.notice;kern.debug;lpr.info;mail.crit;news.err /var/log/messages
security.* /var/log/security
mail.info /var/log/maillog
lpr.info /var/log/lpd-errs
cron.* /var/log/cron
*.err root
*.notice;news.err root
*.alert root
*.emerg *
# uncomment this to log all writes to /dev/console to /var/log/console.log
#console.info /var/log/console.log
# uncomment this to enable logging of all log messages to /var/log/all.log
#*.* /var/log/all.log
# uncomment this to enable logging to a remote log host named loghost
#*.* @loghost
# uncomment these if you're running inn
# news.crit /var/log/news/news.crit
# news.err /var/log/news/news.err
# news.notice /var/log/news/news.notice
!startslip
*.* /var/log/slip.log
!ppp
*.* /var/log/ppp.logConsult the &man.syslog.conf.5; manual page for more
information.newsyslog.confnewsyslog.confnewsyslog.conf is the configuration
file for &man.newsyslog.8;, a program that is normally scheduled
to run by &man.cron.8;. &man.newsyslog.8; determines when log
files require archiving or rearranging.
logfile is moved to
logfile.0, logfile.0
is moved to logfile.1, and so on.
Alternatively, the log files may be archived in &man.gzip.1; format
causing them to be named: logfile.0.gz,
logfile.1.gz, and so on.newsyslog.conf indicates which log
files are to be managed, how many are to be kept, and when
they are to be touched. Log files can be rearranged and/or
archived when they have either reached a certain size, or at a
certain periodic time/date.# configuration file for newsyslog
# $&os;$
#
# filename [owner:group] mode count size when [ZB] [/pid_file] [sig_num]
/var/log/cron 600 3 100 * Z
/var/log/amd.log 644 7 100 * Z
/var/log/kerberos.log 644 7 100 * Z
/var/log/lpd-errs 644 7 100 * Z
/var/log/maillog 644 7 * @T00 Z
/var/log/sendmail.st 644 10 * 168 B
/var/log/messages 644 5 100 * Z
/var/log/all.log 600 7 * @T00 Z
/var/log/slip.log 600 3 100 * Z
/var/log/ppp.log 600 3 100 * Z
/var/log/security 600 10 100 * Z
/var/log/wtmp 644 3 * @01T05 B
/var/log/daily.log 640 7 * @T00 Z
/var/log/weekly.log 640 5 1 $W6D0 Z
/var/log/monthly.log 640 12 * $M1D0 Z
/var/log/console.log 640 5 100 * ZConsult the &man.newsyslog.8; manual page for more
information.sysctl.confsysctl.confsysctlsysctl.conf looks much like
rc.conf. Values are set in a
variable=value
form. The specified values are set after the system goes into
multi-user mode. Not all variables are settable in this mode.A sample sysctl.conf turning off logging
of fatal signal exits and letting Linux programs know they are really
running under &os;:kern.logsigexit=0 # Do not log fatal signal exits (e.g. sig 11)
compat.linux.osname=&os;
compat.linux.osrelease=4.3-STABLETuning with sysctlsysctltuningwith sysctl&man.sysctl.8; is an interface that allows you to make changes
to a running &os; system. This includes many advanced
options of the TCP/IP stack and virtual memory system that can
dramatically improve performance for an experienced system
administrator. Over five hundred system variables can be read
and set using &man.sysctl.8;.At its core, &man.sysctl.8; serves two functions: to read and
to modify system settings.To view all readable variables:&prompt.user; sysctl -aTo read a particular variable, for example,
kern.maxproc:&prompt.user; sysctl kern.maxproc
kern.maxproc: 1044To set a particular variable, use the intuitive
variable=value
syntax:&prompt.root; sysctl kern.maxfiles=5000
kern.maxfiles: 2088 -> 5000Settings of sysctl variables are usually either strings,
numbers, or booleans (a boolean being 1 for yes
or a 0 for no).If you want to set automatically some variables each time
the machine boots, add them to the
/etc/sysctl.conf file. For more information
see the &man.sysctl.conf.5; manual page and the
.TomRhodesContributed by &man.sysctl.8; Read-onlyIn some cases it may be desirable to modify read-only &man.sysctl.8;
values. While this is not recommended, it is also sometimes unavoidable.For instance on some laptop models the &man.cardbus.4; device will
not probe memory ranges, and fail with errors which look similar to:cbb0: Could not map register memory
device_probe_and_attach: cbb0 attach returned 12Cases like the one above usually require the modification of some
default &man.sysctl.8; settings which are set read only. To overcome
these situations a user can put &man.sysctl.8; OIDs
in their local /boot/loader.conf. Default
settings are located in the /boot/defaults/loader.conf
file.Fixing the problem mentioned above would require a user to set
in the aforementioned
file. Now &man.cardbus.4; will work properly.Tuning DisksSysctl Variablesvfs.vmiodirenablevfs.vmiodirenableThe vfs.vmiodirenable sysctl variable
may be set to either 0 (off) or 1 (on); it is 1 by default.
This variable controls how directories are cached by the
system. Most directories are small, using just a single
fragment (typically 1 K) in the file system and less
(typically 512 bytes) in the buffer cache.
With this variable turned off (to 0), the buffer
cache will only cache a fixed number of directories even if
you have a huge amount of memory. When turned on (to 1), this sysctl
allows the buffer cache to use the VM Page Cache to cache the
directories, making all the memory available for caching
directories. However,
the minimum in-core memory used to cache a directory is the
physical page size (typically 4 K) rather than 512
bytes. We recommend keeping this option on if you are running
any services which manipulate large numbers of files. Such
services can include web caches, large mail systems, and news
systems. Keeping this option on will generally not reduce
performance even with the wasted memory but you should
experiment to find out.vfs.write_behindvfs.write_behindThe vfs.write_behind sysctl variable
defaults to 1 (on). This tells the file system
to issue media writes as full clusters are collected, which
typically occurs when writing large sequential files. The idea
is to avoid saturating the buffer cache with dirty buffers when
it would not benefit I/O performance. However, this may stall
processes and under certain circumstances you may wish to turn it
off.vfs.hirunningspacevfs.hirunningspaceThe vfs.hirunningspace sysctl variable
determines how much outstanding write I/O may be queued to disk
controllers system-wide at any given instance. The default is
usually sufficient but on machines with lots of disks you may
want to bump it up to four or five megabytes.
Note that setting too high a value (exceeding the buffer cache's
write threshold) can lead to extremely bad clustering
performance. Do not set this value arbitrarily high! Higher
write values may add latency to reads occurring at the same time.
There are various other buffer-cache and VM page cache
related sysctls. We do not recommend modifying these values. As
of &os; 4.3, the VM system does an extremely good job of
automatically tuning itself.vm.swap_idle_enabledvm.swap_idle_enabledThe vm.swap_idle_enabled sysctl variable
is useful in large multi-user systems where you have lots of
users entering and leaving the system and lots of idle processes.
Such systems tend to generate a great deal of continuous pressure
on free memory reserves. Turning this feature on and tweaking
the swapout hysteresis (in idle seconds) via
vm.swap_idle_threshold1 and
vm.swap_idle_threshold2 allows you to depress
the priority of memory pages associated with idle processes more
quickly then the normal pageout algorithm. This gives a helping
hand to the pageout daemon. Do not turn this option on unless
you need it, because the tradeoff you are making is essentially
pre-page memory sooner rather than later; thus eating more swap
and disk bandwidth. In a small system this option will have a
determinable effect but in a large system that is already doing
moderate paging this option allows the VM system to stage whole
processes into and out of memory easily.hw.ata.wchw.ata.wc&os; 4.3 flirted with turning off IDE write caching.
This reduced write bandwidth to IDE disks but was considered
necessary due to serious data consistency issues introduced
by hard drive vendors. The problem is that IDE
drives lie about when a write completes. With IDE write
caching turned on, IDE hard drives not only write data
to disk out of order, but will sometimes delay writing some
blocks indefinitely when under heavy disk loads. A crash or
power failure may cause serious file system corruption.
&os;'s default was changed to be safe. Unfortunately, the
result was such a huge performance loss that we changed
write caching back to on by default after the release. You
should check the default on your system by observing the
hw.ata.wc sysctl variable. If IDE write
caching is turned off, you can turn it back on by setting
the kernel variable back to 1. This must be done from the
boot loader at boot time. Attempting to do it after the
kernel boots will have no effect.For more information, please see &man.ata.4;.SCSI_DELAY
(kern.cam.scsi_delay)SCSI_DELAYkern.cam.scsi_delayThe SCSI_DELAY kernel config may be used to
reduce system boot times. The defaults are fairly high and can be
responsible for 15 seconds of delay in the
boot process. Reducing it to 5 seconds usually
works (especially with modern drives). Newer versions of &os;
(5.0 and higher) should use the kern.cam.scsi_delay
boot time tunable. The tunable, and kernel config option accept
values in terms of milliseconds and
notseconds.Soft UpdatesSoft UpdatestunefsThe &man.tunefs.8; program can be used to fine-tune a
file system. This program has many different options, but for
now we are only concerned with toggling Soft Updates on and
off, which is done by:&prompt.root; tunefs -n enable /filesystem
&prompt.root; tunefs -n disable /filesystemA filesystem cannot be modified with &man.tunefs.8; while
it is mounted. A good time to enable Soft Updates is before any
partitions have been mounted, in single-user mode.As of &os; 4.5, it is possible to enable Soft Updates
at filesystem creation time, through use of the -U
option to &man.newfs.8;.Soft Updates drastically improves meta-data performance, mainly
file creation and deletion, through the use of a memory cache. We
recommend to use Soft Updates on all of your file systems. There
are two downsides to Soft Updates that you should be aware of: First,
Soft Updates guarantees filesystem consistency in the case of a crash
but could very easily be several seconds (even a minute!) behind
updating the physical disk. If your system crashes you may lose more
work than otherwise. Secondly, Soft Updates delays the freeing of
filesystem blocks. If you have a filesystem (such as the root
filesystem) which is almost full, performing a major update, such as
make installworld, can cause the filesystem to run
out of space and the update to fail.More Details about Soft UpdatesSoft UpdatesdetailsThere are two traditional approaches to writing a file
systems meta-data back to disk. (Meta-data updates are
updates to non-content data like inodes or
directories.)Historically, the default behavior was to write out
meta-data updates synchronously. If a directory had been
changed, the system waited until the change was actually
written to disk. The file data buffers (file contents) were
passed through the buffer cache and backed up
to disk later on asynchronously. The advantage of this
implementation is that it operates safely. If there is
a failure during an update, the meta-data are always in a
consistent state. A file is either created completely
or not at all. If the data blocks of a file did not find
their way out of the buffer cache onto the disk by the time
of the crash, &man.fsck.8; is able to recognize this and
repair the filesystem by setting the file length to
0. Additionally, the implementation is clear and simple.
The disadvantage is that meta-data changes are slow. An
rm -r, for instance, touches all the files
in a directory sequentially, but each directory
change (deletion of a file) will be written synchronously
to the disk. This includes updates to the directory itself,
to the inode table, and possibly to indirect blocks
allocated by the file. Similar considerations apply for
unrolling large hierarchies (tar -x).The second case is asynchronous meta-data updates. This
is the default for Linux/ext2fs and
mount -o async for *BSD ufs. All
meta-data updates are simply being passed through the buffer
cache too, that is, they will be intermixed with the updates
of the file content data. The advantage of this
implementation is there is no need to wait until each
meta-data update has been written to disk, so all operations
which cause huge amounts of meta-data updates work much
faster than in the synchronous case. Also, the
implementation is still clear and simple, so there is a low
risk for bugs creeping into the code. The disadvantage is
that there is no guarantee at all for a consistent state of
the filesystem. If there is a failure during an operation
that updated large amounts of meta-data (like a power
failure, or someone pressing the reset button),
the filesystem
will be left in an unpredictable state. There is no opportunity
to examine the state of the filesystem when the system
comes up again; the data blocks of a file could already have
been written to the disk while the updates of the inode
table or the associated directory were not. It is actually
impossible to implement a fsck which is
able to clean up the resulting chaos (because the necessary
information is not available on the disk). If the
filesystem has been damaged beyond repair, the only choice
is to use &man.newfs.8; on it and restore it from backup.
The usual solution for this problem was to implement
dirty region logging, which is also
referred to as journaling, although that
term is not used consistently and is occasionally applied
to other forms of transaction logging as well. Meta-data
updates are still written synchronously, but only into a
small region of the disk. Later on they will be moved
to their proper location. Because the logging
area is a small, contiguous region on the disk, there
are no long distances for the disk heads to move, even
during heavy operations, so these operations are quicker
than synchronous updates.
Additionally the complexity of the implementation is fairly
limited, so the risk of bugs being present is low. A disadvantage
is that all meta-data are written twice (once into the
logging region and once to the proper location) so for
normal work, a performance pessimization
might result. On the other hand, in case of a crash, all
pending meta-data operations can be quickly either rolled-back
or completed from the logging area after the system comes
up again, resulting in a fast filesystem startup.Kirk McKusick, the developer of Berkeley FFS,
solved this problem with Soft Updates: all pending
meta-data updates are kept in memory and written out to disk
in a sorted sequence (ordered meta-data
updates). This has the effect that, in case of
heavy meta-data operations, later updates to an item
catch the earlier ones if the earlier ones are still in
memory and have not already been written to disk. So all
operations on, say, a directory are generally performed in
memory before the update is written to disk (the data
blocks are sorted according to their position so
that they will not be on the disk ahead of their meta-data).
If the system crashes, this causes an implicit log
rewind: all operations which did not find their way
to the disk appear as if they had never happened. A
consistent filesystem state is maintained that appears to
be the one of 30 to 60 seconds earlier. The
algorithm used guarantees that all resources in use
are marked as such in their appropriate bitmaps: blocks and inodes.
After a crash, the only resource allocation error
that occurs is that resources are
marked as used which are actually free.
&man.fsck.8; recognizes this situation,
and frees the resources that are no longer used. It is safe to
ignore the dirty state of the filesystem after a crash by
forcibly mounting it with mount -f. In
order to free resources that may be unused, &man.fsck.8;
needs to be run at a later time. This is the idea behind
the background fsck: at system startup
time, only a snapshot of the
filesystem is recorded. The fsck can be
run later on. All file systems can then be mounted
dirty, so the system startup proceeds in
multiuser mode. Then, background fscks
will be scheduled for all file systems where this is required, to free
resources that may be unused. (File systems that do not use
Soft Updates still need the usual foreground
fsck though.)The advantage is that meta-data operations are nearly as
fast as asynchronous updates (i.e. faster than with
logging, which has to write the
meta-data twice). The disadvantages are the complexity of
the code (implying a higher risk for bugs in an area that
is highly sensitive regarding loss of user data), and a
higher memory consumption. Additionally there are some
idiosyncrasies one has to get used to.
After a crash, the state of the filesystem appears to be
somewhat older. In situations where
the standard synchronous approach would have caused some
zero-length files to remain after the
fsck, these files do not exist at all
with a Soft Updates filesystem because neither the meta-data
nor the file contents have ever been written to disk.
Disk space is not released until the updates have been
written to disk, which may take place some time after
running rm. This may cause problems
when installing large amounts of data on a filesystem
that does not have enough free space to hold all the files
twice.Tuning Kernel Limitstuningkernel limitsFile/Process Limitskern.maxfileskern.maxfileskern.maxfiles can be raised or
lowered based upon your system requirements. This variable
indicates the maximum number of file descriptors on your
system. When the file descriptor table is full,
file: table is full will show up repeatedly
in the system message buffer, which can be viewed with the
dmesg command.Each open file, socket, or fifo uses one file
descriptor. A large-scale production server may easily
require many thousands of file descriptors, depending on the
kind and number of services running concurrently.kern.maxfile's default value is
dictated by the option in your
kernel configuration file. kern.maxfiles grows
proportionally to the value of . When
compiling a custom kernel, it is a good idea to set this kernel
configuration option according to the uses of your system. From
this number, the kernel is given most of its pre-defined limits.
Even though a production machine may not actually have 256 users
connected at once, the resources needed may be similar to a
high-scale web server.As of &os; 4.5, setting to
0 in your kernel configuration file will choose
a reasonable default value based on the amount of RAM present in
your system.kern.ipc.somaxconnkern.ipc.somaxconnThe kern.ipc.somaxconn sysctl variable
limits the size of the listen queue for accepting new TCP
connections. The default value of 128 is
typically too low for robust handling of new connections in a
heavily loaded web server environment. For such environments, it
is recommended to increase this value to 1024 or
higher. The service daemon may itself limit the listen queue size
(e.g. &man.sendmail.8;, or Apache) but
will often have a directive in its configuration file to adjust
the queue size. Large listen queues also do a better job of
avoiding Denial of Service (DoS) attacks.Network LimitsThe NMBCLUSTERS kernel configuration
option dictates the amount of network Mbufs available to the
system. A heavily-trafficked server with a low number of Mbufs
will hinder &os;'s ability. Each cluster represents
approximately 2 K of memory, so a value of 1024 represents 2
megabytes of kernel memory reserved for network buffers. A
simple calculation can be done to figure out how many are
needed. If you have a web server which maxes out at 1000
simultaneous connections, and each connection eats a 16 K receive
and 16 K send buffer, you need approximately 32 MB worth of
network buffers to cover the web server. A good rule of thumb is
to multiply by 2, so 2x32 MB / 2 KB =
64 MB / 2 kB = 32768. We recommend
values between 4096 and 32768 for machines with greater amounts
of memory. Under no circumstances should you specify an
arbitrarily high value for this parameter as it could lead to a
boot time crash. The option to
&man.netstat.1; may be used to observe network cluster
use.kern.ipc.nmbclusters loader tunable should
be used to tune this at boot time. Only older versions of &os;
will require you to use the NMBCLUSTERS kernel
&man.config.8; option.For busy servers that make extensive use of the
&man.sendfile.2; system call, it may be necessary to increase
the number of &man.sendfile.2; buffers via the
NSFBUFS kernel configuration option or by
setting its value in /boot/loader.conf
(see &man.loader.8; for details). A common indicator that
this parameter needs to be adjusted is when processes are seen
in the sfbufa state. The sysctl
variable kern.ipc.nsfbufs is a read-only
glimpse at the kernel configured variable. This parameter
nominally scales with kern.maxusers,
however it may be necessary to tune accordingly.Even though a socket has been marked as non-blocking,
calling &man.sendfile.2; on the non-blocking socket may
result in the &man.sendfile.2; call blocking until enough
struct sf_buf's are made
available.net.inet.ip.portrange.*net.inet.ip.portrange.*The net.inet.ip.portrange.* sysctl
variables control the port number ranges automatically bound to TCP
and UDP sockets. There are three ranges: a low range, a default
range, and a high range. Most network programs use the default
range which is controlled by the
net.inet.ip.portrange.first and
net.inet.ip.portrange.last, which default to
1024 and 5000, respectively. Bound port ranges are used for
outgoing connections, and it is possible to run the system out of
ports under certain circumstances. This most commonly occurs
when you are running a heavily loaded web proxy. The port range
is not an issue when running servers which handle mainly incoming
connections, such as a normal web server, or has a limited number
of outgoing connections, such as a mail relay. For situations
where you may run yourself out of ports, it is recommended to
increase net.inet.ip.portrange.last modestly.
A value of 10000, 20000 or
30000 may be reasonable. You should also
consider firewall effects when changing the port range. Some
firewalls may block large ranges of ports (usually low-numbered
ports) and expect systems to use higher ranges of ports for
outgoing connections — for this reason it is recommended that
net.inet.ip.portrange.first be lowered.TCP Bandwidth Delay ProductTCP Bandwidth Delay Product Limitingnet.inet.tcp.inflight_enableThe TCP Bandwidth Delay Product Limiting is similar to
TCP/Vegas in NetBSD. It can be
enabled by setting net.inet.tcp.inflight_enable
sysctl variable to 1. The system will attempt
to calculate the bandwidth delay product for each connection and
limit the amount of data queued to the network to just the amount
required to maintain optimum throughput.This feature is useful if you are serving data over modems,
Gigabit Ethernet, or even high speed WAN links (or any other link
with a high bandwidth delay product), especially if you are also
using window scaling or have configured a large send window. If
you enable this option, you should also be sure to set
net.inet.tcp.inflight_debug to
0 (disable debugging), and for production use
setting net.inet.tcp.inflight_min to at least
6144 may be beneficial. However, note that
setting high minimums may effectively disable bandwidth limiting
depending on the link. The limiting feature reduces the amount of
data built up in intermediate route and switch packet queues as
well as reduces the amount of data built up in the local host's
interface queue. With fewer packets queued up, interactive
connections, especially over slow modems, will also be able to
operate with lower Round Trip Times. However,
note that this feature only effects data transmission (uploading
/ server side). It has no effect on data reception (downloading).
Adjusting net.inet.tcp.inflight_stab is
not recommended. This parameter defaults to
20, representing 2 maximal packets added to the bandwidth delay
product window calculation. The additional window is required to
stabilize the algorithm and improve responsiveness to changing
conditions, but it can also result in higher ping times over slow
links (though still much lower than you would get without the
inflight algorithm). In such cases, you may wish to try reducing
this parameter to 15, 10, or 5; and may also have to reduce
net.inet.tcp.inflight_min (for example, to
3500) to get the desired effect. Reducing these parameters
should be done as a last resort only.Adding Swap SpaceNo matter how well you plan, sometimes a system does not run
as you expect. If you find you need more swap space, it is
simple enough to add. You have three ways to increase swap
space: adding a new hard drive, enabling swap over NFS, and
creating a swap file on an existing partition.Swap on a New Hard DriveThe best way to add swap, of course, is to use this as an
excuse to add another hard drive. You can always use another
hard drive, after all. If you can do this, go reread the
discussion of swap space
in
of the Handbook for some suggestions on how to best
arrange your swap.Swapping over NFSSwapping over NFS is only recommended if you do not have a
local hard disk to swap to. Swapping over NFS is slow and
inefficient in versions of &os; prior to 4.X. It is
reasonably fast and efficient in 4.0-RELEASE and newer. Even
with newer versions of &os;, NFS swapping will be limited
by the available network bandwidth and puts an additional
burden on the NFS server.SwapfilesYou can create a file of a specified size to use as a swap
file. In our example here we will use a 64MB file called
/usr/swap0. You can use any name you
want, of course.Creating a Swapfile on &os; 4.XBe certain that your kernel configuration includes
the vnode driver. It is not in recent versions of
GENERIC.pseudo-device vn 1 #Vnode driver (turns a file into a device)Create a vn-device:&prompt.root; cd /dev
&prompt.root; sh MAKEDEV vn0Create a swapfile (/usr/swap0):&prompt.root; dd if=/dev/zero of=/usr/swap0 bs=1024k count=64Set proper permissions on (/usr/swap0):&prompt.root; chmod 0600 /usr/swap0Enable the swap file in /etc/rc.conf:swapfile="/usr/swap0" # Set to name of swapfile if aux swapfile desired.Reboot the machine or to enable the swap file immediately,
type:&prompt.root; vnconfig -e /dev/vn0b /usr/swap0 swapCreating a Swapfile on &os; 5.XBe certain that your kernel configuration includes
the memory disk driver (&man.md.4;). It is default in
GENERIC kernel.device md # Memory "disks"Create a swapfile (/usr/swap0):&prompt.root; dd if=/dev/zero of=/usr/swap0 bs=1024k count=64Set proper permissions on (/usr/swap0):&prompt.root; chmod 0600 /usr/swap0Enable the swap file in /etc/rc.conf:swapfile="/usr/swap0" # Set to name of swapfile if aux swapfile desired.Reboot the machine or to enable the swap file immediately,
type:&prompt.root; mdconfig -a -t vnode -f /usr/swap0 -u 0 && swapon /dev/md0HitenPandyaWritten by TomRhodesPower and Resource ManagementIt is very important to utilize hardware resources in an
efficient manner. Before ACPI was introduced,
it was very difficult and inflexible for operating systems to manage
the power usage and thermal properties of a system. The hardware was
controlled by some sort of BIOS embedded
interface, such as Plug and Play BIOS (PNPBIOS), or
Advanced Power Management (APM) and so on.
Power and Resource Management is one of the key components of a modern
operating system. For example, you may want an operating system to
monitor system limits (and possibly alert you) in case your system
temperature increased unexpectedly.In this section of the &os; Handbook, we will provide
comprehensive information about ACPI. References
will be provided for further reading at the end. Please be aware
that ACPI is available on &os; 5.X and
above systems as a default kernel module. For &os; 4.9,
ACPI can be enabled by adding the line
device acpica to a kernel configuration and
rebuilding.What Is ACPI?Advanced Configuration and Power Interface
(ACPI) is a standard written by
an alliance of vendors to provide a standard interface for
hardware resources and power management (hence the name).
It is a key element in Operating System-directed
configuration and Power Management, i.e.: it provides
more control and flexibility to the operating system
(OS).
Modern systems stretched the limits of the
current Plug and Play interfaces (such as APM, which is used in
&os; 4.X), prior to the introduction of
ACPI. ACPI is the direct
successor to APM
(Advanced Power Management).Shortcomings of Advanced Power Management (APM)The Advanced Power Management (APM)
facility controls the power usage of a system based on its
activity. The APM BIOS is supplied by the (system) vendor and
it is specific to the hardware platform. An APM driver in the
OS mediates access to the APM Software Interface,
which allows management of power levels.There are four major problems in APM. Firstly, power
management is done by the (vendor-specific) BIOS, and the OS
does not have any knowledge of it. One example of this, is when
the user sets idle-time values for a hard drive in the APM BIOS,
that when exceeded, it (BIOS) would spin down the hard drive,
without the consent of the OS. Secondly, the APM logic is
embedded in the BIOS, and it operates outside the scope of the
OS. This means users can only fix problems in their APM BIOS by
flashing a new one into the ROM; which is a very dangerous
procedure with the potential to leave the system in an
unrecoverable state if it fails. Thirdly, APM is a vendor-specific
technology, which means that there is a lot of parity
(duplication of efforts) and bugs found in one vendor's BIOS,
may not be solved in others. Last but not the least, the APM
BIOS did not have enough room to implement a sophisticated power
policy, or one that can adapt very well to the purpose of the
machine.Plug and Play BIOS (PNPBIOS) was
unreliable in many situations. PNPBIOS is 16-bit technology,
so the OS has to use 16-bit emulation in order to
interface with PNPBIOS methods.The &os; APM driver is documented in
the &man.apm.4; manual page.Configuring ACPIThe acpi.ko driver is loaded by default
at start up by the &man.loader.8; and should not
be compiled into the kernel. The reasoning behind this is that modules
are easier to work with, say if switching to another acpi.ko
without doing a kernel rebuild. This has the advantage of making testing easier.
Another reason is that starting ACPI after a system has been
brought up is not too useful, and in some cases can be fatal. In doubt, just
disable ACPI all together. This driver should not and can not
be unloaded because the system bus uses it for various hardware interactions.
ACPI can be disabled with the &man.acpiconf.8; utility.
In fact most of the interaction with ACPI can be done via
&man.acpiconf.8;. Basically this means, if anything about ACPI
is in the &man.dmesg.8; output, then most likely it is already running.ACPI and APM cannot coexist and
should be used separately. The last one to load will terminate if the driver
notices the other running.In the simplest form, ACPI can be used to put the
system into a sleep mode with &man.acpiconf.8;, the
flag, and a 1-5 option. Most users will only need
1. Option 5 will do a soft-off
which is the same action as:&prompt.root; halt -pThe other options are available. Check out the &man.acpiconf.8;
manual page for more information.NateLawsonWritten by PeterSchultzWith contributions from TomRhodesUsing and Debugging &os; ACPIACPI is a fundamentally new way of
discovering devices, managing power usage, and providing
standardized access to various hardware previously managed
by the BIOS. Progress is being made toward
ACPI working on all systems, but bugs in some
motherboards' ACPI Machine
Language (AML) bytecode,
incompleteness in &os;'s kernel subsystems, and bugs in the &intel;
ACPI-CA interpreter continue to appear.This document is intended to help you assist the &os;
ACPI maintainers in identifying the root cause
of problems you observe and debugging and developing a solution.
Thanks for reading this and we hope we can solve your system's
problems.Submitting Debugging InformationBefore submitting a problem, be sure you are running the latest
BIOS version and, if available, embedded
controller firmware version.For those of you that want to submit a problem right away,
please send the following information to
freebsd-acpi@FreeBSD.org:Description of the buggy behavior, including system type
and model and anything that causes the bug to appear. Also,
please note as accurately as possible when the bug began
occurring if it is new for you.The &man.dmesg.8; output after boot
-v, including any error messages
generated by you exercising the bug.The &man.dmesg.8; output from boot
-v with ACPI
disabled, if disabling it helps fix the problem.Output from sysctl hw.acpi. This is also
a good way of figuring out what features your system
offers.URL where your
ACPI Source Language
(ASL)
can be found. Do not send the
ASL directly to the list as it can be
very large. Generate a copy of your ASL
by running this command:&prompt.root; acpidump -t -d > name-system.asl(Substitute your login name for
name and manufacturer/model for
system. Example:
njl-FooCo6000.asl)Most of the developers watch the &a.current;
but please submit problems to &a.acpi.name; to be sure it is
seen. Please be patient, all of us have full-time jobs
elsewhere. If your bug is not immediately apparent, we will
probably ask you to submit a PR via
&man.send-pr.1;. When entering a PR, please
include the same information as requested above. This will help
us track the problem and resolve it. Do not send a
PR without emailing &a.acpi.name; first as we use
PRs as reminders of existing problems, not a
reporting mechanism. It is likely that your problem has been
reported by someone before.BackgroundACPI is present in all modern computers
that conform to the ia32 (x86), ia64 (Itanium), and amd64 (AMD)
architectures. The full standard has many features including
CPU performance management, power planes
control, thermal zones, various battery systems, embedded
controllers, and bus enumeration. Most systems implement less
than the full standard. For instance, a desktop system usually
only implements the bus enumeration parts while a laptop might
have cooling and battery management support as well. Laptops
also have suspend and resume, with their own associated
complexity.An ACPI-compliant system has various
components. The BIOS and chipset vendors
provide various fixed tables (e.g., FADT)
in memory that specify things like the APIC
map (used for SMP), config registers, and
simple configuration values. Additionally, a table of bytecode
(the Differentiated System Description Table
DSDT) is provided that specifies a
tree-like name space of devices and methods.The ACPI driver must parse the fixed
tables, implement an interpreter for the bytecode, and modify
device drivers and the kernel to accept information from the
ACPI subsystem. For &os;, &intel; has
provided an interpreter (ACPI-CA) that is
shared with Linux and NetBSD. The path to the
ACPI-CA source code is
- src/sys/contrib/dev/acpica.
+ src/sys/contrib/dev/acpica.
The glue code that allows ACPI-CA to work on
&os; is in
src/sys/dev/acpica/Osd. Finally, drivers
that implement various ACPI devices are found
in
- src/sys/dev/acpica.
+ src/sys/dev/acpica.
Common ProblemsFor ACPI to work correctly, all the parts
have to work correctly. Here are some common problems, in order
of frequency of appearance, and some possible workarounds or
fixes.Suspend/ResumeACPI has three suspend to
RAM (STR) states,
S1-S3, and one suspend
to disk state (STD), called
S4. S5 is
soft off and is the normal state your system
is in when plugged in but not powered up.
S4 can actually be implemented two separate
ways. S4BIOS is a
BIOS-assisted suspend to disk.
S4OS is implemented
entirely by the operating system.Start by checking sysctl hw.acpi
for the suspend-related items. Here
are the results for a Thinkpad:hw.acpi.supported_sleep_state: S3 S4 S5
hw.acpi.s4bios: 0This means that we can use acpiconf -s
to test S3,
S4OS, and
S5. If was one
(1), we would have
S4BIOS
support instead of S4
OS.When testing suspend/resume, start with
S1, if supported. This state is most
likely to work since it does not require much driver support.
No one has implemented S2 but if you have
it, it is similar to S1. The next thing
to try is S3. This is the deepest
STR state and requires a lot of driver
support to properly reinitialize your hardware. If you have
problems resuming, feel free to email the &a.acpi.name; list but
do not expect the problem to be resolved since there are a lot
of drivers/hardware that need more testing and work.To help isolate the problem, remove as many drivers from
your kernel as possible. If it works, you can narrow down
which driver is the problem by loading drivers until it fails
again. Typically binary drivers like
nvidia.ko, X11
display drivers, and USB will have the most
problems while Ethernet interfaces usually work fine. If you
can properly load/unload the drivers, you can automate this by
putting the appropriate commands in
/etc/rc.suspend and
/etc/rc.resume. There is a
commented-out example for unloading and loading a driver. Try
setting to zero (0) if
your display is messed up after resume. Try setting longer or
shorter values for to see
if that helps.Another thing to try is load a recent Linux distribution
with ACPI support and test their
suspend/resume support on the same hardware. If it works
on Linux, it is likely a &os; driver problem and narrowing down
which driver causes the problems will help us fix the problem.
Note that the ACPI maintainers do not
usually maintain other drivers (e.g sound,
ATA, etc.) so any work done on tracking
down a driver problem should probably eventually be posted
to the &a.current.name; list and mailed to the driver
maintainer. If you are feeling adventurous, go ahead and
start putting some debugging &man.printf.3;s in a problematic
driver to track down where in its resume function it
hangs.Finally, try disabling ACPI and
enabling APM instead. If suspend/resume
works with APM, you may be better off
sticking with APM, especially on older
hardware (pre-2000). It took vendors a while to get
ACPI support correct and older hardware is
more likely to have BIOS problems with
ACPI.System Hangs (temporary or permanent)Most system hangs are a result of lost interrupts or an
interrupt storm. Chipsets have a lot of problems based on how
the BIOS configures interrupts before boot,
correctness of the APIC
(MADT) table, and routing of the
System Control Interrupt
(SCI).Interrupt storms can be distinguished from lost interrupts
by checking the output of vmstat -i
and looking at the line that has
acpi0. If the counter is increasing at more
than a couple per second, you have an interrupt storm. If the
system appears hung, try breaking to DDB
(CTRLALTESC on
console) and type show interrupts.Your best hope when dealing with interrupt problems is to
try disabling APIC support with
hint.apic.0.disabled="1" in
loader.conf.PanicsPanics are relatively rare for ACPI and
are the top priority to be fixed. The first step is to
isolate the steps to reproduce the panic (if possible)
and get a backtrace. Follow the advice for enabling
options DDB and setting up a serial console
(see )
or setting up a &man.dump.8; partition. You can get a
backtrace in DDB with
tr. If you have to handwrite the
backtrace, be sure to at least get the lowest five (5) and top
five (5) lines in the trace.Then, try to isolate the problem by booting with
ACPI disabled. If that works, you can
isolate the ACPI subsystem by using various
values of . See the
&man.acpi.4; manual page for some examples.System Powers Up After Suspend or ShutdownFirst, try setting
hw.acpi.disable_on_poweroff="0"
in &man.loader.conf.5;. This keeps ACPI
from disabling various events during the shutdown process.
Some systems need this value set to 1 (the
default) for the same reason. This usually fixes
the problem of a system powering up spontaneously after a
suspend or poweroff.Other ProblemsIf you have other problems with ACPI
(working with a docking station, devices not detected, etc.),
please email a description to the mailing list as well;
however, some of these issues may be related to unfinished
parts of the ACPI subsystem so they might
take a while to be implemented. Please be patient and
prepared to test patches we may send you.ASL, acpidump, and
IASLThe most common problem is the BIOS
vendors providing incorrect (or outright buggy!) bytecode. This
is usually manifested by kernel console messages like
this:ACPI-1287: *** Error: Method execution failed [\\_SB_.PCI0.LPC0.FIGD._STA] \\
(Node 0xc3f6d160), AE_NOT_FOUNDOften, you can resolve these problems by updating your
BIOS to the latest revision. Most console
messages are harmless but if you have other problems like
battery status not working, they're a good place to start
looking for problems in the AML. The
bytecode, known as AML, is compiled from a
source language called ASL. The
AML is found in the table known as the
DSDT. To get a copy of your
ASL, use &man.acpidump.8;. You should use
both the (show contents of the fixed tables)
and (disassemble AML to
ASL) options. See the
Submitting Debugging
Information section for an example syntax.The simplest first check you can do is to recompile your
ASL to check for errors. Warnings can
usually be ignored but errors are bugs that will usually prevent
ACPI from working correctly. To recompile
your ASL, issue the following command:&prompt.root; iasl your.aslFixing Your ASLIn the long run, our goal is for almost everyone to have
ACPI work without any user intervention. At
this point, however, we are still developing workarounds for
common mistakes made by the BIOS vendors.
The µsoft; interpreter (acpi.sys and
acpiec.sys) does not strictly check for
adherence to the standard, and thus many BIOS
vendors who only test ACPI under &windows;
never fix their ASL. We hope to continue to
identify and document exactly what non-standard behavior is
allowed by µsoft;'s interpreter and replicate it so &os; can
work without forcing users to fix the ASL.
As a workaround and to help us identify behavior, you can fix
the ASL manually. If this works for you,
please send a &man.diff.1; of the old and new
ASL so we can possibly work around the buggy
behavior in ACPI-CA and thus make your fix
unnecessary.Here is a list of common error messages, their cause, and
how to fix them:_OS dependenciesSome AML assumes the world consists of
various &windows; versions. You can tell &os; to claim it is
any OS to see if this fixes problems you
may have. An easy way to override this is to set
hw.acpi.osname="Windows 2001"
in /boot/loader.conf or other similar
strings you find in the ASL.Missing Return statementsSome methods do not explicitly return a value as the
standard requires. While ACPI-CA
does not handle this, &os; has a workaround that allows it to
return the value implicitly. You can also add explicit
Return statements where required if you know what value should
be returned. To force iasl to compile the
ASL, use the
flag.Overriding the Default AMLAfter you customize your.asl, you
will want to compile it, run:&prompt.root; iasl your.aslYou can add the flag to force creation
of the AML, even if there are errors during
compilation. Remember that some errors (e.g., missing Return
statements) are automatically worked around by the
interpreter.DSDT.aml is the default output
filename for iasl. You can load this
instead of your BIOS's buggy copy (which
is still present in flash memory) by editing
/boot/loader.conf as
follows:acpi_dsdt_load="YES"
acpi_dsdt_name="/boot/DSDT.aml"Be sure to copy your DSDT.aml to the
- /boot directory.
+ /boot directory.
Getting Debugging Output From
ACPIThe ACPI driver has a very flexible
debugging facility. It allows you to specify a set of subsystems
as well as the level of verbosity. The subsystems you wish to
debug are specified as layers and are broken down
into ACPI-CA components (ACPI_ALL_COMPONENTS)
and ACPI hardware support (ACPI_ALL_DRIVERS).
The verbosity of debugging output is specified as the
level and ranges from ACPI_LV_ERROR (just report
errors) to ACPI_LV_VERBOSE (everything). The
level is a bitmask so multiple options can be set
at once, separated by spaces. In practice, you will want to use
a serial console to log the output if it is so long
it flushes the console message buffer. A full list of the
individual layers and levels is found in the &man.acpi.4; manual
page.Debugging output is not enabled by default. To enable it,
add options ACPI_DEBUG to your kernel configuration file
if ACPI is compiled into the kernel. You can
add ACPI_DEBUG=1 to your
/etc/make.conf to enable it globally. If
it is a module, you can recompile just your
acpi.ko module as follows:&prompt.root; cd /sys/modules/acpi/acpi
&& make clean &&
make ACPI_DEBUG=1Install acpi.ko in
- /boot/kernel and add your
+ /boot/kernel and add your
desired level and layer to loader.conf.
This example enables debug messages for all
ACPI-CA components and all
ACPI hardware drivers
(CPU, LID, etc.) It will
only output error messages, the least verbose level.debug.acpi.layer="ACPI_ALL_COMPONENTS ACPI_ALL_DRIVERS"
debug.acpi.level="ACPI_LV_ERROR"If the information you want is triggered by a specific event
(say, a suspend and then resume), you can leave out changes to
loader.conf and instead use
sysctl to specify the layer and level after
booting and preparing your system for the specific event. The
sysctls are named the same as the tunables
in loader.conf.ReferencesMore information about ACPI may be found
in the following locations:The &a.acpi;The ACPI Mailing List Archives
The old ACPI Mailing List Archives
The ACPI 2.0 Specification
&os; Manual pages: &man.acpi.4;,
&man.acpi.thermal.4;, &man.acpidump.8;, &man.iasl.8;,
&man.acpidb.8;
DSDT debugging resource.
(Uses Compaq as an example but generally useful.)
diff --git a/en_US.ISO8859-1/books/handbook/disks/chapter.sgml b/en_US.ISO8859-1/books/handbook/disks/chapter.sgml
index 61e1fd3c39..b7dbfc9155 100644
--- a/en_US.ISO8859-1/books/handbook/disks/chapter.sgml
+++ b/en_US.ISO8859-1/books/handbook/disks/chapter.sgml
@@ -1,3808 +1,3808 @@
StorageSynopsisThis chapter covers the use of disks in FreeBSD. This
includes memory-backed disks, network-attached disks,
standard SCSI/IDE storage devices, and devices using the USB
interface.After reading this chapter, you will know:The terminology FreeBSD uses to describe the
organization of data on a physical disk (partitions and slices).How to add additional hard disks to your system.How to configure &os; to use USB storage devices.How to set up virtual file systems, such as memory
disks.How to use quotas to limit disk space usage.How to encrypt disks to secure them against attackers.How to create and burn CDs and DVDs on FreeBSD.The various storage media options for backups.How to use backup programs available under FreeBSD.How to backup to floppy disks.What snapshots are and how to use them efficiently.Before reading this chapter, you should:Know how to configure and install a new FreeBSD kernel
().Device NamesThe following is a list of physical storage devices
supported in FreeBSD, and the device names associated with
them.
Physical Disk Naming ConventionsDrive typeDrive device nameIDE hard drivesadIDE CDROM drivesacdSCSI hard drives and USB Mass storage devicesdaSCSI CDROM drivescdAssorted non-standard CDROM drivesmcd for Mitsumi CD-ROM,
scd for Sony CD-ROM,
matcd for Matsushita/Panasonic CD-ROM
The &man.matcd.4; driver has been removed
in FreeBSD 4.X branch since October 5th,
2002 and does not exist in FreeBSD 5.0 and
5.1 releases. However this driver is back in the
FreeBSD 5.X branch since June 16th,
2003.Floppy drivesfdSCSI tape drivessaIDE tape drivesastFlash drivesfla for &diskonchip; Flash deviceRAID drivesaacd for &adaptec; AdvancedRAID,
mlxd and mlyd
for &mylex;,
amrd for AMI &megaraid;,
idad for Compaq Smart RAID,
twed for &tm.3ware; RAID.
DavidO'BrienOriginally contributed by Adding DisksdisksaddingLets say we want to add a new SCSI disk to a machine that
currently only has a single drive. First turn off the computer
and install the drive in the computer following the instructions
of the computer, controller, and drive manufacturer. Due to the
wide variations of procedures to do this, the details are beyond
the scope of this document.Login as user root. After you have installed the
drive, inspect /var/run/dmesg.boot to ensure the new
disk was found. Continuing with our example, the newly added drive will
be da1 and we want to mount it on
/1 (if you are adding an IDE drive, the device name
will be wd1 in pre-4.0 systems, or
ad1 in 4.X and 5.X systems).partitionsslicesfdiskBecause FreeBSD runs on IBM-PC compatible computers, it must
take into account the PC BIOS partitions. These are different
from the traditional BSD partitions. A PC disk has up to four
BIOS partition entries. If the disk is going to be truly
dedicated to FreeBSD, you can use the
dedicated mode. Otherwise, FreeBSD will
have to live within one of the PC BIOS partitions. FreeBSD
calls the PC BIOS partitions slices so as
not to confuse them with traditional BSD partitions. You may
also use slices on a disk that is dedicated to FreeBSD, but used
in a computer that also has another operating system installed.
This is to not confuse the fdisk utility of
the other operating system.In the slice case the drive will be added as
/dev/da1s1e. This is read as: SCSI disk,
unit number 1 (second SCSI disk), slice 1 (PC BIOS partition 1),
and e BSD partition. In the dedicated
case, the drive will be added simply as
/dev/da1e.Due to the use of 32-bit integers to store the number of sectors
&man.bsdlabel.8; (called &man.disklabel.8; in &os; 4.X) is
limited to 2^32-1 sectors per disk or 2TB in most cases. The
&man.fdisk.8; format allows a starting sector of no more than
2^32-1 and a length of no more than 2^32-1, limiting partitions to
2TB and disks to 4TB in most cases. The &man.sunlabel.8; format
is limited to 2^32-1 sectors per partition and 8 partitions for
a total of 16TB. For larger disks, &man.gpt.8; partitions may be
used.Using &man.sysinstall.8;sysinstalladding diskssuNavigating SysinstallYou may use /stand/sysinstall to
partition and label a new disk using its easy to use menus.
Either login as user root or use the
su command. Run
/stand/sysinstall and enter the
Configure menu. Within the
FreeBSD Configuration Menu, scroll down and
select the Fdisk option.fdisk Partition EditorOnce inside fdisk, we can type A to
use the entire disk for FreeBSD. When asked if you want to
remain cooperative with any future possible operating
systems, answer YES. Write the
changes to the disk using W. Now exit the
FDISK editor by typing q. Next you will be
asked about the Master Boot Record. Since you are adding a
disk to an already running system, choose
None.Disk Label EditorBSD partitionsNext, you need to exit sysinstall
and start it again. Follow the directions above, although this
time choose the Label option. This will
enter the Disk Label Editor. This
is where you will create the traditional BSD partitions. A
disk can have up to eight partitions, labeled
a-h.
A few of the partition labels have special uses. The
a partition is used for the root partition
(/). Thus only your system disk (e.g,
the disk you boot from) should have an a
partition. The b partition is used for
swap partitions, and you may have many disks with swap
partitions. The c partition addresses the
entire disk in dedicated mode, or the entire FreeBSD slice in
slice mode. The other partitions are for general use.sysinstall's Label editor
favors the e
partition for non-root, non-swap partitions. Within the
Label editor, create a single file system by typing
C. When prompted if this will be a FS
(file system) or swap, choose FS and type in a
mount point (e.g, /mnt). When adding a
disk in post-install mode, sysinstall
will not create entries
in /etc/fstab for you, so the mount point
you specify is not important.You are now ready to write the new label to the disk and
create a file system on it. Do this by typing
W. Ignore any errors from
sysinstall that
it could not mount the new partition. Exit the Label Editor
and sysinstall completely.FinishThe last step is to edit /etc/fstab
to add an entry for your new disk.Using Command Line UtilitiesUsing SlicesThis setup will allow your disk to work correctly with
other operating systems that might be installed on your
computer and will not confuse other operating systems'
fdisk utilities. It is recommended
to use this method for new disk installs. Only use
dedicated mode if you have a good reason
to do so!&prompt.root; dd if=/dev/zero of=/dev/da1 bs=1k count=1
&prompt.root; fdisk -BI da1 #Initialize your new disk
&prompt.root; disklabel -B -w -r da1s1 auto #Label it.
&prompt.root; disklabel -e da1s1 # Edit the disklabel just created and add any partitions.
&prompt.root; mkdir -p /1
&prompt.root; newfs /dev/da1s1e # Repeat this for every partition you created.
&prompt.root; mount /dev/da1s1e /1 # Mount the partition(s)
&prompt.root; vi /etc/fstab # Add the appropriate entry/entries to your /etc/fstab.If you have an IDE disk, substitute ad
for da. On pre-4.X systems use
wd.DedicatedOS/2If you will not be sharing the new drive with another operating
system, you may use the dedicated mode. Remember
this mode can confuse Microsoft operating systems; however, no damage
will be done by them. IBM's &os2; however, will
appropriate any partition it finds which it does not
understand.&prompt.root; dd if=/dev/zero of=/dev/da1 bs=1k count=1
&prompt.root; disklabel -Brw da1 auto
&prompt.root; disklabel -e da1 # create the `e' partition
&prompt.root; newfs -d0 /dev/da1e
&prompt.root; mkdir -p /1
&prompt.root; vi /etc/fstab # add an entry for /dev/da1e
&prompt.root; mount /1An alternate method is:&prompt.root; dd if=/dev/zero of=/dev/da1 count=2
&prompt.root; disklabel /dev/da1 | disklabel -BrR da1 /dev/stdin
&prompt.root; newfs /dev/da1e
&prompt.root; mkdir -p /1
&prompt.root; vi /etc/fstab # add an entry for /dev/da1e
&prompt.root; mount /1Since &os; 5.1-RELEASE, the &man.bsdlabel.8;
utility replaces the old &man.disklabel.8; program. With
&man.bsdlabel.8; a number of obsolete options and parameters
have been retired; in the examples above the option
should be removed with &man.bsdlabel.8;.
For more information, please refer to the &man.bsdlabel.8;
manual page.RAIDSoftware RAIDChristopherShumwayOriginal work by JimBrownRevised by RAIDsoftwareRAIDCCDConcatenated Disk Driver (CCD) ConfigurationWhen choosing a mass storage solution the most important
factors to consider are speed, reliability, and cost. It is
rare to have all three in balance; normally a fast, reliable mass
storage device is expensive, and to cut back on cost either speed
or reliability must be sacrificed.In designing the system described below, cost was chosen
as the most important factor, followed by speed, then reliability.
Data transfer speed for this system is ultimately
constrained by the network. And while reliability is very important,
the CCD drive described below serves online data that is already
fully backed up on CD-R's and can easily be replaced.Defining your own requirements is the first step
in choosing a mass storage solution. If your requirements prefer
speed or reliability over cost, your solution will differ from
the system described in this section.Installing the HardwareIn addition to the IDE system disk, three Western
Digital 30GB, 5400 RPM IDE disks form the core
of the CCD disk described below providing approximately
90GB of online storage. Ideally,
each IDE disk would have its own IDE controller
and cable, but to minimize cost, additional
IDE controllers were not used. Instead the disks were
configured with jumpers so that each IDE controller has
one master, and one slave.Upon reboot, the system BIOS was configured to
automatically detect the disks attached. More importantly,
FreeBSD detected them on reboot:ad0: 19574MB <WDC WD205BA> [39770/16/63] at ata0-master UDMA33
ad1: 29333MB <WDC WD307AA> [59598/16/63] at ata0-slave UDMA33
ad2: 29333MB <WDC WD307AA> [59598/16/63] at ata1-master UDMA33
ad3: 29333MB <WDC WD307AA> [59598/16/63] at ata1-slave UDMA33If FreeBSD does not detect all the disks, ensure
that you have jumpered them correctly. Most IDE drives
also have a Cable Select jumper. This is
not the jumper for the master/slave
relationship. Consult the drive documentation for help in
identifying the correct jumper.Next, consider how to attach them as part of the file
system. You should research both &man.vinum.8; () and &man.ccd.4;. In this
particular configuration, &man.ccd.4; was chosen.Setting Up the CCDThe driver &man.ccd.4; allows you to take
several identical disks and concatenate them into one
logical file system. In order to use
&man.ccd.4;, you need a kernel with
&man.ccd.4; support built in.
Add this line to your kernel configuration file, rebuild, and
reinstall the kernel:pseudo-device ccd 4On 5.X systems, you have to use instead the following
line:device ccdIn FreeBSD 5.X, it is not necessary to specify
a number of &man.ccd.4; devices, as the &man.ccd.4; device driver is now
self-cloning — new device instances will automatically be
created on demand.The &man.ccd.4; support can also be
loaded as a kernel loadable module in FreeBSD 3.0 or
later.To set up &man.ccd.4;, you must first use
&man.disklabel.8; to label the disks:disklabel -r -w ad1 auto
disklabel -r -w ad2 auto
disklabel -r -w ad3 autoThis creates a disklabel for ad1c, ad2c and ad3c that
spans the entire disk.Since &os; 5.1-RELEASE, the &man.bsdlabel.8;
utility replaces the old &man.disklabel.8; program. With
&man.bsdlabel.8; a number of obsolete options and parameters
have been retired; in the examples above the option
should be removed. For more
information, please refer to the &man.bsdlabel.8;
manual page.The next step is to change the disk label type. You
can use &man.disklabel.8; to edit the
disks:disklabel -e ad1
disklabel -e ad2
disklabel -e ad3This opens up the current disk label on each disk with
the editor specified by the EDITOR
environment variable, typically &man.vi.1;.An unmodified disk label will look something like
this:8 partitions:
# size offset fstype [fsize bsize bps/cpg]
c: 60074784 0 unused 0 0 0 # (Cyl. 0 - 59597)Add a new e partition for &man.ccd.4; to use. This
can usually be copied from the c partition,
but the must
be 4.2BSD. The disk label should
now look something like this:8 partitions:
# size offset fstype [fsize bsize bps/cpg]
c: 60074784 0 unused 0 0 0 # (Cyl. 0 - 59597)
e: 60074784 0 4.2BSD 0 0 0 # (Cyl. 0 - 59597)Building the File SystemThe device node for
ccd0c may not exist yet, so to
create it, perform the following commands:cd /dev
sh MAKEDEV ccd0In FreeBSD 5.0, &man.devfs.5; will automatically
manage device nodes in /dev, so use of
MAKEDEV is not necessary.Now that you have all of the disks labeled, you must
build the &man.ccd.4;. To do that,
use &man.ccdconfig.8;, with options similar to the following:ccdconfig ccd0 32 0 /dev/ad1e /dev/ad2e /dev/ad3eThe use and meaning of each option is shown below:The first argument is the device to configure, in this case,
/dev/ccd0c. The /dev/
portion is optional.The interleave for the file system. The interleave
defines the size of a stripe in disk blocks, each normally 512 bytes.
So, an interleave of 32 would be 16,384 bytes.Flags for &man.ccdconfig.8;. If you want to enable drive
mirroring, you can specify a flag here. This
configuration does not provide mirroring for
&man.ccd.4;, so it is set at 0 (zero).The final arguments to &man.ccdconfig.8;
are the devices to place into the array. Use the complete pathname
for each device.After running &man.ccdconfig.8; the &man.ccd.4;
is configured. A file system can be installed. Refer to &man.newfs.8;
for options, or simply run: newfs /dev/ccd0cMaking it All AutomaticGenerally, you will want to mount the
&man.ccd.4; upon each reboot. To do this, you must
configure it first. Write out your current configuration to
/etc/ccd.conf using the following command:ccdconfig -g > /etc/ccd.confDuring reboot, the script /etc/rc
runs ccdconfig -C if /etc/ccd.conf
exists. This automatically configures the
&man.ccd.4; so it can be mounted.If you are booting into single user mode, before you can
&man.mount.8; the &man.ccd.4;, you
need to issue the following command to configure the
array:ccdconfig -CTo automatically mount the &man.ccd.4;,
place an entry for the &man.ccd.4; in
/etc/fstab so it will be mounted at
boot time:/dev/ccd0c /media ufs rw 2 2The Vinum Volume ManagerRAIDsoftwareRAIDVinumThe Vinum Volume Manager is a block device driver which
implements virtual disk drives. It isolates disk hardware
from the block device interface and maps data in ways which
result in an increase in flexibility, performance and
reliability compared to the traditional slice view of disk
storage. &man.vinum.8; implements the RAID-0, RAID-1 and
RAID-5 models, both individually and in combination.See for more
information about &man.vinum.8;.Hardware RAIDRAIDhardwareFreeBSD also supports a variety of hardware RAID
controllers. These devices control a RAID subsystem
without the need for FreeBSD specific software to manage the
array.Using an on-card BIOS, the card controls most of the disk operations
itself. The following is a brief setup description using a Promise IDE RAID
controller. When this card is installed and the system is started up, it
displays a prompt requesting information. Follow the instructions
to enter the card's setup screen. From here, you have the ability to
combine all the attached drives. After doing so, the disk(s) will look like
a single drive to FreeBSD. Other RAID levels can be set up
accordingly.
Rebuilding ATA RAID1 ArraysFreeBSD allows you to hot-replace a failed disk in an array. This requires
that you catch it before you reboot.You will probably see something like the following in /var/log/messages or in the &man.dmesg.8;
output:ad6 on monster1 suffered a hard error.
ad6: READ command timeout tag=0 serv=0 - resetting
ad6: trying fallback to PIO mode
ata3: resetting devices .. done
ad6: hard error reading fsbn 1116119 of 0-7 (ad6 bn 1116119; cn 1107 tn 4 sn 11)\\
status=59 error=40
ar0: WARNING - mirror lostUsing &man.atacontrol.8;, check for further information:&prompt.root; atacontrol list
ATA channel 0:
Master: no device present
Slave: acd0 <HL-DT-ST CD-ROM GCR-8520B/1.00> ATA/ATAPI rev 0
ATA channel 1:
Master: no device present
Slave: no device present
ATA channel 2:
Master: ad4 <MAXTOR 6L080J4/A93.0500> ATA/ATAPI rev 5
Slave: no device present
ATA channel 3:
Master: ad6 <MAXTOR 6L080J4/A93.0500> ATA/ATAPI rev 5
Slave: no device present
&prompt.root; atacontrol status ar0
ar0: ATA RAID1 subdisks: ad4 ad6 status: DEGRADEDYou will first need to detach the disk from the array so that you can
safely remove it:&prompt.root; atacontrol detach 3Replace the disk.Reattach the disk as a spare:&prompt.root; atacontrol attach 3
Master: ad6 <MAXTOR 6L080J4/A93.0500> ATA/ATAPI rev 5
Slave: no device presentRebuild the array:&prompt.root; atacontrol rebuild ar0The rebuild command hangs until complete. However, it is possible to open another
terminal (using AltFn)
and check on the progress by issuing the following command:&prompt.root; dmesg | tail -10
[output removed]
ad6: removed from configuration
ad6: deleted from ar0 disk1
ad6: inserted into ar0 disk1 as spare
&prompt.root; atacontrol status ar0
ar0: ATA RAID1 subdisks: ad4 ad6 status: REBUILDING 0% completedWait until this operation completes.MarcFonvieilleContributed by USB Storage DevicesUSBdisksA lot of external storage solutions, nowadays, use the
Universal Serial Bus (USB): hard drives, USB thumbdrives, CD-R
burners, etc. &os; provides support for these devices.ConfigurationThe USB mass storage devices driver, &man.umass.4;,
provides the support for USB storage devices. If you use the
GENERIC kernel, you do not have to change
anything in your configuration. If you use a custom kernel,
be sure that the following lines are present in your kernel
configuration file:device scbus
device da
device pass
device uhci
device ohci
device usb
device umassThe &man.umass.4; driver uses the SCSI subsystem to access
to the USB storage devices, your USB device will be seen as a
SCSI device by the system. Depending on the USB chipset on
your motherboard, you only need either device
uhci or device ohci, however
having both in the kernel configuration file is harmless. Do
not forget to compile and install the new kernel if you added
any lines.If your USB device is a CD-R or DVD burner, the SCSI CD-ROM
driver, &man.cd.4;, must be added to the kernel via the
line:device cdSince the burner is seen as a SCSI drive, the driver
&man.atapicam.4; should not be used in the kernel
configuration.Support for USB 2.0 controllers is provided on
&os; 5.X, and on the 4.X branch since &os; 4.10-RELEASE.
You have to add:device ehcito your configuration file for USB 2.0 support. Note
&man.uhci.4; and &man.ohci.4; drivers are still needed if you
want USB 1.X support.On &os; 4.X, the USB daemon (&man.usbd.8;) must be
running to be able to see some USB devices. To enable it,
add usbd_enable="YES" to your
/etc/rc.conf file and reboot the
machine.Testing the ConfigurationThe configuration is ready to be tested: plug in your USB
device, and in the system message buffer (&man.dmesg.8;), the
drive should appear as something like:umass0: USB Solid state disk, rev 1.10/1.00, addr 2
GEOM: create disk da0 dp=0xc2d74850
da0 at umass-sim0 bus 0 target 0 lun 0
da0: <Generic Traveling Disk 1.11> Removable Direct Access SCSI-2 device
da0: 1.000MB/s transfers
da0: 126MB (258048 512 byte sectors: 64H 32S/T 126C)Of course, the brand, the device node
(da0) and other details can differ
according to your configuration.Since the USB device is seen as a SCSI one, the
camcontrol command can be used to list the
USB storage devices attached to the system:&prompt.root; camcontrol devlist
<Generic Traveling Disk 1.11> at scbus0 target 0 lun 0 (da0,pass0)If the drive comes with a file system, you should be able
to mount it. The will help you
to format and create partitions on the USB drive if
needed.If you unplug the device (the disk must be unmounted
before), you should see, in the system message buffer,
something like the following:umass0: at uhub0 port 1 (addr 2) disconnected
(da0:umass-sim0:0:0:0): lost device
(da0:umass-sim0:0:0:0): removing device entry
GEOM: destroy disk da0 dp=0xc2d74850
umass0: detachedFurther ReadingBeside the Adding
Disks and Mounting and
Unmounting File Systems sections, reading various
manual pages may be also useful: &man.umass.4;,
&man.camcontrol.8;, and &man.usbdevs.8;.MikeMeyerContributed by Creating and Using Optical Media (CDs)CDROMscreatingIntroductionCDs have a number of features that differentiate them from
conventional disks. Initially, they were not writable by the
user. They are designed so that they can be read continuously without
delays to move the head between tracks. They are also much easier
to transport between systems than similarly sized media were at the
time.CDs do have tracks, but this refers to a section of data to
be read continuously and not a physical property of the disk. To
produce a CD on FreeBSD, you prepare the data files that are going
to make up the tracks on the CD, then write the tracks to the
CD.ISO 9660file systemsISO 9660The ISO 9660 file system was designed to deal with these
differences. It unfortunately codifies file system limits that were
common then. Fortunately, it provides an extension mechanism that
allows properly written CDs to exceed those limits while still
working with systems that do not support those extensions.sysutils/cdrtoolsThe sysutils/cdrtools
port includes &man.mkisofs.8;, a program that you can use to
produce a data file containing an ISO 9660 file
system. It has options that support various extensions, and is
described below.CD burnerATAPIWhich tool to use to burn the CD depends on whether your CD burner
is ATAPI or something else. ATAPI CD burners use the burncd program that is part of
the base system. SCSI and USB CD burners should use
cdrecord from
the sysutils/cdrtools port.burncd has a limited number of
supported drives. To find out if a drive is supported, see the
CD-R/RW supported
drives list.CD burnerATAPI/CAM driverIf you run &os; 5.X, &os; 4.8-RELEASE version or
higher, it will be possible to use cdrecord and other tools
for SCSI drives on an ATAPI hardware with the ATAPI/CAM module.If you want a CD burning software with a graphical user
interface, you should have a look to
X-CD-Roast or
K3b. These tools are available as
packages or from the sysutils/xcdroast and sysutils/k3b ports.
X-CD-Roast and
K3b require the ATAPI/CAM module with ATAPI
hardware.mkisofsThe &man.mkisofs.8; program, which is part of the
sysutils/cdrtools port,
produces an ISO 9660 file system
that is an image of a directory tree in the &unix; file system name
space. The simplest usage is:&prompt.root; mkisofs -o imagefile.iso/path/to/treefile systemsISO 9660This command will create an imagefile.iso
containing an ISO 9660 file system that is a copy of the tree at
/path/to/tree. In the process, it will
map the file names to names that fit the limitations of the
standard ISO 9660 file system, and will exclude files that have
names uncharacteristic of ISO file systems.file systemsHFSfile systemsJolietA number of options are available to overcome those
restrictions. In particular, enables the
Rock Ridge extensions common to &unix; systems,
enables Joliet extensions used by Microsoft systems, and
can be used to create HFS file systems used
by &macos;.For CDs that are going to be used only on FreeBSD systems,
can be used to disable all filename
restrictions. When used with , it produces a
file system image that is identical to the FreeBSD tree you started
from, though it may violate the ISO 9660 standard in a number of
ways.CDROMscreating bootableThe last option of general use is . This is
used to specify the location of the boot image for use in producing an
El Torito bootable CD. This option takes an
argument which is the path to a boot image from the top of the
tree being written to the CD. By default, &man.mkisofs.8; creates an
ISO image in the so-called floppy disk emulation mode,
and thus expects the boot image to be exactly 1200, 1440 or
2880 KB in size. Some boot loaders, like the one used by the
FreeBSD distribution disks, do not use emulation mode; in this case,
the option should be used. So, if
/tmp/myboot holds a bootable FreeBSD system
with the boot image in
/tmp/myboot/boot/cdboot, you could produce the
image of an ISO 9660 file system in
/tmp/bootable.iso like so:&prompt.root; mkisofs -R -no-emul-boot -b boot/cdboot -o /tmp/bootable.iso /tmp/mybootHaving done that, if you have vn
(FreeBSD 4.X), or md
(FreeBSD 5.X)
configured in your kernel, you can mount the file system with:&prompt.root; vnconfig -e vn0c /tmp/bootable.iso
&prompt.root; mount -t cd9660 /dev/vn0c /mntfor FreeBSD 4.X, and for FreeBSD 5.X:&prompt.root; mdconfig -a -t vnode -f /tmp/bootable.iso -u 0
&prompt.root; mount -t cd9660 /dev/md0 /mntAt which point you can verify that /mnt
and /tmp/myboot are identical.There are many other options you can use with
&man.mkisofs.8; to fine-tune its behavior. In particular:
modifications to an ISO 9660 layout and the creation of Joliet
and HFS discs. See the &man.mkisofs.8; manual page for details.burncdCDROMsburningIf you have an ATAPI CD burner, you can use the
burncd command to burn an ISO image onto a
CD. burncd is part of the base system, installed
as /usr/sbin/burncd. Usage is very simple, as
it has few options:&prompt.root; burncd -f cddevice data imagefile.iso fixateWill burn a copy of imagefile.iso on
cddevice. The default device is
/dev/acd0 (or /dev/acd0c under &os; 4.X). See &man.burncd.8; for options to
set the write speed, eject the CD after burning, and write audio
data.cdrecordIf you do not have an ATAPI CD burner, you will have to use
cdrecord to burn your
CDs. cdrecord is not part of the base system;
you must install it from either the port at sysutils/cdrtools
or the appropriate
package. Changes to the base system can cause binary versions of
this program to fail, possibly resulting in a
coaster. You should therefore either upgrade the
port when you upgrade your system, or if you are tracking -STABLE, upgrade the port when a
new version becomes available.While cdrecord has many options, basic usage
is even simpler than burncd. Burning an ISO 9660
image is done with:&prompt.root; cdrecord dev=deviceimagefile.isoThe tricky part of using cdrecord is finding
the to use. To find the proper setting, use
the flag of cdrecord,
which might produce results like this:CDROMsburning&prompt.root; cdrecord -scanbus
Cdrecord 1.9 (i386-unknown-freebsd4.2) Copyright (C) 1995-2000 Jörg Schilling
Using libscg version 'schily-0.1'
scsibus0:
0,0,0 0) 'SEAGATE ' 'ST39236LW ' '0004' Disk
0,1,0 1) 'SEAGATE ' 'ST39173W ' '5958' Disk
0,2,0 2) *
0,3,0 3) 'iomega ' 'jaz 1GB ' 'J.86' Removable Disk
0,4,0 4) 'NEC ' 'CD-ROM DRIVE:466' '1.26' Removable CD-ROM
0,5,0 5) *
0,6,0 6) *
0,7,0 7) *
scsibus1:
1,0,0 100) *
1,1,0 101) *
1,2,0 102) *
1,3,0 103) *
1,4,0 104) *
1,5,0 105) 'YAMAHA ' 'CRW4260 ' '1.0q' Removable CD-ROM
1,6,0 106) 'ARTEC ' 'AM12S ' '1.06' Scanner
1,7,0 107) *This lists the appropriate value for the
devices on the list. Locate your CD burner, and use the three
numbers separated by commas as the value for
. In this case, the CRW device is 1,5,0, so the
appropriate input would be
. There are easier
ways to specify this value; see &man.cdrecord.1; for
details. That is also the place to look for information on writing
audio tracks, controlling the speed, and other things.Duplicating Audio CDsYou can duplicate an audio CD by extracting the audio data from
the CD to a series of files, and then writing these files to a blank
CD. The process is slightly different for ATAPI and SCSI
drives.SCSI DrivesUse cdda2wav to extract the audio.&prompt.user; cdda2wav -v255 -D2,0 -B -OwavUse cdrecord to write the
.wav files.&prompt.user; cdrecord -v dev=2,0 -dao -useinfo *.wavMake sure that 2,0 is set
appropriately, as described in .ATAPI DrivesThe ATAPI CD driver makes each track available as
/dev/acddtnn,
where d is the drive number, and
nn is the track number written with two
decimal digits, prefixed with zero as needed.
So the first track on the first disk is
/dev/acd0t01, the second is
/dev/acd0t02, the third is
/dev/acd0t03, and so on.Make sure the appropriate files exist in
/dev.&prompt.root; cd /dev
&prompt.root; sh MAKEDEV acd0t99In FreeBSD 5.0, &man.devfs.5; will automatically
create and manage entries in /dev
for you, so it is not necessary to use
MAKEDEV.Extract each track using &man.dd.1;. You must also use a
specific block size when extracting the files.&prompt.root; dd if=/dev/acd0t01 of=track1.cdr bs=2352
&prompt.root; dd if=/dev/acd0t02 of=track2.cdr bs=2352
...
Burn the extracted files to disk using
burncd. You must specify that these are audio
files, and that burncd should fixate the disk
when finished.&prompt.root; burncd -f /dev/acd0 audio track1.cdr track2.cdr ... fixateDuplicating Data CDsYou can copy a data CD to a image file that is
functionally equivalent to the image file created with
&man.mkisofs.8;, and you can use it to duplicate
any data CD. The example given here assumes that your CDROM
device is acd0. Substitute your
correct CDROM device. Under &os; 4.X, a c must be appended
to the end of the device name to indicate the entire partition
or, in the case of CDROMs, the entire disc.&prompt.root; dd if=/dev/acd0 of=file.iso bs=2048Now that you have an image, you can burn it to CD as
described above.Using Data CDsNow that you have created a standard data CDROM, you
probably want to mount it and read the data on it. By
default, &man.mount.8; assumes that a file system is of type
ufs. If you try something like:&prompt.root; mount /dev/cd0 /mntyou will get a complaint about Incorrect super
block, and no mount. The CDROM is not a
UFS file system, so attempts to mount it
as such will fail. You just need to tell &man.mount.8; that
the file system is of type ISO9660, and
everything will work. You do this by specifying the
option &man.mount.8;. For
example, if you want to mount the CDROM device,
/dev/cd0, under
/mnt, you would execute:&prompt.root; mount -t cd9660 /dev/cd0 /mntNote that your device name
(/dev/cd0 in this example) could be
different, depending on the interface your CDROM uses. Also,
the option just executes
&man.mount.cd9660.8;. The above example could be shortened
to:&prompt.root; mount_cd9660 /dev/cd0 /mntYou can generally use data CDROMs from any vendor in this
way. Disks with certain ISO 9660 extensions might behave
oddly, however. For example, Joliet disks store all filenames
in two-byte Unicode characters. The FreeBSD kernel does not
speak Unicode (yet!), so non-English characters show up as
question marks. (If you are running FreeBSD 4.3 or later, the
CD9660 driver includes hooks to load an appropriate Unicode
conversion table on the fly. Modules for some of the common
encodings are available via the
sysutils/cd9660_unicode port.)Occasionally, you might get Device not
configured when trying to mount a CDROM. This
usually means that the CDROM drive thinks that there is no
disk in the tray, or that the drive is not visible on the bus.
It can take a couple of seconds for a CDROM drive to realize
that it has been fed, so be patient.Sometimes, a SCSI CDROM may be missed because it did not
have enough time to answer the bus reset. If you have a SCSI
CDROM please add the following option to your kernel
configuration and rebuild your kernel.options SCSI_DELAY=15000This tells your SCSI bus to pause 15 seconds during boot,
to give your CDROM drive every possible chance to answer the
bus reset.Burning Raw Data CDsYou can choose to burn a file directly to CD, without
creating an ISO 9660 file system. Some people do this for
backup purposes. This runs more quickly than burning a
standard CD:&prompt.root; burncd -f /dev/acd1 -s 12 data archive.tar.gz fixateIn order to retrieve the data burned to such a CD, you
must read data from the raw device node:&prompt.root; tar xzvf /dev/acd1You cannot mount this disk as you would a normal CDROM.
Such a CDROM cannot be read under any operating system
except FreeBSD. If you want to be able to mount the CD, or
share data with another operating system, you must use
&man.mkisofs.8; as described above.MarcFonvieilleContributed by CD burnerATAPI/CAM driverUsing the ATAPI/CAM DriverThis driver allows ATAPI devices (CD-ROM, CD-RW, DVD
drives etc...) to be accessed through the SCSI subsystem, and
so allows the use of applications like sysutils/cdrdao or
&man.cdrecord.1;.To use this driver, you will need to add the following
lines to your kernel configuration file:device atapicam
device scbus
device cd
device passYou also need the following line in your kernel
configuration file:device atawhich should already be present.Then rebuild, install your new kernel, and reboot your
machine. During the boot process, your burner should show up,
like so:acd0: CD-RW <MATSHITA CD-RW/DVD-ROM UJDA740> at ata1-master PIO4
cd0 at ata1 bus 0 target 0 lun 0
cd0: <MATSHITA CDRW/DVD UJDA740 1.00> Removable CD-ROM SCSI-0 device
cd0: 16.000MB/s transfers
cd0: Attempt to query device size failed: NOT READY, Medium not present - tray closedThe drive could now be accessed via the
/dev/cd0 device name, for example to
mount a CD-ROM on /mnt, just type the
following:&prompt.root; mount -t cd9660 /dev/cd0 /mntAs root, you can run the following
command to get the SCSI address of the burner:&prompt.root; camcontrol devlist
<MATSHITA CDRW/DVD UJDA740 1.00> at scbus1 target 0 lun 0 (pass0,cd0)So 1,0,0 will be the SCSI address to
use with &man.cdrecord.1; and other SCSI application.For more information about ATAPI/CAM and SCSI system,
refer to the &man.atapicam.4; and &man.cam.4; manual
pages.MarcFonvieilleContributed by AndyPolyakovWith inputs from Creating and Using Optical Media (DVDs)DVDburningIntroductionCompared to the CD, the DVD is the next generation of
optical media storage technology. The DVD can hold more data
than any CD and is nowadays the standard for video
publishing.Five physical recordable formats can be defined for what
we will call a recordable DVD:DVD-R: This was the first DVD recordable format
available. The DVD-R standard is defined by the DVD Forum.
This format is write once.DVD-RW: This is the rewriteable version of
the DVD-R standard. A DVD-RW can be rewritten about 1000
times.DVD-RAM: This is also a rewriteable format
supported by the DVD Forum. A DVD-RAM can be seen as a
removable hard drive. However, this media is not
compatible with most DVD-ROM drives and DVD-Video players;
only a few DVD writers support the DVD-RAM format.DVD+RW: This is a rewriteable format defined by
the DVD+RW
Alliance. A DVD+RW can be rewritten about 1000
times.DVD+R: This format is the write once variation
of the DVD+RW format.A single layer recordable DVD can hold up to
4,700,000,000 bytes which is actually 4.38 GB or
4485 MB (1 kilobyte is 1024 bytes).A distinction must be made between the physical media and
the application. For example, a DVD-Video is a specific
file layout that can be written on any recordable DVD
physical media: DVD-R, DVD+R, DVD-RW etc. Before choosing
the type of media, you must be sure that both the burner and the
DVD-Video player (a standalone player or a DVD-ROM drive on
a computer) are compatible with the media under consideration.ConfigurationThe program &man.growisofs.1; will be used to perform DVD
recording. This command is part of the
dvd+rw-tools utilities (sysutils/dvd+rw-tools). The
dvd+rw-tools support all DVD media
types.These tools use the SCSI subsystem to access to the
devices, therefore the ATAPI/CAM
support must be added to your kernel. If your burner
uses the USB interface this addition is useless, and you should
read the for more details on USB
devices configuration.You also have to enable DMA access for ATAPI devices, this
can be done in adding the following line to the
/boot/loader.conf file:hw.ata.atapi_dma="1"Before attempting to use the
dvd+rw-tools you should consult the
dvd+rw-tools'
hardware compatibility notes for any information
related to your DVD burner.If you want a graphical user interface, you should have
a look to K3b (sysutils/k3b) which provides a
user friendly interface to &man.growisofs.1; and many others
burning tools.Burning Data DVDsThe &man.growisofs.1; command is a frontend to mkisofs, it will invoke
&man.mkisofs.8; to create the file system layout and will
perform the write on the DVD. This means you do not need to
create an image of the data before the burning process.To burn onto a DVD+R or a DVD-R the data from the /path/to/data directory, use the
+ class="directory">/path/to/data directory, use the
following command:&prompt.root; growisofs -dvd-compat -Z /dev/cd0 -J -R /path/to/dataThe options are passed to
&man.mkisofs.8; for the file system creation (in this case: an
ISO 9660 file system with Joliet and Rock Ridge extensions),
consult the &man.mkisofs.8; manual page for more
details.The option is used for the initial
session recording in any case: multiple sessions or not. The
DVD device, /dev/cd0, must be
changed according to your configuration. The
parameter will close the disk,
the recording will be unappendable. In return this should provide better
media compatibility with DVD-ROM drives.It is also possible to burn a pre-mastered image, for
example to burn the image
imagefile.iso, we will run:&prompt.root; growisofs -dvd-compat -Z /dev/cd0=imagefile.isoThe write speed should be detected and automatically set
according to the media and the drive being used. If you want
to force the write speed, use the
parameter. For more information, read the &man.growisofs.1;
manual page.DVDDVD-VideoBurning a DVD-VideoA DVD-Video is a specific file layout based on ISO 9660
and the micro-UDF (M-UDF) specifications. The DVD-Video also
presents a specific data structure hierarchy, it is the reason
why you need a particular program such as multimedia/dvdauthor to author the
DVD.If you already have an image of the DVD-Video file system,
just burn it in the same way as for any image, see the
previous section for an example. If you have made the DVD
authoring and the result is in, for example, the directory
- /path/to/video, the
+ /path/to/video, the
following command should be used to burn the DVD-Video:&prompt.root; growisofs -Z /dev/cd0 -dvd-video /path/to/videoThe option will be passed down to
&man.mkisofs.8; and will instruct it to create a DVD-Video file system
layout. Beside this, the option
implies &man.growisofs.1;
option.DVDDVD+RWUsing a DVD+RWUnlike CD-RW, a virgin DVD+RW needs to be formatted before
first use. The &man.growisofs.1; program will take care of it
automatically whenever appropriate, which is the
recommended way. However you can use the
dvd+rw-format command to format the
DVD+RW:&prompt.root; dvd+rw-format /dev/cd0You need to perform this operation just once, keep in mind
that only virgin DVD+RW medias need to be formatted. Then you
can burn the DVD+RW in the way seen in previous
sections.If you want to burn new data (burn a totally new file
system not append some data) onto a DVD+RW, you do not need to
blank it, you just have to write over the previous recording
(in performing a new initial session), like this:&prompt.root; growisofs -Z /dev/cd0 -J -R /path/to/newdataDVD+RW format offers the possibility to easily append data
to a previous recording. The operation consists in merging a
new session to the existing one, it is not multisession
writing, &man.growisofs.1; will grow the
ISO 9660 file system present on the media.For example, if we want to append data to our previous
DVD+RW, we have to use the following:&prompt.root; growisofs -M /dev/cd0 -J -R /path/to/nextdataThe same &man.mkisofs.8; options we used to burn the
initial session should be used during next writes.You may want to use the
option if you want better media compatibility with DVD-ROM
drives. In the DVD+RW case, this will not prevent you from
adding data.If for any reason you really want to blank the media, do
the following:&prompt.root; growisofs -Z /dev/cd0=/dev/zeroDVDDVD-RWUsing a DVD-RWA DVD-RW accepts two disc formats: the incremental
sequential one and the restricted overwrite. By default
DVD-RW discs are in sequential format.A virgin DVD-RW can be directly written without the need
of a formatting operation, however a non-virgin DVD-RW in
sequential format needs to be blanked before to be able to
write a new initial session.To blank a DVD-RW in sequential mode, run:&prompt.root; dvd+rw-format -blank=full /dev/cd0A full blanking () will take
about one hour on a 1x media. A fast blanking can be
performed using the option if the
DVD-RW will be recorded in Disk-At-Once (DAO) mode. To burn
the DVD-RW in DAO mode, use the command:&prompt.root; growisofs -use-the-force-luke=dao -Z /dev/cd0=imagefile.isoThe option
should not be required since &man.growisofs.1; attempts to
detect minimally (fast blanked) media and engage DAO
write.In fact one should use restricted overwrite mode with
any DVD-RW, this format is more flexible than the default
incremental sequential one.To write data on a sequential DVD-RW, use the same
instructions as for the other DVD formats:&prompt.root; growisofs -Z /dev/cd0 -J -R /path/to/dataIf you want to append some data to your previous
recording, you will have to use the &man.growisofs.1;
option. However, if you perform data
addition on a DVD-RW in incremental sequential mode, a new
session will be created on the disc and the result will be a
multi-session disc.A DVD-RW in restricted overwrite format does not need to
be blanked before a new initial session, you just have to
overwrite the disc with the option, this
is similar to the DVD+RW case. It is also possible to grow an
existing ISO 9660 file system written on the disc in a same
way as for a DVD+RW with the option. The
result will be a one-session DVD.To put a DVD-RW in the restricted overwrite format, the
following command must be used:&prompt.root; dvd+rw-format /dev/cd0To change back to the sequential format use:&prompt.root; dvd+rw-format -blank=full /dev/cd0MultisessionVery few DVD-ROM drives support
multisession DVDs, they will most of time, hopefully, only read
the first session. DVD+R, DVD-R and DVD-RW in sequential
format can accept multiple sessions, the notion of multiple
sessions does not exist for the DVD+RW and the DVD-RW
restricted overwrite formats.Using the following command after an initial (non-closed)
session on a DVD+R, DVD-R, or DVD-RW in sequential format,
will add a new session to the disc:&prompt.root; growisofs -M /dev/cd0 -J -R /path/to/nextdataUsing this command line with a DVD+RW or a DVD-RW in restricted
overwrite mode, will append data in merging the new session to
the existing one. The result will be a single-session disc.
This is the way used to add data after an initial write on these
medias.Some space on the media is used between each session for
end and start of sessions. Therefore, one should add
sessions with large amount of data to optimize media space.
The number of sessions is limited to 154 for a DVD+R,
about 2000 for a DVD-R, and 127 for a DVD+R Double
Layer.For More InformationTo obtain more information about a DVD, the
dvd+rw-mediainfo
/dev/cd0 command can be
ran with the disc in the drive.More information about the
dvd+rw-tools can be found in
the &man.growisofs.1; manual page, on the dvd+rw-tools
web site and in the cdwrite mailing
list archives.The dvd+rw-mediainfo output of the
resulting recording or the media with issues is mandatory
for any problem report. Without this output, it will be
quite impossible to help you.JulioMerinoOriginal work by MartinKarlssonRewritten by Creating and Using Floppy DisksStoring data on floppy disks is sometimes useful, for
example when one does not have any other removable storage media
or when one needs to transfer small amounts of data to another
computer.This section will explain how to use floppy disks in
FreeBSD. It will primarily cover formatting and usage of
3.5inch DOS floppies, but the concepts are similar for other
floppy disk formats.Formatting FloppiesThe DeviceFloppy disks are accessed through entries in
/dev, just like other devices. To
access the raw floppy disk in 4.X and earlier releases, one
uses
/dev/fdN,
where N stands for the drive
number, usually 0, or
/dev/fdNX,
where X stands for a
letter.In 5.0 or newer releases, simply use
/dev/fdN.The Disk Size in 4.X and Earlier ReleasesThere are also /dev/fdN.size
devices, where size is a floppy disk
size in kilobytes. These entries are used at low-level format
time to determine the disk size. 1440kB is the size that will be
used in the following examples.Sometimes the entries under /dev will
have to be (re)created. To do that, issue:&prompt.root; cd /dev && ./MAKEDEV "fd*"The Disk Size in 5.0 and Newer ReleasesIn 5.0, &man.devfs.5; will automatically
manage device nodes in /dev, so use of
MAKEDEV is not necessary.The desired disk size is passed to &man.fdformat.1; through
the flag. Supported sizes are listed in
&man.fdcontrol.8;, but be advised that 1440kB is what works best.FormattingA floppy disk needs to be low-level formated before it
can be used. This is usually done by the vendor, but
formatting is a good way to check media integrity. Although
it is possible to force larger (or smaller) disk sizes,
1440kB is what most floppy disks are designed for.To low-level format the floppy disk you need to use
&man.fdformat.1;. This utility expects the device name as an
argument.Make note of any error messages, as these can help
determine if the disk is good or bad.Formatting in 4.X and Earlier ReleasesUse the
/dev/fdN.size
devices to format the floppy. Insert a new 3.5inch floppy
disk in your drive and issue:&prompt.root; /usr/sbin/fdformat /dev/fd0.1440Formatting in 5.0 and Newer ReleasesUse the
/dev/fdN
devices to format the floppy. Insert a new 3.5inch floppy
disk in your drive and issue:&prompt.root; /usr/sbin/fdformat -f 1440 /dev/fd0The Disk LabelAfter low-level formatting the disk, you will need to
place a disk label on it. This disk label will be destroyed
later, but it is needed by the system to determine the size of
the disk and its geometry later.The new disk label will take over the whole disk, and will
contain all the proper information about the geometry of the
floppy. The geometry values for the disk label are listed in
/etc/disktab.You can run now &man.disklabel.8; like so:&prompt.root; /sbin/disklabel -B -r -w /dev/fd0 fd1440Since &os; 5.1-RELEASE, the &man.bsdlabel.8;
utility replaces the old &man.disklabel.8; program. With
&man.bsdlabel.8; a number of obsolete options and parameters
have been retired; in the example above the option
should be removed. For more
information, please refer to the &man.bsdlabel.8;
manual page.The File SystemNow the floppy is ready to be high-level formated. This
will place a new file system on it, which will let FreeBSD read
and write to the disk. After creating the new file system, the
disk label is destroyed, so if you want to reformat the disk, you
will have to recreate the disk label.The floppy's file system can be either UFS or FAT.
FAT is generally a better choice for floppies.To put a new file system on the floppy, issue:&prompt.root; /sbin/newfs_msdos /dev/fd0The disk is now ready for use.Using the FloppyTo use the floppy, mount it with &man.mount.msdos.8; (in
4.X and earlier releases) or &man.mount.msdosfs.8; (in 5.0 or
newer releases). One can also use
emulators/mtools from the ports
collection.Creating and Using Data Tapestape mediaThe major tape media are the 4mm, 8mm, QIC, mini-cartridge and
DLT.4mm (DDS: Digital Data Storage)tape mediaDDS (4mm) tapestape mediaQIC tapes4mm tapes are replacing QIC as the workstation backup media of
choice. This trend accelerated greatly when Conner purchased Archive,
a leading manufacturer of QIC drives, and then stopped production of
QIC drives. 4mm drives are small and quiet but do not have the
reputation for reliability that is enjoyed by 8mm drives. The
cartridges are less expensive and smaller (3 x 2 x 0.5 inches, 76 x 51
x 12 mm) than 8mm cartridges. 4mm, like 8mm, has comparatively short
head life for the same reason, both use helical scan.Data throughput on these drives starts ~150 kB/s, peaking at ~500 kB/s.
Data capacity starts at 1.3 GB and ends at 2.0 GB. Hardware
compression, available with most of these drives, approximately
doubles the capacity. Multi-drive tape library units can have 6
drives in a single cabinet with automatic tape changing. Library
capacities reach 240 GB.The DDS-3 standard now supports tape capacities up to 12 GB (or
24 GB compressed).4mm drives, like 8mm drives, use helical-scan. All the benefits
and drawbacks of helical-scan apply to both 4mm and 8mm drives.Tapes should be retired from use after 2,000 passes or 100 full
backups.8mm (Exabyte)tape mediaExabyte (8mm) tapes8mm tapes are the most common SCSI tape drives; they are the best
choice of exchanging tapes. Nearly every site has an Exabyte 2 GB 8mm
tape drive. 8mm drives are reliable, convenient and quiet. Cartridges
are inexpensive and small (4.8 x 3.3 x 0.6 inches; 122 x 84 x 15 mm).
One downside of 8mm tape is relatively short head and tape life due to
the high rate of relative motion of the tape across the heads.Data throughput ranges from ~250 kB/s to ~500 kB/s. Data sizes start
at 300 MB and go up to 7 GB. Hardware compression, available with
most of these drives, approximately doubles the capacity. These
drives are available as single units or multi-drive tape libraries
with 6 drives and 120 tapes in a single cabinet. Tapes are changed
automatically by the unit. Library capacities reach 840+ GB.The Exabyte Mammoth model supports 12 GB on one tape
(24 GB with compression) and costs approximately twice as much as
conventional tape drives.Data is recorded onto the tape using helical-scan, the heads are
positioned at an angle to the media (approximately 6 degrees). The
tape wraps around 270 degrees of the spool that holds the heads. The
spool spins while the tape slides over the spool. The result is a
high density of data and closely packed tracks that angle across the
tape from one edge to the other.QICtape mediaQIC-150QIC-150 tapes and drives are, perhaps, the most common tape drive
and media around. QIC tape drives are the least expensive serious
backup drives. The downside is the cost of media. QIC tapes are
expensive compared to 8mm or 4mm tapes, up to 5 times the price per GB
data storage. But, if your needs can be satisfied with a half-dozen
tapes, QIC may be the correct choice. QIC is the
most common tape drive. Every site has a QIC
drive of some density or another. Therein lies the rub, QIC has a
large number of densities on physically similar (sometimes identical)
tapes. QIC drives are not quiet. These drives audibly seek before
they begin to record data and are clearly audible whenever reading,
writing or seeking. QIC tapes measure (6 x 4 x 0.7 inches; 15.2 x
10.2 x 1.7 mm).Data throughput ranges from ~150 kB/s to ~500 kB/s. Data capacity
ranges from 40 MB to 15 GB. Hardware compression is available on many
of the newer QIC drives. QIC drives are less frequently installed;
they are being supplanted by DAT drives.Data is recorded onto the tape in tracks. The tracks run along
the long axis of the tape media from one end to the other. The number
of tracks, and therefore the width of a track, varies with the tape's
capacity. Most if not all newer drives provide backward-compatibility
at least for reading (but often also for writing). QIC has a good
reputation regarding the safety of the data (the mechanics are simpler
and more robust than for helical scan drives).Tapes should be retired from use after 5,000 backups.DLTtape mediaDLTDLT has the fastest data transfer rate of all the drive types
listed here. The 1/2" (12.5mm) tape is contained in a single spool
cartridge (4 x 4 x 1 inches; 100 x 100 x 25 mm). The cartridge has a
swinging gate along one entire side of the cartridge. The drive
mechanism opens this gate to extract the tape leader. The tape leader
has an oval hole in it which the drive uses to hook the tape. The
take-up spool is located inside the tape drive. All the other tape
cartridges listed here (9 track tapes are the only exception) have
both the supply and take-up spools located inside the tape cartridge
itself.Data throughput is approximately 1.5 MB/s, three times the throughput of
4mm, 8mm, or QIC tape drives. Data capacities range from 10 GB to 20 GB
for a single drive. Drives are available in both multi-tape changers
and multi-tape, multi-drive tape libraries containing from 5 to 900
tapes over 1 to 20 drives, providing from 50 GB to 9 TB of
storage.With compression, DLT Type IV format supports up to 70 GB
capacity.Data is recorded onto the tape in tracks parallel to the direction
of travel (just like QIC tapes). Two tracks are written at once.
Read/write head lifetimes are relatively long; once the tape stops
moving, there is no relative motion between the heads and the
tape.AITtape mediaAITAIT is a new format from Sony, and can hold up to 50 GB (with
compression) per tape. The tapes contain memory chips which retain an
index of the tape's contents. This index can be rapidly read by the
tape drive to determine the position of files on the tape, instead of
the several minutes that would be required for other tapes. Software
such as SAMS:Alexandria can operate forty or more AIT tape libraries,
communicating directly with the tape's memory chip to display the
contents on screen, determine what files were backed up to which
tape, locate the correct tape, load it, and restore the data from the
tape.Libraries like this cost in the region of $20,000, pricing them a
little out of the hobbyist market.Using a New Tape for the First TimeThe first time that you try to read or write a new, completely
blank tape, the operation will fail. The console messages should be
similar to:sa0(ncr1:4:0): NOT READY asc:4,1
sa0(ncr1:4:0): Logical unit is in process of becoming readyThe tape does not contain an Identifier Block (block number 0).
All QIC tape drives since the adoption of QIC-525 standard write an
Identifier Block to the tape. There are two solutions:mt fsf 1 causes the tape drive to write an
Identifier Block to the tape.Use the front panel button to eject the tape.Re-insert the tape and dump data to
the tape.dump will report DUMP: End of tape
detected and the console will show: HARDWARE
FAILURE info:280 asc:80,96.rewind the tape using: mt rewind.Subsequent tape operations are successful.Backups to FloppiesCan I Use Floppies for Backing Up My Data?backup floppiesfloppy disksFloppy disks are not really a suitable media for
making backups as:The media is unreliable, especially over long periods of
time.Backing up and restoring is very slow.They have a very limited capacity (the days of backing up
an entire hard disk onto a dozen or so floppies has long since
passed).However, if you have no other method of backing up your data then
floppy disks are better than no backup at all.If you do have to use floppy disks then ensure that you use good
quality ones. Floppies that have been lying around the office for a
couple of years are a bad choice. Ideally use new ones from a
reputable manufacturer.So How Do I Backup My Data to Floppies?The best way to backup to floppy disk is to use
&man.tar.1; with the (multi
volume) option, which allows backups to span multiple
floppies.To backup all the files in the current directory and sub-directory
use this (as root):&prompt.root; tar Mcvf /dev/fd0 *When the first floppy is full &man.tar.1; will prompt you to
insert the next volume (because &man.tar.1; is media independent it
refers to volumes; in this context it means floppy disk).Prepare volume #2 for /dev/fd0 and hit return:This is repeated (with the volume number incrementing) until all
the specified files have been archived.Can I Compress My Backups?targzipcompressionUnfortunately, &man.tar.1; will not allow the
option to be used for multi-volume archives.
You could, of course, &man.gzip.1; all the files,
&man.tar.1; them to the floppies, then
&man.gunzip.1; the files again!How Do I Restore My Backups?To restore the entire archive use:&prompt.root; tar Mxvf /dev/fd0There are two ways that you can use to restore only
specific files. First, you can start with the first floppy
and use:&prompt.root; tar Mxvf /dev/fd0 filenameThe utility &man.tar.1; will prompt you to insert subsequent floppies until it
finds the required file.Alternatively, if you know which floppy the file is on then you
can simply insert that floppy and use the same command as above. Note
that if the first file on the floppy is a continuation from the
previous one then &man.tar.1; will warn you that it cannot
restore it, even if you have not asked it to!Backup BasicsThe three major backup programs are
&man.dump.8;,
&man.tar.1;,
and
&man.cpio.1;.Dump and Restorebackup softwaredump / restoredumprestoreThe traditional &unix; backup programs are
dump and restore. They
operate on the drive as a collection of disk blocks, below the
abstractions of files, links and directories that are created by
the file systems. dump backs up an entire
file system on a device. It is unable to backup only part of a
file system or a directory tree that spans more than one
file system. dump does not write files and
directories to tape, but rather writes the raw data blocks that
comprise files and directories.If you use dump on your root directory, you
would not back up /home,
/usr or many other directories since
these are typically mount points for other file systems or
symbolic links into those file systems.dump has quirks that remain from its early days in
Version 6 of AT&T UNIX (circa 1975). The default
parameters are suitable for 9-track tapes (6250 bpi), not the
high-density media available today (up to 62,182 ftpi). These
defaults must be overridden on the command line to utilize the
capacity of current tape drives..rhostsIt is also possible to backup data across the network to a
tape drive attached to another computer with rdump and
rrestore. Both programs rely upon rcmd and
ruserok to access the remote tape drive. Therefore,
the user performing the backup must be listed in the
.rhosts file on the remote computer. The
arguments to rdump and rrestore must be suitable
to use on the remote computer. When
rdumping from a FreeBSD computer to an
Exabyte tape drive connected to a Sun called
komodo, use:&prompt.root; /sbin/rdump 0dsbfu 54000 13000 126 komodo:/dev/nsa8 /dev/da0a 2>&1Beware: there are security implications to
allowing .rhosts authentication. Evaluate your
situation carefully.It is also possible to use dump and
restore in a more secure fashion over
ssh.Using dump over ssh&prompt.root; /sbin/dump -0uan -f - /usr | gzip -2 | ssh -c blowfish \
targetuser@targetmachine.example.com dd of=/mybigfiles/dump-usr-l0.gzOr using dump's built-in method,
setting the environment variable RSH:Using dump over ssh with RSH set&prompt.root; RSH=/usr/bin/ssh /sbin/dump -0uan -f targetuser@targetmachine.example.com:/dev/sa0tarbackup softwaretar&man.tar.1; also dates back to Version 6 of AT&T UNIX
(circa 1975). tar operates in cooperation
with the file system; tar writes files and
directories to tape. tar does not support the
full range of options that are available from &man.cpio.1;, but
tar does not require the unusual command
pipeline that cpio uses.tarMost versions of tar do not support
backups across the network. The GNU version of
tar, which FreeBSD utilizes, supports remote
devices using the same syntax as rdump. To
tar to an Exabyte tape drive connected to a
Sun called komodo, use:&prompt.root; /usr/bin/tar cf komodo:/dev/nsa8 . 2>&1For versions without
remote device support, you can use a pipeline and
rsh to send the data to a remote tape
drive.&prompt.root; tar cf - . | rsh hostname dd of=tape-device obs=20bIf you are worried about the security of backing up over a
network you should use the ssh command
instead of rsh.cpiobackup softwarecpio&man.cpio.1; is the original &unix; file interchange tape
program for magnetic media. cpio has options
(among many others) to perform byte-swapping, write a number of
different archive formats, and pipe the data to other programs.
This last feature makes cpio an excellent
choice for installation media. cpio does not
know how to walk the directory tree and a list of files must be
provided through stdin.cpiocpio does not support backups across
the network. You can use a pipeline and rsh
to send the data to a remote tape drive.&prompt.root; for f in directory_list; dofind $f >> backup.listdone
&prompt.root; cpio -v -o --format=newc < backup.list | ssh user@host "cat > backup_device"Where directory_list is the list of
directories you want to back up,
user@host is the
user/hostname combination that will be performing the backups, and
backup_device is where the backups should
be written to (e.g., /dev/nsa0).paxbackup softwarepaxpaxPOSIXIEEE&man.pax.1; is IEEE/&posix;'s answer to
tar and cpio. Over the
years the various versions of tar and
cpio have gotten slightly incompatible. So
rather than fight it out to fully standardize them, &posix;
created a new archive utility. pax attempts
to read and write many of the various cpio
and tar formats, plus new formats of its own.
Its command set more resembles cpio than
tar.Amandabackup softwareAmandaAmandaAmanda (Advanced Maryland
Network Disk Archiver) is a client/server backup system,
rather than a single program. An Amanda server will backup to
a single tape drive any number of computers that have Amanda
clients and a network connection to the Amanda server. A
common problem at sites with a number of large disks is
that the length of time required to backup to data directly to tape
exceeds the amount of time available for the task. Amanda
solves this problem. Amanda can use a holding disk to
backup several file systems at the same time. Amanda creates
archive sets: a group of tapes used over a period of time to
create full backups of all the file systems listed in Amanda's
configuration file. The archive set also contains nightly
incremental (or differential) backups of all the file systems.
Restoring a damaged file system requires the most recent full
backup and the incremental backups.The configuration file provides fine control of backups and the
network traffic that Amanda generates. Amanda will use any of the
above backup programs to write the data to tape. Amanda is available
as either a port or a package, it is not installed by default.Do NothingDo nothing is not a computer program, but it is the
most widely used backup strategy. There are no initial costs. There
is no backup schedule to follow. Just say no. If something happens
to your data, grin and bear it!If your time and your data is worth little to nothing, then
Do nothing is the most suitable backup program for your
computer. But beware, &unix; is a useful tool, you may find that within
six months you have a collection of files that are valuable to
you.Do nothing is the correct backup method for
/usr/obj and other directory trees that can be
exactly recreated by your computer. An example is the files that
comprise the HTML or &postscript; version of this Handbook.
These document formats have been created from SGML input
files. Creating backups of the HTML or &postscript; files is
not necessary. The SGML files are backed up regularly.Which Backup Program Is Best?LISA&man.dump.8; Period. Elizabeth D. Zwicky
torture tested all the backup programs discussed here. The clear
choice for preserving all your data and all the peculiarities of &unix;
file systems is dump. Elizabeth created file systems containing
a large variety of unusual conditions (and some not so unusual ones)
and tested each program by doing a backup and restore of those
file systems. The peculiarities included: files with holes, files with
holes and a block of nulls, files with funny characters in their
names, unreadable and unwritable files, devices, files that change
size during the backup, files that are created/deleted during the
backup and more. She presented the results at LISA V in Oct. 1991.
See torture-testing
Backup and Archive Programs.Emergency Restore ProcedureBefore the DisasterThere are only four steps that you need to perform in
preparation for any disaster that may occur.disklabelFirst, print the disklabel from each of your disks
(e.g. disklabel da0 | lpr), your file system table
(/etc/fstab) and all boot messages,
two copies of
each.fix-it floppiesSecond, determine that the boot and fix-it floppies
(boot.flp and fixit.flp)
have all your devices. The easiest way to check is to reboot your
machine with the boot floppy in the floppy drive and check the boot
messages. If all your devices are listed and functional, skip on to
step three.Otherwise, you have to create two custom bootable
floppies which have a kernel that can mount all of your disks
and access your tape drive. These floppies must contain:
fdisk, disklabel,
newfs, mount, and
whichever backup program you use. These programs must be
statically linked. If you use dump, the
floppy must contain restore.Third, create backup tapes regularly. Any changes that you make
after your last backup may be irretrievably lost. Write-protect the
backup tapes.Fourth, test the floppies (either boot.flp
and fixit.flp or the two custom bootable
floppies you made in step two.) and backup tapes. Make notes of the
procedure. Store these notes with the bootable floppy, the
printouts and the backup tapes. You will be so distraught when
restoring that the notes may prevent you from destroying your backup
tapes (How? In place of tar xvf /dev/sa0, you
might accidentally type tar cvf /dev/sa0 and
over-write your backup tape).For an added measure of security, make bootable floppies and two
backup tapes each time. Store one of each at a remote location. A
remote location is NOT the basement of the same office building. A
number of firms in the World Trade Center learned this lesson the
hard way. A remote location should be physically separated from
your computers and disk drives by a significant distance.A Script for Creating a Bootable Floppy /mnt/sbin/init
gzip -c -best /sbin/fsck > /mnt/sbin/fsck
gzip -c -best /sbin/mount > /mnt/sbin/mount
gzip -c -best /sbin/halt > /mnt/sbin/halt
gzip -c -best /sbin/restore > /mnt/sbin/restore
gzip -c -best /bin/sh > /mnt/bin/sh
gzip -c -best /bin/sync > /mnt/bin/sync
cp /root/.profile /mnt/root
cp -f /dev/MAKEDEV /mnt/dev
chmod 755 /mnt/dev/MAKEDEV
chmod 500 /mnt/sbin/init
chmod 555 /mnt/sbin/fsck /mnt/sbin/mount /mnt/sbin/halt
chmod 555 /mnt/bin/sh /mnt/bin/sync
chmod 6555 /mnt/sbin/restore
#
# create the devices nodes
#
cd /mnt/dev
./MAKEDEV std
./MAKEDEV da0
./MAKEDEV da1
./MAKEDEV da2
./MAKEDEV sa0
./MAKEDEV pty0
cd /
#
# create minimum file system table
#
cat > /mnt/etc/fstab < /mnt/etc/passwd < /mnt/etc/master.passwd <After the DisasterThe key question is: did your hardware survive? You have been
doing regular backups so there is no need to worry about the
software.If the hardware has been damaged, the parts should be replaced
before attempting to use the computer.If your hardware is okay, check your floppies. If you are using
a custom boot floppy, boot single-user (type -s
at the boot: prompt). Skip the following
paragraph.If you are using the boot.flp and
fixit.flp floppies, keep reading. Insert the
boot.flp floppy in the first floppy drive and
boot the computer. The original install menu will be displayed on
the screen. Select the Fixit--Repair mode with CDROM or
floppy. option. Insert the
fixit.flp when prompted.
restore and the other programs that you need are
located in /mnt2/stand.Recover each file system separately.mountroot partitiondisklabelnewfsTry to mount (e.g. mount /dev/da0a
/mnt) the root partition of your first disk. If the
disklabel was damaged, use disklabel to re-partition and
label the disk to match the label that you printed and saved. Use
newfs to re-create the file systems. Re-mount the root
partition of the floppy read-write (mount -u -o rw
/mnt). Use your backup program and backup tapes to
recover the data for this file system (e.g. restore vrf
/dev/sa0). Unmount the file system (e.g. umount
/mnt). Repeat for each file system that was
damaged.Once your system is running, backup your data onto new tapes.
Whatever caused the crash or data loss may strike again. Another
hour spent now may save you from further distress later.* I Did Not Prepare for the Disaster, What Now?
]]>
MarcFonvieilleReorganized and enhanced by Network, Memory, and File-Backed File Systemsvirtual disksdisksvirtualAside from the disks you physically insert into your computer:
floppies, CDs, hard drives, and so forth; other forms of disks
are understood by FreeBSD - the virtual
disks.NFSCodadisksmemoryThese include network file systems such as the Network File System and Coda, memory-based
file systems and
file-backed file systems.According to the FreeBSD version you run, you will have to use
different tools for creation and use of file-backed and
memory-based file systems.The FreeBSD 4.X users will have to use &man.MAKEDEV.8;
to create the required devices. FreeBSD 5.0 and later use
&man.devfs.5; to allocate device nodes transparently for the
user.File-Backed File System under FreeBSD 4.Xdisksfile-backed (4.X)The utility &man.vnconfig.8; configures and enables vnode pseudo-disk
devices. A vnode is a representation
of a file, and is the focus of file activity. This means that
&man.vnconfig.8; uses files to create and operate a
file system. One possible use is the mounting of floppy or CD
images kept in files.To use &man.vnconfig.8;, you need &man.vn.4; support in your
kernel configuration file:pseudo-device vnTo mount an existing file system image:Using vnconfig to Mount an Existing File System
Image under FreeBSD 4.X&prompt.root; vnconfig vn0diskimage
&prompt.root; mount /dev/vn0c /mntTo create a new file system image with &man.vnconfig.8;:Creating a New File-Backed Disk with vnconfig&prompt.root; dd if=/dev/zero of=newimage bs=1k count=5k
5120+0 records in
5120+0 records out
&prompt.root; vnconfig -s labels -c vn0newimage
&prompt.root; disklabel -r -w vn0 auto
&prompt.root; newfs vn0c
Warning: 2048 sector(s) in last cylinder unallocated
/dev/vn0c: 10240 sectors in 3 cylinders of 1 tracks, 4096 sectors
5.0MB in 1 cyl groups (16 c/g, 32.00MB/g, 1280 i/g)
super-block backups (for fsck -b #) at:
32
&prompt.root; mount /dev/vn0c /mnt
&prompt.root; df /mnt
Filesystem 1K-blocks Used Avail Capacity Mounted on
/dev/vn0c 4927 1 4532 0% /mntFile-Backed File System under FreeBSD 5.Xdisksfile-backed (5.X)The utility &man.mdconfig.8; is used to configure and enable
memory disks, &man.md.4;, under FreeBSD 5.X. To use
&man.mdconfig.8;, you have to load &man.md.4; module or to add
the support in your kernel configuration file:device mdThe &man.mdconfig.8; command supports three kinds of
memory backed virtual disks: memory disks allocated with
&man.malloc.9;, memory disks using a file or swap space as
backing. One possible use is the mounting of floppy
or CD images kept in files.To mount an existing file system image:Using mdconfig to Mount an Existing File System
Image under FreeBSD 5.X&prompt.root; mdconfig -a -t vnode -f diskimage -u 0
&prompt.root; mount /dev/md0/mntTo create a new file system image with &man.mdconfig.8;:Creating a New File-Backed Disk with mdconfig&prompt.root; dd if=/dev/zero of=newimage bs=1k count=5k
5120+0 records in
5120+0 records out
&prompt.root; mdconfig -a -t vnode -f newimage -u 0
&prompt.root; disklabel -r -w md0 auto
&prompt.root; newfs md0c
/dev/md0c: 5.0MB (10240 sectors) block size 16384, fragment size 2048
using 4 cylinder groups of 1.27MB, 81 blks, 256 inodes.
super-block backups (for fsck -b #) at:
32, 2624, 5216, 7808
&prompt.root; mount /dev/md0c /mnt
&prompt.root; df /mnt
Filesystem 1K-blocks Used Avail Capacity Mounted on
/dev/md0c 4846 2 4458 0% /mntIf you do not specify the unit number with the
option, &man.mdconfig.8; will use the
&man.md.4; automatic allocation to select an unused device.
The name of the allocated unit will be output on stdout like
md4. For more details about
&man.mdconfig.8;, please refer to the manual page.Since &os; 5.1-RELEASE, the &man.bsdlabel.8;
utility replaces the old &man.disklabel.8; program. With
&man.bsdlabel.8; a number of obsolete options and parameters
have been retired; in the example above the option
should be removed. For more
information, please refer to the &man.bsdlabel.8;
manual page.The utility &man.mdconfig.8; is very useful, however it
asks many command lines to create a file-backed file system.
FreeBSD 5.0 also comes with a tool called &man.mdmfs.8;,
this program configures a &man.md.4; disk using
&man.mdconfig.8;, puts a UFS file system on it using
&man.newfs.8;, and mounts it using &man.mount.8;. For example,
if you want to create and mount the same file system image as
above, simply type the following:Configure and Mount a File-Backed Disk with mdmfs&prompt.root; dd if=/dev/zero of=newimage bs=1k count=5k
5120+0 records in
5120+0 records out
&prompt.root; mdmfs -F newimage -s 5m md0/mnt
&prompt.root; df /mnt
Filesystem 1K-blocks Used Avail Capacity Mounted on
/dev/md0 4846 2 4458 0% /mntIf you use the option without unit
number, &man.mdmfs.8; will use &man.md.4; auto-unit feature to
automatically select an unused device. For more details
about &man.mdmfs.8;, please refer to the manual page.Memory-Based File System under FreeBSD 4.Xdisksmemory file system (4.X)The &man.md.4; driver is a simple, efficient means to create memory
file systems under FreeBSD 4.X. &man.malloc.9; is used
to allocate the memory.Simply take a file system you have prepared with, for
example, &man.vnconfig.8;, and:md Memory Disk under FreeBSD 4.X&prompt.root; dd if=newimage of=/dev/md0
5120+0 records in
5120+0 records out
&prompt.root; mount /dev/md0c/mnt
&prompt.root; df /mnt
Filesystem 1K-blocks Used Avail Capacity Mounted on
/dev/md0c 4927 1 4532 0% /mntFor more details, please refer to &man.md.4; manual
page.Memory-Based File System under FreeBSD 5.Xdisksmemory file system (5.X)The same tools are used for memory-based and file-backed
file systems: &man.mdconfig.8; or &man.mdmfs.8;. The storage
for memory-based file system is allocated with
&man.malloc.9;.Creating a New Memory-Based Disk with
mdconfig&prompt.root; mdconfig -a -t malloc -s 5m -u 1
&prompt.root; newfs -U md1
/dev/md1: 5.0MB (10240 sectors) block size 16384, fragment size 2048
using 4 cylinder groups of 1.27MB, 81 blks, 256 inodes.
with soft updates
super-block backups (for fsck -b #) at:
32, 2624, 5216, 7808
&prompt.root; mount /dev/md1/mnt
&prompt.root; df /mnt
Filesystem 1K-blocks Used Avail Capacity Mounted on
/dev/md1 4846 2 4458 0% /mntCreating a New Memory-Based Disk with
mdmfs&prompt.root; mdmfs -M -s 5m md2/mnt
&prompt.root; df /mnt
Filesystem 1K-blocks Used Avail Capacity Mounted on
/dev/md2 4846 2 4458 0% /mntInstead of using a &man.malloc.9; backed file system, it is
possible to use swap, for that just replace
with in the
command line of &man.mdconfig.8;. The &man.mdmfs.8; utility
by default (without ) creates a swap-based
disk. For more details, please refer to &man.mdconfig.8;
and &man.mdmfs.8; manual pages.Detaching a Memory Disk from the Systemdisksdetaching a memory diskWhen a memory-based or file-based file system
is not used, you should release all resources to the system.
The first thing to do is to unmount the file system, then use
&man.mdconfig.8; to detach the disk from the system and release
the resources.For example to detach and free all resources used by
/dev/md4:&prompt.root; mdconfig -d -u 4It is possible to list information about configured
&man.md.4; devices in using the command mdconfig
-l.For FreeBSD 4.X, &man.vnconfig.8; is used to detach
the device. For example to detach and free all resources
used by /dev/vn4:&prompt.root; vnconfig -u vn4TomRhodesContributed by File System Snapshotsfile systemssnapshotsFreeBSD 5.0 offers a new feature in conjunction with
Soft Updates: File system snapshots.Snapshots allow a user to create images of specified file
systems, and treat them as a file.
Snapshot files must be created in the file system that the
action is performed on, and a user may create no more than 20
snapshots per file system. Active snapshots are recorded
in the superblock so they are persistent across unmount and
remount operations along with system reboots. When a snapshot
is no longer required, it can be removed with the standard &man.rm.1;
command. Snapshots may be removed in any order,
however all the used space may not be acquired because another snapshot will
possibly claim some of the released blocks.During initial creation, the flag (see the &man.chflags.1; manual page)
is set to ensure that even root cannot write to the snapshot.
The &man.unlink.1; command makes an exception for snapshot files
since it allows them to be removed
with the flag set, so it is not necessary to
clear the flag before removing a snapshot file.Snapshots are created with the &man.mount.8; command. To place
a snapshot of /var in the file
/var/snapshot/snap use the following
command:&prompt.root; mount -u -o snapshot /var/snapshot/snap /varAlternatively, you can use &man.mksnap.ffs.8; to create
a snapshot:&prompt.root; mksnap_ffs /var /var/snapshot/snapOnce a snapshot has been created, it has several
uses:Some administrators will use a snapshot file for backup purposes,
because the snapshot can be transfered to CDs or tape.File integrity, &man.fsck.8; may be ran on the snapshot.
Assuming that the file system was clean when it was mounted, you
should always get a clean (and unchanging) result.
This is essentially what the
background &man.fsck.8; process does.Run the &man.dump.8; utility on the snapshot.
A dump will be returned that is consistent with the
file system and the timestamp of the snapshot. &man.dump.8;
can also take a snapshot, create a dump image and then
remove the snapshot in one command using the
flag.&man.mount.8; the snapshot as a frozen image of the file system.
To &man.mount.8; the snapshot
/var/snapshot/snap run:&prompt.root; mdconfig -a -t vnode -f /var/snapshot/snap -u 4
&prompt.root; mount -r /dev/md4 /mntYou can now walk the hierarchy of your frozen /var
file system mounted at /mnt. Everything will
be in the same state it was during the snapshot creation time.
The only exception is that any earlier snapshots will appear
as zero length files. When the use of a snapshot has delimited,
it can be unmounted with:&prompt.root; umount /mnt
&prompt.root; mdconfig -d -u 4For more information about and
file system snapshots, including technical papers, you can visit
Marshall Kirk McKusick's website at
.File System Quotasaccountingdisk spacedisk quotasQuotas are an optional feature of the operating system that
allow you to limit the amount of disk space and/or the number of
files a user or members of a group may allocate on a per-file
system basis. This is used most often on timesharing systems where
it is desirable to limit the amount of resources any one user or
group of users may allocate. This will prevent one user or group
of users from consuming all of the available disk space.Configuring Your System to Enable Disk QuotasBefore attempting to use disk quotas, it is necessary to make
sure that quotas are configured in your kernel. This is done by
adding the following line to your kernel configuration
file:options QUOTAThe stock GENERIC kernel does not have
this enabled by default, so you will have to configure, build and
install a custom kernel in order to use disk quotas. Please refer
to for more information on kernel
configuration.Next you will need to enable disk quotas in
/etc/rc.conf. This is done by adding the
line:enable_quotas="YES"disk quotascheckingFor finer control over your quota startup, there is an
additional configuration variable available. Normally on bootup,
the quota integrity of each file system is checked by the
&man.quotacheck.8; program. The
&man.quotacheck.8; facility insures that the data in
the quota database properly reflects the data on the file system.
This is a very time consuming process that will significantly
affect the time your system takes to boot. If you would like to
skip this step, a variable in /etc/rc.conf
is made available for the purpose:check_quotas="NO"If you are running FreeBSD prior to 3.2-RELEASE, the
configuration is simpler, and consists of only one variable. Set
the following in your /etc/rc.conf:check_quotas="YES"Finally you will need to edit /etc/fstab
to enable disk quotas on a per-file system basis. This is where
you can either enable user or group quotas or both for all of your
file systems.To enable per-user quotas on a file system, add the
option to the options field in the
/etc/fstab entry for the file system you want
to enable quotas on. For example:/dev/da1s2g /home ufs rw,userquota 1 2Similarly, to enable group quotas, use the
option instead of
. To enable both user and
group quotas, change the entry as follows:/dev/da1s2g /home ufs rw,userquota,groupquota 1 2By default, the quota files are stored in the root directory of
the file system with the names quota.user and
quota.group for user and group quotas
respectively. See &man.fstab.5; for more
information. Even though the &man.fstab.5; manual page says that
you can specify
an alternate location for the quota files, this is not recommended
because the various quota utilities do not seem to handle this
properly.At this point you should reboot your system with your new
kernel. /etc/rc will automatically run the
appropriate commands to create the initial quota files for all of
the quotas you enabled in /etc/fstab, so
there is no need to manually create any zero length quota
files.In the normal course of operations you should not be required
to run the &man.quotacheck.8;,
&man.quotaon.8;, or &man.quotaoff.8;
commands manually. However, you may want to read their manual pages
just to be familiar with their operation.Setting Quota Limitsdisk quotaslimitsOnce you have configured your system to enable quotas, verify
that they really are enabled. An easy way to do this is to
run:&prompt.root; quota -vYou should see a one line summary of disk usage and current
quota limits for each file system that quotas are enabled
on.You are now ready to start assigning quota limits with the
&man.edquota.8; command.You have several options on how to enforce limits on the
amount of disk space a user or group may allocate, and how many
files they may create. You may limit allocations based on disk
space (block quotas) or number of files (inode quotas) or a
combination of both. Each of these limits are further broken down
into two categories: hard and soft limits.hard limitA hard limit may not be exceeded. Once a user reaches his
hard limit he may not make any further allocations on the file
system in question. For example, if the user has a hard limit of
500 blocks on a file system and is currently using 490 blocks, the
user can only allocate an additional 10 blocks. Attempting to
allocate an additional 11 blocks will fail.soft limitSoft limits, on the other hand, can be exceeded for a limited
amount of time. This period of time is known as the grace period,
which is one week by default. If a user stays over his or her
soft limit longer than the grace period, the soft limit will
turn into a hard limit and no further allocations will be allowed.
When the user drops back below the soft limit, the grace period
will be reset.The following is an example of what you might see when you run
the &man.edquota.8; command. When the
&man.edquota.8; command is invoked, you are placed into
the editor specified by the EDITOR environment
variable, or in the vi editor if the
EDITOR variable is not set, to allow you to edit
the quota limits.&prompt.root; edquota -u testQuotas for user test:
/usr: blocks in use: 65, limits (soft = 50, hard = 75)
inodes in use: 7, limits (soft = 50, hard = 60)
/usr/var: blocks in use: 0, limits (soft = 50, hard = 75)
inodes in use: 0, limits (soft = 50, hard = 60)You will normally see two lines for each file system that has
quotas enabled. One line for the block limits, and one line for
inode limits. Simply change the value you want updated to modify
the quota limit. For example, to raise this user's block limit
from a soft limit of 50 and a hard limit of 75 to a soft limit of
500 and a hard limit of 600, change:/usr: blocks in use: 65, limits (soft = 50, hard = 75)to: /usr: blocks in use: 65, limits (soft = 500, hard = 600)The new quota limits will be in place when you exit the
editor.Sometimes it is desirable to set quota limits on a range of
UIDs. This can be done by use of the option
on the &man.edquota.8; command. First, assign the
desired quota limit to a user, and then run
edquota -p protouser startuid-enduid. For
example, if user test has the desired quota
limits, the following command can be used to duplicate those quota
limits for UIDs 10,000 through 19,999:&prompt.root; edquota -p test 10000-19999For more information see &man.edquota.8; manual page.Checking Quota Limits and Disk Usagedisk quotascheckingYou can use either the &man.quota.1; or the
&man.repquota.8; commands to check quota limits and
disk usage. The &man.quota.1; command can be used to
check individual user or group quotas and disk usage. A user
may only examine his own quota, and the quota of a group he
is a member of. Only the super-user may view all user and group
quotas. The
&man.repquota.8; command can be used to get a summary
of all quotas and disk usage for file systems with quotas
enabled.The following is some sample output from the
quota -v command for a user that has quota
limits on two file systems.Disk quotas for user test (uid 1002):
Filesystem blocks quota limit grace files quota limit grace
/usr 65* 50 75 5days 7 50 60
/usr/var 0 50 75 0 50 60grace periodOn the /usr file system in the above
example, this user is currently 15 blocks over the soft limit of
50 blocks and has 5 days of the grace period left. Note the
asterisk * which indicates that the user is
currently over his quota limit.Normally file systems that the user is not using any disk
space on will not show up in the output from the
&man.quota.1; command, even if he has a quota limit
assigned for that file system. The option
will display those file systems, such as the
/usr/var file system in the above
example.Quotas over NFSNFSQuotas are enforced by the quota subsystem on the NFS server.
The &man.rpc.rquotad.8; daemon makes quota information available
to the &man.quota.1; command on NFS clients, allowing users on
those machines to see their quota statistics.Enable rpc.rquotad in
/etc/inetd.conf like so:rquotad/1 dgram rpc/udp wait root /usr/libexec/rpc.rquotad rpc.rquotadNow restart inetd:&prompt.root; kill -HUP `cat /var/run/inetd.pid`LuckyGreenContributed by shamrock@cypherpunks.toEncrypting Disk PartitionsdisksencryptingFreeBSD offers excellent online protections against
unauthorized data access. File permissions and Mandatory
Access Control (MAC) (see ) help prevent
unauthorized third-parties from accessing data while the operating
system is active and the computer is powered up. However,
the permissions enforced by the operating system are irrelevant if an
attacker has physical access to a computer and can simply move
the computer's hard drive to another system to copy and analyze
the sensitive data.Regardless of how an attacker may have come into possession of
a hard drive or powered-down computer, GEOM Based Disk
Encryption (gbde) can protect the data on the
computer's file systems against even highly-motivated attackers
with significant resources. Unlike cumbersome encryption methods
that encrypt only individual files, gbde
transparently encrypts entire file systems. No cleartext ever
touches the hard drive's platter.Enabling gbde in the KernelBecome rootConfiguring gbde requires
super-user privileges.&prompt.user; su -
Password:Verify the Operating System Version&man.gbde.4; requires FreeBSD 5.0 or higher.&prompt.root; uname -r
5.0-RELEASEAdd &man.gbde.4; Support to the Kernel Configuration FileUsing your favorite text editor, add the following
line to your kernel configuration file:options GEOM_BDEConfigure, recompile, and install the FreeBSD kernel.
This process is described in .Reboot into the new kernel.Preparing the Encrypted Hard DriveThe following example assumes that you are adding a new hard
drive to your system that will hold a single encrypted partition.
This partition will be mounted as /private.
gbde can also be used to encrypt
/home and /var/mail, but
this requires more complex instructions which exceed the scope of
this introduction.Add the New Hard DriveInstall the new drive to the system as explained in . For the purposes of this example,
a new hard drive partition has been added as
/dev/ad4s1c. The
/dev/ad0s1*
devices represent existing standard FreeBSD partitions on
the example system.&prompt.root; ls /dev/ad*
/dev/ad0 /dev/ad0s1b /dev/ad0s1e /dev/ad4s1
/dev/ad0s1 /dev/ad0s1c /dev/ad0s1f /dev/ad4s1c
/dev/ad0s1a /dev/ad0s1d /dev/ad4Create a Directory to Hold gbde Lock Files&prompt.root; mkdir /etc/gbdeThe gbde lock file contains
information that gbde requires to
access encrypted partitions. Without access to the lock file,
gbde will not be able to decrypt
the data contained in the encrypted partition without
significant manual intervention which is not supported by the
software. Each encrypted partition uses a separate lock
file.Initialize the gbde PartitionA gbde partition must be
initialized before it can be used. This initialization needs to
be performed only once:&prompt.root; gbde init /dev/ad4s1c -i -L /etc/gbde/ad4s1c&man.gbde.8; will open your editor, permitting you to set
various configuration options in a template. For use with UFS1
or UFS2, set the sector_size to 2048:$FreeBSD: src/sbin/gbde/template.txt,v 1.1 2002/10/20 11:16:13 phk Exp $
#
# Sector size is the smallest unit of data which can be read or written.
# Making it too small decreases performance and decreases available space.
# Making it too large may prevent filesystems from working. 512 is the
# minimum and always safe. For UFS, use the fragment size
#
sector_size = 2048
[...]
&man.gbde.8; will ask you twice to type the passphrase that
should be used to secure the data. The passphrase must be the
same both times. gbde's ability to
protect your data depends entirely on the quality of the
passphrase that you choose.
For tips on how to select a secure passphrase that is easy
to remember, see the Diceware
Passphrase website.The gbde init command creates a lock
file for your gbde partition that in
this example is stored as
/etc/gbde/ad4s1c.gbde lock files
must be backed up together with the
contents of any encrypted partitions. While deleting a lock
file alone cannot prevent a determined attacker from
decrypting a gbde partition,
without the lock file, the legitimate owner will be unable
to access the data on the encrypted partition without a
significant amount of work that is totally unsupported by
&man.gbde.8; and its designer.Attach the Encrypted Partition to the Kernel&prompt.root; gbde attach /dev/ad4s1c -l /etc/gbde/ad4s1c You will be asked to provide the passphrase that you
selected during the initialization of the encrypted partition.
The new encrypted device will show up in
/dev as
/dev/device_name.bde:&prompt.root; ls /dev/ad*
/dev/ad0 /dev/ad0s1b /dev/ad0s1e /dev/ad4s1
/dev/ad0s1 /dev/ad0s1c /dev/ad0s1f /dev/ad4s1c
/dev/ad0s1a /dev/ad0s1d /dev/ad4 /dev/ad4s1c.bdeCreate a File System on the Encrypted DeviceOnce the encrypted device has been attached to the kernel,
you can create a file system on the device. To create a file
system on the encrypted device, use &man.newfs.8;. Since it is
much faster to initialize a new UFS2 file system than it is to
initialize the old UFS1 file system, using &man.newfs.8; with
the option is recommended.The option is the default
with &os; 5.1-RELEASE and later.&prompt.root; newfs -U -O2 /dev/ad4s1c.bdeThe &man.newfs.8; command must be performed on an
attached gbde partition which
is identified by a
*.bde
extension to the device name.Mount the Encrypted PartitionCreate a mount point for the encrypted file system.&prompt.root; mkdir /privateMount the encrypted file system.&prompt.root; mount /dev/ad4s1c.bde /privateVerify That the Encrypted File System is AvailableThe encrypted file system should now be visible to
&man.df.1; and be available for use.&prompt.user; df -H
Filesystem Size Used Avail Capacity Mounted on
/dev/ad0s1a 1037M 72M 883M 8% /
/devfs 1.0K 1.0K 0B 100% /dev
/dev/ad0s1f 8.1G 55K 7.5G 0% /home
/dev/ad0s1e 1037M 1.1M 953M 0% /tmp
/dev/ad0s1d 6.1G 1.9G 3.7G 35% /usr
/dev/ad4s1c.bde 150G 4.1K 138G 0% /privateMounting Existing Encrypted File SystemsAfter each boot, any encrypted file systems must be
re-attached to the kernel, checked for errors, and mounted, before
the file systems can be used. The required commands must be
executed as user root.Attach the gbde Partition to the Kernel&prompt.root; gbde attach /dev/ad4s1c -l /etc/gbde/ad4s1cYou will be asked to provide the passphrase that you
selected during initialization of the encrypted gbde
partition.Check the File System for ErrorsSince encrypted file systems cannot yet be listed in
/etc/fstab for automatic mounting, the
file systems must be checked for errors by running &man.fsck.8;
manually before mounting.&prompt.root; fsck -p -t ffs /dev/ad4s1c.bdeMount the Encrypted File System&prompt.root; mount /dev/ad4s1c.bde /privateThe encrypted file system is now available for use.Automatically Mounting Encrypted PartitionsIt is possible to create a script to automatically attach,
check, and mount an encrypted partition, but for security reasons
the script should not contain the &man.gbde.8; password. Instead,
it is recommended that such scripts be run manually while
providing the password via the console or &man.ssh.1;.Cryptographic Protections Employed by gbde&man.gbde.8; encrypts the sector payload using 128-bit AES in
CBC mode. Each sector on the disk is encrypted with a different
AES key. For more information on gbde's
cryptographic design, including how the sector keys are derived
from the user-supplied passphrase, see &man.gbde.4;.Compatibility Issues&man.sysinstall.8; is incompatible with
gbde-encrypted devices. All
*.bde devices must be detached from the
kernel before starting &man.sysinstall.8; or it will crash during
its initial probing for devices. To detach the encrypted device
used in our example, use the following command:&prompt.root; gbde detach /dev/ad4s1cAlso note that, as &man.vinum.4; does not use the
&man.geom.4; subsystem, you cannot use
gbde with
vinum volumes.
diff --git a/en_US.ISO8859-1/books/handbook/install/chapter.sgml b/en_US.ISO8859-1/books/handbook/install/chapter.sgml
index f5440a20d4..a6063ccafc 100644
--- a/en_US.ISO8859-1/books/handbook/install/chapter.sgml
+++ b/en_US.ISO8859-1/books/handbook/install/chapter.sgml
@@ -1,5573 +1,5573 @@
JimMockRestructured, reorganized, and parts
rewritten by RandyPrattThe sysinstall walkthrough, screenshots, and general
copy by Installing FreeBSDSynopsisinstallationFreeBSD is provided with a text-based, easy to use installation
program called sysinstall. This is the
default installation program for FreeBSD, although vendors are free to
provide their own installation suite if they wish. This chapter
describes how to use sysinstall to install
FreeBSD.After reading this chapter, you will know:How to create the FreeBSD installation disks.How FreeBSD refers to, and subdivides, your hard disks.How to start sysinstall.The questions sysinstall will ask
you, what they mean, and how to answer them.Before reading this chapter, you should:Read the supported hardware list that shipped with the version
of FreeBSD you are installing, and verify that your hardware is
supported.In general, these installation instructions are written
for &i386; (PC compatible) architecture
computers. Where applicable, instructions specific to other
platforms (for example, Alpha) will be listed. Although this
guide is kept as up to date as possible, you may find minor
differences between the installer and what is shown here. It is
suggested that you use this chapter as a general guide rather
than a literal installation manual.Pre-installation TasksInventory Your ComputerBefore installing FreeBSD you should attempt to inventory the
components in your computer. The FreeBSD installation routines will
show you the components (hard disks, network cards, CDROM drives, and
so forth) with their model number and manufacturer. FreeBSD will also
attempt to determine the correct configuration for these devices,
which includes information about IRQ and IO port usage. Due to the
vagaries of PC hardware this process is not always completely
successful, and you may need to correct FreeBSD's determination of
your configuration.If you already have another operating system installed, such as
&windows; or Linux, it is a good idea to use the facilities provided
by those operating systems to see how your hardware is already
configured. If you are not sure what settings an expansion
card is using, you may find it printed on the card itself. Popular IRQ
numbers are 3, 5, and 7, and IO port addresses are normally written as
hexadecimal numbers, such as 0x330.We recommend you print or write down this information before
installing FreeBSD. It may help to use a table, like this:
Sample Device InventoryDevice NameIRQIO port(s)NotesFirst hard diskN/AN/A40 GB, made by Seagate, first IDE masterCDROMN/AN/AFirst IDE slaveSecond hard diskN/AN/A20 GB, made by IBM, second IDE masterFirst IDE controller140x1f0Network cardN/AN/A&intel; 10/100ModemN/AN/A&tm.3com; 56K faxmodem, on COM1…
Backup Your DataIf the computer you will be installing FreeBSD on contains
valuable data, then ensure you have it backed up, and that you have
tested the backups before installing FreeBSD. The FreeBSD
installation routine will prompt you before writing any
data to your disk, but once that process has started it cannot be
undone.Decide Where to Install FreeBSDIf you want FreeBSD to use your entire hard disk, then there is nothing
more to concern yourself with at this point — you can skip this
section.However, if you need FreeBSD to co-exist with other operating
systems then you need to have a rough understanding of how data is
laid out on the disk, and how this affects you.Disk Layouts for the &i386;A PC disk can be divided into discrete chunks. These chunks are
called partitions. By design, the PC only
supports four partitions per disk. These partitions are called
primary partitions. To work around this
limitation and allow more than four partitions, a new partition type
was created, the extended partition. A disk
may contain only one extended partition. Special partitions, called
logical partitions, can be created inside this
extended partition.Each partition has a partition ID, which is
a number used to identify the type of data on the partition. FreeBSD
partitions have the partition ID of 165.In general, each operating system that you use will identify
partitions in a particular way. For example, DOS, and its
descendants, like &windows;, assign each primary and logical partition a
drive letter, starting with
C:.FreeBSD must be installed into a primary partition. FreeBSD can
keep all its data, including any files that you create, on this one
partition. However, if you have multiple disks, then you can create a
FreeBSD partition on all, or some, of them. When you install FreeBSD,
you must have one partition available. This might be a blank
partition that you have prepared, or it might be an existing partition
that contains data that you no longer care about.If you are already using all the partitions on all your disks, then
you will have to free one of them for FreeBSD using the tools
provided by the other operating systems you use (e.g.,
fdisk on DOS or &windows;).If you have a spare partition then you can use that. However, you
may need to shrink one or more of your existing partitions
first.A minimal installation of FreeBSD takes as little as 100 MB of disk
space. However, that is a very minimal install,
leaving almost no space for your own files. A more realistic minimum
is 250 MB without a graphical environment, and 350 MB or more if you
want a graphical user interface. If you intend to install a lot of
third party software as well, then you will need more space.You can use a commercial tool such as &partitionmagic;
to resize your partitions to make space for
FreeBSD. The tools directory on the CDROM
contains two free software tools which can carry out this task, namely
FIPS and
PResizer. Documentation for both
of these is available in the same directory.
FIPS,
PResizer, and
&partitionmagic; can resize
FAT16 and FAT32
partitions — used in &ms-dos; through &windows; ME.
&partitionmagic; is the only known
application that can resize NTFS.Incorrect use of these tools can delete the data on your disk.
Be sure that you have recent, working backups before using
them.Using an Existing Partition UnchangedSuppose that you have a computer with a single 4 GB disk that
already has a version of &windows; installed, and you have split the
disk into two drive letters, C: and
D:, each of which is 2 GB in size. You have
1 GB of data on C:, and 0.5 GB of data on
D:.This means that your disk has two partitions on it, one per
drive letter. You can copy all your existing data from
D: to C:, which
will free up the second partition, ready for FreeBSD.Shrinking an Existing PartitionSuppose that you have a computer with a single 4 GB disk that
already has a version of &windows; installed. When you installed
&windows; you created one large partition, giving you a
C: drive that is 4 GB in size. You are
currently using 1.5 GB of space, and want FreeBSD to have 2 GB of
space.In order to install FreeBSD you will need to either:Backup your &windows; data, and then reinstall &windows;,
asking for a 2 GB partition at install time.Use one of the tools such as &partitionmagic;,
described above, to shrink your &windows;
partition.Disk Layouts for the AlphaAlphaYou will need a dedicated disk for FreeBSD on the
Alpha. It is not possible to share a disk with another
operating system at this time. Depending on the specific
Alpha machine you have, this disk can either be a SCSI disk
or an IDE disk, as long as your machine is capable of
booting from it.Following the conventions of the Digital / Compaq
manuals all SRM input is shown in uppercase. SRM is case
insensitive.To find the names and types of disks in your machine, use
the SHOW DEVICE command from the SRM
console prompt:>>>SHOW DEVICE
dka0.0.0.4.0 DKA0 TOSHIBA CD-ROM XM-57 3476
dkc0.0.0.1009.0 DKC0 RZ1BB-BS 0658
dkc100.1.0.1009.0 DKC100 SEAGATE ST34501W 0015
dva0.0.0.0.1 DVA0
ewa0.0.0.3.0 EWA0 00-00-F8-75-6D-01
pkc0.7.0.1009.0 PKC0 SCSI Bus ID 7 5.27
pqa0.0.0.4.0 PQA0 PCI EIDE
pqb0.0.1.4.0 PQB0 PCI EIDEThis example is from a Digital Personal Workstation
433au and shows three disks attached to the machine. The
first is a CDROM drive called DKA0 and
the other two are disks and are called
DKC0 and
DKC100 respectively.Disks with names of the form DKx
are SCSI disks. For example DKA100
refers to a SCSI disk with SCSI target ID 1 on the first SCSI bus (A),
whereas DKC300 refers to a SCSI disk
with SCSI ID 3 on the third SCSI bus (C). Devicename
PKx refers to the SCSI host bus adapter. As
seen in the SHOW DEVICE output SCSI
CDROM drives are treated as any other SCSI hard disk drive.IDE disks have names similar to DQx,
while PQx is the associated IDE
controller.Collect Your Network Configuration DetailsIf you intend to connect to a network as part of your FreeBSD
installation (for example, if you will be installing from an FTP
site or an
NFS server), then you need to know your network configuration. You
will be prompted for this information during the installation so that
FreeBSD can connect to the network to complete the install.Connecting to an Ethernet Network or Cable/DSL ModemIf you connect to an Ethernet network, or you have an Internet
connection using an Ethernet adapter via cable or DSL, then you will need the following
information:IP addressIP address of the default gatewayHostnameDNS server IP addressesSubnet MaskIf you do not know this information, then ask your system
administrator or service provider. They may say that this
information is assigned automatically, using
DHCP. If so, make a note of this.Connecting Using a ModemIf you dial up to an ISP using a regular modem then you can
still install FreeBSD over the Internet, it will just take a very
long time.You will need to know:The phone number to dial for your ISPThe COM: port your modem is connected toThe username and password for your ISP accountCheck for FreeBSD ErrataAlthough the FreeBSD project strives to ensure that each release
of FreeBSD is as stable as possible, bugs do occasionally creep into
the process. On very rare occasions those bugs affect the
installation process. As these problems are discovered and fixed, they
are noted in the FreeBSD Errata, which is found on the FreeBSD web site. You
should check the errata before installing to make sure that there are
no late-breaking problems which you should be aware of.Information about all the releases, including the errata for each
release, can be found on the
release
information section of the
FreeBSD web site.Obtain the FreeBSD Installation FilesThe FreeBSD installation process can install FreeBSD from files
located in any of the following places:Local MediaA CDROM or DVDA DOS partition on the same computerA SCSI or QIC tapeFloppy disksNetworkAn FTP site, going through a firewall, or using an HTTP proxy,
as necessaryAn NFS serverA dedicated parallel or serial connectionIf you have purchased FreeBSD on CD or DVD then you already have
everything you need, and should proceed to the next section
().If you have not obtained the FreeBSD installation files you should
skip ahead to which explains how
to prepare to install FreeBSD from any of the above. After reading
that section, you should come back here, and read on to
.Prepare the Boot MediaThe FreeBSD installation process is started by booting your
computer into the FreeBSD installer—it is not a program you run
within another operating system. Your computer normally boots using
the operating system installed on your hard disk, but it can also be
configured to use a bootable floppy disk.
Most modern computers can also
boot from a CDROM in the CDROM drive.If you have FreeBSD on CDROM or DVD (either one you purchased
or you prepared yourself), and your computer allows you to boot from
the CDROM or DVD (typically a BIOS option called Boot
Order or similar), then you can skip this section. The
FreeBSD CDROM and DVD images are bootable and can be used to install
FreeBSD without any other special preparation.To create boot floppy images, follow these steps:Acquire the Boot Floppy ImagesThe boot disks are available on your installation media
in the floppies/ directory, and
can also be downloaded from the floppies directory, ftp://ftp.FreeBSD.org/pub/FreeBSD/releases/<arch>/<version>-RELEASE/floppies/.
Replace <arch> and
<version>
with the architecture and the version number
which you want to install, respectively.
For example, the boot floppy images for
&os; &rel.current;-RELEASE for &i386; are available
from .The floppy images have a .flp extension.
The floppies/ directory contains a number of
different images, and the ones you will need to use depends on the
version of FreeBSD you are installing, and in some cases, the
hardware you are installing to. If you are installing FreeBSD
4.x in most cases you will just need
two files, kern.flp and
mfsroot.flp. If you are
installing FreeBSD 5.x in most cases you will need three
floppies, boot.flp,
kern1.flp, and
kern2.flp. Additional device drivers may
be necessary for some systems. These drivers are provided
on the drivers.flp image. Check
README.TXT in the same directory for the
most up to date information about these floppy images.Your FTP program must use binary mode
to download these disk images. Some web browsers have been
known to use text (or
ASCII) mode, which will be apparent if you
cannot boot from the disks.Prepare the Floppy DisksYou must prepare one floppy disk per image file you had to
download. It is imperative that these disks are free from
defects. The easiest way to test this is to format the disks
for yourself. Do not trust pre-formatted floppies. The format
utility in &windows; will not tell about the presence of
bad blocks, it simply marks them as bad
and ignores them. It is advised that you use brand new
floppies if choosing this installation route.If you try to install FreeBSD and the installation
program crashes, freezes, or otherwise misbehaves, one of
the first things to suspect is the floppies. Try writing
the floppy image files to new disks and try
again.Write the Image Files to the Floppy DisksThe .flp files are
not regular files you copy to the disk.
They are images of the complete contents of the
disk. This means that you cannot simply
copy files from one disk to another.
Instead, you must use specific tools to write the
images directly to the disk.DOSIf you are creating the floppies on a computer running
&ms-dos;/&windows;, then we provide a tool to do
this called fdimage.If you are using the floppies from the CDROM, and your
CDROM is the E: drive, then you would
run this:E:\>tools\fdimage floppies\kern.flp A:Repeat this command for each .flp
file, replacing the floppy disk each time, being sure to label
the disks with the name of the file that you copied to them.
Adjust the command line as necessary, depending on where you have
placed the .flp files. If you do not have
the CDROM, then fdimage can be downloaded from
the tools
directory on the FreeBSD FTP site.If you are writing the floppies on a &unix; system (such as
another FreeBSD system) you can use the &man.dd.1; command to
write the image files directly to disk. On FreeBSD, you would
run:&prompt.root; dd if=kern.flp of=/dev/fd0On FreeBSD, /dev/fd0 refers to the
first floppy disk (the A: drive).
/dev/fd1 would be the
B: drive, and so on. Other &unix;
variants might have different names for the floppy disk
devices, and you will need to check the documentation for the
system as necessary.You are now ready to start installing FreeBSD.Starting the InstallationBy default, the installation will not make any changes to your
disk(s) until you see the following message:Last Chance: Are you SURE you want continue the installation?
If you're running this on a disk with data you wish to save then WE
STRONGLY ENCOURAGE YOU TO MAKE PROPER BACKUPS before proceeding!
We can take no responsibility for lost disk contents!The install can be exited at any time prior to the final
warning without changing the contents of the hard drive. If you are
concerned that you have configured something incorrectly you can just
turn the computer off before this point, and no damage will be
done.BootingBooting for the &i386;Start with your computer turned off.Turn on the computer. As it starts it should display an
option to enter the system set up menu, or BIOS, commonly reached
by keys like F2, F10,
Del, or
AltS. Use whichever keystroke is indicated on screen. In
some cases your computer may display a graphic while it starts.
Typically, pressing Esc will dismiss the graphic
and allow you to see the necessary messages.Find the setting that controls which devices the system boots
from. This is usually labeled as the Boot Order
and commonly shown as a list of devices, such as
Floppy, CDROM,
First Hard Disk, and so on.If you needed to prepare boot floppies, then make sure that the
floppy disk is selected. If you are booting from the CDROM then
make sure that that is selected instead. In case of doubt, you
should consult the manual that came with your computer, and/or its
motherboard.Make the change, then save and exit. The computer should now
restart.If you needed to prepare boot floppies, as described in
, then one of them will be the
first boot disc, probably the one containing
kern.flp. Put this disc in your floppy
drive.If you are booting from CDROM, then you will need to turn on
the computer, and insert the CDROM at the first
opportunity.If your computer starts up as normal and loads your existing
operating system, then either:The disks were not inserted early enough in the boot
process. Leave them in, and try restarting your
computer.The BIOS changes earlier did not work correctly. You
should redo that step until you get the right option.Your particular BIOS does not support booting from
the desired media.FreeBSD will start to boot. If you are booting from CDROM you
will see a display similar to this (version information omitted):Verifying DMI Pool Data ........
Boot from ATAPI CD-ROM :
1. FD 2.88MB System Type-(00)
Uncompressing ... done
BTX loader 1.00 BTX version is 1.01
Console: internal video/keyboard
BIOS drive A: is disk0
BIOS drive B: is disk1
BIOS drive C: is disk2
BIOS drive D: is disk3
BIOS 639kB/261120kB available memory
FreeBSD/i386 bootstrap loader, Revision 0.8
/kernel text=0x277391 data=0x3268c+0x332a8 |
|
Hit [Enter] to boot immediately, or any other key for command prompt.
Booting [kernel] in 9 seconds... _If you are booting from floppy disc, you will see a display
similar to this (version information omitted):Verifying DMI Pool Data ........
BTX loader 1.00 BTX version is 1.01
Console: internal video/keyboard
BIOS drive A: is disk0
BIOS drive C: is disk1
BIOS 639kB/261120kB available memory
FreeBSD/i386 bootstrap loader, Revision 0.8
/kernel text=0x277391 data=0x3268c+0x332a8 |
Please insert MFS root floppy and press enter:Follow these instructions by removing the
kern.flp disc, insert the
mfsroot.flp disc, and press
Enter.Whether you booted from floppy or CDROM, the
boot process will then get to this point:Hit [Enter] to boot immediately, or any other key for command prompt.
Booting [kernel] in 9 seconds... _Either wait ten seconds, or press Enter. This
will then launch the kernel configuration menu.Booting for the AlphaAlphaStart with your computer turned off.Turn on the computer and wait for a boot monitor
prompt.If you needed to prepare boot floppies, as described in
then one of them will be the
first boot disc, probably the one containing
kern.flp. Put this disc in your floppy
drive and type the following command to boot the disk
(substituting the name of your floppy drive if
necessary):>>>BOOT DVA0 -FLAGS '' -FILE ''If you are booting from CDROM, insert the CDROM into
the drive and type the following command to start the
installation (substituting the name of the appropriate
CDROM drive if necessary):>>>BOOT DKA0 -FLAGS '' -FILE ''FreeBSD will start to boot. If you are booting from a
floppy disc, at some point you will see the message:Please insert MFS root floppy and press enter:Follow these instructions by removing the
kern.flp disc, insert the
mfsroot.flp disc, and press
Enter.Whether you booted from floppy or CDROM, the
boot process will then get to this point:Hit [Enter] to boot immediately, or any other key for command prompt.
Booting [kernel] in 9 seconds... _Either wait ten seconds, or press Enter. This
will then launch the kernel configuration menu.Kernel ConfigurationFrom FreeBSD versions 5.0 and later, userconfig has been deprecated
in favor of the new &man.device.hints.5; method. For more information
on &man.device.hints.5; please visit The kernel is the core of the operating
system. It is responsible for many things, including access to all
the devices you may have on your system, such as hard disks, network
cards, sound cards, and so on. Each piece of hardware supported by
the FreeBSD kernel has a driver associated with it. Each driver has a
two or three letter name, such as sa for the
SCSI sequential access driver, or sio for the
Serial I/O driver (which manages COM ports).When the kernel starts, each driver checks the system to see
whether or not the hardware it supports exists on your system. If it
does, then the driver configures the hardware and makes it available
to the rest of the kernel.This checking is commonly referred to as device
probing. Unfortunately, it is not always possible to do
this in a safe way. Some hardware drivers do not co-exist well,
and probing for one piece of hardware can sometimes leave
another in an inconsistent state. This is a basic
limitation of the PC design.Many older devices are called ISA devices—as opposed
to PCI devices. The ISA specification requires each device to have
some information hard coded into it, typically the Interrupt Request
Line number (IRQ) and IO port address that the driver uses. This
information is commonly set by using physical
jumpers on the card, or by using a DOS based
utility.This was often a source of problems, because it was not possible
to have two devices that shared the same IRQ or port address.Newer devices follow the PCI specification, which does not require
this, as the devices are supposed to cooperate with the BIOS, and are
told which IRQ and IO port addresses to use.If you have any ISA devices in your computer then FreeBSD's
driver for that device will need to be configured with the IRQ and
port address that you have set the card to. This is why carrying out
an inventory of your hardware (see ) can be useful.Unfortunately, the default IRQs and memory ports used by some
drivers clash. This is because some ISA devices are shipped with IRQs
or memory ports that clash. The defaults in FreeBSD's drivers are
deliberately set to mirror the manufacturer's defaults, so that, out
of the box, as many devices as possible will work.This is almost never an issue when running FreeBSD day-to-day.
Your computer will not normally contain two pieces of hardware that
clash, because one of them would not work (irrespective of the
operating system you are using).It becomes an issue when you are installing FreeBSD for the first
time because the kernel used to carry out the install has to contain
as many drivers as possible, so that many different hardware
configurations can be supported. This means that some of
those drivers will have conflicting configurations. The devices are
probed in a strict order, and if you own a device that is probed late
in the process, but conflicted with an earlier probe, then your
hardware might not function or be probed correctly when you install
FreeBSD.Because of this, the first thing you have the opportunity to do
when installing FreeBSD is look at the list of drivers that are
configured into the kernel, and either disable some of them, if you
do not own that device, or confirm (and alter) the driver's
configuration if you do own the device but the defaults are
wrong.This probably sounds much more complicated than it actually
is. shows the first kernel
configuration menu. We recommend that you choose the
Start kernel configuration in full-screen visual
mode option, as it presents the easiest interface for
the new user.Kernel Configuration Menu&txt.install.userconfig;The kernel configuration screen ()
is then divided into four sections:A collapsible list of all the drivers that are currently
marked as active, subdivided into groups such as
Storage, and Network. Each
driver is shown as a description, its two or three letter driver
name, and the IRQ and memory port used by that driver. In
addition, if an active driver conflicts with another active driver
then CONF is shown next to the driver name.
This section also shows the total number of conflicting drivers
that are currently active.Drivers that have been marked inactive. They remain in the
kernel, but they will not probe for their device when the kernel
starts. These are subdivided into groups in the same way as the
active driver list.More detail about the currently selected driver, including its
IRQ and memory port address.Information about the keystrokes that are valid at this point
in time.The Kernel Device Configuration Visual Interface&txt.install.userconfig2;Do not worry if any conflicts are listed,
it is to be expected; all the drivers are enabled, and
as has already been explained, some of them will conflict with one
another.You now have to work through the list of drivers, resolving the
conflicts.Resolving Driver ConflictsPress X. This will completely expand the
list of drivers, so you can see all of them. You will need to use
the arrow keys to scroll back and forth through the active driver
list. shows the result of
pressing X.Expanded Driver ListDisable all the drivers for devices that you do not have. To
disable a driver, highlight it with the arrow keys and press
Del. The driver will be moved to the
Inactive Drivers list.If you inadvertently disable a device that you need then press
Tab to switch to the Inactive
Drivers list, select the driver that you disabled, and
press Enter to move it back to the active
list.Do not disable sc0. This controls
the screen, and you will need this unless you are installing
over a serial cable.Only disable atkbd0 if you are
using a USB keyboard. If you have a normal keyboard then you
must keep atkbd0.If there are no conflicts listed then you can skip this step.
Otherwise, the remaining conflicts need to be examined. If they
do not have the indication of an allowed conflict
in the message area, then either the IRQ/address for device probe
will need to be changed, or the IRQ/address
on the hardware will need to be changed.To change the driver's configuration for IRQ and IO port
address, select the device and press Enter. The
cursor will move to the third section of the screen, and you can
change the values. You should enter the values for IRQ and port
address that you discovered when you made your hardware inventory.
Press Q to finish editing the device's
configuration and return to the active driver list.If you are not sure what these figures should be then you can
try using -1. Some FreeBSD drivers can safely
probe the hardware to discover what the correct value should be,
and a value of -1 configures them to do
this.The procedure for changing the address on the hardware varies
from device to device. For some devices you may need to
physically remove the card from your computer and adjust jumper
settings or DIP switches. Other cards may have come with a DOS
floppy that contains the programs used to reconfigure the card.
In any case, you should refer to the documentation that came with
the device. This will obviously entail restarting your computer,
so you will need to boot back into the FreeBSD installation
routine when you have reconfigured the card.When all the conflicts have been resolved the screen will look
similar to .Driver Configuration With No ConflictsAs you can see, the active driver list is now much smaller,
with only drivers for the hardware that actually exists being
listed.You can now save these changes, and move on to the next step
of the install. Press Q to quit the device
configuration interface. This message will appear:Save these parameters before exiting? ([Y]es/[N]o/[C]ancel)Answer Y to save the parameters to memory
(it will be saved to disk if you finish the install) and the
probing will start. After displaying the probe results in white
on black text sysinstall will start
and display its main menu
().Sysinstall Main MenuReviewing the Device Probe ResultsThe last few hundred lines that have been displayed on screen are
stored and can be reviewed.To review the buffer, press Scroll Lock. This
turns on scrolling in the display. You can then use the arrow keys, or
PageUp and PageDown to view the
results. Press Scroll Lock again to stop
scrolling.Do this now, to review the text that scrolled off the screen when
the kernel was carrying out the device probes. You will see text
similar to , although the precise
text will differ depending on the devices that you have in your
computer.Typical Device Probe Resultsavail memory = 253050880 (247120K bytes)
Preloaded elf kernel "kernel" at 0xc0817000.
Preloaded mfs_root "/mfsroot" at 0xc0817084.
md0: Preloaded image </mfsroot> 4423680 bytes at 0xc03ddcd4
md1: Malloc disk
Using $PIR table, 4 entries at 0xc00fde60
npx0: <math processor> on motherboard
npx0: INT 16 interface
pcib0: <Host to PCI bridge> on motherboard
pci0: <PCI bus> on pcib0
pcib1:<VIA 82C598MVP (Apollo MVP3) PCI-PCI (AGP) bridge> at device 1.0 on pci0
pci1: <PCI bus> on pcib1
pci1: <Matrox MGA G200 AGP graphics accelerator> at 0.0 irq 11
isab0: <VIA 82C586 PCI-ISA bridge> at device 7.0 on pci0
isa0: <iSA bus> on isab0
atapci0: <VIA 82C586 ATA33 controller> port 0xe000-0xe00f at device 7.1 on pci0
ata0: at 0x1f0 irq 14 on atapci0
ata1: at 0x170 irq 15 on atapci0
uhci0 <VIA 83C572 USB controller> port 0xe400-0xe41f irq 10 at device 7.2 on pci
0
usb0: <VIA 83572 USB controller> on uhci0
usb0: USB revision 1.0
uhub0: VIA UHCI root hub, class 9/0, rev 1.00/1.00, addr1
uhub0: 2 ports with 2 removable, self powered
pci0: <unknown card> (vendor=0x1106, dev=0x3040) at 7.3
dc0: <ADMtek AN985 10/100BaseTX> port 0xe800-0xe8ff mem 0xdb000000-0xeb0003ff ir
q 11 at device 8.0 on pci0
dc0: Ethernet address: 00:04:5a:74:6b:b5
miibus0: <MII bus> on dc0
ukphy0: <Generic IEEE 802.3u media interface> on miibus0
ukphy0: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
ed0: <NE2000 PCI Ethernet (RealTek 8029)> port 0xec00-0xec1f irq 9 at device 10.
0 on pci0
ed0 address 52:54:05:de:73:1b, type NE2000 (16 bit)
isa0: too many dependant configs (8)
isa0: unexpected small tag 14
orm0: <Option ROM> at iomem 0xc0000-0xc7fff on isa0
fdc0: <NEC 72065B or clone> at port 0x3f0-0x3f5,0x3f7 irq 6 drq2 on isa0
fdc0: FIFO enabled, 8 bytes threshold
fd0: <1440-KB 3.5" drive> on fdc0 drive 0
atkbdc0: <Keyboard controller (i8042)> at port 0x60,0x64 on isa0
atkbd0: <AT Keyboard> flags 0x1 irq1 on atkbdc0
kbd0 at atkbd0
psm0: <PS/2 Mouse> irq 12 on atkbdc0
psm0: model Generic PS/@ mouse, device ID 0
vga0: <Generic ISA VGA> at port 0x3c0-0x3df iomem 0xa0000-0xbffff on isa0
sc0: <System console> at flags 0x100 on isa0
sc0: VGA <16 virtual consoles, flags=0x300>
sio0 at port 0x3f8-0x3ff irq 4 flags 0x10 on isa0
sio0: type 16550A
sio1 at port 0x2f8-0x2ff irq 3 on isa0
sio1: type 16550A
ppc0: <Parallel port> at port 0x378-0x37f irq 7 on isa0
pppc0: SMC-like chipset (ECP/EPP/PS2/NIBBLE) in COMPATIBLE mode
ppc0: FIFO with 16/16/15 bytes threshold
plip0: <PLIP network interface> on ppbus0
ad0: 8063MB <IBM-DHEA-38451> [16383/16/63] at ata0-master UDMA33
acd0: CD-RW <LITE-ON LTR-1210B> at ata1-slave PIO4
Mounting root from ufs:/dev/md0c
/stand/sysinstall running as init on vty0Check the probe results carefully to make sure that FreeBSD found
all the devices you expected. If a device was not found, then it will
not be listed. If the device's driver required configuring
with the IRQ and port address then you should check that you entered
them correctly.If you need to make changes to the UserConfig device probing,
it is easy to exit the sysinstall program
and start over again. It is also a good way to become more familiar
with the process.Select Sysinstall ExitUse the arrow keys to select
Exit Install from the Main
Install Screen menu. The following message will display: User Confirmation Requested
Are you sure you wish to exit? The system will reboot
(be sure to remove any floppies from the drives).
[ Yes ] NoThe install program will start again if the CDROM is left
in the drive and &gui.yes; is selected.If you are booting from floppies it will be necessary to remove
the mfsroot.flp floppy and replace it with
kern.flp before rebooting.Introducing SysinstallThe sysinstall utility is the installation
application provided by the FreeBSD Project. It is console based and is
divided into a number of menus and screens that you can use to
configure and control the installation process.The sysinstall menu system is controlled
by the arrow keys, Enter, Space, and
other keys. A detailed description of these keys and what they do is
contained in sysinstall's usage
information.To review this information, ensure that the
Usage entry is highlighted and that the
[Select] button is selected, as shown in , then press Enter.The instructions for using the menu system will be displayed. After
reviewing them, press Enter to return to the Main
Menu.Selecting Usage from Sysinstall Main MenuSelecting the Documentation MenuFrom the Main Menu, select Doc with
the arrow keys and
press Enter.Selecting Documentation MenuThis will display the Documentation Menu.Sysinstall Documentation MenuIt is important to read the documents provided.To view a document, select it with the arrow keys and
press Enter. When finished reading a document,
pressing Enter will return to the Documentation
Menu.To return to the Main Installation Menu, select
Exit with the
arrow keys and press Enter.Selecting the Keymap MenuTo change the keyboard mapping, use the arrow keys to select
Keymap from the menu and press
Enter. This is only required if you are
using a non-standard or non-US keyboard.Sysinstall Main MenuA different keyboard mapping may be chosen by selecting the
menu item using up/down arrow keys and pressing Space.
Pressing Space again will unselect the item.
When finished, choose the &gui.ok; using the arrow keys and press
Enter.Only a partial list is shown in this screen representation.
Selecting &gui.cancel; by pressing Tab will use the default
keymap and return to the Main Install Menu.Sysinstall Keymap MenuInstallation Options ScreenSelect Options and press
Enter.Sysinstall Main MenuSysinstall OptionsThe default values are usually fine for most users and do
not need to be changed. The release name will vary according
to the version being installed.The description of the selected item will appear at the
bottom of the screen highlighted in blue. Notice that one of the
options is Use Defaults to reset all
values to startup defaults.Press F1 to read the help screen about the
various options.Pressing Q will return to the Main Install
menu.Begin a Standard InstallationThe Standard installation is the
option recommended for those new to &unix; or FreeBSD. Use the arrow
keys to select Standard and
then press Enter to start the installation.Begin Standard InstallationAllocating Disk SpaceYour first task is to allocate disk space for FreeBSD, and label
that space so that sysinstall can prepare
it. In order to do this you need to know how FreeBSD expects to find
information on the disk.BIOS Drive NumberingBefore you install and configure FreeBSD on your system, there is an
important subject that you should be aware of, especially if you have
multiple hard drives.DOSMicrosoft WindowsIn a PC running a BIOS-dependent operating system such as
&ms-dos; or µsoft.windows;, the BIOS is able to abstract the
normal disk drive order, and
the operating system goes along with the change. This allows the user
to boot from a disk drive other than the so-called primary
master. This is especially convenient for some users who have
found that the simplest and cheapest way to keep a system backup is to
buy an identical second hard drive, and perform routine copies of the
first drive to the second drive using
Ghost or XCOPY
. Then, if the
first drive fails, or is attacked by a virus, or is scribbled upon by an
operating system defect, he can easily recover by instructing the BIOS
to logically swap the drives. It is like switching the cables on the
drives, but without having to open the case.SCSIBIOSMore expensive systems with SCSI controllers often include BIOS
extensions which allow the SCSI drives to be re-ordered in a similar
fashion for up to seven drives.A user who is accustomed to taking advantage of these features may
become surprised when the results with FreeBSD are not as expected.
FreeBSD does not use the BIOS, and does not know the logical BIOS
drive mapping. This can lead to very perplexing situations,
especially when drives are physically identical in geometry, and have
also been made as data clones of one another.When using FreeBSD, always restore the BIOS to natural drive
numbering before installing FreeBSD, and then leave it that way. If you
need to switch drives around, then do so, but do it the hard way, and
open the case and move the jumpers and cables.An Illustration from the Files of Bill and Fred's Exceptional
Adventures:Bill breaks-down an older Wintel box to make another FreeBSD box
for Fred. Bill installs a single SCSI drive as SCSI unit zero and
installs FreeBSD on it.Fred begins using the system, but after several days notices that
the older SCSI drive is reporting numerous soft errors and reports
this fact to Bill.After several more days, Bill decides it is time to address the
situation, so he grabs an identical SCSI drive from the disk drive
archive in the back room. An initial surface scan
indicates that
this drive is functioning well, so Bill installs this drive as SCSI
unit four and makes an image copy from drive zero to drive four. Now
that the new drive is installed and functioning nicely, Bill decides
that it is a good idea to start using it, so he uses features in the
SCSI BIOS to re-order the disk drives so that the system boots from
SCSI unit four. FreeBSD boots and runs just fine.Fred continues his work for several days, and soon Bill and Fred
decide that it is time for a new adventure — time to upgrade to a
newer version of FreeBSD. Bill removes SCSI unit zero because it was
a bit flaky and replaces it with another identical disk drive from
the archive. Bill then installs the new version of
FreeBSD onto the new SCSI unit zero using Fred's magic Internet FTP
floppies. The installation goes well.Fred uses the new version of FreeBSD for a few days, and certifies
that it is good enough for use in the engineering department. It is
time to copy all of his work from the old version. So Fred mounts
SCSI unit four (the latest copy of the older FreeBSD version). Fred
is dismayed to find that none of his precious work is present on SCSI
unit four.Where did the data go?When Bill made an image copy of the original SCSI unit zero onto
SCSI unit four, unit four became the new clone.
When Bill re-ordered the SCSI BIOS so that he could boot from
SCSI unit four, he was only fooling himself.
FreeBSD was still running on SCSI unit zero.
Making this kind of BIOS change will cause some or all of the Boot and
Loader code to be fetched from the selected BIOS drive, but when the
FreeBSD kernel drivers take-over, the BIOS drive numbering will be
ignored, and FreeBSD will transition back to normal drive numbering.
In the illustration at hand, the system continued to operate on the
original SCSI unit zero, and all of Fred's data was there, not on SCSI
unit four. The fact that the system appeared to be running on SCSI
unit four was simply an artifact of human expectations.We are delighted to mention that no data bytes were killed or
harmed in any way by our discovery of this phenomenon. The older SCSI
unit zero was retrieved from the bone pile, and all of Fred's work was
returned to him, (and now Bill knows that he can count as high as
zero).Although SCSI drives were used in this illustration, the concepts
apply equally to IDE drives.Creating Slices Using FDiskNo changes you make at this point will be written to the disk.
If you think you have made a mistake and want to start again you can
use the menus to exit sysinstall and try
again or press U to use the Undo option.
If you get confused and can not see how to exit you can
always turn your computer off.After choosing to begin a standard installation in
sysinstall you will be shown this
message: Message
In the next menu, you will need to set up a DOS-style ("fdisk")
partitioning scheme for your hard disk. If you simply wish to devote
all disk space to FreeBSD (overwriting anything else that might be on
the disk(s) selected) then use the (A)ll command to select the default
partitioning scheme followed by a (Q)uit. If you wish to allocate only
free space to FreeBSD, move to a partition marked "unused" and use the
(C)reate command.
[ OK ]
[ Press enter or space ]Press Enter as instructed. You will then be
shown a list of all the hard drives that the kernel found when it
carried out the device probes.
shows an example from a
system with two IDE disks. They have been called
ad0 and ad2.Select Drive for FDiskYou might be wondering why ad1 is not
listed here. Why has it been missed?Consider what would happen if you had two IDE hard disks, one
as the master on the first IDE controller, and one as the master on
the second IDE controller. If FreeBSD numbered these as it found
them, as ad0 and
ad1 then everything would work.But if you then added a third disk, as the slave device on the
first IDE controller, it would now be ad1,
and the previous ad1 would become
ad2. Because device names (such as
ad1s1a) are used to find filesystems, you
may suddenly discover that some of your filesystems no longer
appear correctly, and you would need to change your FreeBSD
configuration.To work around this, the kernel can be configured to name IDE
disks based on where they are, and not the order in which they were
found. With this scheme the master disk on the second IDE
controller will always be
ad2, even if there are no
ad0 or ad1
devices.This configuration is the default for the FreeBSD kernel, which
is why this display shows ad0 and
ad2. The machine on which this screenshot
was taken had IDE disks on both master channels of the IDE
controllers, and no disks on the slave channels.You should select the disk on which you want to install FreeBSD,
and then press &gui.ok;.
FDisk will start, with a display similar to
that shown in .The FDisk display is broken into three
sections.The first section, covering the first two lines of the display,
shows details about the currently selected disk, including its FreeBSD
name, the disk geometry, and the total size of the disk.The second section shows the slices that are currently on the
disk, where they start and end, how large they are, the name FreeBSD
gives them, and their description and sub-type. This example shows two
small unused slices, which are artifacts of disk layout schemes on the
PC. It also shows one large FAT slice, which almost certainly appears
as C: in &ms-dos; / &windows;, and an extended
slice, which may contain other drive letters for &ms-dos; / &windows;.The third section shows the commands that are available in
FDisk.Typical Fdisk Partitions before EditingWhat you do now will depend on how you want to slice up your
disk.If you want to use FreeBSD for the entire disk (which will delete
all the other data on this disk when you confirm that you want
sysinstall to continue later in the
installation process) then you can press A, which
corresponds to the Use Entire Disk option.
The existing slices will be removed, and replaced with a small area
flagged as unused (again, an artifact of PC disk
layout), and then one large slice for FreeBSD. If you do this, then
you should select the newly created FreeBSD slice using the arrow
keys, and press S to mark the slice as being
bootable. The screen will then look very similar to
. Note the
A in the Flags column, which
indicates that this slice is active, and will be
booted from.If you will be deleting an existing slice to make space for
FreeBSD then you should select the slice using the arrow keys, and
then press D. You can then press C,
and be prompted for size of slice you want to create. Enter the
appropriate figure and press Enter. The default
value in this box represents the largest possible slice you can
make, which could be the largest contiguous block of unallocated
space or the size of the entire hard disk.If you have already made space for FreeBSD (perhaps by using a
tool such as &partitionmagic;) then you can
press C to create a new slice. Again, you will be
prompted for the size of slice you would like to create.Fdisk Partition Using Entire DiskWhen finished, press Q. Your changes will be
saved in sysinstall, but will not yet be
written to disk.Install a Boot ManagerYou now have the option to install a boot manager. In general,
you should choose to install the FreeBSD boot manager if:You have more than one drive, and have installed FreeBSD onto
a drive other than the first one.You have installed FreeBSD alongside another operating system
on the same disk, and you want to choose whether to start FreeBSD
or the other operating system when you start the computer.If FreeBSD is going to be the only operating system on
this machine, installed on the first hard disk, then the
Standard boot manager will suffice.
Choose None if you are using a
third-party boot manager capable of booting FreeBSD.Make your choice and press Enter.Sysinstall Boot Manager MenuThe help screen, reached by pressing F1,
discusses the problems that can be encountered when trying to share
the hard disk between operating systems.Creating Slices on Another DriveIf there is more than one drive, it will return to the
Select Drives screen after the boot manager selection. If you wish to
install FreeBSD on to more than one disk, then you can select another
disk here and repeat the slice process using
FDisk.If you are installing FreeBSD on a drive other than your
first, then the FreeBSD boot manager needs to be installed on
both drives.Exit Select DriveThe Tab key toggles between the last drive
selected, &gui.ok;, and
&gui.cancel;.Press the Tab once to toggle to the
&gui.ok;, then
press Enter
to continue with the installation.Creating Partitions Using
DisklabelYou must now create some partitions inside each slice that you
have just created. Remember that each partition is lettered, from
a through to h, and that
partitions b, c, and
d have conventional meanings that you should adhere
to.Certain applications can benefit from particular partition
schemes, especially if you are laying out partitions across more than
one disk. However, for this, your first FreeBSD installation, you do
not need to give too much thought to how you partition the disk. It
is more important that you install FreeBSD and start learning how to
use it. You can always re-install FreeBSD to change your partition
scheme when you are more familiar with the operating system.This scheme features four partitions—one for swap space, and
three for filesystems.
Partition Layout for First DiskPartitionFilesystemSizeDescriptiona/100 MBThis is the root filesystem. Every other filesystem
will be mounted somewhere under this one. 100 MB is a
reasonable size for this filesystem. You will not be storing
too much data on it, as a regular FreeBSD install will put
about 40 MB of data here. The remaining space is for temporary
data, and also leaves expansion space if future versions of
FreeBSD need more space in /.bN/A2-3 x RAMThe system's swap space is kept on this partition.
Choosing the right amount of swap space can be a bit of an
art. A good rule of thumb is that your swap
space should be two or three times as much as the
available physical memory (RAM).
You should also have at least 64 MB of swap, so if you have
less than 32 MB of RAM in your computer then set the swap
amount to 64 MB.
If you have more than one disk then you can put swap
space on each disk. FreeBSD will then use each disk for
swap, which effectively speeds up the act of swapping. In
this case, calculate the total amount of swap you need
(e.g., 128 MB), and then divide this by the number of disks
you have (e.g., two disks) to give the amount of swap you
should put on each disk, in this example, 64 MB of swap per
disk.e/var50 MBThe /var directory contains
files that are constantly varying;
log files, and other administrative files. Many
of these files are read-from or written-to extensively during
FreeBSD's day-to-day running. Putting these files on another
filesystem allows FreeBSD to optimize the access of these
files without affecting other files in other directories that
do not have the same access pattern.f/usrRest of diskAll your other files will typically be stored in
/usr and its subdirectories.
If you will be installing FreeBSD on to more than one disk then
you must also create partitions in the other slices that you
configured. The easiest way to do this is to create two partitions on
each disk, one for the swap space, and one for a filesystem.
Partition Layout for Subsequent DisksPartitionFilesystemSizeDescriptionbN/ASee descriptionAs already discussed, you can split swap space across
each disk. Even though the a partition is
free, convention dictates that swap space stays on the
b partition.e/disknRest of diskThe rest of the disk is taken up with one big partition.
This could easily be put on the a
partition, instead of the e partition.
However, convention says that the a
partition on a slice is reserved for the filesystem that will
be the root (/) filesystem. You do not
have to follow this convention, but
sysinstall does, so following it
yourself makes the installation slightly cleaner. You can
choose to mount this filesystem anywhere; this example
suggests that you mount them as directories
/diskn, where
n is a number that changes for each
disk. But you can use another scheme if you prefer.
Having chosen your partition layout you can now create it using
sysinstall. You will see this
message: Message
Now, you need to create BSD partitions inside of the fdisk
partition(s) just created. If you have a reasonable amount of disk
space (200MB or more) and don't have any special requirements, simply
use the (A)uto command to allocate space automatically. If you have
more specific needs or just don't care for the layout chosen by
(A)uto, press F1 for more information on manual layout.
[ OK ]
[ Press enter or space ]Press Enter to start the FreeBSD partition
editor, called Disklabel. shows the display when you first
start Disklabel. The display is divided in
to three sections.The first few lines show the name of the disk you are currently
working on, and the slice that contains the partitions you are
creating (at this point Disklabel calls
this the Partition name rather than slice name).
This display also shows the amount of free space within the slice;
that is, space that was set aside in the slice, but that has not yet
been assigned to a partition.The middle of the display shows the partitions that have been
created, the name of the filesystem that each partition contains,
their size, and some options pertaining to the creation of the
filesystem.The bottom third of the screen shows the keystrokes that are valid
in Disklabel.Sysinstall Disklabel EditorDisklabel can automatically create
partitions for you and assign them default sizes. Try this now, by
Pressing A. You will see a display similar to that
shown in . Depending on the size of
the disk you are using, the defaults may or may not be appropriate.
This does not matter, as you do not have to accept the
defaults.Beginning with FreeBSD 4.5, the default partitioning assigns
the /tmp directory its own partition instead
of being part of the / partition. This
helps avoid filling the / partition with
temporary files.Sysinstall Disklabel Editor with Auto DefaultsIf you choose to not use the default partitions and wish to
replace them with your
own, use the arrow keys to select the first partition, and press
D to delete it. Repeat this to delete all the
suggested partitions.To create the first partition (a, mounted as
/ — root), make sure the proper disk slice at the top of
the screen is selected and press C. A dialog box
will appear prompting you for the size of the new partition (as shown
in ). You can enter the size as
the number of disk blocks you want to use, or as a
number followed by either M for megabytes,
G for gigabytes, or C for
cylinders.Beginning with FreeBSD 5.X, users can: select
UFS2 using the Custom Newfs
(Z) option, create labels with
Auto Defaults and modify them with the Custom Newfs option or
add during the regular creation period.
Do not forget to add for SoftUpdates if you use the Custom Newfs
option!Free Space for Root PartitionThe default size shown will create a partition that takes up the
rest of the slice. If you are using the partition sizes described
in the earlier example, then delete the existing figure using
Backspace, and then type in
64M, as shown in
. Then press
&gui.ok;.Edit Root Partition SizeHaving chosen the partition's size you will then be asked whether
this partition will contain a filesystem or swap space. The dialog
box is shown in . This first
partition will contain a filesystem, so check that
FS is selected and press
Enter.Choose the Root Partition TypeFinally, because you are creating a filesystem, you must tell
Disklabel where the filesystem is to be
mounted. The dialog box is shown in
. The root filesystem's mount
point is /, so type /, and
then press Enter.Choose the Root Mount PointThe display will then update to show you the newly created
partition. You should repeat this procedure for the other
partitions. When you create the swap partition, you will not be
prompted for the filesystem mount point, as swap partitions are never
mounted. When you create the final partition,
/usr, you can leave the suggested size as is, to
use the rest of the slice.Your final FreeBSD DiskLabel Editor screen will appear similar to
, although your values chosen may
be different. Press Q to finish.Sysinstall Disklabel EditorChoosing What to InstallSelect the Distribution SetDeciding which distribution set to install will depend largely
on the intended use of the system and the amount of disk space
available. The predefined options range from installing the
smallest possible configuration to everything. Those who are
new to &unix; and/or FreeBSD should almost certainly select one
of these canned options. Customizing a distribution set is
typically for the more experienced user.Press F1 for more information on the
distribution set options and what they contain. When finished
reviewing the help, pressing Enter will return
to the Select Distributions Menu.If a graphical user interface is desired then a distribution
set that is preceded by an X should be
chosen. The configuration of &xfree86; and selection of a default
desktop is part of the post-installation steps.The default version of &xfree86; that is installed depends on the
version of the FreeBSD that you are installing. For FreeBSD versions
prior to 4.6, &xfree86; 3.X is installed. For FreeBSD 4.6 and later,
&xfree86; 4.X is the default.You should check to see whether your video card is supported at the
&xfree86; web site. If
your video card
is not supported under the default version that FreeBSD will install,
you should select a distribution without X for installation. After
installation, install and configure the appropriate version of
&xfree86; using the ports collection.If compiling a custom kernel is anticipated, select an option
which includes the source code. For more information on why a
custom kernel should be built or how to build a custom kernel, see
.Obviously, the most versatile system is one that includes
everything. If there is adequate disk space, select
All as shown in
by using the arrow keys and
press Enter. If there is a concern about disk
space consider using an option that is more suitable for the
situation.
Do not fret over the perfect choice, as other distributions can be
added after installation.Choose DistributionsInstalling the Ports CollectionAfter selecting the desired distribution, an opportunity to
install the FreeBSD Ports Collection is presented. The ports
collection is an easy and convenient way to install software.
The ports collection does not contain the source code necessary
to compile the software. Instead, it is a collection of files which
automates the downloading, compiling and installation
of third-party software packages.
discusses how to use the ports
collection.The installation program does not check to see if you have
adequate space. Select this option only if you have
adequate hard disk space. As of FreeBSD &rel.current;, the FreeBSD
Ports Collection takes up about &ports.size; of disk space.
You can safely assume a larger value for more recent versions
of FreeBSD. User Confirmation Requested
Would you like to install the FreeBSD ports collection?
This will give you ready access to over &os.numports; ported software packages,
at a cost of around &ports.size; of disk space when "clean" and possibly much
more than that if a lot of the distribution tarballs are loaded
(unless you have the extra CDs from a FreeBSD CD/DVD distribution
available and can mount it on /cdrom, in which case this is far less
of a problem).
The ports collection is a very valuable resource and well worth having
on your /usr partition, so it is advisable to say Yes to this option.
For more information on the ports collection & the latest ports,
visit:
http://www.FreeBSD.org/ports
[ Yes ] NoSelect &gui.yes; with the arrow keys to
install the ports collection or &gui.no; to
skip this option. Press Enter to continue.
The Choose Distributions menu will redisplay.Confirm DistributionsIf satisfied with the options, select
Exit with the arrow keys, ensure that
&gui.ok; is highlighted, and pressing
Enter to continue.Choosing Your Installation MediaIf Installing from a CDROM or DVD, use the arrow keys to highlight
Install from a FreeBSD CD/DVD. Ensure
that &gui.ok; is highlighted, then press
Enter to proceed with the installation.For other methods of installation, select the appropriate
option and follow the instructions.Press F1 to display the Online Help for
installation media. Press Enter to return
to the media selection menu.Choose Installation MediaFTP Installation ModesinstallationnetworkFTPThere are three FTP installation modes you can choose from:
active FTP, passive FTP, or via a HTTP proxy.FTP Active: Install from an FTP
serverThis option will make all FTP transfers
use Active
mode. This will not work through firewalls, but will
often work with older FTP servers that do not support
passive mode. If your connection hangs with passive
mode (the default), try active!FTP Passive: Install from an FTP server through a
firewallFTPpassive modeThis option instructs sysinstall to use
Passive mode for all FTP operations.
This allows the user to pass through firewalls
that do not allow incoming connections on random TCP ports.
FTP via a HTTP proxy: Install from an FTP server
through a http proxyFTPvia a HTTP proxyThis option instructs sysinstall to use the HTTP
protocol (like a web browser) to connect to a proxy
for all FTP operations. The proxy will translate
the requests and send them to the FTP server.
This allows the user to pass through firewalls
that do not allow FTP at all, but offer a HTTP
proxy.
In this case, you have to specify the proxy in
addition to the FTP server.For a proxy FTP server, you should usually give the name of the
server you really want as a part of the username, after an
@ sign. The proxy server then fakes
the real server. For example, assuming you want to install from
ftp.FreeBSD.org, using the proxy FTP
server foo.example.com, listening on port
1024.In this case, you go to the options menu, set the FTP username
to ftp@ftp.FreeBSD.org, and the password to your
email address. As your installation media, you specify FTP (or
passive FTP, if the proxy supports it), and the URL
ftp://foo.example.com:1234/pub/FreeBSD.Since /pub/FreeBSD from
ftp.FreeBSD.org is proxied under
foo.example.com, you are able to install
from that machine (which will fetch the files
from ftp.FreeBSD.org as your
installation requests them).Committing to the InstallationThe installation can now proceed if desired. This is also
the last chance for aborting the installation to prevent changes
to the hard drive. User Confirmation Requested
Last Chance! Are you SURE you want to continue the installation?
If you're running this on a disk with data you wish to save then WE
STRONGLY ENCOURAGE YOU TO MAKE PROPER BACKUPS before proceeding!
We can take no responsibility for lost disk contents!
[ Yes ] NoSelect &gui.yes; and press
Enter to proceed.The installation time will vary according to the distribution
chosen, installation media, and the speed of the computer.
There will be a series of
messages displayed indicating the status.The installation is complete when the following message is
displayed: Message
Congratulations! You now have FreeBSD installed on your system.
We will now move on to the final configuration questions.
For any option you do not wish to configure, simply select No.
If you wish to re-enter this utility after the system is up, you may
do so by typing: /stand/sysinstall .
[ OK ]
[ Press enter to continue ]Press Enter to proceed with post-installation
configurations.Selecting &gui.no; and pressing
Enter will abort
the installation so no changes will be made to your system. The
following message will appear: Message
Installation complete with some errors. You may wish to scroll
through the debugging messages on VTY1 with the scroll-lock feature.
You can also choose "No" at the next prompt and go back into the
installation menus to retry whichever operations have failed.
[ OK ]This message is generated because nothing was installed.
Pressing Enter will return to the
Main Installation Menu to exit the installation.Post-installationConfiguration of various options follows the successful
installation. An option can be configured by re-entering the
configuration options before booting the new FreeBSD
system or after installation using
/stand/sysinstall and selecting
Configure.Network Device ConfigurationIf you previously configured PPP for an FTP install, this screen
will not display and can be configured later as described
above.For detailed information on Local Area Networks and
configuring FreeBSD as a gateway/router refer to the
Advanced Networking
chapter. User Confirmation Requested
Would you like to configure any Ethernet or SLIP/PPP network devices?
[ Yes ] NoTo configure a network device, select
&gui.yes; and press Enter.
Otherwise, select &gui.no; to continue.Selecting an Ethernet DeviceSelect the interface to be configured with the arrow keys and press
Enter. User Confirmation Requested
Do you want to try IPv6 configuration of the interface?
Yes [ No ]In this private local area network, the current Internet
type protocol (IPv4) was sufficient and &gui.no;
was selected with the arrow keys and Enter
pressed.If you are connected to an existing IPv6 network
with an RA server, then choose
&gui.yes; and press Enter.
It will take several seconds to scan for RA servers. User Confirmation Requested
Do you want to try DHCP configuration of the interface?
Yes [ No ]If DHCP (Dynamic Host Configuration Protocol) is not required
select &gui.no; with the arrow keys and press
Enter.Selecting &gui.yes; will execute
dhclient, and if successful, will fill
in the network configuration information automatically. Refer to
for more information.The following Network Configuration screen shows the
configuration of the Ethernet device for a system that will act
as the gateway for a Local Area Network.Set Network Configuration for ed0Use Tab to select the information fields and
fill in appropriate information:HostThe fully-qualified hostname, such as k6-2.example.com in
this case.DomainThe name of the domain that your machine is
in, such as example.com for this case.IPv4 GatewayIP address of host forwarding packets to non-local
destinations. You must fill this in if the machine is a node
on the network. Leave this field blank
if the machine is the gateway to the Internet for the
network. The IPv4 Gateway is also known as the default
gateway or default route.Name serverIP address of your local DNS server. There is no local
DNS server on this private local area network so the IP
address of the provider's DNS server
(208.163.10.2) was used.IPv4 addressThe IP address to be used for this interface was
192.168.0.1NetmaskThe address block being used for this local area
network is a Class C block
(192.168.0.0 -
192.168.255.255).
The default netmask is for a Class C network
(255.255.255.0).Extra options to ifconfigAny interface-specific options to ifconfig
you would like to add. There were none in this case.Use Tab to select &gui.ok;
when finished and press Enter. User Confirmation Requested
Would you like to Bring Up the ed0 interface right now?
[ Yes ] NoChoosing &gui.yes; and pressing
Enter will bring
the machine up on the network and be ready for use. However,
this does not accomplish much during installation, since
the machine still needs to be rebooted.Configure Gateway User Confirmation Requested
Do you want this machine to function as a network gateway?
[ Yes ] NoIf the machine will be acting as the gateway for a local area
network and forwarding packets between other machines then select
&gui.yes; and press Enter.
If the machine is a node on a network then
select &gui.no; and press
Enter to continue.Configure Internet Services User Confirmation Requested
Do you want to configure inetd and the network services that it provides?
Yes [ No ]If &gui.no; is selected, various services
such telnetd will not be enabled. This
means that remote users will not be able to
telnet into this machine. Local users
will be still be able to access remote machines with
telnet.These services can be enabled after installation by editing
/etc/inetd.conf with your favorite text editor.
See for more information.Select &gui.yes; if you wish to
configure these services during install. An additional
confirmation will display: User Confirmation Requested
The Internet Super Server (inetd) allows a number of simple Internet
services to be enabled, including finger, ftp and telnetd. Enabling
these services may increase risk of security problems by increasing
the exposure of your system.
With this in mind, do you wish to enable inetd?
[ Yes ] NoSelect &gui.yes; to continue. User Confirmation Requested
inetd(8) relies on its configuration file, /etc/inetd.conf, to determine
which of its Internet services will be available. The default FreeBSD
inetd.conf(5) leaves all services disabled by default, so they must be
specifically enabled in the configuration file before they will
function, even once inetd(8) is enabled. Note that services for
IPv6 must be separately enabled from IPv4 services.
Select [Yes] now to invoke an editor on /etc/inetd.conf, or [No] to
use the current settings.
[ Yes ] NoSelecting &gui.yes; will allow adding
services by deleting the # at the beginning
of a line.Editing inetd.confAfter adding the desired services, pressing Esc
will display a menu which will allow exiting and saving
the changes.Anonymous FTP User Confirmation Requested
Do you want to have anonymous FTP access to this machine?
Yes [ No ]Deny Anonymous FTPSelecting the default &gui.no; and pressing
Enter will still allow users who have accounts
with passwords to use FTP to access the machine.Allow Anonymous FTPAnyone can access your machine if you elect to allow
anonymous FTP connections. The security implications should be
considered before enabling this option. For more information
about security see .To allow anonymous FTP, use the arrow keys to select
&gui.yes; and press Enter.
The following screen (or similar) will display:Default Anonymous FTP ConfigurationPressing F1 will display the help:This screen allows you to configure the anonymous FTP user.
The following configuration values are editable:
UID: The user ID you wish to assign to the anonymous FTP user.
All files uploaded will be owned by this ID.
Group: Which group you wish the anonymous FTP user to be in.
Comment: String describing this user in /etc/passwd
FTP Root Directory:
Where files available for anonymous FTP will be kept.
Upload subdirectory:
Where files uploaded by anonymous FTP users will go.The ftp root directory will be put in /var
by default. If you do not have enough room there for the
anticipated FTP needs, the /usr directory
could be used by setting the FTP Root Directory to
/usr/ftp.When you are satisfied with the values, press
Enter to continue. User Confirmation Requested
Create a welcome message file for anonymous FTP users?
[ Yes ] NoIf you select &gui.yes; and press
Enter, an editor will automatically start
allowing you to edit the message.Edit the FTP Welcome MessageThis is a text editor called ee. Use the
instructions to change the message or change the message later
using a text editor of your choice. Note the file name/location
at the bottom of the editor screen.Press Esc and a pop-up menu will default
to a) leave editor. Press
Enter to exit and continue. Press
Enter again to save changes if you made
any.Configure Network File SystemNetwork File System (NFS) allows sharing of files across a
network. A machine can be configured as a server, a client, or
both. Refer to for a more information.NFS Server User Confirmation Requested
Do you want to configure this machine as an NFS server?
Yes [ No ]If there is no need for a Network File System server,
select &gui.no; and press
Enter.If &gui.yes; is chosen, a message will
pop-up indicating that the exports file must be
created. Message
Operating as an NFS server means that you must first configure an
/etc/exports file to indicate which hosts are allowed certain kinds of
access to your local filesystems.
Press [Enter] now to invoke an editor on /etc/exports
[ OK ]Press Enter to continue. A text editor will
start allowing the exports file to be created
and edited.Editing exportsUse the instructions to add the actual exported filesystems
now or later using a text editor of your choice. Note the
file name/location at the bottom of the editor screen.Press Esc and a pop-up menu will default to
a) leave editor. Press
Enter to exit and continue.NFS ClientThe NFS client allows your machine to access NFS servers. User Confirmation Requested
Do you want to configure this machine as an NFS client?
Yes [ No ]With the arrow keys, select &gui.yes;
or &gui.no; as appropriate and
press Enter.Security ProfileA security profile is a set of
configuration options that attempts to achieve the desired
ratio of security to convenience by enabling and disabling
certain programs and other settings. The more severe the
security profile, the fewer programs will be enabled by
default. This is one of the basic principles of security: do
not run anything except what you must.Please note that the security profile is just a default
setting. All programs can be enabled and disabled after you
have installed FreeBSD by editing or adding the appropriate
line(s) to /etc/rc.conf. For more
information, please see the &man.rc.conf.5; manual
page.The following table describes what each of the security
profiles does. The columns are the choices you have for a
security profile, and the rows are the program or feature that
the profile enables or disables.
Possible Security ProfilesExtremeModerate&man.sendmail.8;NOYES&man.sshd.8;NOYES&man.portmap.8;NOMAYBE
The portmapper is enabled if the machine has
been configured as an NFS client or server earlier
in the installation.NFS serverNOYES&man.securelevel.8;YES
If you choose a security profile that sets the
securelevel to Extreme or
High, you must be aware of the
implications. Please read the &man.init.8;
manual page and pay particular attention to the
meanings of the security levels, or you may have
significant trouble later!NO
User Confirmation Requested
Do you want to select a default security profile for this host (select
No for "medium" security)?
[ Yes ] NoSelecting &gui.no; and pressing
Enter will set the security profile to medium.Selecting &gui.yes; and pressing
Enter will allow selecting a different security
profile.Security Profile OptionsPress F1 to display the help. Press
Enter to return to selection menu.Use the arrow keys to choose Medium
unless your are sure that another level is required for your needs.
With &gui.ok; highlighted, press
Enter.An appropriate confirmation message will display depending on
which security setting was chosen. Message
Moderate security settings have been selected.
Sendmail and SSHd have been enabled, securelevels are
disabled, and NFS server setting have been left intact.
PLEASE NOTE that this still does not save you from having
to properly secure your system in other ways or exercise
due diligence in your administration, this simply picks
a standard set of out-of-box defaults to start with.
To change any of these settings later, edit /etc/rc.conf
[OK] Message
Extreme security settings have been selected.
Sendmail, SSHd, and NFS services have been disabled, and
securelevels have been enabled.
PLEASE NOTE that this still does not save you from having
to properly secure your system in other ways or exercise
due diligence in your administration, this simply picks
a more secure set of out-of-box defaults to start with.
To change any of these settings later, edit /etc/rc.conf
[OK]Press Enter to continue with the
post-installation configuration.The security profile is not a silver bullet! Even if
you use the extreme setting, you need to keep up with
security issues by reading an appropriate mailing
list (),
using good passwords and passphrases, and
generally adhering to good security practices. It simply
sets up the desired security to convenience ratio out of the
box.System Console SettingsThere are several options available to customize the system
console. User Confirmation Requested
Would you like to customize your system console settings?
[ Yes ] NoTo view and configure the options, select
&gui.yes; and press
Enter.System Console Configuration OptionsA commonly used option is the screen saver. Use the arrow keys
to select Saver and then press
Enter.Screen Saver OptionsSelect the desired screen saver using the arrow keys
and then press Enter. The System Console
Configuration menu will redisplay.The default time interval is 300 seconds. To change the time
interval, select Saver again. At the
Screen Saver Options menu, select Timeout
using the arrow keys and press Enter. A pop-up
menu will appear:Screen Saver TimeoutThe value can be changed, then select &gui.ok;
and press Enter to return to the System Console
Configuration menu.System Console Configuration ExitSelecting Exit and pressing
Enter will continue with the post-installation
configurations.Setting the Time ZoneSetting the time zone for your machine will allow it to
automatically correct for any regional time changes and perform
other time zone related functions properly.The example shown is for a machine located in the Eastern
time zone of the United States. Your selections will vary according
to your geographical location. User Confirmation Requested
Would you like to set this machine's time zone now?
[ Yes ] NoSelect &gui.yes; and press
Enter to set the time zone. User Confirmation Requested
Is this machine's CMOS clock set to UTC? If it is set to local time
or you don't know, please choose NO here!
Yes [ No ]Select &gui.yes;
or &gui.no; according to how the machine's
clock is configured and press Enter.Select Your RegionThe appropriate region is selected using the arrow keys
and then pressing Enter.Select Your CountrySelect the appropriate country using the arrow keys
and press Enter.Select Your Time ZoneThe appropriate time zone is selected using the arrow
keys and pressing Enter. Confirmation
Does the abbreviation 'EDT' look reasonable?
[ Yes ] NoConfirm the abbreviation for the time zone is correct.
If it looks okay, press Enter to continue with
the post-installation configuration.Linux Compatibility User Confirmation Requested
Would you like to enable Linux binary compatibility?
[ Yes ] NoSelecting &gui.yes; and pressing
Enter will allow
running Linux software on FreeBSD. The install will add
the appropriate packages for Linux compatibility.If installing by FTP, the machine will need to be connected to
the Internet. Sometimes a remote ftp site will not have all the
distributions like the Linux binary compatibility. This can
be installed later if necessary.Mouse SettingsThis option will allow you to cut and paste text in the
console and user programs with a 3-button mouse. If using a 2-button
mouse, refer to manual page, &man.moused.8;, after installation for
details on emulating the 3-button style. This example depicts a
non-USB mouse configuration (such as a PS/2 or COM port mouse): User Confirmation Requested
Does this system have a non-USB mouse attached to it?
[ Yes ] No Select &gui.yes; for a non-USB mouse or
&gui.no; for a USB mouse and press
Enter.Select Mouse Protocol TypeUse the arrow keys to select Type and
press Enter.Set Mouse ProtocolThe mouse used in this example is a PS/2 type, so the default
Auto was appropriate. To change protocol,
use the arrow keys to select another option. Ensure that &gui.ok; is
highlighted and press Enter to exit this menu.Configure Mouse PortUse the arrow keys to select Port and
press Enter.Setting the Mouse PortThis system had a PS/2 mouse, so the default
PS/2 was appropriate. To change the port,
use the arrow keys and then press Enter.Enable the Mouse DaemonLast, use the arrow keys to select
Enable, and press
Enter to enable and test the mouse
daemon.Test the Mouse DaemonMove the mouse around the screen and verify the cursor
shown responds properly. If it does, select
&gui.yes; and press Enter. If
not, the mouse has not been configured correctly — select
&gui.no; and try using different configuration
options.Select Exit with the arrow keys
and press Enter to return to continue with the
post-installation configuration.Configure Additional Network ServicesConfiguring network services can be a daunting
task for new users if they lack previous
knowledge in this area. Networking, including the Internet,
is critical to all modern operating systems including &os;;
as a result, it is very useful to have some understanding
&os;'s extensive networking capabilities. Doing this
during the installation will ensure users have some
understanding of the various services available to them.Network services are programs that accept input from
anywhere on the network. Every effort is made to make sure
these programs will not do anything harmful.
Unfortunately, programmers are not perfect and through time
there have been cases where bugs in network services have been
exploited by attackers to do bad things. It is important that
you only enable the network services you know that you need. If
in doubt it is best if you do not enable a network service until
you find out that you do need it. You can always enable it
later by re-running sysinstall or by
using the features provided by the
/etc/rc.conf file.Selecting the Networking option will display
a menu similar to the one below:Network Configuration Upper-levelThe first option, Interfaces, was previously covered during
the , thus this option can
safely be ignored.Selecting the AMD option adds
support for the BSD automatic mount utility.
This is usually used in conjunction with the
NFS protocol (see below)
for automatically mounting remote file systems.
No special configuration is required here.Next in line is the AMD Flags
option. When selected, a menu will pop up for you
to enter specific AMD flags.
The menu already contains a set of default options:-a /.amd_mnt -l syslog /host /etc/amd.map /net /etc/amd.mapThe option sets the default mount
location which is specified here as
/.amd_mnt. The
option specifies the default log file;
however, when syslogd is used all log
activity will be sent to the system log daemon. The
- /host directory is used
+ /host directory is used
to mount an exported file system from a remote
- host, while /net
+ host, while /net
directory is used to mount an exported file system from an
IP address. The
/etc/amd.map file defines the default
options for AMD exports.The Anon FTP option permits anonymous
FTP connections. Select this option to
make this machine an anonymous FTP server.
Be aware of the security risks involved with this option.
Another menu will be displayed to explain the security risks
and configuration in depth.The Gateway configuration menu will set
the machine up to be a gateway as explained previously. This
can be used to unset the Gateway option if you accidentally
selected it during the installation process.The Inetd option can be used to configure
or completely disable the &man.inetd.8; daemon as discussed
above.The Mail option is used to configure the system's
default MTA or Mail Transfer Agent.
Selecting this option will bring up the following menu:Select a default MTAHere you are offered a choice as to which
MTA to install
and set as the default. An MTA is nothing
more than a mail server which delivers email to users on the
system or the Internet.Selecting Sendmail will install
the popular sendmail server which
is the &os; default. The Sendmail local option
will set sendmail to be the default
MTA, but disable its ability to receive
incoming email from the Internet. The other options here,
Postfix and
Exim act similar to
Sendmail. They both deliver
email; however, some users prefer these alternatives to the
sendmail
MTA.After selecting an MTA, or choosing
not to select an MTA, the network configuration menu will appear
with the next option being NFS client.The NFS client option will
configure the system to communicate with a server via
NFS. An NFS server
makes file systems available to other machines on the
network via the NFS protocol. If this is
a stand alone machine, this option can remain unselected.
The system may require more configuration later; see
for more
information about client and server configuration.Below that option is the NFS server
option, permitting you to set the system up as an
NFS server. This adds the required
information to start up the RPC remote
procedure call services. RPC is used to
coordinate connections between hosts and programs.Next in line is the Ntpdate option,
which deals with time synchronization. When selected, a menu
like the one below shows up:Ntpdate ConfigurationFrom this menu, select the server which is the closest
to your location. Selecting a close one will make the time
synchronization more accurate as a server further from your
location may have more connection latency.The next option is the PCNFSD selection.
This option will install the
net/pcnfsd package from
the ports collection. This is a useful utility which provides
NFS authentication services for systems which
are unable to provide their own, such as Microsoft's
&ms-dos; operating system.Now you must scroll down a bit to see the other
options:Network Configuration Lower-levelThe &man.rpcbind.8;, &man.rpc.statd.8;, and
&man.rpc.lockd.8; utilities are all used for Remote Procedure
Calls (RPC).
The rpcbind utility manages communication
between NFS servers and clients, and is
required for NFS servers to operate
correctly. The rpc.statd daemon interacts
with the rpc.statd daemon on other hosts to
provide status monitoring. The reported status is usually held
in the /var/db/statd.status file. The
next option listed here is the rpc.lockd
option, which, when selected, will provide file locking
services. This is usually used with
rpc.statd to monitor what hosts are
requesting locks and how frequently they request them.
While these last two options are marvelous for debugging, they
are not required for NFS servers and clients
to operate correctly.As you progress down the list the next item here is
Routed, which is the routing daemon. The
&man.routed.8; utility manages network routing tables,
discovers multicast routers, and supplies a copy of the routing
tables to any physically connected host on the network upon
request. This is mainly used for machines which act as a
gateway for the local network. When selected, a menu will be
presented requesting the default location of the utility.
The default location is already defined for you and can be
selected with the Enter key. You will then
be presented with yet another menu, this time asking for the
flags you wish to pass on to routed. The
default is and it should already appear
on the screen.Next in line is the Rwhod option which,
when selected, will start the &man.rwhod.8; daemon
during system initialization. The rwhod
utility broadcasts system messages across the network
periodically, or collects them when in consumer
mode. More information can be found in the &man.ruptime.1; and
&man.rwho.1; manual pages.The next to the last option in the list is for the
&man.sshd.8; daemon. This is the secure shell server for
OpenSSH and it is highly recommended
over the standard telnet and
FTP servers. The sshd
server is used to create a secure connection from one host to
another by using encrypted connections.Finally there is the TCP Extensions
option. This enables the TCP Extensions
defined in RFC 1323 and
RFC 1644. While on many hosts this can
speed up connections, it can also cause some connections to be
dropped. It is not recommended for servers, but may be
beneficial for stand alone machines.Now that you have configured the network services, you can
scroll up to the very top item which is Exit
and continue on to the next configuration section.Configure X ServerIn order to use a graphical user interface such as
KDE, GNOME,
or others, the X server will need to be configured.In order to run &xfree86; as a
non root user you will need to
have x11/wrapper installed.
This is installed by default beginning with FreeBSD 4.7. For
earlier versions this can be added
from the Package Selection menu.To see whether your video card is supported, check the
&xfree86; web site. User Confirmation Requested
Would you like to configure your X server at this time?
[ Yes ] NoIt is necessary to know your monitor specifications and
video card information. Equipment damage can occur if settings
are incorrect. If you do not have this information, select
&gui.no; and perform the configuration
after installation when you have the information using
/stand/sysinstall, selecting
Configure and then
XFree86. Improper configuration
of the X server at this time can leave the machine in a
frozen state. It is often advised to configure the X server
once the installation has completed.
If you have graphics card and monitor information, select
&gui.yes; and press Enter
to proceed with configuring the X server.Select Configuration Method MenuThere are several ways to configure the X server.
Use the arrow keys to select one of the methods and press
Enter. Be sure to read all instructions
carefully.The xf86cfg and
xf86cfg -textmode methods may make the screen
go dark and take a few seconds to start. Be patient.The following will illustrate the use of the
xf86config configuration tool. The
configuration choices you make will depend on the hardware in the
system so your choices will probably be different than those
shown: Message
You have configured and been running the mouse daemon.
Choose "/dev/sysmouse" as the mouse port and "SysMouse" or
"MouseSystems" as the mouse protocol in the X configuration utility.
[ OK ]
[ Press enter to continue ]This indicates that the mouse daemon previously configured has been
detected.
Press Enter to continue.Starting xf86config will display
a brief introduction:This program will create a basic XF86Config file, based on menu selections you
make.
The XF86Config file usually resides in /usr/X11R6/etc/X11 or /etc/X11. A sample
XF86Config file is supplied with XFree86; it is configured for a standard
VGA card and monitor with 640x480 resolution. This program will ask for a
pathname when it is ready to write the file.
You can either take the sample XF86Config as a base and edit it for your
configuration, or let this program produce a base XF86Config file for your
configuration and fine-tune it.
Before continuing with this program, make sure you know what video card
you have, and preferably also the chipset it uses and the amount of video
memory on your video card. SuperProbe may be able to help with this.
Press enter to continue, or ctrl-c to abort.Pressing Enter will start the mouse
configuration. Be sure to follow the instructions and use
Mouse Systems as the mouse protocol and
/dev/sysmouse as the mouse port even if
using a PS/2 mouse is shown as an illustration.First specify a mouse protocol type. Choose one from the following list:
1. Microsoft compatible (2-button protocol)
2. Mouse Systems (3-button protocol) & FreeBSD moused protocol
3. Bus Mouse
4. PS/2 Mouse
5. Logitech Mouse (serial, old type, Logitech protocol)
6. Logitech MouseMan (Microsoft compatible)
7. MM Series
8. MM HitTablet
9. Microsoft IntelliMouse
If you have a two-button mouse, it is most likely of type 1, and if you have
a three-button mouse, it can probably support both protocol 1 and 2. There are
two main varieties of the latter type: mice with a switch to select the
protocol, and mice that default to 1 and require a button to be held at
boot-time to select protocol 2. Some mice can be convinced to do 2 by sending
a special sequence to the serial port (see the ClearDTR/ClearRTS options).
Enter a protocol number: 2
You have selected a Mouse Systems protocol mouse. If your mouse is normally
in Microsoft-compatible mode, enabling the ClearDTR and ClearRTS options
may cause it to switch to Mouse Systems mode when the server starts.
Please answer the following question with either 'y' or 'n'.
Do you want to enable ClearDTR and ClearRTS? n
You have selected a three-button mouse protocol. It is recommended that you
do not enable Emulate3Buttons, unless the third button doesn't work.
Please answer the following question with either 'y' or 'n'.
Do you want to enable Emulate3Buttons? y
Now give the full device name that the mouse is connected to, for example
/dev/tty00. Just pressing enter will use the default, /dev/mouse.
On FreeBSD, the default is /dev/sysmouse.
Mouse device: /dev/sysmouseThe keyboard is the next item to be configured. A generic
101-key model is shown for illustration. Any name may be used
for the variant or simply press Enter to accept
the default value.Please select one of the following keyboard types that is the better
description of your keyboard. If nothing really matches,
choose 1 (Generic 101-key PC)
1 Generic 101-key PC
2 Generic 102-key (Intl) PC
3 Generic 104-key PC
4 Generic 105-key (Intl) PC
5 Dell 101-key PC
6 Everex STEPnote
7 Keytronic FlexPro
8 Microsoft Natural
9 Northgate OmniKey 101
10 Winbook Model XP5
11 Japanese 106-key
12 PC-98xx Series
13 Brazilian ABNT2
14 HP Internet
15 Logitech iTouch
16 Logitech Cordless Desktop Pro
17 Logitech Internet Keyboard
18 Logitech Internet Navigator Keyboard
19 Compaq Internet
20 Microsoft Natural Pro
21 Genius Comfy KB-16M
22 IBM Rapid Access
23 IBM Rapid Access II
24 Chicony Internet Keyboard
25 Dell Internet Keyboard
Enter a number to choose the keyboard.
1
Please select the layout corresponding to your keyboard
1 U.S. English
2 U.S. English w/ ISO9995-3
3 U.S. English w/ deadkeys
4 Albanian
5 Arabic
6 Armenian
7 Azerbaidjani
8 Belarusian
9 Belgian
10 Bengali
11 Brazilian
12 Bulgarian
13 Burmese
14 Canadian
15 Croatian
16 Czech
17 Czech (qwerty)
18 Danish
Enter a number to choose the country.
Press enter for the next page
1
Please enter a variant name for 'us' layout. Or just press enter
for default variant
us
Please answer the following question with either 'y' or 'n'.
Do you want to select additional XKB options (group switcher,
group indicator, etc.)? nNext, we proceed to the configuration for the monitor. Do not
exceed the ratings of your monitor. Damage could occur. If you
have any doubts, do the configuration after you have the
information.Now we want to set the specifications of the monitor. The two critical
parameters are the vertical refresh rate, which is the rate at which the
whole screen is refreshed, and most importantly the horizontal sync rate,
which is the rate at which scanlines are displayed.
The valid range for horizontal sync and vertical sync should be documented
in the manual of your monitor. If in doubt, check the monitor database
/usr/X11R6/lib/X11/doc/Monitors to see if your monitor is there.
Press enter to continue, or ctrl-c to abort.
You must indicate the horizontal sync range of your monitor. You can either
select one of the predefined ranges below that correspond to industry-
standard monitor types, or give a specific range.
It is VERY IMPORTANT that you do not specify a monitor type with a horizontal
sync range that is beyond the capabilities of your monitor. If in doubt,
choose a conservative setting.
hsync in kHz; monitor type with characteristic modes
1 31.5; Standard VGA, 640x480 @ 60 Hz
2 31.5 - 35.1; Super VGA, 800x600 @ 56 Hz
3 31.5, 35.5; 8514 Compatible, 1024x768 @ 87 Hz interlaced (no 800x600)
4 31.5, 35.15, 35.5; Super VGA, 1024x768 @ 87 Hz interlaced, 800x600 @ 56 Hz
5 31.5 - 37.9; Extended Super VGA, 800x600 @ 60 Hz, 640x480 @ 72 Hz
6 31.5 - 48.5; Non-Interlaced SVGA, 1024x768 @ 60 Hz, 800x600 @ 72 Hz
7 31.5 - 57.0; High Frequency SVGA, 1024x768 @ 70 Hz
8 31.5 - 64.3; Monitor that can do 1280x1024 @ 60 Hz
9 31.5 - 79.0; Monitor that can do 1280x1024 @ 74 Hz
10 31.5 - 82.0; Monitor that can do 1280x1024 @ 76 Hz
11 Enter your own horizontal sync range
Enter your choice (1-11): 6
You must indicate the vertical sync range of your monitor. You can either
select one of the predefined ranges below that correspond to industry-
standard monitor types, or give a specific range. For interlaced modes,
the number that counts is the high one (e.g. 87 Hz rather than 43 Hz).
1 50-70
2 50-90
3 50-100
4 40-150
5 Enter your own vertical sync range
Enter your choice: 2
You must now enter a few identification/description strings, namely an
identifier, a vendor name, and a model name. Just pressing enter will fill
in default names.
The strings are free-form, spaces are allowed.
Enter an identifier for your monitor definition: HitachiThe selection of a video card driver from a list is
next. If you pass your card on the list, continue to press
Enter and the list will repeat. Only an
excerpt from the list is shown:Now we must configure video card specific settings. At this point you can
choose to make a selection out of a database of video card definitions.
Because there can be variation in Ramdacs and clock generators even
between cards of the same model, it is not sensible to blindly copy
the settings (e.g. a Device section). For this reason, after you make a
selection, you will still be asked about the components of the card, with
the settings from the chosen database entry presented as a strong hint.
The database entries include information about the chipset, what driver to
run, the Ramdac and ClockChip, and comments that will be included in the
Device section. However, a lot of definitions only hint about what driver
to run (based on the chipset the card uses) and are untested.
If you can't find your card in the database, there's nothing to worry about.
You should only choose a database entry that is exactly the same model as
your card; choosing one that looks similar is just a bad idea (e.g. a
GemStone Snail 64 may be as different from a GemStone Snail 64+ in terms of
hardware as can be).
Do you want to look at the card database? y
288 Matrox Millennium G200 8MB mgag200
289 Matrox Millennium G200 SD 16MB mgag200
290 Matrox Millennium G200 SD 4MB mgag200
291 Matrox Millennium G200 SD 8MB mgag200
292 Matrox Millennium G400 mgag400
293 Matrox Millennium II 16MB mga2164w
294 Matrox Millennium II 4MB mga2164w
295 Matrox Millennium II 8MB mga2164w
296 Matrox Mystique mga1064sg
297 Matrox Mystique G200 16MB mgag200
298 Matrox Mystique G200 4MB mgag200
299 Matrox Mystique G200 8MB mgag200
300 Matrox Productiva G100 4MB mgag100
301 Matrox Productiva G100 8MB mgag100
302 MediaGX mediagx
303 MediaVision Proaxcel 128 ET6000
304 Mirage Z-128 ET6000
305 Miro CRYSTAL VRX Verite 1000
Enter a number to choose the corresponding card definition.
Press enter for the next page, q to continue configuration.
288
Your selected card definition:
Identifier: Matrox Millennium G200 8MB
Chipset: mgag200
Driver: mga
Do NOT probe clocks or use any Clocks line.
Press enter to continue, or ctrl-c to abort.
Now you must give information about your video card. This will be used for
the "Device" section of your video card in XF86Config.
You must indicate how much video memory you have. It is probably a good
idea to use the same approximate amount as that detected by the server you
intend to use. If you encounter problems that are due to the used server
not supporting the amount memory you have (e.g. ATI Mach64 is limited to
1024K with the SVGA server), specify the maximum amount supported by the
server.
How much video memory do you have on your video card:
1 256K
2 512K
3 1024K
4 2048K
5 4096K
6 Other
Enter your choice: 6
Amount of video memory in Kbytes: 8192
You must now enter a few identification/description strings, namely an
identifier, a vendor name, and a model name. Just pressing enter will fill
in default names (possibly from a card definition).
Your card definition is Matrox Millennium G200 8MB.
The strings are free-form, spaces are allowed.
Enter an identifier for your video card definition:Next, the video modes are set for the resolutions
desired. Typically, useful ranges are 640x480, 800x600, and 1024x768
but those are a function of video card capability, monitor size,
and eye comfort. When selecting a color depth, select the highest
mode that your card will support.For each depth, a list of modes (resolutions) is defined. The default
resolution that the server will start-up with will be the first listed
mode that can be supported by the monitor and card.
Currently it is set to:
"640x480" "800x600" "1024x768" "1280x1024" for 8-bit
"640x480" "800x600" "1024x768" "1280x1024" for 16-bit
"640x480" "800x600" "1024x768" "1280x1024" for 24-bit
Modes that cannot be supported due to monitor or clock constraints will
be automatically skipped by the server.
1 Change the modes for 8-bit (256 colors)
2 Change the modes for 16-bit (32K/64K colors)
3 Change the modes for 24-bit (24-bit color)
4 The modes are OK, continue.
Enter your choice: 2
Select modes from the following list:
1 "640x400"
2 "640x480"
3 "800x600"
4 "1024x768"
5 "1280x1024"
6 "320x200"
7 "320x240"
8 "400x300"
9 "1152x864"
a "1600x1200"
b "1800x1400"
c "512x384"
Please type the digits corresponding to the modes that you want to select.
For example, 432 selects "1024x768" "800x600" "640x480", with a
default mode of 1024x768.
Which modes? 432
You can have a virtual screen (desktop), which is screen area that is larger
than the physical screen and which is panned by moving the mouse to the edge
of the screen. If you don't want virtual desktop at a certain resolution,
you cannot have modes listed that are larger. Each color depth can have a
differently-sized virtual screen
Please answer the following question with either 'y' or 'n'.
Do you want a virtual screen that is larger than the physical screen? n
For each depth, a list of modes (resolutions) is defined. The default
resolution that the server will start-up with will be the first listed
mode that can be supported by the monitor and card.
Currently it is set to:
"640x480" "800x600" "1024x768" "1280x1024" for 8-bit
"1024x768" "800x600" "640x480" for 16-bit
"640x480" "800x600" "1024x768" "1280x1024" for 24-bit
Modes that cannot be supported due to monitor or clock constraints will
be automatically skipped by the server.
1 Change the modes for 8-bit (256 colors)
2 Change the modes for 16-bit (32K/64K colors)
3 Change the modes for 24-bit (24-bit color)
4 The modes are OK, continue.
Enter your choice: 4
Please specify which color depth you want to use by default:
1 1 bit (monochrome)
2 4 bits (16 colors)
3 8 bits (256 colors)
4 16 bits (65536 colors)
5 24 bits (16 million colors)
Enter a number to choose the default depth.
4Finally, the configuration needs to be saved. Be sure
to enter /etc/XF86Config as the location
for saving the configuration.I am going to write the XF86Config file now. Make sure you don't accidently
overwrite a previously configured one.
Shall I write it to /etc/X11/XF86Config? yIf the configuration fails, you can try the configuration again
by selecting &gui.yes; when the following
message appears: User Confirmation Requested
The XFree86 configuration process seems to have
failed. Would you like to try again?
[ Yes ] NoIf you have trouble configuring &xfree86;, select
&gui.no; and press Enter
and continue with the installation process. After installation
you can use xf86cfg -textmode or
xf86config to access the command line
configuration utilities as root. There is
an additional method for configuring &xfree86; described in
. If you choose not to configure
&xfree86; at this time the next menu will be for package
selection.The default setting which allows the server to be killed
is the hotkey sequence CtrlAltBackspace. This
can be executed if something is wrong with the server settings and
prevent hardware damage.The default setting that allows video mode switching will
permit changing of the mode while running X with the hotkey
sequence
CtrlAlt+ or
CtrlAlt-.
After you have &xfree86;
running, the display can be adjusted for height, width,
or centering by using xvidtune.There are warnings that improper settings can
damage your equipment. Heed them. If in doubt, do not do
it. Instead, use the monitor controls to adjust the display for
X Window. There may be some display differences when switching
back to text mode, but it is better than damaging equipment.Read the &man.xvidtune.1; manual page before making
any adjustments.Following a successful &xfree86; configuration, it will proceed
to the selection of a default desktop.Select Default X DesktopThere are a variety of window managers available. They range
from very basic environments to full desktop environments with a
large suite of software. Some require only minimal disk space and
low memory while others with more features require much more. The
best way to determine which is most suitable for you is to try a few
different ones. Those are available from the ports collection or as
packages and can be added after installation.You can select one of the popular desktops to be installed
and configured as the default desktop. This will allow you
to start it right after installation.Select Default DesktopUse the arrow keys to select a desktop and press
Enter. Installation of the selected desktop will
proceed.Install PackagesPackages are pre-compiled binaries and are a convenient
way to install software.Installation of one package is shown for purposes of
illustration. Additional packages can also be added at this
time if desired. After installation
/stand/sysinstall can be used to add additional
packages. User Confirmation Requested
The FreeBSD package collection is a collection of hundreds of
ready-to-run applications, from text editors to games to WEB servers
and more. Would you like to browse the collection now?
[ Yes ] NoSelecting &gui.yes; and pressing
Enter will be
followed by the Package Selection screens:Select Package CategoryOnly packages on the current installation media are
available for installation at any given time.All packages available will be displayed if
All is selected or you can select a
particular category. Highlight your selection with the arrow
keys and press Enter.A menu will display showing all the packages available for
the selection made:Select PackagesThe bash shell is shown selected.
Select as many as desired by highlighting the package and pressing the
Space key. A short description of each package will
appear in the lower left corner of the screen.Pressing the Tab key will toggle between the last
selected package, &gui.ok;, and &gui.cancel;.When you have finished marking the packages for installation,
press Tab once to toggle to the &gui.ok; and press
Enter to return to the Package Selection menu.The left and right arrow keys will also toggle between &gui.ok;
and &gui.cancel;. This method can also be used to select &gui.ok; and
press Enter to return to the Package Selection
menu.Install PackagesUse the Tab and arrow keys to select [ Install ]
and press Enter. You will then need to confirm
that you want to install the packages:Confirm Package InstallationSelecting &gui.ok; and pressing Enter will start
the package installation. Installing messages will appear until
completed. Make note if there are any error messages.The final configuration continues after packages are
installed. If you end up not selecting any packages, and wish
to return to the final configuration, select
Install anyways.Add Users/GroupsYou should add at least one user during the installation so
that you can use the system without being logged in as
root. The root partition is generally small
and running applications as root can quickly
fill it. A bigger danger is noted below: User Confirmation Requested
Would you like to add any initial user accounts to the system? Adding
at least one account for yourself at this stage is suggested since
working as the "root" user is dangerous (it is easy to do things which
adversely affect the entire system).
[ Yes ] NoSelect &gui.yes; and press
Enter to continue with adding a user.Select UserSelect User with the arrow keys
and press Enter.Add User InformationThe following descriptions will appear in the lower part of
the screen as the items are selected with Tab
to assist with entering the required information:Login IDThe login name of the new user (mandatory).UIDThe numerical ID for this user (leave blank for
automatic choice).GroupThe login group name for this user (leave blank for
automatic choice).PasswordThe password for this user (enter this field with
care!).Full nameThe user's full name (comment).Member groupsThe groups this user belongs to (i.e. gets access
rights for).Home directoryThe user's home directory (leave blank for
default).Login shellThe user's login shell (leave blank for
default, e.g. /bin/sh).The login shell was changed from /bin/sh to
/usr/local/bin/bash to use the
bash shell that was previously installed as
a package. Do not try to use a shell that does not exist or you will
not be able to login. The most common shell used in the
BSD-world is the C shell, which can be indicated as
/bin/tcsh.The user was also added to the wheel group
to be able to become a superuser with root
privileges.When you are satisfied, press &gui.ok; and
the User and Group Management menu will redisplay:Exit User and Group ManagementGroups can also be added at this time if specific needs
are known. Otherwise, this may be accessed through using
/stand/sysinstall after installation is
completed.When you are finished adding users, select
Exit with the arrow keys and press
Enter to continue the installation.Set the root Password Message
Now you must set the system manager's password.
This is the password you'll use to log in as "root".
[ OK ]
[ Press enter to continue ]Press Enter to set the root
password.The password will need to be typed in twice correctly. Needless to
say, make sure you have a way of finding the password if you
forget.Changing local password for root.
New password :
Retype new password :The installation will continue after the password is
successfully entered.Exiting InstallIf you need to configure additional network devices or
any other configuration, you can do it at this point or
after installation with /stand/sysinstall. User Confirmation Requested
Visit the general configuration menu for a chance to set any last
options?
Yes [ No ]Select &gui.no; with the arrow keys
and press Enter to return to the Main
Installation Menu.Exit InstallSelect [X Exit Install] with the arrow
keys and press Enter. You will be asked to
confirm exiting the installation: User Confirmation Requested
Are you sure you wish to exit? The system will reboot (be sure to
remove any floppies from the drives).
[ Yes ] NoSelect &gui.yes; and remove the floppy if
booting from the floppy. The CDROM drive is locked until the machine
starts to reboot. The CDROM drive is then unlocked and the disk can
be removed from drive (quickly).The system will reboot so watch for any error messages that
may appear.FreeBSD BootupFreeBSD Bootup on the &i386;If everything went well, you will see messages scroll
off the screen and you will arrive at a login prompt. You can view
the content of the messages by pressing Scroll-Lock
and using PgUp and PgDn.
Pressing Scroll-Lock again will return
to the prompt.The entire message may not display (buffer limitation) but
it can be viewed from the command line after logging in by typing
dmesg at the prompt.Login using the username/password you set during installation
(rpratt, in this example). Avoid logging in as
root except when necessary.Typical boot messages (version information omitted):Copyright (c) 1992-2002 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
The Regents of the University of California. All rights reserved.
Timecounter "i8254" frequency 1193182 Hz
CPU: AMD-K6(tm) 3D processor (300.68-MHz 586-class CPU)
Origin = "AuthenticAMD" Id = 0x580 Stepping = 0
Features=0x8001bf<FPU,VME,DE,PSE,TSC,MSR,MCE,CX8,MMX>
AMD Features=0x80000800<SYSCALL,3DNow!>
real memory = 268435456 (262144K bytes)
config> di sn0
config> di lnc0
config> di le0
config> di ie0
config> di fe0
config> di cs0
config> di bt0
config> di aic0
config> di aha0
config> di adv0
config> q
avail memory = 256311296 (250304K bytes)
Preloaded elf kernel "kernel" at 0xc0491000.
Preloaded userconfig_script "/boot/kernel.conf" at 0xc049109c.
md0: Malloc disk
Using $PIR table, 4 entries at 0xc00fde60
npx0: <math processor> on motherboard
npx0: INT 16 interface
pcib0: <Host to PCI bridge> on motherboard
pci0: <PCI bus> on pcib0
pcib1: <VIA 82C598MVP (Apollo MVP3) PCI-PCI (AGP) bridge> at device 1.0 on pci0
pci1: <PCI bus> on pcib1
pci1: <Matrox MGA G200 AGP graphics accelerator> at 0.0 irq 11
isab0: <VIA 82C586 PCI-ISA bridge> at device 7.0 on pci0
isa0: <ISA bus> on isab0
atapci0: <VIA 82C586 ATA33 controller> port 0xe000-0xe00f at device 7.1 on pci0
ata0: at 0x1f0 irq 14 on atapci0
ata1: at 0x170 irq 15 on atapci0
uhci0: <VIA 83C572 USB controller> port 0xe400-0xe41f irq 10 at device 7.2 on pci0
usb0: <VIA 83C572 USB controller> on uhci0
usb0: USB revision 1.0
uhub0: VIA UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
chip1: <VIA 82C586B ACPI interface> at device 7.3 on pci0
ed0: <NE2000 PCI Ethernet (RealTek 8029)> port 0xe800-0xe81f irq 9 at
device 10.0 on pci0
ed0: address 52:54:05:de:73:1b, type NE2000 (16 bit)
isa0: too many dependant configs (8)
isa0: unexpected small tag 14
fdc0: <NEC 72065B or clone> at port 0x3f0-0x3f5,0x3f7 irq 6 drq 2 on isa0
fdc0: FIFO enabled, 8 bytes threshold
fd0: <1440-KB 3.5" drive> on fdc0 drive 0
atkbdc0: <keyboard controller (i8042)> at port 0x60-0x64 on isa0
atkbd0: <AT Keyboard> flags 0x1 irq 1 on atkbdc0
kbd0 at atkbd0
psm0: <PS/2 Mouse> irq 12 on atkbdc0
psm0: model Generic PS/2 mouse, device ID 0
vga0: <Generic ISA VGA> at port 0x3c0-0x3df iomem 0xa0000-0xbffff on isa0
sc0: <System console> at flags 0x1 on isa0
sc0: VGA <16 virtual consoles, flags=0x300>
sio0 at port 0x3f8-0x3ff irq 4 flags 0x10 on isa0
sio0: type 16550A
sio1 at port 0x2f8-0x2ff irq 3 on isa0
sio1: type 16550A
ppc0: <Parallel port> at port 0x378-0x37f irq 7 on isa0
ppc0: SMC-like chipset (ECP/EPP/PS2/NIBBLE) in COMPATIBLE mode
ppc0: FIFO with 16/16/15 bytes threshold
ppbus0: IEEE1284 device found /NIBBLE
Probing for PnP devices on ppbus0:
plip0: <PLIP network interface> on ppbus0
lpt0: <Printer> on ppbus0
lpt0: Interrupt-driven port
ppi0: <Parallel I/O> on ppbus0
ad0: 8063MB <IBM-DHEA-38451> [16383/16/63] at ata0-master using UDMA33
ad2: 8063MB <IBM-DHEA-38451> [16383/16/63] at ata1-master using UDMA33
acd0: CDROM <DELTA OTC-H101/ST3 F/W by OIPD> at ata0-slave using PIO4
Mounting root from ufs:/dev/ad0s1a
swapon: adding /dev/ad0s1b as swap device
Automatic boot in progress...
/dev/ad0s1a: FILESYSTEM CLEAN; SKIPPING CHECKS
/dev/ad0s1a: clean, 48752 free (552 frags, 6025 blocks, 0.9% fragmentation)
/dev/ad0s1f: FILESYSTEM CLEAN; SKIPPING CHECKS
/dev/ad0s1f: clean, 128997 free (21 frags, 16122 blocks, 0.0% fragmentation)
/dev/ad0s1g: FILESYSTEM CLEAN; SKIPPING CHECKS
/dev/ad0s1g: clean, 3036299 free (43175 frags, 374073 blocks, 1.3% fragmentation)
/dev/ad0s1e: filesystem CLEAN; SKIPPING CHECKS
/dev/ad0s1e: clean, 128193 free (17 frags, 16022 blocks, 0.0% fragmentation)
Doing initial network setup: hostname.
ed0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
inet6 fe80::5054::5ff::fede:731b%ed0 prefixlen 64 tentative scopeid 0x1
ether 52:54:05:de:73:1b
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x8
inet6 ::1 prefixlen 128
inet 127.0.0.1 netmask 0xff000000
Additional routing options: IP gateway=YES TCP keepalive=YES
routing daemons:.
additional daemons: syslogd.
Doing additional network setup:.
Starting final network daemons: creating ssh RSA host key
Generating public/private rsa1 key pair.
Your identification has been saved in /etc/ssh/ssh_host_key.
Your public key has been saved in /etc/ssh/ssh_host_key.pub.
The key fingerprint is:
cd:76:89:16:69:0e:d0:6e:f8:66:d0:07:26:3c:7e:2d root@k6-2.example.com
creating ssh DSA host key
Generating public/private dsa key pair.
Your identification has been saved in /etc/ssh/ssh_host_dsa_key.
Your public key has been saved in /etc/ssh/ssh_host_dsa_key.pub.
The key fingerprint is:
f9:a1:a9:47:c4:ad:f9:8d:52:b8:b8:ff:8c:ad:2d:e6 root@k6-2.example.com.
setting ELF ldconfig path: /usr/lib /usr/lib/compat /usr/X11R6/lib
/usr/local/lib
a.out ldconfig path: /usr/lib/aout /usr/lib/compat/aout /usr/X11R6/lib/aout
starting standard daemons: inetd cron sshd usbd sendmail.
Initial rc.i386 initialization:.
rc.i386 configuring syscons: blank_time screensaver moused.
Additional ABI support: linux.
Local package initialization:.
Additional TCP options:.
FreeBSD/i386 (k6-2.example.com) (ttyv0)
login: rpratt
Password:Generating the RSA and DSA keys may take some time on slower
machines. This happens only on the initial boot-up of a new
installation. Subsequent boots will be faster.If the X server has been configured and a Default Desktop
chosen, it can be started by typing startx at
the command line.Bootup of FreeBSD on the AlphaAlphaOnce the install procedure has finished, you will be
able to start FreeBSD by typing something like this to the
SRM prompt:>>>BOOT DKC0This instructs the firmware to boot the specified
disk. To make FreeBSD boot automatically in the future, use
these commands:>>>SET BOOT_OSFLAGS A>>>SET BOOT_FILE ''>>>SET BOOTDEF_DEV DKC0>>>SET AUTO_ACTION BOOTThe boot messages will be similar (but not identical) to
those produced by FreeBSD booting on the &i386;.FreeBSD ShutdownIt is important to properly shutdown the operating
system. Do not just turn off power. First, become a superuser by
typing su at the command line and entering the
root password. This will work only if the user
is a member of the wheel group.
Otherwise, login as root and use
shutdown -h now.The operating system has halted.
Please press any key to reboot.It is safe to turn off the power after the shutdown command
has been issued and the message Please press any key to reboot
appears. If any key is pressed instead of turning off the power
switch, the system will reboot.You could also use the
CtrlAltDel
key combination to reboot the system, however this is not recommended
during normal operation.Supported HardwarehardwareFreeBSD currently runs on a wide variety of ISA, VLB, EISA, and PCI
bus-based PCs with Intel, AMD, Cyrix, or NexGen x86
processors, as well as a number of machines based on the Compaq Alpha
processor. Support for generic IDE or ESDI drive configurations,
various SCSI controllers, PCMCIA cards, USB devices, and network and
serial cards is also provided. FreeBSD also supports IBM's microchannel
(MCA) bus.A list of supported hardware is provided with each FreeBSD release
in the FreeBSD Hardware Notes. This document can usually be found in a
file named HARDWARE.TXT, in the top-level directory
of a CDROM or FTP distribution or in
sysinstall's documentation menu. It lists,
for a given architecture, what hardware devices are known to be
supported by each release of FreeBSD. Copies of the supported
hardware list for various releases and architectures can also be
found on the Release
Information page of the FreeBSD Web site.TroubleshootinginstallationtroubleshootingThe following section covers basic installation troubleshooting,
such as common problems people have reported. There are also a few
questions and answers for people wishing to dual-boot FreeBSD with
&ms-dos;.What to Do If Something Goes WrongDue to various limitations of the PC architecture, it is
impossible for probing to be 100% reliable, however, there are a
few things you can do if it fails.Check the Hardware Notes document for your version of
FreeBSD to make sure your hardware is
supported.If your hardware is supported and you still experience
lock-ups or other problems, reset your computer, and when the
visual kernel configuration option is given, choose it. This will
allow you to go through your hardware and supply information to the
system about it. The kernel on the boot disks is configured
assuming that most hardware devices are in their factory default
configuration in terms of IRQs, IO addresses, and DMA channels. If
your hardware has been reconfigured, you will most likely need to
use the configuration editor to tell FreeBSD where to find
things.It is also possible that a probe for a device not present will
cause a later probe for another device that is present to fail. In
that case, the probes for the conflicting driver(s) should be
disabled.Some installation problems can be avoided or alleviated
by updating the firmware on various hardware components, most notably
the motherboard. The motherboard firmware may also be referred to
as BIOS and most of the motherboard or computer
manufactures have a website where the upgrades and upgrade information
may be located.Most manufacturers strongly advise against upgrading the motherboard
BIOS unless there is a good reason for doing so, which
could possibly be a critical update of sorts. The upgrade process
can go wrong, causing permanent damage to the
BIOS chip.Do not disable any drivers you will need during the
installation, such as your screen (sc0).
If the installation wedges or fails mysteriously after leaving
the configuration editor, you have probably removed or changed
something you should not have. Reboot and try again.In configuration mode, you can:List the device drivers installed in the kernel.Disable device drivers for hardware that is not present in
your system.Change IRQs, DRQs, and IO port addresses used by a device
driver.After adjusting the kernel to match your hardware
configuration, type Q to boot with the new
settings. Once the installation has completed, any changes you
made in the configuration mode will be permanent so you do not have
to reconfigure every time you boot. It is still highly likely that
you will eventually want to build a custom kernel.Dealing with Existing &ms-dos; PartitionsDOSMany users wish to install &os; on PCs inhabited by
µsoft; based operating systems. For those instances, &os; has a
utility known as FIPS. This utility can be found
in the tools directory on the install CD-ROM, or downloaded
from one of various &os; mirrors.The FIPS utility allows you to split an
existing &ms-dos; partition into two pieces, preserving the original
partition and allowing you to install onto the second free piece.
You first need to defragment your &ms-dos; partition using the &windows;;
Disk Defragmenter utility (go into Explorer, right-click on
the hard drive, and choose to defrag your hard drive), or use
Norton Disk Tools. Now you can run the
FIPS utility. It will prompt you for the rest of
the information, just follow the on screen instructions. Afterwards, you can
reboot and install &os; on the new free slice. See the Distributions menu
for an estimate of how much free space you will need for the kind of
installation you want.There is also a very useful product from PowerQuest
(http://www.powerquest.com) called
&partitionmagic;. This application has far more
functionality than FIPS, and is highly recommended
if you plan to add/remove operating systems often. It does cost money, so if you
plan to install &os; and keep it installed, FIPS
will probably be fine for you.Using &ms-dos; and &windows; File SystemsAt this time, &os; does not support file systems compressed with the
Double Space™ application. Therefore the file
system will need to be uncompressed before &os; can access the data. This
can be done by running the Compression Agent
located in the Start> Programs >
System Tools menu.&os; can support &ms-dos; based file systems. This requires you use
the &man.mount.msdos.8; command (in &os; 5.X, the command is &man.mount.msdosfs.8;)
with the required parameters. The utilities most common usage is:&prompt.root; mount_msdos /dev/ad0s1 /mntIn this example, the &ms-dos; file system is located on the first partition of
the primary hard disk. Your situation may be different, check the output from
the dmesg, and mount commands. They should
produce enough information too give an idea of the partition layout.Extended &ms-dos; file systems are usually mapped after the &os;
partitions. In other words, the slice number may be higher than the ones
&os; is using. For instance, the first &ms-dos; partition may be
/dev/ad0s1, the &os; partition may be
/dev/ad0s2, with the extended &ms-dos; partition being
located on /dev/ad0s3. To some, this can be confusing
at first.NTFS partitions can also be mounted in a similar manner
using the &man.mount.ntfs.8; command.Alpha User's Questions and AnswersAlphaThis section answers some commonly asked questions about
installing FreeBSD on Alpha systems.Can I boot from the ARC or Alpha BIOS Console?ARCAlpha BIOSSRMNo. &os;, like Compaq Tru64 and VMS, will only boot
from the SRM console.Help, I have no space! Do I need to delete
everything first?Unfortunately, yes.Can I mount my Compaq Tru64 or VMS filesystems?No, not at this time.ValentinoVaschettoContributed by Advanced Installation GuideThis section describes how to install FreeBSD in exceptional
cases.Installing FreeBSD on a System without a Monitor or
Keyboardinstallationheadless (serial console)serial consoleThis type of installation is called a headless
install, because the machine that you are trying to install
FreeBSD on either does not have a monitor attached to it, or does not
even have a VGA output. How is this possible you ask? Using a
serial console. A serial console is basically using another
machine to act as the main display and keyboard for a
system. To do this, just follow the steps to create
installation floppies, explained in .To modify these floppies to boot into a serial console, follow
these steps:Enabling the Boot Floppies to Boot into a Serial ConsolemountIf you were to boot into the floppies that you just
made, FreeBSD would boot into its normal install mode. We
want FreeBSD to boot into a serial console for our
install. To do this, you have to mount the
kern.flp floppy onto your FreeBSD
system using the &man.mount.8; command.&prompt.root; mount /dev/fd0 /mntNow that you have the floppy mounted, you must
- change into the /mnt directory:
+ change into the /mnt directory:
&prompt.root; cd /mntHere is where you must set the floppy to boot into a
serial console. You have to make a file called
boot.config containing
/boot/loader -h. All this does is pass a flag to the bootloader to
boot into a serial console.&prompt.root; echo "/boot/loader -h" > boot.configNow that you have your floppy configured correctly,
you must unmount the floppy using the &man.umount.8;
command:&prompt.root; cd /
&prompt.root; umount /mntNow you can remove the floppy from the floppy
drive.Connecting Your Null Modem Cablenull modem cableYou now need to connect a
null modem cable between
the two machines. Just connect the cable to the serial
ports of the 2 machines. A normal serial cable
will not work here, you need a null modem
cable because it has some of the wires inside crossed
over.Booting Up for the InstallIt is now time to go ahead and start the install. Put
the kern.flp floppy in the floppy
drive of the machine you are doing the headless install
on, and power on the machine.Connecting to Your Headless MachinecuNow you have to connect to that machine with
&man.cu.1;:&prompt.root; cu -l /dev/cuaa0That's it! You should now be able to control the headless machine
through your cu session. It will ask you to
put in the mfsroot.flp, and then it will come up
with a selection of what kind of terminal to use. Select the
FreeBSD color console and proceed with your install!Preparing Your Own Installation MediaTo prevent repetition, FreeBSD disk in this context
means a FreeBSD CDROM or DVD that you have purchased or produced
yourself.There may be some situations in which you need to create your own
FreeBSD installation media and/or source. This might be physical media,
such as a tape, or a source that sysinstall
can use to retrieve the files, such as a local FTP site, or an &ms-dos;
partition.For example:You have many machines connected to your local network, and one
FreeBSD disk. You want to create a local FTP site using the
contents of the FreeBSD disk, and then have your machines use this
local FTP site instead of needing to connect to the Internet.You have a FreeBSD disk, and FreeBSD does not recognize your CD/DVD
drive, but &ms-dos;/&windows; does. You want to copy the FreeBSD
installations files to a DOS partition on the same computer, and
then install FreeBSD using those files.The computer you want to install on does not have a CD/DVD
drive or a network card, but you can connect a
Laplink-style serial or parallel cable to a computer
that does.You want to create a tape that can be used to install
FreeBSD.Creating an Installation CDROMAs part of each release, the FreeBSD project makes available two
CDROM images (ISO images). These images can be written
(burned) to CDs if you have a CD writer, and then used
to install FreeBSD. If you have a CD writer, and bandwidth is cheap,
then this is the easiest way to install FreeBSD.Download the Correct ISO ImagesThe ISO images for each release can be downloaded from ftp://ftp.FreeBSD.org/pub/FreeBSD/ISO-IMAGES-arch/version or the closest mirror.
Substitute arch and
version as appropriate.That directory will normally contain the following images:
FreeBSD ISO Image Names and MeaningsFilenameContainsversion-mini.isoEverything you need to install FreeBSD.version-disc1.isoEverything you need to install FreeBSD, and as many
additional third party packages as would fit on the
disc.version-disc2.isoA live filesystem, which is used in
conjunction with the Repair facility in
sysinstall. A copy of the
FreeBSD CVS tree. As many additional third party packages
as would fit on the disc.
You must download one of either the mini
ISO image, or the image of disc one. Do not download both of them,
since the disc one image contains everything that the mini ISO
image contains.Use the mini ISO if Internet access is cheap for you. It will
let you install FreeBSD, and you can then install third party
packages by downloading them using the ports/packages system (see
) as
necessary.Use the image of disc one if you want a reasonable selection
of third party packages on the disc as well.The additional disc images are useful, but not essential,
especially if you have high-speed access to the Internet.Write the CDsYou must then write the CD images to disc. If you will be
doing this on another FreeBSD system then see
for more information (in
particular, and
).If you will be doing this on another platform then you will
need to use whatever utilities exist to control your CD writer on
that platform. The images provided are in the standard ISO format,
which many CD writing applications support.Creating a Local FTP Site with a FreeBSD DiskinstallationnetworkFTPFreeBSD disks are laid out in the same way as the FTP site. This
makes it very easy for you to create a local FTP site that can be used
by other machines on your network when installing FreeBSD.On the FreeBSD computer that will host the FTP site, ensure
that the CDROM is in the drive, and mounted on
/cdrom.&prompt.root; mount /cdromCreate an account for anonymous FTP in
/etc/passwd. Do this by editing
/etc/passwd using &man.vipw.8; and adding
this line:ftp:*:99:99::0:0:FTP:/cdrom:/nonexistentEnsure that the FTP service is enabled in
/etc/inetd.conf.Anyone with network connectivity to your machine can now
chose a media type of FTP and type in
ftp://your machine
after picking Other in the FTP sites menu during
the install.This approach is OK for a machine that is on your local network,
and that is protected by your firewall. Offering up FTP services to
other machines over the Internet (and not your local network)
exposes your computer to the attention of crackers and other
undesirables. We strongly recommend that you follow good security
practices if you do this.Creating Installation FloppiesinstallationfloppiesIf you must install from floppy disk (which we suggest you
do not do), either due to unsupported
hardware or simply because you insist on doing things the hard
way, you must first prepare some floppies for the installation.At a minimum, you will need as many 1.44 MB or 1.2 MB floppies
as it takes to hold all the files in the
bin (binary distribution) directory. If
you are preparing the floppies from DOS, then they
must be formatted using the &ms-dos;
FORMAT command. If you are using &windows;,
use Explorer to format the disks (right-click on the
A: drive, and select Format.Do not trust factory pre-formatted
floppies. Format them again yourself, just to be sure. Many
problems reported by our users in the past have resulted from
the use of improperly formatted media, which is why we are
making a point of it now.If you are creating the floppies on another FreeBSD machine,
a format is still not a bad idea, though you do not need to put
a DOS filesystem on each floppy. You can use the
disklabel and newfs
commands to put a UFS filesystem on them instead, as the
following sequence of commands (for a 3.5" 1.44 MB floppy)
illustrates:&prompt.root; fdformat -f 1440 fd0.1440
&prompt.root; disklabel -w -r fd0.1440 floppy3
&prompt.root; newfs -t 2 -u 18 -l 1 -i 65536 /dev/fd0Use fd0.1200 and
floppy5 for 5.25" 1.2 MB disks.Then you can mount and write to them like any other
filesystem.After you have formatted the floppies, you will need to copy
the files to them. The distribution files are split into chunks
conveniently sized so that five of them will fit on a conventional
1.44 MB floppy. Go through all your floppies, packing as many
files as will fit on each one, until you have all of the
distributions you want packed up in this fashion. Each
distribution should go into a subdirectory on the floppy, e.g.:
a:\bin\bin.aa,
a:\bin\bin.ab, and so on.Once you come to the Media screen during the install
process, select Floppy and you
will be prompted for the rest.Installing from an &ms-dos; Partitioninstallationfrom MS-DOSTo prepare for an installation from an &ms-dos; partition,
copy the files from the distribution into a directory
called freebsd in the root directory of the
partition. For example, c:\freebsd. The
directory structure of the CDROM or FTP site must be partially
reproduced within this directory, so we suggest using the DOS
xcopy command if you are copying it from a CD.
For example, to prepare for a minimal installation of
FreeBSD:C:\>md c:\freebsdC:\>xcopy e:\bin c:\freebsd\bin\ /sC:\>xcopy e:\manpages c:\freebsd\manpages\ /sAssuming that C: is where you have
free space and E: is where your CDROM
is mounted.If you do not have a CDROM drive, you can download the
distribution from ftp.FreeBSD.org.
Each distribution is in its own directory; for example, the
base distribution can be found in the &rel.current;/base/
directory.In the 4.X and older releases of &os; the base
distribution is called bin. Adjust the sample
commands and URLs above accordingly, if you are using one of these
versions.For as many distributions you wish to install from an &ms-dos;
partition (and you have the free space for), install each one
under c:\freebsd — the
BIN distribution is the only one required for
a minimum installation.Creating an Installation Tapeinstallationfrom QIC/SCSI TapeInstalling from tape is probably the easiest method, short
of an online FTP install or CDROM install. The installation
program expects the files to be simply tarred onto the tape.
After getting all of the distribution files you are interested
in, simply tar them onto the tape:&prompt.root; cd /freebsd/distdir
&prompt.root; tar cvf /dev/rwt0 dist1 ... dist2When you perform the installation, you should make
sure that you leave enough room in some temporary directory
(which you will be allowed to choose) to accommodate the
full contents of the tape you have created.
Due to the non-random access nature of tapes, this method of
installation requires quite a bit of temporary storage.When starting the installation, the tape must be in the
drive before booting from the boot
floppy. The installation probe may otherwise fail to find
it.Before Installing over a Networkinstallationnetworkserial (SLIP or PPP)installationnetworkparallel (PLIP)installationnetworkEthernetThere are three types of network installations available.
Serial port (SLIP or PPP), Parallel port (PLIP (laplink cable)),
or Ethernet (a standard Ethernet controller (includes some
PCMCIA)).The SLIP support is rather primitive, and limited primarily
to hard-wired links, such as a serial cable running between a
laptop computer and another computer. The link should be
hard-wired as the SLIP installation does not currently offer a
dialing capability; that facility is provided with the PPP
utility, which should be used in preference to SLIP whenever
possible.If you are using a modem, then PPP is almost certainly
your only choice. Make sure that you have your service
provider's information handy as you will need to know it fairly
early in the installation process.If you use PAP or CHAP to connect your ISP (in other words, if
you can connect to the ISP in &windows; without using a script), then
all you will need to do is type in dial at the
ppp prompt. Otherwise, you will need to
know how to dial your ISP using the AT commands
specific to your modem, as the PPP dialer provides only a very
simple terminal emulator. Please refer to the user-ppp handbook and FAQ entries for further information.
If you have problems, logging can be directed to the screen using
the command set log local ....If a hard-wired connection to another FreeBSD (2.0-R or
later) machine is available, you might also consider installing
over a laplink parallel port cable. The data rate
over the parallel port is much higher than what is typically
possible over a serial line (up to 50 kbytes/sec), thus resulting
in a quicker installation.Finally, for the fastest possible network installation, an
Ethernet adapter is always a good choice! FreeBSD supports most
common PC Ethernet cards; a table of supported cards (and their
required settings) is provided in the Hardware Notes for each
release of FreeBSD. If you are using one of the supported PCMCIA
Ethernet cards, also be sure that it is plugged in
before the laptop is powered on! FreeBSD does
not, unfortunately, currently support hot insertion of PCMCIA cards
during installation.You will also need to know your IP address on the network,
the netmask value for your address class, and the name of your
machine. If you are installing over a PPP connection and do not
have a static IP, fear not, the IP address can be dynamically
assigned by your ISP. Your system administrator can tell you
which values to use for your particular network setup. If you
will be referring to other hosts by name rather than IP address,
you will also need a name server and possibly the address of a
gateway (if you are using PPP, it is your provider's IP address)
to use in talking to it. If you want to install by FTP via a
HTTP proxy, you will also need the proxy's address.
If you do not know the answers to all or most of these questions,
then you should really probably talk to your system administrator
or ISP before trying this type of
installation.Before Installing via NFSinstallationnetworkNFSThe NFS installation is fairly straight-forward. Simply
copy the FreeBSD distribution files you want onto an NFS server
and then point the NFS media selection at it.If this server supports only privileged port
(as is generally the default for Sun workstations), you will
need to set the option in the
Options menu before installation can proceed.If you have a poor quality Ethernet card which suffers
from very slow transfer rates, you may also wish to toggle the
flag.In order for NFS installation to work, the server must
support subdir mounts, for example, if your FreeBSD &rel.current; distribution
directory lives on:
ziggy:/usr/archive/stuff/FreeBSD, then
ziggy will have to allow the direct mounting
of /usr/archive/stuff/FreeBSD, not just
/usr or
/usr/archive/stuff.In FreeBSD's /etc/exports file, this
is controlled by the options. Other NFS
servers may have different conventions. If you are getting
permission denied messages from the
server, then it is likely that you do not have this enabled
properly.
diff --git a/en_US.ISO8859-1/books/handbook/mac/chapter.sgml b/en_US.ISO8859-1/books/handbook/mac/chapter.sgml
index c381f5d9b5..6ccbc899a1 100644
--- a/en_US.ISO8859-1/books/handbook/mac/chapter.sgml
+++ b/en_US.ISO8859-1/books/handbook/mac/chapter.sgml
@@ -1,2211 +1,2211 @@
TomRhodesWritten by Mandatory Access ControlSynopsisMACMandatory Access Control&os; 5.X introduced new security extensions from the
TrustedBSD project based on the &posix;.1e draft. Two of the most
significant new security mechanisms are file system Access Control
Lists (ACLs) and Mandatory Access Control
(MAC) facilities. Mandatory Access Control allows
new access control modules to be loaded, implementing new security
policies. Some provide protections of a narrow subset of the
system, hardening a particular service, while others provide
comprehensive labeled security across all subjects and objects.
The mandatory part
of the definition comes from the fact that the enforcement of
the controls is done by administrators and the system, and is
not left up to the discretion of users as is done with
discretionary access control (DAC, the standard
file and System V IPC permissions on &os;).This chapter will focus on the
Mandatory Access Control Framework (MAC Framework), and a set
of pluggable policy modules implementing various security
policies.After reading this chapter, you will know:What MAC modules are currently
included in &os; and their associated policies.What MAC policies are capable of
implementing, the difference between a label and non-labeled
policy.How to efficiently configure a system to use
the MAC framework.How to configure the different policies used by the
MAC modules.How to implement a more secure environment using the
MAC framework and the examples
shown.How to test the MAC configuration
to ensure the framework has been properly implemented.Before reading this chapter, you should:Understand &unix; and &os; basics
().Be familiar with
the basics of kernel configuration/compilation
().Have some familiarity with security and how it
pertains to &os; ().The improper use of the
information in this chapter may cause loss of access to the system,
aggravation of users, or inability to access the features
provided by &xfree86;. More importantly, MAC should not
be relied upon to completely secure a system. The
MAC framework only augments
existing security policy; without sound security practices and
regular security checks, the system will never be completely
secure.It should also be noted that the examples contained
within this chapter are just that, examples. It is not
recommended that these particular settings be rolled out
on a production system. Implementing these policies takes
a good deal of thought. One who does not fully understand
exactly how everything works may find him or herself going
back through the entire system and reconfiguring many files
or directories.What Will Not Be CoveredThis chapter covers a broad range of security issues relating
to the MAC framework; however, the
development of new MAC policies
will not be covered. A number of modules included with the
MAC framework have specific characteristics
which are provided for both testing and new module
development. These include the &man.mac.test.4;,
&man.mac.stub.4; and &man.mac.none.4; modules/policies.
For more information on these modules and the various
mechanisms they provide, please review the manual pages.Key Terms in this ChapterBefore reading this chapter, a few key terms must be
explained. This will hopefully clear up any confusion that
may occur and avoid the abrupt introduction of new terms
and information.compartment: A compartment is a
a set of programs and data to be partitioned or separated,
where users are given explicit access to specific components
of a system. Also, a compartment represents a grouping,
such as a work group, department, project, or topic. Using
compartments, it is possible to implement a need-to-know
policy.integrity: Integrity, as a key
concept, is the level of trust which can be placed on data.
As the integrity of the data is elevated, so does the ability
to trust that data.label: A label is a security
attribute which can be applied to files, directories, or
other items in the system. It could be considered
to be a confidentiality stamp; when a label is placed on
a file it describes the security properties for that specific
file and will only permit access by files, users, resources,
etc. with a similar security setting. The meaning and
interpretation of label values depends on the policy: while
some policies might treat a label as representing the
integrity or secrecy of an object, other policies might use
labels to hold rules for access.level: The increased or decreased
setting of a security attribute. As the level increases,
its security is considered to elevate as well.multilabel: The
property is a file system option
which can be set in single user mode using the
&man.tunefs.8; utility; set during the boot operation
using the &man.fstab.5; file; or during the creation of
a new file system. This option will permit an administrator
to apply different MAC labels on different
objects. This option
only applies to labeled policies.object: An object or system
object is an entity through which information flows
under the direction of a subject.
This includes directories, files, fields, screens, keyboards,
memory, magnetic storage, printers or any other data
storage/moving device. Basically, an object is a data container or
a system resource; access to an object
effectively means access to the data.policy: A collection of rules
which defines how objectives are to be achieved. A
policy usually documents how certain
items are to be handled. This chapter will
consider the term policy in this
context as a security policy; i.e.
a collection of rules which will control the flow of data
and information and define whom will have access to that
data and information.sensitivity: Usually used when
discussing MLS. A sensitivity level is
a term used to describe how important or secret the data
should be. As the sensitivity level increases, so does the
importance of the data.single label: A single label is
when the entire file system uses one label to
enforce access control over the flow of data. When a file
system has this set, which is any time when the
option is not set, all
files will conform to the same label setting.subject: a subject is any
active entity that causes information to flow between
objects; e.g. a user, user processor,
system process, etc. On &os;, this is almost always a thread
acting in a process on behalf of a user.Explanation of MACWith all of these new terms in mind, consider how the
MAC framework augments the security of
the system as a whole. The various security policies provided by
the MAC framework could be used to
protect the network and file systems, block users from
accessing certain ports and sockets, and more. Perhaps
the best use of the policies is to blend them together, by loading
several security policy modules at a time, for a multi-layered
security environment. In a multi-layered security environment,
multiple policies are in effect to keep security in check. This
is different then a hardening policy, which typically hardens
elements of a system that is used only for specific purposes.
The only downside is administrative overhead in cases of
multiple file system labels, setting network access control
user by user, etc.These downsides are minimal when compared to the lasting
effect of the framework; for instance, the ability to pick choose
which policies are required for a specific configuration keeps
performance overhead down. The reduction of support for unneeded
policies can increase the overall performance of the system as well as
offer flexibility of choice. A good implementation would
consider the overall security requirements and effectively implement
the various policies offered by the framework.Thus a system utilizing MAC features
should at least guarantee that a user will not be permitted
to change security attributes at will; all user utilities,
programs and scripts must work within the constraints of
the access rules provided by the selected policies; and
that total control of the MAC access
rules are in the hands of the system administrator.It is the sole duty of the system administrator to
carefully select the correct policies. Some environments
may need to limit access control over the network; in these
cases, the &man.mac.portacl.4;, &man.mac.ifoff.4; and even
&man.mac.biba.4; policies might make good starting points. In other
cases, strict confidentiality of file system objects might
be required. Policies such as &man.mac.bsdextended.4;
and &man.mac.mls.4; exist for this purpose.Policy decisions could be made based on network
configuration. Perhaps only certain users should be permitted
access to facilities provided by &man.ssh.1; to access the
network or the Internet. The &man.mac.portacl.4; would be
the policy of choice for these situations. But what should be
done in the case of file systems? Should all access to certain
directories be severed from other groups or specific
users? Or should we limit user or utility access to specific
files by setting certain objects as classified?In the file system case, access to objects might be
considered confidential to some users but not to others.
For an example, a large development team might be broken
off into smaller groups of individuals. Developers in
project A might not be permitted to access objects written
by developers in project B. Yet they might need to access
objects created by developers in project C; that is quite a
situation indeed. Using the different policies provided by
the MAC framework; users could
be divided into these groups and then given access to the
appropriate areas without the fear of information
leakage.Thus, each policy has a unique way of dealing with
the overall security of a system. Policy selection should be based
on a well thought out security policy. In many cases, the
overall policy may need to be revised and reimplemented on
the system. Understanding the different policies offered by
the MAC framework will help administrators
choose the best policies for their situations.The default &os; kernel does not include the option for
the MAC framework; thus the following
kernel option must be added before trying any of the examples or
information in this chapter:options MACAnd the kernel will require a rebuild and a reinstall.While the various manual pages for MAC
modules state that they may be built into the kernel,
it is possible to lock the system out of
the network and more. Implementing MAC
is much like implementing a firewall, but care must be taken
to prevent being completely locked out of the system. The
ability to revert back to a previous configuration should be
considered while the implementation of MAC
remotely should be done with extreme caution.Understanding MAC LabelsA MAC label is a security attribute
which may be applied to subjects and objects throughout
the system.When setting a label, the user must be able to comprehend
what it is, exactly, that is being done. The attributes
available on an object depend on the policy loaded, and that
policies interpret their attributes in pretty different
ways. If improperly configured due to lack of comprehension, or
the inability to understand the implications, the result will
be the unexpected and perhaps, undesired, behavior of the
system.The security label on an object is used as a part of a
security access control decision by a policy. With some
policies, the label by itself contains all information necessary
to make a decision; in other models, the labels may be processed
as part of a larger rule set, etc.For instance, setting the label of biba/low
on a file will represent a label maintained by the Biba policy,
with a value of low.A few policies which support the labeling feature in
&os; offers three specific predefined labels. These
are the low, high, and equal labels. Although they enforce
access control in a different manner with each policy, you
can be sure that the low label will be the lowest setting,
the equal label will set the subject or object to be disabled
or unaffected, and the high label will enforce the highest
setting available in the Biba and MLS
policies.Within single label file system environments, only one label may be
used on objects. This will enforce one set of
access permissions across the entire system and in many
environments may be all that is required. There are a few
cases; however, where multiple labels may be set on objects
or subjects in the file system. For those cases, the
option may be passed to
&man.tunefs.8;.In the case of Biba and MLS, a numeric
label may be set to indicate the precise level of hierarchical
control. This numeric level is used to partition or sort
information into different groups of say, classification only
permitting access to that group or a higher group level.In most cases the administrator will only be setting up a
single label to use throughout the file system.Hey wait, this is similar to DAC!
I thought MAC gave control strictly to the
administrator. That statement still holds true, to some
extent root is the one in control and who
configures the policy so that users are placed in the
appropriate categories/access levels. Alas, many policies can
restrict the root user as well. Basic
control over objects will then be released to the group but
root may revoke or modify the settings
at any time. This is the hierarchal/clearance model covered
by policies such as Biba and MLS.Label ConfigurationVirtually all aspects of label policy configuration
will be performed using the base system utilities. These
commands provide a simple interface for object or subject
configuration or the manipulation and verification of
the configuration.All configuration may be done by use of the
&man.setfmac.8; and &man.setpmac.8; utilities.
The setfmac command is used to set
MAC labels on system objects while the
setpmac command is used to set the labels
on system subjects. Observe:&prompt.root; setfmac biba/high testIf no errors occurred with the command above, a prompt
will be returned. The only time these commands are not
quiescent is when an error occurred; similarly to the
&man.chmod.1; and &man.chown.8; commands. In some cases this
error may be a Permission denied and
is usually obtained when the label is being set or modified
on an object which is restricted.Other conditions
may produce different failures. For instance, the file may not
be owned by the user attempting to relabel the object, the
object may not exist or may be read only. A mandatory policy
will not allow the process to relabel the file, maybe because
of a property of the file, a property of the process, or a
property of the proposed new label value. For example: a user
running at low integrity tries to change the label of a high
integrity file. Or perhaps a user running at low integrity
tries to change the label of a low integrity file to a high
integrity label. The system administrator
may use the following commands to overcome this:&prompt.root; setfmac biba/high testPermission denied
&prompt.root; setpmac biba/low setfmac biba/high test
&prompt.root; getfmac test
test: biba/highAs we see above, setpmac
can be used to override the policy's settings by assigning
a different label to the invoked process. The
getpmac utility is usually used with currently
running processes, such as sendmail:
although it takes a process ID in place of
a command the logic is extremely similar. If users
attempt to manipulate a file not in their access, subject to the
rules of the loaded policies, the
Operation not permitted error
will be displayed by the mac_set_link
function.Users and Label SettingsUsers themselves are required to have labels so that
their files and processes may properly interact with the
security policy defined on the system. This is
configured through the login.conf file
by use of login classes. Every policy that uses labels
will implement the user class setting.An example entry containing every policy is listed
below:default:\
:copyright=/etc/COPYRIGHT:\
:welcome=/etc/motd:\
:setenv=MAIL=/var/mail/$,BLOCKSIZE=K:\
:path=~/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:\
:manpath=/usr/share/man /usr/local/man:\
:nologin=/usr/sbin/nologin:\
:cputime=1h30m:\
:datasize=8M:\
:vmemoryuse=100M:\
:stacksize=2M:\
:memorylocked=4M:\
:memoryuse=8M:\
:filesize=8M:\
:coredumpsize=8M:\
:openfiles=24:\
:maxproc=32:\
:priority=0:\
:requirehome:\
:passwordtime=91d:\
:umask=022:\
:ignoretime@:\
:label=partition/13,mls/5,biba/10(5-15),lomac10[2]:The label option is used to set the
user class default label which will be enforced by
MAC. Users will never be permitted to
modify this value, thus it can be considered not optional
in the user case. In a real configuration, however, the
administrator will never wish to enable every policy.
It is recommended that the rest of this chapter be reviewed
before any of this configuration is implemented.Users may change their label after the initial login;
however, this change is subject constraints of the policy.
The example above tells the Biba policy that a process's
minimum integrity is 5, its maximum is 15, but the default
effective label is 10. The process will run at 10 until
it chooses to change label, perhaps due to the user using
the setpmac command, which will be constrained by Biba to
the range set at login.In all cases, after a change to
login.conf, the login class capability
database must be rebuilt using cap_mkdb
and this will be reflected throughout every forthcoming
example or discussion.It is useful to note that many sites may have a
particularly large number of users requiring several
different user classes. In depth planning is required
as this may get extremely difficult to manage.Future versions of &os; will include a new way to
deal with mapping users to labels; however, this will
not be available until some time after &os; 5.3.Network Interfaces and Label SettingsLabels may also be set on network interfaces to help
control the flow of data across the network. In all cases
they function in the same way the policies function with
respect to objects. Users at high settings in
biba, for example, will not be permitted
to access network interfaces with a label of low.The may be passed to
ifconfig when setting the
MAC label on network interfaces. For
example:&prompt.root; ifconfig bge0 maclabel biba/equalwill set the MAC label of
biba/equal on the &man.bge.4; interface.
When using a setting similar to
biba/high(low-high) the entire label should
be quoted; otherwise an error will be returned.Each policy which supports labeling has some tunable
which may be used to disable the MAC
label on network interfaces. Setting the label to
will have a similar effect. Review
the output from sysctl, the policy manual
pages, or even the information found later in this chapter
for those tunables.Singlelabel or Multilabel?By default the system will use the
option. But what does this
mean to the administrator? There are several differences
which, in their own right, offer pros and cons to the
flexibility in the systems security model.The only permits for one
label, for instance biba/high to be used
for each subject or object. It provides for lower
administration overhead but decreases the flexibility of
policies which support labeling. Many administrators may
want to use the option in
their security policy.The option will permit each
subject or object to have its own independent
MAC label in
place of the standard option
which will allow only one label throughout the partition.
The and
label options are only required for the policies which
implement the labeling feature, including the Biba, Lomac,
MLS and SEBSD
policies.In many cases, the may not need
to be set at all. Consider the following situation and
security model:&os; web-server using the MAC
framework and a mix of the various policies.This machine only requires one label,
biba/high, for everything in the system.
Here the file system would not require the
option as a single label
will always be in effect.But, this machine will be a web server and should have
the web server run at biba/low to prevent
write up capabilities. The Biba policy and how it works
will be discussed later, so if the previous comment was
difficult to interpret just continue reading and return.
The server could use a separate partition set at
biba/low for most if not all of its
runtime state. Much is lacking from this example, for
instance the restrictions on data, configuration and user
settings; however, this is just a quick example to prove the
aforementioned point.If any of the non-labeling policies are to be used,
then the option would never
be required. These include the seeotheruids,
portacl and partition
policies.It should also be noted that using
with a partition and establishing
a security model based on
functionality could open the doors for higher administrative
overhead as everything in the file system would have a label.
This includes directories, files, and even device
nodes.The following command will set
on the file systems to have multiple labels. This may only be
done in single user mode:&prompt.root; tunefs -l enable /This is not a requirement for the swap file
system.Some users have experienced problems with setting the
flag on the root partition.
If this is the case, please review the
of this chapter.Controlling MAC with TunablesWithout any modules loaded, there are still some parts
of MAC which may be configured using
the sysctl interface. These tunables
are described below and in all cases the number one (1)
means enabled while the number zero (0) means
disabled:security.mac.enforce_fs defaults to
one (1) and enforces MAC file system
policies on the file systems.security.mac.enforce_kld defaults to
one (1) and enforces MAC kernel linking
policies on the dynamic kernel linker (see
&man.kld.4;).security.mac.enforce_network defaults
to one (1) and enforces MAC network
policies.security.mac.enforce_pipe defaults
to one (1) and enforces MAC policies
on pipes.security.mac.enforce_process defaults
to one (1) and enforces MAC policies
on processes which utilize inter-process
communication.security.mac.enforce_socket defaults
to one (1) and enforces MAC policies
on sockets (see the &man.socket.2; manual page).security.mac.enforce_system defaults
to one (1) and enforces MAC policies
on system activities such as accounting and
rebooting.security.mac.enforce_vm defaults
to one (1) and enforces MAC policies
on the virtual memory system.Every policy or MAC option supports
tunables. These usually hang off of the
security.mac.<policyname> tree.
To view all of the tunables from MAC
use the following command:&prompt.root; sysctl -da | grep macThis should be interpreted as all of the basic
MAC policies are enforced by default.
If the modules were built into the kernel the system
would be extremely locked down and most likely unable to
communicate with the local network or connect to the Internet,
etc. This is why building the modules into the kernel is not
completely recommended. Not because it limits the ability to
disable features on the fly with sysctl,
but it permits the administrator to instantly switch the
policies of a system without the requirement of rebuilding
and reinstalling a new system.Module ConfigurationEvery module included with the MAC
framework may be either compiled into the kernel as noted above
or loaded as a run-time kernel module.
The recommended method is to add the module name to the
/boot/loader.conf file so that it will load
during the initial boot operation.The following sections will discuss the various
MAC modules and cover their features.
Implementing them into a specific environment will also
be a consideration of this chapter. Some modules support
the use of labeling, which is controlling access by enforcing
a label such as this is allowed and this is not.
A label configuration file may control how files may be accessed,
network communication can be exchanged, and more. The previous
section showed how the flag could
be set on file systems to enable per-file or per-partition
access control.A single label configuration would enforce only one label
across the system, that is why the tunefs
option is called .The MAC seeotheruids ModuleMAC See Other UIDs PolicyModule name: mac_seeotheruids.koKernel configuration line:
options MAC_SEEOTHERUIDSBoot option:
mac_seeotheruids_load="YES"The &man.mac.seeotheruids.4; module mimics and extends
the security.bsd.see_other_uids and
security.bsd.see_other_gidssysctl tunables. This option does
not require any labels to be set before configuration and
can operate transparently with the other modules.After loading the module, the following
sysctl tunables may be used to control
the features:security.mac.seeotheruids.enabled
will enable the module's features and use the default
settings. These default settings will deny users the
ability to view processes and sockets owned by other
users.security.mac.seeotheruids.specificgid_enabled
will allow a certain group to be exempt from this policy.
To exempt specific groups from this policy, use the
security.mac.seeotheruids.specificgid=XXXsysctl tunable. In the above example,
the XXX should be replaced with the
numeric group ID to be exempted.security.mac.seeotheruids.primarygroup_enabled
is used to exempt specific primary groups from this policy.
When using this tunable, the
security.mac.seeotheruids.specificgid_enabled
may not be set.It should be noted that the root
user is not exempt from this policy. This is one of the
large differences between the MAC version
and the standard tunable version included by default:
security.bsd.seeotheruids.The MAC bsdextended ModuleMACFile System Firewall PolicyModule name: mac_bsdextended.koKernel configuration line:
options MAC_BSDEXTENDEDBoot option:
mac_bsdextended_load="YES"The &man.mac.bsdextended.4; module enforces the file system
firewall. This module's policy provides an extension to the
standard file system permissions model, permitting an
administrator to create a firewall-like ruleset to protect files,
utilities, and directories in the file system hierarchy.The policy may be created using a utility, &man.ugidfw.8;,
that has a syntax similar to that of &man.ipfw.8;. More tools
can be written by using the functions in the
&man.libugidfw.3; library.Extreme caution should be taken when working with this
module; incorrect use could block access to certain parts of
the file system.ExamplesAfter the &man.mac.bsdextended.4; module has
been loaded, the following command may be used to list the
current rule configuration:&prompt.root; ugidfw list
0 slots, 0 rulesAs expected, there are no rules defined. This means that
everything is still completely accessible. To create a rule
which will block all access by users but leave
root unaffected, simply run the
following command:&prompt.root; ugidfw add subject not uid root new object not uid root mode nIn releases prior to &os; 5.3, the
add parameter did not exist. In those
cases the set should be used
instead. See below for a command example.This is a very bad idea as it will block all users from
issuing even the most simple commands, such as
ls. A more patriotic list of rules
might be:&prompt.root; ugidfw set 2 subject uid user1 object uid user2 mode n
&prompt.root; ugidfw set 3 subject uid user1 object gid user2 mode nThis will block any and all access, including directory
listings, to user2's home
directory from the username user1.In place of user1, the
could
be passed. This will enforce the same access restrictions
above for all users in place of just one user.The root user will be unaffected
by these changes.This should give a general idea of how the
&man.mac.bsdextended.4; module may be used to help fortify
a file system. For more information, see the
&man.mac.bsdextended.4; and the &man.ugidfw.8; manual
pages.The MAC ifoff ModuleMAC Interface Silencing PolicyModule name: mac_ifoff.koKernel configuration line:
options MAC_IFOFFBoot option: mac_ifoff_load="YES"The &man.mac.ifoff.4; module exists solely to disable network
interfaces on the fly and keep network interfaces from being
brought up during the initial system boot. It does not require
any labels to be set up on the system, nor does it have a
dependency on other MAC modules.Most of the control is done through the
sysctl tunables listed below.security.mac.ifoff.lo_enabled will
enable/disable all traffic on the loopback (&man.lo.4;)
interface.security.mac.ifoff.bpfrecv_enabled will
enable/disable all traffic on the Berkeley Packet Filter
interface (&man.bpf.4;)security.mac.ifoff.other_enabled will
enable/disable traffic on all other interfaces.One of the most common uses of &man.mac.ifoff.4; is network
monitoring in an environment where network traffic should not
be permitted during the boot sequence. Another suggested use
would be to write a script which uses
security/aide to automatically
block network traffic if it finds new or altered files in
protected directories.The MAC portacl ModuleMAC Port Access Control List PolicyModule name: mac_portacl.koKernel configuration line:
MAC_PORTACLBoot option: mac_portacl_load="YES"The &man.mac.portacl.4; module is used to limit binding to
local TCP and UDP ports
using a variety of sysctl variables. In
essence &man.mac.portacl.4; makes it possible to allow
non-root users to bind to specified
privileged ports, i.e. ports fewer than 1024.Once loaded, this module will enable the
MAC policy on all sockets. The following
tunables are available:security.mac.portacl.enabled will
enable/disable the policy completely.Due to
a bug the security.mac.portacl.enabledsysctl variable will not work on
&os; 5.2.1 or previous releases.security.mac.portacl.port_high will set
the highest port number that &man.mac.portacl.4;
will enable protection for.security.mac.portacl.suser_exempt will,
when set to a non-zero value, exempt the
root user from this policy.security.mac.portacl.rules will
specify the actual mac_portacl policy; see below.The actual mac_portacl policy, as
specified in the security.mac.portacl.rules
sysctl, is a text string of the form:
rule[,rule,...] with as many rules as
needed. Each rule is of the form:
idtype:id:protocol:port. The
idtype parameter can be
uid or gid and used to
interpret the id parameter as either a
user id or group id, respectively. The
protocol parameter is used to determine if
the rule should apply to TCP or
UDP by setting the parameter to
tcp or udp. The final
port parameter is the port number to allow
the specified user or group to bind to.Since the ruleset is interpreted directly by the kernel
only numeric values can be used for the user ID, group ID, and
port parameters. I.e. user, group, and port service names
cannot be used.By default, on &unix;-like systems, ports fewer than 1024
can only be used by/bound to privileged processes,
i.e. those run as root. For
&man.mac.portacl.4; to allow non-privileged processes to bind
to ports below 1024 this standard &unix; restriction has to be
disabled. This can be accomplished by setting the &man.sysctl.8;
variables net.inet.ip.portrange.reservedlow and
net.inet.ip.portrange.reservedhigh
to zero.See the examples below or review the &man.mac.portacl.4;
manual page for further information.ExamplesThe following examples should illuminate the above
discussion a little better:&prompt.root; sysctl security.mac.portacl.port_high=1023
&prompt.root; sysctl net.inet.ip.portrange.reservedlow=0 net.inet.ip.portrange.reservedhigh=0First we set &man.mac.portacl.4; to cover the standard
privileged ports and disable the normal &unix; bind
restrictions.&prompt.root; sysctl security.mac.portacl.suser_exempt=1The root user should not be crippled
by this policy, thus set the
security.mac.portacl.suser_exempt to a
non-zero value. The &man.mac.portacl.4; module
has now been set up to behave the same way &unix;-like systems
behave by default.&prompt.root; sysctl security.mac.portacl.rules=uid:80:tcp:80Allow the user with UID 80 (normally
the www user) to bind to port 80.
This can be used to allow the www
user to run a web server without ever having
root privilege.&prompt.root; sysctl security.mac.portacl.rules=uid:1001:tcp:110,uid:1001:tcp:995Permit the user with the UID of
1001 to bind to the TCP ports 110
(pop3) and 995 (pop3s).
This will permit this user to start a server that accepts
connections on ports 110 and 995.MAC Policies with Labeling FeaturesThe next few sections will discuss MAC
policies which use labels.From here on this chapter will focus on the features
of &man.mac.biba.4;, &man.mac.lomac.4;,
&man.mac.partition.4;, and &man.mac.mls.4;.This is an example configuration only and should not be
considered for a production implementation. The goal is
to document and show the syntax as well as examples for
implementation and testing.For these policies to work correctly several
preparations must be made.Preparation for Labeling PoliciesThe following changes are required in the
login.conf file:An insecure class, or another
class of similar type, must be
added. The login class of insecure
is not required and just used as an example here; different
configurations may use another class name.The insecure class should have
the following settings and definitions. Several of these
can be altered but the line which defines the default
label is a requirement and must remain.insecure:\
:copyright=/etc/COPYRIGHT:\
:welcome=/etc/motd:\
:setenv=MAIL=/var/mail/$,BLOCKSIZE=K:\
:path=~/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:\
:manpath=/usr/share/man /usr/local/man:\
:nologin=/usr/sbin/nologin:\
:cputime=1h30m:\
:datasize=8M:\
:vmemoryuse=100M:\
:stacksize=2M:\
:memorylocked=4M:\
:memoryuse=8M:\
:filesize=8M:\
:coredumpsize=8M:\
:openfiles=24:\
:maxproc=32:\
:priority=0:\
:requirehome:\
:passwordtime=91d:\
:umask=022:\
:ignoretime@:\
:label=partition/13,mls/5,biba/low:The &man.cap.mkdb.1; command needs to be ran on
&man.login.conf.5; before any of the
users can be switched over to the new class.The root should also be placed
into a login class; otherwise, almost every command
executed by root will require the
use of setpmac.Rebuilding the login.conf
database may cause some errors later with the daemon
class. Simply uncommenting the daemon account and
rebuilding the database should alleviate these
issues.Ensure that all partitions on which
MAC labeling will be implemented support
the . We must do this because
many of the examples here contain different labels for
testing purposes. Review the output from the
mount command as a precautionary
measure.Switch any users who will have the higher security
mechanisms enforced over to the new user class. A quick
run of &man.pw.8; or &man.vipw.8; should do the
trick.The MAC partition ModuleMAC Process Partition PolicyModule name: mac_partition.koKernel configuration line:
options MAC_PARTITIONBoot option:
mac_partition_load="YES"The &man.mac.partition.4; policy will drop processes into
specific partitions based on their
MAC label. Think of it as a special
type of &man.jail.8;, though that is hardly a worthy
comparison.This is one module that should be added to the
&man.loader.conf.5; file so that it loads
and enables the policy during the boot process.Most configuration for this policy is done using
the &man.setpmac.8; utility which will be explained below.
The following sysctl tunable is
available for this policy:security.mac.partition.enabled will
enable the enforcement of MAC process
partitions.When this policy is enabled, users will only be permitted
to see their processes but will not be permitted to work with
certain utilities. For instance, a user in the
insecure class above will not be permitted
to access the top command as well as many
other commands that must spawn a process.To set or drop utilities into a partition label, use the
setpmac utility:&prompt.root; setpmac partition/13 topThis will add the top command to the
label set on users in the insecure class.
Note that all processes spawned by users
in the insecure class will stay in the
partition/13 label.ExamplesThe following command will show you the partition label
and the process list:&prompt.root; ps ZaxThis next command will allow the viewing of another
user's process partition label and that user's currently
running processes:&prompt.root; ps -ZU trhodesUsers can see processes in root's
label unless the &man.mac.seeotheruids.4; policy is
loaded.A really crafty implementation could have all of the
services disabled in /etc/rc.conf and
started by a script that starts them with the proper
labeling set.The following policies support integer settings
in place of the three default labels offered. These options,
including their limitations, are further explained in
the module manual pages.The MAC Multi-Level Security ModuleMAC Multi-Level Security PolicyModule name: mac_mls.koKernel configuration line:
options MAC_MLSBoot option: mac_mls_load="YES"The &man.mac.mls.4; policy controls access between subjects
and objects in the system by enforcing a strict information
flow policy.In MLS environments, a
clearance level is set in each subject or objects
label, along with compartments. Since these clearance or
sensibility levels can reach numbers greater than six thousand;
it would be a daunting task for any system administrator to
thoroughly configure each subject or object. Thankfully, three
instant labels are already included in this
policy.These labels are mls/low,
mls/equal and mls/high.
Since these labels are described in depth in the manual page,
they will only get a brief description here:The mls/low label contains a low
configuration which permits it to be dominated by all other
objects. Anything labeled with mls/low
will have a low clearance level and not be permitted to access
information of a higher level. In addition, this label will
prevent objects of a higher clearance level from writing or
passing information on to them.The mls/equal label should be
placed on objects considered to be exempt from the
policy.The mls/high label is the highest level
of clearance possible. Objects assigned this label will
hold dominance over all other objects in the system; however,
they will not permit the leaking of information to objects
of a lower class.MLS provides for:A hierarchical security level with a set of non
hierarchical categories;Fixed rules: no read up, no write down (a subject can
have read access to objects on its own level or below, but
not above. Similarly, a subject can have write access to
objects on its own level or above but not beneath.);Secrecy (preventing inappropriate disclosure
of data);Basis for the design of systems that concurrently handle
data at multiple sensitivity levels (without leaking
information between secret and confidential).The following sysctl tunables are
available for the configuration of special services and
interfaces:security.mac.mls.enabled is used to
enable/disable the MLS policy.security.mac.mls.ptys_equal will label
all &man.pty.4; devices as mls/equal during
creation.security.mac.mls.revocation_enabled is
used to revoke access to objects after their label changes
to a label of a lower grade.security.mac.mls.max_compartments is
used to set the maximum number of compartment levels with
objects; basically the maximum compartment number allowed
on a system.To manipulate the MLS labels, the
&man.setfmac.8; command has been provided. To assign a label
to an object, issue the following command:&prompt.root; setfmac mls/5 testTo get the MLS label for the file
test issue the following command:&prompt.root; getfmac testThis is a summary of the MLS
policy's features. Another approach is to create a master policy
- file in /etc which
+ file in /etc which
specifies the MLS policy information and to
feed that file into the setfmac command. This
method will be explained after all policies are covered.Observations: an object with lower clearance is unable to
observe higher clearance processes. A basic policy would be
to enforce mls/high on everything not to be
read, even if it needs to be written. Enforce
mls/low on everything not to be written, even
if it needs to be read. And finally enforce
mls/equal on the rest. All users marked
insecure should be set at
mls/low.The MAC Biba ModuleMAC Biba Integrity PolicyModule name: mac_biba.koKernel configuration line: options MAC_BIBABoot option: mac_biba_load="YES"The &man.mac.biba.4; module loads the MAC
Biba policy. This policy works much like that of the
MLS policy with the exception that the rules
for information flow
are slightly reversed. This is said to prevent the downward
flow of sensitive information whereas the MLS
policy prevents the upward flow of sensitive information; thus,
much of this section can apply to both policies.In Biba environments, an integrity label is
set on each subject or object. These labels are made up of
hierarchal grades, and non-hierarchal components. As an object's
or subject's grade ascends, so does its integrity.Supported labels are biba/low,
biba/equal, and biba/high;
as explained below:The biba/low label is considered the
lowest integrity an object or subject may have. Setting
this on objects or subjects will block their write access
to objects or subjects marked high. They still have read
access though.The biba/equal label should only be
placed on objects considered to be exempt from the
policy.The biba/high label will permit
writing to objects set at a lower label but not
permit reading that object. It is recommended that this
label be placed on objects that affect the integrity of
the entire system.Biba provides for:Hierarchical integrity level with a set of non
hierarchical integrity categories;Fixed rules: no write up, no read down (opposite of
MLS). A subject can have write access
to objects on its own level or below, but not above. Similarly, a
subject can have read access to objects on its own level
or above, but not below;Integrity (preventing inappropriate modification of
data);Integrity levels (instead of MLS sensitivity
levels).The following sysctl tunables can
be used to manipulate the Biba policy.security.mac.biba.enabled may be used
to enable/disable enforcement of the Biba policy on the
target machine.security.mac.biba.ptys_equal may be
used to disable the Biba policy on &man.pty.4;
devices.security.mac.biba.revocation_enabled
will force the revocation of access to objects if the label
is changed to dominate the subject.To access the Biba policy setting on system objects, use
the setfmac and getfmac
commands:&prompt.root; setfmac biba/low test
&prompt.root; getfmac test
test: biba/lowObservations: a lower integrity subject is unable to write
to a higher integrity subject; a higher integrity subject cannot
observe or read a lower integrity object.The MAC LOMAC ModuleMAC LOMACModule name: mac_lomac.koKernel configuration line: options MAC_LOMACBoot option: mac_lomac_load="YES"Unlike the MAC Biba policy, the
&man.mac.lomac.4; policy permits access to lower integrity
objects only after decreasing the integrity level to not disrupt
any integrity rules.The MAC version of the Low-watermark
integrity policy, not to be confused with the older &man.lomac.4;
implementation, works almost identically to Biba but with the
exception of using floating labels to support subject
demotion via an auxiliary grade compartment. This secondary
compartment takes the form of [auxgrade].
When assigning a lomac policy with an auxiliary grade, it
should look a little bit like: lomac/10[2]
where the number two (2) is the auxiliary grade.The MAC LOMAC policy relies on the
ubiquitous labeling of all system objects with integrity labels,
permitting subjects to read from low integrity objects and then
downgrading the label on the subject to prevent future writes to
high integrity objects. This is the
[auxgrade] option discussed above, thus the
policy may provide for greater compatibility and require less
initial configuration than Biba.ExamplesLike the Biba and MLS policies;
the setfmac and setpmac
utilities may be used to place labels on system objects:&prompt.root; setfmac /usr/home/trhodes lomac/high[low]
&prompt.root; getfmac /usr/home/trhodes lomac/high[low]Notice the auxiliary grade here is low,
this is a feature provided only by the MAC
LOMAC policy.Implementing a Secure Environment with MACMAC Example ImplementationThe following demonstration will implement a secure
environment using various MAC modules
with properly configured policies. This is only a test and
should not be considered the complete answer to everyone's
security woes. Just implementing a policy and ignoring it
never works and could be disastrous in a production
environment.Before beginning this process, the
multilabel option must be set on each file
system as stated at the beginning of this chapter. Not doing
so will result in errors.Create an insecure User ClassBegin the procedure by adding the following user class
to the /etc/login.conf file:insecure:\
:copyright=/etc/COPYRIGHT:\
:welcome=/etc/motd:\
:setenv=MAIL=/var/mail/$,BLOCKSIZE=K:\
:path=~/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin
:manpath=/usr/share/man /usr/local/man:\
:nologin=/usr/sbin/nologin:\
:cputime=1h30m:\
:datasize=8M:\
:vmemoryuse=100M:\
:stacksize=2M:\
:memorylocked=4M:\
:memoryuse=8M:\
:filesize=8M:\
:coredumpsize=8M:\
:openfiles=24:\
:maxproc=32:\
:priority=0:\
:requirehome:\
:passwordtime=91d:\
:umask=022:\
:ignoretime@:\
:label=partition/13,mls/5:And adding the following line to the default user
class::label=mls/equal,biba/equal,partition/equal:Once this is completed, the following command must be
issued to rebuild the database:&prompt.root; cap_mkdb /etc/login.confBoot with the Correct ModulesAdd the following lines to
/boot/loader.conf so the required
modules will load during system initialization:mac_biba_load="YES"
mac_mls_load="YES"
mac_seeotheruids_load="YES"
mac_partition_load="YES"Set All Users to InsecureAll user accounts that are not root
or system users will now require a login class. The login
class is required otherwise users will be refused access
to common commands such as &man.vi.1;.
The following sh script should do the
trick:&prompt.root; for x in `awk -F: '($3 >= 1001) && ($3 != 65534) { print $1 }' \/etc/passwd`; do pw usermod $x -L insecure; done;The cap_mkdb command will need to be
run on /etc/master.passwd after this
change.Complete the ConfigurationA contexts file should now be created; the following
example was taken from Robert Watson's example policy and
should be placed in
/etc/policy.contexts.# This is the default BIBA/MLS policy for this system.
.* biba/high,mls/high
/sbin/dhclient biba/high(low),mls/high(low)
/dev(/.*)? biba/equal,mls/equal
# This is not an exhaustive list of all "privileged" devices.
/dev/mdctl biba/high,mls/high
/dev/pci biba/high,mls/high
/dev/k?mem biba/high,mls/high
/dev/io biba/high,mls/high
/dev/agp.* biba/high,mls/high
(/var)?/tmp(/.*)? biba/equal,mls/equal
/tmp/\.X11-unix biba/high(equal),mls/high(equal)
/tmp/\.X11-unix/.* biba/equal,mls/equal
/proc(/.*)? biba/equal,mls/equal
/mnt.* biba/low,mls/low
(/usr)?/home biba/high(low),mls/high(low)
(/usr)?/home/.* biba/low,mls/low
/var/mail(/.*)? biba/low,mls/low
/var/spool/mqueue(/.*)? biba/low,mls/low
(/mnt)?/cdrom(/.*)? biba/high,mls/high
(/usr)?/home/(ftp|samba)(/.*)? biba/high,mls/high
/var/log/sendmail\.st biba/low,mls/low
/var/run/utmp biba/equal,mls/equal
/var/log/(lastlog|wtmp) biba/equal,mls/equalThis policy will enforce security by setting restrictions
on both the downward and upward flow of information with
regards to the directories and utilities listed on the
left.This can now be read into our system by issuing the
following command:&prompt.root; setfsmac -ef /etc/policy.contexts /
&prompt.root; setfsmac -ef /etc/policy.contexts /usrThe above file system layout may be different depending
on environment.The /etc/mac.conf file requires
the following modifications in the main section:default_labels file ?biba,?mls
default_labels ifnet ?biba,?mls
default_labels process ?biba,?mls,?partition
default_labels socket ?biba,?mlsTesting the ConfigurationMAC Configuration TestingAdd a user with the adduser command
and place that user in the insecure
class for these tests.The examples below will show a mix of
root and regular user tests; use the
prompt to distinguish between the two.Basic Labeling Tests&prompt.user; getpmac
biba/15(15-15),mls/15(15-15),partition/15
&prompt.root; setpmac partition/15,mls/equal topThe top process will be killed before we start
another top process.MAC Seeotheruids Tests&prompt.user; ps Zax
biba/15(15-15),mls/15(15-15),partition/15 1096 #C: S 0:00.03 -su (bash)
biba/15(15-15),mls/15(15-15),partition/15 1101 #C: R+ 0:00.01 ps ZaxWe should not be permitted to see any processes
owned by other users.MAC Partition TestDisable the MAC
seeotheruids policy for the rest of these
tests:&prompt.root; sysctl security.mac.seeotheruids.enabled=0
&prompt.user; ps Zax
LABEL PID TT STAT TIME COMMAND
biba/equal(low-high),mls/equal(low-high),partition/15 1122 #C: S+ 0:00.02 top
biba/15(15-15),mls/15(15-15),partition/15 1096 #C: S 0:00.05 -su (bash)
biba/15(15-15),mls/15(15-15),partition/15 1123 #C: R+ 0:00.01 ps ZaxAll users should be permitted to see every process in
their partition.Testing Biba and MLS Labels&prompt.root; setpmac partition/15,mls/equal,biba/high\(high-high\) top
&prompt.user; ps Zax
LABEL PID TT STAT TIME COMMAND
biba/high(high-high),mls/equal(low-high),partition/15 1251 #C: S+ 0:00.02 top
biba/15(15-15),mls/15(15-15),partition/15 1096 #C: S 0:00.06 -su (bash)
biba/15(15-15),mls/15(15-15),partition/15 1157 #C: R+ 0:00.00 ps ZaxThe Biba policy allows us to read higher-labeled
objects.&prompt.root; setpmac partition/15,mls/equal,biba/low top
&prompt.user; ps Zax
LABEL PID TT STAT TIME COMMAND
biba/15(15-15),mls/15(15-15),partition/15 1096 #C: S 0:00.07 -su (bash)
biba/15(15-15),mls/15(15-15),partition/15 1226 #C: R+ 0:00.01 ps ZaxThe Biba policy does not allow lower-labeled objects
to be read; however, MLS does.&prompt.user; ifconfig bge0 | grep maclabel
maclabel biba/low(low-low),mls/low(low-low)
&prompt.user; ping -c 1 192.0.34.166
PING 192.0.34.166 (192.0.34.166): 56 data bytes
ping: sendto: Permission deniedUsers are unable to ping
example.com, or any domain
for that matter.To prevent this error from occurring, run the following
command:&prompt.root; sysctl security.mac.biba.trust_all_interfaces=1This sets the default interface label to insecure mode,
so the default Biba policy label will not be enforced.&prompt.root; ifconfig bge0 maclabel biba/equal\(low-high\),mls/equal\(low-high\)
&prompt.user; ping -c 1 192.0.34.166
PING 192.0.34.166 (192.0.34.166): 56 data bytes
64 bytes from 192.0.34.166: icmp_seq=0 ttl=50 time=204.455 ms
--- 192.0.34.166 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/stddev = 204.455/204.455/204.455/0.000 msBy setting a more correct label, we can issue
ping requests.Now to create a few files for some read and write
testing procedures:&prompt.root; touch test1 test2 test3 test4 test5
&prompt.root; getfmac test1
test1: biba/equal,mls/equal
&prompt.root; setfmac biba/low test1 test2; setfmac biba/high test4 test5; \
setfmac mls/low test1 test3; setfmac mls/high test2 test4
&prompt.root; setfmac mls/equal,biba/equal test3 && getfmac test?
test1: biba/low,mls/low
test2: biba/low,mls/high
test3: biba/equal,mls/equal
test4: biba/high,mls/high
test5: biba/high,mls/equal
&prompt.root; chown testuser:testuser test?All of these files should now be owned by our
testuser user. And now for some read
tests:&prompt.user; ls
test1 test2 test3 test4 test5
&prompt.user; ls test?
ls: test1: Permission denied
ls: test2: Permission denied
ls: test4: Permission denied
test3 test5We should not be permitted to observe pairs; e.g.:
(biba/low,mls/low),
(biba/low,mls/high) and
(biba/high,mls/high). And of course,
read access should be denied. Now for some write
tests:&prompt.user; for i in `echo test*`; do echo 1 > $i; done
-su: test1: Permission denied
-su: test4: Permission denied
-su: test5: Permission deniedLike with the read tests, write access should not be
permitted to write pairs; e.g.:
(biba/low,mls/high) and
(biba/equal,mls/equal).&prompt.user; cat test?
cat: test1: Permission denied
cat: test2: Permission denied
1
cat: test4: Permission deniedAnd now as root:&prompt.root; cat test2
1Another Example: Using MAC to Constrain a Web ServerA separate location for the web data which users
must be capable of accessing will be appointed. This
will permit biba/high processes access
rights to the web data.Begin by creating a directory to store the web
data in:&prompt.root; mkdir /usr/home/cvsNow initialize it with cvs:&prompt.root; cvs -d /usr/home/cvs initThe first goal is to enable the biba
policy, thus the mac_biba_enable="YES"
should be placed in
/boot/loader.conf. This assumes
that support for MAC has been enabled
in the kernel.From this point on everything in the system should
be set at biba/high by default.The following modification must be made to the
login.conf file, under the default
user class::ignoretime@:\
:umask=022:\
:label=biba/high:Every user should now be placed in the default class;
a command such as:&prompt.root; for x in `awk -F: '($3 >= 1001) && ($3 != 65534) { print $1 }' \/etc/passwd`; do pw usermod $x -L default; done;will accomplish this task in a few moments.Now create another class, web, a copy of default,
with the label setting of biba/low.Create a user who will be used to work with the
main web data stored in a cvs
repository. This user must be placed in our new login
class, web.Since the default is biba/high
everywhere, the repository will be the same. The web data must
also be the same for users to have read/write access to it;
however, since our web server will be serving data that
biba/high users must access, we will need to
downgrade the data as a whole.The perfect tools for this are &man.sh.1; and
&man.cron.8; and are already provided in &os;. The following
script should do everything we want:PATH=/bin:/usr/bin:/usr/local/bin; export PATH;
CVSROOT=/home/repo; export CVSROOT;
cd /home/web;
cvs -qR checkout -P htdocs;
exit;In many cases the cvs
Id tags must be placed into the web
site data files.This script may now be placed into
web's home directory and the following
&man.crontab.1; entry added:# Check out the web data as biba/low every twelve hours:
0 */12 * * * web /home/web/checkout.shThis will check out the HTML sources
every twelve hours on the machine.The default startup method for the web server must also be
modified to start the process as biba/low.
This can be done by making the following modification to the
/usr/local/etc/rc.d/apache.sh
script:command="setpmac biba/low /usr/local/sbin/httpd"The Apache configuration must be
altered to work with the biba/low policy. In
this case the software must be configured to append to the
log files in a directory set at biba/low
or else access denied errors will be
returned.Following this example requires that the
docroot directive be set to
/home/web/htdocs; otherwise,
Apache will fail when trying
to locate the directory to serve documents from.Other configuration variables must be altered as well,
including the PID file,
Scoreboardfile,
DocumentRoot, log file locations, or any
other variable which requires write access.
When using biba, all write access will be
denied to the server in areas not set at
biba/low.Troubleshooting the MAC FrameworkMAC TroubleshootingDuring the development stage, a few users reported problems
with normal configuration. Some of these problems
are listed below:The option cannot be enabled on
/The flag does not stay
enabled on my root (/) partition!It seems that one out of every fifty users has this
problem, indeed, we had this problem during our initial
configuration. Further observation of this so called
bug has lead me to believe that it is a
result of either incorrect documentation or misinterpretation
of the documentation. Regardless of why it happened, the
following steps may be taken to resolve it:Edit /etc/fstab and set the root
partition at for read-only.Reboot into single user mode.Run tunefs
on /.Reboot the system into normal mode.Run mount/ and change the
back to in /etc/fstab
and reboot the system again.Double-check the output from the
mount to ensure that
has been properly set on the
root file system.Cannot start &xfree86; after MACAfter establishing a secure environment with
MAC, I am no longer able to start
&xfree86;!This could be caused by the MAC
partition policy or by a mislabeling in
one of the MAC labeling policies. To
debug, try the following:Check the error message; if the user is in the
insecure class, the
partition policy may be the culprit.
Try setting the user's class back to the
default class and rebuild the database
with the cap_mkdb command. If this
does not alleviate the problem, go to step two.Double-check the label policies. Ensure that the
policies are set correctly for the user in question, the
&xfree86; application, and
- the /dev
+ the /dev
entries.If neither of these resolve the problem, send the
error message and a description of your environment to
the TrustedBSD discussion lists located at the
TrustedBSD
website or to the &a.questions;
mailing list.Error: &man..secure.path.3; cannot stat .login_confWhen I attempt to switch from the root
to another user in the system, the error message
_secure_path: unable to state .login_conf.This message is usually shown when the user has a higher
label setting then that of the user whom they are attempting to
become. For instance a user on the system,
joe, has a default label of
. The root user,
who has a label of , cannot view
joe's home directory. This will happen
regardless if root has used the
su command to become joe,
or not. In this scenario, the Biba integrity model will not
permit root to view objects set at a lower
integrity level.The root username is broken!In normal or even single user mode, the
root is not recognized. The
whoami command returns 0 (zero) and
su returns who are you?.
What could be going on?This can happen if a labeling policy has been disabled,
either by a &man.sysctl.8; or the policy module was unloaded.
If the policy is being disabled or has been temporarily
disabled, then the login capabilities database needs to be
reconfigured with the option being
removed. Double check the login.conf
file to ensure that all options have
been removed and rebuild the database with the
cap_mkdb command.
diff --git a/en_US.ISO8859-1/books/handbook/mail/chapter.sgml b/en_US.ISO8859-1/books/handbook/mail/chapter.sgml
index fb01ea2f46..d23caf576f 100644
--- a/en_US.ISO8859-1/books/handbook/mail/chapter.sgml
+++ b/en_US.ISO8859-1/books/handbook/mail/chapter.sgml
@@ -1,2295 +1,2295 @@
BillLloydOriginal work by JimMockRewritten by Electronic MailSynopsisemailelectronic mailElectronic Mail, better known as email, is one of the
most widely used forms of communication today. This chapter provides
a basic introduction to running a mail server on &os;, as well as an
introduction to sending and receiving email using &os;; however,
it is not a complete reference and in fact many important
considerations are omitted. For more complete coverage of the
subject, the reader is referred to the many excellent books listed
in .After reading this chapter, you will know:What software components are involved in sending and receiving
electronic mail.Where basic sendmail configuration
files are located in FreeBSD.The difference between remote and
local mailboxes.How to block spammers from illegally using your mail server as a
relay.How to install and configure an alternate Mail Transfer Agent on
your system, replacing sendmail.How to troubleshoot common mail server problems.How to use SMTP with UUCP.How to set up the system to send mail only.How to use mail with a dialup connection.How to configure SMTP Authentication for added security.How to install and use a Mail User Agent, such as
mutt to send and receive email.How to download your mail from a remote POP
or IMAP server.How to automatically apply filters and rules to incoming
email.Before reading this chapter, you should:Properly set up your network connection
().Properly set up the DNS information for your mail host
().Know how to install additional third-party software
().Using Electronic MailPOPIMAPDNSThere are five major parts involved in an email exchange. They
are: the user program, the server daemon, DNS, a
remote or local mailbox, and of course, the
mailhost itself.The User ProgramThis includes command line programs such as
mutt,
pine, elm,
and mail, and GUI programs such as
balsa,
xfmail to name a few, and something
more sophisticated like a WWW browser. These
programs simply pass off the email transactions to the local
mailhost, either
by calling one of the server
daemons available, or delivering it over TCP.Mailhost Server Daemonmail server daemonssendmailmail server daemonspostfixmail server daemonsqmailmail server daemonsexim&os; ships with sendmail by
default, but also support numerous other mail server daemons,
just some of which include:exim;postfix;qmail.The server daemon usually has two functions—it is responsible
for receiving incoming mail as well as delivering outgoing mail. It is
not responsible for the collection of mail using protocols
such as POP or IMAP to
read your email, nor does it allow connecting to local
mbox or Maildir mailboxes. You may require
an additional daemon for
that.Older versions of sendmail
have some serious security issues which may result in an
attacker gaining local and/or remote access to your machine.
Make sure that you are running a current version to avoid
these problems. Optionally, install an alternative
MTA from the &os;
Ports Collection.Email and DNSThe Domain Name System (DNS) and its daemon
named play a large role in the delivery of
email. In order to deliver mail from your site to another, the
server daemon will look up the remote site in the DNS to determine the
host that will receive mail for the destination. This process
also occurs when mail is sent from a remote host to your mail
server.MX recordDNS is responsible for mapping
hostnames to IP addresses, as well as for storing information
specific to mail delivery, known as MX records. The MX (Mail
eXchanger) record specifies which host, or hosts, will receive
mail for a particular domain. If you do not have an MX record
for your hostname or domain, the mail will be delivered
directly to your host provided you have an A record pointing
your hostname to your IP address.You may view the MX records for any domain by using the
&man.host.1; command, as seen in the example below:&prompt.user; host -t mx FreeBSD.org
FreeBSD.org mail is handled (pri=10) by mx1.FreeBSD.orgReceiving MailemailreceivingReceiving mail for your domain is done by the mail host. It
will collect all mail sent to your domain and store it
either in mbox (the default method for storing mail) or Maildir format, depending
on your configuration.
Once mail has been stored, it may either be read locally using
applications such as &man.mail.1; or
mutt, or remotely accessed and
collected using protocols such as
POP or IMAP.
This means that should you only
wish to read mail locally, you are not required to install a
POP or IMAP server.Accessing remote mailboxes using POP and IMAPPOPIMAPIn order to access mailboxes remotely, you are required to
have access to a POP or IMAP
server. These protocols allow users to connect to their mailboxes from
remote locations with ease. Though both
POP and IMAP allow users
to remotely access mailboxes, IMAP offers
many advantages, some of which are:IMAP can store messages on a remote
server as well as fetch them.IMAP supports concurrent updates.IMAP can be extremely useful over
low-speed links as it allows users to fetch the structure
of messages without downloading them; it can also
perform tasks such as searching on the server in
order to minimize data transfer between clients and
servers.In order to install a POP or
IMAP server, the following steps should be
performed:Choose an IMAP or
POP server that best suits your needs.
The following POP and
IMAP servers are well known and serve
as some good examples:qpopper;teapop;imap-uw;courier-imap;Install the POP or
IMAP daemon of your choosing from the
ports
collection.Where required, modify /etc/inetd.conf
to load the POP or
IMAP server.It should be noted that both POP and
IMAP transmit information, including
username and password credentials in clear-text. This means
that if you wish to secure the transmission of information
across these protocols, you should consider tunneling
sessions over &man.ssh.1;. Tunneling sessions is
described in .Accessing local mailboxesMailboxes may be accessed locally by directly utilizing
MUAs on the server on which the mailbox
resides. This can be done using applications such as
mutt or &man.mail.1;.
The Mail Hostmail hostThe mail host is the name given to a server that is
responsible for delivering and receiving mail for your host, and
possibly your network.ChristopherShumwayContributed by sendmail Configurationsendmail&man.sendmail.8; is the default Mail Transfer Agent (MTA) in
FreeBSD. sendmail's job is to accept
mail from Mail User Agents (MUA) and deliver it
to the appropriate mailer as defined by its configuration file.
sendmail can also accept network
connections and deliver mail to local mailboxes or deliver it to
another program.sendmail uses the following
configuration files:/etc/mail/access/etc/mail/aliases/etc/mail/local-host-names/etc/mail/mailer.conf/etc/mail/mailertable/etc/mail/sendmail.cf/etc/mail/virtusertableFilenameFunction/etc/mail/accesssendmail access database
file/etc/mail/aliasesMailbox aliases/etc/mail/local-host-namesLists of hosts sendmail
accepts mail for/etc/mail/mailer.confMailer program configuration/etc/mail/mailertableMailer delivery table/etc/mail/sendmail.cfsendmail master
configuration file/etc/mail/virtusertableVirtual users and domain tables/etc/mail/accessThe access database defines what host(s) or IP addresses
have access to the local mail server and what kind of access
they have. Hosts can be listed as ,
, or simply passed
to sendmail's error handling routine with a given mailer error.
Hosts that are listed as , which is the
default, are allowed to send mail to this host as long as the
mail's final destination is the local machine. Hosts that are
listed as are rejected for all mail
connections. Hosts that have the option
for their hostname are allowed to send mail for any destination
through this mail server.Configuring the sendmail
Access Databasecyberspammer.com 550 We don't accept mail from spammers
FREE.STEALTH.MAILER@ 550 We don't accept mail from spammers
another.source.of.spam REJECT
okay.cyberspammer.com OK
128.32 RELAYIn this example we have five entries. Mail senders that
match the left hand side of the table are affected by the action
on the right side of the table. The first two examples give an
error code to sendmail's error
handling routine. The message is printed to the remote host when
a mail matches the left hand side of the table. The next entry
rejects mail from a specific host on the Internet,
another.source.of.spam. The next entry accepts
mail connections from a host
okay.cyberspammer.com, which is more exact than
the cyberspammer.com line above. More specific
matches override less exact matches. The last entry allows
relaying of electronic mail from hosts with an IP address that
begins with 128.32. These hosts would be able
to send mail through this mail server that are destined for other
mail servers.When this file is updated, you need to run
make in /etc/mail/ to
update the database./etc/mail/aliasesThe aliases database contains a list of virtual mailboxes
that are expanded to other user(s), files, programs or other
aliases. Here are a few examples that can be used in
/etc/mail/aliases:Mail Aliasesroot: localuser
ftp-bugs: joe,eric,paul
bit.bucket: /dev/null
procmail: "|/usr/local/bin/procmail"The file format is simple; the mailbox name on the left
side of the colon is expanded to the target(s) on the right.
The
first example simply expands the mailbox root
to the mailbox localuser, which is then
looked up again in the aliases database. If no match is found,
then the message is delivered to the local user
localuser. The next example shows a mail
list. Mail to the mailbox ftp-bugs is
expanded to the three local mailboxes joe,
eric, and paul. Note
that a remote mailbox could be specified as user@example.com. The
next example shows writing mail to a file, in this case
/dev/null. The last example shows sending
mail to a program, in this case the mail message is written to the
standard input of /usr/local/bin/procmail
through a &unix; pipe.When this file is updated, you need to run
make in /etc/mail/ to
update the database./etc/mail/local-host-namesThis is a list of hostnames &man.sendmail.8; is to accept as
the local host name. Place any domains or hosts that
sendmail is to be receiving mail for.
For example, if this mail server was to accept mail for the
domain example.com and the host
mail.example.com, its
local-host-names might look something like
this:example.com
mail.example.comWhen this file is updated, &man.sendmail.8; needs to be
restarted to read the changes./etc/mail/sendmail.cfsendmail's master configuration
file, sendmail.cf controls the overall
behavior of sendmail, including everything
from rewriting e-mail addresses to printing rejection messages to
remote mail servers. Naturally, with such a diverse role, this
configuration file is quite complex and its details are a bit
out of the scope of this section. Fortunately, this file rarely
needs to be changed for standard mail servers.The master sendmail configuration
file can be built from &man.m4.1; macros that define the features
and behavior of sendmail. Please see
/usr/src/contrib/sendmail/cf/README for
some of the details.When changes to this file are made,
sendmail needs to be restarted for
the changes to take effect./etc/mail/virtusertableThe virtusertable maps mail addresses for
virtual domains and
mailboxes to real mailboxes. These mailboxes can be local,
remote, aliases defined in
/etc/mail/aliases or files.Example Virtual Domain Mail Maproot@example.com root
postmaster@example.com postmaster@noc.example.net
@example.com joeIn the above example, we have a mapping for a domain
example.com. This file is processed in a
first match order down the file. The first item maps
root@example.com to the local mailbox root. The next entry maps
postmaster@example.com to the mailbox postmaster on the host
noc.example.net. Finally, if nothing from example.com has
matched so far, it will match the last mapping, which matches
every other mail message addressed to someone at
example.com.
This will be mapped to the local mailbox joe.AndrewBoothmanWritten by GregoryNeil ShapiroInformation taken from e-mails written by Changing Your Mail Transfer Agentemailchange mtaAs already mentioned, FreeBSD comes with
sendmail already installed as your
MTA (Mail Transfer Agent). Therefore by default it is
in charge of your outgoing and incoming mail.However, for a variety of reasons, some system
administrators want to change their system's MTA. These
reasons range from simply wanting to try out another MTA to
needing a specific feature or package which relies on another
mailer. Fortunately, whatever the reason, FreeBSD makes it
easy to make the change.Install a New MTAYou have a wide choice of MTAs available. A good
starting point is the
FreeBSD Ports Collection where
you will be able to find many. Of course you are free to use
any MTA you want from any location, as long as you can make
it run under FreeBSD.Start by installing your new MTA. Once it is installed
it gives you a chance to decide if it really fulfills your
needs, and also gives you the opportunity to configure your
new software before getting it to take over from
sendmail. When doing this, you
should be sure that installing the new software will not attempt
to overwrite system binaries such as
/usr/bin/sendmail. Otherwise, your new
mail software has essentially been put into service before
you have configured it.Please refer to your chosen MTA's documentation for
information on how to configure the software you have
chosen.Disable sendmailThe procedure used to start
sendmail changed significantly
between 4.5-RELEASE and 4.6-RELEASE. Therefore, the procedure
used to disable it is subtly different.FreeBSD 4.5-STABLE before 2002/4/4 and Earlier
(Including 4.5-RELEASE and Earlier)Enter:sendmail_enable="NO"into /etc/rc.conf. This will disable
sendmail's incoming mail service,
but if /etc/mail/mailer.conf (see below)
is not changed, sendmail will
still be used to send e-mail.FreeBSD 4.5-STABLE after 2002/4/4
(Including 4.6-RELEASE and Later)In order to completely disable
sendmail you must usesendmail_enable="NONE"in /etc/rc.conf.If you disable sendmail's
outgoing mail service in this way, it is important that you
replace it with a fully working alternative mail delivery
system. If you choose not to, system functions such as
&man.periodic.8; will be unable to deliver their results by
e-mail as they would normally expect to. Many parts of your
system may expect to have a functional
sendmail-compatible system. If
applications continue to use
sendmail's binaries to try to send
e-mail after you have disabled them, mail could go into an
inactive sendmail queue, and never be delivered.If you only want to disable
sendmail's incoming mail service,
you should setsendmail_enable="NO"in /etc/rc.conf. More information on
sendmail's startup options is
available from the &man.rc.sendmail.8; manual page.Running Your New MTA on BootYou may have a choice of two methods for running your
new MTA on boot, again depending on what version of FreeBSD
you are running.FreeBSD 4.5-STABLE before 2002/4/11
(Including 4.5-RELEASE and Earlier)Add a script to
/usr/local/etc/rc.d/ that
ends in .sh and is executable by
root. The script should accept start and
stop parameters. At startup time the
system scripts will execute the command/usr/local/etc/rc.d/supermailer.sh startwhich you can also use to manually start the server. At
shutdown time, the system scripts will use the
stop option, running the command/usr/local/etc/rc.d/supermailer.sh stopwhich you can also use to manually stop the server
while the system is running.FreeBSD 4.5-STABLE after 2002/4/11
(Including 4.6-RELEASE and Later)With later versions of FreeBSD, you can use the
above method or you can setmta_start_script="filename"in /etc/rc.conf, where
filename is the name of some
script that you want executed at boot to start your
MTA.Replacing sendmail as
the System's Default MailerThe program sendmail is so ubiquitous
as standard software on &unix; systems that some software
just assumes it is already installed and configured.
For this reason, many alternative MTA's provide their own compatible
implementations of the sendmail
command-line interface; this facilitates using them as
drop-in replacements for sendmail.Therefore, if you are using an alternative mailer,
you will need to make sure that software trying to execute
standard sendmail binaries such as
/usr/bin/sendmail actually executes
your chosen mailer instead. Fortunately, FreeBSD provides
a system called &man.mailwrapper.8; that does this job for
you.When sendmail is operating as installed, you will
find something like the following
in /etc/mail/mailer.conf:sendmail /usr/libexec/sendmail/sendmail
send-mail /usr/libexec/sendmail/sendmail
mailq /usr/libexec/sendmail/sendmail
newaliases /usr/libexec/sendmail/sendmail
hoststat /usr/libexec/sendmail/sendmail
purgestat /usr/libexec/sendmail/sendmailThis means that when any of these common commands
(such as sendmail itself) are run,
the system actually invokes a copy of mailwrapper named sendmail, which
checks mailer.conf and
executes /usr/libexec/sendmail/sendmail
instead. This system makes it easy to change what binaries
are actually executed when these default sendmail functions
are invoked.Therefore if you wanted
/usr/local/supermailer/bin/sendmail-compat
to be run instead of sendmail, you could change
/etc/mail/mailer.conf to read:sendmail /usr/local/supermailer/bin/sendmail-compat
send-mail /usr/local/supermailer/bin/sendmail-compat
mailq /usr/local/supermailer/bin/mailq-compat
newaliases /usr/local/supermailer/bin/newaliases-compat
hoststat /usr/local/supermailer/bin/hoststat-compat
purgestat /usr/local/supermailer/bin/purgestat-compatFinishingOnce you have everything configured the way you want it, you should
either kill the sendmail processes that
you no longer need and start the processes belonging to your new
software, or simply reboot. Rebooting will also
give you the opportunity to ensure that you have correctly
configured your system to start your new MTA automatically on boot.TroubleshootingemailtroubleshootingWhy do I have to use the FQDN for hosts on my site?You will probably find that the host is actually in a
different domain; for example, if you are in
foo.bar.edu and you wish to reach
a host called mumble in the bar.edu domain, you will have to
refer to it by the fully-qualified domain name, mumble.bar.edu, instead of just
mumble.BINDTraditionally, this was allowed by BSD BIND resolvers.
However the current version of BIND
that ships with FreeBSD no longer provides default abbreviations
for non-fully qualified domain names other than the domain you
are in. So an unqualified host mumble must
either be found as mumble.foo.bar.edu, or it will be searched
for in the root domain.This is different from the previous behavior, where the
search continued across mumble.bar.edu, and mumble.edu. Have a look at RFC 1535
for why this was considered bad practice, or even a security
hole.As a good workaround, you can place the line:
search foo.bar.edu bar.edu
instead of the previous:
domain foo.bar.edu
into your /etc/resolv.conf. However, make
sure that the search order does not go beyond the
boundary between local and public administration,
as RFC 1535 calls it.MX recordsendmail says mail
loops back to myselfThis is answered in the
sendmail FAQ as follows:I'm getting these error messages:
553 MX list for domain.net points back to relay.domain.net
554 <user@domain.net>... Local configuration error
How can I solve this problem?
You have asked mail to the domain (e.g., domain.net) to be
forwarded to a specific host (in this case, relay.domain.net)
by using an MX record, but the relay machine does not recognize
itself as domain.net. Add domain.net to /etc/mail/local-host-names
[known as /etc/sendmail.cw prior to version 8.10]
(if you are using FEATURE(use_cw_file)) or add Cw domain.net
to /etc/mail/sendmail.cf.The sendmail FAQ can be found at
and is
recommended reading if you want to do any
tweaking of your mail setup.PPPHow can I run a mail server on a dial-up PPP host?You want to connect a FreeBSD box on a LAN to the
Internet. The FreeBSD box will be a mail gateway for the LAN.
The PPP connection is non-dedicated.UUCPMX recordThere are at least two ways to do this. One way is to use
UUCP.Another way is to get a full-time Internet server to provide secondary MX
services for your domain. For example, if your company's domain is
example.com and your Internet service provider has
set example.net up to provide secondary MX services
to your domain:example.com. MX 10 example.com.
MX 20 example.net.Only one host should be specified as the final recipient
(add Cw example.com in
/etc/mail/sendmail.cf on example.com).When the sending sendmail is trying to
deliver the mail it will try to connect to you (example.com) over the modem
link. It will most likely time out because you are not online.
The program sendmail will automatically deliver it to the
secondary MX site, i.e. your Internet provider (example.net). The secondary MX
site will then periodically try to connect to
your host and deliver the mail to the primary MX host (example.com).You might want to use something like this as a login
script:#!/bin/sh
# Put me in /usr/local/bin/pppmyisp
( sleep 60 ; /usr/sbin/sendmail -q ) &
/usr/sbin/ppp -direct pppmyispIf you are going to create a separate login script for a
user you could use sendmail -qRexample.com
instead in the script above. This will force all mail in your
queue for example.com to be processed immediately.A further refinement of the situation is as follows:Message stolen from the &a.isp;.> we provide the secondary MX for a customer. The customer connects to
> our services several times a day automatically to get the mails to
> his primary MX (We do not call his site when a mail for his domains
> arrived). Our sendmail sends the mailqueue every 30 minutes. At the
> moment he has to stay 30 minutes online to be sure that all mail is
> gone to the primary MX.
>
> Is there a command that would initiate sendmail to send all the mails
> now? The user has not root-privileges on our machine of course.
In the privacy flags section of sendmail.cf, there is a
definition Opgoaway,restrictqrun
Remove restrictqrun to allow non-root users to start the queue processing.
You might also like to rearrange the MXs. We are the 1st MX for our
customers like this, and we have defined:
# If we are the best MX for a host, try directly instead of generating
# local config error.
OwTrue
That way a remote site will deliver straight to you, without trying
the customer connection. You then send to your customer. Only works for
hosts, so you need to get your customer to name their mail
machine customer.com as well as
hostname.customer.com in the DNS. Just put an A record in
the DNS for customer.com.Why do I keep getting Relaying
Denied errors when sending mail from other
hosts?In default FreeBSD installations,
sendmail is configured to only
send mail from the host it is running on. For example, if
a POP server is available, then users
will be able to check mail from school, work, or other
remote locations but they still will not be able to send
outgoing emails from outside locations. Typically, a few
moments after the attempt, an email will be sent from
MAILER-DAEMON with a
5.7 Relaying Denied error
message.There are several ways to get around this. The most
straightforward solution is to put your ISP's address in
a relay-domains file at
/etc/mail/relay-domains. A quick way
to do this would be:&prompt.root; echo "your.isp.example.com" > /etc/mail/relay-domainsAfter creating or editing this file you must restart
sendmail. This works great if
you are a server administrator and do not wish to send mail
locally, or would like to use a point and click
client/system on another machine or even another ISP. It
is also very useful if you only have one or two email
accounts set up. If there is a large number of addresses
to add, you can simply open this file in your favorite
text editor and then add the domains, one per line:your.isp.example.com
other.isp.example.net
users-isp.example.org
www.example.orgNow any mail sent through your system, by any host in
this list (provided the user has an account on your
system), will succeed. This is a very nice way to allow
users to send mail from your system remotely without
allowing people to send SPAM through your system.Advanced TopicsThe following section covers more involved topics such as mail
configuration and setting up mail for your entire domain.Basic ConfigurationemailconfigurationOut of the box, you should be able to send email to external
hosts as long as you have set up
/etc/resolv.conf or are running your own
name server. If you would like to have mail for your host
delivered to the MTA (e.g., sendmail) on your own FreeBSD host, there are two methods:Run your own name server and have your own domain. For
example, FreeBSD.orgGet mail delivered directly to your host. This is done by
delivering mail directly to the current DNS name for your
machine. For example, example.FreeBSD.org.SMTPRegardless of which of the above you choose, in order to have
mail delivered directly to your host, it must have a permanent
static IP address (not a dynamic address, as with most PPP dial-up configurations). If you are behind a
firewall, it must pass SMTP traffic on to you. If you want to
receive mail directly at your host, you need to be sure of either of two
things:MX recordMake sure that the (lowest-numbered) MX record in your DNS points to your
host's IP address.Make sure there is no MX entry in your DNS for your
host.Either of the above will allow you to receive mail directly at
your host.Try this:&prompt.root; hostname
example.FreeBSD.org
&prompt.root; host example.FreeBSD.org
example.FreeBSD.org has address 204.216.27.XXIf that is what you see, mail directly to
yourlogin@example.FreeBSD.org should work without
problems (assuming sendmail is
running correctly on example.FreeBSD.org).If instead you see something like this:&prompt.root; host example.FreeBSD.org
example.FreeBSD.org has address 204.216.27.XX
example.FreeBSD.org mail is handled (pri=10) by hub.FreeBSD.orgAll mail sent to your host (example.FreeBSD.org) will end up being
collected on hub under the same username instead
of being sent directly to your host.The above information is handled by your DNS server. The DNS
record that carries mail routing information is the
Mail eXchange entry. If
no MX record exists, mail will be delivered directly to the host by
way of its IP address.The MX entry for freefall.FreeBSD.org at one time looked like
this:freefall MX 30 mail.crl.net
freefall MX 40 agora.rdrop.com
freefall MX 10 freefall.FreeBSD.org
freefall MX 20 who.cdrom.comAs you can see, freefall had many MX entries.
The lowest MX number is the host that receives mail directly if
available; if it is not accessible for some reason, the others
(sometimes called backup MXes) accept messages
temporarily, and pass it along when a lower-numbered host becomes
available, eventually to the lowest-numbered host.Alternate MX sites should have separate Internet connections
from your own in order to be most useful. Your ISP or another
friendly site should have no problem providing this service for
you.Mail for Your DomainIn order to set up a mailhost (a.k.a. mail
server) you need to have any mail sent to various workstations
directed to it. Basically, you want to claim any
mail for any hostname in your domain (in this case *.FreeBSD.org) and divert it to your mail
server so your users can receive their mail on
the master mail server.DNSTo make life easiest, a user account with the same
username should exist on both machines. Use
&man.adduser.8; to do this.The mailhost you will be using must be the designated mail
exchanger for each workstation on the network. This is done in
your DNS configuration like so:example.FreeBSD.org A 204.216.27.XX ; Workstation
MX 10 hub.FreeBSD.org ; MailhostThis will redirect mail for the workstation to the mailhost no
matter where the A record points. The mail is sent to the MX
host.You cannot do this yourself unless you are running a DNS
server. If you are not, or cannot run your own DNS server, talk
to your ISP or whoever provides your DNS.If you are doing virtual email hosting, the following
information will come in handy. For this example, we
will assume you have a customer with his own domain, in this
case customer1.org, and you want
all the mail for customer1.org
sent to your mailhost, mail.myhost.com. The entry in your DNS
should look like this:customer1.org MX 10 mail.myhost.comYou do not need an A record for customer1.org if you only
want to handle email for that domain.Be aware that pinging customer1.org will not work unless
an A record exists for it.The last thing that you must do is tell
sendmail on your mailhost what domains
and/or hostnames it should be accepting mail for. There are a few
different ways this can be done. Either of the following will
work:Add the hosts to your
/etc/mail/local-host-names file if you are using the
FEATURE(use_cw_file). If you are using
a version of sendmail earlier than 8.10, the file is
/etc/sendmail.cw.Add a Cwyour.host.com line to your
/etc/sendmail.cf or
/etc/mail/sendmail.cf if you are using
sendmail 8.10 or higher.SMTP with UUCPThe sendmail configuration that ships with FreeBSD is
designed for sites that connect directly to the Internet. Sites
that wish to exchange their mail via UUCP must install another
sendmail configuration file.Tweaking /etc/mail/sendmail.cf manually
is an advanced topic. sendmail version 8 generates config files
via &man.m4.1; preprocessing, where the actual configuration
occurs on a higher abstraction level. The &man.m4.1;
configuration files can be found under
/usr/src/usr.sbin/sendmail/cf.If you did not install your system with full sources, the
sendmail configuration set has been broken out into a separate source
distribution tarball. Assuming you have your FreeBSD source code
CDROM mounted, do:&prompt.root; cd /cdrom/src
&prompt.root; cat scontrib.?? | tar xzf - -C /usr/src/contrib/sendmailThis extracts to only a few hundred kilobytes. The file
README in the cf
directory can serve as a basic introduction to &man.m4.1;
configuration.The best way to support UUCP delivery is to use the
mailertable feature. This creates a database
that sendmail can use to make routing decisions.First, you have to create your .mc
file. The directory
/usr/src/usr.sbin/sendmail/cf/cf contains a
few examples. Assuming you have named your file
foo.mc, all you need to do in order to
convert it into a valid sendmail.cf
is:&prompt.root; cd /usr/src/usr.sbin/sendmail/cf/cf
&prompt.root; make foo.cf
&prompt.root; cp foo.cf /etc/mail/sendmail.cfA typical .mc file might look
like:VERSIONID(`Your version number') OSTYPE(bsd4.4)
FEATURE(accept_unresolvable_domains)
FEATURE(nocanonify)
FEATURE(mailertable, `hash -o /etc/mail/mailertable')
define(`UUCP_RELAY', your.uucp.relay)
define(`UUCP_MAX_SIZE', 200000)
define(`confDONT_PROBE_INTERFACES')
MAILER(local)
MAILER(smtp)
MAILER(uucp)
Cw your.alias.host.name
Cw youruucpnodename.UUCPThe lines containing
accept_unresolvable_domains,
nocanonify, and
confDONT_PROBE_INTERFACES features will
prevent any usage of the DNS during mail delivery. The
UUCP_RELAY clause is needed to support UUCP
delivery. Simply put an Internet hostname there that is able to
handle .UUCP pseudo-domain addresses; most likely, you will
enter the mail relay of your ISP there.Once you have this, you need an
/etc/mail/mailertable file. If you have
only one link to the outside that is used for all your mails,
the following file will suffice:#
# makemap hash /etc/mail/mailertable.db < /etc/mail/mailertable
. uucp-dom:your.uucp.relayA more complex example might look like this:#
# makemap hash /etc/mail/mailertable.db < /etc/mail/mailertable
#
horus.interface-business.de uucp-dom:horus
.interface-business.de uucp-dom:if-bus
interface-business.de uucp-dom:if-bus
.heep.sax.de smtp8:%1
horus.UUCP uucp-dom:horus
if-bus.UUCP uucp-dom:if-bus
. uucp-dom:The first three lines handle special cases where
domain-addressed mail should not be sent out to the default
route, but instead to some UUCP neighbor in order to
shortcut the delivery path. The next line handles
mail to the local Ethernet domain that can be delivered using
SMTP. Finally, the UUCP neighbors are mentioned in the .UUCP
pseudo-domain notation, to allow for a
uucp-neighbor
!recipient
override of the default rules. The last line is always a single
dot, matching everything else, with UUCP delivery to a UUCP
neighbor that serves as your universal mail gateway to the
world. All of the node names behind the
uucp-dom: keyword must be valid UUCP
neighbors, as you can verify using the command
uuname.As a reminder that this file needs to be converted into a
DBM database file before use. The command line to accomplish
this is best placed as a comment at the top of the mailertable file.
You always have to execute this command each time you change
your mailertable file.Final hint: if you are uncertain whether some particular
mail routing would work, remember the
option to sendmail. It starts sendmail in address test
mode; simply enter 3,0, followed
by the address you wish to test for the mail routing. The last
line tells you the used internal mail agent, the destination
host this agent will be called with, and the (possibly
translated) address. Leave this mode by typing CtrlD.&prompt.user; sendmail -bt
ADDRESS TEST MODE (ruleset 3 NOT automatically invoked)
Enter <ruleset> <address>
>3,0 foo@example.com
canonify input: foo @ example . com
...
parse returns: $# uucp-dom $@ your.uucp.relay $: foo < @ example . com . >
>^DBillMoranContributed by Setting Up to Send OnlyThere are many instances where you may only want to send
mail through a relay. Some examples are:Your computer is a desktop machine, but you want
to use programs such as &man.send-pr.1;. To do so, you should use
your ISP's mail relay.The computer is a server that does not handle mail
locally, but needs to pass off all mail to a relay for
processing.Just about any MTA is capable of filling
this particular niche. Unfortunately, it can be very difficult
to properly configure a full-featured MTA
just to handle offloading mail. Programs such as
sendmail and
postfix are largely overkill for
this use.Additionally, if you are using a typical Internet access
service, your agreement may forbid you from running a
mail server.The easiest way to fulfill those needs is to install the
mail/ssmtp port. Execute
the following commands as root:&prompt.root; cd /usr/ports/mail/ssmtp
&prompt.root; make install replace cleanOnce installed,
mail/ssmtp can be configured
with a four-line file located at
/usr/local/etc/ssmtp/ssmtp.conf:root=yourrealemail@example.com
mailhub=mail.example.com
rewriteDomain=example.com
hostname=_HOSTNAME_Make sure you use your real email address for
root. Enter your ISP's outgoing mail relay
in place of mail.example.com (some ISPs call
this the outgoing mail server or
SMTP server).Make sure you disable sendmail by
setting sendmail_enable="NONE"
in /etc/rc.conf.mail/ssmtp has some
other options available. See the example configuration file in
/usr/local/etc/ssmtp or the manual page of
ssmtp for some examples and more
information.Setting up ssmtp in this manner
will allow any software on your computer that needs to send
mail to function properly, while not violating your ISP's usage
policy or allowing your computer to be hijacked for spamming.Using Mail with a Dialup ConnectionIf you have a static IP address, you should not need to
adjust anything from the defaults. Set your host name to your
assigned Internet name and sendmail will do the rest.If you have a dynamically assigned IP number and use a
dialup PPP connection to the Internet, you will probably have a
mailbox on your ISPs mail server. Let's assume your ISP's domain
is example.net, and that your
user name is user, you have called your
machine bsd.home, and your ISP has
told you that you may use relay.example.net as a mail relay.In order to retrieve mail from your mailbox, you must
install a retrieval agent. The
fetchmail utility is a good choice as
it supports many different protocols. This program is available
as a package or from the ports collection (mail/fetchmail). Usually, your ISP will
provide POP. If you are using user PPP, you can
automatically fetch your mail when an Internet connection is
established with the following entry in
/etc/ppp/ppp.linkup:MYADDR:
!bg su user -c fetchmailIf you are using sendmail (as
shown below) to deliver mail to non-local accounts, you probably
want to have sendmail process your
mailqueue as soon as your Internet connection is established.
To do this, put this command after the
fetchmail command in
/etc/ppp/ppp.linkup: !bg su user -c "sendmail -q"Assume that you have an account for
user on bsd.home. In the home directory of
user on bsd.home, create a
.fetchmailrc file:poll example.net protocol pop3 fetchall pass MySecretThis file should not be readable by anyone except
user as it contains the password
MySecret.In order to send mail with the correct
from: header, you must tell
sendmail to use
user@example.net rather than
user@bsd.home. You may also wish to tell
sendmail to send all mail via relay.example.net, allowing quicker mail
transmission.The following .mc file should
suffice:VERSIONID(`bsd.home.mc version 1.0')
OSTYPE(bsd4.4)dnl
FEATURE(nouucp)dnl
MAILER(local)dnl
MAILER(smtp)dnl
Cwlocalhost
Cwbsd.home
MASQUERADE_AS(`example.net')dnl
FEATURE(allmasquerade)dnl
FEATURE(masquerade_envelope)dnl
FEATURE(nocanonify)dnl
FEATURE(nodns)dnl
define(`SMART_HOST', `relay.example.net')
Dmbsd.home
define(`confDOMAIN_NAME',`bsd.home')dnl
define(`confDELIVERY_MODE',`deferred')dnlRefer to the previous section for details of how to turn
this .mc file into a
sendmail.cf file. Also, do not forget to
restart sendmail after updating
sendmail.cf.JamesGorhamWritten by SMTP AuthenticationHaving SMTP Authentication in place on
your mail server has a number of benefits.
SMTP Authentication can add another layer
of security to sendmail, and has the benefit of giving mobile
users who switch hosts the ability to use the same mail server
without the need to reconfigure their mail client settings
each time.Install security/cyrus-sasl
from the ports. You can find this port in
security/cyrus-sasl.
security/cyrus-sasl has
a number of compile time options to choose from and, for
the method we will be using here, make sure to select the
option.After installing security/cyrus-sasl,
edit /usr/local/lib/sasl/Sendmail.conf
(or create it if it does not exist) and add the following
line:pwcheck_method: passwdThis method will enable sendmail
to authenticate against your FreeBSD passwd
database. This saves the trouble of creating a new set of usernames
and passwords for each user that needs to use
SMTP authentication, and keeps the login
and mail password the same.Now edit /etc/make.conf and add the
following lines:SENDMAIL_CFLAGS=-I/usr/local/include/sasl1 -DSASL
SENDMAIL_LDFLAGS=-L/usr/local/lib
SENDMAIL_LDADD=-lsaslThese lines will give sendmail
the proper configuration options for linking
to cyrus-sasl at compile time.
Make sure that cyrus-sasl
has been installed before recompiling
sendmail.Recompile sendmail by executing the following commands:&prompt.root; cd /usr/src/usr.sbin/sendmail
&prompt.root; make cleandir
&prompt.root; make obj
&prompt.root; make
&prompt.root; make installThe compile of sendmail should not have any problems
if /usr/src has not been changed extensively
and the shared libraries it needs are available.After sendmail has been compiled
and reinstalled, edit your /etc/mail/freebsd.mc
file (or whichever file you use as your .mc file. Many administrators
choose to use the output from &man.hostname.1; as the .mc file for
uniqueness). Add these lines to it:dnl set SASL options
TRUST_AUTH_MECH(`GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl
define(`confAUTH_MECHANISMS', `GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl
define(`confDEF_AUTH_INFO', `/etc/mail/auth-info')dnlThese options configure the different methods available to
sendmail for authenticating users.
If you would like to use a method other than
pwcheck, please see the
included documentation.Finally, run &man.make.1; while in /etc/mail.
That will run your new .mc file and create a .cf file named
freebsd.cf (or whatever name you have used
for your .mc file). Then use the
command make install restart, which will
copy the file to sendmail.cf, and will
properly restart sendmail.
For more information about this process, you should refer
to /etc/mail/Makefile.If all has gone correctly, you should be able to enter your login
information into the mail client and send a test message.
For further investigation, set the of
sendmail to 13 and watch
/var/log/maillog for any errors.You may wish to add the following lines to /etc/rc.conf
so this service will be available after every system boot:sasl_pwcheck_enable="YES"
sasl_pwcheck_program="/usr/local/sbin/pwcheck"This will ensure the initialization of SMTP_AUTH upon system
boot.For more information, please see the sendmail
page regarding
SMTP authentication.MarcSilverContributed by Mail User AgentsMail User AgentsA Mail User Agent (MUA) is an application
that is used to send and receive email. Furthermore, as email
evolves and becomes more complex,
MUA's are becoming increasingly powerful in the
way they interact with email; this gives users increased
functionality and flexibility. &os; contains support for
numerous mail user agents, all of which can be easily installed
using the FreeBSD Ports Collection.
Users may choose between graphical email clients such as
evolution or
balsa, console based clients such as
mutt, pine
or mail, or the web interfaces used by some
large organizations.mail&man.mail.1; is the default Mail User Agent
(MUA) in &os;. It is a
console based MUA that offers all the basic
functionality required to send and receive text-based email,
though it is limited in interaction abilities with attachments
and can only support local mailboxes.Although mail does not natively support
interaction with POP or
IMAP servers, these mailboxes may be
downloaded to a local mbox file using an
application such as fetchmail, which
will be discussed later in this chapter ().In order to send and receive email, simply invoke the
mail command as per the following
example:&prompt.user; mailThe contents of the user mailbox in
- /var/mail are
+ /var/mail are
automatically read by the mail utility.
Should the mailbox be empty, the utility exits with a
message indicating that no mails could be found. Once the
mailbox has been read, the application interface is started, and
a list of messages will be displayed. Messages are automatically
numbered, as can be seen in the following example:Mail version 8.1 6/6/93. Type ? for help.
"/var/mail/marcs": 3 messages 3 new
>N 1 root@localhost Mon Mar 8 14:05 14/510 "test"
N 2 root@localhost Mon Mar 8 14:05 14/509 "user account"
N 3 root@localhost Mon Mar 8 14:05 14/509 "sample"Messages can now be read by using the tmail command, suffixed by the message number
that should be displayed. In this example, we will read the
first email:& t 1
Message 1:
From root@localhost Mon Mar 8 14:05:52 2004
X-Original-To: marcs@localhost
Delivered-To: marcs@localhost
To: marcs@localhost
Subject: test
Date: Mon, 8 Mar 2004 14:05:52 +0200 (SAST)
From: root@localhost (Charlie Root)
This is a test message, please reply if you receive it.As can be seen in the example above, the t
key will cause the message to be displayed with full headers.
To display the list of messages again, the h
key should be used.If the email requires a response, you may use
mail to reply, by using either the
R or rmail
keys. The R key instructs
mail to reply only to the sender of the
email, while r replies not only to the sender,
but also to other recipients of the message. You may also
suffix these commands with the mail number which you would like
make a reply to. Once this has been done, the response should
be entered, and the end of the message should be marked by a
single . on a new line. An example can be seen
below:& R 1
To: root@localhost
Subject: Re: test
Thank you, I did get your email.
.
EOTIn order to send new email, the m
key should be used, followed by the
recipient email address. Multiple recipients may also be
specified by separating each address with the ,
delimiter. The subject of the message may then be entered,
followed by the message contents. The end of the message should
be specified by putting a single . on a new
line.& mail root@localhost
Subject: I mastered mail
Now I can send and receive email using mail ... :)
.
EOTWhile inside the mail utility, the
? command may be used to display help at any
time, the &man.mail.1; manual page should also be consulted for
more help with mail.As previously mentioned, the &man.mail.1; command was not
originally designed to handle attachments, and thus deals with
them very poorly. Newer MUAs such as
mutt handle attachments in a much
more intelligent way. But should you still wish to use the
mail command, the converters/mpack port may be of
considerable use.muttmutt is a small yet very
powerful Mail User Agent, with excellent features,
just some of which include:The ability to thread messages;PGP support for digital signing and encryption of
email;MIME Support;Maildir Support;Highly customizable.All of these features help to make
mutt one of the most advanced mail
user agents available. See for more
information on mutt.The stable version of mutt may be
installed using the mail/mutt port, while the current
development version may be installed via the mail/mutt-devel port. After the port
has been installed, mutt can be
started by issuing the following command:&prompt.user; muttmutt will automatically read the
contents of the user mailbox in /var/mail and display the contents
+ class="directory">/var/mail and display the contents
if applicable. If no mails are found in the user mailbox, then
mutt will wait for commands from the
user. The example below shows mutt
displaying a list of messages:In order to read an email, simply select it using the cursor
keys, and press the Enter key. An example of
mutt displaying email can be seen
below:As with the &man.mail.1; command,
mutt allows users to reply only to
the sender of the message as well as to all recipients. To
reply only to the sender of the email, use the
r keyboard shortcut. To send a group reply,
which will be sent to the original sender as well as all the
message recipients, use the g shortcut.mutt makes use of the
&man.vi.1; command as an editor for creating and replying to
emails. This may be customized by the user by creating or
editing their own .muttrc file in their home directory and setting the
editor variable.In order to compose a new mail message, press
m. After a valid subject has been given,
mutt will start &man.vi.1; and the
mail can be written. Once the contents of the mail are
complete, save and quit from vi and
mutt will resume, displaying a
summary screen of the mail that is to be delivered. In order to
send the mail, press y. An example of the
summary screen can be seen below:mutt also contains extensive
help, which can be accessed from most of the menus by pressing
the ? key. The top line also displays the
keyboard shortcuts where appropriate.pinepine is aimed at a beginner
user, but also includes some advanced features.The pine software has had several remote vulnerabilities
discovered in the past, which allowed remote attackers to
execute arbitrary code as users on the local system, by the
action of sending a specially-prepared email. All such
known problems have been fixed, but the
pine code is written in a very insecure style and the &os;
Security Officer believes there are likely to be other
undiscovered vulnerabilities. You install
pine at your own risk.The current version of pine may
be installed using the mail/pine4 port. Once the port has
installed, pine can be started by
issuing the following command:&prompt.user; pineThe first time that pine is run
it displays a greeting page with a brief introduction, as well
as a request from the pine
development team to send an anonymous email message allowing
them to judge how many users are using their client. To send
this anonymous message, press Enter, or
alternatively press E to exit the greeting
without sending an anonymous message. An example of the
greeting page can be seen below:Users are then presented with the main menu, which can be
easily navigated using the cursor keys. This main menu provides
shortcuts for the composing new mails, browsing of mail directories,
and even the administration of address book entries. Below the
main menu, relevant keyboard shortcuts to perform functions
specific to the task at hand are shown.The default directory opened by pine
- is the inbox. To view the message index, press
+ is the inbox. To view the message index, press
I, or select the MESSAGE INDEX
option as seen below:The message index shows messages in the current directory,
and can be navigated by using the cursor keys. Highlighted
messages can be read by pressing the
Enter key.In the screenshot below, a sample message is displayed by
pine. Keyboard shortcuts are
displayed as a reference at the bottom of the screen. An
example of one of these shortcuts is the r key,
which tells the MUA to reply to the current
message being displayed.Replying to an email in pine is
done using the pico editor, which is
installed by default with pine.
The pico utility makes it easy to
navigate around the message and is slightly more forgiving on
novice users than &man.vi.1; or &man.mail.1;. Once the reply
is complete, the message can be sent by pressing
CtrlX. The pine application
will ask for confirmation.The pine application can be
customized using the SETUP option from the main
menu. Consult
for more information.MarcSilverContributed by Using fetchmailUsing fetchmailfetchmail is a full-featured
IMAP and POP client which
allows users to automatically download mail from remote
IMAP and POP servers and
save it into local mailboxes; there it can be accessed more easily.
fetchmail can be installed using the
mail/fetchmail port, and
offers various features, some of which include:Support of POP3,
APOP, KPOP,
IMAP, ETRN and
ODMR protocols.Ability to forward mail using SMTP, which
allows filtering, forwarding, and aliasing to function
normally.May be run in daemon mode to check periodically for new
messages.Can retrieve multiple mailboxes and forward them based
on configuration, to different local users.While it is outside the scope of this document to explain
all of fetchmail's features, some
basic features will be explained. The
fetchmail utility requires a
configuration file known as .fetchmailrc,
in order to run correctly. This file includes server information
as well as login credentials. Due to the sensitive nature of the
contents of this file, it is advisable to make it readable only by the owner,
with the following command:&prompt.user; chmod 600 .fetchmailrcThe following .fetchmailrc serves as an
example for downloading a single user mailbox using
POP. It tells
fetchmail to connect to example.com using a username of
joesoap and a password of
XXX. This example assumes that the user
joesoap is also a user on the local
system.poll example.com protocol pop3 username "joesoap" password "XXX"The next example connects to multiple POP
and IMAP servers and redirects to different
local usernames where applicable:poll example.com proto pop3:
user "joesoap", with password "XXX", is "jsoap" here;
user "andrea", with password "XXXX";
poll example2.net proto imap:
user "john", with password "XXXXX", is "myth" here;The fetchmail utility can be run in daemon
mode by running it with the flag, followed
by the interval (in seconds) that
fetchmail should poll servers listed
in the .fetchmailrc file. The following
example would cause fetchmail to poll
every 60 seconds:&prompt.user; fetchmail -d 60More information on fetchmail can
be found at .MarcSilverContributed by Using procmailUsing procmailThe procmail utility is an
incredibly powerful application used to filter incoming mail.
It allows users to define rules which can be
matched to incoming mails to perform specific functions or to
reroute mail to alternative mailboxes and/or email addresses.
procmail can be installed using the
mail/procmail port. Once
installed, it can be directly integrated into most
MTAs; consult your MTA
documentation for more information. Alternatively,
procmail can be integrated by adding
the following line to a .forward in the home
directory of the user utilizing
procmail features:"|exec /usr/local/bin/procmail || exit 75"The following section will display some basic
procmail rules, as well as brief
descriptions on what they do. These rules, and others must be
inserted into a .procmailrc file, which
must reside in the user's home directory.The majority of these rules can also be found in the
&man.procmailex.5; manual page.Forward all mail from user@example.com to an
external address of goodmail@example2.com::0
* ^From.*user@example.com
! goodmail@example2.comForward all mails shorter than 1000 bytes to an external
address of goodmail@example2.com::0
* < 1000
! goodmail@example2.comSend all mail sent to alternate@example.com
into a mailbox called alternate::0
* ^TOalternate@example.com
alternateSend all mail with a subject of Spam to
/dev/null::0
^Subject:.*Spam
/dev/nullA useful recipe that parses incoming &os;.org mailing lists
and places each list in its own mailbox::0
* ^Sender:.owner-freebsd-\/[^@]+@FreeBSD.ORG
{
LISTNAME=${MATCH}
:0
* LISTNAME??^\/[^@]+
FreeBSD-${MATCH}
}
diff --git a/en_US.ISO8859-1/books/handbook/mirrors/chapter.sgml b/en_US.ISO8859-1/books/handbook/mirrors/chapter.sgml
index e99eb25dd0..2a5a749ee0 100644
--- a/en_US.ISO8859-1/books/handbook/mirrors/chapter.sgml
+++ b/en_US.ISO8859-1/books/handbook/mirrors/chapter.sgml
@@ -1,2857 +1,2857 @@
Obtaining FreeBSDCDROM and DVD PublishersRetail Boxed ProductsFreeBSD is available as a boxed product (FreeBSD CDs,
additional software, and printed documentation) from several
retailers:CompUSA
WWW: Frys Electronics
WWW: CD and DVD SetsFreeBSD CD and DVD sets are available from many online
retailers:BSD Mall by Daemon NewsPO Box 161Nauvoo, IL62354USA
Phone: +1 866 273-6255
Fax: +1 217 453-9956
Email: sales@bsdmall.com
WWW: BSD-Systems
Email: info@bsd-systems.co.uk
WWW: fastdiscs.com6 Eltham CloseLeeds, LS6 2TYUnited Kingdom
Phone: +44 870 1995 171
Email: sales@fastdiscs.com
WWW: FreeBSD Mall, Inc.3623 Sanford StreetConcord, CA94520-1405USA
Phone: +1 925 674-0783
Fax: +1 925 674-0821
Email: info@freebsdmall.com
WWW: FreeBSD Services Ltd11 Lapwing CloseBicesterOX26 6XRUnited Kingdom
WWW: Hinner EDVSt. Augustinus-Str. 10D-81825MünchenGermany
Phone: (089) 428 419
WWW: Ikarios22-24 rue Voltaire92000NanterreFrance
WWW: Ingram Micro1600 E. St. Andrew PlaceSanta Ana, CA92705-4926USA
Phone: 1 (800) 456-8000
WWW: JMC SoftwareIreland
Phone: 353 1 6291282
WWW: The Linux EmporiumHilliard House, Lester WayWallingfordOX10 9TAUnited Kingdom
Phone: +44 1491 837010
Fax: +44 1491 837016
WWW: Linux System Labs Australia21 Ray DriveBalwyn NorthVIC - 3104Australia
Phone: +61 3 9857 5918
Fax: +61 3 9857 8974
WWW: LinuxCenter.RuGalernaya Street, 55Saint-Petersburg190000Russia
Phone: +7-812-3125208
Email: info@linuxcenter.ru
WWW: UNIXDVD.COM LTD57 Primrose AvenueSheffieldS5 6FSUnited Kingdom
WWW: DistributorsIf you are a reseller and want to carry FreeBSD CDROM products,
please contact a distributor:Cylogistics809B Cuesta Dr., #2149Mountain View, CA94040USA
Phone: +1 650 694-4949
Fax: +1 650 694-4953
Email: sales@cylogistics.com
WWW: FreeBSD Services Ltd11 Lapwing CloseBicesterOX26 6XRUnited Kingdom
WWW: Kudzu, LLC7375 Washington Ave. S.Edina, MN55439USA
Phone: +1 952 947-0822
Fax: +1 952 947-0876
Email: sales@kudzuenterprises.comLinuxCenter.RuGalernaya Street, 55Saint-Petersburg190000Russia
Phone: +7-812-3125208
Email: info@linuxcenter.ru
WWW: Navarre Corp7400 49th Ave SouthNew Hope, MN55428USA
Phone: +1 763 535-8333
Fax: +1 763 535-0341
WWW: FTP SitesThe official sources for FreeBSD are available via anonymous FTP
from a worldwide set of mirror sites. The site
is well
connected and allows a large number of connections to it, but
you are probably better off finding a closer
mirror site (especially if you decide to set up some sort of
mirror site).The FreeBSD mirror
sites database is more accurate than the mirror listing in the
Handbook, as it gets its information from the DNS rather than relying on
static lists of hosts.Additionally, FreeBSD is available via anonymous FTP from the
following mirror sites. If you choose to obtain FreeBSD via anonymous
FTP, please try to use a site near you. The mirror sites listed as
Primary Mirror Sites typically have the entire FreeBSD archive (all
the currently available versions for each of the architectures) but
you will probably have faster download times from a site that is
in your country or region. The regional sites carry the most recent
versions for the most popular architecture(s) but might not carry
the entire FreeBSD archive. All sites provide access via anonymous
FTP but some sites also provide access via other methods. The access
methods available for each site are provided in parenthesis
after the hostname.
&chap.mirrors.ftp.inc;
Anonymous CVSIntroductionAnonymous CVS (or, as it is otherwise known,
anoncvs) is a feature provided by the CVS
utilities bundled with FreeBSD for synchronizing with a remote
CVS repository. Among other things, it allows users of FreeBSD
to perform, with no special privileges, read-only CVS operations
against one of the FreeBSD project's official anoncvs servers.
To use it, one simply sets the CVSROOT
environment variable to point at the appropriate anoncvs server,
provides the well-known password anoncvs with the
cvs login command, and then uses the
&man.cvs.1; command to access it like any local
repository.The cvs login command, stores the passwords
that are used for authenticating to the CVS server in a file
called .cvspass in your
HOME directory. If this file does not exist,
you might get an error when trying to use cvs
login for the first time. Just make an empty
.cvspass file, and retry to login.While it can also be said that the CVSup and anoncvs
services both perform essentially the same function, there are
various trade-offs which can influence the user's choice of
synchronization methods. In a nutshell,
CVSup is much more efficient in its
usage of network resources and is by far the most technically
sophisticated of the two, but at a price. To use
CVSup, a special client must first be
installed and configured before any bits can be grabbed, and
then only in the fairly large chunks which
CVSup calls
collections.Anoncvs, by contrast, can be used
to examine anything from an individual file to a specific
program (like ls or grep)
by referencing the CVS module name. Of course,
anoncvs is also only good for
read-only operations on the CVS repository, so if it is your
intention to support local development in one repository shared
with the FreeBSD project bits then
CVSup is really your only
option.Using Anonymous CVSConfiguring &man.cvs.1; to use an Anonymous CVS repository
is a simple matter of setting the CVSROOT
environment variable to point to one of the FreeBSD project's
anoncvs servers. At the time of this
writing, the following servers are available:Austria:
:pserver:anoncvs@anoncvs.at.FreeBSD.org:/home/ncvs
(Use cvs login and enter any
password when prompted.)France:
:pserver:anoncvs@anoncvs.fr.FreeBSD.org:/home/ncvs
(pserver (password anoncvs), ssh (no password))
Germany:
:pserver:anoncvs@anoncvs.de.FreeBSD.org:/home/ncvs
(Use cvs login and enter the password
anoncvs when prompted.)Germany:
:pserver:anoncvs@anoncvs2.de.FreeBSD.org:/home/ncvs
(rsh, pserver, ssh, ssh/2022)
Japan:
:pserver:anoncvs@anoncvs.jp.FreeBSD.org:/home/ncvs
(Use cvs login and enter the password
anoncvs when prompted.)Sweden:
freebsdanoncvs@anoncvs.se.FreeBSD.org:/home/ncvs
(ssh only - no password)USA:
freebsdanoncvs@anoncvs.FreeBSD.org:/home/ncvs
(ssh only - no password)USA:
anoncvs@anoncvs1.FreeBSD.org:/home/ncvs (ssh only - no
password)Since CVS allows one to check out virtually
any version of the FreeBSD sources that ever existed (or, in
some cases, will exist), you need to be
familiar with the revision () flag to
&man.cvs.1; and what some of the permissible values for it in
the FreeBSD Project repository are.There are two kinds of tags, revision tags and branch tags.
A revision tag refers to a specific revision. Its meaning stays
the same from day to day. A branch tag, on the other hand,
refers to the latest revision on a given line of development, at
any given time. Because a branch tag does not refer to a
specific revision, it may mean something different tomorrow than
it means today. contains revision tags that users
might be interested
in. Again, none of these are valid for the ports collection
since the ports collection does not have multiple
revisions.When you specify a branch tag, you normally receive the
latest versions of the files on that line of development. If
you wish to receive some past version, you can do so by
specifying a date with the flag.
See the &man.cvs.1; manual page for more details.ExamplesWhile it really is recommended that you read the manual page
for &man.cvs.1; thoroughly before doing anything, here are some
quick examples which essentially show how to use Anonymous
CVS:Checking Out Something from -CURRENT (&man.ls.1;) and
Deleting It Again:&prompt.user; setenv CVSROOT :pserver:anoncvs@anoncvs.FreeBSD.org:/home/ncvs
&prompt.user; cvs loginAt the prompt, enter the passwordanoncvs.
&prompt.user; cvs co ls
&prompt.user; cvs release -d ls
&prompt.user; cvs logoutUsing SSH to check out the src/
tree:&prompt.user; cvs -d freebsdanoncvs@anoncvs.FreeBSD.org:/home/ncvs co src
The authenticity of host 'anoncvs.freebsd.org (128.46.156.46)' can't be established.
DSA key fingerprint is 52:02:38:1a:2f:a8:71:d3:f5:83:93:8d:aa:00:6f:65.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'anoncvs.freebsd.org' (DSA) to the list of known hosts.Checking Out the Version of &man.ls.1; in the 3.X-STABLE
Branch:&prompt.user; setenv CVSROOT :pserver:anoncvs@anoncvs.FreeBSD.org:/home/ncvs
&prompt.user; cvs loginAt the prompt, enter the passwordanoncvs.
&prompt.user; cvs co -rRELENG_3 ls
&prompt.user; cvs release -d ls
&prompt.user; cvs logoutCreating a List of Changes (as Unified Diffs) to &man.ls.1;&prompt.user; setenv CVSROOT :pserver:anoncvs@anoncvs.FreeBSD.org:/home/ncvs
&prompt.user; cvs loginAt the prompt, enter the passwordanoncvs.
&prompt.user; cvs rdiff -u -rRELENG_3_0_0_RELEASE -rRELENG_3_4_0_RELEASE ls
&prompt.user; cvs logoutFinding Out What Other Module Names Can Be Used:&prompt.user; setenv CVSROOT :pserver:anoncvs@anoncvs.FreeBSD.org:/home/ncvs
&prompt.user; cvs loginAt the prompt, enter the passwordanoncvs.
&prompt.user; cvs co modules
&prompt.user; more modules/modules
&prompt.user; cvs release -d modules
&prompt.user; cvs logoutOther ResourcesThe following additional resources may be helpful in learning
CVS:CVS Tutorial from Cal Poly.CVS Home,
the CVS development and support community.CVSweb is
the FreeBSD Project web interface for CVS.Using CTMCTM is a method for keeping a
remote directory tree in sync with a central one. It has been
developed for usage with FreeBSD's source trees, though other
people may find it useful for other purposes as time goes by.
Little, if any, documentation currently exists at this time on the
process of creating deltas, so contact the &a.ctm-users.name; mailing list for more
information and if you wish to use CTM
for other things.Why Should I Use CTM?CTM will give you a local copy of
the FreeBSD source trees. There are a number of
flavors of the tree available. Whether you wish
to track the entire CVS tree or just one of the branches,
CTM can provide you the information.
If you are an active developer on FreeBSD, but have lousy or
non-existent TCP/IP connectivity, or simply wish to have the
changes automatically sent to you,
CTM was made for you. You will need
to obtain up to three deltas per day for the most active
branches. However, you should consider having them sent by
automatic email. The sizes of the updates are always kept as
small as possible. This is typically less than 5K, with an
occasional (one in ten) being 10-50K and every now and then a
large 100K+ or more coming around.You will also need to make yourself aware of the various
caveats related to working directly from the development sources
rather than a pre-packaged release. This is particularly true
if you choose the current sources. It is
recommended that you read Staying
current with FreeBSD.What Do I Need to Use
CTM?You will need two things: The CTM
program, and the initial deltas to feed it (to get up to
current levels).The CTM program has been part of
FreeBSD ever since version 2.0 was released, and lives in
/usr/src/usr.sbin/ctm if you have a copy
of the source available.If you are running a pre-2.0 version of FreeBSD, you can
fetch the current CTM sources
directly from:The deltas you feed
CTM can be had two ways, FTP or
email. If you have general FTP access to the Internet then the
following FTP sites support access to
CTM:or see section mirrors.FTP the relevant directory and fetch the
README file, starting from there.If you wish to get your deltas via email:Subscribe to one of the
CTM distribution lists.
&a.ctm-cvs-cur.name; supports the entire CVS tree.
&a.ctm-src-cur.name; supports the head of the development
branch. &a.ctm-src-4.name; supports the 4.X release
branch, etc.. (If you do not know how to subscribe yourself
to a list, click on the list name above or go to
&a.mailman.lists.link; and click on the list that you
wish to subscribe to. The list page should contain all of
the necessary subscription instructions.)When you begin receiving your CTM
updates in the mail, you may use the
ctm_rmail program to unpack and apply them.
You can actually use the ctm_rmail program
directly from a entry in /etc/aliases if
you want to have the process run in a fully automated fashion.
Check the ctm_rmail manual page for more
details.No matter what method you use to get the
CTM deltas, you should subscribe to
the &a.ctm-announce.name; mailing list. In
the future, this will be the only place where announcements
concerning the operations of the
CTM system will be posted. Click
on the list name above and follow the instructions
to subscribe to the
list.Using CTM for the First
TimeBefore you can start using CTM
deltas, you will need to get to a starting point for the deltas
produced subsequently to it.First you should determine what you already have. Everyone
can start from an empty directory. You must use
an initial Empty delta to start off your
CTM supported tree. At some point it
is intended that one of these started deltas be
distributed on the CD for your convenience, however, this does
not currently happen.Since the trees are many tens of megabytes, you should
prefer to start from something already at hand. If you have a
-RELEASE CD, you can copy or extract an initial source from it.
This will save a significant transfer of data.You can recognize these starter deltas by the
X appended to the number
(src-cur.3210XEmpty.gz for instance). The
designation following the X corresponds to
the origin of your initial seed.
Empty is an empty directory. As a rule a
base transition from Empty is produced
every 100 deltas. By the way, they are large! 70 to 80
Megabytes of gzip'd data is common for the
XEmpty deltas.Once you have picked a base delta to start from, you will also
need all deltas with higher numbers following it.Using CTM in Your Daily
LifeTo apply the deltas, simply say:&prompt.root; cd /where/ever/you/want/the/stuff
&prompt.root; ctm -v -v /where/you/store/your/deltas/src-xxx.*CTM understands deltas which have
been put through gzip, so you do not need to
gunzip them first, this saves disk space.Unless it feels very secure about the entire process,
CTM will not touch your tree. To
verify a delta you can also use the flag and
CTM will not actually touch your
tree; it will merely verify the integrity of the delta and see
if it would apply cleanly to your current tree.There are other options to CTM
as well, see the manual pages or look in the sources for more
information.That is really all there is to it. Every time you get a new
delta, just run it through CTM to
keep your sources up to date.Do not remove the deltas if they are hard to download again.
You just might want to keep them around in case something bad
happens. Even if you only have floppy disks, consider using
fdwrite to make a copy.Keeping Your Local ChangesAs a developer one would like to experiment with and change
files in the source tree. CTM
supports local modifications in a limited way: before checking
for the presence of a file foo, it first
looks for foo.ctm. If this file exists,
CTM will operate on it instead of
foo.This behavior gives us a simple way to maintain local
changes: simply copy the files you plan to modify to the
corresponding file names with a .ctm
suffix. Then you can freely hack the code, while CTM keeps the
.ctm file up-to-date.Other Interesting CTM OptionsFinding Out Exactly What Would Be Touched by an
UpdateYou can determine the list of changes that
CTM will make on your source
repository using the option to
CTM.This is useful if you would like to keep logs of the
changes, pre- or post- process the modified files in any
manner, or just are feeling a tad paranoid.Making Backups Before UpdatingSometimes you may want to backup all the files that would
be changed by a CTM update.Specifying the option
causes CTM to backup all files that
would be touched by a given CTM
delta to backup-file.Restricting the Files Touched by an UpdateSometimes you would be interested in restricting the scope
of a given CTM update, or may be
interested in extracting just a few files from a sequence of
deltas.You can control the list of files that
CTM would operate on by specifying
filtering regular expressions using the
and options.For example, to extract an up-to-date copy of
lib/libc/Makefile from your collection of
saved CTM deltas, run the commands:&prompt.root; cd /where/ever/you/want/to/extract/it/
&prompt.root; ctm -e '^lib/libc/Makefile' ~ctm/src-xxx.*For every file specified in a
CTM delta, the
and options are applied in the order given
on the command line. The file is processed by
CTM only if it is marked as
eligible after all the and
options are applied to it.Future Plans for CTMTons of them:Use some kind of authentication into the CTM system, so
as to allow detection of spoofed CTM updates.Clean up the options to CTM,
they became confusing and counter intuitive.Miscellaneous StuffThere is a sequence of deltas for the
ports collection too, but interest has not
been all that high yet.CTM MirrorsCTM/FreeBSD is available via anonymous
FTP from the following mirror sites. If you choose to obtain CTM via
anonymous FTP, please try to use a site near you.In case of problems, please contact the &a.ctm-users.name;
mailing list.California, Bay Area, official sourceSouth Africa, backup server for old deltasTaiwan/R.O.C.If you did not find a mirror near to you or the mirror is
incomplete, try to use a search engine such as
alltheweb.Using CVSupIntroductionCVSup is a software package for
distributing and updating source trees from a master CVS
repository on a remote server host. The FreeBSD sources are
maintained in a CVS repository on a central development machine
in California. With CVSup, FreeBSD
users can easily keep their own source trees up to date.CVSup uses the so-called
pull model of updating. Under the pull
model, each client asks the server for updates, if and when they
are wanted. The server waits passively for update requests from
its clients. Thus all updates are instigated by the client.
The server never sends unsolicited updates. Users must either
run the CVSup client manually to get
an update, or they must set up a cron job to
run it automatically on a regular basis.The term CVSup, capitalized just
so, refers to the entire software package. Its main components
are the client cvsup which runs on each
user's machine, and the server cvsupd which
runs at each of the FreeBSD mirror sites.As you read the FreeBSD documentation and mailing lists, you
may see references to sup.
Sup was the predecessor of
CVSup, and it served a similar
purpose. CVSup is used much in the
same way as sup and, in fact, uses configuration files which are
backward-compatible with sup's.
Sup is no longer used in the FreeBSD
project, because CVSup is both faster
and more flexible.InstallationThe easiest way to install CVSup
is to use the precompiled net/cvsup package
from the FreeBSD packages collection.
If you prefer to build CVSup from
source, you can use the net/cvsup
port instead. But be forewarned: the
net/cvsup port depends on the Modula-3
system, which takes a substantial amount of time and
disk space to download and build.If you are going to be using
CVSup on a machine which will not have
&xfree86; or &xorg; installed, such as a server, be
sure to use the port which does not include the
CVSup GUI,
net/cvsup-without-gui.CVSup ConfigurationCVSup's operation is controlled
by a configuration file called the supfile.
There are some sample supfiles in the
directory /usr/share/examples/cvsup/.The information in a supfile answers
the following questions for CVSup:Which files do you
want to receive?Which versions of them
do you want?Where do you want to
get them from?Where do you want to
put them on your own machine?Where do you want to
put your status files?In the following sections, we will construct a typical
supfile by answering each of these
questions in turn. First, we describe the overall structure of
a supfile.A supfile is a text file. Comments
begin with # and extend to the end of the
line. Lines that are blank and lines that contain only
comments are ignored.Each remaining line describes a set of files that the user
wishes to receive. The line begins with the name of a
collection, a logical grouping of files defined by
the server. The name of the collection tells the server which
files you want. After the collection name come zero or more
fields, separated by white space. These fields answer the
questions listed above. There are two types of fields: flag
fields and value fields. A flag field consists of a keyword
standing alone, e.g., delete or
compress. A value field also begins with a
keyword, but the keyword is followed without intervening white
space by = and a second word. For example,
release=cvs is a value field.A supfile typically specifies more than
one collection to receive. One way to structure a
supfile is to specify all of the relevant
fields explicitly for each collection. However, that tends to
make the supfile lines quite long, and it
is inconvenient because most fields are the same for all of the
collections in a supfile.
CVSup provides a defaulting mechanism
to avoid these problems. Lines beginning with the special
pseudo-collection name *default can be used
to set flags and values which will be used as defaults for the
subsequent collections in the supfile. A
default value can be overridden for an individual collection, by
specifying a different value with the collection itself.
Defaults can also be changed or augmented in mid-supfile by
additional *default lines.With this background, we will now proceed to construct a
supfile for receiving and updating the main
source tree of FreeBSD-CURRENT.Which files do you want
to receive?The files available via CVSup
are organized into named groups called
collections. The collections that are
available are described in the following section. In this
example, we
wish to receive the entire main source tree for the FreeBSD
system. There is a single large collection
src-all which will give us all of that.
As a first step toward constructing our
supfile, we
simply list the collections, one per line (in this case,
only one line):src-allWhich version(s) of them
do you want?With CVSup, you can receive
virtually any version of the sources that ever existed.
That is possible because the
cvsupd server works directly from
the CVS repository, which contains all of the versions. You
specify which one of them you want using the
tag= and value
fields.Be very careful to specify any tag=
fields correctly. Some tags are valid only for certain
collections of files. If you specify an incorrect or
misspelled tag, CVSup
will delete files which you probably
do not want deleted. In particular, use only
tag=. for the
ports-* collections.The tag= field names a symbolic tag
in the repository. There are two kinds of tags, revision
tags and branch tags. A revision tag refers to a specific
revision. Its meaning stays the same from day to day. A
branch tag, on the other hand, refers to the latest revision
on a given line of development, at any given time. Because
a branch tag does not refer to a specific revision, it may
mean something different tomorrow than it means
today. contains branch tags that
users might be interested in. When specifying a tag in
CVSup's configuration file, it
must be preceded with tag=
(RELENG_4 will become
tag=RELENG_4).
Keep in mind that only the tag=. is
relevant for the ports collection.Be very careful to type the tag name exactly as shown.
CVSup cannot distinguish
between valid and invalid tags. If you misspell the tag,
CVSup will behave as though you
had specified a valid tag which happens to refer to no
files at all. It will delete your existing sources in
that case.When you specify a branch tag, you normally receive the
latest versions of the files on that line of development.
If you wish to receive some past version, you can do so by
specifying a date with the value
field. The &man.cvsup.1; manual page explains how to do
that.For our example, we wish to receive FreeBSD-CURRENT. We
add this line at the beginning of our
supfile:*default tag=.There is an important special case that comes into play
if you specify neither a tag= field nor a
date= field. In that case, you receive
the actual RCS files directly from the server's CVS
repository, rather than receiving a particular version.
Developers generally prefer this mode of operation. By
maintaining a copy of the repository itself on their
systems, they gain the ability to browse the revision
histories and examine past versions of files. This gain is
achieved at a large cost in terms of disk space,
however.Where do you want to get
them from?We use the host= field to tell
cvsup where to obtain its updates. Any
of the CVSup mirror
sites will do, though you should try to select one
that is close to you in cyberspace. In this example we will
use a fictional FreeBSD distribution site,
cvsup99.FreeBSD.org:*default host=cvsup99.FreeBSD.orgYou will need to change the host to one that actually
exists before running CVSup.
On any particular run of
cvsup, you can override the host setting
on the command line, with .Where do you want to put
them on your own machine?The prefix= field tells
cvsup where to put the files it receives.
In this example, we will put the source files directly into
our main source tree, /usr/src. The
src directory is already implicit in
the collections we have chosen to receive, so this is the
correct specification:*default prefix=/usrWhere should
cvsup maintain its status files?The CVSup client maintains
certain status files in what
is called the base directory. These files
help CVSup to work more
efficiently, by keeping track of which updates you have
already received. We will use the standard base directory,
/var/db:*default base=/var/dbIf your base directory does not already exist, now would
be a good time to create it. The cvsup
client will refuse to run if the base directory does not
exist.Miscellaneous supfile
settings:There is one more line of boiler plate that normally
needs to be present in the
supfile:*default release=cvs delete use-rel-suffix compressrelease=cvs indicates that the server
should get its information out of the main FreeBSD CVS
repository. This is virtually always the case, but there
are other possibilities which are beyond the scope of this
discussion.delete gives
CVSup permission to delete files.
You should always specify this, so that
CVSup can keep your source tree
fully up-to-date. CVSup is
careful to delete only those files for which it is
responsible. Any extra files you happen to have will be
left strictly alone.use-rel-suffix is ... arcane. If you
really want to know about it, see the &man.cvsup.1; manual
page. Otherwise, just specify it and do not worry about
it.compress enables the use of
gzip-style compression on the communication channel. If
your network link is T1 speed or faster, you probably should
not use compression. Otherwise, it helps
substantially.Putting it all together:Here is the entire supfile for our
example:*default tag=.
*default host=cvsup99.FreeBSD.org
*default prefix=/usr
*default base=/var/db
*default release=cvs delete use-rel-suffix compress
src-allThe refuse FileAs mentioned above, CVSup uses
a pull method. Basically, this means that
you connect to the CVSup server, and
it says, Here is what you can download from
me..., and your client responds OK, I will take
this, this, this, and this. In the default
configuration, the CVSup client will
take every file associated with the collection and tag you
chose in the configuration file. However, this is not always
what you want, especially if you are synching the doc, ports, or
www trees — most people cannot read four or five
languages, and therefore they do not need to download the
language-specific files. If you are
CVSuping the ports collection, you
can get around this by specifying each collection individually
(e.g., ports-astrology,
ports-biology, etc instead of simply
saying ports-all). However, since the doc
and www trees do not have language-specific collections, you
must use one of CVSup's many nifty
features: the refuse file.The refuse file essentially tells
CVSup that it should not take every
single file from a collection; in other words, it tells the
client to refuse certain files from the
server. The refuse file can be found (or, if you do not yet
have one, should be placed) in
base/sup/.
base is defined in your supfile;
our defined base is
/var/db,
which means that by default the refuse file is
/var/db/sup/refuse.The refuse file has a very simple format; it simply
contains the names of files or directories that you do not wish
to download. For example, if you cannot speak any languages other
than English and some German, and you do not feel the need to read
the German translation of documentation, you can put the following in your
refuse file:doc/da_*
doc/de_*
doc/el_*
doc/es_*
doc/fr_*
doc/it_*
doc/ja_*
doc/nl_*
doc/no_*
doc/pl_*
doc/pt_*
doc/ru_*
doc/sr_*
doc/zh_*and so forth for the other languages (you can find the
full list by browsing the FreeBSD
CVS repository).With this very useful feature, those users who are on
slow links or pay by the minute for their Internet connection
will be able to save valuable time as they will no longer need
to download files that they will never use. For more
information on refuse files and other neat
features of CVSup, please view its
manual page.Running CVSupYou are now ready to try an update. The command line for
doing this is quite simple:&prompt.root; cvsup supfilewhere supfile
is of course the name of the supfile you have just created.
Assuming you are running under X11, cvsup
will display a GUI window with some buttons to do the usual
things. Press the go button, and watch it
run.Since you are updating your actual
/usr/src tree in this example, you will
need to run the program as root so that
cvsup has the permissions it needs to update
your files. Having just created your configuration file, and
having never used this program before, that might
understandably make you nervous. There is an easy way to do a
trial run without touching your precious files. Just create an
empty directory somewhere convenient, and name it as an extra
argument on the command line:&prompt.root; mkdir /var/tmp/dest
&prompt.root; cvsup supfile /var/tmp/destThe directory you specify will be used as the destination
directory for all file updates.
CVSup will examine your usual files
in /usr/src, but it will not modify or
delete any of them. Any file updates will instead land in
/var/tmp/dest/usr/src.
CVSup will also leave its base
directory status files untouched when run this way. The new
versions of those files will be written into the specified
directory. As long as you have read access to
/usr/src, you do not even need to be
root to perform this kind of trial run.If you are not running X11 or if you just do not like GUIs,
you should add a couple of options to the command line when you
run cvsup:&prompt.root; cvsup -g -L 2 supfileThe tells
CVSup not to use its GUI. This is
automatic if you are not running X11, but otherwise you have to
specify it.The tells
CVSup to print out the
details of all the file updates it is doing. There are three
levels of verbosity, from to
. The default is 0, which means total
silence except for error messages.There are plenty of other options available. For a brief
list of them, type cvsup -H. For more
detailed descriptions, see the manual page.Once you are satisfied with the way updates are working, you
can arrange for regular runs of CVSup
using &man.cron.8;.
Obviously, you should not let CVSup
use its GUI when running it from &man.cron.8;.CVSup File CollectionsThe file collections available via
CVSup are organized hierarchically.
There are a few large collections, and they are divided into
smaller sub-collections. Receiving a large collection is
equivalent to receiving each of its sub-collections. The
hierarchical relationships among collections are reflected by
the use of indentation in the list below.The most commonly used collections are
src-all, and
ports-all. The other collections are used
only by small groups of people for specialized purposes, and
some mirror sites may not carry all of them.cvs-all release=cvsThe main FreeBSD CVS repository, including the
cryptography code.distrib release=cvsFiles related to the distribution and mirroring
of FreeBSD.doc-all release=cvsSources for the FreeBSD Handbook and other
documentation. This does not include files for
the FreeBSD web site.ports-all release=cvsThe FreeBSD Ports Collection.If you do not want to update the whole of
ports-all (the whole ports tree),
but use one of the subcollections listed below,
make sure that you always update
the ports-base subcollection!
Whenever something changes in the ports build
infrastructure represented by
ports-base, it is virtually certain
that those changes will be used by real
ports real soon. Thus, if you only update the
real ports and they use some of the new
features, there is a very high chance that their build
will fail with some mysterious error message. The
very first thing to do in this
case is to make sure that your
ports-base subcollection is up to
date.ports-archivers
release=cvsArchiving tools.ports-astro
release=cvsAstronomical ports.ports-audio
release=cvsSound support.ports-base
release=cvsThe Ports Collection build infrastructure -
various files located in the
Mk/ and
Tools/ subdirectories of
/usr/ports.Please see the important
warning above: you should
always update this
subcollection, whenever you update any part of
the FreeBSD Ports Collection!ports-benchmarks
release=cvsBenchmarks.ports-biology
release=cvsBiology.ports-cad
release=cvsComputer aided design tools.ports-chinese
release=cvsChinese language support.ports-comms
release=cvsCommunication software.ports-converters
release=cvscharacter code converters.ports-databases
release=cvsDatabases.ports-deskutils
release=cvsThings that used to be on the desktop
before computers were invented.ports-devel
release=cvsDevelopment utilities.ports-dns
release=cvsDNS related software.ports-editors
release=cvsEditors.ports-emulators
release=cvsEmulators for other operating
systems.ports-finance
release=cvsMonetary, financial and related applications.ports-ftp
release=cvsFTP client and server utilities.ports-games
release=cvsGames.ports-german
release=cvsGerman language support.ports-graphics
release=cvsGraphics utilities.ports-hungarian
release=cvsHungarian language support.ports-irc
release=cvsInternet Relay Chat utilities.ports-japanese
release=cvsJapanese language support.ports-java
release=cvs&java; utilities.ports-korean
release=cvsKorean language support.ports-lang
release=cvsProgramming languages.ports-mail
release=cvsMail software.ports-math
release=cvsNumerical computation software.ports-mbone
release=cvsMBone applications.ports-misc
release=cvsMiscellaneous utilities.ports-multimedia
release=cvsMultimedia software.ports-net
release=cvsNetworking software.ports-news
release=cvsUSENET news software.ports-palm
release=cvsSoftware support for Palm
series.ports-polish
release=cvsPolish language support.ports-portuguese
release=cvsPortuguese language support.ports-print
release=cvsPrinting software.ports-russian
release=cvsRussian language support.ports-security
release=cvsSecurity utilities.ports-shells
release=cvsCommand line shells.ports-sysutils
release=cvsSystem utilities.ports-textproc
release=cvstext processing utilities (does not
include desktop publishing).ports-vietnamese
release=cvsVietnamese language support.ports-www
release=cvsSoftware related to the World Wide
Web.ports-x11
release=cvsPorts to support the X window
system.ports-x11-clocks
release=cvsX11 clocks.ports-x11-fm
release=cvsX11 file managers.ports-x11-fonts
release=cvsX11 fonts and font utilities.ports-x11-toolkits
release=cvsX11 toolkits.ports-x11-serversX11 servers.ports-x11-wmX11 window managers.src-all release=cvsThe main FreeBSD sources, including the
cryptography code.src-base
release=cvsMiscellaneous files at the top of
/usr/src.src-bin
release=cvsUser utilities that may be needed in
single-user mode
(/usr/src/bin).src-contrib
release=cvsUtilities and libraries from outside the
FreeBSD project, used relatively unmodified
(/usr/src/contrib).src-crypto release=cvsCryptography utilities and libraries from
outside the FreeBSD project, used relatively
unmodified
(/usr/src/crypto).src-eBones release=cvsKerberos and DES
(/usr/src/eBones). Not
used in current releases of FreeBSD.src-etc
release=cvsSystem configuration files
(/usr/src/etc).src-games
release=cvsGames
(/usr/src/games).src-gnu
release=cvsUtilities covered by the GNU Public
License (/usr/src/gnu).src-include
release=cvsHeader files
(/usr/src/include).src-kerberos5
release=cvsKerberos5 security package
(/usr/src/kerberos5).src-kerberosIV
release=cvsKerberosIV security package
(/usr/src/kerberosIV).src-lib
release=cvsLibraries
(/usr/src/lib).src-libexec
release=cvsSystem programs normally executed by other
programs
(/usr/src/libexec).src-release
release=cvsFiles required to produce a FreeBSD
release
(/usr/src/release).src-sbin release=cvsSystem utilities for single-user mode
(/usr/src/sbin).src-secure
release=cvsCryptographic libraries and commands
(/usr/src/secure).src-share
release=cvsFiles that can be shared across multiple
systems
(/usr/src/share).src-sys
release=cvsThe kernel
(/usr/src/sys).src-sys-crypto
release=cvsKernel cryptography code
(/usr/src/sys/crypto).src-tools
release=cvsVarious tools for the maintenance of
FreeBSD
(/usr/src/tools).src-usrbin
release=cvsUser utilities
(/usr/src/usr.bin).src-usrsbin
release=cvsSystem utilities
(/usr/src/usr.sbin).www release=cvsThe sources for the FreeBSD WWW site.distrib release=selfThe CVSup server's own
configuration files. Used by CVSup
mirror sites.gnats release=currentThe GNATS bug-tracking database.mail-archive release=currentFreeBSD mailing list archive.www release=currentThe pre-processed FreeBSD WWW site files (not the
source files). Used by WWW mirror sites.For More InformationFor the CVSup FAQ and other
information about CVSup, see
The
CVSup Home Page.Most FreeBSD-related discussion of
CVSup takes place on the
&a.hackers;. New versions of the software are announced there,
as well as on the &a.announce;.Questions and bug reports should be addressed to the author
of the program at cvsup-bugs@polstra.com.CVSup SitesCVSup servers for FreeBSD are running
at the following sites:
&chap.mirrors.cvsup.inc;
CVS TagsWhen obtaining or updating sources using
cvs or
CVSup, a revision tag must be specified.
A revision tag refers to either a particular line of &os;
development, or a specific point in time. The first type are called
branch tags, and the second type are called
release tags.Branch TagsAll of these, with the exception of HEAD (which
is always a valid tag), only apply to the src/
tree. The ports/, doc/, and
www/ trees are not branched.HEADSymbolic name for the main line, or FreeBSD-CURRENT.
Also the default when no revision is specified.In CVSup, this tag is represented
by a . (not punctuation, but a literal
. character).In CVS, this is the default when no revision tag is
specified. It is usually not
a good idea to checkout or update to CURRENT sources
on a STABLE machine, unless that is your intent.RELENG_5The line of development for FreeBSD-5.X, also known
as FreeBSD 5-STABLE.RELENG_5_3The release branch for FreeBSD-5.3, used only
for security advisories and other critical fixes.RELENG_5_2The release branch for FreeBSD-5.2 and FreeBSD-5.2.1, used only
for security advisories and other critical fixes.RELENG_5_1The release branch for FreeBSD-5.1, used only
for security advisories and other critical fixes.RELENG_5_0The release branch for FreeBSD-5.0, used only
for security advisories and other critical fixes.RELENG_4The line of development for FreeBSD-4.X, also known
as FreeBSD 4-STABLE.RELENG_4_10The release branch for FreeBSD-4.10, used only
for security advisories and other critical fixes.RELENG_4_9The release branch for FreeBSD-4.9, used only
for security advisories and other critical fixes.RELENG_4_8The release branch for FreeBSD-4.8, used only
for security advisories and other critical fixes.RELENG_4_7The release branch for FreeBSD-4.7, used only
for security advisories and other critical fixes.RELENG_4_6The release branch for FreeBSD-4.6 and FreeBSD-4.6.2,
used only for security advisories and other
critical fixes.RELENG_4_5The release branch for FreeBSD-4.5, used only
for security advisories and other critical fixes.RELENG_4_4The release branch for FreeBSD-4.4, used only
for security advisories and other critical fixes.RELENG_4_3The release branch for FreeBSD-4.3, used only
for security advisories and other critical fixes.RELENG_3The line of development for FreeBSD-3.X, also known
as 3.X-STABLE.RELENG_2_2The line of development for FreeBSD-2.2.X, also known
as 2.2-STABLE. This branch is mostly obsolete.Release TagsThese tags refer to a specific point in time when a particular
version of &os; was released. The release engineering process is
documented in more detail by the
Release Engineering
Information and
Release
Process documents.
- The src tree uses tag names that
+ The src tree uses tag names that
start with RELENG_ tags.
- The ports and
- doc trees use tags whose names
+ The ports and
+ doc trees use tags whose names
begin with RELEASE tags.
- Finally, the www tree is not
+ Finally, the www tree is not
tagged with any special name for releases.RELENG_5_3_0_RELEASEFreeBSD 5.3RELENG_4_10_0_RELEASEFreeBSD 4.10RELENG_5_2_1_RELEASEFreeBSD 5.2.1RELENG_5_2_0_RELEASEFreeBSD 5.2RELENG_4_9_0_RELEASEFreeBSD 4.9RELENG_5_1_0_RELEASEFreeBSD 5.1RELENG_4_8_0_RELEASEFreeBSD 4.8RELENG_5_0_0_RELEASEFreeBSD 5.0RELENG_4_7_0_RELEASEFreeBSD 4.7RELENG_4_6_2_RELEASEFreeBSD 4.6.2RELENG_4_6_1_RELEASEFreeBSD 4.6.1RELENG_4_6_0_RELEASEFreeBSD 4.6RELENG_4_5_0_RELEASEFreeBSD 4.5RELENG_4_4_0_RELEASEFreeBSD 4.4RELENG_4_3_0_RELEASEFreeBSD 4.3RELENG_4_2_0_RELEASEFreeBSD 4.2RELENG_4_1_1_RELEASEFreeBSD 4.1.1RELENG_4_1_0_RELEASEFreeBSD 4.1RELENG_4_0_0_RELEASEFreeBSD 4.0RELENG_3_5_0_RELEASEFreeBSD-3.5RELENG_3_4_0_RELEASEFreeBSD-3.4RELENG_3_3_0_RELEASEFreeBSD-3.3RELENG_3_2_0_RELEASEFreeBSD-3.2RELENG_3_1_0_RELEASEFreeBSD-3.1RELENG_3_0_0_RELEASEFreeBSD-3.0RELENG_2_2_8_RELEASEFreeBSD-2.2.8RELENG_2_2_7_RELEASEFreeBSD-2.2.7RELENG_2_2_6_RELEASEFreeBSD-2.2.6RELENG_2_2_5_RELEASEFreeBSD-2.2.5RELENG_2_2_2_RELEASEFreeBSD-2.2.2RELENG_2_2_1_RELEASEFreeBSD-2.2.1RELENG_2_2_0_RELEASEFreeBSD-2.2.0AFS SitesAFS servers for FreeBSD are running at the following sites:SwedenThe path to the files are:
/afs/stacken.kth.se/ftp/pub/FreeBSD/stacken.kth.se # Stacken Computer Club, KTH, Sweden
130.237.234.43 #hot.stacken.kth.se
130.237.237.230 #fishburger.stacken.kth.se
130.237.234.3 #milko.stacken.kth.seMaintainer ftp@stacken.kth.sersync SitesThe following sites make FreeBSD available through the rsync
protocol. The rsync utility works in
much the same way as the &man.rcp.1; command,
but has more options and uses the rsync remote-update protocol
which transfers only the differences between two sets of files,
thus greatly speeding up the synchronization over the network.
This is most useful if you are a mirror site for the
FreeBSD FTP server, or the CVS repository. The
rsync suite is available for many
operating systems, on FreeBSD, see the
net/rsync
port or use the package.Czech Republicrsync://ftp.cz.FreeBSD.org/Available collections:ftp: A partial mirror of the FreeBSD FTP
server.FreeBSD: A full mirror of the FreeBSD FTP
server.Germanyrsync://grappa.unix-ag.uni-kl.de/Available collections:freebsd-cvs: The full FreeBSD CVS
repository.This machine also mirrors the CVS repositories of the
NetBSD and the OpenBSD projects, among others.Netherlandsrsync://ftp.nl.FreeBSD.org/Available collections:vol/3/freebsd-core: A full mirror of the
FreeBSD FTP server.United Kingdomrsync://rsync.mirror.ac.uk/Available collections:ftp.FreeBSD.org: A full mirror of the
FreeBSD FTP server.United States of Americarsync://ftp-master.FreeBSD.org/This server may only be used by FreeBSD primary mirror
sites.Available collections:FreeBSD: The master archive of the FreeBSD
FTP server.acl: The FreeBSD master ACL
list.rsync://ftp13.FreeBSD.org/Available collections:FreeBSD: A full mirror of the FreeBSD FTP
server.
diff --git a/en_US.ISO8859-1/books/handbook/multimedia/chapter.sgml b/en_US.ISO8859-1/books/handbook/multimedia/chapter.sgml
index 4d8426a9a5..b9bb250f56 100644
--- a/en_US.ISO8859-1/books/handbook/multimedia/chapter.sgml
+++ b/en_US.ISO8859-1/books/handbook/multimedia/chapter.sgml
@@ -1,1858 +1,1858 @@
RossLippertEdited by MultimediaSynopsisFreeBSD supports a wide variety of sound cards, allowing you
to enjoy high fidelity output from your computer. This includes
the ability to record and playback audio in the MPEG Audio Layer
3 (MP3), WAV, and Ogg Vorbis formats as well as many other
formats. The FreeBSD Ports Collection also contains
applications allowing you to edit your recorded audio, add sound
effects, and control attached MIDI devices.With some willingness to experiment, FreeBSD can support
playback of video files and DVD's. The number of applications
to encode, convert, and playback various video media is more
limited than the number of sound applications. For example as
of this writing, there is no good re-encoding application in the
FreeBSD Ports Collection, which could be use to convert
between formats, as there is with audio/sox. However, the software
landscape in this area is changing rapidly.This chapter will describe the necessary steps to configure
your sound card. The configuration and installation of X11
() has already taken care of the
hardware issues for your video card, though there may be some
tweaks to apply for better playback.After reading this chapter, you will know:How to configure your system so that your sound card is
recognized.Methods to test that your card is working using
sample applications.How to troubleshoot your sound setup.How to playback and encode MP3s and other audio.How video is supported by the X server.Some video player/encoder ports which give good results.How to playback DVD's, .mpg and .avi files.How to rip CD and DVD information into files.How to configure a TV card.How to configure an image scanner.Before reading this chapter, you should:Know how to configure and install a new kernel ().Trying to mount audio CDs
with the &man.mount.8; command will
result in an error, at least, and a kernel
panic, at worst. These media have specialized
encodings which differ from the usual ISO-filesystem.MosesMooreContributed by MarcFonvieilleEnhanced for &os; 5.X by Setting Up the Sound CardConfiguring the SystemPCIISAsound cardsBefore you begin, you should know the model of the card you
have, the chip it uses, and whether it is a PCI or ISA card.
FreeBSD supports a wide variety of both PCI and ISA cards.
Check the supported audio devices list of the Hardware Notes to see if
your card is supported. This document will also mention which
driver supports your card.kernelconfigurationTo use your sound device, you will need to load the proper
device driver. This may be accomplished in one of two ways.
The easiest way is to simply load a kernel module for your sound
card with &man.kldload.8; which can either be done from the
command line:&prompt.root; kldload snd_emu10k1or by adding the appropriate line to the file
/boot/loader.conf like this:snd_emu10k1_load="YES"These examples are for a Creative &soundblaster; Live! sound
card. Other available loadable sound modules are listed in
/boot/defaults/loader.conf.
If you are not sure which driver to use, you may try to load
the snd_driver module:&prompt.root; kldload snd_driverThis is a metadriver loading the most common device drivers
at once. This speeds up the search for the correct driver. It
is also possible to load all sound drivers via the
/boot/loader.conf facility.Under &os; 4.X, to load all sound drivers, you have
to load the snd module instead of
snd_driver.A second method is to statically
compile in support for your sound card in your kernel. The
section below provides the information you need to add support
for your hardware in this manner. For more information about
recompiling your kernel, please see .Configuring a Custom Kernel with Sound SupportThe first thing to do is adding the generic audio driver
&man.sound.4; to the kernel, for that you will need to
add the following line to the kernel configuration file:device soundUnder &os; 4.X, you would use the following
line:device pcmThen we have to add the support for our sound card.
Therefore, we need to know which driver supports the card.
Check the supported audio devices list of the Hardware Notes, to
determine the correct driver for your sound card. For
example, a Creative &soundblaster; Live! sound card is
supported by the &man.snd.emu10k1.4; driver. To add the support
for this card, use the following:device "snd_emu10k1"Be sure to read the manual page of the driver for the
syntax to use. Information regarding the syntax of sound
drivers in the kernel configuration can also be found in the
/usr/src/sys/conf/NOTES file
(/usr/src/sys/i386/conf/LINT for
&os; 4.X).Non-PnP ISA cards may require you to provide the kernel
with information on the sound card settings (IRQ, I/O port,
etc). This is done via the
/boot/device.hints file. At system boot,
the &man.loader.8; will read this file and pass the settings
to the kernel. For example, an old
Creative &soundblaster; 16 ISA non-PnP card will use the
&man.snd.sbc.4; driver, with the following line added to
the kernel configuration file:device sbcas well as the following in
/boot/device.hints:hint.sbc.0.at="isa"
hint.sbc.0.port="0x220"
hint.sbc.0.irq="5"
hint.sbc.0.drq="1"
hint.sbc.0.flags="0x15"In this case, the card uses the 0x220
I/O port and the IRQ 5.The syntax used in the
/boot/device.hints file is covered in the
sound driver manual page. On &os; 4.X, these settings
are directly written in the kernel configuration file. In the
case of our ISA card, we would only use this line:device sbc0 at isa? port 0x220 irq 5 drq 1 flags 0x15The settings shown above are the defaults. In some
cases, you may need to change the IRQ or the other settings to
match your card. See the &man.snd.sbc.4; manual page for more
information.Under &os; 4.X, some systems with built-in
motherboard sound devices may require the following option in
the kernel configuration:options PNPBIOSTesting the Sound CardAfter rebooting with the modified kernel, or after loading
the required module, the sound card should appear in your system
message buffer (&man.dmesg.8;) as something like:pcm0: <Intel ICH3 (82801CA)> port 0xdc80-0xdcbf,0xd800-0xd8ff irq 5 at device 31.5 on pci0
pcm0: [GIANT-LOCKED]
pcm0: <Cirrus Logic CS4205 AC97 Codec>The status of the sound card may be checked via the
/dev/sndstat file:&prompt.root; cat /dev/sndstat
FreeBSD Audio Driver (newpcm)
Installed devices:
pcm0: <Intel ICH3 (82801CA)> at io 0xd800, 0xdc80 irq 5 bufsz 16384
kld snd_ich (1p/2r/0v channels duplex default)The output from your system may vary. If no
pcm devices show up, go back and review
what was done earlier. Go through your kernel
configuration file again and make sure the correct
device is chosen. Common problems are listed in .If all goes well, you should now have a functioning sound
card. If your CD-ROM or DVD-ROM drive is properly coupled to
your sound card, you can put a CD in the drive and play it
with &man.cdcontrol.1;:&prompt.user; cdcontrol -f /dev/acd0 play 1Various applications, such as audio/workman can provide a friendlier
interface. You may want to install an application such as
audio/mpg123 to listen to
MP3 audio files. A quick way to test the card is sending data
to the /dev/dsp, like this:&prompt.user; cat filename > /dev/dspwhere filename can be any file.
This command line should produce some noise, confirming the
sound card is actually working.&os; 4.X users need to create the sound card device
nodes before being able to use it. If the card showed up in
message buffer as pcm0, you will have
to run the following as root:&prompt.root; cd /dev
&prompt.root; sh MAKEDEV snd0If the card detection returned pcm1,
follow the same steps as shown above, replacing
snd0 with
snd1.MAKEDEV will create a group of device
nodes that will be used by the different sound related
applications.Sound card mixer levels can be changed via the &man.mixer.8;
command. More details can be found in the &man.mixer.8; manual
page.Common Problemsdevice nodesI/O portIRQDSPErrorSolutionunsupported subdevice XXOne or more of the device nodes was not created
correctly. Repeat the steps above.sb_dspwr(XX) timed outThe I/O port is not set correctly.bad irq XXThe IRQ is set incorrectly. Make sure that
the set IRQ and the sound IRQ are the same.xxx: gus pcm not attached, out of memoryThere is not enough available memory to use
the device.xxx: can't open /dev/dsp!Check with fstat | grep dsp
if another application is holding the device open.
Noteworthy troublemakers are esound and KDE's sound
support.MunishChopraContributed by Utilizing Multiple Sound SourcesIt is often desirable to have multiple sources of sound that
are able to play simultaneously, such as when
esound or
artsd do not support sharing of the
sound device with a certain application.FreeBSD lets you do this through Virtual Sound
Channels, which can be set with the &man.sysctl.8;
facility. Virtual channels allow you to multiplex your sound
card's playback channels by mixing sound in the kernel.To set the number of virtual channels, there are two sysctl
knobs which, if you are the root user, can
be set like this:&prompt.root; sysctl hw.snd.pcm0.vchans=4
&prompt.root; sysctl hw.snd.maxautovchans=4The above example allocates four virtual channels, which is a
practical number for everyday use. hw.snd.pcm0.vchans
is the number of virtual channels pcm0 has, and is configurable
once a device has been attached.
hw.snd.maxautovchans is the number of virtual channels
a new audio device is given when it is attached using
&man.kldload.8;. Since the pcm module
can be loaded independently of the hardware drivers,
hw.snd.maxautovchans can store how many
virtual channels any devices which are attached later will be
given.If you are not using &man.devfs.5;, you will have to point
your applications at /dev/dsp0.x, where
x is 0 to 3 if hw.snd.pcm.0.vchans is set
to 4 as in the above example. On a system using &man.devfs.5;, the above will automatically be
allocated transparently to the user.JosefEl-RayesContributed by Setting Default Values for Mixer ChannelsThe default values for the different mixer channels are
hardcoded in the sourcecode of the &man.pcm.4; driver. There are
a lot of different applications and daemons that allow
you to set values for the mixer they remember and set
each time they are started, but this is not a clean
solution, we want to have default values at the driver
level. This is accomplished by defining the appropriate
values in /boot/device.hints. E.g.:hint.pcm.0.vol="100"This will set the volume channel to a default value of
100, as soon as the &man.pcm.4; module gets loaded.Only &os; 5.3 and above support this.ChernLeeContributed by MP3 AudioMP3 (MPEG Layer 3 Audio) accomplishes near CD-quality sound,
leaving no reason to let your FreeBSD workstation fall short of
its offerings.MP3 PlayersBy far, the most popular &xfree86; MP3 player is
XMMS (X Multimedia System).
Winamp
skins can be used with XMMS since the
GUI is almost identical to that of Nullsoft's
Winamp.
XMMS also has native plug-in
support.XMMS can be installed from the
multimedia/xmms port or package.XMMS' interface is intuitive,
with a playlist, graphic equalizer, and more. Those familiar
with Winamp will find
XMMS simple to use.The audio/mpg123 port is an alternative,
command-line MP3 player.mpg123 can be run by specifying
the sound device and the MP3 file on the command line, as
shown below:&prompt.root; mpg123 -a /dev/dsp1.0 Foobar-GreatestHits.mp3
High Performance MPEG 1.0/2.0/2.5 Audio Player for Layer 1, 2 and 3.
Version 0.59r (1999/Jun/15). Written and copyrights by Michael Hipp.
Uses code from various people. See 'README' for more!
THIS SOFTWARE COMES WITH ABSOLUTELY NO WARRANTY! USE AT YOUR OWN RISK!
Playing MPEG stream from Foobar-GreatestHits.mp3 ...
MPEG 1.0 layer III, 128 kbit/s, 44100 Hz joint-stereo
/dev/dsp1.0 should be replaced with the
dsp device entry on your system.Ripping CD Audio TracksBefore encoding a CD or CD track to MP3, the audio data on
the CD must be ripped onto the hard drive. This is done by
copying the raw CDDA (CD Digital Audio) data to WAV
files.The cdda2wav tool, which is a part of
the sysutils/cdrtools
suite, is used for ripping audio information from CDs and the
information associated with them.With the audio CD in the drive, the following command can
be issued (as root) to rip an entire CD
into individual (per track) WAV files:&prompt.root; cdda2wav -D 0,1,0 -Bcdda2wav will support
ATAPI (IDE) CDROM drives. To rip from an IDE drive, specify
the device name in place of the SCSI unit numbers. For
example, to rip track 7 from an IDE drive:&prompt.root; cdda2wav -D /dev/acd0a -t 7The
indicates the SCSI device 0,1,0,
which corresponds to the output of cdrecord
-scanbus.To rip individual tracks, make use of the
option as shown:&prompt.root; cdda2wav -D 0,1,0 -t 7This example rips track seven of the audio CDROM. To rip
a range of tracks, for example, track one to seven, specify a
range:&prompt.root; cdda2wav -D 0,1,0 -t 1+7The utility &man.dd.1; can also be used to extract audio tracks
on ATAPI drives, read
for more information on that possibility.Encoding MP3sNowadays, the mp3 encoder of choice is
lame.
Lame can be found at
audio/lame in the ports tree.Using the ripped WAV files, the following command will
convert audio01.wav to
audio01.mp3:&prompt.root; lame -h -b 128 \
--tt "Foo Song Title" \
--ta "FooBar Artist" \
--tl "FooBar Album" \
--ty "2001" \
--tc "Ripped and encoded by Foo" \
--tg "Genre" \
audio01.wav audio01.mp3128 kbits seems to be the standard MP3 bitrate in use.
Many enjoy the higher quality 160, or 192. The higher the
bitrate, the more disk space the resulting MP3 will
consume--but the quality will be higher. The
option turns on the higher quality
but a little slower mode. The options beginning with
indicate ID3 tags, which usually contain
song information, to be embedded within the MP3 file.
Additional encoding options can be found by consulting the
lame man page.Decoding MP3sIn order to burn an audio CD from MP3s, they must be
converted to a non-compressed WAV format. Both
XMMS and
mpg123 support the output of MP3 to
an uncompressed file format.Writing to Disk in XMMS:Launch XMMS.Right-click on the window to bring up the
XMMS menu.Select Preference under
Options.Change the Output Plugin to Disk Writer
Plugin.Press Configure.Enter (or choose browse) a directory to write the
uncompressed files to.Load the MP3 file into XMMS
as usual, with volume at 100% and EQ settings turned
off.Press Play —
XMMS will appear as if it is
playing the MP3, but no music will be heard. It is
actually playing the MP3 to a file.Be sure to set the default Output Plugin back to what
it was before in order to listen to MP3s again.Writing to stdout in mpg123:Run mpg123 -s audio01.mp3
> audio01.pcmXMMS writes a file in the WAV
format, while mpg123 converts the
MP3 into raw PCM audio data. Both of these formats can be
used with cdrecord to create audio CDs.
You have to use raw PCM with &man.burncd.8;.
If you use WAV files, you will notice a small tick sound at the
beginning of each track, this sound is the header of the WAV
file. You can simply remove the header of a WAV file with the
utility SoX (it can be installed from
the audio/sox port or
package):&prompt.user; sox -t wav -r 44100 -s -w -c 2 track.wav track.rawRead for more information on using a
CD burner in FreeBSD.RossLippertContributed by Video PlaybackVideo playback is a very new and rapidly developing application
area. Be patient. Not everything is going to work as smoothly as
it did with sound.Before you begin, you should know the model of the video
card you have and the chip it uses. While &xorg; and &xfree86; support a
wide variety of video cards, fewer give good playback
performance. To obtain a list of extensions supported by the
X server using your card use the command &man.xdpyinfo.1; while
X11 is running.It is a good idea to have a short MPEG file which can be
treated as a test file for evaluating various players and
options. Since some DVD players will look for DVD media in
/dev/dvd by default, or have this device
name hardcoded in them, you might find it useful to make
symbolic links to the proper devices:&prompt.root; ln -sf /dev/acd0c /dev/dvd
&prompt.root; ln -sf /dev/racd0c /dev/rdvdOn FreeBSD 5.X, which uses &man.devfs.5; there
is a slightly different set of recommended links:&prompt.root; ln -sf /dev/acd0 /dev/dvd
&prompt.root; ln -sf /dev/acd0 /dev/rdvdNote that due to the nature of &man.devfs.5;,
manually created links like these will not persist if you reboot
your system. In order to create the symbolic links
automatically whenever you boot your system, add the following
lines to /etc/devfs.conf:link acd0 dvd
link acd0 rdvdAdditionally, DVD decryption, which requires invoking
special DVD-ROM functions, requires write permission on the DVD
devices.kernel optionsoptions CPU_ENABLE_SSEkernel optionsoptions USER_LDTSome of the ports discussed rely on the following kernel
options to build correctly. Before attempting to build, add
these options to the kernel configuration file, build a new kernel, and reboot:option CPU_ENABLE_SSE
option USER_LDToption USER_LDT does not exist on
&os; 5.X.To enhance the shared memory X11 interface, it is
recommended that the values of some &man.sysctl.8; variables
should be increased:kern.ipc.shmmax=67108864
kern.ipc.shmall=32768Determining Video CapabilitiesXVideoSDLDGAThere are several possible ways to display video under X11.
What will really work is largely hardware dependent. Each
method described below will have varying quality across
different hardware. Secondly, the rendering of video in X11 is
a topic receiving a lot of attention lately, and with each
version of &xorg;, or of &xfree86;, there may be significant improvement.A list of common video interfaces:X11: normal X11 output using shared memory.XVideo: an extension to the X11
interface which supports video in any X11 drawable.SDL: the Simple Directmedia Layer.DGA: the Direct Graphics Access.SVGAlib: low level console graphics layer.XVideo&xorg; and &xfree86; 4.X have an extension called
XVideo (aka Xvideo, aka Xv, aka xv) which
allows video to be directly displayed in drawable objects
through a special acceleration. This extension provides very
good quality playback even on low-end machines.To check whether the extension is running,
use xvinfo:&prompt.user; xvinfoXVideo is supported for your card if the result looks like:X-Video Extension version 2.2
screen #0
Adaptor #0: "Savage Streams Engine"
number of ports: 1
port base: 43
operations supported: PutImage
supported visuals:
depth 16, visualID 0x22
depth 16, visualID 0x23
number of attributes: 5
"XV_COLORKEY" (range 0 to 16777215)
client settable attribute
client gettable attribute (current value is 2110)
"XV_BRIGHTNESS" (range -128 to 127)
client settable attribute
client gettable attribute (current value is 0)
"XV_CONTRAST" (range 0 to 255)
client settable attribute
client gettable attribute (current value is 128)
"XV_SATURATION" (range 0 to 255)
client settable attribute
client gettable attribute (current value is 128)
"XV_HUE" (range -180 to 180)
client settable attribute
client gettable attribute (current value is 0)
maximum XvImage size: 1024 x 1024
Number of image formats: 7
id: 0x32595559 (YUY2)
guid: 59555932-0000-0010-8000-00aa00389b71
bits per pixel: 16
number of planes: 1
type: YUV (packed)
id: 0x32315659 (YV12)
guid: 59563132-0000-0010-8000-00aa00389b71
bits per pixel: 12
number of planes: 3
type: YUV (planar)
id: 0x30323449 (I420)
guid: 49343230-0000-0010-8000-00aa00389b71
bits per pixel: 12
number of planes: 3
type: YUV (planar)
id: 0x36315652 (RV16)
guid: 52563135-0000-0000-0000-000000000000
bits per pixel: 16
number of planes: 1
type: RGB (packed)
depth: 0
red, green, blue masks: 0x1f, 0x3e0, 0x7c00
id: 0x35315652 (RV15)
guid: 52563136-0000-0000-0000-000000000000
bits per pixel: 16
number of planes: 1
type: RGB (packed)
depth: 0
red, green, blue masks: 0x1f, 0x7e0, 0xf800
id: 0x31313259 (Y211)
guid: 59323131-0000-0010-8000-00aa00389b71
bits per pixel: 6
number of planes: 3
type: YUV (packed)
id: 0x0
guid: 00000000-0000-0000-0000-000000000000
bits per pixel: 0
number of planes: 0
type: RGB (packed)
depth: 1
red, green, blue masks: 0x0, 0x0, 0x0Also note that the formats listed (YUV2, YUV12, etc) are not
present with every implementation of XVideo and their absence may
hinder some players.If the result looks like:X-Video Extension version 2.2
screen #0
no adaptors presentThen XVideo is probably not supported for your card.If XVideo is not supported for your card, this only means
that it will be more difficult for your display to meet the
computational demands of rendering video. Depending on your
video card and processor, though, you might still be able to
have a satisfying experience. You should probably read about
ways of improving performance in the advanced reading .Simple Directmedia LayerThe Simple Directmedia Layer, SDL, was intended to be a
porting layer between µsoft.windows;, BeOS, and &unix;,
allowing cross-platform applications to be developed which made
efficient use of sound and graphics. The SDL layer provides a
low-level abstraction to the hardware which can sometimes be
more efficient than the X11 interface.The SDL can be found at devel/sdl12.Direct Graphics AccessDirect Graphics Access is an &xfree86; extension which allows
a program to bypass the X server and directly alter the
framebuffer. Because it relies on a low level memory mapping to
effect this sharing, programs using it must be run as
root.The DGA extension can be tested and benchmarked by
&man.dga.1;. When dga is running, it
changes the colors of the display whenever a key is pressed. To
quit, use q.Ports and Packages Dealing with Videovideo portsvideo packagesThis section discusses the software available from the
FreeBSD Ports Collection which can be used for video playback.
Video playback is a very active area of software development,
and the capabilities of various applications are bound to
diverge somewhat from the descriptions given here.Firstly, it is important to know that many of the video
applications which run on FreeBSD were developed as Linux
applications. Many of these applications are still
beta-quality. Some of the problems that you may encounter with
video packages on FreeBSD include:An application cannot playback a file which another
application produced.An application cannot playback a file which the
application itself produced.The same application on two different machines,
rebuilt on each machine for that machine, plays back the same
file differently.A seemingly trivial filter like rescaling of the image
size results in very bad artifacts from a buggy rescaling
routine.An application frequently dumps core.Documentation is not installed with the port and can be
- found either on the web or under the port's work
+ found either on the web or under the port's work
directory.Many of these applications may also exhibit
Linux-isms. That is, there may be
issues resulting from the way some standard libraries are
implemented in the Linux distributions, or some features of the
Linux kernel which have been assumed by the authors of the
applications. These issues are not always noticed and worked around
by the port maintainers, which can lead to problems like
these:The use of /proc/cpuinfo to detect
processor characteristics.A misuse of threads which causes a program to hang upon
completion instead of truly terminating.Software not yet in the FreeBSD Ports Collection
which is commonly used in conjunction with the application.So far, these application developers have been cooperative with
port maintainers to minimize the work-arounds needed for
port-ing.MPlayerMPlayer is a recently developed and rapidly developing
video player. The goals of the MPlayer team are speed and
flexibility on Linux and other Unices. The project was
started when the team founder got fed up with bad playback
performance on then available players. Some would say that
the graphical interface has been sacrificed for a streamlined
design. However, once
you get used to the command line options and the key-stroke
controls, it works very well.Building MPlayerMPlayermakingMPlayer resides in multimedia/mplayer.
MPlayer performs a variety of
hardware checks during the build process, resulting in a
binary which will not be portable from one system to
another. Therefore, it is important to build it from
ports and not to use a binary package. Additionally, a
number of options can be specified in the make
command line, as described in the Makefile and at the start of the build:&prompt.root; cd /usr/ports/multimedia/mplayer
&prompt.root; make
N - O - T - E
Take a careful look into the Makefile in order
to learn how to tune mplayer towards you personal preferences!
For example,
make WITH_GTK1
builds MPlayer with GTK1-GUI support.
If you want to use the GUI, you can either install
/usr/ports/multimedia/mplayer-skins
or download official skin collections from
http://www.mplayerhq.hu/homepage/dload.html
The default port options should be sufficient for most
users. However, if you need the XviD codec, you have to
specify the WITH_XVID option in the
command line. The default DVD device can also be defined
with the WITH_DVD_DEVICE option, by
default /dev/acd0 will be used.As of this writing, the MPlayer port will build its HTML
documentation and two executables,
mplayer, and
mencoder, which is a tool for
re-encoding video.The HTML documentation for MPlayer is very informative.
If the reader finds the information on video hardware and
interfaces in this chapter lacking, the MPlayer documentation
is a very thorough supplement. You should definitely take
the time to read the MPlayer
documentation if you are looking for information about video
support in &unix;.Using MPlayerMPlayeruseAny user of MPlayer must set up a
.mplayer subdirectory of her
home directory. To create this necessary subdirectory,
you can type the following:&prompt.user; cd /usr/ports/multimedia/mplayer
&prompt.user; make install-userThe command options for mplayer are
listed in the manual page. For even more detail there is HTML
documentation. In this section, we will describe only a few
common uses.To play a file, such as
testfile.avi,
through one of the various video interfaces set the
option:&prompt.user; mplayer -vo xv testfile.avi&prompt.user; mplayer -vo sdl testfile.avi&prompt.user; mplayer -vo x11 testfile.avi&prompt.root; mplayer -vo dga testfile.avi&prompt.root; mplayer -vo 'sdl:dga' testfile.aviIt is worth trying all of these options, as their relative
performance depends on many factors and will vary significantly
with hardware.To play from a DVD, replace the
testfile.avi with where N is
the title number to play and
DEVICE is the
device node for the DVD-ROM. For example, to play title 3
from /dev/dvd:&prompt.root; mplayer -vo xv dvd://3 -dvd-device /dev/dvdThe default DVD device can be defined during the build
of the MPlayer port via the
WITH_DVD_DEVICE option. By default,
this device is /dev/acd0. More
details can be found in the port
Makefile.To stop, pause, advance and so on, consult the
keybindings, which are output by running mplayer
-h or read the manual page.Additional important options for playback are:
which engages the fullscreen mode
and which helps performance.In order for the mplayer command line to not become too
large, the user can create a file
.mplayer/config and set default options
there:vo=xv
fs=yes
zoom=yesFinally, mplayer can be used to rip a
DVD title into a .vob file. To dump
out the second title from a DVD, type this:&prompt.root; mplayer -dumpstream -dumpfile out.vob dvd://2 -dvd-device /dev/dvdThe output file, out.vob, will be
MPEG and can be manipulated by the other packages described
in this section.mencodermencoderBefore using
mencoder it is a good idea to
familiarize yourself with the options from the HTML
documentation. There is a manual page, but it is not very
useful without the HTML documentation. There are innumerable ways to
improve quality, lower bitrate, and change formats, and some
of these tricks may make the difference between good
or bad performance. Here are a couple of examples to get
you going. First a simple copy:&prompt.user; mencoder input.avi -oac copy -ovc copy -o output.aviImproper combinations of command line options can yield
output files that are
unplayable even by mplayer. Thus, if you
just want to rip to a file, stick to the
in mplayer.To convert input.avi to the MPEG4
codec with MPEG3 audio encoding (audio/lame is required):&prompt.user; mencoder input.avi -oac mp3lame -lameopts br=192 \
-ovc lavc -lavcopts vcodec=mpeg4:vhq -o output.aviThis has produced output playable by mplayer
and xine.input.avi can be replaced with
and run as
root to re-encode a DVD title
directly. Since you are likely to be dissatisfied with
your results the first time around, it is recommended you
dump the title to a file and work on the file.The xine Video PlayerThe xine video player is a project of wide scope aiming not only at being an
all in one video solution, but also in producing a reusable base
library and a modular executable which can be extended with
plugins. It comes both as a package and as a port, multimedia/xine.The xine player
is still very rough around the edges, but it is clearly off to a
good start. In practice, xine requires either a fast CPU with a
fast video card, or support for the XVideo extension. The GUI is
usable, but a bit clumsy.As of this writing, there is no input module shipped with
xine which will play CSS encoded DVD's. There are third party
builds which do have modules for this built in them, but none
of these are in the FreeBSD Ports Collection.Compared to MPlayer, xine does more for the user, but at the
same time, takes some of the more fine-grained control away from
the user. The xine video player
performs best on XVideo interfaces.By default, xine player will
start up in a graphical user interface. The menus can then be
used to open a specific file:&prompt.user; xineAlternatively, it may be invoked to play a file immediately
without the GUI with the command:&prompt.user; xine -g -p mymovie.aviThe transcode UtilitiesThe software transcode is not a player, but a suite of tools for
re-encoding .avi and .mpg files. With transcode, one has the
ability to merge video files, repair broken files, using command
line tools with stdin/stdout stream
interfaces.Like MPlayer, transcode is very experimental software which
must be build from the port multimedia/transcode. Using a great
many options to the make command. We
recommend:&prompt.root; make WITH_LIBMPEG2=yesIf you plan to install multimedia/avifile, then add the
WITH_AVIFILE option to your
make command line, as shown here:&prompt.root; make WITH_AVIFILE=yes WITH_LIBMPEG2=yesHere are two examples of using transcode
for video conversion which produce rescaled output. The first
encodes the output to an openDIVX AVI file, while the second
encodes to the much more portable MPEG format.&prompt.user; transcode -i input.vob -x vob -V -Z 320x240 \
-y opendivx -N 0x55 -o output.avi&prompt.user; transcode -i input.vob -x vob -V -Z 320x240 \
-y mpeg -N 0x55 -o output.tmp
&prompt.user; tcmplex -o output.mpg -i output.tmp.m1v -p output.tmp.mpa -m 1There is a manual page for transcode, but
there is little documentation for the various tc* utilities (such as
tcmplex) which are also installed.
However, the command line option can
always be given to get curt usage instructions for a
command.In comparison, transcode runs
significantly slower than mencoder, but it
has a better chance of producing a more widely playable file.
MPEGs created by transcode have been known to
play on
&windows.media; Player and Apple's &quicktime;, for example.Further ReadingThe various video software packages for FreeBSD are
developing rapidly. It is quite possible that in the near
future many of the problems discussed here will have been
resolved. In the mean time, those who
want to get the very most out of FreeBSD's A/V capabilities will
have to cobble together knowledge from several FAQs and tutorials
and use a few different applications. This section exists to
give the reader pointers to such additional information.The
MPlayer documentation
is very technically informative.
These documents should probably be consulted by anyone wishing
to obtain a high level of expertise with &unix; video. The
MPlayer mailing list is hostile to anyone who has not bothered
to read the documentation, so if you plan on making bug reports
to them, RTFM.The
xine HOWTO
contains a chapter on performance improvement
which is general to all players.Finally, there are some other promising applications which
the reader may try:Avifile which
is also a port multimedia/avifile.Ogle
which is also a port multimedia/ogle.Xtheatermultimedia/dvdauthor, an open
source package for authoring DVD content.JosefEl-RayesOriginal contribution by MarcFonvieilleEnhanced and adapted by Setting Up TV CardsTV cardsIntroductionTV cards allow you to watch broadcast or cable TV on your
computer. Most of them accept composite video via an RCA or
S-video input and some of these cards come with a FM
radio tuner.&os; provides support for PCI-based TV cards using a
Brooktree Bt848/849/878/879 or a Conexant CN-878/Fusion 878a
Video Capture Chip with the &man.bktr.4; driver. You must
also ensure the board comes with a supported tuner, consult
the &man.bktr.4; manual page for a list of supported
tuners.Adding the DriverTo use your card, you will need to load the &man.bktr.4;
driver, this can be done by adding the following line to the
/boot/loader.conf file like this:bktr_load="YES"Alternatively, you may statically compile the support for
the TV card in your kernel, in that case add the following
lines to your kernel configuration:device bktr
device iicbus
device iicbb
device smbusThese additional device drivers are necessary because of the
card components being interconnected via an I2C bus. Then build
and install a new kernel.Once the support was added to your system, you have to
reboot your machine. During the boot process, your TV card
should show up, like this:bktr0: <BrookTree 848A> mem 0xd7000000-0xd7000fff irq 10 at device 10.0 on pci0
iicbb0: <I2C bit-banging driver> on bti2c0
iicbus0: <Philips I2C bus> on iicbb0 master-only
iicbus1: <Philips I2C bus> on iicbb0 master-only
smbus0: <System Management Bus> on bti2c0
bktr0: Pinnacle/Miro TV, Philips SECAM tuner.Of course these messages can differ according to your
hardware. However you should check if the tuner is correctly
detected; it is still possible to override some of the
detected parameters with &man.sysctl.8; MIBs and kernel
configuration file options. For example, if you want to force
the tuner to a Philips SECAM tuner, you should add the
following line to your kernel configuration file:options OVERRIDE_TUNER=6or you can directly use &man.sysctl.8;:&prompt.root; sysctl hw.bt848.tuner=6See the &man.bktr.4; manual page and the
/usr/src/sys/conf/NOTES file for more
details on the available options. (If you are under
&os; 4.X, /usr/src/sys/conf/NOTES is
replaced with
/usr/src/sys/i386/conf/LINT.)Useful ApplicationsTo use your TV card you need to install one of the
following applications:multimedia/fxtv
provides TV-in-a-window and image/audio/video capture
capabilities.multimedia/xawtv
is also a TV application, with the same features as
fxtv.misc/alevt decodes
and displays Videotext/Teletext.audio/xmradio, an
application to use the FM radio tuner coming with some
TV cards.audio/wmtune, a handy
desktop application for radio tuners.More applications are available in the &os; Ports
Collection.TroubleshootingIf you encounter any problem with your TV card, you should
check at first if the video capture chip and the tuner are
really supported by the &man.bktr.4; driver and if you used the right
configuration options. For more support and various questions
about your TV card you may want to contact and use the
archives of the &a.multimedia.name; mailing list.MarcFonvieilleWritten by Image Scannersimage scannersIntroduction&os;, like any modern operating system, allows the use of
image scanners. Standardized access to scanners is provided
by the SANE (Scanner Access Now
Easy) API available through the &os; Ports
Collection. SANE will also use
some &os; devices drivers to access to the scanner
hardware.&os; supports both SCSI and USB scanners. Be sure your
scanner is supported by SANE prior
to performing any configuration.
SANE has a supported
devices list that can provide you with information
about the support for a scanner and its status. The
&man.uscanner.4; manual page also provides a list of supported
USB scanners.Kernel ConfigurationAs mentioned above both SCSI and USB interfaces are
supported. According to your scanner interface, different
device drivers are required.USB InterfaceThe GENERIC kernel by default
includes the device drivers needed to support USB scanners.
Should you decide to use a custom kernel, be sure that the
following lines are present in your kernel configuration
file:device usb
device uhci
device ohci
device uscannerDepending upon the USB chipset on your motherboard, you
will only need either device uhci or
device ohci, however having both in the
kernel configuration file is harmless.If you do not want to rebuild your kernel and your
kernel is not the GENERIC one, you can
directly load the &man.uscanner.4; device driver module with
the &man.kldload.8; command:&prompt.root; kldload uscannerTo load this module at each system startup, add the
following line to
/boot/loader.conf:uscanner_load="YES"After rebooting with the correct kernel, or after
loading the required module, plug in your USB scanner. The
scanner should appear in your system message buffer
(&man.dmesg.8;) as something like:uscanner0: EPSON EPSON Scanner, rev 1.10/3.02, addr 2This shows that our scanner is using the
/dev/uscanner0 device node.On &os; 4.X, the USB daemon (&man.usbd.8;) must
be running to be able to see some USB devices. To enable
this, add usbd_enable="YES" to your
/etc/rc.conf file and reboot the
machine.SCSI InterfaceIf your scanner comes with a SCSI interface, it is
important to know which SCSI controller board you will use.
According to the SCSI chipset used, you will have to tune
your kernel configuration file. The
GENERIC kernel supports the most common
SCSI controllers. Be sure to read the
NOTES file (LINT
under &os; 4.X) and add the correct line to your kernel
configuration file. In addition to the SCSI adapter driver,
you need to have the following lines in your kernel
configuration file:device scbus
device passOnce your kernel has been properly compiled, you should
be able to see the devices in your system message buffer,
when booting:pass2 at aic0 bus 0 target 2 lun 0
pass2: <AGFA SNAPSCAN 600 1.10> Fixed Scanner SCSI-2 device
pass2: 3.300MB/s transfersIf your scanner was not powered-on at system boot, it is
still possible to manually force the detection by performing
a SCSI bus scan with the &man.camcontrol.8; command:&prompt.root; camcontrol rescan all
Re-scan of bus 0 was successful
Re-scan of bus 1 was successful
Re-scan of bus 2 was successful
Re-scan of bus 3 was successfulThen the scanner will appear in the SCSI devices
list:&prompt.root; camcontrol devlist
<IBM DDRS-34560 S97B> at scbus0 target 5 lun 0 (pass0,da0)
<IBM DDRS-34560 S97B> at scbus0 target 6 lun 0 (pass1,da1)
<AGFA SNAPSCAN 600 1.10> at scbus1 target 2 lun 0 (pass3)
<PHILIPS CDD3610 CD-R/RW 1.00> at scbus2 target 0 lun 0 (pass2,cd0)More details about SCSI devices, are available in the
&man.scsi.4; and &man.camcontrol.8; manual pages.SANE ConfigurationThe SANE system has been
splitted in two parts: the backends (graphics/sane-backends) and the
frontends (graphics/sane-frontends). The
backends part provides access to the scanner itself. The
SANE's supported
devices list specifies which backend will support your
image scanner. It is mandatory to determine the correct
backend for your scanner if you want to be able to use your
device. The frontends part provides the graphical scanning
interface (xscanimage).The first thing to do is install the graphics/sane-backends port or
package. Then, use the sane-find-scanner
command to check the scanner detection by the
SANE system:&prompt.root; sane-find-scanner -q
found SCSI scanner "AGFA SNAPSCAN 600 1.10" at /dev/pass3The output will show the interface type of the scanner and
the device node used to attach the scanner to the system. The
vendor and the product model may not appear, it is not
important.Some USB scanners require you to load a firmware, this
is explained in the backend manual page. You should also read
&man.sane-find-scanner.1; and &man.sane.7; manual
pages.Now we have to check if the scanner will be identified by
a scanning frontend. By default, the
SANE backends comes with a command
line tool called &man.scanimage.1;. This command allows you
to list the devices and to perform an image acquisition from
the command line. The option is used to
list the scanner device:&prompt.root; scanimage -L
device `snapscan:/dev/pass3' is a AGFA SNAPSCAN 600 flatbed scannerNo output or a message saying that no scanners were
identified indicates that &man.scanimage.1; is unable to
identify the scanner. If this happens, you will need to edit
the backend configuration file and define the scanner device
used. The /usr/local/etc/sane.d/ directory
+ class="directory">/usr/local/etc/sane.d/ directory
contains all backends configuration files. This
identification problem does appear with certain USB
scanners.For example, with the USB scanner used in the ,
sane-find-scanner gives us the following
information:&prompt.root; sane-find-scanner -q
found USB scanner (UNKNOWN vendor and product) at device /dev/uscanner0The scanner is correctly detected, it uses the USB
interface and is attached to the
/dev/uscanner0 device node. We can now
check if the scanner is correctly identified:&prompt.root; scanimage -L
No scanners were identified. If you were expecting something different,
check that the scanner is plugged in, turned on and detected by the
sane-find-scanner tool (if appropriate). Please read the documentation
which came with this software (README, FAQ, manpages).Since the scanner is not identified, we will need to edit
the /usr/local/etc/sane.d/epson.conf
file. The scanner model used was the &epson.perfection; 1650,
so we know the scanner will use the epson
backend. Be sure to read the help comments in the backends
configuration files. Line changes are quite simple: comment
out all lines that have the wrong interface for your scanner
(in our case, we will comment out all lines starting with the
word scsi as our scanner uses the USB
interface), then add at the end of the file a line specifying
the interface and the device node used. In this case, we add
the following line:usb /dev/uscanner0Please be sure to read the comments provided in the
backend configuration file as well as the backend manual page
for more details and correct syntax to use. We can now verify
if the scanner is identified:&prompt.root; scanimage -L
device `epson:/dev/uscanner0' is a Epson GT-8200 flatbed scannerOur USB scanner has been identified. It is not important
if the brand and the model do not match. The key item to be
concerned with is the
`epson:/dev/uscanner0' field, which give us
the right backend name and the right device node.Once the scanimage -L command is able
to see the scanner, the configuration is complete. The device
is now ready to scan.While &man.scanimage.1; does allow us to perform an
image acquisition from the command line, it is preferable to
use a graphical user interface to perform image scanning.
SANE offers a simple but efficient
graphical interface: xscanimage
(graphics/sane-frontends).Xsane (graphics/xsane) is another popular
graphical scanning frontend. This frontend offers advanced
features such as various scanning mode (photocopy, fax, etc.),
color correction, batch scans, etc. Both of these applications
are useable as a GIMP
plugin.Allowing Scanner Access to Other UsersAll previous operations have been done with
root privileges. You may however, need
other users to have access
to the scanner. The user will need read and write
permissions to the device node used by the scanner. As an
example, our USB scanner uses the device node
/dev/uscanner0 which is owned by the
operator group. Adding the user
joe to the
operator group will allow him to use
the scanner:&prompt.root; pw groupmod operator -m joeFor more details read the &man.pw.8; manual page. You
also have to set the correct write permissions (0660 or 0664)
on the /dev/uscanner0 device node, by
default the operator group can only
read the device node. This is done by adding the following
lines to the /etc/devfs.rules file:[system=5]
add path uscanner0 mode 660Then add the following to
/etc/rc.conf and reboot the
machine:devfs_system_ruleset="system"More information regarding these lines can be found in the
&man.devfs.8; manual page. Under &os; 4.X, the
operator group has, by default, read
and write permissions to
/dev/uscanner0.Of course, for security reasons, you should think twice
before adding a user to any group, especially the
operator group.
diff --git a/en_US.ISO8859-1/books/handbook/network-servers/chapter.sgml b/en_US.ISO8859-1/books/handbook/network-servers/chapter.sgml
index 5bab973287..5a293d6a85 100644
--- a/en_US.ISO8859-1/books/handbook/network-servers/chapter.sgml
+++ b/en_US.ISO8859-1/books/handbook/network-servers/chapter.sgml
@@ -1,5099 +1,5099 @@
MurrayStokelyReorganized by Network ServersSynopsisThis chapter will cover some of the more frequently used
network services on &unix; systems. We will cover how to
install, configure, test, and maintain many different types of
network services. Example configuration files are included
throughout this chapter for you to benefit from.After reading this chapter, you will know:How to manage the inetd
daemon.How to set up a network filesystem.How to set up a network information server for sharing
user accounts.How to set up automatic network settings using DHCP.How to set up a domain name server.How to set up the Apache HTTP Server.How to set up a File Transfer Protocol (FTP) Server.How to set up a file and print server for &windows;
clients using Samba.How to synchronize the time and date, and set up a
time server, with the NTP protocol.Before reading this chapter, you should:Understand the basics of the
/etc/rc scripts.Be familiar with basic network terminology.Know how to install additional third-party
software ().ChernLeeContributed by The inetdSuper-ServerOverview&man.inetd.8; is referred to as the Internet
Super-Server because it manages connections for
several services. When a
connection is received by inetd, it
determines which program the connection is destined for, spawns
the particular process and delegates the socket to it (the program
is invoked with the service socket as its standard input, output
and error descriptors). Running
one instance of inetd reduces the
overall system load as compared to running each daemon
individually in stand-alone mode.Primarily, inetd is used to
spawn other daemons, but several trivial protocols are handled
directly, such as chargen,
auth, and
daytime.This section will cover the basics in configuring
inetd through its command-line
options and its configuration file,
/etc/inetd.conf.Settingsinetd is initialized through
the /etc/rc.conf system. The
inetd_enable option is set to
NO by default, but is often times turned on
by sysinstall with the medium
security profile. Placing:
inetd_enable="YES" or
inetd_enable="NO" into
/etc/rc.conf can enable or disable
inetd starting at boot time.Additionally, different command-line options can be passed
to inetd via the
inetd_flags option.Command-Line Optionsinetd synopsis:-dTurn on debugging.-lTurn on logging of successful connections.-wTurn on TCP Wrapping for external services (on by
default).-WTurn on TCP Wrapping for internal services which are
built into inetd (on by
default).-c maximumSpecify the default maximum number of simultaneous
invocations of each service; the default is unlimited.
May be overridden on a per-service basis with the
parameter.-C rateSpecify the default maximum number of times a
service can be invoked from a single IP address in one
minute; the default is unlimited. May be overridden on a
per-service basis with the
parameter.-R rateSpecify the maximum number of times a service can be
invoked in one minute; the default is 256. A rate of 0
allows an unlimited number of invocations.-aSpecify one specific IP address to bind to.
Alternatively, a hostname can be specified, in which case
the IPv4 or IPv6 address which corresponds to that
hostname is used. Usually a hostname is specified when
inetd is run inside a
&man.jail.8;, in which case the hostname corresponds to
the &man.jail.8; environment.When hostname specification is used and both IPv4
and IPv6 bindings are desired, one entry with the
appropriate protocol type for each binding is required
for each service in
/etc/inetd.conf. For example, a
TCP-based service would need two entries, one using
tcp4 for the protocol and the other
using tcp6.-pSpecify an alternate file in which to store the
process ID.These options can be passed to
inetd using the
inetd_flags option in
/etc/rc.conf. By default,
inetd_flags is set to
-wW, which turns on TCP wrapping for
inetd's internal and external
services. For novice users, these parameters usually do not
need to be modified or even entered in
/etc/rc.conf.An external service is a daemon outside of
inetd, which is invoked when a
connection is received for it. On the other hand, an
internal service is one that
inetd has the facility of
offering within itself.inetd.confConfiguration of inetd is
controlled through the /etc/inetd.conf
file.When a modification is made to
/etc/inetd.conf,
inetd can be forced to re-read its
configuration file by sending a HangUP signal to the
inetd process as shown:Sending inetd a HangUP Signal&prompt.root; kill -HUP `cat /var/run/inetd.pid`Each line of the configuration file specifies an
individual daemon. Comments in the file are preceded by a
#. The format of
/etc/inetd.conf is as follows:service-name
socket-type
protocol
{wait|nowait}[/max-child[/max-connections-per-ip-per-minute]]
user[:group][/login-class]
server-program
server-program-argumentsAn example entry for the ftpd daemon
using IPv4:ftp stream tcp nowait root /usr/libexec/ftpd ftpd -lservice-nameThis is the service name of the particular daemon.
It must correspond to a service listed in
/etc/services. This determines
which port inetd must listen
to. If a new service is being created, it must be
placed in /etc/services
first.socket-typeEither stream,
dgram, raw, or
seqpacket. stream
must be used for connection-based, TCP daemons, while
dgram is used for daemons utilizing
the UDP transport protocol.protocolOne of the following:ProtocolExplanationtcp, tcp4TCP IPv4udp, udp4UDP IPv4tcp6TCP IPv6udp6UDP IPv6tcp46Both TCP IPv4 and v6udp46Both UDP IPv4 and v6{wait|nowait}[/max-child[/max-connections-per-ip-per-minute]] indicates whether the
daemon invoked from inetd is
able to handle its own socket or not.
socket types must use the
option, while stream socket
daemons, which are usually multi-threaded, should use
. usually
hands off multiple sockets to a single daemon, while
spawns a child daemon for each
new socket.The maximum number of child daemons
inetd may spawn can be set
using the option. If a limit
of ten instances of a particular daemon is needed, a
/10 would be placed after
.In addition to , another
option limiting the maximum connections from a single
place to a particular daemon can be enabled.
does
just this. A value of ten here would limit any particular
IP address connecting to a particular service to ten
attempts per minute. This is useful to prevent
intentional or unintentional resource consumption and
Denial of Service (DoS) attacks to a machine.In this field, or
is mandatory.
and
are
optional.A stream-type multi-threaded daemon without any
or
limits
would simply be: nowait.The same daemon with a maximum limit of ten daemons
would read: nowait/10.Additionally, the same setup with a limit of twenty
connections per IP address per minute and a maximum
total limit of ten child daemons would read:
nowait/10/20.These options are all utilized by the default
settings of the fingerd daemon,
as seen here:finger stream tcp nowait/3/10 nobody /usr/libexec/fingerd fingerd -suserThis is the username that the particular daemon
should run as. Most commonly, daemons run as the
root user. For security purposes, it is
common to find some servers running as the
daemon user, or the least privileged
nobody user.server-programThe full path of the daemon to be executed when a
connection is received. If the daemon is a service
provided by inetd internally,
then should be
used.server-program-argumentsThis works in conjunction with
by specifying the
arguments, starting with argv[0],
passed to the daemon on invocation. If
mydaemon -d is the command line,
mydaemon -d would be the value of
. Again, if
the daemon is an internal service, use
here.SecurityDepending on the security profile chosen at install, many
of inetd's daemons may be enabled
by default. If there is no apparent need for a particular
daemon, disable it! Place a # in front of the
daemon in question in /etc/inetd.conf,
and then send a hangup
signal to inetd. Some daemons, such as
fingerd, may not be desired at all
because they provide an attacker with too much
information.Some daemons are not security-conscious and have long, or
non-existent timeouts for connection attempts. This allows an
attacker to slowly send connections to a particular daemon,
thus saturating available resources. It may be a good idea to
place and
limitations on certain
daemons.By default, TCP wrapping is turned on. Consult the
&man.hosts.access.5; manual page for more information on placing
TCP restrictions on various inetd
invoked daemons.Miscellaneousdaytime,
time,
echo,
discard,
chargen, and
auth are all internally provided
services of inetd.The auth service provides
identity (ident,
identd) network services, and is
configurable to a certain degree.Consult the &man.inetd.8; manual page for more in-depth
information.TomRhodesReorganized and enhanced by BillSwingleWritten by Network File System (NFS)NFSAmong the many different filesystems that FreeBSD supports
is the Network File System, also known as NFS. NFS allows a system to share directories and
files with others over a network. By using NFS, users and programs can
access files on remote systems almost as if they were local
files.Some of the most notable benefits that
NFS can provide are:Local workstations use less disk space because commonly
used data can be stored on a single machine and still remain
accessible to others over the network.There is no need for users to have separate home
directories on every network machine. Home directories
could be set up on the NFS server and
made available throughout the network.Storage devices such as floppy disks, CDROM drives, and
&iomegazip; drives can be used by other machines on the network.
This may reduce the number of removable media drives
throughout the network.How NFS WorksNFS consists of at least two main
parts: a server and one or more clients. The client remotely
accesses the data that is stored on the server machine. In
order for this to function properly a few processes have to be
configured and running.In &os; 5.X, the portmap
utility has been replaced with the
rpcbind utility. Thus, in &os; 5.X
the user is required to replace every instance of
portmap with
rpcbind in the forthcoming
examples.The server has to be running the following daemons:NFSserverfile serverunix clientsportmapmountdnfsdDaemonDescriptionnfsdThe NFS daemon which services
requests from the NFS
clients.mountdThe NFS mount daemon which carries out
the requests that &man.nfsd.8; passes on to it.portmap The portmapper daemon allows
NFS clients to discover which port
the NFS server is using.The client can also run a daemon, known as
nfsiod. The
nfsiod daemon services the requests
from the NFS server. This is optional, and
improves performance, but is not required for normal and
correct operation. See the &man.nfsiod.8; manual page for
more information.
Configuring NFSNFSconfigurationNFS configuration is a relatively
straightforward process. The processes that need to be
running can all start at boot time with a few modifications to
your /etc/rc.conf file.On the NFS server, make sure that the
following options are configured in the
/etc/rc.conf file:portmap_enable="YES"
nfs_server_enable="YES"
mountd_flags="-r"mountd runs automatically
whenever the NFS server is enabled.On the client, make sure this option is present in
/etc/rc.conf:nfs_client_enable="YES"The /etc/exports file specifies which
filesystems NFS should export (sometimes
referred to as share). Each line in
/etc/exports specifies a filesystem to be
exported and which machines have access to that filesystem.
Along with what machines have access to that filesystem,
access options may also be specified. There are many such
options that can be used in this file but only a few will be
mentioned here. You can easily discover other options by
reading over the &man.exports.5; manual page.Here are a few example /etc/exports
entries:NFSexport examplesThe following examples give an idea of how to export
filesystems, although the settings may be different depending
on your environment and network configuration. For instance,
to export the /cdrom directory to three
example machines that have the same domain name as the server
(hence the lack of a domain name for each) or have entries in
your /etc/hosts file. The
flag makes the exported filesystem
read-only. With this flag, the remote system will not be able
to write any changes to the exported filesystem./cdrom -ro host1 host2 host3The following line exports /home to
three hosts by IP address. This is a useful setup if you have
a private network without a DNS server
configured. Optionally the /etc/hosts
file could be configured for internal hostnames; please review
&man.hosts.5; for more information. The
flag allows the subdirectories to be
mount points. In other words, it will not mount the
subdirectories but permit the client to mount only the
directories that are required or needed./home -alldirs 10.0.0.2 10.0.0.3 10.0.0.4The following line exports /a so that
two clients from different domains may access the filesystem.
The flag allows the
root user on the remote system to write
data on the exported filesystem as root.
If the -maproot=root flag is not specified,
then even if a user has root access on
the remote system, he will not be able to modify files on
the exported filesystem./a -maproot=root host.example.com box.example.orgIn order for a client to access an exported filesystem,
the client must have permission to do so. Make sure the
client is listed in your /etc/exports
file.In /etc/exports, each line represents
the export information for one filesystem to one host. A
remote host can only be specified once per filesystem, and may
only have one default entry. For example, assume that
/usr is a single filesystem. The
following /etc/exports would be
invalid:/usr/src client
/usr/ports clientOne filesystem, /usr, has two lines
specifying exports to the same host, client.
The correct format for this situation is:/usr/src /usr/ports clientThe properties of one filesystem exported to a given host
must all occur on one line. Lines without a client specified
are treated as a single host. This limits how you can export
filesystems, but for most people this is not an issue.The following is an example of a valid export list, where
/usr and /exports
are local filesystems:# Export src and ports to client01 and client02, but only
# client01 has root privileges on it
/usr/src /usr/ports -maproot=root client01
/usr/src /usr/ports client02
# The client machines have root and can mount anywhere
# on /exports. Anyone in the world can mount /exports/obj read-only
/exports -alldirs -maproot=root client01 client02
/exports/obj -roYou must restart
mountd whenever you modify
/etc/exports so the changes can take effect.
This can be accomplished by sending the HUP signal
to the mountd process:&prompt.root; kill -HUP `cat /var/run/mountd.pid`Alternatively, a reboot will make FreeBSD set everything
up properly. A reboot is not necessary though.
Executing the following commands as root
should start everything up.On the NFS server:&prompt.root; portmap
&prompt.root; nfsd -u -t -n 4
&prompt.root; mountd -rOn the NFS client:&prompt.root; nfsiod -n 4Now everything should be ready to actually mount a remote file
system. In these examples the
server's name will be server and the client's
name will be client. If you only want to
temporarily mount a remote filesystem or would rather test the
configuration, just execute a command like this as root on the
client:NFSmounting&prompt.root; mount server:/home /mntThis will mount the /home directory
on the server at /mnt on the client. If
everything is set up correctly you should be able to enter
/mnt on the client and see all the files
that are on the server.If you want to automatically mount a remote filesystem
each time the computer boots, add the filesystem to the
/etc/fstab file. Here is an example:server:/home /mnt nfs rw 0 0The &man.fstab.5; manual page lists all the available
options.Practical UsesNFS has many practical uses. Some of
the more common ones are listed below:NFSusesSet several machines to share a CDROM or other media
among them. This is cheaper and often a more convenient
method to install software on multiple machines.On large networks, it might be more convenient to
configure a central NFS server in which
to store all the user home directories. These home
directories can then be exported to the network so that
users would always have the same home directory,
regardless of which workstation they log in to.Several machines could have a common
/usr/ports/distfiles directory. That
way, when you need to install a port on several machines,
you can quickly access the source without downloading it
on each machine.WylieStilwellContributed by ChernLeeRewritten by Automatic Mounts with amdamdautomatic mounter daemon&man.amd.8; (the automatic mounter daemon)
automatically mounts a
remote filesystem whenever a file or directory within that
filesystem is accessed. Filesystems that are inactive for a
period of time will also be automatically unmounted by
amd. Using
amd provides a simple alternative
to permanent mounts, as permanent mounts are usually listed in
/etc/fstab.amd operates by attaching
itself as an NFS server to the /host and
/net directories. When a file is accessed
within one of these directories, amd
looks up the corresponding remote mount and automatically mounts
it. /net is used to mount an exported
filesystem from an IP address, while /host
is used to mount an export from a remote hostname.An access to a file within
/host/foobar/usr would tell
amd to attempt to mount the
/usr export on the host
foobar.Mounting an Export with amdYou can view the available mounts of a remote host with
the showmount command. For example, to
view the mounts of a host named foobar, you
can use:&prompt.user; showmount -e foobar
Exports list on foobar:
/usr 10.10.10.0
/a 10.10.10.0
&prompt.user; cd /host/foobar/usrAs seen in the example, the showmount shows
/usr as an export. When changing directories to
/host/foobar/usr, amd
attempts to resolve the hostname foobar and
automatically mount the desired export.amd can be started by the
startup scripts by placing the following lines in
/etc/rc.conf:amd_enable="YES"Additionally, custom flags can be passed to
amd from the
amd_flags option. By default,
amd_flags is set to:amd_flags="-a /.amd_mnt -l syslog /host /etc/amd.map /net /etc/amd.map"The /etc/amd.map file defines the
default options that exports are mounted with. The
/etc/amd.conf file defines some of the more
advanced features of amd.Consult the &man.amd.8; and &man.amd.conf.5; manual pages for more
information.JohnLindContributed by Problems Integrating with Other SystemsCertain Ethernet adapters for ISA PC systems have limitations
which can lead to serious network problems, particularly with NFS.
This difficulty is not specific to FreeBSD, but FreeBSD systems
are affected by it.The problem nearly always occurs when (FreeBSD) PC systems are
networked with high-performance workstations, such as those made
by Silicon Graphics, Inc., and Sun Microsystems, Inc. The NFS
mount will work fine, and some operations may succeed, but
suddenly the server will seem to become unresponsive to the
client, even though requests to and from other systems continue to
be processed. This happens to the client system, whether the
client is the FreeBSD system or the workstation. On many systems,
there is no way to shut down the client gracefully once this
problem has manifested itself. The only solution is often to
reset the client, because the NFS situation cannot be
resolved.Though the correct solution is to get a
higher performance and capacity Ethernet adapter for the
FreeBSD system, there is a simple workaround that will allow
satisfactory operation. If the FreeBSD system is the
server, include the option
on the mount from the client. If the
FreeBSD system is the client, then mount
the NFS filesystem with the option .
These options may be specified using the fourth field of the
fstab entry on the client for automatic
mounts, or by using the parameter of the
&man.mount.8; command for manual mounts.It should be noted that there is a different problem,
sometimes mistaken for this one, when the NFS servers and
clients are on different networks. If that is the case, make
certain that your routers are routing the
necessary UDP information, or you will not get anywhere, no
matter what else you are doing.In the following examples, fastws is the host
(interface) name of a high-performance workstation, and
freebox is the host (interface) name of a FreeBSD
system with a lower-performance Ethernet adapter. Also,
/sharedfs will be the exported NFS
filesystem (see &man.exports.5;), and
/project will be the mount point on the
client for the exported filesystem. In all cases, note that
additional options, such as or
and may be desirable in
your application.Examples for the FreeBSD system (freebox)
as the client in /etc/fstab on
freebox:fastws:/sharedfs /project nfs rw,-r=1024 0 0As a manual mount command on freebox:&prompt.root; mount -t nfs -o -r=1024 fastws:/sharedfs /projectExamples for the FreeBSD system as the server in
/etc/fstab on
fastws:freebox:/sharedfs /project nfs rw,-w=1024 0 0As a manual mount command on fastws:&prompt.root; mount -t nfs -o -w=1024 freebox:/sharedfs /projectNearly any 16-bit Ethernet adapter will allow operation
without the above restrictions on the read or write size.For anyone who cares, here is what happens when the
failure occurs, which also explains why it is unrecoverable.
NFS typically works with a block size of
8 K (though it may do fragments of smaller sizes). Since
the maximum Ethernet packet is around 1500 bytes, the NFS
block gets split into multiple Ethernet
packets, even though it is still a single unit to the
upper-level code, and must be received, assembled, and
acknowledged as a unit. The
high-performance workstations can pump out the packets which
comprise the NFS unit one right after the other, just as close
together as the standard allows. On the smaller, lower
capacity cards, the later packets overrun the earlier packets
of the same unit before they can be transferred to the host
and the unit as a whole cannot be reconstructed or
acknowledged. As a result, the workstation will time out and
try again, but it will try again with the entire 8 K
unit, and the process will be repeated, ad infinitum.By keeping the unit size below the Ethernet packet size
limitation, we ensure that any complete Ethernet packet
received can be acknowledged individually, avoiding the
deadlock situation.Overruns may still occur when a high-performance
workstations is slamming data out to a PC system, but with the
better cards, such overruns are not guaranteed on NFS
units. When an overrun occurs, the units
affected will be retransmitted, and there will be a fair
chance that they will be received, assembled, and
acknowledged.BillSwingleWritten by EricOgrenEnhanced by UdoErdelhoffNetwork Information System (NIS/YP)What Is It?NISSolarisHP-UXAIXLinuxNetBSDOpenBSDNIS,
which stands for Network Information Services, was developed
by Sun Microsystems to centralize administration of &unix;
(originally &sunos;) systems. It has now essentially become
an industry standard; all major &unix; like systems
(&solaris;, HP-UX, &aix;, Linux, NetBSD, OpenBSD, FreeBSD,
etc) support NIS.yellow pagesNISNIS
was formerly known as Yellow Pages, but because of trademark
issues, Sun changed the name. The old term (and yp) is still
often seen and used.NISdomainsIt is a RPC-based client/server system that allows a group
of machines within an NIS domain to share a common set of
configuration files. This permits a system administrator to
set up NIS client systems with only minimal configuration data
and add, remove or modify configuration data from a single
location.Windows NTIt is similar to the &windowsnt; domain system; although
the internal implementation of the two are not at all similar,
the basic functionality can be compared.Terms/Processes You Should KnowThere are several terms and several important user
processes that you will come across when attempting to
implement NIS on FreeBSD, whether you are trying to create an
NIS server or act as an NIS client:portmapTermDescriptionNIS domainnameAn NIS master server and all of its clients
(including its slave servers) have a NIS domainname.
Similar to an &windowsnt; domain name, the NIS
domainname does not have anything to do with
DNS.portmapMust be running in order to enable
RPC (Remote Procedure Call, a
network protocol used by NIS). If
portmap is not running, it
will be impossible to run an NIS server, or to act as
an NIS client.ypbindBinds an NIS client to its NIS
server. It will take the NIS domainname from the
system, and using RPC, connect to
the server. ypbind is the
core of client-server communication in an NIS
environment; if ypbind dies
on a client machine, it will not be able to access the
NIS server.ypservShould only be running on NIS servers; this is
the NIS server process itself. If &man.ypserv.8;
dies, then the server will no longer be able to
respond to NIS requests (hopefully, there is a slave
server to take over for it). There are some
implementations of NIS (but not the FreeBSD one), that
do not try to reconnect to another server if the
server it used before dies. Often, the only thing
that helps in this case is to restart the server
process (or even the whole server) or the
ypbind process on the
client.
rpc.yppasswddAnother process that should only be running on
NIS master servers; this is a daemon that will allow NIS
clients to change their NIS passwords. If this daemon
is not running, users will have to login to the NIS
master server and change their passwords there.How Does It Work?There are three types of hosts in an NIS environment:
master servers, slave servers, and clients. Servers act as a
central repository for host configuration information. Master
servers hold the authoritative copy of this information, while
slave servers mirror this information for redundancy. Clients
rely on the servers to provide this information to
them.Information in many files can be shared in this manner.
The master.passwd,
group, and hosts
files are commonly shared via NIS. Whenever a process on a
client needs information that would normally be found in these
files locally, it makes a query to the NIS server that it is
bound to instead.Machine TypesNISmaster serverA NIS master server. This
server, analogous to a &windowsnt; primary domain
controller, maintains the files used by all of the NIS
clients. The passwd,
group, and other various files used
by the NIS clients live on the master server.It is possible for one machine to be an NIS
master server for more than one NIS domain. However,
this will not be covered in this introduction, which
assumes a relatively small-scale NIS
environment.NISslave serverNIS slave servers. Similar to
the &windowsnt; backup domain controllers, NIS slave
servers maintain copies of the NIS master's data files.
NIS slave servers provide the redundancy, which is
needed in important environments. They also help to
balance the load of the master server: NIS Clients
always attach to the NIS server whose response they get
first, and this includes slave-server-replies.NISclientNIS clients. NIS clients, like
most &windowsnt; workstations, authenticate against the
NIS server (or the &windowsnt; domain controller in the
&windowsnt; workstations case) to log on.Using NIS/YPThis section will deal with setting up a sample NIS
environment.This section assumes that you are running
FreeBSD 3.3 or later. The instructions given here will
probably work for any version of FreeBSD
greater than 3.0, but there are no guarantees that this is
true.PlanningLet us assume that you are the administrator of a small
university lab. This lab, which consists of 15 FreeBSD
machines, currently has no centralized point of
administration; each machine has its own
/etc/passwd and
/etc/master.passwd. These files are
kept in sync with each other only through manual
intervention; currently, when you add a user to the lab, you
must run adduser on all 15 machines.
Clearly, this has to change, so you have decided to convert
the lab to use NIS, using two of the machines as
servers.Therefore, the configuration of the lab now looks something
like:Machine nameIP addressMachine roleellington10.0.0.2NIS mastercoltrane10.0.0.3NIS slavebasie10.0.0.4Faculty workstationbird10.0.0.5Client machinecli[1-11]10.0.0.[6-17]Other client machinesIf you are setting up a NIS scheme for the first time, it
is a good idea to think through how you want to go about it. No
matter what the size of your network, there are a few decisions
that need to be made.Choosing a NIS Domain NameNISdomainnameThis might not be the domainname that
you are used to. It is more accurately called the
NIS domainname. When a client broadcasts
its requests for info, it includes the name of the NIS
domain that it is part of. This is how multiple servers
on one network can tell which server should answer which
request. Think of the NIS domainname as the name for a
group of hosts that are related in some way.Some organizations choose to use their Internet
domainname for their NIS domainname. This is not
recommended as it can cause confusion when trying to debug
network problems. The NIS domainname should be unique
within your network and it is helpful if it describes the
group of machines it represents. For example, the Art
department at Acme Inc. might be in the
acme-art NIS domain. For this example,
assume you have chosen the name
test-domain.SunOSHowever, some operating systems (notably &sunos;) use
their NIS domain name as their Internet domain name. If one
or more machines on your network have this restriction, you
must use the Internet domain name as
your NIS domain name.Physical Server RequirementsThere are several things to keep in mind when choosing
a machine to use as a NIS server. One of the unfortunate
things about NIS is the level of dependency the clients
have on the server. If a client cannot contact the server
for its NIS domain, very often the machine becomes
unusable. The lack of user and group information causes
most systems to temporarily freeze up. With this in mind
you should make sure to choose a machine that will not be
prone to being rebooted regularly, or one that might be
used for development. The NIS server should ideally be a
stand alone machine whose sole purpose in life is to be an
NIS server. If you have a network that is not very
heavily used, it is acceptable to put the NIS server on a
machine running other services, just keep in mind that if
the NIS server becomes unavailable, it will affect
all of your NIS clients
adversely.NIS Servers The canonical copies of all NIS information are stored
on a single machine called the NIS master server. The
databases used to store the information are called NIS maps.
In FreeBSD, these maps are stored in
/var/yp/[domainname] where
[domainname] is the name of the NIS
domain being served. A single NIS server can support
several domains at once, therefore it is possible to have
several such directories, one for each supported domain.
Each domain will have its own independent set of
maps.NIS master and slave servers handle all NIS requests
with the ypserv daemon.
ypserv is responsible for receiving
incoming requests from NIS clients, translating the
requested domain and map name to a path to the corresponding
database file and transmitting data from the database back
to the client.Setting Up a NIS Master ServerNISserver configurationSetting up a master NIS server can be relatively
straight forward, depending on your needs. FreeBSD comes
with support for NIS out-of-the-box. All you need is to
add the following lines to
/etc/rc.conf, and FreeBSD will do the
rest for you.nisdomainname="test-domain"
This line will set the NIS domainname to
test-domain
upon network setup (e.g. after reboot).nis_server_enable="YES"
This will tell FreeBSD to start up the NIS server processes
when the networking is next brought up.nis_yppasswdd_enable="YES"
This will enable the rpc.yppasswdd
daemon which, as mentioned above, will allow users to
change their NIS password from a client machine.Depending on your NIS setup, you may need to add
further entries. See the section about NIS
servers that are also NIS clients, below, for
details.Now, all you have to do is to run the command
/etc/netstart as superuser. It will
set up everything for you, using the values you defined in
/etc/rc.conf.Initializing the NIS MapsNISmapsThe NIS maps are database files,
that are kept in the /var/yp
directory. They are generated from configuration files in
the /etc directory of the NIS master,
with one exception: the
/etc/master.passwd file. This is for
a good reason, you do not want to propagate passwords to
your root and other administrative
accounts to all the servers in the NIS domain. Therefore,
before we initialize the NIS maps, you should:&prompt.root; cp /etc/master.passwd /var/yp/master.passwd
&prompt.root; cd /var/yp
&prompt.root; vi master.passwdYou should remove all entries regarding system
accounts (bin,
tty, kmem,
games, etc), as well as any accounts
that you do not want to be propagated to the NIS clients
(for example root and any other UID 0
(superuser) accounts).Make sure the
/var/yp/master.passwd is neither group
nor world readable (mode 600)! Use the
chmod command, if appropriate.Tru64 UNIXWhen you have finished, it is time to initialize the
NIS maps! FreeBSD includes a script named
ypinit to do this for you (see its
manual page for more information). Note that this script
is available on most &unix; Operating Systems, but not on
all. On Digital UNIX/Compaq Tru64 UNIX it is called
ypsetup. Because we are generating
maps for an NIS master, we are going to pass the
option to ypinit.
To generate the NIS maps, assuming you already performed
the steps above, run:ellington&prompt.root; ypinit -m test-domain
Server Type: MASTER Domain: test-domain
Creating an YP server will require that you answer a few questions.
Questions will all be asked at the beginning of the procedure.
Do you want this procedure to quit on non-fatal errors? [y/n: n] n
Ok, please remember to go back and redo manually whatever fails.
If you don't, something might not work.
At this point, we have to construct a list of this domains YP servers.
rod.darktech.org is already known as master server.
Please continue to add any slave servers, one per line. When you are
done with the list, type a <control D>.
master server : ellington
next host to add: coltrane
next host to add: ^D
The current list of NIS servers looks like this:
ellington
coltrane
Is this correct? [y/n: y] y
[..output from map generation..]
NIS Map update completed.
ellington has been setup as an YP master server without any errors.ypinit should have created
/var/yp/Makefile from
/var/yp/Makefile.dist.
When created, this file assumes that you are operating
in a single server NIS environment with only FreeBSD
machines. Since test-domain has
a slave server as well, you must edit
/var/yp/Makefile:ellington&prompt.root; vi /var/yp/MakefileYou should comment out the line that saysNOPUSH = "True"(if it is not commented out already).Setting up a NIS Slave ServerNISslave serverSetting up an NIS slave server is even more simple than
setting up the master. Log on to the slave server and edit the
file /etc/rc.conf as you did before.
The only difference is that we now must use the
option when running ypinit.
The option requires the name of the NIS
master be passed to it as well, so our command line looks
like:coltrane&prompt.root; ypinit -s ellington test-domain
Server Type: SLAVE Domain: test-domain Master: ellington
Creating an YP server will require that you answer a few questions.
Questions will all be asked at the beginning of the procedure.
Do you want this procedure to quit on non-fatal errors? [y/n: n] n
Ok, please remember to go back and redo manually whatever fails.
If you don't, something might not work.
There will be no further questions. The remainder of the procedure
should take a few minutes, to copy the databases from ellington.
Transferring netgroup...
ypxfr: Exiting: Map successfully transferred
Transferring netgroup.byuser...
ypxfr: Exiting: Map successfully transferred
Transferring netgroup.byhost...
ypxfr: Exiting: Map successfully transferred
Transferring master.passwd.byuid...
ypxfr: Exiting: Map successfully transferred
Transferring passwd.byuid...
ypxfr: Exiting: Map successfully transferred
Transferring passwd.byname...
ypxfr: Exiting: Map successfully transferred
Transferring group.bygid...
ypxfr: Exiting: Map successfully transferred
Transferring group.byname...
ypxfr: Exiting: Map successfully transferred
Transferring services.byname...
ypxfr: Exiting: Map successfully transferred
Transferring rpc.bynumber...
ypxfr: Exiting: Map successfully transferred
Transferring rpc.byname...
ypxfr: Exiting: Map successfully transferred
Transferring protocols.byname...
ypxfr: Exiting: Map successfully transferred
Transferring master.passwd.byname...
ypxfr: Exiting: Map successfully transferred
Transferring networks.byname...
ypxfr: Exiting: Map successfully transferred
Transferring networks.byaddr...
ypxfr: Exiting: Map successfully transferred
Transferring netid.byname...
ypxfr: Exiting: Map successfully transferred
Transferring hosts.byaddr...
ypxfr: Exiting: Map successfully transferred
Transferring protocols.bynumber...
ypxfr: Exiting: Map successfully transferred
Transferring ypservers...
ypxfr: Exiting: Map successfully transferred
Transferring hosts.byname...
ypxfr: Exiting: Map successfully transferred
coltrane has been setup as an YP slave server without any errors.
Don't forget to update map ypservers on ellington.You should now have a directory called
/var/yp/test-domain. Copies of the NIS
master server's maps should be in this directory. You will
need to make sure that these stay updated. The following
/etc/crontab entries on your slave
servers should do the job:20 * * * * root /usr/libexec/ypxfr passwd.byname
21 * * * * root /usr/libexec/ypxfr passwd.byuidThese two lines force the slave to sync its maps with
the maps on the master server. Although these entries are
not mandatory, since the master server attempts to ensure
any changes to its NIS maps are communicated to its slaves
and because password information is vital to systems
depending on the server, it is a good idea to force the
updates. This is more important on busy networks where map
updates might not always complete.Now, run the command /etc/netstart on the
slave server as well, which again starts the NIS server.NIS Clients An NIS client establishes what is called a binding to a
particular NIS server using the
ypbind daemon.
ypbind checks the system's default
domain (as set by the domainname command),
and begins broadcasting RPC requests on the local network.
These requests specify the name of the domain for which
ypbind is attempting to establish a binding.
If a server that has been configured to serve the requested
domain receives one of the broadcasts, it will respond to
ypbind, which will record the server's
address. If there are several servers available (a master and
several slaves, for example), ypbind will
use the address of the first one to respond. From that point
on, the client system will direct all of its NIS requests to
that server. ypbind will
occasionally ping the server to make sure it is
still up and running. If it fails to receive a reply to one of
its pings within a reasonable amount of time,
ypbind will mark the domain as unbound and
begin broadcasting again in the hopes of locating another
server.Setting Up a NIS ClientNISclient configurationSetting up a FreeBSD machine to be a NIS client is fairly
straightforward.Edit the file /etc/rc.conf and
add the following lines in order to set the NIS domainname
and start ypbind upon network
startup:nisdomainname="test-domain"
nis_client_enable="YES"To import all possible password entries from the NIS
server, remove all user accounts from your
/etc/master.passwd file and use
vipw to add the following line to
the end of the file:+:::::::::This line will afford anyone with a valid account in
the NIS server's password maps an account. There are
many ways to configure your NIS client by changing this
line. See the netgroups
section below for more information.
For more detailed reading see O'Reilly's book on
Managing NFS and NIS.You should keep at least one local account (i.e.
not imported via NIS) in your
/etc/master.passwd and this
account should also be a member of the group
wheel. If there is something
wrong with NIS, this account can be used to log in
remotely, become root, and fix things.To import all possible group entries from the NIS
server, add this line to your
/etc/group file:+:*::After completing these steps, you should be able to run
ypcat passwd and see the NIS server's
passwd map.NIS SecurityIn general, any remote user can issue an RPC to
&man.ypserv.8; and retrieve the contents of your NIS maps,
provided the remote user knows your domainname. To prevent
such unauthorized transactions, &man.ypserv.8; supports a
feature called securenets which can be used to
restrict access to a given set of hosts. At startup,
&man.ypserv.8; will attempt to load the securenets information
from a file called
/var/yp/securenets.This path varies depending on the path specified with the
option. This file contains entries that
consist of a network specification and a network mask separated
by white space. Lines starting with # are
considered to be comments. A sample securenets file might look
like this:# allow connections from local host -- mandatory
127.0.0.1 255.255.255.255
# allow connections from any host
# on the 192.168.128.0 network
192.168.128.0 255.255.255.0
# allow connections from any host
# between 10.0.0.0 to 10.0.15.255
# this includes the machines in the testlab
10.0.0.0 255.255.240.0If &man.ypserv.8; receives a request from an address that
matches one of these rules, it will process the request
normally. If the address fails to match a rule, the request
will be ignored and a warning message will be logged. If the
/var/yp/securenets file does not exist,
ypserv will allow connections from any
host.The ypserv program also has support for
Wietse Venema's tcpwrapper package.
This allows the administrator to use the
tcpwrapper configuration files for
access control instead of
/var/yp/securenets.While both of these access control mechanisms provide some
security, they, like the privileged port test, are
vulnerable to IP spoofing attacks. All
NIS-related traffic should be blocked at your firewall.Servers using /var/yp/securenets
may fail to serve legitimate NIS clients with archaic TCP/IP
implementations. Some of these implementations set all
host bits to zero when doing broadcasts and/or fail to
observe the subnet mask when calculating the broadcast
address. While some of these problems can be fixed by
changing the client configuration, other problems may force
the retirement of the client systems in question or the
abandonment of /var/yp/securenets.Using /var/yp/securenets on a
server with such an archaic implementation of TCP/IP is a
really bad idea and will lead to loss of NIS functionality
for large parts of your network.tcpwrapperThe use of the tcpwrapper
package increases the latency of your NIS server. The
additional delay may be long enough to cause timeouts in
client programs, especially in busy networks or with slow
NIS servers. If one or more of your client systems
suffers from these symptoms, you should convert the client
systems in question into NIS slave servers and force them
to bind to themselves.Barring Some Users from Logging OnIn our lab, there is a machine basie that
is supposed to be a faculty only workstation. We do not want
to take this machine out of the NIS domain, yet the
passwd file on the master NIS server
contains accounts for both faculty and students. What can we
do?There is a way to bar specific users from logging on to a
machine, even if they are present in the NIS database. To do
this, all you must do is add
-username to the
end of the /etc/master.passwd file on the
client machine, where username is
the username of the user you wish to bar from logging in.
This should preferably be done using vipw,
since vipw will sanity check your changes
to /etc/master.passwd, as well as
automatically rebuild the password database when you finish
editing. For example, if we wanted to bar user
bill from logging on to
basie we would:basie&prompt.root; vipw[add -bill to the end, exit]
vipw: rebuilding the database...
vipw: done
basie&prompt.root; cat /etc/master.passwd
root:[password]:0:0::0:0:The super-user:/root:/bin/csh
toor:[password]:0:0::0:0:The other super-user:/root:/bin/sh
daemon:*:1:1::0:0:Owner of many system processes:/root:/sbin/nologin
operator:*:2:5::0:0:System &:/:/sbin/nologin
bin:*:3:7::0:0:Binaries Commands and Source,,,:/:/sbin/nologin
tty:*:4:65533::0:0:Tty Sandbox:/:/sbin/nologin
kmem:*:5:65533::0:0:KMem Sandbox:/:/sbin/nologin
games:*:7:13::0:0:Games pseudo-user:/usr/games:/sbin/nologin
news:*:8:8::0:0:News Subsystem:/:/sbin/nologin
man:*:9:9::0:0:Mister Man Pages:/usr/share/man:/sbin/nologin
bind:*:53:53::0:0:Bind Sandbox:/:/sbin/nologin
uucp:*:66:66::0:0:UUCP pseudo-user:/var/spool/uucppublic:/usr/libexec/uucp/uucico
xten:*:67:67::0:0:X-10 daemon:/usr/local/xten:/sbin/nologin
pop:*:68:6::0:0:Post Office Owner:/nonexistent:/sbin/nologin
nobody:*:65534:65534::0:0:Unprivileged user:/nonexistent:/sbin/nologin
+:::::::::
-bill
basie&prompt.root;UdoErdelhoffContributed by Using NetgroupsnetgroupsThe method shown in the previous section works reasonably
well if you need special rules for a very small number of
users and/or machines. On larger networks, you
will forget to bar some users from logging
onto sensitive machines, or you may even have to modify each
machine separately, thus losing the main benefit of NIS:
centralized administration.The NIS developers' solution for this problem is called
netgroups. Their purpose and semantics
can be compared to the normal groups used by &unix; file
systems. The main differences are the lack of a numeric ID
and the ability to define a netgroup by including both user
accounts and other netgroups.Netgroups were developed to handle large, complex networks
with hundreds of users and machines. On one hand, this is
a Good Thing if you are forced to deal with such a situation.
On the other hand, this complexity makes it almost impossible to
explain netgroups with really simple examples. The example
used in the remainder of this section demonstrates this
problem.Let us assume that your successful introduction of NIS in
your laboratory caught your superiors' interest. Your next
job is to extend your NIS domain to cover some of the other
machines on campus. The two tables contain the names of the
new users and new machines as well as brief descriptions of
them.User Name(s)Descriptionalpha, betaNormal employees of the IT departmentcharlie, deltaThe new apprentices of the IT departmentecho, foxtrott, golf, ...Ordinary employeesable, baker, ...The current internsMachine Name(s)Descriptionwar, death,
famine,
pollutionYour most important servers. Only the IT
employees are allowed to log onto these
machines.pride, greed,
envy, wrath,
lust, slothLess important servers. All members of the IT
department are allowed to login onto these
machines.one, two,
three, four,
...Ordinary workstations. Only the
real employees are allowed to use
these machines.trashcanA very old machine without any critical data.
Even the intern is allowed to use this box.If you tried to implement these restrictions by separately
blocking each user, you would have to add one
-user line to
each system's passwd for each user who is
not allowed to login onto that system. If you forget just one
entry, you could be in trouble. It may be feasible to do this
correctly during the initial setup, however you
will eventually forget to add the lines
for new users during day-to-day operations. After all, Murphy
was an optimist.Handling this situation with netgroups offers several
advantages. Each user need not be handled separately; you
assign a user to one or more netgroups and allow or forbid
logins for all members of the netgroup. If you add a new
machine, you will only have to define login restrictions for
netgroups. If a new user is added, you will only have to add
the user to one or more netgroups. Those changes are
independent of each other: no more for each combination
of user and machine do... If your NIS setup is planned
carefully, you will only have to modify exactly one central
configuration file to grant or deny access to machines.The first step is the initialization of the NIS map
netgroup. FreeBSD's &man.ypinit.8; does not create this map by
default, but its NIS implementation will support it once it has
been created. To create an empty map, simply typeellington&prompt.root; vi /var/yp/netgroupand start adding content. For our example, we need at
least four netgroups: IT employees, IT apprentices, normal
employees and interns.IT_EMP (,alpha,test-domain) (,beta,test-domain)
IT_APP (,charlie,test-domain) (,delta,test-domain)
USERS (,echo,test-domain) (,foxtrott,test-domain) \
(,golf,test-domain)
INTERNS (,able,test-domain) (,baker,test-domain)IT_EMP, IT_APP etc.
are the names of the netgroups. Each bracketed group adds
one or more user accounts to it. The three fields inside a
group are:The name of the host(s) where the following items are
valid. If you do not specify a hostname, the entry is
valid on all hosts. If you do specify a hostname, you
will enter a realm of darkness, horror and utter confusion.The name of the account that belongs to this
netgroup.The NIS domain for the account. You can import
accounts from other NIS domains into your netgroup if you
are one of the unlucky fellows with more than one NIS
domain.Each of these fields can contain wildcards. See
&man.netgroup.5; for details.netgroupsNetgroup names longer than 8 characters should not be
used, especially if you have machines running other
operating systems within your NIS domain. The names are
case sensitive; using capital letters for your netgroup
names is an easy way to distinguish between user, machine
and netgroup names.Some NIS clients (other than FreeBSD) cannot handle
netgroups with a large number of entries. For example, some
older versions of &sunos; start to cause trouble if a netgroup
contains more than 15 entries. You can
circumvent this limit by creating several sub-netgroups with
15 users or less and a real netgroup that consists of the
sub-netgroups:BIGGRP1 (,joe1,domain) (,joe2,domain) (,joe3,domain) [...]
BIGGRP2 (,joe16,domain) (,joe17,domain) [...]
BIGGRP3 (,joe31,domain) (,joe32,domain)
BIGGROUP BIGGRP1 BIGGRP2 BIGGRP3You can repeat this process if you need more than 225
users within a single netgroup.Activating and distributing your new NIS map is
easy:ellington&prompt.root; cd /var/yp
ellington&prompt.root; makeThis will generate the three NIS maps
netgroup,
netgroup.byhost and
netgroup.byuser. Use &man.ypcat.1; to
check if your new NIS maps are available:ellington&prompt.user; ypcat -k netgroup
ellington&prompt.user; ypcat -k netgroup.byhost
ellington&prompt.user; ypcat -k netgroup.byuserThe output of the first command should resemble the
contents of /var/yp/netgroup. The second
command will not produce output if you have not specified
host-specific netgroups. The third command can be used to
get the list of netgroups for a user.The client setup is quite simple. To configure the server
war, you only have to start
&man.vipw.8; and replace the line+:::::::::with+@IT_EMP:::::::::Now, only the data for the users defined in the netgroup
IT_EMP is imported into
war's password database and only
these users are allowed to login.Unfortunately, this limitation also applies to the
~ function of the shell and all routines
converting between user names and numerical user IDs. In
other words, cd
~user will not work,
ls -l will show the numerical ID instead of
the username and find . -user joe -print
will fail with No such user. To fix
this, you will have to import all user entries
without allowing them to login onto your
servers.This can be achieved by adding another line to
/etc/master.passwd. This line should
contain:+:::::::::/sbin/nologin, meaning
Import all entries but replace the shell with
/sbin/nologin in the imported
entries. You can replace any field in the
passwd entry by placing a default value in
your /etc/master.passwd.Make sure that the line
+:::::::::/sbin/nologin is placed after
+@IT_EMP:::::::::. Otherwise, all user
accounts imported from NIS will have /sbin/nologin as their
login shell.After this change, you will only have to change one NIS
map if a new employee joins the IT department. You could use
a similar approach for the less important servers by replacing
the old +::::::::: in their local version
of /etc/master.passwd with something like
this:+@IT_EMP:::::::::
+@IT_APP:::::::::
+:::::::::/sbin/nologinThe corresponding lines for the normal workstations
could be:+@IT_EMP:::::::::
+@USERS:::::::::
+:::::::::/sbin/nologinAnd everything would be fine until there is a policy
change a few weeks later: The IT department starts hiring
interns. The IT interns are allowed to use the normal
workstations and the less important servers; and the IT
apprentices are allowed to login onto the main servers. You
add a new netgroup IT_INTERN, add the new
IT interns to this netgroup and start to change the
configuration on each and every machine... As the old saying
goes: Errors in centralized planning lead to global
mess.NIS' ability to create netgroups from other netgroups can
be used to prevent situations like these. One possibility
is the creation of role-based netgroups. For example, you
could create a netgroup called
BIGSRV to define the login
restrictions for the important servers, another netgroup
called SMALLSRV for the less
important servers and a third netgroup called
USERBOX for the normal
workstations. Each of these netgroups contains the netgroups
that are allowed to login onto these machines. The new
entries for your NIS map netgroup should look like this:BIGSRV IT_EMP IT_APP
SMALLSRV IT_EMP IT_APP ITINTERN
USERBOX IT_EMP ITINTERN USERSThis method of defining login restrictions works
reasonably well if you can define groups of machines with
identical restrictions. Unfortunately, this is the exception
and not the rule. Most of the time, you will need the ability
to define login restrictions on a per-machine basis.Machine-specific netgroup definitions are the other
possibility to deal with the policy change outlined above. In
this scenario, the /etc/master.passwd of
each box contains two lines starting with +.
The first of them adds a netgroup with the accounts allowed to
login onto this machine, the second one adds all other
accounts with /sbin/nologin as shell. It
is a good idea to use the ALL-CAPS version of
the machine name as the name of the netgroup. In other words,
the lines should look like this:+@BOXNAME:::::::::
+:::::::::/sbin/nologinOnce you have completed this task for all your machines,
you will not have to modify the local versions of
/etc/master.passwd ever again. All
further changes can be handled by modifying the NIS map. Here
is an example of a possible netgroup map for this
scenario with some additional goodies:# Define groups of users first
IT_EMP (,alpha,test-domain) (,beta,test-domain)
IT_APP (,charlie,test-domain) (,delta,test-domain)
DEPT1 (,echo,test-domain) (,foxtrott,test-domain)
DEPT2 (,golf,test-domain) (,hotel,test-domain)
DEPT3 (,india,test-domain) (,juliet,test-domain)
ITINTERN (,kilo,test-domain) (,lima,test-domain)
D_INTERNS (,able,test-domain) (,baker,test-domain)
#
# Now, define some groups based on roles
USERS DEPT1 DEPT2 DEPT3
BIGSRV IT_EMP IT_APP
SMALLSRV IT_EMP IT_APP ITINTERN
USERBOX IT_EMP ITINTERN USERS
#
# And a groups for a special tasks
# Allow echo and golf to access our anti-virus-machine
SECURITY IT_EMP (,echo,test-domain) (,golf,test-domain)
#
# machine-based netgroups
# Our main servers
WAR BIGSRV
FAMINE BIGSRV
# User india needs access to this server
POLLUTION BIGSRV (,india,test-domain)
#
# This one is really important and needs more access restrictions
DEATH IT_EMP
#
# The anti-virus-machine mentioned above
ONE SECURITY
#
# Restrict a machine to a single user
TWO (,hotel,test-domain)
# [...more groups to follow]If you are using some kind of database to manage your user
accounts, you should be able to create the first part of the
map with your database's report tools. This way, new users
will automatically have access to the boxes.One last word of caution: It may not always be advisable
to use machine-based netgroups. If you are deploying a couple of
dozen or even hundreds of identical machines for student labs,
you should use role-based netgroups instead of machine-based
netgroups to keep the size of the NIS map within reasonable
limits.Important Things to RememberThere are still a couple of things that you will need to do
differently now that you are in an NIS environment.Every time you wish to add a user to the lab, you
must add it to the master NIS server only,
and you must remember to rebuild the NIS
maps. If you forget to do this, the new user will
not be able to login anywhere except on the NIS master.
For example, if we needed to add a new user
jsmith to the lab, we would:&prompt.root; pw useradd jsmith
&prompt.root; cd /var/yp
&prompt.root; make test-domainYou could also run adduser jsmith instead
of pw useradd jsmith.Keep the administration accounts out of the
NIS maps. You do not want to be propagating
administrative accounts and passwords to machines that
will have users that should not have access to those
accounts.Keep the NIS master and slave secure, and
minimize their downtime. If somebody either
hacks or simply turns off these machines, they have
effectively rendered many people without the ability to
login to the lab.This is the chief weakness of any centralized administration
system. If you do
not protect your NIS servers, you will have a lot of angry
users!NIS v1 Compatibility FreeBSD's ypserv has some
support for serving NIS v1 clients. FreeBSD's NIS
implementation only uses the NIS v2 protocol, however other
implementations include support for the v1 protocol for
backwards compatibility with older systems. The
ypbind daemons supplied with these
systems will try to establish a binding to an NIS v1 server
even though they may never actually need it (and they may
persist in broadcasting in search of one even after they
receive a response from a v2 server). Note that while support
for normal client calls is provided, this version of
ypserv does not handle v1 map
transfer requests; consequently, it cannot be used as a master
or slave in conjunction with older NIS servers that only
support the v1 protocol. Fortunately, there probably are not
any such servers still in use today.NIS Servers That Are Also NIS Clients Care must be taken when running
ypserv in a multi-server domain
where the server machines are also NIS clients. It is
generally a good idea to force the servers to bind to
themselves rather than allowing them to broadcast bind
requests and possibly become bound to each other. Strange
failure modes can result if one server goes down and others
are dependent upon it. Eventually all the clients will time
out and attempt to bind to other servers, but the delay
involved can be considerable and the failure mode is still
present since the servers might bind to each other all over
again.You can force a host to bind to a particular server by running
ypbind with the
flag. If you do not want to do this manually each time you
reboot your NIS server, you can add the following lines to
your /etc/rc.conf:nis_client_enable="YES" # run client stuff as well
nis_client_flags="-S NIS domain,server"See &man.ypbind.8; for further information.Password FormatsNISpassword formatsOne of the most common issues that people run into when trying
to implement NIS is password format compatibility. If your NIS
server is using DES encrypted passwords, it will only support
clients that are also using DES. For example, if you have
&solaris; NIS clients in your network, then you will almost certainly
need to use DES encrypted passwords.To check which format your servers
and clients are using, look at /etc/login.conf.
If the host is configured to use DES encrypted passwords, then the
default class will contain an entry like this:default:\
:passwd_format=des:\
:copyright=/etc/COPYRIGHT:\
[Further entries elided]Other possible values for the passwd_format
capability include blf and md5
(for Blowfish and MD5 encrypted passwords, respectively).If you have made changes to
/etc/login.conf, you will also need to
rebuild the login capability database, which is achieved by
running the following command as
root:&prompt.root; cap_mkdb /etc/login.confThe format of passwords already in
/etc/master.passwd will not be updated
until a user changes his password for the first time
after the login capability database is
rebuilt.Next, in order to ensure that passwords are encrypted with
the format that you have chosen, you should also check that
the crypt_default in
/etc/auth.conf gives precedence to your
chosen password format. To do this, place the format that you
have chosen first in the list. For example, when using DES
encrypted passwords, the entry would be:crypt_default = des blf md5Having followed the above steps on each of the &os; based
NIS servers and clients, you can be sure that they all agree
on which password format is used within your network. If you
have trouble authenticating on an NIS client, this is a pretty
good place to start looking for possible problems. Remember:
if you want to deploy an NIS server for a heterogenous
network, you will probably have to use DES on all systems
because it is the lowest common standard.GregSutterWritten by Automatic Network Configuration (DHCP)What Is DHCP?Dynamic Host Configuration ProtocolDHCPInternet Software Consortium (ISC)DHCP, the Dynamic Host Configuration Protocol, describes
the means by which a system can connect to a network and obtain the
necessary information for communication upon that network. FreeBSD
uses the ISC (Internet Software Consortium) DHCP implementation, so
all implementation-specific information here is for use with the ISC
distribution.What This Section CoversThis section describes both the client-side and
server-side components of the ISC DHCP system. The
client-side program, dhclient, comes
integrated within FreeBSD, and the server-side portion is
available from the net/isc-dhcp3-server port. The
&man.dhclient.8;, &man.dhcp-options.5;, and
&man.dhclient.conf.5; manual pages, in addition to the
references below, are useful resources.How It WorksUDPWhen dhclient, the DHCP client, is
executed on the client machine, it begins broadcasting
requests for configuration information. By default, these
requests are on UDP port 68. The server replies on UDP 67,
giving the client an IP address and other relevant network
information such as netmask, router, and DNS servers. All of
this information comes in the form of a DHCP
lease and is only valid for a certain time
(configured by the DHCP server maintainer). In this manner,
stale IP addresses for clients no longer connected to the
network can be automatically reclaimed.DHCP clients can obtain a great deal of information from
the server. An exhaustive list may be found in
&man.dhcp-options.5;.FreeBSD IntegrationFreeBSD fully integrates the ISC DHCP client,
dhclient. DHCP client support is provided
within both the installer and the base system, obviating the need
for detailed knowledge of network configurations on any network
that runs a DHCP server. dhclient has been
included in all FreeBSD distributions since 3.2.sysinstallDHCP is supported by
sysinstall. When configuring a
network interface within
sysinstall, the first question
asked is: Do you want to try DHCP configuration of
this interface?. Answering affirmatively will
execute dhclient, and if successful, will
fill in the network configuration information
automatically.There are two things you must do to have your system use
DHCP upon startup:DHCPrequirementsMake sure that the bpf
device is compiled into your kernel. To do this, add
device bpf (pseudo-device
bpf under &os; 4.X) to your kernel
configuration file, and rebuild the kernel. For more
information about building kernels, see .The
bpf device is already part of
the GENERIC kernel that is supplied
with FreeBSD, so if you do not have a custom kernel, you
should not need to create one in order to get DHCP
working.For those who are particularly security conscious,
you should be warned that bpf
is also the device that allows packet sniffers to work
correctly (although they still have to be run as
root). bpfis required to use DHCP, but if
you are very sensitive about security, you probably
should not add bpf to your
kernel in the expectation that at some point in the
future you will be using DHCP.Edit your /etc/rc.conf to
include the following:ifconfig_fxp0="DHCP"Be sure to replace fxp0 with the
designation for the interface that you wish to dynamically
configure, as described in
.If you are using a different location for
dhclient, or if you wish to pass additional
flags to dhclient, also include the
following (editing as necessary):dhcp_program="/sbin/dhclient"
dhcp_flags=""DHCPserverThe DHCP server, dhcpd, is included
as part of the net/isc-dhcp3-server port in the ports
collection. This port contains the ISC DHCP server and
documentation.FilesDHCPconfiguration files/etc/dhclient.confdhclient requires a configuration file,
/etc/dhclient.conf. Typically the file
contains only comments, the defaults being reasonably sane. This
configuration file is described by the &man.dhclient.conf.5;
manual page./sbin/dhclientdhclient is statically linked and
resides in /sbin. The &man.dhclient.8;
manual page gives more information about
dhclient./sbin/dhclient-scriptdhclient-script is the FreeBSD-specific
DHCP client configuration script. It is described in
&man.dhclient-script.8;, but should not need any user
modification to function properly./var/db/dhclient.leasesThe DHCP client keeps a database of valid leases in this
file, which is written as a log. &man.dhclient.leases.5;
gives a slightly longer description.Further ReadingThe DHCP protocol is fully described in
RFC 2131.
An informational resource has also been set up at
.Installing and Configuring a DHCP ServerWhat This Section CoversThis section provides information on how to configure
a FreeBSD system to act as a DHCP server using the ISC
(Internet Software Consortium) implementation of the DHCP
suite.The server portion of the suite is not provided as part of
FreeBSD, and so you will need to install the
net/isc-dhcp3-server
port to provide this service. See for
more information on using the ports collection.DHCP Server InstallationDHCPinstallationIn order to configure your FreeBSD system as a DHCP
server, you will need to ensure that the &man.bpf.4;
device is compiled into your kernel. To do this, add
device bpf (pseudo-device
bpf under &os; 4.X) to your kernel
configuration file, and rebuild the kernel. For more
information about building kernels, see .The bpf device is already
part of the GENERIC kernel that is
supplied with FreeBSD, so you do not need to create a custom
kernel in order to get DHCP working.Those who are particularly security conscious
should note that bpf
is also the device that allows packet sniffers to work
correctly (although such programs still need privileged
access). bpfis required to use DHCP, but if
you are very sensitive about security, you probably
should not include bpf in your
kernel purely because you expect to use DHCP at some
point in the future.The next thing that you will need to do is edit the sample
dhcpd.conf which was installed by the
net/isc-dhcp3-server port.
By default, this will be
/usr/local/etc/dhcpd.conf.sample, and you
should copy this to
/usr/local/etc/dhcpd.conf before proceeding
to make changes.Configuring the DHCP ServerDHCPdhcpd.confdhcpd.conf is
comprised of declarations regarding subnets and hosts, and is
perhaps most easily explained using an example :option domain-name "example.com";
option domain-name-servers 192.168.4.100;
option subnet-mask 255.255.255.0;
default-lease-time 3600;
max-lease-time 86400;
ddns-update-style none;
subnet 192.168.4.0 netmask 255.255.255.0 {
range 192.168.4.129 192.168.4.254;
option routers 192.168.4.1;
}
host mailhost {
hardware ethernet 02:03:04:05:06:07;
fixed-address mailhost.example.com;
}This option specifies the domain that will be provided
to clients as the default search domain. See
&man.resolv.conf.5; for more information on what this
means.This option specifies a comma separated list of DNS
servers that the client should use.The netmask that will be provided to clients.A client may request a specific length of time that a
lease will be valid. Otherwise the server will assign
a lease with this expiry value (in seconds).This is the maximum length of time that the server will
lease for. Should a client request a longer lease, a lease
will be issued, although it will only be valid for
max-lease-time seconds.This option specifies whether the DHCP server should
attempt to update DNS when a lease is accepted or released.
In the ISC implementation, this option is
required.This denotes which IP addresses should be used in
the pool reserved for allocating to clients. IP
addresses between, and including, the ones stated are
handed out to clients.Declares the default gateway that will be provided to
clients.The hardware MAC address of a host (so that the DHCP server
can recognize a host when it makes a request).Specifies that the host should always be given the
same IP address. Note that using a hostname is
correct here, since the DHCP server will resolve the
hostname itself before returning the lease
information.Once you have finished writing your
dhcpd.conf, you can proceed to start the
server by issuing the following command:&prompt.root; /usr/local/etc/rc.d/isc-dhcpd.sh startShould you need to make changes to the configuration of your
server in the future, it is important to note that sending a
SIGHUP signal to
dhcpd does not
result in the configuration being reloaded, as it does with most
daemons. You will need to send a SIGTERM
signal to stop the process, and then restart it using the command
above.FilesDHCPconfiguration files/usr/local/sbin/dhcpddhcpd is statically linked and
resides in /usr/local/sbin. The
&man.dhcpd.8; manual page installed with the
port gives more information about
dhcpd./usr/local/etc/dhcpd.confdhcpd requires a configuration
file, /usr/local/etc/dhcpd.conf before it
will start providing service to clients. This file needs to
contain all the information that should be provided to clients
that are being serviced, along with information regarding the
operation of the server. This configuration file is described
by the &man.dhcpd.conf.5; manual page installed
by the port./var/db/dhcpd.leasesThe DHCP server keeps a database of leases it has issued
in this file, which is written as a log. The manual page
&man.dhcpd.leases.5;, installed by the port
gives a slightly longer description./usr/local/sbin/dhcrelaydhcrelay is used in advanced
environments where one DHCP server forwards a request from a
client to another DHCP server on a separate network. If you
require this functionality, then install the net/isc-dhcp3-relay port. The
&man.dhcrelay.8; manual page provided with the
port contains more detail.ChernLeeContributed by Domain Name System (DNS)OverviewBINDFreeBSD utilizes, by default, a version of BIND (Berkeley
Internet Name Domain), which is the most common implementation
of the DNS protocol. DNS is the protocol through which names
are mapped to IP addresses, and vice versa. For example, a
query for www.FreeBSD.org will
receive a reply with the IP address of The FreeBSD Project's
web server, whereas, a query for ftp.FreeBSD.org will return the IP
address of the corresponding FTP machine. Likewise, the
opposite can happen. A query for an IP address can resolve
its hostname. It is not necessary to run a name server to
perform DNS lookups on a system.
DNSDNS is coordinated across the Internet through a somewhat
complex system of authoritative root name servers, and other
smaller-scale name servers who host and cache individual domain
information.
This document refers to BIND 8.x, as it is the stable version
used in FreeBSD. BIND 9.x in FreeBSD can be installed through
the net/bind9 port.
RFC1034 and RFC1035 dictate the DNS protocol.
Currently, BIND is maintained by the
Internet Software Consortium .
TerminologyTo understand this document, some terms related to DNS must be
understood.resolverreverse DNSroot zoneTermDefinitionForward DNSMapping of hostnames to IP addressesOriginRefers to the domain covered in a particular zone
filenamed, BIND, name serverCommon names for the BIND name server package within
FreeBSDResolverA system process through which a
machine queries a name server for zone informationReverse DNSThe opposite of forward DNS; mapping of IP addresses to
hostnamesRoot zoneThe beginning of the Internet zone hierarchy.
All zones fall under the root zone, similar to how
all files in a file system fall under the root directory.ZoneAn individual domain, subdomain, or portion of the DNS administered by
the same authorityzonesexamplesExamples of zones:
. is the root zoneorg. is a zone under the root zoneexample.org is a
zone under the org. zonefoo.example.org. is
a subdomain, a zone under the example.org. zone1.2.3.in-addr.arpa is a zone referencing
all IP addresses which fall under the 3.2.1.* IP space.
As one can see, the more specific part of a hostname
appears to its left. For example, example.org. is more specific than
org., as org. is more
specific than the root zone. The layout of each part of a
hostname is much like a filesystem: the
/dev directory falls within the root, and
so on.Reasons to Run a Name ServerName servers usually come in two forms: an authoritative
name server, and a caching name server.An authoritative name server is needed when:one wants to serve DNS information to the
world, replying authoritatively to queries.a domain, such as example.org, is
registered and IP addresses need to be assigned to hostnames
under it.an IP address block requires reverse DNS entries (IP to
hostname).a backup name server, called a slave, must reply to queries
when the primary is down or inaccessible.A caching name server is needed when:a local DNS server may cache and respond more quickly
than querying an outside name server.a reduction in overall network traffic is desired (DNS
traffic has been measured to account for 5% or more of total
Internet traffic).When one queries for www.FreeBSD.org, the resolver usually
queries the uplink ISP's name server, and retrieves the reply.
With a local, caching DNS server, the query only has to be
made once to the outside world by the caching DNS server.
Every additional query will not have to look to the outside of
the local network, since the information is cached
locally.How It WorksIn FreeBSD, the BIND daemon is called
named for obvious reasons.FileDescriptionnamedthe BIND daemonndcname daemon control program/etc/namedbdirectory where BIND zone information resides/etc/namedb/named.confdaemon configuration file
Zone files are usually contained within the
/etc/namedb
directory, and contain the DNS zone information
served by the name server.
Starting BINDBINDstarting
Since BIND is installed by default, configuring it all is
relatively simple.
To ensure the named daemon is
started at boot, put the following line in
/etc/rc.conf:
named_enable="YES"To start the daemon manually (after configuring it):&prompt.root; ndc startConfiguration FilesBINDconfiguration filesUsing make-localhostBe sure to:
&prompt.root; cd /etc/namedb
&prompt.root; sh make-localhostto properly create the local reverse DNS zone file in
/etc/namedb/localhost.rev.
/etc/namedb/named.conf// $FreeBSD$
//
// Refer to the named(8) manual page for details. If you are ever going
// to setup a primary server, make sure you've understood the hairy
// details of how DNS is working. Even with simple mistakes, you can
// break connectivity for affected parties, or cause huge amount of
// useless Internet traffic.
options {
directory "/etc/namedb";
// In addition to the "forwarders" clause, you can force your name
// server to never initiate queries of its own, but always ask its
// forwarders only, by enabling the following line:
//
// forward only;
// If you've got a DNS server around at your upstream provider, enter
// its IP address here, and enable the line below. This will make you
// benefit from its cache, thus reduce overall DNS traffic in the
Internet.
/*
forwarders {
127.0.0.1;
};
*/
Just as the comment says, to benefit from an uplink's cache,
forwarders can be enabled here. Under normal
circumstances, a name server will recursively query the Internet
looking at certain name servers until it finds the answer it is
looking for. Having this enabled will have it query the uplink's
name server (or name server provided) first, taking advantage of
its cache. If the uplink name server in question is a heavily
trafficked, fast name server, enabling this may be worthwhile.
127.0.0.1
will not work here.
Change this IP address to a name server at your uplink. /*
* If there is a firewall between you and name servers you want
* to talk to, you might need to uncomment the query-source
* directive below. Previous versions of BIND always asked
* questions using port 53, but BIND 8.1 uses an unprivileged
* port by default.
*/
// query-source address * port 53;
/*
* If running in a sandbox, you may have to specify a different
* location for the dumpfile.
*/
// dump-file "s/named_dump.db";
};
// Note: the following will be supported in a future release.
/*
host { any; } {
topology {
127.0.0.0/8;
};
};
*/
// Setting up secondaries is way easier and the rough picture for this
// is explained below.
//
// If you enable a local name server, don't forget to enter 127.0.0.1
// into your /etc/resolv.conf so this server will be queried first.
// Also, make sure to enable it in /etc/rc.conf.
zone "." {
type hint;
file "named.root";
};
zone "0.0.127.IN-ADDR.ARPA" {
type master;
file "localhost.rev";
};
zone
"0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.INT" {
type master;
file "localhost.rev";
};
// NB: Do not use the IP addresses below, they are faked, and only
// serve demonstration/documentation purposes!
//
// Example secondary config entries. It can be convenient to become
// a secondary at least for the zone where your own domain is in. Ask
// your network administrator for the IP address of the responsible
// primary.
//
// Never forget to include the reverse lookup (IN-ADDR.ARPA) zone!
// (This is the first bytes of the respective IP address, in reverse
// order, with ".IN-ADDR.ARPA" appended.)
//
// Before starting to setup a primary zone, better make sure you fully
// understand how DNS and BIND works, however. There are sometimes
// unobvious pitfalls. Setting up a secondary is comparably simpler.
//
// NB: Don't blindly enable the examples below. :-) Use actual names
// and addresses instead.
//
// NOTE!!! FreeBSD runs BIND in a sandbox (see named_flags in rc.conf).
// The directory containing the secondary zones must be write accessible
// to BIND. The following sequence is suggested:
//
// mkdir /etc/namedb/s
// chown bind:bind /etc/namedb/s
// chmod 750 /etc/namedb/sFor more information on running BIND in a sandbox, see
Running named in a sandbox.
/*
zone "example.com" {
type slave;
file "s/example.com.bak";
masters {
192.168.1.1;
};
};
zone "0.168.192.in-addr.arpa" {
type slave;
file "s/0.168.192.in-addr.arpa.bak";
masters {
192.168.1.1;
};
};
*/In named.conf, these are examples of slave
entries for a forward and reverse zone.For each new zone served, a new zone entry must be added to
named.conf.For example, the simplest zone entry for
example.org can look like:zone "example.org" {
type master;
file "example.org";
};The zone is a master, as indicated by the
statement, holding its zone information in
/etc/namedb/example.org indicated by
the statement.zone "example.org" {
type slave;
file "example.org";
};In the slave case, the zone information is transferred from
the master name server for the particular zone, and saved in the
file specified. If and when the master server dies or is
unreachable, the slave name server will have the transferred
zone information and will be able to serve it.Zone Files
An example master zone file for example.org (existing within
/etc/namedb/example.org) is as follows:
$TTL 3600
example.org. IN SOA ns1.example.org. admin.example.org. (
5 ; Serial
10800 ; Refresh
3600 ; Retry
604800 ; Expire
86400 ) ; Minimum TTL
; DNS Servers
@ IN NS ns1.example.org.
@ IN NS ns2.example.org.
; Machine Names
localhost IN A 127.0.0.1
ns1 IN A 3.2.1.2
ns2 IN A 3.2.1.3
mail IN A 3.2.1.10
@ IN A 3.2.1.30
; Aliases
www IN CNAME @
; MX Record
@ IN MX 10 mail.example.org.
Note that every hostname ending in a . is an
exact hostname, whereas everything without a trailing
. is referenced to the origin. For example,
www is translated into
www.origin.
In our fictitious zone file, our origin is
example.org., so www
would translate to www.example.org.
The format of a zone file follows:
recordname IN recordtype valueDNSrecords
The most commonly used DNS records:
SOAstart of zone authorityNSan authoritative name serverAa host addressCNAMEthe canonical name for an aliasMXmail exchangerPTRa domain name pointer (used in reverse DNS)
example.org. IN SOA ns1.example.org. admin.example.org. (
5 ; Serial
10800 ; Refresh after 3 hours
3600 ; Retry after 1 hour
604800 ; Expire after 1 week
86400 ) ; Minimum TTL of 1 dayexample.org.the domain name, also the origin for this
zone file.ns1.example.org.the primary/authoritative name server for this
zone.admin.example.org.the responsible person for this zone,
email address with @
replaced. (admin@example.org becomes
admin.example.org)5the serial number of the file. This
must be incremented each time the zone file is
modified. Nowadays, many admins prefer a
yyyymmddrr format for the serial
number. 2001041002 would mean
last modified 04/10/2001, the latter
02 being the second time the zone
file has been modified this day. The serial number
is important as it alerts slave name servers for a
zone when it is updated.
@ IN NS ns1.example.org.
This is an NS entry. Every name server that is going to reply
authoritatively for the zone must have one of these entries.
The @ as seen here could have been
example.org.
The @ translates to the origin.
localhost IN A 127.0.0.1
ns1 IN A 3.2.1.2
ns2 IN A 3.2.1.3
mail IN A 3.2.1.10
@ IN A 3.2.1.30
The A record indicates machine names. As seen above,
ns1.example.org would resolve
to 3.2.1.2. Again, the
origin symbol, @, is used here, thus
meaning example.org would
resolve to 3.2.1.30.
www IN CNAME @
The canonical name record is usually used for giving aliases
to a machine. In the example, www is
aliased to the machine addressed to the origin, or
example.org
(3.2.1.30).
CNAMEs can be used to provide alias
hostnames, or round robin one hostname among multiple
machines.
MX record
@ IN MX 10 mail.example.org.
The MX record indicates which mail
servers are responsible for handling incoming mail for the
zone. mail.example.org is the
hostname of the mail server, and 10 being the priority of
that mail server.
One can have several mail servers, with priorities of 3, 2,
1. A mail server attempting to deliver to example.org would first try the
highest priority MX, then the second highest, etc, until the
mail can be properly delivered.
For in-addr.arpa zone files (reverse DNS), the same format is
used, except with PTR entries instead of
A or CNAME.
$TTL 3600
1.2.3.in-addr.arpa. IN SOA ns1.example.org. admin.example.org. (
5 ; Serial
10800 ; Refresh
3600 ; Retry
604800 ; Expire
3600 ) ; Minimum
@ IN NS ns1.example.org.
@ IN NS ns2.example.org.
2 IN PTR ns1.example.org.
3 IN PTR ns2.example.org.
10 IN PTR mail.example.org.
30 IN PTR example.org.This file gives the proper IP address to hostname
mappings of our above fictitious domain.Caching Name ServerBINDcaching name serverA caching name server is a name server that is not
authoritative for any zones. It simply asks queries of its
own, and remembers them for later use. To set one up, just
configure the name server as usual, omitting any inclusions of
zones.Running named in a SandboxBINDrunning in a sandboxchrootFor added security you may want to run &man.named.8; as an
unprivileged user, and configure it to &man.chroot.8; into a
sandbox directory. This makes everything outside of the
sandbox inaccessible to the named
daemon. Should named be
compromised, this will help to reduce the damage that can be
caused. By default, FreeBSD has a user and a group called
bind, intended for this use.Various people would recommend that instead of configuring
named to chroot, you
should run named inside a &man.jail.8;.
This section does not attempt to cover this situation.Since named will not be able to
access anything outside of the sandbox (such as shared
libraries, log sockets, and so on), there are a number of steps
that need to be followed in order to allow
named to function correctly. In the
following checklist, it is assumed that the path to the sandbox
is /etc/namedb and that you have made no
prior modifications to the contents of this directory. Perform
the following steps as root:Create all directories that named
expects to see:&prompt.root; cd /etc/namedb
&prompt.root; mkdir -p bin dev etc var/tmp var/run master slave
&prompt.root; chown bind:bind slave var/*named only needs write access to
these directories, so that is all we give it.Rearrange and create basic zone and configuration files:&prompt.root; cp /etc/localtime etc
&prompt.root; mv named.conf etc && ln -sf etc/named.conf
&prompt.root; mv named.root master
&prompt.root; sh make-localhost && mv localhost.rev localhost-v6.rev master
&prompt.root; cat > master/named.localhost
$ORIGIN localhost.
$TTL 6h
@ IN SOA localhost. postmaster.localhost. (
1 ; serial
3600 ; refresh
1800 ; retry
604800 ; expiration
3600 ) ; minimum
IN NS localhost.
IN A 127.0.0.1
^DThis allows named to log the
correct time to &man.syslogd.8;.sysloglogsDNSIf you are running a version of &os; prior to 4.9-RELEASE, build a statically linked copy of
named-xfer, and copy it into the sandbox:&prompt.root; cd /usr/src/lib/libisc
&prompt.root; make cleandir && make cleandir && make depend && make all
&prompt.root; cd /usr/src/lib/libbind
&prompt.root; make cleandir && make cleandir && make depend && make all
&prompt.root; cd /usr/src/libexec/named-xfer
&prompt.root; make cleandir && make cleandir && make depend && make NOSHARED=yes all
&prompt.root; cp named-xfer /etc/namedb/bin && chmod 555 /etc/namedb/bin/named-xferAfter your statically linked
named-xfer is installed some cleaning up
is required, to avoid leaving stale copies of libraries or
programs in your source tree:&prompt.root; cd /usr/src/lib/libisc
&prompt.root; make cleandir
&prompt.root; cd /usr/src/lib/libbind
&prompt.root; make cleandir
&prompt.root; cd /usr/src/libexec/named-xfer
&prompt.root; make cleandirThis step has been reported to fail occasionally. If this
happens to you, then issue the command:&prompt.root; cd /usr/src && make cleandir && make cleandirand delete your /usr/obj tree:&prompt.root; rm -fr /usr/obj && mkdir /usr/objThis will clean out any cruft from your
source tree, and retrying the steps above should then work.If you are running &os; version 4.9-RELEASE or later,
then the copy of named-xfer in
/usr/libexec is statically linked by
default, and you can simply use &man.cp.1; to copy it into
your sandbox.Make a dev/null that
named can see and write to:&prompt.root; cd /etc/namedb/dev && mknod null c 2 2
&prompt.root; chmod 666 nullSymlink /var/run/ndc to
/etc/namedb/var/run/ndc:&prompt.root; ln -sf /etc/namedb/var/run/ndc /var/run/ndcThis simply avoids having to specify the
option to &man.ndc.8; every time you
run it. Since the contents of
/var/run are deleted on boot, if
this is something that you find useful you may wish to
add this command to root's
crontab, making use of the
option. See &man.crontab.5;
for more information regarding this.sysloglogsnamedConfigure &man.syslogd.8; to create an extra
log socket that
named can write to. To do this,
add -l /etc/namedb/dev/log to the
syslogd_flags variable in
/etc/rc.conf.chrootArrange to have named start
and chroot itself to the sandbox by
adding the following to
/etc/rc.conf:named_enable="YES"
named_flags="-u bind -g bind -t /etc/namedb /etc/named.conf"Note that the configuration file
/etc/named.conf is denoted by a full
pathname relative to the sandbox, i.e. in
the line above, the file referred to is actually
/etc/namedb/etc/named.conf.The next step is to edit
/etc/namedb/etc/named.conf so that
named knows which zones to load and
where to find them on the disk. There follows a commented
example (anything not specifically commented here is no
different from the setup for a DNS server not running in a
sandbox):options {
directory "/";
named-xfer "/bin/named-xfer";
version ""; // Don't reveal BIND version
query-source address * port 53;
};
// ndc control socket
controls {
unix "/var/run/ndc" perm 0600 owner 0 group 0;
};
// Zones follow:
zone "localhost" IN {
type master;
file "master/named.localhost";
allow-transfer { localhost; };
notify no;
};
zone "0.0.127.in-addr.arpa" IN {
type master;
file "master/localhost.rev";
allow-transfer { localhost; };
notify no;
};
zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.int" {
type master;
file "master/localhost-v6.rev";
allow-transfer { localhost; };
notify no;
};
zone "." IN {
type hint;
file "master/named.root";
};
zone "private.example.net" in {
type master;
file "master/private.example.net.db";
allow-transfer { 192.168.10.0/24; };
};
zone "10.168.192.in-addr.arpa" in {
type slave;
masters { 192.168.10.2; };
file "slave/192.168.10.db";
};The
directory statement is specified as
/, since all files that
named needs are within this
directory (recall that this is equivalent to a
normal user's
/etc/namedb).Specifies the full path
to the named-xfer binary (from
named's frame of reference). This
is necessary since named is
compiled to look for named-xfer in
/usr/libexec by default.Specifies the filename (relative
to the directory statement above) where
named can find the zone file for this
zone.Specifies the filename
(relative to the directory statement above)
where named should write a copy of
the zone file for this zone after successfully transferring it
from the master server. This is why we needed to change the
ownership of the directory slave to
bind in the setup stages above.After completing the steps above, either reboot your
server or restart &man.syslogd.8; and start &man.named.8;, making
sure to use the new options specified in
syslogd_flags and
named_flags. You should now be running a
sandboxed copy of named!SecurityAlthough BIND is the most common implementation of DNS,
there is always the issue of security. Possible and
exploitable security holes are sometimes found.
It is a good idea to read CERT's security advisories and
to subscribe to the &a.security-notifications;
to stay up to date with the current Internet and FreeBSD security
issues.
If a problem arises, keeping sources up to date and
having a fresh build of named would
not hurt.Further ReadingBIND/named manual pages:
&man.ndc.8; &man.named.8; &man.named.conf.5;Official ISC BIND
Page
BIND FAQO'Reilly
DNS and BIND 4th EditionRFC1034
- Domain Names - Concepts and FacilitiesRFC1035
- Domain Names - Implementation and SpecificationTomRhodesWritten by BIND9 and &os;bind9setting upThe release of &os; 5.3 brought the
BIND9 DNS server software
into the distribution. New security features, a new file system
layout and automated &man.chroot.8; configuration came with the
import. This section has been written in two parts, the first
will discuss new features and their configuration; the latter
will cover upgrades to aid in move to &os; 5.3. From this
moment on, the server will be referred to simply as
&man.named.8; in place of BIND. This section
skips over the terminology described in the previous section as
well as some of the theoretical discussions; thus, it is
recommended that the previous section be consulted before reading
any further here.Configuration files for named currently
reside in
- /var/named/etc/namedb/ and
+ /var/named/etc/namedb/ and
will need modification before use. This is where most of the
configuration will be performed.Configuration of a Master ZoneTo configure a master zone visit
- /var/named/etc/namedb/
+ /var/named/etc/namedb/
and run the following command:&prompt.root; sh make-localhostIf all went well a new file should exist in the
- master directory. The
+ master directory. The
filenames should be localhost.rev for
the local domain name and localhost-v6.rev
for IPv6 configurations. As the default
configuration file, configuration for its use will already
be present in the named.conf file.Configuration of a Slave ZoneConfiguration for extra domains or sub domains may be
done properly by setting them as a slave zone. In most cases,
the master/localhost.rev could just be
- copied over into the slave
+ copied over into the slave
directory and modified. Once completed, the files need
to be properly added in named.conf such
as in the following configuration for
example.com:zone "example.com" {
type slave;
file "slave/example.com";
masters {
10.0.0.1;
};
};
zone "0.168.192.in-addr.arpa" {
type slave;
file "slave/0.168.192.in-addr.arpa";
masters {
10.0.0.1;
};
};Note well that in this example, the master
IP address is the primary domain server
from which the zones are transferred; it does not necessary serve
as DNS server itself.System Initialization ConfigurationIn order for the named daemon to start
when the system is booted, the following option must be present
in the rc.conf file:named_enable="YES"While other options exist, this is the bare minimal
requirement. Consult the &man.rc.conf.5; manual page for
a list of the other options. If nothing is entered in the
rc.conf file then named
may be started on the command line by invoking:&prompt.root; /etc/rc.d/named startBIND9 SecurityWhile &os automatically drops named
into a &man.chroot.8; environment; there are several other
security mechanisms in place which could help to lure off
possible DNS service attacks.
Query Access Control ListsA query access control list can be used to restrict
queries against the zones. The configuration works by
defining the network inside of the acl
token and then listing IP addresses in
the zone configuration. To permit domains to query the
example host, just define it like this:acl "example.com" {
192.168.0.0/24;
};
zone "example.com" {
type slave;
file "slave/example.com";
masters {
10.0.0.1;
};
allow-query { example.com; };
};
zone "0.168.192.in-addr.arpa" {
type slave;
file "slave/0.168.192.in-addr.arpa";
masters {
10.0.0.1;
};
allow-query { example.com; };
};Restrict VersionPermitting version lookups on the DNS
server could be opening the doors for an attacker. A
malicious user may use this information to hunt up known
exploits or bugs to utilize against the host. A false version
string can be placed the options section of
named.conf:options {
directory "/etc/namedb";
pid-file "/var/run/named/pid";
dump-file "/var/dump/named_dump.db";
statistics-file "/var/stats/named.stats";
version "None of your business";MurrayStokelyContributed by Apache HTTP Serverweb serversetting upApacheOverview&os; is used to run some of the busiest web sites in the
world. The majority of web servers on the Internet are using
the Apache HTTP Server.
Apache software packages should be
included on your FreeBSD installation media. If you did not
install Apache when you first
installed FreeBSD, then you can install it from the www/apache13 or www/apache2 port.Once Apache has been installed
successfully, it must be configured.This section covers version 1.3.X of the
Apache HTTP Server as that is the
most widely used version for &os;. Apache 2.X introduces many
new technologies but they are not discussed here. For more
information about Apache 2.X, please see .ConfigurationApacheconfiguration fileThe main Apache HTTP Server configuration file is
installed as
/usr/local/etc/apache/httpd.conf on &os;.
This file is a typical &unix; text configuration file with
comment lines beginning with the #
character. A comprehensive description of all possible
configuration options is outside the scope of this book, so
only the most frequently modified directives will be described
here.ServerRoot "/usr/local"This specifies the default directory hierarchy for
the Apache installation. Binaries are stored in the
- bin and
- sbin subdirectories
+ bin and
+ sbin subdirectories
of the server root, and configuration files are stored in
- etc/apache.
+ etc/apache.
ServerAdmin you@your.addressThe address to which problems with the server should
be emailed. This address appears on some
server-generated pages, such as error documents.ServerName www.example.comServerName allows you to set a host name which is
sent back to clients for your server if it is different
to the one that the host is configured with (i.e., use www
instead of the host's real name).DocumentRoot "/usr/local/www/data"DocumentRoot: The directory out of which you will
serve your documents. By default, all requests are taken
from this directory, but symbolic links and aliases may
be used to point to other locations.It is always a good idea to make backup copies of your
Apache configuration file before making changes. Once you are
satisfied with your initial configuration you are ready to
start running Apache.Running ApacheApachestarting or stoppingApache does not run from the
inetd super server as many other
network servers do. It is configured to run standalone for
better performance for incoming HTTP requests from client web
browsers. A shell script wrapper is included to make
starting, stopping, and restarting the server as simple as
possible. To start up Apache for
the first time, just run:&prompt.root; /usr/local/sbin/apachectl startYou can stop the server at any time by typing :&prompt.root; /usr/local/sbin/apachectl stopAfter making changes to the configuration file for any
reason, you will need to restart the server:&prompt.root; /usr/local/sbin/apachectl restartTo launch Apache at system
startup, add the following line to
/etc/rc.conf:apache_enable="YES"If you would like to supply additional command line
options for the Apachehttpd program started at system boot, you
may specify them with an additional line in
rc.conf:apache_flags=""Now that the web server is running, you can view your web
site by pointing a web browser to
http://localhost/. The default web page
that is displayed is
/usr/local/www/data/index.html.Virtual HostingApache supports two different
types of Virtual Hosting. The first method is Name-based
Virtual Hosting. Name-based virtual hosting uses the clients
HTTP/1.1 headers to figure out the hostname. This allows many
different domains to share the same IP address.To setup Apache to use
Name-based Virtual Hosting add an entry like the following to
your httpd.conf:NameVirtualHost *If your webserver was named www.domain.tld and
you wanted to setup a virtual domain for
www.someotherdomain.tld then you would add
the following entries to
httpd.conf:<VirtualHost *>
ServerName www.domain.tld
DocumentRoot /www/domain.tld
<VirtualHost>
<VirtualHost *>
ServerName www.someotherdomain.tld
DocumentRoot /www/someotherdomain.tld
</VirtualHost>Replace the addresses with the addresses you want to use
and the path to the documents with what you are using.For more information about setting up virtual hosts,
please consult the official Apache
documentation at: Apache ModulesApachemodulesThere are many different Apache modules available to add
functionality to the basic server. The FreeBSD Ports
Collection provides an easy way to install
Apache together with some of the
more popular add-on modules.mod_sslweb serversecureSSLcryptographyThe mod_ssl module uses the OpenSSL library to provide
strong cryptography via the Secure Sockets Layer (SSL v2/v3)
and Transport Layer Security (TLS v1) protocols. This
module provides everything necessary to request a signed
certificate from a trusted certificate signing authority so
that you can run a secure web server on &os;.If you have not yet installed
Apache, then a version of Apache
1.3.X that includes mod_ssl may be installed with the www/apache13-modssl port. SSL
support is also available for Apache 2.X in the
www/apache2 port,
where it is enabled by default.mod_perlPerlThe Apache/Perl integration project brings together the
full power of the Perl programming language and the Apache
HTTP Server. With the mod_perl module it is possible to
write Apache modules entirely in Perl. In addition, the
persistent interpreter embedded in the server avoids the
overhead of starting an external interpreter and the penalty
of Perl start-up time.If you have not yet installed
Apache, then a version of Apache
that includes mod_perl may be installed with the www/apache13-modperl port.PHPPHPPHP, which stands for PHP: Hypertext
Preprocessor is a widely-used Open Source
general-purpose scripting language that is especially suited
for Web development and can be embedded into HTML. Its
syntax draws upon C, &java;, and Perl, and is easy to learn.
The main goal of the language is to allow web developers to
write dynamically generated webpages quickly, but you can do
much more with PHP.PHP may be installed from the lang/php5 port.MurrayStokelyContributed by File Transfer Protocol (FTP)FTP serverOverviewThe File Transfer Protocol (FTP) provides users with a
simple way to transfer files to and from an FTP server. &os;
includes FTP
server software, ftpd, in the base
system. This makes setting up and administering an FTP server on FreeBSD
very straightforward.ConfigurationThe most important configuration step is deciding which
accounts will be allowed access to the FTP server. A normal
FreeBSD system has a number of system accounts used for
various daemons, but unknown users should not be allowed to
log in with these accounts. The
/etc/ftpusers file is a list of users
disallowed any FTP access. By default, it includes the
aforementioned system accounts, but it is possible to add
specific users here that should not be allowed access to
FTP.You may want to restrict the access of some users without
preventing them completely from using FTP. This can be
accomplished with the /etc/ftpchroot
file. This file lists users and groups subject to FTP access
restrictions. The &man.ftpchroot.5; manual page has all of
the details so it will not be described in detail here.If you would like to enable anonymous FTP access to your
server, then you must create a user named
ftp on your &os; system. Users will then
be able to log on to your FTP server with a username of
ftp or anonymous and
with any password (by convention an email address for the user
should be used as the password). The FTP server will call
&man.chroot.2; when an anonymous user logs in, to restrict
access to only the home directory of the
ftp user.There are two text files that specify welcome messages to
be displayed to FTP clients. The contents of the file
/etc/ftpwelcome will be displayed to
users before they reach the login prompt. After a successful
login, the contents of the file
/etc/ftpmotd will be displayed. Note
that the path to this file is relative to the login environment, so the
file ~ftp/etc/ftpmotd would be displayed
for anonymous users.Once the FTP server has been configured properly, it must
be enabled in /etc/inetd.conf. All that
is required here is to remove the comment symbol
# from in front of the existing
ftpd line :ftp stream tcp nowait root /usr/libexec/ftpd ftpd -lAs explained in , a
HangUP Signal must be sent to inetd
after this configuration file is changed.You can now log on to your FTP server by typing:&prompt.user; ftp localhostMaintainingsysloglogsFTPThe ftpd daemon uses
&man.syslog.3; to log messages. By default, the system log
daemon will put messages related to FTP in the
/var/log/xferlog file. The location of
the FTP log can be modified by changing the following line in
/etc/syslog.conf:ftp.info /var/log/xferlogBe aware of the potential problems involved with running
an anonymous FTP server. In particular, you should think
twice about allowing anonymous users to upload files. You may
find that your FTP site becomes a forum for the trade of
unlicensed commercial software or worse. If you do need to
allow anonymous FTP uploads, then you should set up the
permissions so that these files can not be read by other
anonymous users until they have been reviewed.MurrayStokelyContributed by File and Print Services for µsoft.windows; clients (Samba)Samba serverMicrosoft Windowsfile serverWindows clientsprint serverWindows clientsOverviewSamba is a popular open source
software package that provides file and print services for
µsoft.windows; clients. Such clients can connect to and
use FreeBSD filespace as if it was a local disk drive, or
FreeBSD printers as if they were local printers.Samba software packages should
be included on your FreeBSD installation media. If you did
not install Samba when you first
installed FreeBSD, then you can install it from the net/samba3 port or package.ConfigurationA default Samba configuration
file is installed as
/usr/local/etc/smb.conf.default. This
file must be copied to
/usr/local/etc/smb.conf and customized
before Samba can be used.The smb.conf file contains runtime
configuration information for
Samba, such as definitions of the
printers and filesystem shares that you would
like to share with &windows; clients. The
Samba package includes a web based
tool called swat which provides a
simple way of configuring the smb.conf
file.Using the Samba Web Administration Tool (SWAT)The Samba Web Administration Tool (SWAT) runs as a
daemon from inetd. Therefore, the
following line in /etc/inetd.conf
should be uncommented before swat can be
used to configure Samba:swat stream tcp nowait/400 root /usr/local/sbin/swatAs explained in , a
HangUP Signal must be sent to
inetd after this configuration
file is changed.Once swat has been enabled in
inetd.conf, you can use a browser to
connect to . You will
first have to log on with the system root account.Once you have successfully logged on to the main
Samba configuration page, you can
browse the system documentation, or begin by clicking on the
Globals tab. The Globals section corresponds to the
variables that are set in the [global]
section of
/usr/local/etc/smb.conf.Global SettingsWhether you are using swat or
editing /usr/local/etc/smb.conf
directly, the first directives you are likely to encounter
when configuring Samba
are:workgroupNT Domain-Name or Workgroup-Name for the computers
that will be accessing this server.netbios nameNetBIOSThis sets the NetBIOS name by which a Samba server
is known. By default it is the same as the first
component of the host's DNS name.server stringThis sets the string that will be displayed with
the net view command and some other
networking tools that seek to display descriptive text
about the server.Security SettingsTwo of the most important settings in
/usr/local/etc/smb.conf are the
security model chosen, and the backend password format for
client users. The following directives control these
options:securityThe two most common options here are
security = share and security
= user. If your clients use usernames that
are the same as their usernames on your &os; machine
then you will want to use user level security. This
is the default security policy and it requires clients
to first log on before they can access shared
resources.In share level security, client do not need to log
onto the server with a valid username and password
before attempting to connect to a shared resource.
This was the default security model for older versions
of Samba.passdb backendNIS+LDAPSQL databaseSamba has several
different backend authentication models. You can
authenticate clients with LDAP, NIS+, a SQL database,
or a modified password file. The default
authentication method is smbpasswd,
and that is all that will be covered here.Assuming that the default smbpasswd
backend is used, the
/usr/local/private/smbpasswd file must
be created to allow Samba to
authenticate clients. If you would like to give all of
your &unix; user accounts access from &windows; clients, use the
following command:&prompt.root; grep -v "^#" /etc/passwd | make_smbpasswd > /usr/local/private/smbpasswd
&prompt.root; chmod 600 /usr/local/private/smbpasswdPlease see the Samba
documentation for additional information about configuration
options. With the basics outlined here, you should have
everything you need to start running
Samba.Starting SambaTo enable Samba when your
system boots, add the following line to
/etc/rc.conf:samba_enable="YES"You can then start Samba at any
time by typing:&prompt.root; /usr/local/etc/rc.d/samba.sh start
Starting SAMBA: removing stale tdbs :
Starting nmbd.
Starting smbd.Samba actually consists of
three separate daemons. You should see that both the
nmbd and smbd daemons
are started by the samba.sh script. If
you enabled winbind name resolution services in
smb.conf, then you will also see that
the winbindd daemon is started.You can stop Samba at any time
by typing :&prompt.root; /usr/local/etc/rc.d/samba.sh stopSamba is a complex software
suite with functionality that allows broad integration with
µsoft.windows; networks. For more information about
functionality beyond the basic installation described here,
please see .TomHukinsContributed by Clock Synchronization with NTPNTPOverviewOver time, a computer's clock is prone to drift. The
Network Time Protocol (NTP) is one way to ensure your clock stays
accurate.Many Internet services rely on, or greatly benefit from,
computers' clocks being accurate. For example, a web server
may receive requests to send a file if it has been modified since a
certain time. In a local area network environment, it is
essential that computers sharing files from the same file
server have synchronized clocks so that file timestamps stay
consistent. Services such as &man.cron.8; also rely on
an accurate system clock to run commands at the specified
times.NTPntpdFreeBSD ships with the &man.ntpd.8; NTP server which can be used to query
other NTP
servers to set the clock on your machine or provide time
services to others.Choosing Appropriate NTP ServersNTPchoosing serversIn order to synchronize your clock, you will need to find
one or more NTP servers to use. Your network
administrator or ISP may have set up an NTP server for this
purpose—check their documentation to see if this is the
case. There is an online
list of publicly accessible NTP servers which you can
use to find an NTP server near to you. Make sure you are
aware of the policy for any servers you choose, and ask for
permission if required.Choosing several unconnected NTP servers is a good idea in
case one of the servers you are using becomes unreachable or
its clock is unreliable. &man.ntpd.8; uses the responses it
receives from other servers intelligently—it will favor
unreliable servers less than reliable ones.Configuring Your MachineNTPconfigurationBasic ConfigurationntpdateIf you only wish to synchronize your clock when the
machine boots up, you can use &man.ntpdate.8;. This may be
appropriate for some desktop machines which are frequently
rebooted and only require infrequent synchronization, but
most machines should run &man.ntpd.8;.Using &man.ntpdate.8; at boot time is also a good idea
for machines that run &man.ntpd.8;. The &man.ntpd.8;
program changes the clock gradually, whereas &man.ntpdate.8;
sets the clock, no matter how great the difference between a
machine's current clock setting and the correct time.To enable &man.ntpdate.8; at boot time, add
ntpdate_enable="YES" to
/etc/rc.conf. You will also need to
specify all servers you wish to synchronize with and any
flags to be passed to &man.ntpdate.8; in
ntpdate_flags.NTPntp.confGeneral ConfigurationNTP is configured by the
/etc/ntp.conf file in the format
described in &man.ntp.conf.5;. Here is a simple
example:server ntplocal.example.com prefer
server timeserver.example.org
server ntp2a.example.net
driftfile /var/db/ntp.driftThe server option specifies which
servers are to be used, with one server listed on each line.
If a server is specified with the prefer
argument, as with ntplocal.example.com, that server is
preferred over other servers. A response from a preferred
server will be discarded if it differs significantly from
other servers' responses, otherwise it will be used without
any consideration to other responses. The
prefer argument is normally used for NTP
servers that are known to be highly accurate, such as those
with special time monitoring hardware.The driftfile option specifies which
file is used to store the system clock's frequency offset.
The &man.ntpd.8; program uses this to automatically
compensate for the clock's natural drift, allowing it to
maintain a reasonably correct setting even if it is cut off
from all external time sources for a period of time.The driftfile option specifies which
file is used to store information about previous responses
from the NTP servers you are using. This file contains
internal information for NTP. It should not be modified by
any other process.Controlling Access to Your ServerBy default, your NTP server will be accessible to all
hosts on the Internet. The restrict
option in /etc/ntp.conf allows you to
control which machines can access your server.If you want to deny all machines from accessing your NTP
server, add the following line to
/etc/ntp.conf:restrict default ignoreIf you only want to allow machines within your own
network to synchronize their clocks with your server, but
ensure they are not allowed to configure the server or used
as peers to synchronize against, addrestrict 192.168.1.0 mask 255.255.255.0 notrust nomodify notrapinstead, where 192.168.1.0 is
an IP address on your network and 255.255.255.0 is your network's
netmask./etc/ntp.conf can contain multiple
restrict options. For more details, see
the Access Control Support subsection of
&man.ntp.conf.5;.Running the NTP ServerTo ensure the NTP server is started at boot time, add the
line xntpd_enable="YES" to
/etc/rc.conf. If you wish to pass
additional flags to &man.ntpd.8;, edit the
xntpd_flags parameter in
/etc/rc.conf.To start the server without rebooting your machine, run
ntpd being sure to specify any additional
parameters from xntpd_flags in
/etc/rc.conf. For example:&prompt.root; ntpd -p /var/run/ntpd.pidUnder &os; 5.X, various options in
/etc/rc.conf have been renamed. Thus,
you have to replace every instance of xntpd
with ntpd in the options above.Using ntpd with a Temporary Internet
ConnectionThe &man.ntpd.8; program does not need a permanent
connection to the Internet to function properly. However, if
you have a temporary connection that is configured to dial out
on demand, it is a good idea to prevent NTP traffic from
triggering a dial out or keeping the connection alive. If you
are using user PPP, you can use filter
directives in /etc/ppp/ppp.conf. For
example: set filter dial 0 deny udp src eq 123
# Prevent NTP traffic from initiating dial out
set filter dial 1 permit 0 0
set filter alive 0 deny udp src eq 123
# Prevent incoming NTP traffic from keeping the connection open
set filter alive 1 deny udp dst eq 123
# Prevent outgoing NTP traffic from keeping the connection open
set filter alive 2 permit 0/0 0/0For more details see the PACKET
FILTERING section in &man.ppp.8; and the examples in
/usr/share/examples/ppp/.Some Internet access providers block low-numbered ports,
preventing NTP from functioning since replies never
reach your machine.Further InformationDocumentation for the NTP server can be found in
/usr/share/doc/ntp/ in HTML
format.
diff --git a/en_US.ISO8859-1/books/handbook/printing/chapter.sgml b/en_US.ISO8859-1/books/handbook/printing/chapter.sgml
index 4f4344d146..2078899ae6 100644
--- a/en_US.ISO8859-1/books/handbook/printing/chapter.sgml
+++ b/en_US.ISO8859-1/books/handbook/printing/chapter.sgml
@@ -1,4949 +1,4949 @@
SeanKellyContributed by JimMockRestructured and updated by PrintingSynopsisLPD spooling systemprintingFreeBSD can be used to print to a wide variety of printers, from the
oldest impact printer to the latest laser printers, and everything in
between, allowing you to produce high quality printed output from the
applications you run.FreeBSD can also be configured to act as a print server on a
network; in this capacity FreeBSD can receive print jobs from a variety
of other computers, including other FreeBSD computers, &windows; and &macos;
hosts. FreeBSD will ensure that one job at a time is printed, and can
keep statistics on which users and machines are doing the most printing,
produce banner pages showing who's printout is who's, and
more.After reading this chapter, you will know:How to configure the FreeBSD print spooler.How to install print filters, to handle special print jobs
differently, including converting incoming documents to print
formats that your printers understand.How to enable header, or banner pages on your printout.How to print to printers connected to other computers.How to print to printers connected directly to the
network.How to control printer restrictions, including limiting the size
of print jobs, and preventing certain users from printing.How to keep printer statistics, and account for printer
usage.How to troubleshoot printing problems.Before reading this chapter, you should:Know how to configure and install a new kernel
().IntroductionIn order to use printers with FreeBSD, you will need to set
them up to work with the Berkeley line printer spooling system,
also known as the LPD spooling system.
It is the standard printer control system in FreeBSD. This
chapter introduces the LPD spooling
system, often simply called LPD, and
will guide you through its configuration.If you are already familiar with
LPD or another printer spooling
system, you may wish to skip to section Setting up the spooling
system.LPD controls everything about a
host's printers. It is responsible for a number of things:It controls access to attached printers and printers
attached to other hosts on the network.print jobsIt enables users to submit files to be printed; these
submissions are known as jobs.It prevents multiple users from accessing a printer at the
same time by maintaining a queue for each
printer.It can print header pages (also known
as banner or burst
pages) so users can easily find jobs they have printed in a
stack of printouts.It takes care of communications parameters for printers
connected on serial ports.It can send jobs over the network to a
LPD spooler on another host.It can run special filters to format jobs to be printed for
various printer languages or printer capabilities.It can account for printer usage.Through a configuration file
(/etc/printcap), and by providing the special
filter programs, you can enable the LPD
system to do all or some
subset of the above for a great variety of printer hardware.Why You Should Use the SpoolerIf you are the sole user of your system, you may be wondering
why you should bother with the spooler when you do not need access
control, header pages, or printer accounting. While it is
possible to enable direct access to a printer, you should use the
spooler anyway since:LPD prints jobs in the background;
you do not have to wait
for data to be copied to the printer.&tex;LPD can conveniently run a job
to be printed through
filters to add date/time headers or convert a special file
format (such as a &tex; DVI file) into a format the printer will
understand. You will not have to do these steps
manually.Many free and commercial programs that provide a print
feature usually expect to talk to the spooler on your system.
By setting up the spooling system, you will more easily
support other software you may later add or already
have.Basic SetupTo use printers with the LPD spooling
system, you will need to
set up both your printer hardware and the
LPD software. This
document describes two levels of setup:See section Simple Printer
Setup to learn how to connect a printer, tell
LPD how to
communicate with it, and print plain text files to the
printer.See section Advanced
Printer Setup to find out how to print a variety of
special file formats, to print header pages, to print across a
network, to control access to printers, and to do printer
accounting.Simple Printer SetupThis section tells how to configure printer hardware and the
LPD software to use the printer.
It teaches the basics:Section Hardware
Setup gives some hints on connecting the printer to a
port on your computer.Section Software
Setup shows how to set up the
LPD spooler configuration
file (/etc/printcap).If you are setting up a printer that uses a network protocol
to accept data to print instead of a serial or parallel interface,
see Printers With
Networked Data Stream Interfaces.Although this section is called Simple Printer
Setup, it is actually fairly complex. Getting the printer
to work with your computer and the LPD
spooler is the hardest
part. The advanced options like header pages and accounting are
fairly easy once you get the printer working.Hardware SetupThis section tells about the various ways you can connect a
printer to your PC. It talks about the kinds of ports and
cables, and also the kernel configuration you may need to enable
FreeBSD to speak to the printer.If you have already connected your printer and have
successfully printed with it under another operating system, you
can probably skip to section Software Setup.Ports and CablesPrinters sold for use on PC's today generally come
with one or more of the following three interfaces:printersserialSerial interfaces, also known
as RS232C or RS232D, or COM ports, use a serial port
on your computer to send data to the printer. Serial
interfaces are common in the computer industry and cables
are readily available and also easy to construct. Serial
interfaces sometimes need special cables and might require
you to configure somewhat complex communications
options. Most PC serial ports have a maximum
transmission rate of 115200 bps, which makes printing
large graphic print jobs with them impractical.printersparallelParallel interfaces use a
parallel port on your computer to send data to the
printer. Parallel interfaces are common in the PC market
and are faster than RS232 serial.
Cables are readily available but more difficult to
construct by hand. There are usually no communications
options with parallel interfaces, making their
configuration exceedingly simple.centronicsparallel printersParallel interfaces are sometimes known as
Centronics interfaces, named after the
connector type on the printer.printersUSBUSB interfaces, named for the Universal Serial
Bus, can run at even faster speeds than parallel or
RS232 serial interfaces. Cables are simple and cheap.
USB is superior to RS232 Serial and to Parallel for
printing, but it is not as well supported under &unix;
systems. A way to avoid this problem is to purchase a
printer that has both a USB interface and a Parallel
interface, as many printers do.In general, Parallel interfaces usually offer just
one-way communication (computer to printer) while serial
and USB gives you two-way. Newer parallel ports (EPP and
ECP) and printers
can communicate in both directions under FreeBSD when a
IEEE1284 compliant cable is used.PostScriptTwo-way communication to the printer over a parallel
port is generally done in one of two ways. The first method
uses a custom built printer driver for FreeBSD that speaks
the proprietary language used by the printer. This is
common with inkjet printers and can be used for reporting
ink levels and other status information. The second
method is used when the printer supports
&postscript;.&postscript; jobs are
actually programs sent to the printer; they need not produce
paper at all and may return results directly to the computer.
&postscript; also uses two-way communication to tell the
computer about problems, such as errors in the &postscript;
program or paper jams. Your users may be appreciative of such
information. Furthermore, the best way to do effective
accounting with a &postscript; printer requires two-way
communication: you ask the printer for its page count (how
many pages it has printed in its lifetime), then send the
user's job, then ask again for its page count. Subtract the
two values and you know how much paper to charge the
user.Parallel PortsTo hook up a printer using a parallel interface, connect
the Centronics cable between the printer and the computer.
The instructions that came with the printer, the computer, or
both should give you complete guidance.Remember which parallel port you used on the computer.
The first parallel port is /dev/ppc0 to
FreeBSD; the second is /dev/ppc1, and so
on. The printer device name uses the same scheme:
/dev/lpt0 for the printer on the first
parallel ports etc.Serial PortsTo hook up a printer using a serial interface, connect the
proper serial cable between the printer and the computer. The
instructions that came with the printer, the computer, or both
should give you complete guidance.If you are unsure what the proper serial
cable is, you may wish to try one of the following
alternatives:A modem cable connects each pin
of the connector on one end of the cable straight through
to its corresponding pin of the connector on the other
end. This type of cable is also known as a
DTE-to-DCE cable.null-modem cableA null-modem cable connects some
pins straight through, swaps others (send data to receive
data, for example), and shorts some internally in each
connector hood. This type of cable is also known as a
DTE-to-DTE cable.A serial printer cable, required
for some unusual printers, is like the null-modem cable,
but sends some signals to their counterparts instead of
being internally shorted.baud rateparityflow control protocolYou should also set up the communications parameters for
the printer, usually through front-panel controls or DIP
switches on the printer. Choose the highest
bps (bits per second, sometimes
baud rate) rate that both your computer
and the printer can support. Choose 7 or 8 data bits; none,
even, or odd parity; and 1 or 2 stop bits. Also choose a flow
control protocol: either none, or XON/XOFF (also known as
in-band or software) flow control.
Remember these settings for the software configuration that
follows.Software SetupThis section describes the software setup necessary to print
with the LPD spooling system in FreeBSD.
Here is an outline of the steps involved:Configure your kernel, if necessary, for the port you
are using for the printer; section Kernel Configuration tells
you what you need to do.Set the communications mode for the parallel port, if
you are using a parallel port; section Setting the
Communication Mode for the Parallel Port gives
details.Test if the operating system can send data to the printer.
Section Checking Printer
Communications gives some suggestions on how to do
this.Set up LPD for the printer by
modifying the file
/etc/printcap. You will find out how
to do this later in this chapter.Kernel ConfigurationThe operating system kernel is compiled to work with a
specific set of devices. The serial or parallel interface for
your printer is a part of that set. Therefore, it might be
necessary to add support for an additional serial or parallel
port if your kernel is not already configured for one.To find out if the kernel you are currently using supports
a serial interface, type:&prompt.root; grep sioN /var/run/dmesg.bootWhere N is the number of the
serial port, starting from zero. If you see output similar to
the following:sio2 at port 0x3e8-0x3ef irq 5 on isa
sio2: type 16550Athen the kernel supports the port.To find out if the kernel supports a parallel interface,
type:&prompt.root; grep ppcN /var/run/dmesg.bootWhere N is the number of the
parallel port, starting from zero. If you see output similar
to the following:ppc0: <Parallel port> at port 0x378-0x37f irq 7 on isa0
ppc0: SMC-like chipset (ECP/EPP/PS2/NIBBLE) in COMPATIBLE mode
ppc0: FIFO with 16/16/8 bytes thresholdthen the kernel supports the port.You might have to reconfigure your kernel in order for the
operating system to recognize and use the parallel or serial
port you are using for the printer.To add support for a serial port, see the section on
kernel configuration. To add support for a parallel port, see
that section and the section that
follows.Adding /dev Entries for the
PortsFreeBSD 5.0 includes the devfs
filesystem which automatically creates device nodes as
needed. If you are running a version of FreeBSD with
devfs enabled then you can safely skip
this section.Even though the kernel may support communication along a
serial or parallel port, you will still need a software
interface through which programs running on the system can
send and receive data. That is what entries in the
/dev directory are for.To add a /dev entry for a
port:Become root with the &man.su.1; command.
Enter the root password when prompted.Change to the /dev
directory:&prompt.root; cd /devType:&prompt.root; ./MAKEDEV portWhere port is the device
entry for the port you want to make. Use
lpt0 for the printer on the first parallel port,
lpt1 for the printer on the second port, and so on; use
ttyd0 for the first serial port,
ttyd1 for the second, and so on.Type:&prompt.root; ls -l portto make sure the device entry got created.Setting the Communication Mode for the Parallel
PortWhen you are using the parallel interface, you can choose
whether FreeBSD should use interrupt-driven or polled
communication with the printer. The generic printer
device driver (&man.lpt.4;) on FreeBSD 4.X and 5.X
uses the &man.ppbus.4; system, which controls the port
chipset with the &man.ppc.4; driver.The interrupt-driven method is
the default with the GENERIC kernel. With this method,
the operating system uses an IRQ line to determine when
the printer is ready for data.The polled method directs the
operating system to repeatedly ask the printer if it is
ready for more data. When it responds ready, the kernel
sends more data.The interrupt-driven method is usually somewhat faster
but uses up a precious IRQ line. Some newer HP printers
are claimed not to work correctly in interrupt mode,
apparently due to some (not yet exactly understood) timing
problem. These printers need polled mode. You should use
whichever one works. Some printers will work in both
modes, but are painfully slow in interrupt mode.You can set the communications mode in two ways: by
configuring the kernel or by using the &man.lptcontrol.8;
program.To set the communications mode by configuring
the kernel:Edit your kernel configuration file. Look for
an ppc0 entry. If you are setting up
the second parallel port, use ppc1
instead. Use ppc2 for the third port,
and so on.If you want interrupt-driven mode, for FreeBSD 4.X add the
irq specifier:device ppc0 at isa? irq NWhere N is the IRQ
number for your computer's parallel port.For FreeBSD 5.X, edit the following line:hint.ppc.0.irq="N"in the /boot/device.hints file
and replace N with the right
IRQ number. The kernel configuration file must
also contain the &man.ppc.4; driver:device ppcIf you want polled mode, do not add the
irq specifier:For FreeBSD 4.X, use the following line in
your kernel configuration file:device ppc0 at isa?For FreeBSD 5.X, simply remove in your
/boot/device.hints file, the
following line:hint.ppc.0.irq="N"In some cases, this is not enough to put the
port in polled mode under FreeBSD 5.X. Most of
time it comes from &man.acpi.4; driver, this latter
is able to probe and attach devices, and therefore,
control the access mode to the printer port. You
should check your &man.acpi.4; configuration to
correct this problem.Save the file. Then configure, build, and install the
kernel, then reboot. See kernel configuration for
more details.To set the communications mode with
&man.lptcontrol.8;:Type:&prompt.root; lptcontrol -i -d /dev/lptNto set interrupt-driven mode for
lptN.Type:&prompt.root; lptcontrol -p -d /dev/lptNto set polled-mode for
lptN.You could put these commands in your
/etc/rc.local file to set the mode each
time your system boots. See &man.lptcontrol.8; for more
information.Checking Printer CommunicationsBefore proceeding to configure the spooling system, you
should make sure the operating system can successfully send
data to your printer. It is a lot easier to debug printer
communication and the spooling system separately.To test the printer, we will send some text to it. For
printers that can immediately print characters sent to them,
the program &man.lptest.1; is perfect: it generates all 96
printable ASCII characters in 96 lines.PostScriptFor a &postscript; (or other language-based) printer, we
will need a more sophisticated test. A small &postscript;
program, such as the following, will suffice:%!PS
100 100 moveto 300 300 lineto stroke
310 310 moveto /Helvetica findfont 12 scalefont setfont
(Is this thing working?) show
showpageThe above &postscript; code can be placed into a file and
used as shown in the examples appearing in the following
sections.PCLWhen this document refers to a printer language, it is
assuming a language like &postscript;, and not Hewlett
Packard's PCL. Although PCL has great functionality, you
can intermingle plain text with its escape sequences.
&postscript; cannot directly print plain text, and that is the
kind of printer language for which we must make special
accommodations.Checking a Parallel PrinterprintersparallelThis section tells you how to check if FreeBSD can
communicate with a printer connected to a parallel
port.To test a printer on a parallel
port:Become root with &man.su.1;.Send data to the printer.If the printer can print plain text, then use
&man.lptest.1;. Type:&prompt.root; lptest > /dev/lptNWhere N is the number
of the parallel port, starting from zero.If the printer understands &postscript; or other
printer language, then send a small program to the
printer. Type:&prompt.root; cat > /dev/lptNThen, line by line, type the program
carefully as you cannot edit a
line once you have pressed RETURN
or ENTER. When you have finished
entering the program, press
CONTROL+D, or whatever your end
of file key is.Alternatively, you can put the program in a file
and type:&prompt.root; cat file > /dev/lptNWhere file is the
name of the file containing the program you want to
send to the printer.You should see something print. Do not worry if the
text does not look right; we will fix such things
later.Checking a Serial PrinterprintersserialThis section tells you how to check if FreeBSD can
communicate with a printer on a serial port.To test a printer on a serial
port:Become root with &man.su.1;.Edit the file /etc/remote. Add
the following entry:printer:dv=/dev/port:br#bps-rate:pa=paritybits-per-secondserial portparityWhere port is the device
entry for the serial port (ttyd0,
ttyd1, etc.),
bps-rate is the
bits-per-second rate at which the printer communicates,
and parity is the parity
required by the printer (either even,
odd, none, or
zero).Here is a sample entry for a printer connected via
a serial line to the third serial port at 19200 bps with
no parity:printer:dv=/dev/ttyd2:br#19200:pa=noneConnect to the printer with &man.tip.1;.
Type:&prompt.root; tip printerIf this step does not work, edit the file
/etc/remote again and try using
/dev/cuaaN
instead of
/dev/ttydN.Send data to the printer.If the printer can print plain text, then use
&man.lptest.1;. Type:&prompt.user; $lptestIf the printer understands &postscript; or other
printer language, then send a small program to the
printer. Type the program, line by line,
very carefully as backspacing
or other editing keys may be significant to the
printer. You may also need to type a special
end-of-file key for the printer so it knows it
received the whole program. For &postscript;
printers, press CONTROL+D.Alternatively, you can put the program in a file
and type:&prompt.user; >fileWhere file is the
name of the file containing the program. After
&man.tip.1; sends the file, press any required
end-of-file key.You should see something print. Do not worry if the
text does not look right; we will fix that later.Enabling the Spooler: the /etc/printcap
FileAt this point, your printer should be hooked up, your kernel
configured to communicate with it (if necessary), and you have
been able to send some simple data to the printer. Now, we are
ready to configure LPD to control access
to your printer.You configure LPD by editing the file
/etc/printcap. The
LPD spooling system
reads this file each time the spooler is used, so updates to the
file take immediate effect.printerscapabilitiesThe format of the &man.printcap.5; file is straightforward.
Use your favorite text editor to make changes to
/etc/printcap. The format is identical to
other capability files like
/usr/share/misc/termcap and
/etc/remote. For complete information
about the format, see the &man.cgetent.3;.The simple spooler configuration consists of the following
steps:Pick a name (and a few convenient aliases) for the
printer, and put them in the
/etc/printcap file; see the
Naming the Printer
section for more information on naming.header pagesTurn off header pages (which are on by default) by
inserting the sh capability; see the
Suppressing Header
Pages section for more information.Make a spooling directory, and specify its location with
the sd capability; see the Making the Spooling
Directory section for more information.Set the /dev entry to use for the
printer, and note it in /etc/printcap
with the lp capability; see the Identifying the Printer
Device for more information. Also, if the printer is
on a serial port, set up the communication parameters with
the ms# capability which is discussed in the Configuring Spooler
Communications Parameters section.Install a plain text input filter; see the Installing the Text
Filter section for details.Test the setup by printing something with the
&man.lpr.1; command. More details are available in the
Trying It Out and
Troubleshooting
sections.Language-based printers, such as &postscript; printers,
cannot directly print plain text. The simple setup outlined
above and described in the following sections assumes that if
you are installing such a printer you will print only files
that the printer can understand.Users often expect that they can print plain text to any of
the printers installed on your system. Programs that interface
to LPD to do their printing usually
make the same assumption.
If you are installing such a printer and want to be able to
print jobs in the printer language and
print plain text jobs, you are strongly urged to add an
additional step to the simple setup outlined above: install an
automatic plain-text-to-&postscript; (or other printer language)
conversion program. The section entitled Accommodating Plain
Text Jobs on &postscript; Printers tells how to do
this.Naming the PrinterThe first (easy) step is to pick a name for your printer
It really does not matter whether you choose functional or
whimsical names since you can also provide a number of aliases
for the printer.At least one of the printers specified in the
/etc/printcap should have the alias
lp. This is the default printer's name.
If users do not have the PRINTER environment
variable nor specify a printer name on the command line of any
of the LPD commands,
then lp will be the
default printer they get to use.Also, it is common practice to make the last alias for a
printer be a full description of the printer, including make
and model.Once you have picked a name and some common aliases, put
them in the /etc/printcap file. The name
of the printer should start in the leftmost column. Separate
each alias with a vertical bar and put a colon after the last
alias.In the following example, we start with a skeletal
/etc/printcap that defines two printers
(a Diablo 630 line printer and a Panasonic KX-P4455 &postscript;
laser printer):#
# /etc/printcap for host rose
#
rattan|line|diablo|lp|Diablo 630 Line Printer:
bamboo|ps|PS|S|panasonic|Panasonic KX-P4455 PostScript v51.4:In this example, the first printer is named
rattan and has as aliases
line, diablo,
lp, and Diablo 630 Line
Printer. Since it has the alias
lp, it is also the default printer. The
second is named bamboo, and has as aliases
ps, PS,
S, panasonic, and
Panasonic KX-P4455 PostScript v51.4.Suppressing Header Pagesprintingheader pagesThe LPD spooling system will
by default print a
header page for each job. The header
page contains the user name who requested the job, the host
from which the job came, and the name of the job, in nice
large letters. Unfortunately, all this extra text gets in the
way of debugging the simple printer setup, so we will suppress
header pages.To suppress header pages, add the sh
capability to the entry for the printer in
/etc/printcap. Here is an example
/etc/printcap with sh
added:#
# /etc/printcap for host rose - no header pages anywhere
#
rattan|line|diablo|lp|Diablo 630 Line Printer:\
:sh:
bamboo|ps|PS|S|panasonic|Panasonic KX-P4455 PostScript v51.4:\
:sh:Note how we used the correct format: the first line starts
in the leftmost column, and subsequent lines are indented with
a single TAB. Every line in an entry except the last ends in
a backslash character.Making the Spooling Directoryprinter spoolprint jobsThe next step in the simple spooler setup is to make a
spooling directory, a directory where
print jobs reside until they are printed, and where a number
of other spooler support files live.Because of the variable nature of spooling directories, it
is customary to put these directories under
/var/spool. It is not necessary to
backup the contents of spooling directories, either.
Recreating them is as simple as running &man.mkdir.1;.It is also customary to make the directory with a name
that is identical to the name of the printer, as shown
below:&prompt.root; mkdir /var/spool/printer-nameHowever, if you have a lot of printers on your network,
you might want to put the spooling directories under a single
directory that you reserve just for printing with
LPD. We
will do this for our two example printers
rattan and
bamboo:&prompt.root; mkdir /var/spool/lpd
&prompt.root; mkdir /var/spool/lpd/rattan
&prompt.root; mkdir /var/spool/lpd/bambooIf you are concerned about the privacy of jobs that
users print, you might want to protect the spooling
directory so it is not publicly accessible. Spooling
directories should be owned and be readable, writable, and
searchable by user daemon and group daemon, and no one else.
We will do this for our example printers:&prompt.root; chown daemon:daemon /var/spool/lpd/rattan
&prompt.root; chown daemon:daemon /var/spool/lpd/bamboo
&prompt.root; chmod 770 /var/spool/lpd/rattan
&prompt.root; chmod 770 /var/spool/lpd/bambooFinally, you need to tell LPD
about these directories
using the /etc/printcap file. You
specify the pathname of the spooling directory with the
sd capability:#
# /etc/printcap for host rose - added spooling directories
#
rattan|line|diablo|lp|Diablo 630 Line Printer:\
:sh:sd=/var/spool/lpd/rattan:
bamboo|ps|PS|S|panasonic|Panasonic KX-P4455 PostScript v51.4:\
:sh:sd=/var/spool/lpd/bamboo:Note that the name of the printer starts in the first
column but all other entries describing the printer should be
indented with a tab and each line escaped with a
backslash.If you do not specify a spooling directory with
sd, the spooling system will use
/var/spool/lpd as a default.Identifying the Printer DeviceIn the Adding
/dev Entries for the Ports
section, we identified which entry in the
/dev directory FreeBSD will use to
communicate with the printer. Now, we tell
LPD that
information. When the spooling system has a job to print, it
will open the specified device on behalf of the filter program
(which is responsible for passing data to the printer).List the /dev entry pathname in the
/etc/printcap file using the
lp capability.In our running example, let us assume that
rattan is on the first parallel port, and
bamboo is on a sixth serial port; here are
the additions to /etc/printcap:#
# /etc/printcap for host rose - identified what devices to use
#
rattan|line|diablo|lp|Diablo 630 Line Printer:\
:sh:sd=/var/spool/lpd/rattan:\
:lp=/dev/lpt0:
bamboo|ps|PS|S|panasonic|Panasonic KX-P4455 PostScript v51.4:\
:sh:sd=/var/spool/lpd/bamboo:\
:lp=/dev/ttyd5:If you do not specify the lp capability
for a printer in your /etc/printcap file,
LPD uses /dev/lp
as a default.
/dev/lp currently does not exist in
FreeBSD.If the printer you are installing is connected to a
parallel port, skip to the section entitled, Installing the Text
Filter. Otherwise, be sure to follow the instructions
in the next section.Configuring Spooler Communication ParametersprintersserialFor printers on serial ports, LPD
can set up the bps rate,
parity, and other serial communication parameters on behalf of
the filter program that sends data to the printer. This is
advantageous since:It lets you try different communication parameters by
simply editing the /etc/printcap
file; you do not have to recompile the filter
program.It enables the spooling system to use the same filter
program for multiple printers which may have different
serial communication settings.The following /etc/printcap
capabilities control serial communication parameters of the
device listed in the lp capability:br#bps-rateSets the communications speed of the device to
bps-rate, where
bps-rate can be 50, 75, 110,
134, 150, 200, 300, 600, 1200, 1800, 2400, 4800, 9600,
19200, 38400, 57600, or 115200 bits-per-second.ms#stty-modeSets the options for the terminal device after
opening the device. &man.stty.1; explains the
available options.When LPD opens the device
specified by the lp capability, it sets
the characteristics of the device to those specified with
the ms# capability. Of particular
interest will be the parenb,
parodd, cs5,
cs6, cs7,
cs8, cstopb,
crtscts, and ixon
modes, which are explained in the &man.stty.1;
manual page.Let us add to our example printer on the sixth serial
port. We will set the bps rate to 38400. For the mode,
we will set no parity with -parenb,
8-bit characters with cs8,
no modem control with clocal and
hardware flow control with crtscts:bamboo|ps|PS|S|panasonic|Panasonic KX-P4455 PostScript v51.4:\
:sh:sd=/var/spool/lpd/bamboo:\
:lp=/dev/ttyd5:ms#-parenb cs8 clocal crtscts:Installing the Text FilterprintingfiltersWe are now ready to tell LPD
what text filter to use to
send jobs to the printer. A text filter,
also known as an input filter, is a
program that LPD runs when it
has a job to print. When LPD
runs the text filter for a printer, it sets the filter's
standard input to the job to print, and its standard output to
the printer device specified with the lp
capability. The filter is expected to read the job from
standard input, perform any necessary translation for the
printer, and write the results to standard output, which will
get printed. For more information on the text filter, see
the Filters
section.For our simple printer setup, the text filter can be a
small shell script that just executes
/bin/cat to send the job to the printer.
FreeBSD comes with another filter called
lpf that handles backspacing and
underlining for printers that might not deal with such
character streams well. And, of course, you can use any other
filter program you want. The filter lpf is
described in detail in section entitled lpf: a Text
Filter.First, let us make the shell script
/usr/local/libexec/if-simple be a simple
text filter. Put the following text into that file with your
favorite text editor:#!/bin/sh
#
# if-simple - Simple text input filter for lpd
# Installed in /usr/local/libexec/if-simple
#
# Simply copies stdin to stdout. Ignores all filter arguments.
/bin/cat && exit 0
exit 2Make the file executable:&prompt.root; chmod 555 /usr/local/libexec/if-simpleAnd then tell LPD to use it by specifying it with the
if capability in
/etc/printcap. We will add it to the two
printers we have so far in the example
/etc/printcap:#
# /etc/printcap for host rose - added text filter
#
rattan|line|diablo|lp|Diablo 630 Line Printer:\
:sh:sd=/var/spool/lpd/rattan:\ :lp=/dev/lpt0:\
:if=/usr/local/libexec/if-simple:
bamboo|ps|PS|S|panasonic|Panasonic KX-P4455 PostScript v51.4:\
:sh:sd=/var/spool/lpd/bamboo:\
:lp=/dev/ttyd5:ms#-parenb cs8 clocal crtscts:\
:if=/usr/local/libexec/if-simple:A copy of the if-simple script
can be found in the /usr/share/examples/printing
+ class="directory">/usr/share/examples/printing
directory.Turn on LPD&man.lpd.8; is run from /etc/rc,
controlled by the lpd_enable variable. This
variable defaults to NO. If you have not done
so already, add the line:lpd_enable="YES"to /etc/rc.conf, and then either restart
your machine, or just run &man.lpd.8;.&prompt.root; lpdTrying It OutYou have reached the end of the simple
LPD setup.
Unfortunately, congratulations are not quite yet in order,
since we still have to test the setup and correct any
problems. To test the setup, try printing something. To
print with the LPD system, you
use the command &man.lpr.1;,
which submits a job for printing.You can combine &man.lpr.1; with the &man.lptest.1;
program, introduced in section Checking Printer
Communications to generate some test text.To test the simple LPD
setup:Type:&prompt.root; lptest 20 5 | lpr -Pprinter-nameWhere printer-name is a the
name of a printer (or an alias) specified in
/etc/printcap. To test the default
printer, type &man.lpr.1; without any
argument. Again, if you are testing a printer that expects
&postscript;, send a &postscript; program in that language instead
of using &man.lptest.1;. You can do so by putting the program
in a file and typing lpr
file.For a &postscript; printer, you should get the results of
the program. If you are using &man.lptest.1;, then your
results should look like the following:!"#$%&'()*+,-./01234
"#$%&'()*+,-./012345
#$%&'()*+,-./0123456
$%&'()*+,-./01234567
%&'()*+,-./012345678To further test the printer, try downloading larger
programs (for language-based printers) or running
&man.lptest.1; with different arguments. For example,
lptest 80 60 will produce 60 lines of 80
characters each.If the printer did not work, see the Troubleshooting
section.Advanced Printer SetupThis section describes filters for printing specially formatted
files, header pages, printing across networks, and restricting and
accounting for printer usage.FiltersprintingfiltersAlthough LPD handles network protocols,
queuing, access control,
and other aspects of printing, most of the real
work happens in the filters. Filters are
programs that communicate with the printer and handle its device
dependencies and special requirements. In the simple printer setup,
we installed a plain text filter—an extremely simple one that
should work with most printers (section Installing the Text
Filter).However, in order to take advantage of format conversion, printer
accounting, specific printer quirks, and so on, you should understand
how filters work. It will ultimately be the filter's responsibility
to handle these aspects. And the bad news is that most of the time
you have to provide filters yourself. The good
news is that many are generally available; when they are not, they are
usually easy to write.Also, FreeBSD comes with one,
/usr/libexec/lpr/lpf, that works with many
printers that can print plain text. (It handles backspacing and tabs
in the file, and does accounting, but that is about all it does.)
There are also several filters and filter components in the FreeBSD
Ports Collection.Here is what you will find in this section:Section How Filters
Work, tries to give an overview of a filter's role in the
printing process. You should read this section to get an
understanding of what is happening under the hood
when LPD uses filters. This knowledge
could help you anticipate
and debug problems you might encounter as you install more and
more filters on each of your printers.LPD expects every printer to be
able to print plain text by
default. This presents a problem for &postscript; (or other
language-based printers) which cannot directly print plain text.
Section Accommodating
Plain Text Jobs on &postscript; Printers tells you what you
should do to overcome this problem. You should read this
section if you have a &postscript; printer.&postscript; is a popular output format for many programs.
Some people even write &postscript; code directly. Unfortunately,
&postscript; printers are expensive. Section Simulating &postscript; on
Non &postscript; Printers tells how you can further modify
a printer's text filter to accept and print &postscript; data on a
non &postscript; printer. You should read
this section if you do not have a &postscript; printer.Section Conversion
Filters tells about a way you can automate the conversion
of specific file formats, such as graphic or typesetting data,
into formats your printer can understand. After reading this
section, you should be able to set up your printers such that
users can type lpr -t to print troff data, or
lpr -d to print &tex; DVI data, or lpr
-v to print raster image data, and so forth. I
recommend reading this section.Section Output
Filters tells all about a not often used feature of
LPD:
output filters. Unless you are printing header pages (see Header Pages),
you can probably skip that section altogether.Section lpf: a Text
Filter describes lpf, a fairly
complete if simple text filter for line printers (and laser
printers that act like line printers) that comes with FreeBSD. If
you need a quick way to get printer accounting working for plain
text, or if you have a printer which emits smoke when it sees
backspace characters, you should definitely consider
lpf.A copy of the various scripts described below can be
found in the /usr/share/examples/printing
+ class="directory">/usr/share/examples/printing
directory.How Filters WorkAs mentioned before, a filter is an executable program started
by LPD to handle the device-dependent part of
communicating with the printer.When LPD wants to print a file in a
job, it starts a filter
program. It sets the filter's standard input to the file to print,
its standard output to the printer, and its standard error to the
error logging file (specified in the lf
capability in /etc/printcap, or
/dev/console by default).troffWhich filter LPD starts and the
filter's arguments depend on
what is listed in the /etc/printcap file and
what arguments the user specified for the job on the
&man.lpr.1; command line. For example, if the user typed
lpr -t, LPD would
start the troff filter, listed
in the tf capability for the destination printer.
If the user wanted to print plain text, it would start the
if filter (this is mostly true: see Output Filters for
details).There are three kinds of filters you can specify in
/etc/printcap:The text filter, confusingly called the
input filter in
LPD documentation, handles
regular text printing. Think of it as the default filter.
LPD
expects every printer to be able to print plain text by default,
and it is the text filter's job to make sure backspaces, tabs,
or other special characters do not confuse the printer. If you
are in an environment where you have to account for printer
usage, the text filter must also account for pages printed,
usually by counting the number of lines printed and comparing
that to the number of lines per page the printer supports. The
text filter is started with the following argument list:
filter-name-c-wwidth-llength-iindent-n login-h hostacct-file
where
appears if the job is submitted with lpr
-lwidthis the value from the pw (page
width) capability specified in
/etc/printcap, default 132lengthis the value from the pl (page
length) capability, default 66indentis the amount of the indentation from lpr
-i, default 0loginis the account name of the user printing the
filehostis the host name from which the job was
submittedacct-fileis the name of the accounting file from the
af capability.printingfiltersA conversion filter converts a specific
file format into one the printer can render onto paper. For
example, ditroff typesetting data cannot be directly printed,
but you can install a conversion filter for ditroff files to
convert the ditroff data into a form the printer can digest and
print. Section Conversion
Filters tells all about them. Conversion filters also
need to do accounting, if you need printer accounting.
Conversion filters are started with the following arguments:
filter-name-xpixel-width-ypixel-height-n login-h hostacct-file
where pixel-width is the value
from the px capability (default 0) and
pixel-height is the value from the
py capability (default 0).The output filter is used only if there
is no text filter, or if header pages are enabled. In my
experience, output filters are rarely used. Section Output Filters describe
them. There are only two arguments to an output filter:
filter-name-wwidth-llength
which are identical to the text filters and
arguments.Filters should also exit with the
following exit status:exit 0If the filter printed the file successfully.exit 1If the filter failed to print the file but wants
LPD to
try to print the file again. LPD
will restart a filter if it exits with this status.exit 2If the filter failed to print the file and does not want
LPD to try again.
LPD will throw out the file.The text filter that comes with the FreeBSD release,
/usr/libexec/lpr/lpf, takes advantage of the
page width and length arguments to determine when to send a form
feed and how to account for printer usage. It uses the login, host,
and accounting file arguments to make the accounting entries.If you are shopping for filters, see if they are LPD-compatible.
If they are, they must support the argument lists described above.
If you plan on writing filters for general use, then have them
support the same argument lists and exit codes.Accommodating Plain Text Jobs on &postscript; Printersprint jobsIf you are the only user of your computer and &postscript; (or
other language-based) printer, and you promise to never send plain
text to your printer and to never use features of various programs
that will want to send plain text to your printer, then you do not
need to worry about this section at all.But, if you would like to send both &postscript; and plain text
jobs to the printer, then you are urged to augment your printer
setup. To do so, we have the text filter detect if the arriving job
is plain text or &postscript;. All &postscript; jobs must start with
%! (for other printer languages, see your printer
documentation). If those are the first two characters in the job,
we have &postscript;, and can pass the rest of the job directly. If
those are not the first two characters in the file, then the filter
will convert the text into &postscript; and print the result.How do we do this?printersserialIf you have got a serial printer, a great way to do it is to
install lprps. lprps is a
&postscript; printer filter which performs two-way communication with
the printer. It updates the printer's status file with verbose
information from the printer, so users and administrators can see
exactly what the state of the printer is (such as toner
low or paper jam). But more
importantly, it includes a program called psif
which detects whether the incoming job is plain text and calls
textps (another program that comes with
lprps) to convert it to &postscript;. It then uses
lprps to send the job to the printer.lprps is part of the FreeBSD Ports Collection
(see The Ports Collection). You can
fetch, build and install it yourself, of course. After installing
lprps, just specify the pathname to the
psif program that is part of
lprps. If you installed lprps
from the ports collection, use the following in the serial
&postscript; printer's entry in
/etc/printcap::if=/usr/local/libexec/psif:You should also specify the rw capability;
that tells LPD to open the printer in
read-write mode.If you have a parallel &postscript; printer (and therefore cannot
use two-way communication with the printer, which
lprps needs), you can use the following shell
script as the text filter:#!/bin/sh
#
# psif - Print PostScript or plain text on a PostScript printer
# Script version; NOT the version that comes with lprps
# Installed in /usr/local/libexec/psif
#
IFS="" read -r first_line
first_two_chars=`expr "$first_line" : '\(..\)'`
if [ "$first_two_chars" = "%!" ]; then
#
# PostScript job, print it.
#
echo "$first_line" && cat && printf "\004" && exit 0
exit 2
else
#
# Plain text, convert it, then print it.
#
( echo "$first_line"; cat ) | /usr/local/bin/textps && printf "\004" && exit 0
exit 2
fiIn the above script, textps is a program we
installed separately to convert plain text to &postscript;. You can
use any text-to-&postscript; program you wish. The FreeBSD Ports
Collection (see The Ports Collection)
includes a full featured text-to-&postscript; program called
a2ps that you might want to investigate.Simulating &postscript; on Non &postscript; PrintersPostScriptemulatingGhostscript&postscript; is the de facto standard for
high quality typesetting and printing. &postscript; is, however, an
expensive standard. Thankfully, Aladdin
Enterprises has a free &postscript; work-alike called
Ghostscript that runs with FreeBSD.
Ghostscript can read most &postscript; files and can render their
pages onto a variety of devices, including many brands of
non-PostScript printers. By installing Ghostscript and using a
special text filter for your printer, you can make your
non &postscript; printer act like a real &postscript; printer.Ghostscript is in the FreeBSD Ports Collection, if you
would like to install it from there. You can fetch, build, and
install it quite easily yourself, as well.To simulate &postscript;, we have the text filter detect if it is
printing a &postscript; file. If it is not, then the filter will pass
the file directly to the printer; otherwise, it will use Ghostscript
to first convert the file into a format the printer will
understand.Here is an example: the following script is a text filter
for Hewlett Packard DeskJet 500 printers. For other printers,
substitute the argument to the
gs (Ghostscript) command. (Type gs
-h to get a list of devices the current installation of
Ghostscript supports.)#!/bin/sh
#
# ifhp - Print Ghostscript-simulated PostScript on a DeskJet 500
# Installed in /usr/local/libexec/ifhp
#
# Treat LF as CR+LF (to avoid the "staircase effect" on HP/PCL
# printers):
#
printf "\033&k2G" || exit 2
#
# Read first two characters of the file
#
IFS="" read -r first_line
first_two_chars=`expr "$first_line" : '\(..\)'`
if [ "$first_two_chars" = "%!" ]; then
#
# It is PostScript; use Ghostscript to scan-convert and print it.
#
/usr/local/bin/gs -dSAFER -dNOPAUSE -q -sDEVICE=djet500 \
-sOutputFile=- - && exit 0
else
#
# Plain text or HP/PCL, so just print it directly; print a form feed
# at the end to eject the last page.
#
echo "$first_line" && cat && printf "\033&l0H" &&
exit 0
fi
exit 2Finally, you need to notify LPD of
the filter via the if capability::if=/usr/local/libexec/ifhp:That is it. You can type lpr plain.text and
lpr whatever.ps and both should print
successfully.Conversion FiltersAfter completing the simple setup described in Simple Printer Setup, the first
thing you will probably want to do is install conversion filters for
your favorite file formats (besides plain ASCII text).Why Install Conversion Filters?&tex;printing dvi filesConversion filters make printing various kinds of files easy.
As an example, suppose we do a lot of work with the &tex;
typesetting system, and we have a &postscript; printer. Every time
we generate a DVI file from &tex;, we cannot print it directly until
we convert the DVI file into &postscript;. The command sequence
goes like this:&prompt.user; dvips seaweed-analysis.dvi
&prompt.user; lpr seaweed-analysis.psBy installing a conversion filter for DVI files, we can skip
the hand conversion step each time by having
LPD do it for us.
Now, each time we get a DVI file, we are just one step away from
printing it:&prompt.user; lpr -d seaweed-analysis.dviWe got LPD to do the DVI file
conversion for us by specifying
the option. Section Formatting and Conversion
Options lists the conversion options.For each of the conversion options you want a printer to
support, install a conversion filter and
specify its pathname in /etc/printcap. A
conversion filter is like the text filter for the simple printer
setup (see section Installing
the Text Filter) except that instead of printing plain
text, the filter converts the file into a format the printer can
understand.Which Conversions Filters Should I Install?You should install the conversion filters you expect to use.
If you print a lot of DVI data, then a DVI conversion filter is in
order. If you have got plenty of troff to print out, then you
probably want a troff filter.The following table summarizes the filters that
LPD works
with, their capability entries for the
/etc/printcap file, and how to invoke them
with the lpr command:File type/etc/printcap capabilitylpr optioncifplotcfDVIdfplotgfditroffnfFORTRAN textrftrofftfrastervfplain textifnone, , or
In our example, using lpr -d means the
printer needs a df capability in its entry in
/etc/printcap.FORTRANDespite what others might contend, formats like FORTRAN text
and plot are probably obsolete. At your site, you can give new
meanings to these or any of the formatting options just by
installing custom filters. For example, suppose you would like to
directly print Printerleaf files (files from the Interleaf desktop
publishing program), but will never print plot files. You could
install a Printerleaf conversion filter under the
gf capability and then educate your users that
lpr -g mean print Printerleaf
files.Installing Conversion FiltersSince conversion filters are programs you install outside of
the base FreeBSD installation, they should probably go under
/usr/local. The directory
/usr/local/libexec is a popular location,
since they are specialized programs that only
LPD will run;
regular users should not ever need to run them.To enable a conversion filter, specify its pathname under the
appropriate capability for the destination printer in
/etc/printcap.In our example, we will add the DVI conversion filter to the
entry for the printer named bamboo. Here is
the example /etc/printcap file again, with
the new df capability for the printer
bamboo.#
# /etc/printcap for host rose - added df filter for bamboo
#
rattan|line|diablo|lp|Diablo 630 Line Printer:\
:sh:sd=/var/spool/lpd/rattan:\
:lp=/dev/lpt0:\
:if=/usr/local/libexec/if-simple:
bamboo|ps|PS|S|panasonic|Panasonic KX-P4455 PostScript v51.4:\
:sh:sd=/var/spool/lpd/bamboo:\
:lp=/dev/ttyd5:ms#-parenb cs8 clocal crtscts:rw:\
:if=/usr/local/libexec/psif:\
:df=/usr/local/libexec/psdf:The DVI filter is a shell script named
/usr/local/libexec/psdf. Here is that
script:#!/bin/sh
#
# psdf - DVI to PostScript printer filter
# Installed in /usr/local/libexec/psdf
#
# Invoked by lpd when user runs lpr -d
#
exec /usr/local/bin/dvips -f | /usr/local/libexec/lprps "$@"This script runs dvips in filter mode (the
argument) on standard input, which is the job
to print. It then starts the &postscript; printer filter
lprps (see section Accommodating Plain
Text Jobs on &postscript; Printers) with the arguments
LPD
passed to this script. lprps will use those
arguments to account for the pages printed.More Conversion Filter ExamplesSince there is no fixed set of steps to install conversion
filters, let me instead provide more examples. Use these as
guidance to making your own filters. Use them directly, if
appropriate.This example script is a raster (well, GIF file, actually)
conversion filter for a Hewlett Packard LaserJet III-Si
printer:#!/bin/sh
#
# hpvf - Convert GIF files into HP/PCL, then print
# Installed in /usr/local/libexec/hpvf
PATH=/usr/X11R6/bin:$PATH; export PATH
giftopnm | ppmtopgm | pgmtopbm | pbmtolj -resolution 300 \
&& exit 0 \
|| exit 2It works by converting the GIF file into a portable anymap,
converting that into a portable graymap, converting that into a
portable bitmap, and converting that into LaserJet/PCL-compatible
data.Here is the /etc/printcap file with an
entry for a printer using the above filter:#
# /etc/printcap for host orchid
#
teak|hp|laserjet|Hewlett Packard LaserJet 3Si:\
:lp=/dev/lpt0:sh:sd=/var/spool/lpd/teak:mx#0:\
:if=/usr/local/libexec/hpif:\
:vf=/usr/local/libexec/hpvf:The following script is a conversion filter for troff data
from the groff typesetting system for the &postscript; printer named
bamboo:#!/bin/sh
#
# pstf - Convert groff's troff data into PS, then print.
# Installed in /usr/local/libexec/pstf
#
exec grops | /usr/local/libexec/lprps "$@"The above script makes use of lprps again
to handle the communication with the printer. If the printer were
on a parallel port, we would use this script instead:#!/bin/sh
#
# pstf - Convert groff's troff data into PS, then print.
# Installed in /usr/local/libexec/pstf
#
exec gropsThat is it. Here is the entry we need to add to
/etc/printcap to enable the filter::tf=/usr/local/libexec/pstf:Here is an example that might make old hands at FORTRAN blush.
It is a FORTRAN-text filter for any printer that can directly
print plain text. We will install it for the printer
teak:#!/bin/sh
#
# hprf - FORTRAN text filter for LaserJet 3si:
# Installed in /usr/local/libexec/hprf
#
printf "\033&k2G" && fpr && printf "\033&l0H" &&
exit 0
exit 2And we will add this line to the
/etc/printcap for the printer
teak to enable this filter::rf=/usr/local/libexec/hprf:Here is one final, somewhat complex example. We will add a
DVI filter to the LaserJet printer teak
introduced earlier. First, the easy part: updating
/etc/printcap with the location of the DVI
filter::df=/usr/local/libexec/hpdf:Now, for the hard part: making the filter. For that, we need
a DVI-to-LaserJet/PCL conversion program. The FreeBSD Ports
Collection (see The Ports Collection)
has one: dvi2xx is the name of the package.
Installing this package gives us the program we need,
dvilj2p, which converts DVI into LaserJet IIp,
LaserJet III, and LaserJet 2000 compatible codes.dvilj2p makes the filter
hpdf quite complex since
dvilj2p cannot read from standard input. It
wants to work with a filename. What is worse, the filename has to
end in .dvi so using
/dev/fd/0 for standard input is problematic.
We can get around that problem by linking (symbolically) a
temporary file name (one that ends in .dvi)
to /dev/fd/0, thereby forcing
dvilj2p to read from standard input.The only other fly in the ointment is the fact that we cannot
use /tmp for the temporary link. Symbolic
links are owned by user and group bin. The
filter runs as user daemon. And the
/tmp directory has the sticky bit set. The
filter can create the link, but it will not be able clean up when
done and remove it since the link will belong to a different
user.Instead, the filter will make the symbolic link in the current
working directory, which is the spooling directory (specified by
the sd capability in
/etc/printcap). This is a perfect place for
filters to do their work, especially since there is (sometimes)
more free disk space in the spooling directory than under
/tmp.Here, finally, is the filter:#!/bin/sh
#
# hpdf - Print DVI data on HP/PCL printer
# Installed in /usr/local/libexec/hpdf
PATH=/usr/local/bin:$PATH; export PATH
#
# Define a function to clean up our temporary files. These exist
# in the current directory, which will be the spooling directory
# for the printer.
#
cleanup() {
rm -f hpdf$$.dvi
}
#
# Define a function to handle fatal errors: print the given message
# and exit 2. Exiting with 2 tells LPD to do not try to reprint the
# job.
#
fatal() {
echo "$@" 1>&2
cleanup
exit 2
}
#
# If user removes the job, LPD will send SIGINT, so trap SIGINT
# (and a few other signals) to clean up after ourselves.
#
trap cleanup 1 2 15
#
# Make sure we are not colliding with any existing files.
#
cleanup
#
# Link the DVI input file to standard input (the file to print).
#
ln -s /dev/fd/0 hpdf$$.dvi || fatal "Cannot symlink /dev/fd/0"
#
# Make LF = CR+LF
#
printf "\033&k2G" || fatal "Cannot initialize printer"
#
# Convert and print. Return value from dvilj2p does not seem to be
# reliable, so we ignore it.
#
dvilj2p -M1 -q -e- dfhp$$.dvi
#
# Clean up and exit
#
cleanup
exit 0Automated Conversion: an Alternative to Conversion
FiltersAll these conversion filters accomplish a lot for your
printing environment, but at the cost forcing the user to specify
(on the &man.lpr.1; command line) which one to use.
If your users are not particularly computer literate, having to
specify a filter option will become annoying. What is worse,
though, is that an incorrectly specified filter option may run a
filter on the wrong type of file and cause your printer to spew
out hundreds of sheets of paper.Rather than install conversion filters at all, you might want
to try having the text filter (since it is the default filter)
detect the type of file it has been asked to print and then
automatically run the right conversion filter. Tools such as
file can be of help here. Of course, it will
be hard to determine the differences between
some file types—and, of course, you can
still provide conversion filters just for them.apsfilterprintingfiltersapsfilterThe FreeBSD Ports Collection has a text filter that performs
automatic conversion called apsfilter. It can
detect plain text, &postscript;, and DVI files, run the proper
conversions, and print.Output FiltersThe LPD spooling system supports one
other type of filter that
we have not yet explored: an output filter. An output filter is
intended for printing plain text only, like the text filter, but
with many simplifications. If you are using an output filter but no
text filter, then:LPD starts an output filter once
for the entire job instead
of once for each file in the job.LPD does not make any provision
to identify the start or the
end of files within the job for the output filter.LPD does not pass the user's
login or host to the filter, so
it is not intended to do accounting. In fact, it gets only two
arguments:filter-name-wwidth-llengthWhere width is from the
pw capability and
length is from the
pl capability for the printer in
question.Do not be seduced by an output filter's simplicity. If you
would like each file in a job to start on a different page an output
filter will not work. Use a text filter (also
known as an input filter); see section Installing the Text Filter.
Furthermore, an output filter is actually more
complex in that it has to examine the byte stream being
sent to it for special flag characters and must send signals to
itself on behalf of LPD.However, an output filter is necessary if
you want header pages and need to send escape sequences or other
initialization strings to be able to print the header page. (But it
is also futile if you want to charge header
pages to the requesting user's account, since
LPD does not give any
user or host information to the output filter.)On a single printer, LPD
allows both an output filter and text or other filters. In
such cases, LPD will start the
output filter
to print the header page (see section Header Pages)
only. LPD then expects the
output filter to stop
itself by sending two bytes to the filter: ASCII 031
followed by ASCII 001. When an output filter sees these two bytes
(031, 001), it should stop by sending SIGSTOP
to itself. When
LPD's
done running other filters, it will restart the output filter by
sending SIGCONT to it.If there is an output filter but no text
filter and LPD is working on a plain
text job, LPD uses the output
filter to do the job. As stated before, the output filter will
print each file of the job in sequence with no intervening form
feeds or other paper advancement, and this is probably
not what you want. In almost all cases, you
need a text filter.The program lpf, which we introduced earlier
as a text filter, can also run as an output filter. If you need a
quick-and-dirty output filter but do not want to write the byte
detection and signal sending code, try lpf. You
can also wrap lpf in a shell script to handle any
initialization codes the printer might require.lpf: a Text FilterThe program /usr/libexec/lpr/lpf that comes
with FreeBSD binary distribution is a text filter (input filter)
that can indent output (job submitted with lpr
-i), allow literal characters to pass (job submitted
with lpr -l), adjust the printing position for
backspaces and tabs in the job, and account for pages printed. It
can also act like an output filter.lpf is suitable for many printing
environments. And although it has no capability to send
initialization sequences to a printer, it is easy to write a shell
script to do the needed initialization and then execute
lpf.page accountingaccountingprinterIn order for lpf to do page accounting
correctly, it needs correct values filled in for the
pw and pl capabilities in the
/etc/printcap file. It uses these values to
determine how much text can fit on a page and how many pages were in
a user's job. For more information on printer accounting, see Accounting for Printer
Usage.Header PagesIf you have lots of users, all of them using
various printers, then you probably want to consider header
pages as a necessary evil.banner pagesheader pagesheader pagesHeader pages, also known as banner or
burst pages identify to whom jobs belong after
they are printed. They are usually printed in large, bold letters,
perhaps with decorative borders, so that in a stack of printouts they
stand out from the real documents that comprise users' jobs. They
enable users to locate their jobs quickly. The obvious drawback to a
header page is that it is yet one more sheet that has to be printed
for every job, their ephemeral usefulness lasting not more than a few
minutes, ultimately finding themselves in a recycling bin or rubbish
heap. (Note that header pages go with each job, not each file in a
job, so the paper waste might not be that bad.)The LPD system can provide header
pages automatically for your
printouts if your printer can directly print
plain text. If you have a &postscript; printer, you will need an
external program to generate the header page; see Header Pages on
&postscript; Printers.Enabling Header PagesIn the Simple Printer
Setup section, we turned off header pages by specifying
sh (meaning suppress header) in the
/etc/printcap file. To enable header pages for
a printer, just remove the sh capability.Sounds too easy, right?You are right. You might have to provide
an output filter to send initialization strings to the printer.
Here is an example output filter for Hewlett Packard PCL-compatible
printers:#!/bin/sh
#
# hpof - Output filter for Hewlett Packard PCL-compatible printers
# Installed in /usr/local/libexec/hpof
printf "\033&k2G" || exit 2
exec /usr/libexec/lpr/lpfSpecify the path to the output filter in the
of capability. See the Output Filters section for more
information.Here is an example /etc/printcap file for
the printer teak that we introduced earlier; we
enabled header pages and added the above output filter:#
# /etc/printcap for host orchid
#
teak|hp|laserjet|Hewlett Packard LaserJet 3Si:\
:lp=/dev/lpt0:sd=/var/spool/lpd/teak:mx#0:\
:if=/usr/local/libexec/hpif:\
:vf=/usr/local/libexec/hpvf:\
:of=/usr/local/libexec/hpof:Now, when users print jobs to teak, they get
a header page with each job. If users want to spend time searching
for their printouts, they can suppress header pages by submitting
the job with lpr -h; see the Header Page Options section for
more &man.lpr.1; options.LPD prints a form feed character
after the header page. If
your printer uses a different character or sequence of characters
to eject a page, specify them with the ff
capability in /etc/printcap.Controlling Header PagesBy enabling header pages, LPD will
produce a long
header, a full page of large letters identifying the
user, host, and job. Here is an example (kelly printed the job
named outline from host rose): k ll ll
k l l
k l l
k k eeee l l y y
k k e e l l y y
k k eeeeee l l y y
kk k e l l y y
k k e e l l y yy
k k eeee lll lll yyy y
y
y y
yyyy
ll
t l i
t l
oooo u u ttttt l ii n nnn eeee
o o u u t l i nn n e e
o o u u t l i n n eeeeee
o o u u t l i n n e
o o u uu t t l i n n e e
oooo uuu u tt lll iii n n eeee
r rrr oooo ssss eeee
rr r o o s s e e
r o o ss eeeeee
r o o ss e
r o o s s e e
r oooo ssss eeee
Job: outline
Date: Sun Sep 17 11:04:58 1995LPD appends a form feed after this
text so the job starts on a
new page (unless you have sf (suppress form
feeds) in the destination printer's entry in
/etc/printcap).If you prefer, LPD can make a
short header;
specify sb (short banner) in the
/etc/printcap file. The header page will look
like this:rose:kelly Job: outline Date: Sun Sep 17 11:07:51 1995Also by default, LPD prints the
header page first, then the job.
To reverse that, specify hl (header last) in
/etc/printcap.Accounting for Header PagesUsing LPD's built-in header pages
enforces a particular paradigm
when it comes to printer accounting: header pages must be
free of charge.Why?Because the output filter is the only external program that will
have control when the header page is printed that could do
accounting, and it is not provided with any user or
host information or an accounting file, so it has no
idea whom to charge for printer use. It is also not enough to just
add one page to the text filter or any of the
conversion filters (which do have user and host information) since
users can suppress header pages with lpr -h.
They could still be charged for header pages they did not print.
Basically, lpr -h will be the preferred option of
environmentally-minded users, but you cannot offer any incentive to
use it.It is still not enough to have each of the
filters generate their own header pages (thereby being able to
charge for them). If users wanted the option of suppressing the
header pages with lpr -h, they will still get
them and be charged for them since LPD
does not pass any knowledge
of the option to any of the filters.So, what are your options?You can:Accept LPD's paradigm and make
header pages free.Install an alternative to LPD,
such as
LPRng. Section
Alternatives to the
Standard Spooler tells more about other spooling
software you can substitute for LPD.
Write a smart output filter. Normally,
an output filter is not meant to do anything more than
initialize a printer or do some simple character conversion. It
is suited for header pages and plain text jobs (when there is no
text (input) filter). But, if there is a text filter for the
plain text jobs, then LPD will start
the output filter only for
the header pages. And the output filter can parse the header
page text that LPD generates to
determine what user and host to
charge for the header page. The only other problem with this
method is that the output filter still does not know what
accounting file to use (it is not passed the name of the file
from the af capability), but if you have a
well-known accounting file, you can hard-code that into the
output filter. To facilitate the parsing step, use the
sh (short header) capability in
/etc/printcap. Then again, all that might
be too much trouble, and users will certainly appreciate the
more generous system administrator who makes header pages
free.Header Pages on &postscript; PrintersAs described above, LPD can generate
a plain text header page
suitable for many printers. Of course, &postscript; cannot directly
print plain text, so the header page feature of
LPD is
useless—or mostly so.One obvious way to get header pages is to have every conversion
filter and the text filter generate the header page. The filters
should use the user and host arguments to generate a suitable
header page. The drawback of this method is that users will always
get a header page, even if they submit jobs with lpr
-h.Let us explore this method. The following script takes three
arguments (user login name, host name, and job name) and makes a
simple &postscript; header page:#!/bin/sh
#
# make-ps-header - make a PostScript header page on stdout
# Installed in /usr/local/libexec/make-ps-header
#
#
# These are PostScript units (72 to the inch). Modify for A4 or
# whatever size paper you are using:
#
page_width=612
page_height=792
border=72
#
# Check arguments
#
if [ $# -ne 3 ]; then
echo "Usage: `basename $0` <user> <host> <job>" 1>&2
exit 1
fi
#
# Save these, mostly for readability in the PostScript, below.
#
user=$1
host=$2
job=$3
date=`date`
#
# Send the PostScript code to stdout.
#
exec cat <<EOF
%!PS
%
% Make sure we do not interfere with user's job that will follow
%
save
%
% Make a thick, unpleasant border around the edge of the paper.
%
$border $border moveto
$page_width $border 2 mul sub 0 rlineto
0 $page_height $border 2 mul sub rlineto
currentscreen 3 -1 roll pop 100 3 1 roll setscreen
$border 2 mul $page_width sub 0 rlineto closepath
0.8 setgray 10 setlinewidth stroke 0 setgray
%
% Display user's login name, nice and large and prominent
%
/Helvetica-Bold findfont 64 scalefont setfont
$page_width ($user) stringwidth pop sub 2 div $page_height 200 sub moveto
($user) show
%
% Now show the boring particulars
%
/Helvetica findfont 14 scalefont setfont
/y 200 def
[ (Job:) (Host:) (Date:) ] {
200 y moveto show /y y 18 sub def }
forall
/Helvetica-Bold findfont 14 scalefont setfont
/y 200 def
[ ($job) ($host) ($date) ] {
270 y moveto show /y y 18 sub def
} forall
%
% That is it
%
restore
showpage
EOFNow, each of the conversion filters and the text filter can call
this script to first generate the header page, and then print the
user's job. Here is the DVI conversion filter from earlier in this
document, modified to make a header page:#!/bin/sh
#
# psdf - DVI to PostScript printer filter
# Installed in /usr/local/libexec/psdf
#
# Invoked by lpd when user runs lpr -d
#
orig_args="$@"
fail() {
echo "$@" 1>&2
exit 2
}
while getopts "x:y:n:h:" option; do
case $option in
x|y) ;; # Ignore
n) login=$OPTARG ;;
h) host=$OPTARG ;;
*) echo "LPD started `basename $0` wrong." 1>&2
exit 2
;;
esac
done
[ "$login" ] || fail "No login name"
[ "$host" ] || fail "No host name"
( /usr/local/libexec/make-ps-header $login $host "DVI File"
/usr/local/bin/dvips -f ) | eval /usr/local/libexec/lprps $orig_argsNotice how the filter has to parse the argument list in order to
determine the user and host name. The parsing for the other
conversion filters is identical. The text filter takes a slightly
different set of arguments, though (see section How Filters
Work).As we have mentioned before, the above scheme, though fairly
simple, disables the suppress header page option (the
option) to lpr. If users
wanted to save a tree (or a few pennies, if you charge for header
pages), they would not be able to do so, since every filter's going
to print a header page with every job.To allow users to shut off header pages on a per-job basis, you
will need to use the trick introduced in section Accounting for
Header Pages: write an output filter that parses the
LPD-generated header page and produces a &postscript; version. If the
user submits the job with lpr -h, then
LPD will
not generate a header page, and neither will your output filter.
Otherwise, your output filter will read the text from
LPD and send
the appropriate header page &postscript; code to the printer.If you have a &postscript; printer on a serial line, you can make
use of lprps, which comes with an output filter,
psof, which does the above. Note that
psof does not charge for header pages.Networked Printingprintersnetworknetwork printingFreeBSD supports networked printing: sending jobs to remote
printers. Networked printing generally refers to two different
things:Accessing a printer attached to a remote host. You install a
printer that has a conventional serial or parallel interface on
one host. Then, you set up LPD to
enable access to the printer
from other hosts on the network. Section Printers Installed on
Remote Hosts tells how to do this.Accessing a printer attached directly to a network. The
printer has a network interface in addition (or in place of) a
more conventional serial or parallel interface. Such a printer
might work as follows:It might understand the LPD
protocol and can even queue
jobs from remote hosts. In this case, it acts just like a
regular host running LPD. Follow
the same procedure in
section Printers
Installed on Remote Hosts to set up such a
printer.It might support a data stream network connection. In this
case, you attach the printer to one host on the
network by making that host responsible for spooling jobs and
sending them to the printer. Section Printers with
Networked Data Stream Interfaces gives some
suggestions on installing such printers.Printers Installed on Remote HostsThe LPD spooling system has built-in
support for sending jobs to
other hosts also running LPD (or are
compatible with LPD). This
feature enables you to install a printer on one host and make it
accessible from other hosts. It also works with printers that have
network interfaces that understand the
LPD protocol.To enable this kind of remote printing, first install a printer
on one host, the printer host, using the simple
printer setup described in the Simple
Printer Setup section. Do any advanced setup in Advanced Printer Setup that you
need. Make sure to test the printer and see if it works with the
features of LPD you have enabled.
Also ensure that the
local host has authorization to use the
LPD
service in the remote host (see Restricting Jobs
from Remote Printers).printersnetworknetwork printingIf you are using a printer with a network interface that is
compatible with LPD, then the
printer host in
the discussion below is the printer itself, and the
printer name is the name you configured for the
printer. See the documentation that accompanied your printer and/or
printer-network interface.If you are using a Hewlett Packard Laserjet then the printer
name text will automatically perform the LF to
CRLF conversion for you, so you will not require the
hpif script.Then, on the other hosts you want to have access to the printer,
make an entry in their /etc/printcap files with
the following:Name the entry anything you want. For simplicity, though,
you probably want to use the same name and aliases as on the
printer host.Leave the lp capability blank, explicitly
(:lp=:).Make a spooling directory and specify its location in the
sd capability. LPD
will store jobs here
before they get sent to the printer host.Place the name of the printer host in the
rm capability.Place the printer name on the printer
host in the rp
capability.That is it. You do not need to list conversion filters, page
dimensions, or anything else in the
/etc/printcap file.Here is an example. The host rose has two
printers, bamboo and rattan.
We will enable users on the host orchid to print
to those printers.
Here is the /etc/printcap file for
orchid (back from section Enabling Header
Pages). It already had the entry for the printer
teak; we have added entries for the two printers
on the host rose:#
# /etc/printcap for host orchid - added (remote) printers on rose
#
#
# teak is local; it is connected directly to orchid:
#
teak|hp|laserjet|Hewlett Packard LaserJet 3Si:\
:lp=/dev/lpt0:sd=/var/spool/lpd/teak:mx#0:\
:if=/usr/local/libexec/ifhp:\
:vf=/usr/local/libexec/vfhp:\
:of=/usr/local/libexec/ofhp:
#
# rattan is connected to rose; send jobs for rattan to rose:
#
rattan|line|diablo|lp|Diablo 630 Line Printer:\
:lp=:rm=rose:rp=rattan:sd=/var/spool/lpd/rattan:
#
# bamboo is connected to rose as well:
#
bamboo|ps|PS|S|panasonic|Panasonic KX-P4455 PostScript v51.4:\
:lp=:rm=rose:rp=bamboo:sd=/var/spool/lpd/bamboo:Then, we just need to make spooling directories on
orchid:&prompt.root; mkdir -p /var/spool/lpd/rattan /var/spool/lpd/bamboo
&prompt.root; chmod 770 /var/spool/lpd/rattan /var/spool/lpd/bamboo
&prompt.root; chown daemon:daemon /var/spool/lpd/rattan /var/spool/lpd/bambooNow, users on orchid can print to
rattan and bamboo. If, for
example, a user on orchid typed
&prompt.user; lpr -P bamboo -d sushi-review.dvi
the LPD system on orchid
would copy the job to the spooling
directory /var/spool/lpd/bamboo and note that it was a
DVI job. As soon as the host rose has room in its
bamboo spooling directory, the two
LPDs would transfer the
file to rose. The file would wait in rose's
queue until it was finally printed. It would be converted from DVI to
&postscript; (since bamboo is a &postscript; printer) on
rose.Printers with Networked Data Stream InterfacesOften, when you buy a network interface card for a printer, you
can get two versions: one which emulates a spooler (the more
expensive version), or one which just lets you send data to it as if
you were using a serial or parallel port (the cheaper version).
This section tells how to use the cheaper version. For the more
expensive one, see the previous section Printers Installed on
Remote Hosts.The format of the /etc/printcap file lets
you specify what serial or parallel interface to use, and (if you
are using a serial interface), what baud rate, whether to use flow
control, delays for tabs, conversion of newlines, and more. But
there is no way to specify a connection to a printer that is
listening on a TCP/IP or other network port.To send data to a networked printer, you need to develop a
communications program that can be called by the text and conversion
filters. Here is one such example: the script
netprint takes all data on standard input and
sends it to a network-attached printer. We specify the hostname of
the printer as the first argument and the port number to which to
connect as the second argument to netprint. Note
that this supports one-way communication only (FreeBSD to printer);
many network printers support two-way communication, and you might
want to take advantage of that (to get printer status, perform
accounting, etc.).#!/usr/bin/perl
#
# netprint - Text filter for printer attached to network
# Installed in /usr/local/libexec/netprint
#
$#ARGV eq 1 || die "Usage: $0 <printer-hostname> <port-number>";
$printer_host = $ARGV[0];
$printer_port = $ARGV[1];
require 'sys/socket.ph';
($ignore, $ignore, $protocol) = getprotobyname('tcp');
($ignore, $ignore, $ignore, $ignore, $address)
= gethostbyname($printer_host);
$sockaddr = pack('S n a4 x8', &AF_INET, $printer_port, $address);
socket(PRINTER, &PF_INET, &SOCK_STREAM, $protocol)
|| die "Can't create TCP/IP stream socket: $!";
connect(PRINTER, $sockaddr) || die "Can't contact $printer_host: $!";
while (<STDIN>) { print PRINTER; }
exit 0;We can then use this script in various filters. Suppose we had
a Diablo 750-N line printer connected to the network. The printer
accepts data to print on port number 5100. The host name of the
printer is scrivener. Here is the text filter for the
printer:#!/bin/sh
#
# diablo-if-net - Text filter for Diablo printer `scrivener' listening
# on port 5100. Installed in /usr/local/libexec/diablo-if-net
#
exec /usr/libexec/lpr/lpf "$@" | /usr/local/libexec/netprint scrivener 5100Restricting Printer Usageprintersrestricting access toThis section gives information on restricting printer usage. The
LPD system lets you control who can access
a printer, both locally or
remotely, whether they can print multiple copies, how large their jobs
can be, and how large the printer queues can get.Restricting Multiple CopiesThe LPD system makes it easy for
users to print multiple copies
of a file. Users can print jobs with lpr -#5
(for example) and get five copies of each file in the job. Whether
this is a good thing is up to you.If you feel multiple copies cause unnecessary wear and tear on
your printers, you can disable the option to
&man.lpr.1; by adding the sc capability to the
/etc/printcap file. When users submit jobs
with the option, they will see:lpr: multiple copies are not allowedNote that if you have set up access to a printer remotely (see
section Printers
Installed on Remote Hosts), you need the
sc capability on the remote
/etc/printcap files as well, or else users will
still be able to submit multiple-copy jobs by using another
host.Here is an example. This is the
/etc/printcap file for the host
rose. The printer rattan is
quite hearty, so we will allow multiple copies, but the laser
printer bamboo is a bit more delicate, so we will
disable multiple copies by adding the sc
capability:#
# /etc/printcap for host rose - restrict multiple copies on bamboo
#
rattan|line|diablo|lp|Diablo 630 Line Printer:\
:sh:sd=/var/spool/lpd/rattan:\
:lp=/dev/lpt0:\
:if=/usr/local/libexec/if-simple:
bamboo|ps|PS|S|panasonic|Panasonic KX-P4455 PostScript v51.4:\
:sh:sd=/var/spool/lpd/bamboo:sc:\
:lp=/dev/ttyd5:ms#-parenb cs8 clocal crtscts:rw:\
:if=/usr/local/libexec/psif:\
:df=/usr/local/libexec/psdf:Now, we also need to add the sc capability on
the host orchid's
/etc/printcap (and while we are at it, let us
disable multiple copies for the printer
teak):#
# /etc/printcap for host orchid - no multiple copies for local
# printer teak or remote printer bamboo
teak|hp|laserjet|Hewlett Packard LaserJet 3Si:\
:lp=/dev/lpt0:sd=/var/spool/lpd/teak:mx#0:sc:\
:if=/usr/local/libexec/ifhp:\
:vf=/usr/local/libexec/vfhp:\
:of=/usr/local/libexec/ofhp:
rattan|line|diablo|lp|Diablo 630 Line Printer:\
:lp=:rm=rose:rp=rattan:sd=/var/spool/lpd/rattan:
bamboo|ps|PS|S|panasonic|Panasonic KX-P4455 PostScript v51.4:\
:lp=:rm=rose:rp=bamboo:sd=/var/spool/lpd/bamboo:sc:By using the sc capability, we prevent the
use of lpr -#, but that still does not prevent
users from running &man.lpr.1;
multiple times, or from submitting the same file multiple times in
one job like this:&prompt.user; lpr forsale.sign forsale.sign forsale.sign forsale.sign forsale.signThere are many ways to prevent this abuse (including ignoring
it) which you are free to explore.Restricting Access to PrintersYou can control who can print to what printers by using the &unix;
group mechanism and the rg capability in
/etc/printcap. Just place the users you want
to have access to a printer in a certain group, and then name that
group in the rg capability.Users outside the group (including root)
will be greeted with
lpr: Not a member of the restricted group
if they try to print to the controlled printer.As with the sc (suppress multiple copies)
capability, you need to specify rg on remote
hosts that also have access to your printers, if you feel it is
appropriate (see section Printers Installed on
Remote Hosts).For example, we will let anyone access the printer
rattan, but only those in group
artists can use bamboo. Here
is the familiar /etc/printcap for host
rose:#
# /etc/printcap for host rose - restricted group for bamboo
#
rattan|line|diablo|lp|Diablo 630 Line Printer:\
:sh:sd=/var/spool/lpd/rattan:\
:lp=/dev/lpt0:\
:if=/usr/local/libexec/if-simple:
bamboo|ps|PS|S|panasonic|Panasonic KX-P4455 PostScript v51.4:\
:sh:sd=/var/spool/lpd/bamboo:sc:rg=artists:\
:lp=/dev/ttyd5:ms#-parenb cs8 clocal crtscts:rw:\
:if=/usr/local/libexec/psif:\
:df=/usr/local/libexec/psdf:Let us leave the other example
/etc/printcap file (for the host
orchid) alone. Of course, anyone on
orchid can print to bamboo. It
might be the case that we only allow certain logins on
orchid anyway, and want them to have access to the
printer. Or not.There can be only one restricted group per printer.Controlling Sizes of Jobs Submittedprint jobsIf you have many users accessing the printers, you probably need
to put an upper limit on the sizes of the files users can submit to
print. After all, there is only so much free space on the
filesystem that houses the spooling directories, and you also need
to make sure there is room for the jobs of other users.print jobscontrollingLPD enables you to limit the maximum
byte size a file in a job
can be with the mx capability. The units are in
BUFSIZ blocks, which are 1024 bytes. If you put
a zero for this
capability, there will be no limit on file size; however, if no
mx capability is specified, then a default limit
of 1000 blocks will be used.The limit applies to files in a job, and
not the total job size.LPD will not refuse a file that is
larger than the limit you
place on a printer. Instead, it will queue as much of the file up
to the limit, which will then get printed. The rest will be
discarded. Whether this is correct behavior is up for
debate.Let us add limits to our example printers
rattan and bamboo. Since
those artists' &postscript; files tend to be large, we will limit them
to five megabytes. We will put no limit on the plain text line
printer:#
# /etc/printcap for host rose
#
#
# No limit on job size:
#
rattan|line|diablo|lp|Diablo 630 Line Printer:\
:sh:mx#0:sd=/var/spool/lpd/rattan:\
:lp=/dev/lpt0:\
:if=/usr/local/libexec/if-simple:
#
# Limit of five megabytes:
#
bamboo|ps|PS|S|panasonic|Panasonic KX-P4455 PostScript v51.4:\
:sh:sd=/var/spool/lpd/bamboo:sc:rg=artists:mx#5000:\
:lp=/dev/ttyd5:ms#-parenb cs8 clocal crtscts:rw:\
:if=/usr/local/libexec/psif:\
:df=/usr/local/libexec/psdf:Again, the limits apply to the local users only. If you have
set up access to your printers remotely, remote users will not get
those limits. You will need to specify the mx
capability in the remote /etc/printcap files as
well. See section Printers Installed on
Remote Hosts for more information on remote
printing.There is another specialized way to limit job sizes from remote
printers; see section Restricting Jobs
from Remote Printers.Restricting Jobs from Remote PrintersThe LPD spooling system provides
several ways to restrict print
jobs submitted from remote hosts:Host restrictionsYou can control from which remote hosts a local
LPD accepts requests with the files
/etc/hosts.equiv and
/etc/hosts.lpd.
LPD checks to see if an
incoming request is from a host listed in either one of these
files. If not, LPD refuses the
request.The format of these files is simple: one host name per
line. Note that the file
/etc/hosts.equiv is also used by the
&man.ruserok.3; protocol, and affects programs like
&man.rsh.1; and &man.rcp.1;, so be careful.For example, here is the
/etc/hosts.lpd file on the host
rose:orchid
violet
madrigal.fishbaum.deThis means rose will accept requests from
the hosts orchid, violet,
and madrigal.fishbaum.de. If any
other host tries to access rose's
LPD, the job will be refused.Size restrictionsYou can control how much free space there needs to remain
on the filesystem where a spooling directory resides. Make a
file called minfree in the spooling
directory for the local printer. Insert in that file a number
representing how many disk blocks (512 bytes) of free space
there has to be for a remote job to be accepted.This lets you insure that remote users will not fill your
filesystem. You can also use it to give a certain priority to
local users: they will be able to queue jobs long after the
free disk space has fallen below the amount specified in the
minfree file.For example, let us add a minfree
file for the printer bamboo. We examine
/etc/printcap to find the spooling
directory for this printer; here is bamboo's
entry:bamboo|ps|PS|S|panasonic|Panasonic KX-P4455 PostScript v51.4:\
:sh:sd=/var/spool/lpd/bamboo:sc:rg=artists:mx#5000:\
:lp=/dev/ttyd5:ms#-parenb cs8 clocal crtscts:rw:mx#5000:\
:if=/usr/local/libexec/psif:\
:df=/usr/local/libexec/psdf:The spooling directory is given in the sd
capability. We will make three megabytes (which is 6144 disk blocks)
the amount of free disk space that must exist on the filesystem for
LPD to accept remote jobs:&prompt.root; echo 6144 > /var/spool/lpd/bamboo/minfree
User restrictionsYou can control which remote users can print to local
printers by specifying the rs capability in
/etc/printcap. When
rs appears in the entry for a
locally-attached printer, LPD will
accept jobs from remote
hosts if the user submitting the job also
has an account of the same login name on the local host.
Otherwise, LPD refuses the job.This capability is particularly useful in an environment
where there are (for example) different departments sharing a
network, and some users transcend departmental boundaries. By
giving them accounts on your systems, they can use your
printers from their own departmental systems. If you would
rather allow them to use only your
printers and not your computer resources, you can give them
token accounts, with no home directory and a
useless shell like /usr/bin/false.Accounting for Printer UsageaccountingprinterSo, you need to charge for printouts. And why not? Paper and ink
cost money. And then there are maintenance costs—printers are
loaded with moving parts and tend to break down. You have examined
your printers, usage patterns, and maintenance fees and have come up
with a per-page (or per-foot, per-meter, or per-whatever) cost. Now,
how do you actually start accounting for printouts?Well, the bad news is the LPD spooling
system does not provide
much help in this department. Accounting is highly dependent on the
kind of printer in use, the formats being printed, and
your requirements in charging for printer
usage.To implement accounting, you have to modify a printer's text
filter (to charge for plain text jobs) and the conversion filters (to
charge for other file formats), to count pages or query the printer
for pages printed. You cannot get away with using the simple output
filter, since it cannot do accounting. See section Filters.Generally, there are two ways to do accounting:Periodic accounting is the more common
way, possibly because it is easier. Whenever someone prints a
job, the filter logs the user, host, and number of pages to an
accounting file. Every month, semester, year, or whatever time
period you prefer, you collect the accounting files for the
various printers, tally up the pages printed by users, and charge
for usage. Then you truncate all the logging files, starting with
a clean slate for the next period.Timely accounting is less common,
probably because it is more difficult. This method has the
filters charge users for printouts as soon as they use the
printers. Like disk quotas, the accounting is immediate. You can
prevent users from printing when their account goes in the red,
and might provide a way for users to check and adjust their
print quotas. But this method requires some database
code to track users and their quotas.The LPD spooling system supports both
methods easily: since you
have to provide the filters (well, most of the time), you also have to
provide the accounting code. But there is a bright side: you have
enormous flexibility in your accounting methods. For example, you
choose whether to use periodic or timely accounting. You choose what
information to log: user names, host names, job types, pages printed,
square footage of paper used, how long the job took to print, and so
forth. And you do so by modifying the filters to save this
information.Quick and Dirty Printer AccountingFreeBSD comes with two programs that can get you set up with
simple periodic accounting right away. They are the text filter
lpf, described in section lpf: a Text Filter, and
&man.pac.8;, a program to gather and total
entries from printer accounting files.As mentioned in the section on filters (Filters),
LPD starts
the text and the conversion filters with the name of the accounting
file to use on the filter command line. The filters can use this
argument to know where to write an accounting file entry. The name
of this file comes from the af capability in
/etc/printcap, and if not specified as an
absolute path, is relative to the spooling directory.LPD starts lpf
with page width and length
arguments (from the pw and pl
capabilities). lpf uses these arguments to
determine how much paper will be used. After sending the file to
the printer, it then writes an accounting entry in the accounting
file. The entries look like this:2.00 rose:andy
3.00 rose:kelly
3.00 orchid:mary
5.00 orchid:mary
2.00 orchid:zhangYou should use a separate accounting file for each printer, as
lpf has no file locking logic built into it, and
two lpfs might corrupt each other's entries if
they were to write to the same file at the same time. An easy way
to insure a separate accounting file for each printer is to use
af=acct in /etc/printcap.
Then, each accounting file will be in the spooling directory for a
printer, in a file named acct.When you are ready to charge users for printouts, run the
&man.pac.8; program. Just change to the spooling directory for
the printer you want to collect on and type pac.
You will get a dollar-centric summary like the following: Login pages/feet runs price
orchid:kelly 5.00 1 $ 0.10
orchid:mary 31.00 3 $ 0.62
orchid:zhang 9.00 1 $ 0.18
rose:andy 2.00 1 $ 0.04
rose:kelly 177.00 104 $ 3.54
rose:mary 87.00 32 $ 1.74
rose:root 26.00 12 $ 0.52
total 337.00 154 $ 6.74These are the arguments &man.pac.8; expects:Which printer to summarize.
This option works only if there is an absolute path in the
af capability in
/etc/printcap.Sort the output by cost instead of alphabetically by user
name.Ignore host name in the accounting files. With this
option, user smith on host
alpha is the same user
smith on host gamma.
Without, they are different users.Compute charges with price
dollars per page or per foot instead of the price from the
pc capability in
/etc/printcap, or two cents (the
default). You can specify price as
a floating point number.Reverse the sort order.Make an accounting summary file and truncate the
accounting file.name…Print accounting information for the given user
names only.In the default summary that &man.pac.8; produces, you see the
number of pages printed by each user from various hosts. If, at
your site, host does not matter (because users can use any host),
run pac -m, to produce the following
summary: Login pages/feet runs price
andy 2.00 1 $ 0.04
kelly 182.00 105 $ 3.64
mary 118.00 35 $ 2.36
root 26.00 12 $ 0.52
zhang 9.00 1 $ 0.18
total 337.00 154 $ 6.74To compute the dollar amount due,
&man.pac.8; uses the pc capability in the
/etc/printcap file (default of 200, or 2 cents
per page). Specify, in hundredths of cents, the price per page or
per foot you want to charge for printouts in this capability. You
can override this value when you run &man.pac.8; with the
option. The units for the
option are in dollars, though, not hundredths of cents. For
example,
&prompt.root; pac -p1.50
makes each page cost one dollar and fifty cents. You can really
rake in the profits by using this option.Finally, running pac -s will save the summary
information in a summary accounting file, which is named the same as
the printer's accounting file, but with _sum
appended to the name. It then truncates the accounting file. When
you run &man.pac.8; again, it rereads the
summary file to get starting totals, then adds information from the
regular accounting file.How Can You Count Pages Printed?In order to perform even remotely accurate accounting, you need
to be able to determine how much paper a job uses. This is the
essential problem of printer accounting.For plain text jobs, the problem is not that hard to solve: you
count how many lines are in a job and compare it to how many lines
per page your printer supports. Do not forget to take into account
backspaces in the file which overprint lines, or long logical lines
that wrap onto one or more additional physical lines.The text filter lpf (introduced in lpf: a Text Filter) takes
into account these things when it does accounting. If you are
writing a text filter which needs to do accounting, you might want
to examine lpf's source code.How do you handle other file formats, though?Well, for DVI-to-LaserJet or DVI-to-&postscript; conversion, you
can have your filter parse the diagnostic output of
dvilj or dvips and look to see
how many pages were converted. You might be able to do similar
things with other file formats and conversion programs.But these methods suffer from the fact that the printer may not
actually print all those pages. For example, it could jam, run out
of toner, or explode—and the user would still get
charged.So, what can you do?There is only one sure way to do
accurate accounting. Get a printer that can
tell you how much paper it uses, and attach it via a serial line or
a network connection. Nearly all &postscript; printers support this
notion. Other makes and models do as well (networked Imagen laser
printers, for example). Modify the filters for these printers to
get the page usage after they print each job and have them log
accounting information based on that value
only. There is no line counting nor
error-prone file examination required.Of course, you can always be generous and make all printouts
free.Using PrintersprintersusageThis section tells you how to use printers you have set up with
FreeBSD. Here is an overview of the user-level commands:&man.lpr.1;Print jobs&man.lpq.1;Check printer queues&man.lprm.1;Remove jobs from a printer's queueThere is also an administrative command, &man.lpc.8;, described in
the section Administering the
LPD
Spooler, used to control printers and their queues.All three of the commands &man.lpr.1;, &man.lprm.1;, and &man.lpq.1;
accept an option to specify on which
printer/queue to operate, as listed in the
/etc/printcap file. This enables you to submit,
remove, and check on jobs for various printers. If you do not use the
option, then these commands use the printer
specified in the PRINTER environment variable. Finally,
if you do not have a PRINTER environment variable, these
commands default to the printer named lp.Hereafter, the terminology default printer
means the printer named in the PRINTER environment
variable, or the printer named lp when there is no
PRINTER environment variable.Printing JobsTo print files, type:&prompt.user; lpr filename...printingThis prints each of the listed files to the default printer. If
you list no files, &man.lpr.1; reads data to
print from standard input. For example, this command prints some
important system files:&prompt.user; lpr /etc/host.conf /etc/hosts.equivTo select a specific printer, type:&prompt.user; lpr -P printer-namefilename...This example prints a long listing of the current directory to the
printer named rattan:&prompt.user; ls -l | lpr -P rattanBecause no files were listed for the
&man.lpr.1; command, lpr read the data to print
from standard input, which was the output of the ls
-l command.The &man.lpr.1; command can also accept a wide variety of options
to control formatting, apply file conversions, generate multiple
copies, and so forth. For more information, see the section Printing Options.Checking Jobsprint jobsWhen you print with &man.lpr.1;, the data you wish to print is put
together in a package called a print job, which is sent
to the LPD spooling system. Each printer
has a queue of jobs, and
your job waits in that queue along with other jobs from yourself and
from other users. The printer prints those jobs in a first-come,
first-served order.To display the queue for the default printer, type &man.lpq.1;.
For a specific printer, use the option. For
example, the command
&prompt.user; lpq -P bamboo
shows the queue for the printer named bamboo. Here
is an example of the output of the lpq
command:bamboo is ready and printing
Rank Owner Job Files Total Size
active kelly 9 /etc/host.conf, /etc/hosts.equiv 88 bytes
2nd kelly 10 (standard input) 1635 bytes
3rd mary 11 ... 78519 bytesThis shows three jobs in the queue for bamboo.
The first job, submitted by user kelly, got assigned job
number 9. Every job for a printer gets a unique job number.
Most of the time you can ignore the job number, but you will need it
if you want to cancel the job; see section Removing Jobs for details.Job number nine consists of two files; multiple files given on the
&man.lpr.1; command line are treated as part of a single job. It
is the currently active job (note the word active
under the Rank column), which means the printer should
be currently printing that job. The second job consists of data
passed as the standard input to the &man.lpr.1; command. The third
job came from user mary; it is a much larger
job. The pathname of the file she is trying to print is too long to
fit, so the &man.lpq.1; command just shows three dots.The very first line of the output from &man.lpq.1; is also useful:
it tells what the printer is currently doing (or at least what
LPD thinks the printer is doing).The &man.lpq.1; command also support a option
to generate a detailed long listing. Here is an example of
lpq -l:waiting for bamboo to become ready (offline ?)
kelly: 1st [job 009rose]
/etc/host.conf 73 bytes
/etc/hosts.equiv 15 bytes
kelly: 2nd [job 010rose]
(standard input) 1635 bytes
mary: 3rd [job 011rose]
/home/orchid/mary/research/venus/alpha-regio/mapping 78519 bytesRemoving JobsIf you change your mind about printing a job, you can remove the
job from the queue with the &man.lprm.1; command. Often, you can
even use &man.lprm.1; to remove an active job, but some or all of the
job might still get printed.To remove a job from the default printer, first use
&man.lpq.1; to find the job number. Then type:&prompt.user; lprm job-numberTo remove the job from a specific printer, add the
option. The following command removes job number
10 from the queue for the printer bamboo:&prompt.user; lprm -P bamboo 10The &man.lprm.1; command has a few shortcuts:lprm -Removes all jobs (for the default printer) belonging to
you.lprm userRemoves all jobs (for the default printer) belonging to
user. The superuser can remove other
users' jobs; you can remove only your own jobs.lprmWith no job number, user name, or
appearing on the command line,
&man.lprm.1; removes the currently active job on the
default printer, if it belongs to you. The superuser can remove
any active job.Just use the option with the above shortcuts
to operate on a specific printer instead of the default. For example,
the following command removes all jobs for the current user in the
queue for the printer named rattan:&prompt.user; lprm -P rattan -If you are working in a networked environment, &man.lprm.1; will
let you remove jobs only from the
host from which the jobs were submitted, even if the same printer is
available from other hosts. The following command sequence
demonstrates this:&prompt.user; lpr -P rattan myfile
&prompt.user; rlogin orchid
&prompt.user; lpq -P rattan
Rank Owner Job Files Total Size
active seeyan 12 ... 49123 bytes
2nd kelly 13 myfile 12 bytes
&prompt.user; lprm -P rattan 13
rose: Permission denied
&prompt.user; logout
&prompt.user; lprm -P rattan 13
dfA013rose dequeued
cfA013rose dequeued
Beyond Plain Text: Printing OptionsThe &man.lpr.1; command supports a number of options that control
formatting text, converting graphic and other file formats, producing
multiple copies, handling of the job, and more. This section
describes the options.Formatting and Conversion OptionsThe following &man.lpr.1; options control formatting of the
files in the job. Use these options if the job does not contain
plain text or if you want plain text formatted through the
&man.pr.1; utility.&tex;For example, the following command prints a DVI file (from the
&tex; typesetting system) named fish-report.dvi
to the printer named bamboo:&prompt.user; lpr -P bamboo -d fish-report.dviThese options apply to every file in the job, so you cannot mix
(say) DVI and ditroff files together in a job. Instead, submit the
files as separate jobs, using a different conversion option for each
job.All of these options except and
require conversion filters installed for the
destination printer. For example, the option
requires the DVI conversion filter. Section Conversion
Filters gives details.Print cifplot files.Print DVI files.Print FORTRAN text files.Print plot data.Indent the output by number
columns; if you omit number, indent
by 8 columns. This option works only with certain conversion
filters.Do not put any space between the and
the number.Print literal text data, including control
characters.Print ditroff (device independent troff) data.-pFormat plain text with &man.pr.1; before printing. See
&man.pr.1; for more information.Use title on the
&man.pr.1; header instead of the file name. This option has
effect only when used with the
option.Print troff data.Print raster data.Here is an example: this command prints a nicely formatted
version of the &man.ls.1; manual page on the default printer:&prompt.user; zcat /usr/share/man/man1/ls.1.gz | troff -t -man | lpr -tThe &man.zcat.1; command uncompresses the source of the
&man.ls.1; manual page and passes it to the &man.troff.1;
command, which formats that source and makes GNU troff
output and passes it to &man.lpr.1;, which submits the job
to the LPD spooler. Because we
used the
option to &man.lpr.1;, the spooler will convert the GNU
troff output into a format the default printer can
understand when it prints the job.Job Handling OptionsThe following options to &man.lpr.1; tell
LPD to handle the job
specially:-# copiesProduce a number of copies of
each file in the job instead of just one copy. An
administrator may disable this option to reduce printer
wear-and-tear and encourage photocopier usage. See section
Restricting
Multiple Copies.This example prints three copies of
parser.c followed by three copies of
parser.h to the default printer:&prompt.user; lpr -#3 parser.c parser.h-mSend mail after completing the print job. With this
option, the LPD system will send
mail to your account when it
finishes handling your job. In its message, it will tell you
if the job completed successfully or if there was an error,
and (often) what the error was.-sDo not copy the files to the spooling directory, but make
symbolic links to them instead.If you are printing a large job, you probably want to use
this option. It saves space in the spooling directory (your
job might overflow the free space on the filesystem where the
spooling directory resides). It saves time as well since
LPD
will not have to copy each and every byte of your job to the
spooling directory.There is a drawback, though: since
LPD will refer to the
original files directly, you cannot modify or remove them
until they have been printed.If you are printing to a remote printer,
LPD will
eventually have to copy files from the local host to the
remote host, so the option will save
space only on the local spooling directory, not the remote.
It is still useful, though.-rRemove the files in the job after copying them to the
spooling directory, or after printing them with the
option. Be careful with this
option!Header Page OptionsThese options to &man.lpr.1; adjust the text that normally
appears on a job's header page. If header pages are suppressed for
the destination printer, these options have no effect. See section
Header Pages
for information about setting up header pages.-C textReplace the hostname on the header page with
text. The hostname is normally the
name of the host from which the job was submitted.-J textReplace the job name on the header page with
text. The job name is normally the
name of the first file of the job, or
stdin if you are printing standard
input.-hDo not print any header page.At some sites, this option may have no effect due to the
way header pages are generated. See Header
Pages for details.Administering PrintersAs an administrator for your printers, you have had to install,
set up, and test them. Using the &man.lpc.8; command, you
can interact with your printers in yet more ways. With &man.lpc.8;,
you canStart and stop the printersEnable and disable their queuesRearrange the order of the jobs in each queue.First, a note about terminology: if a printer is
stopped, it will not print anything in its queue.
Users can still submit jobs, which will wait in the queue until the
printer is started or the queue is
cleared.If a queue is disabled, no user (except
root) can submit jobs for the printer. An
enabled queue allows jobs to be submitted. A
printer can be started for a disabled queue, in
which case it will continue to print jobs in the queue until the queue
is empty.In general, you have to have root privileges
to use the &man.lpc.8; command. Ordinary users can use the &man.lpc.8;
command to get printer status and to restart a hung printer only.Here is a summary of the &man.lpc.8; commands. Most of the
commands take a printer-name argument to
tell on which printer to operate. You can use all
for the printer-name to mean all printers
listed in /etc/printcap.abort
printer-nameCancel the current job and stop the printer. Users can
still submit jobs if the queue is enabled.clean
printer-nameRemove old files from the printer's spooling directory.
Occasionally, the files that make up a job are not properly
removed by LPD, particularly if
there have been errors during
printing or a lot of administrative activity. This command
finds files that do not belong in the spooling directory and
removes them.disable
printer-nameDisable queuing of new jobs. If the printer is running, it
will continue to print any jobs remaining in the queue. The
superuser (root) can always submit jobs,
even to a disabled queue.This command is useful while you are testing a new printer
or filter installation: disable the queue and submit jobs as
root. Other users will not be able to submit
jobs until you complete your testing and re-enable the queue with
the enable command.down printer-namemessageTake a printer down. Equivalent to
disable followed by stop.
The message appears as the printer's
status whenever a user checks the printer's queue with
&man.lpq.1; or status with lpc
status.enable
printer-nameEnable the queue for a printer. Users can submit jobs but
the printer will not print anything until it is started.help
command-namePrint help on the command
command-name. With no
command-name, print a summary of the
commands available.restart
printer-nameStart the printer. Ordinary users can use this command if
some extraordinary circumstance hangs
LPD, but they cannot start
a printer stopped with either the stop or
down commands. The
restart command is equivalent to
abort followed by
start.start
printer-nameStart the printer. The printer will print jobs in its
queue.stop
printer-nameStop the printer. The printer will finish the current job
and will not print anything else in its queue. Even though the
printer is stopped, users can still submit jobs to an enabled
queue.topq printer-namejob-or-usernameRearrange the queue for
printer-name by placing the jobs with
the listed job numbers or the jobs
belonging to username at the top of
the queue. For this command, you cannot use
all as the
printer-name.up
printer-nameBring a printer up; the opposite of the
down command. Equivalent to
start followed by
enable.&man.lpc.8; accepts the above commands on the command line. If
you do not enter any commands, &man.lpc.8; enters an interactive mode,
where you can enter commands until you type exit,
quit, or end-of-file.Alternatives to the Standard SpoolerIf you have been reading straight through this manual, by now you
have learned just about everything there is to know about the
LPD
spooling system that comes with FreeBSD. You can probably appreciate
many of its shortcomings, which naturally leads to the question:
What other spooling systems are out there (and work with
FreeBSD)?LPRngLPRngLPRng, which purportedly means
LPR: the Next
Generation is a complete rewrite of PLP. Patrick Powell
and Justin Mason (the principal maintainer of PLP) collaborated to
make LPRng. The main site for
LPRng is .CUPSCUPSCUPS, the Common UNIX Printing
System, provides a portable printing layer for &unix;-based
operating systems. It has been developed by Easy Software
Products to promote a standard printing solution for all &unix;
vendors and users.CUPS uses the Internet Printing
Protocol (IPP) as the basis for managing
print jobs and queues. The Line Printer Daemon
(LPD) Server Message Block
(SMB), and AppSocket (a.k.a. JetDirect)
protocols are also supported with reduced functionality. CUPS
adds network printer browsing and PostScript Printer Description
(PPD) based printing options to support
real-world printing under &unix;.The main site for CUPS is .TroubleshootingAfter performing the simple test with &man.lptest.1;, you might
have gotten one of the following results instead of the correct
printout:It worked, after awhile; or, it did not eject a full
sheet.The printer printed the above, but it sat for awhile and
did nothing. In fact, you might have needed to press a
PRINT REMAINING or FORM FEED button on the printer to get any
results to appear.If this is the case, the printer was probably waiting to
see if there was any more data for your job before it printed
anything. To fix this problem, you can have the text filter
send a FORM FEED character (or whatever is necessary) to the
printer. This is usually sufficient to have the printer
immediately print any text remaining in its internal buffer.
It is also useful to make sure each print job ends on a full
sheet, so the next job does not start somewhere on the middle
of the last page of the previous job.The following replacement for the shell script
/usr/local/libexec/if-simple prints a
form feed after it sends the job to the printer:#!/bin/sh
#
# if-simple - Simple text input filter for lpd
# Installed in /usr/local/libexec/if-simple
#
# Simply copies stdin to stdout. Ignores all filter arguments.
# Writes a form feed character (\f) after printing job.
/bin/cat && printf "\f" && exit 0
exit 2It produced the staircase effect.You got the following on paper:!"#$%&'()*+,-./01234
"#$%&'()*+,-./012345
#$%&'()*+,-./0123456MS-DOSOS/2ASCIIYou have become another victim of the staircase
effect, caused by conflicting interpretations of
what characters should indicate a new line. &unix; style
operating systems use a single character: ASCII code 10, the
line feed (LF). &ms-dos;, &os2;, and others uses a pair of
characters, ASCII code 10 and ASCII code
13 (the carriage return or CR). Many printers use the &ms-dos;
convention for representing new-lines.When you print with FreeBSD, your text used just the line
feed character. The printer, upon seeing a line feed
character, advanced the paper one line, but maintained the
same horizontal position on the page for the next character
to print. That is what the carriage return is for: to move
the location of the next character to print to the left edge
of the paper.Here is what FreeBSD wants your printer to do:Printer received CRPrinter prints CRPrinter received LFPrinter prints CR + LFHere are some ways to achieve this:Use the printer's configuration switches or control
panel to alter its interpretation of these characters.
Check your printer's manual to find out how to do
this.If you boot your system into other operating systems
besides FreeBSD, you may have to
reconfigure the printer to use a an
interpretation for CR and LF characters that those other
operating systems use. You might prefer one of the other
solutions, below.Have FreeBSD's serial line driver automatically
convert LF to CR+LF. Of course, this works with printers
on serial ports only. To enable this
feature, use the ms# capability and
set the onlcr mode
in the /etc/printcap file
for the printer.Send an escape code to the
printer to have it temporarily treat LF characters
differently. Consult your printer's manual for escape
codes that your printer might support. When you find the
proper escape code, modify the text filter to send the
code first, then send the print job.PCLHere is an example text filter for printers that
understand the Hewlett-Packard PCL escape codes. This
filter makes the printer treat LF characters as a LF and
CR; then it sends the job; then it sends a form feed to
eject the last page of the job. It should work with
nearly all Hewlett Packard printers.#!/bin/sh
#
# hpif - Simple text input filter for lpd for HP-PCL based printers
# Installed in /usr/local/libexec/hpif
#
# Simply copies stdin to stdout. Ignores all filter arguments.
# Tells printer to treat LF as CR+LF. Ejects the page when done.
printf "\033&k2G" && cat && printf "\033&l0H" && exit 0
exit 2Here is an example /etc/printcap
from a host called orchid. It has a single printer
attached to its first parallel port, a Hewlett Packard
LaserJet 3Si named teak. It is using the
above script as its text filter:#
# /etc/printcap for host orchid
#
teak|hp|laserjet|Hewlett Packard LaserJet 3Si:\
:lp=/dev/lpt0:sh:sd=/var/spool/lpd/teak:mx#0:\
:if=/usr/local/libexec/hpif:It overprinted each line.The printer never advanced a line. All of the lines of
text were printed on top of each other on one line.This problem is the opposite of the
staircase effect, described above, and is much rarer.
Somewhere, the LF characters that FreeBSD uses to end a line
are being treated as CR characters to return the print
location to the left edge of the paper, but not also down a
line.Use the printer's configuration switches or control panel
to enforce the following interpretation of LF and CR
characters:Printer receivesPrinter printsCRCRLFCR + LFThe printer lost characters.While printing, the printer did not print a few characters
in each line. The problem might have gotten worse as the
printer ran, losing more and more characters.The problem is that the printer cannot keep up with the
speed at which the computer sends data over a serial line
(this problem should not occur with printers on parallel
ports). There are two ways to overcome the problem:If the printer supports XON/XOFF flow control, have
FreeBSD use it by specifying the ixon mode
in the ms# capability.If the printer supports carrier flow control, specify
the crtscts mode in the
ms# capability.
Make sure the cable connecting the printer to the computer
is correctly wired for carrier flow control.It printed garbage.The printer printed what appeared to be random garbage,
but not the desired text.This is usually another symptom of incorrect
communications parameters with a serial printer. Double-check
the bps rate in the br capability, and the
parity setting in the
ms# capability; make sure the printer is
using the same settings as specified in the
/etc/printcap file.Nothing happened.If nothing happened, the problem is probably within
FreeBSD and not the hardware. Add the log file
(lf) capability to the entry for the
printer you are debugging in the
/etc/printcap file. For example, here is
the entry for rattan, with the
lf capability:rattan|line|diablo|lp|Diablo 630 Line Printer:\
:sh:sd=/var/spool/lpd/rattan:\
:lp=/dev/lpt0:\
:if=/usr/local/libexec/if-simple:\
:lf=/var/log/rattan.logThen, try printing again. Check the log file (in our
example, /var/log/rattan.log) to see any
error messages that might appear. Based on the messages you
see, try to correct the problem.If you do not specify a lf capability,
LPD uses
/dev/console as a default.
diff --git a/en_US.ISO8859-1/books/handbook/security/chapter.sgml b/en_US.ISO8859-1/books/handbook/security/chapter.sgml
index 1f0119f045..dea91e8e61 100644
--- a/en_US.ISO8859-1/books/handbook/security/chapter.sgml
+++ b/en_US.ISO8859-1/books/handbook/security/chapter.sgml
@@ -1,7583 +1,7583 @@
MatthewDillonMuch of this chapter has been taken from the
security(7) manual page by SecuritysecuritySynopsisThis chapter will provide a basic introduction to system security
concepts, some general good rules of thumb, and some advanced topics
under &os;. A lot of the topics covered here can be applied
to system and Internet security in general as well. The Internet
is no longer a friendly place in which everyone
wants to be your kind neighbor. Securing your system is imperative
to protect your data, intellectual property, time, and much more
from the hands of hackers and the like.&os; provides an array of utilities and mechanisms to ensure
the integrity and security of your system and network.After reading this chapter, you will know:Basic system security concepts, in respect to &os;.About the various crypt mechanisms available in &os;,
such as DES and MD5.How to set up one-time password authentication.How to configure TCP Wrappers for use
with inetd.How to set up KerberosIV on &os;
releases prior to 5.0.How to set up Kerberos5 on
post &os; 5.0 releases.How to create firewalls using IPFW.How to configure IPsec and create a VPN between
&os;/&windows; machines.How to configure and use OpenSSH, &os;'s SSH
implementation.What file system ACLs are and how to use them.How to utilize the &os; security advisories
publications.Before reading this chapter, you should:Understand basic &os; and Internet concepts.IntroductionSecurity is a function that begins and ends with the system
administrator. While all BSD &unix; multi-user systems have some
inherent security, the job of building and maintaining additional
security mechanisms to keep those users honest is
probably one of the single largest undertakings of the sysadmin.
Machines are only as secure as you make them, and security concerns
are ever competing with the human necessity for convenience. &unix;
systems, in general, are capable of running a huge number of
simultaneous processes and many of these processes operate as
servers — meaning that external entities can connect and talk
to them. As yesterday's mini-computers and mainframes become
today's desktops, and as computers become networked and
internetwork, security becomes an even bigger issue.Security is best implemented through a layered
onion approach. In a nutshell, what you want to do is
to create as many layers of security as are convenient and then
carefully monitor the system for intrusions. You do not want to
overbuild your security or you will interfere with the detection
side, and detection is one of the single most important aspects of
any security mechanism. For example, it makes little sense to set
the schg flags (see &man.chflags.1;) on every
system binary because
while this may temporarily protect the binaries, it prevents an
attacker who has broken in from making an easily detectable change
that may result in your security mechanisms not detecting the attacker
at all.System security also pertains to dealing with various forms of
attack, including attacks that attempt to crash, or otherwise make a
system unusable, but do not attempt to compromise the
root account (break root).
Security concerns
can be split up into several categories:Denial of service attacks.User account compromises.Root compromise through accessible servers.Root compromise via user accounts.Backdoor creation.DoS attacksDenial of Service (DoS)securityDoS attacksDenial of Service (DoS)Denial of Service (DoS)A denial of service attack is an action that deprives the
machine of needed resources. Typically, DoS attacks are
brute-force mechanisms that attempt to crash or otherwise make a
machine unusable by overwhelming its servers or network stack. Some
DoS attacks try to take advantage of bugs in the networking
stack to crash a machine with a single packet. The latter can only
be fixed by applying a bug fix to the kernel. Attacks on servers
can often be fixed by properly specifying options to limit the load
the servers incur on the system under adverse conditions.
Brute-force network attacks are harder to deal with. A
spoofed-packet attack, for example, is nearly impossible to stop,
short of cutting your system off from the Internet. It may not be
able to take your machine down, but it can saturate your
Internet connection.securityaccount compromisesA user account compromise is even more common than a DoS
attack. Many sysadmins still run standard
telnetd, rlogind,
rshd,
and ftpd servers on their machines.
These servers, by default, do
not operate over encrypted connections. The result is that if you
have any moderate-sized user base, one or more of your users logging
into your system from a remote location (which is the most common
and convenient way to login to a system) will have his or her
password sniffed. The attentive system admin will analyze his
remote access logs looking for suspicious source addresses even for
successful logins.One must always assume that once an attacker has access to a
user account, the attacker can break root.
However, the reality is that in a well secured and maintained system,
access to a user account does not necessarily give the attacker
access to root. The distinction is important
because without access to root the attacker
cannot generally hide his tracks and may, at best, be able to do
nothing more than mess with the user's files, or crash the machine.
User account compromises are very common because users tend not to
take the precautions that sysadmins take.securitybackdoorsSystem administrators must keep in mind that there are
potentially many ways to break root on a machine.
The attacker may know the root password,
the attacker may find a bug in a root-run server and be able
to break root over a network
connection to that server, or the attacker may know of a bug in
a suid-root program that allows the attacker to break
root once he has broken into a user's account.
If an attacker has found a way to break root
on a machine, the attacker may not have a need
to install a backdoor. Many of the root holes
found and closed to date involve a considerable amount of work
by the attacker to cleanup after himself, so most attackers install
backdoors. A backdoor provides the attacker with a way to easily
regain root access to the system, but it
also gives the smart system administrator a convenient way
to detect the intrusion.
Making it impossible for an attacker to install a backdoor may
actually be detrimental to your security, because it will not
close off the hole the attacker found to break in the first
place.Security remedies should always be implemented with a
multi-layered onion peel approach and can be
categorized as follows:Securing root and staff accounts.Securing root–run servers
and suid/sgid binaries.Securing user accounts.Securing the password file.Securing the kernel core, raw devices, and
file systems.Quick detection of inappropriate changes made to the
system.Paranoia.The next section of this chapter will cover the above bullet
items in greater depth.Securing &os;securitysecuring &os;Command vs. ProtocolThroughout this document, we will use
bold text to refer to an
application, and a monospaced font to refer
to specific commands. Protocols will use a normal font. This
typographical distinction is useful for instances such as ssh,
since it is
a protocol as well as command.The sections that follow will cover the methods of securing your
&os; system that were mentioned in the last section of this chapter.Securing the root Account and
Staff AccountssuFirst off, do not bother securing staff accounts if you have
not secured the root account.
Most systems have a password assigned to the root
account. The first thing you do is assume
that the password is always compromised.
This does not mean that you should remove the password. The
password is almost always necessary for console access to the
machine. What it does mean is that you should not make it
possible to use the password outside of the console or possibly
even with the &man.su.1; command. For example, make sure that
your ptys are specified as being insecure in the
/etc/ttys file so that direct
root logins
via telnet or rlogin are
disallowed. If using other login services such as
sshd, make sure that direct
root logins are disabled there as well.
You can do this by editing
your /etc/ssh/sshd_config file, and making
sure that PermitRootLogin is set to
NO. Consider every access method —
services such as FTP often fall through the cracks.
Direct root logins should only be allowed
via the system console.wheelOf course, as a sysadmin you have to be able to get to
root, so we open up a few holes.
But we make sure these holes require additional password
verification to operate. One way to make root
accessible is to add appropriate staff accounts to the
wheel group (in
/etc/group). The staff members placed in the
wheel group are allowed to
su to root.
You should never give staff
members native wheel access by putting them in the
wheel group in their password entry. Staff
accounts should be placed in a staff group, and
then added to the wheel group via the
/etc/group file. Only those staff members
who actually need to have root access
should be placed in the
wheel group. It is also possible, when using
an authentication method such as Kerberos, to use Kerberos'
.k5login file in the root
account to allow a &man.ksu.1; to root
without having to place anyone at all in the
wheel group. This may be the better solution
since the wheel mechanism still allows an
intruder to break root if the intruder
has gotten hold of your
password file and can break into a staff account. While having
the wheel mechanism is better than having
nothing at all, it is not necessarily the safest option.An indirect way to secure staff accounts, and ultimately
root access is to use an alternative
login access method and
do what is known as starring out the encrypted
password for the staff accounts. Using the &man.vipw.8;
command, one can replace each instance of an encrypted password
with a single * character.
This command will update the /etc/master.passwd
file and user/password database to disable password-authenticated
logins.A staff account entry such as:foobar:R9DT/Fa1/LV9U:1000:1000::0:0:Foo Bar:/home/foobar:/usr/local/bin/tcshShould be changed to this:foobar:*:1000:1000::0:0:Foo Bar:/home/foobar:/usr/local/bin/tcshThis change will prevent normal logins from occurring,
since the encrypted password will never match
*. With this done,
staff members must use
another mechanism to authenticate themselves such as
&man.kerberos.1; or &man.ssh.1; using a public/private key
pair. When using something like Kerberos, one generally must
secure the machines which run the Kerberos servers and your
desktop workstation. When using a public/private key pair
with ssh, one must generally secure
the machine used to login from (typically
one's workstation). An additional layer of protection can be
added to the key pair by password protecting the key pair when
creating it with &man.ssh-keygen.1;. Being able to
star out the passwords for staff accounts also
guarantees that staff members can only login through secure
access methods that you have set up. This forces all staff
members to use secure, encrypted connections for all of their
sessions, which closes an important hole used by many
intruders: sniffing the network from an unrelated,
less secure machine.The more indirect security mechanisms also assume that you are
logging in from a more restrictive server to a less restrictive
server. For example, if your main box is running all sorts of
servers, your workstation should not be running any. In order for
your workstation to be reasonably secure you should run as few
servers as possible, up to and including no servers at all, and
you should run a password-protected screen blanker. Of course,
given physical access to a workstation an attacker can break any
sort of security you put on it. This is definitely a problem that
you should consider, but you should also consider the fact that the
vast majority of break-ins occur remotely, over a network, from
people who do not have physical access to your workstation or
servers.KerberosIVUsing something like Kerberos also gives you the ability to
disable or change the password for a staff account in one place,
and have it immediately affect all the machines on which the staff
member may have an account. If a staff member's account gets
compromised, the ability to instantly change his password on all
machines should not be underrated. With discrete passwords,
changing a password on N machines can be a mess. You can also
impose re-passwording restrictions with Kerberos: not only can a
Kerberos ticket be made to timeout after a while, but the Kerberos
system can require that the user choose a new password after a
certain period of time (say, once a month).Securing Root-run Servers and SUID/SGID BinariesntalkcomsatfingersandboxessshdtelnetdrshdrlogindThe prudent sysadmin only runs the servers he needs to, no
more, no less. Be aware that third party servers are often the
most bug-prone. For example, running an old version of
imapd or
popper is like giving a universal
root ticket out to the entire world.
Never run a server that you have not checked out carefully.
Many servers do not need to be run as root.
For example, the ntalk,
comsat, and
finger daemons can be run in special
user sandboxes. A sandbox is not perfect,
unless you go through a large amount of trouble, but the onion
approach to security still stands: If someone is able to break
in through a server running in a sandbox, they still have to
break out of the sandbox. The more layers the attacker must
break through, the lower the likelihood of his success. Root
holes have historically been found in virtually every server
ever run as root, including basic system servers.
If you are running a machine through which people only login via
sshd and never login via
telnetd or
rshd or
rlogind, then turn off those
services!&os; now defaults to running
ntalkd,
comsat, and
finger in a sandbox. Another program
which may be a candidate for running in a sandbox is &man.named.8;.
/etc/defaults/rc.conf includes the arguments
necessary to run named in a sandbox in a
commented-out form. Depending on whether you are installing a new
system or upgrading an existing system, the special user accounts
used by these sandboxes may not be installed. The prudent
sysadmin would research and implement sandboxes for servers
whenever possible.sendmailThere are a number of other servers that typically do not run
in sandboxes: sendmail,
popper,
imapd, ftpd,
and others. There are alternatives to some of these, but
installing them may require more work than you are willing to
perform (the convenience factor strikes again). You may have to
run these servers as root and rely on other
mechanisms to detect break-ins that might occur through them.The other big potential root holes in a
system are the
suid-root and sgid binaries installed on the system. Most of
these binaries, such as rlogin, reside
in /bin, /sbin,
/usr/bin, or /usr/sbin.
While nothing is 100% safe, the system-default suid and sgid
binaries can be considered reasonably safe. Still,
root holes are occasionally found in these
binaries. A root hole was found in
Xlib in 1998 that made
xterm (which is typically suid)
vulnerable. It is better to be safe than sorry and the prudent
sysadmin will restrict suid binaries, that only staff should run,
to a special group that only staff can access, and get rid of
(chmod 000) any suid binaries that nobody uses.
A server with no display generally does not need an
xterm binary. Sgid binaries can be
almost as dangerous. If an intruder can break an sgid-kmem binary,
the intruder might be able to read /dev/kmem
and thus read the encrypted password file, potentially compromising
any passworded account. Alternatively an intruder who breaks
group kmem can monitor keystrokes sent through
ptys, including Pt's used by users who login through secure
methods. An intruder that breaks the tty
group can write to
almost any user's tty. If a user is running a terminal program or
emulator with a keyboard-simulation feature, the intruder can
potentially generate a data stream that causes the user's terminal
to echo a command, which is then run as that user.Securing User AccountsUser accounts are usually the most difficult to secure. While
you can impose Draconian access restrictions on your staff and
star out their passwords, you may not be able to
do so with any general user accounts you might have. If you do
have sufficient control, then you may win out and be able to secure
the user accounts properly. If not, you simply have to be more
vigilant in your monitoring of those accounts. Use of
ssh and Kerberos for user accounts is
more problematic, due to the extra administration and technical
support required, but still a very good solution compared to a
crypted password file.Securing the Password FileThe only sure fire way is to * out as many
passwords as you can and use ssh or
Kerberos for access to those accounts. Even though the encrypted
password file (/etc/spwd.db) can only be read
by root, it may be possible for an intruder
to obtain read access to that file even if the attacker cannot
obtain root-write access.Your security scripts should always check for and report
changes to the password file (see the Checking file integrity section
below).Securing the Kernel Core, Raw Devices, and
File systemsIf an attacker breaks root he can do
just about anything, but
there are certain conveniences. For example, most modern kernels
have a packet sniffing device driver built in. Under &os; it
is called the bpf device. An intruder
will commonly attempt to run a packet sniffer on a compromised
machine. You do not need to give the intruder the capability and
most systems do not have the need for the
bpf device compiled in.sysctlBut even if you turn off the bpf
device, you still have
/dev/mem and
/dev/kmem
to worry about. For that matter, the intruder can still write to
raw disk devices. Also, there is another kernel feature called
the module loader, &man.kldload.8;. An enterprising intruder can
use a KLD module to install his own bpf
device, or other sniffing
device, on a running kernel. To avoid these problems you have to
run the kernel at a higher secure level, at least securelevel 1.
The securelevel can be set with a sysctl on
the kern.securelevel variable. Once you have
set the securelevel to 1, write access to raw devices will be
denied and special chflags flags,
such as schg,
will be enforced. You must also ensure that the
schg flag is set on critical startup binaries,
directories, and script files — everything that gets run up
to the point where the securelevel is set. This might be overdoing
it, and upgrading the system is much more difficult when you
operate at a higher secure level. You may compromise and run the
system at a higher secure level but not set the
schg flag for every system file and directory
under the sun. Another possibility is to simply mount
/ and /usr read-only.
It should be noted that being too Draconian in what you attempt to
protect may prevent the all-important detection of an
intrusion.Checking File Integrity: Binaries, Configuration Files,
Etc.When it comes right down to it, you can only protect your core
system configuration and control files so much before the
convenience factor rears its ugly head. For example, using
chflags to set the schg bit
on most of the files in / and
/usr is probably counterproductive, because
while it may protect the files, it also closes a detection window.
The last layer of your security onion is perhaps the most
important — detection. The rest of your security is pretty
much useless (or, worse, presents you with a false sense of
safety) if you cannot detect potential incursions. Half the job
of the onion is to slow down the attacker, rather than stop him, in
order to give the detection side of the equation a chance to catch
him in the act.The best way to detect an incursion is to look for modified,
missing, or unexpected files. The best way to look for modified
files is from another (often centralized) limited-access system.
Writing your security scripts on the extra-secure limited-access
system makes them mostly invisible to potential attackers, and this
is important. In order to take maximum advantage you generally
have to give the limited-access box significant access to the
other machines in the business, usually either by doing a
read-only NFS export of the other machines to the limited-access
box, or by setting up ssh key-pairs to
allow the limited-access box to ssh to
the other machines. Except for its network traffic, NFS is the
least visible method — allowing you to monitor the
file systems on each client box virtually undetected. If your
limited-access server is connected to the client boxes through a
switch, the NFS method is often the better choice. If your
limited-access server is connected to the client boxes through a
hub, or through several layers of routing, the NFS method may be
too insecure (network-wise) and using
ssh may be the better choice even with
the audit-trail tracks that ssh
lays.Once you give a limited-access box, at least read access to the
client systems it is supposed to monitor, you must write scripts
to do the actual monitoring. Given an NFS mount, you can write
scripts out of simple system utilities such as &man.find.1; and
&man.md5.1;. It is best to physically md5 the client-box files
at least once a day, and to test control files such as those
found in /etc and
/usr/local/etc even more often. When
mismatches are found, relative to the base md5 information the
limited-access machine knows is valid, it should scream at a
sysadmin to go check it out. A good security script will also
check for inappropriate suid binaries and for new or deleted files
on system partitions such as / and
/usr.When using ssh rather than NFS,
writing the security script is much more difficult. You
essentially have to scp the scripts to the client
box in order to
run them, making them visible, and for safety you also need to
scp the binaries (such as find) that those
scripts use. The ssh client on the
client box may already be compromised. All in all, using
ssh may be necessary when running over
insecure links, but it is also a lot harder to deal with.A good security script will also check for changes to user and
staff members access configuration files:
.rhosts, .shosts,
.ssh/authorized_keys and so forth…
files that might fall outside the purview of the
MD5 check.If you have a huge amount of user disk space, it may take too
long to run through every file on those partitions. In this case,
setting mount flags to disallow suid binaries and devices on those
partitions is a good idea. The nodev and
nosuid options (see &man.mount.8;) are what you
want to look into. You should probably scan them anyway, at least
once a week, since the object of this layer is to detect a break-in
whether or not the break-in is effective.Process accounting (see &man.accton.8;) is a relatively
low-overhead feature of the operating system which might help
as a post-break-in evaluation mechanism. It is especially
useful in tracking down how an intruder has actually broken into
a system, assuming the file is still intact after the break-in
occurs.Finally, security scripts should process the log files, and the
logs themselves should be generated in as secure a manner as
possible — remote syslog can be very useful. An intruder
tries to cover his tracks, and log files are critical to the
sysadmin trying to track down the time and method of the initial
break-in. One way to keep a permanent record of the log files is
to run the system console to a serial port and collect the
information on a continuing basis through a secure machine
monitoring the consoles.ParanoiaA little paranoia never hurts. As a rule, a sysadmin can add
any number of security features, as long as they do not affect
convenience, and can add security features that
do affect convenience with some added thought.
Even more importantly, a security administrator should mix it up a
bit — if you use recommendations such as those given by this
document verbatim, you give away your methodologies to the
prospective attacker who also has access to this document.Denial of Service AttacksDenial of Service (DoS)This section covers Denial of Service attacks. A DoS attack
is typically a packet attack. While there is not much you can do
about modern spoofed packet attacks that saturate your network,
you can generally limit the damage by ensuring that the attacks
cannot take down your servers.Limiting server forks.Limiting springboard attacks (ICMP response attacks, ping
broadcast, etc.).Kernel Route Cache.A common DoS attack is against a forking server that attempts
to cause the server to eat processes, file descriptors, and memory,
until the machine dies. inetd
(see &man.inetd.8;) has several
options to limit this sort of attack. It should be noted that
while it is possible to prevent a machine from going down, it is
not generally possible to prevent a service from being disrupted
by the attack. Read the inetd manual
page carefully and pay
specific attention to the , ,
and options. Note that spoofed-IP attacks
will circumvent the option to
inetd, so
typically a combination of options must be used. Some standalone
servers have self-fork-limitation parameters.Sendmail has its
option, which tends to work
much better than trying to use sendmail's load limiting options
due to the load lag. You should specify a
MaxDaemonChildren parameter, when you start
sendmail, high enough to handle your
expected load, but not so high that the computer cannot handle that
number of sendmails without falling on
its face. It is also prudent to run sendmail in queued mode
() and to run the daemon
(sendmail -bd) separate from the queue-runs
(sendmail -q15m). If you still want real-time
delivery you can run the queue at a much lower interval, such as
, but be sure to specify a reasonable
MaxDaemonChildren option for
that sendmail to prevent cascade failures.Syslogd can be attacked directly
and it is strongly recommended that you use the
option whenever possible, and the option
otherwise.You should also be fairly careful with connect-back services
such as tcpwrapper's reverse-identd,
which can be attacked directly. You generally do not want to use
the reverse-ident feature of
tcpwrappers for this reason.It is a very good idea to protect internal services from
external access by firewalling them off at your border routers.
The idea here is to prevent saturation attacks from outside your
LAN, not so much to protect internal services from network-based
root compromise.
Always configure an exclusive firewall, i.e.,
firewall everything except ports A, B,
C, D, and M-Z. This way you can firewall off all of your
low ports except for certain specific services such as
named (if you are primary for a zone),
ntalkd,
sendmail, and other Internet-accessible
services. If you try to configure the firewall the other way
— as an inclusive or permissive firewall, there is a good
chance that you will forget to close a couple of
services, or that you will add a new internal service and forget
to update the firewall. You can still open up the high-numbered
port range on the firewall, to allow permissive-like operation,
without compromising your low ports. Also take note that &os;
allows you to control the range of port numbers used for dynamic
binding, via the various net.inet.ip.portrangesysctl's (sysctl -a | fgrep
portrange), which can also ease the complexity of your
firewall's configuration. For example, you might use a normal
first/last range of 4000 to 5000, and a hiport range of 49152 to
65535, then block off everything under 4000 in your firewall
(except for certain specific Internet-accessible ports, of
course).ICMP_BANDLIMAnother common DoS attack is called a springboard attack
— to attack a server in a manner that causes the server to
generate responses which overloads the server, the local
network, or some other machine. The most common attack of this
nature is the ICMP ping broadcast attack.
The attacker spoofs ping packets sent to your LAN's broadcast
address with the source IP address set to the actual machine they
wish to attack. If your border routers are not configured to
stomp on ping's to broadcast addresses, your LAN winds up
generating sufficient responses to the spoofed source address to
saturate the victim, especially when the attacker uses the same
trick on several dozen broadcast addresses over several dozen
different networks at once. Broadcast attacks of over a hundred
and twenty megabits have been measured. A second common
springboard attack is against the ICMP error reporting system.
By constructing packets that generate ICMP error responses, an
attacker can saturate a server's incoming network and cause the
server to saturate its outgoing network with ICMP responses. This
type of attack can also crash the server by running it out of
mbuf's, especially if the server cannot drain the ICMP responses
it generates fast enough. The &os; kernel has a new kernel
compile option called
which limits the effectiveness
of these sorts of attacks. The last major class of springboard
attacks is related to certain internal
inetd services such as the
udp echo service. An attacker simply spoofs a UDP packet with the
source address being server A's echo port, and the destination
address being server B's echo port, where server A and B are both
on your LAN. The two servers then bounce this one packet back and
forth between each other. The attacker can overload both servers
and their LANs simply by injecting a few packets in this manner.
Similar problems exist with the internal
chargen port. A
competent sysadmin will turn off all of these inetd-internal test
services.Spoofed packet attacks may also be used to overload the kernel
route cache. Refer to the net.inet.ip.rtexpire,
rtminexpire, and rtmaxcachesysctl parameters. A spoofed packet attack
that uses a random source IP will cause the kernel to generate a
temporary cached route in the route table, viewable with
netstat -rna | fgrep W3. These routes
typically timeout in 1600 seconds or so. If the kernel detects
that the cached route table has gotten too big it will dynamically
reduce the rtexpire but will never decrease it
to less than rtminexpire. There are two
problems:The kernel does not react quickly enough when a lightly
loaded server is suddenly attacked.The rtminexpire is not low enough for
the kernel to survive a sustained attack.If your servers are connected to the Internet via a T3 or
better, it may be prudent to manually override both
rtexpire and rtminexpire
via &man.sysctl.8;. Never set either parameter to zero (unless
you want to crash the machine). Setting both
parameters to 2 seconds should be sufficient to protect the route
table from attack.Access Issues with Kerberos and SSHsshKerberosIVThere are a few issues with both Kerberos and
ssh that need to be addressed if
you intend to use them. Kerberos V is an excellent
authentication protocol, but there are bugs in the kerberized
telnet and
rlogin applications that make them
unsuitable for dealing with binary streams. Also, by default
Kerberos does not encrypt a session unless you use the
option. ssh
encrypts everything by default.ssh works quite well in every
respect except that it forwards encryption keys by default. What
this means is that if you have a secure workstation holding keys
that give you access to the rest of the system, and you
ssh to an insecure machine, your keys
are usable. The actual keys themselves are not exposed, but
ssh installs a forwarding port for the
duration of your login, and if an attacker has broken
root on the
insecure machine he can utilize that port to use your keys to gain
access to any other machine that your keys unlock.We recommend that you use ssh in
combination with Kerberos whenever possible for staff logins.
ssh can be compiled with Kerberos
support. This reduces your reliance on potentially exposed
ssh keys while at the same time
protecting passwords via Kerberos. ssh
keys should only be used for automated tasks from secure machines
(something that Kerberos is unsuited to do). We also recommend that
you either turn off key-forwarding in the
ssh configuration, or that you make use
of the from=IP/DOMAIN option that
ssh allows in its
authorized_keys file to make the key only
usable to entities logging in from specific machines.BillSwingleParts rewritten and updated by DES, MD5, and CryptsecuritycryptcryptDESMD5Every user on a &unix; system has a password associated with
their account. It seems obvious that these passwords need to be
known only to the user and the actual operating system. In
order to keep these passwords secret, they are encrypted with
what is known as a one-way hash, that is, they can
only be easily encrypted but not decrypted. In other words, what
we told you a moment ago was obvious is not even true: the
operating system itself does not really know
the password. It only knows the encrypted
form of the password. The only way to get the
plain-text password is by a brute force search of the
space of possible passwords.Unfortunately the only secure way to encrypt passwords when
&unix; came into being was based on DES, the Data Encryption
Standard. This was not such a problem for users resident in
the US, but since the source code for DES could not be exported
outside the US, &os; had to find a way to both comply with
US law and retain compatibility with all the other &unix;
variants that still used DES.The solution was to divide up the encryption libraries
so that US users could install the DES libraries and use
DES but international users still had an encryption method
that could be exported abroad. This is how &os; came to
use MD5 as its default encryption method. MD5 is believed to
be more secure than DES, so installing DES is offered primarily
for compatibility reasons.Recognizing Your Crypt MechanismBefore &os; 4.4 libcrypt.a was a
symbolic link pointing to the library which was used for
encryption. &os; 4.4 changed libcrypt.a to
provide a configurable password authentication hash library.
Currently the library supports DES, MD5 and Blowfish hash
functions. By default &os; uses MD5 to encrypt
passwords.It is pretty easy to identify which encryption method
&os; is set up to use. Examining the encrypted passwords in
the /etc/master.passwd file is one way.
Passwords encrypted with the MD5 hash are longer than those
encrypted with the DES hash and also begin with the characters
$1$. Passwords starting with
$2a$ are encrypted with the
Blowfish hash function. DES password strings do not
have any particular identifying characteristics, but they are
shorter than MD5 passwords, and are coded in a 64-character
alphabet which does not include the $
character, so a relatively short string which does not begin with
a dollar sign is very likely a DES password.The password format used for new passwords is controlled
by the passwd_format login capability in
/etc/login.conf, which takes values of
des, md5 or
blf. See the &man.login.conf.5; manual page
for more information about login capabilities.One-time Passwordsone-time passwordssecurityone-time passwordsS/Key is a one-time password scheme based on a one-way hash
function. &os; uses the MD4 hash for compatibility but other
systems have used MD5 and DES-MAC. S/Key has been part of the
&os; base system since version 1.1.5 and is also used on a
growing number of other operating systems. S/Key is a registered
trademark of Bell Communications Research, Inc.From version 5.0 of &os;, S/Key has been replaced with
the functionally equivalent OPIE (One-time Passwords In
Everything). OPIE uses the MD5 hash by default.There are three different sorts of passwords which we will discuss
below. The first is your usual &unix; style or
Kerberos password; we will call this a &unix; password.
The second sort is the one-time password which is generated by the
S/Key key program or the OPIE
&man.opiekey.1; program and accepted by the
keyinit or &man.opiepasswd.1; programs
and the login prompt; we will
call this a one-time password. The final sort of
password is the secret password which you give to the
key/opiekey programs (and
sometimes the
keyinit/opiepasswd programs)
which it uses to generate
one-time passwords; we will call it a secret password
or just unqualified password.The secret password does not have anything to do with your &unix;
password; they can be the same but this is not recommended. S/Key
and OPIE secret passwords are not limited to 8 characters like old
&unix; passwordsUnder &os; the standard login
password may be up to 128 characters in length.,
they can be as long as you like. Passwords of six or
seven word long phrases are fairly common. For the most part, the
S/Key or OPIE system operates completely independently of the &unix;
password system.Besides the password, there are two other pieces of data that
are important to S/Key and OPIE. One is what is known as the
seed or key, consisting of two letters
and five digits. The other is what is called the iteration
count, a number between 1 and 100. S/Key creates the
one-time password by concatenating the seed and the secret password,
then applying the MD4/MD5 hash as many times as specified by the
iteration count and turning the result into six short English words.
These six English words are your one-time password. The
authentication system (primarily PAM) keeps
track of the last one-time password used, and the user is
authenticated if the hash of the user-provided password is equal to
the previous password. Because a one-way hash is used it is
impossible to generate future one-time passwords if a successfully
used password is captured; the iteration count is decremented after
each successful login to keep the user and the login program in
sync. When the iteration count gets down to 1, S/Key and OPIE must be
reinitialized.There are three programs involved in each system
which we will discuss below. The key and
opiekey programs accept an iteration
count, a seed, and a secret password, and generate a one-time
password or a consecutive list of one-time passwords. The
keyinit and opiepasswd
programs are used to initialize S/Key and OPIE respectively,
and to change passwords, iteration counts, or seeds; they
take either a secret passphrase, or an iteration count,
seed, and one-time password. The keyinfo
and opieinfo programs examine the
relevant credentials files (/etc/skeykeys or
/etc/opiekeys) and print out the invoking user's
current iteration count and seed.There are four different sorts of operations we will cover. The
first is using keyinit or
opiepasswd over a secure connection to set up
one-time-passwords for the first time, or to change your password
or seed. The second operation is using keyinit
or opiepasswd over an insecure connection, in
conjunction with key or opiekey
over a secure connection, to do the same. The third is using
key/opiekey to log in over
an insecure connection. The fourth is using key
or opiekey to generate a number of keys which
can be written down or printed out to carry with you when going to
some location without secure connections to anywhere.Secure Connection InitializationTo initialize S/Key for the first time, change your password,
or change your seed while logged in over a secure connection
(e.g. on the console of a machine or via ssh), use the
keyinit command without any parameters while
logged in as yourself:&prompt.user; keyinit
Adding unfurl:
Reminder - Only use this method if you are directly connected.
If you are using telnet or rlogin exit with no password and use keyinit -s.
Enter secret password:
Again secret password:
ID unfurl s/key is 99 to17757
DEFY CLUB PRO NASH LACE SOFTFor OPIE, opiepasswd is used instead:&prompt.user; opiepasswd -c
[grimreaper] ~ $ opiepasswd -f -c
Adding unfurl:
Only use this method from the console; NEVER from remote. If you are using
telnet, xterm, or a dial-in, type ^C now or exit with no password.
Then run opiepasswd without the -c parameter.
Using MD5 to compute responses.
Enter new secret pass phrase:
Again new secret pass phrase:
ID unfurl OTP key is 499 to4268
MOS MALL GOAT ARM AVID COED
At the Enter new secret pass phrase: or
Enter secret password: prompts, you
should enter a password or phrase. Remember, this is not the
password that you will use to login with, this is used to generate
your one-time login keys. The ID line gives the
parameters of your particular instance: your login name, the
iteration count, and seed. When logging in the system
will remember these parameters and present them back to you so you
do not have to remember them. The last line gives the particular
one-time password which corresponds to those parameters and your
secret password; if you were to re-login immediately, this
one-time password is the one you would use.Insecure Connection InitializationTo initialize or change your secret password over an
insecure connection, you will need to already have a secure
connection to some place where you can run key
or opiekey; this might be in the form of a
desk accessory on a &macintosh;, or a shell prompt on a machine you
trust. You will also need to make up an iteration count (100 is
probably a good value), and you may make up your own seed or use a
randomly-generated one. Over on the insecure connection (to the
machine you are initializing), use the keyinit
-s command:&prompt.user; keyinit -s
Updating unfurl:
Old key: to17758
Reminder you need the 6 English words from the key command.
Enter sequence count from 1 to 9999: 100
Enter new key [default to17759]:
s/key 100 to 17759
s/key access password:
s/key access password:CURE MIKE BANE HIM RACY GOREFor OPIE, you need to use opiepasswd:&prompt.user; opiepasswd
Updating unfurl:
You need the response from an OTP generator.
Old secret pass phrase:
otp-md5 498 to4268 ext
Response: GAME GAG WELT OUT DOWN CHAT
New secret pass phrase:
otp-md5 499 to4269
Response: LINE PAP MILK NELL BUOY TROY
ID mark OTP key is 499 gr4269
LINE PAP MILK NELL BUOY TROY
To accept the default seed (which the
keyinit program confusingly calls a
key), press Return.
Then before entering an
access password, move over to your secure connection or S/Key desk
accessory, and give it the same parameters:&prompt.user; key 100 to17759
Reminder - Do not use this program while logged in via telnet or rlogin.
Enter secret password: <secret password>
CURE MIKE BANE HIM RACY GOREOr for OPIE:&prompt.user; opiekey 498 to4268
Using the MD5 algorithm to compute response.
Reminder: Don't use opiekey from telnet or dial-in sessions.
Enter secret pass phrase:
GAME GAG WELT OUT DOWN CHAT
Now switch back over to the insecure connection, and copy the
one-time password generated over to the relevant program.Generating a Single One-time PasswordOnce you have initialized S/Key or OPIE, when you login you will be
presented with a prompt like this:&prompt.user; telnet example.com
Trying 10.0.0.1...
Connected to example.com
Escape character is '^]'.
FreeBSD/i386 (example.com) (ttypa)
login: <username>
s/key 97 fw13894
Password: Or for OPIE:&prompt.user; telnet example.com
Trying 10.0.0.1...
Connected to example.com
Escape character is '^]'.
FreeBSD/i386 (example.com) (ttypa)
login: <username>
otp-md5 498 gr4269 ext
Password: As a side note, the S/Key and OPIE prompts have a useful feature
(not shown here): if you press Return
at the password prompt, the
prompter will turn echo on, so you can see what you are
typing. This can be extremely useful if you are attempting to
type in a password by hand, such as from a printout.MS-DOSWindowsMacOSAt this point you need to generate your one-time password to
answer this login prompt. This must be done on a trusted system
that you can run key or
opiekey on. (There are versions of these for DOS,
&windows; and &macos; as well.) They need both the iteration count and
the seed as command line options. You can cut-and-paste these
right from the login prompt on the machine that you are logging
in to.On the trusted system:&prompt.user; key 97 fw13894
Reminder - Do not use this program while logged in via telnet or rlogin.
Enter secret password:
WELD LIP ACTS ENDS ME HAAGFor OPIE:&prompt.user; opiekey 498 to4268
Using the MD5 algorithm to compute response.
Reminder: Don't use opiekey from telnet or dial-in sessions.
Enter secret pass phrase:
GAME GAG WELT OUT DOWN CHATNow that you have your one-time password you can continue
logging in:login: <username>
s/key 97 fw13894
Password: <return to enable echo>
s/key 97 fw13894
Password [echo on]: WELD LIP ACTS ENDS ME HAAG
Last login: Tue Mar 21 11:56:41 from 10.0.0.2 ... Generating Multiple One-time PasswordsSometimes you have to go places where you do not have
access to a trusted machine or secure connection. In this case,
it is possible to use the key and
opiekey commands to
generate a number of one-time passwords beforehand to be printed
out and taken with you. For example:&prompt.user; key -n 5 30 zz99999
Reminder - Do not use this program while logged in via telnet or rlogin.
Enter secret password: <secret password>
26: SODA RUDE LEA LIND BUDD SILT
27: JILT SPY DUTY GLOW COWL ROT
28: THEM OW COLA RUNT BONG SCOT
29: COT MASH BARR BRIM NAN FLAG
30: CAN KNEE CAST NAME FOLK BILKOr for OPIE:&prompt.user; opiekey -n 5 30 zz99999
Using the MD5 algorithm to compute response.
Reminder: Don't use opiekey from telnet or dial-in sessions.
Enter secret pass phrase: <secret password>
26: JOAN BORE FOSS DES NAY QUIT
27: LATE BIAS SLAY FOLK MUCH TRIG
28: SALT TIN ANTI LOON NEAL USE
29: RIO ODIN GO BYE FURY TIC
30: GREW JIVE SAN GIRD BOIL PHIThe requests five keys in sequence, the
specifies what the last iteration number
should be. Note that these are printed out in
reverse order of eventual use. If you are
really paranoid, you might want to write the results down by hand;
otherwise you can cut-and-paste into lpr. Note
that each line shows both the iteration count and the one-time
password; you may still find it handy to scratch off passwords as
you use them.Restricting Use of &unix; PasswordsS/Key can place restrictions on the use of &unix; passwords based
on the host name, user name, terminal port, or IP address of a
login session. These restrictions can be found in the
configuration file /etc/skey.access. The
&man.skey.access.5; manual page has more information on the complete
format of the file and also details some security cautions to be
aware of before depending on this file for security.If there is no /etc/skey.access file
(this is the default on &os; 4.X systems), then all users will
be allowed to use &unix; passwords. If the file exists, however,
then all users will be required to use S/Key unless explicitly
permitted to do otherwise by configuration statements in the
skey.access file. In all cases, &unix;
passwords are permitted on the console.Here is a sample skey.access configuration
file which illustrates the three most common sorts of configuration
statements:permit internet 192.168.0.0 255.255.0.0
permit user fnord
permit port ttyd0The first line (permit internet) allows
users whose IP source address (which is vulnerable to spoofing)
matches the specified value and mask, to use &unix; passwords. This
should not be considered a security mechanism, but rather, a means
to remind authorized users that they are using an insecure network
and need to use S/Key for authentication.The second line (permit user) allows the
specified username, in this case fnord, to use
&unix; passwords at any time. Generally speaking, this should only
be used for people who are either unable to use the
key program, like those with dumb terminals, or
those who are ineducable.The third line (permit port) allows all
users logging in on the specified terminal line to use &unix;
passwords; this would be used for dial-ups.OPIE can restrict the use of &unix; passwords based on the IP
address of a login session just like S/Key does. The relevant file
is /etc/opieaccess, which is present by default
on &os; 5.0 and newer systems. Please check &man.opieaccess.5;
for more information on this file and which security considerations
you should be aware of when using it.Here is a sample opieaccess file:permit 192.168.0.0 255.255.0.0This line allows users whose IP source address (which is
vulnerable to spoofing) matches the specified value and mask,
to use &unix; passwords at any time.If no rules in opieaccess are matched,
the default is to deny non-OPIE logins.TomRhodesWritten by: TCP WrappersTCP WrappersAnyone familiar with &man.inetd.8; has probably heard
of TCP Wrappers at some point. But few
individuals seem to fully comprehend its usefulness in a
network environment. It seems that everyone wants to
install a firewall to handle network connections. While a
firewall has a wide variety of uses, there are some things
that a firewall not handle such as sending text back to the
connection originator. The TCP software
does this and much more. In the next few sections many of
the TCP Wrappers features will be discussed,
and, when applicable, example configuration lines will be
provided.The TCP Wrappers software extends the
abilities of inetd to provide support for
every server daemon under its control. Using this method it
is possible to provide logging support, return messages to
connections, permit a daemon to only accept internal connections,
etc. While some of these features can be provided by implementing
a firewall, this will add not only an extra layer of protection
but go beyond the amount of control a firewall can
provide.The added functionality of TCP Wrappers
should not be considered a replacement for a good firewall;
however, but should used in conjunction with a firewall and
other security configurations to add an extra layer of protection
for the system.Since this is an extension to the configuration of
inetd, the reader is expected have
read the inetd configuration
section.While programs run by &man.inetd.8; are not exactly
daemons, they have traditionally been called
daemons. This is the term we will use in this section too.Initial ConfigurationThe only requirement of using TCP
Wrappers in &os; is to ensure the inetd
server is started from rc.conf with the
option; this is the default setting. Of
course, proper configuration of
/etc/hosts.allow is also expected, but
&man.syslogd.8; will throw messages in the system logs in
these cases.Unlike other implementations of TCP
Wrappers, the use of hosts.deny has
been deprecated. All configuration options should be placed
in /etc/hosts.allow.In the simplest configuration, daemon connection policies
are set to either be permitted or blocked depending on the
options in /etc/hosts.allow. The default
configuration in &os; is to allow a connection to every daemon
started with inetd. Changing this will be
discussed only after the basic configuration is covered.Basic configuration usually takes the form of
daemon : address : action. Where
daemon is the daemon name which
inetd started. The
address can be a valid hostname, an
IP address or an IPv6 address enclosed in
brackets ([ ]). The action field can be either allow
or deny to grant or deny access appropriately. Keep in mind
that configuration works off a first rule match semantic,
meaning that the configuration file is scanned in ascending
order for a matching rule. When a match is found the rule
is applied and the search process will halt.Several other options exist but they will be explained
in a later section. A simple configuration line may easily be
constructed from that information alone. For example, to
allow POP3 connections via the
mail/qpopper daemon,
the following lines should be appended to
hosts.allow:# This line is required for POP3 connections:
qpopper : ALL : allowAfter adding this line, inetd will need
restarted. This can be accomplished by use of the &man.kill.1;
command, or with the restart parameter
with /etc/rc.d/inetd.Advanced ConfigurationTCP Wrappers has advanced
options too; they will allow for more control over the
way connections are handled. In some cases it may be
a good idea to return a comment to certain hosts or
daemon connections. In other cases, perhaps a log file
should be recorded or an email sent to the administrator.
Other situations may require the use of a service for local
connections only. This is all possible through the use of
configuration options known as wildcards,
expansion characters and external command execution. The
next two sections are written to cover these situations.External CommandsSuppose that a situation occurs where a connection
should be denied yet a reason should be sent to the
individual who attempted to establish that connection. How
could it be done? That action can be made possible by
using the option. When a connection
attempt is made, will be called to
execute a shell command or script. An example already exists
in the hosts.allow file:# The rest of the daemons are protected.
ALL : ALL \
: severity auth.info \
: twist /bin/echo "You are not welcome to use %d from %h."This example shows that the message,
You are not allowed to use daemon
from hostname. will be returned
for any daemon not previously configured in the access file.
This is extremely useful for sending a reply back to the
connection initiator right after the established connection
is dropped. Note that any message returned
must be wrapped in quote
" characters; there are no exceptions to
this rule.It may be possible to launch a denial of service attack
on the server if an attacker, or group of attackers could
flood these daemons with connection requests.Another possibility is to use the
option in these cases. Like , the
implicitly denies the connection and
may be used to run external shell commands or scripts.
Unlike , will
not send a reply back to the individual who established the
connection. For an example, consider the following
configuration line:# We do not allow connections from example.com:
ALL : .example.com \
: spawn (/bin/echo %a from %h attempted to access %d >> \
/var/log/connections.log) \
: denyThis will deny all connection attempts from the
*.example.com domain;
simultaneously logging the hostname, IP
address and the daemon which they attempted to access in the
/var/log/connections.log file.Aside from the already explained substitution characters
above, e.g. %a, a few others exist. See the
&man.hosts.access.5; manual page for the complete list.Wildcard OptionsThus far the ALL example has been used
continuously throughout the examples. Other options exist
which could extend the functionality a bit further. For
instance, ALL may be used to match every
instance of either a daemon, domain or an
IP address. Another wildcard available is
PARANOID which may be used to match any
host which provides an IP address that may
be forged. In other words, paranoid may
be used to define an action to be taken whenever a connection
is made from an IP address that differs
from its hostname. The following example may shed some more
light on this discussion:# Block possibly spoofed requests to sendmail:
sendmail : PARANOID : denyIn that example all connection requests to
sendmail which have an
IP address that varies from its hostname
will be denied.Using the PARANOID may severely
cripple servers if the client or server has a broken
DNS setup. Administrator discretion
is advised.To learn more about wildcards and their associated
functionality, see the &man.hosts.access.5; manual
page.Before any of the specific configuration lines above will
work, the first configuration line should be commented out
in hosts.allow. This was noted at the
beginning of this section.MarkMurrayContributed by MarkDapozBased on a contribution by KerberosIVKerberos is a network add-on system/protocol that allows users to
authenticate themselves through the services of a secure server.
Services such as remote login, remote copy, secure inter-system file
copying and other high-risk tasks are made considerably safer and more
controllable.The following instructions can be used as a guide on how to set up
Kerberos as distributed for &os;. However, you should refer to the
relevant manual pages for a complete description.Installing KerberosIVMITKerberosIVInstallingKerberos is an optional component of &os;. The easiest
way to install this software is by selecting the krb4 or
krb5 distribution in sysinstall
during the initial installation of &os;. This will install
the eBones (KerberosIV) or Heimdal (Kerberos5)
implementation of Kerberos. These implementations are
included because they are developed outside the USA/Canada and
were thus available to system owners outside those countries
during the era of restrictive export controls on cryptographic
code from the USA.Alternatively, the MIT implementation of Kerberos is
available from the ports collection as
security/krb5.Creating the Initial DatabaseThis is done on the Kerberos server only. First make sure that
you do not have any old Kerberos databases around. You should change
to the directory /etc/kerberosIV and check that
only the following files are present:&prompt.root; cd /etc/kerberosIV
&prompt.root; ls
README krb.conf krb.realmsIf any additional files (such as principal.*
or master_key) exist, then use the
kdb_destroy command to destroy the old Kerberos
database, or if Kerberos is not running, simply delete the extra
files.You should now edit the krb.conf and
krb.realms files to define your Kerberos realm.
In this case the realm will be EXAMPLE.COM and the
server is grunt.example.com. We edit
or create the krb.conf file:&prompt.root; cat krb.conf
EXAMPLE.COM
EXAMPLE.COM grunt.example.com admin server
CS.BERKELEY.EDU okeeffe.berkeley.edu
ATHENA.MIT.EDU kerberos.mit.edu
ATHENA.MIT.EDU kerberos-1.mit.edu
ATHENA.MIT.EDU kerberos-2.mit.edu
ATHENA.MIT.EDU kerberos-3.mit.edu
LCS.MIT.EDU kerberos.lcs.mit.edu
TELECOM.MIT.EDU bitsy.mit.edu
ARC.NASA.GOV trident.arc.nasa.govIn this case, the other realms do not need to be there. They are
here as an example of how a machine may be made aware of multiple
realms. You may wish to not include them for simplicity.The first line names the realm in which this system works. The
other lines contain realm/host entries. The first item on a line is a
realm, and the second is a host in that realm that is acting as a
key distribution center. The words admin
server following a host's name means that host also
provides an administrative database server. For further explanation
of these terms, please consult the Kerberos manual pages.Now we have to add grunt.example.com
to the EXAMPLE.COM realm and also add an entry to
put all hosts in the .example.com
domain in the EXAMPLE.COM realm. The
krb.realms file would be updated as
follows:&prompt.root; cat krb.realms
grunt.example.com EXAMPLE.COM
.example.com EXAMPLE.COM
.berkeley.edu CS.BERKELEY.EDU
.MIT.EDU ATHENA.MIT.EDU
.mit.edu ATHENA.MIT.EDUAgain, the other realms do not need to be there. They are here as
an example of how a machine may be made aware of multiple realms. You
may wish to remove them to simplify things.The first line puts the specific system into
the named realm. The rest of the lines show how to default systems of
a particular subdomain to a named realm.Now we are ready to create the database. This only needs to run
on the Kerberos server (or Key Distribution Center). Issue the
kdb_init command to do this:&prompt.root; kdb_initRealm name [default ATHENA.MIT.EDU ]:EXAMPLE.COM
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter Kerberos master key:Now we have to save the key so that servers on the local machine
can pick it up. Use the kstash command to do
this:&prompt.root; kstashEnter Kerberos master key:
Current Kerberos master key version is 1.
Master key entered. BEWARE!This saves the encrypted master password in
/etc/kerberosIV/master_key.Making It All RunKerberosIVInital StartupTwo principals need to be added to the database for
each system that will be secured with Kerberos.
Their names are kpasswd and rcmd.
These two principals are made for each system, with the instance being
the name of the individual system.These daemons, kpasswd and
rcmd allow other systems to change Kerberos
passwords and run commands like &man.rcp.1;,
&man.rlogin.1; and &man.rsh.1;.Now let us add these entries:&prompt.root; kdb_edit
Opening database...
Enter Kerberos master key:
Current Kerberos master key version is 1.
Master key entered. BEWARE!
Previous or default values are in [brackets] ,
enter return to leave the same, or new value.
Principal name:passwdInstance:grunt
<Not found>, Create [y] ?y
Principal: passwd, Instance: grunt, kdc_key_ver: 1
New Password: <---- enter RANDOM here
Verifying password
New Password: <---- enter RANDOM here
Random password [y] ?y
Principal's new key version = 1
Expiration date (enter yyyy-mm-dd) [ 2000-01-01 ] ?Max ticket lifetime (*5 minutes) [ 255 ] ?Attributes [ 0 ] ?
Edit O.K.
Principal name:rcmdInstance:grunt
<Not found>, Create [y] ?
Principal: rcmd, Instance: grunt, kdc_key_ver: 1
New Password: <---- enter RANDOM here
Verifying password
New Password: <---- enter RANDOM here
Random password [y] ?
Principal's new key version = 1
Expiration date (enter yyyy-mm-dd) [ 2000-01-01 ] ?Max ticket lifetime (*5 minutes) [ 255 ] ?Attributes [ 0 ] ?
Edit O.K.
Principal name: <---- null entry here will cause an exitCreating the Server FileWe now have to extract all the instances which define the
services on each machine. For this we use the
ext_srvtab command. This will create a file
which must be copied or moved by secure
means to each Kerberos client's
/etc/kerberosIV directory. This file must
be present on each server and client, and is crucial to the
operation of Kerberos.&prompt.root; ext_srvtab gruntEnter Kerberos master key:
Current Kerberos master key version is 1.
Master key entered. BEWARE!
Generating 'grunt-new-srvtab'....Now, this command only generates a temporary file which must be
renamed to srvtab so that all the servers can pick
it up. Use the &man.mv.1; command to move it into place on
the original system:&prompt.root; mv grunt-new-srvtab srvtabIf the file is for a client system, and the network is not deemed
safe, then copy the
client-new-srvtab to
removable media and transport it by secure physical means. Be sure to
rename it to srvtab in the client's
/etc/kerberosIV directory, and make sure it is
mode 600:&prompt.root; mv grumble-new-srvtab srvtab
&prompt.root; chmod 600 srvtabPopulating the DatabaseWe now have to add some user entries into the database. First
let us create an entry for the user jane. Use the
kdb_edit command to do this:&prompt.root; kdb_edit
Opening database...
Enter Kerberos master key:
Current Kerberos master key version is 1.
Master key entered. BEWARE!
Previous or default values are in [brackets] ,
enter return to leave the same, or new value.
Principal name:janeInstance:
<Not found>, Create [y] ?y
Principal: jane, Instance: , kdc_key_ver: 1
New Password: <---- enter a secure password here
Verifying password
New Password: <---- re-enter the password here
Principal's new key version = 1
Expiration date (enter yyyy-mm-dd) [ 2000-01-01 ] ?Max ticket lifetime (*5 minutes) [ 255 ] ?Attributes [ 0 ] ?
Edit O.K.
Principal name: <---- null entry here will cause an exitTesting It All OutFirst we have to start the Kerberos daemons. Note that if you
have correctly edited your /etc/rc.conf then this
will happen automatically when you reboot. This is only necessary on
the Kerberos server. Kerberos clients will automatically get what
they need from the /etc/kerberosIV
directory.&prompt.root; kerberos &
Kerberos server starting
Sleep forever on error
Log file is /var/log/kerberos.log
Current Kerberos master key version is 1.
Master key entered. BEWARE!
Current Kerberos master key version is 1
Local realm: EXAMPLE.COM
&prompt.root; kadmind -n &
KADM Server KADM0.0A initializing
Please do not use 'kill -9' to kill this job, use a
regular kill instead
Current Kerberos master key version is 1.
Master key entered. BEWARE!Now we can try using the kinit command to get a
ticket for the ID jane that we created
above:&prompt.user; kinit jane
MIT Project Athena (grunt.example.com)
Kerberos Initialization for "jane"
Password:Try listing the tokens using klist to see if we
really have them:&prompt.user; klist
Ticket file: /tmp/tkt245
Principal: jane@EXAMPLE.COM
Issued Expires Principal
Apr 30 11:23:22 Apr 30 19:23:22 krbtgt.EXAMPLE.COM@EXAMPLE.COMNow try changing the password using &man.passwd.1; to
check if the kpasswd daemon can get
authorization to the Kerberos database:&prompt.user; passwd
realm EXAMPLE.COM
Old password for jane:New Password for jane:
Verifying password
New Password for jane:
Password changed.Adding su PrivilegesKerberos allows us to give each user
who needs root privileges their own
separate &man.su.1; password.
We could now add an ID which is authorized to
&man.su.1; to root. This is
controlled by having an instance of root
associated with a principal. Using kdb_edit
we can create the entry jane.root in the
Kerberos database:&prompt.root; kdb_edit
Opening database...
Enter Kerberos master key:
Current Kerberos master key version is 1.
Master key entered. BEWARE!
Previous or default values are in [brackets] ,
enter return to leave the same, or new value.
Principal name:janeInstance:root
<Not found>, Create [y] ? y
Principal: jane, Instance: root, kdc_key_ver: 1
New Password: <---- enter a SECURE password here
Verifying password
New Password: <---- re-enter the password here
Principal's new key version = 1
Expiration date (enter yyyy-mm-dd) [ 2000-01-01 ] ?Max ticket lifetime (*5 minutes) [ 255 ] ?12 <--- Keep this short!
Attributes [ 0 ] ?
Edit O.K.
Principal name: <---- null entry here will cause an exitNow try getting tokens for it to make sure it works:&prompt.root; kinit jane.root
MIT Project Athena (grunt.example.com)
Kerberos Initialization for "jane.root"
Password:Now we need to add the user to root's
.klogin file:&prompt.root; cat /root/.klogin
jane.root@EXAMPLE.COMNow try doing the &man.su.1;:&prompt.user; suPassword:and take a look at what tokens we have:&prompt.root; klist
Ticket file: /tmp/tkt_root_245
Principal: jane.root@EXAMPLE.COM
Issued Expires Principal
May 2 20:43:12 May 3 04:43:12 krbtgt.EXAMPLE.COM@EXAMPLE.COMUsing Other CommandsIn an earlier example, we created a principal called
jane with an instance root.
This was based on a user with the same name as the principal, and this
is a Kerberos default; that a
<principal>.<instance> of the form
<username>.root will allow
that <username> to &man.su.1; to
root if the necessary entries are in the
.klogin file in root's
home directory:&prompt.root; cat /root/.klogin
jane.root@EXAMPLE.COMLikewise, if a user has in their own home directory lines of the
form:&prompt.user; cat ~/.klogin
jane@EXAMPLE.COM
jack@EXAMPLE.COMThis allows anyone in the EXAMPLE.COM realm
who has authenticated themselves as jane or
jack (via kinit, see above)
to access to jane's
account or files on this system (grunt) via
&man.rlogin.1;, &man.rsh.1; or
&man.rcp.1;.For example, jane now logs into another system using
Kerberos:&prompt.user; kinit
MIT Project Athena (grunt.example.com)
Password:
&prompt.user; rlogin grunt
Last login: Mon May 1 21:14:47 from grumble
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
The Regents of the University of California. All rights reserved.
FreeBSD BUILT-19950429 (GR386) #0: Sat Apr 29 17:50:09 SAT 1995Or jack logs into jane's account on the same machine
(jane having
set up the .klogin file as above, and the person
in charge of Kerberos having set up principal
jack with a null instance):&prompt.user; kinit
&prompt.user; rlogin grunt -l jane
MIT Project Athena (grunt.example.com)
Password:
Last login: Mon May 1 21:16:55 from grumble
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
The Regents of the University of California. All rights reserved.
FreeBSD BUILT-19950429 (GR386) #0: Sat Apr 29 17:50:09 SAT 1995TillmanHodgsonContributed by MarkMurrayBased on a contribution by Kerberos5Every &os; release beyond &os;-5.1 includes support
only for Kerberos5. Hence
Kerberos5 is the only version
included, and its configuration is similar in many aspects
to that of KerberosIV. The following
information only applies to
Kerberos5 in post &os;-5.0
releases. Users who wish to use the
KerberosIV package may install the
security/krb4 port.Kerberos is a network add-on
system/protocol that allows users to authenticate themselves
through the services of a secure server. Services such as remote
login, remote copy, secure inter-system file copying and other
high-risk tasks are made considerably safer and more
controllable.Kerberos can be described as an
identity-verifying proxy system. It can also be described as a
trusted third-party authentication system.
Kerberos provides only one
function — the secure authentication of users on the network.
It does not provide authorization functions (what users are
allowed to do) or auditing functions (what those users did).
After a client and server have used
Kerberos to prove their identity, they
can also encrypt all of their communications to assure privacy
and data integrity as they go about their business.Therefore it is highly recommended that
Kerberos be used with other security
methods which provide authorization and audit services.The following instructions can be used as a guide on how to set
up Kerberos as distributed for &os;.
However, you should refer to the relevant manual pages for a complete
description.For purposes of demonstrating a Kerberos
installation, the various name spaces will be handled as follows:The DNS domain (zone)
will be example.org.The Kerberos realm will be
EXAMPLE.ORG.Please use real domain names when setting up
Kerberos even if you intend to run
it internally. This avoids DNS problems
and assures inter-operation with other
Kerberos realms.HistoryKerberos5HistoryKerberos was created by
MIT as a solution to network security problems.
The Kerberos protocol uses strong
cryptography so that a client can prove its identity to a server
(and vice versa) across an insecure network connection.Kerberos is both the name of a
network authentication protocol and an adjective to describe
programs that implement the program
(Kerberos telnet, for example). The
current version of the protocol is version 5, described in
RFC 1510.Several free implementations of this protocol are available,
covering a wide range of operating systems. The Massachusetts
Institute of Technology (MIT), where
Kerberos was originally developed,
continues to develop their Kerberos
package. It is commonly used in the US
as a cryptography product, as such it
has historically been affected by US export
regulations. The MIT
Kerberos is available as a port
(security/krb5). Heimdal
Kerberos is another version 5
implementation, and was explicitly developed outside of the
US to avoid export
regulations (and is thus often included in non-commercial &unix;
variants). The Heimdal Kerberos
distribution is available as a port
(security/heimdal), and a
minimal installation of it is included in the base &os;
install.In order to reach the widest audience, these instructions assume
the use of the Heimdal distribution included in &os;.Setting up a Heimdal KDCKerberos5Key Distribution Center ConfigurationThe Key Distribution Center (KDC) is the
centralized authentication service that
Kerberos provides — it is the
computer that issues Kerberos tickets.
The KDC is considered trusted by
all other computers in the Kerberos
realm, and thus has heightened security concerns.Note that while running the Kerberos
server requires very few computing resources, a dedicated machine
acting only as a KDC is recommended for security
reasons.To begin setting up a KDC, ensure that your
/etc/rc.conf file contains the correct
settings to act as a KDC (you may need to adjust
paths to reflect your own system):kerberos5_server_enable="YES"
kadmind5_server_enable="YES"
kerberos_stash="YES"The is only available in
&os; 4.X.Next we will set up your Kerberos
config file, /etc/krb5.conf:[libdefaults]
default_realm = EXAMPLE.ORG
[realms]
EXAMPLE.ORG = {
kdc = kerberos.example.org
admin_server = kerberos.example.org
}
[domain_realm]
.example.org = EXAMPLE.ORGNote that this /etc/krb5.conf file implies
that your KDC will have the fully-qualified
hostname of kerberos.example.org.
You will need to add a CNAME (alias) entry to your zone file to
accomplish this if your KDC has a different
hostname.For large networks with a properly configured
BIND DNS server, the
above example could be trimmed to:[libdefaults]
default_realm = EXAMPLE.ORGWith the following lines being appended to the
example.org zonefile:_kerberos._udp IN SRV 01 00 88 kerberos.example.org.
_kerberos._tcp IN SRV 01 00 88 kerberos.example.org.
_kpasswd._udp IN SRV 01 00 464 kerberos.example.org.
_kerberos-adm._tcp IN SRV 01 00 749 kerberos.example.org.
_kerberos IN TXT EXAMPLE.ORG.For clients to be able to find the
Kerberos services, you
must have either a fully configured
/etc/krb5.conf or a miminally configured
/etc/krb5.confand a
properly configured DNS server.Next we will create the Kerberos
database. This database contains the keys of all principals encrypted
with a master password. You are not
required to remember this password, it will be stored in a file
(/var/heimdal/m-key). To create the master
key, run kstash and enter a password.Once the master key has been created, you can initialize the
database using the kadmin program with the
-l option (standing for local).
This option instructs kadmin to modify the
database files directly rather than going through the
kadmind network service. This handles the
chicken-and-egg problem of trying to connect to the database
before it is created. Once you have the kadmin
prompt, use the init command to create your
realms initial database.Lastly, while still in kadmin, create your
first principal using the add command. Stick
to the defaults options for the principal for now, you can always
change them later with the modify command.
Note that you can use the ? command at any
prompt to see the available options.A sample database creation session is shown below:&prompt.root; kstash
Master key: xxxxxxxx
Verifying password - Master key: xxxxxxxx
&prompt.root; kadmin -l
kadmin> init EXAMPLE.ORG
Realm max ticket life [unlimited]:
kadmin> add tillman
Max ticket life [unlimited]:
Max renewable life [unlimited]:
Attributes []:
Password: xxxxxxxx
Verifying password - Password: xxxxxxxxNow it is time to start up the KDC services.
Run /etc/rc.d/kerberos start and
/etc/rc.d/kadmind start to bring up the
services. Note that you won't have any kerberized daemons running
at this point but you should be able to confirm the that the
KDC is functioning by obtaining and listing a
ticket for the principal (user) that you just created from the
command-line of the KDC itself:&prompt.user; k5init tillman
tillman@EXAMPLE.ORG's Password:
&prompt.user; k5list
Credentials cache: FILE:/tmp/krb5cc_500
Principal: tillman@EXAMPLE.ORG
Issued Expires Principal
Aug 27 15:37:58 Aug 28 01:37:58 krbtgt/EXAMPLE.ORG@EXAMPLE.ORGKerberos enabling a server with
Heimdal servicesKerberos5Enabling ServicesFirst, we need a copy of the Kerberos
configuration file, /etc/krb5.conf. To do
so, simply copy it over to the client computer from the
KDC in a secure fashion (using network utilities,
such as &man.scp.1;, or physically via a
floppy disk).Next you need a /etc/krb5.keytab file.
This is the major difference between a server providing
Kerberos enabled daemons and a
workstation — the server must have a
keytab file. This file
contains the servers host key, which allows it and the
KDC to verify each others identity. It
must be transmitted to the server in a secure fashion, as the
security of the server can be broken if the key is made public.
This explicitly means that transferring it via a clear text
channel, such as FTP, is a very bad idea.Typically, you transfer to the keytab
to the server using the kadmin program.
This is handy because you also need to create the host principal
(the KDC end of the
krb5.keytab) using
kadmin.Note that you must have already obtained a ticket and that this
ticket must be allowed to use the kadmin
interface in the kadmind.acl. See the section
titled Remote administration in the Heimdal info
pages (info heimdal) for details on designing
access control lists. If you do not want to enable remote
kadmin access, you can simply securely connect
to the KDC (via local console,
&man.ssh.1; or Kerberos
&man.telnet.1;) and perform administration locally
using kadmin -l.After installing the /etc/krb5.conf file,
you can use kadmin from the
Kerberos server. The
add --random-key command will let you add the
servers host principal, and the ext command
will allow you to extract the servers host principal to its own
keytab. For example:&prompt.root; kadmin
kadmin> add --random-key host/myserver.example.org
Max ticket life [unlimited]:
Max renewable life [unlimited]:
Attributes []:
kadmin> ext host/myserver.example.org
kadmin> exitNote that the ext command (short for
extract) stores the extracted key in
/etc/krb5.keytab by default.If you do not have kadmind running on the
KDC (possibly for security reasons) and thus
do not have access to kadmin remotely, you
can add the host principal
(host/myserver.EXAMPLE.ORG) directly on the
KDC and then extract it to a temporary file
(to avoid over-writing the /etc/krb5.keytab
on the KDC) using something like this:&prompt.root; kadmin
kadmin> ext --keytab=/tmp/example.keytab host/myserver.example.org
kadmin> exitYou can then securely copy the keytab to the server
computer (using scp or a floppy, for
example). Be sure to specify a non-default keytab name
to avoid over-writing the keytab on the
KDC.At this point your server can communicate with the
KDC (due to its krb5.conf
file) and it can prove its own identity (due to the
krb5.keytab file). It is now ready for
you to enable some Kerberos services.
For this example we will enable the telnet
service by putting a line like this into your
/etc/inetd.conf and then restarting the
&man.inetd.8; service with
/etc/rc.d/inetd restart:telnet stream tcp nowait root /usr/libexec/telnetd telnetd -a userThe critical bit is that the -a
(for authentication) type is set to user. Consult the
&man.telnetd.8; manual page for more details.Kerberos enabling a client with HeimdalKerberos5Client ConfigurationSetting up a client computer is almost trivially easy. As
far as Kerberos configuration goes,
you only need the Kerberos
configuration file, located at /etc/krb5.conf.
Simply securely copy it over to the client computer from the
KDC.Test your client computer by attempting to use
kinit, klist, and
kdestroy from the client to obtain, show, and
then delete a ticket for the principal you created above. You
should also be able to use Kerberos
applications to connect to Kerberos
enabled servers, though if that does not work and obtaining a
ticket does the problem is likely with the server and not with
the client or the KDC.When testing an application like telnet,
try using a packet sniffer (such as &man.tcpdump.1;)
to confirm that your password is not sent in the clear. Try
using telnet with the -x
option, which encrypts the entire data stream (similar to
ssh).The core Kerberos client applications
(traditionally named kinit,
klist, kdestroy, and
kpasswd) are installed in
the base &os; install. Note that &os; versions prior to 5.0
renamed them to k5init,
k5list, k5destroy,
k5passwd, and k5stash
(though it is typically only used once).Various non-core Kerberos client
applications are also installed by default. This is where the
minimal nature of the base Heimdal installation is
felt: telnet is the only
Kerberos enabled service.The Heimdal port adds some of the missing client applications:
Kerberos enabled versions of
ftp, rsh,
rcp, rlogin, and a few
other less common programs. The MIT port also
contains a full suite of Kerberos
client applications.User configuration files: .k5login and .k5usersKerberos5User Configuration FilesUsers within a realm typically have their
Kerberos principal (such as
tillman@EXAMPLE.ORG) mapped to a local
user account (such as a local account named
tillman). Client applications such as
telnet usually do not require a user name
or a principal.Occasionally, however, you want to grant access to a local
user account to someone who does not have a matching
Kerberos principal. For example,
tillman@EXAMPLE.ORG may need access to the
local user account webdevelopers. Other
principals may also need access to that local account.The .k5login and
.k5users files, placed in a users home
directory, can be used similar to a powerful combination of
.hosts and .rhosts,
solving this problem. For example, if a
.k5login with the following
contents:tillman@example.org
jdoe@example.orgWere to be placed into the home directory of the local user
webdevelopers then both principals listed
would have access to that account without requiring a shared
password.Reading the manual pages for these commands is recommended.
Note that the ksu manual page covers
.k5users.Kerberos Tips, Tricks, and TroubleshootingKerberos5TroubleshootingWhen using either the Heimdal or MIT
Kerberos ports ensure that your
PATH environment variable lists the
Kerberos versions of the client
applications before the system versions.Do all the computers in your realm have synchronized
time settings? If not, authentication may fail.
describes how to synchronize
clocks using NTP.MIT and Heimdal inter-operate nicely.
Except for kadmin, the protocol for
which is not standardized.If you change your hostname, you also need to change your
host/ principal and update your keytab.
This also applies to special keytab entries like the
www/ principal used for Apache's
www/mod_auth_kerb.All hosts in your realm must be resolvable (both forwards
and reverse) in DNS (or
/etc/hosts as a minimum). CNAMEs
will work, but the A and PTR records must be correct and in
place. The error message isn't very intuitive:
Kerberos5 refuses authentication because Read req
failed: Key table entry not found.Some operating systems that may being acting as clients
to your KDC do not set the permissions
for ksu to be setuid
root. This means that
ksu does not work, which is a good
security idea but annoying. This is not a
KDC error.With MIT
Kerberos, if you want to allow a
principal to have a ticket life longer than the default ten
hours, you must use modify_principal in
kadmin to change the maxlife of both the
principal in question and the krbtgt
principal. Then the principal can use the
-l option with kinit
to request a ticket with a longer lifetime.If you run a packet sniffer on your
KDC to add in troubleshooting and then
run kinit from a workstation, you will
notice that your TGT is sent
immediately upon running kinit —
even before you type your password! The explanation is
that the Kerberos server freely
transmits a TGT (Ticket Granting
Ticket) to any unauthorized request; however, every
TGT is encrypted in a key derived from
the user's password. Therefore, when a user types their
password it is not being sent to the KDC,
it is being used to decrypt the TGT that
kinit already obtained. If the decryption
process results in a valid ticket with a valid time stamp,
the user has valid Kerberos
credentials. These credentials include a session key for
establishing secure communications with the
Kerberos server in the future, as
well as the actual ticket-granting ticket, which is actually
encrypted with the Kerberos
server's own key. This second layer of encryption is
unknown to the user, but it is what allows the
Kerberos server to verify
the authenticity of each TGT.If you want to use long ticket lifetimes (a week, for
example) and you are using OpenSSH
to connect to the machine where your ticket is stored, make
sure that Kerberos
is set to no
in your sshd_config or else your tickets
will be deleted when you log out.Remember that host principals can have a longer ticket
lifetime as well. If your user principal has a lifetime of a
week but the host you are connecting to has a lifetime of nine
hours, you will have an expired host principal in your cache
and the ticket cache will not work as expected.When setting up a krb5.dict file to
prevent specific bad passwords from being used (the manual page
for kadmind covers this briefly), remember
that it only applies to principals that have a password policy
assigned to them. The krb5.dict files
format is simple: one string per line. Creating a symbolic
link to /usr/share/dict/words might be
useful.Differences with the MIT portThe major difference between the MIT
and Heimdal installs relates to the kadmin
program which has a different (but equivalent) set of commands
and uses a different protocol. This has a large implications
if your KDC is MIT as you
will not be able to use the Heimdal kadmin
program to administer your KDC remotely
(or vice versa, for that matter).The client applications may also take slightly different
command line options to accomplish the same tasks. Following
the instructions on the MIT
Kerberos web site
()
is recommended. Be careful of path issues: the
MIT port installs into
/usr/local/ by default, and the
normal system applications may be run instead
of MIT if your PATH
environment variable lists the system directories first.With the MIT
security/krb5 port
that is provided by &os;, be sure to read the
/usr/local/share/doc/krb5/README.FreeBSD
file installed by the port if you want to understand why logins
via telnetd and klogind
behave somewhat oddly. Most importantly, correcting the
incorrect permissions on cache file behavior
requires that the login.krb5 binary be used
for authentication so that it can properly change ownership for
the forwarded credentials.Mitigating limitations found in KerberosKerberos5Limitations and ShortcomingsKerberos is an all-or-nothing approachEvery service enabled on the network must be modified to
work with Kerberos (or be otherwise
secured against network attacks) or else the users credentials
could be stolen and re-used. An example of this would be
Kerberos enabling all remote shells
(via rsh and telnet, for
example) but not converting the POP3 mail
server which sends passwords in plain text.Kerberos is intended for single-user workstationsIn a multi-user environment,
Kerberos is less secure.
This is because it stores the tickets in the
/tmp directory, which is readable by all
users. If a user is sharing a computer with several other
people simultaneously (i.e. multi-user), it is possible that
the user's tickets can be stolen (copied) by another
user.This can be overcome with the -c
filename command-line option or (preferably) the
KRB5CCNAME environment variable, but this
is rarely done. In principal, storing the ticket in the users
home directory and using simple file permissions can mitigate
this problem.The KDC is a single point of failureBy design, the KDC must be as secure as
the master password database is contained on it. The
KDC should have absolutely no other
services running on it and should be physically secured. The
danger is high because Kerberos
stores all passwords encrypted with the same key (the
master key), which in turn is stored as a file
on the KDC.As a side note, a compromised master key is not quite as
bad as one might normally fear. The master key is only used
to encrypt the Kerberos database
and as a seed for the random number generator. As long as
access to your KDC is secure, an attacker
cannot do much with the master key.Additionally, if the KDC is unavailable
(perhaps due to a denial of service attack or network problems)
the network services are unusable as authentication can not be
performed, a recipe for a denial-of-service attack. This can
alleviated with multiple KDCs (a single
master and one or more slaves) and with careful implementation
of secondary or fall-back authentication
(PAM is excellent for this).Kerberos ShortcomingsKerberos allows users, hosts
and services to authenticate between themselves. It does not
have a mechanism to authenticate the KDC
to the users, hosts or services. This means that a trojanned
kinit (for example) could record all user
names and passwords. Something like
security/tripwire or
other file system integrity checking tools can alleviate
this.Resources and further informationKerberos5External Resources
The Kerberos FAQDesigning
an Authentication System: a Dialog in Four ScenesRFC 1510,
The Kerberos Network Authentication Service
(V5)MIT
Kerberos home pageHeimdal
Kerberos home pageJoseph J.BarbishContributed by BradDavisConverted to SGML and updated by FirewallsfirewallsecurityfirewallsIntroductionAll software-based firewalls provide some way to filter
incoming and outgoing traffic that flows through your system.
The firewall uses one or more sets of rules to
inspect the network packets as they come in or go out of your
network connections and either allows the traffic through or
blocks it. The rules of the firewall can inspect one or more
characteristics of the packets, including but not limited to
the protocol type, the source or destination host address and
the source or destination port.Firewalls greatly enhance the security of your network,
your applications and services. They can be used to do one of
more of the following things:To protect and insulate the applications, services and
machines of your internal network from unwanted traffic
coming in from the public Internet.To limit or disable access from hosts of the internal
network to services of the public Internet.To support network address translation (NAT), which
allows your internal network to use private IP addresses
and share a single connection to the public Internet
(either with a single IP address or by a shared pool of
automatically assigned public addresses).Firewall Rule Set TypesConstructing a software application firewall rule set may
seem to be trivial, but most people get it wrong. The most
common mistake is to create an exclusive firewall rather
than an inclusive firewall.An exclusive firewall allows all services through except
for those matching a set of rules that block certain
services.An inclusive firewall does the reverse. It only allows
services matching the rules through and blocks everything else.
This way you can control what services can originate behind the
firewall destined for the public Internet and also control which
services originating from the public Internet may access your
network. Inclusive firewalls are much, much safer than exclusive
firewalls.When you use your browser to access a web site there are
many internal functions that happen before your screen fills
with the data from the target web site. Your browser does not
receive one large file containing all the data and display
format instructions at one time. Each internal function accesses
the public Internet in multiple send/receive cycles of packets
of information. When all the packets containing the data finally
arrive, the data contained in the packets is combined together
to fill your screen. Each service (DNS, HTTP, etc) has its own
port number. The port number 80 is for HTTP services. So you
can code your firewall to only allow web page session start
requests originating from your LAN to pass through the firewall
out to the public Internet.Security can be tightened further by telling the firewall to
monitor the send/receive cycles of all the packets making up
that session until the session completes. These are called
stateful capabilities and provides the maximum level of
protection.A firewall rule set that does not implement stateful
capabilities on all the services being authorized is an insecure
firewall that is still open to many of the most common methods
of attack.Firewall Software Applications&os; has two different firewall software products built
into the base system. They are IPFILTER (i.e. also known as IPF)
and IPFIREWALL (i.e. also known as IPFW). IPFIREWALL has the
built in DUMMYNET traffic shaper facilities for controlling
bandwidth usage. IPFILTER does not have a built in traffic
shaper facility for controlling bandwidth usage, but the ALTQ
port application can be used to accomplish the same function.
The DUMMYNET feature and ALTQ is generally useful only to large
ISPs or commercial users. Both IPF and IPFW use rules to control
the access of packets to and from your system, although they go
about it different ways and have different rule syntaxes.The IPFW sample rule set (found in
/etc/rc.firewall) delivered in the basic
install is outdated, complicated and does not use stateful
rules on the interface facing the public Internet. It
exclusively uses legacy stateless rules which only have the
ability to open or close the service ports. The IPFW example
stateful rules sets presented here supercede the
/etc/rc.firewall file distributed with the
system.Stateful rules have technically advanced interrogation
abilities capable of defending against the flood of different
methods currently employed by attackers.Both of these firewall software solutions IPF and IPFW still
maintain their legacy heritage of their original rule processing
order and reliance on non-stateful rules. These outdated
concepts are not covered here, only the new, modern stateful
rule construct and rule processing order is presented.You should read about both of them and make your own
decision on which one best fits your needs.The author prefers IPFILTER because its stateful rules are
much less complicated to use in a NAT environment and it has a
built in ftp proxy that simplifies the rules to allow secure
outbound FTP usage. If is also more appropriate to the knowledge
level of the inexperienced firewall user.Since all firewalls are based on interrogating the values
of selected packet control fields, the creator of the firewall
rules must have an understanding of how TCP/IP works, what the
different values in the packet control fields are and how these
values are used in a normal session conversation. For a good
explanation go to:
.The Packet Filter FirewallAs of July 2003 the OpenBSD firewall software application
known as PF was ported to &os; 5.3.
PF is a complete, fully featured firewall
that contains ALTQ
for bandwidth usage management in a way similar to the dummynet
provides in IPFW.
The OpenBSD project does an outstanding job of maintaining the
PF users' guide that it will not be made part of this handbook
firewall section as that would just be duplicated effort.For older 5.X version of &os; you can find
PF in the &os; ports collection here:
security/pf.More info can be found at the PF for &os; web site:
.The OpenBSD PF user's guide is here:
.
PF in &os; 5.X is at the level of OpenBSD version 3.5. The
port from the &os; ports collection at the level of OpenBSD
version 3.4. Keep that in mind when browsing the user's
guide.Enabling PFPF is included in the basic &os; install for versions newer than
5.3 as a separate run time loadable module. PF will dynamically load
its kernel loadable module when the rc.conf statement
pf_enable="YES" is used. The
loadable module was created with &man.pflog.4; logging
enabled.Kernel optionsIt is not a mandatory requirement that you enable PF by
compiling the following options into the &os; kernel. It is only
presented here as background information. Compiling PF into the
kernel causes the loadable module to never be used.Sample kernel config PF option statements are in the
/usr/src/sys/conf/NOTES kernel source and are
reproduced here:device pf
device pflog
device pfsyncdevice pf tells the compile to include
Packet Filter as part of its core kernel.device pflog enables the optional
&man.pflog.4; pseudo network device which can be used to log traffic
to a &man.bpf.4; descriptor. The &man.pflogd.8; daemon can be used to
store the logging information to disk.device pfsync enables the optional
&man.pfsync.4; pseudo network device that is used to monitor
state changes. As this is not part of the loadable
module one has to build a custom kernel to use it.These settings will take affect only after you have built and
installed a kernel with them set.Available rc.conf OptionsYou need the following statements in /etc/rc.conf
to activate PF at boot time:pf_enable="YES" # Enable PF (load module if required)
pf_rules="/etc/pf.conf" # rules definition file for pf
pf_flags="" # additional flags for pfctl startup
pflog_enable="YES" # start pflogd(8)
pflog_logfile="/var/log/pflog" # where pflogd should store the logfile
pflog_flags="" # additional flags for pflogd startupIf you have a LAN behind this firewall and have to forward
packets for the computers in the LAN or want to do NAT you have to
enable the following option as well:gateway_enable="YES" # Enable as Lan gatewayThe IPFILTER (IPF) FirewallThe author of IPFILTER is Darren Reed. IPFILTER is not
operating system dependent. IPFILTER is a open source
application and has been ported to &os;, NetBSD, OpenBSD,
SunOS, HP/UX, and Solaris operating systems. IPFILTER is
actively being supported and maintained, with updated versions
being released regularly.IPFILTER is based on a kernel-side firewall and NAT
mechanism that can be controlled and monitored by userland
interface programs. The firewall rules can be set or deleted
with the &man.ipf.8; utility. The NAT rules can be set or
deleted with the &man.ipnat.1; utility. The &man.ipfstat.8;
utility can print run-time statistics for the kernel parts of
IPFILTER. The &man.ipmon.8; program can log IPFILTER actions
to the system log files.IPF was originally written using a rule processing logic
of the last matching rule wins and used only
stateless type of rules. Over time IPF has been enhanced to
include a quick option and a stateful
keep state option which drastically modernized
the rules processing logic. IPF's official documentation covers
the legacy rule coding parameters and the legacy rule file
processing logic. the modernized functions are only included as
additional options, completely understating their benefits in
producing a far superior secure firewall.The instructions contained in this section are based on
using rules that contain the quick option and
the stateful keep state option. This is the
basic framework for coding an inclusive firewall rule set.
An inclusive firewall only allows packets matching the
rules to pass through. This way you can control what services
can originate behind the firewall destine for the public
Internet and also control the services which can originate from
the public Internet accessing your private network. Everything
else is blocked and logged by default design. Inclusive
firewalls are much, much more secure than exclusive firewall
rule sets and is the only rule set type covered here in.For detailed explanation of the legacy rules processing
method see:
and
.The IPF FAQ is at
.
Enabling IPFIPF is included in the basic &os; install as a separate
run time loadable module. IPF will dynamically load its kernel
loadable module when the rc.conf statement
ipfilter_enable="YES" is used. The loadable
module was created with logging enabled and the default
pass all options. You do not need to compile IPF into
the &os; kernel just to change the default to block all
, you can do that by just coding a block all rule at
the end of your rule set.Kernel optionsIt is not a mandatory requirement that you enable IPF by
compiling the following options into the &os; kernel. It is
only presented here as background information. Compiling IPF
into the kernel causes the loadable module to never be used.
Sample kernel config IPF option statements are in the
/usr/src/sys/i386/conf/LINT kernel source
and are reproduced here.options IPFILTER
options IPFILTER_LOG
options IPFILTER_DEFAULT_BLOCKoptions IPFILTER tells the compile
to include IPFILTER as part of its core kernel.options IPFILTER_LOG enables the
option to have IPF log traffic by writing to the ipl packet
logging pseudo—device for every rule that has the log
keyword.options IPFILTER_DEFAULT_BLOCK
changes the default behavior so any packet not matching a
firewall pass rule gets blocked.These settings will take affect only after you have built
and installed a kernel with them set.Available rc.conf OptionsYou need the following statements in /etc/rc.conf
to activate IPF at boot time:ipfilter_enable="YES" # Start ipf firewall
ipfilter_rules="/etc/ipf.rules" # loads rules definition text file
ipmon_enable="YES" # Start IP monitor log
ipmon_flags="-Ds" # D = start as daemon
# s = log to syslog
# v = log tcp window, ack, seq
# n = map IP & port to namesIf you have a LAN behind this firewall that uses the
reserved private IP address ranges, then you need to add the
following to enable NAT function.gateway_enable="YES" # Enable as Lan gateway
ipnat_enable="YES" # Start ipnat function
ipnat_rules="/etc/ipnat.rules" # rules definition file for ipnatIPFThe ipf command is used to load your rules file. Normally
you create a file containing your custom rules and use this
command to replace in mass the currently running firewall
internal rules.ipf -Fa -f /etc/ipf.rules-Fa means flush all internal rules tables.-f means this is the file to read for the rules to load.This gives you the ability to make changes to their custom
rules file, run the above IPF command thus updating the running
firewall with a fresh copy of all the rules without having to
reboot the system. This method is very convenient for testing new
rules as the procedure can be executed as many times as needed.
See the &man.ipf.8; man page for details on the other flags
available with this command.The &man.ipf.8; command expects the rules file to be a
standard text file. It will not accept a rules file written as a
script with symbolic substitution.There is a way to build IPF rules that utilities the power of
script symbolic substitution. See the Building Rule Script
section.IPFSTATThe default behavior of &man.ipfstat.8; is to retrieve and
display the totals of the accumulated statistics gathered as a
result of applying the user coded rules against packets going
in and out of the firewall since it was last started, or since
the last time the accumulators were reset to zero by
ipf -Z command.See the &man.ipfstat.8; manual page for details.The default &man.ipfstat.8; command output will look
something like this:input packets: blocked 99286 passed 1255609 nomatch 14686 counted 0
output packets: blocked 4200 passed 1284345 nomatch 14687 counted 0
input packets logged: blocked 99286 passed 0
output packets logged: blocked 0 passed 0
packets logged: input 0 output 0
log failures: input 3898 output 0
fragment state(in): kept 0 lost 0
fragment state(out): kept 0 lost 0
packet state(in): kept 169364 lost 0
packet state(out): kept 431395 lost 0
ICMP replies: 0 TCP RSTs sent: 0
Result cache hits(in): 1215208 (out): 1098963
IN Pullups succeeded: 2 failed: 0
OUT Pullups succeeded: 0 failed: 0
Fastroute successes: 0 failures: 0
TCP cksum fails(in): 0 (out): 0
Packet log flags set: (0)When supplied with either -i for inbound or -o for outbound,
it will retrieve and display the appropriate list of filter
rules currently installed and in use by the kernel.ipfstat -in displays the inbound internal
rules table with rule number.ipfstat -on displays the outbound
internal rules table with the rule number.The output will look something like this:@1 pass out on xl0 from any to any
@2 block out on dc0 from any to any
@3 pass out quick on dc0 proto tcp/udp from any to any keep stateipfstat -ih displays the inbound internal
rules table prefixed each rule with count of how many times the
rule was matched.ipfstat -oh displays the outbound
internal rules table prefixed each rule with count of how many
times the rule was matched.The output will look something like this:2451423 pass out on xl0 from any to any
354727 block out on dc0 from any to any
430918 pass out quick on dc0 proto tcp/udp from any to any keep stateOne of the most important functions of the ipfstat command
is the -t flag which activates the display state table in a way
similar to the way &man.top.1; shows the &os; running process
table. When your firewall is under attack this function gives
you the ability to identify, drill down to, and see the
attacking packets. The optional sub-flags give the ability to
select destination or source IP, port, protocol, you want to
monitor in real time. See the &man.ipfstat.8 man page for
details.IPMONIn order for ipmon to properly work, the
kernel option IPFILTER_LOG must be turned on. This command has
2 different modes it can be used in. Native mode is the default
mode when you type the command on the command line without the
-D flag.Daemon mode is for when you want to have a continuous
system log file available so you can review logging of past
events. This is how &os; and IPFILTER are configured to work
together. &os; has a built in facility to automatically
rotate syslogs. That is why outputting the log information to
syslogd is better than the default of outputting to a regular
file. In rc.conf file you see the
ipmon_flags statement uses the "-Ds" flagsipmon_flags="-Ds" # D = start as daemon
# s = log to syslog
# v = log tcp window, ack, seq
# n = map IP & port to namesThe benefits of logging are obvious. It provides the
ability to review, after the fact, information like: what
packets had been dropped, what addresses they came from and
where they were going. These all give you a significant edge in
tracking down attackers.Even with the logging facility enabled, IPF will not
generate any rule logging on its own. The firewall
administrator decides what rules in the rule set he wants to
log and adds the log keyword to those rules. Normally only
deny rules are logged.Its very customary to include a default deny everything
rule with the log keyword included as your last rule in the
rule set. This way you get to see all the packets that did not
match any of the rules in the rule set.IPMON LoggingSyslogd uses its own special method for segregation of log
data. It uses special grouping called facility
and level. IPMON in -Ds mode uses Local0 as the
facility name. All IPMON logged data goes to
Local0. The following levels can be used to further segregate
the logged data if desired.LOG_INFO - packets logged using the "log" keyword as the action rather than pass or block.
LOG_NOTICE - packets logged which are also passed
LOG_WARNING - packets logged which are also blocked
LOG_ERR - packets which have been logged and which can be considered shortTo setup IPFILTER to log all data to
/var/log/ipfilter.log, you will need to create the
file. The following command will do that:touch /var/log/ipfilter.logThe syslog function is controlled by definition statements
in the /etc/syslog.conf file. The syslog.conf file offers
considerable flexibility in how syslog will deal with system
messages issued by software applications like IPF.Add the following statement to /etc/syslog.conf
:Local0.* /var/log/ipfilter.logThe Local0.* means to write all the logged messages to the
coded file location.To activate the changes to /etc/syslog.conf
you can reboot or bump the syslog task into
re-reading /etc/syslog.conf by
kill -HUP <pid>. You get the pid (i.e. process
number) by listing the tasks with the ps -ax
command. Find syslog in the display and the pid is the number
in the left column.Do not forget to change /etc/newsyslog.conf
to rotate the new log you just created above.
The Format of Logged MessagesMessages generated by ipmon consist of data fields
separated by white space. Fields common to all messages are:
The date of packet receipt.The time of packet receipt. This is in the form
HH:MM:SS.F, for hours, minutes, seconds, and fractions of a
second (which can be several digits long).The name of the interface the packet was processed on,
e.g. dc0.The group and rule number of the rule, e.g. @0:17.
These can be viewed with ipfstat -in.The action: p for passed, b for blocked, S for a short
packet, n did not match any rules, L for a log rule. The
order of precedence in showing flags is: S, p, b, n, L. A
capital P or B means that the packet has been logged due to
a global logging setting, not a particular rule.The addresses. This is actually three fields: the
source address and port (separated by a comma), the ->
symbol, and the destination address and port.
209.53.17.22,80 -> 198.73.220.17,1722.PR followed by the protocol name or number, e.g. PR
tcp.len followed by the header length and total length of
the packet, e.g. len 20 40.If the packet is a TCP packet, there will be an additional
field starting with a hyphen followed by letters corresponding
to any flags that were set. See the &man.ipmon.8; manual page
for a list of letters and their flags.If the packet is an ICMP packet, there will be two fields
at the end, the first always being ICMP, and
the next being the ICMP message and sub-message type,
separated by a slash, e.g. ICMP 3/3 for a port unreachable
message.Building the Rule ScriptSome experienced IPF users create a file containing the
rules and code them in a manner compatible with running them
as a script with symbolic substitution. The major benefit of
doing this is you only have to change the value associated
with the symbolic name and when the script is run all the rules
containing the symbolic name will have the value substituted in
the rules. Being a script, you can use symbolic substitution to
code frequent used values and substitute them in multiple
rules. You will see this in the following example.The script syntax used here is compatible with the sh, csh,
and tcsh shells.Symbolic substitution fields are prefixed with a dollar
sign $.Symbolic fields do not have the $ prefixThe value to populate the Symbolic field must be enclosed
with "double quotes".Start your rule file with something like this:############# Start of IPF rules script ########################
oif="dc0" # name of the outbound interface
odns="192.0.2.11" # ISP's dns server IP address Symbolic>
myip="192.0.2.7" # My Static IP address from ISP
ks="keep state"
fks="flags S keep state"
# You can use this same to build the /etc/ipf.rules file
#cat >> /etc/ipf.rules << EOF
# exec ipf command and read inline data, stop reading
# when word EOF is found. There has to be one line
# after the EOF line to work correctly.
/sbin/ipf -Fa -f - << EOF
# Allow out access to my ISP's Domain name server.
pass out quick on $oif proto tcp from any to $odns port = 53 $fks
pass out quick on $oif proto udp from any to $odns port = 53 $ks
# Allow out non-secure standard www function
pass out quick on $oif proto tcp from $myip to any port = 80 $fks
# Allow out secure www function https over TLS SSL
pass out quick on $oif proto tcp from $myip to any port = 443 $fks
EOF
################## End of IPF rules script ########################That is all there is to it. The rules are not important in
this example, how the Symbolic substitution field are populated
and used are. If the above example was in /etc/ipf.rules.script
file, you could reload these rules by entering on the command
line.sh /etc/ipf.rules.scriptThere is one problem with using a rules file with embedded
symbolics. IPF has no problem with it, but the rc startup
scripts that read rc.conf will have
problems.To get around this limitation with a rc scripts, remove
the following line:ipfilter_rules=Add a script like the following to your
/usr/local/etc/rc.d/ startup directory. The script
should have a obvious name like loadipfrules.sh
. The .sh extension is mandatory.
#!/bin/sh
sh /etc/ipf.rules.scriptThe permission on this script file must be read, write,
exec for owner root.chmod 700 /usr/local/etc/rc.d/ipf.loadrules.shNow when you system boots your IPF rules will be loaded
using the script.IPF Rule SetsA rule set is a group of ipf rules coded to pass or block
packets based on the values contained in the packet. The
bi-directional exchange of packets between hosts comprises a
session conversation. The firewall rule set processes the
packet 2 times, once on its arrival from the public Internet
host and again as it leaves for its return trip back to the
public Internet host. Each tcp/ip service (i.e. telnet, www,
mail, etc.) is predefined by its protocol, source and
destination IP address, or the source and destination port
number. This is the basic selection criteria used to create
rules which will pass or block services.IPF was originally written using a rules processing logic
of 'the last matching rule wins' and used only stateless
rules. Over time IPF has been enhanced to include a 'quick'
option and a stateful 'keep state' option which drastically
modernized the rules processing logic.The instructions contained in this section is based on
using rules that contain the 'quick' option. and the stateful
'keep state' option. This is the basic framework for coding an
inclusive firewall rule set.An inclusive firewall only allows services matching the
rules through. This way you can control what services can
originate behind the firewall destined for the public Internet
and also control the services which can originate from the
public Internet accessing your private network. Everything
else is blocked and logged by default design. Inclusive
firewalls are much, much securer than exclusive firewall rule
sets and is the only rule set type covered herein.Warning, when working with the firewall rules, always,
always do it from the root console of the system running the
firewall or you can end up locking your self out.Rule SyntaxThe rule syntax presented here has been simplified to only
address the modern stateful rule context and 'first matching
rule wins' logic. For the complete legacy rule syntax
description see the online ipf man page at &man.ipf.8# is used to mark the start of a comment and may appear at
the end of a rule line or on its own lines. Blank lines are
ignored.Rules contain keywords, These keywords have to be coded in
a specific order from left to right on the line. Keywords are
identified in bold type. Some keywords have sub-options which
may be keywords them selves and also include more sub-options.
Each of the headings in the below syntax has a bold section
header which expands on the content.ACTION IN-OUT OPTIONS SELECTION STATEFUL
PROTO SRC_ADDR,DST_ADDR OBJECT PORT_NUM TCP_FLAG STATEFUL
ACTION = block | passIN-OUT = in | outOPTIONS = log | quick | on
interface-nameSELECTION = proto value |
source/destination IP | port = number | flags flag-valuePROTO = tcp/udp | udp | tcp |
icmpSRC_ADD,DST_ADDR = all | from
object to objectOBJECT = IP address | anyPORT_NUM = port numberTCP_FLAG = SSTATEFUL = keep stateACTIONThe action indicates what to do with the packet if it
matches the rest of the filter rule. Each rule must have a
action. The following actions are recognized:block indicates that the packet should be dropped if
the selection parameters match the packet.pass indicates that the packet should exit the firewall
if the selection parameters match the packet.IN-OUTThis is a mandatory requirement that each filter rule
explicitly state which side of the I/O it is to be used on.
The next keyword must be either in or out and one or the
other has to be coded or the rule will not pass syntax
check.in means this rule is being applied against an inbound
packet which has just been received on the interface
facing the public Internet.out means this rule is being applied against an
outbound packet destined for the interface facing the public
Internet.OPTIONSThese options must be used in the order shown here.
log indicates that the packet header will be written to
the ipl log (as described in the LOGGING section below) if
the selection parameters match the packet.quick indicates that if the selection parameters match
the packet, this rule will be the last rule checked,
allowing a "short-circuit" path to avoid processing any
following rules for this packet. This option is a mandatory
requirement for the modernized rules processing logic.
on indicates the interface name to be incorporated into
the selection parameters. Interface names are as displayed
by ifconfig. Using this option, the rule will only match if
the packet is going through that interface in the specified
direction (in/out). This option is a mandatory requirement
for the modernized rules processing logic.When a packet is logged, the headers of the packet are
written to the IPL packet logging pseudo-device.
Immediately following the log keyword, the following
qualifiers may be used (in this order):body indicates that the first 128 bytes of the packet
contents will be logged after the headers.first If the 'log' keyword is being used in conjunction
with a "keep state" option, it is recommended that this
option is also applied so that only the triggering packet
is logged and not every packet which there after matches
the 'keep state' information.SELECTIONThe keywords described in this section are used to
describe attributes of the packet to be interrogated when
determining whether rules match or don't match. There is a
keyword subject, and it has sub-option keywords, one of
which has to be selected. The following general-purpose
attributes are provided for matching, and must be used in
this order:PROTOProto is the subject keyword, it must be coded along
with one of it.s corresponding keyword sub-option values.
The value allows a specific protocol to be matched against.
This option is a mandatory requirement for the modernized
rules processing logic.tcp/udp | udp | tcp | icmp or any protocol names found
in /etc/protocols are recognized and may be used. The
special protocol keyword tcp/udp may be used to match
either a TCP or a UDP packet, and has been added as a
convenience to save duplication of otherwise identical
rules.SRC_ADDR/DST_ADDRThe 'all' keyword is essentially a synonym for "from
any to any" with no other match parameters.from src to dst The from and to keywords are used to
match against IP addresses. Rules must specify BOTH source
and destination parameters. .any. is a special keyword that
matches any IP address. As in 'from any to any' or 'from
0.0.0.0/0 to any' or 'from any to 0.0.0.0/0' or 'from
0.0.0.0 to any' or 'from any to 0.0.0.0'IP addresses may be specified as a dotted IP address
numeric form/mask-length, or as single dotted IP address
numeric form.There isn't a way to match ranges of IP addresses which
do not express themselves easily as mask-length. See this
link for help on writing mask-length:
PORTIf a port match is included, for either or both of
source and destination, then it is only applied to TCP and
UDP packets. When composing port comparisons, either the
service name from /etc/services or an integer port number
may be used. When the port appears as part of the from
object, it matches the source port number, when it appears
as part of the to object, it matches the destination port
number. The use of the port option with the .to. object is
a mandatory requirement for the modernized rules processing
logic. As in 'from any to any port = 80'Port comparisons may be done in a number of forms, with
a number of comparison operators, or port ranges may be
specified.port "=" | "!=" | "<" | ">" | "<=" | ">=" | "eq" | "ne"
| "lt" | "gt" | "le" | "ge".To specify port ranges, port "<>" | "><"Following the source and destination matching
parameters, the following two parameters are mandatory
requirements for the modernized rules processing logic.
TCP_FLAGFlags are only effective for TCP filtering. The letters
represents one of the possible flags that can be
interrogated in the TCP packet header.The modernized rules processing logic uses the 'flags
S' parameter to identify the tcp session start request.
STATEFUL'keep state' indicates that on a pass rule, any packets
that match the rules selection parameters is to activate
the stateful filtering facility.This option is a mandatory requirement for the
modernized rules processing logic.Stateful FilteringStateful filtering treats traffic as a bi-directional
exchange of packets comprising a session conversation. When
activated keep-state dynamically generates internal rules for
each anticipated packet being exchanged during the
bi-directional session conversation. It has the interrogation
abilities to determine if the session conversation between the
originating sender and the destination are following the valid
procedure of bi-directional packet exchange. Any packets that
do not properly fit the session conversation template are
automatically rejected as impostors.Keep state will also allow ICMP packets related to a TCP
or UDP session through. So if you get ICMP type 3 code 4 in
response to some web surfing allowed out by a keep state rule,
they will be automatically allowed in. Any packet that IPF can
be certain is part of a active session, even if it is a
different protocol, will be let in.What happens is:Packets destined to go out the interface connected to the
public Internet are first checked against the dynamic state
table, if the packet matches the next expected packet
comprising in a active session conversation, then it exits
the firewall and the state of the session conversation flow
is updated in the dynamic state table, the remaining packets
get checked against the outbound rule set.Packets coming in to the interface connected to the public
Internet are first checked against the dynamic state table, if
the packet matches the next expected packet comprising a
active session conversation, then it exits the firewall and
the state of the session conversation flow is updated in the
dynamic state table, the remaining packets get checked against
the inbound rule set.When the conversation completes it is removed from the
dynamic state table.Stateful filtering allows you to focus on blocking/passing
new sessions. If the new session is passed, all its subsequent
packets will be allowed through automatically and any
impostors automatically rejected. If a new session is blocked,
none of its subsequent packets will be allowed through.
Stateful filtering has technically advanced interrogation
abilities capable of defending against the flood of different
attack methods currently employed by attackers.Inclusive Rule set ExampleThe following rule set is an example of how to code a very
secure inclusive type of firewall. An inclusive firewall only
allows services matching pass rules through and blocks all
other by default. All firewalls have at the minimum two
interfaces which have to have rules to allow the firewall to
function.All Unix flavored systems including &os; are designed
to use interface l0 and IP address 127.0.0.1 for internal
communication with in the &os; operating system. The
firewall rules must contain rules to allow free unmolested
movement of these special internally used packets.The interface which faces the public Internet, is the one
which you code your rules to authorize and control access out
to the public Internet and access requests arriving from the
public Internet. This can be your .user ppp. tun0 interface
or your NIC card that is cabled to your DSL or cable modem.
In cases where one or more than one NICs are cabled to
Private LANs (local area networks) behind the firewall, those
interfaces must have a rule coded to allow free unmolested
movement of packets originating from those LAN interfaces.
The rules should be first organized into three major
sections, all the free unmolested interfaces, public interface
outbound, and the public interface inbound.The order of the rules in each of the public interface
sections should be in order of the most used rules being
placed before less often used rules with the last rule in the
section being a block log all packets on that interface and
direction.The Outbound section in the following rule set only
contains 'pass' rules which contain selection values that
uniquely identify the service that is authorized for public
Internet access. All the rules have the 'quick', 'on',
'proto', 'port', and 'keep state' option coded. The 'proto
tcp' rules have the 'flag' option included to identify the
session start request as the triggering packet to activate the
stateful facility.The Inbound section has all the blocking of undesirable
packets first for two different reasons. First is these things
being blocked may be part of an otherwise valid packet which
may be allowed in by the later authorized service rules.
Second reason is that by having a rule that explicitly blocks
selected packets that I receive on an infrequent bases and
don't want to see in the log, this keeps them from being
caught by the last rule in the section which blocks and logs
all packets which have fallen through the rules. The last rule
in the section which blocks and logs all packets is how you
create the legal evidence needed to prosecute the people who
are attacking your system.Another thing you should take note of, is there is no
response returned for any of the undesirable stuff, their
packets just get dropped and vanish. This way the attackers
has no knowledge if his packets have reached your system.
The less the attackers can learn about your system the more
secure it is. The inbound 'nmap OS fingerprint' attempts
rule I log the first occurrence because this is something a
attacker would do.Any time you see log messages on a rule with .log first.
you should do an ipstat -h command to see the number of times
the rule has been matched so you know if your are being
flooded, i.e. under attack.When you log packets with port numbers you do not
recognize, go to
and do a port number lookup to find what the purpose of that
port number is.Check out this link for port numbers used by Trojans
The following rule set is a complete very secure
'inclusive' type of firewall rule set that I have used on my
system. You can not go wrong using this rule set for your own.
Just comment out any pass rules for services to don.t want to
authorize.If you see messages in your log that you want to stop
seeing just add a block rule in the inbound section.You have to change the dc0 interface name in every rule
to the interface name of the Nic card that connects your
system to the public Internet. For user PPP it would be
tun0.Add the following statements to /etc/ipf.rules:#################################################################
# No restrictions on Inside Lan Interface for private network
# Not needed unless you have Lan
#################################################################
#pass out quick on xl0 all
#pass in quick on xl0 all
#################################################################
# No restrictions on Loopback Interface
#################################################################
pass in quick on lo0 all
pass out quick on lo0 all
#################################################################
# Interface facing Public Internet (Outbound Section)
# Interrogate session start requests originating from behind the
# firewall on the private network
# or from this gateway server destine for the public Internet.
#################################################################
# Allow out access to my ISP's Domain name server.
# xxx must be the IP address of your ISP.s DNS.
# Dup these lines if your ISP has more than one DNS server
# Get the IP addresses from /etc/resolv.conf file
pass out quick on dc0 proto tcp from any to xxx port = 53 flags S keep state
pass out quick on dc0 proto udp from any to xxx port = 53 keep state
# Allow out access to my ISP's DHCP server for cable or DSL networks.
# This rule is not needed for .user ppp. type connection to the
# public Internet, so you can delete this whole group.
# Use the following rule and check log for IP address.
# Then put IP address in commented out rule & delete first rule
pass out log quick on dc0 proto udp from any to any port = 67 keep state
#pass out quick on dc0 proto udp from any to z.z.z.z port = 67 keep state
# Allow out non-secure standard www function
pass out quick on dc0 proto tcp from any to any port = 80 flags S keep state
# Allow out secure www function https over TLS SSL
pass out quick on dc0 proto tcp from any to any port = 443 flags S keep state
# Allow out send & get email function
pass out quick on dc0 proto tcp from any to any port = 110 flags S keep state
pass out quick on dc0 proto tcp from any to any port = 25 flags S keep state
# Allow out Time
pass out quick on dc0 proto tcp from any to any port = 37 flags S keep state
# Allow out nntp news
pass out quick on dc0 proto tcp from any to any port = 119 flags S keep state
# Allow out gateway & LAN users non-secure FTP ( both passive & active modes)
# This function uses the IPNAT built in FTP proxy function coded in
# the nat rules file to make this single rule function correctly.
# If you want to use the pkg_add command to install application packages
# on your gateway system you need this rule.
pass out quick on dc0 proto tcp from any to any port = 21 flags S keep state
# Allow out secure FTP, Telnet, and SCP
# This function is using SSH (secure shell)
pass out quick on dc0 proto tcp from any to any port = 22 flags S keep state
# Allow out non-secure Telnet
pass out quick on dc0 proto tcp from any to any port = 23 flags S keep state
# Allow out FBSD CVSUP function
pass out quick on dc0 proto tcp from any to any port = 5999 flags S keep state
# Allow out ping to public Internet
pass out quick on dc0 proto icmp from any to any icmp-type 8 keep state
# Allow out whois for LAN PC to public Internet
pass out quick on dc0 proto tcp from any to any port = 43 flags S keep state
# Block and log only the first occurrence of everything
# else that.s trying to get out.
# This rule enforces the block all by default logic.
block out log first quick on dc0 all
#################################################################
# Interface facing Public Internet (Inbound Section)
# Interrogate packets originating from the public Internet
# destine for this gateway server or the private network.
#################################################################
# Block all inbound traffic from non-routable or reserved address spaces
block in quick on dc0 from 192.168.0.0/16 to any #RFC 1918 private IP
block in quick on dc0 from 172.16.0.0/12 to any #RFC 1918 private IP
block in quick on dc0 from 10.0.0.0/8 to any #RFC 1918 private IP
block in quick on dc0 from 127.0.0.0/8 to any #loopback
block in quick on dc0 from 0.0.0.0/8 to any #loopback
block in quick on dc0 from 169.254.0.0/16 to any #DHCP auto-config
block in quick on dc0 from 192.0.2.0/24 to any #reserved for docs
block in quick on dc0 from 204.152.64.0/23 to any #Sun cluster interconnect
block in quick on dc0 from 224.0.0.0/3 to any #Class D & E multicast
##### Block a bunch of different nasty things. ############
# That I don't want to see in the log
# Block frags
block in quick on dc0 all with frags
# Block short tcp packets
block in quick on dc0 proto tcp all with short
# block source routed packets
block in quick on dc0 all with opt lsrr
block in quick on dc0 all with opt ssrr
# Block nmap OS fingerprint attempts
# Log first occurrence of these so I can get their IP address
block in log first quick on dc0 proto tcp from any to any flags FUP
# Block anything with special options
block in quick on dc0 all with ipopts
# Block public pings
block in quick on dc0 proto icmp all icmp-type 8
# Block ident
block in quick on dc0 proto tcp from any to any port = 113
# Block all Netbios service. 137=name, 138=datagram, 139=session
# Netbios is MS/Windows sharing services.
# Block MS/Windows hosts2 name server requests 81
block in log first quick on dc0 proto tcp/udp from any to any port = 137
block in log first quick on dc0 proto tcp/udp from any to any port = 138
block in log first quick on dc0 proto tcp/udp from any to any port = 139
block in log first quick on dc0 proto tcp/udp from any to any port = 81
# Allow traffic in from ISP's DHCP server. This rule must contain
# the IP address of your ISP.s DHCP server as it.s the only
# authorized source to send this packet type. Only necessary for
# cable or DSL configurations. This rule is not needed for
# .user ppp. type connection to the public Internet.
# This is the same IP address you captured and
# used in the outbound section.
pass in quick on dc0 proto udp from z.z.z.z to any port = 68 keep state
# Allow in standard www function because I have apache server
pass in quick on dc0 proto tcp from any to any port = 80 flags S keep state
# Allow in non-secure Telnet session from public Internet
# labeled non-secure because ID/PW passed over public Internet as clear text.
# Delete this sample group if you do not have telnet server enabled.
#pass in quick on dc0 proto tcp from any to any port = 23 flags S keep state
# Allow in secure FTP, Telnet, and SCP from public Internet
# This function is using SSH (secure shell)
pass in quick on dc0 proto tcp from any to any port = 22 flags S keep state
# Block and log only first occurrence of all remaining traffic
# coming into the firewall. The logging of only the first
# occurrence stops a .denial of service. attack targeted
# at filling up your log file space.
# This rule enforces the block all by default logic.
block in log first quick on dc0 all
################### End of rules file #####################################
NATNAT stands for Network Address Translation. To those
familiar with Linux, this concept is called IP Masquerading,
NAT and IP Masquerading are the same thing. One of the many
things the IPF NAT function enables, is the ability to have a
private Local Area Network (LAN) behind the firewall sharing a
single ISP assigned IP address to the public Internet.You ask why would someone want to do this. ISPs normally
assign a dynamic IP address to their non-commercial users.
Dynamic means the IP address can be different each time you
dial in and logon to your ISP, or for cable and DSL modem
users when you power off and then power on your modems you can
get assigned a different IP address. This IP address is how
you are known to the public Internet.Now lets say you have 5 PCs at home and each one needs
Internet access. You would have to pay your ISP for an
individual Internet account for each PC and have 5 phone
lines.With NAT you only need a single account with your ISP,
then cable your other 4 PC.s to a switch and the switch to
the NIC in your &os; system which is going to service your
LAN as a gateway. NAT will automatically translate the private
LAN IP address for each separate PC on the LAN to the single
public IP address as it exits the firewall bound for the
public Internet. It also does the reverse translation for
returning packets.NAT is most often accomplished without the approval, or
knowledge, of your ISP and in most cases is grounds for your
ISP terminating your account if found out. Commercial users
pay a lot more for their Internet connection and usually get
assigned a block of static IP address which never change. The
ISP also expects and consents to their Commercial customers
using NAT for their internal private LANs.There is a special range of IP addresses reserved for
NATed private LAN IP address. According to RFC 1918, you can
use the following IP ranges for private nets which will never
be routed directly to the public Internet.Start IP 10.0.0.0-Ending IP 10.255.255.255
Start IP 172.16.0.0-Ending IP 172.31.255.255
Start IP 192.168.0.0-Ending IP 192.168.255.255
IPNATNAT rules are loaded by using the ipnat command. Typically
the NAT rules are stored in /etc/ipnat.rules
. See &man.ipnat.1 for details.When changing the NAT rules after NAT has been started,
Make your changes to the file containing the nat rules, then
run ipnat command with the -CF flags to delete the internal
in use NAT rules and flush the contents of the translation
table of all active entries.To reload the NAT rules issue a command like this:ipnat -CF -f /etc/ipnat.rulesTo display some statistics about your NAT, use this
command:ipnat -sTo list the NAT table's current mappings, use this
command:ipnat -lTo turn verbose mode on, and display information relating
to rule processing and active rules/table entries:ipnat -vIPNAT RulesNAT rules are very flexible and can accomplish many
different things to fit the needs of commercial and home
users.The rule syntax presented here has been simplified to
what is most commonly used in a non-commercial environment.
For a complete rule syntax description see the man ipf page
at &man.ipnat.5;.The syntax for a NAT rule looks something like this:
map IFLAN_IP_RANGE -> PUBLIC_ADDRESSThe keyword `map' starts the rule.Replace IF with the external
interface.The LAN_IP_RANGE is what your
internal clients use for IP Addressing, usually this is
something like 192.168.1.0/24.
The PUBLIC_ADDRESS can either
be the external IP address or the special keyword `0.32',
which means to use the IP address assigned to
IF.How NAT worksA packet arrives at the firewall from the LAN with a
public destination. It passes through the outbound filter
rules, NAT gets his turn at the packet and applies its rules
top down, first matching rule wins. NAT tests each of its
rules against the packets interface name and source IP
address. When a packets interface name matches a NAT rule then
the [source IP address, i.e. private Lan IP address] of the
packet is checked to see if it falls within the IP address
range specified to the left of the arrow symbol on the NAT
rule. On a match the packet has its source IP address
rewritten with the public IP address obtained by the `0.32'
keyword. NAT posts a entry in its internal NAT table so when
the packet returns from the public Internet it can be mapped
back to its original private IP address and then passed to
the filter rules for processing.Enabling IPNATTo enable IPNAT add these statements to
/etc/rc.confTo enable your machine to route traffic between
interfaces.gateway_enable="YES"To start IPNAT automatically each time:ipnat_enable="YES"To specify where to load the IPNAT rules fromipnat_rules="/etc/ipnat.rules"NAT for a very large LANFor networks that have large numbers of PC's on the Lan or
networks with more that a single LAN the process of funneling
all those private IP address into a single public IP address
becomes a resource problem that may cause problems with same
port numbers being used many times across many NATed LAN PC's
causing collisions. There are 2 ways to relieve this resource
problem.Assigning Ports to UseBLAHmap dc0 192.168.1.0/24 -> 0.32In the above rule the packet's source port is unchanged
as the packet passes through IPNAT. By adding the portmap
keyword you can tell IPNAT to only use source ports in a
range. For example the following rule will tell IPNAT to
modify the source port to be within that range.
map dc0 192.168.1.0/24 -> 0.32 portmap tcp/udp 20000:60000Additionally we can make things even easier by using
the `auto' keyword to tell IPNAT to determine by itself
which ports are available to use:map dc0 192.168.1.0/24 -> 0.32 portmap tcp/udp autoUsing a pool of public addressesIn very large LANs there comes a point where there are
just too many LAN addresses to fit into a single public
address. By changing the following rule:map dc0 192.168.1.0/24 -> 204.134.75.1Currently this rule maps all connections through
204.134.75.1. This can be
changed to specify a range:map dc0 192.168.1.0/24 -> 204.134.75.1-10Or a subnet using CIDR notation such as:map dc0 192.168.1.0/24 -> 204.134.75.0/24Port RedirectionAn very common practice is to have a web server, email
server, database server and DNS sever each segregated to a
different PC on the LAN. In this case the traffic from these
servers still have to be NATed, but there has to be some way
to direct the inbound traffic to the correct LAN PC's. IPNAT
has the redirection facilities of NAT to solve this problem.
Lets say you have your web server on LAN address
10.0.10.25 and your single
public IP address is 20.20.20.5
you would code the rule like this:map dc0 20.20.20.5/32 port 80 -> 10.0.10.25 port 80ormap dc0 0/32 port 80 -> 10.0.10.25 port 80or for a LAN DNS Server on LAN address of
10.0.10.33 that needs to
receive public DNS requestsmap dc0 20.20.20.5/32 port 53 -> 10.0.10.33 port 53 udpFTP and NATFTP is a dinosaur left over from the time before the
Internet as it is know today, when research universities were
leased lined together and FTP was used to share files among
research Scientists. This was a time when data security was
not even an idea yet. Over the years the FTP protocol became
buried into the backbone of the emerging Internet and its
username and password being sent in clear text was never
changed to address new security concerns. FTP has two flavors,
it can run in active mode or passive mode. The difference is
in how the data channel is acquired. Passive mode is more
secure as the data channel is acquired be the ordinal ftp
session requester. For a real good explanation of FTP and the
different modes see
IPNAT RulesIPNAT has a special built in FTP proxy option which can be
specified on the NAT map rule. It can monitor all outbound
packet traffic for FTP active or passive start session
requests and dynamically create temporary filter rules
containing only the port number really in use for the data
channel. This eliminates the security risk FTP normally
exposes the firewall to from having large ranges of high order
port numbers open.This rule will handle all the traffic for the internal
LAN:map dc0 10.0.10.0/29 -> 0/32 proxy port 21 ftp/tcpThis rule handles the FTP traffic from the gateway.map dc0 0.0.0.0/0 -> 0/32 proxy port 21 ftp/tcpThis rule handles all non-FTP traffic from the internal
LAN.map dc0 10.0.10.0/29 -> 0/32The FTP map rule goes before our regular map rule. All
packets are tested against the first rule from the top.
Matches on interface name, then private LAN source IP
address, and then is it a FTP packet. If all that matches
then the special FTP proxy creates temp filter rules to let
the FTP session packets pass in and out, in addition to also
NATing the FTP packets. All LAN packets that are not FTP do
not match the first rule and fall through to the third rule
and are tested, matching on interface and source IP, then
are NATed.IPNAT FTP Filter RulesOnly one filter rule is needed for FTP if the NAT FTP
proxy is used.Without the FTP Proxy you will need the following three
rules# Allow out LAN PC client FTP to public Internet
# Active and passive modes
pass out quick on rl0 proto tcp from any to any port = 21 flags S keep state
# Allow out passive mode data channel high order port numbers
pass out quick on rl0 proto tcp from any to any port > 1024 flags S keep state
# Active mode let data channel in from FTP server
pass in quick on rl0 proto tcp from any to any port = 20 flags S keep stateFTP NAT Proxy BugAs of &os; 4.9 which includes IPFILTER version 3.4.31
the FTP proxy works as documented during the FTP session
until the session is told to close. When the close happens
packets returning from the remote FTP server are blocked and
logged coming in on port 21. The NAT FTP/proxy appears to
remove its temp rules prematurely, before receiving the
response from the remote FTP server acknowledging the close.
Posted problem report to ipf mailing list.Solution is to add filter rule like this one to get rid
of these unwanted log messages or do nothing and ignore FTP
inbound error messages in your log. Not like you do FTP
session to the public Internet all the time, so this is not
a big deal.Block in quick on rl0 proto tcp from any to any port = 21IPFWThe IPFIREWALL (IPFW) is a &os; sponsored firewall
software application authored and maintained by &os;
volunteer staff members. It uses the legacy Stateless rules and
a legacy rule coding technique to achieve what is referred to as
Simple Stateful logic.The IPFW stateless rule syntax is empowered with technically
sophisticated selection capabilities which far surpasses the
knowledge level of the customary firewall installer. IPFW is
targeted at the professional user or the advanced technical
computer hobbyist who have advanced packet selection
requirements. A high degree of detailed knowledge into how
different protocols use and create their unique packet header
information is necessary before the power of the IPFW rules can
be unleashed. Providing that level of explanation is out of the
scope of this section of the handbook.IPFW is composed of 7 components, the primary component is
the kernel firewall filter rule processor and its integrated
packet accounting facility, the logging facility, the 'divert'
rule which triggers the NAT facility, and the advanced special
purpose facilities, the dummynet traffic shaper facilities, the
'fwd rule' forward facility, the bridge facility, and the
ipstealth facility.Enabling IPFWIPFW is included in the basic &os; install as a
separate run time loadable module. IPFW will dynamically load
the kernel module when the rc.conf
statement firewall_enable="YES" is used. You do not need to
compile IPFW into the &os; kernel unless you want NAT
function enabled.After rebooting your system with firewall_enable="YES" in
rc.conf the following white highlighted
message is displayed on the screen as part of the boot
process:IP packet filtering initialized, divert disabled, rule-based forwarding
enabled, default to deny, logging disabledYou can disregard this message as it is out dated and no
longer is the true status of the IPFW loadable module. The
loadable module really does have logging ability compiled in.
To set the verbose logging limit, There is a knob you can
set in /etc/sysctl.conf by adding this
statement, logging will be enabled on future reboots.net.inet.ip.fw.verbose_limit=5Kernel OptionsIt is not a mandatory requirement that you enable IPFW by
compiling the following options into the &os; kernel unless
you need NAT function. It is presented here as background
information.options IPFIREWALLThis option enables IPFW as part of the kerneloptions IPFIREWALL_VERBOSEEnables logging of packets that pass through IPFW and
have the 'log' keyword specified in the rule set.options IPFIREWALL_VERBOSE_LIMIT=5This specifies the default number of packets from a
particular rule is to be logged. Without this option, each
repeated occurrences of the same packet will be logged, and
eventually consuming all the free disk space resulting in
services being denied do to lack of resources. The 5 is the
number of consecutive times to log evidence of this unique
occurrence.options IPFIREWALL_DEFAULT_TO_ACCEPTThis option will allow everything to pass through the
firewall by default. Which is a good idea when you are first
setting up your firewall.options IPV6FIREWALL
options IPV6FIREWALL_VERBOSE
options IPV6FIREWALL_VERBOSE_LIMIT
options IPV6FIREWALL_DEFAULT_TO_ACCEPTThese options are exactly the same as the IPv4 options
but they are for IPv6. If you don't use IPv6 you might want
to use IPV6FIREWALL without any rules to block all IPv6options IPDIVERTThis enables the use of NAT functionality.If you don't include IPFIREWALL_DEFAULT_TO_ACCEPT or set
your rules to allow incoming packets you will block all
packets going to and from this machine./etc/rc.conf OptionsIf you don't have IPFW compliled into your kernel you will
need to load it with the following statement in your
/etc/rc.conf:firewall_enable="YES"Set the script to run to activate your rules:firewall_script="/etc/ipfw.rules"Enable logging:firewall_logging="YES"The IPFW CommandThe ipfw command is the normal vehicle for making manual
single rule additions or deletions to the firewall active
internal rules while it is running. The problem with using this
method is once your system is shutdown or halted all the rules
you added or changed or deleted are lost. Writing all your
rules in a file and using that file to load the rules at boot
time, or to replace in mass the currently running firewall
rules with changes you made to the files content is the
recommended method used here.The IPFW command is still a very useful to display the
running firewall rules to the console screen. The IPFW
accounting facility dynamically creates a counter for each
rule that counts each packet that matches the rule. During the
process of testing a rule, listing the rule with its counter
is the only way of determining if the rule is functioning.
To list all the rules in sequence:ipfw listTo list all the rules with a time stamp of when the last
time the rule was matched:ipfw -t listTo list the accounting information, packet count for
matched rules along with the rules themselves. The first
column is the rule number, followed by the number of outgoing
matched packets, followed by the number of incoming matched
packets, and then the rule itself.ipfw -a listList the dynamic rules in addition to the static rules:
ipfw -d listAlso show the expired dynamic rules:ipfw -d -e listZero the counters:ipfw zeroZero the counters for just rule NUM
:ipfw zero NUMIPFW Rule SetsA rule set is a group of ipfw rules coded to allow or deny
packets based on the values contained in the packet. The
bi-directional exchange of packets between hosts comprises a
session conversation. The firewall rule set processes the
packet 2 times, once on its arrival from the public Internet
host and again as it leaves for its return trip back to the
public Internet host. Each tcp/ip service (i.e. telnet, www,
mail, etc.) is predefined by its protocol, and port number.
This is the basic selection criteria used to create rules
which will allow or deny services.When a packet enters the firewall it is compared against
the first rule in the rule set and progress one rule at a
time moving from top to bottom of the set in ascending rule
number sequence order. When the packet matches a rule
selection parameters, the rules action field value is executed
and the search of the rule set terminates for that packet.
This is referred to as the 'first match wins' search method.
If the packet does not match any of the rules, it gets caught
by the mandatory ipfw default rule, number 65535 which denies
all packets and discards them without any reply back to the
originating destination.The instructions contained here are based on using rules
that contain the stateful 'keep state', 'limit', 'in'/'out',
and via options. This is the basic framework for coding an
inclusive type firewall rule set.An inclusive firewall only allows services matching the
rules through. This way you can control what services can
originate behind the firewall destine for the public Internet
and also control the services which can originate from the
public Internet accessing your private network. Everything
else is denied by default design. Inclusive firewalls are
much, much more secure than exclusive firewall rule sets and
is the only rule set type covered here in.When working with the firewall rules be
careful, you can end up locking your self out.Rule SyntaxThe rule syntax presented here has been simplified to
what is necessary to create a standard inclusive type
firewall rule set. For a complete rule syntax description
see the online &man.ipfw.8; man page.Rules contain keywords, These keywords have to be coded
in a specific order from left to right on the line. Keywords
are identified in bold type. Some keywords have sub-options
which may be keywords them selves and also include more
sub-options.# is used to mark the start of a comment and may appear
at the end of a rule line or on its own lines. Blank lines
are ignored.CMD RULE# ACTION LOGGING SELECTION STATEFUL
CMDEach rule has to be prefixed with 'add' to add the
rule to the internal table.RULE#Each rule has to have a rule number to go with it.
ACTIONA rule can be associated with one of the following
actions, which will be executed when the packet matches
the selection criterion of the rule.allow | accept | pass | permitThese all mean the same thing which is to allow
packets that match the rule to exit the firewall rule
processing. The search terminates at this rule.check-stateChecks the packet against the dynamic rules table. If
a match is found, execute the action associated with the
rule which generated this dynamic rule, otherwise move to
the next rule. The Check-state rule does not have
selection criterion. If no check-state rule is present in
the rule set, the dynamic rules table is checked at the
first keep-state or limit rule.deny | dropBoth words mean the same thing which is to discard
packets that match this rule. The search terminates.
Logginglog or logamount
When a packet matches a rule with the log keyword, a
message will be logged to syslogd with a facility name of
SECURITY. The logging only occurs if the number of
packets logged so far for that particular rule does not
exceed the logamount parameter. If no logamount is
specified, the limit is taken from the sysctl variable
net.inet.ip.fw.verbose_limit. In both cases, a value of
zero removes the logging limit. Once the limit is
reached, logging can be re-enabled by clearing the
logging counter or the packet counter for that rule, see
the ipfw reset log command. Note: logging is done after
all other packet matching conditions have been
successfully verified, and before performing the final
action (accept, deny) on the packet. It is up to you to
decide which rules you want to enable logging on.SelectionThe keywords described in this section are used to
describe attributes of the packet to be interrogated when
determining whether rules match or don't match the packet.
The following general-purpose attributes are provided for
matching, and must be used in this order:udp | tcp | icmpor any protocol names found in /etc/protocols are
recognized and may be used. The value specified is
protocol to be matched against. This is a mandatory
requirement.from src to dstThe from and to keywords are used to match against IP
addresses. Rules must specify BOTH source and destination
parameters. any is a special keyword that matches any IP
address. me is a special keyword that matches any IP
address configured on an interface in your &os; system to
represent the PC the firewall is running on. (i.e. this
box) As in from me to any or from any to me or from
0.0.0.0/0 to any or from any to 0.0.0.0/0 or from 0.0.0.0
to any or from any to 0.0.0.0 or from me to 0.0.0.0. IP
addresses are specified as a dotted IP address numeric
form/mask-length, or as single dotted IP address numeric
form. This is a mandatory requirement. See this link for
help on writing mask-lengths. port numberFor protocols which support port numbers (such as TCP
and UDP). It is mandatory that you code the port number of
the service you want to match on. Service names (from
/etc/services) may be used instead of
numeric port values.in | outMatches incoming or outgoing packets, respectively. The in
and out are keywords and it is mandatory that you code one
or the other as part of your rule matching criterion.
via IFMatches packets going through the interface specified
by exact name. The via keyword causes the interface to
always be checked as part of the match process.setupThis is a mandatory keyword that identifies the
session start request for TCP packets.keep-stateThis is a mandatory> keyword. Upon a match, the
firewall will create a dynamic rule, whose default
behavior is to match bidirectional traffic between source
and destination IP/port using the same protocol.limit {src-addr | src-port | dst-addr |
dst-port}The firewall will only allow N connections with the
same set of parameters as specified in the rule. One or
more of source and destination addresses and ports can be
specified. The 'limit' and 'keep-state' can not be used on
same rule. Limit provides the same stateful function as
'keep-state' plus its own functions.Stateful Rule OptionStateful filtering treats traffic as a bi-directional
exchange of packets comprising a session conversation. It
has the interrogation abilities to determine if the session
conversation between the originating sender and the
destination are following the valid procedure of
bi-directional packet exchange. Any packets that do not
properly fit the session conversation template are
automatically rejected as impostors.'check-state' is used to identify where in the IPFW
rules set the packet is to be tested against the dynamic
rules facility. On a match the packet exits the firewall to
continue on its way and a new rule is dynamic created for
the next anticipated packet being exchanged during this
bi-directional session conversation. On a no match the
packet advances to the next rule in the rule set for
testing.The dynamic rules facility is vulnerable to resource
depletion from a SYN-flood attack which would open a huge
number of dynamic rules. To counter this attack, &os;
version 4.5 added another new option named limit. This
option is used to limit the number of simultaneous session
conversations by interrogating the rules source or
destinations fields as directed by the limit option and
using the packet's IP address found there, in a search of
the open dynamic rules counting the number of times this
rule and IP address combination occurred, if this count is
greater that the value specified on the limit option, the
packet is discarded.Logging Firewall MessagesThe benefits of logging are obvious, provides the
ability to review after the fact the rules you activated
logging on which provides information like, what packets had
been dropped, what addresses they came from, where they were
going, giving you a significant edge in tracking down
attackers.Even with the logging facility enabled, IPFW will not
generate any rule logging on it's own. The firewall
administrator decides what rules in the rule set he wants to
log and adds the log verb to those rules. Normally only deny
rules are logged. Like the deny rule for incoming ICMP
pings. It's very customary to duplicate the ipfw default
deny everything rule with the log verb included as your
last rule in the rule set. This way you get to see all the
packets that did not match any of the rules in the rule set.Logging is a two edged sword, if you're not careful, you
can lose yourself in the over abundance of log data and fill
your disk up with growing log files. DoS attacks that fill
up disk drives is one of the oldest attacks around. These
log message are not only written to syslogd, but also are
displayed on the root console screen and soon become very
annoying.The IPFIREWALL_VERBOSE_LIMIT=5 kernel option limits the
number of consecutive messages sent to the system logger
syslogd, concerning the packet matching of a given rule.
When this option is enabled in the kernel, the number of
consecutive messages concerning a particular rule is capped
at the number specified. There is nothing to be gained from
200 log messages saying the same identical thing. For
instance, 5 consecutive messages concerning a particular
rule would be logged to syslogd, the remainder identical
consecutive messages would be counted and posted to the
syslogd with a phrase like this:last message repeated 45 timesAll logged packets messages are written by default to
/var/log/security file, which is
defined in the /etc/syslog.conf file.
Building Rule ScriptMost experienced IPFW users create a file containing the
rules and code them in a manner compatible with running them
as a script. The major benefit of doing this is the firewall
rules can be refreshed in mass without the need of
rebooting the system to activate the new rules. This method
is very convenient in testing new rules as the procedure can
be executed as many times as needed. Being a script, you can
use symbolic substitution to code frequent used values and
substitution them in multiple rules. You will see this in
the following example.The script syntax used here is compatible with the 'sh',
'csh', 'tcsh' shells. Symbolic substitution fields are
prefixed with a dollar sign $. Symbolic fields do not have
the $ prefix. The value to populate the Symbolic field must
be enclosed to "double quotes".Start your rules file like this:############### start of example ipfw rules script #############
#
ipfw -q -f flush # Delete all rules
# Set defaults
oif="tun0" # out interface
odns="192.0.2.11" # ISP's dns server IP address
cmd="ipfw -q add " # build rule prefix
ks="keep-state" # just too lazy to key this each time
$cmd 00500 check-state
$cmd 00502 deny all from any to any frag
$cmd 00501 deny tcp from any to any established
$cmd 00600 allow tcp from any to any 80 out via $oif setup $ks
$cmd 00610 allow tcp from any to $odns 53 out via $oif setup $ks
$cmd 00611 allow udp from any to $odns 53 out via $oif $ks
################### End of example ipfw rules script ############That is all there is to it. The rules are not important
in this example, how the Symbolic substitution field are
populated and used are.If the above example was in
/etc/ipfw.rules file, you could reload
these rules by entering on the command line.sh /etc/ipfw.rulesThe /etc/ipfw.rules file could be
located any where you want and the file could be named any
thing you would like.The same thing could also be accomplished by running
these commands by hand:ipfw -q -f flush
ipfw -q add check-state
ipfw -q add deny all from any to any frag
ipfw -q add deny tcp from any to any established
ipfw -q add allow tcp from any to any 80 out via tun0 setup keep-state
ipfw -q add allow tcp from any to 192.0.2.11 53 out via tun0 setup keep-state
ipfw -q add 00611 allow udp from any to 192.0.2.11 53 out via tun0 keep-stateStateful RulesetThe following non-NATed rule set is a example of how to
code a very secure 'inclusive' type of firewall. An
inclusive firewall only allows services matching pass rules
through and blocks all other by default. All firewalls have
at the minimum two interfaces which have to have rules to
allow the firewall to function.All &unix; flavored operating systems, &os; included, are designed to
use interface lo and IP address
127.0.0.1 for internal
communication with in &os;. The firewall rules must contain
rules to allow free unmolested movement of these special
internally used packets.The interface which faces the public Internet, is the
one which you code your rules to authorize and control
access out to the public Internet and access requests
arriving from the public Internet. This can be your ppp tun0
interface or your NIC that is connected to your DSL or cable
modem.In cases where one or more than one NIC are connected to
a private LANs behind the firewall, those interfaces must
have rules coded to allow free unmolested movement of
packets originating from those LAN interfaces.The rules should be first organized into three major
sections, all the free unmolested interfaces, public
interface outbound, and the public interface inbound.
The order of the rules in each of the public interface
sections should be in order of the most used rules being
placed before less often used rules with the last rule in
the section being a block log all packets on that interface
and direction.The Outbound section in the following rule set only
contains 'allow' rules which contain selection values that
uniquely identify the service that is authorized for public
Internet access. All the rules have the, proto, port,
in/out, via and keep state option coded. The 'proto tcp'
rules have the 'setup' option included to identify the start
session request as the trigger packet to be posted to the
keep state stateful table.The Inbound section has all the blocking of undesirable
packets first for 2 different reasons. First is these things
being blocked may be part of an otherwise valid packet which
may be allowed in by the later authorized service rules.
Second reason is that by having a rule that explicitly
blocks selected packets that I receive on an infrequent
bases and don't want to see in the log, this keeps them from
being caught by the last rule in the section which blocks
and logs all packets which have fallen through the rules.
The last rule in the section which blocks and logs all
packets is how you create the legal evidence needed to
prosecute the people who are attacking your system.Another thing you should take note of, is there is no
response returned for any of the undesirable stuff, their
packets just get dropped and vanish. This way the attackers
has no knowledge if his packets have reached your system.
The less the attackers can learn about your system the more
secure it is. When you log packets with port numbers you do
not recognize, go to
and do a port number lookup to find what the purpose of that
port number is. Check out this link for port numbers used by
Trojans:
.An Example Inclusive RulesetThe following non-NATed rule set is a complete inclusive
type ruleset. You can not go wrong using this rule set for
you own. Just comment out any pass rules for services to
don't want. If you see messages in your log that you want to
stop seeing just add a deny rule in the inbound section. You
have to change the 'dc0' interface name in every rule to the
interface name of the NIC that connects your system to the
public Internet. For user ppp it would be 'tun0'.You will see a pattern in the usage of these rules.
All statements that are a request to start a session
to the public Internet use keep-state.All the authorized services that originate from the
public Internet have the limit option to stop flooding.
All rules use in or out to clarify direction.
All rules use via interface name to specify the
interface the packet is traveling over.The following rules go into
/etc/ipfw.rules.################ Start of IPFW rules file ###############################
# Flush out the list before we begin.
ipfw -q -f flush
# Set rules command prefix
cmd="ipfw -q add"
pif="dc0" # public interface name of Nic card
# facing the public Internet
#################################################################
# No restrictions on Inside Lan Interface for private network
# Not needed unless you have Lan.
# Change xl0 to your Lan Nic card interface name
#################################################################
#$cmd 00005 allow all from any to any via xl0
#################################################################
# No restrictions on Loopback Interface
#################################################################
$cmd 00010 allow all from any to any via lo0
#################################################################
# Allow the packet through if it has previous been added to the
# the "dynamic" rules table by a allow keep-state statement.
#################################################################
$cmd 00015 check-state
#################################################################
# Interface facing Public Internet (Outbound Section)
# Interrogate session start requests originating from behind the
# firewall on the private network or from this gateway server
# destine for the public Internet.
#################################################################
# Allow out access to my ISP's Domain name server.
# x.x.x.x must be the IP address of your ISP.s DNS
# Dup these lines if your ISP has more than one DNS server
# Get the IP addresses from /etc/resolv.conf file
$cmd 00110 allow tcp from any to x.x.x.x 53 out via $pif setup keep-state
$cmd 00111 allow udp from any to x.x.x.x 53 out via $pif keep-state
# Allow out access to my ISP's DHCP server for cable/DSL configurations.
# This rule is not needed for .user ppp. connection to the public Internet.
# so you can delete this whole group.
# Use the following rule and check log for IP address.
# Then put IP address in commented out rule & delete first rule
$cmd 00120 allow log udp from any to any 67 out via $pif keep-state
#$cmd 00120 allow udp from any to x.x.x.x 67 out via $pif keep-state
# Allow out non-secure standard www function
$cmd 00200 allow tcp from any to any 80 out via $pif setup keep-state
# Allow out secure www function https over TLS SSL
$cmd 00220 allow tcp from any to any 443 out via $pif setup keep-state
# Allow out send & get email function
$cmd 00230 allow tcp from any to any 25 out via $pif setup keep-state
$cmd 00231 allow tcp from any to any 110 out via $pif setup keep-state
# Allow out FBSD (make install & CVSUP) functions
# Basically give user root "GOD" privileges.
$cmd 00240 allow tcp from me to any out via $pif setup keep-state uid root
# Allow out ping
$cmd 00250 allow icmp from any to any out via $pif keep-state
# Allow out Time
$cmd 00260 allow tcp from any to any 37 out via $pif setup keep-state
# Allow out nntp news (i.e. news groups)
$cmd 00270 allow tcp from any to any 119 out via $pif setup keep-state
# Allow out secure FTP, Telnet, and SCP
# This function is using SSH (secure shell)
$cmd 00280 allow tcp from any to any 22 out via $pif setup keep-state
# Allow out whois
$cmd 00290 allow tcp from any to any 43 out via $pif setup keep-state
# deny and log everything else that.s trying to get out.
# This rule enforces the block all by default logic.
$cmd 00299 deny log all from any to any out via $pif
#################################################################
# Interface facing Public Internet (Inbound Section)
# Interrogate packets originating from the public Internet
# destine for this gateway server or the private network.
#################################################################
# Deny all inbound traffic from non-routable reserved address spaces
$cmd 00300 deny all from 192.168.0.0/16 to any in via $pif #RFC 1918 private IP
$cmd 00301 deny all from 172.16.0.0/12 to anyin via $pif #RFC 1918 private IP
$cmd 00302 deny all from 10.0.0.0/8 to anyin via $pif #RFC 1918 private IP
$cmd 00303 deny all from 127.0.0.0/8 to anyin via $pif #loopback
$cmd 00304 deny all from 0.0.0.0/8 to anyin via $pif #loopback
$cmd 00305 deny all from 169.254.0.0/16 to anyin via $pif #DHCP auto-config
$cmd 00306 deny all from 192.0.2.0/24 to anyin via $pif #reserved for docs
$cmd 00307 deny all from 204.152.64.0/23 to anyin via $pif #Sun cluster interconnect
$cmd 00308 deny all from 224.0.0.0/3 to anyin via $pif #Class D & E multicast
# Deny public pings
$cmd 00310 deny icmp from any to anyin via $pif
# Deny ident
$cmd 00315 deny tcp from any to any 113in via $pif
# Deny all Netbios service. 137=name, 138=datagram, 139=session
# Netbios is MS/Windows sharing services.
# Block MS/Windows hosts2 name server requests 81
$cmd 00320 deny tcp from any to any 137in via $pif
$cmd 00321 deny tcp from any to any 138in via $pif
$cmd 00322 deny tcp from any to any 139in via $pif
$cmd 00323 deny tcp from any to any 81 in via $pif
# Deny any late arriving packets
$cmd 00330 deny all from any to any frag in via $pif
# Deny ACK packets that did not match the dynamic rule table
$cmd 00332 deny tcp from any to any established in via $pif
# Allow traffic in from ISP's DHCP server. This rule must contain
# the IP address of your ISP.s DHCP server as it.s the only
# authorized source to send this packet type.
# Only necessary for cable or DSL configurations.
# This rule is not needed for .user ppp. type connection to
# the public Internet. This is the same IP address you captured
# and used in the outbound section.
#$cmd 00360 allow udp from any to x.x.x.x 67 in via $pif keep-state
# Allow in standard www function because I have apache server
$cmd 00400 allow tcp from any to me 80 in via $pif setup limit src-addr 2
# Allow in secure FTP, Telnet, and SCP from public Internet
$cmd 00410 allow tcp from any to me 22 in via $pif setup limit src-addr 2
# Allow in non-secure Telnet session from public Internet
# labeled non-secure because ID & PW are passed over public
# Internet as clear text.
# Delete this sample group if you do not have telnet server enabled.
$cmd 00420 allow tcp from any to me 23 in via $pif setup limit src-addr 2
# Reject & Log all incoming connections from the outside
$cmd 00499 deny log all from any to any in via $pif
# Everything else is denied by default
# deny and log all packets that fell through to see what they are
$cmd 00999 deny log all from any to any
################ End of IPFW rules file ###############################
An Example NAT and Stateful RulesetThere are some additional configuration statements that
need to be enabled to activate the NAT function of IPFW. The
kernel source needs 'option divert' statement added to the
other IPFIREWALL statements compiled into a custom kernel.
In addition to the normal IPFW options in
/etc/rc.conf, the following are needed.
natd_enable="YES" # Enable NATD function
natd_interface="rl0" # interface name of public Internet NIC
natd_flags="-dynamic -m" # -m = preserve port numbers if possibleUtilizing stateful rules with divert natd rule (Network
Address Translation) greatly complicates the rule set coding
logic. The positioning of the check-state, and 'divert natd'
rules in the rule set becomes very critical. This is no
longer a simple fall-through logic flow. A new action type
is used, called 'skipto'. To use the skipto command it is
mandatory that you number each rule so you know exactly
where the skipto rule number is you are really jumping to.
The following is an uncommented example of one coding
method, selected here to explain the sequence of the packet
flow through the rule sets.The processing flow starts with the first rule from the
top of the rule file and progress one rule at a time deeper
into the file until the end is reach or the packet being
tested to the selection criteria matches and the packet is
released out of the firewall. It's important to take notice
of the location of rule numbers 100 101, 450, 500, and 510.
These rules control the translation of the outbound and
inbound packets so their entries in the keep-state dynamic
table always register the private Lan IP address. Next
notice that all the allow and deny rules specified the
direction the packet is going (IE outbound or inbound) and
the interface. Also notice that all the start outbound
session requests all skipto rule 500 for the network address
translation.Lets say a LAN user uses their web browser to get a web
page. Web pages use port 80 to communicate over. So the
packet enters the firewall, It does not match 100 because
it is headed out not in. It passes rule 101 because this is
the first packet so it has not been posted to the keep-state
dynamic table yet. The packet finally comes to rule 125 a
matches. It's outbound through the NIC facing the public
Internet. The packet still has it's source IP address as a
private Lan IP address. On the match to this rule, two
action take place. The keep-state option will post this rule
into the keep-state dynamic rules table and the specified
action is executed. The action is part of the info posted to
the dynamic table. In this case it's "skipto rule 500". Rule
500 NATs the packet IP address and out it goes. Remember
this, this is very important. This packet makes it's way to
the destination and returns and enters the top of the rule
set. This time it does match rule 100 and has it destination
IP address mapped back to it's corresponding Lan IP address.
It then is processed by the check-state rule, it's found in
the table as an existing session conversation and released
to the LAN. It goes to the LAN PC that sent it and a new
packet is sent requesting another segment of the data from
the remote server. This time it gets checked by the
check-state rule and it's outbound entry is found, the
associated action, 'skipto 500', is executed. the packet
jumps to rule 500 gets NATed and released on it's way out.
On the inbound side, everything coming in that is part
of an existing session conversation is being automatically
handled by the check-state rule and the properly placed
divert natd rules. All we have to address is denying all the
bad packets and only allowing in the authorized services.
Lets say there is a apache server running on the firewall
box and we want people on the public Internet to be able to
access the local web site. The new inbound start request
packet matches rule 100 and its IP address is mapped to LAN
IP for the firewall box. The packet is them matched against
all the nasty things we want to check for and finally
matches against rule 425. On a match two things occur, the
limit option is an extension to keep-state. The packet rule
is posted to the keep-state dynamic table but this time any
new session requests originating from that source IP address
is limited to 2. This defends against DoS attacks of service
running on the specified port number. The action is allow so
the packet is released to the LAN. On return the check-state
rule recognizes the packet as belonging to an existing
session conversation sends it to rule 500 for NATing and
released to outbound interface.Example Ruleset #1:#!/bin/sh
cmd="ipfw -q add"
skip="skipto 500"
pif=rl0
ks="keep-state"
good_tcpo="22,25,37,43,53,80,443,110,119"
ipfw -q -f flush
$cmd 002 allow all from any to any via xl0 # exclude Lan traffic
$cmd 003 allow all from any to any via lo0 # exclude loopback traffic
$cmd 100 divert natd ip from any to any in via $pif
$cmd 101 check-state
# Authorized outbound packets
$cmd 120 $skip udp from any to xx.168.240.2 53 out via $pif $ks
$cmd 121 $skip udp from any to xx.168.240.5 53 out via $pif $ks
$cmd 125 $skip tcp from any to any $good_tcpo out via $pif setup $ks
$cmd 130 $skip icmp from any to any out via $pif $ks
$cmd 135 $skip udp from any to any 123 out via $pif $ks
# Deny all inbound traffic from non-routable reserved address spaces
$cmd 300 deny all from 192.168.0.0/16 to any in via $pif #RFC 1918 private IP
$cmd 301 deny all from 172.16.0.0/12 to any in via $pif #RFC 1918 private IP
$cmd 302 deny all from 10.0.0.0/8 to any in via $pif #RFC 1918 private IP
$cmd 303 deny all from 127.0.0.0/8 to any in via $pif #loopback
$cmd 304 deny all from 0.0.0.0/8 to any in via $pif #loopback
$cmd 305 deny all from 169.254.0.0/16 to any in via $pif #DHCP auto-config
$cmd 306 deny all from 192.0.2.0/24 to any in via $pif #reserved for docs
$cmd 307 deny all from 204.152.64.0/23 to any in via $pif #Sun cluster
$cmd 308 deny all from 224.0.0.0/3 to any in via $pif #Class D & E multicast
# Authorized inbound packets
$cmd 400 allow udp from xx.70.207.54 to any 68 in $ks
$cmd 420 allow tcp from any to me 80 in via $pif setup limit src-addr 1
$cmd 450 deny log ip from any to any
# This is skipto location for outbound stateful rules
$cmd 500 divert natd ip from any to any out via $pif
$cmd 510 allow ip from any to any
######################## end of rules ##################
The following is pretty much the same as above but, uses
a self documenting coding style full of description comments
to help the inexperienced IPFW rule writer to better
understand what the rules are doing.Example Ruleset #2:
#!/bin/sh
################ Start of IPFW rules file ###############################
# Flush out the list before we begin.
ipfw -q -f flush
# Set rules command prefix
cmd="ipfw -q add"
skip="skipto 800"
pif="rl0" # public interface name of Nic card
# facing the public Internet
#################################################################
# No restrictions on Inside Lan Interface for private network
# Change xl0 to your Lan Nic card interface name
#################################################################
$cmd 005 allow all from any to any via xl0
#################################################################
# No restrictions on Loopback Interface
#################################################################
$cmd 010 allow all from any to any via lo0
#################################################################
# check if packet is inbound and nat address if it is
#################################################################
$cmd 014 divert natd ip from any to any in via $pif
#################################################################
# Allow the packet through if it has previous been added to the
# the "dynamic" rules table by a allow keep-state statement.
#################################################################
$cmd 015 check-state
#################################################################
# Interface facing Public Internet (Outbound Section)
# Interrogate session start requests originating from behind the
# firewall on the private network or from this gateway server
# destine for the public Internet.
#################################################################
# Allow out access to my ISP's Domain name server.
# x.x.x.x must be the IP address of your ISP's DNS
# Dup these lines if your ISP has more than one DNS server
# Get the IP addresses from /etc/resolv.conf file
$cmd 020 $skip tcp from any to x.x.x.x 53 out via $pif setup keep-state
# Allow out access to my ISP's DHCP server for cable/DSL configurations.
$cmd 030 $skip udp from any to x.x.x.x 67 out via $pif keep-state
# Allow out non-secure standard www function
$cmd 040 $skip tcp from any to any 80 out via $pif setup keep-state
# Allow out secure www function https over TLS SSL
$cmd 050 $skip tcp from any to any 443 out via $pif setup keep-state
# Allow out send & get email function
$cmd 060 $skip tcp from any to any 25 out via $pif setup keep-state
$cmd 061 $skip tcp from any to any 110 out via $pif setup keep-state
# Allow out FreeBSD (make install & CVSUP) functions
# Basically give user root "GOD" privileges.
$cmd 070 $skip tcp from me to any out via $pif setup keep-state uid root
# Allow out ping
$cmd 080 $skip icmp from any to any out via $pif keep-state
# Allow out Time
$cmd 090 $skip tcp from any to any 37 out via $pif setup keep-state
# Allow out nntp news (i.e. news groups)
$cmd 100 $skip tcp from any to any 119 out via $pif setup keep-state
# Allow out secure FTP, Telnet, and SCP
# This function is using SSH (secure shell)
$cmd 110 $skip tcp from any to any 22 out via $pif setup keep-state
# Allow out whois
$cmd 120 $skip tcp from any to any 43 out via $pif setup keep-state
# Allow ntp time server
$cmd 130 $skip udp from any to any 123 out via $pif keep-state
#################################################################
# Interface facing Public Internet (Inbound Section)
# Interrogate packets originating from the public Internet
# destine for this gateway server or the private network.
#################################################################
# Deny all inbound traffic from non-routable reserved address spaces
$cmd 300 deny all from 192.168.0.0/16 to any in via $pif #RFC 1918 private IP
$cmd 301 deny all from 172.16.0.0/12 to any in via $pif #RFC 1918 private IP
$cmd 302 deny all from 10.0.0.0/8 to any in via $pif #RFC 1918 private IP
$cmd 303 deny all from 127.0.0.0/8 to any in via $pif #loopback
$cmd 304 deny all from 0.0.0.0/8 to any in via $pif #loopback
$cmd 305 deny all from 169.254.0.0/16 to any in via $pif #DHCP auto-config
$cmd 306 deny all from 192.0.2.0/24 to any in via $pif #reserved for docs
$cmd 307 deny all from 204.152.64.0/23 to any in via $pif #Sun cluster
$cmd 308 deny all from 224.0.0.0/3 to any in via $pif #Class D & E multicast
# Deny ident
$cmd 315 deny tcp from any to any 113 in via $pif
# Deny all Netbios service. 137=name, 138=datagram, 139=session
# Netbios is MS/Windows sharing services.
# Block MS/Windows hosts2 name server requests 81
$cmd 320 deny tcp from any to any 137 in via $pif
$cmd 321 deny tcp from any to any 138 in via $pif
$cmd 322 deny tcp from any to any 139 in via $pif
$cmd 323 deny tcp from any to any 81 in via $pif
# Deny any late arriving packets
$cmd 330 deny all from any to any frag in via $pif
# Deny ACK packets that did not match the dynamic rule table
$cmd 332 deny tcp from any to any established in via $pif
# Allow traffic in from ISP's DHCP server. This rule must contain
# the IP address of your ISP's DHCP server as it's the only
# authorized source to send this packet type.
# Only necessary for cable or DSL configurations.
# This rule is not needed for 'user ppp' type connection to
# the public Internet. This is the same IP address you captured
# and used in the outbound section.
$cmd 360 allow udp from x.x.x.x to any 68 in via $pif keep-state
# Allow in standard www function because I have apache server
$cmd 370 allow tcp from any to me 80 in via $pif setup limit src-addr 2
# Allow in secure FTP, Telnet, and SCP from public Internet
$cmd 380 allow tcp from any to me 22 in via $pif setup limit src-addr 2
# Allow in non-secure Telnet session from public Internet
# labeled non-secure because ID & PW are passed over public
# Internet as clear text.
# Delete this sample group if you do not have telnet server enabled.
$cmd 390 allow tcp from any to me 23 in via $pif setup limit src-addr 2
# Reject & Log all unauthorized incoming connections from the public Internet
$cmd 400 deny log all from any to any in via $pif
# Reject & Log all unauthorized out going connections to the public Internet
$cmd 450 deny log all from any to any out via $pif
# This is skipto location for outbound stateful rules
$cmd 800 divert natd ip from any to any out via $pif
$cmd 801 allow ip from any to any
# Everything else is denied by default
# deny and log all packets that fell through to see what they are
$cmd 999 deny log all from any to any
################ End of IPFW rules file ###############################TomRhodesWritten by: OpenSSLsecurityOpenSSLOne feature that many users overlook is the
OpenSSL toolkit included
in &os;. OpenSSL provides an
encryption transport layer on top of the normal communications
layer; thus allowing it to be intertwined with many network
applications and services.Some uses of OpenSSL may include
encrypted authentication of mail clients, web based transactions
such as credit card payments and more. Many ports such as
www/apache13-ssl, and
mail/sylpheed-claws
will offer compilation support for building with
OpenSSL.In most cases the ports collection will attempt to build
the security/openssl
unless the WITH_OPENSSL_BASE make variable
is explicitly set to yes.The version of OpenSSL included
in &os; supports Secure Sockets Layer v2/v3 (SSLv2/SSLv3),
Transport Layer Security v1 (TLSv1) network security protocols
and can be used as a general cryptographic library for use
with applications.While OpenSSL supports the
IDEA algorithm, it is disabled by default
due to United States patents. To use it, the license should
be reviewed and, if the restrictions are acceptable, the
MAKE_IDEA variable must be set in
make.conf.Perhaps one of the most common uses of
OpenSSL provide certificates for
use with software applications. These certificates ensure
that the credentials of the company or individual is valid
and are not fraudulent. If the certificate in question has
not been verified by one of the several Certificate Authorities,
or CAs, a warning is usually produced. A
Certificate Authority is a company, such as VeriSign, who will
sign certificates in order to validate credentials of individuals
or companies. This process has a cost associated with it and
is definitely not a requirement for using certificates; however,
it can put some of the more paranoid users at ease.Generating CertificatesOpenSSLcertificate generationTo generate a certificate, the following command is
available:&prompt.root; openssl req -new -nodes -out req.pem -keyout cert.pem
Generating a 1024 bit RSA private key
................++++++
.......................................++++++
writing new private key to 'cert.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:PA
Locality Name (eg, city) []:Pittsburgh
Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Company
Organizational Unit Name (eg, section) []:Systems Administrator
Common Name (eg, YOUR name) []:localhost.example.org
Email Address []:trhodes@FreeBSD.org
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:SOME PASSWORD
An optional company name []:Another NameNotice the response directly after the
Common Name prompt shows a domain name.
This prompt requires a server name to be entered for
verification purposes; placing anything but a domain name
would yield a useless certificate. Other options for
instance expire time, alternate encryption algorithms, etc.
are available. A complete list may be obtained by viewing
the &man.openssl.1; manual page.A file, cert.pem should now exist in
the directory which the aforementioned command was issued. This
is the certificate which may be sent to any one of the many
CAs for signing.In cases where a signature from a CA is
not required, a self signed certificate can be created. First,
generate the CA key:&prompt.root; openssl gendsa -des3 -out \
myca.key 1024Use this key to create the certificate:&prompt.root; openssl req -new -x509 -days 365 -key \
myca.key -out new.crtTwo new files should appear in the directory: a certificate
authority signature file, myca.key and the
certificate itself, new.crt. These should
be placed in a directory, preferably under
- /etc, which is readable
+ /etc, which is readable
only by root. Permissions of 0700 should be fine for this and
they can be set with the chmod
utility.Using Certificates, an ExampleSo what can these files do? A good use would be to
encrypt connections to the Sendmail
MTA. This would dissolve the use of clear
text authentication for users who send mail via the local
MTA.This is not the best use in the world as some
MUAs will present the user with an
error if they have not installed the certificate locally.
Refer to the documentation included with the software for
more information on certificate installation.The following lines should be placed inside the
local .mc file:dnl SSL Options
define(`confCACERT_PATH',`/etc/certs')dnl
define(`confCACERT',`/etc/certs/new.crt')dnl
define(`confSERVER_CERT',`/etc/certs/new.crt')dnl
define(`confSERVER_KEY',`/etc/certs/myca.key')dnl
define(`confTLS_SRV_OPTIONS', `V')dnl
- Where /etc/certs/
+ Where /etc/certs/
is the directory to be used for storing the certificate
and key files locally. The last few requirements are a rebuild
of the local .cf file. This is easily
achieved by typing makeinstall within the
- /etc/mail
+ /etc/mail
directory. Follow that up with makerestart which should start the
Sendmail daemon.If all went well there will be no error messages in the
/var/log/maillog file and
Sendmail will show up in the process
list.For a simple test, simply connect to the mail server
using the &man.telnet.1; utility:&prompt.root; telnet example.com 25
Trying 192.0.34.166...
Connected to example.com.
Escape character is '^]'.
220 example.com ESMTP Sendmail 8.12.10/8.12.10; Tue, 31 Aug 2004 03:41:22 -0400 (EDT)
ehlo example.com
250-example.com Hello example.com [192.0.34.166], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH LOGIN PLAIN
250-STARTTLS
250-DELIVERBY
250 HELP
quit
221 2.0.0 example.com closing connection
Connection closed by foreign host.If the STARTTLS line appears in the output
then everything is working correctly.NikClaytonnik@FreeBSD.orgWritten by VPN over IPsecCreating a VPN between two networks, separated by the
Internet, using FreeBSD gateways.Hiten M.Pandyahmp@FreeBSD.orgWritten by Understanding IPsecThis section will guide you through the process of setting
up IPsec, and to use it in an environment which consists of
FreeBSD and µsoft.windows; 2000/XP
machines, to make them communicate securely. In order to set up
IPsec, it is necessary that you are familiar with the concepts
of building a custom kernel (see
).IPsec is a protocol which sits on top
of the Internet Protocol (IP) layer. It allows two or more
hosts to communicate in a secure manner (hence the name). The
FreeBSD IPsec network stack is based on the
KAME implementation,
which has support for both protocol families, IPv4 and
IPv6.FreeBSD 5.X contains a hardware
accelerated IPsec stack, known as Fast
IPsec, that was obtained from OpenBSD. It employs
cryptographic hardware (whenever possible) via the
&man.crypto.4; subsystem to optimize the performance of IPsec.
This subsystem is new, and does not support all the features
that are available in the KAME version of IPsec. However, in
order to enable hardware-accelerated IPsec, the following
kernel option has to be added to your kernel configuration
file:
options FAST_IPSEC # new IPsec (cannot define w/ IPSEC)
Note, that it is not currently possible to use the
Fast IPsec subsystem in lue with the KAME
implementation of IPsec. Consult the &man.fast.ipsec.4;
manual page for more information.IPsec consists of two sub-protocols:Encapsulated Security Payload
(ESP), protects the IP packet data from third
party interference, by encrypting the contents using
symmetric cryptography algorithms (like Blowfish,
3DES).Authentication Header (AH),
protects the IP packet header from third party interference
and spoofing, by computing a cryptographic checksum and
hashing the IP packet header fields with a secure hashing
function. This is then followed by an additional header
that contains the hash, to allow the information in the
packet to be authenticated.ESP and AH can
either be used together or separately, depending on the
environment.IPsec can either be used to directly encrypt the traffic
between two hosts (known as Transport
Mode); or to build virtual tunnels
between two subnets, which could be used for secure
communication between two corporate networks (known as
Tunnel Mode). The latter is more commonly
known as a Virtual Private Network (VPN).
The &man.ipsec.4; manual page should be consulted for detailed
information on the IPsec subsystem in FreeBSD.To add IPsec support to your kernel, add the following
options to your kernel configuration file:
options IPSEC #IP security
options IPSEC_ESP #IP security (crypto; define w/ IPSEC)
If IPsec debugging support is desired, the following
kernel option should also be added:
options IPSEC_DEBUG #debug for IP security
The ProblemThere is no standard for what constitutes a VPN. VPNs can
be implemented using a number of different technologies, each of
which have their own strengths and weaknesses. This section
presents a scenario, and the strategies used for implementing a
VPN for this scenario.The Scenario: Two networks, connected to the Internet, to
behave as oneThe premise is as follows:You have at least two sitesBoth sites are using IP internallyBoth sites are connected to the Internet, through a
gateway that is running FreeBSD.The gateway on each network has at least one public IP
address.The internal addresses of the two networks can be
public or private IP addresses, it doesn't matter. You can
be running NAT on the gateway machine if necessary.The internal IP addresses of the two networks
do not collide. While I expect it is
theoretically possible to use a combination of VPN
technology and NAT to get this to work, I expect it to be a
configuration nightmare.If you find that you are trying to connect two networks,
both of which, internally, use the same private IP address range
(e.g. both of them use 192.168.1.x), then one of the networks will
have to be renumbered.The network topology might look something like this:Network #1 [ Internal Hosts ] Private Net, 192.168.1.2-254
[ Win9x/NT/2K ]
[ UNIX ]
|
|
.---[fxp1]---. Private IP, 192.168.1.1
| FreeBSD |
`---[fxp0]---' Public IP, A.B.C.D
|
|
-=-=- Internet -=-=-
|
|
.---[fxp0]---. Public IP, W.X.Y.Z
| FreeBSD |
`---[fxp1]---' Private IP, 192.168.2.1
|
|
Network #2 [ Internal Hosts ]
[ Win9x/NT/2K ] Private Net, 192.168.2.2-254
[ UNIX ]Notice the two public IP addresses. I'll use the letters to
refer to them in the rest of this article. Anywhere you see those
letters in this article, replace them with your own public IP
addresses. Note also that internally, the two gateway
machines have .1 IP addresses, and that the two networks have
different private IP addresses (192.168.1.x and 192.168.2.x respectively). All the
machines on the private networks have been configured to use the
.1 machine as their default
gateway.The intention is that, from a network point of view, each
network should view the machines on the other network as though
they were directly attached the same router -- albeit a slightly
slow router with an occasional tendency to drop packets.This means that (for example), machine 192.168.1.20 should be able to runping 192.168.2.34and have it work, transparently. &windows; machines should
be able to see the machines on the other network, browse file
shares, and so on, in exactly the same way that they can browse
machines on the local network.And the whole thing has to be secure. This means that
traffic between the two networks has to be encrypted.Creating a VPN between these two networks is a multi-step
process. The stages are as follows:Create a virtual network link between the two
networks, across the Internet. Test it, using tools like
&man.ping.8;, to make sure it works.Apply security policies to ensure that traffic between
the two networks is transparently encrypted and decrypted as
necessary. Test this, using tools like &man.tcpdump.1;, to
ensure that traffic is encrypted.Configure additional software on the FreeBSD gateways,
to allow &windows; machines to see one another across the
VPN.Step 1: Creating and testing a virtual
network linkSuppose that you were logged in to the gateway machine on
network #1 (with public IP address A.B.C.D, private IP address 192.168.1.1), and you ran ping
192.168.2.1, which is the private address of the machine
with IP address W.X.Y.Z. What
needs to happen in order for this to work?The gateway machine needs to know how to reach 192.168.2.1. In other words, it needs
to have a route to 192.168.2.1.Private IP addresses, such as those in the 192.168.x range are not supposed to
appear on the Internet at large. Instead, each packet you
send to 192.168.2.1 will need
to be wrapped up inside another packet. This packet will need
to appear to be from A.B.C.D,
and it will have to be sent to W.X.Y.Z. This process is called
encapsulation.Once this packet arrives at W.X.Y.Z it will need to
unencapsulated, and delivered to 192.168.2.1.You can think of this as requiring a tunnel
between the two networks. The two tunnel mouths are the IP
addresses A.B.C.D and W.X.Y.Z, and the tunnel must be told the
addresses of the private IP addresses that will be allowed to pass
through it. The tunnel is used to transfer traffic with private
IP addresses across the public Internet.This tunnel is created by using the generic interface, or
gif devices on FreeBSD. As you can
imagine, the gif interface on each
gateway host must be configured with four IP addresses; two for
the public IP addresses, and two for the private IP
addresses.Support for the gif device must be compiled in to the
&os; kernel on both machines. You can do this by adding the
line:pseudo-device gifto the kernel configuration files on both machines, and
then compile, install, and reboot as normal.Configuring the tunnel is a two step process. First the
tunnel must be told what the outside (or public) IP addresses
are, using &man.gifconfig.8;. Then the private IP addresses must be
configured using &man.ifconfig.8;.In &os; 5.X, the functionality provided by the
&man.gifconfig.8; utility has been merged into
&man.ifconfig.8;.On the gateway machine on network #1 you would run the
following two commands to configure the tunnel.gifconfig gif0 A.B.C.D W.X.Y.Z
ifconfig gif0 inet 192.168.1.1 192.168.2.1 netmask 0xffffffff
On the other gateway machine you run the same commands,
but with the order of the IP addresses reversed.gifconfig gif0 W.X.Y.Z A.B.C.D
ifconfig gif0 inet 192.168.2.1 192.168.1.1 netmask 0xffffffff
You can then run:gifconfig gif0to see the configuration. For example, on the network #1
gateway, you would see this:&prompt.root; gifconfig gif0
gif0: flags=8011<UP,POINTTOPOINT,MULTICAST> mtu 1280
inet 192.168.1.1 --> 192.168.2.1 netmask 0xffffffff
physical address inet A.B.C.D --> W.X.Y.Z
As you can see, a tunnel has been created between the
physical addresses A.B.C.D and
W.X.Y.Z, and the traffic allowed
through the tunnel is that between 192.168.1.1 and 192.168.2.1.This will also have added an entry to the routing table
on both machines, which you can examine with the command netstat -rn.
This output is from the gateway host on network #1.&prompt.root; netstat -rn
Routing tables
Internet:
Destination Gateway Flags Refs Use Netif Expire
...
192.168.2.1 192.168.1.1 UH 0 0 gif0
...
As the Flags value indicates, this is a
host route, which means that each gateway knows how to reach the
other gateway, but they do not know how to reach the rest of
their respective networks. That problem will be fixed
shortly.It is likely that you are running a firewall on both
machines. This will need to be circumvented for your VPN
traffic. You might want to allow all traffic between both
networks, or you might want to include firewall rules that
protect both ends of the VPN from one another.It greatly simplifies testing if you configure the
firewall to allow all traffic through the VPN. You can always
tighten things up later. If you are using &man.ipfw.8; on the
gateway machines then a command likeipfw add 1 allow ip from any to any via gif0will allow all traffic between the two end points of the
VPN, without affecting your other firewall rules. Obviously
you will need to run this command on both gateway hosts.This is sufficient to allow each gateway machine to ping
the other. On 192.168.1.1, you
should be able to runping 192.168.2.1and get a response, and you should be able to do the same
thing on the other gateway machine.However, you will not be able to reach internal machines
on either network yet. This is because of the routing --
although the gateway machines know how to reach one another,
they do not know how to reach the network behind each one.To solve this problem you must add a static route on each
gateway machine. The command to do this on the first gateway
would be:route add 192.168.2.0 192.168.2.1 netmask 0xffffff00
This says In order to reach the hosts on the
network 192.168.2.0, send the
packets to the host 192.168.2.1. You will need to
run a similar command on the other gateway, but with the
192.168.1.x addresses
instead.IP traffic from hosts on one network will now be able to
reach hosts on the other network.That has now created two thirds of a VPN between the two
networks, in as much as it is virtual and it is a
network. It is not private yet. You can test
this using &man.ping.8; and &man.tcpdump.1;. Log in to the
gateway host and runtcpdump dst host 192.168.2.1In another log in session on the same host runping 192.168.2.1You will see output that looks something like this:
16:10:24.018080 192.168.1.1 > 192.168.2.1: icmp: echo request
16:10:24.018109 192.168.1.1 > 192.168.2.1: icmp: echo reply
16:10:25.018814 192.168.1.1 > 192.168.2.1: icmp: echo request
16:10:25.018847 192.168.1.1 > 192.168.2.1: icmp: echo reply
16:10:26.028896 192.168.1.1 > 192.168.2.1: icmp: echo request
16:10:26.029112 192.168.1.1 > 192.168.2.1: icmp: echo reply
As you can see, the ICMP messages are going back and forth
unencrypted. If you had used the parameter to
&man.tcpdump.1; to grab more bytes of data from the packets you
would see more information.Obviously this is unacceptable. The next section will
discuss securing the link between the two networks so that it
all traffic is automatically encrypted.Summary:Configure both kernels with pseudo-device
gif.Edit /etc/rc.conf on gateway host
#1 and add the following lines (replacing IP addresses as
necessary).gifconfig_gif0="A.B.C.D W.X.Y.Z"
ifconfig_gif0="inet 192.168.1.1 192.168.2.1 netmask 0xffffffff"
static_routes="vpn"
route_vpn="192.168.2.0 192.168.2.1 netmask 0xffffff00"
Edit your firewall script
(/etc/rc.firewall, or similar) on both
hosts, and addipfw add 1 allow ip from any to any via gif0Make similar changes to
/etc/rc.conf on gateway host #2,
reversing the order of IP addresses.Step 2: Securing the linkTo secure the link we will be using IPsec. IPsec provides
a mechanism for two hosts to agree on an encryption key, and to
then use this key in order to encrypt data between the two
hosts.The are two areas of configuration to be considered here.There must be a mechanism for two hosts to agree on the
encryption mechanism to use. Once two hosts have agreed on
this mechanism there is said to be a security association
between them.There must be a mechanism for specifying which traffic
should be encrypted. Obviously, you don't want to encrypt
all your outgoing traffic -- you only want to encrypt the
traffic that is part of the VPN. The rules that you put in
place to determine what traffic will be encrypted are called
security policies.Security associations and security policies are both
maintained by the kernel, and can be modified by userland
programs. However, before you can do this you must configure the
kernel to support IPsec and the Encapsulated Security Payload
(ESP) protocol. This is done by configuring a kernel with:options IPSEC
options IPSEC_ESP
and recompiling, reinstalling, and rebooting. As before
you will need to do this to the kernels on both of the gateway
hosts.You have two choices when it comes to setting up security
associations. You can configure them by hand between two hosts,
which entails choosing the encryption algorithm, encryption keys,
and so forth, or you can use daemons that implement the Internet
Key Exchange protocol (IKE) to do this for you.I recommend the latter. Apart from anything else, it is
easier to set up.Editing and displaying security policies is carried out
using &man.setkey.8;. By analogy, setkey is
to the kernel's security policy tables as &man.route.8; is to
the kernel's routing tables. setkey can
also display the current security associations, and to continue
the analogy further, is akin to netstat -r
in that respect.There are a number of choices for daemons to manage
security associations with FreeBSD. This article will describe
how to use one of these, racoon. racoon is in the FreeBSD ports
collection, in the security/ category, and is installed in the
usual way.racoon must be run on both gateway hosts. On each host it
is configured with the IP address of the other end of the VPN,
and a secret key (which you choose, and must be the same on both
gateways).The two daemons then contact one another, confirm that they
are who they say they are (by using the secret key that you
configured). The daemons then generate a new secret key, and use
this to encrypt the traffic over the VPN. They periodically
change this secret, so that even if an attacker were to crack one
of the keys (which is as theoretically close to unfeasible as it
gets) it won't do them much good -- by the time they've cracked
the key the two daemons have chosen another one.racoon's configuration is stored in
${PREFIX}/etc/racoon. You should find a
configuration file there, which should not need to be changed
too much. The other component of racoon's configuration,
which you will need to change, is the pre-shared
key.The default racoon configuration expects to find this in
the file ${PREFIX}/etc/racoon/psk.txt. It is important to note
that the pre-shared key is not the key that will be used to
encrypt your traffic across the VPN link, it is simply a token
that allows the key management daemons to trust one another.psk.txt contains a line for each
remote site you are dealing with. In this example, where there
are two sites, each psk.txt file will contain one line (because
each end of the VPN is only dealing with one other end).On gateway host #1 this line should look like this:W.X.Y.Z secretThat is, the public IP address of the remote end,
whitespace, and a text string that provides the secret.
Obviously, you shouldn't use secret as your key -- the normal
rules for choosing a password apply.On gateway host #2 the line would look like thisA.B.C.D secretThat is, the public IP address of the remote end, and the
same secret key. psk.txt must be mode
0600 (i.e., only read/write to
root) before racoon will run.You must run racoon on both gateway machines. You will
also need to add some firewall rules to allow the IKE traffic,
which is carried over UDP to the ISAKMP (Internet Security Association
Key Management Protocol) port. Again, this should be fairly early in
your firewall ruleset.ipfw add 1 allow udp from A.B.C.D to W.X.Y.Z isakmp
ipfw add 1 allow udp from W.X.Y.Z to A.B.C.D isakmp
Once racoon is running you can try pinging one gateway host
from the other. The connection is still not encrypted, but
racoon will then set up the security associations between the two
hosts -- this might take a moment, and you may see this as a
short delay before the ping commands start responding.Once the security association has been set up you can
view it using &man.setkey.8;. Runsetkey -Don either host to view the security association information.That's one half of the problem. They other half is setting
your security policies.To create a sensible security policy, let's review what's
been set up so far. This discussions hold for both ends of the
link.Each IP packet that you send out has a header that contains
data about the packet. The header includes the IP addresses of
both the source and destination. As we already know, private IP
addresses, such as the 192.168.x.y
range are not supposed to appear on the public Internet.
Instead, they must first be encapsulated inside another packet.
This packet must have the public source and destination IP
addresses substituted for the private addresses.So if your outgoing packet started looking like this:
.----------------------.
| Src: 192.168.1.1 |
| Dst: 192.168.2.1 |
| <other header info> |
+----------------------+
| <packet data> |
`----------------------'Then it will be encapsulated inside another packet, looking
something like this:
.--------------------------.
| Src: A.B.C.D |
| Dst: W.X.Y.Z |
| <other header info> |
+--------------------------+
| .----------------------. |
| | Src: 192.168.1.1 | |
| | Dst: 192.168.2.1 | |
| | <other header info> | |
| +----------------------+ |
| | <packet data> | |
| `----------------------' |
`--------------------------'This encapsulation is carried out by the
gif device. As
you can see, the packet now has real IP addresses on the outside,
and our original packet has been wrapped up as data inside the
packet that will be put out on the Internet.Obviously, we want all traffic between the VPNs to be
encrypted. You might try putting this in to words, as:If a packet leaves from A.B.C.D, and it is destined for W.X.Y.Z, then encrypt it, using the
necessary security associations.If a packet arrives from W.X.Y.Z, and it is destined for A.B.C.D, then decrypt it, using the
necessary security associations.That's close, but not quite right. If you did this, all
traffic to and from W.X.Y.Z, even
traffic that was not part of the VPN, would be encrypted. That's
not quite what you want. The correct policy is as followsIf a packet leaves from A.B.C.D, and that packet is encapsulating
another packet, and it is destined for W.X.Y.Z, then encrypt it, using the
necessary security associations.If a packet arrives from W.X.Y.Z, and that packet is encapsulating
another packet, and it is destined for A.B.C.D, then decrypt it, using the
necessary security associations.A subtle change, but a necessary one.Security policies are also set using &man.setkey.8;.
&man.setkey.8; features a configuration language for defining the
policy. You can either enter configuration instructions via
stdin, or you can use the option to specify a
filename that contains configuration instructions.The configuration on gateway host #1 (which has the public
IP address A.B.C.D) to force all
outbound traffic to W.X.Y.Z to be
encrypted is:
spdadd A.B.C.D/32 W.X.Y.Z/32 ipencap -P out ipsec esp/tunnel/A.B.C.D-W.X.Y.Z/require;
Put these commands in a file (e.g.
/etc/ipsec.conf) and then run&prompt.root; setkey -f /etc/ipsec.conf tells &man.setkey.8; that we want
to add a rule to the secure policy database. The rest of this
line specifies which packets will match this policy. A.B.C.D/32 and W.X.Y.Z/32 are the IP addresses and
netmasks that identify the network or hosts that this policy will
apply to. In this case, we want it to apply to traffic between
these two hosts. tells the kernel that
this policy should only apply to packets that encapsulate other
packets. says that this policy applies
to outgoing packets, and says that the
packet will be secured.The second line specifies how this packet will be
encrypted. is the protocol that will be
used, while indicates that the packet
will be further encapsulated in an IPsec packet. The repeated
use of A.B.C.D and W.X.Y.Z is used to select the security
association to use, and the final
mandates that packets must be encrypted if they match this
rule.This rule only matches outgoing packets. You will need a
similar rule to match incoming packets.spdadd W.X.Y.Z/32 A.B.C.D/32 ipencap -P in ipsec esp/tunnel/W.X.Y.Z-A.B.C.D/require;Note the instead of
in this case, and the necessary reversal of
the IP addresses.The other gateway host (which has the public IP address
W.X.Y.Z) will need similar rules.spdadd W.X.Y.Z/32 A.B.C.D/32 ipencap -P out ipsec esp/tunnel/W.X.Y.Z-A.B.C.D/require;
spdadd A.B.C.D/32 W.X.Y.Z/32 ipencap -P in ipsec esp/tunnel/A.B.C.D-W.X.Y.Z/require;Finally, you need to add firewall rules to allow ESP and
IPENCAP packets back and forth. These rules will need to be
added to both hosts.ipfw add 1 allow esp from A.B.C.D to W.X.Y.Z
ipfw add 1 allow esp from W.X.Y.Z to A.B.C.D
ipfw add 1 allow ipencap from A.B.C.D to W.X.Y.Z
ipfw add 1 allow ipencap from W.X.Y.Z to A.B.C.D
Because the rules are symmetric you can use the same rules
on each gateway host.Outgoing packets will now look something like this:
.------------------------------. --------------------------.
| Src: A.B.C.D | |
| Dst: W.X.Y.Z | |
| <other header info> | | Encrypted
+------------------------------+ | packet.
| .--------------------------. | -------------. | contents
| | Src: A.B.C.D | | | | are
| | Dst: W.X.Y.Z | | | | completely
| | <other header info> | | | |- secure
| +--------------------------+ | | Encap'd | from third
| | .----------------------. | | -. | packet | party
| | | Src: 192.168.1.1 | | | | Original |- with real | snooping
| | | Dst: 192.168.2.1 | | | | packet, | IP addr |
| | | <other header info> | | | |- private | |
| | +----------------------+ | | | IP addr | |
| | | <packet data> | | | | | |
| | `----------------------' | | -' | |
| `--------------------------' | -------------' |
`------------------------------' --------------------------'
When they are received by the far end of the VPN they will
first be decrypted (using the security associations that have
been negotiated by racoon). Then they will enter the
gif interface, which will unwrap
the second layer, until you are left with the innermost
packet, which can then travel in to the inner network.You can check the security using the same &man.ping.8; test from
earlier. First, log in to the
A.B.C.D gateway machine, and
run:tcpdump dst host 192.168.2.1In another log in session on the same host runping 192.168.2.1This time you should see output like the following:XXX tcpdump outputNow, as you can see, &man.tcpdump.1; shows the ESP packets. If
you try to examine them with the option you will see
(apparently) gibberish, because of the encryption.Congratulations. You have just set up a VPN between two
remote sites.SummaryConfigure both kernels with:options IPSEC
options IPSEC_ESP
Install security/racoon. Edit
${PREFIX}/etc/racoon/psk.txt on both
gateway hosts, adding an entry for the remote host's IP
address and a secret key that they both know. Make sure
this file is mode 0600.Add the following lines to
/etc/rc.conf on each host:ipsec_enable="YES"
ipsec_file="/etc/ipsec.conf"
Create an /etc/ipsec.conf on each
host that contains the necessary spdadd lines. On gateway
host #1 this would be:
spdadd A.B.C.D/32 W.X.Y.Z/32 ipencap -P out ipsec
esp/tunnel/A.B.C.D-W.X.Y.Z/require;
spdadd W.X.Y.Z/32 A.B.C.D/32 ipencap -P in ipsec
esp/tunnel/W.X.Y.Z-A.B.C.D/require;
On gateway host #2 this would be:
spdadd W.X.Y.Z/32 A.B.C.D/32 ipencap -P out ipsec
esp/tunnel/W.X.Y.Z-A.B.C.D/require;
spdadd A.B.C.D/32 W.X.Y.Z/32 ipencap -P in ipsec
esp/tunnel/A.B.C.D-W.X.Y.Z/require;
Add firewall rules to allow IKE, ESP, and IPENCAP
traffic to both hosts:
ipfw add 1 allow udp from A.B.C.D to W.X.Y.Z isakmp
ipfw add 1 allow udp from W.X.Y.Z to A.B.C.D isakmp
ipfw add 1 allow esp from A.B.C.D to W.X.Y.Z
ipfw add 1 allow esp from W.X.Y.Z to A.B.C.D
ipfw add 1 allow ipencap from A.B.C.D to W.X.Y.Z
ipfw add 1 allow ipencap from W.X.Y.Z to A.B.C.D
The previous two steps should suffice to get the VPN up and
running. Machines on each network will be able to refer to one
another using IP addresses, and all traffic across the link will
be automatically and securely encrypted.ChernLeeContributed by OpenSSHOpenSSHsecurityOpenSSHOpenSSH is a set of network connectivity tools used to
access remote machines securely. It can be used as a direct
replacement for rlogin,
rsh, rcp, and
telnet. Additionally, any other TCP/IP
connections can be tunneled/forwarded securely through SSH.
OpenSSH encrypts all traffic to effectively eliminate eavesdropping,
connection hijacking, and other network-level attacks.OpenSSH is maintained by the OpenBSD project, and is based
upon SSH v1.2.12 with all the recent bug fixes and updates. It
is compatible with both SSH protocols 1 and 2. OpenSSH has been
in the base system since FreeBSD 4.0.Advantages of Using OpenSSHNormally, when using &man.telnet.1; or &man.rlogin.1;,
data is sent over the network in an clear, un-encrypted form.
Network sniffers anywhere in between the client and server can
steal your user/password information or data transferred in
your session. OpenSSH offers a variety of authentication and
encryption methods to prevent this from happening.Enabling sshdOpenSSHenablingBe sure to make the following addition to your
rc.conf file:sshd_enable="YES"This will load &man.sshd.8;, the daemon program for OpenSSH,
the next time your system initializes. Alternatively, you can
simply run directly the sshd daemon by typing sshd on the command line.SSH ClientOpenSSHclientThe &man.ssh.1; utility works similarly to
&man.rlogin.1;.&prompt.root; ssh user@example.com
Host key not found from the list of known hosts.
Are you sure you want to continue connecting (yes/no)? yes
Host 'example.com' added to the list of known hosts.
user@example.com's password: *******The login will continue just as it would have if a session was
created using rlogin or
telnet. SSH utilizes a key fingerprint
system for verifying the authenticity of the server when the
client connects. The user is prompted to enter
yes only when
connecting for the first time. Future attempts to login are all
verified against the saved fingerprint key. The SSH client
will alert you if the saved fingerprint differs from the
received fingerprint on future login attempts. The fingerprints
are saved in ~/.ssh/known_hosts, or
~/.ssh/known_hosts2 for SSH v2
fingerprints.By default, OpenSSH servers are configured to accept both
SSH v1 and SSH v2 connections. The client, however, can choose
between the two. Version 2 is known to be more robust and
secure than its predecessor.The &man.ssh.1; command can be forced to use either protocol
by passing it the or argument
for v1 and v2, respectively.Secure CopyOpenSSHsecure copyscpThe &man.scp.1; command works similarly to
&man.rcp.1;; it copies a file to or from a remote machine,
except in a secure fashion.&prompt.root; scp user@example.com:/COPYRIGHT COPYRIGHT
user@example.com's password: *******
COPYRIGHT 100% |*****************************| 4735
00:00
&prompt.root;Since the fingerprint was already saved for this host in the
previous example, it is verified when using &man.scp.1;
here.The arguments passed to &man.scp.1; are similar
to &man.cp.1;, with the file or files in the first
argument, and the destination in the second. Since the file is
fetched over the network, through SSH, one or more of the file
arguments takes on the form
.ConfigurationOpenSSHconfigurationThe system-wide configuration files for both the
OpenSSH daemon and client reside
within the /etc/ssh directory.ssh_config configures the client
settings, while sshd_config configures the
daemon.Additionally, the
(/usr/sbin/sshd by default), and
rc.conf
options can provide more levels of configuration.ssh-keygenInstead of using passwords, &man.ssh-keygen.1; can
be used to generate RSA keys to authenticate a user:&prompt.user; ssh-keygen -t rsa1
Initializing random number generator...
Generating p: .++ (distance 66)
Generating q: ..............................++ (distance 498)
Computing the keys...
Key generation complete.
Enter file in which to save the key (/home/user/.ssh/identity):
Enter passphrase:
Enter the same passphrase again:
Your identification has been saved in /home/user/.ssh/identity.
...&man.ssh-keygen.1; will create a public and private
key pair for use in authentication. The private key is stored in
~/.ssh/identity, whereas the public key is
stored in ~/.ssh/identity.pub. The public
key must be placed in ~/.ssh/authorized_keys
of the remote machine in order for the setup to work.This will allow connection to the remote machine based upon
RSA authentication instead of passwords.The option will create RSA
keys for use by SSH protocol version 1. If you want to use
RSA keys with the SSH protocol version 2, you have to use the
command ssh-keygen -t rsa.If a passphrase is used in &man.ssh-keygen.1;, the user
will be prompted for a password each time in order to use the private
key.A SSH protocol version 2 DSA key can be created for the same purpose by using
the ssh-keygen -t dsa command.
This will
create a public/private DSA key for use in SSH protocol version 2 sessions only.
The public key is stored in ~/.ssh/id_dsa.pub,
while the private key is in ~/.ssh/id_dsa.DSA public keys are also placed in
~/.ssh/authorized_keys on the remote
machine.&man.ssh-agent.1; and &man.ssh-add.1; are
utilities used in managing multiple passworded private keys.The various options and files can be different
according to the OpenSSH version you have on your system, to
avoid problems you should consult the &man.ssh-keygen.1;
manual page.SSH TunnelingOpenSSHtunnelingOpenSSH has the ability to create a tunnel to encapsulate
another protocol in an encrypted session.The following command tells &man.ssh.1; to create a tunnel
for telnet:&prompt.user; ssh -2 -N -f -L 5023:localhost:23 user@foo.example.com
&prompt.user;The ssh command is used with the
following options:Forces ssh to use version 2 of
the protocol. (Do not use if you are working with older
SSH servers)Indicates no command, or tunnel only. If omitted,
ssh would initiate a normal
session.Forces ssh to run in the
background.Indicates a local tunnel in
localport:remotehost:remoteport
fashion.The remote SSH server.An SSH tunnel works by creating a listen socket on
localhost on the specified port.
It then forwards any connection received
on the local host/port via the SSH connection to the specified
remote host and port.In the example, port 5023 on
localhost is being forwarded to port
23 on localhost
of the remote machine. Since 23 is telnet,
this would create a secure telnet session through an SSH tunnel.This can be used to wrap any number of insecure TCP
protocols such as SMTP, POP3, FTP, etc.Using SSH to Create a Secure Tunnel for SMTP&prompt.user; ssh -2 -N -f -L 5025:localhost:25 user@mailserver.example.com
user@mailserver.example.com's password: *****
&prompt.user; telnet localhost 5025
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 mailserver.example.com ESMTPThis can be used in conjunction with an
&man.ssh-keygen.1; and additional user accounts to create a
more seamless/hassle-free SSH tunneling environment. Keys
can be used in place of typing a password, and the tunnels
can be run as a separate user.Practical SSH Tunneling ExamplesSecure Access of a POP3 ServerAt work, there is an SSH server that accepts
connections from the outside. On the same office network
resides a mail server running a POP3 server. The network,
or network path between your home and office may or may not
be completely trustable. Because of this, you need to check
your e-mail in a secure manner. The solution is to create
an SSH connection to your office's SSH server, and tunnel
through to the mail server.&prompt.user; ssh -2 -N -f -L 2110:mail.example.com:110 user@ssh-server.example.com
user@ssh-server.example.com's password: ******When the tunnel is up and running, you can point your
mail client to send POP3 requests to localhost
port 2110. A connection here will be forwarded securely across
the tunnel to mail.example.com.Bypassing a Draconian FirewallSome network administrators impose extremely draconian
firewall rules, filtering not only incoming connections,
but outgoing connections. You may be only given access
to contact remote machines on ports 22 and 80 for SSH
and web surfing.You may wish to access another (perhaps non-work
related) service, such as an Ogg Vorbis server to stream
music. If this Ogg Vorbis server is streaming on some other
port than 22 or 80, you will not be able to access it.The solution is to create an SSH connection to a machine
outside of your network's firewall, and use it to tunnel to
the Ogg Vorbis server.&prompt.user; ssh -2 -N -f -L 8888:music.example.com:8000 user@unfirewalled-system.example.org
user@unfirewalled-system.example.org's password: *******Your streaming client can now be pointed to
localhost port 8888, which will be
forwarded over to music.example.com port
8000, successfully evading the firewall.Further ReadingOpenSSH&man.ssh.1; &man.scp.1; &man.ssh-keygen.1;
&man.ssh-agent.1; &man.ssh-add.1;&man.sshd.8; &man.sftp-server.8;TomRhodesContributed by ACLFile System Access Control ListsIn conjunction with file system enhancements like snapshots, FreeBSD 5.0
and later offers the security of File System Access Control Lists
(ACLs).Access Control Lists extend the standard &unix;
permission model in a highly compatible (&posix;.1e) way. This feature
permits an administrator to make use of and take advantage of a
more sophisticated security model.To enable ACL support for UFS
file systems, the following:options UFS_ACLmust be compiled into the kernel. If this option has
not been compiled in, a warning message will be displayed
when attempting to mount a file system supporting ACLs.
This option is included in the GENERIC kernel.
ACLs rely on extended attributes being enabled on
the file system. Extended attributes are natively supported in the next generation
&unix; file system, UFS2.A higher level of administrative overhead is required to
configure extended attributes on UFS1 than on
UFS2. The performance of extended attributes
on UFS2 is also substantially higher. As a
result, UFS2 is generally recommended in preference
to UFS1 for use with access control lists.ACLs are enabled by the mount-time administrative
flag, , which may be added to /etc/fstab.
The mount-time flag can also be automatically set in a persistent manner using
&man.tunefs.8; to modify a superblock ACLs flag in the
file system header. In general, it is preferred to use the superblock flag
for several reasons:The mount-time ACLs flag cannot be changed by a
remount (&man.mount.8; ), only by means of a complete
&man.umount.8; and fresh &man.mount.8;. This means that
ACLs cannot be enabled on the root file system after boot.
It also means that you cannot change the disposition of a file system once
it is in use.Setting the superblock flag will cause the file system to always be
mounted with ACLs enabled even if there is not an
fstab entry or if the devices re-order. This prevents
accidental mounting of the file system without ACLs
enabled, which can result in ACLs being improperly enforced,
and hence security problems.We may change the ACLs behavior to allow the flag to
be enabled without a complete fresh &man.mount.8;, but we consider it desirable to
discourage accidental mounting without ACLs enabled, because you
can shoot your feet quite nastily if you enable ACLs, then disable
them, then re-enable them without flushing the extended attributes. In general, once
you have enabled ACLs on a file system, they should not be disabled,
as the resulting file protections may not be compatible with those intended by the
users of the system, and re-enabling ACLs may re-attach the previous
ACLs to files that have since had their permissions changed,
resulting in other unpredictable behavior.File systems with ACLs enabled will show a +
(plus) sign in their permission settings when viewed. For example:drwx------ 2 robert robert 512 Dec 27 11:54 private
drwxrwx---+ 2 robert robert 512 Dec 23 10:57 directory1
drwxrwx---+ 2 robert robert 512 Dec 22 10:20 directory2
drwxrwx---+ 2 robert robert 512 Dec 27 11:57 directory3
drwxr-xr-x 2 robert robert 512 Nov 10 11:54 public_htmlHere we see that the directory1,
directory2, and directory3
directories are all taking advantage of ACLs. The
public_html directory is not.Making Use of ACLsThe file system ACLs can be viewed by the
&man.getfacl.1; utility. For instance, to view the
ACL settings on the test
file, one would use the command:&prompt.user; getfacl test
#file:test
#owner:1001
#group:1001
user::rw-
group::r--
other::r--To change the ACL settings on this file,
invoke the &man.setfacl.1; utility. Observe:&prompt.user; setfacl -k testThe flag will remove all of the
currently defined ACLs from a file or file
system. The more preferable method would be to use
as it leaves the basic fields required for
ACLs to work.&prompt.user; setfacl -m u:trhodes:rwx,group:web:r--,o::--- testIn the aforementioned command, the
option was used to modify the default ACL
entries. Since there were no pre-defined entries, as they were
removed by the previous command, this will restore the default
options and assign the options listed. Take care to notice that
if you add a user or group which does not exist on the system,
an Invalid argument error will be printed
to stdout.TomRhodesContributed by FreeBSD Security Advisories&os; Security AdvisoriesLike many production quality operating systems, &os; publishes
Security Advisories. These advisories are usually
mailed to the security lists and noted in the Errata only
after the appropriate releases have been patched. This section
will work to explain what an advisory is, how to understand it,
and what measures to take in order to patch a system.What does an advisory look like?The &os; security advisories look similar to the one below,
taken from the &a.security-notifications.name; mailing list.=============================================================================
&os;-SA-XX:XX.UTIL Security Advisory
The &os; Project
Topic: denial of service due to some problem
Category: core
Module: sys
Announced: 2003-09-23
Credits: Person@EMAIL-ADDRESS
Affects: All releases of &os;
&os; 4-STABLE prior to the correction date
Corrected: 2003-09-23 16:42:59 UTC (RELENG_4, 4.9-PRERELEASE)
2003-09-23 20:08:42 UTC (RELENG_5_1, 5.1-RELEASE-p6)
2003-09-23 20:07:06 UTC (RELENG_5_0, 5.0-RELEASE-p15)
2003-09-23 16:44:58 UTC (RELENG_4_8, 4.8-RELEASE-p8)
2003-09-23 16:47:34 UTC (RELENG_4_7, 4.7-RELEASE-p18)
2003-09-23 16:49:46 UTC (RELENG_4_6, 4.6-RELEASE-p21)
2003-09-23 16:51:24 UTC (RELENG_4_5, 4.5-RELEASE-p33)
2003-09-23 16:52:45 UTC (RELENG_4_4, 4.4-RELEASE-p43)
2003-09-23 16:54:39 UTC (RELENG_4_3, 4.3-RELEASE-p39)
&os; only: NO
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit
http://www.FreeBSD.org/security/.
I. Background
II. Problem Description
III. Impact
IV. Workaround
V. Solution
VI. Correction details
VII. ReferencesThe Topic field indicates exactly what the problem is.
It is basically an introduction to the current security
advisory and notes the utility with the
vulnerability.The Category refers to the affected part of the system
which may be one of core, contrib, or ports. The core
category means that the vulnerability affects a core
component of the &os; operating system. The contrib
category means that the vulnerability affects software
contributed to the &os; Project, such as
sendmail. Finally the ports
category indicates that the vulnerability affects add on
software available as part of the ports collection.The Module field refers to the component location, for
instance sys. In this example, we see that the module,
sys, is affected; therefore, this vulnerability
affects a component used within the kernel.The Announced field reflects the date said security
advisory was published, or announced to the world. This
means that the security team has verified that the problem
does exist and that a patch has been committed to the &os;
source code repository.The Credits field gives credit to the individual or
organization who noticed the vulnerability and reported
it.The Affects field explains which releases of &os; are
affected by this vulnerability. For the kernel, a quick
look over the output from ident on the
affected files will help in determining the revision.
For ports, the version number is listed after the port name
in /var/db/pkg. If the system does not
sync with the &os; CVS repository and rebuild
daily, chances are that it is affected.The Corrected field indicates the date, time, time
offset, and release that was corrected.The &os; only field indicates whether this vulnerability
affects just &os;, or if it affects other operating systems
as well.The Background field gives information on exactly what
the affected utility is. Most of the time this is why
the utility exists in &os;, what it is used for, and a bit
of information on how the utility came to be.The Problem Description field explains the security hole
in depth. This can include information on flawed code, or
even how the utility could be maliciously used to open
a security hole.The Impact field describes what type of impact the
problem could have on a system. For example, this could
be anything from a denial of service attack, to extra
privileges available to users, or even giving the attacker
superuser access.The Workaround field offers a feasible workaround to
system administrators who may be incapable of upgrading
the system. This may be due to time constraints, network
availability, or a slew of other reasons. Regardless,
security should not be taken lightly, and an affected system
should either be patched or the security hole workaround
should be implemented.The Solution field offers instructions on patching the
affected system. This is a step by step tested and verified
method for getting a system patched and working
securely.The Correction Details field displays the
CVS branch or release name with the
periods changed to underscore characters. It also shows
the revision number of the affected files within each
branch.The References field usually offers sources of other
information. This can included web URLs,
books, mailing lists, and newsgroups.