diff --git a/en_US.ISO8859-1/articles/contributing/article.sgml b/en_US.ISO8859-1/articles/contributing/article.sgml
index 361fa14e66..2358f3e8d4 100644
--- a/en_US.ISO8859-1/articles/contributing/article.sgml
+++ b/en_US.ISO8859-1/articles/contributing/article.sgml
@@ -1,6344 +1,6344 @@
Contributing to FreeBSDContributed by &a.jkh;.contributingSo you want to contribute something to FreeBSD? That is great! We can
always use the help, and FreeBSD is one of those systems that
relies on the contributions of its user base in order
to survive. Your contributions are not only appreciated, they are vital
to FreeBSD's continued growth!Contrary to what some people might also have you believe, you do not
need to be a hot-shot programmer or a close personal friend of the FreeBSD
core team in order to have your contributions accepted. The FreeBSD
Project's development is done by a large and growing number of
international contributors whose ages and areas of technical expertise
vary greatly, and there is always more work to be done than there are
people available to do it.Since the FreeBSD project is responsible for an entire operating
system environment (and its installation) rather than just a kernel or a
few scattered utilities, our TODO list also spans a
very wide range of tasks, from documentation, beta testing and
presentation to highly specialized types of kernel development. No matter
what your skill level, there is almost certainly something you can do to
help the project!Commercial entities engaged in FreeBSD-related enterprises are also
encouraged to contact us. Need a special extension to make your product
work? You will find us receptive to your requests, given that they are not
too outlandish. Working on a value-added product? Please let us know! We
may be able to work cooperatively on some aspect of it. The free software
world is challenging a lot of existing assumptions about how software is
developed, sold, and maintained throughout its life cycle, and we urge you
to at least give it a second look.What is NeededThe following list of tasks and sub-projects represents something of
an amalgam of the various core team TODO lists and
user requests we have collected over the last couple of months. Where
possible, tasks have been ranked by degree of urgency. If you are
interested in working on one of the tasks you see here, send mail to the
coordinator listed by clicking on their names. If no coordinator has
been appointed, maybe you would like to volunteer?High priority taskstodo listThe following tasks are considered to be urgent, usually because
they represent something that is badly broken or sorely needed:3-stage boot issues. Overall coordination: &a.hackers;Do WinNT compatible drive tagging so that the 3rd stage
can provide an accurate mapping of BIOS geometries for
disks.Filesystem problems. Overall coordination: &a.fs;Clean up and document the nullfs filesystem code.
Coordinator: &a.eivind;Fix the union file system. Coordinator: &a.dg;Implement Int13 vm86 disk driver. Coordinator:
&a.hackers;New bus architecture. Coordinator: &a.newbus;Port existing ISA drivers to new architecture.Move all interrupt-management code to appropriate parts of
the bus drivers.Port PCI subsystem to new architecture. Coordinator:
&a.dfr;Figure out the right way to handle removable devices and
then use that as a substrate on which PC-Card and CardBus
support can be implemented.Resolve the probe/attach priority issue once and for
all.Move any remaining buses over to the new
architecture.Kernel issues. Overall coordination: &a.hackers;Add more pro-active security infrastructure. Overall
coordination: &a.security;Build something like Tripwire(TM) into the kernel, with a
remote and local part. There are a number of cryptographic
issues to getting this right; contact the coordinator for
details. Coordinator: &a.eivind;Make the entire kernel use suser()
instead of comparing to 0. It is presently using about half
of each. Coordinator: &a.eivind;Split securelevels into different parts, to allow an
administrator to throw away those privileges he can throw
away. Setting the overall securelevel needs to have the same
effect as now, obviously. Coordinator: &a.eivind;Make it possible to upload a list of allowed
programs to BPF, and then block BPF from accepting other
programs. This would allow BPF to be used e.g. for DHCP,
without allowing an attacker to start snooping the local
network.Update the security checker script. We should at least
grab all the checks from the other BSD derivatives, and add
checks that a system with securelevel increased also have
reasonable flags on the relevant parts. Coordinator:
&a.eivind;Add authorization infrastructure to the kernel, to allow
different authorization policies. Part of this could be done
by modifying suser(). Coordinator:
&a.eivind;Add code to the NFS layer so that you cannot
chdir("..") out of an NFS partition. E.g.,
/usr is a UFS partition with
/usr/src NFS exported. Now it is
possible to use the NFS filehandle for
/usr/src to get access to
/usr.Medium priority tasksThe following tasks need to be done, but not with any particular
urgency:Full KLD based driver support/Configuration Manager.Write a configuration manager (in the 3rd stage boot?)
that probes your hardware in a sane manner, keeps only the
KLDs required for your hardware, etc.PCMCIA/PCCARD. Coordinators: &a.msmith; and &a.imp;Documentation!Reliable operation of the pcic driver (needs
testing).Recognizer and handler for sio.c
(mostly done).Recognizer and handler for ed.c
(mostly done).Recognizer and handler for ep.c
(mostly done).User-mode recognizer and handler (partially done).Advanced Power Management. Coordinators: &a.msmith; and
&a.phk;APM sub-driver (mostly done).IDE/ATA disk sub-driver (partially done).syscons/pcvt sub-driver.Integration with the PCMCIA/PCCARD drivers
(suspend/resume).Low priority tasksThe following tasks are purely cosmetic or represent such an
investment of work that it is not likely that anyone will get them
done anytime soon:The first N items are from Terry Lambert
terry@lambert.orgNetWare Server (protected mode ODI driver) loader and
sub-services to allow the use of ODI card drivers supplied with
network cards. The same thing for NDIS drivers and NetWare SCSI
drivers.An "upgrade system" option that works on Linux boxes instead
of just previous rev FreeBSD boxes.Symmetric Multiprocessing with kernel preemption (requires
kernel preemption).A concerted effort at support for portable computers. This is
somewhat handled by changing PCMCIA bridging rules and power
management event handling. But there are things like detecting
internal v.s.. external display and picking a different screen
resolution based on that fact, not spinning down the disk if the
machine is in dock, and allowing dock-based cards to disappear
without affecting the machines ability to boot (same issue for
PCMCIA).Smaller tasksMost of the tasks listed in the previous sections require either a
considerable investment of time or an in-depth knowledge of the
FreeBSD kernel (or both). However, there are also many useful tasks
which are suitable for "weekend hackers", or people without
programming skills.If you run FreeBSD-current and have a good Internet
connection, there is a machine current.FreeBSD.org which builds a full
release once a day — every now and again, try and install
the latest release from it and report any failures in the
process.Read the freebsd-bugs mailing list. There might be a
problem you can comment constructively on or with patches you
can test. Or you could even try to fix one of the problems
yourself.Read through the FAQ and Handbook periodically. If anything
is badly explained, out of date or even just completely wrong, let
us know. Even better, send us a fix (SGML is not difficult to
learn, but there is no objection to ASCII submissions).Help translate FreeBSD documentation into your native language
(if not already available) — just send an email to &a.doc;
asking if anyone is working on it. Note that you are not
committing yourself to translating every single FreeBSD document
by doing this — in fact, the documentation most in need of
translation is the installation instructions.Read the freebsd-questions mailing list and &ng.misc
occasionally (or even regularly). It can be very satisfying to
share your expertise and help people solve their problems;
sometimes you may even learn something new yourself! These forums
can also be a source of ideas for things to work on.If you know of any bug fixes which have been successfully
applied to -current but have not been merged into -stable after a
decent interval (normally a couple of weeks), send the committer a
polite reminder.Move contributed software to src/contrib
in the source tree.Make sure code in src/contrib is up to
date.Build the source tree (or just part of it) with extra warnings
enabled and clean up the warnings.Fix warnings for ports which do deprecated things like using
gets() or including malloc.h.If you have contributed any ports, send your patches back to
the original author (this will make your life easier when they
bring out the next version)Suggest further tasks for this list!Work through the PR databaseproblem reports databaseThe FreeBSD PR
list shows all the current active problem reports and
requests for enhancement that have been submitted by FreeBSD users.
Look through the open PRs, and see if anything there takes your
interest. Some of these might be very simple tasks, that just need an
extra pair of eyes to look over them and confirm that the fix in the
PR is a good one. Others might be much more complex.Start with the PRs that have not been assigned to anyone else, but
if one them is assigned to someone else, but it looks like something
you can handle, e-mail the person it is assigned to and ask if you can
work on it—they might already have a patch ready to be tested,
or further ideas that you can discuss with them.How to ContributeContributions to the system generally fall into one or more of the
following 6 categories:Bug reports and general commentaryAn idea or suggestion of general technical
interest should be mailed to the &a.hackers;. Likewise, people with
an interest in such things (and a tolerance for a
high volume of mail!) may subscribe to the
hackers mailing list by sending mail to &a.majordomo;. See mailing lists for more information
about this and other mailing lists.If you find a bug or are submitting a specific change, please
report it using the &man.send-pr.1; program or its WEB-based
equivalent. Try to fill-in each field of the bug report.
Unless they exceed 65KB, include any patches directly in the report.
When including patches, do not use cut-and-paste
because cut-and-paste turns tabs into spaces and makes them unusable.
Consider compressing patches and using &man.uuencode.1; if they exceed
20KB. Upload very large submissions to ftp.FreeBSD.org:/pub/FreeBSD/incoming/.After filing a report, you should receive confirmation along with
a tracking number. Keep this tracking number so that you can update
us with details about the problem by sending mail to
bug-followup@FreeBSD.org. Use the number as the
message subject, e.g. "Re: kern/3377". Additional
information for any bug report should be submitted this way.If you do not receive confirmation in a timely fashion (3 days to
a week, depending on your email connection) or are, for some reason,
unable to use the &man.send-pr.1; command, then you may ask
someone to file it for you by sending mail to the &a.bugs;.Changes to the documentationdocumentation submissionsChanges to the documentation are overseen by the &a.doc;. Send
submissions and changes (even small ones are welcome!) using
send-pr as described in Bug Reports and General
Commentary.Changes to existing source codeFreeBSD-currentAn addition or change to the existing source code is a somewhat
trickier affair and depends a lot on how far out of date you are with
the current state of the core FreeBSD development. There is a special
on-going release of FreeBSD known as FreeBSD-current
which is made available in a variety of ways for the convenience of
developers working actively on the system. See Staying current with FreeBSD for more
information about getting and using FreeBSD-current.Working from older sources unfortunately means that your changes
may sometimes be too obsolete or too divergent for easy re-integration
into FreeBSD. Chances of this can be minimized somewhat by
subscribing to the &a.announce; and the &a.current; lists, where
discussions on the current state of the system take place.Assuming that you can manage to secure fairly up-to-date sources
to base your changes on, the next step is to produce a set of diffs to
send to the FreeBSD maintainers. This is done with the &man.diff.1;
command, with the context diff form
being preferred. For example:diff&prompt.user; diff -c oldfile newfile
or
&prompt.user; diff -c -r olddir newdir
would generate such a set of context diffs for the given source file
or directory hierarchy. See the man page for &man.diff.1; for more
details.Once you have a set of diffs (which you may test with the
&man.patch.1; command), you should submit them for inclusion with
FreeBSD. Use the &man.send-pr.1; program as described in Bug Reports and General Commentary.
Do not just send the diffs to the &a.hackers; or
they will get lost! We greatly appreciate your submission (this is a
volunteer project!); because we are busy, we may not be able to
address it immediately, but it will remain in the pr database until we
do.uuencodeIf you feel it appropriate (e.g. you have added, deleted, or
renamed files), bundle your changes into a tar file
and run the &man.uuencode.1; program on it. Shar archives are also
welcome.If your change is of a potentially sensitive nature, e.g. you are
unsure of copyright issues governing its further distribution or you
are simply not ready to release it without a tighter review first,
then you should send it to &a.core; directly rather than submitting it
with &man.send-pr.1;. The core mailing list reaches a much smaller
group of people who do much of the day-to-day work on FreeBSD. Note
that this group is also very busy and so you
should only send mail to them where it is truly necessary.Please refer to &man.intro.9; and &man.style.9; style for
some information on coding style. We would appreciate it if you
were at least aware of this information before submitting
code.New code or major value-added packagesIn the case of a significant contribution of a large body
work, or the addition of an important new feature to FreeBSD, it
becomes almost always necessary to either send changes as uuencoded
tar files or upload them to a web or FTP site for other people to
access. If you do not have access to a web or FTP site, ask on an
appropriate FreeBSD mailing list for someone to host the changes for
you.When working with large amounts of code, the touchy subject of
copyrights also invariably comes up. Acceptable copyrights for code
included in FreeBSD are:BSD copyrightThe BSD copyright. This copyright is most preferred due to
its no strings attached nature and general
attractiveness to commercial enterprises. Far from discouraging
such commercial use, the FreeBSD Project actively encourages such
participation by commercial interests who might eventually be
inclined to invest something of their own into FreeBSD.GPLGNU Public LicenseThe GNU Public License, or GPL. This license is
not quite as popular with us due to the amount of extra effort
demanded of anyone using the code for commercial purposes, but
given the sheer quantity of GPL'd code we currently require
(compiler, assembler, text formatter, etc) it would be silly to
refuse additional contributions under this license. Code under
the GPL also goes into a different part of the tree, that being
/sys/gnu or
/usr/src/gnu, and is therefore easily
identifiable to anyone for whom the GPL presents a problem.Contributions coming under any other type of copyright must be
carefully reviewed before their inclusion into FreeBSD will be
considered. Contributions for which particularly restrictive
commercial copyrights apply are generally rejected, though the authors
are always encouraged to make such changes available through their own
channels.To place a BSD-style copyright on your work, include
the following text at the very beginning of every source code file you
wish to protect, replacing the text between the %%
with the appropriate information.Copyright (c) %%proper_years_here%%
%%your_name_here%%, %%your_state%% %%your_zip%%.
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:
1. Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer as
the first lines of this file unmodified.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
THIS SOFTWARE IS PROVIDED BY %%your_name_here%% ``AS IS'' AND ANY EXPRESS OR
IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
IN NO EVENT SHALL %%your_name_here%% BE LIABLE FOR ANY DIRECT, INDIRECT,
INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
$Id$For your convenience, a copy of this text can be found in
/usr/share/examples/etc/bsd-style-copyright.Money, Hardware or Internet accessWe are always very happy to accept donations to further the cause
of the FreeBSD Project and, in a volunteer effort like ours, a little
can go a long way! Donations of hardware are also very important to
expanding our list of supported peripherals since we generally lack
the funds to buy such items ourselves.Donating fundsEmpty, pending information from the FreeBSD Foundation.Donating hardwaredonationsDonations of hardware in any of the 3 following categories are
also gladly accepted by the FreeBSD Project:General purpose hardware such as disk drives, memory or
complete systems should be sent to the FreeBSD, Inc. address
listed in the donating funds
section.Hardware for which ongoing compliance testing is desired.
We are currently trying to put together a testing lab of all
components that FreeBSD supports so that proper regression
testing can be done with each new release. We are still lacking
many important pieces (network cards, motherboards, etc) and if
you would like to make such a donation, please contact &a.dg;
for information on which items are still required.Hardware currently unsupported by FreeBSD for which you
would like to see such support added. Please contact the
&a.core; before sending such items as we will need to find a
developer willing to take on the task before we can accept
delivery of new hardware.Donating Internet accessWe can always use new mirror sites for FTP, WWW or
cvsup. If you would like to be such a mirror,
please contact the FreeBSD project administrators
hubs@FreeBSD.org for more information.Donors GalleryThe FreeBSD Project is indebted to the following donors and would
like to publicly thank them here!Contributors to the central server
project:The following individuals and businesses made it possible for
the FreeBSD Project to build a new central server machine to
eventually replace freefall.FreeBSD.org
by donating the following items:&a.mbarkah and his employer,
Hemisphere Online, donated a Pentium Pro
(P6) 200MHz CPUASA
Computers donated a Tyan 1662
motherboard.Joe McGuckin joe@via.net of ViaNet Communications donated
a Kingston ethernet controller.Jack O'Neill jack@diamond.xtalwind.net
donated an NCR 53C875 SCSI controller
card.Ulf Zimmermann ulf@Alameda.net of Alameda Networks donated
128MB of memory, a 4 Gb disk
drive and the case.Direct funding:The following individuals and businesses have generously
contributed direct funding to the project:Annelise Anderson
ANDRSN@HOOVER.STANFORD.EDU&a.dillonBlue Mountain
ArtsEpilogue Technology
Corporation&a.sefGlobal Technology
Associates, IncDon Scott WildeGianmarco Giovannelli
gmarco@masternet.itJosef C. Grosch joeg@truenorth.orgRobert T. Morris&a.chuckrKenneth P. Stox ken@stox.sa.enteract.com of
Imaginary Landscape,
LLC.Dmitry S. Kohmanyuk dk@dog.farm.orgLaser5 of Japan
(a portion of the profits from sales of their various FreeBSD
CDROMs).Fuki Shuppan
Publishing Co. donated a portion of their profits from
Hajimete no FreeBSD (FreeBSD, Getting
started) to the FreeBSD and XFree86 projects.ASCII Corp.
donated a portion of their profits from several FreeBSD-related
books to the FreeBSD project.Yokogawa Electric
Corp has generously donated significant funding to the
FreeBSD project.BuffNETPacific
SolutionsSiemens AG
via Andre Albsmeier
andre.albsmeier@mchp.siemens.deChris Silva ras@interaccess.comHardware contributors:The following individuals and businesses have generously
contributed hardware for testing and device driver
development/support:BSDi for providing the Pentium P5-90 and
486/DX2-66 EISA/VL systems that are being used for our
development work, to say nothing of the network access and other
donations of hardware resources.TRW Financial Systems, Inc. provided 130 PCs, three 68 GB
file servers, twelve Ethernets, two routers and an ATM switch for
debugging the diskless code.Dermot McDonnell donated the Toshiba XM3401B CDROM drive
currently used in freefall.&a.chuck; contributed his floppy tape streamer for
experimental work.Larry Altneu larry@ALR.COM, and &a.wilko;,
provided Wangtek and Archive QIC-02 tape drives in order to
improve the wt driver.Ernst Winter ewinter@lobo.muc.de contributed
a 2.88 MB floppy drive to the project. This will hopefully
increase the pressure for rewriting the floppy disk driver.
- ;-)
+
Tekram
Technologies sent one each of their DC-390, DC-390U
and DC-390F FAST and ULTRA SCSI host adapter cards for
regression testing of the NCR and AMD drivers with their cards.
They are also to be applauded for making driver sources for free
operating systems available from their FTP server ftp://ftp.tekram.com/scsi/FreeBSD/.Larry M. Augustin contributed not only a
Symbios Sym8751S SCSI card, but also a set of data books,
including one about the forthcoming Sym53c895 chip with Ultra-2
and LVD support, and the latest programming manual with
information on how to safely use the advanced features of the
latest Symbios SCSI chips. Thanks a lot!Christoph Kukulies kuku@FreeBSD.org donated
an FX120 12 speed Mitsumi CDROM drive for IDE CDROM driver
development.Special contributors:BSDi (formerly Walnut Creek CDROM)
has donated almost more than we can say (see the history document for more details).
In particular, we would like to thank them for the original
hardware used for freefall.FreeBSD.org, our primary
development machine, and for thud.FreeBSD.org, a testing and build
box. We are also indebted to them for funding various
contributors over the years and providing us with unrestricted
use of their T1 connection to the Internet.The interface
business GmbH, Dresden has been patiently supporting
&a.joerg; who has often preferred FreeBSD work over paid work, and
used to fall back to their (quite expensive) EUnet Internet
connection whenever his private connection became too slow or
flaky to work with it...Berkeley Software Design,
Inc. has contributed their DOS emulator code to the
remaining BSD world, which is used in the
doscmd command.Core Team Alumnicore teamThe following people were members of the FreeBSD core team during
the periods indicated. We thank them for their past efforts in the
service of the FreeBSD project.In rough chronological order:&a.ache (1993 - 2000)&a.jmb (1993 - 2000)&a.bde (1992 - 2000)&a.gibbs (1993 - 2000)&a.rich (1994 - 2000)&a.phk (1992 - 2000)&a.gpalmer (1993 - 2000)&a.sos (1993 - 2000)&a.wollman (1993 - 2000)&a.joerg (1995 - 2000)&a.jdp (1997 - 2000)&a.guido (1995 - 1999)&a.dyson (1993 - 1998)&a.nate (1992 - 1996)&a.rgrimes (1992 - 1995)Andreas Schulz (1992 - 1995)&a.csgr (1993 - 1995)&a.paul (1992 - 1995)&a.smace (1993 - 1994)Andrew Moore (1993 - 1994)Christoph Robitschko (1993 - 1994)J. T. Conklin (1992 - 1993)Development Team Alumnidevelopment teamThe following people were members of the FreeBSD development team
during the periods indicated. We thank them for their past efforts
in the service of the FreeBSD project.In rough chronological order:&a.tedm (???? - 2000)&a.karl (???? - 2000)&a.gclarkii (1993 - 2000)&a.jraynard (???? - 2000)&a.jgreco (???? - 1999)&a.ats (???? - 1999)Jamil Weatherby (1997 - 1999)meganm (???? - 1998)&a.dyson (???? - 1998)Amancio Hasty (1997 - 1998)Drew Derbyshire (1997 - 1998)Derived Software ContributorsThis software was originally derived from William F. Jolitz's 386BSD
release 0.1, though almost none of the original 386BSD specific code
remains. This software has been essentially re-implemented from the
4.4BSD-Lite release provided by the Computer Science Research Group
(CSRG) at the University of California, Berkeley and associated academic
contributors.There are also portions of NetBSD and OpenBSD that have been
integrated into FreeBSD as well, and we would therefore like to thank
all the contributors to NetBSD and OpenBSD for their work.Additional FreeBSD Contributors(in alphabetical order by first name):ABURAYA Ryushirou rewsirow@ff.iij4u.or.jpAMAGAI Yoshiji amagai@nue.orgAaron Bornstein aaronb@j51.comAaron Smith aaron@mutex.orgAchim Patzner ap@noses.comAda T Lim ada@bsd.orgAdam Baran badam@mw.mil.plAdam Glass glass@postgres.berkeley.eduAdam Herzog adam@herzogdesigns.comAdam Kranzel adam@alameda.eduAdam McDougall mcdouga9@egr.msu.eduAdam Strohl troll@digitalspark.netAdoal Xu adoal@iname.comAdrian Colley aecolley@ois.ieAdrian Hall ahall@mirapoint.comAdrian Mariano adrian@cam.cornell.eduAdrian Steinmann ast@marabu.chAdrian T. Filipi-Martin
atf3r@agate.cs.virginia.eduAjit Thyagarajan unknownAkio Morita
amorita@meadow.scphys.kyoto-u.ac.jpAkira SAWADA unknownAkira Watanabe
akira@myaw.ei.meisei-u.ac.jpAkito Fujita fujita@zoo.ncl.omron.co.jpAlain Kalker
A.C.P.M.Kalker@student.utwente.nlAlan Bawden alan@curry.epilogue.comAlec Wolman wolman@cs.washington.eduAled Morris aledm@routers.co.ukAleksandr A Babaylov .@babolo.ruAlex G. Bulushev bag@demos.suAlex D. Chen
dhchen@Canvas.dorm7.nccu.edu.twAlex Le Heux alexlh@funk.orgAlex Kapranoff kappa@zombie.antar.bryansk.ruAlex Perel veers@disturbed.netAlex Semenyaka alex@rinet.ruAlex Varju varju@webct.comAlex Zepeda garbanzo@hooked.netAlexander B. Povolotsky tarkhil@mgt.msk.ruAlexander Gelfenbain mail@gelf.comAlexander Leidinger
netchild@wurzelausix.CS.Uni-SB.DEAlexandre Peixoto
alexandref@tcoip.com.brAlexandre Snarskii snar@paranoia.ruAlistair G. Crooks agc@uts.amdahl.comAllan Bowhill bowhill@bowhill.vservers.comAllan Saddi asaddi@philosophysw.comAllen Campbell allenc@verinet.comAmakawa Shuhei amakawa@hoh.t.u-tokyo.ac.jpAmancio Hasty hasty@star-gate.comAmir Farah amir@comtrol.comAmir Shalem amir@boom.org.ilAmy Baron amee@beer.orgThe Anarcat beaupran@iro.umontreal.caAnatoly A. Orehovsky tolik@mpeks.tomsk.suAnatoly Vorobey mellon@pobox.comAnders Andersson anders@codefactory.seAnders Nordby anders@fix.noAnders Thulin Anders.X.Thulin@telia.seAndras Olah olah@cs.utwente.nlAndre Albsmeier
Andre.Albsmeier@mchp.siemens.deAndre Goeree abgoeree@uwnet.nlAndre Oppermann andre@pipeline.chAndreas Haakh ah@alman.robin.deAndreas Kohout shanee@rabbit.augusta.deAndreas Lohr andreas@marvin.RoBIN.deAndreas Schulz unknownAndreas Wetzel mickey@deadline.snafu.deAndreas Wrede andreas@planix.comAndres Vega Garcia unknownAndrew Atrens atreand@statcan.caAndrew Boothman andrew@cream.orgAndrew Gillham gillham@andrews.eduAndrew Gordon andrew.gordon@net-tel.co.ukAndrew Herbert andrew@werple.apana.org.auAndrew J. Korty ajk@purdue.eduAndrew L. Moore alm@mclink.comAndrew L. Neporada andrew@chg.ruAndrew McRae amcrae@cisco.comAndrew Stevenson andrew@ugh.net.auAndrew Timonin tim@pool1.convey.ruAndrew V. Stesin stesin@elvisti.kiev.uaAndrew Webster awebster@dataradio.comAndrey Novikov andrey@novikov.comAndrey Simonenko simon@comsys.ntu-kpi.kiev.uaAndrey Tchoritch andy@venus.sympad.netAndy Farkas andyf@speednet.com.auAndy Valencia ajv@csd.mot.comAndy Whitcroft andy@sarc.city.ac.ukAngelo Turetta ATuretta@stylo.itAnthony C. Chavez magus@xmission.comAnthony Yee-Hang Chan yeehang@netcom.comAnton N. Bruesov antonz@library.ntu-kpi.kiev.uaAnton Voronin anton@urc.ac.ruAntti Kaipila anttik@iki.fiarci vega@sophia.inria.frAre Bryne are.bryne@communique.noAri Suutari ari@suutari.iki.fiArindum Mukerji rmukerji@execpc.comArjan de Vet devet@IAEhv.nlArne Henrik Juul arnej@Lise.Unit.NOArun Sharma adsharma@sharmas.dhs.orgArnaud S. Launay asl@launay.orgAsk Bjoern Hansen ask@valueclick.comAtsushi Furuta furuta@sra.co.jpAtsushi Murai amurai@spec.co.jpAtushi Sakauchi sakauchi@yamame.toBakul Shah bvs@bitblocks.comBarry Bierbauch pivrnec@vszbr.czBarry Lustig barry@ictv.comBen Hutchinson benhutch@xfiles.org.ukBen Jackson unknownBen Walter bwalter@itachi.swcp.comBenjamin Lewis bhlewis@gte.netBerend de Boer berend@pobox.comBernd Rosauer br@schiele-ct.deBill Kish kish@osf.orgBill Trost trost@cloud.rain.comBlaz Zupan blaz@amis.netBob Van Valzah Bob@whitebarn.comBob Wilcox bob@obiwan.uucpBob Willcox bob@luke.pmr.comBoris Staeblow balu@dva.in-berlin.deBoyd Faulkner faulkner@mpd.tandem.comBoyd R. Faulkner faulkner@asgard.bga.comBrad Chapman chapmanb@arches.uga.eduBrad Hendrickse bradh@uunet.co.zaBrad Karp karp@eecs.harvard.eduBradley Dunn bradley@dunn.orgBrad Jones brad@kazrak.comBrandon Fosdick bfoz@glue.umd.eduBrandon Gillespie brandon@roguetrader.com&a.wlloydBrent J. Nordquist bjn@visi.comBrett Lymn blymn@mulga.awadi.com.AUBrett Taylor
brett@peloton.runet.eduBrian Campbell brianc@pobox.comBrian Clapper bmc@willscreek.comBrian Cully shmit@kublai.comBrian Handy
handy@lambic.space.lockheed.comBrian Litzinger brian@MediaCity.comBrian McGovern bmcgover@cisco.comBrian Moore ziff@houdini.eecs.umich.eduBrian R. Haug haug@conterra.comBrian Tao taob@risc.orgBrion Moss brion@queeg.comBruce Albrecht bruce@zuhause.mn.orgBruce Gingery bgingery@gtcs.comBruce J. Keeler loodvrij@gridpoint.comBruce Murphy packrat@iinet.net.auBruce Walter walter@fortean.comCarey Jones mcj@acquiesce.orgCarl Fongheiser cmf@netins.netCarl Mascott cmascott@world.std.comCasper casper@acc.amCastor Fu castor@geocast.comChad David davidc@acns.ab.caChain Lee chain@110.netCharles Hannum mycroft@ai.mit.eduCharles Henrich henrich@msu.eduCharles Mott cmott@scientech.comCharles Owens owensc@enc.eduChet Ramey chet@odin.INS.CWRU.EduChia-liang Kao clkao@CirX.ORGChiharu Shibata chi@bd.mbn.or.jpChip Norkus unknownChris Csanady cc@tarsier.ca.sandia.govChris Dabrowski chris@vader.orgChris Dillon cdillon@wolves.k12.mo.usChris Shenton
cshenton@angst.it.hq.nasa.gov&a.cshumway;Chris Stenton jacs@gnome.co.ukChris Timmons skynyrd@opus.cts.cwu.eduChris Torek torek@ee.lbl.govChristian Gusenbauer
cg@fimp01.fim.uni-linz.ac.atChristian Haury Christian.Haury@sagem.frChristian Weisgerber
naddy@mips.inka.deChristoph P. Kukulies kuku@FreeBSD.orgChristoph Robitschko
chmr@edvz.tu-graz.ac.atChristoph Weber-Fahr
wefa@callcenter.systemhaus.netChristopher G. Demetriou
cgd@postgres.berkeley.eduChristopher N. Harrell cnh@ivmg.netChristopher Preston rbg@gayteenresource.orgChristopher T. Johnson
cjohnson@neunacht.netgsi.comChrisy Luke chrisy@flix.netChuck Hein chein@cisco.comCliff Rowley dozprompt@onsea.comColman Reilly careilly@tcd.ieConrad Sabatier conrads@home.comCoranth Gryphon gryphon@healer.comCornelis van der Laan
nils@guru.ims.uni-stuttgart.deCove Schneider cove@brazil.nbn.comCraig Leres leres@ee.lbl.govCraig Loomis unknownCraig Metz cmetz@inner.netCraig Spannring cts@internetcds.comCraig Struble cstruble@vt.eduCristian Ferretti cfs@riemann.mat.puc.clCurt Mayer curt@toad.comCy Schubert cschuber@uumail.gov.bc.caCyrille Lefevre clefevre@citeweb.netCyrus Rahman cr@jcmax.comDai Ishijima ishijima@tri.pref.osaka.jpDaisuke Watanabe NU7D-WTNB@asahi-net.or.jpDamian Hamill damian@cablenet.netDan Cross tenser@spitfire.ecsel.psu.eduDan Langille dan@freebsddiary.orgDan Lukes dan@obluda.czDan Nelson dnelson@emsphone.comDan Papasian bugg@bugg.strangled.netDan Piponi wmtop@tanelorn.demon.co.ukDan Walters hannibal@cyberstation.netDaniel Hagan
dhagan@cs.vt.eduDaniel O'Connor doconnor@gsoft.com.auDaniel Poirot poirot@aio.jsc.nasa.govDaniel Rock rock@cs.uni-sb.deDaniel W. McRobb dwm@caimis.comDanny Egen unknownDanny J. Zerkel dzerkel@phofarm.comDave Adkins adkin003@tc.umn.eduDave Andersen angio@aros.netDave Blizzard dblizzar@sprynet.comDave Bodenstab imdave@synet.netDave Burgess burgess@hrd769.brooks.af.milDave Chapeskie dchapes@ddm.on.caDave Cornejo dave@dogwood.comDave Edmondson davided@sco.comDave Glowacki dglo@ssec.wisc.eduDave Marquardt marquard@austin.ibm.comDave Tweten tweten@FreeBSD.orgDavid A. Adkins adkin003@tc.umn.eduDavid A. Bader dbader@eece.unm.eduDavid Borman dab@bsdi.comDavid Dawes dawes@XFree86.orgDavid Filo unknownDavid Holland dholland@eecs.harvard.eduDavid Holloway daveh@gwythaint.tamis.comDavid Horwitt dhorwitt@ucsd.eduDavid Hovemeyer daveho@infocom.comDavid Jones dej@qpoint.torfree.netDavid Kelly dkelly@tomcat1.tbe.comDavid Kulp dkulp@neomorphic.comDavid L. Nugent davidn@blaze.net.auDavid Leonard d@scry.dstc.edu.auDavid Muir Sharnoff muir@idiom.comDavid S. Miller davem@jenolan.rutgers.eduDavid Sugar dyfet@gnu.orgDavid Wolfskill dhw@whistle.comDean Gaudet dgaudet@arctic.orgDean Huxley dean@fsa.caDenis Fortin unknownDenis Shaposhnikov dsh@vlink.ruDennis Glatting
dennis.glatting@software-munitions.comDenton Gentry denny1@home.comder Mouse mouse@Collatz.McRCIM.McGill.EDUDerek Inksetter derek@saidev.comDI. Christian Gusenbauer
cg@scotty.edvz.uni-linz.ac.atDirk Keunecke dk@panda.rhein-main.deDirk Nehrling nerle@pdv.deDishanker Rajakulendren draj@oceanfree.netDmitry A. Yankofm@astral.ntu-kpi.kiev.uaDmitry Khrustalev dima@xyzzy.machaon.ruDmitry Kohmanyuk dk@farm.orgDom Mitchell dom@myrddin.demon.co.ukDomas Mituzas midom@dammit.ltDominik Brettnacher domi@saargate.deDominik Rothert dr@domix.deDon Croyle croyle@gelemna.ft-wayne.in.usDonn Miller dmmiller@cvzoom.netDan Pelleg dpelleg+unison@cs.cmu.edu&a.whiteside;Don Morrison dmorrisn@u.washington.eduDon Yuniskis dgy@rtd.comDonald Maddox dmaddox@conterra.comDouglas Ambrisko ambrisko@whistle.comDouglas Carmichael dcarmich@mcs.comDouglas Crosher dtc@scrooge.ee.swin.oz.auDrew Derbyshire ahd@kew.comDustin Sallings dustin@spy.netEckart "Isegrim" Hofmann
Isegrim@Wunder-Nett.orgEd Gold
vegold01@starbase.spd.louisville.eduEd Hudson elh@p5.spnet.comEdward Chuang edwardc@firebird.org.twEdward Wang edward@edcom.comEdwin Groothus edwin@nwm.wan.philips.comEdwin Mons e@ik.nuEge Rekk aagero@aage.priv.noEiji-usagi-MATSUmoto usagi@clave.gr.jpEike Bernhardt eike.bernhardt@gmx.deELISA Font ProjectElmar Bartel
bartel@informatik.tu-muenchen.deEoin Lawless eoin@maths.tcd.ieEric A. Griff eagriff@global2000.netEric Blood eblood@cs.unr.eduEric D. Futch efutch@nyct.netEric J. Haug ejh@slustl.slu.eduEric J. Schwertfeger eric@cybernut.comEric L. Hernes erich@lodgenet.comEric P. Scott eps@sirius.comEric Sprinkle eric@ennovatenetworks.comErich Stefan Boleyn erich@uruk.orgErich Zigler erich@tacni.netErik H. Bakke erikhb@bgnett.noErik E. Rantapaa rantapaa@math.umn.eduErik H. Moe ehm@cris.comErnst de Haan ernst@heinz.jollem.comErnst Winter ewinter@lobo.muc.deEspen Skoglund esk@ira.uka.deEugene M. Kim astralblue@usa.netEugene Radchenko genie@qsar.chem.msu.suEugeny Kuzakov CoreDumped@coredumped.null.ruEvan Champion evanc@synapse.netFaried Nawaz fn@Hungry.COMFlemming Jacobsen fj@batmule.dkFong-Ching Liaw fong@juniper.netFrancis M J Hsieh mjshieh@life.nthu.edu.twFrancisco Reyes fjrm@yahoo.comFrank Bartels knarf@camelot.deFrank Chen Hsiung Chan
frankch@waru.life.nthu.edu.twFrank Durda IV uhclem@nemesis.lonestar.orgFrank MacLachlan fpm@n2.netFrank Nobis fn@Radio-do.deFrank ten Wolde franky@pinewood.nlFrank van der Linden frank@fwi.uva.nlFrank Volf volf@oasis.IAEhv.nlFred Cawthorne fcawth@jjarray.umn.eduFred Gilham gilham@csl.sri.comFred Templin templin@erg.sri.comFrederick Earl Gray fgray@rice.eduFUJIMOTO Kensaku
fujimoto@oscar.elec.waseda.ac.jpFURUSAWA Kazuhisa
furusawa@com.cs.osakafu-u.ac.jp&a.stanislav;Gabor Kincses gabor@acm.orgGabor Zahemszky zgabor@CoDe.huGareth McCaughan gjm11@dpmms.cam.ac.ukGary A. Browning gab10@griffcd.amdahl.comGary Howland gary@hotlava.comGary J. garyj@rks32.pcs.dec.comGary Kline kline@thought.orgGaspar Chilingarov nightmar@lemming.acc.amGea-Suan Lin gsl@tpts4.seed.net.twGene Raytsin pal@paladin7.netGeoff Rehmet csgr@alpha.ru.ac.zaGeorg Wagner georg.wagner@ubs.comGianlorenzo Masini masini@uniroma3.itGianmarco Giovannelli
gmarco@giovannelli.itGil Kloepfer Jr. gil@limbic.ssdl.comGilad Rom rom_glsa@ein-hashofet.co.ilGiles Lean giles@nemeton.com.auGinga Kawaguti
ginga@amalthea.phys.s.u-tokyo.ac.jpGiorgos Keramidas keramida@ceid.upatras.grGlen Foster gfoster@gfoster.comGlenn Johnson gljohns@bellsouth.netGodmar Back gback@facility.cs.utah.eduGoran Hammarback goran@astro.uu.seGord Matzigkeit gord@enci.ucalgary.caGordon Greeff gvg@uunet.co.zaGraham Wheeler gram@cdsec.comGreg A. Woods woods@zeus.leitch.comGreg Ansley gja@ansley.comGreg Robinson greg@rosevale.com.auGreg Troxel gdt@ir.bbn.comGreg Ungerer gerg@stallion.oz.auGregory Bond gnb@itga.com.auGregory D. Moncreaff
moncrg@bt340707.res.ray.comGuy Harris guy@netapp.comGuy Helmer ghelmer@cs.iastate.eduHAMADA Naoki hamada@astec.co.jpHannu Savolainen hannu@voxware.pp.fiHans Huebner hans@artcom.deHans Petter Bieker zerium@webindex.noHans Zuidam hans@brandinnovators.comHarlan Stenn Harlan.Stenn@pfcs.comHarold Barker hbarker@dsms.comHarry Newton harry_newton@telinco.co.ukHavard Eidnes
Havard.Eidnes@runit.sintef.noHeikki Suonsivu hsu@cs.hut.fiHeiko W. Rupp unknownHelmut F. Wirth hfwirth@ping.atHenrik Vestergaard Draboel
hvd@terry.ping.dkHerb Peyerl hpeyerl@NetBSD.orgHideaki Ohmon ohmon@tom.sfc.keio.ac.jpHidekazu Kuroki hidekazu@cs.titech.ac.jpHideki Yamamoto hyama@acm.orgHideyuki Suzuki
hideyuki@sat.t.u-tokyo.ac.jpHirayama Issei iss@mail.wbs.ne.jpHiroaki Sakai sakai@miya.ee.kagu.sut.ac.jpHiroharu Tamaru tamaru@ap.t.u-tokyo.ac.jpHironori Ikura hikura@kaisei.orgHiroshi Nishikawa nis@pluto.dti.ne.jpHiroya Tsubakimoto unknownHolger Lamm holger@eit.uni-kl.deHolger Veit Holger.Veit@gmd.deHolm Tiffe holm@geophysik.tu-freiberg.deHONDA Yasuhiro
honda@kashio.info.mie-u.ac.jpHorance Chou
horance@freedom.ie.cycu.edu.twHorihiro Kumagai kuma@jp.FreeBSD.orgHOSOBUCHI Noriyuki hoso@buchi.tama.or.jpHOTARU-YA hotaru@tail.netHr.Ladavac lada@ws2301.gud.siemens.co.atHubert Feyrer hubertf@NetBSD.ORGHugh F. Mahon hugh@nsmdserv.cnd.hp.comHugh Mahon h_mahon@fc.hp.comHung-Chi Chu hcchu@r350.ee.ntu.edu.twIan Holland ianh@tortuga.com.auIan Struble ian@broken.netIan Vaudrey i.vaudrey@bigfoot.comIgor Khasilev igor@jabber.paco.odessa.uaIgor Roshchin str@giganda.komkon.orgIgor Serikov bt@turtle.pangeatech.comIgor Sviridov siac@ua.netIgor Vinokurov igor@zynaps.ruIkuo Nakagawa ikuo@isl.intec.co.jpIlia Chipitsine ilia@jane.cgu.chel.suIlya V. Komarov mur@lynx.ruIMAI Takeshi take-i@ceres.dti.ne.jpIMAMURA Tomoaki
tomoak-i@is.aist-nara.ac.jpItsuro Saito saito@miv.t.u-tokyo.ac.jpIWASHITA Yoji shuna@pop16.odn.ne.jpJ. Bryant jbryant@argus.flash.netJ. David Lowe lowe@saturn5.comJ. Han hjh@photino.comJ. Hawk jhawk@MIT.EDUJ.T. Conklin jtc@cygnus.comJack jack@zeus.xtalwind.netJacob Bohn Lorensen jacob@jblhome.ping.mkJagane D Sundar jagane@netcom.comJake Hamby jehamby@anobject.comJames Clark jjc@jclark.comJames D. Stewart jds@c4systm.comJames da Silva jds@cs.umd.eduJames Jegers jimj@miller.cs.uwm.eduJames Raynard
fhackers@jraynard.demon.co.ukJames T. Liu jtliu@phlebas.rockefeller.eduJamie Heckford jamie@jamiesdomain.co.ukJan Conard
charly@fachschaften.tu-muenchen.deJan Jungnickel Jan@Jungnickel.comJan Koum jkb@FreeBSD.orgJanick Taillandier
Janick.Taillandier@ratp.frJanusz Kokot janek@gaja.ipan.lublin.plJarle Greipsland jarle@idt.unit.noJason DiCioccio geniusj@ods.orgJason Garman init@risen.orgJason R. Mastaler
jason-freebsd@mastaler.comJason Thorpe thorpej@NetBSD.orgJason Wright jason@OpenBSD.orgJason Young
doogie@forbidden-donut.anet-stl.comJavier Martin Rueda jmrueda@diatel.upm.esJay Fenlason hack@datacube.comJay Krell jay.krell@cornell.eduJaye Mathisen mrcpu@cdsnet.netJeff Bartig jeffb@doit.wisc.eduJeff Brown jabrown@caida.orgJeff Forys jeff@forys.cranbury.nj.usJeff Kletsky Jeff@Wagsky.comJeff Palmer scorpio@drkshdw.orgJeffrey Evans evans@scnc.k12.mi.usJeffrey Wheat jeff@cetlink.netJeremy Allison jallison@whistle.comJeremy Chadwick yoshi@parodius.comJeremy Chatfield jdc@xinside.comJeremy Karlson karlj000@unbc.caJeremy Prior unknownJeremy Shaffner jeremy@external.orgJesse McConnell jesse@cylant.comJesse Rosenstock jmr@ugcs.caltech.eduJian-Da Li jdli@csie.nctu.edu.twJim Babb babb@FreeBSD.orgJim Binkley jrb@cs.pdx.eduJim Bloom bloom@acm.orgJim Carroll jim@carroll.comJim Flowers jflowers@ezo.netJim Leppek jleppek@harris.comJim Lowe james@cs.uwm.eduJim Mattson jmattson@sonic.netJim Mercer jim@komodo.reptiles.orgJim Sloan odinn@atlantabiker.netJim Wilson wilson@moria.cygnus.comJimbo Bahooli
griffin@blackhole.iceworld.orgJin Guojun jin@george.lbl.govJoachim Kuebart kuebart@mathematik.uni-ulm.deJoao Carlos Mendes Luis jonny@jonny.eng.brJochen Pohl jpo.drs@sni.deJoe "Marcus" Clarke marcus@marcuscom.comJoe Abley jabley@automagic.orgJoe Jih-Shian Lu jslu@dns.ntu.edu.twJoe Orthoefer j_orthoefer@tia.netJoe Traister traister@mojozone.orgJoel Faedi Joel.Faedi@esial.u-nancy.frJoel Ray Holveck joelh@gnu.orgJoel Sutton jsutton@bbcon.com.auJordan DeLong fracture@allusion.netJoseph Scott joseph@randomnetworks.comJohan Granlund johan@granlund.nuJohan Karlsson k@numeri.campus.luth.seJohan Larsson johan@moon.campus.luth.seJohann Tonsing jtonsing@mikom.csir.co.zaJohannes Helander unknownJohannes Stille unknownJohn Beckett jbeckett@southern.eduJohn Beukema jbeukema@hk.super.netJohn Brezak unknownJohn Capo jc@irbs.comJohn F. Woods jfw@jfwhome.funhouse.comJohn Goerzen
jgoerzen@alexanderwohl.complete.orgJohn Heidemann johnh@isi.eduJohn Hood cgull@owl.orgJohn Kohl unknownJohn Lind john@starfire.mn.orgJohn Mackin john@physiol.su.oz.auJohn Merryweather Cooper jmcoopr@webmail.bmi.netJohn P johnp@lodgenet.comJohn Perry perry@vishnu.alias.netJohn Preisler john@vapornet.comJohn Reynolds jjreynold@home.comJohn Rochester jr@cs.mun.caJohn Sadler john_sadler@alum.mit.eduJohn Saunders john@pacer.nlc.net.auJohn Wehle john@feith.comJohn Woods jfw@eddie.mit.eduJohny Mattsson lonewolf@flame.orgJon Morgan morgan@terminus.trailblazer.comJonathan Belson jon@witchspace.comJonathan H N Chin jc254@newton.cam.ac.ukJonathan Hanna
jh@pc-21490.bc.rogers.wave.caJonathan Pennington john@coastalgeology.orgJorge Goncalves j@bug.fe.up.ptJorge M. Goncalves ee96199@tom.fe.up.ptJos Backus jbackus@plex.nlJose Marques jose@nobody.orgJosef Grosch
jgrosch@superior.mooseriver.comJoseph Stein joes@wstein.comJosh Gilliam josh@quick.netJosh Tiefenbach josh@ican.netJuergen Lock nox@jelal.hb.north.deJuha Inkari inkari@cc.hut.fiJukka A. Ukkonen jau@iki.fiJulian Assange proff@suburbia.netJulian Coleman j.d.coleman@ncl.ac.uk&a.jhsJulian Jenkins kaveman@magna.com.auJunichi Satoh junichi@jp.FreeBSD.orgJunji SAKAI sakai@jp.FreeBSD.orgJunya WATANABE junya-w@remus.dti.ne.jpJustas justas@mbank.lvJustin Stanford jus@security.za.netK.Higashino a00303@cc.hc.keio.ac.jpKai Vorma vode@snakemail.hut.fiKaleb S. Keithley kaleb@ics.comKaneda Hiloshi vanitas@ma3.seikyou.ne.jpKang-ming Liu gugod@gugod.orgKapil Chowksey kchowksey@hss.hns.comKarl Denninger karl@mcs.comKarl Dietz Karl.Dietz@triplan.comKarl Lehenbauer karl@NeoSoft.comKATO Tsuguru tkato@prontomail.ne.jpKawanobe Koh kawanobe@st.rim.or.jpKees Jan Koster kjk1@ukc.ac.ukKeith Bostic bostic@bostic.comKeith E. Walker kew@icehouse.netKeith Moore unknownKeith Sklower unknownKen Hornstein unknownKen Key key@cs.utk.eduKen Mayer kmayer@freegate.comKenji Saito marukun@mx2.nisiq.netKenji Tomita tommyk@da2.so-net.or.jpKenneth Furge kenneth.furge@us.endress.comKenneth Monville desmo@bandwidth.orgKenneth R. Westerback krw@tcn.netKenneth Stailey kstailey@gnu.ai.mit.eduKent Talarico kent@shipwreck.tsoft.netKent Vander Velden graphix@iastate.eduKentaro Inagaki JBD01226@niftyserve.ne.jpKevin Bracey kbracey@art.acorn.co.ukKevin Day toasty@dragondata.comKevin Lahey kml@nas.nasa.govKevin Meltzer perlguy@perlguy.comKevin Street street@iname.comKevin Van Maren vanmaren@fast.cs.utah.eduKiller killer@prosalg.noKim Scarborough sluggo@unknown.nuKiril Mitev kiril@ideaglobal.comKiroh HARADA kiroh@kh.rim.or.jpKlaus Herrmann klaus.herrmann@gmx.netKlaus Klein kleink@layla.inka.deKlaus-J. Wolf Yanestra@t-online.deKoichi Sato copan@ppp.fastnet.or.jpKonrad Heuer kheuer@gwdu60.gwdg.deKonstantin Chuguev Konstantin.Chuguev@dante.org.ukKostya Lukin lukin@okbmei.msk.suKouichi Hirabayashi kh@mogami-wire.co.jpKris Dow kris@vilnya.demon.co.ukKUNISHIMA Takeo kunishi@c.oka-pu.ac.jpKurt D. Zeilenga Kurt@Boolean.NETKurt Olsen kurto@tiny.mcs.usu.eduL. Jonas Olsson
ljo@ljo-slip.DIALIN.CWRU.EduLarry Altneu larry@ALR.COMLars Bernhardsson lab@fnurt.netLars Köller
Lars.Koeller@Uni-Bielefeld.DELaurence Lopez lopez@mv.mv.comLee Cremeans lcremean@tidalwave.netLeo Kim leo@florida.sarang.netLeo Serebryakov lev@serebryakov.spb.ruLiang Tai-hwa
avatar@www.mmlab.cse.yzu.edu.twLon Willett lon%softt.uucp@math.utah.eduLouis A. Mamakos louie@TransSys.COMLouis Mamakos loiue@TransSys.comLowell Gilbert lowell@world.std.comLucas James Lucas.James@ldjpc.apana.org.auLyndon Nerenberg lyndon@orthanc.ab.caM. L. Dodson bdodson@scms.utmb.EDUM.C. Wong unknownMagnus Enbom dot@tinto.campus.luth.seMahesh Neelakanta mahesh@gcomm.comMakoto MATSUSHITA matusita@jp.FreeBSD.orgMakoto WATANABE
watanabe@zlab.phys.nagoya-u.ac.jpMakoto YAMAKURA makoto@pinpott.spnet.ne.jpMalte Lance malte.lance@gmx.netMANTANI Nobutaka nobutaka@nobutaka.comManu Iyengar
iyengar@grunthos.pscwa.psca.comMarc Frajola marc@dev.comMarc Ramirez mrami@mramirez.sy.yale.eduMarc Slemko marcs@znep.comMarc van Kempen wmbfmk@urc.tue.nlMarc van Woerkom van.woerkom@netcologne.deMarcin Cieslak saper@system.plMark Andrews unknownMark Cammidge mark@gmtunx.ee.uct.ac.zaMark Diekhans markd@grizzly.comMark Huizer xaa@stack.nlMark J. Taylor mtaylor@cybernet.comMark Knight markk@knigma.orgMark Krentel krentel@rice.eduMark Mayo markm@vmunix.comMark Thompson thompson@tgsoft.comMark Tinguely tinguely@plains.nodak.eduMark Treacy unknownMark Valentine mark@thuvia.orgMarkus Holmberg saska@acc.umu.seMartin Birgmeier unknownMartin Blapp blapp@attic.chMartin Hinner mhi@linux.gyarab.czMartin Ibert mib@ppe.bb-data.deMartin Kammerhofer dada@sbox.tu-graz.ac.atMartin Minkus diskiller@cnbinc.comMartin Renters martin@tdc.on.caMartti Kuparinen
martti.kuparinen@ericsson.comMasachika ISHIZUKA
ishizuka@isis.min.ntt.jpMasahiro Sekiguchi
seki@sysrap.cs.fujitsu.co.jpMasahiro TAKEMURA
mastake@msel.t.u-tokyo.ac.jpMasanobu Saitoh msaitoh@spa.is.uec.ac.jpMasanori Kanaoka kana@saijo.mke.mei.co.jpMasanori Kiriake seiken@ARGV.ACMasatoshi TAMURA
tamrin@shinzan.kuee.kyoto-u.ac.jpMats Lofkvist mal@algonet.seMatt Bartley mbartley@lear35.cytex.comMatt Heckaman matt@LUCIDA.QC.CAMatt Thomas matt@3am-software.comMatt White mwhite+@CMU.EDUMatthew C. Mead mmead@Glock.COMMatthew Cashdollar mattc@rfcnet.comMatthew Emmerton root@gabby.gsicomp.on.caMatthew Flatt mflatt@cs.rice.eduMatthew Fuller fullermd@futuresouth.comMatthew Stein matt@bdd.netMatthew West mwest@uct.ac.zaMatthias Pfaller leo@dachau.marco.deMatthias Scheler tron@netbsd.orgMattias Gronlund
Mattias.Gronlund@sa.erisoft.seMattias Pantzare pantzer@ludd.luth.seMaurice Castro
maurice@planet.serc.rmit.edu.auMax Euston meuston@jmrodgers.comMax Khon fjoe@husky.iclub.nsu.ruMaxim Bolotin max@rsu.ruMaxim Konovalov maxim@macomnet.ruMaxime Henrion mhenrion@cybercable.frMicha Class
michael_class@hpbbse.bbn.hp.comMichael Alyn Miller malyn@strangeGizmo.comMichael Lucas mwlucas@blackhelicopters.orgMichael Lyngbøl michael@lyngbol.dkMichael Butler imb@scgt.oz.auMichael Butschky butsch@computi.erols.comMichael Clay mclay@weareb.orgMichael Galassi nerd@percival.rain.comMichael Hancock michaelh@cet.co.jpMichael Hohmuth hohmuth@inf.tu-dresden.deMichael Perlman canuck@caam.rice.eduMichael Petry petry@netwolf.NetMasters.comMichael Reifenberger root@totum.plaut.deMichael Sardo jaeger16@yahoo.comMichael Searle searle@longacre.demon.co.ukMichael Urban murban@tznet.comMichael Vasilenko acid@stu.cn.uaMichal Listos mcl@Amnesiac.123.orgMichio Karl Jinbo
karl@marcer.nagaokaut.ac.jpMiguel Angel Sagreras
msagre@cactus.fi.uba.arMihoko Tanaka m_tonaka@pa.yokogawa.co.jpMika Nystrom mika@cs.caltech.eduMikael Hybsch micke@dynas.seMikael Karpberg
karpen@ocean.campus.luth.seMike Bristow mike@urgle.comMike Del repenting@hotmail.comMike Durian durian@plutotech.comMike Durkin mdurkin@tsoft.sf-bay.orgMike E. Matsnev mike@azog.cs.msu.suMike Evans mevans@candle.comMike Futerko mike@LITech.lviv.uaMike Grupenhoff kashmir@umiacs.umd.eduMike Harding mvh@ix.netcom.comMike Hibler mike@marker.cs.utah.eduMike Karels unknownMike McGaughey mmcg@cs.monash.edu.auMike Meyer mwm@mired.orgMike Mitchell mitchell@ref.tfs.comMike Murphy mrm@alpharel.comMike Peck mike@binghamton.eduMike Sherwood mike@fate.comMike Spengler mks@msc.eduMikhail A. Sokolov mishania@demos.suMing-I Hseh PA@FreeBSD.ee.Ntu.edu.TWMitsuru Yoshida mitsuru@riken.go.jpMonte Mitzelfelt monte@gonefishing.orgMorgan Davis root@io.cts.comMOROHOSHI Akihiko moro@race.u-tokyo.ac.jpMostyn Lewis mostyn@mrl.comMotomichi Matsuzaki mzaki@e-mail.ne.jpMotoyuki Kasahara m-kasahr@sra.co.jpN.G.Smith ngs@sesame.hensa.ac.ukNadav Eiron nadav@barcode.co.ilNAGAO Tadaaki nagao@cs.titech.ac.jpNAKAJI Hiroyuki
nakaji@tutrp.tut.ac.jpNAKAMURA Kazushi nkazushi@highway.or.jpNAKAMURA Motonori
motonori@econ.kyoto-u.ac.jpNAKATA, Maho chat95@mbox.kyoto-inet.or.jpNanbor Wang nw1@cs.wustl.eduNaofumi Honda
honda@Kururu.math.sci.hokudai.ac.jpNaoki Hamada nao@tom-yam.or.jpNarvi narvi@haldjas.folklore.eeNathan Dorfman nathan@rtfm.netNeal Fachan kneel@ishiboo.comNiall Smart rotel@indigo.ieNicholas Esborn nick@netdot.netNick Barnes Nick.Barnes@pobox.comNick Handel nhandel@NeoSoft.comNick Hilliard nick@foobar.orgNick Johnson freebsd@spatula.netNick Williams njw@cs.city.ac.ukNickolay N. Dudorov nnd@itfs.nsk.suNIIMI Satoshi sa2c@and.or.jpNiklas Hallqvist niklas@filippa.appli.seNils M. Holm nmh@t3x.orgNisha Talagala nisha@cs.berkeley.eduNo Name adrian@virginia.eduNo Name alex@elvisti.kiev.uaNo Name anto@netscape.netNo Name bobson@egg.ics.nitch.ac.jpNo Name bovynf@awe.beNo Name burg@is.ge.comNo Name chris@gnome.co.ukNo Name colsen@usa.netNo Name coredump@nervosa.comNo Name dannyman@arh0300.urh.uiuc.eduNo Name davids@SECNET.COMNo Name derek@free.orgNo Name devet@adv.IAEhv.nlNo Name djv@bedford.netNo Name dvv@sprint.netNo Name enami@ba2.so-net.or.jpNo Name flash@eru.tubank.msk.suNo Name flash@hway.ruNo Name fn@pain.csrv.uidaho.eduNo Name frf@xocolatl.comNo Name gclarkii@netport.neosoft.comNo Name gordon@sheaky.lonestar.orgNo Name graaf@iae.nlNo Name greg@greg.rim.or.jpNo Name grossman@cygnus.comNo Name gusw@fub46.zedat.fu-berlin.deNo Name hfir@math.rochester.eduNo Name hnokubi@yyy.or.jpNo Name iaint@css.tuu.utas.edu.auNo Name invis@visi.comNo Name ishisone@sra.co.jpNo Name iverson@lionheart.comNo Name jpt@magic.netNo Name junker@jazz.snu.ac.krNo Name k-sugyou@ccs.mt.nec.co.jpNo Name kenji@reseau.toyonaka.osaka.jpNo Name kfurge@worldnet.att.netNo Name lh@aus.orgNo Name lhecking@nmrc.ucc.ieNo Name mrgreen@mame.mu.oz.auNo Name nakagawa@jp.FreeBSD.orgNo Name ohki@gssm.otsuka.tsukuba.ac.jpNo Name owaki@st.rim.or.jpNo Name pechter@shell.monmouth.comNo Name pete@pelican.pelican.comNo Name pritc003@maroon.tc.umn.eduNo Name risner@stdio.comNo Name roman@rpd.univ.kiev.uaNo Name root@ns2.redline.ruNo Name root@uglabgw.ug.cs.sunysb.eduNo Name stephen.ma@jtec.com.auNo Name sumii@is.s.u-tokyo.ac.jpNo Name takas-su@is.aist-nara.ac.jpNo Name tamone@eig.unige.chNo Name tjevans@raleigh.ibm.comNo Name tony-o@iij.ad.jp amurai@spec.co.jpNo Name torii@tcd.hitachi.co.jpNo Name uenami@imasy.or.jpNo Name uhlar@netlab.skNo Name vode@hut.fiNo Name wlloyd@mpd.caNo Name wlr@furball.wellsfargo.comNo Name wmbfmk@urc.tue.nlNo Name yamagata@nwgpc.kek.jpNo Name ziggy@ryan.orgNo Name ZW6T-KND@j.asahi-net.or.jpNobuhiro Yasutomi nobu@psrc.isac.co.jpNobuyuki Koganemaru
kogane@koganemaru.co.jpNOKUBI Hirotaka h-nokubi@yyy.or.jpNorio Suzuki nosuzuki@e-mail.ne.jpNoritaka Ishizumi graphite@jp.FreeBSD.orgNoriyuki Soda soda@sra.co.jpOddbjorn Steffenson oddbjorn@tricknology.orgOh Junseon hollywar@mail.holywar.netOlaf Wagner wagner@luthien.in-berlin.deOleg Semyonov os@altavista.netOleg Sharoiko os@rsu.ruOleg V. Volkov rover@lglobus.ruOlexander Kunytsa kunia@wolf.istc.kiev.uaOliver Breuninger ob@seicom.NETOliver Friedrichs oliver@secnet.comOliver Fromme
oliver.fromme@heim3.tu-clausthal.deOliver Helmling
oliver.helmling@stud.uni-bayreuth.deOliver Laumann
net@informatik.uni-bremen.deOliver Lehmann
Kai_Allard_Liao@gmx.deOliver Oberdorf oly@world.std.comOlof Johansson offe@ludd.luth.seOsokin Sergey aka oZZ ozz@FreeBSD.org.ruPace Willisson pace@blitz.comPaco Rosich rosich@modico.eleinf.uv.esPalle Girgensohn girgen@partitur.seParag Patel parag@cgt.comPascal Pederiva pascal@zuo.dec.comPasvorn Boonmark boonmark@juniper.netPatrick Alken cosine@ellipse.mcs.drexel.eduPatrick Bihan-Faou patrick@mindstep.comPatrick Hausen unknownPatrick Li pat@databits.netPatrick Seal patseal@hyperhost.netPaul Antonov apg@demos.suPaul F. Werkowski unknownPaul Fox pgf@foxharp.boston.ma.usPaul Koch koch@thehub.com.auPaul Kranenburg pk@NetBSD.orgPaul M. Lambert plambert@plambert.netPaul Mackerras paulus@cs.anu.edu.auPaul Popelka paulp@uts.amdahl.comPaul S. LaFollette, Jr. unknownPaul Sandys myj@nyct.netPaul T. Root proot@horton.iaces.comPaul Vixie paul@vix.comPaulo Menezes paulo@isr.uc.ptPaulo Menezes pm@dee.uc.ptPedro A M Vazquez vazquez@IQM.Unicamp.BRPedro Giffuni giffunip@asme.orgPer Wigren wigren@home.sePete Bentley pete@demon.netPete Fritchman petef@databits.netPeter Childs pjchilds@imforei.apana.org.auPeter Cornelius pc@inr.fzk.dePeter Haight peterh@prognet.comPeter Jeremy peter.jeremy@alcatel.com.auPeter M. Chen pmchen@eecs.umich.eduPeter Much peter@citylink.dinoex.sub.orgPeter Olsson unknownPeter Philipp pjp@bsd-daemon.netPeter Stubbs PETERS@staidan.qld.edu.auPeter van Heusden pvh@egenetics.comPhil Maker pjm@cs.ntu.edu.auPhil Sutherland
philsuth@mycroft.dialix.oz.auPhil Taylor phil@zipmail.co.ukPhilip Musumeci philip@rmit.edu.auPhilippe Lefebvre nemesis@balistik.netPierre Y. Dampure pierre.dampure@k2c.co.ukPius Fischer pius@ienet.comPomegranate daver@flag.blackened.netPowerdog Industries
kevin.ruddy@powerdog.comPriit Järv priit@cc.ttu.eeR Joseph Wright rjoseph@mammalia.orgR. Kym HorsellRalf Friedl friedl@informatik.uni-kl.deRandal S. Masutani randal@comtest.comRandall Hopper rhh@ct.picker.comRandall W. Dean rwd@osf.orgRandy Bush rbush@bainbridge.verio.netRasmus Kaj kaj@Raditex.seReinier Bezuidenhout
rbezuide@mikom.csir.co.zaRemy Card Remy.Card@masi.ibp.frRicardas Cepas rch@richard.eu.orgRiccardo Veraldi veraldi@cs.unibo.itRich Wood rich@FreeBSD.org.ukRichard Henderson richard@atheist.tamu.eduRichard Hwang rhwang@bigpanda.comRichard Kiss richard@homemail.comRichard J Kuhns rjk@watson.grauel.comRichard M. Neswold
rneswold@enteract.comRichard Seaman, Jr. dick@tar.comRichard Stallman rms@gnu.ai.mit.eduRichard Straka straka@user1.inficad.comRichard Tobin richard@cogsci.ed.ac.ukRichard Wackerbarth rkw@Dataplex.NETRichard Winkel rich@math.missouri.eduRichard Wiwatowski rjwiwat@adelaide.on.netRick Macklem rick@snowhite.cis.uoguelph.caRick Macklin unknownRob Austein sra@epilogue.comRob Mallory rmallory@qualcomm.comRob Snow rsnow@txdirect.netRobert Crowe bob@speakez.comRobert D. Thrush rd@phoenix.aii.comRobert Eckardt
roberte@MEP.Ruhr-Uni-Bochum.deRobert P Ricci ricci@cs.utah.eduRobert Sanders rsanders@mindspring.comRobert Sexton robert@kudra.comRobert Shady rls@id.netRobert Swindells swindellsr@genrad.co.ukRobert Withrow witr@rwwa.comRobert Yoder unknownRobin Carey
robin@mailgate.dtc.rankxerox.co.ukRod Taylor rod@idiotswitch.orgRoger Hardiman roger@cs.strath.ac.ukRoland Jesse jesse@cs.uni-magdeburg.deRoman Shterenzon roman@xpert.comRon Bickers rbickers@intercenter.netRon Lenk rlenk@widget.xmission.comRonald Kuehn kuehn@rz.tu-clausthal.deRudolf Cejka cejkar@dcse.fee.vutbr.czRuslan Belkin rus@home2.UA.netRuslan Shevchenko rssh@cam.grad.kiev.uaRussell L. Carter rcarter@pinyon.orgRussell Vincent rv@groa.uct.ac.zaRyan Younce ryany@pobox.comRyuichiro IMURA imura@af.airnet.ne.jpSakai Hiroaki sakai@miya.ee.kagu.sut.ac.jpSakari Jalovaara sja@tekla.fiSam Hartman hartmans@mit.eduSamuel Lam skl@ScalableNetwork.comSamuel Tardieu sam@inf.enst.frSamuele Zannoli zannoli@cs.unibo.itSander Janssen janssen@rendo.dekooi.nlSander Vesik sander@haldjas.folklore.eeSandro Sigala ssigala@globalnet.itSANETO Takanori sanewo@strg.sony.co.jpSASAKI Shunsuke ele@pop17.odn.ne.jpSascha Blank blank@fox.uni-trier.deSascha Wildner swildner@channelz.GUN.deSatoh Junichi junichi@astec.co.jpSAWADA Mizuki miz@qb3.so-net.ne.jpScot Elliott scot@poptart.orgScot W. Hetzel hetzels@westbend.netScott A. Kenney saken@rmta.ml.orgScott A. Moberly smoberly@xavier.dyndns.orgScott Blachowicz
scott.blachowicz@seaslug.orgScott Burris scott@pita.cns.ucla.eduScott Hazen Mueller scott@zorch.sf-bay.orgScott Michel scottm@cs.ucla.eduScott Mitchel scott@uk.FreeBSD.orgScott Reynolds scott@clmqt.marquette.mi.usSebastian Strollo seb@erix.ericsson.seSerge V. Vakulenko vak@zebub.msk.suSergei Chechetkin csl@whale.sunbay.crimea.uaSergei S. Laskavy laskavy@pc759.cs.msu.suSergey Gershtein sg@mplik.ruSergey Kosyakov ks@itp.ac.ruSergey N. Vorokov serg@tmn.ruSergey Potapov sp@alkor.ruSergey Samoyloff gonza@techline.ruSergey Shkonda serg@bcs.zp.uaSergey Skvortsov skv@protey.ruSergey V.Dorokhov svd@kbtelecom.nalnet.ruSergio Lenzi lenzi@bsi.com.brShaun Courtney shaun@emma.eng.uct.ac.zaShawn M. Carey smcarey@mailbox.syr.eduShigio Yamaguchi shigio@tamacom.comShinya Esu esu@yk.rim.or.jpShinya FUJIE fujie@tk.elec.waseda.ac.jpShuichi Tanaka stanaka@bb.mbn.or.jpSimon simon@masi.ibp.frSimon Burge simonb@telstra.com.auSimon Dick simond@irrelevant.orgSimon J Gerraty sjg@melb.bull.oz.auSimon Marlow simonm@dcs.gla.ac.ukSimon Shapiro shimon@simon-shapiro.orgSin'ichiro MIYATANI siu@phaseone.co.jpSlaven Rezic eserte@cs.tu-berlin.deSoochon Radee slr@mitre.orgSoren Dayton csdayton@midway.uchicago.eduSoren Dossing sauber@netcom.comSoren S. Jorvang soren@wheel.dkStefan Bethke stb@hanse.deStefan Eggers seggers@semyam.dinoco.deStefan Moeding s.moeding@ndh.netStefan Petri unknownStefan `Sec` Zehl sec@42.orgSteinar Haug sthaug@nethelp.noStephane E. Potvin sepotvin@videotron.caStephane Legrand stephane@lituus.frStephen Clawson
sclawson@marker.cs.utah.eduStephen F. Combs combssf@salem.ge.comStephen Farrell stephen@farrell.orgStephen Hocking sysseh@devetir.qld.gov.auStephen J. Roznowski sjr@home.netStephen McKay syssgm@devetir.qld.gov.auStephen Melvin melvin@zytek.comSteve Bauer sbauer@rock.sdsmt.eduSteve Coltrin spcoltri@unm.eduSteve Deering unknownSteve Gerakines steve2@genesis.tiac.netSteve Gericke steveg@comtrol.comSteve Piette steve@simon.chi.il.USSteve Schwarz schwarz@alpharel.comSteven Enderle panic@subphase.deSteven G. Kargl
kargl@troutmask.apl.washington.eduSteven H. Samorodin samorodi@NUXI.comSteven McCanne mccanne@cs.berkeley.eduSteven Plite splite@purdue.eduSteven Wallace unknownStijn Hoop stijn@win.tue.nlStuart Henderson
stuart@internationalschool.co.ukSue Blake sue@welearn.com.auSugimoto Sadahiro ixtl@komaba.utmc.or.jpSUGIMURA Takashi sugimura@jp.FreeBSD.orgSugiura Shiro ssugiura@duo.co.jpSujal Patel smpatel@wam.umd.eduSungman Cho smcho@tsp.korea.ac.krSune Stjerneby stjerneby@usa.netSURANYI Peter
suranyip@jks.is.tsukuba.ac.jpSuzuki Yoshiaki
zensyo@ann.tama.kawasaki.jpSvein Skogen
tds@nsn.noSybolt de Boer bolt@xs4all.nlTadashi Kumano kumano@strl.nhk.or.jpTaguchi Takeshi taguchi@tohoku.iij.ad.jpTAKAHASHI Kaoru kaoru@kaisei.orgTakahiro Yugawa yugawa@orleans.rim.or.jpTakashi Mega mega@minz.orgTakashi Uozu j1594016@ed.kagu.sut.ac.jpTakayuki Ariga a00821@cc.hc.keio.ac.jpTakeru NAIKI naiki@bfd.es.hokudai.ac.jpTakeshi Amaike amaike@iri.co.jpTakeshi MUTOH mutoh@info.nara-k.ac.jpTakeshi Ohashi
ohashi@mickey.ai.kyutech.ac.jpTakeshi WATANABE
watanabe@crayon.earth.s.kobe-u.ac.jpTakuya SHIOZAKI
tshiozak@makino.ise.chuo-u.ac.jpTatoku Ogaito tacha@tera.fukui-med.ac.jpTatsuya Kudoh cdr@cosmonet.orgTed Buswell tbuswell@mediaone.netTed Faber faber@isi.eduTed Lemon mellon@isc.orgTerry Lambert terry@lambert.orgTerry Lee terry@uivlsi.csl.uiuc.eduTetsuya Furukawa tetsuya@secom-sis.co.jpTheo de Raadt deraadt@OpenBSD.orgThomas thomas@mathematik.uni-Bremen.deThomas D. Dean tomdean@ix.netcom.comThomas David Rivers rivers@dignus.comThomas G. McWilliams tgm@netcom.comThomas Graichen
graichen@omega.physik.fu-berlin.deThomas König
Thomas.Koenig@ciw.uni-karlsruhe.deThomas Ptacek unknownThomas Quinot thomas@cuivre.fr.eu.orgThomas A. Stephens tas@stephens.orgThomas Stromberg tstrombe@rtci.comThomas Valentino Crimi
tcrimi+@andrew.cmu.eduThomas Wintergerst thomas@lemur.nord.deÞórður Ívarsson
totii@est.isThierry Thomas tthomas@mail.dotcom.frTimothy Jensen toast@blackened.comTim Kientzle kientzle@netcom.comTim Singletary
tsingle@sunland.gsfc.nasa.govTim Wilkinson tim@sarc.city.ac.ukTimo J. Rinne tri@iki.fiTobias Reifenberger treif@mayn.deTodd Miller millert@openbsd.orgTom root@majestix.cmr.noTom tom@sdf.comTom Gray - DCA dcasba@rain.orgTom Jobbins tom@tom.tjTom Pusateri pusateri@juniper.netTom Rush tarush@mindspring.comTom Samplonius tom@misery.sdf.comTomohiko Kurahashi
kura@melchior.q.t.u-tokyo.ac.jpTony Kimball alk@Think.COMTony Li tli@jnx.comTony Lynn wing@cc.nsysu.edu.twTony Maher tonym@angis.org.auTorbjorn Granlund tege@matematik.su.seToshihiko SHIMOKAWA toshi@tea.forus.or.jpToshihiro Kanda candy@kgc.co.jpToshiomi Moriki
Toshiomi.Moriki@ma1.seikyou.ne.jpTrefor S. trefor@flevel.co.ukTrenton Schulz twschulz@cord.eduTrevor Blackwell tlb@viaweb.comUdo Schweigert ust@cert.siemens.deUgo Paternostro paterno@dsi.unifi.itUlf Kieber kieber@sax.deUlli Linzen ulli@perceval.camelot.deURATA Shuichiro s-urata@nmit.tmg.nec.co.jpUwe Arndt arndt@mailhost.uni-koblenz.deVadim Belman vab@lflat.vas.mobilix.dkVadim Chekan vadim@gc.lviv.uaVadim Kolontsov vadim@tversu.ac.ruVadim Mikhailov mvp@braz.ruValentin Nechayev netch@lucky.net&a.logo;Van Jacobson van@ee.lbl.govVasily V. Grechishnikov
bazilio@ns1.ied-vorstu.ac.ruVasim Valejev vasim@uddias.diaspro.comVernon J. Schryver vjs@mica.denver.sgi.comVeselin Slavov vess@btc.netVic Abell abe@cc.purdue.eduVille Eerola ve@sci.fiVince Valenti vince@blue-box.netVincent Poy vince@venus.gaianet.netVincenzo Capuano
VCAPUANO@vmprofs.esoc.esa.deVirgil Champlin champlin@pa.dec.comVladimir A. Jakovenko
vovik@ntu-kpi.kiev.uaVladimir Kushnir kushn@mail.kar.netVsevolod Lobko seva@alex-ua.comW. Gerald Hicks wghicks@bellsouth.netW. Richard Stevens rstevens@noao.eduWalt Howard howard@ee.utah.eduWalt M. Shandruk walt@erudition.netWarren Toomey wkt@csadfa.cs.adfa.oz.auWayne Scott wscott@ichips.intel.comWerner Griessl
werner@btp1da.phy.uni-bayreuth.deWes Santee wsantee@wsantee.oz.netWietse Venema wietse@wzv.win.tue.nlWiljo Heinen wiljo@freeside.ki.open.deWillem Jan Withagen wjw@surf.IAE.nlWilliam Jolitz withheldWilliam Liao william@tale.netWojtek Pilorz
wpilorz@celebris.bdk.lublin.plWolfgang Helbig helbig@ba-stuttgart.deWolfgang Solfrank ws@tools.deWolfgang Stanglmeier wolf@FreeBSD.orgWu Ching-hong woju@FreeBSD.ee.Ntu.edu.TWYarema yds@ingress.comYaroslav Terletsky ts@polynet.lviv.uaYasuhiro Fukama yasuf@big.or.jpYasuhito FUTATSUKI futatuki@fureai.or.jpYen-Ming Lee leeym@bsd.ce.ntu.edu.twYen-Shuo Su yssu@CCCA.NCTU.edu.twYin-Jieh Chen yinjieh@Crazyman.Dorm13.NCTU.edu.twYixin Jin yjin@rain.cs.ucla.eduYoichi Asai yatt@msc.biglobe.ne.jpYoichi Nakayama yoichi@eken.phys.nagoya-u.ac.jpYoshiaki Uchikawa yoshiaki@kt.rim.or.jpYoshihiko SARUMRU mistral@imasy.or.jpYoshihisa NAKAGAWA
y-nakaga@ccs.mt.nec.co.jpYoshikazu Goto gotoh@ae.anritsu.co.jpYoshimasa Ohnishi
ohnishi@isc.kyutech.ac.jpYoshishige Arai ryo2@on.rim.or.jpYuichi MATSUTAKA matutaka@osa.att.ne.jpYujiro MIYATA
miyata@bioele.nuee.nagoya-u.ac.jpYu-Shun Wang yushunwa@isi.eduYusuke Nawano azuki@azkey.orgYuu Yashiki s974123@cc.matsuyama-u.ac.jpYuuki SAWADA mami@whale.cc.muroran-it.ac.jpYuuichi Narahara aconitum@po.teleway.ne.jpYuval Yarom yval@cs.huji.ac.ilYves Fonk yves@cpcoup5.tn.tudelft.nlYves Fonk yves@dutncp8.tn.tudelft.nlZach Heilig zach@gaffaneys.comZach Zurflu zach@pabst.bendnet.comZahemszhky Gabor zgabor@code.huZhong Ming-Xun zmx@mail.CDPA.nsysu.edu.tw386BSD Patch Kit Patch Contributors(in alphabetical order by first name):Adam Glass glass@postgres.berkeley.eduAdrian Hall ahall@mirapoint.comAndrey A. Chernov ache@astral.msk.suAndrew Herbert andrew@werple.apana.org.auAndrew Moore alm@netcom.comAndy Valencia ajv@csd.mot.comjtk@netcom.comArne Henrik Juul arnej@Lise.Unit.NOBakul Shah bvs@bitblocks.comBarry Lustig barry@ictv.comBob Wilcox bob@obiwan.uucpBranko LankesterBrett Lymn blymn@mulga.awadi.com.AUCharles Hannum mycroft@ai.mit.eduChris G. Demetriou
cgd@postgres.berkeley.eduChris Torek torek@ee.lbl.govChristoph Robitschko
chmr@edvz.tu-graz.ac.atDaniel Poirot poirot@aio.jsc.nasa.govDave Burgess burgess@hrd769.brooks.af.milDave Rivers rivers@ponds.uucpDavid Dawes dawes@physics.su.OZ.AUDavid Greenman dg@Root.COMEric J. Haug ejh@slustl.slu.eduFelix Gaehtgens
felix@escape.vsse.in-berlin.deFrank Maclachlan fpm@crash.cts.comGary A. Browning gab10@griffcd.amdahl.comGary Howland gary@hotlava.comGeoff Rehmet csgr@alpha.ru.ac.zaGoran Hammarback goran@astro.uu.seGuido van Rooij guido@gvr.orgGuy Antony Halse guy@rucus.ru.ac.zaGuy Harris guy@auspex.comHavard Eidnes
Havard.Eidnes@runit.sintef.noHerb Peyerl hpeyerl@novatel.cuc.ab.caHolger Veit Holger.Veit@gmd.deIshii Masahiro, R. Kym HorsellJ.T. Conklin jtc@cygnus.comJagane D Sundar jagane@netcom.comJames Clark jjc@jclark.comJames Jegers jimj@miller.cs.uwm.eduJames W. DolterJames da Silva jds@cs.umd.edu et alJay Fenlason hack@datacube.comJim Wilson wilson@moria.cygnus.comJörg Lohse
lohse@tech7.informatik.uni-hamburg.deJörg Wunsch
joerg_wunsch@uriah.heep.sax.deJohn DysonJohn Woods jfw@eddie.mit.eduJordan K. Hubbard jkh@whisker.hubbard.ieJulian Elischer julian@dialix.oz.auJulian Stacey jhs@FreeBSD.orgKarl Dietz Karl.Dietz@triplan.comKarl Lehenbauer karl@NeoSoft.comkarl@one.neosoft.comKeith Bostic bostic@toe.CS.Berkeley.EDUKen HughesKent Talarico kent@shipwreck.tsoft.netKevin Lahey kml%rokkaku.UUCP@mathcs.emory.edukml@mosquito.cis.ufl.eduKonstantinos Konstantinidis kkonstan@duth.grMarc Frajola marc@dev.comMark Tinguely tinguely@plains.nodak.edutinguely@hookie.cs.ndsu.NoDak.eduMartin Renters martin@tdc.on.caMichael Clay mclay@weareb.orgMichael Galassi nerd@percival.rain.comMike Durkin mdurkin@tsoft.sf-bay.orgNaoki Hamada nao@tom-yam.or.jpNate Williams nate@bsd.coe.montana.eduNick Handel nhandel@NeoSoft.comnick@madhouse.neosoft.comPace Willisson pace@blitz.comPaul Kranenburg pk@cs.few.eur.nlPaul Mackerras paulus@cs.anu.edu.auPaul Popelka paulp@uts.amdahl.comPeter da Silva peter@NeoSoft.comPhil Sutherland
philsuth@mycroft.dialix.oz.auPoul-Henning Kamp phk@FreeBSD.orgRalf Friedl friedl@informatik.uni-kl.deRick Macklem root@snowhite.cis.uoguelph.caRobert D. Thrush rd@phoenix.aii.comRodney W. Grimes rgrimes@cdrom.comSascha Wildner swildner@channelz.GUN.deScott Burris scott@pita.cns.ucla.eduScott Reynolds scott@clmqt.marquette.mi.usSean Eric Fagan sef@kithrup.comSimon J Gerraty sjg@melb.bull.oz.ausjg@zen.void.oz.auStephen McKay syssgm@devetir.qld.gov.auTerry Lambert terry@icarus.weber.eduTerry Lee terry@uivlsi.csl.uiuc.eduTor Egge Tor.Egge@idi.ntnu.noWarren Toomey wkt@csadfa.cs.adfa.oz.auWiljo Heinen wiljo@freeside.ki.open.deWilliam Jolitz withheldWolfgang Solfrank ws@tools.deWolfgang Stanglmeier wolf@dentaro.GUN.deYuval Yarom yval@cs.huji.ac.il
diff --git a/en_US.ISO8859-1/books/handbook/advanced-networking/chapter.sgml b/en_US.ISO8859-1/books/handbook/advanced-networking/chapter.sgml
index b11369b2fb..386b3cce54 100644
--- a/en_US.ISO8859-1/books/handbook/advanced-networking/chapter.sgml
+++ b/en_US.ISO8859-1/books/handbook/advanced-networking/chapter.sgml
@@ -1,3884 +1,3884 @@
Advanced NetworkingSynopsisThe following chapter will cover some of the more frequently
used network services on Unix systems. This, of course, will
pertain to configuring said services on your FreeBSD system.Gateways and RoutesContributed by &a.gryphon;. 6 October
1995.routeroutinggatewaysubnetFor one machine to be able to find another, there must be a
mechanism in place to describe how to get from one to the other. This is
called Routing. A route is a defined pair of addresses: a
destination and a gateway. The pair
indicates that if you are trying to get to this
destination, send along through this
gateway. There are three types of destinations:
individual hosts, subnets, and default. The
default route is used if none of the other routes apply.
We will talk a little bit more about default routes later on. There are
also three types of gateways: individual hosts, interfaces (also called
links), and Ethernet hardware addresses.An exampleTo illustrate different aspects of routing, we will use the
following example which is the output of the command netstat
-r:Destination Gateway Flags Refs Use Netif Expire
default outside-gw UGSc 37 418 ppp0
localhost localhost UH 0 181 lo0
test0 0:e0:b5:36:cf:4f UHLW 5 63288 ed0 77
10.20.30.255 link#1 UHLW 1 2421
foobar.com link#1 UC 0 0
host1 0:e0:a8:37:8:1e UHLW 3 4601 lo0
host2 0:e0:a8:37:8:1e UHLW 0 5 lo0 =>
host2.foobar.com link#1 UC 0 0
224 link#1 UC 0 0default routeThe first two lines specify the default route (which we will cover
in the next section) and the localhost route.loopback deviceThe interface (Netif column) that it specifies
to use for localhost is
lo0, also known as the loopback device. This
says to keep all traffic for this destination internal, rather than
sending it out over the LAN, since it will only end up back where it
started anyway.EthernetMAC addressThe next thing that stands out are the 0:e0:... addresses. These are Ethernet hardware
addresses. FreeBSD will automatically identify any hosts
(test0 in the example) on the local Ethernet and add
a route for that host, directly to it over the Ethernet interface,
ed0. There is also a timeout
(Expire column) associated with this type of route,
which is used if we fail to hear from the host in a specific amount of
time. In this case the route will be automatically deleted. These
hosts are identified using a mechanism known as RIP (Routing
Information Protocol), which figures out routes to local hosts based
upon a shortest path determination.subnetFreeBSD will also add subnet routes for the local subnet (10.20.30.255 is the broadcast address for the
subnet 10.20.30, and foobar.com is the domain name associated
with that subnet). The designation link#1 refers
to the first Ethernet card in the machine. You will notice no
additional interface is specified for those.Both of these groups (local network hosts and local subnets) have
their routes automatically configured by a daemon called
routed. If this is not run, then only routes which
are statically defined (ie. entered explicitly) will exist.The host1 line refers to our host, which it
knows by Ethernet address. Since we are the sending host, FreeBSD
knows to use the loopback interface (lo0)
rather than sending it out over the Ethernet interface.The two host2 lines are an example of what
happens when we use an &man.ifconfig.8; alias (see the section of Ethernet for
reasons why we would do this). The => symbol
after the lo0 interface says that not only
are we using the loopback (since this is address also refers to the
local host), but specifically it is an alias. Such routes only show
up on the host that supports the alias; all other hosts on the local
network will simply have a link#1 line for
such.The final line (destination subnet 224) deals
with MultiCasting, which will be covered in a another section.The other column that we should talk about are the
Flags. Each route has different attributes that
are described in the column. Below is a short table of some of these
flags and their meanings:UUp: The route is active.HHost: The route destination is a single host.GGateway: Send anything for this destination on to this
remote system, which will figure out from there where to send
it.SStatic: This route was configured manually, not
automatically generated by the system.CClone: Generates a new route based upon this route for
machines we connect to. This type of route is normally used
for local networks.WWasCloned: Indicated a route that was auto-configured
based upon a local area network (Clone) route.LLink: Route involves references to Ethernet
hardware.Default routesdefault routeWhen the local system needs to make a connection to remote host,
it checks the routing table to determine if a known path exists. If
the remote host falls into a subnet that we know how to reach (Cloned
routes), then the system checks to see if it can connect along that
interface.If all known paths fail, the system has one last option: the
default route. This route is a special type of gateway
route (usually the only one present in the system), and is always
marked with a c in the flags field. For hosts on a
local area network, this gateway is set to whatever machine has a
direct connection to the outside world (whether via PPP link, or your
hardware device attached to a dedicated data line).If you are configuring the default route for a machine which
itself is functioning as the gateway to the outside world, then the
default route will be the gateway machine at your Internet Service
Provider's (ISP) site.Let us look at an example of default routes. This is a common
configuration:
[Local2] <--ether--> [Local1] <--PPP--> [ISP-Serv] <--ether--> [T1-GW]
The hosts Local1 and Local2 are
at your site, with the formed being your PPP connection to your ISP's
Terminal Server. Your ISP has a local network at their site, which
has, among other things, the server where you connect and a hardware
device (T1-GW) attached to the ISP's Internet feed.The default routes for each of your machines will be:hostdefault gatewayinterfaceLocal2Local1EthernetLocal1T1-GWPPPA common question is Why (or how) would we set the T1-GW to
be the default gateway for Local1, rather than the ISP server it is
connected to?.Remember, since the PPP interface is using an address on the ISP's
local network for your side of the connection, routes for any other
machines on the ISP's local network will be automatically generated.
Hence, you will already know how to reach the T1-GW machine, so there
is no need for the intermediate step of sending traffic to the ISP
server.As a final note, it is common to use the address ...1 as the gateway address for your local
network. So (using the same example), if your local class-C address
space was 10.20.30 and your ISP was
using 10.9.9 then the default routes
would be:
Local2 (10.20.30.2) --> Local1 (10.20.30.1)
Local1 (10.20.30.1, 10.9.9.30) --> T1-GW (10.9.9.1)
Dual homed hostsdual homed hostsThere is one other type of configuration that we should cover, and
that is a host that sits on two different networks. Technically, any
machine functioning as a gateway (in the example above, using a PPP
connection) counts as a dual-homed host. But the term is really only
used to refer to a machine that sits on two local-area
networks.In one case, the machine as two Ethernet cards, each having an
address on the separate subnets. Alternately, the machine may only
have one Ethernet card, and be using &man.ifconfig.8; aliasing. The former is
used if two physically separate Ethernet networks are in use, the
latter if there is one physical network segment, but two logically
separate subnets.Either way, routing tables are set up so that each subnet knows
that this machine is the defined gateway (inbound route) to the other
subnet. This configuration, with the machine acting as a Bridge
between the two subnets, is often used when we need to implement
packet filtering or firewall security in either or both
directions.Routing propagationrouting propogationWe have already talked about how we define our routes to the
outside world, but not about how the outside world finds us.We already know that routing tables can be set up so that all
traffic for a particular address space (in our examples, a class-C
subnet) can be sent to a particular host on that network, which will
forward the packets inbound.When you get an address space assigned to your site, your service
provider will set up their routing tables so that all traffic for your
subnet will be sent down your PPP link to your site. But how do sites
across the country know to send to your ISP?There is a system (much like the distributed DNS information) that
keeps track of all assigned address-spaces, and defines their point of
connection to the Internet Backbone. The Backbone are
the main trunk lines that carry Internet traffic across the country,
and around the world. Each backbone machine has a copy of a master
set of tables, which direct traffic for a particular network to a
specific backbone carrier, and from there down the chain of service
providers until it reaches your network.It is the task of your service provider to advertise to the
backbone sites that they are the point of connection (and thus the
path inward) for your site. This is known as route
propagation.TroubleshootingtracerouteSometimes, there is a problem with routing propagation, and some
sites are unable to connect to you. Perhaps the most useful command
for trying to figure out where a routing is breaking down is the
&man.traceroute.8; command. It is equally useful if you cannot seem
to make a connection to a remote machine (i.e. &man.ping.8;
fails).The &man.traceroute.8; command is run with the name of the remote
host you are trying to connect to. It will show the gateway hosts
along the path of the attempt, eventually either reaching the target
host, or terminating because of a lack of connection.For more information, see the manual page for
&man.traceroute.8;.BridgingWritten by Steve Peterson
steve@zpfe.com.IntroductionIP subnetbridgeIt is sometimes useful to divide one physical network (i.e., an
Ethernet segment) into two separate network segments, without having
to create IP subnets and use a router to connect the segments
together. A device that connects two networks together in this
fashion is called a bridge. and a FreeBSD system with two network
interface cards can act as a bridge.The bridge works by learning the MAC layer addresses (i.e.,
Ethernet addresses) of the devices on each of its network interfaces.
It forwards traffic between two networks only when its source and
destination are on different networks.In many respects, a bridge is like an Ethernet switch with very
few ports.Situations where bridging is appropriateThere are two common situations in which a bridge is used
today.High traffic on a segmentSituation one is where your physical network segment is
overloaded with traffic, but you don't want for whatever reason to
subnet the network and interconnect the subnets with a
router.Let's consider an example of a newspaper where the Editorial and
Production departments are on the same subnetwork. The Editorial
users all use server A for file service, and the Production users
are on server B. An Ethernet is used to connect all users together,
and high loads on the network are slowing things down.If the Editorial users could be segregated on one network
segment and the Production users on another, the two network
segments could be connected with a bridge. Only the network traffic
destined for interfaces on the "other" side of the bridge would be
sent to the other network, reducing congestion on each network
segment.Filtering/traffic shaping firewallfirewallIP MasqueradingThe second common situation is where firewall functionality is
needed without IP Masquerading (NAT).An example is a small company that is connected via DSL or ISDN
to their ISP. They have a 13 address global IP allocation for their
ISP and have 10 PCs on their network. In this situation, using a
router-based firewall is difficult because of subnetting
issues.routerDSLISDNA bridge-based firewall can be configured and dropped into the
path just downstream of their DSL/ISDN router without any IP
numbering issues.Configuring a bridgeNetwork interface card selectionA bridge requires at least two network cards to function.
Unfortunately, not all network interface cards as of FreeBSD 4.0
support bridging. Read &man.bridge.4; for details on the cards that
are supported.Install and test the two network cards before continuing.Kernel configuration changeskernel configurationkernel configurationoptions BRIDGETo enable kernel support for bridging, add theoptions BRIDGEstatement to your kernel configuration file, and rebuild your
kernel.Firewall supportfirewallIf you are planning to use the bridge as a firewall, you will
need to add the IPFIREWALL option as well. Read for general information on configuring the
bridge as a firewall.If you need to allow non-IP packets (such as ARP) to flow
through the bridge, there is an undocumented firewall option that
must be set. This option is
IPFIREWALL_DEFAULT_TO_ACCEPT. Note that this
changes the default rule for the firewall to accept any packet.
Make sure you know how this changes the meaning of your ruleset
before you set it.Traffic shaping supportIf you want to use the bridge as a traffic shaper, you will need
to add the DUMMYNET option to your kernel
configuration. Read &man.dummynet.4; for further
information.Enabling the bridgeAdd the linenet.link.ether.bridge=1to /etc/sysctl.conf to enable the bridge at
runtime. If you want the bridged packets to be filtered by &man.ipfw.8;,
you should also addnet.link.ether.bridge_ipfw=1as well.PerformanceMy bridge/firewall is a Pentium 90 with one 3Com 3C900B and one
3C905B. The protected side of the network runs at 10mbps half duplex
and the connection between the bridge and my router (a Cisco 675) runs
at 100mbps full duplex. With no filtering enabled, I've found that
the bridge adds about 0.4 milliseconds of latency to pings from the
protected 10mbps network to the Cisco 675.Other informationIf you want to be able to telnet into the bridge from the network,
it is OK to assign one of the network cards an IP address. The
consensus is that assigning both cards an address is a bad
idea.If you have multiple bridges on your network, there cannot be more
than one path between any two workstations. Technically, this means
that there is no support for spanning tree link management.NFSWritten by &a.unfurl;, 4 March 2000.NFSAmong the many different file systems that FreeBSD supports is
a very unique type, the Network File System or NFS. NFS allows you
to share directories and files on one machine with one or more other
machines via the network they are attached to. Using NFS, users and
programs can access files on remote systems as if they were local
files.NFS has several benefits:Local workstations don't need as much disk space because
commonly used data can be stored on a single machine and still
remain accessible to everyone on the network.There is no need for users to have unique home directories
on every machine on your network. Once they have an established
directory that is available via NFS it can be accessed from
anywhere.Storage devices such as floppies and CDROM drives can be
used by other machines on the network eliminating the need for
extra hardware.How It WorksNFS is composed of two sides – a client side and a
server side. Think of it as a want/have relationship. The client
wants the data that the server side
has. The server shares its data with the
client. In order for this system to function properly a few
processes have to be configured and running properly.The server has to be running the following daemons:NFSserverportmapmountdnfsdnfsd - The NFS Daemon which services
requests from NFS clients.mountd - The NFS Mount Daemon which
actually carries out requests that &man.nfsd.8; passes on to
it.portmap - The
portmapper daemon which allows NFS
clients to find out which port the NFS server is
using.The client side only needs to run a single daemon:NFSclientnfsiodnfsiod - The NFS async I/O Daemon which
services requests from its NFS server.Configuring NFSNFSconfigurationLuckily for us, on a FreeBSD system this setup is a snap. The
processes that need to be running can all be run at boot time with
a few modifications to your /etc/rc.conf
file.On the NFS server make sure you have:portmap_enable="YES"
nfs_server_enable="YES"
nfs_server_flags="-u -t -n 4"
mountd_flags="-r"mountd is automatically run whenever the
NFS server is enabled. The and
flags to nfsd tell it to
serve UDP and TCP clients. The flag tells
nfsd to start 4 copies of itself.On the client, make sure you have:nfs_client_enable="YES"
nfs_client_flags="-n 4"Like nfsd, the tells
nfsiod to start 4 copies of itself.The last configuration step requires that you create a file
called /etc/exports. The exports file
specifies which file systems on your server will be shared
(a.k.a., exported) and with what clients they will
be shared. Each line in the file specifies a file system to be
shared. There are a handful of options that can be used in this
file but only a few will be mentioned here. You can find out
about the rest in the &man.exports.5; man page.Here are a few example /etc/exports
entries:NFSexporting filesystemsThe following line exports /cdrom to
three silly machines that have the same domain name as the server
(hence the lack of a domain name for each) or have entries in your
/etc/hosts file. The
flag makes the shared file system read-only. With this flag, the
remote system will not be able to make any changes to the
shared file system./cdrom -ro moe larry curlyThe following line exports /home to three
hosts by IP address. This is a useful setup if you have a
private network but do not have DNS running. The
flag allows all the directories below
the specified file system to be exported as well./home -alldirs 10.0.0.2 10.0.0.3 10.0.0.4The following line exports /a to two
machines that have different domain names than the server. The
flag allows
the root user on the remote system to write to the shared
file system as root. Without the -maproot=0 flag even if
someone has root access on the remote system they won't
be able to modify files on the shared file system./a -maproot=0 host.domain.com box.example.comIn order for a client to share an exported file system it must
have permission to do so. Make sure your client is listed in your
/etc/exports file.It's important to remember that you must restart mountd
whenever you modify /etc/exports so that
your changes take effect. This can be accomplished by sending
the hangup signal to the mountd process :&prompt.root; kill -HUP `cat /var/run/mountd.pid`Now that you have made all these changes you can just reboot
and let FreeBSD start everything for you at boot time or you can
run the following commands as root:On the NFS server:&prompt.root; portmap
&prompt.root; nfsd -u -t -n 4
&prompt.root; mountd -rOn the NFS client:&prompt.root; nfsiod -n 4Now you should be ready to actually mount a remote file
system. This can be done one of two ways. In these examples the
server's name will be server and the client's
name will be client. If you just want to
temporarily mount a remote file system or just want to test out
your config you can run a command like this as root on the
client:NFSmounting filesystems&prompt.root; mount server:/home /mntThis will mount /home on the server on
/mnt on the client. If everything is setup
correctly you should be able to go into /mnt on the client and see
all the files that are on the server.If you want to permanently (each time you reboot) mount a
remote file system you need to add it to your
/etc/fstab file. Here is an example
line:server:/home /mnt nfs rw 0 0Read the &man.fstab.5; man page for more options.Practical UsesThere are many very cool uses for NFS. Some of the more common
ones are listed below.NFSusesHave several machines on a network and share a CDROM or
floppy drive among them. This is cheaper and often more
convenient.With so many machines on a network, it gets old having your
personal files strewn all over the place. You can have a
central NFS server that houses all user home directories and
shares them with the rest of the machines on the LAN, so no
matter where you log in you will have the same home
directory.When you get to reinstalling FreeBSD on one of your
machines, NFS is the way to go! Just pop your distribution
CDROM into your file server and away you go!Have a common /usr/ports/distfiles
directory that all your machines share. That way, when you go
to install a port that you've already installed on a different
machine, you do not have to download the source all over
again!Problems integrating with other systemsContributed by &a.jlind;.Certain Ethernet adapters for ISA PC systems have limitations
which can lead to serious network problems, particularly with NFS.
This difficulty is not specific to FreeBSD, but FreeBSD systems
are affected by it.The problem nearly always occurs when (FreeBSD) PC systems are
networked with high-performance workstations, such as those made
by Silicon Graphics, Inc., and Sun Microsystems, Inc. The NFS
mount will work fine, and some operations may succeed, but
suddenly the server will seem to become unresponsive to the
client, even though requests to and from other systems continue to
be processed. This happens to the client system, whether the
client is the FreeBSD system or the workstation. On many systems,
there is no way to shut down the client gracefully once this
problem has manifested itself. The only solution is often to
reset the client, because the NFS situation cannot be
resolved.Though the correct solution is to get a higher
performance and capacity Ethernet adapter for the FreeBSD system,
there is a simple workaround that will allow satisfactory
operation. If the FreeBSD system is the
server, include the option
on the mount from the client. If the
FreeBSD system is the client, then mount the
NFS file system with the option . These
options may be specified using the fourth field of the
fstab entry on the client for automatic
mounts, or by using the parameter of the mount
command for manual mounts.It should be noted that there is a different problem,
sometimes mistaken for this one, when the NFS servers and clients
are on different networks. If that is the case, make
certain that your routers are routing the
necessary UDP information, or you will not get anywhere, no matter
what else you are doing.In the following examples, fastws is the host
(interface) name of a high-performance workstation, and
freebox is the host (interface) name of a FreeBSD
system with a lower-performance Ethernet adapter. Also,
/sharedfs will be the exported NFS
filesystem (see man exports), and
/project will be the mount point on the
client for the exported file system. In all cases, note that
additional options, such as or
and may be desirable in
your application.Examples for the FreeBSD system (freebox) as
the client: in /etc/fstab on freebox:fastws:/sharedfs /project nfs rw,-r=1024 0 0As a manual mount command on freebox:&prompt.root; mount -t nfs -o -r=1024 fastws:/sharedfs /projectExamples for the FreeBSD system as the server: in
/etc/fstab on fastws:freebox:/sharedfs /project nfs rw,-w=1024 0 0As a manual mount command on fastws:&prompt.root; mount -t nfs -o -w=1024 freebox:/sharedfs /projectNearly any 16-bit Ethernet adapter will allow operation
without the above restrictions on the read or write size.For anyone who cares, here is what happens when the failure
occurs, which also explains why it is unrecoverable. NFS
typically works with a block size of 8k (though it
may do fragments of smaller sizes). Since the maximum Ethernet
packet is around 1500 bytes, the NFS block gets
split into multiple Ethernet packets, even though it is still a
single unit to the upper-level code, and must be received,
assembled, and acknowledged as a unit. The
high-performance workstations can pump out the packets which
comprise the NFS unit one right after the other, just as close
together as the standard allows. On the smaller, lower capacity
cards, the later packets overrun the earlier packets of the same
unit before they can be transferred to the host and the unit as a
whole cannot be reconstructed or acknowledged. As a result, the
workstation will time out and try again, but it will try again
with the entire 8K unit, and the process will be repeated, ad
infinitum.By keeping the unit size below the Ethernet packet size
limitation, we ensure that any complete Ethernet packet received
can be acknowledged individually, avoiding the deadlock
situation.Overruns may still occur when a high-performance workstations
is slamming data out to a PC system, but with the better cards,
such overruns are not guaranteed on NFS units. When
an overrun occurs, the units affected will be retransmitted, and
there will be a fair chance that they will be received, assembled,
and acknowledged.Diskless OperationContributed by &a.martin;.diskless workstationnetboot.com/netboot.rom
allow you to boot your FreeBSD machine over the network and run FreeBSD
without having a disk on your client. Under 2.0 it is now possible to
have local swap. Swapping over NFS is also still supported.Supported Ethernet cards include: Western Digital/SMC 8003, 8013,
8216 and compatibles; NE1000/NE2000 and compatibles (requires
recompile)Setup InstructionsFind a machine that will be your server. This machine will
require enough disk space to hold the FreeBSD 2.0 binaries and
have bootp, tftp and NFS services available. Tested
machines:HP-UXHP9000/8xx running HP-UX 9.04 or later (pre 9.04 doesn't
work)SolarisSun/Solaris 2.3. (you may need to get bootp)Set up a bootp server to provide the client with IP address, gateway,
netmask.diskless:\
:ht=ether:\
:ha=0000c01f848a:\
:sm=255.255.255.0:\
:hn:\
:ds=192.1.2.3:\
:ip=192.1.2.4:\
:gw=192.1.2.5:\
:vm=rfc1048:TFTPbootpSet up a TFTP server (on same machine as bootp server) to
provide booting information to client. The name of this file is
cfg.X.X.X.X (or
/tftpboot/cfg.X.X.X.X,
it will try both) where X.X.X.X is the
IP address of the client. The contents of this file can be any
valid netboot commands. Under 2.0, netboot has the following
commands:helpprint help listip
print/set client's IP addressserver
print/set bootp/tftp server addressnetmask
print/set netmaskhostname nameprint/set hostnamekernel
print/set kernel namerootfs
print/set root filesystemswapfs
print/set swap filesystemswapsize
set diskless swapsize in KBytesdiskbootboot from diskautobootcontinue boot processtrans
|turn transceiver on|offflags
set boot flagsA typical completely diskless config file might contain:rootfs 192.1.2.3:/rootfs/myclient
swapfs 192.1.2.3:/swapfs
swapsize 20000
hostname myclient.mydomainA config file for a machine with local swap might contain:rootfs 192.1.2.3:/rootfs/myclient
hostname myclient.mydomainEnsure that your NFS server has exported the root (and swap if
applicable) filesystems to your client, and that the client has
root access to these filesystems A typical
/etc/exports file on FreeBSD might look
like:/rootfs/myclient -maproot=0:0 myclient.mydomain
/swapfs -maproot=0:0 myclient.mydomainAnd on HP-UX:/rootfs/myclient -root=myclient.mydomain
/swapfs -root=myclient.mydomainNFSswapping overIf you are swapping over NFS (completely diskless
configuration) create a swap file for your client using
dd. If your swapfs
command has the arguments /swapfs and
the size 20000 as in the example above, the swapfile for
myclient will be called
/swapfs/swap.X.X.X.X
where X.X.X.X is the client's IP
address, e.g.:&prompt.root; dd if=/dev/zero of=/swapfs/swap.192.1.2.4 bs=1k count=20000Also, the client's swap space might contain sensitive
information once swapping starts, so make sure to restrict read
and write access to this file to prevent unauthorized
access:&prompt.root; chmod 0600 /swapfs/swap.192.1.2.4Unpack the root filesystem in the directory the client will
use for its root filesystem (/rootfs/myclient
in the example above).On HP-UX systems: The server should be running HP-UX 9.04
or later for HP9000/800 series machines. Prior versions do not
allow the creation of device files over NFS.When extracting /dev in
/rootfs/myclient, beware that some
systems (HPUX) will not create device files that FreeBSD is
happy with. You may have to go to single user mode on the
first bootup (press control-c during the bootup phase), cd
/dev and do a sh ./MAKEDEV
all from the client to fix this.Run netboot.com on the client or make an
EPROM from the netboot.rom fileUsing Shared / and /usr
filesystemsAlthough this is not an officially sanctioned or supported way
of doing this, some people report that it works quite well. If
anyone has any suggestions on how to do this cleanly, please tell
&a.doc;.Compiling netboot for specific setupsNetboot can be compiled to support NE1000/2000 cards by changing
the configuration in
/sys/i386/boot/netboot/Makefile. See the
comments at the top of this file.ISDNA good resource for information on ISDN technology and hardware is
Dan Kegel's ISDN
Page.A quick simple road map to ISDN follows:If you live in Europe you might want to investigate the ISDN card
section.If you are planning to use ISDN primarily to connect to the
Internet with an Internet Provider on a dial-up non-dedicated basis,
you might look into Terminal Adapters. This will give you the
most flexibility, with the fewest problems, if you change
providers.If you are connecting two LANs together, or connecting to the
Internet with a dedicated ISDN connection, you might consider
the stand alone router/bridge option.Cost is a significant factor in determining what solution you will
choose. The following options are listed from least expensive to most
expensive.ISDN CardsContributed by &a.hm;.ISDNcardsThis section is really only relevant to ISDN users in countries
where the DSS1/Q.931 ISDN standard is supported.Some growing number of PC ISDN cards are supported under FreeBSD
2.2.X and up by the isdn4bsd driver package. It is still under
development but the reports show that it is successfully used all over
Europe.isdn4bsdThe latest isdn4bsd version is available from ftp://isdn4bsd@ftp.consol.de/pub/,
the main isdn4bsd FTP site (you have to log in as user
isdn4bsd , give your mail address as the password
and change to the pub directory. Anonymous FTP
as user ftp or anonymous
will not give the desired result).Isdn4bsd allows you to connect to other ISDN routers using either
IP over raw HDLC or by using synchronous PPP. A telephone answering
machine application is also available.Many ISDN PC cards are supported, mostly the ones with a Siemens
ISDN chipset (ISAC/HSCX), support for other chipsets (from Motorola,
Cologne Chip Designs) is currently under development. For an
up-to-date list of supported cards, please have a look at the README
file.In case you are interested in adding support for a different ISDN
protocol, a currently unsupported ISDN PC card or otherwise enhancing
isdn4bsd, please get in touch with hm@kts.org.A majordomo maintained mailing list is available. To join the
list, send mail to &a.majordomo; and
specify:subscribe freebsd-isdnin the body of your message.ISDN Terminal AdaptersTerminal adapters(TA), are to ISDN what modems are to regular
phone lines.modemMost TA's use the standard hayes modem AT command set, and can be
used as a drop in replacement for a modem.A TA will operate basically the same as a modem except connection
and throughput speeds will be much faster than your old modem. You
will need to configure PPP exactly the same
as for a modem setup. Make sure you set your serial speed as high as
possible.PPPThe main advantage of using a TA to connect to an Internet
Provider is that you can do Dynamic PPP. As IP address space becomes
more and more scarce, most providers are not willing to provide you
with a static IP anymore. Most stand-alone routers are not able to
accommodate dynamic IP allocation.TA's completely rely on the PPP daemon that you are running for
their features and stability of connection. This allows you to
upgrade easily from using a modem to ISDN on a FreeBSD machine, if you
already have PPP setup. However, at the same time any problems you
experienced with the PPP program and are going to persist.If you want maximum stability, use the kernel PPP option, not the user-land iijPPP.The following TA's are know to work with FreeBSD.Motorola BitSurfer and Bitsurfer ProAdtranMost other TA's will probably work as well, TA vendors try to make
sure their product can accept most of the standard modem AT command
set.The real problem with external TA's is like modems you need a good
serial card in your computer.You should read the FreeBSD Serial
Hardware tutorial for a detailed understanding of
serial devices, and the differences between asynchronous and
synchronous serial ports.A TA running off a standard PC serial port (asynchronous) limits
you to 115.2Kbs, even though you have a 128Kbs connection. To fully
utilize the 128Kbs that ISDN is capable of, you must move the TA to a
synchronous serial card.Do not be fooled into buying an internal TA and thinking you have
avoided the synchronous/asynchronous issue. Internal TA's simply have
a standard PC serial port chip built into them. All this will do, is
save you having to buy another serial cable, and find another empty
electrical socket.A synchronous card with a TA is at least as fast as a stand-alone
router, and with a simple 386 FreeBSD box driving it, probably more
flexible.The choice of sync/TA v.s. stand-alone router is largely a
religious issue. There has been some discussion of this in
the mailing lists. I suggest you search the archives for
the complete discussion.Stand-alone ISDN Bridges/RoutersISDNstand-alone bridges/routersISDN bridges or routers are not at all specific to FreeBSD
or any other operating system. For a more complete
description of routing and bridging technology, please refer
to a Networking reference book.In the context of this page, the terms router and bridge will
be used interchangeably.As the cost of low end ISDN routers/bridges comes down, it
will likely become a more and more popular choice. An ISDN
router is a small box that plugs directly into your local
Ethernet network(or card), and manages its own connection to
the other bridge/router. It has all the software to do PPP
and other protocols built in.A router will allow you much faster throughput that a
standard TA, since it will be using a full synchronous ISDN
connection.The main problem with ISDN routers and bridges is that
interoperability between manufacturers can still be a problem.
If you are planning to connect to an Internet provider, you
should discuss your needs with them.If you are planning to connect two LAN segments together,
ie: home LAN to the office LAN, this is the simplest lowest
maintenance solution. Since you are buying the equipment for
both sides of the connection you can be assured that the link
will work.For example to connect a home computer or branch office
network to a head office network the following setup could be
used.Branch office or Home network10 base 2Network uses a bus based topology with 10 base 2
Ethernet ("thinnet"). Connect router to network cable with
AUI/10BT transceiver, if necessary.---Sun workstation
|
---FreeBSD box
|
---Windows 95 (Do not admit to owning it)
|
Stand-alone router
|
ISDN BRI line10 Base 2 EthernetIf your home/branch office is only one computer you can use a
twisted pair crossover cable to connect to the stand-alone router
directly.Head office or other LAN10 base TNetwork uses a star topology with 10 base T Ethernet
("Twisted Pair"). -------Novell Server
| H |
| ---Sun
| |
| U ---FreeBSD
| |
| ---Windows 95
| B |
|___---Stand-alone router
|
ISDN BRI lineISDN Network DiagramOne large advantage of most routers/bridges is that they allow you
to have 2 separate independent PPP connections to
2 separate sites at the same time. This is not
supported on most TA's, except for specific(expensive) models that
have two serial ports. Do not confuse this with channel bonding, MPP
etc.This can be very useful feature, for example if you have an
dedicated ISDN connection at your office and would like to
tap into it, but don't want to get another ISDN line at work. A router
at the office location can manage a dedicated B channel connection
(64Kbs) to the Internet, as well as a use the other B channel for a
separate data connection. The second B channel can be used for
dial-in, dial-out or dynamically bond(MPP etc.) with the first B channel
for more bandwidth.IPX/SPXAn Ethernet bridge will also allow you to transmit more than just
IP traffic, you can also send IPX/SPX or whatever other protocols you
use.NIS/YPWritten by &a.unfurl;, 21 January 2000, enhanced
with parts and comments from Eric Ogren
eogren@earthlink.net and Udo Erdelhoff
ue@nathan.ruhr.de in June 2000.What is it?NISSolarisHP-UXAIXLinuxNetBSDOpenBSDNIS, which stands for Network Information Services, was
developed by Sun Microsystems to centralize administration of Unix
(originally SunOS) systems. It has now essentially become an
industry standard; all major Unix systems (Solaris, HP-UX, AIX, Linux,
NetBSD, OpenBSD, FreeBSD, etc) support NIS.yellow pagesNISNIS was formerly known as Yellow Pages (or yp), but due to
copyright violations, Sun was forced to change the name.NISdomainsIt is a RPC-based client/server system that allows a group
of machines within an NIS domain to share a common set of
configuration files. This permits a system administrator to set
up NIS client systems with only minimal configuration data and
add, remove or modify configuration data from a single
location.Windows NTIt is similar to Windows NT's domain system; although the
internal implementation of the two aren't at all similar,
the basic functionality can be compared.Terms/processes you should knowThere are several terms and several important user processes
that you will come across when
attempting to implement NIS on FreeBSD, whether you are trying to
create an NIS server or act an NIS client:The NIS domainname. An NIS master
server and all of its clients (including its slave servers) have
a NIS domainname. Similar to an NT domain name, the NIS
domainname does not have anything to do with DNS.portmapportmap. portmap
must be running in order to enable RPC (Remote Procedure Call, a
network protocol used by NIS). If portmap is
not running, it will be impossible to run an NIS server, or to
act as an NIS client.ypbind. ypbind
“binds” an NIS client to its NIS server.
It will take the NIS domainname from the system, and
using RPC, connect to the server. ypbind is
the core of client-server communication in an NIS environment; if
ypbind dies on a client machine, it will not
be able to access the NIS server.ypserv. ypserv,
which should only be running on NIS servers, is the NIS server
process itself. If &man.ypserv.8; dies, then the server will no longer be
able to respond to NIS requests (hopefully, there is a slave
server to take over for it).There are some implementations of NIS (but not the
FreeBSD one), that don't try to reconnect to another server
if the server it used before dies. Often, the only thing
that helps in this case is to restart the server process (or
even the whole server) or the ypbind process
on the client.rpc.yppasswdd.
rpc.yppasswdd, another process that should
only be running on NIS master servers, is a daemon that will
allow NIS clients to change their NIS passwords.
If this daemon is not running, users will have to login to the
NIS master server and change their passwords there.How does it work?There are three types of hosts in an NIS environment; master
servers, slave servers, and clients. Servers act as a central
repository for host configuration information. Master servers
hold the authoritative copy of this information, while slave
servers mirror this information for redundancy. Clients rely on
the servers to provide this information to them.Information in many files can be shared in this manner. The
master.passwd, group,
and hosts files are commonly shared via NIS.
Whenever a process on a client needs information that would
normally be found in these files locally, it makes a query to the
server it is bound to, to get this information.Machine typesNISmaster serverA NIS master server.
This server, analogous to a Windows
NT primary domain controller, maintains the files used by all
of the NIS clients. The passwd,
group, and other various files used by the
NIS clients live on the master server.It is possible for one machine to be an NIS
master server for more than one NIS domain. However, this will
not be covered in this introduction, which assumes a relatively
small-scale NIS environment.NISslave serverNIS slave servers.
Similar to NT's backup domain
controllers, NIS slave servers maintain copies of the NIS
master's data files. NIS slave servers provide the redundancy,
which is needed in important environments. They also help
to balance the load of the master server: NIS Clients always
attach to the NIS server whose response they get first, and
this includes slave-server-replies.NISclientNIS clients. NIS clients, like most
NT workstations, authenticate against the NIS server (or the NT
domain controller in the NT Workstation case) to log on.Using NIS/YPThis section will deal with setting up a sample NIS
environment.This section assumes that you are running FreeBSD 3.3
or later. The instructions given here will
probably work for any version of FreeBSD greater
than 3.0, but there are no guarantees that this is
true.PlanningLet's assume that you are the administrator of a small
university lab. This lab, which consists of 15 FreeBSD machines,
currently has no centralized point of administration; each machine
has its own /etc/passwd and
/etc/master.passwd. These files are kept in
sync with each other only through manual intervention;
currently, when you add a user to the lab, you must run
adduser on all 15 machines.
Clearly, this has to change, so you have decided to convert the
lab to use NIS, using two of the machines as servers.Therefore, the configuration of the lab now looks something
like:Machine nameIP addressMachine roleellington10.0.0.2NIS mastercoltrane10.0.0.3NIS slavebasie10.0.0.4Faculty workstationbird10.0.0.5Client machinecli[1-11]10.0.0.[6-17]Other client machinesIf you are setting up a NIS scheme for the first time, it
is a good idea to think through how you want to go about it. No
matter what the size of your network, there are a few decisions
that need to be made.Choosing a NIS Domain NameNISdomainnameThis might not be the domainname that you
are used to. It is more accurately called the
NIS domainname. When a client broadcasts its
requests for info, it includes the name of the NIS domain
that it is part of. This is how multiple servers on one
network can tell which server should answer which request.
Think of the NIS domainname as the name for a group of hosts
that are related in some way.Some organizations choose to use their Internet domainname
for their NIS domainname. This is not recommended as it can
cause confusion when trying to debug network problems. The
NIS domainname should be unique within your network and it is
helpful if it describes the group of machines it represents.
For example, the Art department at Acme Inc. might be in the
"acme-art" NIS domain. For this example, assume you have
chosen the name test-domain.SunOSHowever, some operating systems (notably SunOS) use their
NIS domain name as their Internet domain name.
If one or more machines on your network have this restriction,
you must use the Internet domain name as
your NIS domain name.Physical Server RequirementsThere are several things to keep in mind when choosing a
machine to use as a NIS server. One of the unfortunate things
about NIS is the level of dependency the clients have on the
server. If a client cannot contact the server for its NIS
domain, very often the machine becomes unusable. The lack of
user and group information causes most systems to temporarily
freeze up. With this in mind you should make sure to choose a
machine that won't be prone to being rebooted regularly, or
one that might be used for development. The NIS server should
ideally be a stand alone machine whose sole purpose in life is
to be an NIS server. If you have a network that is not very
heavily used, it is acceptable to put the NIS server on a
machine running other services, just keep in mind that if the
NIS server becomes unavailable, it will affect
all of your NIS clients adversely.NIS Servers The canonical copies of all NIS information are stored on
a single machine called the NIS master server. The databases
used to store the information are called NIS maps. In FreeBSD,
these maps are stored in
/var/yp/[domainname] where
[domainname] is the name of the NIS domain
being served. A single NIS server can support several domains
at once, therefore it is possible to have several such
directories, one for each supported domain. Each domain will
have its own independent set of maps.NIS master and slave servers handle all NIS requests with
the ypserv daemon. Ypserv
is responsible for receiving incoming requests from NIS clients,
translating the requested domain and map name to a path to the
corresponding database file and transmitting data from the
database back to the client.Setting up a NIS master serverNISserver configurationSetting up a master NIS server can be relatively straight
forward, depending on your needs. FreeBSD comes with support
for NIS out-of-the-box. All you need is to add the following
lines to /etc/rc.conf, and FreeBSD will
do the rest for you.nisdomainname="test-domain"
This line will set the NIS domainname to
test-domain
upon network setup (e.g. after reboot).nis_server_enable="YES"
This will tell FreeBSD to start up the NIS server processes
when the networking is next brought up.nis_yppasswdd_enable="YES"
This will enable the rpc.yppasswdd
daemon, which, as mentioned above, will allow users to
change their NIS password from a client machine.Now, all you have to do is to run the command
/etc/netstart as superuser. It will
setup everything for you, using the values you defined in
/etc/rc.conf.Initializing the NIS mapsNIS mapsThe NIS maps are database files,
that are kept in the /var/yp directory.
They are generated from configuration files in the
/etc directory of the NIS master, with one
exception: the /etc/master.passwd file.
This is for a good reason; you don't want to propagate
passwords to your root and other administrative accounts to
all the servers in the NIS domain. Therefore, before we
initialize the NIS maps, you should:&prompt.root; cp /etc/master.passwd /var/yp/master.passwd
&prompt.root; cd /var/yp
&prompt.root; vi master.passwdYou should remove all entries regarding system accounts
(bin, tty, kmem, games, etc), as well as any accounts that you
don't want to be propagated to the NIS clients (for example
root and any other UID 0 (superuser) accounts).Make sure the
/var/yp/master.passwd is neither group
nor world readable (mode 600)! Use the
chmod command, if appropriate.Tru64 UnixWhen you have finished, it's time to initialize the NIS
maps! FreeBSD includes a script named
ypinit to do this for you
(see its man page for more information). Note that this
script is available on most Unix OSs, but not on all.
On Digital Unix/Compaq Tru64 Unix it is called
ypsetup.
Because we are generating maps for an NIS master, we are
going to pass the option to
ypinit.
To generate the NIS maps, assuming you already performed
the steps above, run:ellington&prompt.root; ypinit -m test-domain
Server Type: MASTER Domain: test-domain
Creating an YP server will require that you answer a few questions.
Questions will all be asked at the beginning of the procedure.
Do you want this procedure to quit on non-fatal errors? [y/n: n] n
Ok, please remember to go back and redo manually whatever fails.
If you don't, something might not work.
At this point, we have to construct a list of this domains YP servers.
rod.darktech.org is already known as master server.
Please continue to add any slave servers, one per line. When you are
done with the list, type a <control D>.
master server : ellington
next host to add: coltrane
next host to add: ^D
The current list of NIS servers looks like this:
ellington
coltrane
Is this correct? [y/n: y] y
[..output from map generation..]
NIS Map update completed.
ellington has been setup as an YP master server without any errors.ypinit should have created
/var/yp/Makefile from
/var/yp/Makefile.dist.
When created, this file assumes that you are operating
in a single server NIS environment with only FreeBSD
machines. Since test-domain has
a slave server as well, you must edit
/var/yp/Makefile:ellington&prompt.root; vi /var/yp/MakefileYou should comment out the line that says `NOPUSH =
"True"' (if it is not commented out already).Setting up a NIS slave serverNISconfiguring a slave serverSetting up an NIS slave server is even more simple than
setting up the master. Log on to the slave server and edit the
file /etc/rc.conf as you did before.
The only difference is that we now must use the
option when running ypinit.
The option requires the name of the NIS
master be passed to it as well, so our command line looks
like:coltrane&prompt.root; ypinit -s ellington test-domain
Server Type: SLAVE Domain: test-domain Master: ellington
Creating an YP server will require that you answer a few questions.
Questions will all be asked at the beginning of the procedure.
Do you want this procedure to quit on non-fatal errors? [y/n: n] n
Ok, please remember to go back and redo manually whatever fails.
If you don't, something might not work.
There will be no further questions. The remainder of the procedure
should take a few minutes, to copy the databases from ellington.
Transferring netgroup...
ypxfr: Exiting: Map successfully transferred
Transferring netgroup.byuser...
ypxfr: Exiting: Map successfully transferred
Transferring netgroup.byhost...
ypxfr: Exiting: Map successfully transferred
Transferring master.passwd.byuid...
ypxfr: Exiting: Map successfully transferred
Transferring passwd.byuid...
ypxfr: Exiting: Map successfully transferred
Transferring passwd.byname...
ypxfr: Exiting: Map successfully transferred
Transferring group.bygid...
ypxfr: Exiting: Map successfully transferred
Transferring group.byname...
ypxfr: Exiting: Map successfully transferred
Transferring services.byname...
ypxfr: Exiting: Map successfully transferred
Transferring rpc.bynumber...
ypxfr: Exiting: Map successfully transferred
Transferring rpc.byname...
ypxfr: Exiting: Map successfully transferred
Transferring protocols.byname...
ypxfr: Exiting: Map successfully transferred
Transferring master.passwd.byname...
ypxfr: Exiting: Map successfully transferred
Transferring networks.byname...
ypxfr: Exiting: Map successfully transferred
Transferring networks.byaddr...
ypxfr: Exiting: Map successfully transferred
Transferring netid.byname...
ypxfr: Exiting: Map successfully transferred
Transferring hosts.byaddr...
ypxfr: Exiting: Map successfully transferred
Transferring protocols.bynumber...
ypxfr: Exiting: Map successfully transferred
Transferring ypservers...
ypxfr: Exiting: Map successfully transferred
Transferring hosts.byname...
ypxfr: Exiting: Map successfully transferred
coltrane has been setup as an YP slave server without any errors.
Don't forget to update map ypservers on ellington.You should now have a directory called
/var/yp/test-domain. Copies of the NIS
master server's maps should be in this directory. You will
need to make sure that these stay updated. The following
/etc/crontab entries on your slave
servers should do the job:20 * * * * root /usr/libexec/ypxfr passwd.byname
21 * * * * root /usr/libexec/ypxfr passwd.byuidThese two lines force the slave to sync its maps with
the maps on the master server. Although this is
not mandatory, because the master server
tries to make sure any changes to its NIS maps are
communicated to its slaves, the password
information is so vital to systems that depend on the server,
that it is a good idea to force the updates. This is more
important on busy networks where map updates might not always
complete.Now, run the command /etc/netstart on the
slave server as well, which again starts the NIS server.NIS Clients An NIS client establishes what is called a binding to a
particular NIS server using the
ypbind daemon.
ypbind checks the system's default
domain (as set by the domainname command),
and begins broadcasting RPC requests on the local network.
These requests specify the name of the domain for which
ypbind is attempting to establish a binding.
If a server that has been configured to serve the requested
domain receives one of the broadcasts, it will respond to
ypbind, which will record the server's
address. If there are several servers available (a master and
several slaves, for example), ypbind will
use the address of the first one to respond. From that point
on, the client system will direct all of its NIS requests to
that server. Ypbind will
occasionally ping the server to make sure it is
still up and running. If it fails to receive a reply to one of
its pings within a reasonable amount of time,
ypbind will mark the domain as unbound and
begin broadcasting again in the hopes of locating another
server.Setting up an NIS clientNISclient configurationSetting up a FreeBSD machine to be a NIS client is fairly
straightforward.Edit the file /etc/rc.conf and
add the following lines in order to set the NIS domainname
and start ypbind upon network
startup:nisdomainname="test-domain"
nis_client_enable="YES"To import all possible password entries from the NIS
server, add this line to your
/etc/master.passwd file, using
vipw:+:::::::::This line will afford anyone with a valid account in
the NIS server's password maps an account. There are
many ways to configure your NIS client by changing this
line. See the netgroups
part below for more information.
For more detailed reading see O'Reilly's book on
Managing NFS and NIS.To import all possible group entries from the NIS
server, add this line to your
/etc/group file:+:*::After completing these steps, you should be able to run
ypcat passwd and see the NIS server's
passwd map.NIS SecurityIn general, any remote user can issue an RPC to &man.ypserv.8; and
retrieve the contents of your NIS maps, provided the remote user
knows your domainname. To prevent such unauthorized transactions,
&man.ypserv.8; supports a feature called securenets which can be used to
restrict access to a given set of hosts. At startup, &man.ypserv.8; will
attempt to load the securenets information from a file called
/var/yp/securenets.This path varies depending on the path specified with the
option. This file contains entries that
consist of a network specification and a network mask separated
by white space. Lines starting with # are
considered to be comments. A sample securenets file might look
like this:# allow connections from local host -- mandatory
127.0.0.1 255.255.255.255
# allow connections from any host
# on the 192.168.128.0 network
192.168.128.0 255.255.255.0
# allow connections from any host
# between 10.0.0.0 to 10.0.15.255
# this includes the machines in the testlab
10.0.0.0 255.255.240.0If &man.ypserv.8; receives a request from an address that matches one
of these rules, it will process the request normally. If the
address fails to match a rule, the request will be ignored and a
warning message will be logged. If the
/var/yp/securenets file does not exist,
ypserv will allow connections from any host.The ypserv program also has support for Wietse Venema's
tcpwrapper package. This allows the
administrator to use the tcpwrapper configuration
files for access control instead of
/var/yp/securenets.While both of these access control mechanisms provide some
security, they, like the privileged port test, are
vulnerable to IP spoofing attacks. All
NIS-related traffic should be blocked at your firewall.Servers using /var/yp/securenets
may fail to serve legitimate NIS clients with archaic TCP/IP
implementations. Some of these implementations set all
host bits to zero when doing broadcasts and/or fail to
observe the subnet mask when calculating the broadcast
address. While some of these problems can be fixed by
changing the client configuration, other problems may force
the retirement of the client systems in question or the
abandonment of /var/yp/securenets.Using /var/yp/securenets on a
server with such an archaic implementation of TCP/IP is a
really bad idea and will lead to loss of NIS functionality
for large parts of your network.tcpwrapperThe use of the tcpwrapper
package increases the latency of your NIS server. The
additional delay may be long enough to cause timeouts in
client programs, especially in busy networks or with slow
NIS servers. If one or more of your client systems
suffers from these symptoms, you should convert the client
systems in question into NIS slave servers and force them
to bind to themselves.Barring some users from logging onIn our lab, there is a machine basie that is
supposed to be a faculty only workstation. We don't want to take this
machine out of the NIS domain, yet the passwd
file on the master NIS server contains accounts for both faculty and
students. What can we do?There is a way to bar specific users from logging on to a
machine, even if they are present in the NIS database. To do this,
all you must do is add
-username to the end of
the /etc/master.passwd file on the client
machine, where username is the username of
the user you wish to bar from logging in. This should preferably be
done using vipw, since vipw
will sanity check your changes to
/etc/master.passwd, as well as
automatically rebuild the password database when you
finish editing. For example, if we wanted to bar user
bill from logging on to basie
we would:basie&prompt.root; vipw[add -bill to the end, exit]
vipw: rebuilding the database...
vipw: done
basie&prompt.root; cat /etc/master.passwd
root:[password]:0:0::0:0:The super-user:/root:/bin/csh
toor:[password]:0:0::0:0:The other super-user:/root:/bin/sh
daemon:*:1:1::0:0:Owner of many system processes:/root:/sbin/nologin
operator:*:2:5::0:0:System &:/:/sbin/nologin
bin:*:3:7::0:0:Binaries Commands and Source,,,:/:/sbin/nologin
tty:*:4:65533::0:0:Tty Sandbox:/:/sbin/nologin
kmem:*:5:65533::0:0:KMem Sandbox:/:/sbin/nologin
games:*:7:13::0:0:Games pseudo-user:/usr/games:/sbin/nologin
news:*:8:8::0:0:News Subsystem:/:/sbin/nologin
man:*:9:9::0:0:Mister Man Pages:/usr/share/man:/sbin/nologin
bind:*:53:53::0:0:Bind Sandbox:/:/sbin/nologin
uucp:*:66:66::0:0:UUCP pseudo-user:/var/spool/uucppublic:/usr/libexec/uucp/uucico
xten:*:67:67::0:0:X-10 daemon:/usr/local/xten:/sbin/nologin
pop:*:68:6::0:0:Post Office Owner:/nonexistent:/sbin/nologin
nobody:*:65534:65534::0:0:Unprivileged user:/nonexistent:/sbin/nologin
+:::::::::
-bill
basie&prompt.root;Using netgroupsnetgroupsThe netgroups part was contributed by
Udo Erdelhoff ue@nathan.ruhr.de in July
2000.The method shown in the previous chapter works reasonably
well if you need special rules for a very small number of
users and/or machines. On larger networks, you
will forget to bar some users from logging
onto sensitive machines, or you may even have to modify each
machine separately, thus losing the main benefit of NIS,
centralized administration.The NIS developers' solution for this problem is called
netgroups. Their purpose and semantics
can be compared to the normal groups used by Unix file
systems. The main differences are the lack of a numeric id
and the ability to define a netgroup by including both user
accounts and other netgroups.Netgroups were developed to handle large, complex networks
with hundreds of users and machines. On one hand, this is
a Good Thing if you are forced to deal with such a situation.
On the other hand, this complexity makes it almost impossible to
explain netgroups with really simple examples. The example
used in the remainder of this chapter demonstrates this
problem.Let us assume that your successful introduction of NIS in
your laboratory caught your superiors' interest. Your next
job is to extend your NIS domain to cover some of the other
machines on campus. The two tables contain the names of the
new users and new machines as well as brief descriptions of
them.User Name(s)Descriptionalpha, betaNormal employees of the IT departmentcharlie, deltaThe new apprentices of the IT departmentecho, foxtrott, golf, ...Ordinary employeesable, baker, ...The current internsMachine Name(s)Descriptionwar, death, famine, pollutionYour most important servers. Only the IT
employees are allowed to log onto these
machines.
-
+
pride, greed, envy, wrath, lust, slothLess important servers. All members of the IT
department are allowed to login onto these machines.one, two, three, four, ...Ordinary workstations. Only the
real employees are allowed to use
these machines.trashcanA very old machine without any critical data.
Even the intern is allowed to use this box.If you tried to implement these restrictions by separately
blocking each user, you would have to add one
-user line to each system's
passwd
for each user who is not allowed to login onto that system.
If you forget just one entry, you could be in trouble. It may
be feasible to do this correctly during the initial setup,
however you will eventually forget to add
the lines for new users during day-to-day operations. After
all, Murphy was an optimist.Handling this situation with netgroups offers several
advantages. Each user need not be handled separately;
you assign a user to one or more netgroups and allow or forbid
logins for all members of the netgroup. If you add a new
machine, you will only have to define login restrictions for
netgroups. If a new user is added, you will only have to add
the user to one or more netgroups. Those changes are
independent of each other; no more for each combination
of user and machine do... If your NIS setup is planned
carefully, you will only have to modify exactly one central
configuration file to grant or deny access to machines.The first step is the initialization of the NIS map
netgroup. FreeBSD's &man.ypinit.8; does not create this map by
default, but its NIS implementation will support it once it has
been created. To create an empty map, simply typeellington&prompt.root; vi /var/yp/netgroupand start adding content. For our example, we need at
least four netgroups: IT employees, IT apprentices, normal
employees and interns.IT_EMP (,alpha,test-domain) (,beta,test-domain)
IT_APP (,charlie,test-domain) (,delta,test-domain)
USERS (,echo,test-domain) (,foxtrott,test-domain) \
(,golf,test-domain)
INTERNS (,able,test-domain) (,baker,test-domain)IT_EMP, IT_APP etc.
are the names of the netgroups. Each bracketed group adds
one or more user accounts to it. The three fields inside a
group are:The name of the host(s) where the following items are
valid. If you do not specify a hostname, the entry is
valid on all hosts. If you do specify a hostname, you
will enter a realm of darkness, horror and utter confusion.The name of the account that belongs to this
netgroup.The NIS domain for the account. You can import
accounts from other NIS domains into your netgroup if you
are one of unlucky fellows with more than one NIS
domain.Each of these fields can contain wildcards. See
&man.netgroup.5; for details.netgroupsNetgroup names longer than 8 characters should not be
used, especially if you have machines running other
operating systems within your NIS domain. The names are
case sensitive; using capital letters for your netgroup
names is an easy way to distinguish between user, machine
and netgroup names.Some NIS clients (other than FreeBSD) cannot handle
netgroups with a large number of entries. For example, some
older versions of SunOS start to cause trouble if a netgroup
contains more than 15 entries. You can
circumvent this limit by creating several sub-netgroups with
15 users or less and a real netgroup that consists of the
sub-netgroups:BIGGRP1 (,joe1,domain) (,joe2,domain) (,joe3,domain) [...]
BIGGRP2 (,joe16,domain) (,joe17,domain) [...]
BIGGRP3 (,joe31,domain) (,joe32,domain)
BIGGROUP BIGGRP1 BIGGRP2 BIGGRP3You can repeat this process if you need more than 225
users within a single netgroup.Activating and distributing your new NIS map is
easy:ellington&prompt.root; cd /var/yp
ellington&prompt.root; makeThis will generate the three NIS maps
netgroup,
netgroup.byhost and
netgroup.byuser. Use &man.ypcat.1; to
check if your new NIS maps are available:ellington&prompt.user; ypcat -k netgroup
ellington&prompt.user; ypcat -k netgroup.byhost
ellington&prompt.user; ypcat -k netgroup.byuserThe output of the first command should resemble the
contents of /var/yp/netgroup. The second
command will not produce output if you have not specified
host-specific netgroups. The third command can be used to
get the list of netgroups for a user.The client setup is quite simple. To configure the server
war, you only have to start
&man.vipw.8; and replace the line+:::::::::with+@IT_EMP:::::::::Now, only the data for the users defined in the netgroup
IT_EMP is imported into
war's password database and only
these users are allowed to login.Unfortunately, this limitation also applies to the ~
function of the shell and all routines converting between user
names and numerical user ids. In other words,
cd ~user will not work,
ls -l will show the numerical id instead of
the username and find . -user joe -print will
fail with No such user. To fix this, you will
have to import all user entries without allowing them
to login onto your servers.This can be achieved by adding another line to
/etc/master.passwd. This line should
contain +:::::::::/sbin/nologin, meaning
Import all entries but replace the shell with
/sbin/nologin in the imported
entries. You can replace any field
in the passwd entry by placing a default value in your
/etc/master.passwd.Make sure that the line
+:::::::::/sbin/nologin is placed after
+@IT_EMP:::::::::. Otherwise, all user
accounts imported from NIS will have /sbin/nologin as their
login shell.After this change, you will only have to change one NIS
map if a new employee joins the IT department. You could use
a similar approach for the less important servers by replacing
the old +::::::::: in their local version
of /etc/master.passwd with something like
this:+@IT_EMP:::::::::
+@IT_APP:::::::::
+:::::::::/sbin/nologinThe corresponding lines for the normal workstations
could be:+@IT_EMP:::::::::
+@USERS:::::::::
+:::::::::/sbin/nologinAnd everything would be fine until there is a policy
change a few weeks later: The IT department starts hiring
interns. The IT interns are allowed to use the normal
workstations and the less important servers; and the IT
apprentices are allowed to login onto the main servers. You
add a new netgroup IT_INTERN, add the new IT interns to this
netgroup and start to change the config on each and every
machine... As the old saying goes: Errors in
centralized planning lead to global mess.NIS' ability to create netgroups from other netgroups can
be used to prevent situations like these. One possibility
is the creation of role-based netgroups. For example, you
could create a netgroup called
BIGSRV to define the login
restrictions for the important servers, another netgroup
called SMALLSRV for the less
important servers and a third netgroup called
USERBOX for the normal
workstations. Each of these netgroups contains the netgroups
that are allowed to login onto these machines. The new
entries for your NIS map netgroup should look like this:BIGSRV IT_EMP IT_APP
SMALLSRV IT_EMP IT_APP ITINTERN
USERBOX IT_EMP ITINTERN USERSThis method of defining login restrictions works
reasonably well if you can define groups of machines with
identical restrictions. Unfortunately, this is the exception
and not the rule. Most of the time, you will need the ability
to define login restrictions on a per-machine basis.Machine-specific netgroup definitions are the other
possibility to deal with the policy change outlined above. In
this scenario, the /etc/master.passwd of
each box contains two lines starting with ``+''. The first of
them adds a netgroup with the accounts allowed to login onto
this machine, the second one adds all other accounts with
/sbin/nologin as shell. It is a good
idea to use the ALL-CAPS version of the machine name as the
name of the netgroup. In other words, the lines should look
like this:+@BOXNAME:::::::::
+:::::::::/sbin/nologinOnce you have completed this task for all your machines,
you will not have to modify the local versions of
/etc/master.passwd ever again. All
further changes can be handled by modifying the NIS map. Here
is an example of a possible netgroup map for this
scenario with some additional goodies.# Define groups of users first
IT_EMP (,alpha,test-domain) (,beta,test-domain)
IT_APP (,charlie,test-domain) (,delta,test-domain)
DEPT1 (,echo,test-domain) (,foxtrott,test-domain)
DEPT2 (,golf,test-domain) (,hotel,test-domain)
DEPT3 (,india,test-domain) (,juliet,test-domain)
ITINTERN (,kilo,test-domain) (,lima,test-domain)
D_INTERNS (,able,test-domain) (,baker,test-domain)
#
# Now, define some groups based on roles
USERS DEPT1 DEPT2 DEPT3
BIGSRV IT_EMP IT_APP
SMALLSRV IT_EMP IT_APP ITINTERN
USERBOX IT_EMP ITINTERN USERS
#
# And a groups for a special tasks
# Allow echo and golf to access our anti-virus-machine
SECURITY IT_EMP (,echo,test-domain) (,golf,test-domain)
#
# machine-based netgroups
# Our main servers
WAR BIGSRV
FAMINE BIGSRV
# User india needs access to this server
POLLUTION BIGSRV (,india,test-domain)
#
# This one is really important and needs more access restrictions
DEATH IT_EMP
#
# The anti-virus-machine mentioned above
ONE SECURITY
#
# Restrict a machine to a single user
TWO (,hotel,test-domain)
# [...more groups to follow]If you are using some kind of database to manage your user
accounts, you should be able to create the first part of the
map with your database's report tools. This way, new users
will automatically have access to the boxes.One last word of caution: It may not always be advisable
to use machine-based netgroups. If you are deploying a couple
dozen or even hundreds of identical machines for student labs,
you should use role-based netgroups instead of machine-based
netgroups to keep the size of the NIS map within reasonable
limits.Important things to rememberThere are still a couple of things that you will need to do
differently now that you are in an NIS environment.Every time you wish to add a user to the lab, you
must add it to the master NIS server only,
and you must remember to rebuild the NIS
maps. If you forget to do this, the new user will
not be able to login anywhere except on the NIS master.
For example, if we needed to add a new user
“jsmith” to the lab, we would:&prompt.root; pw useradd jsmith
&prompt.root; cd /var/yp
&prompt.root; make test-domainYou could also run adduser jsmith instead
of pw useradd jsmith.Keep the administration accounts out of the NIS
maps. You don't want to be propagating administrative
accounts and passwords to machines that will have users that
shouldn't have access to those accounts.Keep the NIS master and slave
secure, and minimize their downtime.
If somebody either hacks or simply turns off
these machines, they have effectively rendered many people without
the ability to login to the lab.This is the chief weakness of any centralized administration
system, and it is probably the most important weakness. If you do
not protect your NIS servers, you will have a lot of angry
users!NIS v1 compatibility FreeBSD's ypserv has some support
for serving NIS v1 clients. FreeBSD's NIS implementation only
uses the NIS v2 protocol, however other implementations include
support for the v1 protocol for backwards compatibility with older
systems. The ypbind daemons supplied
with these systems will try to establish a binding to an NIS v1
server even though they may never actually need it (and they may
persist in broadcasting in search of one even after they receive a
response from a v2 server). Note that while support for normal
client calls is provided, this version of ypserv does not handle
v1 map transfer requests; consequently, it cannot be used as a
master or slave in conjunction with older NIS servers that only
support the v1 protocol. Fortunately, there probably are not any
such servers still in use today.NIS servers that are also NIS clients Care must be taken when running ypserv in a multi-server
domain where the server machines are also NIS clients. It is
generally a good idea to force the servers to bind to themselves
rather than allowing them to broadcast bind requests and possibly
become bound to each other. Strange failure modes can result if
one server goes down and others are dependent upon on it.
Eventually all the clients will time out and attempt to bind to
other servers, but the delay involved can be considerable and the
failure mode is still present since the servers might bind to each
other all over again.You can force a host to bind to a particular server by running
ypbind with the
flag.libscrypt v.s. libdescryptNIScrypto libraryOne of the most common issues that people run into when trying
to implement NIS is crypt library compatibility. If your NIS
server is using the DES crypt libraries, it will only support
clients that are using DES as well. To check which one your server
and clients are using look at the symlinks in
/usr/lib. If the machine is configured to
use the DES libraries, it will look something like this:&prompt.user; ls -l /usr/lib/*crypt*
lrwxrwxrwx 1 root wheel 13 Jul 15 08:55 /usr/lib/libcrypt.a@ -> libdescrypt.a
lrwxrwxrwx 1 root wheel 14 Jul 15 08:55 /usr/lib/libcrypt.so@ -> libdescrypt.so
lrwxrwxrwx 1 root wheel 16 Jul 15 08:55 /usr/lib/libcrypt.so.2@ -> libdescrypt.so.2
lrwxrwxrwx 1 root wheel 15 Jul 15 08:55 /usr/lib/libcrypt_p.a@ -> libdescrypt_p.a
-r--r--r-- 1 root wheel 13018 Nov 8 14:27 /usr/lib/libdescrypt.a
lrwxr-xr-x 1 root wheel 16 Nov 8 14:27 /usr/lib/libdescrypt.so@ -> libdescrypt.so.2
-r--r--r-- 1 root wheel 12965 Nov 8 14:27 /usr/lib/libdescrypt.so.2
-r--r--r-- 1 root wheel 14750 Nov 8 14:27 /usr/lib/libdescrypt_p.aIf the machine is configured to use the standard FreeBSD MD5
crypt libraries they will look something like this:&prompt.user; ls -l /usr/lib/*crypt*
lrwxrwxrwx 1 root wheel 13 Jul 15 08:55 /usr/lib/libcrypt.a@ -> libscrypt.a
lrwxrwxrwx 1 root wheel 14 Jul 15 08:55 /usr/lib/libcrypt.so@ -> libscrypt.so
lrwxrwxrwx 1 root wheel 16 Jul 15 08:55 /usr/lib/libcrypt.so.2@ -> libscrypt.so.2
lrwxrwxrwx 1 root wheel 15 Jul 15 08:55 /usr/lib/libcrypt_p.a@ -> libscrypt_p.a
-r--r--r-- 1 root wheel 6194 Nov 8 14:27 /usr/lib/libscrypt.a
lrwxr-xr-x 1 root wheel 14 Nov 8 14:27 /usr/lib/libscrypt.so@ -> libscrypt.so.2
-r--r--r-- 1 root wheel 7579 Nov 8 14:27 /usr/lib/libscrypt.so.2
-r--r--r-- 1 root wheel 6684 Nov 8 14:27 /usr/lib/libscrypt_p.aIf you have trouble authenticating on an NIS client, this
is a pretty good place to start looking for possible problems.
If you want to deploy an NIS server for a heterogenous
network, you will probably have to use DES on all systems
because it is the lowest common standard.DHCPWritten by &a.gsutter;, March 2000.What is DHCP?Dynamic Host Configuration Protocol (DHCP)Internet Software Consortium (ISC)DHCP, the Dynamic Host Configuration Protocol, describes
the means by which a system can connect to a network and obtain the
necessary information for communication upon that network. FreeBSD
uses the ISC (Internet Software Consortium) DHCP implementation, so
all implementation-specific information here is for use with the ISC
distribution.What This Section CoversThis handbook section attempts to describe only the parts
of the DHCP system that are integrated with FreeBSD;
consequently, the server portions are not described. The DHCP
manual pages, in addition to the references below, are useful
resources.How it WorksUDPWhen dhclient, the DHCP client, is executed on the client
machine, it begins broadcasting requests for configuration
information. By default, these requests are on UDP port 68. The
server replies on UDP 67, giving the client an IP address and
other relevant network information such as netmask, router, and
DNS servers. All of this information comes in the form of a DHCP
"lease" and is only valid for a certain time (configured by the
DHCP server maintainer). In this manner, stale IP addresses for
clients no longer connected to the network can be automatically
reclaimed.DHCP clients can obtain a great deal of information from
the server. An exhaustive list may be found in
&man.dhcp-options.5;.FreeBSD IntegrationFreeBSD fully integrates the ISC DHCP client,
dhclient. DHCP client support is provided
within both the installer and the base system, obviating the need
for detailed knowledge of network configurations on any network
that runs a DHCP server. dhclient has been
included in all FreeBSD distributions since 3.2.sysinstallDHCP is supported by sysinstall.
When configuring a network interface within sysinstall,
the first question asked is, "Do you want to try dhcp
configuration of this interface?" Answering affirmatively will
execute dhclient, and if successful, will fill in the network
configuration information automatically.There are two things you must do to have your system use
DHCP upon startup:DHCPrequirementsMake sure that the bpf
device is compiled into your kernel. To do this, add
pseudo-device bpf to your kernel
configuration file, and rebuild the kernel. For more
information about building kernels, see .The bpf device is already
part of the GENERIC kernel that is
supplied with FreeBSD, so if you don't have a custom
kernel, you shouldn't need to create one in order to get
DHCP working.For those who are particularly security conscious,
you should be warned that bpf
is also the device that allows packet sniffers to work
correctly (although they still have to be run as
root). bpfis required to use DHCP, but if
you are very sensitive about security, you probably
shouldn't add bpf to your
kernel in the expectation that at some point in the
future you will be using DHCP.Edit your /etc/rc.conf to
include the following:ifconfig_fxp0="DHCP"Be sure to replace fxp0 with the
designation for the interface that you wish to dynamically
configure.If you are using a different location for
dhclient, or if you wish to pass additional
flags to dhclient, also include the
following (editing as necessary):dhcp_program="/sbin/dhclient"
dhcp_flags=""DHCPserverThe DHCP server, dhcpd, is included
as part of the isc-dhcp2 port in the ports
collection. This port contains the full ISC DHCP distribution,
consisting of client, server, relay agent and documentation.
FilesDHCPconfiguration files/etc/dhclient.confdhclient requires a configuration file,
/etc/dhclient.conf. Typically the file
contains only comments, the defaults being reasonably sane. This
configuration file is described by the &man.dhclient.conf.5;
man page./sbin/dhclientdhclient is statically linked and
resides in /sbin. The &man.dhclient.8;
manual page gives more information about
dhclient./sbin/dhclient-scriptdhclient-script is the FreeBSD-specific
DHCP client configuration script. It is described in
&man.dhclient-script.8;, but should not need any user
modification to function properly./var/db/dhclient.leasesThe DHCP client keeps a database of valid leases in this
file, which is written as a log. &man.dhclient.leases.5;
gives a slightly longer description.Further ReadingThe DHCP protocol is fully described in
RFC 2131.
An informational resource has also been set up at
dhcp.org.DNSContributed by &a.chern;, April 12, 2001.
OverviewBINDFreeBSD utilizes, by default, a version of BIND (Berkeley
Internet Name Domain), which is the most common implementation of the
DNS protocol. DNS is the protocol through which names are mapped to
IP addresses, and vice versa. For example, a query for www.freebsd.org
will send back a reply for the IP address of The FreeBSD Project's
webpage, whereas, a query for ftp.freebsd.org will return the IP
address of the corresponding FTP machine. Likewise, the opposite can
happen. A query for an IP address can resolve its hostname.
DNSDNS is coordinated across the Internet through a somewhat
complex system of authoritative root name servers, and other
smaller-scale nameservers who host and relay individual domain
information.
This document refers to BIND 8.x, as it is the most current,
stable version used in FreeBSD.
RFC1034 and RFC1035 dictates the DNS protocol.
Currently, BIND is maintained by the
Internet Software Consortium (www.isc.org)Terminologyzoneszone - Each individual domain, subdomain,
or 'area' dictated by DNS is considered a zone.
Examples of zones:
. is the root zoneorg. is a zone under the root zonefoobardomain.org is a zone under the org. zonefoo.foobardomain.org. is a subdomain, a zone under the
foobardomain.org. zone
1.2.3.in-addr.arpa is a zone referencing all IP addresses
which fall under the 3.2.1.* IP space.
named, bind, name server - these are all
common names for the BIND name server package within FreeBSD.
resolverresolver - a network process by which a
system queries a nameserver for answers
root zoneroot zone - literally, a '.', refers to
the root, or beginning zone. All zones fall under this, as do all
files in fall under the root directory. It is the beginning of the
Internet zone hierarchy
origin - refers to the point of start for
the particular zone
forward dns - mapping of hostnames to IP
addresses
reverse DNSreverse dns - the opposite, mapping of IP
addresses to hostnames
Reasons to run a name server
You need your machine to host DNS information to the world
An authoritative nameserver replies exclusively
to requests.
For example, you register foobardomain.org
and wish to assign hostnames to the proper IP addresses.
A slave nameserver, which replies to queries for a
domain when the primary is down or inaccessible.
The above two can also be done with in-addr.arpa, IP
to hostname entries
You wish your machine to act as a local relay of DNS
information
DNS traffic has been measured to be about 5% or more
of the total Internet traffic.
A local DNS server may have some added benefit by
providing a local cache of DNS information.
For example, when one queries for www.freebsd.org,
their resolver goes out to (usually) your ISP's name
server, and retrieves the query.
With a local, caching DNS server, the query only has to
be made once to the outside world. Every additional
query will not have to go outside of the local network,
since the information is cached.
How it works
A DNS server in FreeBSD relies on the BIND daemon. This daemon is
called 'named' for obvious reasons.
named - the bind daemonndc - name daemon control program/etc/namedb - directory where all the bind
information resides
/etc/namedb/named.conf - daemon configuration
file
zone files are usually contained within the
/etc/namedb
directory, and contain the information (query answers from
your site) served by your name server.
Starting BINDBINDstarting
Since bind is installed by default, configuring it all is
relatively simple.
To ensure the named daemon is started at boot, put the following
modifications in your /etc/rc.confnamed_enable="YES"To start the daemon manually (after configuring it)&prompt.root; ndc startConfiguration filesBINDconfiguration filesmake-localhostBe sure to
&prompt.root; cd /etc/namedb
&prompt.root; sh make-localhostto properly create your local reverse dns zone file in
/etc/namedb/localhost.rev.
/etc/namedb/named.conf
- // $FreeBSD: doc/en_US.ISO8859-1/books/handbook/advanced-networking/chapter.sgml,v 1.61 2001/07/19 18:38:43 chern Exp $
+ // $FreeBSD: doc/en_US.ISO8859-1/books/handbook/advanced-networking/chapter.sgml,v 1.62 2001/07/21 09:13:54 murray Exp $
//
// Refer to the named(8) man page for details. If you are ever going
// to setup a primary server, make sure you've understood the hairy
// details of how DNS is working. Even with simple mistakes, you can
// break connectivity for affected parties, or cause huge amount of
// useless Internet traffic.
options {
directory "/etc/namedb";
// In addition to the "forwarders" clause, you can force your name
// server to never initiate queries of its own, but always ask its
// forwarders only, by enabling the following line:
//
// forward only;
// If you've got a DNS server around at your upstream provider, enter
// its IP address here, and enable the line below. This will make you
// benefit from its cache, thus reduce overall DNS traffic in the
Internet.
/*
forwarders {
127.0.0.1;
};
*/
Just as the comment says, if you want to benefit from your
uplink's cache, you can enable this section of the config file.
Normally, your nameserver will recursively query different
nameservers until it finds the answer it is looking for. Having
this enabled will have it automatically see if your
uplink's (or whatever provided) ns has the requested query.
If your uplink has a heavily trafficked, fast nameserver,
enabling this properly could work to your advantage.
127.0.0.1 will *NOT* work here; change this to the IP of a
nameserver at your uplink.
/*
* If there is a firewall between you and nameservers you want
* to talk to, you might need to uncomment the query-source
* directive below. Previous versions of BIND always asked
* questions using port 53, but BIND 8.1 uses an unprivileged
* port by default.
*/
// query-source address * port 53;
/*
* If running in a sandbox, you may have to specify a different
* location for the dumpfile.
*/
// dump-file "s/named_dump.db";
};
// Note: the following will be supported in a future release.
/*
host { any; } {
topology {
127.0.0.0/8;
};
};
*/
// Setting up secondaries is way easier and the rough picture for this
// is explained below.
//
// If you enable a local name server, don't forget to enter 127.0.0.1
// into your /etc/resolv.conf so this server will be queried first.
// Also, make sure to enable it in /etc/rc.conf.
zone "." {
type hint;
file "named.root";
};
zone "0.0.127.IN-ADDR.ARPA" {
type master;
file "localhost.rev";
};
zone
"0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.INT" {
type master;
file "localhost.rev";
};
// NB: Do not use the IP addresses below, they are faked, and only
// serve demonstration/documentation purposes!
//
// Example secondary config entries. It can be convenient to become
// a secondary at least for the zone where your own domain is in. Ask
// your network administrator for the IP address of the responsible
// primary.
//
// Never forget to include the reverse lookup (IN-ADDR.ARPA) zone!
// (This is the first bytes of the respective IP address, in reverse
// order, with ".IN-ADDR.ARPA" appended.)
//
// Before starting to setup a primary zone, better make sure you fully
// understand how DNS and BIND works, however. There are sometimes
// unobvious pitfalls. Setting up a secondary is comparably simpler.
//
// NB: Don't blindly enable the examples below. :-) Use actual names
// and addresses instead.
//
// NOTE!!! FreeBSD runs bind in a sandbox (see named_flags in rc.conf).
// The directory containing the secondary zones must be write accessible
// to bind. The following sequence is suggested:
//
// mkdir /etc/namedb/s
// chown bind:bind /etc/namedb/s
// chmod 750 /etc/namedb/s
/*
zone "domain.com" {
type slave;
file "s/domain.com.bak";
masters {
192.168.1.1;
};
};
zone "0.168.192.in-addr.arpa" {
type slave;
file "s/0.168.192.in-addr.arpa.bak";
masters {
192.168.1.1;
};
};
*/
These are example slave entries, read below to see more.
For each new domain added to your nameserver, you must add one
of these entries to your named.conf
The simplest zone entry, can look like
zone "foobardomain.org" {
type master;
file "foorbardomain.org";
};For a master entry with the zone information within
foobardomain.org, or
zone "foobardomain.org" {
type slave;
file "foobardomain.org";
};
for a slave. Note that slave zones automatically query the
listed master (authoritative) name servers for the zone file.
Zone files
An example master 'foobardomain.org' (existing within
/etc/namedb/foobardomain.org) is as follows:
$TTL 3600
foobardomain.org. IN SOA ns1.foobardomain.org. admin.foobardomain.org. (
5 ; Serial
10800 ; Refresh
3600 ; Retry
604800 ; Expire
86400 ) ; Minimum TTL
; DNS Servers
@ IN NS ns1.foobardomain.org.
@ IN NS ns2.foobardomain.org.
; Machine Names
localhost IN A 127.0.0.1
ns1 IN A 3.2.1.2
ns2 IN A 3.2.1.3
mail IN A 3.2.1.10
@ IN A 3.2.1.30
; Aliases
www IN CNAME @
; MX Record
@ IN MX 10 mail.foobardomain.org.
Note that every hostname ending in a '.' is an exact
hostname, whereas everything without a trailing '.' is
referenced to the origin. For example, www is translated
into www + origin. In our fictitious zone file, our origin
is foobardomain.org, so www would be www.foobardomain.org.
The format of this file follows:
recordname IN recordtype valueDNSrecords
The most commonly used DNS records:
SOA - start of zone authorityNS - an authoritative nameserverA - A host addressCNAME - the canonical name for an
aliasMX - mail exchangePTR - a domain name pointer (used in
reverse dns)
foobardomain.org. IN SOA ns1.foobardomain.org. admin.foobardomain.org. (
5 ; Serial
10800 ; Refresh after 3 hours
3600 ; Retry after 1 hour
604800 ; Expire after 1 week
86400 ) ; Minimum TTL of 1 day
foobardomain.org. - the domain name, also
the origin for this zone file.
ns1.foobardomain.org. - the
primary/authoritative nameserver for this zone
admin.foobardomain.org. - the
responsible person for this zone, e-mail address with @
replaced. (admin@foobardomain.org becomes
admin.foobardomain.org)
5 - the serial number of the file. this
must
be incremented each time the zone file is modified. Nowadays,
many admins prefer a yyyymmddrr format for the serial
number.
2001041002 would mean last modified 04/10/2001, the latter 02 being
the second time the zone file has been modified this day. The
serial number is important as it alerts slave nameservers for a zone
when it is updated.
@ IN NS ns1.foobardomain.org.
This is an NS entry. Every nameserver that is going to reply
authoritatively for the zone must have one of these entries.
The @ as seen here could have been foobardomain.org.
The @ translates to the origin.
localhost IN A 127.0.0.1
ns1 IN A 3.2.1.2
ns2 IN A 3.2.1.3
mail IN A 3.2.1.10
@ IN A 3.2.1.30
The A record indicates machine names. As seen above,
ns1.foobardomain.org would resolve to 3.2.1.2. Again, the
origin symbol, @, is used here, thus meaning foobardomain.org would
resolve to 3.2.1.30.
www IN CNAME @
The canonical name record is usually used for giving aliases
to a machine. In the example, www is aliased to the machine
addressed to the origin, or foobardomain.org (3.2.1.30).
CNAMEs can be used to provide alias hostnames, or round
robin one hostname among multiple machines.
@ IN MX 10 mail.foobardomain.org.
The MX record indicates which mail servers are responsible
for handling incoming mail for the zone.
mail.foobardomain.org is the hostname of the mail server,
and 10 being the priority of that mailserver.
One can have several mailservers, with priorities of 3, 2,
1. A mail server attempting to deliver to foobardomain.org
would first try the highest priority MX, then the second
highest, etc, until the mail can be properly delivered.
For in-addr.arpa zone files (reverse dns), the same format is
used, except with PTR entries instead of
A or CNAME.
$TTL 3600
1.2.3.in-addr.arpa. IN SOA ns1.foobardomain.org. admin.foobardomain.org. (
5 ; Serial
10800 ; Refresh
3600 ; Retry
604800 ; Expire
3600 ) ; Minimum
@ IN NS ns1.foobardomain.org.
@ IN NS ns2.foobardomain.org.
2 IN PTR ns1.foobardomain.org.
3 IN PTR ns2.foobardomain.org.
10 IN PTR mail.foobardomain.org.
30 IN PTR foobardomain.org.
This file gives the proper IP address to hostname mappings of our above
fictitious domain.
Caching Name ServerBINDcaching name server
A caching nameserver is simply a nameserver that is not
authoritative for any zones. It simply asks queries of its own,
and remembers them for later use. To set one up, just configure
the name server as usual, omitting any inclusions of zones.
Running named in a SandboxBINDrunning in a sandboxContributed by Mike Makonnen
mike_makonnen@yahoo.com, May 1, 2001chrootFor added security you may want to run &man.named.8; in a
sandbox. This will reduce the potential damage should it be
compromised. If you include a sandbox directory in its command
line, named will &man.chroot.8;
into that directory immediately upon finishing processing its
command line. It is also a good idea to have named run as a
non-privileged user in the sandbox. The default FreeBSD install
contains a user bind with group bind. If we wanted the sandbox in
the /etc/namedb/sandbox directory the command
line for named would look like this:
&prompt.root; /usr/sbin/named -u bind -g bind -t /etc/namedb/sandbox <path_to_named.conf> The following steps should be taken in order to
successfully run named in a sandbox. Throughout the following
discussion we will assume the path to your sandbox is
/etc/namedb/sandboxCreate the sandbox directory:
/etc/namedb/sandboxCreate other necessary directories off of the sandbox
directory: etc and
var/runcopy /etc/localtime to
sandbox/etcmake bind:bind the owner of all files and directories in
the sandbox:
&prompt.root; chown -R bind:bind /etc/namedb/sandbox&prompt.root; chmod -R 750 /etc/namedb/sandboxThere are some issues you need to be aware of when running
named in a sandbox.Your &man.named.conf.5; file and all your zone files must
be in the sandbox
sandbox/etc/localtime is needed
in order to have the correct time for your time zone in
log messages. &man.named.8; will write its process id to a file in
sandbox/var/runThe Unix socket used for communication by the &man.ndc.8;
utility will be created in
sandbox/var/runWhen using the &man.ndc.8; utility you need to specify the
location of the Unix socket created in the sandbox, by
&man.named.8;, by using the -c switch:
&prompt.root; ndc -c /etc/namedb/sandbox/var/run/ndcIf you enable logging to file, the log files must be
in the sandbox&man.named.8; can be started in a sandbox properly, if the
following is in /etc/rc.confnamed_flags="-u bind -g bind -t /etc/namedb/sandbox"How to use the nameserverIf setup properly, the nameserver should be accessible through
the network and locally. /etc/resolv.conf must
contain a nameserver entry with the local IP address so it will query the
local name server first.
To access it over the network, the machine must have the
nameserver's IP address set properly in its own nameserver
configuration options.
SecurityAlthough BIND is the most common implementation of DNS,
there is always the issue of security. Possible and
exploitable security holes are sometimes found.
It is a good idea to subscribe to CERT and
freebsd-announce
to stay up to date with the current Internet and FreeBSD security
issues.
If a problem arises, keeping your sources up to date and having a
fresh build of named can't hurt.
Further Reading
&man.ndc.8; &man.named.8; &man.named.conf.5;
Official ISC BIND Page
http://www.isc.org/products/BIND/
BIND FAQ
http://www.nominum.com/resources/faqs/bind-faqs.htmlO'Reilly DNS and BIND 4th EditionRFC1034 - Domain Names -
Concepts and FacilitiesRFC1035 - Domain Names -
Implementation and SpecificationNetwork Address Translation daemon (natd)Contributed by &a.chern;, June 2001.
OverviewnatdFreeBSD's Network Address Translation daemon, commonly known as
&man.natd.8; is a daemon that accepts incoming raw IP packets,
changes the source to the local machine and re-injects these packets
back into the outgoing IP packet stream. natd does this by changing
the source IP address and port such that when data is received back, it is
able to determine the original location of the data and forward it
back to its original requester.Internet connection sharingIP masqueradingThe most common use of NAT is to perform what is commonly known as
Internet Connection Sharing.SetupDue to the diminishing IP space in ipv4, and the increased number
of users on high-speed consumer lines such as cable or DSL, people are
in more and more need of an Internet Connection Sharing solution. The
ability to connect several computers online through one connection and
IP address makes &man.natd.8; a reasonable choice.Most commonly, a user has a machine connected to a cable or DSL
line with one IP address and wishes to use this one connected computer to
provide Internet access to several more over a LAN.To do this, the FreeBSD machine on the Internet must act as a
gateway. This gateway machine must have two NICs--one for connecting
to the Internet router, the other connecting to a LAN. All the
machines on the LAN are connected through a hub or switch. _______ __________ ________
| | | | | |
| Hub |-----| Client B |-----| Router |----- Internet
|_______| |__________| |________|
|
____|_____
| |
| Client A |
|__________|Network LayoutWith this setup, the machine without Internet access can use
the machine with access as a gateway to access the outside
world.kernelconfigurationConfigurationThe following options must be in the kernel configuration
file:options IPFIREWALL
options IPDIVERTAdditionally, at choice, the following may also be suitable:options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPFIREWALL_VERBOSEThe following must be in /etc/rc.conf:gateway_enable="YES"
firewall_enable="YES"
firewall_type="OPEN"
natd_enable="YES"
natd_interface="fxp0"
natd_flags=""gateway_enable="YES"Sets up the machine to act as a gateway. Running
sysctl -w net.inet.ip.forwarding=1
would have the same effect.firewall_enable="YES"Enables the firewall rules in
/etc/rc.firewall at boot.firewall_type="OPEN"This specifies a predefined firewall ruleset that
allows anything in. See
/etc/rc.firewall for additional
types.natd_interface="fxp0"Indicates which interface to forward packets through.
(the interface connected to the Internet)natd_flags=""Any additional configuration options passed to
&man.natd.8; on boot.Having the previous options defined in
/etc/rc.conf would run
natd -interface fxp0 at boot. This can also
be run manually.Each machine and interface behind the LAN should be assigned IP address
numbers in the private network space as defined by
RFC 1918
and have a default gateway of the natd machine's internal IP address.For example, client a and b behind the LAN have IP addresses of 192.168.0.2
and 192.168.0.3, while the natd machine's LAN interface has an IP address of
192.168.0.1. Client a and b's default gateway must be set to that of
the natd machine, 192.168.0.1. The natd machine's external, or
Internet interface does not require any special modification for natd
to work.Port RedirectionThe drawback with natd is that the LAN clients are not accessible
from the Internet. Clients on the LAN can make outgoing connections to
the world but cannot receive incoming ones. This presents a problem
if trying to run Internet services on one of the LAN client machines.
A simple way around this is to redirect selected Internet ports on the
natd machine to a LAN client.
For example, an IRC server runs on Client A, and a web server runs
on Client B. For this to work properly, connections received on ports
6667 (irc) and 80 (web) must be redirected to the respective machines.
The -redirect_port must be passed to
&man.natd.8; with the proper options. The syntax is as follows: -redirect_port proto targetIP:targetPORT[-targetPORT]
[aliasIP:]aliasPORT[-aliasPORT]
[remoteIP[:remotePORT[-remotePORT]]]In the above example, the argument should be:
-redirect_port tcp 192.168.0.2:6667 6667
-redirect_port tcp 192.168.0.3:80 80
This will redirect the proper tcp ports to the
LAN client machines.
The -redirect_port argument can be used to indicate port
ranges over individual ports. For example, tcp
192.168.0.2:2000-3000 2000-3000 would redirect
all connections received on ports 2000 to 3000 to ports 2000
to 3000 on Client A.These options can be used when directly running
&man.natd.8; or placed within the
natd_flags="" option in
/etc/rc.conf.For further configuration options, consult &man.natd.8;Address Redirectionaddress redirectionAddress redirection is useful if several IP addresses are available, yet
they must be on one machine. With this, &man.natd.8; can assign each
LAN client its own external IP address. &man.natd.8; then rewrites outgoing
packets from the LAN clients with the proper external IP address and redirects
all traffic incoming on that particular IP address back to the specific LAN
client. This is also known as static NAT. For example, the IP addresses
128.1.1.1, 128.1.1.2, and 128.1.1.3 belong to the natd gateway
machine. 128.1.1.1 can be used as the natd gateway machine's external
IP address, while 128.1.1.2 and 128.1.1.3 are forwarded back to LAN
clients A and B.The -redirect_address syntax is as follows:localIPThe internal IP address of the LAN client.publicIPThe external IP address corresponding to the LAN client.In the example, this argument would read:Like -redirect_port, these arguments are also placed within
natd_flags of /etc/rc.conf. With address
redirection, there is no need for port redirection since all data
received on a particular IP address is redirected.The external IP addresses on the natd machine must be active and aliased
to the external interface. Look at &man.rc.conf.5; to do so.
diff --git a/en_US.ISO8859-1/books/handbook/contrib/chapter.sgml b/en_US.ISO8859-1/books/handbook/contrib/chapter.sgml
index 361fa14e66..2358f3e8d4 100644
--- a/en_US.ISO8859-1/books/handbook/contrib/chapter.sgml
+++ b/en_US.ISO8859-1/books/handbook/contrib/chapter.sgml
@@ -1,6344 +1,6344 @@
Contributing to FreeBSDContributed by &a.jkh;.contributingSo you want to contribute something to FreeBSD? That is great! We can
always use the help, and FreeBSD is one of those systems that
relies on the contributions of its user base in order
to survive. Your contributions are not only appreciated, they are vital
to FreeBSD's continued growth!Contrary to what some people might also have you believe, you do not
need to be a hot-shot programmer or a close personal friend of the FreeBSD
core team in order to have your contributions accepted. The FreeBSD
Project's development is done by a large and growing number of
international contributors whose ages and areas of technical expertise
vary greatly, and there is always more work to be done than there are
people available to do it.Since the FreeBSD project is responsible for an entire operating
system environment (and its installation) rather than just a kernel or a
few scattered utilities, our TODO list also spans a
very wide range of tasks, from documentation, beta testing and
presentation to highly specialized types of kernel development. No matter
what your skill level, there is almost certainly something you can do to
help the project!Commercial entities engaged in FreeBSD-related enterprises are also
encouraged to contact us. Need a special extension to make your product
work? You will find us receptive to your requests, given that they are not
too outlandish. Working on a value-added product? Please let us know! We
may be able to work cooperatively on some aspect of it. The free software
world is challenging a lot of existing assumptions about how software is
developed, sold, and maintained throughout its life cycle, and we urge you
to at least give it a second look.What is NeededThe following list of tasks and sub-projects represents something of
an amalgam of the various core team TODO lists and
user requests we have collected over the last couple of months. Where
possible, tasks have been ranked by degree of urgency. If you are
interested in working on one of the tasks you see here, send mail to the
coordinator listed by clicking on their names. If no coordinator has
been appointed, maybe you would like to volunteer?High priority taskstodo listThe following tasks are considered to be urgent, usually because
they represent something that is badly broken or sorely needed:3-stage boot issues. Overall coordination: &a.hackers;Do WinNT compatible drive tagging so that the 3rd stage
can provide an accurate mapping of BIOS geometries for
disks.Filesystem problems. Overall coordination: &a.fs;Clean up and document the nullfs filesystem code.
Coordinator: &a.eivind;Fix the union file system. Coordinator: &a.dg;Implement Int13 vm86 disk driver. Coordinator:
&a.hackers;New bus architecture. Coordinator: &a.newbus;Port existing ISA drivers to new architecture.Move all interrupt-management code to appropriate parts of
the bus drivers.Port PCI subsystem to new architecture. Coordinator:
&a.dfr;Figure out the right way to handle removable devices and
then use that as a substrate on which PC-Card and CardBus
support can be implemented.Resolve the probe/attach priority issue once and for
all.Move any remaining buses over to the new
architecture.Kernel issues. Overall coordination: &a.hackers;Add more pro-active security infrastructure. Overall
coordination: &a.security;Build something like Tripwire(TM) into the kernel, with a
remote and local part. There are a number of cryptographic
issues to getting this right; contact the coordinator for
details. Coordinator: &a.eivind;Make the entire kernel use suser()
instead of comparing to 0. It is presently using about half
of each. Coordinator: &a.eivind;Split securelevels into different parts, to allow an
administrator to throw away those privileges he can throw
away. Setting the overall securelevel needs to have the same
effect as now, obviously. Coordinator: &a.eivind;Make it possible to upload a list of allowed
programs to BPF, and then block BPF from accepting other
programs. This would allow BPF to be used e.g. for DHCP,
without allowing an attacker to start snooping the local
network.Update the security checker script. We should at least
grab all the checks from the other BSD derivatives, and add
checks that a system with securelevel increased also have
reasonable flags on the relevant parts. Coordinator:
&a.eivind;Add authorization infrastructure to the kernel, to allow
different authorization policies. Part of this could be done
by modifying suser(). Coordinator:
&a.eivind;Add code to the NFS layer so that you cannot
chdir("..") out of an NFS partition. E.g.,
/usr is a UFS partition with
/usr/src NFS exported. Now it is
possible to use the NFS filehandle for
/usr/src to get access to
/usr.Medium priority tasksThe following tasks need to be done, but not with any particular
urgency:Full KLD based driver support/Configuration Manager.Write a configuration manager (in the 3rd stage boot?)
that probes your hardware in a sane manner, keeps only the
KLDs required for your hardware, etc.PCMCIA/PCCARD. Coordinators: &a.msmith; and &a.imp;Documentation!Reliable operation of the pcic driver (needs
testing).Recognizer and handler for sio.c
(mostly done).Recognizer and handler for ed.c
(mostly done).Recognizer and handler for ep.c
(mostly done).User-mode recognizer and handler (partially done).Advanced Power Management. Coordinators: &a.msmith; and
&a.phk;APM sub-driver (mostly done).IDE/ATA disk sub-driver (partially done).syscons/pcvt sub-driver.Integration with the PCMCIA/PCCARD drivers
(suspend/resume).Low priority tasksThe following tasks are purely cosmetic or represent such an
investment of work that it is not likely that anyone will get them
done anytime soon:The first N items are from Terry Lambert
terry@lambert.orgNetWare Server (protected mode ODI driver) loader and
sub-services to allow the use of ODI card drivers supplied with
network cards. The same thing for NDIS drivers and NetWare SCSI
drivers.An "upgrade system" option that works on Linux boxes instead
of just previous rev FreeBSD boxes.Symmetric Multiprocessing with kernel preemption (requires
kernel preemption).A concerted effort at support for portable computers. This is
somewhat handled by changing PCMCIA bridging rules and power
management event handling. But there are things like detecting
internal v.s.. external display and picking a different screen
resolution based on that fact, not spinning down the disk if the
machine is in dock, and allowing dock-based cards to disappear
without affecting the machines ability to boot (same issue for
PCMCIA).Smaller tasksMost of the tasks listed in the previous sections require either a
considerable investment of time or an in-depth knowledge of the
FreeBSD kernel (or both). However, there are also many useful tasks
which are suitable for "weekend hackers", or people without
programming skills.If you run FreeBSD-current and have a good Internet
connection, there is a machine current.FreeBSD.org which builds a full
release once a day — every now and again, try and install
the latest release from it and report any failures in the
process.Read the freebsd-bugs mailing list. There might be a
problem you can comment constructively on or with patches you
can test. Or you could even try to fix one of the problems
yourself.Read through the FAQ and Handbook periodically. If anything
is badly explained, out of date or even just completely wrong, let
us know. Even better, send us a fix (SGML is not difficult to
learn, but there is no objection to ASCII submissions).Help translate FreeBSD documentation into your native language
(if not already available) — just send an email to &a.doc;
asking if anyone is working on it. Note that you are not
committing yourself to translating every single FreeBSD document
by doing this — in fact, the documentation most in need of
translation is the installation instructions.Read the freebsd-questions mailing list and &ng.misc
occasionally (or even regularly). It can be very satisfying to
share your expertise and help people solve their problems;
sometimes you may even learn something new yourself! These forums
can also be a source of ideas for things to work on.If you know of any bug fixes which have been successfully
applied to -current but have not been merged into -stable after a
decent interval (normally a couple of weeks), send the committer a
polite reminder.Move contributed software to src/contrib
in the source tree.Make sure code in src/contrib is up to
date.Build the source tree (or just part of it) with extra warnings
enabled and clean up the warnings.Fix warnings for ports which do deprecated things like using
gets() or including malloc.h.If you have contributed any ports, send your patches back to
the original author (this will make your life easier when they
bring out the next version)Suggest further tasks for this list!Work through the PR databaseproblem reports databaseThe FreeBSD PR
list shows all the current active problem reports and
requests for enhancement that have been submitted by FreeBSD users.
Look through the open PRs, and see if anything there takes your
interest. Some of these might be very simple tasks, that just need an
extra pair of eyes to look over them and confirm that the fix in the
PR is a good one. Others might be much more complex.Start with the PRs that have not been assigned to anyone else, but
if one them is assigned to someone else, but it looks like something
you can handle, e-mail the person it is assigned to and ask if you can
work on it—they might already have a patch ready to be tested,
or further ideas that you can discuss with them.How to ContributeContributions to the system generally fall into one or more of the
following 6 categories:Bug reports and general commentaryAn idea or suggestion of general technical
interest should be mailed to the &a.hackers;. Likewise, people with
an interest in such things (and a tolerance for a
high volume of mail!) may subscribe to the
hackers mailing list by sending mail to &a.majordomo;. See mailing lists for more information
about this and other mailing lists.If you find a bug or are submitting a specific change, please
report it using the &man.send-pr.1; program or its WEB-based
equivalent. Try to fill-in each field of the bug report.
Unless they exceed 65KB, include any patches directly in the report.
When including patches, do not use cut-and-paste
because cut-and-paste turns tabs into spaces and makes them unusable.
Consider compressing patches and using &man.uuencode.1; if they exceed
20KB. Upload very large submissions to ftp.FreeBSD.org:/pub/FreeBSD/incoming/.After filing a report, you should receive confirmation along with
a tracking number. Keep this tracking number so that you can update
us with details about the problem by sending mail to
bug-followup@FreeBSD.org. Use the number as the
message subject, e.g. "Re: kern/3377". Additional
information for any bug report should be submitted this way.If you do not receive confirmation in a timely fashion (3 days to
a week, depending on your email connection) or are, for some reason,
unable to use the &man.send-pr.1; command, then you may ask
someone to file it for you by sending mail to the &a.bugs;.Changes to the documentationdocumentation submissionsChanges to the documentation are overseen by the &a.doc;. Send
submissions and changes (even small ones are welcome!) using
send-pr as described in Bug Reports and General
Commentary.Changes to existing source codeFreeBSD-currentAn addition or change to the existing source code is a somewhat
trickier affair and depends a lot on how far out of date you are with
the current state of the core FreeBSD development. There is a special
on-going release of FreeBSD known as FreeBSD-current
which is made available in a variety of ways for the convenience of
developers working actively on the system. See Staying current with FreeBSD for more
information about getting and using FreeBSD-current.Working from older sources unfortunately means that your changes
may sometimes be too obsolete or too divergent for easy re-integration
into FreeBSD. Chances of this can be minimized somewhat by
subscribing to the &a.announce; and the &a.current; lists, where
discussions on the current state of the system take place.Assuming that you can manage to secure fairly up-to-date sources
to base your changes on, the next step is to produce a set of diffs to
send to the FreeBSD maintainers. This is done with the &man.diff.1;
command, with the context diff form
being preferred. For example:diff&prompt.user; diff -c oldfile newfile
or
&prompt.user; diff -c -r olddir newdir
would generate such a set of context diffs for the given source file
or directory hierarchy. See the man page for &man.diff.1; for more
details.Once you have a set of diffs (which you may test with the
&man.patch.1; command), you should submit them for inclusion with
FreeBSD. Use the &man.send-pr.1; program as described in Bug Reports and General Commentary.
Do not just send the diffs to the &a.hackers; or
they will get lost! We greatly appreciate your submission (this is a
volunteer project!); because we are busy, we may not be able to
address it immediately, but it will remain in the pr database until we
do.uuencodeIf you feel it appropriate (e.g. you have added, deleted, or
renamed files), bundle your changes into a tar file
and run the &man.uuencode.1; program on it. Shar archives are also
welcome.If your change is of a potentially sensitive nature, e.g. you are
unsure of copyright issues governing its further distribution or you
are simply not ready to release it without a tighter review first,
then you should send it to &a.core; directly rather than submitting it
with &man.send-pr.1;. The core mailing list reaches a much smaller
group of people who do much of the day-to-day work on FreeBSD. Note
that this group is also very busy and so you
should only send mail to them where it is truly necessary.Please refer to &man.intro.9; and &man.style.9; style for
some information on coding style. We would appreciate it if you
were at least aware of this information before submitting
code.New code or major value-added packagesIn the case of a significant contribution of a large body
work, or the addition of an important new feature to FreeBSD, it
becomes almost always necessary to either send changes as uuencoded
tar files or upload them to a web or FTP site for other people to
access. If you do not have access to a web or FTP site, ask on an
appropriate FreeBSD mailing list for someone to host the changes for
you.When working with large amounts of code, the touchy subject of
copyrights also invariably comes up. Acceptable copyrights for code
included in FreeBSD are:BSD copyrightThe BSD copyright. This copyright is most preferred due to
its no strings attached nature and general
attractiveness to commercial enterprises. Far from discouraging
such commercial use, the FreeBSD Project actively encourages such
participation by commercial interests who might eventually be
inclined to invest something of their own into FreeBSD.GPLGNU Public LicenseThe GNU Public License, or GPL. This license is
not quite as popular with us due to the amount of extra effort
demanded of anyone using the code for commercial purposes, but
given the sheer quantity of GPL'd code we currently require
(compiler, assembler, text formatter, etc) it would be silly to
refuse additional contributions under this license. Code under
the GPL also goes into a different part of the tree, that being
/sys/gnu or
/usr/src/gnu, and is therefore easily
identifiable to anyone for whom the GPL presents a problem.Contributions coming under any other type of copyright must be
carefully reviewed before their inclusion into FreeBSD will be
considered. Contributions for which particularly restrictive
commercial copyrights apply are generally rejected, though the authors
are always encouraged to make such changes available through their own
channels.To place a BSD-style copyright on your work, include
the following text at the very beginning of every source code file you
wish to protect, replacing the text between the %%
with the appropriate information.Copyright (c) %%proper_years_here%%
%%your_name_here%%, %%your_state%% %%your_zip%%.
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:
1. Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer as
the first lines of this file unmodified.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
THIS SOFTWARE IS PROVIDED BY %%your_name_here%% ``AS IS'' AND ANY EXPRESS OR
IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
IN NO EVENT SHALL %%your_name_here%% BE LIABLE FOR ANY DIRECT, INDIRECT,
INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
$Id$For your convenience, a copy of this text can be found in
/usr/share/examples/etc/bsd-style-copyright.Money, Hardware or Internet accessWe are always very happy to accept donations to further the cause
of the FreeBSD Project and, in a volunteer effort like ours, a little
can go a long way! Donations of hardware are also very important to
expanding our list of supported peripherals since we generally lack
the funds to buy such items ourselves.Donating fundsEmpty, pending information from the FreeBSD Foundation.Donating hardwaredonationsDonations of hardware in any of the 3 following categories are
also gladly accepted by the FreeBSD Project:General purpose hardware such as disk drives, memory or
complete systems should be sent to the FreeBSD, Inc. address
listed in the donating funds
section.Hardware for which ongoing compliance testing is desired.
We are currently trying to put together a testing lab of all
components that FreeBSD supports so that proper regression
testing can be done with each new release. We are still lacking
many important pieces (network cards, motherboards, etc) and if
you would like to make such a donation, please contact &a.dg;
for information on which items are still required.Hardware currently unsupported by FreeBSD for which you
would like to see such support added. Please contact the
&a.core; before sending such items as we will need to find a
developer willing to take on the task before we can accept
delivery of new hardware.Donating Internet accessWe can always use new mirror sites for FTP, WWW or
cvsup. If you would like to be such a mirror,
please contact the FreeBSD project administrators
hubs@FreeBSD.org for more information.Donors GalleryThe FreeBSD Project is indebted to the following donors and would
like to publicly thank them here!Contributors to the central server
project:The following individuals and businesses made it possible for
the FreeBSD Project to build a new central server machine to
eventually replace freefall.FreeBSD.org
by donating the following items:&a.mbarkah and his employer,
Hemisphere Online, donated a Pentium Pro
(P6) 200MHz CPUASA
Computers donated a Tyan 1662
motherboard.Joe McGuckin joe@via.net of ViaNet Communications donated
a Kingston ethernet controller.Jack O'Neill jack@diamond.xtalwind.net
donated an NCR 53C875 SCSI controller
card.Ulf Zimmermann ulf@Alameda.net of Alameda Networks donated
128MB of memory, a 4 Gb disk
drive and the case.Direct funding:The following individuals and businesses have generously
contributed direct funding to the project:Annelise Anderson
ANDRSN@HOOVER.STANFORD.EDU&a.dillonBlue Mountain
ArtsEpilogue Technology
Corporation&a.sefGlobal Technology
Associates, IncDon Scott WildeGianmarco Giovannelli
gmarco@masternet.itJosef C. Grosch joeg@truenorth.orgRobert T. Morris&a.chuckrKenneth P. Stox ken@stox.sa.enteract.com of
Imaginary Landscape,
LLC.Dmitry S. Kohmanyuk dk@dog.farm.orgLaser5 of Japan
(a portion of the profits from sales of their various FreeBSD
CDROMs).Fuki Shuppan
Publishing Co. donated a portion of their profits from
Hajimete no FreeBSD (FreeBSD, Getting
started) to the FreeBSD and XFree86 projects.ASCII Corp.
donated a portion of their profits from several FreeBSD-related
books to the FreeBSD project.Yokogawa Electric
Corp has generously donated significant funding to the
FreeBSD project.BuffNETPacific
SolutionsSiemens AG
via Andre Albsmeier
andre.albsmeier@mchp.siemens.deChris Silva ras@interaccess.comHardware contributors:The following individuals and businesses have generously
contributed hardware for testing and device driver
development/support:BSDi for providing the Pentium P5-90 and
486/DX2-66 EISA/VL systems that are being used for our
development work, to say nothing of the network access and other
donations of hardware resources.TRW Financial Systems, Inc. provided 130 PCs, three 68 GB
file servers, twelve Ethernets, two routers and an ATM switch for
debugging the diskless code.Dermot McDonnell donated the Toshiba XM3401B CDROM drive
currently used in freefall.&a.chuck; contributed his floppy tape streamer for
experimental work.Larry Altneu larry@ALR.COM, and &a.wilko;,
provided Wangtek and Archive QIC-02 tape drives in order to
improve the wt driver.Ernst Winter ewinter@lobo.muc.de contributed
a 2.88 MB floppy drive to the project. This will hopefully
increase the pressure for rewriting the floppy disk driver.
- ;-)
+
Tekram
Technologies sent one each of their DC-390, DC-390U
and DC-390F FAST and ULTRA SCSI host adapter cards for
regression testing of the NCR and AMD drivers with their cards.
They are also to be applauded for making driver sources for free
operating systems available from their FTP server ftp://ftp.tekram.com/scsi/FreeBSD/.Larry M. Augustin contributed not only a
Symbios Sym8751S SCSI card, but also a set of data books,
including one about the forthcoming Sym53c895 chip with Ultra-2
and LVD support, and the latest programming manual with
information on how to safely use the advanced features of the
latest Symbios SCSI chips. Thanks a lot!Christoph Kukulies kuku@FreeBSD.org donated
an FX120 12 speed Mitsumi CDROM drive for IDE CDROM driver
development.Special contributors:BSDi (formerly Walnut Creek CDROM)
has donated almost more than we can say (see the history document for more details).
In particular, we would like to thank them for the original
hardware used for freefall.FreeBSD.org, our primary
development machine, and for thud.FreeBSD.org, a testing and build
box. We are also indebted to them for funding various
contributors over the years and providing us with unrestricted
use of their T1 connection to the Internet.The interface
business GmbH, Dresden has been patiently supporting
&a.joerg; who has often preferred FreeBSD work over paid work, and
used to fall back to their (quite expensive) EUnet Internet
connection whenever his private connection became too slow or
flaky to work with it...Berkeley Software Design,
Inc. has contributed their DOS emulator code to the
remaining BSD world, which is used in the
doscmd command.Core Team Alumnicore teamThe following people were members of the FreeBSD core team during
the periods indicated. We thank them for their past efforts in the
service of the FreeBSD project.In rough chronological order:&a.ache (1993 - 2000)&a.jmb (1993 - 2000)&a.bde (1992 - 2000)&a.gibbs (1993 - 2000)&a.rich (1994 - 2000)&a.phk (1992 - 2000)&a.gpalmer (1993 - 2000)&a.sos (1993 - 2000)&a.wollman (1993 - 2000)&a.joerg (1995 - 2000)&a.jdp (1997 - 2000)&a.guido (1995 - 1999)&a.dyson (1993 - 1998)&a.nate (1992 - 1996)&a.rgrimes (1992 - 1995)Andreas Schulz (1992 - 1995)&a.csgr (1993 - 1995)&a.paul (1992 - 1995)&a.smace (1993 - 1994)Andrew Moore (1993 - 1994)Christoph Robitschko (1993 - 1994)J. T. Conklin (1992 - 1993)Development Team Alumnidevelopment teamThe following people were members of the FreeBSD development team
during the periods indicated. We thank them for their past efforts
in the service of the FreeBSD project.In rough chronological order:&a.tedm (???? - 2000)&a.karl (???? - 2000)&a.gclarkii (1993 - 2000)&a.jraynard (???? - 2000)&a.jgreco (???? - 1999)&a.ats (???? - 1999)Jamil Weatherby (1997 - 1999)meganm (???? - 1998)&a.dyson (???? - 1998)Amancio Hasty (1997 - 1998)Drew Derbyshire (1997 - 1998)Derived Software ContributorsThis software was originally derived from William F. Jolitz's 386BSD
release 0.1, though almost none of the original 386BSD specific code
remains. This software has been essentially re-implemented from the
4.4BSD-Lite release provided by the Computer Science Research Group
(CSRG) at the University of California, Berkeley and associated academic
contributors.There are also portions of NetBSD and OpenBSD that have been
integrated into FreeBSD as well, and we would therefore like to thank
all the contributors to NetBSD and OpenBSD for their work.Additional FreeBSD Contributors(in alphabetical order by first name):ABURAYA Ryushirou rewsirow@ff.iij4u.or.jpAMAGAI Yoshiji amagai@nue.orgAaron Bornstein aaronb@j51.comAaron Smith aaron@mutex.orgAchim Patzner ap@noses.comAda T Lim ada@bsd.orgAdam Baran badam@mw.mil.plAdam Glass glass@postgres.berkeley.eduAdam Herzog adam@herzogdesigns.comAdam Kranzel adam@alameda.eduAdam McDougall mcdouga9@egr.msu.eduAdam Strohl troll@digitalspark.netAdoal Xu adoal@iname.comAdrian Colley aecolley@ois.ieAdrian Hall ahall@mirapoint.comAdrian Mariano adrian@cam.cornell.eduAdrian Steinmann ast@marabu.chAdrian T. Filipi-Martin
atf3r@agate.cs.virginia.eduAjit Thyagarajan unknownAkio Morita
amorita@meadow.scphys.kyoto-u.ac.jpAkira SAWADA unknownAkira Watanabe
akira@myaw.ei.meisei-u.ac.jpAkito Fujita fujita@zoo.ncl.omron.co.jpAlain Kalker
A.C.P.M.Kalker@student.utwente.nlAlan Bawden alan@curry.epilogue.comAlec Wolman wolman@cs.washington.eduAled Morris aledm@routers.co.ukAleksandr A Babaylov .@babolo.ruAlex G. Bulushev bag@demos.suAlex D. Chen
dhchen@Canvas.dorm7.nccu.edu.twAlex Le Heux alexlh@funk.orgAlex Kapranoff kappa@zombie.antar.bryansk.ruAlex Perel veers@disturbed.netAlex Semenyaka alex@rinet.ruAlex Varju varju@webct.comAlex Zepeda garbanzo@hooked.netAlexander B. Povolotsky tarkhil@mgt.msk.ruAlexander Gelfenbain mail@gelf.comAlexander Leidinger
netchild@wurzelausix.CS.Uni-SB.DEAlexandre Peixoto
alexandref@tcoip.com.brAlexandre Snarskii snar@paranoia.ruAlistair G. Crooks agc@uts.amdahl.comAllan Bowhill bowhill@bowhill.vservers.comAllan Saddi asaddi@philosophysw.comAllen Campbell allenc@verinet.comAmakawa Shuhei amakawa@hoh.t.u-tokyo.ac.jpAmancio Hasty hasty@star-gate.comAmir Farah amir@comtrol.comAmir Shalem amir@boom.org.ilAmy Baron amee@beer.orgThe Anarcat beaupran@iro.umontreal.caAnatoly A. Orehovsky tolik@mpeks.tomsk.suAnatoly Vorobey mellon@pobox.comAnders Andersson anders@codefactory.seAnders Nordby anders@fix.noAnders Thulin Anders.X.Thulin@telia.seAndras Olah olah@cs.utwente.nlAndre Albsmeier
Andre.Albsmeier@mchp.siemens.deAndre Goeree abgoeree@uwnet.nlAndre Oppermann andre@pipeline.chAndreas Haakh ah@alman.robin.deAndreas Kohout shanee@rabbit.augusta.deAndreas Lohr andreas@marvin.RoBIN.deAndreas Schulz unknownAndreas Wetzel mickey@deadline.snafu.deAndreas Wrede andreas@planix.comAndres Vega Garcia unknownAndrew Atrens atreand@statcan.caAndrew Boothman andrew@cream.orgAndrew Gillham gillham@andrews.eduAndrew Gordon andrew.gordon@net-tel.co.ukAndrew Herbert andrew@werple.apana.org.auAndrew J. Korty ajk@purdue.eduAndrew L. Moore alm@mclink.comAndrew L. Neporada andrew@chg.ruAndrew McRae amcrae@cisco.comAndrew Stevenson andrew@ugh.net.auAndrew Timonin tim@pool1.convey.ruAndrew V. Stesin stesin@elvisti.kiev.uaAndrew Webster awebster@dataradio.comAndrey Novikov andrey@novikov.comAndrey Simonenko simon@comsys.ntu-kpi.kiev.uaAndrey Tchoritch andy@venus.sympad.netAndy Farkas andyf@speednet.com.auAndy Valencia ajv@csd.mot.comAndy Whitcroft andy@sarc.city.ac.ukAngelo Turetta ATuretta@stylo.itAnthony C. Chavez magus@xmission.comAnthony Yee-Hang Chan yeehang@netcom.comAnton N. Bruesov antonz@library.ntu-kpi.kiev.uaAnton Voronin anton@urc.ac.ruAntti Kaipila anttik@iki.fiarci vega@sophia.inria.frAre Bryne are.bryne@communique.noAri Suutari ari@suutari.iki.fiArindum Mukerji rmukerji@execpc.comArjan de Vet devet@IAEhv.nlArne Henrik Juul arnej@Lise.Unit.NOArun Sharma adsharma@sharmas.dhs.orgArnaud S. Launay asl@launay.orgAsk Bjoern Hansen ask@valueclick.comAtsushi Furuta furuta@sra.co.jpAtsushi Murai amurai@spec.co.jpAtushi Sakauchi sakauchi@yamame.toBakul Shah bvs@bitblocks.comBarry Bierbauch pivrnec@vszbr.czBarry Lustig barry@ictv.comBen Hutchinson benhutch@xfiles.org.ukBen Jackson unknownBen Walter bwalter@itachi.swcp.comBenjamin Lewis bhlewis@gte.netBerend de Boer berend@pobox.comBernd Rosauer br@schiele-ct.deBill Kish kish@osf.orgBill Trost trost@cloud.rain.comBlaz Zupan blaz@amis.netBob Van Valzah Bob@whitebarn.comBob Wilcox bob@obiwan.uucpBob Willcox bob@luke.pmr.comBoris Staeblow balu@dva.in-berlin.deBoyd Faulkner faulkner@mpd.tandem.comBoyd R. Faulkner faulkner@asgard.bga.comBrad Chapman chapmanb@arches.uga.eduBrad Hendrickse bradh@uunet.co.zaBrad Karp karp@eecs.harvard.eduBradley Dunn bradley@dunn.orgBrad Jones brad@kazrak.comBrandon Fosdick bfoz@glue.umd.eduBrandon Gillespie brandon@roguetrader.com&a.wlloydBrent J. Nordquist bjn@visi.comBrett Lymn blymn@mulga.awadi.com.AUBrett Taylor
brett@peloton.runet.eduBrian Campbell brianc@pobox.comBrian Clapper bmc@willscreek.comBrian Cully shmit@kublai.comBrian Handy
handy@lambic.space.lockheed.comBrian Litzinger brian@MediaCity.comBrian McGovern bmcgover@cisco.comBrian Moore ziff@houdini.eecs.umich.eduBrian R. Haug haug@conterra.comBrian Tao taob@risc.orgBrion Moss brion@queeg.comBruce Albrecht bruce@zuhause.mn.orgBruce Gingery bgingery@gtcs.comBruce J. Keeler loodvrij@gridpoint.comBruce Murphy packrat@iinet.net.auBruce Walter walter@fortean.comCarey Jones mcj@acquiesce.orgCarl Fongheiser cmf@netins.netCarl Mascott cmascott@world.std.comCasper casper@acc.amCastor Fu castor@geocast.comChad David davidc@acns.ab.caChain Lee chain@110.netCharles Hannum mycroft@ai.mit.eduCharles Henrich henrich@msu.eduCharles Mott cmott@scientech.comCharles Owens owensc@enc.eduChet Ramey chet@odin.INS.CWRU.EduChia-liang Kao clkao@CirX.ORGChiharu Shibata chi@bd.mbn.or.jpChip Norkus unknownChris Csanady cc@tarsier.ca.sandia.govChris Dabrowski chris@vader.orgChris Dillon cdillon@wolves.k12.mo.usChris Shenton
cshenton@angst.it.hq.nasa.gov&a.cshumway;Chris Stenton jacs@gnome.co.ukChris Timmons skynyrd@opus.cts.cwu.eduChris Torek torek@ee.lbl.govChristian Gusenbauer
cg@fimp01.fim.uni-linz.ac.atChristian Haury Christian.Haury@sagem.frChristian Weisgerber
naddy@mips.inka.deChristoph P. Kukulies kuku@FreeBSD.orgChristoph Robitschko
chmr@edvz.tu-graz.ac.atChristoph Weber-Fahr
wefa@callcenter.systemhaus.netChristopher G. Demetriou
cgd@postgres.berkeley.eduChristopher N. Harrell cnh@ivmg.netChristopher Preston rbg@gayteenresource.orgChristopher T. Johnson
cjohnson@neunacht.netgsi.comChrisy Luke chrisy@flix.netChuck Hein chein@cisco.comCliff Rowley dozprompt@onsea.comColman Reilly careilly@tcd.ieConrad Sabatier conrads@home.comCoranth Gryphon gryphon@healer.comCornelis van der Laan
nils@guru.ims.uni-stuttgart.deCove Schneider cove@brazil.nbn.comCraig Leres leres@ee.lbl.govCraig Loomis unknownCraig Metz cmetz@inner.netCraig Spannring cts@internetcds.comCraig Struble cstruble@vt.eduCristian Ferretti cfs@riemann.mat.puc.clCurt Mayer curt@toad.comCy Schubert cschuber@uumail.gov.bc.caCyrille Lefevre clefevre@citeweb.netCyrus Rahman cr@jcmax.comDai Ishijima ishijima@tri.pref.osaka.jpDaisuke Watanabe NU7D-WTNB@asahi-net.or.jpDamian Hamill damian@cablenet.netDan Cross tenser@spitfire.ecsel.psu.eduDan Langille dan@freebsddiary.orgDan Lukes dan@obluda.czDan Nelson dnelson@emsphone.comDan Papasian bugg@bugg.strangled.netDan Piponi wmtop@tanelorn.demon.co.ukDan Walters hannibal@cyberstation.netDaniel Hagan
dhagan@cs.vt.eduDaniel O'Connor doconnor@gsoft.com.auDaniel Poirot poirot@aio.jsc.nasa.govDaniel Rock rock@cs.uni-sb.deDaniel W. McRobb dwm@caimis.comDanny Egen unknownDanny J. Zerkel dzerkel@phofarm.comDave Adkins adkin003@tc.umn.eduDave Andersen angio@aros.netDave Blizzard dblizzar@sprynet.comDave Bodenstab imdave@synet.netDave Burgess burgess@hrd769.brooks.af.milDave Chapeskie dchapes@ddm.on.caDave Cornejo dave@dogwood.comDave Edmondson davided@sco.comDave Glowacki dglo@ssec.wisc.eduDave Marquardt marquard@austin.ibm.comDave Tweten tweten@FreeBSD.orgDavid A. Adkins adkin003@tc.umn.eduDavid A. Bader dbader@eece.unm.eduDavid Borman dab@bsdi.comDavid Dawes dawes@XFree86.orgDavid Filo unknownDavid Holland dholland@eecs.harvard.eduDavid Holloway daveh@gwythaint.tamis.comDavid Horwitt dhorwitt@ucsd.eduDavid Hovemeyer daveho@infocom.comDavid Jones dej@qpoint.torfree.netDavid Kelly dkelly@tomcat1.tbe.comDavid Kulp dkulp@neomorphic.comDavid L. Nugent davidn@blaze.net.auDavid Leonard d@scry.dstc.edu.auDavid Muir Sharnoff muir@idiom.comDavid S. Miller davem@jenolan.rutgers.eduDavid Sugar dyfet@gnu.orgDavid Wolfskill dhw@whistle.comDean Gaudet dgaudet@arctic.orgDean Huxley dean@fsa.caDenis Fortin unknownDenis Shaposhnikov dsh@vlink.ruDennis Glatting
dennis.glatting@software-munitions.comDenton Gentry denny1@home.comder Mouse mouse@Collatz.McRCIM.McGill.EDUDerek Inksetter derek@saidev.comDI. Christian Gusenbauer
cg@scotty.edvz.uni-linz.ac.atDirk Keunecke dk@panda.rhein-main.deDirk Nehrling nerle@pdv.deDishanker Rajakulendren draj@oceanfree.netDmitry A. Yankofm@astral.ntu-kpi.kiev.uaDmitry Khrustalev dima@xyzzy.machaon.ruDmitry Kohmanyuk dk@farm.orgDom Mitchell dom@myrddin.demon.co.ukDomas Mituzas midom@dammit.ltDominik Brettnacher domi@saargate.deDominik Rothert dr@domix.deDon Croyle croyle@gelemna.ft-wayne.in.usDonn Miller dmmiller@cvzoom.netDan Pelleg dpelleg+unison@cs.cmu.edu&a.whiteside;Don Morrison dmorrisn@u.washington.eduDon Yuniskis dgy@rtd.comDonald Maddox dmaddox@conterra.comDouglas Ambrisko ambrisko@whistle.comDouglas Carmichael dcarmich@mcs.comDouglas Crosher dtc@scrooge.ee.swin.oz.auDrew Derbyshire ahd@kew.comDustin Sallings dustin@spy.netEckart "Isegrim" Hofmann
Isegrim@Wunder-Nett.orgEd Gold
vegold01@starbase.spd.louisville.eduEd Hudson elh@p5.spnet.comEdward Chuang edwardc@firebird.org.twEdward Wang edward@edcom.comEdwin Groothus edwin@nwm.wan.philips.comEdwin Mons e@ik.nuEge Rekk aagero@aage.priv.noEiji-usagi-MATSUmoto usagi@clave.gr.jpEike Bernhardt eike.bernhardt@gmx.deELISA Font ProjectElmar Bartel
bartel@informatik.tu-muenchen.deEoin Lawless eoin@maths.tcd.ieEric A. Griff eagriff@global2000.netEric Blood eblood@cs.unr.eduEric D. Futch efutch@nyct.netEric J. Haug ejh@slustl.slu.eduEric J. Schwertfeger eric@cybernut.comEric L. Hernes erich@lodgenet.comEric P. Scott eps@sirius.comEric Sprinkle eric@ennovatenetworks.comErich Stefan Boleyn erich@uruk.orgErich Zigler erich@tacni.netErik H. Bakke erikhb@bgnett.noErik E. Rantapaa rantapaa@math.umn.eduErik H. Moe ehm@cris.comErnst de Haan ernst@heinz.jollem.comErnst Winter ewinter@lobo.muc.deEspen Skoglund esk@ira.uka.deEugene M. Kim astralblue@usa.netEugene Radchenko genie@qsar.chem.msu.suEugeny Kuzakov CoreDumped@coredumped.null.ruEvan Champion evanc@synapse.netFaried Nawaz fn@Hungry.COMFlemming Jacobsen fj@batmule.dkFong-Ching Liaw fong@juniper.netFrancis M J Hsieh mjshieh@life.nthu.edu.twFrancisco Reyes fjrm@yahoo.comFrank Bartels knarf@camelot.deFrank Chen Hsiung Chan
frankch@waru.life.nthu.edu.twFrank Durda IV uhclem@nemesis.lonestar.orgFrank MacLachlan fpm@n2.netFrank Nobis fn@Radio-do.deFrank ten Wolde franky@pinewood.nlFrank van der Linden frank@fwi.uva.nlFrank Volf volf@oasis.IAEhv.nlFred Cawthorne fcawth@jjarray.umn.eduFred Gilham gilham@csl.sri.comFred Templin templin@erg.sri.comFrederick Earl Gray fgray@rice.eduFUJIMOTO Kensaku
fujimoto@oscar.elec.waseda.ac.jpFURUSAWA Kazuhisa
furusawa@com.cs.osakafu-u.ac.jp&a.stanislav;Gabor Kincses gabor@acm.orgGabor Zahemszky zgabor@CoDe.huGareth McCaughan gjm11@dpmms.cam.ac.ukGary A. Browning gab10@griffcd.amdahl.comGary Howland gary@hotlava.comGary J. garyj@rks32.pcs.dec.comGary Kline kline@thought.orgGaspar Chilingarov nightmar@lemming.acc.amGea-Suan Lin gsl@tpts4.seed.net.twGene Raytsin pal@paladin7.netGeoff Rehmet csgr@alpha.ru.ac.zaGeorg Wagner georg.wagner@ubs.comGianlorenzo Masini masini@uniroma3.itGianmarco Giovannelli
gmarco@giovannelli.itGil Kloepfer Jr. gil@limbic.ssdl.comGilad Rom rom_glsa@ein-hashofet.co.ilGiles Lean giles@nemeton.com.auGinga Kawaguti
ginga@amalthea.phys.s.u-tokyo.ac.jpGiorgos Keramidas keramida@ceid.upatras.grGlen Foster gfoster@gfoster.comGlenn Johnson gljohns@bellsouth.netGodmar Back gback@facility.cs.utah.eduGoran Hammarback goran@astro.uu.seGord Matzigkeit gord@enci.ucalgary.caGordon Greeff gvg@uunet.co.zaGraham Wheeler gram@cdsec.comGreg A. Woods woods@zeus.leitch.comGreg Ansley gja@ansley.comGreg Robinson greg@rosevale.com.auGreg Troxel gdt@ir.bbn.comGreg Ungerer gerg@stallion.oz.auGregory Bond gnb@itga.com.auGregory D. Moncreaff
moncrg@bt340707.res.ray.comGuy Harris guy@netapp.comGuy Helmer ghelmer@cs.iastate.eduHAMADA Naoki hamada@astec.co.jpHannu Savolainen hannu@voxware.pp.fiHans Huebner hans@artcom.deHans Petter Bieker zerium@webindex.noHans Zuidam hans@brandinnovators.comHarlan Stenn Harlan.Stenn@pfcs.comHarold Barker hbarker@dsms.comHarry Newton harry_newton@telinco.co.ukHavard Eidnes
Havard.Eidnes@runit.sintef.noHeikki Suonsivu hsu@cs.hut.fiHeiko W. Rupp unknownHelmut F. Wirth hfwirth@ping.atHenrik Vestergaard Draboel
hvd@terry.ping.dkHerb Peyerl hpeyerl@NetBSD.orgHideaki Ohmon ohmon@tom.sfc.keio.ac.jpHidekazu Kuroki hidekazu@cs.titech.ac.jpHideki Yamamoto hyama@acm.orgHideyuki Suzuki
hideyuki@sat.t.u-tokyo.ac.jpHirayama Issei iss@mail.wbs.ne.jpHiroaki Sakai sakai@miya.ee.kagu.sut.ac.jpHiroharu Tamaru tamaru@ap.t.u-tokyo.ac.jpHironori Ikura hikura@kaisei.orgHiroshi Nishikawa nis@pluto.dti.ne.jpHiroya Tsubakimoto unknownHolger Lamm holger@eit.uni-kl.deHolger Veit Holger.Veit@gmd.deHolm Tiffe holm@geophysik.tu-freiberg.deHONDA Yasuhiro
honda@kashio.info.mie-u.ac.jpHorance Chou
horance@freedom.ie.cycu.edu.twHorihiro Kumagai kuma@jp.FreeBSD.orgHOSOBUCHI Noriyuki hoso@buchi.tama.or.jpHOTARU-YA hotaru@tail.netHr.Ladavac lada@ws2301.gud.siemens.co.atHubert Feyrer hubertf@NetBSD.ORGHugh F. Mahon hugh@nsmdserv.cnd.hp.comHugh Mahon h_mahon@fc.hp.comHung-Chi Chu hcchu@r350.ee.ntu.edu.twIan Holland ianh@tortuga.com.auIan Struble ian@broken.netIan Vaudrey i.vaudrey@bigfoot.comIgor Khasilev igor@jabber.paco.odessa.uaIgor Roshchin str@giganda.komkon.orgIgor Serikov bt@turtle.pangeatech.comIgor Sviridov siac@ua.netIgor Vinokurov igor@zynaps.ruIkuo Nakagawa ikuo@isl.intec.co.jpIlia Chipitsine ilia@jane.cgu.chel.suIlya V. Komarov mur@lynx.ruIMAI Takeshi take-i@ceres.dti.ne.jpIMAMURA Tomoaki
tomoak-i@is.aist-nara.ac.jpItsuro Saito saito@miv.t.u-tokyo.ac.jpIWASHITA Yoji shuna@pop16.odn.ne.jpJ. Bryant jbryant@argus.flash.netJ. David Lowe lowe@saturn5.comJ. Han hjh@photino.comJ. Hawk jhawk@MIT.EDUJ.T. Conklin jtc@cygnus.comJack jack@zeus.xtalwind.netJacob Bohn Lorensen jacob@jblhome.ping.mkJagane D Sundar jagane@netcom.comJake Hamby jehamby@anobject.comJames Clark jjc@jclark.comJames D. Stewart jds@c4systm.comJames da Silva jds@cs.umd.eduJames Jegers jimj@miller.cs.uwm.eduJames Raynard
fhackers@jraynard.demon.co.ukJames T. Liu jtliu@phlebas.rockefeller.eduJamie Heckford jamie@jamiesdomain.co.ukJan Conard
charly@fachschaften.tu-muenchen.deJan Jungnickel Jan@Jungnickel.comJan Koum jkb@FreeBSD.orgJanick Taillandier
Janick.Taillandier@ratp.frJanusz Kokot janek@gaja.ipan.lublin.plJarle Greipsland jarle@idt.unit.noJason DiCioccio geniusj@ods.orgJason Garman init@risen.orgJason R. Mastaler
jason-freebsd@mastaler.comJason Thorpe thorpej@NetBSD.orgJason Wright jason@OpenBSD.orgJason Young
doogie@forbidden-donut.anet-stl.comJavier Martin Rueda jmrueda@diatel.upm.esJay Fenlason hack@datacube.comJay Krell jay.krell@cornell.eduJaye Mathisen mrcpu@cdsnet.netJeff Bartig jeffb@doit.wisc.eduJeff Brown jabrown@caida.orgJeff Forys jeff@forys.cranbury.nj.usJeff Kletsky Jeff@Wagsky.comJeff Palmer scorpio@drkshdw.orgJeffrey Evans evans@scnc.k12.mi.usJeffrey Wheat jeff@cetlink.netJeremy Allison jallison@whistle.comJeremy Chadwick yoshi@parodius.comJeremy Chatfield jdc@xinside.comJeremy Karlson karlj000@unbc.caJeremy Prior unknownJeremy Shaffner jeremy@external.orgJesse McConnell jesse@cylant.comJesse Rosenstock jmr@ugcs.caltech.eduJian-Da Li jdli@csie.nctu.edu.twJim Babb babb@FreeBSD.orgJim Binkley jrb@cs.pdx.eduJim Bloom bloom@acm.orgJim Carroll jim@carroll.comJim Flowers jflowers@ezo.netJim Leppek jleppek@harris.comJim Lowe james@cs.uwm.eduJim Mattson jmattson@sonic.netJim Mercer jim@komodo.reptiles.orgJim Sloan odinn@atlantabiker.netJim Wilson wilson@moria.cygnus.comJimbo Bahooli
griffin@blackhole.iceworld.orgJin Guojun jin@george.lbl.govJoachim Kuebart kuebart@mathematik.uni-ulm.deJoao Carlos Mendes Luis jonny@jonny.eng.brJochen Pohl jpo.drs@sni.deJoe "Marcus" Clarke marcus@marcuscom.comJoe Abley jabley@automagic.orgJoe Jih-Shian Lu jslu@dns.ntu.edu.twJoe Orthoefer j_orthoefer@tia.netJoe Traister traister@mojozone.orgJoel Faedi Joel.Faedi@esial.u-nancy.frJoel Ray Holveck joelh@gnu.orgJoel Sutton jsutton@bbcon.com.auJordan DeLong fracture@allusion.netJoseph Scott joseph@randomnetworks.comJohan Granlund johan@granlund.nuJohan Karlsson k@numeri.campus.luth.seJohan Larsson johan@moon.campus.luth.seJohann Tonsing jtonsing@mikom.csir.co.zaJohannes Helander unknownJohannes Stille unknownJohn Beckett jbeckett@southern.eduJohn Beukema jbeukema@hk.super.netJohn Brezak unknownJohn Capo jc@irbs.comJohn F. Woods jfw@jfwhome.funhouse.comJohn Goerzen
jgoerzen@alexanderwohl.complete.orgJohn Heidemann johnh@isi.eduJohn Hood cgull@owl.orgJohn Kohl unknownJohn Lind john@starfire.mn.orgJohn Mackin john@physiol.su.oz.auJohn Merryweather Cooper jmcoopr@webmail.bmi.netJohn P johnp@lodgenet.comJohn Perry perry@vishnu.alias.netJohn Preisler john@vapornet.comJohn Reynolds jjreynold@home.comJohn Rochester jr@cs.mun.caJohn Sadler john_sadler@alum.mit.eduJohn Saunders john@pacer.nlc.net.auJohn Wehle john@feith.comJohn Woods jfw@eddie.mit.eduJohny Mattsson lonewolf@flame.orgJon Morgan morgan@terminus.trailblazer.comJonathan Belson jon@witchspace.comJonathan H N Chin jc254@newton.cam.ac.ukJonathan Hanna
jh@pc-21490.bc.rogers.wave.caJonathan Pennington john@coastalgeology.orgJorge Goncalves j@bug.fe.up.ptJorge M. Goncalves ee96199@tom.fe.up.ptJos Backus jbackus@plex.nlJose Marques jose@nobody.orgJosef Grosch
jgrosch@superior.mooseriver.comJoseph Stein joes@wstein.comJosh Gilliam josh@quick.netJosh Tiefenbach josh@ican.netJuergen Lock nox@jelal.hb.north.deJuha Inkari inkari@cc.hut.fiJukka A. Ukkonen jau@iki.fiJulian Assange proff@suburbia.netJulian Coleman j.d.coleman@ncl.ac.uk&a.jhsJulian Jenkins kaveman@magna.com.auJunichi Satoh junichi@jp.FreeBSD.orgJunji SAKAI sakai@jp.FreeBSD.orgJunya WATANABE junya-w@remus.dti.ne.jpJustas justas@mbank.lvJustin Stanford jus@security.za.netK.Higashino a00303@cc.hc.keio.ac.jpKai Vorma vode@snakemail.hut.fiKaleb S. Keithley kaleb@ics.comKaneda Hiloshi vanitas@ma3.seikyou.ne.jpKang-ming Liu gugod@gugod.orgKapil Chowksey kchowksey@hss.hns.comKarl Denninger karl@mcs.comKarl Dietz Karl.Dietz@triplan.comKarl Lehenbauer karl@NeoSoft.comKATO Tsuguru tkato@prontomail.ne.jpKawanobe Koh kawanobe@st.rim.or.jpKees Jan Koster kjk1@ukc.ac.ukKeith Bostic bostic@bostic.comKeith E. Walker kew@icehouse.netKeith Moore unknownKeith Sklower unknownKen Hornstein unknownKen Key key@cs.utk.eduKen Mayer kmayer@freegate.comKenji Saito marukun@mx2.nisiq.netKenji Tomita tommyk@da2.so-net.or.jpKenneth Furge kenneth.furge@us.endress.comKenneth Monville desmo@bandwidth.orgKenneth R. Westerback krw@tcn.netKenneth Stailey kstailey@gnu.ai.mit.eduKent Talarico kent@shipwreck.tsoft.netKent Vander Velden graphix@iastate.eduKentaro Inagaki JBD01226@niftyserve.ne.jpKevin Bracey kbracey@art.acorn.co.ukKevin Day toasty@dragondata.comKevin Lahey kml@nas.nasa.govKevin Meltzer perlguy@perlguy.comKevin Street street@iname.comKevin Van Maren vanmaren@fast.cs.utah.eduKiller killer@prosalg.noKim Scarborough sluggo@unknown.nuKiril Mitev kiril@ideaglobal.comKiroh HARADA kiroh@kh.rim.or.jpKlaus Herrmann klaus.herrmann@gmx.netKlaus Klein kleink@layla.inka.deKlaus-J. Wolf Yanestra@t-online.deKoichi Sato copan@ppp.fastnet.or.jpKonrad Heuer kheuer@gwdu60.gwdg.deKonstantin Chuguev Konstantin.Chuguev@dante.org.ukKostya Lukin lukin@okbmei.msk.suKouichi Hirabayashi kh@mogami-wire.co.jpKris Dow kris@vilnya.demon.co.ukKUNISHIMA Takeo kunishi@c.oka-pu.ac.jpKurt D. Zeilenga Kurt@Boolean.NETKurt Olsen kurto@tiny.mcs.usu.eduL. Jonas Olsson
ljo@ljo-slip.DIALIN.CWRU.EduLarry Altneu larry@ALR.COMLars Bernhardsson lab@fnurt.netLars Köller
Lars.Koeller@Uni-Bielefeld.DELaurence Lopez lopez@mv.mv.comLee Cremeans lcremean@tidalwave.netLeo Kim leo@florida.sarang.netLeo Serebryakov lev@serebryakov.spb.ruLiang Tai-hwa
avatar@www.mmlab.cse.yzu.edu.twLon Willett lon%softt.uucp@math.utah.eduLouis A. Mamakos louie@TransSys.COMLouis Mamakos loiue@TransSys.comLowell Gilbert lowell@world.std.comLucas James Lucas.James@ldjpc.apana.org.auLyndon Nerenberg lyndon@orthanc.ab.caM. L. Dodson bdodson@scms.utmb.EDUM.C. Wong unknownMagnus Enbom dot@tinto.campus.luth.seMahesh Neelakanta mahesh@gcomm.comMakoto MATSUSHITA matusita@jp.FreeBSD.orgMakoto WATANABE
watanabe@zlab.phys.nagoya-u.ac.jpMakoto YAMAKURA makoto@pinpott.spnet.ne.jpMalte Lance malte.lance@gmx.netMANTANI Nobutaka nobutaka@nobutaka.comManu Iyengar
iyengar@grunthos.pscwa.psca.comMarc Frajola marc@dev.comMarc Ramirez mrami@mramirez.sy.yale.eduMarc Slemko marcs@znep.comMarc van Kempen wmbfmk@urc.tue.nlMarc van Woerkom van.woerkom@netcologne.deMarcin Cieslak saper@system.plMark Andrews unknownMark Cammidge mark@gmtunx.ee.uct.ac.zaMark Diekhans markd@grizzly.comMark Huizer xaa@stack.nlMark J. Taylor mtaylor@cybernet.comMark Knight markk@knigma.orgMark Krentel krentel@rice.eduMark Mayo markm@vmunix.comMark Thompson thompson@tgsoft.comMark Tinguely tinguely@plains.nodak.eduMark Treacy unknownMark Valentine mark@thuvia.orgMarkus Holmberg saska@acc.umu.seMartin Birgmeier unknownMartin Blapp blapp@attic.chMartin Hinner mhi@linux.gyarab.czMartin Ibert mib@ppe.bb-data.deMartin Kammerhofer dada@sbox.tu-graz.ac.atMartin Minkus diskiller@cnbinc.comMartin Renters martin@tdc.on.caMartti Kuparinen
martti.kuparinen@ericsson.comMasachika ISHIZUKA
ishizuka@isis.min.ntt.jpMasahiro Sekiguchi
seki@sysrap.cs.fujitsu.co.jpMasahiro TAKEMURA
mastake@msel.t.u-tokyo.ac.jpMasanobu Saitoh msaitoh@spa.is.uec.ac.jpMasanori Kanaoka kana@saijo.mke.mei.co.jpMasanori Kiriake seiken@ARGV.ACMasatoshi TAMURA
tamrin@shinzan.kuee.kyoto-u.ac.jpMats Lofkvist mal@algonet.seMatt Bartley mbartley@lear35.cytex.comMatt Heckaman matt@LUCIDA.QC.CAMatt Thomas matt@3am-software.comMatt White mwhite+@CMU.EDUMatthew C. Mead mmead@Glock.COMMatthew Cashdollar mattc@rfcnet.comMatthew Emmerton root@gabby.gsicomp.on.caMatthew Flatt mflatt@cs.rice.eduMatthew Fuller fullermd@futuresouth.comMatthew Stein matt@bdd.netMatthew West mwest@uct.ac.zaMatthias Pfaller leo@dachau.marco.deMatthias Scheler tron@netbsd.orgMattias Gronlund
Mattias.Gronlund@sa.erisoft.seMattias Pantzare pantzer@ludd.luth.seMaurice Castro
maurice@planet.serc.rmit.edu.auMax Euston meuston@jmrodgers.comMax Khon fjoe@husky.iclub.nsu.ruMaxim Bolotin max@rsu.ruMaxim Konovalov maxim@macomnet.ruMaxime Henrion mhenrion@cybercable.frMicha Class
michael_class@hpbbse.bbn.hp.comMichael Alyn Miller malyn@strangeGizmo.comMichael Lucas mwlucas@blackhelicopters.orgMichael Lyngbøl michael@lyngbol.dkMichael Butler imb@scgt.oz.auMichael Butschky butsch@computi.erols.comMichael Clay mclay@weareb.orgMichael Galassi nerd@percival.rain.comMichael Hancock michaelh@cet.co.jpMichael Hohmuth hohmuth@inf.tu-dresden.deMichael Perlman canuck@caam.rice.eduMichael Petry petry@netwolf.NetMasters.comMichael Reifenberger root@totum.plaut.deMichael Sardo jaeger16@yahoo.comMichael Searle searle@longacre.demon.co.ukMichael Urban murban@tznet.comMichael Vasilenko acid@stu.cn.uaMichal Listos mcl@Amnesiac.123.orgMichio Karl Jinbo
karl@marcer.nagaokaut.ac.jpMiguel Angel Sagreras
msagre@cactus.fi.uba.arMihoko Tanaka m_tonaka@pa.yokogawa.co.jpMika Nystrom mika@cs.caltech.eduMikael Hybsch micke@dynas.seMikael Karpberg
karpen@ocean.campus.luth.seMike Bristow mike@urgle.comMike Del repenting@hotmail.comMike Durian durian@plutotech.comMike Durkin mdurkin@tsoft.sf-bay.orgMike E. Matsnev mike@azog.cs.msu.suMike Evans mevans@candle.comMike Futerko mike@LITech.lviv.uaMike Grupenhoff kashmir@umiacs.umd.eduMike Harding mvh@ix.netcom.comMike Hibler mike@marker.cs.utah.eduMike Karels unknownMike McGaughey mmcg@cs.monash.edu.auMike Meyer mwm@mired.orgMike Mitchell mitchell@ref.tfs.comMike Murphy mrm@alpharel.comMike Peck mike@binghamton.eduMike Sherwood mike@fate.comMike Spengler mks@msc.eduMikhail A. Sokolov mishania@demos.suMing-I Hseh PA@FreeBSD.ee.Ntu.edu.TWMitsuru Yoshida mitsuru@riken.go.jpMonte Mitzelfelt monte@gonefishing.orgMorgan Davis root@io.cts.comMOROHOSHI Akihiko moro@race.u-tokyo.ac.jpMostyn Lewis mostyn@mrl.comMotomichi Matsuzaki mzaki@e-mail.ne.jpMotoyuki Kasahara m-kasahr@sra.co.jpN.G.Smith ngs@sesame.hensa.ac.ukNadav Eiron nadav@barcode.co.ilNAGAO Tadaaki nagao@cs.titech.ac.jpNAKAJI Hiroyuki
nakaji@tutrp.tut.ac.jpNAKAMURA Kazushi nkazushi@highway.or.jpNAKAMURA Motonori
motonori@econ.kyoto-u.ac.jpNAKATA, Maho chat95@mbox.kyoto-inet.or.jpNanbor Wang nw1@cs.wustl.eduNaofumi Honda
honda@Kururu.math.sci.hokudai.ac.jpNaoki Hamada nao@tom-yam.or.jpNarvi narvi@haldjas.folklore.eeNathan Dorfman nathan@rtfm.netNeal Fachan kneel@ishiboo.comNiall Smart rotel@indigo.ieNicholas Esborn nick@netdot.netNick Barnes Nick.Barnes@pobox.comNick Handel nhandel@NeoSoft.comNick Hilliard nick@foobar.orgNick Johnson freebsd@spatula.netNick Williams njw@cs.city.ac.ukNickolay N. Dudorov nnd@itfs.nsk.suNIIMI Satoshi sa2c@and.or.jpNiklas Hallqvist niklas@filippa.appli.seNils M. Holm nmh@t3x.orgNisha Talagala nisha@cs.berkeley.eduNo Name adrian@virginia.eduNo Name alex@elvisti.kiev.uaNo Name anto@netscape.netNo Name bobson@egg.ics.nitch.ac.jpNo Name bovynf@awe.beNo Name burg@is.ge.comNo Name chris@gnome.co.ukNo Name colsen@usa.netNo Name coredump@nervosa.comNo Name dannyman@arh0300.urh.uiuc.eduNo Name davids@SECNET.COMNo Name derek@free.orgNo Name devet@adv.IAEhv.nlNo Name djv@bedford.netNo Name dvv@sprint.netNo Name enami@ba2.so-net.or.jpNo Name flash@eru.tubank.msk.suNo Name flash@hway.ruNo Name fn@pain.csrv.uidaho.eduNo Name frf@xocolatl.comNo Name gclarkii@netport.neosoft.comNo Name gordon@sheaky.lonestar.orgNo Name graaf@iae.nlNo Name greg@greg.rim.or.jpNo Name grossman@cygnus.comNo Name gusw@fub46.zedat.fu-berlin.deNo Name hfir@math.rochester.eduNo Name hnokubi@yyy.or.jpNo Name iaint@css.tuu.utas.edu.auNo Name invis@visi.comNo Name ishisone@sra.co.jpNo Name iverson@lionheart.comNo Name jpt@magic.netNo Name junker@jazz.snu.ac.krNo Name k-sugyou@ccs.mt.nec.co.jpNo Name kenji@reseau.toyonaka.osaka.jpNo Name kfurge@worldnet.att.netNo Name lh@aus.orgNo Name lhecking@nmrc.ucc.ieNo Name mrgreen@mame.mu.oz.auNo Name nakagawa@jp.FreeBSD.orgNo Name ohki@gssm.otsuka.tsukuba.ac.jpNo Name owaki@st.rim.or.jpNo Name pechter@shell.monmouth.comNo Name pete@pelican.pelican.comNo Name pritc003@maroon.tc.umn.eduNo Name risner@stdio.comNo Name roman@rpd.univ.kiev.uaNo Name root@ns2.redline.ruNo Name root@uglabgw.ug.cs.sunysb.eduNo Name stephen.ma@jtec.com.auNo Name sumii@is.s.u-tokyo.ac.jpNo Name takas-su@is.aist-nara.ac.jpNo Name tamone@eig.unige.chNo Name tjevans@raleigh.ibm.comNo Name tony-o@iij.ad.jp amurai@spec.co.jpNo Name torii@tcd.hitachi.co.jpNo Name uenami@imasy.or.jpNo Name uhlar@netlab.skNo Name vode@hut.fiNo Name wlloyd@mpd.caNo Name wlr@furball.wellsfargo.comNo Name wmbfmk@urc.tue.nlNo Name yamagata@nwgpc.kek.jpNo Name ziggy@ryan.orgNo Name ZW6T-KND@j.asahi-net.or.jpNobuhiro Yasutomi nobu@psrc.isac.co.jpNobuyuki Koganemaru
kogane@koganemaru.co.jpNOKUBI Hirotaka h-nokubi@yyy.or.jpNorio Suzuki nosuzuki@e-mail.ne.jpNoritaka Ishizumi graphite@jp.FreeBSD.orgNoriyuki Soda soda@sra.co.jpOddbjorn Steffenson oddbjorn@tricknology.orgOh Junseon hollywar@mail.holywar.netOlaf Wagner wagner@luthien.in-berlin.deOleg Semyonov os@altavista.netOleg Sharoiko os@rsu.ruOleg V. Volkov rover@lglobus.ruOlexander Kunytsa kunia@wolf.istc.kiev.uaOliver Breuninger ob@seicom.NETOliver Friedrichs oliver@secnet.comOliver Fromme
oliver.fromme@heim3.tu-clausthal.deOliver Helmling
oliver.helmling@stud.uni-bayreuth.deOliver Laumann
net@informatik.uni-bremen.deOliver Lehmann
Kai_Allard_Liao@gmx.deOliver Oberdorf oly@world.std.comOlof Johansson offe@ludd.luth.seOsokin Sergey aka oZZ ozz@FreeBSD.org.ruPace Willisson pace@blitz.comPaco Rosich rosich@modico.eleinf.uv.esPalle Girgensohn girgen@partitur.seParag Patel parag@cgt.comPascal Pederiva pascal@zuo.dec.comPasvorn Boonmark boonmark@juniper.netPatrick Alken cosine@ellipse.mcs.drexel.eduPatrick Bihan-Faou patrick@mindstep.comPatrick Hausen unknownPatrick Li pat@databits.netPatrick Seal patseal@hyperhost.netPaul Antonov apg@demos.suPaul F. Werkowski unknownPaul Fox pgf@foxharp.boston.ma.usPaul Koch koch@thehub.com.auPaul Kranenburg pk@NetBSD.orgPaul M. Lambert plambert@plambert.netPaul Mackerras paulus@cs.anu.edu.auPaul Popelka paulp@uts.amdahl.comPaul S. LaFollette, Jr. unknownPaul Sandys myj@nyct.netPaul T. Root proot@horton.iaces.comPaul Vixie paul@vix.comPaulo Menezes paulo@isr.uc.ptPaulo Menezes pm@dee.uc.ptPedro A M Vazquez vazquez@IQM.Unicamp.BRPedro Giffuni giffunip@asme.orgPer Wigren wigren@home.sePete Bentley pete@demon.netPete Fritchman petef@databits.netPeter Childs pjchilds@imforei.apana.org.auPeter Cornelius pc@inr.fzk.dePeter Haight peterh@prognet.comPeter Jeremy peter.jeremy@alcatel.com.auPeter M. Chen pmchen@eecs.umich.eduPeter Much peter@citylink.dinoex.sub.orgPeter Olsson unknownPeter Philipp pjp@bsd-daemon.netPeter Stubbs PETERS@staidan.qld.edu.auPeter van Heusden pvh@egenetics.comPhil Maker pjm@cs.ntu.edu.auPhil Sutherland
philsuth@mycroft.dialix.oz.auPhil Taylor phil@zipmail.co.ukPhilip Musumeci philip@rmit.edu.auPhilippe Lefebvre nemesis@balistik.netPierre Y. Dampure pierre.dampure@k2c.co.ukPius Fischer pius@ienet.comPomegranate daver@flag.blackened.netPowerdog Industries
kevin.ruddy@powerdog.comPriit Järv priit@cc.ttu.eeR Joseph Wright rjoseph@mammalia.orgR. Kym HorsellRalf Friedl friedl@informatik.uni-kl.deRandal S. Masutani randal@comtest.comRandall Hopper rhh@ct.picker.comRandall W. Dean rwd@osf.orgRandy Bush rbush@bainbridge.verio.netRasmus Kaj kaj@Raditex.seReinier Bezuidenhout
rbezuide@mikom.csir.co.zaRemy Card Remy.Card@masi.ibp.frRicardas Cepas rch@richard.eu.orgRiccardo Veraldi veraldi@cs.unibo.itRich Wood rich@FreeBSD.org.ukRichard Henderson richard@atheist.tamu.eduRichard Hwang rhwang@bigpanda.comRichard Kiss richard@homemail.comRichard J Kuhns rjk@watson.grauel.comRichard M. Neswold
rneswold@enteract.comRichard Seaman, Jr. dick@tar.comRichard Stallman rms@gnu.ai.mit.eduRichard Straka straka@user1.inficad.comRichard Tobin richard@cogsci.ed.ac.ukRichard Wackerbarth rkw@Dataplex.NETRichard Winkel rich@math.missouri.eduRichard Wiwatowski rjwiwat@adelaide.on.netRick Macklem rick@snowhite.cis.uoguelph.caRick Macklin unknownRob Austein sra@epilogue.comRob Mallory rmallory@qualcomm.comRob Snow rsnow@txdirect.netRobert Crowe bob@speakez.comRobert D. Thrush rd@phoenix.aii.comRobert Eckardt
roberte@MEP.Ruhr-Uni-Bochum.deRobert P Ricci ricci@cs.utah.eduRobert Sanders rsanders@mindspring.comRobert Sexton robert@kudra.comRobert Shady rls@id.netRobert Swindells swindellsr@genrad.co.ukRobert Withrow witr@rwwa.comRobert Yoder unknownRobin Carey
robin@mailgate.dtc.rankxerox.co.ukRod Taylor rod@idiotswitch.orgRoger Hardiman roger@cs.strath.ac.ukRoland Jesse jesse@cs.uni-magdeburg.deRoman Shterenzon roman@xpert.comRon Bickers rbickers@intercenter.netRon Lenk rlenk@widget.xmission.comRonald Kuehn kuehn@rz.tu-clausthal.deRudolf Cejka cejkar@dcse.fee.vutbr.czRuslan Belkin rus@home2.UA.netRuslan Shevchenko rssh@cam.grad.kiev.uaRussell L. Carter rcarter@pinyon.orgRussell Vincent rv@groa.uct.ac.zaRyan Younce ryany@pobox.comRyuichiro IMURA imura@af.airnet.ne.jpSakai Hiroaki sakai@miya.ee.kagu.sut.ac.jpSakari Jalovaara sja@tekla.fiSam Hartman hartmans@mit.eduSamuel Lam skl@ScalableNetwork.comSamuel Tardieu sam@inf.enst.frSamuele Zannoli zannoli@cs.unibo.itSander Janssen janssen@rendo.dekooi.nlSander Vesik sander@haldjas.folklore.eeSandro Sigala ssigala@globalnet.itSANETO Takanori sanewo@strg.sony.co.jpSASAKI Shunsuke ele@pop17.odn.ne.jpSascha Blank blank@fox.uni-trier.deSascha Wildner swildner@channelz.GUN.deSatoh Junichi junichi@astec.co.jpSAWADA Mizuki miz@qb3.so-net.ne.jpScot Elliott scot@poptart.orgScot W. Hetzel hetzels@westbend.netScott A. Kenney saken@rmta.ml.orgScott A. Moberly smoberly@xavier.dyndns.orgScott Blachowicz
scott.blachowicz@seaslug.orgScott Burris scott@pita.cns.ucla.eduScott Hazen Mueller scott@zorch.sf-bay.orgScott Michel scottm@cs.ucla.eduScott Mitchel scott@uk.FreeBSD.orgScott Reynolds scott@clmqt.marquette.mi.usSebastian Strollo seb@erix.ericsson.seSerge V. Vakulenko vak@zebub.msk.suSergei Chechetkin csl@whale.sunbay.crimea.uaSergei S. Laskavy laskavy@pc759.cs.msu.suSergey Gershtein sg@mplik.ruSergey Kosyakov ks@itp.ac.ruSergey N. Vorokov serg@tmn.ruSergey Potapov sp@alkor.ruSergey Samoyloff gonza@techline.ruSergey Shkonda serg@bcs.zp.uaSergey Skvortsov skv@protey.ruSergey V.Dorokhov svd@kbtelecom.nalnet.ruSergio Lenzi lenzi@bsi.com.brShaun Courtney shaun@emma.eng.uct.ac.zaShawn M. Carey smcarey@mailbox.syr.eduShigio Yamaguchi shigio@tamacom.comShinya Esu esu@yk.rim.or.jpShinya FUJIE fujie@tk.elec.waseda.ac.jpShuichi Tanaka stanaka@bb.mbn.or.jpSimon simon@masi.ibp.frSimon Burge simonb@telstra.com.auSimon Dick simond@irrelevant.orgSimon J Gerraty sjg@melb.bull.oz.auSimon Marlow simonm@dcs.gla.ac.ukSimon Shapiro shimon@simon-shapiro.orgSin'ichiro MIYATANI siu@phaseone.co.jpSlaven Rezic eserte@cs.tu-berlin.deSoochon Radee slr@mitre.orgSoren Dayton csdayton@midway.uchicago.eduSoren Dossing sauber@netcom.comSoren S. Jorvang soren@wheel.dkStefan Bethke stb@hanse.deStefan Eggers seggers@semyam.dinoco.deStefan Moeding s.moeding@ndh.netStefan Petri unknownStefan `Sec` Zehl sec@42.orgSteinar Haug sthaug@nethelp.noStephane E. Potvin sepotvin@videotron.caStephane Legrand stephane@lituus.frStephen Clawson
sclawson@marker.cs.utah.eduStephen F. Combs combssf@salem.ge.comStephen Farrell stephen@farrell.orgStephen Hocking sysseh@devetir.qld.gov.auStephen J. Roznowski sjr@home.netStephen McKay syssgm@devetir.qld.gov.auStephen Melvin melvin@zytek.comSteve Bauer sbauer@rock.sdsmt.eduSteve Coltrin spcoltri@unm.eduSteve Deering unknownSteve Gerakines steve2@genesis.tiac.netSteve Gericke steveg@comtrol.comSteve Piette steve@simon.chi.il.USSteve Schwarz schwarz@alpharel.comSteven Enderle panic@subphase.deSteven G. Kargl
kargl@troutmask.apl.washington.eduSteven H. Samorodin samorodi@NUXI.comSteven McCanne mccanne@cs.berkeley.eduSteven Plite splite@purdue.eduSteven Wallace unknownStijn Hoop stijn@win.tue.nlStuart Henderson
stuart@internationalschool.co.ukSue Blake sue@welearn.com.auSugimoto Sadahiro ixtl@komaba.utmc.or.jpSUGIMURA Takashi sugimura@jp.FreeBSD.orgSugiura Shiro ssugiura@duo.co.jpSujal Patel smpatel@wam.umd.eduSungman Cho smcho@tsp.korea.ac.krSune Stjerneby stjerneby@usa.netSURANYI Peter
suranyip@jks.is.tsukuba.ac.jpSuzuki Yoshiaki
zensyo@ann.tama.kawasaki.jpSvein Skogen
tds@nsn.noSybolt de Boer bolt@xs4all.nlTadashi Kumano kumano@strl.nhk.or.jpTaguchi Takeshi taguchi@tohoku.iij.ad.jpTAKAHASHI Kaoru kaoru@kaisei.orgTakahiro Yugawa yugawa@orleans.rim.or.jpTakashi Mega mega@minz.orgTakashi Uozu j1594016@ed.kagu.sut.ac.jpTakayuki Ariga a00821@cc.hc.keio.ac.jpTakeru NAIKI naiki@bfd.es.hokudai.ac.jpTakeshi Amaike amaike@iri.co.jpTakeshi MUTOH mutoh@info.nara-k.ac.jpTakeshi Ohashi
ohashi@mickey.ai.kyutech.ac.jpTakeshi WATANABE
watanabe@crayon.earth.s.kobe-u.ac.jpTakuya SHIOZAKI
tshiozak@makino.ise.chuo-u.ac.jpTatoku Ogaito tacha@tera.fukui-med.ac.jpTatsuya Kudoh cdr@cosmonet.orgTed Buswell tbuswell@mediaone.netTed Faber faber@isi.eduTed Lemon mellon@isc.orgTerry Lambert terry@lambert.orgTerry Lee terry@uivlsi.csl.uiuc.eduTetsuya Furukawa tetsuya@secom-sis.co.jpTheo de Raadt deraadt@OpenBSD.orgThomas thomas@mathematik.uni-Bremen.deThomas D. Dean tomdean@ix.netcom.comThomas David Rivers rivers@dignus.comThomas G. McWilliams tgm@netcom.comThomas Graichen
graichen@omega.physik.fu-berlin.deThomas König
Thomas.Koenig@ciw.uni-karlsruhe.deThomas Ptacek unknownThomas Quinot thomas@cuivre.fr.eu.orgThomas A. Stephens tas@stephens.orgThomas Stromberg tstrombe@rtci.comThomas Valentino Crimi
tcrimi+@andrew.cmu.eduThomas Wintergerst thomas@lemur.nord.deÞórður Ívarsson
totii@est.isThierry Thomas tthomas@mail.dotcom.frTimothy Jensen toast@blackened.comTim Kientzle kientzle@netcom.comTim Singletary
tsingle@sunland.gsfc.nasa.govTim Wilkinson tim@sarc.city.ac.ukTimo J. Rinne tri@iki.fiTobias Reifenberger treif@mayn.deTodd Miller millert@openbsd.orgTom root@majestix.cmr.noTom tom@sdf.comTom Gray - DCA dcasba@rain.orgTom Jobbins tom@tom.tjTom Pusateri pusateri@juniper.netTom Rush tarush@mindspring.comTom Samplonius tom@misery.sdf.comTomohiko Kurahashi
kura@melchior.q.t.u-tokyo.ac.jpTony Kimball alk@Think.COMTony Li tli@jnx.comTony Lynn wing@cc.nsysu.edu.twTony Maher tonym@angis.org.auTorbjorn Granlund tege@matematik.su.seToshihiko SHIMOKAWA toshi@tea.forus.or.jpToshihiro Kanda candy@kgc.co.jpToshiomi Moriki
Toshiomi.Moriki@ma1.seikyou.ne.jpTrefor S. trefor@flevel.co.ukTrenton Schulz twschulz@cord.eduTrevor Blackwell tlb@viaweb.comUdo Schweigert ust@cert.siemens.deUgo Paternostro paterno@dsi.unifi.itUlf Kieber kieber@sax.deUlli Linzen ulli@perceval.camelot.deURATA Shuichiro s-urata@nmit.tmg.nec.co.jpUwe Arndt arndt@mailhost.uni-koblenz.deVadim Belman vab@lflat.vas.mobilix.dkVadim Chekan vadim@gc.lviv.uaVadim Kolontsov vadim@tversu.ac.ruVadim Mikhailov mvp@braz.ruValentin Nechayev netch@lucky.net&a.logo;Van Jacobson van@ee.lbl.govVasily V. Grechishnikov
bazilio@ns1.ied-vorstu.ac.ruVasim Valejev vasim@uddias.diaspro.comVernon J. Schryver vjs@mica.denver.sgi.comVeselin Slavov vess@btc.netVic Abell abe@cc.purdue.eduVille Eerola ve@sci.fiVince Valenti vince@blue-box.netVincent Poy vince@venus.gaianet.netVincenzo Capuano
VCAPUANO@vmprofs.esoc.esa.deVirgil Champlin champlin@pa.dec.comVladimir A. Jakovenko
vovik@ntu-kpi.kiev.uaVladimir Kushnir kushn@mail.kar.netVsevolod Lobko seva@alex-ua.comW. Gerald Hicks wghicks@bellsouth.netW. Richard Stevens rstevens@noao.eduWalt Howard howard@ee.utah.eduWalt M. Shandruk walt@erudition.netWarren Toomey wkt@csadfa.cs.adfa.oz.auWayne Scott wscott@ichips.intel.comWerner Griessl
werner@btp1da.phy.uni-bayreuth.deWes Santee wsantee@wsantee.oz.netWietse Venema wietse@wzv.win.tue.nlWiljo Heinen wiljo@freeside.ki.open.deWillem Jan Withagen wjw@surf.IAE.nlWilliam Jolitz withheldWilliam Liao william@tale.netWojtek Pilorz
wpilorz@celebris.bdk.lublin.plWolfgang Helbig helbig@ba-stuttgart.deWolfgang Solfrank ws@tools.deWolfgang Stanglmeier wolf@FreeBSD.orgWu Ching-hong woju@FreeBSD.ee.Ntu.edu.TWYarema yds@ingress.comYaroslav Terletsky ts@polynet.lviv.uaYasuhiro Fukama yasuf@big.or.jpYasuhito FUTATSUKI futatuki@fureai.or.jpYen-Ming Lee leeym@bsd.ce.ntu.edu.twYen-Shuo Su yssu@CCCA.NCTU.edu.twYin-Jieh Chen yinjieh@Crazyman.Dorm13.NCTU.edu.twYixin Jin yjin@rain.cs.ucla.eduYoichi Asai yatt@msc.biglobe.ne.jpYoichi Nakayama yoichi@eken.phys.nagoya-u.ac.jpYoshiaki Uchikawa yoshiaki@kt.rim.or.jpYoshihiko SARUMRU mistral@imasy.or.jpYoshihisa NAKAGAWA
y-nakaga@ccs.mt.nec.co.jpYoshikazu Goto gotoh@ae.anritsu.co.jpYoshimasa Ohnishi
ohnishi@isc.kyutech.ac.jpYoshishige Arai ryo2@on.rim.or.jpYuichi MATSUTAKA matutaka@osa.att.ne.jpYujiro MIYATA
miyata@bioele.nuee.nagoya-u.ac.jpYu-Shun Wang yushunwa@isi.eduYusuke Nawano azuki@azkey.orgYuu Yashiki s974123@cc.matsuyama-u.ac.jpYuuki SAWADA mami@whale.cc.muroran-it.ac.jpYuuichi Narahara aconitum@po.teleway.ne.jpYuval Yarom yval@cs.huji.ac.ilYves Fonk yves@cpcoup5.tn.tudelft.nlYves Fonk yves@dutncp8.tn.tudelft.nlZach Heilig zach@gaffaneys.comZach Zurflu zach@pabst.bendnet.comZahemszhky Gabor zgabor@code.huZhong Ming-Xun zmx@mail.CDPA.nsysu.edu.tw386BSD Patch Kit Patch Contributors(in alphabetical order by first name):Adam Glass glass@postgres.berkeley.eduAdrian Hall ahall@mirapoint.comAndrey A. Chernov ache@astral.msk.suAndrew Herbert andrew@werple.apana.org.auAndrew Moore alm@netcom.comAndy Valencia ajv@csd.mot.comjtk@netcom.comArne Henrik Juul arnej@Lise.Unit.NOBakul Shah bvs@bitblocks.comBarry Lustig barry@ictv.comBob Wilcox bob@obiwan.uucpBranko LankesterBrett Lymn blymn@mulga.awadi.com.AUCharles Hannum mycroft@ai.mit.eduChris G. Demetriou
cgd@postgres.berkeley.eduChris Torek torek@ee.lbl.govChristoph Robitschko
chmr@edvz.tu-graz.ac.atDaniel Poirot poirot@aio.jsc.nasa.govDave Burgess burgess@hrd769.brooks.af.milDave Rivers rivers@ponds.uucpDavid Dawes dawes@physics.su.OZ.AUDavid Greenman dg@Root.COMEric J. Haug ejh@slustl.slu.eduFelix Gaehtgens
felix@escape.vsse.in-berlin.deFrank Maclachlan fpm@crash.cts.comGary A. Browning gab10@griffcd.amdahl.comGary Howland gary@hotlava.comGeoff Rehmet csgr@alpha.ru.ac.zaGoran Hammarback goran@astro.uu.seGuido van Rooij guido@gvr.orgGuy Antony Halse guy@rucus.ru.ac.zaGuy Harris guy@auspex.comHavard Eidnes
Havard.Eidnes@runit.sintef.noHerb Peyerl hpeyerl@novatel.cuc.ab.caHolger Veit Holger.Veit@gmd.deIshii Masahiro, R. Kym HorsellJ.T. Conklin jtc@cygnus.comJagane D Sundar jagane@netcom.comJames Clark jjc@jclark.comJames Jegers jimj@miller.cs.uwm.eduJames W. DolterJames da Silva jds@cs.umd.edu et alJay Fenlason hack@datacube.comJim Wilson wilson@moria.cygnus.comJörg Lohse
lohse@tech7.informatik.uni-hamburg.deJörg Wunsch
joerg_wunsch@uriah.heep.sax.deJohn DysonJohn Woods jfw@eddie.mit.eduJordan K. Hubbard jkh@whisker.hubbard.ieJulian Elischer julian@dialix.oz.auJulian Stacey jhs@FreeBSD.orgKarl Dietz Karl.Dietz@triplan.comKarl Lehenbauer karl@NeoSoft.comkarl@one.neosoft.comKeith Bostic bostic@toe.CS.Berkeley.EDUKen HughesKent Talarico kent@shipwreck.tsoft.netKevin Lahey kml%rokkaku.UUCP@mathcs.emory.edukml@mosquito.cis.ufl.eduKonstantinos Konstantinidis kkonstan@duth.grMarc Frajola marc@dev.comMark Tinguely tinguely@plains.nodak.edutinguely@hookie.cs.ndsu.NoDak.eduMartin Renters martin@tdc.on.caMichael Clay mclay@weareb.orgMichael Galassi nerd@percival.rain.comMike Durkin mdurkin@tsoft.sf-bay.orgNaoki Hamada nao@tom-yam.or.jpNate Williams nate@bsd.coe.montana.eduNick Handel nhandel@NeoSoft.comnick@madhouse.neosoft.comPace Willisson pace@blitz.comPaul Kranenburg pk@cs.few.eur.nlPaul Mackerras paulus@cs.anu.edu.auPaul Popelka paulp@uts.amdahl.comPeter da Silva peter@NeoSoft.comPhil Sutherland
philsuth@mycroft.dialix.oz.auPoul-Henning Kamp phk@FreeBSD.orgRalf Friedl friedl@informatik.uni-kl.deRick Macklem root@snowhite.cis.uoguelph.caRobert D. Thrush rd@phoenix.aii.comRodney W. Grimes rgrimes@cdrom.comSascha Wildner swildner@channelz.GUN.deScott Burris scott@pita.cns.ucla.eduScott Reynolds scott@clmqt.marquette.mi.usSean Eric Fagan sef@kithrup.comSimon J Gerraty sjg@melb.bull.oz.ausjg@zen.void.oz.auStephen McKay syssgm@devetir.qld.gov.auTerry Lambert terry@icarus.weber.eduTerry Lee terry@uivlsi.csl.uiuc.eduTor Egge Tor.Egge@idi.ntnu.noWarren Toomey wkt@csadfa.cs.adfa.oz.auWiljo Heinen wiljo@freeside.ki.open.deWilliam Jolitz withheldWolfgang Solfrank ws@tools.deWolfgang Stanglmeier wolf@dentaro.GUN.deYuval Yarom yval@cs.huji.ac.il
diff --git a/en_US.ISO8859-1/books/handbook/install/chapter.sgml b/en_US.ISO8859-1/books/handbook/install/chapter.sgml
index f8befd6df2..2c31e2c034 100644
--- a/en_US.ISO8859-1/books/handbook/install/chapter.sgml
+++ b/en_US.ISO8859-1/books/handbook/install/chapter.sgml
@@ -1,2125 +1,2125 @@
JimMockRestructured, reorganized, and parts
rewrittenInstalling FreeBSDSynopsisinstallationThe following chapter will attempt to guide you through the
installation of FreeBSD on your system. It can be installed through a
variety of methods, including anonymous FTP (assuming you have
network connectivity via modem or local network), CDROM, floppy
disk, tape, an MS-DOS partition, or even NFS.No matter which method you choose, you will need to get started
by creating the installation disks as described
in the next section.
Booting into the FreeBSD installer, even if you are not planning on
installing FreeBSD right away, will provide important information
about compatibility with your hardware. This information may
dictate which installation options are even possible for you. It
can also provide clues early-on in the process to potential problems
you may come across later.installationnetworkanonymous FTPIf you plan to install FreeBSD via anonymous FTP, the only
things you will need are the installation floppies. The
installation program itself will handle anything else that is
required.For more information about obtaining FreeBSD, see the Obtaining FreeBSD section of the
Appendix.By now, you are probably wondering what exactly it is you need
to do. Continue on to the installation guide.Installation GuideThe following sections will guide you through preparing for and
actually installing FreeBSD. If you find something missing, please
let us know about it by sending email to the &a.doc;.Preparing for the InstallationThere are various things you should do in preparation for the
installation. The following describes what needs to be done prior to
each type of installation.The first thing to do is to make sure your hardware is
supported by FreeBSD. The list of supported hardware should
- come in handy here. ;-) It would also be a good idea to make a
+ come in handy here. It would also be a good idea to make a
list of any special cards you have installed,
such as SCSI controllers, Ethernet cards, sound cards, etc..
The list should include their IRQs and IO port addresses.Creating the Installation Floppiesinstallationboot floppiesinstallationCDROMYou may need to prepare some floppy disks. These disks will
be used to boot your computer in to the FreeBSD install process.
This step is not necessary if you are
installing from CDROM, and your computer
supports booting from the CDROM. If you do not meet these
requirements then you will need to create some floppies to boot
from.If you are not sure whether your computer can boot from the
CDROM it does not hurt to try. Just insert the CDROM as
normal and restart your computer. You might need to adjust some
options in your BIOS so that your computer will try and boot
from the CDROM drive before the hard disk.Even if you have the CDROM it might make sense for you to
download the files. There have been occasions where bugs in the
FreeBSD installer have been discovered after the CDs have been
released. When this happens the copies of the images on the FTP
site will be fixed as soon as possible. Obviously, it is not
possible to update the CDs after they have been pressed.Acquire the boot floppy imagesThese are files with a .flp
extension. If you have a CDROM release of FreeBSD then you
will find the files in the floppies
subdirectory. Alternatively, you can download the images from
the floppies directory of the FreeBSD FTP site or your local mirror.The names of the files you will need varies between
FreeBSD releases (sometimes) and the architecture you will be
installing on. The installation
boot image information on the FTP site provides
up-to-the-minute information about the specific files you will
need.Prepare the floppy disksYou must prepare one floppy disk per image file you had to
download. It is imperative that these disks are free from
defects. The easiest way to test this is to format the disks
for yourself. Do not trust pre-formatted floppies.If you try to install FreeBSD and the installation
program crashes, freezes, or otherwise misbehaves one of
the first things to suspect is the floppies. Try writing
the floppy image files to some other disks, and try
again.Write the image files to the floppy disks.The image files, such as kern.flp,
are not regular files you copy to the
disk. Instead, they are images of the complete contents of
the disk.This means that you can not use
commands like DOS' copy to write the
files. Instead, you must use specific tools to write the
images directly to the disk.DOSIf you are creating the floppies on a computer running DOS
then we provide a tool to do this called
fdimage.If you are using the floppies from the CDROM, and your
CDROM is the E: drive then you would
run this:E:\>tools\fdimage floppies\kern.flp A:Repeat this command for each .flp
file, replacing the floppy disk each time. Adjust the command
line as necessary, depending on where you have placed the
.flp files. If you do not have the
CDROM then fdimage can be downloaded from
the tools directory on the FreeBSD FTP site.If you are writing the floppies on a Unix system (such as
another FreeBSD system) you can use the &man.dd.1; command to
write the image files directly to disk. On FreeBSD you would
run:&prompt.root; dd if=kern.flp of=/dev/fd0On FreeBSD /dev/fd0 refers to the
first floppy disk (the A: drive).
/dev/fd1 would be the
B: drive, and so on. Other Unix
variants might have different names for the floppy disk
devices, and you will need to check the documentation for the
system as necessary.Before Installing from CDROMIf your CDROM is of an unsupported type, please skip ahead
to the MS-DOS Preparation
section.There is not a whole lot of preparation needed if you are
installing from one of BSDi's
FreeBSD CDROMs (other CDROM distributions may work as well,
though we cannot say for certain as we have no hand or say in
how they created). You can either boot into the CD installation
directly from DOS using the install.bat or
you can make floppies with the makeflp.bat
command.If the CD has El Torito boot support and your system
supports booting directly from the CDROM drive (many older
systems do NOT), simply insert the first
CD of the set into the drive and reboot your system. You
will be put into the installation menu directly from the CD.DOSIf you are installing from an MS-DOS partition and have
the proper drivers to access your CD, run the
install.bat script provided on the CDROM.
This will attempt to boot the FreeBSD installation directly
from DOS.You must do this from actual DOS (i.e., boot in DOS
mode) and not from a DOS window under Windows.For the easiest interface of all (from DOS), type
view. This will bring up a DOS menu utility
that leads you through all of the available options.UnixIf you are creating the boot floppies from a Unix machine,
see the Creating the Boot
Floppies section of this guide for examples.Once you have booted from DOS or floppy, you should then be
able to select CDROM as the media type during the install
process and load the entire distribution from CDROM. No other
types of installation media should be required.After your system is fully installed and you have rebooted
(from the hard disk), you can mount the CDROM at any time by
typing:&prompt.root; mount /cdromBefore removing the CD from the drive again, you must first
unmount it. This is done with the following command:&prompt.root; umount /cdromDo not just remove it from the drive!Before invoking the installation, be sure that the CDROM
is in the drive so that the install probe can find it. This
is also true if you wish the CDROM to be added to the default
system configuration automatically during the installation (whether
or not you actually use it as the installation media).installationnetworkFTPFinally, if you would like people to be able to FTP install
FreeBSD directly from the CDROM in your machine, you will find
it quite easy. After the machine is fully installed, you simply
need to add the following line to the password file (using the
vipw command):ftp:*:99:99::0:0:FTP:/cdrom:/nonexistentAnyone with network connectivity to your machine can now
chose a media type of FTP and type in
ftp://your machine
after picking Other in the FTP sites menu during
the install.If you choose to enable anonymous FTP during the
installation of your system, the installation program will do
the above for you.Before installing from FloppiesinstallationfloppiesIf you must install from floppy disk (which we suggest you
do NOT do), either due to unsupported
hardware or simply because you insist on doing things the hard
way, you must first prepare some floppies for the installation.At a minimum, you will need as many 1.44MB or 1.2MB floppies
as it takes to hold all the files in the
bin (binary distribution) directory. If
you are preparing the floppies from DOS, then they
MUST be formatted using the MS-DOS
FORMAT command. If you are using Windows,
use Explorer to format the disks (right-click on the
A: drive, and select "Format".Do NOT trust factory pre-formatted
floppies! Format them again yourself, just to be sure. Many
problems reported by our users in the past have resulted from
the use of improperly formatted media, which is why we are
making a point of it now.If you are creating the floppies on another FreeBSD machine,
a format is still not a bad idea, though you do not need to put
a DOS filesystem on each floppy. You can use the
disklabel and newfs
commands to put a UFS filesystem on them instead, as the
following sequence of commands (for a 3.5" 1.44MB floppy)
illustrates:&prompt.root; fdformat -f 1440 fd0.1440
&prompt.root; disklabel -w -r fd0.1440 floppy3
&prompt.root; newfs -t 2 -u 18 -l 1 -i 65536 /dev/fd0Use fd0.1200 and
floppy5 for 5.25" 1.2MB disks.Then you can mount and write to them like any other
filesystem.After you have formatted the floppies, you will need to copy
the files to them. The distribution files are split into chunks
conveniently sized so that 5 of them will fit on a conventional
1.44MB floppy. Go through all your floppies, packing as many
files as will fit on each one, until you have all of the
distributions you want packed up in this fashion. Each
distribution should go into a subdirectory on the floppy, e.g.:
a:\bin\bin.aa,
a:\bin\bin.ab, and so on.Once you come to the Media screen during the install
process, select Floppy and you will be prompted
for the rest.Before Installing from MS-DOSinstallationfrom MS-DOSTo prepare for an installation from an MS-DOS partition,
copy the files from the distribution into a directory named,
for example, c:\FreeBSD. The directory
structure of the CDROM or FTP site must be partially reproduced
within this directory, so we suggest using the DOS
xcopy command if you are copying it from a
CD. For example, to prepare for a minimal installation of
FreeBSD:C:\>md c:\FreeBSDC:\>xcopy e:\bin c:\FreeBSD\bin\ /sC:\>xcopy e:\manpages c:\FreeBSD\manpages\ /sAssuming that C: is where you have
free space and E: is where your CDROM
is mounted.If you do not have a CDROM drive, you can download the
distribution from
ftp.FreeBSD.org. Each distribution is in its own directory;
for example, the bin distribution can be
found in the &rel.current;/bin directory.For as many distributions you wish to install from an MS-DOS
partition (and you have the free space for), install each one
under c:\FreeBSD — the
BIN distribution is the only one required for
a minimum installation.Before Installing from QIC/SCSI Tapeinstallationfrom QIC/SCSI TapeInstalling from tape is probably the easiest method, short
of an online FTP install or CDROM install. The installation
program expects the files to be simply tarred onto the tape, so
after getting all of the distribution files you are interested
in, simply tar them onto the tape like so:&prompt.root; cd /freebsd/distdir
&prompt.root; tar cvf /dev/rwt0 dist1 ... dist2When you go to do the installation, you should also make
sure that you leave enough room in some temporary directory
(which you will be allowed to choose) to accommodate the
full contents of the tape you have created.
Due to the non-random access nature of tapes, this method of
installation requires quite a bit of temporary storage. You
should expect to require as much temporary storage as you have
stuff written on tape.When starting the installation, the tape must be in the
drive before booting from the boot
floppy. The installation probe may otherwise fail to find
it.Before Installing over a Networkinstallationnetworkserial (SLIP or PPP)installationnetworkparallel (PLIP)installationnetworkEthernetThere are three types of network installations you can do.
Serial port (SLIP or PPP), Parallel port (PLIP (laplink cable)),
or Ethernet (a standard Ethernet controller (includes some
PCMCIA)).The SLIP support is rather primitive, and limited primarily
to hard-wired links, such as a serial cable running between a
laptop computer and another computer. The link should be
hard-wired as the SLIP installation does not currently offer a
dialing capability; that facility is provided with the PPP
utility, which should be used in preference to SLIP whenever
possible.If you are using a modem, then PPP is almost certainly
your only choice. Make sure that you have your service
provider's information handy as you will need to know it fairly
early in the installation process.If you use PAP or CHAP to connect your ISP (in other
words, if you can connect to the ISP in Windows without
using a script), then all you will need to do is type in
dial at the
ppp prompt. Otherwise,
you will need to know
how to dial your ISP using the AT commands
specific to your modem, as the PPP dialer provides only a very
simple terminal emulator. Please refer
to the user-ppp handbook and FAQ entries for further
information. If you have problems, logging can be directed to
the screen using the command set log local
....If a hard-wired connection to another FreeBSD (2.0-R or
later) machine is available, you might also consider installing
over a laplink parallel port cable. The data rate
over the parallel port is much higher than what is typically
possible over a serial line (up to 50kbytes/sec), thus resulting
in a quicker installation.Finally, for the fastest possible network installation, an
Ethernet adapter is always a good choice! FreeBSD supports most
common PC Ethernet cards; a table of supported cards (and their
required settings) is provided in the Supported Hardware list. If you are
using one of the supported PCMCIA Ethernet cards, also be sure
that it is plugged in before the laptop is
powered on! FreeBSD does not, unfortunately, currently support
hot insertion of PCMCIA cards during installation.You will also need to know your IP address on the network,
the netmask value for your address class, and the name of your
machine. If you are installing over a PPP connection and do not
have a static IP, fear not, the IP address can be dynamically
assigned by your ISP. Your system administrator can tell you
which values to use for your particular network setup. If you
will be referring to other hosts by name rather than IP address,
you will also need a name server and possibly the address of a
gateway (if you are using PPP, it is your provider's IP address)
to use in talking to it. If you want to install by FTP via a
HTTP proxy (see below), you will also need the proxy's address.
If you do not know the answers to all or most of these questions,
then you should really probably talk to your system administrator
or ISP before trying this type of
installation.Before Installing via NFSinstallationnetworkNFSThe NFS installation is fairly straight-forward. Simply
copy the FreeBSD distribution files you want onto a server
somewhere and then point the NFS media selection at it.If this server supports only privileged port
(as is generally the default for Sun workstations), you will
need to set this option in the Options menu before
installation can proceed.If you have a poor quality Ethernet card which suffers
from very slow transfer rates, you may also wish to toggle the
appropriate Options flag.In order for NFS installation to work, the server must
support subdir mounts, e.g., if your FreeBSD 3.4 distribution
directory lives
on:ziggy:/usr/archive/stuff/FreeBSD, then
ziggy will have to allow the direct mounting
of /usr/archive/stuff/FreeBSD, not just
/usr or
/usr/archive/stuff.In FreeBSD's /etc/exports file, this
is controlled by the . Other NFS
servers may have different conventions. If you are getting
permission denied messages from the server, then
it is likely that you do not have this enabled
properly.Before Installing via FTPinstallationnetworkFTPFTP installation may be done from any FreeBSD mirror site
containing a reasonably up-to-date version of FreeBSD. A full
list of FTP mirrors located all over the world is provided
during the install process.If you are installing from an FTP site not listed in this
menu, or are having trouble getting your name server
configured properly, you can also specify a URL to use by
selecting the choice labeled Other in that menu.
You can also use the IP address of a machine you wish to
install from, so the following would work in the absence of a
name server:ftp://209.55.82.20/pub/FreeBSD/&rel.current;-RELEASEThere are three FTP installation modes you can choose from:
active or passive FTP or via a HTTP proxy.FTP ActiveThis option will make all FTP transfers
use Active
mode. This will not work through firewalls, but will
often work with older FTP servers that do not support
passive mode. If your connection hangs with passive
mode (the default), try active!FTP PassiveFTPPassive modeThis option instructs FreeBSD to use
Passive mode for all FTP operations.
This allows the user to pass through firewalls
that do not allow incoming connections on random port
addresses.FTP via a HTTP proxyFTPvia a HTTP proxyThis option instructs FreeBSD to use the HTTP
protocol (like a web browser) to connect to a proxy
for all FTP operations. The proxy will translate
the requests and send them to the FTP server.
This allows the user to pass through firewalls
that do not allow FTP at all, but offer a HTTP
proxy.
In this case, you have to specify the proxy in
addition to the FTP server.There is another type of FTP proxy other tha HTTP
proxies. This type is very uncommon, though. If you
are not absolutely certain, you can assume that you
have a HTTP proxy as described above.For a proxy FTP server, you should usually give the name
of the server you really want as a part of the username, after
an @ sign. The proxy server then
fakes the real server. For example, assuming
you want to install from ftp.FreeBSD.org, using the proxy FTP
server foo.bar.com, listening on
port 1024.In this case, you go to the options menu, set the FTP
username to ftp@ftp.FreeBSD.org, and the password to your
email address. As your installation media, you specify FTP
(or passive FTP, if the proxy supports it), and the URL
ftp://foo.bar.com:1234/pub/FreeBSD.Since /pub/FreeBSD from ftp.FreeBSD.org is proxied under foo.bar.com, you are able to install from
that machine (which will fetch the files
from ftp.FreeBSD.org as your
installation requests them.Check your BIOS drive numberingIf you have used features in your BIOS to renumber your disk
drives without re-cabling them then you should read first to avoid confusion.Installing FreeBSDOnce you have completed the pre-installation step relevant to
your situation, you are ready to install FreeBSD!Although you should not experience any difficulty, there is
always the chance that you may, no matter how slight it is. If this
is the case in your situation, then you may wish to go back and
re-read the relevant preparation section or sections. Perhaps you
will come across something you missed the first time. If you are
having hardware problems, or FreeBSD refuses to boot at all, read
the Hardware Guide for a
list of possible solutions.sysinstallThe FreeBSD boot floppies contain all of the online
documentation you should need to be able to navigate through an
installation. If it does not, please let us know what you found
to be the most confusing or most lacking. Send your comments to
the &a.doc;. It is the objective of the installation program
(sysinstall) to be self-documenting enough that painful
step-by-step guides are no longer necessary. It may
take us a little while to reach that objective, but nonetheless,
- it is still our objective :-)
+ it is still our objective.
Meanwhile, you may also find the following typical
installation sequence to be helpful:Boot the kern.flp floppy and when
asked, remove it and insert the
mfsroot.flp and hit return. After a
boot sequence which can take anywhere from 30 seconds to 3
minutes, depending on your hardware, you should be presented
with a menu of initial choices. If the
kern.flp floppy does not boot at all or
the boot hangs at some stage, read the Q&A section of the
Hardware Guide for
possible causes.Press F1. You should see some basic usage instructions on
the menu screen and general navigation. If you have not used
this menu system before then please read
this thoroughly.Select the Options item and set any special preferences
you may have.installationstandardinstallationexpressinstallationcustomSelect a Standard, Express, or Custom install, depending on
whether or not you would like the installation to help you
through a typical installation, give you a high degree of
control over each step, or simply whiz through it (using
reasonable defaults when possible) as fast as possible. If
you have never used FreeBSD before, the Standard installation
method is most recommended.The final configuration menu choice allows you to further
configure your FreeBSD installation by giving you menu-driven
access to various system defaults. Some items, like
networking, may be especially important if you did a CDROM,
tape, or floppy install and have not yet configured your
network interfaces (assuming you have any). Properly
configuring such interfaces here will allow FreeBSD to come up
on the network when you first reboot from the hard
disk.Supported HardwarehardwareFreeBSD currently runs on a wide variety of ISA, VLB, EISA, and
PCI bus based PCs, ranging from the 386SX to Pentium class machines
(though the 386SX is not recommended). Support for generic IDE or
ESDI drive configurations, various SCSI controllers, and network and
serial cards is also provided. FreeBSD also supports IBM's
microchannel (MCA) bus.In order to run FreeBSD, a recommended minimum of eight
megabytes of RAM is suggested. Sixteen megabytes is the preferred
amount of RAM as you may have some trouble with anything less than
sixteen depending on your hardware.What follows is a list of hardware currently known to work with
FreeBSD. There may be other hardware that works as well, but we
have simply not received any confirmation of it.Disk Controllersdisk controllersWD1003 (any generic MFM/RLL)WD1007 (any generic IDE/ESDI)IDEATAAdaptec 1535 ISA SCSI controllersAdaptec 154X series ISA SCSI controllersAdaptec 174X series EISA SCSI controllers in standard and
enhanced modeAdaptec 274X/284X/2920C/294X/2950/3940/3950
(Narrow/Wide/Twin) series EISA/VLB/PCI SCSI controllersAdaptec AIC-7850, AIC-7860, AIC-7880, AIC-789X on-board SCSI
controllersAdaptec 1510 series ISA SCSI controllers (not for bootable
devices)Adaptec 152X series ISA SCSI controllersAdaptec AIC-6260 and AIC-6360 based boards, which include
the AHA-152X and SoundBlaster SCSI cardsAdvanSys SCSI controllers (all models)BusLogic MultiMaster W Series Host Adapters
including BT-948, BT-958, BT-9580BusLogic MultiMaster C Series Host Adapters
including BT-946C, BT-956C, BT-956CD, BT-445C, BT-747C,
BT-757C, BT-757CD, BT-545C, BT-540CFBusLogic MultiMaster S Series Host Adapters
including BT-445S, BT-747S, BT-747D, BT-757S, BT-757D,
BT-545S, BT-542D, BT-742A, BT-542BBusLogic MultiMaster A Series Host Adapters
including BT-742A, BT-542BAMI FastDisk controllers that are true BusLogic
MultiMaster clones are also supported.BusLogic/Mylex Flashpoint adapters are NOT
yet supported.DPT SmartCACHE Plus, SmartCACHE III, SmartRAID III,
SmartCACHE IV, and SmartRAID IV SCSI/RAID are supported. The
DPT SmartRAID/CACHE V is not yet supported. The DPT PM3754U2-16M
SCSI RAID Controller is also supported.Compaq Intelligent Disk Array Controllers: IDA, IDA-2, IAES,
SMART, SMART-2/E, Smart-2/P, SMART-2SL, Integrated Array, and
Smart Arrays 3200, 3100ES, 221, 4200, 4200, 4250ES.SymBios (formerly NCR) 53C810, 53C810a, 53C815, 53C820,
53C825a, 53C860, 53C875, 53C875j, 53C885, and 53C896 PCI SCSI
controllers including ASUS SC-200, Data Technology DTC3130
(all variants), Diamond FirePort (all), NCR cards (all),
SymBios cards (all), Tekram DC390W, 390U, and 390F, and Tyan
S1365QLogic 1020, 1040, 1040B, and 2100 SCSI and Fibre
Channel AdaptersDTC 3290 EISA SCSI controller in 1542 evaluation
modeWith all supported SCSI controllers, full support is provided
for SCSI-I and SCSI-II peripherals, including hard disks, optical
disks, tape drives (including DAT and 8mm Exabyte), medium
changers, processor target devices, and CDROM drives. WORM
devices that support CDROM commands are supported for read-only
access by the CDROM driver. WORM/CD-R/CD-RW writing support is
provided by cdrecord, which is in the ports tree.The following CDROM type systems are supported at this
time:cd - SCSI interface (includes
ProAudio Spectrum and SoundBlaster SCSI)matcd - Matsushita/Panasonic
(Creative SoundBlaster) proprietary interface (562/563
models)scd - Sony proprietary interface
(all models)acd - ATAPI IDE interfaceThe following drivers were supported under the old SCSI
subsystem, but are NOT YET supported under the new CAM SCSI
subsystem:NCR5380/NCR53400 (ProAudio Spectrum) SCSI
controllerUltraStor 14F, 24F, and 34F SCSI controllersSeagate ST01/02 SCSI controllersFuture Domain 8XX/950 series SCSI controllersWD7000 SCSI controllerThere is work-in-progress to port the UltraStor driver
to the new CAM framework, but no estimates on when or if it
will be completed.Unmaintained drivers, which might or might not work for your
hardware:Floppy tape interface (Colorado/Mountain/Insight)mcd - Mitsumi proprietary CDROM
interface (all models)Network Cardsnetwork cardsAdaptec Duralink PCI fast ethernet adapters based on the
Adaptec AIC-6195 fast ethernet controller chip, including the
following:ANA-62011 64-bit single port 10/100baseTX
adapterANA-62022 64-bit dual port 10/100baseTX adapterANA-62044 64-bit quad port 10/100baseTX adapterANA-69011 32-bit single port 10/100baseTX
adapterANA-62020 64-bit single port 100baseFX adapterAllied-Telesyn AT1700 and RE2000 cardsAlteon Networks PCI gigabit ethernet NICs based on the
Tigon 1 and Tigon 2 chipsets including the Alteon AceNIC
(Tigon 1 and 2), 3Com 3c985-SX (Tigon 1 and 2), Netgear GA620
(Tigon 2), Silicon Graphics Gigabit Ethernet, DEC/Compaq
EtherWORKS 1000, NEC Gigabit EthernetAMD PCnet/PCI (79c970 and 53c974 or 79c974)RealTek 8129/8139 fast ethernet NICs including the
following:Allied-Telesyn AT2550Allied-Telesyn AT2500TXGenius GF100TXR (RTL8139)NDC Communications NE100TX-EOvisLink LEF-8129TXOvisLink LEF-8139TXNetronix Inc. EA-1210 NetEther 10/100KTX-9130TX 10/100 Fast EthernetAccton Cheetah EN1207D (MPX 5030/5038;
RealTek 8139 clone)SMC EZ Card 10/100 PCI 1211-TXLite-On 98713, 98713A, 98715, and 98725 fast ethernet
NICs, including the LinkSys EtherFast LNE100TX, NetGear
FA310-TX Rev. D1, Matrox FastNIC 10/100, Kingston
KNE110TXMacronix 98713, 98713A, 98715, 98715A, and 98725 fast
ethernet NICs including the NDC Communications SFA100A
(98713A), CNet Pro120A (98713 or 98713A), CNet Pro120B
(98715), SVEC PN102TX (98713)Macronix/Lite-On PNIC II LC82C115 fast ethernet NICs
including the LinkSys EtherFast LNE100TX version 2Winbond W89C840F fast ethernet NICs including the
Trendware TE100-PCIEVIA Technologies VT3043 Rhine I and
VT86C100A Rhine II fast ethernet NICs including
the Hawking Technologies PN102TX and D-Link DFE-530TXSilicon Integrated Systems SiS 900 and SiS 7016 PCI fast
ethernet NICsSundance Technologies ST201 PCI fast ethernet NICs
including the D-Link DFE-550TXSysKonnect SK-984x PCI gigabit ethernet cards including
the SK-9841 1000baseLX (single mode fiber, single port),
the SK-9842 1000baseSX (multimode fiber, single port), the
SK-9843 1000baseLX (single mode fiber, dual port), and the
SK-9844 1000baseSX (multimode fiber, dual port).Texas Instruments ThunderLAN PCI NICs, including the
Compaq Netelligent 10, 10/100, 10/100 Proliant, 10/100
Dual-Port, 10/100 TX Embedded UTP, 10 T PCI UTP/Coax, and
10/100 TX UTP, the Compaq NetFlex 3P, 3P Integrated, and 3P
w/BNC, the Olicom OC-2135/2138, OC-2325, OC-2326 10/100 TX
UTP, and the Racore 8165 10/100baseTX and 8148
10baseT/100baseTX/100baseFX multi-personality cardsADMtek AL981-based and AN985-based PCI fast ethernet
NICsASIX Electronics AX88140A PCI NICs including the Alfa Inc.
GFC2204 and CNet Pro110BDEC EtherWORKS III NICs (DE203, DE204, and DE205)DEC EtherWORKS II NICs (DE200, DE201, DE202, and
DE422)DEC DC21040, DC21041, or DC21140 based NICs (SMC
Etherpower 8432T, DE245, etc.)DEC FDDI (DEFPA/DEFEA) NICsEfficient ENI-155p ATM PCIFORE PCA-200E ATM PCIFujitsu MB86960A/MB86965AHP PC Lan+ cards (model numbers: 27247B and 27252A)Intel EtherExpress ISA (not recommended due to driver
instability)Intel EtherExpress Pro/10Intel EtherExpress Pro/100B PCI Fast EthernetIsolan AT 4141-0 (16 bit)Isolink 4110 (8 bit)Novell NE1000, NE2000, and NE2100 Ethernet
interfacesPCI network cards emulating the NE2000, including the
RealTek 8029, NetVin 5000, Winbond W89C940, Surecom NE-34, VIA
VT86C9263Com 3C501, 3C503 Etherlink II, 3C505 Etherlink/+, 3C507
Etherlink 16/TP, 3C509, 3C579, 3C589 (PCMCIA),
3C590/592/595/900/905/905B/905C PCI and EISA (Fast) Etherlink
III / (Fast) Etherlink XL, 3C980/3C980B Fast Etherlink XL
server adapter, 3CSOHO100-TX OfficeConnect adapterToshiba ethernet cardsPCMCIA ethernet cards from IBM and National Semiconductor
are also supportedUSB PeripheralsUSB PeripheralsA wide range of USB peripherals are supported. Owing to the
generic nature of most USB devices, with some exceptions any
device of a given class will be supported even if not explicitly
listed here.USB keyboardsUSB miceUSB printers and USB to parallel printer conversion
cablesUSB hubsMotherboard chipsets:ALi Aladdin-VIntel 82371SB (PIIX3) and 82371AB and EB (PIIX4)
chipsetsNEC uPD 9210 Host ControllerVIA 83C572 USB Host Controllerand any other UHCI or OHCI compliant motherboard chipset
(no exceptions known).PCI plug-in USB host controllersADS Electronics PCI plug-in card (2 ports)Entrega PCI plug-in card (4 ports)Specific USB devices reported to be working:Agiler Mouse 29UOAndromeda hubApple iMac mouse and keyboardATen parallel printer adapterBelkin F4U002 parallel printer adapter and Belkin
mouseBTC BTC7935 keyboard with mouse portCherry G81-3504Chic mouseCypress mouseEntrega USB-to-parallel printer adapterGenius Niche mouseIomega USB Zip 100 MBKensington Mouse-in-a-BoxLogitech M2452 keyboardLogitech wheel mouse (3 buttons)Logitech PS/2 / USB mouse (3 buttons)MacAlly mouse (3 buttons)MacAlly self-powered hub (4 ports)Microsoft Intellimouse (3 buttons)Microsoft keyboardNEC hubTrust Ami Mouse (3 buttons)ISDN (European DSS1 [Q.921/Q.931] protocol)ISDNAsuscom I-IN100-ST-DV (experimental, may work)Asuscom ISDNlink 128KAVM A1AVM Fritz!Card classicAVM Fritz!Card PCIAVM Fritz!Card PCMCIA (currently FreeBSD 3.X only)AVM Fritz!Card PnP (currently FreeBSD 3.X only)Creatix ISDN-S0/8Creatix ISDN-S0/16Creatix ISDN-S0 PnPDr.Neuhaus Niccy 1008Dr.Neuhaus Niccy 1016Dr.Neuhaus Niccy GO@ (ISA PnP)Dynalink IS64PH (no longer maintained)ELSA 1000pro ISAELSA 1000pro PCIELSA PCC-16ITK ix1 micro (currently FreeBSD 3.X only)ITK ix1 micro V.3 (currently FreeBSD 3.X only)Sagem Cybermod (ISA PnP, may work)Sedlbauer Win SpeedSiemens I-Surf 2.0Stollman Tina-pp (under development)Teles S0/8Teles S0/16Teles S0/16.3 (the c Versions - like 16.3c
- are unsupported!)Teles S0 PnP (experimental, may work)3Com/USRobotics Sportster ISDN TA intern (non-PnP
version)Sound DevicesThe following soundcards or codecs are supported (devices marked
'experimental' are only supported in FreeBSD-CURRENT and might
work only unstably):sound cards16550 UART (Midi) (experimental, needs a trick in the hints
file)Advance Asound 100, 110 and Logic ALS120Aureal Vortex1/Vortex2 and Vortex Advantage based soundcards
by a
third
party driverCreative Labs SB16, SB32, SB AWE64 (including Gold),
Vibra16, SB PCI (experimental), SB Live! (experimental)
and most SoundBlaster compatible cardsCreative Labs SB Midi Port (experimental), SB OPL3
Synthesizer (experimental)Crystal Semiconductor CS461x/462x Audio Accelerator,
the support for the CS461x Midi port is experimentalCrystal Semiconductor CS428x Audio ControllerCS4237, CS4236, CS4232, CS4231 (ISA)ENSONIQ AudioPCI ES1370/1371ESS ES1868, ES1869, ES1879, ES1888Gravis UltraSound PnP, MAXNeoMagic 256AV/ZX (PCI)OPTi931 (ISA)OSS-compatible sequencer (Midi) (experimental)Trident 4DWave DX/NX (PCI)Yahama OPL-SAx (ISA)Miscellaneous DevicesAST 4 port serial card using shared IRQARNET 8 port serial card using shared IRQARNET (now Digiboard) Sync 570/i high-speed serialBoca BB1004 4-Port serial card (Modems NOT
supported)Boca IOAT66 6-Port serial card (Modems supported)Boca BB1008 8-Port serial card (Modems NOT
supported)Boca BB2016 16-Port serial card (Modems supported)Cyclades Cyclom-y Serial BoardMoxa SmartIO CI-104J 4-Port serial cardSTB 4 port card using shared IRQSDL Communications RISCom/8 Serial BoardSDL Communications RISCom/N2 and N2pci high-speed sync
serial boardsSpecialix SI/XIO/SX multiport serial cards, with both the
older SIHOST2.x and the new enhanced
(transputer based, aka JET) host cards; ISA, EISA and PCI are
supportedStallion multiport serial boards: EasyIO, EasyConnection
8/32 & 8/64, ONboard 4/16 and BrumbyAdlib, SoundBlaster, SoundBlaster Pro, ProAudioSpectrum,
Gravis UltraSound, and Roland MPU-401 sound cardsConnectix QuickCamMatrox Meteor Video frame grabberCreative Labs Video Spigot frame grabberCortex1 frame grabberVarious frame grabbers based on the Brooktree Bt848
and Bt878 chipHP4020, HP6020, Philips CDD2000/CDD2660 and Plasmon CD-R
drivesBus micePS/2 miceStandard PC JoystickX-10 power controllersGPIB and Transputer drivesGenius and Mustek hand scannersFloppy tape drives (some rather old models only, driver is
rather stale)Lucent Technologies WaveLAN/IEEE 802.11 PCMCIA and ISA
standard speed (2Mbps) and turbo speed (6Mbps) wireless
network adapters and workalikes (NCR WaveLAN/IEEE 802.11,
Cabletron RoamAbout 802.11 DS)The ISA versions of these adapters are actually PCMCIA
cards combined with an ISA to PCMCIA bridge card, so both
kinds of devices work with the same driver.TroubleshootinginstallationtroubleshootingThe following section covers basic installation troubleshooting,
such as common problems people have reported. There are also a few
questions and answers for people wishing to dual-boot FreeBSD with
MS-DOS.What to do if something goes wrong...Due to various limitations of the PC architecture, it is
impossible for probing to be 100% reliable, however, there are a
few things you can do if it fails.Check the supported
hardware list to make sure your hardware is
supported.If your hardware is supported and you still experience
lock-ups or other problems, reset your computer, and when the
visual kernel configuration option is given, choose it. This will
allow you to go through your hardware and supply information to the
system about it. The kernel on the boot disks is configured
assuming that most hardware devices are in their factory default
configuration in terms of IRQs, IO addresses, and DMA channels. If
your hardware has been reconfigured, you will most likely need to
use the configuration editor to tell FreeBSD where to find
things.It is also possible that a probe for a device not present will
cause a later probe for another device that is present to fail. In
that case, the probes for the conflicting driver(s) should be
disabled.Do not disable any drivers you will need during the
installation, such as your screen (sc0).
If the installation wedges or fails mysteriously after leaving
the configuration editor, you have probably removed or changed
something you should not have. Reboot and try again.In configuration mode, you can:List the device drivers installed in the kernel.Change device drivers for hardware that is not present in
your system.Change IRQs, DRQs, and IO port addresses used by a device
driver.After adjusting the kernel to match your hardware
configuration, type Q to boot with the new
settings. Once the installation has completed, any changes you
made in the configuration mode will be permanent so you do not have
to reconfigure every time you boot. It is still highly likely that
you will eventually want to build a custom kernel.MS-DOS User's Questions and AnswersDOSMany users wish to install FreeBSD on PCs inhabited by MS-DOS.
Here are some commonly asked questions about installing FreeBSD on
such systems.Help, I have no space! Do I need to delete everything
first?If your machine is already running MS-DOS and has little
or no free space available for the FreeBSD installation, all
hope is not lost! You may find the FIPS utility, provided
in the tools directory on the FreeBSD
CDROM or various FreeBSD FTP sites to be quite
useful.FIPSFIPS allows you to split an existing MS-DOS partition
into two pieces, preserving the original partition and
allowing you to install onto the second free piece. You
first defragment your MS-DOS partition using the Windows
DEFRAG utility (go into Explorer, right-click on the
hard drive, and choose to defrag your
hard drive), or Norton Disk Tools. You then must run FIPS. It
will prompt you for the rest of the information it needs.
Afterwards, you can reboot and install FreeBSD on the new
free slice. See the Distributions menu
for an estimate of how much free space you will need for the
kind of installation you want.Partition MagicThere is also a very useful
product from PowerQuest
called Partition Magic. This
application has far more functionality than FIPS, and is
highly recommended if you plan to often add/remove
operating systems (like me). However, it does cost
money, and if you plan to install FreeBSD once and then
leave it there, FIPS will probably be fine for you.Can I use compressed MS-DOS filesystems from
FreeBSD?No. If you are using a utility such as Stacker(tm) or
DoubleSpace(tm), FreeBSD will only be able to use whatever
portion of the filesystem you leave uncompressed. The rest
of the filesystem will show up as one large file (the
stacked/double spaced file!). Do not remove that
file or you will probably regret it
greatly!It is probably better to create another uncompressed
primary MS-DOS partition and use this for communications
between MS-DOS and FreeBSD.Can I mount my extended MS-DOS partition?partitionsslicesYes. DOS extended partitions are mapped in at the end
of the other slices in FreeBSD, e.g., your
D: drive might be
/dev/da0s5, your
E: drive,
/dev/da0s6, and so on. This example
assumes, of course, that your extended partition is on SCSI
drive 0. For IDE drives, substitute ad
for da appropriately if installing
4.0-RELEASE or later, and substitute
wd for da if you
are installing a version of FreeBSD prior to 4.0. You otherwise
mount extended partitions exactly like you would any other
DOS drive, for example:&prompt.root; mount -t msdos /dev/ad0s5 /dos_dAdvanced Installation GuideWritten by &a.logo;, May 2001.This section describes how to install FreeBSD in exceptional
cases.Installing FreeBSD on a system without a monitor or
keyboardinstallationheadless (serial console)serial consoleThis type of installation is called a "headless install",
because the machine that you are trying to install FreeBSD on
either doesnt have a monitor attached to it, or doesnt even
have a VGA output. How is this possible you ask? Using a
serial console. A serial console is basically using another
machine to act as the main display and keyboard for a
system. To do this, just follow these steps:Fetch the right boot floppy imagesFirst you will need to get the right disk images so
that you can boot into the install program. The secret
with using a serial console is that you tell the boot
loader to send I/O through a serial port instead of
displaying console output to the VGA device and trying to
read input from a local keyboard. Enough of that now,
let's get back to getting these disk images.You will need to get kern.flp and
mfsroot.flp from the
floppies directory.Write the image files to the floppy disks.The image files, such as
kern.flp, are
not regular files that you copy to
the disk. Instead, they are images of the complete
contents of the disk.This means that you can not use
commands like DOS' copy to write the
files. Instead, you must use specific tools to write the
images directly to the disk.fdimageIf you are creating the floppies on a computer running
DOS then we provide a tool to do this called
fdimage.If you are using the floppies from the CDROM, and
your CDROM is the E: drive then
you would run this:E:\>tools\fdimage floppies\kern.flp A:Repeat this command for each .flp
file, replacing the floppy disk each time. Adjust the
command line as necessary, depending on where you have
placed the .flp files. If you do not
have the CDROM then fdimage can be
downloaded from the tools
directory on the FreeBSD FTP site.If you are writing the floppies on a Unix system (such
as another FreeBSD system) you can use the &man.dd.1;
command to write the image files directly to disk. On
FreeBSD you would run:&prompt.root; dd if=kern.flp of=/dev/fd0On FreeBSD /dev/fd0 refers to
the first floppy disk (the A:
drive). /dev/fd1 would be the
B: drive, and so on. Other Unix
variants might have different names for the floppy disk
devices, and you will need to check the documentation for
the system as necessary.Enabling the boot floppies to boot into a serial
consoleDo not try to mount the floppy if it is write-protectedmountIf you were to boot into the floppies that you just
made, FreeBSD would boot into its normal install mode. We
want FreeBSD to boot into a serial console for our
install. To do this, you have to mount the
kern.flp floppy onto your FreeBSD
system using the &man.mount.8; command.&prompt.root; mount /dev/fd0 /mntNow that you have the floppy mounted, you must
change into the floppy directory&prompt.root; cd /mntHere is where you must set the floppy to boot into a
serial console. You have to make a file called
boot.config containing "/boot/loader
-h". All this does is pass a flag to the bootloader to
boot into a serial console.&prompt.root; echo "/boot/loader -h" > boot.configNow that you have your floppy configured correctly,
you must unmount the floppy using the &man.umount.8;
command&prompt.root; cd /
&prompt.root; umount /mntNow you can remove the floppy from the floppy
driveConnecting your null modem cablenull modem cableYou now need to connect a null modem cable between
the two machines. Just connect the cable to the serial
ports of the 2 machines. A normal serial cable
will not work here, you need a null modem
cable because it has some of the wires inside crossed
over.Booting up for the installIt's now time to go ahead and start the install. Put
the kern.flp floppy in the floppy
drive of the machine you're doing the headless install
on, and power on the machine.Connecting to your headless machinecuNow you have to connect to that machine with
&man.cu.1;:&prompt.root; cu -l /dev/cuaa0That's it! You should be able to control the headless
machine through your cu session now. It will ask you to put
in the mfsroot.flp, and then it will come
up with a selection of what kind of terminal to use. Just
select the FreeBSD color console and proceed with your
install!
diff --git a/en_US.ISO8859-1/books/handbook/introduction/chapter.sgml b/en_US.ISO8859-1/books/handbook/introduction/chapter.sgml
index 951865cfab..080b60841c 100644
--- a/en_US.ISO8859-1/books/handbook/introduction/chapter.sgml
+++ b/en_US.ISO8859-1/books/handbook/introduction/chapter.sgml
@@ -1,863 +1,862 @@
JimMockRestructured, reorganized, and parts
rewrittenIntroductionSynopsisThank you for your interest in FreeBSD! The following chapter
covers various items about the FreeBSD Project, such as its history,
goals, development model, and so on.4.4BSD-LiteFreeBSD is a 4.4BSD-Lite based operating system for the Intel
architecture (x86) and DEC Alpha based systems. Ports to other
architectures are also underway. For a brief overview of FreeBSD,
see the next section. You can also
read about the history of FreeBSD,
or the current release. If you
are interested in contributing something to the Project (code,
hardware, unmarked bills), see the contributing to FreeBSD section.Welcome to FreeBSD!Since you are still here reading this, you most likely have some
idea as to what FreeBSD is and what it can do for you. If you are
new to FreeBSD, read on for more information.What is FreeBSD?Intel architecture (x86)DEC Alpha architectureIn general, FreeBSD is a state-of-the-art operating system
based on 4.4BSD-Lite. It runs on computer systems based on the
Intel architecture (x86), and also the DEC Alpha
architecture.FreeBSD is used to power some of the biggest sites on the
Internet, including:Yahoo!Yahoo!HotmailHotmailApacheApacheBe, Inc.Be, Inc.Blue Mountain ArtsBlue Mountain
ArtsPair NetworksPair
NetworksWhistle CommunicationsWhistle
CommunicationsBSDiBSDiand many more.What can FreeBSD do?FreeBSD has many noteworthy features. Some of these
are:preemptive multitaskingPreemptive multitasking with
dynamic priority adjustment to ensure smooth and fair
sharing of the computer between applications and users, even
under the heaviest of loads.multi-user facilitiesMulti-user facilities which allow many
people to use a FreeBSD system simultaneously for a variety
of things. This means, for example, that system peripherals
such as printers and tape drives are properly shared between
all users on the system or the network and that individual
resource limits can be placed on users or groups of users,
protecting critical system resources from over-use.TCP/IP networkingStrong TCP/IP networking with
support for industry standards such as SLIP, PPP, NFS, DHCP,
and NIS. This means that your FreeBSD machine can
inter-operate easily with other systems as well as act as an
enterprise server, providing vital functions such as NFS
(remote file access) and e-mail services or putting your
organization on the Internet with WWW, FTP, routing and
firewall (security) services.memory protectionMemory protection ensures that
applications (or users) cannot interfere with each other. One
application crashing will not affect others in any way.FreeBSD is a 32-bit operating
system (64-bit on the Alpha) and was
designed as such from the ground up.X-WindowsThe industry standard X Window System
(X11R6) provides a graphical user interface (GUI) for the cost
of a common VGA card and monitor and comes with full
sources.binary compatibilityLinuxbinary compatibilitySCObinary compatibilitySVR4binary compatibilityBSD/OSbinary compatibilityNetBSDBinary compatibility with many
programs built for Linux, SCO, SVR4, BSDI and NetBSD.Thousands of ready-to-run
applications are available from the FreeBSD
ports and packages
collection. Why search the net when you can find it all right
here?Thousands of additional and
easy-to-port applications are available
on the Internet. FreeBSD is source code compatible with most
popular commercial Unix systems and thus most applications
require few, if any, changes to compile.virtual memoryDemand paged virtual memory and
merged VM/buffer cache design efficiently
satisfies applications with large appetites for memory while
still maintaining interactive response to other users.Symetric Multi-Processing (SMP)SMP support for machines with
multiple CPUs.compilersCcompilersC++compilersFortranA full complement of C,
C++, Fortran, and
Perl development tools.
Many additional languages for advanced research
and development are also available in the ports and packages
collection.source codeSource code for the entire system
means you have the greatest degree of control over your
environment. Why be locked into a proprietary solution
at the mercy of your vendor when you can have a truly Open
System?Extensive on-line
documentation.And many more!4.4BSD-LiteComputer Systems Resarch Group (CSRG)U.C. BerkeleyFreeBSD is based on the 4.4BSD-Lite release from Computer
Systems Research Group (CSRG) at the University of California at
Berkeley, and carries on the distinguished tradition of BSD
systems development. In addition to the fine work provided by
CSRG, the FreeBSD Project has put in many thousands of hours in
fine tuning the system for maximum performance and reliability in
real-life load situations. As many of the commercial giants
struggle to field PC operating systems with such features,
performance and reliability, FreeBSD can offer them
now!The applications to which FreeBSD can be put are truly
limited only by your own imagination. From software development
to factory automation, inventory control to azimuth correction of
remote satellite antennae; if it can be done with a commercial
Unix product then it is more than likely that you can do it with
FreeBSD, too! FreeBSD also benefits significantly from the
literally thousands of high quality applications developed by
research centers and universities around the world, often
available at little to no cost. Commercial applications are also
available and appearing in greater numbers every day.Because the source code for FreeBSD itself is generally
available, the system can also be customized to an almost unheard
of degree for special applications or projects, and in ways not
generally possible with operating systems from most major
commercial vendors. Here is just a sampling of some of the
applications in which people are currently using FreeBSD:Internet Services: The robust TCP/IP
networking built into FreeBSD makes it an ideal platform for a
variety of Internet services such as:FTP serversFTP serversweb serversWorld Wide Web servers (standard or secure
[SSL])firewallsIP masqueradingFirewalls and NAT (IP masquerading)
gateways.electronic mailElectronic Mail serversUSENETUSENET News or Bulletin Board SystemsAnd more...With FreeBSD, you can easily start out small with an
inexpensive 386 class PC and upgrade all the way up to a
quad-processor Xeon with RAID storage as your enterprise
grows.Education: Are you a student of
computer science or a related engineering field? There is no
better way of learning about operating systems, computer
architecture and networking than the hands on, under the hood
experience that FreeBSD can provide. A number of freely
available CAD, mathematical and graphic design packages also
make it highly useful to those whose primary interest in a
computer is to get other work
done!Research: With source code for the
entire system available, FreeBSD is an excellent platform for
research in operating systems as well as other branches of
computer science. FreeBSD's freely available nature also makes
it possible for remote groups to collaborate on ideas or
shared development without having to worry about special
licensing agreements or limitations on what may be discussed
in open forums.routerDNS ServerNetworking: Need a new router? A
name server (DNS)? A firewall to keep people out of your
internal network? FreeBSD can easily turn that unused 386 or
486 PC sitting in the corner into an advanced router with
sophisticated packet-filtering capabilities.X-WindowsXFree86X-WindowsAccellerated-XX Window workstation: FreeBSD is a
fine choice for an inexpensive X terminal solution, either
using the freely available XFree86 server or one of the
excellent commercial servers provided by X Inside. Unlike an
X terminal, FreeBSD allows many applications to be run
locally, if desired, thus relieving the burden on a central
server. FreeBSD can even boot diskless, making
individual workstations even cheaper and easier to
administer.GNU Compiler CollectionSoftware Development: The basic
FreeBSD system comes with a full complement of development
tools including the renowned GNU C/C++ compiler and
debugger.FreeBSD is available in both source and binary form on CDROM
and via anonymous FTP. Please see
for more information about obtaining FreeBSD.About the FreeBSD ProjectThe following section provides some background information on
the project, including a brief history, project goals, and the
development model of the project.A Brief History of FreeBSDContributed by &a.jkh;.386BSD PatchkitHubbard, JordanWilliams, NateGrimes, RodFreeBSD ProjectHistoryThe FreeBSD project had its genesis in the early part of 1993,
partially as an outgrowth of the Unofficial 386BSD
Patchkit by the patchkit's last 3 coordinators: Nate
Williams, Rod Grimes and myself.386BSDOur original goal was to produce an intermediate snapshot of
386BSD in order to fix a number of problems with it that the
patchkit mechanism just was not capable of solving. Some of you
may remember the early working title for the project being
386BSD 0.5 or 386BSD Interim in
reference to that fact.Jolitz, Bill386BSD was Bill Jolitz's operating system, which had been up
to that point suffering rather severely from almost a year's worth
of neglect. As the patchkit swelled ever more uncomfortably with
each passing day, we were in unanimous agreement that something
had to be done and decided to try and assist Bill by providing
this interim cleanup snapshot. Those plans came to
a rude halt when Bill Jolitz suddenly decided to withdraw his
sanction from the project without any clear indication of what
would be done instead.Greenman, DavidWalnut Creek CDROMIt did not take us long to decide that the goal remained
worthwhile, even without Bill's support, and so we adopted the
name FreeBSD, coined by David Greenman. Our initial
objectives were set after consulting with the system's current
users and, once it became clear that the project was on the road
to perhaps even becoming a reality, I contacted Walnut Creek CDROM
with an eye towards improving FreeBSD's distribution channels for
those many unfortunates without easy access to the Internet.
Walnut Creek CDROM not only supported the idea of distributing
FreeBSD on CD but also went so far as to provide the project with a
machine to work on and a fast Internet connection. Without Walnut
Creek CDROM's almost unprecedented degree of faith in what was, at
the time, a completely unknown project, it is quite unlikely that
FreeBSD would have gotten as far, as fast, as it has today.4.3BSD-LiteNet/2U.C. Berkeley386BSDFree Software FoundationThe first CDROM (and general net-wide) distribution was
FreeBSD 1.0, released in December of 1993. This was based on the
4.3BSD-Lite (Net/2) tape from U.C. Berkeley, with
many components also provided by 386BSD and the Free Software
Foundation. It was a fairly reasonable success for a first
offering, and we followed it with the highly successful FreeBSD
1.1 release in May of 1994.NovellU.C. BerkeleyNet/2AT&TAround this time, some rather unexpected storm clouds formed
on the horizon as Novell and U.C. Berkeley settled their
long-running lawsuit over the legal status of the Berkeley Net/2
tape. A condition of that settlement was U.C. Berkeley's
concession that large parts of Net/2 were encumbered
code and the property of Novell, who had in turn acquired it from
AT&T some time previously. What Berkeley got in return was
Novell's blessing that the 4.4BSD-Lite release, when
it was finally released, would be declared unencumbered and all
existing Net/2 users would be strongly encouraged to switch. This
included FreeBSD, and the project was given until the end of July
1994 to stop shipping its own Net/2 based product. Under the
terms of that agreement, the project was allowed one last release
before the deadline, that release being FreeBSD 1.1.5.1.FreeBSD then set about the arduous task of literally
re-inventing itself from a completely new and rather incomplete
set of 4.4BSD-Lite bits. The Lite releases were
light in part because Berkeley's CSRG had removed large chunks of
code required for actually constructing a bootable running system
(due to various legal requirements) and the fact that the Intel
port of 4.4 was highly incomplete. It took the project until
November of 1994 to make this transition, at which point it
released FreeBSD 2.0 to the net and on CDROM (in late December).
Despite being still more than a little rough around the edges,
the release was a significant success and was followed by the
more robust and easier to install FreeBSD 2.0.5 release in June of
1995.We released FreeBSD 2.1.5 in August of 1996, and it appeared
to be popular enough among the ISP and commercial communities that
another release along the 2.1-STABLE branch was merited. This was
FreeBSD 2.1.7.1, released in February 1997 and capping the end of
mainstream development on 2.1-STABLE. Now in maintenance mode,
only security enhancements and other critical bug fixes will be
done on this branch (RELENG_2_1_0).FreeBSD 2.2 was branched from the development mainline
(-CURRENT) in November 1996 as the RELENG_2_2
branch, and the first full release (2.2.1) was released in April
1997. Further releases along the 2.2 branch were done in the
summer and fall of '97, the last of which (2.2.8) appeared in
November 1998. The first official 3.0 release appeared in
October 1998 and spelled the beginning of the end for the 2.2
branch.The tree branched again on Jan 20, 1999, leading to the
4.0-CURRENT and 3.X-STABLE branches. From 3.X-STABLE, 3.1 was
released on February 15, 1999, 3.2 on May 15, 1999, 3.3 on
September 16, 1999, 3.4 on December 20, 1999, and 3.5 on
June 24, 2000, which was followed a few days later by a minor
point release update to 3.5.1, to incorporate some last-minute
security fixes to Kerberos. This will be the final release in the
3.X branch.There was another branch on March 13, 2000, which saw the
emergence of the 4.X-STABLE branch, now considered to be the
"current -stable branch". There have been several releases
from it so far: 4.0-RELEASE came out in March 2000, 4.1 was
released in July 2000, 4.2 in November 2000, and 4.3 in April
2001. There will be more releases along the 4.X-stable
(RELENG_4) branch throughout 2001.Long-term development projects continue to take place in the
5.0-CURRENT (trunk) branch, and SNAPshot releases of 5.0 on
CDROM (and, of course, on the net) are continually made available
from
the snapshot server as work progresses.JordanHubbardContributedFreeBSD Project GoalsFreeBSD ProjectGoalsThe goals of the FreeBSD Project are to provide software that
may be used for any purpose and without strings attached. Many of
us have a significant investment in the code (and project) and
would certainly not mind a little financial compensation now and
then, but we are definitely not prepared to insist on it. We
believe that our first and foremost mission is to
provide code to any and all comers, and for whatever purpose, so
that the code gets the widest possible use and provides the widest
possible benefit. This is, I believe, one of the most fundamental
goals of Free Software and one that we enthusiastically
support.GNU General Public License (GPL)GNU Lesser General Public License (LGPL)BSD CopyrightThat code in our source tree which falls under the GNU
General Public License (GPL) or Library General Public License
(LGPL) comes with slightly more strings attached, though at
least on the side of enforced access rather than the usual
opposite. Due to the additional complexities that can evolve
in the commercial use of GPL software we do, however, prefer
software submitted under the more relaxed BSD copyright when
it's a reasonable option to do so.SatoshiAsamiContributedThe FreeBSD Development ModelFreeBSD ProjectDevelopment ModelThe development of FreeBSD is a very open and flexible
process, FreeBSD being literally built from the contributions of
hundreds of people around the world, as can be seen from our
our list of contributors in . We are
constantly on the lookout for new developers and ideas, and those
interested in becoming more closely involved with the project
need simply contact us at the &a.hackers;. The &a.announce; is
also available to those wishing to make other FreeBSD users aware
of major areas of work.Useful things to know about the FreeBSD project and its
development process, whether working independently or in close
cooperation:The CVS repositoryCVS RepositoryConcurrent Version System (see CVS repository)The central source tree for FreeBSD is maintained by
CVS
(Concurrent Version System), a freely available source code
control tool that comes bundled with FreeBSD. The primary
CVS
repository resides on a machine in Santa Clara CA, USA
from where it is replicated to numerous mirror machines
throughout the world. The CVS tree, as well as the -CURRENT and -STABLE trees which are checked out
of it, can be easily replicated to your own machine as well.
Please refer to the Synchronizing
your source tree section for more information on
doing this.The committers listcommittersThe committers
are the people who have write access to
the CVS tree, and are thus authorized to make modifications
to the FreeBSD source (the term committer
comes from the &man.cvs.1; commit
command, which is used to bring new changes into the CVS
repository). The best way of making submissions for review
by the committers list is to use the &man.send-pr.1;
command, though if something appears to be jammed in the
system then you may also reach them by sending mail to
cvs-committers@FreeBSD.org.The FreeBSD core teamcore teamThe FreeBSD core team
would be equivalent to the board of directors if the FreeBSD
Project were a company. The primary task of the core team
is to make sure the project, as a whole, is in good shape
and is heading in the right directions. Inviting dedicated
and responsible developers to join our group of committers
is one of the functions of the core team, as is the
recruitment of new core team members as others move on.
The current core team was elected from a pool of committer
candidates in October 2000. Elections are held every 2 years.
Some core team members also have specific areas of responsibility, meaning
that they are committed to ensuring that some large portion
of the system works as advertised.Most members of the core team are volunteers when it
comes to FreeBSD development and do not benefit from the
project financially, so commitment should
also not be misconstrued as meaning guaranteed
support. The board of directors
analogy above is not actually very accurate, and it may be
more suitable to say that these are the people who gave up
their lives in favor of FreeBSD against their better
- judgment! ;-)
+ judgment!
Outside contributorscontributorsLast, but definitely not least, the largest group of
developers are the users themselves who provide feedback and
bug fixes to us on an almost constant basis. The primary
way of keeping in touch with FreeBSD's more non-centralized
development is to subscribe to the &a.hackers; (see mailing list info) where
such things are discussed.The list of
those who have contributed something, which made its way into
our source tree, is a long and growing one, so why not join
- it by contributing something back to FreeBSD today?
- :-)
+ it by contributing something back to FreeBSD today?
Providing code is not the only way of contributing to
the project; for a more complete list of things that need
doing, please refer to the how to
contribute section in this handbook.In summary, our development model is organized as a loose set
of concentric circles. The centralized model is designed for the
convenience of the users of FreeBSD, who are
thereby provided with an easy way of tracking one central code
base, not to keep potential contributors out! Our desire is to
present a stable operating system with a large set of coherent
application programs that the users
can easily install and use, and this model works very well in
accomplishing that.All we ask of those who would join us as FreeBSD developers is
some of the same dedication its current people have to its
continued success!The Current FreeBSD ReleaseNetBSDOpenBSD386BSDFree Software FoundationU.C. BerkeleyComputer Systems Resarch Group (CSRG)FreeBSD is a freely available, full source 4.4BSD-Lite based
release for Intel i386, i486, Pentium, Pentium Pro, Celeron,
Pentium II, Pentium III (or compatible) and DEC Alpha based computer
systems. It is based primarily on software from U.C. Berkeley's
CSRG group, with some enhancements from NetBSD, OpenBSD, 386BSD, and
the Free Software Foundation.Since our release of FreeBSD 2.0 in late 94, the performance,
feature set, and stability of FreeBSD has improved dramatically.
The largest change is a revamped virtual memory system with a merged
VM/file buffer cache that not only increases performance, but also
reduces FreeBSD's memory footprint, making a 5MB configuration a
more acceptable minimum. Other enhancements include full NIS client
and server support, transaction TCP support, dial-on-demand PPP,
integrated DHCP support, an improved SCSI subsystem, ISDN support,
support for ATM, FDDI, Fast and Gigabit Ethernet (1000Mbit)
adapters, improved support for the latest Adaptec controllers, and
many hundreds of bug fixes.We have also taken the comments and suggestions of many of our
users to heart and have attempted to provide what we hope is a more
sane and easily understood installation process. Your feedback on
this (constantly evolving) process is especially welcome!In addition to the base distributions, FreeBSD offers a
ported software collection with thousands of commonly
sought-after programs. At the time of this printing, there
were over &os.numports; ports! The list of ports ranges from
http (WWW) servers, to games, languages, editors, and almost
everything in between. The entire ports collection requires
approximately 100MB of storage, all ports being expressed as
deltas to their original sources. This makes
it much easier for us to update ports, and greatly reduces the
disk space demands made by the older 1.0 ports collection. To
compile a port, you simply change to the directory of the
program you wish to install, type make
install, and let the system do the rest. The full
original distribution for each port you build is retrieved
dynamically off the CDROM or a local FTP site, so you need
only enough disk space to build the ports you want. Almost
every port is also provided as a pre-compiled
package, which can be installed with a simple
command (pkg_add) by those who do not wish
to compile their own ports from source.A number of additional documents which you may find very helpful
in the process of installing and using FreeBSD may now also be found
in the /usr/share/doc directory on any machine
running FreeBSD 2.1 or later. You may view the locally installed
manuals with any HTML capable browser using the following
URLs:The FreeBSD Handbook/usr/share/doc/handbook/index.htmlThe FreeBSD FAQ/usr/share/doc/faq/index.htmlYou can also view the master (and most frequently updated)
copies at http://www.FreeBSD.org/.
diff --git a/en_US.ISO8859-1/books/handbook/kernelopts/chapter.sgml b/en_US.ISO8859-1/books/handbook/kernelopts/chapter.sgml
index 508e5e16cc..e091d006fd 100644
--- a/en_US.ISO8859-1/books/handbook/kernelopts/chapter.sgml
+++ b/en_US.ISO8859-1/books/handbook/kernelopts/chapter.sgml
@@ -1,160 +1,160 @@
Adding New Kernel Configuration OptionsContributed by &a.joerg;You should be familiar with the section about kernel configuration before reading
here.What's a Kernel Option, Anyway?The use of kernel options is basically described in the kernel configuration section.
There's also an explanation of historic and
new-style options. The ultimate goal is to eventually
turn all the supported options in the kernel into new-style ones, so for
people who correctly did a make depend in their
kernel compile directory after running
&man.config.8;, the build process will automatically pick up modified
options, and only recompile those files where it is necessary. Wiping
out the old compile directory on each run of &man.config.8; as it is
still done now can then be eliminated again.Basically, a kernel option is nothing else than the definition of a
C preprocessor macro for the kernel compilation process. To make the
build truly optional, the corresponding part of the kernel source (or
kernel .h file) must be written with the option
concept in mind, i.e., the default can be overridden by the
config option. This is usually done with something like:#ifndef THIS_OPTION
#define THIS_OPTION (some_default_value)
#endif /* THIS_OPTION */This way, an administrator mentioning another value for the option
in his config file will take the default out of effect, and replace it
with his new value. Clearly, the new value will be substituted into the
source code during the preprocessor run, so it must be a valid C
expression in whatever context the default value would have been
used.It is also possible to create value-less options that simply enable
or disable a particular piece of code by embracing it in#ifdef THAT_OPTION
[your code here]
#endifSimply mentioning THAT_OPTION in the config file
(with or without any value) will then turn on the corresponding piece of
code.People familiar with the C language will immediately recognize that
everything could be counted as a config option where there
is at least a single #ifdef referencing it...
However, it's unlikely that many people would putoptions notyet,notdefin their config file, and then wonder why the kernel compilation
- falls over. :-)
+ falls over.
Clearly, using arbitrary names for the options makes it very hard to
track their usage throughout the kernel source tree. That is the
rationale behind the new-style option scheme, where
each option goes into a separate .h file in the
kernel compile directory, which is by convention named
opt_foo.h. This way,
the usual Makefile dependencies could be applied, and
make can determine what needs to be recompiled once
an option has been changed.The old-style option mechanism still has one advantage for local
options or maybe experimental options that have a short anticipated
lifetime: since it is easy to add a new #ifdef to the
kernel source, this has already made it a kernel config option. In this
case, the administrator using such an option is responsible himself for
knowing about its implications (and maybe manually forcing the
recompilation of parts of his kernel). Once the transition of all
supported options has been done, &man.config.8; will warn whenever an
unsupported option appears in the config file, but it will nevertheless
include it into the kernel Makefile.Now What Do I Have to Do for it?First, edit sys/conf/options (or
sys/<arch>/conf/options.<arch>,
e. g. sys/i386/conf/options.i386), and select an
opt_foo.h file where
your new option would best go into.If there is already something that comes close to the purpose of the
new option, pick this. For example, options modifying the overall
behavior of the SCSI subsystem can go into
opt_scsi.h. By default, simply mentioning an
option in the appropriate option file, say FOO,
implies its value will go into the corresponding file
opt_foo.h. This can be overridden on the
right-hand side of a rule by specifying another filename.If there is no
opt_foo.h already
available for the intended new option, invent a new name. Make it
meaningful, and comment the new section in the
options[.<arch>]
file. &man.config.8; will automagically pick up the change, and create
that file next time it is run. Most options should go in a header file
by themselves..Packing too many options into a single
opt_foo.h will cause too
many kernel files to be rebuilt when one of the options has been changed
in the config file.Finally, find out which kernel files depend on the new option.
Unless you have just invented your option, and it does not exist
anywhere yet, &prompt.user; find /usr/src/sys -type f | xargs fgrep NEW_OPTION
is your friend in finding them. Go and edit all those files, and add
#include "opt_foo.h"on
top before all the #include <xxx.h> stuff.
This sequence is most important as the options could override defaults
from the regular include files, if the defaults are of the form
#ifndef NEW_OPTION #define NEW_OPTION (something)
#endif in the regular header.Adding an option that overrides something in a system header file
(i.e., a file sitting in /usr/include/sys/) is
almost always a mistake.
opt_foo.h cannot be
included into those files since it would break the headers more
seriously, but if it is not included, then places that include it may
get an inconsistent value for the option. Yes, there are precedents for
this right now, but that does not make them more correct.
diff --git a/en_US.ISO8859-1/books/handbook/linuxemu/chapter.sgml b/en_US.ISO8859-1/books/handbook/linuxemu/chapter.sgml
index 8cd484d370..a57611ac60 100644
--- a/en_US.ISO8859-1/books/handbook/linuxemu/chapter.sgml
+++ b/en_US.ISO8859-1/books/handbook/linuxemu/chapter.sgml
@@ -1,2286 +1,2286 @@
Linux Binary CompatibilityRestructured and parts updated by &a.jim;, 22 March
2000. Originally contributed by &a.handy; and
&a.rich;SynopsisLinux binary compatibilitybinary compatibilityLinuxThe following chapter will cover FreeBSD's Linux binary
compatibility features, how to install it, and how it works.At this point, you may be asking yourself why exactly, does
FreeBSD need to be able to run Linux binaries? The answer to that
question is quite simple. Many companies and developers develop
only for Linux, since it is the latest hot thing in
the computing world. That leaves the rest of us FreeBSD users
bugging these same companies and developers to put out native
FreeBSD versions of their applications. The problem is, that most
of these companies do not really realize how many people would use
their product if there were FreeBSD versions too, and most continue
to only develop for Linux. So what is a FreeBSD user to do? This
is where the Linux binary compatibility of FreeBSD comes into
play.In a nutshell, the compatibility allows FreeBSD users to run
about 90% of all Linux applications without modification. This
includes applications such as Star Office,
the Linux version of Netscape,
Adobe Acrobat,
RealPlayer
5 and 7, VMWare,
Oracle,
WordPerfect, Doom,
Quake, and more. It is also reported
that in some situations, Linux binaries perform better on FreeBSD
than they do under Linux.Linux/proc filesystemThere are, however, some Linux-specific operating system
features that are not supported under FreeBSD. Linux binaries will
not work on FreeBSD if they overly use the Linux
/proc filesystem (which is different from
FreeBSD's /proc filesystem), or i386-specific
calls, such as enabling virtual 8086 mode.For information on installing the Linux binary compatibility
mode, see the next section.InstallationWith the advent of 3.0-RELEASE, it is no longer necessary to
specify options LINUX or
options COMPAT_LINUX in your kernel
configuration.KLD (kernel loadable object)The Linux binary compatibility is now done via a KLD object
(Kernel LoaDable object), so it can be installed
on-the-fly without having to reboot. You will,
however, need to have the following in
/etc/rc.conf:linux_enable=YESThis, in turn, triggers the following action in
/etc/rc.i386:# Start the Linux binary compatibility if requested.
#
case ${linux_enable} in
[Yy][Ee][Ss])
echo -n ' linux'; linux > /dev/null 2>&1
;;
esacIf you wish to verify that the KLD is loaded,
kldstat will do that:&prompt.user; kldstat
Id Refs Address Size Name
1 2 0xc0100000 16bdb8 kernel
7 1 0xc24db000 d000 linux.kokernel optionsLINUXIf for some reason you do not want to or cannot load the KLD,
then you may statically link the binary compatibility in the kernel
by adding options LINUX to your kernel
configuration file. Then install your new kernel as described in
the kernel configuration section
of this handbook.Installing Linux Runtime LibrariesLinuxinstalling Linux librariesThis can be done one of two ways, either by using the
linux_base port, or
by installing them manually.Installing using the linux_base portports collectionThis is by far the easiest method to use when installing the
runtime libraries. It is just like installing any other port
from the ports collection.
Simply do the following:&prompt.root; cd /usr/ports/emulators/linux_base
&prompt.root; make install distcleanYou should now have working Linux binary compatibility.
Some programs may complain about incorrect minor versions of the
system libraries. In general, however, this does not seem to be
a problem.Installing libraries manuallyIf you do not have the ports collection
installed, you can install the libraries by hand instead. You
will need the Linux shared libraries that the program depends on
and the runtime linker. Also, you will need to create a
shadow root directory,
/compat/linux, for Linux libraries on your
FreeBSD system. Any shared libraries opened by Linux programs
run under FreeBSD will look in this tree first. So, if a Linux
program loads, for example, /lib/libc.so,
FreeBSD will first try to open
/compat/linux/lib/libc.so, and if that does
not exist, it will then try /lib/libc.so.
Shared libraries should be installed in the shadow tree
/compat/linux/lib rather than the paths
that the Linux ld.so reports.Generally, you will need to look for the shared libraries
that Linux binaries depend on only the first few times that you
install a Linux program on your FreeBSD system. After a while,
you will have a sufficient set of Linux shared libraries on your
system to be able to run newly imported Linux binaries without
any extra work.How to install additional shared librariesshared librariesWhat if you install the linux_base port
and your application still complains about missing shared
libraries? How do you know which shared libraries Linux
binaries need, and where to get them? Basically, there are 2
possibilities (when following these instructions you will need
to be root on your FreeBSD system).If you have access to a Linux system, see what shared
libraries the application needs, and copy them to your FreeBSD
system. Look at the following example:Let us assume you used FTP to get the Linux binary of
Doom, and put it on a Linux system you have access to. You
then can check which shared libraries it needs by running
ldd linuxdoom, like so:&prompt.user; ldd linuxdoom
libXt.so.3 (DLL Jump 3.1) => /usr/X11/lib/libXt.so.3.1.0
libX11.so.3 (DLL Jump 3.1) => /usr/X11/lib/libX11.so.3.1.0
libc.so.4 (DLL Jump 4.5pl26) => /lib/libc.so.4.6.29symbolic linksYou would need to get all the files from the last column,
and put them under /compat/linux, with
the names in the first column as symbolic links pointing to
them. This means you eventually have these files on your
FreeBSD system:/compat/linux/usr/X11/lib/libXt.so.3.1.0
/compat/linux/usr/X11/lib/libXt.so.3 -> libXt.so.3.1.0
/compat/linux/usr/X11/lib/libX11.so.3.1.0
/compat/linux/usr/X11/lib/libX11.so.3 -> libX11.so.3.1.0
/compat/linux/lib/libc.so.4.6.29 /compat/linux/lib/libc.so.4 -> libc.so.4.6.29
Note that if you already have a Linux shared library
with a matching major revision number to the first column
of the ldd output, you will not need to
copy the file named in the last column to your system, the
one you already have should work. It is advisable to copy
the shared library anyway if it is a newer version,
though. You can remove the old one, as long as you make
the symbolic link point to the new one. So, if you have
these libraries on your system:/compat/linux/lib/libc.so.4.6.27
/compat/linux/lib/libc.so.4 -> libc.so.4.6.27and you find a new binary that claims to require a
later version according to the output of
ldd:libc.so.4 (DLL Jump 4.5pl26) -> libc.so.4.6.29If it is only one or two versions out of date in the
in the trailing digit then do not worry about copying
/lib/libc.so.4.6.29 too, because the
program should work fine with the slightly older version.
However, if you like, you can decide to replace the
libc.so anyway, and that should leave
you with:/compat/linux/lib/libc.so.4.6.29
/compat/linux/lib/libc.so.4 -> libc.so.4.6.29
The symbolic link mechanism is
only needed for Linux binaries. The
FreeBSD runtime linker takes care of looking for matching
major revision numbers itself and you do not need to worry
about it.
Installing Linux ELF binariesLinuxELF binariesELF binaries sometimes require an extra step of
branding. If you attempt to run an unbranded ELF
binary, you will get an error message like the following;&prompt.user; ./my-linux-elf-binary
ELF binary type not known
AbortTo help the FreeBSD kernel distinguish between a FreeBSD ELF
binary from a Linux binary, use the &man.brandelf.1;
utility.&prompt.user; brandelf -t Linux my-linux-elf-binaryGNU toolchainThe GNU toolchain now places the appropriate branding
information into ELF binaries automatically, so you this step
should become increasingly more rare in the future.Configuring the host name resolverIf DNS does not work or you get this message:resolv+: "bind" is an invalid keyword resolv+:
"hosts" is an invalid keywordYou will need to configure a
/compat/linux/etc/host.conf file
containing:order hosts, bind
multi onThe order here specifies that /etc/hosts
is searched first and DNS is searched second. When
/compat/linux/etc/host.conf is not
installed, Linux applications find FreeBSD's
/etc/host.conf and complain about the
incompatible FreeBSD syntax. You should remove
bind if you have not configured a name server
using the /etc/resolv.conf file.Installing MathematicaUpdated for Mathematica
version 4.X by &a.murray
and merged with work by Bojan Bistrovic
bojanb@physics.odu.edu.applicationsMathematicaThis document describes the process of installing the Linux
version of Mathematica 4.X onto
a FreeBSD system.The Linux version of Mathematica
runs perfectly under FreeBSD
however the binaries shipped by Wolfram need to be branded so that
FreeBSD knows to use the Linux ABI to execute them.The Linux version of Mathematica
or Mathematica for Students can
be ordered directly from Wolfram at http://www.wolfram.com/.Branding the Linux binariesThe Linux binaries are located in the Unix
directory of the Mathematica CDROM
distributed by Wolfram. You
need to copy this directory tree to your local hard drive so that
you can brand the Linux binaries with &man.brandelf.1; before
running the installer:&prompt.root; mount /cdrom
&prompt.root; cp -rp /cdrom/Unix/ /localdir/
&prompt.root; brandelf -t Linux /localdir/Files/SystemFiles/Kernel/Binaries/Linux/*
&prompt.root; brandelf -t Linux /localdir/Files/SystemFiles/FrontEnd/Binaries/Linux/*
&prompt.root; brandelf -t Linux /localdir/Files/SystemFiles/Installation/Binaries/Linux/*
&prompt.root; brandelf -t Linux /localdir/Files/SystemFiles/Graphics/Binaries/Linux/*
&prompt.root; brandelf -t Linux /localdir/Files/SystemFiles/Converters/Binaries/Linux/*
&prompt.root; brandelf -t Linux /localdir/Files/SystemFiles/LicenseManager/Binaries/Linux/mathlm
&prompt.root; cd /localdir/Installers/Linux/
&prompt.root; ./MathInstallerAlternatively, you can simply set the default ELF brand
to Linux for all unbranded binaries with the command:&prompt.root; sysctl -w kern.fallback_elf_brand=3This will make FreeBSD assume that unbranded ELF binaries
use the Linux ABI and so you should be able to run the
installer straight from the CDROM.Obtaining your Mathematica PasswordBefore you can run Mathematica
you will have to obtain a
password from Wolfram that corresponds to your machine
ID.EthernetMAC addressOnce you have installed the Linux compatibility runtime
libraries and unpacked Mathematica
you can obtain the
machine ID by running the program
mathinfo in the Install directory. This
machine ID is based solely on the MAC address of your first
Ethernet card.&prompt.root; cd /localdir/Files/SystemFiles/Installation/Binaries/Linux
&prompt.root; mathinfo
disco.example.com 7115-70839-20412When you register with Wolfram, either by email, phone or fax,
you will give them the machine ID and they will
respond with a corresponding password consisting of groups of
numbers. You can then enter this information when you attempt to
run Mathematica for the first time
exactly as you would for any other
Mathematica platform.Running the Mathematica front end over a networkMathematica uses some special
fonts to display characters not
present in any of the standard font sets (integrals, sums, Greek
letters, etc.). The X protocol requires these fonts to be install
locally. This means you will have to copy
these fonts from the CDROM or from a host with
Mathematica
installed to your local machine. These fonts are normally stored
in /cdrom/Unix/Files/SystemFiles/Fonts on the
CDROM, or
/usr/local/mathematica/SystemFiles/Fonts on
your hard drive. The actual fonts are in the subdirectories
Type1 and X. There are
several ways to use them, as described below.The first way is to copy them into one of the existing font
directories in /usr/X11R6/lib/X11/fonts.
This will require editing the fonts.dir file,
adding the font names to it, and changing the number of fonts on
the first line. Alternatively, you should also just be able to
run mkfontdir in the directory you have copied
them to.The second way to do this is to copy the directories to
/usr/X11R6/lib/X11/fonts:&prompt.root; cd /usr/X11R6/lib/X11/fonts
&prompt.root; mkdir X
&prompt.root; mkdir MathType1
&prompt.root; cd /cdrom/Unix/Files/SystemFiles/Fonts
&prompt.root; cp X/* /usr/X11R6/lib/X11/fonts/X
&prompt.root; cp Type1/* /usr/X11R6/lib/X11/fonts/MathType1
&prompt.root; cd /usr/X11R6/lib/X11/fonts/X
&prompt.root; mkfontdir
&prompt.root; cd ../MathType1
&prompt.root; mkfontdirNow add the new font directories to your font path:&prompt.root; xset fp+ /usr/X11R6/lib/X11/fonts/X
&prompt.root; xset fp+ /usr/X11R6/lib/X11/fonts/MathType1
&prompt.root; xset fp rehashIf you are using the XFree86 server, you can have these font
directories loaded automatically by adding them to your
XF86Config file.fontsIf you do not already have a directory
called /usr/X11R6/lib/X11/fonts/Type1, you
can change the name of the MathType1
directory in the example above to
Type1.Installing OracleContributed by Marcel Moolenaar
marcel@cup.hp.comapplicationsOraclePrefaceThis document describes the process of installing Oracle 8.0.5 and
Oracle 8.0.5.1 Enterprise Edition for Linux onto a FreeBSD
machineInstalling the Linux environmentMake sure you have both linux_base and
linux_devtools from the ports collection
installed. These ports are added to the collection after the release
of FreeBSD 3.2. If you are using FreeBSD 3.2 or an older version for
that matter, update your ports collection. You may want to consider
updating your FreeBSD version too. If you run into difficulties with
linux_base-6.1 or
linux_devtools-6.1 you may have to use version
5.2 of these packages.If you want to run the intelligent agent, you'll
also need to install the Red Hat Tcl package:
tcl-8.0.3-20.i386.rpm. The general command
for installing packages with the official RPM port is :&prompt.root; rpm -i --ignoreos --root /compat/linux --dbpath /var/lib/rpm packageInstallation of the package should not generate any errors.Creating the Oracle environmentBefore you can install Oracle, you need to set up a proper
environment. This document only describes what to do
specially to run Oracle for Linux on FreeBSD, not
what has been described in the Oracle installation guide.Kernel Tuningkernel tuningAs described in the Oracle installation guide, you need to set
the maximum size of shared memory. Don't use
SHMMAX under FreeBSD. SHMMAX
is merely calculated out of SHMMAXPGS and
PGSIZE. Therefore define
SHMMAXPGS. All other options can be used as
described in the guide. For example:options SHMMAXPGS=10000
options SHMMNI=100
options SHMSEG=10
options SEMMNS=200
options SEMMNI=70
options SEMMSL=61Set these options to suit your intended use of Oracle.Also, make sure you have the following options in your kernel
config-file:options SYSVSHM #SysV shared memory
options SYSVSEM #SysV semaphores
options SYSVMSG #SysV interprocess communicationOracle accountCreate an Oracle account just as you would create any other
account. The Oracle account is special only that you need to give
it a Linux shell. Add /compat/linux/bin/bash to
/etc/shells and set the shell for the Oracle
account to /compat/linux/bin/bash.EnvironmentBesides the normal Oracle variables, such as
ORACLE_HOME and ORACLE_SID you must
set the following environment variables:VariableValueLD_LIBRARY_PATH$ORACLE_HOME/libCLASSPATH$ORACLE_HOME/jdbc/lib/classes111.zipPATH/compat/linux/bin
/compat/linux/sbin
/compat/linux/usr/bin
/compat/linux/usr/sbin
/bin
/sbin
/usr/bin
/usr/sbin
/usr/local/bin
$ORACLE_HOME/binIt is advised to set all the environment variables in
.profile. A complete example is:ORACLE_BASE=/oracle; export ORACLE_BASE
ORACLE_HOME=/oracle; export ORACLE_HOME
LD_LIBRARY_PATH=$ORACLE_HOME/lib
export LD_LIBRARY_PATH
ORACLE_SID=ORCL; export ORACLE_SID
ORACLE_TERM=386x; export ORACLE_TERM
CLASSPATH=$ORACLE_HOME/jdbc/lib/classes111.zip
export CLASSPATH
PATH=/compat/linux/bin:/compat/linux/sbin:/compat/linux/usr/bin:/compat/linux/usr/sbin:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:$ORACLE_HOME/bin
export PATHInstalling OracleDue to a slight inconsistency in the Linux emulator, you need to
create a directory named .oracle in
/var/tmp before you start the installer. Either
make it world writable or let it be owner by the oracle user. You
should be able to install Oracle without any problems. If you have
problems, check your Oracle distribution and/or configuration first!
After you have installed Oracle, apply the patches described in the
next two subsections.A frequent problem is that the TCP protocol adapter is not
installed right. As a consequence, you cannot start any TCP listeners.
The following actions help solve this problem:&prompt.root; cd $ORACLE_HOME/network/lib
&prompt.root; make -f ins_network.mk ntcontab.o
&prompt.root; cd $ORACLE_HOME/lib
&prompt.root; ar r libnetwork.a ntcontab.o
&prompt.root; cd $ORACLE_HOME/network/lib
&prompt.root; make -f ins_network.mk installDon't forget to run root.sh again!Patching root.shWhen installing Oracle, some actions, which need to be performed
as root, are recorded in a shell script called
root.sh. root.sh is
written in the orainst directory. Apply the
following patch to root.sh, to have it use to proper location of
chown or alternatively run the script under a
Linux native shell.*** orainst/root.sh.orig Tue Oct 6 21:57:33 1998
--- orainst/root.sh Mon Dec 28 15:58:53 1998
***************
*** 31,37 ****
# This is the default value for CHOWN
# It will redefined later in this script for those ports
# which have it conditionally defined in ss_install.h
! CHOWN=/bin/chown
#
# Define variables to be used in this script
--- 31,37 ----
# This is the default value for CHOWN
# It will redefined later in this script for those ports
# which have it conditionally defined in ss_install.h
! CHOWN=/usr/sbin/chown
#
# Define variables to be used in this scriptWhen you don't install Oracle from CD, you can patch the source
for root.sh. It is called
rthd.sh and is located in the
orainst directory in the source tree.Patching genclntshThe script genclntsh is used to create
a single shared client
library. It is used when building the demos. Apply the following
patch to comment out the definition of PATH:*** bin/genclntsh.orig Wed Sep 30 07:37:19 1998
--- bin/genclntsh Tue Dec 22 15:36:49 1998
***************
*** 32,38 ****
#
# Explicit path to ensure that we're using the correct commands
#PATH=/usr/bin:/usr/ccs/bin export PATH
! PATH=/usr/local/bin:/bin:/usr/bin:/usr/X11R6/bin export PATH
#
# each product MUST provide a $PRODUCT/admin/shrept.lst
--- 32,38 ----
#
# Explicit path to ensure that we're using the correct commands
#PATH=/usr/bin:/usr/ccs/bin export PATH
! #PATH=/usr/local/bin:/bin:/usr/bin:/usr/X11R6/bin export PATH
#
# each product MUST provide a $PRODUCT/admin/shrept.lstRunning OracleWhen you have followed the instructions, you should be able to run
Oracle as if it was run on Linux
itself.Installing SAP R/3 (4.6B - IDES)Contributed by Holger Kippholger.kipp@alogis.comConverted to SGML by &a.logo;applicationsSAP R/3PrefaceThis document describes a possible way of installing a
SAP R/3 4.6B IDES-System
with Oracle 8.0.5
for Linux onto a FreeBSD 4.3 machine, including the installation
of FreeBSD 4.3-STABLE and
Oracle 8.0.5.Even though this document tries to describe all important
steps in a greater detail, it is not intended as a replacement
for the Oracle and
SAP R/3 installation guides.Please see the documentation that comes with the
SAP R/3
Linux edition for SAP- and
Oracle-specific questions, as well
as resources from Oracle and
SAP OSS.SoftwareThe following CDROMs have been used for
SAP-installation:NameNumberDescriptionKERNEL51009113SAP Kernel Oracle /
Installation / AIX, Linux, SolarisRDBMS51007558Oracle / RDBMS 8.0.5.X /
LinuxEXPORT151010208IDES / DB-Export / Disc
1 of 6EXPORT251010209IDES / DB-Export / Disc
2 of 6EXPORT351010210IDES / DB-Export /
Disc3 of 6EXPORT451010211IDES / DB-Export /
Disc4 of 6EXPORT551010212IDES / DB-Export /
Disc5 of 6EXPORT651010213IDES / DB-Export /
Disc6 of 6Additionally, I used the Oracle 8
Server (Pre-production version 8.0.5 for Linux,
Kernel Version 2.0.33) CD which is not really necessary, and
of course FreeBSD 4.3 stable (it was only a few days past 4.3
RELEASE).SAP-NotesThe following notes should be read before installing
SAP R/3 or proved to be useful
during installation:NumberTitle0171356SAP Software auf Linux: grundlegenden
Anmerkungen0201147INST: 4.6C R/3 Inst. on UNIX -
Oracle0373203Update / Migration Oracle 8.0.5 -->
8.0.6/8.1.6 LINUX0072984Release of Digital UNIX 4.0B for
Oracle0130581R3SETUP step DIPGNTAB terminates0144978Your system has not been installed
correctly0162266Questions and tips for R3SETUP on Windows
NT / W2KHardware-RequirementsThe following equipment is sufficient for a
SAP R/3 System (4.6B):Component4.6B4.6CProcessor2 x 800MHz Pentium III2 x 800MHz Pentium IIIMemory1GB ECC2GB ECCHard Disc Space50-60GB (IDES)50-60GB (IDES)For use in production, Xeon-Processors with large cache,
high-speed disc access (SCSI, RAID hardware controller), USV
and ECC-RAM is recommended. The large amount of Hard disc
space is due to the preconfigured IDES System, which creates
27 GB of database files during installation. Usually after
installation it is then necessary to extend some
tablespaces.I used a dual processor board with 2 800MHz Pentium III
processors, Adaptec 29160 Ultra160 SCSI adapter (for accessing
a 40/80 GB DLT tape drive and CDROM), Mylex AcelleRAID (2
channels, firmware 6.00-1-00 with 32MB RAM). To the Mylex
Raid-controller are attached two 17GB hard discs (mirrored)
and four 36GB hard discs (RAID level 5).Installation of FreeBSD 4.3 stableFirst I installed FreeBSD 4.3 stable. I did the
default-installation via FTP.Installation via FTPGet the diskimages
kern.flp and mfsroot.flp and put them on floppy disks (I got
mine from ftp7.de.freebsd.org. Please choose the appropriate
mirror).&prompt.root; dd if=kern.flp of=/dev/fd0
&prompt.root; dd if=mfsroot.flp of=/dev/fd0
- Don't forget to use different disks for the two images
- :-), then boot from the floppy with the kern.flp-image on it
+ Don't forget to use different disks for the two images,
+ then boot from the floppy with the kern.flp-image on it
and follow instructions. I used the following disk
layout:FilesystemSize (1k-blocks)Size (GB)Mounted on/dev/da0s1a1.016.3031//dev/da0s1b6<swap>/dev/da0s1e2.032.6232/var/dev/da0s1f8.205.3398/usr/dev/da1s1e45.734.36145/compat/linux/oracle/dev/da1s1f2.032.6232/compat/linux/sapmnt/dev/da1s1g2.032.6232/compat/linux/usr/sapI had to configure and initialize the two logical drives
with the Mylex software beforehand. It is located on the
board itself and can be started during the boot phase of the
PC. Please note that this disk layout differs slightly from
the SAP recommendations, as SAP suggests mounting the
oracle-subdirectories (and some others) separately - I
decided to just create them as real subdirectories for
simplicity.Get the latest stable-sourcesFor FreeBSD 4.3 stable onwards, it is quite easy to get
the latest stable sources. With the older versions of
FreeBSD, I had my own script located in /etc/cvsup. Setting
up CVSup for FreeBSD 4.3 is quite
easy. As user
root do the following:&prompt.root; cp /etc/defaults/make.conf /etc/make.conf
&prompt.root; vi /etc/make.confThe file /etc/make.conf requires the
following entries to be active:SUP_UPDATE= yes
SUP= /usr/local/bin/cvsup
SUPFLAGS= -g -L 2
SUPHOST= cvsup8.FreeBSD.org
SUPFILE= /usr/share/examples/cvsup/stable-supfile
PORTSSUPFILE= /usr/share/examples/cvsup/ports-supfile
DOCSUPFILE= /usr/share/examples/cvsup/doc-supfileChange the SUPHOST-value
appropriately. The supfiles in
/usr/share/examples/cvsup should be
fine. If you don't want to load all the docfiles, leave the
corresponding DOCSUPFILE-entry
inactive. Starting cvsup
to get the latest stable-sources is then very easy:&prompt.root; cd /usr/src
&prompt.root; make updateMake world and a new kernelThe first thing to do is to install the sources.
As user root, do the following:&prompt.root; cd /usr/src
&prompt.root; make worldIf this goes through, one can then continue creating and
configuring the new kernel. Usually this is where to
customize the kernel configuration file. As the computer is
named troubadix, the natural name for the
config file also is troubadix:&prompt.root; cd /usr/src/sys/i386/conf
&prompt.root; cp GENERIC TROUBADIX
&prompt.root; vi TROUBADIXAt this stage one can define the drivers to use and not
to use, etc. See the appropriate documentation or have a
look at file LINT for some additional
explanations.One can then also include the parameters as described
below Creating the new kernel then requires:&prompt.root; cd /usr/src/sys/i386/conf
&prompt.root; config TROUBADIX
&prompt.root; cd /usr/src/sys/compile/TROUBADIX
&prompt.root; make depend
&prompt.root; make
&prompt.root; make installAfter make install finished
successfully, one should reboot the computer to have the new
kernel available.Installing the Linux environmentI had some trouble downloading the required RPM-files (for
4.3 stable, 2nd May 2001), so you might try one of the
following locations (if all the others fail and the following
aren't out of date):ftp7.de.freebsd.org/pub/FreeBSD/distfiles/rpmftp.redhat.com/pub/redhat/linux/6.1/en/os/i386/RedHat/RPMSInstalling Linux base-systemFirst the Linux base-system needs to be installed (as root):
&prompt.root; cd /usr/ports/emulators/linux_base
&prompt.root; make packageInstalling Linux developmentNext, the Linux development is needed:&prompt.root; cd /usr/ports/devel/linux_devtools
&prompt.root; make packageInstalling necessary RPMsRPMsTo start the R3SETUP-Program, pam support is needed. As
this also requires some other packages, I ended up
installing several packages. After that, pam still
complained about a missing package, so I forced the
installation and it worked. I wonder if the other packages
are really needed or if it would have been sufficient to
install the pam-package.Anyway, here is the list of packages I installed:cracklib-2.7-5.i386.rpmcracklib-dicts-2.7-5.i386.rpmpwdb-0.60-1.i386.rpmpam-0.68-7.i386.rpmI installed these packages with the following
command:&prompt.root; rpm -i --ignoreos --root /compat/linux --dbpath /var/lib/rpm <package_name>except for the pam package, which I forced with&prompt.root; rpm -i --ignoreos --nodeps --root /compat/linux --dbpath /var/lib/rpm pam-0.68-7.i386.rpmFor Oracle to run the
intelligent agent, I also had to install the following
RedHat Tcl package (as is stated in the FreeBSD Handbook):
tcl-8.0.5-30.i386.rpm (otherwise the
relinking during Oracle install
won't work). There are some other issues regarding
relinking of Oracle, but that is
a Oracle-Linux issue, not FreeBSD specific as far as I
understand it.Creating the SAP/R3 environmentCreating the necessary filesystems and mountpointsFor a simple installation, it is sufficient to create the
following filesystems:mountpointsize in GB/compat/linux/oracle45 GB/compat/linux/sapmnt2 GB/compat/linux/usr/sap2 GBI also created some links, so FreeBSD will also find the
correct path:&prompt.root; ln -s /compat/linux/oracle /oracle
&prompt.root; ln -s /compat/linux/sapmnt /sapmnt
&prompt.root; ln -s /compat/linux/usr/sap /usr/sapCreating users and directoriesSAP R/3 needs two users and
three groups. The usernames depend on the
SAP system id (SID) which consists
of three letters. Some of these SIDs are reserved
by SAP (for example
SAP and NIX. For a
complete list please see the SAP documentation). For the IDES
installation I used IDS. We have
therefore the following groups (group ids might differ, these
are just the values I used with my installation):group idgroup namedescription100dbaData Base Administrator101sapsysSAP System102operData Base OperatorFor a default Oracle-Installation, only group
dba is used. As
oper-group, one also uses group
dba (see Oracle- and
SAP-documentation for further information).We also need the following users:user idusernamegeneric namegroupadditional groupsdescription1000idsadm<sid>admsapsysoperSAP Administrator1002oraidsora<sid>dbaoperDB AdministratorAdding the users with adduser
requires the following (please note shell and home
directory) entries for SAP-Administrator:Name: idsadm <sid>adm
Password: ******
Fullname: SAP IDES Administrator
Uid: 1000
Gid: 101 (sapsys)
Class:
Groups: sapsys dba
HOME: /home/idsadm /home/<sid>adm
Shell: /bin/shand for Database-Administrator:Name: oraids ora<sid>
Password: ******
Fullname: Oracle IDES Administrator
Uid: 1002
Gid: 100 (dba)
Class:
Groups: dba
HOME: /oracle/IDS /oracle/<sid>
Shell: /bin/shThis should also include group
oper in case you are using both
groups dba and
oper.Creating directoriesThese directories are usually created as separate
filesystems. This depends entirely on your requirements. I
choose to create them as simple directories, as they are all
located on the same RAID 5 anyway:First we'll set owners and right of some directories (as
user root):&prompt.root; chmod 775 /oracle
&prompt.root; chmod 777 /sapmnt
&prompt.root; chown root:dba /oracle
&prompt.root; chown idsadm:sapsys /compat/linux/usr/sap
&prompt.root; chmow 775 /compat/linux/usr/sapSecond we'll create directories as user ora<sid>. These
will all be subdirectories of /oracle/IDS:&prompt.root; su - oraids
&prompt.root; mkdir mirrlogA mirrlogB origlogA origlogB
&prompt.root; mkdir sapdata1 sapdata2 sapdata3 sapdata4 sapdata5 sapdata6
&prompt.root; mkdir saparch sapreorg
&prompt.root; exitIn the third step we create directories as user
idsadm (<sid>adm):&prompt.root; su - idsadm
&prompt.root; cd /usr/sap
&prompt.root; mkdir IDS
&prompt.root; mkdir trans
&prompt.root; exitEntries in /etc/servicesSAP R/3 requires some entries in file
/etc/services , which will not be set
correctly during installation under FreeBSD. Please add the
following entries (you need at least those entries
corresponding to the instance number - in this case,
00. It'll do no harm adding all
entries from 00 to
99 for dp,
gw, sp and
ms);sapdp00 3200/tcp # SAP Dispatcher. 3200 + Instance-Number
sapgw00 3300/tcp # SAP Gateway. 3300 + Instance-Number
sapsp00 3400/tcp # 3400 + Instance-Number
sapms00 3500/tcp # 3500 + Instance-Number
sapmsIDS 3600/tcp # SAP Message Server. 3600 + Instance-NumberNecessary localeslocaleSAP requires at least two locales that aren't part of
the default RedHat installation. SAP offers the required
RPMs as download from their FTP-server (which is only
accessible if you are a customer with OSS-access). See note
0171356 for a list of RPMs you need.It is also possible to just create appropriate links
(for example from de_DE and
en_US ), but I wouldn't recommend this
for a production system (so far it worked with the IDES
system without any problems, though). The following locales
are needed:de_DE.ISO-8859-1
en_US.ISO-8859-1If they are not present, there will be some problems
during the installation. If these are then subsequently
ignored (eg by setting the status of the offending steps to
OK in file CENTRDB.R3S), it will be impossible to log onto
the SAP-system without some additional effort.Kernel Tuningkernel tuningSAP R/3 Systems need a lot of resources. I therefore
added the following parameters to my kernel config-file:
# Set these for memory pigs (SAP and Oracle):
options MAXDSIZ="(1024*1024*1024)"
options DFLDSIZ="(1024*1024*1024)" # System V options needed.
options SYSVSHM #SYSV-style shared memory
options SHMMAXPGS=262144 #max amount of shared mem. pages
options SHMMNI=256 #max number of shared memory ident if.
options SHMSEG=100 #max shared mem.segs per process
options SYSVMSG #SYSV-style message queues
options MSGSEG=32767 #max num. of mes.segments in system
options MSGSSZ=32 #size of msg-seg. MUST be power of 2
options MSGMNB=65535 #max char. per message queue
options MSGTQL=2046 #max amount of msgs in system
options SYSVSEM #SYSV-style semaphores
options SEMMNU=256 #number of semaphore UNDO structures
options SEMMNS=1024 #number of semaphores in system
options SEMMNI=520 #number of semaphore indentifiers
options SEMUME=100 #number of UNDO keysThe minimum values are specified in the documentation that
comes from SAP. As there is no description for Linux, see the
HP-UX-section (32-bit) for further information.
Installing SAP R/3Preparing SAP CDROMsThere are lots of CDROMs to mount and unmount during
installation. Assuming you have enough CDROM-drives, you
can just mount them all. I decided to copy the CDROM
contents to corresponding directories:/oracle/IDS/sapreorg/<cd-name>where <cd-name> was one of KERNEL,
RDBMS, EXPORT1,
EXPORT2, EXPORT3,
EXPORT4, EXPORT5 and
EXPORT6. All the
filenames should be in capital letters, otherwise use the -g
option for mounting. So use the following commands:&prompt.root; mount_cd9660 -g /dev/cd0a /mnt
&prompt.root; cp -R /mnt/* /oracle/IDS/sapreorg/<cd-name>
&prompt.root; umount /mntRunning the install-scriptFirst we need to prepare an install-directory:&prompt.root; cd /oracle/IDS/sapreorg
&prompt.root; mkdir install
&prompt.root; cd installThen the install-script is started, which will copy nearly
all the relevant files into the install-directory:/oracle/IDS/sapreorg/KERNEL/UNIX/INSTTOOL.SHAs this is an IDES-Installation with a fully customized
SAP R/3 Demo-System, we have six instead of just three
EXPORT-CDs. At this point the installation template
CENTRDB.R3S is for installing a standard central instance
(R/3 and Database), not an IDES central instance, so copy
the corresponding CENTRDB.R3S from the EXPORT1 directory,
otherwise R3SETUP will only ask for three EXPORT-CDs.Start R3SETUPMake sure LD_LIBRARY_PATH is set correctly:&prompt.root; export LD_LIBRARY_PATH=/oracle/IDS/lib:/sapmnt/IDS/exe:/oracle/805_32/libStart R3SETUP as user root from installation
directory:&prompt.root; cd /oracle/IDS/sapreorg/install
&prompt.root; ./R3SETUP -f CENTRDB.R3SThe script then asks some questions (defaults in brackets,
followed by actual input):QuestionDefaultInputEnter SAP System ID[C11]IDS<ret>Enter SAP Instance Number[00]<ret>Enter SAPMOUNT Directory[/sapmnt]<ret>Enter name of SAP central host[troubadix.domain.de]<ret>Enter name of SAP db host[troubadix]<ret>Select character set[1] (WE8DEC)<ret>Enter Oracle server version (1) Oracle 8.0.5, (2) Oracle 8.0.6, (3) Oracle 8.1.5, (4) Oracle 8.1.61<ret>Extract Oracle Client archive[1] (Yes, extract)<ret>Enter path to KERNEL CD[/sapcd]/oracle/IDS/sapreorg/KERNELEnter path to RDBMS CD[/sapcd]/oracle/IDS/sapreorg/RDBMSEnter path to EXPORT1 CD[/sapcd]/oracle/IDS/sapreorg/EXPORT1Directory to copy EXPORT1 CD[/oracle/IDS/sapreorg/CD4_DIR]<ret>Enter path to EXPORT2 CD[/sapcd]/oracle/IDS/sapreorg/EXPORT2Directory to copy EXPORT2 CD[/oracle/IDS/sapreorg/CD5_DIR]<ret>Enter path to EXPORT3 CD[/sapcd]/oracle/IDS/sapreorg/EXPORT3Directory to copy EXPORT3 CD[/oracle/IDS/sapreorg/CD6_DIR]<ret>Enter path to EXPORT4 CD[/sapcd]/oracle/IDS/sapreorg/EXPORT4Directory to copy EXPORT4 CD[/oracle/IDS/sapreorg/CD7_DIR]<ret>Enter path to EXPORT5 CD[/sapcd]/oracle/IDS/sapreorg/EXPORT5Directory to copy EXPORT5 CD[/oracle/IDS/sapreorg/CD8_DIR]<ret>Enter path to EXPORT6 CD[/sapcd]/oracle/IDS/sapreorg/EXPORT6Directory to copy EXPORT6 CD[/oracle/IDS/sapreorg/CD9_DIR]<ret>Enter amount of RAM for SAP + DB850<ret> (in Megabytes)Service Entry Message Server[3600]<ret>Enter Group-ID of sapsys[101]<ret>Enter Group-ID of oper[102]<ret>Enter Group-ID of dba[100]<ret>Enter User-ID of <sid>adm[1000]<ret>Enter User-ID of ora<sid>[1002]<ret>Number of parallel procs[2]<ret>If I had not copied the CDs to the different locations,
then the SAP-Installer can't find the CD needed (identified
by the LABEL.ASC-File on CD) and would
then ask you to insert / mount the CD and confirm or enter
the mount path.The CENTRDB.R3S might not be
error-free. In my case, it requested EXPORT4 again (but
indicated the correct key (6_LOCATI ON, then 7_LOCATION
etc.), so one can just continue with entering the correct
values. Don't get irritated.Apart from some problems mentioned below, everything
should go straight through up to the point where the Oracle
database software needs to be installed.Installing Oracle 8.0.5Please see the corresponding SAP-Notes and Oracle Readmes
regarding Linux and Oracle DB for possible problems. Most if
not all problems stem from incompatible librariesFor more information on installing Oracle, refer to the Installing Oracle
chapter.Installing the Oracle 8.0.5 with orainstIf Oracle 8.0.5 is to be
used, some additional libraries are needed for successfully
relinking, as Oracle 8.0.5 was linked with an old glibc
(RedHat 6.0), but RedHat 6.1 already uses a new glibc. So
you have to install the following additional packages to
ensure that linking will work:compat-libs-5.2-2.i386.rpmcompat-glibc-5.2-2.0.7.2.i386.rpmcompat-egcs-5.2-1.0.3a.1.i386.rpmcompat-egcs-c++-5.2-1.0.3a.1.i386.rpmcompat-binutils-5.2-2.9.1.0.23.1.i386.rpmSee the corresponding SAP-Notes or Oracle Readmes for
further information. If this is no option (at the time of
installation I didn't have enough time to check this), one
could use the original binaries, or use the relinked
binaries from an original RedHat System.For compiling the intelligent agent, the RedHat Tcl
package must be installed. If you can't get
tcl-8.0.3-20.i386.rpm, a newer one like
tcl-8.0.5-30.i386.rpm for RedHat 6.1
should also do.Apart from relinking, the installation is
straightforward:&prompt.root; su - oraids
&prompt.root; export TERM=xterm
&prompt.root; export ORACLE_TERM=xterm
&prompt.root; export ORACLE_HOME=/oracle/IDS
&prompt.root; cd /ORACLE_HOME/orainst_sap
&prompt.root; ./orainstConfirm all Screens with Enter until the software is
installed, except that one has to deselect the
Oracle On-Line Text Viewer , as this is
not currently available for Linux. Oracle then wants to
relink with i386-glibc20-linux-gcc
instead of the available gcc,
egcs or i386-redhat-linux-gcc
.Due to time constrains I decided to use the binaries
from an Oracle 8.0.5 PreProduction
release, after the first
attempt at getting the version from the RDBMS-CD working,
failed, and finding / accessing the correct RPMs was a
nightmare at that time.Installing the Oracle 8.0.5 Pre-Production release for
Linux (Kernel 2.0.33)This installation is quite easy. Mount the CD, start the
installer. It will then ask for the location of the Oracle
home directory, and copy all binaries there. I did not
delete the remains of my previous RDBMS-installation tries,
though.Afterwards, Oracle Database could be started with no
problems.Continue with SAP R/3 installationFirst check the environment settings of users
idsamd
(<sid>adm) and
oraids (ora<sid>). They should now
both have the files .profile ,
.login and .cshrc
which are all using hostname. In case the
system's hostname is the fully qualified name, you need to
change hostname to hostname
-s within all three files.Database loadAfterwards, R3SETUP can either be restarted or continued
(depending on whether exit was chosen or not). R3SETUP then
creates the tablespaces and loads the data from EXPORT1 to
EXPORT6 (remember, it is an IDES system, otherwise it would
only be EXPORT1 to EXPORT3) with R3load into the
database.When the database load is finished (might take a few
hours), some passwords are requested. For test
installations, one can use the well known default passwords
(use different ones if security is an issue!):QuestionInputEnter Password for sapr3sap<ret>Confirum Password for sapr3sap<ret>Enter Password for syschange_on_install<ret>Confirm Password for syschange_on_install<ret>Enter Password for systemmanager<ret>Confirm Password for systemmanager<ret>At this point I had a few problems with
dipgntab.ListenerStart the Oracle-Listener as user
oraids (ora<sid>) as follows:umask 0; lsnrctl startOtherwise you might get ORA-12546 as the sockets won't
have the correct permissions. See SAP note 072984.Post-installation stepsRequest SAP R/3 license keyThis is needed, as the temporary license is only valid for
four weeks. Don't forget to enter the correct Operating System:
(X) Other: FreeBSD 4.3 Stable. First get
the hardware key. Log on as user idsadm and
call saplicense:&prompt.root; /sapmnt/IDS/exe/saplicense -getCalling saplicense without options
gives a list of options. Upon receiving the license key, it can
be installed using&prompt.root; /sapmnt/IDS/exe/saplicense -installYou are then required to enter the following
values:SAP SYSTEM ID = <SID, 3 chars>
CUSTOMER KEY = <hardware key, 11 chars>
INSTALLATION NO = <installation, 10 digits>
EXPIRATION DATE = <yyyymmdd, usually "99991231">
LICENSE KEY = <license key, 24 chars>Creating UsersCreate a user within client 000 (for some tasks required
to be done within client 000, but with a user different from
users sap* and
ddic). As a username, I usually choose
wartung (or
service in English). Profiles
required are sap_new and
sap_all. For additional safety the
passwords of default users within all clients should be
changed (this includes users sap* and
ddic).Configure Transport System, Profile, Operation Modes, etc.Within client 000, user different from ddic
and sap*, do at least the following:TaskTransactionConfigure Transport System, eg as Stand-Alone
Transport Domain EntitySTMSCreate / Edit Profile for SystemRZ10Maintain Operation Modes and InstancesRZ04These and all the other post-installation steps are
thoroughly described in SAP installation guides.Edit init<sid>.sap (initIDS.sap)The file
/oracle/IDS/dbs/initIDS.sap contains
the SAP backup profile. Here the size of the tape to be
used, type of compression and so on need to be defined. To
get this running with sapdba /
brbackup, I changed the following
values:compress = hardware
archive_function = copy_delete_save
cpio_flags = "-ov --format=newc --block-size=128 --quiet"
cpio_in_flags = "-iuv --block-size=128 --quiet"
tape_size = 38000M
tape_address = /dev/nsa0
tape_address_rew = /dev/sa0Explanations:compress The tape I use is a HP DLT1
which does hardware compression.archive_function This defines the
default behavior for saving Oracle archive logs: New logfiles
are saved to tape, already saved logfiles are saved again and
are then deleted. This prevents lots of trouble if one needs to
recover the database, and one of the archive-tapes has gone
bad.cpio_flags Default is to use -B which
sets blocksize to 5120 Bytes. For DLT-Tapes, HP recommends at
least 32K blocksize, so I used --block-size=128 for
64K. --format=newc is needed I have inode numbers greater than
65535. The last option --quiet is needed as otherwise
brbackup
complains as soon as cpio outputs the
numbers of blocks saved.cpio_in_flags Flags needed for
loading data back from tape. Format is recognized
automagically.tape_size This usually gives the raw
storage capability of the tape. For security reason (we use
hardware compression), thevalue is slightly lower than the
actual value.tape_address The non-rewindable
device to be used with cpio.tape_address_rew The rewindable device to be
used with cpio.Problems during installationOSUSERSIDADM_IND_ORA during R3SETUPIf R3SETUP complains at this stage, edit file
CENTRDB.R3S. Locate [OSUSERSIDADM_IND_ORA] and edit the
following values:HOME=/home/idsadm (was empty)
STATUS=OK (had status ERROR)
Then you can restart R3SETUP with:&prompt.root; ./R3SETUP -f CENTRDB.R3SOSUSERDBSID_IND_ORA during R3SETUPPossibly R3SETUP also complains at this stage. Just edit
CENTRDB.R3S. Locate [OSUSERDBSID_IND_ORA] and edit the
following value in that section:STATUS=OKThen just restart R3SETUP again:&prompt.root; ./R3SETUP -f CENTRDB.R3Soraview.vrf FILE NOT FOUND during Oracle installationYou haven't deselected Oracle On-Line Text Viewer
before starting the installation. This is marked for installation even
though this option is currently not available for Linux. Deselect this
product inside the Oracle installation menu and restart installation.TEXTENV_INVALID during R3SETUP, RFC or SAPGUI startIf this error is encountered, the correct locale is
missing. SAP note 0171356 lists the necessary RPMs that need
be installed (eg saplocales-1.0-3,
saposcheck-1.0-1 for RedHat 6.1). In case
you ignored all the related errors and set the corresponding
status from ERROR to OK (in CENTRDB.R3S) every time R3SETUP
complained and just restarted R3SETUP, the SAP-System will not
be properly configured and you will then not be able to
connect to the system with a
sapgui, even though the system
can be started. Trying to connect with the old Linux
sapgui gave the following
messages:Sat May 5 14:23:14 2001
*** ERROR => no valid userarea given [trgmsgo. 0401]
Sat May 5 14:23:22 2001
*** ERROR => ERROR NR 24 occured [trgmsgi. 0410]
*** ERROR => Error when generating text environment. [trgmsgi. 0435]
*** ERROR => function failed [trgmsgi. 0447]
*** ERROR => no socket operation allowed [trxio.c 3363]
SpeicherzugriffsfehlerThis behavior is due to SAP R/3 being unable to
correctly assign a locale and also not being properly
configured itself (missing entries in some database
tables). To be able to connect to SAP, add the following
entries to file DEFAULT.PFL (see note 0043288):abap/set_etct_env_at_new_mode =0
install/collate/active =0
rscp/TCP0B =TCP0B
Restart the SAP system. Now one can connect to the
system, even though country-specific language settings might
not work as expected. After correcting country-settings
(and providing the correct locales), these entries can be
removed from DEFAULT.PFL and the SAP system can be
restarted.ORA-12546. Start Listener with correct permissionsStart the Oracle Listener as user
oraids with the following commands:&prompt.root; umask 0; lsnrctl startOtherwise one might get ORA-12546 as the sockets won't
have the correct permissions. See SAP note 0072984.[DIPGNTAB_IND_IND] during R3SETUPIn general, see SAP note 0130581 (R3SETUP step
DIPGNTAB
terminates). During this specific installation, for some
reasons the installation process was not using the proper
SAP system name "IDS", but the empty string "" instead. This
lead to some minor problems with accessing directories, as
the paths are generated dynamically using <sid> (in
this case IDS). So instead of accessing:/usr/sap/IDS/SYS/...
/usr/sap/IDS/DVMGS00the following path were used:/usr/sap//SYS/...
/usr/sap/D00iTo continue with the installation, I created a link and an
additional directory:&prompt.root; pwd
/compat/linux/usr/sap
&prompt.root; ls -l
total 4
drwxr-xr-x 3 idsadm sapsys 512 May 5 11:20 D00
drwxr-x--x 5 idsadm sapsys 512 May 5 11:35 IDS
lrwxr-xr-x 1 root sapsys 7 May 5 11:35 SYS -> IDS/SYS
drwxrwxr-x 2 idsadm sapsys 512 May 5 13:00 tmp
drwxrwxr-x 11 idsadm sapsys 512 May 4 14:20 trans I also found SAP notes (0029227 and 0008401) describing
this behavior.[RFCRSWBOINI_IND_IND] during R3SETUPSet STATUS of the offending step from ERROR to OK (file
CENTRDB.R3S) and restart R3SETUP. After
installation, you have to execute the report
RSWBOINS from transaction SE38. See SAP
note 0162266 for additional information about phase
RFCRSWBOINI and
RFCRADDBDIF.[RFCRADDBDIF_IND_IND] during R3SETUPSet STATUS of the offending step from ERROR to OK (file
CENTRDB.R3S) and restart R3SETUP. After
installation, you have to execute the report
RADDBDIF from transaction SE38.
See SAP note 0162266 for further information.Advanced TopicsIf you are curious as to how the Linux binary compatibility
works, this is the section you want to read. Most of what follows
is based heavily on an email written to &a.chat; by Terry Lambert
tlambert@primenet.com (Message ID:
<199906020108.SAA07001@usr09.primenet.com>).How Does It Work?execution class loaderFreeBSD has an abstraction called an execution class
loader. This is a wedge into the &man.execve.2; system
call.What happens is that FreeBSD has a list of loaders, instead of
a single loader with a fallback to the #!
loader for running any shell interpreters or shell scripts.Historically, the only loader on the Unix platform examined
the magic number (generally the first 4 or 8 bytes of the file) to
see if it was a binary known to the system, and if so, invoked the
binary loader.If it was not the binary type for the system, the
&man.execve.2; call returned a failure, and the shell attempted to
start executing it as shell commands.The assumption was a default of whatever the current
shell is.Later, a hack was made for &man.sh.1; to examine the first two
characters, and if they were :\n, then it
invoked the &man.csh.1; shell instead (we believe SCO first made
this hack).What FreeBSD does now is go through a list of loaders, with a
generic #! loader that knows about interpreters
as the characters which follow to the next whitespace next to
last, followed by a fallback to
/bin/sh.ELFFor the Linux ABI support, FreeBSD sees the magic number as an
ELF binary (it makes no distinction between FreeBSD, Solaris,
Linux, or any other OS which has an ELF image type, at this
point).SolarisThe ELF loader looks for a specialized
brand, which is a comment section in the ELF
image, and which is not present on SVR4/Solaris ELF
binaries.For Linux binaries to function, they must be
branded as type Linux;
from &man.brandelf.1;:&prompt.root; brandelf -t Linux fileWhen this is done, the ELF loader will see the
Linux brand on the file.ELFbrandingWhen the ELF loader sees the Linux brand,
the loader replaces a pointer in the proc
structure. All system calls are indexed through this pointer (in
a traditional Unix system, this would be the
sysent[] structure array, containing the system
calls). In addition, the process flagged for special handling of
the trap vector for the signal trampoline code, and sever other
(minor) fix-ups that are handled by the Linux kernel
module.The Linux system call vector contains, among other things, a
list of sysent[] entries whose addresses reside
in the kernel module.When a system call is called by the Linux binary, the trap
code dereferences the system call function pointer off the
proc structure, and gets the Linux, not the
FreeBSD, system call entry points.In addition, the Linux mode dynamically
reroots lookups; this is, in effect, what the
union option to FS mounts
(not the unionfs!) does. First, an attempt
is made to lookup the file in the
/compat/linux/original-path
directory, then only if that fails, the
lookup is done in the
/original-path
directory. This makes sure that binaries that require other
binaries can run (e.g., the Linux toolchain can all run under
Linux ABI support). It also means that the Linux binaries can
load and exec FreeBSD binaries, if there are no corresponding
Linux binaries present, and that you could place a &man.uname.1;
command in the /compat/linux directory tree
to ensure that the Linux binaries could not tell they were not
running on Linux.In effect, there is a Linux kernel in the FreeBSD kernel; the
various underlying functions that implement all of the services
provided by the kernel are identical to both the FreeBSD system
call table entries, and the Linux system call table entries: file
system operations, virtual memory operations, signal delivery,
System V IPC, etc… The only difference is that FreeBSD
binaries get the FreeBSD glue functions, and
Linux binaries get the Linux glue functions
(most older OS's only had their own glue
functions: addresses of functions in a static global
sysent[] structure array, instead of addresses
of functions dereferenced off a dynamically initialized pointer in
the proc structure of the process making the
call).Which one is the native FreeBSD ABI? It does not matter.
Basically the only difference is that (currently; this could
easily be changed in a future release, and probably will be after
this) the FreeBSD glue functions are
statically linked into the kernel, and the Linux glue functions
can be statically linked, or they can be accessed via a kernel
module.Yeah, but is this really emulation? No. It is an ABI
implementation, not an emulation. There is no emulator (or
simulator, to cut off the next question) involved.So why is it sometimes called Linux emulation?
- To make it hard to sell FreeBSD! 8-). Really, it
+ To make it hard to sell FreeBSD! Really, it
is because the historical implementation was done at a time when
there was really no word other than that to describe what was
going on; saying that FreeBSD ran Linux binaries was not true, if
you did not compile the code in or load a module, and there needed
to be a word to describe what was being loaded—hence
the Linux emulator.
diff --git a/en_US.ISO8859-1/books/handbook/mirrors/chapter.sgml b/en_US.ISO8859-1/books/handbook/mirrors/chapter.sgml
index 023e454d4d..c3aafb299e 100644
--- a/en_US.ISO8859-1/books/handbook/mirrors/chapter.sgml
+++ b/en_US.ISO8859-1/books/handbook/mirrors/chapter.sgml
@@ -1,3871 +1,3870 @@
Obtaining FreeBSDCDROM PublishersFreeBSD is available on CDROM from several retailers:Daemon News2680 Bayshore Parkway, Suite 307Mountain View, CA94043USA
Phone: +1 650 694-4949
Email: sales@daemonnews.org
WWW: http://www.bsdmall.com/Wind River Systems4041 Pike Lane, Suite FConcord, CA94520USA
Phone: +1 925 691-2800
Fax: +1 925 674-0821
Email: info@osd.bsdi.com
WWW: http://www.freebsdmall.com/If you are a reseller and want to carry FreeBSD CDROM products,
please contact
the relevant department at Wind River Systems or:
Cylogistics2680 Bayshore Parkway, Suite 307Mountain View, CA94043USA
Phone: +1 650 694-4949
Fax: +1 650 694-4953
Email: sales@cylogistics.com
WWW: http://www.cylogistics.com/DVD PublishersFreeBSD is available on DVD from:FreeBSD Services Ltd11 Lapwing CloseBicesterOX26 6XRUnited Kingdom
WWW: http://www.freebsd-services.com/FTP SitesThe official sources for FreeBSD are available via anonymous FTP
from:
ftp://ftp.FreeBSD.org/pub/FreeBSD/.
The FreeBSD mirror
sites database is more accurate than the mirror listing in the
handbook, as it gets its information from the DNS rather than relying on
static lists of hosts.Additionally, FreeBSD is available via anonymous FTP from the
following mirror sites. If you choose to obtain FreeBSD via anonymous
FTP, please try to use a site near you.Argentina,
Australia,
Brazil,
Canada,
China,
Czech Republic,
Denmark,
Estonia,
Finland,
France,
Germany,
Hong Kong,
Hungary,
Ireland,
Israel,
Japan,
Korea,
Lithuania,
Netherlands,
New Zealand,
Poland,
Portugal,
Russia,
Saudi Arabia,
South Africa,
Spain,
Slovak Republic,
Slovenia,
Sweden,
Taiwan,
Thailand,
UK,
Ukraine,
USA.ArgentinaIn case of problems, please contact the hostmaster
hostmaster@ar.FreeBSD.org for this domain.ftp://ftp.ar.FreeBSD.org/pub/FreeBSD/AustraliaIn case of problems, please contact the hostmaster
hostmaster@au.FreeBSD.org for this domain.ftp://ftp.au.FreeBSD.org/pub/FreeBSD/ftp://ftp2.au.FreeBSD.org/pub/FreeBSD/ftp://ftp3.au.FreeBSD.org/pub/FreeBSD/ftp://ftp4.au.FreeBSD.org/pub/FreeBSD/BrazilIn case of problems, please contact the hostmaster
hostmaster@br.FreeBSD.org for this domain.ftp://ftp.br.FreeBSD.org/pub/FreeBSD/ftp://ftp2.br.FreeBSD.org/pub/FreeBSD/ftp://ftp3.br.FreeBSD.org/pub/FreeBSD/ftp://ftp4.br.FreeBSD.org/pub/FreeBSD/ftp://ftp5.br.FreeBSD.org/pub/FreeBSD/ftp://ftp6.br.FreeBSD.org/pub/FreeBSD/ftp://ftp7.br.FreeBSD.org/pub/FreeBSD/CanadaIn case of problems, please contact the hostmaster
hostmaster@ca.FreeBSD.org for this domain.ftp://ftp.ca.FreeBSD.org/pub/FreeBSD/ChinaIn case of problems, please contact the hostmaster
phj@cn.FreeBSD.org for this domain.ftp://ftp.cn.FreeBSD.org/pub/FreeBSD/Czech RepublicIn case of problems, please contact the hostmaster
hostmaster@cz.FreeBSD.org for this domain.ftp://ftp.cz.FreeBSD.org/pub/FreeBSD/ Contact: calda@dzungle.ms.mff.cuni.czDenmarkIn case of problems, please contact the hostmaster
hostmaster@dk.FreeBSD.org for this domain.ftp://ftp.dk.FreeBSD.org/pub/FreeBSD/ftp://ftp2.dk.FreeBSD.org/pub/FreeBSD/ftp://ftp3.dk.FreeBSD.org/pub/FreeBSD/EstoniaIn case of problems, please contact the hostmaster
hostmaster@ee.FreeBSD.org for this domain.ftp://ftp.ee.FreeBSD.org/pub/FreeBSD/FinlandIn case of problems, please contact the hostmaster
hostmaster@fi.FreeBSD.org for this domain.ftp://ftp.fi.FreeBSD.org/pub/FreeBSD/FranceIn case of problems, please contact the hostmaster
hostmaster@fr.FreeBSD.org for this domain.ftp://ftp.fr.FreeBSD.org/pub/FreeBSD/ftp://ftp2.fr.FreeBSD.org/pub/FreeBSD/ftp://ftp3.fr.FreeBSD.org/pub/FreeBSD/ftp://ftp4.fr.FreeBSD.org/pub/FreeBSD/ftp://ftp5.fr.FreeBSD.org/pub/FreeBSD/ftp://ftp6.fr.FreeBSD.org/pub/FreeBSD/GermanyIn case of problems, please contact the mirror admins
de-bsd-hubs@de.FreeBSD.org for this domain.ftp://ftp.de.FreeBSD.org/pub/FreeBSD/ftp://ftp2.de.FreeBSD.org/pub/FreeBSD/ftp://ftp3.de.FreeBSD.org/pub/FreeBSD/ftp://ftp4.de.FreeBSD.org/pub/FreeBSD/ftp://ftp5.de.FreeBSD.org/pub/FreeBSD/ftp://ftp6.de.FreeBSD.org/pub/FreeBSD/ftp://ftp7.de.FreeBSD.org/pub/FreeBSD/Hong Kongftp://ftp.hk.super.net/pub/FreeBSD/ Contact: ftp-admin@HK.Super.NET.HungaryIn case of problems, please contact the hostmaster
mohacsi@ik.bme.hu for this domain.ftp://ftp.hu.FreeBSD.org/pub/FreeBSD/IrelandIn case of problems, please contact the hostmaster
hostmaster@ie.FreeBSD.org for this domain.ftp://ftp.ie.FreeBSD.org/pub/FreeBSD/IsraelIn case of problems, please contact the hostmaster
hostmaster@il.FreeBSD.org for this domain.ftp://ftp.il.FreeBSD.org/pub/FreeBSD/ftp://ftp2.il.FreeBSD.org/pub/FreeBSD/JapanIn case of problems, please contact the hostmaster
hostmaster@jp.FreeBSD.org for this domain.ftp://ftp.jp.FreeBSD.org/pub/FreeBSD/ftp://ftp2.jp.FreeBSD.org/pub/FreeBSD/ftp://ftp3.jp.FreeBSD.org/pub/FreeBSD/ftp://ftp4.jp.FreeBSD.org/pub/FreeBSD/ftp://ftp5.jp.FreeBSD.org/pub/FreeBSD/ftp://ftp6.jp.FreeBSD.org/pub/FreeBSD/KoreaIn case of problems, please contact the hostmaster
hostmaster@kr.FreeBSD.org for this domain.ftp://ftp.kr.FreeBSD.org/pub/FreeBSD/ftp://ftp2.kr.FreeBSD.org/pub/FreeBSD/ftp://ftp3.kr.FreeBSD.org/pub/FreeBSD/ftp://ftp4.kr.FreeBSD.org/pub/FreeBSD/ftp://ftp5.kr.FreeBSD.org/pub/FreeBSD/ftp://ftp6.kr.FreeBSD.org/pub/FreeBSD/LithuaniaIn case of problems, please contact the hostmaster
hostmaster@lt.FreeBSD.org for this domain.ftp://ftp.lt.FreeBSD.org/pub/FreeBSD/NetherlandsIn case of problems, please contact the hostmaster
hostmaster@nl.FreeBSD.org for this domain.ftp://ftp.nl.FreeBSD.org/pub/FreeBSD/New ZealandIn case of problems, please contact the hostmaster
hostmaster@nz.FreeBSD.org for this domain.ftp://ftp.nz.FreeBSD.org/pub/FreeBSD/PolandIn case of problems, please contact the hostmaster
hostmaster@pl.FreeBSD.org for this domain.ftp://ftp.pl.FreeBSD.org/pub/FreeBSD/PortugalIn case of problems, please contact the hostmaster
hostmaster@pt.FreeBSD.org for this domain.ftp://ftp.pt.FreeBSD.org/pub/FreeBSD/ftp://ftp2.pt.FreeBSD.org/pub/FreeBSD/RomaniaIn case of problems, please contact the hostmaster
hostmaster@ro.FreeBSD.org for this domain.ftp://ftp.ro.FreeBSD.org/pub/FreeBSD/RussiaIn case of problems, please contact the hostmaster
hostmaster@ru.FreeBSD.org for this domain.ftp://ftp.ru.FreeBSD.org/pub/FreeBSD/ftp://ftp2.ru.FreeBSD.org/pub/FreeBSD/ftp://ftp3.ru.FreeBSD.org/pub/FreeBSD/ftp://ftp4.ru.FreeBSD.org/pub/FreeBSD/Saudi ArabiaIn case of problems, please contact
ftpadmin@isu.net.saftp://ftp.isu.net.sa/pub/mirrors/ftp.freebsd.org/South AfricaIn case of problems, please contact the hostmaster
hostmaster@za.FreeBSD.org for this domain.ftp://ftp.za.FreeBSD.org/pub/FreeBSD/ftp://ftp2.za.FreeBSD.org/pub/FreeBSD/ftp://ftp3.za.FreeBSD.org/FreeBSD/Slovak RepublicIn case of problems, please contact the hostmaster
hostmaster@sk.FreeBSD.org for this domain.ftp://ftp.sk.FreeBSD.org/pub/FreeBSD/SloveniaIn case of problems, please contact the hostmaster
hostmaster@si.FreeBSD.org for this domain.ftp://ftp.si.FreeBSD.org/pub/FreeBSD/SpainIn case of problems, please contact the hostmaster
hostmaster@es.FreeBSD.org for this domain.ftp://ftp.es.FreeBSD.org/pub/FreeBSD/SwedenIn case of problems, please contact the hostmaster
hostmaster@se.FreeBSD.org for this domain.ftp://ftp.se.FreeBSD.org/pub/FreeBSD/ftp://ftp2.se.FreeBSD.org/pub/FreeBSD/ftp://ftp3.se.FreeBSD.org/pub/FreeBSD/TaiwanIn case of problems, please contact the hostmaster
hostmaster@tw.FreeBSD.org for this domain.ftp://ftp.tw.FreeBSD.org/pub/FreeBSD/ftp://ftp2.tw.FreeBSD.org/pub/FreeBSD/ftp://ftp3.tw.FreeBSD.org/pub/FreeBSD/ftp://ftp4.tw.FreeBSD.org/pub/FreeBSD/Thailandftp://ftp.nectec.or.th/pub/FreeBSD/ Contact: ftpadmin@ftp.nectec.or.th.Ukraineftp://ftp.ua.FreeBSD.org/pub/FreeBSD/ Contact: freebsd-mnt@lucky.net.UKIn case of problems, please contact the hostmaster
hostmaster@uk.FreeBSD.org for this domain.ftp://ftp.uk.FreeBSD.org/pub/FreeBSD/ftp://ftp2.uk.FreeBSD.org/pub/FreeBSD/ftp://ftp3.uk.FreeBSD.org/pub/FreeBSD/ftp://ftp4.uk.FreeBSD.org/pub/FreeBSD/ftp://ftp5.uk.FreeBSD.org/pub/FreeBSD/USAIn case of problems, please contact the hostmaster
hostmaster@FreeBSD.org for this domain.ftp://ftp2.FreeBSD.org/pub/FreeBSD/ftp://ftp3.FreeBSD.org/pub/FreeBSD/ftp://ftp4.FreeBSD.org/pub/FreeBSD/ftp://ftp5.FreeBSD.org/pub/FreeBSD/ftp://ftp6.FreeBSD.org/pub/FreeBSD/ftp://ftp7.FreeBSD.org/pub/FreeBSD/ftp://ftp8.FreeBSD.org/pub/FreeBSD/ftp://ftp9.FreeBSD.org/pub/os/FreeBSD/ftp://ftp10.FreeBSD.org/pub/FreeBSD/Anonymous CVSIntroductionAnonymous CVS (or, as it is otherwise known,
anoncvs) is a feature provided by the CVS
utilities bundled with FreeBSD for synchronizing with a remote
CVS repository. Among other things, it allows users of FreeBSD
to perform, with no special privileges, read-only CVS operations
against one of the FreeBSD project's official anoncvs servers.
To use it, one simply sets the CVSROOT
environment variable to point at the appropriate anoncvs server,
provides the well-known password anoncvs with the
cvs login command, and then uses the
&man.cvs.1; command to access it like any local
repository.While it can also be said that the CVSup and anoncvs
services both perform essentially the same function, there are
various trade-offs which can influence the user's choice of
synchronization methods. In a nutshell,
CVSup is much more efficient in its
usage of network resources and is by far the most technically
sophisticated of the two, but at a price. To use
CVSup, a special client must first be
installed and configured before any bits can be grabbed, and
then only in the fairly large chunks which
CVSup calls
collections.Anoncvs, by contrast, can be used
to examine anything from an individual file to a specific
program (like ls or grep)
by referencing the CVS module name. Of course,
anoncvs is also only good for
read-only operations on the CVS repository, so if it's your
intention to support local development in one repository shared
with the FreeBSD project bits then
CVSup is really your only
option.Using Anonymous CVSConfiguring &man.cvs.1; to use an Anonymous CVS repository
is a simple matter of setting the CVSROOT
environment variable to point to one of the FreeBSD project's
anoncvs servers. At the time of this
writing, the following servers are available:USA:
:pserver:anoncvs@anoncvs.FreeBSD.org:/home/ncvs
(Use cvs login and enter the password
anoncvs when prompted.)Since CVS allows one to check out virtually
any version of the FreeBSD sources that ever existed (or, in
- some cases, will exist :-), you need to be
+ some cases, will exist, you need to be
familiar with the revision () flag to
&man.cvs.1; and what some of the permissible values for it in
the FreeBSD Project repository are.There are two kinds of tags, revision tags and branch tags.
A revision tag refers to a specific revision. Its meaning stays
the same from day to day. A branch tag, on the other hand,
refers to the latest revision on a given line of development, at
any given time. Because a branch tag does not refer to a
specific revision, it may mean something different tomorrow than
it means today.Here are the branch tags that users might be interested
in (keep in mind that the only tags valid for the ports collection is
HEAD).HEADSymbolic name for the main line, or FreeBSD-CURRENT.
Also the default when no revision is specified.RELENG_4The line of development for FreeBSD-4.X, also known
as FreeBSD-STABLE.RELENG_4_3The release branch for FreeBSD-4.3, used only
for security advisories and other seriously critical fixes.RELENG_3The line of development for FreeBSD-3.X, also known
as 3.X-STABLE.RELENG_2_2The line of development for FreeBSD-2.2.X, also known
as 2.2-STABLE. This branch is mostly obsolete.Here are the revision tags that users might be interested
in. Again, none of these are valid for the ports collection
since the ports collection does not have multiple
revisions.RELENG_4_3_0_RELEASEFreeBSD 4.3.RELENG_4_2_0_RELEASEFreeBSD 4.2.RELENG_4_1_1_RELEASEFreeBSD 4.1.1.RELENG_4_1_0_RELEASEFreeBSD 4.1.RELENG_4_0_0_RELEASEFreeBSD 4.0.RELENG_3_5_0_RELEASEFreeBSD-3.5.RELENG_3_4_0_RELEASEFreeBSD-3.4.RELENG_3_3_0_RELEASEFreeBSD-3.3.RELENG_3_2_0_RELEASEFreeBSD-3.2.RELENG_3_1_0_RELEASEFreeBSD-3.1.RELENG_3_0_0_RELEASEFreeBSD-3.0.RELENG_2_2_8_RELEASEFreeBSD-2.2.8.RELENG_2_2_7_RELEASEFreeBSD-2.2.7.RELENG_2_2_6_RELEASEFreeBSD-2.2.6.RELENG_2_2_5_RELEASEFreeBSD-2.2.5.RELENG_2_2_2_RELEASEFreeBSD-2.2.2.RELENG_2_2_1_RELEASEFreeBSD-2.2.1.RELENG_2_2_0_RELEASEFreeBSD-2.2.0.When you specify a branch tag, you normally receive the
latest versions of the files on that line of development. If
you wish to receive some past version, you can do so by
specifying a date with the flag.
See the &man.cvs.1; man page for more details.ExamplesWhile it really is recommended that you read the manual page
for &man.cvs.1; thoroughly before doing anything, here are some
quick examples which essentially show how to use Anonymous
CVS:Checking out something from -CURRENT (&man.ls.1;) and
deleting it again:&prompt.user; setenv CVSROOT :pserver:anoncvs@anoncvs.FreeBSD.org:/home/ncvs
&prompt.user; cvs loginAt the prompt, enter the passwordanoncvs.
&prompt.user; cvs co ls
&prompt.user; cvs release -d ls
&prompt.user; cvs logoutChecking out the version of &man.ls.1; in the 3.X-STABLE
branch:&prompt.user; setenv CVSROOT :pserver:anoncvs@anoncvs.FreeBSD.org:/home/ncvs
&prompt.user; cvs loginAt the prompt, enter the passwordanoncvs.
&prompt.user; cvs co -rRELENG_3 ls
&prompt.user; cvs release -d ls
&prompt.user; cvs logoutCreating a list of changes (as unified diffs) to &man.ls.1;&prompt.user; setenv CVSROOT :pserver:anoncvs@anoncvs.FreeBSD.org:/home/ncvs
&prompt.user; cvs loginAt the prompt, enter the passwordanoncvs.
&prompt.user; cvs rdiff -u -rRELENG_3_0_0_RELEASE -rRELENG_3_4_0_RELEASE ls
&prompt.user; cvs logoutFinding out what other module names can be used:&prompt.user; setenv CVSROOT :pserver:anoncvs@anoncvs.FreeBSD.org:/home/ncvs
&prompt.user; cvs loginAt the prompt, enter the passwordanoncvs.
&prompt.user; cvs co modules
&prompt.user; more modules/modules
&prompt.user; cvs release -d modules
&prompt.user; cvs logoutOther ResourcesThe following additional resources may be helpful in learning
CVS:CVS Tutorial from Cal Poly.Cyclic Software,
commercial maintainers of CVS.CVSWeb is
the FreeBSD Project web interface for CVS.Using CTMCTM is a method for keeping a
remote directory tree in sync with a central one. It has been
developed for usage with FreeBSD's source trees, though other
people may find it useful for other purposes as time goes by.
Little, if any, documentation currently exists at this time on the
process of creating deltas, so talk to &a.phk; for more
information should you wish to use CTM
for other things.Why should I use CTM?CTM will give you a local copy of
the FreeBSD source trees. There are a number of
“flavors” of the tree available. Whether you wish
to track the entire CVS tree or just one of the branches,
CTM can provide you the information.
If you are an active developer on FreeBSD, but have lousy or
non-existent TCP/IP connectivity, or simply wish to have the
changes automatically sent to you,
CTM was made for you. You will need
to obtain up to three deltas per day for the most active
branches. However, you should consider having them sent by
automatic email. The sizes of the updates are always kept as
small as possible. This is typically less than 5K, with an
occasional (one in ten) being 10-50K and every now and then a
large 100K+ or more coming around.You will also need to make yourself aware of the various
caveats related to working directly from the development sources
rather than a pre-packaged release. This is particularly true
if you choose the “current” sources. It is
recommended that you read Staying
current with FreeBSD.What do I need to use
CTM?You will need two things: The CTM
program, and the initial deltas to feed it (to get up to
“current” levels).The CTM program has been part of
FreeBSD ever since version 2.0 was released, and lives in
/usr/src/usr.sbin/CTM if you have a copy
of the source available.If you are running a pre-2.0 version of FreeBSD, you can
fetch the current CTM sources
directly from:ftp://ftp.FreeBSD.org/pub/FreeBSD/FreeBSD-current/src/usr.sbin/ctm/The “deltas” you feed
CTM can be had two ways, FTP or
email. If you have general FTP access to the Internet then the
following FTP sites support access to
CTM:ftp://ftp.FreeBSD.org/pub/FreeBSD/CTM/or see section mirrors.FTP the relevant directory and fetch the
README file, starting from there.If you wish to get your deltas via email:Send email to &a.majordomo; to subscribe to one of the
CTM distribution lists.
“ctm-cvs-cur” supports the entire CVS tree.
“ctm-src-cur” supports the head of the development
branch. “ctm-src-2_2” supports the 2.2 release
branch, etc.. (If you do not know how to subscribe yourself
using majordomo, send a message first containing the word
help — it will send you back usage
instructions.)When you begin receiving your CTM
updates in the mail, you may use the
ctm_rmail program to unpack and apply them.
You can actually use the ctm_rmail program
directly from a entry in /etc/aliases if
you want to have the process run in a fully automated fashion.
Check the ctm_rmail man page for more
details.No matter what method you use to get the
CTM deltas, you should subscribe to
the ctm-announce@FreeBSD.org mailing list. In
the future, this will be the only place where announcements
concerning the operations of the
CTM system will be posted. Send an
email to &a.majordomo; with a single line of
subscribe ctm-announce to get added to the
list.Using CTM for the first
timeBefore you can start using CTM
deltas, you will need to get to a starting point for the deltas
produced subsequently to it.First you should determine what you already have. Everyone
can start from an “empty” directory. You must use
an initial “Empty” delta to start off your
CTM supported tree. At some point it
is intended that one of these “started” deltas be
distributed on the CD for your convenience, however, this does
not currently happen.Since the trees are many tens of megabytes, you should
prefer to start from something already at hand. If you have a
-RELEASE CD, you can copy or extract an initial source from it.
This will save a significant transfer of data.You can recognize these “starter” deltas by the
X appended to the number
(src-cur.3210XEmpty.gz for instance). The
designation following the X corresponds to
the origin of your initial “seed”.
Empty is an empty directory. As a rule a
base transition from Empty is produced
every 100 deltas. By the way, they are large! 25 to 30
Megabytes of gzip'd data is common for the
XEmpty deltas.Once you've picked a base delta to start from, you will also
need all deltas with higher numbers following it.Using CTM in your daily
lifeTo apply the deltas, simply say:&prompt.root; cd /where/ever/you/want/the/stuff
&prompt.root; ctm -v -v /where/you/store/your/deltas/src-xxx.*CTM understands deltas which have
been put through gzip, so you do not need to
gunzip them first, this saves disk space.Unless it feels very secure about the entire process,
CTM will not touch your tree. To
verify a delta you can also use the flag and
CTM will not actually touch your
tree; it will merely verify the integrity of the delta and see
if it would apply cleanly to your current tree.There are other options to CTM
as well, see the manual pages or look in the sources for more
information.That is really all there is to it. Every time you get a new
delta, just run it through CTM to
keep your sources up to date.Do not remove the deltas if they are hard to download again.
You just might want to keep them around in case something bad
happens. Even if you only have floppy disks, consider using
fdwrite to make a copy.Keeping your local changesAs a developer one would like to experiment with and change
files in the source tree. CTM
supports local modifications in a limited way: before checking
for the presence of a file foo, it first
looks for foo.ctm. If this file exists,
CTM will operate on it instead of
foo.This behavior gives us a simple way to maintain local
changes: simply copy the files you plan to modify to the
corresponding file names with a .ctm
suffix. Then you can freely hack the code, while CTM keeps the
.ctm file up-to-date.Other interesting CTM optionsFinding out exactly what would be touched by an
updateYou can determine the list of changes that
CTM will make on your source
repository using the option to
CTM.This is useful if you would like to keep logs of the
changes, pre- or post- process the modified files in any
- manner, or just are feeling a tad paranoid
- :-).
+ manner, or just are feeling a tad paranoid.
Making backups before updatingSometimes you may want to backup all the files that would
be changed by a CTM update.Specifying the option
causes CTM to backup all files that
would be touched by a given CTM
delta to backup-file.Restricting the files touched by an updateSometimes you would be interested in restricting the scope
of a given CTM update, or may be
interested in extracting just a few files from a sequence of
deltas.You can control the list of files that
CTM would operate on by specifying
filtering regular expressions using the
and options.For example, to extract an up-to-date copy of
lib/libc/Makefile from your collection of
saved CTM deltas, run the commands:&prompt.root; cd /where/ever/you/want/to/extract/it/
&prompt.root; ctm -e '^lib/libc/Makefile' ~ctm/src-xxx.*For every file specified in a
CTM delta, the
and options are applied in the order given
on the command line. The file is processed by
CTM only if it is marked as
eligible after all the and
options are applied to it.Future plans for CTMTons of them:Use some kind of authentication into the CTM system, so
as to allow detection of spoofed CTM updates.Clean up the options to CTM,
they became confusing and counter intuitive.Miscellaneous stuffThere is a sequence of deltas for the
ports collection too, but interest has not
been all that high yet. Tell me if you want an email list for
that too and we will consider setting it up.CTM mirrorsCTM/FreeBSD is available via anonymous
FTP from the following mirror sites. If you choose to obtain CTM via
anonymous FTP, please try to use a site near you.In case of problems, please contact &a.phk;.California, Bay Area, official sourceftp://ftp.FreeBSD.org/pub/FreeBSD/development/CTM/Germany, Trierftp://ftp.uni-trier.de/pub/unix/systems/BSD/FreeBSD/CTM/South Africa, backup server for old deltasftp://ftp.za.FreeBSD.org/pub/FreeBSD/CTM/Taiwan/R.O.C, Chiayiftp://ctm.tw.FreeBSD.org/pub/FreeBSD/CTM/ftp://ctm2.tw.FreeBSD.org/pub/FreeBSD/CTM/ftp://ctm3.tw.FreeBSD.org/pub/freebsd/CTM/If you did not find a mirror near to you or the mirror is
incomplete, try FTP
search at http://ftpsearch.ntnu.no/ftpsearch.
FTP search is a great free archie server in Trondheim, Norway.Using CVSupIntroductionCVSup is a software package for
distributing and updating source trees from a master CVS
repository on a remote server host. The FreeBSD sources are
maintained in a CVS repository on a central development machine
in California. With CVSup, FreeBSD
users can easily keep their own source trees up to date.CVSup uses the so-called
pull model of updating. Under the pull
model, each client asks the server for updates, if and when they
are wanted. The server waits passively for update requests from
its clients. Thus all updates are instigated by the client.
The server never sends unsolicited updates. Users must either
run the CVSup client manually to get
an update, or they must set up a cron job to
run it automatically on a regular basis.The term CVSup, capitalized just
so, refers to the entire software package. Its main components
are the client cvsup which runs on each
user's machine, and the server cvsupd which
runs at each of the FreeBSD mirror sites.As you read the FreeBSD documentation and mailing lists, you
may see references to sup.
Sup was the predecessor of
CVSup, and it served a similar
purpose.CVSup is in used in much the
same way as sup and, in fact, uses configuration files which are
backward-compatible with sup's.
Sup is no longer used in the FreeBSD
project, because CVSup is both faster
and more flexible.InstallationThe easiest way to install CVSup
is to use the precompiled net/cvsup package
from the FreeBSD packages collection.
If you prefer to build CVSup from
source, you can use the net/cvsup
port instead. But be forewarned: the
net/cvsup port depends on the Modula-3
system, which takes a substantial amount of time and
disk space to download and build.If you do not know anything about
CVSup at all and want a
single package which will install it, set up the configuration
file and start the transfer via a pointy-clicky type of
interface, then get the cvsupit
package. Just hand it to &man.pkg.add.1; and it will lead you
through the configuration process in a menu-oriented
fashion.CVSup ConfigurationCVSup's operation is controlled
by a configuration file called the supfile.
There are some sample supfiles in the
directory /usr/share/examples/cvsup/.The information in a supfile answers
the following questions for cvsup:Which files do you
want to receive?Which versions of them
do you want?Where do you want to
get them from?Where do you want to
put them on your own machine?Where do you want to
put your status files?In the following sections, we will construct a typical
supfile by answering each of these
questions in turn. First, we describe the overall structure of
a supfile.A supfile is a text file. Comments
begin with # and extend to the end of the
line. Lines that are blank and lines that contain only
comments are ignored.Each remaining line describes a set of files that the user
wishes to receive. The line begins with the name of a
collection, a logical grouping of files defined by
the server. The name of the collection tells the server which
files you want. After the collection name come zero or more
fields, separated by white space. These fields answer the
questions listed above. There are two types of fields: flag
fields and value fields. A flag field consists of a keyword
standing alone, e.g., delete or
compress. A value field also begins with a
keyword, but the keyword is followed without intervening white
space by = and a second word. For example,
release=cvs is a value field.A supfile typically specifies more than
one collection to receive. One way to structure a
supfile is to specify all of the relevant
fields explicitly for each collection. However, that tends to
make the supfile lines quite long, and it
is inconvenient because most fields are the same for all of the
collections in a supfile.
CVSup provides a defaulting mechanism
to avoid these problems. Lines beginning with the special
pseudo-collection name *default can be used
to set flags and values which will be used as defaults for the
subsequent collections in the supfile. A
default value can be overridden for an individual collection, by
specifying a different value with the collection itself.
Defaults can also be changed or augmented in mid-supfile by
additional *default lines.With this background, we will now proceed to construct a
supfile for receiving and updating the main
source tree of FreeBSD-CURRENT.Which files do you want
to receive?The files available via CVSup
are organized into named groups called
collections. The collections that are
available are described here. In this example, we
wish to receive the entire main source tree for the FreeBSD
system. There is a single large collection
src-all which will give us all of that.
As a first step toward constructing our
supfile, we
simply list the collections, one per line (in this case,
only one line):src-allWhich version(s) of them
do you want?With CVSup, you can receive
virtually any version of the sources that ever existed.
That is possible because the
cvsupd server works directly from
the CVS repository, which contains all of the versions. You
specify which one of them you want using the
tag= and value
fields.Be very careful to specify any tag=
fields correctly. Some tags are valid only for certain
collections of files. If you specify an incorrect or
misspelled tag, CVSup
will delete files which you probably
do not want deleted. In particular, use only
tag=. for the
ports-* collections.The tag= field names a symbolic tag
in the repository. There are two kinds of tags, revision
tags and branch tags. A revision tag refers to a specific
revision. Its meaning stays the same from day to day. A
branch tag, on the other hand, refers to the latest revision
on a given line of development, at any given time. Because
a branch tag does not refer to a specific revision, it may
mean something different tomorrow than it means
today.Here are the branch tags that users might be interested
in. Keep in mind that only the tag=. is
relevant for the ports collection.tag=.The main line of development, also known as
FreeBSD-CURRENT.The . is not punctuation; it
is the name of the tag. Valid for all
collections.tag=RELENG_4The line of development for FreeBSD-4.X, also known as
FreeBSD-STABLE.tag=RELENG_3The line of development for FreeBSD-3.Xtag=RELENG_2_2The line of development for FreeBSD-2.2.X, also
known as 2.2-STABLE.Here are the revision tags that users might be interested
in. Again, these are not valid for the ports
collection.tag=RELENG_4_2_0_RELEASEFreeBSD-4.2.tag=RELENG_4_1_1_RELEASEFreeBSD-4.1.1.tag=RELENG_4_1_0_RELEASEFreeBSD-4.1.tag=RELENG_4_0_0_RELEASEFreeBSD-4.0.tag=RELENG_3_5_0_RELEASEFreeBSD-3.5.tag=RELENG_3_4_0_RELEASEFreeBSD-3.4.tag=RELENG_3_3_0_RELEASEFreeBSD-3.3.tag=RELENG_3_2_0_RELEASEFreeBSD-3.2.tag=RELENG_3_1_0_RELEASEFreeBSD-3.1.tag=RELENG_3_0_0_RELEASEFreeBSD-3.0.tag=RELENG_2_2_8_RELEASEFreeBSD-2.2.8.tag=RELENG_2_2_7_RELEASEFreeBSD-2.2.7.tag=RELENG_2_2_6_RELEASEFreeBSD-2.2.6.tag=RELENG_2_2_5_RELEASEFreeBSD-2.2.5.tag=RELENG_2_2_2_RELEASEFreeBSD-2.2.2.tag=RELENG_2_2_1_RELEASEFreeBSD-2.2.1.tag=RELENG_2_2_0_RELEASEFreeBSD-2.2.0.Be very careful to type the tag name exactly as shown.
CVSup cannot distinguish
between valid and invalid tags. If you misspell the tag,
CVSup will behave as though you
had specified a valid tag which happens to refer to no
files at all. It will delete your existing sources in
that case.When you specify a branch tag, you normally receive the
latest versions of the files on that line of development.
If you wish to receive some past version, you can do so by
specifying a date with the value
field. The &man.cvsup.1; manual page explains how to do
that.For our example, we wish to receive FreeBSD-CURRENT. We
add this line at the beginning of our
supfile:*default tag=.There is an important special case that comes into play
if you specify neither a tag= field nor a
date= field. In that case, you receive
the actual RCS files directly from the server's CVS
repository, rather than receiving a particular version.
Developers generally prefer this mode of operation. By
maintaining a copy of the repository itself on their
systems, they gain the ability to browse the revision
histories and examine past versions of files. This gain is
achieved at a large cost in terms of disk space,
however.Where do you want to get
them from?We use the host= field to tell
cvsup where to obtain its updates. Any
of the CVSup mirror
sites will do, though you should try to select one
that is close to you in cyberspace. In this example we will
use a fictional FreeBSD distribution site,
cvsup666.FreeBSD.org:*default host=cvsup666.FreeBSD.orgYou will need to change the host to one that actually
exists before running CVSup.
On any particular run of
cvsup, you can override the host setting
on the command line, with .Where do you want to put
them on your own machine?The prefix= field tells
cvsup where to put the files it receives.
In this example, we will put the source files directly into
our main source tree, /usr/src. The
src directory is already implicit in
the collections we have chosen to receive, so this is the
correct specification:*default prefix=/usrWhere should
cvsup maintain its status files?The CVSup client maintains
certain status files in what
is called the base directory. These files
help CVSup to work more
efficiently, by keeping track of which updates you have
already received. We will use the standard base directory,
/usr/local/etc/cvsup:*default base=/usr/local/etc/cvsupThis setting is used by default if it is not specified
in the supfile, so we actually do not
need the above line.If your base directory does not already exist, now would
be a good time to create it. The cvsup
client will refuse to run if the base directory does not
exist.Miscellaneous supfile
settings:There is one more line of boiler plate that normally
needs to be present in the
supfile:*default release=cvs delete use-rel-suffix compressrelease=cvs indicates that the server
should get its information out of the main FreeBSD CVS
repository. This is virtually always the case, but there
are other possibilities which are beyond the scope of this
discussion.delete gives
CVSup permission to delete files.
You should always specify this, so that
CVSup can keep your source tree
fully up-to-date. CVSup is
careful to delete only those files for which it is
responsible. Any extra files you happen to have will be
left strictly alone.use-rel-suffix is ... arcane. If you
really want to know about it, see the &man.cvsup.1; manual
page. Otherwise, just specify it and do not worry about
it.compress enables the use of
gzip-style compression on the communication channel. If
your network link is T1 speed or faster, you probably should
not use compression. Otherwise, it helps
substantially.Putting it all together:Here is the entire supfile for our
example:*default tag=.
*default host=cvsup666.FreeBSD.org
*default prefix=/usr
*default base=/usr/local/etc/cvsup
*default release=cvs delete use-rel-suffix compress
src-allThe refuse fileAs mentioned above, CVSup uses
a pull method. Basically, this means that
you connect to the CVSup server, and
it says, Here's what you can download from
me..., and your client responds OK, I'll take
this, this, this, and this. In the default
configuration, the CVSup client will
take every file associated with the collection and tag you
chose in the configuration file. However, this is not always
what you want, especially if you are synching the doc, ports, or
www trees — most people can't read four or five
languages, and therefore they don't need to download the
language-specific files. If you are
CVSuping the ports collection, you
can get around this by specifying each collection individually
(e.g., ports-astrology,
ports-biology, etc instead of simply
saying ports-all). However, since the doc
and www trees do not have language-specific collections, you
must use one of CVSup's many nifty
features; the refuse file.The refuse file essentially tells
CVSup that it should not take every
single file from a collection; in other words, it tells the
client to refuse certain files from the
server. The refuse file can be found (or, if you do not yet
have one, should be placed) in
base/sup/refuse.
base is defined in your supfile; by
default, base is
/usr/local/etc/cvsup,
which means that by default the refuse file is in
/usr/local/etc/cvsup/sup/refuse.The refuse file has a very simple format; it simply
contains the names of files or directories that you do not wish
to download. For example, if you cannot speak any languages other
than English and some German, and you do not feel the need to use
the German applications, you can put the following in your
refuse file:ports/chinese
ports/german
ports/japanese
ports/korean
ports/russian
ports/vietnamese
doc/es_ES.ISO8859-1
doc/ja_JP.eucJPand so forth for the other languages. Note that the name
of the repository is the first directory in the
refuse file.With this very useful feature, those users who are on
slow links or pay by the minute for their Internet connection
will be able to save valuable time as they will no longer need
to download files that they will never use. For more
information on refuse files and other neat
features of CVSup, please view its
man page.Running CVSupYou are now ready to try an update. The command line for
doing this is quite simple:&prompt.root; cvsup supfilewhere supfile
is of course the name of the supfile you have just created.
Assuming you are running under X11, cvsup
will display a GUI window with some buttons to do the usual
things. Press the go button, and watch it
run.Since you are updating your actual
/usr/src tree in this example, you will
need to run the program as root so that
cvsup has the permissions it needs to update
your files. Having just created your configuration file, and
having never used this program before, that might
understandably make you nervous. There is an easy way to do a
trial run without touching your precious files. Just create an
empty directory somewhere convenient, and name it as an extra
argument on the command line:&prompt.root; mkdir /var/tmp/dest
&prompt.root; cvsup supfile /var/tmp/destThe directory you specify will be used as the destination
directory for all file updates.
CVSup will examine your usual files
in /usr/src, but it will not modify or
delete any of them. Any file updates will instead land in
/var/tmp/dest/usr/src.
CVSup will also leave its base
directory status files untouched when run this way. The new
versions of those files will be written into the specified
directory. As long as you have read access to
/usr/src, you do not even need to be root
to perform this kind of trial run.If you are not running X11 or if you just do not like GUIs,
you should add a couple of options to the command line when you
run cvsup:&prompt.root; cvsup -g -L 2 supfileThe tells
CVSup not to use its GUI. This is
automatic if you are not running X11, but otherwise you have to
specify it.The tells
CVSup to print out the
details of all the file updates it is doing. There are three
levels of verbosity, from to
. The default is 0, which means total
silence except for error messages.There are plenty of other options available. For a brief
list of them, type cvsup -H. For more
detailed descriptions, see the manual page.Once you are satisfied with the way updates are working, you
can arrange for regular runs of CVSup
using &man.cron.8;.
Obviously, you should not let CVSup
use its GUI when running it from &man.cron.8;.CVSup File CollectionsThe file collections available via
CVSup are organized hierarchically.
There are a few large collections, and they are divided into
smaller sub-collections. Receiving a large collection is
equivalent to receiving each of its sub-collections. The
hierarchical relationships among collections are reflected by
the use of indentation in the list below.The most commonly used collections are
src-all, and
ports-all. The other collections are used
only by small groups of people for specialized purposes, and
some mirror sites may not carry all of them.cvs-all release=cvsThe main FreeBSD CVS repository, including the
cryptography code.distrib release=cvsFiles related to the distribution and mirroring
of FreeBSD.doc-all release=cvsSources for the FreeBSD handbook and other
documentation.ports-all release=cvsThe FreeBSD ports collection.ports-archivers
release=cvsArchiving tools.ports-astro
release=cvsAstronomical ports.ports-audio
release=cvsSound support.ports-base
release=cvsMiscellaneous files at the top of
/usr/ports.ports-benchmarks
release=cvsBenchmarks.ports-biology
release=cvsBiology.ports-cad
release=cvsComputer aided design tools.ports-chinese
release=cvsChinese language support.ports-comms
release=cvsCommunication software.ports-converters
release=cvscharacter code converters.ports-databases
release=cvsDatabases.ports-deskutils
release=cvsThings that used to be on the desktop
before computers were invented.ports-devel
release=cvsDevelopment utilities.ports-editors
release=cvsEditors.ports-emulators
release=cvsEmulators for other operating
systems.ports-ftp
release=cvsFTP client and server utilities.ports-games
release=cvsGames.ports-german
release=cvsGerman language support.ports-graphics
release=cvsGraphics utilities.ports-irc
release=cvsInternet Relay Chat utilities.ports-japanese
release=cvsJapanese language support.ports-java
release=cvsJava utilities.ports-korean
release=cvsKorean language support.ports-lang
release=cvsProgramming languages.ports-mail
release=cvsMail software.ports-math
release=cvsNumerical computation software.ports-mbone
release=cvsMBone applications.ports-misc
release=cvsMiscellaneous utilities.ports-net
release=cvsNetworking software.ports-news
release=cvsUSENET news software.ports-palm
release=cvsSoftware support for 3Com Palm(tm)
series.ports-print
release=cvsPrinting software.ports-russian
release=cvsRussian language support.ports-security
release=cvsSecurity utilities.ports-shells
release=cvsCommand line shells.ports-sysutils
release=cvsSystem utilities.ports-textproc
release=cvstext processing utilities (does not
include desktop publishing).ports-vietnamese
release=cvsVietnamese language support.ports-www
release=cvsSoftware related to the World Wide
Web.ports-x11
release=cvsPorts to support the X window
system.ports-x11-clocks
release=cvsX11 clocks.ports-x11-fm
release=cvsX11 file managers.ports-x11-fonts
release=cvsX11 fonts and font utilities.ports-x11-toolkits
release=cvsX11 toolkits.ports-x11-serversX11 servers.ports-x11-wmX11 window managers.src-all release=cvsThe main FreeBSD sources, including the
cryptography code.src-base
release=cvsMiscellaneous files at the top of
/usr/src.src-bin
release=cvsUser utilities that may be needed in
single-user mode
(/usr/src/bin).src-contrib
release=cvsUtilities and libraries from outside the
FreeBSD project, used relatively unmodified
(/usr/src/contrib).src-crypto release=cvsCryptography utilities and libraries from
outside the FreeBSD project, used relatively
unmodified
(/usr/src/crypto).src-eBones release=cvsKerberos and DES
(/usr/src/eBones). Not
used in current releases of FreeBSD.src-etc
release=cvsSystem configuration files
(/usr/src/etc).src-games
release=cvsGames
(/usr/src/games).src-gnu
release=cvsUtilities covered by the GNU Public
License (/usr/src/gnu).src-include
release=cvsHeader files
(/usr/src/include).src-kerberos5
release=cvsKerberos5 security package
(/usr/src/kerberos5).src-kerberosIV
release=cvsKerberosIV security package
(/usr/src/kerberosIV).src-lib
release=cvsLibraries
(/usr/src/lib).src-libexec
release=cvsSystem programs normally executed by other
programs
(/usr/src/libexec).src-release
release=cvsFiles required to produce a FreeBSD
release
(/usr/src/release).src-secure release=cvsDES (/usr/src/secure).src-sbin
release=cvsSystem utilities for single-user mode
(/usr/src/sbin).src-share
release=cvsFiles that can be shared across multiple
systems
(/usr/src/share).src-sys
release=cvsThe kernel
(/usr/src/sys).src-sys-crypto
release=cvsKernel cryptography code
(/usr/src/sys/crypto).src-tools
release=cvsVarious tools for the maintenance of
FreeBSD
(/usr/src/tools).src-usrbin
release=cvsUser utilities
(/usr/src/usr.bin).src-usrsbin
release=cvsSystem utilities
(/usr/src/usr.sbin).www release=cvsThe sources for the World Wide Web data.distrib release=selfThe CVSup server's own
configuration files. Used by CVSup
mirror sites.gnats release=currentThe GNATS bug-tracking database.mail-archive release=currentFreeBSD mailing list archive.www release=currentThe installed World Wide Web data. Used by WWW mirror
sites.For more informationFor the CVSup FAQ and other
information about CVSup, see
The
CVSup Home Page.Most FreeBSD-related discussion of
CVSup takes place on the
&a.hackers;. New versions of the software are announced there,
as well as on the &a.announce;.Questions and bug reports should be addressed to the author
of the program at cvsup-bugs@polstra.com.CVSup SitesCVSup servers for FreeBSD are running
at the following sites:Argentinacvsup.ar.FreeBSD.org (maintainer
msagre@cactus.fi.uba.ar)Australiacvsup.au.FreeBSD.org (maintainer
dawes@xfree86.org)cvsup3.au.FreeBSD.org (maintainer
FreeBSD@admin.gil.com.au)Austriacvsup.at.FreeBSD.org (maintainer
postmaster@wu-wien.ac.at)Brazilcvsup.br.FreeBSD.org (maintainer
cvsup@cvsup.br.FreeBSD.org)cvsup2.br.FreeBSD.org (maintainer
tps@ti.sk)cvsup3.br.FreeBSD.org (maintainer
camposr@matrix.com.br)Canadacvsup.ca.FreeBSD.org (maintainer
dan@jaded.net)cvsup2.ca.FreeBSD.org (maintainer
hostmaster@ca.freebsd.org)Chinacvsup.cn.FreeBSD.org (maintainer
phj@cn.FreeBSD.org)Czech Republiccvsup.cz.FreeBSD.org (maintainer
cejkar@dcse.fee.vutbr.cz)Denmarkcvsup.dk.FreeBSD.org (maintainer
jesper@skriver.dk)Estoniacvsup.ee.FreeBSD.org (maintainer
taavi@uninet.ee)Finlandcvsup.fi.FreeBSD.org (maintainer
count@key.sms.fi)cvsup2.fi.FreeBSD.org (maintainer
count@key.sms.fi)Francecvsup.fr.FreeBSD.org (maintainer
hostmaster@fr.FreeBSD.org)cvsup2.fr.FreeBSD.org (maintainer
ftpmaint@uvsq.fr)Germanycvsup.de.FreeBSD.org (maintainer
rse@freebsd.org)cvsup1.de.FreeBSD.org (maintainer
wosch@FreeBSD.org)cvsup2.de.FreeBSD.org (maintainer
cvsup@nikoma.de)cvsup3.de.FreeBSD.org (maintainer
ag@leo.org)cvsup4.de.FreeBSD.org (maintainer
cvsup@cosmo-project.de)cvsup5.de.FreeBSD.org (maintainer
rse@freebsd.org)Greececvsup.gr.FreeBSD.org (maintainer
ftpadm@duth.gr)cvsup2.gr.FreeBSD.org (maintainer
paschos@cs.uoi.gr)Icelandcvsup.is.FreeBSD.org (maintainer
adam@veda.is)Irelandcvsup.ie.FreeBSD.org (maintainer
dwmalone@maths.tcd.ie),
Trinity College, Dublin.Japancvsup.jp.FreeBSD.org (maintainer
cvsupadm@jp.FreeBSD.org)cvsup2.jp.FreeBSD.org (maintainer
max@FreeBSD.org)cvsup3.jp.FreeBSD.org (maintainer
shige@cin.nihon-u.ac.jp)cvsup4.jp.FreeBSD.org (maintainer
cvsup-admin@ftp.media.kyoto-u.ac.jp)cvsup5.jp.FreeBSD.org (maintainer
cvsup@imasy.or.jp)cvsup6.jp.FreeBSD.org (maintainer
cvsupadm@jp.FreeBSD.org)Koreacvsup.kr.FreeBSD.org (maintainer
cjh@kr.FreeBSD.org)cvsup2.kr.FreeBSD.org (maintainer
holywar@mail.holywar.net)Lithuaniacvsup.lt.FreeBSD.org (maintainer
domas.mituzas@delfi.lt)Netherlandscvsup.nl.FreeBSD.org (maintainer
xaa@xaa.iae.nl)cvsup2.nl.FreeBSD.org (maintainer
cvsup@nl.uu.net)Norwaycvsup.no.FreeBSD.org (maintainer
Per.Hove@math.ntnu.no)Polandcvsup.pl.FreeBSD.org (maintainer
Mariusz@kam.pl)Portugalcvsup.pt.FreeBSD.org (maintainer
jpedras@webvolution.net)Russiacvsup.ru.FreeBSD.org (maintainer
ache@nagual.pp.ru)cvsup2.ru.FreeBSD.org (maintainer
dv@dv.ru)cvsup3.ru.FreeBSD.org (maintainer
fjoe@iclub.nsu.ru)cvsup4.ru.FreeBSD.org (maintainer
zhecka@klondike.ru)cvsup5.ru.FreeBSD.org (maintainer
maxim@macomnet.ru)cvsup6.ru.FreeBSD.org (maintainer
pvr@corbina.net)Slovak Republiccvsup.sk.FreeBSD.org (maintainer
tps@tps.sk)cvsup2.sk.FreeBSD.org (maintainer
tps@tps.sk)Sloveniacvsup.si.FreeBSD.org (maintainer
blaz@si.FreeBSD.org)South Africacvsup.za.FreeBSD.org (maintainer
markm@FreeBSD.org)cvsup2.za.FreeBSD.org (maintainer
markm@FreeBSD.org)Spaincvsup.es.FreeBSD.org (maintainer
jesusr@FreeBSD.org)cvsup2.es.FreeBSD.org (maintainer
jesusr@FreeBSD.org)cvsup3.es.FreeBSD.org (maintainer
jose@we.lc.ehu.es)Swedencvsup.se.FreeBSD.org (maintainer
pantzer@ludd.luth.se)cvsup2.se.FreeBSD.org (maintainer
cvsup@dataphone.net)Taiwancvsup.tw.FreeBSD.org (maintainer
jdli@freebsd.csie.nctu.edu.tw)cvsup2.tw.FreeBSD.org (maintainer
ycheng@sinica.edu.tw)cvsup3.tw.FreeBSD.org (maintainer
foxfair@FreeBSD.org)Ukrainecvsup2.ua.FreeBSD.org (maintainer
freebsd-mnt@lucky.net)cvsup3.ua.FreeBSD.org (maintainer
ftpmaster@ukr.net), Kievcvsup4.ua.FreeBSD.org (maintainer
phantom@cris.net)United Kingdomcvsup.uk.FreeBSD.org (maintainer
joe@pavilion.net)cvsup2.uk.FreeBSD.org (maintainer
brian@FreeBSD.org)cvsup3.uk.FreeBSD.org (maintainer
ftp-admin@plig.net)USAcvsup1.FreeBSD.org (maintainer
skynyrd@opus.cts.cwu.edu), Washington
statecvsup2.FreeBSD.org (maintainer
jdp@FreeBSD.org), Californiacvsup3.FreeBSD.org (maintainer
wollman@FreeBSD.org), Massachusettscvsup4.FreeBSD.org (maintainer
rgrimes@FreeBSD.org), Oregoncvsup5.FreeBSD.org (maintainer
mjr@blackened.com), Arizonacvsup6.FreeBSD.org (maintainer
jdp@FreeBSD.org), Floridacvsup7.FreeBSD.org (maintainer
jdp@FreeBSD.org), Washington statecvsup8.FreeBSD.org (maintainer
hostmaster@bigmirror.com), Washington
statecvsup9.FreeBSD.org (maintainer
qbsd@uswest.net), Minnesotacvsup10.FreeBSD.org (maintainer
jdp@FreeBSD.org), Californiacvsup11.FreeBSD.org (maintainer
cvsup@research.uu.net), Virginiacvsup12.FreeBSD.org (maintainer
will@FreeBSD.org), Indianacvsup13.FreeBSD.org (maintainer
dima@valueclick.com), Californiacvsup14.FreeBSD.org (maintainer
freebsd-cvsup@mfnx.net), Californiacvsup15.FreeBSD.org (maintainer
cvsup@math.uic.edu), Illinoiscvsup16.FreeBSD.org (maintainer
pth3k@virginia.edu), Virginiacvsup17.FreeBSD.org (maintainer
cvsup@mirrortree.com), Washington stateAFS SitesAFS servers for FreeBSD are running at the following sites;SwedenThe path to the files are:
/afs/stacken.kth.se/ftp/pub/FreeBSD/stacken.kth.se # Stacken Computer Club, KTH, Sweden
130.237.234.43 #hot.stacken.kth.se
130.237.237.230 #fishburger.stacken.kth.se
130.237.234.3 #milko.stacken.kth.seMaintainer ftp@stacken.kth.se
diff --git a/en_US.ISO8859-1/books/handbook/security/chapter.sgml b/en_US.ISO8859-1/books/handbook/security/chapter.sgml
index e5fba74e14..970751157b 100644
--- a/en_US.ISO8859-1/books/handbook/security/chapter.sgml
+++ b/en_US.ISO8859-1/books/handbook/security/chapter.sgml
@@ -1,3039 +1,3039 @@
SecuritysecurityMuch of this chapter has been taken from the
&man.security.7; man page, originally written by
&a.dillon;.SynopsisThe following chapter will provide a basic introduction to
system security concepts, some general good rules of thumb, and some
advanced topics such as S/Key, OpenSSL, Kerberos, and others.IntroductionSecurity is a function that begins and ends with the system
administrator. While all BSD Unix multi-user systems have some
inherent security, the job of building and maintaining additional
security mechanisms to keep those users honest is
probably one of the single largest undertakings of the sysadmin.
Machines are only as secure as you make them, and security concerns
are ever competing with the human necessity for convenience. Unix
systems, in general, are capable of running a huge number of
simultaneous processes and many of these processes operate as
servers – meaning that external entities can connect and talk
to them. As yesterday's mini-computers and mainframes become
today's desktops, and as computers become networked and
internetworked, security becomes an ever bigger issue.Security is best implemented through a layered
onion approach. In a nutshell, what you want to do is
to create as many layers of security as are convenient and then
carefully monitor the system for intrusions. You do not want to
overbuild your security or you will interfere with the detection
side, and detection is one of the single most important aspects of
any security mechanism. For example, it makes little sense to set
the schg flags (see &man.chflags.1;) on every system binary because
while this may temporarily protect the binaries, it prevents an
attacker who has broken in from making an easily detectable change
that may result in your security mechanisms not detecting the attacker
at all.System security also pertains to dealing with various forms of
attack, including attacks that attempt to crash or otherwise make a
system unusable but do not attempt to break root. Security concerns
can be split up into several categories:Denial of service attacks.User account compromises.Root compromise through accessible servers.Root compromise via user accounts.Backdoor creation.DOS attackssecurityDOS attacksDenial of ServiceA denial of service attack is an action that deprives the
machine of needed resources. Typically, D.O.S. attacks are
brute-force mechanisms that attempt to crash or otherwise make a
machine unusable by overwhelming its servers or network stack. Some
D.O.S. attacks try to take advantages of bugs in the networking
stack to crash a machine with a single packet. The latter can only
be fixed by applying a bug fix to the kernel. Attacks on servers
can often be fixed by properly specifying options to limit the load
the servers incur on the system under adverse conditions.
Brute-force network attacks are harder to deal with. A
spoofed-packet attack, for example, is nearly impossible to stop
short of cutting your system off from the Internet. It may not be
able to take your machine down, but it can saturate your
Internet connection.securityaccount compromisesA user account compromise is even more common than a D.O.S.
attack. Many sysadmins still run standard telnetd, rlogind, rshd,
and ftpd servers on their machines. These servers, by default, do
not operate over encrypted connections. The result is that if you
have any moderate-sized user base, one or more of your users logging
into your system from a remote location (which is the most common
and convenient way to login to a system) will have his or her
password sniffed. The attentive system admin will analyze his
remote access logs looking for suspicious source addresses even for
successful logins.One must always assume that once an attacker has access to a
user account, the attacker can break root. However, the reality is
that in a well secured and maintained system, access to a user
account does not necessarily give the attacker access to root. The
distinction is important because without access to root the attacker
cannot generally hide his tracks and may, at best, be able to do
nothing more than mess with the user's files or crash the machine.
User account compromises are very common because users tend not to
take the precautions that sysadmins take.securitybackdoorsSystem administrators must keep in mind that there are
potentially many ways to break root on a machine. The attacker
may know the root password, the attacker may find a bug in a
root-run server and be able to break root over a network
connection to that server, or the attacker may know of a bug in
an suid-root program that allows the attacker to break root once
he has broken into a user's account. If an attacker has found
a way to break root on a machine, the attacker may not have a need
to install a backdoor. Many of the root holes
found and closed to date involve a considerable amount of work
by the attacker to cleanup after himself, so most attackers install
backdoors. Backdoors provide the attacker with a way to easily
regain root access to the system, but it also gives the smart
system administrator a convenient way to detect the intrusion.
Making it impossible for an attacker to install a backdoor may
actually be detrimental to your security because it will not
close off the hole the attacker found to break in the first
place.Security remedies should always be implemented with a
multi-layered onion peel approach and can be
categorized as follows:Securing root and staff accounts.Securing root – root-run servers and suid/sgid
binaries.Securing user accounts.Securing the password file.Securing the kernel core, raw devices, and
filesystems.Quick detection of inappropriate changes made to the
system.Paranoia.The next section of this chapter will cover the above bullet
items in greater depth.securitysecuringSecuring FreeBSDThe sections that follow will cover the methods of securing your
FreeBSD system that were mentioned in the last section of this chapter.Securing the root account and staff accountssuFirst off, do not bother securing staff accounts if you have
not secured the root account. Most systems have a password
assigned to the root account. The first thing you do is assume
that the password is always compromised.
This does not mean that you should remove the password. The
password is almost always necessary for console access to the
machine. What it does mean is that you should not make it
possible to use the password outside of the console or possibly
even with the &man.su.1; command. For example, make sure that
your pty's are specified as being unsecure in the
/etc/ttys file so that direct root logins
via telnet or rlogin are
disallowed. If using other login services such as
sshd, make sure that direct root logins
are disabled there as well. Consider every access method –
services such as FTP often fall through the cracks. Direct root
logins should only be allowed via the system console.wheelOf course, as a sysadmin you have to be able to get to root,
so we open up a few holes. But we make sure these holes require
additional password verification to operate. One way to make root
accessible is to add appropriate staff accounts to the
wheel group (in
/etc/group). The staff members placed in the
wheel group are allowed to
su to root. You should never give staff
members native wheel access by putting them in the
wheel group in their password entry. Staff
accounts should be placed in a staff group, and
then added to the wheel group via the
/etc/group file. Only those staff members
who actually need to have root access should be placed in the
wheel group. It is also possible, when using
an authentication method such as kerberos, to use kerberos'
.k5login file in the root account to allow a
&man.ksu.1; to root without having to place anyone at all in the
wheel group. This may be the better solution
since the wheel mechanism still allows an
intruder to break root if the intruder has gotten hold of your
password file and can break into a staff account. While having
the wheel mechanism is better than having
nothing at all, it is not necessarily the safest option.An indirect way to secure staff accounts, and ultimately
root access is to use an alternative login access method and
do what is known as *'ing out the crypted
password for the staff accounts. Using the &man.vipw.8;
command, one can replace each instance of a crypted password
with a single * character. This command
will update the /etc/master.passwd file
and user/password database to disable password-authenticated
logins.A staff account entry such as:foobar:R9DT/Fa1/LV9U:1000:1000::0:0:Foo Bar:/home/foobar:/usr/local/bin/tcshShould be changed to this :foobar:*:1000:1000::0:0:Foo Bar:/home/foobar:/usr/local/bin/tcshThis change will prevent normal logins from occurring,
since the encrypted password will never match
*. With this done, staff members must use
another mechanism to authenticate themselves such as
&man.kerberos.1; or &man.ssh.1; using a public/private key
pair. When using something like kerberos, one generally must
secure the machines which run the kerberos servers and your
desktop workstation. When using a public/private key pair
with ssh, one must generally secure
the machine used to login from (typically
one's workstation). An additional layer of protection can be
added to the key pair by password protecting the key pair when
creating it with &man.ssh-keygen.1;. Being able to
* out the passwords for staff accounts also
guarantees that staff members can only login through secure
access methods that you have setup. This forces all staff
members to use secure, encrypted connections for all of their
sessions which closes an important hole used by many
intruders: That of sniffing the network from an unrelated,
less secure machine.The more indirect security mechanisms also assume that you are
logging in from a more restrictive server to a less restrictive
server. For example, if your main box is running all sorts of
servers, your workstation should not be running any. In order for
your workstation to be reasonably secure you should run as few
servers as possible, up to and including no servers at all, and
you should run a password-protected screen blanker. Of course,
given physical access to a workstation an attacker can break any
sort of security you put on it. This is definitely a problem that
you should consider but you should also consider the fact that the
vast majority of break-ins occur remotely, over a network, from
people who do not have physical access to your workstation or
servers.KerberosUsing something like kerberos also gives you the ability to
disable or change the password for a staff account in one place
and have it immediately effect all the machine the staff member
may have an account on. If a staff member's account gets
compromised, the ability to instantly change his password on all
machines should not be underrated. With discrete passwords,
changing a password on N machines can be a mess. You can also
impose re-passwording restrictions with kerberos: not only can a
kerberos ticket be made to timeout after a while, but the kerberos
system can require that the user choose a new password after a
certain period of time (say, once a month).Securing Root-run Servers and SUID/SGID BinariesntalkcomsatfingersandboxessshdtelnetdrshdrlogindThe prudent sysadmin only runs the servers he needs to, no
more, no less. Be aware that third party servers are often the
most bug-prone. For example, running an old version of imapd or
popper is like giving a universal root ticket out to the entire
world. Never run a server that you have not checked out
carefully. Many servers do not need to be run as root. For
example, the ntalk,
comsat, and
finger daemons can be run in special
user sandboxes. A sandbox isn't perfect unless
you go to a large amount of trouble, but the onion approach to
security still stands: If someone is able to break in through
a server running in a sandbox, they still have to break out of the
sandbox. The more layers the attacker must break through, the
lower the likelihood of his success. Root holes have historically
been found in virtually every server ever run as root, including
basic system servers. If you are running a machine through which
people only login via sshd and never
login via telnetd or
rshd or
rlogind, then turn off those
services!FreeBSD now defaults to running
ntalkd,
comsat, and
finger in a sandbox. Another program
which may be a candidate for running in a sandbox is &man.named.8;.
/etc/defaults/rc.conf includes the arguments
necessary to run named in a sandbox in a
commented-out form. Depending on whether you are installing a new
system or upgrading an existing system, the special user accounts
used by these sandboxes may not be installed. The prudent
sysadmin would research and implement sandboxes for servers
whenever possible.sendmailThere are a number of other servers that typically do not run
in sandboxes: sendmail,
popper,
imapd, ftpd,
and others. There are alternatives to some of these, but
installing them may require more work than you are willing to
perform (the convenience factor strikes again). You may have to
run these servers as root and rely on other mechanisms to detect
break-ins that might occur through them.The other big potential root hole in a system are the
suid-root and sgid binaries installed on the system. Most of
these binaries, such as rlogin, reside
in /bin, /sbin,
/usr/bin, or /usr/sbin.
While nothing is 100% safe, the system-default suid and sgid
binaries can be considered reasonably safe. Still, root holes are
occasionally found in these binaries. A root hole was found in
Xlib in 1998 that made
xterm (which is typically suid)
vulnerable. It is better to be safe than sorry and the prudent
sysadmin will restrict suid binaries that only staff should run to
a special group that only staff can access, and get rid of
(chmod 000) any suid binaries that nobody uses.
A server with no display generally does not need an
xterm binary. Sgid binaries can be
almost as dangerous. If an intruder can break an sgid-kmem binary
the intruder might be able to read /dev/kmem
and thus read the crypted password file, potentially compromising
any passworded account. Alternatively an intruder who breaks
group kmem can monitor keystrokes sent through
pty's, including pty's used by users who login through secure
methods. An intruder that breaks the tty group can write to
almost any user's tty. If a user is running a terminal program or
emulator with a keyboard-simulation feature, the intruder can
potentially generate a data stream that causes the user's terminal
to echo a command, which is then run as that user.Securing User AccountsUser accounts are usually the most difficult to secure. While
you can impose Draconian access restrictions on your staff and
* out their passwords, you may not be able to
do so with any general user accounts you might have. If you do
have sufficient control then you may win out and be able to secure
the user accounts properly. If not, you simply have to be more
vigilant in your monitoring of those accounts. Use of
ssh and kerberos for user accounts is
more problematic due to the extra administration and technical
support required, but still a very good solution compared to a
crypted password file.Securing the Password FileThe only sure fire way is to * out as many
passwords as you can and use ssh or
kerberos for access to those accounts. Even though the crypted
password file (/etc/spwd.db) can only be read
by root, it may be possible for an intruder to obtain read access
to that file even if the attacker cannot obtain root-write
access.Your security scripts should always check for and report
changes to the password file (see Checking file integrity
below).Securing the Kernel Core, Raw Devices, and
FilesystemsIf an attacker breaks root he can do just about anything, but
there are certain conveniences. For example, most modern kernels
have a packet sniffing device driver built in. Under FreeBSD it
is called the bpf device. An intruder
will commonly attempt to run a packet sniffer on a compromised
machine. You do not need to give the intruder the capability and
most systems should not have the bpf device compiled in.sysctlBut even if you turn off the bpf device, you still have
/dev/mem and /dev/kmem
to worry about. For that matter, the intruder can still write to
raw disk devices. Also, there is another kernel feature called
the module loader, &man.kldload.8;. An enterprising intruder can
use a KLD module to install his own bpf device or other sniffing
device on a running kernel. To avoid these problems you have to
run the kernel at a higher secure level, at least securelevel 1.
The securelevel can be set with a sysctl on
the kern.securelevel variable. Once you have
set the securelevel to 1, write access to raw devices will be
denied and special chflags flags, such as schg,
will be enforced. You must also ensure that the
schg flag is set on critical startup binaries,
directories, and script files – everything that gets run up
to the point where the securelevel is set. This might be overdoing
it, and upgrading the system is much more difficult when you
operate at a higher secure level. You may compromise and run the
system at a higher secure level but not set the
schg flag for every system file and directory
under the sun. Another possibility is to simply mount
/ and /usr read-only.
It should be noted that being too draconian in what you attempt to
protect may prevent the all-important detection of an
intrusion.Checking File Integrity: Binaries, Configuration Files,
Etc.When it comes right down to it, you can only protect your core
system configuration and control files so much before the
convenience factor rears its ugly head. For example, using
chflags to set the schg bit
on most of the files in / and
/usr is probably counterproductive because
while it may protect the files, it also closes a detection window.
The last layer of your security onion is perhaps the most
important – detection. The rest of your security is pretty
much useless (or, worse, presents you with a false sense of
safety) if you cannot detect potential incursions. Half the job
of the onion is to slow down the attacker rather than stop him in
order to give the detection side of the equation a chance to catch
him in the act.The best way to detect an incursion is to look for modified,
missing, or unexpected files. The best way to look for modified
files is from another (often centralized) limited-access system.
Writing your security scripts on the extra-secure limited-access
system makes them mostly invisible to potential attackers, and this
is important. In order to take maximum advantage you generally
have to give the limited-access box significant access to the
other machines in the business, usually either by doing a
read-only NFS export of the other machines to the limited-access
box, or by setting up ssh key-pairs to
allow the limit-access box to ssh to
the other machines. Except for its network traffic, NFS is the
least visible method – allowing you to monitor the
filesystems on each client box virtually undetected. If your
limited-access server is connected to the client boxes through a
switch, the NFS method is often the better choice. If your
limited-access server is connected to the client boxes through a
hub or through several layers of routing, the NFS method may be
too insecure (network-wise) and using
ssh may be the better choice even with
the audit-trail tracks that ssh
lays.Once you give a limit-access box at least read access to the
client systems it is supposed to monitor, you must write scripts
to do the actual monitoring. Given an NFS mount, you can write
scripts out of simple system utilities such as &man.find.1; and
&man.md5.1;. It is best to physically md5 the client-box files
boxes at least once a day, and to test control files such as those
found in /etc and
/usr/local/etc even more often. When
mismatches are found relative to the base md5 information the
limited-access machine knows is valid, it should scream at a
sysadmin to go check it out. A good security script will also
check for inappropriate suid binaries and for new or deleted files
on system partitions such as / and
/usr.When using ssh rather than NFS,
writing the security script is much more difficult. You
essentially have to scp the scripts to the client box in order to
run them, making them visible, and for safety you also need to
scp the binaries (such as find) that those
scripts use. The ssh daemon on the
client box may already be compromised. All in all, using
ssh may be necessary when running over
unsecure links, but it's also a lot harder to deal with.A good security script will also check for changes to user and
staff members access configuration files:
.rhosts, .shosts,
.ssh/authorized_keys and so forth…
files that might fall outside the purview of the
MD5 check.If you have a huge amount of user disk space it may take too
long to run through every file on those partitions. In this case,
setting mount flags to disallow suid binaries and devices on those
partitions is a good idea. The nodev and
nosuid options (see &man.mount.8;) are what you
want to look into. You should probably scan them anyway at least
once a week, since the object of this layer is to detect a break-in
whether or not the break-in is effective.Process accounting (see &man.accton.8;) is a relatively
low-overhead feature of the operating system which might help
as a post-break-in evaluation mechanism. It is especially
useful in tracking down how an intruder has actually broken into
a system, assuming the file is still intact after the break-in
occurs.Finally, security scripts should process the log files and the
logs themselves should be generated in as secure a manner as
possible – remote syslog can be very useful. An intruder
tries to cover his tracks, and log files are critical to the
sysadmin trying to track down the time and method of the initial
break-in. One way to keep a permanent record of the log files is
to run the system console to a serial port and collect the
information on a continuing basis through a secure machine
monitoring the consoles.ParanoiaA little paranoia never hurts. As a rule, a sysadmin can add
any number of security features as long as they do not effect
convenience, and can add security features that do effect
convenience with some added thought. Even more importantly, a
security administrator should mix it up a bit – if you use
recommendations such as those given by this document verbatim, you
give away your methodologies to the prospective attacker who also
has access to this document.Denial of Service AttacksDOS attacksThis section covers Denial of Service attacks. A DOS attack
is typically a packet attack. While there is not much you can do
about modern spoofed packet attacks that saturate your network,
you can generally limit the damage by ensuring that the attacks
cannot take down your servers.Limiting server forks.Limiting springboard attacks (ICMP response attacks, ping
broadcast, etc.).Kernel Route Cache.A common DOS attack is against a forking server that attempts
to cause the server to eat processes, file descriptors, and memory
until the machine dies. Inetd (see &man.inetd.8;) has several
options to limit this sort of attack. It should be noted that
while it is possible to prevent a machine from going down it is
not generally possible to prevent a service from being disrupted
by the attack. Read the inetd manual page carefully and pay
specific attention to the , ,
and options. Note that spoofed-IP attacks
will circumvent the option to inetd, so
typically a combination of options must be used. Some standalone
servers have self-fork-limitation parameters.Sendmail has its
option which tends to work
much better than trying to use sendmail's load limiting options
due to the load lag. You should specify a
MaxDaemonChildren parameter when you start
sendmail high enough to handle your
expected load but no so high that the computer cannot handle that
number of sendmails without falling on
its face. It is also prudent to run sendmail in queued mode
() and to run the daemon
(sendmail -bd) separate from the queue-runs
(sendmail -q15m). If you still want real-time
delivery you can run the queue at a much lower interval, such as
, but be sure to specify a reasonable
MaxDaemonChildren option for that sendmail to
prevent cascade failures.Syslogd can be attacked directly
and it is strongly recommended that you use the
option whenever possible, and the option
otherwise.You should also be fairly careful with connect-back services
such as tcpwrapper's reverse-identd,
which can be attacked directly. You generally do not want to use
the reverse-ident feature of
tcpwrappers for this reason.It is a very good idea to protect internal services from
external access by firewalling them off at your border routers.
The idea here is to prevent saturation attacks from outside your
LAN, not so much to protect internal services from network-based
root compromise. Always configure an exclusive firewall, i.e.,
firewall everything except ports A, B,
C, D, and M-Z. This way you can firewall off all of your
low ports except for certain specific services such as
named (if you are primary for a zone),
ntalkd,
sendmail, and other Internet-accessible
services. If you try to configure the firewall the other way
– as an inclusive or permissive firewall, there is a good
chance that you will forget to close a couple of
services or that you will add a new internal service and forget
to update the firewall. You can still open up the high-numbered
port range on the firewall to allow permissive-like operation
without compromising your low ports. Also take note that FreeBSD
allows you to control the range of port numbers used for dynamic
binding via the various net.inet.ip.portrangesysctl's (sysctl -a | fgrep
portrange), which can also ease the complexity of your
firewall's configuration. For example, you might use a normal
first/last range of 4000 to 5000, and a hiport range of 49152 to
65535, then block everything under 4000 off in your firewall
(except for certain specific Internet-accessible ports, of
course).ICMP_BANDLIMAnother common DOS attack is called a springboard attack
– to attack a server in a manner that causes the server to
generate responses which then overload the server, the local
network, or some other machine. The most common attack of this
nature is the ICMP ping broadcast attack.
The attacker spoofs ping packets sent to your LAN's broadcast
address with the source IP address set to the actual machine they
wish to attack. If your border routers are not configured to
stomp on ping's to broadcast addresses, your LAN winds up
generating sufficient responses to the spoofed source address to
saturate the victim, especially when the attacker uses the same
trick on several dozen broadcast addresses over several dozen
different networks at once. Broadcast attacks of over a hundred
and twenty megabits have been measured. A second common
springboard attack is against the ICMP error reporting system.
By constructing packets that generate ICMP error responses, an
attacker can saturate a server's incoming network and cause the
server to saturate its outgoing network with ICMP responses. This
type of attack can also crash the server by running it out of
mbuf's, especially if the server cannot drain the ICMP responses
it generates fast enough. The FreeBSD kernel has a new kernel
compile option called ICMP_BANDLIM which limits the effectiveness
of these sorts of attacks. The last major class of springboard
attacks is related to certain internal inetd services such as the
udp echo service. An attacker simply spoofs a UDP packet with the
source address being server A's echo port, and the destination
address being server B's echo port, where server A and B are both
on your LAN. The two servers then bounce this one packet back and
forth between each other. The attacker can overload both servers
and their LANs simply by injecting a few packets in this manner.
Similar problems exist with the internal chargen port. A
competent sysadmin will turn off all of these inetd-internal test
services.Spoofed packet attacks may also be used to overload the kernel
route cache. Refer to the net.inet.ip.rtexpire,
rtminexpire, and rtmaxcachesysctl parameters. A spoofed packet attack
that uses a random source IP will cause the kernel to generate a
temporary cached route in the route table, viewable with
netstat -rna | fgrep W3. These routes
typically timeout in 1600 seconds or so. If the kernel detects
that the cached route table has gotten too big it will dynamically
reduce the rtexpire but will never decrease it to less than
rtminexpire. There are two problems:The kernel does not react quickly enough when a lightly
loaded server is suddenly attacked.The rtminexpire is not low enough for
the kernel to survive a sustained attack.If your servers are connected to the Internet via a T3 or
better it may be prudent to manually override both
rtexpire and rtminexpire
via &man.sysctl.8;. Never set either parameter to zero (unless
- you want to crash the machine :-). Setting both
+ you want to crash the machine. Setting both
parameters to 2 seconds should be sufficient to protect the route
table from attack.Access Issues with Kerberos and SSHsshKerberosThere are a few issues with both kerberos and
ssh that need to be addressed if
you intend to use them. Kerberos V is an excellent
authentication protocol but there are bugs in the kerberized
telnet and
rlogin applications that make them
unsuitable for dealing with binary streams. Also, by default
kerberos does not encrypt a session unless you use the
option. ssh
encrypts everything by default.ssh works quite well in every
respect except that it forwards encryption keys by default. What
this means is that if you have a secure workstation holding keys
that give you access to the rest of the system, and you
ssh to an unsecure machine, your keys
becomes exposed. The actual keys themselves are not exposed, but
ssh installs a forwarding port for the
duration of your login and if a attacker has broken root on the
unsecure machine he can utilize that port to use your keys to gain
access to any other machine that your keys unlock.We recommend that you use ssh in
combination with kerberos whenever possible for staff logins.
ssh can be compiled with kerberos
support. This reduces your reliance on potentially exposable
ssh keys while at the same time
protecting passwords via kerberos. ssh
keys should only be used for automated tasks from secure machines
(something that kerberos is unsuited to). We also recommend that
you either turn off key-forwarding in the
ssh configuration, or that you make use
of the from=IP/DOMAIN option that
ssh allows in its
authorized_keys file to make the key only
usable to entities logging in from specific machines.DES, MD5, and CryptsecuritycryptcryptDESMD5Parts rewritten and updated by &a.unfurl;, 21 March
2000.Every user on a Unix system has a password associated with
their account. It seems obvious that these passwords need to be
known only to the user and the actual operating system. In
order to keep these passwords secret, they are encrypted with
what is known as a one-way hash, that is, they can
only be easily encrypted but not decrypted. In other words, what
we told you a moment ago was obvious is not even true: the
operating system itself does not really know
the password. It only knows the encrypted
form of the password. The only way to get the
plain-text password is by a brute force search of the
space of possible passwords.Unfortunately the only secure way to encrypt passwords when
Unix came into being was based on DES, the Data Encryption
Standard. This is not such a problem for users that live in
the US, but since the source code for DES could not be exported
outside the US, FreeBSD had to find a way to both comply with
US law and retain compatibility with all the other Unix
variants that still use DES.The solution was to divide up the encryption libraries
so that US users could install the DES libraries and use
DES but international users still had an encryption method
that could be exported abroad. This is how FreeBSD came to
use MD5 as its default encryption method. MD5 is believed to
be more secure than DES, so installing DES is offered primarily
for compatibility reasons.Recognizing your crypt mechanismIt is pretty easy to identify which encryption method
FreeBSD is set up to use. Examining the encrypted passwords in
the /etc/master.passwd file is one way.
Passwords encrypted with the MD5 hash are longer than those with
encrypted with the DES hash and also begin with the characters
$1$. DES password strings do not
have any particular identifying characteristics, but they are
shorter than MD5 passwords, and are coded in a 64-character
alphabet which does not include the $
character, so a relatively short string which does not begin with
a dollar sign is very likely a DES password.The libraries can identify the passwords this way as well.
As a result, the DES libraries are able to identify MD5
passwords, and use MD5 to check passwords that were encrypted
that way, and DES for the rest. They are able to do this
because the DES libraries also contain MD5. Unfortunately, the
reverse is not true, so the MD5 libraries cannot authenticate
passwords that were encrypted with DES.Identifying which library is being used by the programs on
your system is easy as well. Any program that uses crypt is linked
against libcrypt which for each type of library is a symbolic link
to the appropriate implementation. For example, on a system using
the DES versions:&prompt.user; ls -l /usr/lib/libcrypt*
lrwxr-xr-x 1 root wheel 13 Mar 19 06:56 libcrypt.a -> libdescrypt.a
lrwxr-xr-x 1 root wheel 18 Mar 19 06:56 libcrypt.so.2.0 -> libdescrypt.so.2.0
lrwxr-xr-x 1 root wheel 15 Mar 19 06:56 libcrypt_p.a -> libdescrypt_p.aOn a system using the MD5-based libraries, the same links will
be present, but the target will be libscrypt
rather than libdescrypt.If you have installed the DES-capable crypt library
libdescrypt (e.g. by installing the
"crypto" distribution), then which password format will be used
for new passwords is controlled by the
passwd_format login capability in
/etc/login.conf, which takes values of
either des or md5. See the
&man.login.conf.5; manpage for more information about login
capabilities.S/KeyS/KeysecurityS/KeyS/Key is a one-time password scheme based on a one-way hash
function. FreeBSD uses the MD4 hash for compatibility but other
systems have used MD5 and DES-MAC. S/Key has been part of the
FreeBSD base system since version 1.1.5 and is also used on a
growing number of other operating systems. S/Key is a registered
trademark of Bell Communications Research, Inc.There are three different sorts of passwords which we will talk
about in the discussion below. The first is your usual Unix-style or
Kerberos password; we will call this a Unix password.
The second sort is the one-time password which is generated by the
S/Key key program and accepted by the
keyinit program and the login prompt; we will
call this a one-time password. The final sort of
password is the secret password which you give to the
key program (and sometimes the
keyinit program) which it uses to generate
one-time passwords; we will call it a secret password
or just unqualified password.The secret password does not have anything to do with your Unix
password; they can be the same but this is not recommended. S/Key
secret passwords are not limited to 8 characters like Unix passwords,
they can be as long as you like. Passwords of six or seven word
long phrases are fairly common. For the most part, the S/Key system
operates completely independently of the Unix password
system.Besides the password, there are two other pieces of data that
are important to S/Key. One is what is known as the
seed or key and consists of two letters
and five digits. The other is what is called the iteration
count and is a number between 1 and 100. S/Key creates the
one-time password by concatenating the seed and the secret password,
then applying the MD4 hash as many times as specified by the
iteration count and turning the result into six short English words.
These six English words are your one-time password. The
login and su programs keep
track of the last one-time password used, and the user is
authenticated if the hash of the user-provided password is equal to
the previous password. Because a one-way hash is used it is
impossible to generate future one-time passwords if a successfully
used password is captured; the iteration count is decremented after
each successful login to keep the user and the login program in
sync. When the iteration count gets down to 1 S/Key must be
reinitialized.There are four programs involved in the S/Key system which we
will discuss below. The key program accepts an
iteration count, a seed, and a secret password, and generates a
one-time password. The keyinit program is used
to initialized S/Key, and to change passwords, iteration counts, or
seeds; it takes either a secret password, or an iteration count,
seed, and one-time password. The keyinfo program
examines the /etc/skeykeys file and prints out
the invoking user's current iteration count and seed. Finally, the
login and su programs contain
the necessary logic to accept S/Key one-time passwords for
authentication. The login program is also
capable of disallowing the use of Unix passwords on connections
coming from specified addresses.There are four different sorts of operations we will cover. The
first is using the keyinit program over a secure
connection to set up S/Key for the first time, or to change your
password or seed. The second operation is using the
keyinit program over an insecure connection, in
conjunction with the key program over a secure
connection, to do the same. The third is using the
key program to log in over an insecure
connection. The fourth is using the key program
to generate a number of keys which can be written down or printed
out to carry with you when going to some location without secure
connections to anywhere.Secure connection initializationTo initialize S/Key for the first time, change your password,
or change your seed while logged in over a secure connection
(e.g., on the console of a machine or via ssh), use the
keyinit command without any parameters while
logged in as yourself:&prompt.user; keyinit
Adding unfurl:
Reminder - Only use this method if you are directly connected.
If you are using telnet or rlogin exit with no password and use keyinit -s.
Enter secret password:
Again secret password:
ID unfurl s/key is 99 to17757
DEFY CLUB PRO NASH LACE SOFTAt the Enter secret password: prompt you
should enter a password or phrase. Remember, this is not the
password that you will use to login with, this is used to generate
your one-time login keys. The ID line gives the
parameters of your particular S/Key instance; your login name, the
iteration count, and seed. When logging in with S/Key, the system
will remember these parameters and present them back to you so you
do not have to remember them. The last line gives the particular
one-time password which corresponds to those parameters and your
secret password; if you were to re-login immediately, this
one-time password is the one you would use.Insecure connection initializationTo initialize S/Key or change your secret password over an
insecure connection, you will need to already have a secure
connection to some place where you can run the
key program; this might be in the form of a
desk accessory on a Macintosh, or a shell prompt on a machine you
trust. You will also need to make up an iteration count (100 is
probably a good value), and you may make up your own seed or use a
randomly-generated one. Over on the insecure connection (to the
machine you are initializing), use the keyinit
-s command:&prompt.user; keyinit -s
Updating unfurl:
Old key: to17758
Reminder you need the 6 English words from the key command.
Enter sequence count from 1 to 9999: 100
Enter new key [default to17759]:
s/key 100 to 17759
s/key access password:To accept the default seed (which the
keyinit program confusingly calls a
key), press return. Then before entering an
access password, move over to your secure connection or S/Key desk
accessory, and give it the same parameters:&prompt.user; key 100 to17759
Reminder - Do not use this program while logged in via telnet or rlogin.
Enter secret password: <secret password>
CURE MIKE BANE HIM RACY GORENow switch back over to the insecure connection, and copy the
one-time password generated by key over to the
keyinit program:s/key access password:CURE MIKE BANE HIM RACY GORE
ID unfurl s/key is 100 to17759
CURE MIKE BANE HIM RACY GOREThe rest of the description from the previous section applies
here as well.Generating a single one-time passwordOnce you've initialized S/Key, when you login you will be
presented with a prompt like this:&prompt.user; telnet example.com
Trying 10.0.0.1...
Connected to example.com
Escape character is '^]'.
FreeBSD/i386 (example.com) (ttypa)
login: <username>
s/key 97 fw13894
Password: As a side note, the S/Key prompt has a useful feature
(not shown here): if you press return at the password prompt, the
login program will turn echo on, so you can see what you are
typing. This can be extremely useful if you are attempting to
type in an S/Key by hand, such as from a printout. Also, if this
machine were configured to disallow Unix passwords over a
connection from the source machine, the prompt would have also included
the annotation (s/key required), indicating
that only S/Key one-time passwords will be accepted.MS-DOSWindowsMacOSAt this point you need to generate your one-time password to
answer this login prompt. This must be done on a trusted system
that you can run the key command on. (There
are versions of the key program for MS-DOS,
Windows and MacOS as well.) The key program
needs both the iteration count and the seed as command line
options. You can cut-and-paste these right from the login prompt
on the machine that you are logging in to.On the trusted system:&prompt.user; key 97 fw13894
Reminder - Do not use this program while logged in via telnet or rlogin.
Enter secret password:
WELD LIP ACTS ENDS ME HAAGNow that you have your one-time password you can continue
logging in:login: <username>
s/key 97 fw13894
Password: <return to enable echo>
s/key 97 fw13894
Password [echo on]: WELD LIP ACTS ENDS ME HAAG
Last login: Tue Mar 21 11:56:41 from 10.0.0.2 ... This is the easiest mechanism if you have
a trusted machine. There is a Java S/Key key
applet, The Java OTP
Calculator, that you can download and run locally on any
Java supporting browser.Generating multiple one-time passwordsSometimes you have to go places where you do not have
access to a trusted machine or secure connection. In this case,
it is possible to use the key command to
generate a number of one-time passwords before hand to be printed
out and taken with you. For example:&prompt.user; key -n 5 30 zz99999
Reminder - Do not use this program while logged in via telnet or rlogin.
Enter secret password: <secret password>
26: SODA RUDE LEA LIND BUDD SILT
27: JILT SPY DUTY GLOW COWL ROT
28: THEM OW COLA RUNT BONG SCOT
29: COT MASH BARR BRIM NAN FLAG
30: CAN KNEE CAST NAME FOLK BILKThe requests five keys in sequence, the
specifies what the last iteration number
should be. Note that these are printed out in
reverse order of eventual use. If you are
really paranoid, you might want to write the results down by hand;
otherwise you can cut-and-paste into lpr. Note
that each line shows both the iteration count and the one-time
password; you may still find it handy to scratch off passwords as
you use them.Restricting use of Unix passwordsRestrictions can be placed on the use of Unix passwords based
on the host name, user name, terminal port, or IP address of a
login session. These restrictions can be found in the
configuration file /etc/skey.access. The
&man.skey.access.5; manual page has more info on the complete
format of the file and also details some security cautions to be
aware of before depending on this file for security.If there is no /etc/skey.access file
(this is the FreeBSD default), then all users will be allowed to
use Unix passwords. If the file exists, however, then all users
will be required to use S/Key unless explicitly permitted to do
otherwise by configuration statements in the
skey.access file. In all cases, Unix
passwords are permitted on the console.Here is a sample configuration file which illustrates the
three most common sorts of configuration statements:permit internet 192.168.0.0 255.255.0.0
permit user fnord
permit port ttyd0The first line (permit internet) allows
users whose IP source address (which is vulnerable to spoofing)
matches the specified value and mask, to use Unix passwords. This
should not be considered a security mechanism, but rather, a means
to remind authorized users that they are using an insecure network
and need to use S/Key for authentication.The second line (permit user) allows the
specified username, in this case fnord, to use
Unix passwords at any time. Generally speaking, this should only
be used for people who are either unable to use the
key program, like those with dumb terminals, or
those who are uneducable.The third line (permit port) allows all
users logging in on the specified terminal line to use Unix
passwords; this would be used for dial-ups.KerberosKerberosContributed by &a.markm; (based on contribution by
&a.md;).Kerberos is a network add-on system/protocol that allows users to
authenticate themselves through the services of a secure server.
Services such as remote login, remote copy, secure inter-system file
copying and other high-risk tasks are made considerably safer and more
controllable.The following instructions can be used as a guide on how to set up
Kerberos as distributed for FreeBSD. However, you should refer to the
relevant manual pages for a complete description.4.4BSD-LiteIn FreeBSD, the Kerberos is not that from the original 4.4BSD-Lite,
distribution, but eBones, which had been previously ported to FreeBSD
1.1.5.1, and was sourced from outside the USA/Canada, and was thus
available to system owners outside those countries during the era
of restrictive export controls on cryptographic code from the USA.Creating the initial databaseThis is done on the Kerberos server only. First make sure that
you do not have any old Kerberos databases around. You should change
to the directory /etc/kerberosIV and check that
only the following files are present:&prompt.root; cd /etc/kerberosIV
&prompt.root; ls
README krb.conf krb.realmsIf any additional files (such as principal.*
or master_key) exist, then use the
kdb_destroy command to destroy the old Kerberos
database, of if Kerberos is not running, simply delete the extra
files.You should now edit the krb.conf and
krb.realms files to define your Kerberos realm.
In this case the realm will be GRONDAR.ZA and the
server is grunt.grondar.za. We edit or create
the krb.conf file:&prompt.root; cat krb.conf
GRONDAR.ZA
GRONDAR.ZA grunt.grondar.za admin server
CS.BERKELEY.EDU okeeffe.berkeley.edu
ATHENA.MIT.EDU kerberos.mit.edu
ATHENA.MIT.EDU kerberos-1.mit.edu
ATHENA.MIT.EDU kerberos-2.mit.edu
ATHENA.MIT.EDU kerberos-3.mit.edu
LCS.MIT.EDU kerberos.lcs.mit.edu
TELECOM.MIT.EDU bitsy.mit.edu
ARC.NASA.GOV trident.arc.nasa.govIn this case, the other realms do not need to be there. They are
here as an example of how a machine may be made aware of multiple
realms. You may wish to not include them for simplicity.The first line names the realm in which this system works. The
other lines contain realm/host entries. The first item on a line is a
realm, and the second is a host in that realm that is acting as a
key distribution center. The words admin
server following a hosts name means that host also
provides an administrative database server. For further explanation
of these terms, please consult the Kerberos man pages.Now we have to add grunt.grondar.za
to the GRONDAR.ZA realm and also add an entry to
put all hosts in the .grondar.za
domain in the GRONDAR.ZA realm. The
krb.realms file would be updated as
follows:&prompt.root; cat krb.realms
grunt.grondar.za GRONDAR.ZA
.grondar.za GRONDAR.ZA
.berkeley.edu CS.BERKELEY.EDU
.MIT.EDU ATHENA.MIT.EDU
.mit.edu ATHENA.MIT.EDUAgain, the other realms do not need to be there. They are here as
an example of how a machine may be made aware of multiple realms. You
may wish to remove them to simplify things.The first line puts the specific system into
the named realm. The rest of the lines show how to default systems of
a particular subdomain to a named realm.Now we are ready to create the database. This only needs to run
on the Kerberos server (or Key Distribution Center). Issue the
kdb_init command to do this:&prompt.root; kdb_initRealm name [default ATHENA.MIT.EDU ]:GRONDAR.ZA
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter Kerberos master key:Now we have to save the key so that servers on the local machine
can pick it up. Use the kstash command to do
this.&prompt.root; kstashEnter Kerberos master key:
Current Kerberos master key version is 1.
Master key entered. BEWARE!This saves the encrypted master password in
/etc/kerberosIV/master_key.Making it all runTwo principals need to be added to the database for
each system that will be secured with Kerberos.
Their names are kpasswd and rcmd
These two principals are made for each system, with the instance being
the name of the individual system.These daemons, kpasswd and
rcmd allow other systems to change Kerberos
passwords and run commands like rcp,
rlogin and rsh.Now let's add these entries:&prompt.root; kdb_edit
Opening database...
Enter Kerberos master key:
Current Kerberos master key version is 1.
Master key entered. BEWARE!
Previous or default values are in [brackets] ,
enter return to leave the same, or new value.
Principal name:passwdInstance:grunt
<Not found>, Create [y] ?y
Principal: passwd, Instance: grunt, kdc_key_ver: 1
New Password: <---- enter RANDOM here
Verifying password
New Password: <---- enter RANDOM here
Random password [y] ?y
Principal's new key version = 1
Expiration date (enter yyyy-mm-dd) [ 2000-01-01 ] ?Max ticket lifetime (*5 minutes) [ 255 ] ?Attributes [ 0 ] ?
Edit O.K.
Principal name:rcmdInstance:grunt
<Not found>, Create [y] ?
Principal: rcmd, Instance: grunt, kdc_key_ver: 1
New Password: <---- enter RANDOM here
Verifying password
New Password: <---- enter RANDOM here
Random password [y] ?
Principal's new key version = 1
Expiration date (enter yyyy-mm-dd) [ 2000-01-01 ] ?Max ticket lifetime (*5 minutes) [ 255 ] ?Attributes [ 0 ] ?
Edit O.K.
Principal name: <---- null entry here will cause an exitCreating the server fileWe now have to extract all the instances which define the services
on each machine. For this we use the ext_srvtab
command. This will create a file which must be copied or moved
by secure means to each Kerberos client's
/etc/kerberosIV directory. This file must be present on each server
and client, and is crucial to the operation of Kerberos.&prompt.root; ext_srvtab gruntEnter Kerberos master key:
Current Kerberos master key version is 1.
Master key entered. BEWARE!
Generating 'grunt-new-srvtab'....Now, this command only generates a temporary file which must be
renamed to srvtab so that all the server can pick
it up. Use the mv command to move it into place on
the original system:&prompt.root; mv grunt-new-srvtab srvtabIf the file is for a client system, and the network is not deemed
safe, then copy the
client-new-srvtab to
removable media and transport it by secure physical means. Be sure to
rename it to srvtab in the client's
/etc/kerberosIV directory, and make sure it is
mode 600:&prompt.root; mv grumble-new-srvtab srvtab
&prompt.root; chmod 600 srvtabPopulating the databaseWe now have to add some user entries into the database. First
let's create an entry for the user jane. Use the
kdb_edit command to do this:&prompt.root; kdb_edit
Opening database...
Enter Kerberos master key:
Current Kerberos master key version is 1.
Master key entered. BEWARE!
Previous or default values are in [brackets] ,
enter return to leave the same, or new value.
Principal name:janeInstance:
<Not found>, Create [y] ?y
Principal: jane, Instance: , kdc_key_ver: 1
New Password: <---- enter a secure password here
Verifying password
New Password: <---- re-enter the password here
Principal's new key version = 1
Expiration date (enter yyyy-mm-dd) [ 2000-01-01 ] ?Max ticket lifetime (*5 minutes) [ 255 ] ?Attributes [ 0 ] ?
Edit O.K.
Principal name: <---- null entry here will cause an exitTesting it all outFirst we have to start the Kerberos daemons. NOTE that if you
have correctly edited your /etc/rc.conf then this
will happen automatically when you reboot. This is only necessary on
the Kerberos server. Kerberos clients will automagically get what
they need from the /etc/kerberosIV
directory.&prompt.root; kerberos &
Kerberos server starting
Sleep forever on error
Log file is /var/log/kerberos.log
Current Kerberos master key version is 1.
Master key entered. BEWARE!
Current Kerberos master key version is 1
Local realm: GRONDAR.ZA
&prompt.root; kadmind -n &
KADM Server KADM0.0A initializing
Please do not use 'kill -9' to kill this job, use a
regular kill instead
Current Kerberos master key version is 1.
Master key entered. BEWARE!Now we can try using the kinit command to get a
ticket for the id jane that we created
above:&prompt.user; kinit jane
MIT Project Athena (grunt.grondar.za)
Kerberos Initialization for "jane"
Password:Try listing the tokens using klist to see if we
really have them:&prompt.user; klist
Ticket file: /tmp/tkt245
Principal: jane@GRONDAR.ZA
Issued Expires Principal
Apr 30 11:23:22 Apr 30 19:23:22 krbtgt.GRONDAR.ZA@GRONDAR.ZANow try changing the password using passwd to
check if the kpasswd daemon can get authorization to the Kerberos
database:&prompt.user; passwd
realm GRONDAR.ZA
Old password for jane:New Password for jane:
Verifying password
New Password for jane:
Password changed.Adding su privilegesKerberos allows us to give each user who
needs root privileges their own separatesupassword. We could now add an id which is
authorized to su to root.
This is controlled by having an instance of root
associated with a principal. Using kdb_edit we can
create the entry jane.root in the Kerberos
database:&prompt.root; kdb_edit
Opening database...
Enter Kerberos master key:
Current Kerberos master key version is 1.
Master key entered. BEWARE!
Previous or default values are in [brackets] ,
enter return to leave the same, or new value.
Principal name:janeInstance:root
<Not found>, Create [y] ? y
Principal: jane, Instance: root, kdc_key_ver: 1
New Password: <---- enter a SECURE password here
Verifying password
New Password: <---- re-enter the password here
Principal's new key version = 1
Expiration date (enter yyyy-mm-dd) [ 2000-01-01 ] ?Max ticket lifetime (*5 minutes) [ 255 ] ?12 <--- Keep this short!
Attributes [ 0 ] ?
Edit O.K.
Principal name: <---- null entry here will cause an exitNow try getting tokens for it to make sure it works:&prompt.root; kinit jane.root
MIT Project Athena (grunt.grondar.za)
Kerberos Initialization for "jane.root"
Password:Now we need to add the user to root's .klogin
file:&prompt.root; cat /root/.klogin
jane.root@GRONDAR.ZANow try doing the su:&prompt.user; suPassword:and take a look at what tokens we have:&prompt.root; klist
Ticket file: /tmp/tkt_root_245
Principal: jane.root@GRONDAR.ZA
Issued Expires Principal
May 2 20:43:12 May 3 04:43:12 krbtgt.GRONDAR.ZA@GRONDAR.ZAUsing other commandsIn an earlier example, we created a principal called
jane with an instance root.
This was based on a user with the same name as the principal, and this
is a Kerberos default; that a
<principal>.<instance> of the form
<username>.root will allow
that <username> to su to
root if the necessary entries are in the .klogin
file in root's home directory:&prompt.root; cat /root/.klogin
jane.root@GRONDAR.ZALikewise, if a user has in their own home directory lines of the
form:&prompt.user; cat ~/.klogin
jane@GRONDAR.ZA
jack@GRONDAR.ZAThis allows anyone in the GRONDAR.ZA realm
who has authenticated themselves to jane or
jack (via kinit, see above)
access to rlogin to jane's
account or files on this system (grunt) via
rlogin, rsh or
rcp.For example, Jane now logs into another system, using
Kerberos:&prompt.user; kinit
MIT Project Athena (grunt.grondar.za)
Password:
&prompt.user; rlogin grunt
Last login: Mon May 1 21:14:47 from grumble
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
The Regents of the University of California. All rights reserved.
FreeBSD BUILT-19950429 (GR386) #0: Sat Apr 29 17:50:09 SAT 1995Or Jack logs into Jane's account on the same machine (Jane having
set up the .klogin file as above, and the person
in charge of Kerberos having set up principal
jack with a null instance:&prompt.user; kinit
&prompt.user; rlogin grunt -l jane
MIT Project Athena (grunt.grondar.za)
Password:
Last login: Mon May 1 21:16:55 from grumble
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
The Regents of the University of California. All rights reserved.
FreeBSD BUILT-19950429 (GR386) #0: Sat Apr 29 17:50:09 SAT 1995FirewallsfirewallssecurityfirewallsContributed by &a.gpalmer; and Alex Nash.Firewalls are an area of increasing interest for people who are
connected to the Internet, and are even finding applications on private
networks to provide enhanced security. This section will hopefully
explain what firewalls are, how to use them, and how to use the
facilities provided in the FreeBSD kernel to implement them.People often think that having a firewall between your
internal network and the Big Bad Internet will solve all
your security problems. It may help, but a poorly setup firewall
system is more of a security risk than not having one at all. A
firewall can add another layer of security to your systems, but it
cannot stop a really determined cracker from penetrating your internal
network. If you let internal security lapse because you believe your
firewall to be impenetrable, you have just made the crackers job that
much easier.What is a firewall?There are currently two distinct types of firewalls in common use
on the Internet today. The first type is more properly called a
packet filtering router, where the kernel on a
multi-homed machine chooses whether to forward or block packets based
on a set of rules. The second type, known as a proxy
server, relies on daemons to provide authentication and to
forward packets, possibly on a multi-homed machine which has kernel
packet forwarding disabled.Sometimes sites combine the two types of firewalls, so that only a
certain machine (known as a bastion host) is
allowed to send packets through a packet filtering router onto an
internal network. Proxy services are run on the bastion host, which
are generally more secure than normal authentication
mechanisms.FreeBSD comes with a kernel packet filter (known as
IPFW), which is what the rest of this
section will concentrate on. Proxy servers can be built on FreeBSD
from third party software, but there is such a variety of proxy
servers available that it would be impossible to cover them in this
document.Packet filtering routersA router is a machine which forwards packets between two or more
networks. A packet filtering router has an extra piece of code in
its kernel which compares each packet to a list of rules before
deciding if it should be forwarded or not. Most modern IP routing
software has packet filtering code within it that defaults to
forwarding all packets. To enable the filters, you need to define a
set of rules for the filtering code so it can decide if the
packet should be allowed to pass or not.To decide whether a packet should be passed on, the code looks
through its set of rules for a rule which matches the contents of
this packets headers. Once a match is found, the rule action is
obeyed. The rule action could be to drop the packet, to forward the
packet, or even to send an ICMP message back to the originator.
Only the first match counts, as the rules are searched in order.
Hence, the list of rules can be referred to as a rule
chain.The packet matching criteria varies depending on the software
used, but typically you can specify rules which depend on the source
IP address of the packet, the destination IP address, the source
port number, the destination port number (for protocols which
support ports), or even the packet type (UDP, TCP, ICMP,
etc).Proxy serversProxy servers are machines which have had the normal system
daemons (telnetd, ftpd, etc) replaced with special servers. These
servers are called proxy servers as they
normally only allow onward connections to be made. This enables you
to run (for example) a proxy telnet server on your firewall host,
and people can telnet in to your firewall from the outside, go
through some authentication mechanism, and then gain access to the
internal network (alternatively, proxy servers can be used for
signals coming from the internal network and heading out).Proxy servers are normally more secure than normal servers, and
often have a wider variety of authentication mechanisms available,
including one-shot password systems so that even if
someone manages to discover what password you used, they will not be
able to use it to gain access to your systems as the password
instantly expires. As they do not actually give users access to the
host machine, it becomes a lot more difficult for someone to install
backdoors around your security system.Proxy servers often have ways of restricting access further, so
that only certain hosts can gain access to the servers, and often
they can be set up so that you can limit which users can talk to
which destination machine. Again, what facilities are available
depends largely on what proxy software you choose.What does IPFW allow me to do?ipfwIPFW, the software supplied with
FreeBSD, is a packet filtering and accounting system which resides in
the kernel, and has a user-land control utility,
&man.ipfw.8;. Together, they allow you to define and query the
rules currently used by the kernel in its routing decisions.There are two related parts to IPFW.
The firewall section allows you to perform packet filtering. There is
also an IP accounting section which allows you to track usage of your
router, based on similar rules to the firewall section. This allows
you to see (for example) how much traffic your router is getting from
a certain machine, or how much WWW (World Wide Web) traffic it is
forwarding.As a result of the way that IPFW is
designed, you can use IPFW on non-router
machines to perform packet filtering on incoming and outgoing
connections. This is a special case of the more general use of
IPFW, and the same commands and techniques
should be used in this situation.Enabling IPFW on FreeBSDipfwenablingAs the main part of the IPFW system
lives in the kernel, you will need to add one or more options to your
kernel configuration file, depending on what facilities you want, and
recompile your kernel. See reconfiguring
the kernel for more details on how to recompile your
kernel.There are currently three kernel configuration options relevant to
IPFW:options IPFIREWALLCompiles into the kernel the code for packet
filtering.options IPFIREWALL_VERBOSEEnables code to allow logging of packets through
&man.syslogd.8;. Without this option, even if you specify
that packets should be logged in the filter rules, nothing will
happen.options IPFIREWALL_VERBOSE_LIMIT=10Limits the number of packets logged through
&man.syslogd.8; on a per entry basis. You may wish to use
this option in hostile environments in which you want to log
firewall activity, but do not want to be open to a denial of
service attack via syslog flooding.When a chain entry reaches the packet limit specified,
logging is turned off for that particular entry. To resume
logging, you will need to reset the associated counter using the
&man.ipfw.8; utility:&prompt.root; ipfw zero 4500Where 4500 is the chain entry you wish to continue
logging.Previous versions of FreeBSD contained an
IPFIREWALL_ACCT option. This is now obsolete as
the firewall code automatically includes accounting
facilities.Configuring IPFWipfwconfiguringThe configuration of the IPFW software
is done through the &man.ipfw.8; utility. The syntax for this
command looks quite complicated, but it is relatively simple once you
understand its structure.There are currently four different command categories used by the
utility: addition/deletion, listing, flushing, and clearing.
Addition/deletion is used to build the rules that control how packets
are accepted, rejected, and logged. Listing is used to examine the
contents of your rule set (otherwise known as the chain) and packet
counters (accounting). Flushing is used to remove all entries from
the chain. Clearing is used to zero out one or more accounting
entries.Altering the IPFW rulesThe syntax for this form of the command is:
ipfw-NcommandindexactionlogprotocoladdressesoptionsThere is one valid flag when using this form of the
command:-NResolve addresses and service names in output.The command given can be shortened to the
shortest unique form. The valid commands
are:addAdd an entry to the firewall/accounting rule listdeleteDelete an entry from the firewall/accounting rule
listPrevious versions of IPFW used
separate firewall and accounting entries. The present version
provides packet accounting with each firewall entry.If an index value is supplied, it used to
place the entry at a specific point in the chain. Otherwise, the
entry is placed at the end of the chain at an index 100 greater than
the last chain entry (this does not include the default policy, rule
65535, deny).The log option causes matching rules to be
output to the system console if the kernel was compiled with
IPFIREWALL_VERBOSE.Valid actions are:rejectDrop the packet, and send an ICMP host or port unreachable
(as appropriate) packet to the source.allowPass the packet on as normal. (aliases:
pass and
accept)denyDrop the packet. The source is not notified via an
ICMP message (thus it appears that the packet never
arrived at the destination).countUpdate packet counters but do not allow/deny the packet
based on this rule. The search continues with the next chain
entry.Each action will be recognized by the
shortest unambiguous prefix.The protocols which can be specified
are:allMatches any IP packeticmpMatches ICMP packetstcpMatches TCP packetsudpMatches UDP packetsThe address specification is:fromaddress/maskporttoaddress/maskportvia interfaceYou can only specify port in
conjunction with protocols which support ports
(UDP and TCP).The is optional and may specify the IP
address or domain name of a local IP interface, or an interface name
(e.g. ed0) to match only packets coming
through this interface. Interface unit numbers can be specified
with an optional wildcard. For example, ppp*
would match all kernel PPP interfaces.The syntax used to specify an
address/mask is:
address
or
address/mask-bits
or
address:mask-patternA valid hostname may be specified in place of the IP address.
is a decimal
number representing how many bits in the address mask should be set.
e.g. specifying 192.216.222.1/24 will create a
mask which will allow any address in a class C subnet (in this case,
192.216.222) to be matched.
is an IP
address which will be logically AND'ed with the address given. The
keyword any may be used to specify any IP
address.The port numbers to be blocked are specified as:
port,port,port…
to specify either a single port or a list of ports, or
port-port
to specify a range of ports. You may also combine a single range
with a list, but the range must always be specified first.The options available are:fragMatches if the packet is not the first fragment of the
datagram.inMatches if the packet is on the way in.outMatches if the packet is on the way out.ipoptions specMatches if the IP header contains the comma separated list
of options specified in spec. The
supported list of IP options are: ssrr
(strict source route), lsrr (loose source
route), rr (record packet route), and
ts (time stamp). The absence of a
particular option may be denoted with a leading
!.establishedMatches if the packet is part of an already established
TCP connection (i.e. it has the RST or ACK bits set). You can
optimize the performance of the firewall by placing
established rules early in the
chain.setupMatches if the packet is an attempt to establish a TCP
connection (the SYN bit set is set but the ACK bit is
not).tcpflags flagsMatches if the TCP header contains the comma separated
list of flags. The supported flags
are fin, syn,
rst, psh,
ack, and urg. The
absence of a particular flag may be indicated by a leading
!.icmptypes typesMatches if the ICMP type is present in the list
types. The list may be specified
as any combination of ranges and/or individual types separated
by commas. Commonly used ICMP types are: 0
echo reply (ping reply), 3 destination
unreachable, 5 redirect,
8 echo request (ping request), and
11 time exceeded (used to indicate TTL
expiration as with &man.traceroute.8;).Listing the IPFW rulesThe syntax for this form of the command is:
ipfw-a-t-NlThere are three valid flags when using this form of the
command:-aWhile listing, show counter values. This option is the
only way to see accounting counters.-tDisplay the last match times for each chain entry. The
time listing is incompatible with the input syntax used by the
&man.ipfw.8; utility.-NAttempt to resolve given addresses and service
names.Flushing the IPFW rulesThe syntax for flushing the chain is:
ipfwflushThis causes all entries in the firewall chain to be removed
except the fixed default policy enforced by the kernel (index
65535). Use caution when flushing rules, the default deny policy
will leave your system cut off from the network until allow entries
are added to the chain.Clearing the IPFW packet countersThe syntax for clearing one or more packet counters is:
ipfwzeroindexWhen used without an index argument,
all packet counters are cleared. If an
index is supplied, the clearing operation
only affects a specific chain entry.Example commands for ipfwThis command will deny all packets from the host evil.crackers.org to the telnet port of the
host nice.people.org:&prompt.root ipfw add deny tcp from evil.crackers.org to nice.people.org 23The next example denies and logs any TCP traffic from the entire
crackers.org network (a class C) to
the nice.people.org machine (any
port).&prompt.root; ipfw add deny log tcp from evil.crackers.org/24 to nice.people.orgIf you do not want people sending X sessions to your internal
network (a subnet of a class C), the following command will do the
necessary filtering:&prompt.root; ipfw add deny tcp from any to my.org/28 6000 setupTo see the accounting records:
&prompt.root; ipfw -a list
or in the short form
&prompt.root; ipfw -a lYou can also see the last time a chain entry was matched
with:&prompt.root; ipfw -at lBuilding a packet filtering firewallThe following suggestions are just that: suggestions. The
requirements of each firewall are different and we cannot tell you
how to build a firewall to meet your particular requirements.When initially setting up your firewall, unless you have a test
bench setup where you can configure your firewall host in a controlled
environment, it is strongly recommend you use the logging version of the
commands and enable logging in the kernel. This will allow you to
quickly identify problem areas and cure them without too much
disruption. Even after the initial setup phase is complete, I
recommend using the logging for `deny' as it allows tracing of
possible attacks and also modification of the firewall rules if your
requirements alter.If you use the logging versions of the accept
command, it can generate large amounts of log
data as one log line will be generated for every packet that passes
through the firewall, so large FTP/http transfers, etc, will really
slow the system down. It also increases the latencies on those
packets as it requires more work to be done by the kernel before the
packet can be passed on. syslogd with also start using up a lot
more processor time as it logs all the extra data to disk, and it
could quite easily fill the partition /var/log
is located on.You should enable your firewall from
/etc/rc.conf.local or
/etc/rc.conf. The associated man page explains
which knobs to fiddle and lists some preset firewall configurations.
If you do not use a preset configuration, ipfw list
will output the current ruleset into a file that you can
pass to rc.conf. If you do not use
/etc/rc.conf.local or
/etc/rc.conf to enable your firewall,
it is important to make sure your firewall is enabled before
any IP interfaces are configured.
The next problem is what your firewall should actually
do! This is largely dependent on what access to
your network you want to allow from the outside, and how much access
to the outside world you want to allow from the inside. Some general
rules are:Block all incoming access to ports below 1024 for TCP. This is
where most of the security sensitive services are, like finger,
SMTP (mail) and telnet.Block all incoming UDP traffic. There
are very few useful services that travel over UDP, and what useful
traffic there is normally a security threat (e.g. Suns RPC and
NFS protocols). This has its disadvantages also, since UDP is a
connectionless protocol, denying incoming UDP traffic also blocks
the replies to outgoing UDP traffic. This can cause a problem for
people (on the inside) using external archie (prospero) servers.
If you want to allow access to archie, you'll have to allow
packets coming from ports 191 and 1525 to any internal UDP port
through the firewall. ntp is another service you may consider
allowing through, which comes from port 123.Block traffic to port 6000 from the outside. Port 6000 is the
port used for access to X11 servers, and can be a security threat
(especially if people are in the habit of doing xhost
+ on their workstations). X11 can actually use a
range of ports starting at 6000, the upper limit being how many X
displays you can run on the machine. The upper limit as defined
by RFC 1700 (Assigned Numbers) is 6063.Check what ports any internal servers use (e.g. SQL servers,
etc). It is probably a good idea to block those as well, as they
normally fall outside the 1-1024 range specified above.Another checklist for firewall configuration is available from
CERT at http://www.cert.org/tech_tips/packet_filtering.htmlAs stated above, these are only guidelines.
You will have to decide what filter rules you want to use on your
firewall yourself. We cannot accept ANY responsibility if someone
breaks into your network, even if you follow the advice given
above.OpenSSLsecurityOpenSSLOpenSSLAs of FreeBSD 4.0, the OpenSSL toolkit is a part of the base
system. OpenSSL
provides a general-purpose cryptography library, as well as the
Secure Sockets Layer v2/v3 (SSLv2/SSLv3) and Transport Layer
Security v1 (TLSv1) network security protocols.However, one of the algorithms (specifically IDEA)
included in OpenSSL is protected by patents in the USA and
elsewhere, and is not available for unrestricted use.
IDEA is included in the OpenSSL sources in FreeBSD, but it is not
built by default. If you wish to use it, and you comply with the
license terms, enable the MAKE_IDEA switch in /etc/make.conf and
rebuild your sources using 'make world'.Today, the RSA algorithm is free for use in USA and other
countries. In the past it was protected by a patent.OpenSSLinstallSource Code InstallationsOpenSSL is part of the src-crypto and
src-secure cvsup collections. See the Obtaining FreeBSD section for more
information about obtaining and updating FreeBSD source
code.IPsecIPsecsecurityIPsecContributed by &a.shin;, 5 March
2000.The IPsec mechanism provides secure communication either for IP
layer and socket layer communication. This section should
explain how to use them. For implementation details, please
refer to The
Developers' Handbook.The current IPsec implementation supports both transport mode
and tunnel mode. However, tunnel mode comes with some restrictions.
http://www.kame.net/newsletter/
has more comprehensive examples.Please be aware that in order to use this functionality, you
must have the following options compiled into your kernel:options IPSEC #IP security
options IPSEC_ESP #IP security (crypto; define w/IPSEC)Transport mode example with IPv4Let's setup security association to deploy a secure channel
between HOST A (10.2.3.4) and HOST B (10.6.7.8). Here we show a little
complicated example. From HOST A to HOST B, only old AH is used.
From HOST B to HOST A, new AH and new ESP are combined.Now we should choose algorithm to be used corresponding to
"AH"/"new AH"/"ESP"/"new ESP". Please refer to the &man.setkey.8; man
page to know algorithm names. Our choice is MD5 for AH, new-HMAC-SHA1
for new AH, and new-DES-expIV with 8 byte IV for new ESP.Key length highly depends on each algorithm. For example, key
length must be equal to 16 bytes for MD5, 20 for new-HMAC-SHA1,
and 8 for new-DES-expIV. Now we choose "MYSECRETMYSECRET",
"KAMEKAMEKAMEKAMEKAME", "PASSWORD", respectively.OK, let's assign SPI (Security Parameter Index) for each protocol.
Please note that we need 3 SPIs for this secure channel since three
security headers are produced (one for from HOST A to HOST B, two for
from HOST B to HOST A). Please also note that SPI MUST be greater
than or equal to 256. We choose, 1000, 2000, and 3000, respectively.
(1)
HOST A ------> HOST B
(1)PROTO=AH
ALG=MD5(RFC1826)
KEY=MYSECRETMYSECRET
SPI=1000
(2.1)
HOST A <------ HOST B
<------
(2.2)
(2.1)
PROTO=AH
ALG=new-HMAC-SHA1(new AH)
KEY=KAMEKAMEKAMEKAMEKAME
SPI=2000
(2.2)
PROTO=ESP
ALG=new-DES-expIV(new ESP)
IV length = 8
KEY=PASSWORD
SPI=3000
Now, let's setup security association. Execute &man.setkey.8;
on both HOST A and B:
&prompt.root; setkey -c
add 10.2.3.4 10.6.7.8 ah-old 1000 -m transport -A keyed-md5 "MYSECRETMYSECRET" ;
add 10.6.7.8 10.2.3.4 ah 2000 -m transport -A hmac-sha1 "KAMEKAMEKAMEKAMEKAME" ;
add 10.6.7.8 10.2.3.4 esp 3000 -m transport -E des-cbc "PASSWORD" ;
^D
Actually, IPsec communication doesn't process until security policy
entries will be defined. In this case, you must setup each host.
At A:
&prompt.root; setkey -c
spdadd 10.2.3.4 10.6.7.8 any -P out ipsec
ah/transport/10.2.3.4-10.6.7.8/require ;
^D
At B:
&prompt.root; setkey -c
spdadd 10.6.7.8 10.2.3.4 any -P out ipsec
esp/transport/10.6.7.8-10.2.3.4/require ;
spdadd 10.6.7.8 10.2.3.4 any -P out ipsec
ah/transport/10.6.7.8-10.2.3.4/require ;
^D
HOST A --------------------------------------> HOST E
10.2.3.4 10.6.7.8
| |
========== old AH keyed-md5 ==========>
<========= new AH hmac-sha1 ===========
<========= new ESP des-cbc ============
Transport mode example with IPv6Another example using IPv6.ESP transport mode is recommended for TCP port number 110 between
Host-A and Host-B.
============ ESP ============
| |
Host-A Host-B
fec0::10 -------------------- fec0::11
Encryption algorithm is blowfish-cbc whose key is "kamekame", and
authentication algorithm is hmac-sha1 whose key is "this is the test
key". Configuration at Host-A:
&prompt.root; setkey -c <<EOF
spdadd fec0::10[any] fec0::11[110] tcp -P out ipsec
esp/transport/fec0::10-fec0::11/use ;
spdadd fec0::11[110] fec0::10[any] tcp -P in ipsec
esp/transport/fec0::11-fec0::10/use ;
add fec0::10 fec0::11 esp 0x10001
-m transport
-E blowfish-cbc "kamekame"
-A hmac-sha1 "this is the test key" ;
add fec0::11 fec0::10 esp 0x10002
-m transport
-E blowfish-cbc "kamekame"
-A hmac-sha1 "this is the test key" ;
EOF
and at Host-B:&prompt.root; setkey -c <<EOF
spdadd fec0::11[110] fec0::10[any] tcp -P out ipsec
esp/transport/fec0::11-fec0::10/use ;
spdadd fec0::10[any] fec0::11[110] tcp -P in ipsec
esp/transport/fec0::10-fec0::11/use ;
add fec0::10 fec0::11 esp 0x10001 -m transport
-E blowfish-cbc "kamekame"
-A hmac-sha1 "this is the test key" ;
add fec0::11 fec0::10 esp 0x10002 -m transport
-E blowfish-cbc "kamekame"
-A hmac-sha1 "this is the test key" ;
EOF
Note the direction of SP.Tunnel mode example with IPv4Tunnel mode between two security gatewaysSecurity protocol is old AH tunnel mode, i.e. specified by
RFC1826, with keyed-md5 whose key is "this is the test" as
authentication algorithm.
======= AH =======
| |
Network-A Gateway-A Gateway-B Network-B
10.0.1.0/24 ---- 172.16.0.1 ----- 172.16.0.2 ---- 10.0.2.0/24
Configuration at Gateway-A:
&prompt.root; setkey -c <<EOF
spdadd 10.0.1.0/24 10.0.2.0/24 any -P out ipsec
ah/tunnel/172.16.0.1-172.16.0.2/require ;
spdadd 10.0.2.0/24 10.0.1.0/24 any -P in ipsec
ah/tunnel/172.16.0.2-172.16.0.1/require ;
add 172.16.0.1 172.16.0.2 ah-old 0x10003 -m any
-A keyed-md5 "this is the test" ;
add 172.16.0.2 172.16.0.1 ah-old 0x10004 -m any
-A keyed-md5 "this is the test" ;
EOF
If port number field is omitted such above then "[any]" is
employed. `-m' specifies the mode of SA to be used. "-m any" means
wild-card of mode of security protocol. You can use this SA for both
tunnel and transport mode.and at Gateway-B:
&prompt.root; setkey -c <<EOF
spdadd 10.0.2.0/24 10.0.1.0/24 any -P out ipsec
ah/tunnel/172.16.0.2-172.16.0.1/require ;
spdadd 10.0.1.0/24 10.0.2.0/24 any -P in ipsec
ah/tunnel/172.16.0.1-172.16.0.2/require ;
add 172.16.0.1 172.16.0.2 ah-old 0x10003 -m any
-A keyed-md5 "this is the test" ;
add 172.16.0.2 172.16.0.1 ah-old 0x10004 -m any
-A keyed-md5 "this is the test" ;
EOF
Making SA bundle between two security gatewaysAH transport mode and ESP tunnel mode is required between
Gateway-A and Gateway-B. In this case, ESP tunnel mode is applied first,
and AH transport mode is next.
========== AH =========
| ======= ESP ===== |
| | | |
Network-A Gateway-A Gateway-B Network-B
fec0:0:0:1::/64 --- fec0:0:0:1::1 ---- fec0:0:0:2::1 --- fec0:0:0:2::/64
Tunnel mode example with IPv6Encryption algorithm is 3des-cbc, and authentication algorithm
for ESP is hmac-sha1. Authentication algorithm for AH is hmac-md5.
Configuration at Gateway-A:
&prompt.root; setkey -c <<EOF
spdadd fec0:0:0:1::/64 fec0:0:0:2::/64 any -P out ipsec
esp/tunnel/fec0:0:0:1::1-fec0:0:0:2::1/require
ah/transport/fec0:0:0:1::1-fec0:0:0:2::1/require ;
spdadd fec0:0:0:2::/64 fec0:0:0:1::/64 any -P in ipsec
esp/tunnel/fec0:0:0:2::1-fec0:0:0:1::1/require
ah/transport/fec0:0:0:2::1-fec0:0:0:1::1/require ;
add fec0:0:0:1::1 fec0:0:0:2::1 esp 0x10001 -m tunnel
-E 3des-cbc "kamekame12341234kame1234"
-A hmac-sha1 "this is the test key" ;
add fec0:0:0:1::1 fec0:0:0:2::1 ah 0x10001 -m transport
-A hmac-md5 "this is the test" ;
add fec0:0:0:2::1 fec0:0:0:1::1 esp 0x10001 -m tunnel
-E 3des-cbc "kamekame12341234kame1234"
-A hmac-sha1 "this is the test key" ;
add fec0:0:0:2::1 fec0:0:0:1::1 ah 0x10001 -m transport
-A hmac-md5 "this is the test" ;
EOF
Making SAs with the different endESP tunnel mode is required between Host-A and Gateway-A. Encryption
algorithm is cast128-cbc, and authentication algorithm for ESP is
hmac-sha1. ESP transport mode is recommended between Host-A and Host-B.
Encryption algorithm is rc5-cbc, and authentication algorithm for ESP is
hmac-md5.
================== ESP =================
| ======= ESP ======= |
| | | |
Host-A Gateway-A Host-B
fec0:0:0:1::1 ---- fec0:0:0:2::1 ---- fec0:0:0:2::2
Configuration at Host-A:
&prompt.root; setkey -c <<EOF
spdadd fec0:0:0:1::1[any] fec0:0:0:2::2[80] tcp -P out ipsec
esp/transport/fec0:0:0:1::1-fec0:0:0:2::2/use
esp/tunnel/fec0:0:0:1::1-fec0:0:0:2::1/require ;
spdadd fec0:0:0:2::1[80] fec0:0:0:1::1[any] tcp -P in ipsec
esp/transport/fec0:0:0:2::2-fec0:0:0:l::1/use
esp/tunnel/fec0:0:0:2::1-fec0:0:0:1::1/require ;
add fec0:0:0:1::1 fec0:0:0:2::2 esp 0x10001
-m transport
-E cast128-cbc "12341234"
-A hmac-sha1 "this is the test key" ;
add fec0:0:0:1::1 fec0:0:0:2::1 esp 0x10002
-E rc5-cbc "kamekame"
-A hmac-md5 "this is the test" ;
add fec0:0:0:2::2 fec0:0:0:1::1 esp 0x10003
-m transport
-E cast128-cbc "12341234"
-A hmac-sha1 "this is the test key" ;
add fec0:0:0:2::1 fec0:0:0:1::1 esp 0x10004
-E rc5-cbc "kamekame"
-A hmac-md5 "this is the test" ;
EOF
OpenSSHOpenSSHsecurityOpenSSHContributed by &a.chern;, April 21,
2001.Secure shell is a set of network connectivity tools used to
access remote machines securely. It can be used as a direct
replacement for rlogin,
rsh, rcp, and
telnet. Additionally, any other TCP/IP
connections can be tunneled/forwarded securely through ssh.
ssh encrypts all traffic to effectively eliminate eavesdropping,
connection hijacking, and other network-level attacks.OpenSSH is maintained by the OpenBSD project, and is based
upon SSH v1.2.12 with all the recent bug fixes and updates. It
is compatible with both SSH protocols 1 and 2. OpenSSH has been
in the base system since FreeBSD 4.0.Advantages of using OpenSSHNormally, when using &man.telnet.1; or &man.rlogin.1;,
data is sent over the network in an clear, un-encrypted form.
Network sniffers anywhere in between the client and server can
steal your user/password information or data transferred in
your session. OpenSSH offers a variety of authentication and
encryption methods to prevent this from happening.Enabling sshdOpenSSHenablingBe sure to make the following additions to your
rc.conf file:
sshd_enable="YES"This will load the ssh daemon the next time your system
initializes. Alternatively, you can simply run the
sshd daemon.SSH clientOpenSSHclientThe &man.ssh.1; utility works similarly to
&man.rlogin.1;.
&prompt.root ssh user@foobardomain.com
Host key not found from the list of known hosts.
Are you sure you want to continue connecting (yes/no)? yes
Host 'foobardomain.com' added to the list of known hosts.
user@foobardomain.com's password: *******The login will continue just as it would have if a session was
created using rlogin or telnet. SSH utilizes a key fingerprint
system for verifying the authenticity of the server when the
client connects. The user is prompted to enter 'yes' only during
the first time connecting. Future attempts to login are all
verified against the saved fingerprint key. The SSH client
will alert you if the saved fingerprint differs from the
received fingerprint on future login attempts. The fingerprints
are saved in ~/.ssh/known_hostsSecure copyOpenSSHsecure copyscpThe scp command works similarly to rcp;
it copies a file to or from a remote machine, except in a
secure fashion.&prompt.root scp user@foobardomain.com:/COPYRIGHT COPYRIGHT
user@foobardomain.com's password:
COPYRIGHT 100% |*****************************| 4735
00:00
&prompt.rootSince the fingerprint was already saved for this host in the
previous example, it is verified when using scp
here.
ConfigurationOpenSSHconfigurationThe system-wide configuration files for both the OpenSSH
daemon and client reside within the /etc/ssh
directory.
ssh_config configures the client
settings, while sshd_config configures the
daemon.
ssh-keygenInstead of using passwords, &man.ssh-keygen.1; can
be used to generate RSA keys to authenticate a user.
&prompt.user ssh-keygen
Initializing random number generator...
Generating p: .++ (distance 66)
Generating q: ..............................++ (distance 498)
Computing the keys...
Key generation complete.
Enter file in which to save the key (/home/user/.ssh/identity):
Enter passphrase:
Enter the same passphrase again:
Your identification has been saved in /home/user/.ssh/identity.
...&man.ssh-keygen.1; will create a public and private
key pair for use in authentication. The private key is stored in
~/.ssh/identity, whereas the public key is
stored in ~/.ssh/identity.pub. The public
key must be placed in ~/.ssh/authorized_keys
of the remote machine in order for the setup to work.
This will allow connection to the remote machine based upon
RSA authentication instead of passwords.If a passphrase is used in &man.ssh-keygen.1;, the user
will be prompted for a password each time in order to use the private
key.&man.ssh-agent.1; and &man.ssh-add.1; are
utilities used in managing multiple passworded private keys.
SSH TunnelingOpenSSHtunnelingOpenSSH has the ability to create a tunnel to encapsulate
another protocol in an encrypted session.The following command tells &man.ssh.1; to create a tunnel
for telnet.&prompt.user; ssh -2 -N -f -L 5023:localhost:23 user@foo.bar.com
&prompt.user;-2 this forces &man.ssh.1 to use version
2 of the protocol. (Do not use if you are working with older ssh
servers)-N indicates no command, or tunnel only.
If omitted, &man.ssh.1; would initiate a normal session.-f forces &man.ssh.1; to run
in the background.-L indicates a local tunnel in
localport:localhost:remoteport fashion.
foo.bar.com is the remote/target
SSH server.
An SSH tunnel works by creating a listen socket on the specified
local host and port. It then forwards any connection to the local
host/port via the SSH connection to the remote machine on the
specified remote port.
In the example, port 5023 on localhost
is being forwarded to port 23 on the remote
machine. Since 23 is telnet, this would
create a secure telnet session through an SSH tunnel.
This can be used to wrap any number of insecure TCP protocols
such as smtp, pop3, ftp, etc.
A typical SSH Tunnel&prompt.user; ssh -2 -N -f -L 5025:localhost:25 user@mailserver.foobar.com
user@mailserver.foobar.com's password: *****
&prompt.user; telnet localhost 5025
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 mailserver.foobar.com ESMTPThis can be used in conjunction with an &man.ssh-keygen.1;
and additional user accounts to create a more seamless/hassle-free
SSH tunneling environment. Keys can be used in place of typing
a password, and the tunnels can be run as a separate user.
Further ReadingOpenSSH&man.ssh.1; &man.scp.1; &man.ssh-keygen.1;
&man.ssh-agent.1; &man.ssh-add.1;&man.sshd.8; &man.sftp-server.8;
diff --git a/en_US.ISO8859-1/books/handbook/users/chapter.sgml b/en_US.ISO8859-1/books/handbook/users/chapter.sgml
index ba5e97f082..220eaf12e8 100644
--- a/en_US.ISO8859-1/books/handbook/users/chapter.sgml
+++ b/en_US.ISO8859-1/books/handbook/users/chapter.sgml
@@ -1,850 +1,850 @@
NeilsBlakey-MilnerContributedUsers and Basic Account ManagementSynopsisAll access to the system is achieved via accounts, and all
processes are run by users, so user and account management are
of integral importance on FreeBSD systems.There are three main types of accounts; the Superuser, system users, and user accounts. The Superuser
account, usually called root, is used to
manage the system with no limitations on privileges. System
users run services. Finally, user accounts are used by real
people, who log on, read mail, and so forth.The Superuser Accountaccountssuperuser (root)The superuser account, usually called
root, comes preconfigured to facilitate
system administration, and should not be used for day-to-day
tasks like sending and receiving mail, general exploration of
the system, or programming.This is because the superuser, unlike normal user accounts,
can operate without limits, and misuse of the superuser account
may result in spectacular disasters. User accounts are unable
to destroy the system by mistake, so it is generally best to use
normal user accounts whenever possible, unless you especially
need the extra privilege.You should always double and triple-check commands you issue
as the superuser, since an extra space or missing character can
mean irreparable data loss.So, the first thing you should do after reading this
chapter, is to create an unprivileged user account for yourself
for general usage, if you haven't already. This applies equally
whether you're running a multi-user or single-user machine.
Later in this chapter, we discuss how to create additional
accounts, and how to change between the normal user and
superuser.System AccountsaccountssystemSystem users are those used to run services such as DNS,
mail, web servers, and so forth. The reason for this is
security; if all services ran as the superuser, they could
act without restriction.accountsdaemonaccountsoperatorExamples of system users are daemon,
operator, bind (for
the Domain Name Service), and news. Often
sysadmins create httpd to run web servers
they install.accountsnobodynobody is the generic unprivileged
system user. However, it's important to keep in mind that the
more services that use nobody, the more
files and processes that user will become associated with, and
hence the more privileged that user becomes.User AccountsaccountsuserUser accounts are the primary means of access for real
people to the system, and these accounts insulate the user and
the environment, preventing the users from damaging the system
or other users, and allowing users to customize their
environment without affecting others.Every person accessing your system should have a unique user
account. This allows you to find out who is doing what, prevent
people from clobbering each others' settings or reading each
others' mail, and so forth.Each user can set up their own environment to accommodate
their use of the system, by using alternate shells, editors, key
bindings, and language.Modifying Accountsaccountsmodifyingpw is a powerful and flexible
tool to modify all aspects of user accounts. For most tasks
however, adduser and
rmuser are recommended to add and
remove accounts respectively.chpass allows both the system
administrator and normal users to adjust passwords, shells, and
personal information. If you are only interested in changing a
password then the passwd command is
usually quicker.adduseraccountsaddingadduser/usr/share/skelskeleton directoryadduser is a simple program for
adding new users. It creates entries in the system
passwd and group
files. It will also create a home directory for the new user,
copy in the default configuration files ("dotfiles") from
/usr/share/skel, and can optionally mail
the new user a welcome message.To create the initial configuration file, use
adduser -s -config_create.
The makes adduser
default to
quiet. We use later when we want to
change defaults.
Next, we configure adduser
defaults, and create our first user account, since using
root for normal usage is evil and
nasty.Configuring adduser&prompt.root; adduser -v
Use option ``-silent'' if you don't want to see all warnings and questions.
Check /etc/shells
Check /etc/master.passwd
Check /etc/group
Enter your default shell: csh date no sh tcsh [sh]: zsh
Your default shell is: tcsh -> /usr/local/bin/zsh
Enter your default HOME partition: [/home]:
Copy dotfiles from: /usr/share/skel no [/usr/share/skel]:
Send message from file: /etc/adduser.message no
[/etc/adduser.message]: no
Do not send message
Use passwords (y/n) [y]: y
Write your changes to /etc/adduser.conf? (y/n) [n]: y
Ok, let's go.
Don't worry about mistakes. I will give you the chance later to correct any input.
Enter username [a-z0-9_-]: jru
Enter full name []: J. Random User
Enter shell csh date no sh tcsh zsh [zsh]:
Enter home directory (full path) [/home/jru]:
Uid [1001]:
Enter login class: default []:
Login group jru [jru]:
Login group is ``jru''. Invite jru into other groups: guest no
[no]: wheel
Enter password []:
Enter password again []:
Name: jru
Password: ****
Fullname: J. Random User
Uid: 1007
Gid: 1007 (jru)
Class:
Groups: jru wheel
HOME: /home/jru
Shell: /usr/local/bin/zsh
OK? (y/n) [y]: y
Added user ``jru''
Copy files from /usr/share/skel to /home/jru
Add another user? (y/n) [y]: n
Goodbye!
&prompt.root;In summary, we changed the default shell to
zsh (an additional shell found in
packages), and turned off the sending of a welcome mail to
added users. We then saved the configuration, and then
created an account for jru, and we made
sure jru is in wheel
group (which we'll see is important later).The password you type in isn't echoed, nor are asterisks
- displayed. Make sure you don't mistype the password twice
- :-)
+ displayed. Make sure you don't mistype the password twice.
+
Just use adduser without arguments
from now on, and you won't have to go through changing the
defaults. If the program asks you to change the defaults,
exit the program, and try the
option.rmuserrmuseraccountsremovingYou can use rmuser to
completely remove a user from the system.
rmuser performs the following
steps:Removes the user's &man.crontab.1; entry (if
any).Removes any &man.at.1; jobs belonging to the
user.Kills all processes owned by the user.Removes the user from the system's local password
file.Removes the user's home directory (if it is owned by
the user).Removes the incoming mail files belonging to the user
from /var/mail.Removes all files owned by the user from temporary
file storage areas such as /tmp.Finally, removes the username from all groups to which
it belongs in /etc/group.
If a group becomes empty and the group name is the
same as the username, the group is removed; this
complements the per-user unique groups created by
&man.adduser.8;.rmuser can't be used to remove
superuser accounts, since that is almost always an indication
of massive destruction.By default, an interactive mode is used, which attempts to
make sure you know what you're doing.rmuser interactive account removal&prompt.root; rmuser jru
Matching password entry:
jru:*:1000:1000::0:0:J. Random User:/home/jru:/usr/local/bin/tcsh
Is this the entry you wish to remove? y
Remove user's home directory (/home/jru)? y
Updating password file, updating databases, done.
Updating group file: trusted (removing group jru -- personal group is empty) done.
Removing user's incoming mail file /var/mail/jru: done.
Removing files belonging to jru from /tmp: done.
Removing files belonging to jru from /var/tmp: done.
Removing files belonging to jru from /var/tmp/vi.recover: done.
&prompt.root;pwpwpw is a command line utility to
create, remove, modify, and display users and groups, and functions
as an editor of the system user and group files. This section
describes its use for users; the Groups section below describes its
use for groups.It is designed to be useful both as a directly executed
command and for use from shell scripts.For detailed information, please see &man.pw.8;.chpasschpasschpass changes user database
information such as passwords, shells, and personal
information.Only system administrators, as the superuser, may change
other users' information and passwords with
chpass.When passed no options, aside from an optional username,
chpass displays an editor
containing user information. When the user exists from the
editor, the user database is updated with the new
information.Interactive chpass by Superuser#Changing user database information for jru.
Login: jru
Password: *
Uid [#]: 1000
Gid [# or name]: 1000
Change [month day year]:
Expire [month day year]:
Class:
Home directory: /home/jru
Shell: /usr/local/bin/tcsh
Full Name: J. Random User
Office Location:
Office Phone:
Home Phone:
Other information:The normal user can change only a small subsection of this
information, and only for themselves.Interactive chpass by Normal User#Changing user database information for jru.
Shell: /usr/local/bin/tcsh
Full Name: J. Random User
Office Location:
Office Phone:
Home Phone:
Other information:chfn and chsh are
just links to chpass, as
are ypchpass,
ypchfn, and
ypchsh. NIS support is automatic, so
specifying the yp before the command is
not necessary.passwdpasswdaccountschanging passwordpasswd is the usual way to
change your own password as a user, or another user's password
as the superuser.Users must type in their original password before
changing their password, to prevent an unauthorized person
from changing their password when the user is away from
their console.Changing your password&prompt.user; passwd
Changing local password for jru.
Old password:
New password:
Retype new password:
passwd: updating the database...
passwd: doneChanging another user's password as the superuser&prompt.root; passwd jru
Changing local password for jru.
New password:
Retype new password:
passwd: updating the database...
passwd: doneyppasswd is just a link to
passwd. NIS support is automatic, so
specifying the yp before the command is
not necessary.Limiting Userslimiting usersuserslimiting (see limiting users)If you run a multi-user system, chances are that you do not trust
all of your users not to damage your system. FreeBSD provides a
number of ways a system administrator can limit the amount of system
resources an individual user can use. These limits are generally
divided into two sections: disk quotas, and other resources
limits.quotaslimiting usersquotasdisk quotasDisk quotas are a way for the system administrator to tell the
filesystem the amount of disk space a user may use; moreover, they
provide a way to quickly check on the disk usage of a user without
having to calculate it every time. Quotas are discussed in .The other resource limits include ways to limit the amount of
CPU, memory, and other resources a user may consume. These are
defined using login classes and are discussed here./etc/login.confLogin classes are defined in
/etc/login.conf. The precise semantics are
beyond the scope of this section, but are described in detail in the
&man.login.conf.5; manual page. It is sufficient to say that each
user is assigned to a login class (default by
default), and that each login class has a set of login capabilities
associated with it. A login capability is a
name=value
pair, where name is a well-known
identifier and value is an arbitrary
string processed accordingly depending on the name. Setting up login
classes and capabilities is rather straight-forward, and is also
described in &man.login.conf.5;.Resource limits are different from plain vanilla login
capabilities in two ways. First, for every limit, there is a soft
(current) and hard limit. A soft limit may be adjusted by the user
or application, but may be no higher than the hard limit. The latter
may be lowered by the user, but never raised. Second, most resource
limits apply per process to a specific user, not the user as a whole.
Note, however, that these differences are mandated by the specific
handling of the limits, not by the implementation of the login
capability framework (i.e., they are not really
a special case of login capabilities).And so, without further ado, below are the most commonly used
resource limits (the rest, along with all the other login
capabilities, may be found in &man.login.conf.5;).coredumpsizecoredumpsizelimiting userscoredumpsizeThe limit on the size of a core file generated by a program
is, for obvious reasons, subordinate to other limits on disk
usage (e.g., filesize, or disk quotas).
Nevertheless, it is often used as a less-severe method of
controlling disk space consumption: since users do not generate
core files themselves, and often do not delete them, setting this
may save them from running out of disk space should a large
program (e.g., emacs) crash.cputimecputimelimiting userscputimeThis is the maximum amount of CPU time a user's process may
consume. Offending processes will be killed by the kernel.
This is a limit on CPU time
consumed, not percentage of the CPU as displayed in some
fields by &man.top.1; and &man.ps.1;. A limit on the
latter is, at the time of this writing, not possible, and
would be rather useless: a compiler—probably a
legitimate task—can easily use almost 100% of a CPU
for some time.filesizefilesizelimiting usersfilesizeThis is the maximum size of a file the user may possess.
Unlike disk quotas, this limit is
enforced on individual files, not the set of all files a user
owns.maxprocmaxproclimiting usersmaxprocThis is the maximum number of processes a user may be
running. This includes foreground and background processes
alike. For obvious reasons, this may not be larger than the
system limit specified by the kern.maxprocsysctl. Also note that setting this
too small may hinder a
user's productivity: it is often useful to be logged in
multiple times or execute pipelines. Some tasks, such as
compiling a large program, also spawn multiple processes (e.g.,
&man.make.1;, &man.cc.1;, and other intermediate
preprocessors).memorylockedmemorylockedlimiting usersmemorylockedThis is the maximum amount a memory a process may have
requested to be locked into main memory (e.g., see
&man.mlock.2;). Some system-critical programs, such as
&man.amd.8;, do this so that their getting swapped out does not
contribute to a system's thrashing in time of trouble.memoryusememoryuselimiting usersmemoryuseThis is the maximum amount of memory a process may consume
at any given time. It includes both core memory and swap
usage. This is not a catch-all limit for restricting memory
consumption, but it is a good start.openfilesopenfileslimiting usersopenfilesThis is the maximum amount of files a process may have
open. In FreeBSD, files are also used to represent sockets and
IPC channels; thus, be careful not to set this too low. The
system-wide limit for this is defined by the
kern.maxfilessysctl.sbsizesbsizelimiting userssbsizeThis is the limit on the amount of network memory, and thus
mbufs, a user may consume. This originated as a response to an
old DoS attack by creating a lot of sockets, but can be
generally used to limit network communications.stacksizestacksizelimiting usersstacksizeThis is the maximum size a process' stack may grow to.
This alone is not sufficient to limit the amount of memory a
program may use; consequently, it should be used in conjunction
with other limits.There are a few other things to remember when setting resource
limits. Following are some general tips, suggestions, and
miscellaneous comments.Processes started at system startup by
/etc/rc are assigned to the
daemon login class.Although the /etc/login.conf that comes
with the system is a good source of reasonable values for most
limits, only you, the administrator, can know what is appropriate
for your system. Setting a limit too high may open your system
up to abuse, while setting it too low may put a strain on
productivity.Users of the X Window System (X11) should probably be granted
more resources than other users. X11 by itself takes a lot of
resources, but it also encourages users to run more programs
simultaneously.Remember that many limits apply to individual processes, not
the user as a whole. For example, setting
openfiles to 50 means
that each process the user runs may open up to 50 files. Thus,
the gross amount of files a user may open is the value of
openfiles multiplied by the value of
maxproc. This also applies to memory
consumption.For further information on resource limits and login classes and
capabilities in general, please consult the relevant manual pages:
&man.cap.mkdb.1;, &man.getrlimit.2;, &man.login.conf.5;.Personalizing UsersLocalization is an environment set up by the system
administrator or user to accommodate different languages,
character sets, date and time standards, and so on. This is
discussed in the localization
chapter.Groupsgroups/etc/groupsaccountsgroupsA group is simply a list of users. Groups are identified by
their group name and gid (group ID). In FreeBSD (and most other Unix
systems), the two factors the kernel uses to decide whether a process
is allowed to do something is its user ID and list of groups it
belongs to. Unlike a user ID, a process has a list of groups
associated with it. You may hear some things refer to the "group ID"
of a user or process; most of the time, this just means the first
group in the list.The group name to group ID map is in
/etc/group. This is a plain text file with four
colon-delimited fields. The first fields is the group name, the
second is the encrypted password, the third the group ID, and the
fourth the comma-delimited list of members. It can safely be edited
by hand (assuming, of course, that you don't make any syntax
errors!). For a more complete description of the syntax, see the
&man.group.5; manual page.If you don't want to edit /etc/group
manually, you can use the &man.pw.8; command to add and edit groups.
For example, to add a group called teamtwo and
then confirm that it exists you can use:Adding a group using &man.pw.8;&prompt.root; pw groupadd teamtwo
&prompt.root; pw groupshow teamtwo
teamtwo:*:1100:The number 1100 above is the group ID of the
group teamtwo. Right now,
teamtwo has no members, and is thus rather
useless. Let's change that by inviting jru to
the teamtwo group.Adding somebody to a group using &man.pw.8;&prompt.root; pw groupmod teamtwojru
&prompt.root; pw groupshow teamtwo
teamtwo:*:1100:jruThe argument to the option is a
comma-delimited list of users who are members of the group. From the
preceding sections, we know that the password file also contains a
group for each user. The latter (the user) is automatically added to
the group list by the system; the user will not show up as a member
when using the groupshow command to &man.pw.8;,
but will show up when the information is queried via &man.id.1; or
similar tool. In other words, &man.pw.8; only manipulates the
/etc/group file; it will never attempt to read
additionally data from /etc/passwd.Using &man.id.1; to determine group membership&prompt.user; idjru
uid=1001(jru) gid=1001(jru) groups=1001(jru), 1100(teamtwo)As you can see, jru is a member of the
groups jru and
teamtwo.For more information about &man.pw.8;, see its manual page, and
for more information on the format of
/etc/group, consult the &man.group.5; manual
page.