diff --git a/en_US.ISO8859-1/articles/committers-guide/article.sgml b/en_US.ISO8859-1/articles/committers-guide/article.sgml
index ecb1d393e9..15f3a873a2 100644
--- a/en_US.ISO8859-1/articles/committers-guide/article.sgml
+++ b/en_US.ISO8859-1/articles/committers-guide/article.sgml
@@ -1,3223 +1,3223 @@
 <!DOCTYPE article PUBLIC "-//FreeBSD//DTD DocBook V4.1-Based Extension//EN" [
 <!ENTITY % articles.ent PUBLIC "-//FreeBSD//ENTITIES DocBook FreeBSD Articles Entity Set//EN">
 %articles.ent;
 ]>
 
 <article>
   <articleinfo>
     <title>Committer's Guide</title>
 
     <authorgroup>
       <author>
 	<surname>The FreeBSD Documentation Project</surname>
       </author>
     </authorgroup>
 
     <pubdate>$FreeBSD$</pubdate>
 
     <copyright>
       <year>1999</year>
       <year>2000</year>
       <year>2001</year>
       <year>2002</year>
       <year>2003</year>
       <year>2004</year>
       <holder>The FreeBSD Documentation Project</holder>
     </copyright>
 
     <legalnotice id="trademarks" role="trademarks">
       &tm-attrib.freebsd;
       &tm-attrib.cvsup;
       &tm-attrib.ibm;
       &tm-attrib.intel;
       &tm-attrib.sparc;
       &tm-attrib.general;
     </legalnotice>
 
     <abstract>
       <para>This document provides information for the FreeBSD committer
 	community.  All new committers should read this document before they
 	start, and existing committers are strongly encouraged to review it
 	from time to time.</para>
     </abstract>
   </articleinfo>
 
   <sect1 id="admin">
     <title>Administrative Details</title>
 
-    <informaltable frame="none" orient="port">
+    <informaltable frame="none" orient="port" pgwide="1">
       <tgroup cols="2">
 	<tbody>
 	  <row>
 	    <entry><emphasis>Main Repository Host</emphasis></entry>
 	    <entry><hostid role="fqdn">ncvs.FreeBSD.org</hostid></entry>
 	  </row>
 
 	  <row>
 	    <entry><emphasis>Login Methods</emphasis></entry>
 	    <entry>&man.ssh.1;, protocol 2 only</entry>
 	  </row>
 
 	  <row>
 	    <entry><emphasis>Main CVSROOT</emphasis></entry>
 	    <entry>
 	      <hostid role="fqdn">ncvs.FreeBSD.org</hostid><literal>:</literal><filename>/home/ncvs</filename> (although also see <xref linkend="cvs.operations">).
 	    </entry>
 	  </row>
 
 	  <row>
 	    <entry><emphasis>Main &a.cvsadm;</emphasis></entry>
 	    <entry>&a.peter; and &a.markm;, as well as &a.joe; and &a.marcus; for
 	      <filename>ports/</filename></entry>
 	  </row>
 
 	  <row>
 	    <entry><emphasis>Mailing Lists</emphasis></entry>
 	    <entry>&a.doc-developers;, &a.doc-committers;;
 	    &a.ports-developers;, &a.ports-committers;;
 	    &a.src-developers;, &a.src-committers;.  (Each project
 	    repository has its own -developers and -committers mailing
 	    lists.  Archives for these lists may be found in files
 	    <filename>/home/mail/<replaceable>repository-name</replaceable>-developers-archive</filename>
 	    and
 	    <filename>/home/mail/<replaceable>repository-name</replaceable>-committers-archive</filename>
 	    on the <hostid role="domainname">FreeBSD.org</hostid>
 	    cluster.)
 	    </entry>
 	  </row>
 
 
 	  <row>
 	    <entry><emphasis>Core Team monthly reports</emphasis></entry>
 	    <entry><filename>/home/core/public/monthly-report</filename>
 	      on the <hostid role="domainname">FreeBSD.org</hostid> cluster.
 	    </entry>
 	  </row>
 
 	  <row>
 	    <entry><emphasis>Noteworthy CVS Tags</emphasis></entry>
 	    <entry><literal>RELENG_4</literal> (4.X-STABLE), <literal>RELENG_5</literal> (5.X-STABLE), <literal>HEAD</literal> (-CURRENT)</entry>
 	  </row>
 	</tbody>
       </tgroup>
     </informaltable>
 
     <para>It is required that you use &man.ssh.1; or &man.telnet.1;
       with Kerberos 5 to connect to the project hosts.  For
       &man.ssh.1; only protocol 2 is allowed.
       These are generally more secure than plain &man.telnet.1; or
       &man.rlogin.1; since credential negotiation will always be
       encrypted.  All traffic is encrypted by default with &man.ssh.1;.
       With utilities like &man.ssh-agent.1; and &man.scp.1; also
       available, &man.ssh.1; is also far more convenient.  If you do
       not know anything about &man.ssh.1;, please see
       <xref linkend="ssh.guide">.</para>
   </sect1>
 
   <sect1 id="committer.types">
     <title>Commit Bit Types</title>
 
     <para>The FreeBSD CVS repository has a number of components which,
       when combined, support the basic operating system source,
       documentation, third party application ports infrastructure, and
       various maintained utilities.  When FreeBSD commit bits are
       allocated, the areas of the tree where the bit may be used are
       specified.  Generally, the areas associated with a bit reflect who
       authorized the allocation of the commit bit.  Additional areas of
       authority may be added at a later date: when this occurs, the
       committer should follow normal commit bit allocation procedures for
       that area of the tree, seeking approval from the appropriate entity
       and possibly getting a mentor for that area for some period of time.
       </para>
 
-    <informaltable frame="none">
+    <informaltable frame="none" pgwide="1">
       <tgroup cols="3">
 	<tbody>
 	  <row>
 	    <entry><emphasis>Committer Type</emphasis></entry>
 	    <entry><emphasis>Responsible</emphasis></entry>
 	    <entry><emphasis>Tree Components</emphasis></entry>
 	  </row>
 
 	  <row>
 	    <entry>src</entry>
 	    <entry>core@</entry>
 	    <entry>src/, doc/ subject to appropriate review</entry>
 	  </row>
 
 	  <row>
 	    <entry>doc</entry>
 	    <entry>doceng@</entry>
 	    <entry>doc/, www/, src/ documentation</entry>
 	  </row>
 
 	  <row>
 	    <entry>ports</entry>
 	    <entry>portmgr@</entry>
 	    <entry>ports/</entry>
 	  </row>
 	</tbody>
       </tgroup>
     </informaltable>
 
     <para>Commit bits allocated prior to the development of the notion of
       areas of authority may be appropriate for use in many parts of the
       tree.  However, common sense dictates that a committer who has not
       previously worked in an area of the tree seek review prior to
       committing, seek approval from the appropriate responsible party,
       and/or work with a mentor.  Since the rules regarding code
       maintenance differ by area of the tree, this is as much for the
       benefit of the committer working in an area of less familiarity as
       it is for others working on the tree.</para>
 
     <para>Committers are encouraged to seek review for their work as part
       of the normal development process, regardless of the area of the
       tree where the work is occurring.</para>
 
     <sect2>
       <title>Policy for <filename>doc/</filename> committer activity
         in <filename>src/</filename></title>
 
       <itemizedlist>
 	<listitem><para>doc committers may commit documentation
 	  changes to src files, such as man pages, READMEs, fortune
 	  databases, calendar files, and comment fixes without
 	  approval from a src committer, subject to the normal care
 	  and tending of commits.</para></listitem>
 
 	<listitem><para>doc committers may commit minor src changes
 	  and fixes, such as build fixes, small features, etc, with an
 	  "Approved by" from a src committer.</para></listitem>
 
 	<listitem><para>doc committers may seek an upgrade to a src
 	  commit bit by acquiring a mentor, who will propose the doc
 	  committer to core.  When approved, they will be added to
 	  'access' and the normal mentoring period will ensue, which
 	  will involve a continuing of <quote>Approved by</quote> for
 	  some period.</para></listitem>
 
      	<listitem><para>"Approved by" is only acceptable from
 	  non-mentored src committers -- mentored committers can
 	  provide a "Reviewed by" but not an "Approved
 	  by".</para></listitem>
       </itemizedlist>
     </sect2>
 
   </sect1>
 
   <sect1 id="cvs.operations">
     <title>CVS Operations</title>
 
     <para>It is assumed that you are already familiar with the basic operation
       of CVS.</para>
 
     <para>The &a.cvsadm; are the <quote>owners</quote> of the CVS repository and
       are responsible for direct modification of it for the purposes of
       cleanup or fixing some grievous abuse of CVS by a committer.
       Should you cause some repository accident, say a bad <command>cvs
       import</command> or <command>cvs tag</command> operation, mail the
       responsible part of &a.cvsadm;, as stated in the table below,
       (or call one of them) and report the problem.
       For very important issues affecting the entire CVS tree&mdash;not
       just a specific area&mdash;you can contact the &a.cvsadm;.
       Please do <emphasis>not</emphasis> contact the &a.cvsadm; for repocopies
       or other things that the more specific teams can handle.</para>
 
     <para>The only ones able to directly fiddle the repository bits on the
       repository hosts are the repomeisters.  To enforce this, there are
       no login shells available on the repository machines, except to
       the repomeisters.</para>
 
     <note><para>Depending on the affected area of the CVS repository,
       you should send your request to one of the following email
       addresses:</para>
       
       <itemizedlist>
 	<listitem><para>ncvs@ - regarding <filename role="directory">
 	    /home/ncvs</filename>, the src
 	  repository</para></listitem>
 
 	<listitem><para>pcvs@ - regarding <filename role="directory">
 	    /home/pcvs</filename>, the ports
 	  repository</para></listitem>
 
 	<listitem><para>dcvs@ - regarding <filename role="directory">
 	    /home/dcvs</filename>, the doc
 	  repository</para></listitem>
 
 	<listitem><para>projcvs@ - regarding <filename role="directory">
 	    /home/projcvs</filename>, the
 	  third party projects repository</para></listitem>
       </itemizedlist>
     </note>
 
     <para>The CVS tree is currently split into four distinct repositories,
       namely <literal>doc</literal>, <literal>ports</literal>,
       <literal>projects</literal> and <literal>src</literal>.  These are
       combined under a single <literal>CVSROOT</literal> when distributed
       via <application>CVSup</application> for the convenience of our users.</para>
 
     <note><para>Note that the <literal>www</literal> module containing sources
       for the <ulink url="http://www.FreeBSD.org">FreeBSD website</ulink> is
       contained within the <literal>doc</literal> repository.</para></note>
 
     <para>The CVS repositories are hosted on the repository machines.
       Currently, each of the repositories above reside on the same physical
       machine, <hostid role="hostname">ncvs.FreeBSD.org</hostid>, but to allow for
       the possibility of placing each on a separate machine in the future,
       there is a separate hostname for each that committers should use.
       Additionally, each repository is stored in a separate directory.  The
       following table summarizes the situation.</para>
 
     <table frame="none" id="cvs-repositories-and-hosts">
       <title>&os; CVS Repositories, Hosts and Directories</title>
 
       <tgroup cols="3">
 	<thead>
 	  <row>
 	    <entry>Repository</entry>
 	    <entry>Host</entry>
 	    <entry>Directory</entry>
 	  </row>
 	</thead>
 
 	<tbody>
 	  <row>
 	    <entry>doc</entry>
 	    <entry>dcvs.FreeBSD.org</entry>
 	    <entry>/home/dcvs</entry>
 	  </row>
 
 	  <row>
 	    <entry>ports</entry>
 	    <entry>pcvs.FreeBSD.org</entry>
 	    <entry>/home/pcvs</entry>
 	  </row>
 
 	  <row>
 	    <entry>projects</entry>
 	    <entry>projcvs.FreeBSD.org</entry>
 	    <entry>/home/projcvs</entry>
 	  </row>
 
 	  <row>
 	    <entry>src</entry>
 	    <entry>ncvs.FreeBSD.org</entry>
 	    <entry>/home/ncvs</entry>
 	  </row>
 	</tbody>
       </tgroup>
     </table>
 
     <para>CVS operations are done remotely by setting the
       <envar>CVSROOT</envar> environment variable to the appropriate host
       and top-level directory (for example,
       <hostid role="fqdn">ncvs.FreeBSD.org</hostid><literal>:</literal><filename>/home/ncvs</filename>),
       the <envar>CVS_RSH</envar> variable to <command>ssh</command>, and then
       doing the appropriate check-out/check-in operations.  Many committers
       define aliases which expand to the correct <application>cvs</application>
       invocation for the appropriate repository.  For example, a &man.tcsh.1;
       user may add the following to their <filename>.cshrc</filename> for this
       purpose:</para>
 
     <programlisting>alias dcvs env CVS_RSH=ssh cvs -d <replaceable>user</replaceable>@dcvs.FreeBSD.org:/home/dcvs
 alias pcvs env CVS_RSH=ssh cvs -d <replaceable>user</replaceable>@pcvs.FreeBSD.org:/home/pcvs
 alias projcvs env CVS_RSH=ssh cvs -d <replaceable>user</replaceable>@projcvs.FreeBSD.org:/home/projcvs
 alias scvs env CVS_RSH=ssh cvs -d <replaceable>user</replaceable>@ncvs.FreeBSD.org:/home/ncvs</programlisting>
 
     <para>This way they can do all CVS operations
       locally and use <command><replaceable>X</replaceable>cvs commit</command> for committing
       to the official CVS tree.  If you wish to add
       something which is wholly new (like contrib-ified
       sources, etc), <command>cvs import</command> should be used.
       Refer to the &man.cvs.1; manual page for usage.</para>
 
     <note>
       <para>Please do <emphasis>not</emphasis> use
 	<command>cvs checkout</command> or
 	<command>update</command> with the official repository machine set
 	as the CVS Root for keeping your source tree up to date.
 	Remote CVS is not optimized for network distribution
 	and requires a big work/administrative overhead on the server side.
 	Please use our advanced <command>cvsup</command> distribution
 	method for obtaining the repository bits, and only do the actual
 	<command>commit</command> operation on the repository host.
 	We provide an extensive cvsup replication network for this purpose,
 	as well as give access to <hostid>cvsup-master</hostid> if you
 	really need to stay current to the latest changes.
 	<hostid>cvsup-master</hostid> has got the horsepower to deal with
 	this, the repository master server does not.  &a.kuriyama; is in
 	charge of <hostid>cvsup-master</hostid>.
       </para>
     </note>
 
     <para>If you need to use CVS <command>add</command> and
       <command>delete</command> operations in a manner that is
       effectively a &man.mv.1; operation, then a repository
       copy is in order rather than using CVS <command>add</command> and
       <command>delete</command>.  In a repository copy, a <link
       linkend="conventions">CVS Meister</link> will copy the file(s)
       to their new name and/or location and let you know when it is
       done.  The purpose of a repository copy is to preserve file
       change history, or logs.  We in the FreeBSD Project greatly
       value the change history that CVS gives to the project.</para>
 
     <para>CVS reference information, tutorials, and FAQs can be found at:
       <ulink url="http://www.cvshome.org/docs/"></ulink>.
       The information in <ulink url="http://cvsbook.red-bean.com/cvsbook.html">Karl Fogel's
 	chapters from <quote>Open Source Development with CVS</quote></ulink> is also very
       useful.</para>
 
     <para>&a.des; also supplied the following <quote>mini primer</quote> for
       CVS.</para>
 
     <orderedlist>
       <listitem>
 	<para>Check out a module with the <command>co</command> or
 	  <command>checkout</command> command.</para>
 
 	<screen>&prompt.user; <userinput>cvs checkout shazam</userinput></screen>
 
 	<para>This checks out a copy of the <filename>shazam</filename> module. If
 	  there is no <filename>shazam</filename> module in the modules file, it looks for a
 	  top-level directory named <filename>shazam</filename> instead.</para>
 
 	<table frame="none">
 	  <title>Useful <command>cvs checkout</command> options</title>
 
 	  <tgroup cols=2>
 	    <tbody>
 	      <row>
 		<entry><option>-P</option></entry>
 		<entry>Do not create empty directories</entry>
 	      </row>
 
 	      <row>
 		<entry><option>-l</option></entry>
 		<entry>Check out a single level, no subdirectories</entry>
 	      </row>
 
 	      <row>
 		<entry><option>-r<replaceable>rev</replaceable></option></entry>
 		<entry>Check out revision, branch or tag
 		  <replaceable>rev</replaceable></entry>
 	      </row>
 
 	      <row>
 		<entry><option>-D<replaceable>date</replaceable></option></entry>
 		<entry>Check out the sources as they were on date
 		  <replaceable>date</replaceable></entry>
 	      </row>
 	    </tbody>
 	  </tgroup>
 	</table>
 
 	<para>Practical FreeBSD examples:</para>
 
 	<itemizedlist>
 	  <listitem>
 	    <para>Check out the <filename>miscfs</filename> module,
 	      which corresponds to <filename>src/sys/miscfs</filename>:</para>
 
 	    <screen>&prompt.user; <userinput>cvs co miscfs</userinput></screen>
 
 	    <para>You now have a directory named <filename>miscfs</filename>
 	      with subdirectories <filename>CVS</filename>,
 	      <filename>deadfs</filename>, <filename>devfs</filename>, and so
 	      on.  One of these (<filename>linprocfs</filename>) is
 	      empty.</para>
 	  </listitem>
 
 	  <listitem>
 	    <para>Check out the same files, but with full path:</para>
 
 	    <screen>&prompt.user; <userinput>cvs co src/sys/miscfs</userinput></screen>
 
 	    <para>You now have a directory named <filename>src</filename>,
 	      with subdirectories <filename>CVS</filename> and
 	      <filename>sys</filename>.  The <filename>src/sys</filename> directory has
 	      subdirectories <filename>CVS</filename> and
 	      <filename>miscfs</filename>, etc.</para>
 	  </listitem>
 
 	  <listitem>
 	    <para>Check out the same files, but prunes empty
 	      directories:</para>
 
 	    <screen>&prompt.user; <userinput>cvs co -P miscfs</userinput></screen>
 
 	    <para>You now have a directory named
 	      <filename>miscfs</filename> with subdirectories
 	      <filename>CVS</filename>, <filename>deadfs</filename>,
 	      <filename>devfs</filename>... but note that there is no
 	      <filename>linprocfs</filename> subdirectory, because there
 	      are no files in it.</para>
 	  </listitem>
 
 	  <listitem>
 	    <para>Check out the directory <filename>miscfs</filename>, but
 	      none of the subdirectories:</para>
 
 	    <screen>&prompt.user; <userinput>cvs co -l miscfs</userinput></screen>
 
 	    <para>You now have a directory named <filename>miscfs</filename>
 	      with just one subdirectory named
 	      <filename>CVS</filename>.</para>
 	  </listitem>
 
 	  <listitem>
 	    <para>Check out the <filename>miscfs</filename> module as
 	      it is in the 4.X branch:</para>
 
 	    <screen>&prompt.user; <userinput>cvs co -rRELENG_4 miscfs</userinput></screen>
 
 	    <para>You can modify the sources and commit along this
 	      branch.</para>
 	  </listitem>
 
 	  <listitem>
 	    <para>Check out the <filename>miscfs</filename> module as
 	      it was in 3.4-RELEASE.</para>
 
 	    <screen>&prompt.user; <userinput>cvs co -rRELENG_3_4_0_RELEASE miscfs</userinput></screen>
 
 	    <para>You will not be able to commit modifications, since
 	      <literal>RELENG_3_4_0_RELEASE</literal> is a point in time, not a branch.</para>
 	  </listitem>
 
 	  <listitem>
 	    <para>Check out the <filename>miscfs</filename> module as it was
 	      on Jan 15 2000.</para>
 
 	    <screen>&prompt.user; <userinput>cvs co -D'01/15/2000' miscfs</userinput></screen>
 
 	    <para>You will not be able to commit modifications.</para>
 	  </listitem>
 
 	  <listitem>
 	    <para>Check out the <filename>miscfs</filename> module as it was
 	      one week ago.</para>
 
 	    <screen>&prompt.user; <userinput>cvs co -D'last week' miscfs</userinput></screen>
 
 	    <para>You will not be able to commit modifications.</para>
 	  </listitem>
 	</itemizedlist>
 
 	<para>Note that cvs stores metadata in subdirectories named
 	  <filename>CVS</filename>.</para>
 
 	<para>Arguments to <option>-D</option> and <option>-r</option>
 	  are sticky, which means cvs will remember them later, e.g.
 	  when you do a <command>cvs update</command>.</para>
       </listitem>
 
       <listitem>
 	<para>Check the status of checked-out files with the
 	  <command>status</command> command.</para>
 
 	<screen>&prompt.user; <userinput>cvs status shazam</userinput></screen>
 
 	<para>This displays the status of the
 	  file <filename>shazam</filename> or of every file in the
 	  <filename>shazam</filename> directory. For every file, the
 	  status is given as one of:</para>
 
-	<informaltable frame="none">
+	<informaltable frame="none" pgwide="1">
 	  <tgroup cols=2>
 	    <tbody>
 	      <row>
 		<entry>Up-to-date</entry>
 		<entry>File is up-to-date and unmodified.</entry>
 	      </row>
 
 	      <row>
 		<entry>Needs Patch</entry>
 		<entry>File is unmodified, but there is a newer revision in
 		  the repository.</entry>
 	      </row>
 
 	      <row>
 		<entry>Locally Modified</entry>
 		<entry>File is up-to-date, but modified.</entry>
 	      </row>
 
 	      <row>
 		<entry>Needs Merge</entry>
 		<entry>File is modified, and there is a newer revision in the
 		  repository.</entry>
 	      </row>
 
 	      <row>
 		<entry>File had conflicts on merge</entry>
 		<entry>There were conflicts the last time this file was
 		  updated, and they have not been resolved yet.</entry>
 	      </row>
 	    </tbody>
 	  </tgroup>
 	</informaltable>
 
 	<para>You will also see the local revision and date,
 	  the revision number of the newest applicable version
 	  (<quote>newest applicable</quote> because if you have a
 	  sticky date, tag or branch, it may not be the actual newest
 	  revision), and any sticky tags, dates or options.</para>
       </listitem>
 
       <listitem>
 	<para>Once you have checked something out, you can update it with the
 	  <command>update</command> command.</para>
 
 	<screen>&prompt.user; <userinput>cvs update shazam</userinput></screen>
 
 	<para>This updates the file <filename>shazam</filename> or the
 	  contents of the <filename>shazam</filename> directory to the
 	  latest version along the branch you checked out.  If you
 	  checked out a <quote>point in time</quote>, does nothing
 	  unless the tags have moved in the repository or some other weird
 	  stuff is going on.</para>
 
 	<para>Useful options, in addition to those listed above for
 	  <command>checkout</command>:</para>
 
-	<informaltable frame="none">
+	<informaltable frame="none" pgwide="1">
 	  <tgroup cols=2>
 	    <tbody>
 	      <row>
 		<entry><option>-d</option></entry>
 		<entry>Check out any additional missing directories.</entry>
 	      </row>
 
 	      <row>
 		<entry><option>-A</option></entry>
 		<entry>Update to head of main branch.</entry>
 	      </row>
 
 	      <row>
 		<entry><option>-j<replaceable>rev</replaceable></option></entry>
 		<entry>More magic (see below).</entry>
 	      </row>
 	    </tbody>
 	  </tgroup>
 	</informaltable>
 
 	<para>If you checked out a module with <option>-r</option> or
 	  <option>-D</option>, running <command>cvs update</command>
 	  with a different <option>-r</option> or <option>-D</option>
 	  argument or with <option>-A</option> will select a new branch,
 	  revision or date. The <option>-A</option> option clears all
 	  sticky tags, dates or revisions whereas <option>-r</option>
 	  and <option>-D</option> set new ones.</para>
 
 	<para>Theoretically, specifying <literal>HEAD</literal> as the
 	  argument to <option>-r</option> will give you the same result
 	  as <option>-A</option>, but that is just theory.</para>
 
 	<para>The <option>-d</option> option is useful if:</para>
 
 	<itemizedlist>
 	  <listitem>
 	    <para>somebody has added subdirectories to the module
 	      you have checked out after you checked it out.</para>
 	  </listitem>
 
 	  <listitem>
 	    <para>you checked out with <option>-l</option>, and later
 	      change your mind and want to check out the subdirectories
 	      as well.</para>
 	  </listitem>
 
 	  <listitem>
 	    <para>you deleted some subdirectories and want to check
 	      them all back out.</para>
 	  </listitem>
 	</itemizedlist>
 
 	<para><emphasis>Watch the output of the <command>cvs
 	  update</command> with care.</emphasis> The letter in front of
 	  each filename indicates what was done with it:</para>
 
-	<informaltable frame="none">
+	<informaltable frame="none" pgwide="1">
 	  <tgroup cols=2>
 	    <tbody>
 	      <row>
 		<entry><literal>U</literal></entry>
 		<entry>The file was updated without trouble.</entry>
 	      </row>
 
 	      <row>
 		<entry><literal>P</literal></entry>
 		<entry>The file was updated without trouble (you will only see
 		  this when working against a remote repository).</entry>
 	      </row>
 
 	      <row>
 		<entry><literal>M</literal></entry>
 		<entry>The file had been modified, and was merged without
 		  conflicts.</entry>
 	      </row>
 
 	      <row>
 		<entry><literal>C</literal></entry>
 		<entry>The file had been modified, and was merged with
 		  conflicts.</entry>
 	      </row>
 	    </tbody>
 	  </tgroup>
 	</informaltable>
 
 	<para>Merging is what happens if you check out a copy of
 	  some source code, modify it, then someone else commits a
 	  change, and you run <command>cvs update</command>. CVS notices
 	  that you have made local changes, and tries to merge your
 	  changes with the changes between the version you originally
 	  checked out and the one you updated to. If the changes are to
 	  separate portions of the file, it will almost always work fine
 	  (though the result might not be syntactically or semantically
 	  correct).</para>
 
 	<para>CVS will print an <literal>M</literal> in front of every locally modified
 	  file even if there is no newer version in the repository, so
 	  <command>cvs update</command> is handy for getting a summary
 	  of what you have changed locally.</para>
 
 	<para>If you get a <literal>C</literal>, then your changes
 	  conflicted with the changes in the repository (the changes
 	  were to the same lines, or neighboring lines, or you changed
 	  the local file so much that <command>cvs</command> can not
 	  figure out how to apply the repository's changes). You will have
 	  to go through the file manually and resolve the conflicts;
 	  they will be marked with rows of <literal>&lt;</literal>,
 	  <literal>=</literal> and <literal>&gt;</literal> signs. For
 	  every conflict, there will be a marker line with seven
 	  <literal>&lt;</literal> signs and the name of the file,
 	  followed by a chunk of what your local file contained,
 	  followed by a separator line with seven <literal>=</literal>
 	  signs, followed by the corresponding chunk in the
 	  repository version, followed by a marker line with seven
 	  <literal>&gt;</literal> signs and the revision number you
 	  updated to.</para>
 
 	<para>The <option>-j</option> option is slightly voodoo. It
 	  updates the local file to the specified revision as if you
 	  used <option>-r</option>, but it does not change the recorded
 	  revision number or branch of the local file. It is not really
 	  useful except when used twice, in which case it will merge the
 	  changes between the two specified versions into the working
 	  copy.</para>
 
 	<para>For instance, say you commit a change to
 	  <filename>shazam/shazam.c</filename> in &os.current; and later
 	  want to MFC it.  The change you want to MFC was revision
 	  1.15:</para>
 
 	<itemizedlist>
 	  <listitem>
 	    <para>Check out the &os.stable; version of the
 	      <filename>shazam</filename> module:</para>
 
 	    <screen>&prompt.user; <userinput>cvs co -rRELENG_4 shazam</userinput></screen>
 	  </listitem>
 
 	  <listitem>
 	    <para>Apply the changes between rev 1.14 and 1.15:</para>
 
 	    <screen>&prompt.user; <userinput>cvs update -j1.14 -j1.15 shazam/shazam.c</userinput></screen>
 	  </listitem>
 	</itemizedlist>
 
 	<para>You will almost certainly get a conflict because
-	  of the <literal>$Id: article.sgml,v 1.216 2004-11-27 21:48:00 murray Exp $</literal> (or in FreeBSD's case,
+	  of the <literal>$Id: article.sgml,v 1.217 2004-11-29 21:43:33 ceri Exp $</literal> (or in FreeBSD's case,
 	  <literal>$<!-- stop expansion -->FreeBSD<!-- stop expansion -->$</literal>)
 	  lines, so you will have to edit the file to resolve the conflict
-	  (remove the marker lines and the second <literal>$Id: article.sgml,v 1.216 2004-11-27 21:48:00 murray Exp $</literal> line,
-	  leaving the original <literal>$Id: article.sgml,v 1.216 2004-11-27 21:48:00 murray Exp $</literal> line intact).</para>
+	  (remove the marker lines and the second <literal>$Id: article.sgml,v 1.217 2004-11-29 21:43:33 ceri Exp $</literal> line,
+	  leaving the original <literal>$Id: article.sgml,v 1.217 2004-11-29 21:43:33 ceri Exp $</literal> line intact).</para>
       </listitem>
 
       <listitem>
 	<para>View differences between the local version and the
 	  repository version with the <command>diff</command>
 	  command.</para>
 
 	<screen>&prompt.user; <userinput>cvs diff shazam</userinput></screen>
 
 	<para>shows you every modification you have made to the
 	  <filename>shazam</filename> file or module.</para>
 
 	<table frame="none">
 	  <title>Useful <command>cvs diff</command> options</title>
 
 	  <tgroup cols=2>
 	    <tbody>
 	      <row>
 		<entry><option>-u</option></entry>
 		<entry>Uses the unified diff format.</entry>
 	      </row>
 
 	      <row>
 		<entry><option>-c</option></entry>
 		<entry>Uses the context diff format.</entry>
 	      </row>
 
 	      <row>
 		<entry><option>-N</option></entry>
 		<entry>Shows missing or added files.</entry>
 	      </row>
 	    </tbody>
 	  </tgroup>
 	</table>
 
 	<para>You always want to use <option>-u</option>, since
 	  unified diffs are much easier to read than almost any other
 	  diff format (in some circumstances, context diffs generated with
 	  the <option>-c</option> option may be
 	  better, but they are much bulkier). A unified diff consists of
 	  a series of hunks. Each hunk begins with a line that starts
 	  with two <literal>@</literal> signs and specifies where in the
 	  file the differences are and how many lines they span. This
 	  is followed by a number of lines; some (preceded by a blank)
 	  are context; some (preceded by a <literal>-</literal> sign)
 	  are outtakes and some (preceded by a <literal>+</literal>) are
 	  additions.</para>
 
 	<para>You can also diff against a different version
 	  than the one you checked out by specifying a version
 	  with <option>-r</option> or <option>-D</option> as in
 	  <command>checkout</command> or <command>update</command>,
 	  or even view the diffs between two arbitrary versions
 	  (without regard for what you have locally) by specifying
 	  <emphasis>two</emphasis> versions with <option>-r</option> or
 	  <option>-D</option>.</para>
       </listitem>
 
       <listitem>
 	<para>View log entries with the <command>log</command>
 	  command.</para>
 
 	<screen>&prompt.user; <userinput>cvs log shazam</userinput></screen>
 
 	<para>If <filename>shazam</filename> is a file, this will print a
 	  <emphasis>header</emphasis> with information about this file, such
 	  as where in the repository this file is stored, which revision is
 	  the <literal>HEAD</literal> for this file, what branches this file
 	  is in, and any tags that are valid for this file.  Then, for each
 	  revision of this file, a log message is printed.  This includes
 	  the date and time of the commit, who did the commit, how many lines
 	  were added and/or deleted, and finally the log message that the
 	  committer who did the change wrote.</para>
 
 	<para>If <filename>shazam</filename> is a directory, then the log
 	  information described above is printed for each file in the
 	  directory in turn.  Unless you give the <option>-l</option> to
 	  <command>log</command>, the log for all subdirectories of
 	  <filename>shazam</filename> is printed too, in a recursive
 	  manner.</para>
 
 	<para>Use the <command>log</command> command to view the history of
 	  one or more files, as it is stored in the CVS repository.  You can
 	  even use it to view the log message of a specific revision, if you
 	  add the <option>-r<replaceable>rev</replaceable></option> to the
 	  <command>log</command> command:</para>
 
 	<screen>&prompt.user; <userinput>cvs log -r1.2 shazam</userinput></screen>
 
 	<para>This will print only the log message for revision
 	  <literal>1.2</literal> of file <filename>shazam</filename> if it is
 	  a file, or the log message for revision <literal>1.2</literal> of
 	  each file under <filename>shazam</filename> if it is a
 	  directory.</para>
       </listitem>
 
       <listitem>
 	<para>See who did what with the <command>annotate</command> command.
 	  This command shows you each line of the specified file or
 	  files, along with which user most recently changed that
 	  line.</para>
 
 	<screen>&prompt.user; <userinput>cvs annotate shazam</userinput></screen>
       </listitem>
 
       <listitem>
 	<para>Add new files with the <command>add</command> command.</para>
 
 	<para>Create the file, <command>cvs add</command> it, then
 	  <command>cvs commit</command> it.</para>
 
 	<para>Similarly, you can add new directories by creating them
 	  and then <command>cvs add</command>ing them. Note that you
 	  do not need to commit directories.</para>
       </listitem>
 
       <listitem>
 	<para>Remove obsolete files with the <command>remove</command> command.</para>
 
 	<para>Remove the file, then <command>cvs rm</command> it, then
 	  <command>cvs commit</command> it.</para>
       </listitem>
 
       <listitem>
 	<para>Commit with the <command>commit</command> or
 	  <command>checkin</command> command.</para>
 
 	<table frame="none">
 	  <title>Useful <command>cvs commit</command> options</title>
 
 	  <tgroup cols=2>
 	    <tbody>
 	      <row>
 		<entry><option>-f</option></entry>
 		<entry>Force a commit of an unmodified file.</entry>
 	      </row>
 
 	      <row>
 		<entry><option>-m<replaceable>msg</replaceable></option></entry>
 		<entry>Specify a commit message on the command line rather
 		  than invoking an editor.</entry>
 	      </row>
 	    </tbody>
 	  </tgroup>
 	</table>
 
 	<para>Use the <option>-f</option> option if you realize that
 	  you left out important information from the commit message.</para>
 
 	<para>Good commit messages are important. They tell others
 	  why you did the changes you did, not just right here and now,
 	  but months or years from now when someone wonders why some
 	  seemingly illogical or inefficient piece of code snuck into
 	  your source file. It is also an invaluable aid to deciding
 	  which changes to MFC and which not to MFC.</para>
 
 	<para>Commit messages should be clear, concise and provide
 	  a reasonable summary to give an indication of what was
 	  changed and why.</para>
 
 	<para>Commit messages should provide enough information to
 	  enable a third party to decide if the change is relevant to
 	  them and if they need to read the change itself.</para>
 
 	<para>Avoid committing several unrelated changes in one go. It
 	  makes merging difficult, and also makes it harder to determine
 	  which change is the culprit if a bug crops up.</para>
 
 	<para>Avoid committing style or whitespace fixes and
 	  functionality fixes in one go. It makes merging difficult,
 	  and also makes it harder to understand just what functional
 	  changes were made.  In the case of documentation files, it
 	  can make the job of the translation teams more complicated,
 	  as it becomes difficult for them to determine exactly what
 	  content changes need to be translated.</para>
 
 	<para>Avoid committing changes to multiple files in one go
 	  with a generic, vague message. Instead, commit each file (or
 	  small, related groups of files) with tailored commit messages.</para>
 
 	<para>Before committing, <emphasis>always</emphasis>:</para>
 
 	<itemizedlist>
 	  <listitem>
 	    <para>verify which branch you are committing to, using
 	      <command>cvs status</command>.</para>
 	  </listitem>
 
 	  <listitem>
 	    <para>review your diffs, using
 	      <command>cvs diff</command></para>
 	  </listitem>
 	</itemizedlist>
 
 	<para>Also, ALWAYS specify which files to commit explicitly on
 	  the command line, so you do not accidentally commit other files
 	  than the ones you intended - <command>cvs commit</command>
 	  without any arguments will commit every modification in your
 	  current working directory and every subdirectory.</para>
       </listitem>
     </orderedlist>
 
     <para>Additional tips and tricks:</para>
 
     <orderedlist>
       <listitem>
 
 	<para>You can place commonly used options in your
 	  <filename>~/.cvsrc</filename>, like this:</para>
 
 	<programlisting>cvs -z3
 diff -Nu
 update -Pd
 checkout -P</programlisting>
 
 	<para>This example says:</para>
 
 	<itemizedlist>
 	  <listitem>
 	    <para>always use compression level 3 when talking to a
 	      remote server. This is a life-saver when working over a
 	      slow connection.</para>
 	  </listitem>
 
 	  <listitem>
 	    <para>always use the <option>-N</option> (show added or
 	      removed files) and <option>-u</option> (unified diff
 	      format) options to &man.diff.1;.</para>
 	  </listitem>
 
 	  <listitem>
 	    <para>always use the <option>-P</option> (prune empty
 	      directories) and <option>-d</option> (check out new
 	      directories) options when updating.</para>
 	  </listitem>
 
 	  <listitem>
 	    <para>always use the <option>-P</option> (prune empty
 	      directories) option when checking out.</para>
 	  </listitem>
 	</itemizedlist>
       </listitem>
 
       <listitem>
 	<para>Use Eivind Eklund's <command>cdiff</command> script to
 	  view unidiffs.  It is a wrapper for &man.less.1; that adds ANSI
 	  color codes to make hunk headers, outtakes and additions stand
 	  out; context and garbage are unmodified.  It also expands tabs
 	  properly (tabs often look wrong in diffs because of the extra
 	  character in front of each line).</para>
 
 	<para><ulink url="http://people.FreeBSD.org/~eivind/cdiff"></ulink></para>
 
 	<para>Simply use it instead of &man.more.1; or &man.less.1;:</para>
 
 	<screen>&prompt.user; <userinput>cvs diff -Nu shazam | cdiff</userinput></screen>
 
 	<para>Alternatively some editors like &man.vim.1;
 	  (<filename role="package">editors/vim5</filename>) have color support and when used as
 	  a pager with color syntax highlighting switched on will
 	  highlight many types of file, including diffs, patches,
 	  and CVS/RCS logs. </para>
 
 	<screen>&prompt.user; <userinput>echo "syn on" &gt;&gt; ~/.vimrc </userinput>
 &prompt.user; <userinput>cvs diff -Nu shazam | vim -</userinput>
 &prompt.user; <userinput>cvs log shazam | vim -</userinput> </screen>
       </listitem>
 
       <listitem>
 	<para>CVS is old, arcane, crufty and buggy, and sometimes
 	  exhibits non-deterministic behavior which some claim as proof
 	  that it is actually merely the Newtonian manifestation of a
 	  sentient transdimensional entity.  It is not humanly possible
 	  to know its every quirk inside out, so do not be afraid to ask
 	  the resident AI (&a.cvsadm;) for help.</para>
       </listitem>
 
       <listitem>
 	<para>Do not leave the <command>cvs commit</command> command in commit
 	  message editing mode for too long (more than 2&ndash;3 minutes).  It
 	  locks the directory you are working with and will prevent other
 	  developers from committing into the same directory.  If you have
 	  to type a long commit message, type it before executing
 	  <command>cvs commit</command> and insert it into the commit
 	  message or save it in a file before committing and use the
 	  <option>-F</option> option of CVS to read the commit message from
 	  that file, i.e.</para>
 
 	  <screen>&prompt.user; <userinput>vi logmsg</userinput>
 &prompt.user; <userinput>cvs ci -F logmsg shazam</userinput></screen>
 
 	<para>This is the fastest way of passing a commit message to CVS but
 	  you should be careful when editing the <filename>logmsg</filename>
 	  file before the commit, because CVS will not give you a chance to edit
 	  the message when you do the actual commit.</para>
       </listitem>
     </orderedlist>
 
   </sect1>
 
   <sect1 id="conventions">
     <title>Conventions and Traditions</title>
 
     <para>As a new committer there are a number of things you should do
       first.</para>
 
     <itemizedlist>
       <listitem>
 	<para>Add your author entity to
 	  <filename>doc/en_US.ISO8859-1/share/sgml/authors.ent</filename>;
 	  this should be done first since an omission of this commit will
 	  cause the next commits to break the doc/ build.</para>
 
 	<para>This is a relatively easy task, but remains a good first test of
 	  your CVS skills.</para>
       </listitem>
 
       <listitem>
 	<para>Add yourself to the <quote>Developers</quote> section of
 	  the <ulink url="&url.articles.contributors;/index.html">Contributors List</ulink>
 	  and remove yourself from the <quote>Additional
 	  Contributors</quote> section.</para>
       </listitem>
 
       <listitem>
 	<para>Add an entry for yourself to
 	  <filename>www/en/news/news.xml</filename>. Look for the other
 	  entries that look like <quote>A new committer</quote> and follow the
 	  format.</para>
       </listitem>
 
       <listitem>
 	<para>You should add your PGP or GnuPG key to
 	  <filename>doc/share/pgpkeys</filename> (and if you do not
 	  have a key, you should create one).  Do not forget to commit
 	  the updated <filename>doc/share/pgpkeys/pgpkeys.ent</filename>.</para>
 
 	<para>&a.des; has
 	  written a shell script to make this extremely simple.  See the
 	  <ulink
 	  url="http://cvsweb.FreeBSD.org/doc/share/pgpkeys/README">README</ulink>
 	  file for more information.</para>
 
 	<note>
 	  <para>It is important to have an up-to-date PGP/GnuPG key in
 	    the Handbook, since the key may be required for positive
 	    identification of a committer, e.g. by the &a.admins; for
 	    account recovery.  A complete keyring of <hostid
 	    role="domainname">FreeBSD.org</hostid> users is available
 	    for download from <ulink
 	    url="&url.base;/doc/pgpkeyring.txt">http://www.FreeBSD.org/doc/pgpkeyring.txt</ulink>.</para>
 	</note>
       </listitem>
 
       <listitem>
 	<para>Some people add an entry for themselves to
 	  <filename>ports/astro/xearth/files/freebsd.committers.markers</filename>.</para>
       </listitem>
 
       <listitem>
 	<para>Some people add an entry for themselves to
 	  <filename>src/usr.bin/calendar/calendars/calendar.freebsd</filename>.</para>
       </listitem>
 
       <listitem>
 	<para>Introduce yourself to the other committers, otherwise no one
 	  will have any idea who you are or what you are working on.  You do
 	  not have to write a comprehensive biography, just write a paragraph
 	  or two about who you are and what you plan to be working on as a
 	  committer in FreeBSD.  Email this to the &a.developers; and you will
 	  be on your way!</para>
       </listitem>
 
       <listitem>
 	<para>Log into <hostid>hub.FreeBSD.org</hostid> and create a
 	  <filename>/var/forward/<replaceable>user</replaceable></filename>
 	  (where <replaceable>user</replaceable> is your username) file
 	  containing the e-mail address where you want mail addressed to
 	  <replaceable>yourusername</replaceable>@FreeBSD.org to be forwarded.
 	  This includes all of the commit messages as well as any other mail
 	  addressed to the &a.committers; and the &a.developers;.  Really
 	  large mailboxes which have taken up permanent residence on
 	  <hostid>hub</hostid> often get <quote>accidentally</quote> truncated
 	  without warning, so forward it or read it and you will not lose
 	  it.</para>
 
 	<para>Due to the severe load dealing with SPAM places on
 	  the central mail servers that do the mailing list processing
 	  the front-end server does do some basic checks and will
 	  drop some messages based on these checks.  At the moment
 	  proper DNS information for the connecting host is the only
 	  check in place but that may change.  Some people blame these
 	  checks for bouncing valid email.  If you want these checks
 	  turned off for your email you can place a file named
 	  <filename>~/.spam_lover</filename> in your home directory
 	  on <hostid role="fqdn">freefall.FreeBSD.org</hostid> to
 	  disable the checks for your email.</para>
       </listitem>
 
       <listitem>
 	<para>If you are subscribed to the &a.cvsall;, you will
 	  probably want to unsubscribe to avoid receiving duplicate
 	  copies of commit messages and their followups.</para>
       </listitem>
     </itemizedlist>
 
     <para>All new committers also have a mentor assigned to them for
       the first few months.  Your mentor is responsible for teaching
       you the rules and conventions of the project and guiding your
       first steps in the committer community.  He or she is also
       personally responsible for your actions during this initial
       period.  Until your mentor decides (and announces with a forced
       commit to <filename>access</filename>) that you have learned the
       ropes and are ready to commit on your own, you should not commit
       anything without first getting your mentor's review and
       approval, and you should document that approval with an
       <literal>Approved by:</literal> line in the commit
       message.</para>
 
     <para>All <filename>src</filename> commits should go to
       &os.current; first before being merged to &os.stable;.  No major
       new features or high-risk modifications should be made to the
       &os.stable; branch.</para>
   </sect1>
 
   <sect1 id="pref-license">
     <title>Preferred License for New Files</title>
 
     <para>Currently the &os; Project suggests and uses the following
       text as the preferred license scheme:</para>
 
 <programlisting>Copyright &copy; &lt;Year&gt; &lt;Author&gt;. All rights reserved.
 
 Redistribution and use in source and binary forms, with or without
 modification, are permitted provided that the following conditions
 are met:
 1. Redistributions of source code must retain the above copyright
    notice, this list of conditions and the following disclaimer.
 2. Redistributions in binary form must reproduce the above copyright
    notice, this list of conditions and the following disclaimer in the
    documentation and/or other materials provided with the distribution.
 
 THIS SOFTWARE IS PROVIDED BY AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 ARE DISCLAIMED.  IN NO EVENT SHALL AUTHOR OR CONTRIBUTORS BE LIABLE
 FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 SUCH DAMAGE.</programlisting>
 
     <para>The &os; project strongly discourages the so called
       advertising clause in new code.  Due to the large number of
       contributors to the &os; project, complying with this clause for
       many commercial vendors has become difficult.  If you have code
       in the tree with the advertising clause, please consider
       removing it.  In fact, please consider using the above license
       for your code.</para>
 
     <para>The &os; project discourages completely new licenses and
       variations on the standard licenses.  New licenses require the
       approval of <email>core@FreeBSD.org</email> to reside in the
       main repository.  The more different licenses that are used in
       the tree, the more problems that this causes to those wishing to
       utilize this code, typically from unintended consequences from a
       poorly worded license.</para>
 
   </sect1>
 
   <sect1 id="developer.relations">
     <title>Developer Relations</title>
 
     <para>If you are working directly on your own code or on code
       which is already well established as your responsibility, then
       there is probably little need to check with other committers
       before jumping in with a commit.  If you see a bug in an area of
       the system which is clearly orphaned (and there are a few such
       areas, to our shame), the same applies.  If, however, you are
       about to modify something which is clearly being actively
       maintained by someone else (and it is only by watching the
       <literal>cvs-committers</literal> mailing list that you can
       really get a feel for just what is and is not) then consider
       sending the change to them instead, just as you would have
       before becoming a committer.  For ports, you should contact the
       listed <makevar>MAINTAINER</makevar> in the
       <filename>Makefile</filename>.  For other parts of the
       repository, if you are unsure who the active maintainer might
       be, it may help to scan the output of <command>cvs log</command>
       to see who has committed changes in the past.  &a.fenner; has
       written a nice shell script that can help determine who the
       active maintainer might be.  It lists each person who has
       committed to a given file along with the number of commits each
       person has made.  It can be found on <hostid>freefall</hostid>
       at <filename>~fenner/bin/whodid</filename>.  If your queries go
       unanswered or the committer otherwise indicates a lack of
       proprietary interest in the area affected, go ahead and commit
       it.</para>
 
     <para>If you are unsure about a commit for any reason at
       all, have it reviewed by <literal>-hackers</literal>
       before committing.  Better to have it flamed then and there
       rather than when it is part of the CVS repository.  If you do
       happen to commit something which results in controversy
       erupting, you may also wish to consider backing the change out
       again until the matter is settled.  Remember &ndash; with CVS we
       can always change it back.</para>
 
     <para>Do not impugn the intentions of someone you disagree with.
       If they see a different solution to a problem than you, or even
       a different problem, it is not because they are stupid, because
       they have questionable parentage, or because they are trying to
       destroy your hard work, personal image, or FreeBSD, but simply
       because they have a different outlook on the world.  Different
       is good.</para>
 
     <para>Disagree honestly.  Argue your position from its merits,
       be honest about any shortcomings it may have, and be open to
       seeing their solution, or even their vision of the problem,
       with an open mind.</para>
 
     <para>Accept correction.  We are all fallible.  When you have made
       a mistake, apologize and get on with life.  Do not beat up
       yourself, and certainly do not beat up others for your mistake.
       Do not waste time on embarrassment or recrimination, just fix
       the problem and move on.</para>
 
     <para>Ask for help.  Seek out (and give) peer reviews.  One of
       the ways open source software is supposed to excel is in the
       number of eyeballs applied to it; this does not apply if nobody
       will review code.</para>
   </sect1>
 
   <sect1 id="gnats">
     <title>GNATS</title>
 
     <para>The FreeBSD Project utilizes
       <application>GNATS</application> for tracking bugs and change
       requests.  Be sure that if you commit a fix or suggestion found
       in a <application>GNATS</application> PR, you use
       <command>edit-pr <replaceable>pr-number</replaceable></command>
       on <hostid>freefall</hostid> to close it.  It is also considered
       nice if you take time to close any PRs associated with your
       commits, if appropriate.  You can also make use of
       &man.send-pr.1; yourself for proposing any change which you feel
       should probably be made, pending a more extensive peer-review
       first.</para>
 
     <para>You can find out more about <application>GNATS</application>
       at:</para>
 
     <itemizedlist>
       <listitem>
 	<para><ulink url="http://www.cs.utah.edu/csinfo/texinfo/gnats/gnats.html"></ulink></para>
       </listitem>
 
       <listitem>
 	<para><ulink url="&url.base;/support.html">http://www.FreeBSD.org/support.html</ulink></para>
       </listitem>
 
       <listitem>
 	<para>&man.send-pr.1;</para>
       </listitem>
     </itemizedlist>
 
     <para>You can run a local copy of GNATS, and then integrate the FreeBSD
       GNATS tree in to it using CVSup.  Then you can run GNATS commands
       locally, or use other interfaces, such as <command>tkgnats</command>.
       This lets you query the PR database without needing to be connected to
       the Internet.</para>
 
     <procedure>
       <title>Using a local GNATS tree</title>
 
       <step>
 	<para>If you are not already downloading the GNATS tree, add this line
 	  to your <filename>supfile</filename>, and re-sup. Note that since
 	  GNATS is not under CVS control it has no tag, so if you are adding
 	  it to your existing <filename>supfile</filename> it should appear
 	  before any <quote>tag=</quote> entry as these remain active once set.
 	</para>
 
 	<programlisting>gnats release=current prefix=/usr</programlisting>
 
 	<para>This will place the FreeBSD GNATS tree in
 	  <filename>/usr/gnats</filename>.  You can use a
 	  <emphasis>refuse</emphasis> file to control which categories to
 	  receive.  For example, to only receive <literal>docs</literal> PRs,
 	  put this line in
 	  <filename>/usr/local/etc/cvsup/sup/refuse</filename><footnote>
 	    <para>The precise path depends on the <literal>*default
 		base</literal> setting in your
 	      <filename>supfile</filename>.</para>
 	  </footnote>.</para>
 
 	<programlisting>gnats/[a-ce-z]*</programlisting>
 
 	<para>The rest of these examples assume you have only supped the
 	  <literal>docs</literal> category.  Adjust them as necessary,
 	  depending on the categories you are syncing.</para>
       </step>
 
       <step>
 	<para>Install the GNATS port from
 	  <filename>ports/databases/gnats</filename>.  This will place the
 	  various GNATS directories under
 	  <filename>$PREFIX/share/gnats</filename>.</para>
       </step>
 
       <step>
 	<para>Symlink the GNATS directories you are supping under the version
 	  of GNATS you have installed.</para>
 
 	<screen>&prompt.root; <userinput>cd /usr/local/share/gnats/gnats-db</userinput>
 &prompt.root; <userinput>ln -s /usr/gnats/docs</userinput></screen>
 
 	<para>Repeat as necessary, depending on how many GNATS categories you
 	  are syncing.</para>
       </step>
 
       <step>
 	<para>Update the GNATS <filename>categories</filename> file with these
 	  categories.  The file is
 	  <filename>$PREFIX/share/gnats/gnats-db/gnats-adm/categories</filename>.</para>
 
 	<programlisting># This category is mandatory
 pending:Category for faulty PRs:gnats-admin:
 #
 # FreeBSD categories
 #
 docs:Documentation Bug:freebsd-doc:</programlisting>
       </step>
 
       <step>
 	<para>Run <filename>$PREFIX/libexec/gnats/gen-index</filename> to
 	  recreate the GNATS index.  The output has to be redirected to
 	  <filename>$PREFIX/share/gnats/gnats-db/gnats-adm/index</filename>.
 	  You can do this periodically from &man.cron.8;, or run &man.cvsup.1;
 	  from a shell script that does this as well.</para>
 
 	<screen>&prompt.root; <userinput>/usr/local/libexec/gnats/gen-index \
 	> /usr/local/share/gnats/gnats-db/gnats-adm/index</userinput></screen>
       </step>
 
       <step>
 	<para>Test the configuration by querying the PR database.  This
 	  command shows open <literal>docs</literal> PRs.</para>
 
 	<screen>&prompt.root; <userinput>query-pr -c docs -s open</userinput></screen>
 
 	<para>Other interfaces, such as that provided by the
 	  <filename role="package">databases/tkgnats</filename> port should also work
 	  nicely.</para>
       </step>
 
       <step>
 	<para>Pick a PR and close it.</para>
       </step>
     </procedure>
 
     <note>
       <para>This procedure only works to allow you to view and query the PRs
 	locally.  To edit or close them you will still have to log in to
 	<hostid>freefall</hostid> and do it from there.</para>
     </note>
   </sect1>
 
   <sect1 id="people">
     <title>Who's Who</title>
 
     <para>Besides the repository
     meisters, there are other FreeBSD project members and teams whom you will
     probably get to know in your role as a committer.  Briefly,
     and by no means all-inclusively, these are:</para>
 
     <!-- XXX The TRB are missing -->
 
     <variablelist>
 
       <varlistentry>
 	<term>&a.jhb;</term>
 
 	<listitem>
 	  <para>John is the manager of the SMPng Project, and has
 	    authority over the architectural design and implementation
 	    of the move to fine-grained kernel threading and locking.
 	    He's also the editor of the SMPng Architecture Document.
 	    If you are working on fine-grained SMP and locking, please
 	    coordinate with John.  You can learn more about the
 	    SMPng Project on its home page:
 	    <ulink url="http://www.FreeBSD.org/smp/"></ulink></para>
 	</listitem>
       </varlistentry>
 
       <varlistentry>
 	<term>&a.jake;, &a.tmm;</term>
 
 	<listitem>
 	  <para>Jake and Thomas are the maintainers of the &sparc64; hardware
 	    port.</para>
 	</listitem>
       </varlistentry>
 
       <varlistentry>
 	<term>&a.doceng;</term>
 
 	<listitem>
 	  <para>doceng is the group responsible for the documentation build
 	    infrastructure, approving new documentation committers, and
 	    ensuring that the FreeBSD website and documentation on the FTP
 	    site is up to date with respect to the CVS tree.  It is not a
 	    conflict resolution body.  The vast majority of documentation
 	    related discussion takes place on the &a.doc;.  More details regarding the doceng team can be found in its <ulink url="http://www.FreeBSD.org/internal/doceng.html">charter</ulink>.  Committers
 	    interested in contributing to the documentation should familiarize
 	    themselves with the <ulink
 	    url="&url.books.fdp-primer;/index.html">Documentation Project
 	    Primer</ulink>.</para>
 	</listitem>
       </varlistentry>
 
       <varlistentry>
 	<term>&a.ru;</term>
 
 	<listitem>
 	  <para>Ruslan is Mister &man.mdoc.7;.  If you are writing a
 	    manual page and need
 	    some advice on the structure, or the markup, ask Ruslan.</para>
 	</listitem>
       </varlistentry>
 
       <varlistentry>
 	<term>&a.bde;</term>
 
 	<listitem>
 	  <para>Bruce is the Style Police-Meister.
 	    When you do a commit that could have been done better,
 	    Bruce will be there to tell you.  Be thankful that someone
 	    is.  Bruce is also very knowledgeable on the various
 	    standards applicable to FreeBSD.</para>
 	</listitem>
       </varlistentry>
 
       <varlistentry>
 	<term>&a.gallatin;</term>
 	<term>&a.mjacob;</term>
 	<term>&a.dfr;</term>
 	<term>&a.obrien;</term>
 
 	<listitem>
 	  <para>These are the primary developers and overseers of the
 	  DEC Alpha AXP platform.</para>
 	</listitem>
       </varlistentry>
 
       <varlistentry>
 	<term>&a.dg;</term>
 
 	<listitem>
 	  <para>David is the overseer of the
 	    VM system.  If you have a VM system change in mind,
 	    coordinate it with David.</para>
 	</listitem>
       </varlistentry>
 
 	  <varlistentry>
 	<term>&a.dfr;</term>
 	<term>&a.marcel;</term>
 	<term>&a.peter;</term>
 	<term>&a.ps;</term>
 
 	<listitem>
 	  <para>These are the primary developers and overseers of the
 	  Intel IA-64 platform, officially known as the &itanium; Processor
 	  Family (IPF).</para>
 	</listitem>
 	  </varlistentry>
 
       <varlistentry>
 	<term>&a.murray;</term>
 	<term>&a.steve;</term>
 	<term>&a.rwatson;</term>
 	<term>&a.jhb;</term>
 	<term>&a.scottl;</term>
 	<term>&a.kensmith;</term>
 	<term>&a.hrs;</term>
 
 	<listitem>
 	  <para>These are the members of the &a.re;.  This team is
 	    responsible for setting release deadlines and controlling
 	    the release process.  During code freezes, the release
 	    engineers have final authority on all changes to the
 	    system for whichever branch is pending release status.  If
 	    there is something you want merged from &os.current; to
 	    &os.stable; (whatever values those may have at any given
 	    time), these are the people to talk to about it.</para>
 
 	  <para>Hiroki is also the keeper of the release documentation
 	    (<filename>src/release/doc/*</filename>).  If you commit a
 	    change that you think is worthy of mention in the release notes,
 	    please make sure he knows about it.  Better still, send him
 	    a patch with your suggested commentary.</para>
 	</listitem>
       </varlistentry>
 
       <varlistentry>
 	<term>&a.benno;</term>
 
 	<listitem>
 	  <para>Benno is the official maintainer of the &powerpc; port.</para>
 	</listitem>
       </varlistentry>
 
       <varlistentry>
 	<term>&a.brian;</term>
 
 	<listitem>
 	  <para>Official maintainer of
 	    <filename>/usr/sbin/ppp</filename>.</para>
 	</listitem>
       </varlistentry>
 
       <varlistentry>
 	<term>&a.nectar;</term>
 
 	<listitem>
 	  <para>Jacques is the
 	  <ulink url="&url.base;/security/">FreeBSD Security
 	  Officer</ulink>
 	  and oversees the &a.security-officer;.
 	  </para>
 	</listitem>
       </varlistentry>
 
       <varlistentry>
 	<term>&a.wollman;</term>
 
 	<listitem>
 	  <para>If you need advice on obscure network internals or
 	    are not sure of some potential change to the networking
 	    subsystem you have in mind, Garrett is someone to talk
 	    to.  Garrett is also very knowledgeable on the various
 	    standards applicable to FreeBSD.</para>
 	</listitem>
       </varlistentry>
 
       <varlistentry>
 	<term>&a.committers;</term>
 
 	<listitem>
 	  <para>cvs-committers is the entity that CVS uses to send you all your
 	    commit messages.  You should <emphasis>never</emphasis> send email
 	    directly to this list.  You should only send replies to this list
 	    when they are short and are directly related to a commit.</para>
 	</listitem>
       </varlistentry>
 
       <varlistentry>
 	<term>&a.developers;</term>
 
 	<listitem>
 	  <para>All committers are subscribed to -developers.  This list was created to be a
 	    forum for the committers <quote>community</quote> issues.
 	    Examples are Core
 	    voting, announcements, etc.  This list is
 	    <emphasis>not</emphasis> intended as a place for code reviews or a
 	    replacement for the &a.arch; or the &a.audit;.  In fact
 	    using it as such hurts the FreeBSD Project as it gives a sense of a
 	    closed list where general decisions affecting all of the FreeBSD
 	    using community are made without being <quote>open</quote>.
 	    Last, but not least <emphasis>never, never ever, email
 	    the &a.developers; and CC:/BCC: another FreeBSD list</emphasis>.
 	    Never, ever email another FreeBSD email list and CC:/BCC:
 	    the &a.developers;.  Doing so can greatly diminish the benefits
 	    of this list.  Also, never publicly post or forward emails sent
 	    to the &a.developers;.  The act of sending to
 	    the &a.developers; vs. a public list means the information in
 	    the email is not for public consumption.
 	  </para>
 	</listitem>
       </varlistentry>
     </variablelist>
   </sect1>
 
   <sect1 id="ssh.guide">
     <title>SSH Quick-Start Guide</title>
 
     <procedure>
       <step>
 	<para>If you are using FreeBSD 4.0 or later,
 	  OpenSSH is included in the base system.
 	  If you are using an earlier release,
 	  update and install one of the SSH ports.  In general,
 	  you will probably want to get OpenSSH from the
 	  <filename role="package">security/openssh</filename> port.  You
 	  may also wish to check out the original ssh1 in the
 	  <filename role="package">security/ssh</filename> port, but make
 	  certain you pay attention to its license.  Note that both
 	  of these ports cannot be installed at the same time.</para>
       </step>
 
       <step>
 	<para>If you do not wish to type your password in every
 	  time you use &man.ssh.1;, and you use RSA or DSA keys to
 	  authenticate, &man.ssh-agent.1; is there for your
 	  convenience.  If you want to use &man.ssh-agent.1;, make
 	  sure that you run it before running other applications.  X
 	  users, for example, usually do this from their
 	  <filename>.xsession</filename> or
 	  <filename>.xinitrc</filename> file.  See &man.ssh-agent.1;
 	  for details.</para>
       </step>
 
       <step>
 	<para>Generate a key pair using &man.ssh-keygen.1;.  The key
 	  pair will wind up in your
 	  <filename><envar>$HOME</envar>/.ssh/</filename>
 	  directory.</para>
       </step>
 
       <step>
 	<para>Send your public key
 	  (<filename><envar>$HOME</envar>/.ssh/id_dsa.pub</filename>
 	  or <filename><envar>$HOME</envar>/.ssh/id_rsa.pub</filename>)
 	  to the person setting you up as a committer so it can be put
 	  into <filename><replaceable>yourlogin</replaceable></filename> file in
 	  <filename class="directory">/c/ssh-keys/</filename> on
 	  <hostid>freefall</hostid>.
 	</para>
       </step>
     </procedure>
 
     <para>Now you should be able to use &man.ssh-add.1; for
       authentication once per session.  This will prompt you for
       your private key's pass phrase, and then store it in your
       authentication agent (&man.ssh-agent.1;).  If you no longer
       wish to have your key stored in the agent, issuing
       <command>ssh-add -d</command> will remove it.</para>
 
     <para>Test by doing something such as <command>ssh
 	freefall.FreeBSD.org ls /usr</command>.</para>
 
     <para>For more information, see
       <filename role="package">security/openssh</filename>, &man.ssh.1;,
       &man.ssh-add.1;, &man.ssh-agent.1;, &man.ssh-keygen.1;, and
       &man.scp.1;.</para>
   </sect1>
 
   <sect1 id="rules">
     <title>The FreeBSD Committers' Big List of Rules</title>
 
     <orderedlist>
       <listitem>
 	<para>Respect other committers.</para>
       </listitem>
 
       <listitem>
 	<para>Respect other contributors.</para>
       </listitem>
 
       <listitem>
 	<para>Discuss any significant change
 	  <emphasis>before</emphasis> committing.</para>
       </listitem>
 
       <listitem>
 	<para>Respect existing maintainers (if listed in the
 	  <makevar>MAINTAINER</makevar> field in
 	  <filename>Makefile</filename> or in the
 	  <filename>MAINTAINER</filename> file in the top-level
 	  directory).</para>
       </listitem>
 
       <listitem>
 	<para>Any disputed change must be backed out pending
 	  resolution of the dispute if requested by a maintainer.
 	  Security related changes may
 	  override a maintainer's wishes at the Security Officer's
 	  discretion.</para>
       </listitem>
 
       <listitem>
 	<para>Changes go to &os.current; before
 	  &os.stable; unless specifically permitted by
 	  the release engineer or unless they are not applicable to
 	  &os.current;.  Any non-trivial or non-urgent
 	  change which is applicable should also be allowed to sit in
 	  &os.current; for at least 3 days before
 	  merging so that it can be given sufficient testing.  The
 	  release engineer has the same authority over the
 	  &os.stable; branch as outlined for the
 	  maintainer in rule #5.</para>
       </listitem>
 
       <listitem>
 	<para>Do not fight in public with other committers; it looks
 	  bad.  If you must <quote>strongly disagree</quote> about
 	  something, do so only in private.</para>
       </listitem>
 
       <listitem>
 	<para>Respect all code freezes and read the
 	  <literal>committers</literal> and <literal>developers</literal>
 	  mailing lists in a timely manner so you know when a code freeze is
 	  in effect.</para>
       </listitem>
 
       <listitem>
 	<para>When in doubt on any procedure, ask first!</para>
       </listitem>
 
       <listitem>
 	<para>Test your changes before committing them.</para>
       </listitem>
 
       <listitem>
 	<para>Do not commit to anything under the
 	  <filename>src/contrib</filename>,
 	  <filename>src/crypto</filename>, and
 	  <filename>src/sys/contrib</filename> trees without
 	  <emphasis>explicit</emphasis> approval from the respective
 	  maintainer(s).</para>
       </listitem>
     </orderedlist>
 
     <para>As noted, breaking some of these rules can be grounds for
       suspension or, upon repeated offense, permanent removal of
       commit privileges.  Individual members of core
       have the power to temporarily suspend commit privileges until
       core as a whole has the chance to review the
       issue.  In case of an <quote>emergency</quote> (a committer
       doing damage to the repository), a temporary suspension may also
       be done by the repository meisters.
       Only a 2/3 majority of core
       has the authority to suspend commit privileges for longer
       than a week or to remove them permanently.
       This rule does not exist to set core up as a bunch
       of cruel dictators who can dispose of committers as casually as
       empty soda cans, but to give the project a kind of safety fuse.
       If someone is out of control, it is important to be
       able to deal with this immediately rather than be paralyzed by
       debate.  In all cases, a committer whose privileges are
       suspended or revoked is entitled to a <quote>hearing</quote> by core,
       the total duration of the suspension being determined at that
       time.  A committer whose privileges are suspended may also
       request a review of the decision after 30 days and every 30 days
       thereafter (unless the total suspension period is less than 30
       days).  A committer whose privileges have been revoked entirely
       may request a review after a period of 6 months has elapsed.
       This review policy is <emphasis>strictly informal</emphasis>
       and, in all cases, core reserves the right to either act on or
       disregard requests for review if they feel their original
       decision to be the right one.</para>
 
     <para>In all other aspects of project operation, core is a subset
       of committers and is bound by the <emphasis>same
       rules</emphasis>.  Just because someone is in core this does not mean
       that they have special dispensation to step outside any of
       the lines painted here; core's <quote>special powers</quote>
       only kick in when it acts as a group, not on an individual
       basis.  As individuals, the core team members are all committers
       first and core second.</para>
 
     <sect2>
       <title>Details</title>
 
       <orderedlist>
 	<listitem id="respect">
 	  <para>Respect other committers.</para>
 
 	  <para>This means that you need to treat other committers as
 	    the peer-group developers that they are.  Despite our
 	    occasional attempts to prove the contrary, one does not get
 	    to be a committer by being stupid and nothing rankles more
 	    than being treated that way by one of your peers.  Whether
 	    we always feel respect for one another or not (and
 	    everyone has off days), we still have to
 	    <emphasis>treat</emphasis> other committers with respect
 	    at all times, on public forums and in private email.</para>
 
 	  <para>Being able to work together long term is this project's
 	    greatest asset, one far more important than any set of
 	    changes to the code, and turning arguments about code into
 	    issues that affect our long-term ability to work
 	    harmoniously together is just not worth the trade-off by
 	    any conceivable stretch of the imagination.</para>
 
 	  <para>To comply with this rule, do not send email when you are
 	    angry or otherwise behave in a manner which is likely to
 	    strike others as needlessly confrontational.  First calm
 	    down, then think about how to communicate in the most
 	    effective fashion for convincing the other person(s) that
 	    your side of the argument is correct, do not just blow off
 	    some steam so you can feel better in the short term at the
 	    cost of a long-term flame war.  Not only is this very bad
 	    <quote>energy economics</quote>, but repeated displays of
 	    public aggression which impair our ability to work well
 	    together will be dealt with severely by the project
 	    leadership and may result in suspension or termination of
 	    your commit privileges.  The project leadership will
 	    take into account both public and private communications
 	    brought before it.  It will not seek the disclosure of
 	    private communications, but it will take it into account
 	    if it is volunteered by the committers involved in the
 	    complaint.</para>
 
 	    <para>All of this is never an option which the
 	    project's leadership enjoys in the slightest, but unity
 	    comes first.  No amount of code or good advice is worth
 	    trading that away.</para>
 	</listitem>
 
 	<listitem>
 	  <para>Respect other contributors.</para>
 
 	  <para>You were not always a committer. At one time you were
 	    a contributor. Remember that at all times. Remember what
 	    it was like trying to get help and attention.  Do not forget
 	    that your work as a contributor was very important to
 	    you.  Remember what it was like. Do not discourage, belittle,
 	    or demean contributors.  Treat them with respect.  They are
 	    our committers in waiting.  They are every bit as important
 	    to the project as committers. Their contributions are as
 	    valid and as important as your own.  After all, you made
 	    many contributions before you became a committer.  Always
 	    remember that.  </para>
 
 	  <para>Consider the points raised under <xref linkend="respect">
 	    and apply them also to contributors.</para>
 	</listitem>
 
 	<listitem>
 	  <para>Discuss any significant change
 	    <emphasis>before</emphasis> committing.</para>
 
 	  <para>The CVS repository is not where changes should be
 	    initially submitted for correctness or argued over, that
 	    should happen first in the mailing lists and the commit should
 	    only happen once something resembling consensus has
 	    been reached.  This does not mean that you have to ask
 	    permission before correcting every obvious syntax error or
 	    manual page misspelling, simply that you should try to
 	    develop a feel for when a proposed change is not quite such
 	    a no-brainer and requires some feedback first.  People
 	    really do not mind sweeping changes if the result is
 	    something clearly better than what they had before, they
 	    just do not like being <emphasis>surprised</emphasis> by
 	    those changes.  The very best way of making sure that
 	    you are on the right track is to have your code reviewed by
 	    one or more other committers.</para>
 
 	  <para>When in doubt, ask for review!</para>
 	</listitem>
 
 	<listitem>
 	  <para>Respect existing maintainers if listed.</para>
 
 	  <para>Many parts of FreeBSD are not <quote>owned</quote> in
 	    the sense that any specific individual will jump up and
 	    yell if you commit a change to <quote>their</quote> area,
 	    but it still pays to check first.  One convention we use
 	    is to put a maintainer line in the
 	    <filename>Makefile</filename> for any package or subtree
 	    which is being actively maintained by one or more people;
 	    see <ulink
 	    url="&url.books.developers-handbook;/policies.html"></ulink>
 	    for documentation on this.  Where sections of code have
 	    several maintainers, commits to affected areas by one
 	    maintainer need to be reviewed by at least one other
 	    maintainer.  In cases where the
 	    <quote>maintainer-ship</quote> of something is not clear,
 	    you can also look at the CVS logs for the file(s) in
 	    question and see if someone has been working recently or
 	    predominantly in that area.</para>
 
 	  <para>Other areas of FreeBSD fall under the control of
 	    someone who manages an overall category of FreeBSD
 	    evolution, such as internationalization or networking.
 	    See <ulink
 	    url="&url.articles.contributors;/staff-who.html">
 	    http://www.FreeBSD.org/doc/en_US.ISO8859-1/articles/contributors/staff-who.html</ulink>
 	    for more information on this.</para>
 	</listitem>
 
 	<listitem>
 	  <para>Any disputed change must be backed out pending
 	    resolution of the dispute if requested by a maintainer.
 	    Security related changes may
 	    override a maintainer's wishes at the Security Officer's
 	    discretion.</para>
 
 	  <para>This may be hard to swallow in times of conflict (when
 	    each side is convinced that they are in the right, of
 	    course) but CVS makes it unnecessary to have an ongoing
 	    dispute raging when it is far easier to simply reverse the
 	    disputed change, get everyone calmed down again and then
 	    try to figure out what is the best way to proceed.  If the change
 	    turns out to be the best thing after all, it can be easily
 	    brought back. If it turns out not to be, then the users
 	    did not have to live with the bogus change in the tree
 	    while everyone was busily debating its merits.  People
 	    very very rarely call for back-outs in the repository
 	    since discussion generally exposes bad or controversial
 	    changes before the commit even happens, but on such rare
 	    occasions the back-out should be done without argument so
 	    that we can get immediately on to the topic of figuring
 	    out whether it was bogus or not.</para>
 	</listitem>
 
 	<listitem>
 	  <para>Changes go to &os.current; before
 	    &os.stable; unless specifically permitted
 	    by the release engineer or unless they are not applicable
 	    to &os.current;.  Any non-trivial or
 	    non-urgent change which is applicable should also be
 	    allowed to sit in &os.current; for at least
 	    3 days before merging so that it can be given sufficient
 	    testing.  The release engineer has the same authority over
 	    the &os.stable; branch as outlined in rule
 	    #5.</para>
 
 	  <para>This is another <quote>do not argue about it</quote>
 	    issue since it is the release engineer who is ultimately
 	    responsible (and gets beaten up) if a change turns out to
 	    be bad.  Please respect this and give the release engineer
 	    your full cooperation when it comes to the
 	    &os.stable; branch.  The management of
 	    &os.stable; may frequently seem to be
 	    overly conservative to the casual observer, but also bear
 	    in mind the fact that conservatism is supposed to be the
 	    hallmark of &os.stable; and different rules
 	    apply there than in &os.current;.  There is
 	    also really no point in having &os.current;
 	    be a testing ground if changes are merged over to
 	    &os.stable; immediately.  Changes need a
 	    chance to be tested by the &os.current;
 	    developers, so allow some time to elapse before merging
 	    unless the &os.stable; fix is critical,
 	    time sensitive or so obvious as to make further testing
 	    unnecessary (spelling fixes to manual pages, obvious bug/typo
 	    fixes, etc.)  In other words, apply common sense.</para>
 
 	  <para>Changes to the security branches
 	    (for example, <literal>RELENG_4_5</literal>) must be
 	    approved by a member of the &a.security-officer;, or in
 	    some cases, by a member of the &a.re;.</para>
 	</listitem>
 
 	<listitem>
 	  <para>Do not fight in public with other committers; it looks
 	    bad.  If you must <quote>strongly disagree</quote> about
 	    something, do so only in private.</para>
 
 	  <para>This project has a public image to uphold and that
 	    image is very important to all of us, especially if we are
 	    to continue to attract new members.  There will be
 	    occasions when, despite everyone's very best attempts at
 	    self-control, tempers are lost and angry words are
 	    exchanged.  The best thing that can be done in such cases is to minimize
 	    the effects of this until everyone has cooled back down.  That
 	    means that you should not air your angry words in public
 	    and you should not forward private correspondence to
 	    public mailing lists or aliases.  What people say
 	    one-to-one is often much less sugar-coated than what they
 	    would say in public, and such communications therefore
 	    have no place there - they only serve to inflame an
 	    already bad situation. If the person sending you a
 	    flame-o-gram at least had the grace to send it privately,
 	    then have the grace to keep it private yourself.  If you
 	    feel you are being unfairly treated by another developer,
 	    and it is causing you anguish, bring the matter up with
 	    core rather than taking it public.  Core will do its best to
 	    play peace makers and get things back to sanity.  In cases
 	    where the dispute involves a change to the codebase and
 	    the participants do not appear to be reaching an amicable
 	    agreement, core may appoint a mutually-agreeable 3rd party
 	    to resolve the dispute.  All parties involved must then
 	    agree to be bound by the decision reached by this 3rd
 	    party.</para>
 	    <!-- XXX Mention TRB here too -->
 	</listitem>
 
 	<listitem>
 	  <para>Respect all code freezes and read the
 	    <literal>committers</literal> and <literal>developers</literal>
 	    mailing list on a timely basis so you know when a code freeze is
 	    in effect.</para>
 
 	  <para>Committing unapproved changes during a code freeze is a really
 	    big mistake and committers are expected to keep up-to-date
 	    on what is going on before jumping in after a long absence
 	    and committing 10 megabytes worth of accumulated stuff.
 	    People who abuse this on a regular basis will have their
 	    commit privileges suspended until they get back from the
 	    FreeBSD Happy Reeducation Camp we run in Greenland.</para>
 	</listitem>
 
 	<listitem>
 	  <para>When in doubt on any procedure, ask first!</para>
 
 	  <para>Many mistakes are made because someone is in a hurry
 	    and just assumes they know the right way of doing
 	    something.  If you have not done it before, chances are
 	    good that you do not actually know the way we do things
 	    and really need to ask first or you are going to
 	    completely embarrass yourself in public.  There is no shame
 	    in asking <quote>how in the heck do I do this?</quote> We
 	    already know you are an intelligent person; otherwise, you
 	    would not be a committer.</para>
 	</listitem>
 
 	<listitem>
 	  <para>Test your changes before committing them.</para>
 
 	  <!-- XXX Needs update re sparc64 + pc98
 	    Also, needs more details on which machines are available for testing
 	  -->
 	  <para>This may sound obvious, but if it really were so
 	    obvious then we probably would not see so many cases of
 	    people clearly not doing this.  If your changes are to the
 	    kernel, make sure you can still compile both GENERIC and
 	    LINT.  If your changes are anywhere else, make sure you
 	    can still make world.  If your changes are to a branch,
 	    make sure your testing occurs with a machine which is
 	    running that code.  If you have a change which also may
 	    break another architecture, be sure and test on all
 	    supported architectures.  Please refer to the <ulink
 	    url="http://www.FreeBSD.org/internal/">FreeBSD Internal
 	    Page</ulink> for a list of available resources.  As other
 	    architectures are added to the FreeBSD supported platforms
 	    list, the appropriate shared testing resources will be
 	    made available.</para>
 	</listitem>
 
 	<listitem>
 	  <para>Do not commit to anything under the
 	    <filename>src/contrib</filename>,
 	    <filename>src/crypto</filename>, and
 	    <filename>src/sys/contrib</filename> trees without
 	    <emphasis>explicit</emphasis> approval from the respective
 	    maintainer(s).</para>
 
 	  <para>The trees mentioned above are for contributed software
 	    usually imported onto a vendor branch.  Committing something
 	    there, even if it does not take the file off the vendor branch,
 	    may cause unnecessary headaches for those responsible for
 	    maintaining that particular piece of software.  Thus, unless
 	    you have <emphasis>explicit</emphasis> approval from the
 	    maintainer (or you are the maintainer), do
 	    <emphasis>not</emphasis> commit there!</para>
 
 	  <para>Please note that this does not mean you should not try to
 	    improve the software in question; you are still more than
 	    welcome to do so.  Ideally, you should submit your patches to
 	    the vendor.  If your changes are FreeBSD-specific, talk to the
 	    maintainer; they may be willing to apply them locally.  But
 	    whatever you do, do <emphasis>not</emphasis> commit there by
 	    yourself!</para>
 
 	  <para>Contact the &a.core; if you wish to take up maintainership
 	    of an unmaintained part of the tree.</para>
 	</listitem>
       </orderedlist>
     </sect2>
 
     <sect2>
       <title>Policy on Multiple Architectures</title>
 
       <para>FreeBSD has added several new arch ports during the 5.0
 	release cycle and is truly no longer an &i386; centric operating
 	system.  In an effort to make it easier to keep FreeBSD portable
 	across the platforms we support, core has developed the following
 	mandate:</para>
 
 	<blockquote>
 	  <para>Our 32 bit reference platform is i386, and our 64 bit
 	    reference platform is Sparc64.  Major design work (including
 	    major API and ABI changes) must prove itself on at least one
 	    32 bit and at least one 64 bit platform, preferably the
 	    primary reference platforms, before it may be committed
 	    to the source tree.</para>
 	</blockquote>
 
       <para>The i386 and Sparc64 platforms were chosen due to being more
 	readily available to developers and as representatives of more
 	diverse processor and system designs - big vs little endian,
 	register file vs register stack, different DMA and cache
 	implementations, hardware page tables vs software TLB management
 	etc.</para>
 
       <para>While the Alpha is a 64 bit processor, it is a more
 	traditional processor design and does not provide as good a testbed
 	for many of the challenges that the other 64 bit platform ports
 	face.  The ia64 platform has many of the same complications that
 	Sparc64 has, but is still limited in availability to
 	developers.</para>
 
       <para>We will continue to re-evaluate this policy as cost and
 	availability of the 64 bit platforms change.</para>
 
       <para>Developers should also be aware of our Tier Policy for
 	the long term support of hardware architectures.  The rules
 	here are intended to provide guidance during the development
 	process, and are distinct from the requirements for features
 	and architectures listed in that section.  The Tier rules for
 	feature support on architectures at release-time are more
 	strict than the rules for changes during the development
 	process.</para>
     </sect2>
 
     <sect2>
       <title>Other Suggestions</title>
 
       <para>When committing documentation changes, use a spell checker
 	before committing.  For all SGML docs, you should also
 	verify that your formatting directives are correct by running
 	<command>make lint</command>.</para>
 
       <para>For all on-line manual pages, run <command>manck</command>
 	(from ports) over the manual page to verify all of the cross
 	references and file references are correct and that the man
 	page has all of the appropriate <makevar>MLINK</makevar>s
 	installed.</para>
 
       <para>Do not mix style fixes with new functionality.  A style
 	fix is any change which does not modify the functionality of
 	the code.  Mixing the changes obfuscates the functionality
 	change when using <command>cvs diff</command>, which can hide
 	any new bugs.  Do not include whitespace changes with content
 	changes in commits to <filename>doc/</filename> or
 	<filename>www/</filename>.  The extra clutter in the diffs
 	makes the translators' job much more difficult.  Instead, make
 	any style or whitespace changes in separate commits that are
 	clearly labeled as such in the commit message.</para>
     </sect2>
 
     <sect2>
       <title>Deprecating Features</title>
 
       <para>When it is necessary to remove functionality from software
 	in the base system the following guidelines should be followed
 	whenever possible:</para>
 
       <orderedlist>
 	<listitem>
 	  <para>Mention is made in the manual page and possibly the
 	    release notes that the option, utility, or interface is
 	    deprecated.  Use of the deprecated feature generates a
 	    warning.</para>
 	</listitem>
 
 	<listitem>
 	  <para>The option, utility, or interface is preserved until
 	    the next major (point zero) release.</para>
 	</listitem>
 
 	<listitem>
 	  <para>The option, utility, or interface is removed and no
 	    longer documented.  It is now obsolete.  It is also
 	    generally a good idea to note its removal in the release
 	    notes.</para>
 	</listitem>
       </orderedlist>
     </sect2>
   </sect1>
 
   <sect1 id="archs">
     <title>Support for Multiple Architectures</title>
 
     <para>FreeBSD is a highly portable operating system intended to
       function on many different types of hardware architectures.
       Maintaining clean separation of Machine Dependent (MD) and Machine
       Independent (MI) code, as well as minimizing MD code, is an important
       part of our strategy to remain agile with regards to current
       hardware trends.  Each new hardware architecture supported by
       FreeBSD adds substantially to the cost of code maintenance,
       toolchain support, and release engineering.  It also dramatically
       increases the cost of effective testing of kernel changes.  As such,
       there is strong motivation to differentiate between classes of
       support for various architectures while remaining strong in a few
       key architectures that are seen as the FreeBSD "target audience".
       </para>
 
     <sect2>
       <title>Statement of General Intent</title>
 
       <para>The FreeBSD Project targets "production quality commercial
 	off-the-shelf (COTS) workstation, server, and high-end embedded
 	systems".  By retaining a focus on a narrow set of architectures
 	of interest in these environments, the FreeBSD Project is able
 	to maintain high levels of quality, stability, and performance,
 	as well as minimize the load on various support teams on the
 	project, such as the ports team, documentation team,
 	security officer, and release engineering teams.  Diversity in
 	hardware support broadens the options for FreeBSD consumers by
 	offering new features and usage opportunities (such as support
 	for 64-bit CPUs, use in embedded environments, etc.), but these
 	benefits must always be carefully considered in terms of the real-world
 	maintenance cost associated with additional platform support.
 	</para>
 
       <para>The FreeBSD Project differentiates platform targets into
 	four tiers.  Each tier includes a specification of the
 	requirements for an architecture to be in that tier,
 	as well as specifying the obligations of developers with
 	regards to the platform.  In addition, a policy is defined
 	regarding the circumstances required to change the tier
 	of an architecture.</para>
     </sect2>
 
     <sect2>
       <title>Tier 1: Fully Supported Architectures</title>
 
       <para>Tier 1 platforms are fully supported by the security
 	officer, release engineering, and toolchain maintenance staff.
 	New features added to the operating system must be fully
 	functional across all Tier 1 architectures for every release
 	(features which are inherently architecture-specific, such as
 	support for hardware device drivers, may be exempt from this
 	requirement).  In general, all Tier 1 platforms must have build
 	and tinderbox support either in the FreeBSD.org cluster, or
 	easily available for all developers.</para>
 
       <para>Tier 1 architectures are expected to be Production Quality
 	with respects to all aspects of the FreeBSD operating system,
 	including installation and development environments.</para>
 
       <para>Current Tier 1 platforms are i386, Sparc64, AMD64, and PC98.</para>
     </sect2>
 
     <sect2>
       <title>Tier 2: Developmental Architectures</title>
 
       <para>Tier 2 platforms are not supported by the security officer
 	and release engineering teams.  At the discretion of the
 	toolchain maintainer, they may be supported in the toolchain.  New
 	features added to FreeBSD should be feasible to implement on these
 	platforms, but an implementation is not required before the
 	feature may be added to the FreeBSD source tree. The
 	implementation of a Tier 2 architecture may be committed to the
 	main FreeBSD tree as long as it does not interfere with
 	production work on Tier 1 platforms, or substantially with other
 	Tier 2 platforms.  Before a Tier 2 platform can be added to the
 	FreeBSD base source tree, the platform must be able to boot to at
 	least single-user mode on real world commodity hardware.  Some
 	exceptions to these rules may be made for new hardware that is
 	under development by hardware vendors, but not yet available to
 	the project.</para>
 
       <para>Tier 2 architectures are usually systems targeted at Tier 1
 	support, but that are still under development.  Architectures
 	reaching end of life may also be moved from Tier 1 status to Tier
 	2 status as the availability of resources to continue to maintain
 	the system in a Production Quality state diminishes.</para>
 
       <para>Current Tier 2 platforms are Alpha, PowerPC and ia64.</para>
     </sect2>
 
     <sect2>
       <title>Tier 3: Experimental Architectures</title>
 
       <para>Tier 3 platforms are not supported by the security officer
 	and release engineering teams.  At the discretion of the toolchain
 	maintainer, they may be supported in the toolchain.  Tier 3
 	platforms are architectures for which hardware is not or will not
 	be available to the project in the foreseeable future, for which
 	there are two or fewer active developers, that can not boot to at
 	least single-user mode on real hardware (or a simulator for new
 	hardware platforms), or which are considered legacy systems
 	unlikely to see broad future use.  Tier 3 systems will not be
 	committed to the base source tree, although support for Tier 3
 	systems may be worked on in the FreeBSD Perforce Repository,
 	providing source control and easier change integration from the
 	main FreeBSD tree.</para>
 
       <para>Current Tier 3 platforms are &s390;.</para>
     </sect2>
 
     <sect2>
       <title>Tier 4: Unsupported Architectures</title>
 
       <para>Tier 4 systems are not supported in any form by the project.
 	</para>
 
       <para>All systems not otherwise classified into a support tier
 	are Tier 4 systems.</para>
     </sect2>
 
     <sect2>
       <title>Policy on Changing the Tier of an Architecture</title>
 
       <para>Systems may only be moved from one tier to another by
 	approval of the FreeBSD Core Team, which shall make that
 	decision in collaboration with the Security Officer, Release
 	Engineering, and toolchain maintenance teams.</para>
     </sect2>
   </sect1>
 
   <sect1 id="ports">
     <title>Ports Specific FAQ</title>
 
     <qandaset>
       <qandadiv>
 	<title>Adding a New Port</title>
 
 	<qandaentry>
 	  <question>
 	    <para>How do I add a new port?</para>
 	  </question>
 
 	  <answer>
 	    <para>First, please read the section about repository
 	      copies.</para>
 
 	    <para>The easiest way to add a new port is to use the
 	      <command>addport</command> script on
 	      <hostid>freefall</hostid>.  It will add a port from the
 	      directory you specify, determining the category automatically
 	      from the port <filename>Makefile</filename>.
 	      It will also add an entry to the
 	      <filename>CVSROOT/modules</filename> file and the port's
 	      category <filename>Makefile</filename>.  It was
 	      written by &a.mharo; and &a.will;, but Will is the current
 	      maintainer so please send questions/patches about
 	      <command>addport</command> to him.</para>
 	  </answer>
 	</qandaentry>
 
 	<qandaentry>
 	  <question>
 	    <para>Any other things I need to know when I add a new
 	      port?</para>
 	  </question>
 
 	  <answer>
 	    <para>Check the port, preferably to make sure it compiles
 	      and packages correctly.  This is the recommended
 	      sequence:</para>
 
 	    <screen>&prompt.root; <userinput>make install</userinput>
 &prompt.root; <userinput>make package</userinput>
 &prompt.root; <userinput>make deinstall</userinput>
 &prompt.root; <userinput>pkg_add <replaceable>package you built above</replaceable></userinput>
 &prompt.root; <userinput>make deinstall</userinput>
 &prompt.root; <userinput>make reinstall</userinput>
 &prompt.root; <userinput>make package</userinput>
 	    </screen>
 
 	    <para>The
 	      <ulink url="&url.books.porters-handbook;/index.html">Porters
 	      Handbook</ulink> contains more detailed
 	      instructions.</para>
 
 	    <para>Use &man.portlint.1; to check the syntax of the port.
 	      You do not necessarily have to eliminate all warnings but
 	      make sure you have fixed the simple ones.</para>
 
 	    <para>If the port came from a submitter who has not
 	      contributed to the project before, add that person's
 	      name to the <ulink
 	      url="&url.articles.contributors;/contrib-additional.html">Additional
 	      Contributors</ulink> section of the FreeBSD Contributors
 	      List.</para>
 
 	    <para>Close the PR if the port came in as a PR.  To close
 	      a PR, just do
 	      <userinput>edit-pr <replaceable>PR#</replaceable></userinput>
 	      on <hostid>freefall</hostid> and change the
 	      <varname>state</varname> from <constant>open</constant>
 	      to <constant>closed</constant>.  You will be asked to
 	      enter a log message and then you are done.</para>
 	  </answer>
 	</qandaentry>
       </qandadiv>
 
       <qandadiv>
 	<title>Repository Copies</title>
 
 	<qandaentry>
 	  <question>
 	    <para>When do we need a repository copy?</para>
 	  </question>
 
 	  <answer>
 	    <para>When you want to add a port that is related to
 	      any port that is already in the tree in a separate
 	      directory, you have to do a repository copy.
 	      Here <wordasword>related</wordasword> means
 	      it is a different version or a slightly modified
 	      version.  Examples are
 	      <filename>print/ghostscript*</filename> (different
 	      versions) and <filename>x11-wm/windowmaker*</filename>
 	      (English-only and internationalized version).</para>
 
 	    <para>Another example is when a port is moved from one
 	      subdirectory to another, or when you want to change the
 	      name of a directory because the author(s) renamed their
 	      software even though it is a
 	      descendant of a port already in a tree.</para>
 	  </answer>
 	</qandaentry>
 
 	<qandaentry>
 	  <question>
 	    <para>When do we <emphasis>not</emphasis> need a
 	      repository copy?</para>
 	  </question>
 
 	  <answer>
 	    <para>When there is no history to preserve.  If a port is
 	      added into a wrong category and is moved immediately,
 	      it suffices to simply <command>cvs remove</command> the
 	      old one and <command>addport</command> the new
 	      one.</para>
 	  </answer>
 	</qandaentry>
 
 	<qandaentry>
 	  <question>
 	    <para>What do I need to do?</para>
 	  </question>
 
 	  <answer>
 	    <para>File a PR in <application>GNATS</application>, listing the
 	      reasons for the repository copy request.  Assign it to
 	      <literal>portmgr</literal> and set <varname>state</varname> to
 	      <literal>repocopy</literal>.  If &a.portmgr; approves it,
 	      it will be reassigned to <literal>pcvs</literal>.
 	      If so inclined, <literal>portmgr</literal> may do
 	      the copy directly; otherwise, &a.pcvs; will
 	      do a repository copy from the old to the new location, and
 	      reassign the PR back to you.  Once everything is done, perform the
 	      following:</para>
 
 	    <itemizedlist>
 	      <listitem>
 		<para>When a port has been repo copied:</para>
 
 		<procedure>
 		  <step>
 		    <para>Upgrade the copied port to the new version (remember
 		      to change the <makevar>PORTNAME</makevar> so there
 		      are not duplicate ports with the same name).</para>
 		  </step>
 
 		  <step>
 		    <para>Add the new subdirectory to the
 		      <makevar>SUBDIR</makevar> listing in the parent
 		      directory Makefile.  You can run <command>make
 		      checksubdirs</command> in the parent directory to check
 		      this.</para>
 		  </step>
 
 		  <step>
 		    <para>If the port changed categories, modify the
 		      <makevar>CATEGORIES</makevar> line of the port's
 		      <filename>Makefile</filename> accordingly</para>
 		  </step>
 
 		  <step>
 		    <para>Add the new module entry.</para>
 		  </step>
 
 		  <step>
 		    <para>Add an entry to
 		      <filename>ports/MOVED</filename>.</para>
 		  </step>
 		</procedure>
 	      </listitem>
 
 	      <listitem>
 		<para>When removing a port:</para>
 
 		<procedure>
 		  <step>
 		    <para>Perform a thorough check of the ports collection for
 		      any dependencies on the old port location/name, and
 		      update them.  Running <command>grep</command> on
 		      <filename>INDEX</filename> is not enough because some
 		      ports have dependencies enabled by compile-time options.
 		      A full <command>grep -r</command> of the ports
 		      collection is recommended.</para>
 		  </step>
 
 		  <step>
 		    <para>Remove the old port, the old
 		      <makevar>SUBDIR</makevar> entry and the old module
 		      entry.</para>
 		  </step>
 
 		  <step>
 		    <para>Add an entry to
 		      <filename>ports/MOVED</filename>.</para>
 		  </step>
 		</procedure>
 	      </listitem>
 
 	      <listitem>
 		<para>After repo moves (<quote>rename</quote> operations where
 		  a port is copied and the old location is removed):</para>
 
 		<procedure>
 		  <step>
 		    <para>Follow the same steps that are outlined in the
 		      previous two entries, to activate the new location of
 		      the port and remove the old one.</para>
 		  </step>
 		</procedure>
 	      </listitem>
 	    </itemizedlist>
 	  </answer>
 	</qandaentry>
       </qandadiv>
 
       <qandadiv>
 	<title>Ports Freeze</title>
 
 	<qandaentry>
 	  <question>
 	    <para>What is a <quote>ports freeze</quote>?</para>
 	  </question>
 
 	  <answer>
 	    <para>Before a release, it is necessary to restrict
 	      commits to the ports tree for a short period of time
 	      while the packages and the release itself are being
 	      built.  This is to ensure consistency among the various
 	      parts of the release, and is called the <quote>ports
 	      freeze</quote>.</para>
 	  </answer>
 	</qandaentry>
 
 	<qandaentry>
 	  <question>
 	    <para>How long is a ports freeze?</para>
 	  </question>
 
 	  <answer>
 	    <para>Usually an hour or two.</para>
 	  </answer>
 	</qandaentry>
 
 	<qandaentry>
 	  <question>
 	    <para>What does it mean to me?</para>
 	  </question>
 
 	  <answer>
 	    <para>During the ports freeze, you are not allowed to
 	      commit anything to the tree without explicit approval
 	      from the ports manager.  <quote>Explicit
 	      approval</quote> here means either of the
 	      following:</para>
 
 	    <itemizedlist>
 	      <listitem>
 		<para>You asked the ports manager and got a reply
 		  saying, <quote>Go ahead and commit
 		  it.</quote></para>
 	      </listitem>
 
 	      <listitem>
 		<para>The ports manager sent a mail to you or the
 		  mailing lists during the ports freeze pointing out
 		  that the port is broken and has to be fixed.</para>
 	      </listitem>
 	    </itemizedlist>
 
 	    <para>Note that you do not have implicit permission to fix
 	      a port during the freeze just because it is
 	      broken.</para>
 	  </answer>
 	</qandaentry>
 
 	<qandaentry>
 	  <question>
 	    <para>How do I know when the ports freeze starts?</para>
 	  </question>
 
 	  <answer>
 	    <para>The ports manager will send out warning messages to
 	      the &a.ports; and &a.committers;
 	      announcing the start of the impending release, usually
 	      two or three weeks in advance.  The exact starting time
 	      will not be determined until a few days before the
 	      actual release.  This is because the ports freeze has to
 	      be synchronized with the release, and it is usually not
 	      known until then when exactly the release will be
 	      rolled.</para>
 
 	    <para>When the freeze starts, there will be another
 	      announcement to the &a.committers;, of course.</para>
 	  </answer>
 	</qandaentry>
 
 	<qandaentry>
 	  <question>
 	    <para>How do I know when the ports freeze ends?</para>
 	  </question>
 
 	  <answer>
 	    <para>A few hours after the release, the ports manager
 	      will send out a mail to the &a.ports; and &a.committers;
 	      announcing the end of the ports freeze.  Note that the
 	      release being cut does not automatically end the freeze.
 	      We have to make sure there will not be any last minute
 	      snafus that result in an immediate re-rolling of the
 	      release.</para>
 	  </answer>
 	</qandaentry>
       </qandadiv>
 
       <qandadiv>
 	<title>Creating a New Category</title>
 
 	<qandaentry>
 	  <question>
 	    <para>What is the procedure for creating a new category?</para>
 	  </question>
 
 	  <answer>
 	    <para>A developer who wishes to propose a new category
 	      should submit a detailed rationale for the new category,
 	      including why existing categories are not sufficient,
 	      and the list of ports proposed to move.</para>
 
 	    <para>Before submitting, keep in mind that there is a fair
 	      amount of work involved from multiple parties; that the
 	      changes affect everyone who wants to keep up-to-date with
 	      the entire ports tree; and that such proposals tend to
 	      attract controversy.</para>
 	  </answer>
 	</qandaentry>
 
 	<qandaentry>
 	  <question>
 	    <para>What do I need to do?</para>
 	  </question>
 
 	  <answer>
 	    <para>The procedure is a strict superset of the one to
 	      repocopy individual ports (see above).</para>
 
 	    <para>File a PR in <application>GNATS</application>, listing the
 	      reasons for the category request.  Preferably, this should
 	      also include patches for <filename>Makefile</filename>s for
 	      the old ports, the <filename>Makefile</filename>s for their
 	      old categories, and the <makevar>VALID_CATEGORIES</makevar>
 	      definition in <filename>ports/Mk/bsd.port.mk</filename>.
 	      Assign the PR to the &a.portmgr; (as <literal>portmgr</literal>).
 	      If they approve it, it will be reassigned to &a.cvsadm; (as
 	      <literal>cvs</literal>), who will do a repository copy from
 	      the old to the new locations and reassign the PR back to you.
 	      Once everything is done, perform the following steps:</para>
 
 	      <procedure>
 		<step>
 		  <para>Upgrade each copied port's
 		    <filename>Makefile</filename>.  Do not connect the
 		    new category to the build yet.</para>
 
 		  <para>To do this, you will need to:</para>
 		    <procedure>
 		      <step>
 			<para>Change the port's <makevar>CATEGORIES</makevar>
 			  (this was the point of the exercise, remember?)
 			  The new category should be listed
 			  <emphasis>first</emphasis>.  This will help to
 			  ensure that the the <makevar>PKGORIGIN</makevar>
 			  is correct.</para>
 		      </step>
 
 		      <step>
 			<para>Run a <command>make describe</command>.  Since
 			  the top-level <command>make index</command> that
 			  you will be running in a few steps is an iteration
 			  of <command>make describe</command> over the entire
 			  ports hierarchy, catching any errors here will
 			  save you having to re-run that step later on.</para>
 		      </step>
 
 		      <step>
 			<para>If you want to be really thorough, now might
 			  be a good time to run &man.portlint.1;.</para>
 		      </step>
 		    </procedure>
 		</step>
 
 		<step>
 		  <para>Check that the <makevar>PKGORIGIN</makevar>s are
 		    correct.  The ports system uses each port's
 		    <makevar>CATEGORIES</makevar> entry to create
 		    its <makevar>PKGORIGIN</makevar>, which is used to
 		    connect installed packages to the port directory they
 		    were built from. If this entry is wrong, common port
 		    tools like &man.pkg.version.1; and
 		    &man.portupgrade.1; fail.</para>
 
 		  <para>To do this, use the <filename>chkorigin.sh</filename>
 		    tool, as follows: <command>env
 		    PORTSDIR=<replaceable>/path/to/ports</replaceable>
 		    sh -e <replaceable>/path/to/ports</replaceable>/Tools/scripts/chkorigin.sh
 		    </command>.  This will check <emphasis>every</emphasis>
 		    port in the ports tree, even those not connected to the
 		    build, so you can run it directly after the repocopy.
 		    Hint: do not forget to look at the
 		    <makevar>PKGORIGIN</makevar>s of any slave ports of the
 		    ports you just repocopied!</para>
 		</step>
 
 		<step>
 		  <para>On your own local system, test the proposed
 		    changes: first, comment out the
 		    <makevar>SUBDIR</makevar> entries in the old
 		    ports' categories' <filename>Makefile</filename>s;
 		    then enable building the new category in
 		    <filename>ports/Makefile</filename>.
 		    Run <command>make checksubdirs</command> in the
 		    affected category directories to check the
 		    <makevar>SUBDIR</makevar> entries.  Next, in
 		    the <filename class="directory">ports/</filename>
 		    directory, run <command>make index</command>.  This
 		    can take over 40 minutes on even modern systems;
 		    however, it is a necessary step to prevent problems
 		    for other people.</para>
 		</step>
 
 		<step>
 		  <para>Once this is done, you can commit the
 		    updated <filename>ports/Makefile</filename> to
 		    connect the new category to the build and also
 		    commit the <filename>Makefile</filename> changes
 		    for the old category or categories.</para>
 		</step>
 
 		<step>
 		  <para>Change all the affected module entries in
 		    <filename>CVSROOT-ports/modules</filename>.</para>
 		</step>
 
 		<step>
 		  <para>Add appropriate entries to
 		    <filename>ports/MOVED</filename>.</para>
 		</step>
 
 		<step>
 		  <para>Update the instructions for &man.cvsup.1; by
 		    modifying <filename>distrib/cvsup/sup/README</filename>
 		    and adding the following files into
 		    <filename>cvsup/sup/ports-categoryname</filename>:
 		    <filename>list.cvs</filename> and
 		    <filename>releases</filename>.  (Note: these are
 		    in the src, not the ports, repository).</para>
 		</step>
 
 		<step>
 		  <para>Submit a docs PR to add the new category to both the
 		    <ulink url="&url.books.porters-handbook;/makefile-categories.html#PORTING-CATEGORIES">
 		    Porter's Handbook</ulink> and to
 		    <filename>www/en/ports/categories</filename>.</para>
 		</step>
 
 		<step>
 		  <para>The procedure to update the <ulink
 		    url="&url.base;/ports/index.html">ports web pages</ulink>
 		    to reflect the new category is not yet defined.</para>
 		</step>
 
 		<step>
 		  <para>Only once all the above have been done, and
 		    no one is any longer reporting problems with the
 		    new ports, should the old ports be deleted from
 		    their previous locations in the repository.</para>
 		</step>
 	      </procedure>
 	  </answer>
 	</qandaentry>
       </qandadiv>
 
       <qandadiv>
 	<title>Miscellaneous Questions</title>
 
 	<qandaentry>
 	  <question>
 	    <para>How do I know if my port is building correctly or
 	      not?</para>
 	  </question>
 
 	  <answer>
 	    <para>First, go check
 	      <ulink url="http://pointyhat.FreeBSD.org/errorlogs/"></ulink>.
 	      There you will find error logs from the latest package
 	      building runs on all supported platforms for the most
 	      recent branches.</para>
 
 	    <para>However, just because the port does not show up there
 	      does not mean it is building correctly.  (One of the
 	      dependencies may have failed, for instance.)  The relevant
 	      directories are available on <hostid>pointyhat</hostid> under
 	      <filename class="directory">/a/portbuild/&lt;arch&gt;/&lt;major_version&gt;</filename>
 	      so feel free to dig around.  Each architecture and version has
 	      the following subdirectories:</para>
 
 <programlisting>errors        error logs from latest &lt;major_version&gt; run on &lt;arch&gt;
 logs          all logs from latest &lt;major_version&gt; run on &lt;arch&gt;
 packages      packages from latest &lt;major_version&gt; run on &lt;arch&gt;
 bak/errors    error logs from last complete &lt;major_version&gt; run on &lt;arch&gt;
 bak/logs      all logs from last complete &lt;major_version&gt; run on &lt;arch&gt;
 bak/packages  packages from last complete &lt;major_version&gt; run on &lt;arch&gt;</programlisting>
 
 	    <para>Basically, if the port shows up in
 	      <filename>packages</filename>, or it is in
 	      <filename>logs</filename> but not in
 	      <filename>errors</filename>, it built fine.  (The
 	      <filename>errors</filename> directories are what you get
 	      from the web page.)</para>
 	  </answer>
 	</qandaentry>
 
 	<qandaentry>
 	  <question>
 	    <para>I added a new port.  Do I need to add it to the
 	      <filename>INDEX</filename>?</para>
 	  </question>
 
 	  <answer>
 	    <para>No.  The ports manager will regenerate the
 	      <filename>INDEX</filename> and commit it for each
 	      &os; release.</para>
 	  </answer>
 	</qandaentry>
 
 	<qandaentry>
 	  <question>
 	    <para>Are there any other files I am not allowed to
 	      touch?</para>
 	  </question>
 
 	  <answer>
 	    <para>Any file directly under <filename>ports/</filename>, or
 	      any file under a subdirectory that starts with an
 	      uppercase letter (<filename>Mk/</filename>,
 	      <filename>Tools/</filename>, etc.).  In particular, the
 	      ports manager is very protective of
 	      <filename>ports/Mk/bsd.port*.mk</filename> so do not
 	      commit changes to those files unless you want to face his
 	      wra(i)th.</para>
 	  </answer>
 	</qandaentry>
 
 	<qandaentry>
 	  <question>
 	    <para>What is the proper procedure for updating the checksum
 	      for a port's distfile when the file changes without a
 	      version change?</para>
 	  </question>
 
 	  <answer>
 	    <para>When the checksum for a port's distfile is updated due
 	      to the author updating the file without changing the port's
 	      revision, the commit message should include a summary of
 	      the relevant diffs between the original and new distfile to
 	      ensure that the distfile has not been corrupted or
 	      maliciously altered.  If the current version of the port
 	      has been in the ports tree for a while, a copy of the old
 	      distfile will usually be available on the ftp servers;
 	      otherwise the author or maintainer should be contacted to
 	      find out why the distfile has changed.</para>
 	  </answer>
 	</qandaentry>
       </qandadiv>
     </qandaset>
   </sect1>
 
   <sect1 id="perks">
     <title>Perks of the Job</title>
 
     <para>Unfortunately, there are not many perks involved with being a
       committer.  Recognition as a competent software engineer is probably
       the only thing that will be of benefit in the long run.  However,
       there are at least some perks:</para>
 
     <variablelist>
 
       <varlistentry>
 	<term>Direct access to <hostid>cvsup-master</hostid></term>
 
 	<listitem>
 	  <para>As a committer, you may apply to &a.kuriyama; for direct access
 	    to <hostid role="fqdn">cvsup-master.FreeBSD.org</hostid>,
 	    providing the public key output from <command>cvpasswd
 	    <replaceable>yourusername</replaceable>@FreeBSD.org
 	    freefall.FreeBSD.org</command>.  Please note: you must
 	    specify <hostid>freefall.FreeBSD.org</hostid> on the
 	    <command>cvpasswd</command> command line even though the
 	    actual server is <hostid>cvsup-master</hostid>.  Access to
 	    <hostid>cvsup-master</hostid> should not be overused as it is
 	    a busy machine.</para>
 	</listitem>
       </varlistentry>
 
       <varlistentry>
 	<term>A Free 4-CD Set or DVD Subscription</term>
 
 	<listitem>
 	  <para><ulink url="http://www.freebsdmall.com">FreeBSD Mall,
 	    Inc.</ulink> offers a free subscription of the 4-CD set or
 	    the DVD product to all FreeBSD committers.  Information about how
 	    to obtain your free media is mailed to
 	    <email>developers@FreeBSD.org</email> following each major
 	    release.</para>
 	</listitem>
       </varlistentry>
 
     </variablelist>
   </sect1>
 
   <sect1 id="misc">
     <title>Miscellaneous Questions</title>
 
     <qandaset>
       <qandaentry>
 	<question>
 	  <para>Why are trivial or cosmetic changes to files on a vendor
 	    branch a bad idea?</para>
 	</question>
 
 	<answer>
 	  <itemizedlist>
 	    <listitem>
 	      <para>From now on, every new vendor release of that file will
 		need to have patches merged in by hand.</para>
 	    </listitem>
 
 	    <listitem>
 	      <para>From now on, every new vendor release of that file will
 		need to have patches <emphasis>verified</emphasis> by hand.</para>
 	    </listitem>
 
 	    <listitem>
 	      <para>The <option>-j</option> option does not work very well.
 		Ask &a.obrien; for horror stories.</para>
 	    </listitem>
 	  </itemizedlist>
 	</answer>
       </qandaentry>
 
       <qandaentry>
 	<question>
 	  <para>How do I add a new file to a CVS branch?</para>
 	</question>
 
 	<answer>
 	  <para>To add a file onto a branch, simply checkout or update
 	  to the branch you want to add to and then add the file using
 	  <command>cvs add</command> as you normally would.  For
 	  example, if you wanted to MFC the file
 	  <filename>src/sys/alpha/include/smp.h</filename> from HEAD
 	  to RELENG_4 and it does not exist in RELENG_4 yet, you would
 	  use the following steps:</para>
 
 	  <example>
 	    <title>MFC'ing a New File</title>
 
 	    <screen>&prompt.user; <userinput>cd sys/alpha/include</userinput>
 &prompt.user; <userinput>cvs update -rRELENG_4</userinput>
 cvs update: Updating .
 U clockvar.h
 U console.h
 ...
 &prompt.user; <userinput>cvs update -kk -Ap smp.h &gt; smp.h</userinput>
 ===================================================================
 Checking out smp.h
 RCS:  /usr/cvs/src/sys/alpha/include/smp.h,v
 VERS: 1.1
 ***************
 &prompt.user; <userinput>cvs add smp.h</userinput>
 cvs add: scheduling file `smp.h' for addition on branch `RELENG_4'
 cvs add: use 'cvs commit' to add this file permanently
 &prompt.user; <userinput>cvs commit</userinput>
 	    </screen>
 	  </example>
 	</answer>
       </qandaentry>
 
       <qandaentry>
 	<question>
 	  <para>What <quote>meta</quote> information should I include in a
 	    commit message?</para>
 	</question>
 
 	<answer>
 	  <para>As well as including an informative message with each commit
 	    you may need to include some additional information as
 	    well.</para>
 
 	  <para>This information consists of one or more lines containing the
 	    key word or phrase, a colon, tabs for formatting, and then the
 	    additional information.</para>
 
 	  <para>The key words or phrases are:</para>
 
-	  <informaltable frame="none">
+	  <informaltable frame="none" pgwide="1">
 	    <tgroup cols="2">
 	      <tbody>
 		<row>
 		  <entry><literal>PR:</literal></entry>
 		  <entry>The problem report (if any) which is affected
 		    (typically, by being closed) by this commit.</entry>
 		</row>
 
 		<row>
 		  <entry><literal>Submitted by:</literal></entry>
 		  <entry>The name and e-mail address of the person that
 		    submitted the fix; for committers, just the username on
 		    the FreeBSD cluster.</entry>
 		</row>
 
 		<row>
 		  <entry><literal>Reviewed by:</literal></entry>
 		  <entry>The name and e-mail address of the person or people
 		    that reviewed the change; for committers, just the
 		    username on the FreeBSD cluster. If a patch was
 		    submitted to a mailing list for review, and the review
 		    was favorable, then just include the list name.</entry>
 		</row>
 
 		<row>
 		  <entry><literal>Approved by:</literal></entry>
 		  <entry>The name and e-mail address of the person or people
 		    that approved the change; for committers, just the
 		    username on the FreeBSD cluster. It is customary to get
 		    prior approval for a commit if it is to an area of the
 		    tree to which you do not usually commit.  In addition,
 		    during the run up to a new release all commits
 		    <emphasis>must</emphasis> be approved by the release
 		    engineering team.  If these are your first commits then
 		    you should have passed them past your mentor first, and
 		    you should list your mentor, as in
 		    ``<replaceable>username-of-mentor</replaceable>
 		    <literal>(mentor)</literal>''.
 		 </entry>
 		</row>
 
 		<row>
 		  <entry><literal>Obtained from:</literal></entry>
 		  <entry>The name of the project (if any) from which the code
 		    was obtained.</entry>
 		</row>
 
 		<row>
 		  <entry><literal>MFC after:</literal></entry>
 
 		  <entry>If you wish to receive an e-mail reminder to
 		    <acronym>MFC</acronym> at a later date, specify the
 		    number of days, weeks, or months after which an
 		    <acronym>MFC</acronym> is planned.</entry>
 		</row>
 	      </tbody>
 	    </tgroup>
 	  </informaltable>
 
 	  <example>
 	    <title>Commit log for a commit based on a PR</title>
 
 	    <para>You want to commit a change based on a PR submitted by John
 	      Smith containing a patch.  The end of the commit message should
 	      look something like this.</para>
 
 	    <programlisting>...
 
 PR:                foo/12345
 Submitted by:	   John Smith &lt;John.Smith@example.com></programlisting>
 	  </example>
 
 	  <example>
 	    <title>Commit log for a commit needing review</title>
 
 	    <para>You want to change the virtual memory system.  You have
 	      posted patches to the appropriate mailing list (in this case,
 	      <literal>freebsd-arch</literal>) and the changes have been
 	      approved.</para>
 
 	    <programlisting>...
 
 Reviewed by:       -arch</programlisting>
 	  </example>
 
 	  <example>
 	    <title>Commit log for a commit needing approval</title>
 
 	    <para>You want to commit a change to a section of the tree with a
 	      MAINTAINER assigned.  You have collaborated with the listed
 	      MAINTAINER, who has told you to go ahead and commit.</para>
 
 	    <programlisting>...
 
 Approved by:	    <replaceable>abc</replaceable></programlisting>
 
 	    <para>Where <replaceable>abc</replaceable> is the account name of
 	      the person who approved.</para>
 	  </example>
 
 	  <example>
 	    <title>Commit log for a commit bringing in code from
 	      OpenBSD</title>
 
 	    <para>You want to commit some code based on work done in the
 	      OpenBSD project.</para>
 
 	    <programlisting>...
 
 Obtained from:      OpenBSD</programlisting>
 	  </example>
 
 	  <example>
 	    <title>Commit log for a change to &os.current; with a planned
 	      commit to &os.stable; to follow at a later date.</title>
 
 	    <para>You want to commit some code which will be merged from
 	      &os.current; into the &os.stable; branch after two
 	      weeks.</para>
 
 	    <programlisting>...
 
 MFC after:      <replaceable>2 weeks</replaceable></programlisting>
 
 	    <para>Where <replaceable>2</replaceable> is the number of days,
 	      weeks, or months after which an <acronym>MFC</acronym> is
 	      planned.  The <replaceable>weeks</replaceable> option may be
 	      <literal>day</literal>, <literal>days</literal>,
 	      <literal>week</literal>, <literal>weeks</literal>,
 	      <literal>month</literal>, <literal>months</literal>,
 	      or may be left off (in which case, days will be assumed).</para>
 	  </example>
 
 	  <para>In some cases you may need to combine some of these.</para>
 
 	  <para>Consider the situation where a user has submitted a PR
 	    containing code from the NetBSD project.  You are looking at the
 	    PR, but it is not an area of the tree you normally work in, so
 	    you have decided to get the change reviewed by the
 	    <literal>arch</literal> mailing list.  Since the change is
 	    complex, you opt to <acronym>MFC</acronym> after one month to
 	    allow adequate testing.</para>
 
 	  <para>The extra information to include in the commit would look
 	    something like</para>
 
 	  <programlisting>PR:                 foo/54321
 Submitted by:       John Smith &lt;John.Smith@example.com>
 Reviewed by:        -arch
 Obtained from:      NetBSD
 MFC after:          1 month</programlisting>
 	</answer>
       </qandaentry>
 
       <qandaentry>
 	<question>
 	  <para>How do I access <hostid
 	    role="fqdn">people.FreeBSD.org</hostid> to put up personal
 	    or project information?</para>
 	</question>
 
 	<answer>
 	  <para><hostid role="fqdn">people.FreeBSD.org</hostid> is the
 	    same as <hostid
 	    role="fqdn">freefall.FreeBSD.org</hostid>. Just create a
 	    <filename>public_html</filename> directory.  Anything you
 	    place in that directory will automatically be visible
 	    under <ulink url="http://people.FreeBSD.org/"></ulink>.</para>
 	</answer>
       </qandaentry>
 
       <qandaentry>
 	<question>
 	  <para>Where are the mailing list archives stored?</para>
 	</question>
 
 	<answer>
 	  <para>The mailing lists are archived under <filename>/g/mail</filename>
 	    which will show up as <filename>/hub/g/mail</filename> with &man.pwd.1;.
 	    This location is accessible from any machine on the FreeBSD cluster.</para>
 	</answer>
       </qandaentry>
     </qandaset>
   </sect1>
 </article>
diff --git a/en_US.ISO8859-1/articles/diskless-x/article.sgml b/en_US.ISO8859-1/articles/diskless-x/article.sgml
index f4100741c0..1a52f033e8 100644
--- a/en_US.ISO8859-1/articles/diskless-x/article.sgml
+++ b/en_US.ISO8859-1/articles/diskless-x/article.sgml
@@ -1,358 +1,358 @@
 <!--
      The FreeBSD Documentation Project
 
      $FreeBSD$
 -->
 
 <!DOCTYPE article PUBLIC "-//FreeBSD//DTD DocBook V4.1-Based Extension//EN" [
 <!ENTITY % articles.ent PUBLIC "-//FreeBSD//ENTITIES DocBook FreeBSD Articles Entity Set//EN">
 %articles.ent;
 ]>
 
 <article>
   <articleinfo>
     <title>Diskless X Server: a how to guide</title>
     
     <authorgroup>
       <author>
 	<firstname>Jerry</firstname>
 	<surname>Kendall</surname>
 	<affiliation>
 	  <address>
 	    <email>jerry@kcis.com</email>
 	  </address>
 	</affiliation>
       </author></authorgroup>
     
     <pubdate>28-December-1996</pubdate>
     
     <copyright>
       <year>1996</year>
       <holder>Jerry Kendall</holder>
     </copyright>
     
     <legalnotice id="trademarks" role="trademarks">
       &tm-attrib.freebsd;
       &tm-attrib.3com;
       &tm-attrib.microsoft;
       &tm-attrib.sun;
       &tm-attrib.general;
     </legalnotice>
 
     <abstract>
       <para>With the help of some friends on the FreeBSD-hackers list, I have
 	been able to create a diskless X terminal.  The creation of the X
 	terminal required first creating a diskless system with minimal
 	utilities mounted via NFS.  These same steps were used to create 2
 	separate diskless systems.  The first is <hostid
 	  role="fqdn">altair.example.com</hostid>.  A diskless X terminal that I
 	run on my old 386DX-40.  It has a 340Meg hard disk but, I did not want
 	to change it.  So, it boots from <hostid
 	  role="fqdn">antares.example.com</hostid> across a Ethernet.  The second
 	system is a 486DX2-66.  I set up a diskless FreeBSD (complete) that
 	uses no local disk.  The server in that case is a Sun 670MP running
 	&sunos; 4.1.3.  The same setup configuration was needed for both.</para>
       
       <para>I am sure that there is stuff that needs to be added
 	to this.  Please send me any comments.</para>
     </abstract>
   </articleinfo>
   
   <sect1>
     <title>Creating the boot floppy (On the diskless system)</title>
     
     <para>Since the network boot loaders will not work with some of the TSR's
       and such that &ms-dos; uses, it is best to create a dedicated boot floppy
       or, if you can, create an &ms-dos; menu that will (via the
       <filename>config.sys</filename>/<filename>autoexec.bat</filename> files)
       ask what configuration to load when the system starts.  The later is the
       method that I use and it works great. My &ms-dos; (6.x) menu is
       below.</para>
     
     <example>
       <title><filename>config.sys</filename></title>
 
       <programlisting>[menu]
 menuitem=normal, normal
 menuitem=unix, unix
 [normal]
 ....
 normal config.sys stuff
 ...
 [unix]</programlisting>
     </example>
 
     <example>
       <title><filename>autoexec.bat</filename></title>
 
       <programlisting>@ECHO OFF
 goto %config%
 
 :normal
 ...
 normal autoexec.bat stuff
 ...
 goto end
 
 :unix
 cd \netboot
 nb8390.com
 
 :end</programlisting>
     </example>
   </sect1>
   
   <sect1>
     <title>Getting the network boot programs (On the server)</title>
     
     <para>Compile the <quote>net-boot</quote> programs that are located in
       <filename>/usr/src/sys/i386/boot/netboot</filename>.  You should read
       the comments at the top of the <filename>Makefile</filename>.  Adjust as
       required.  Make a backup of the original in case something goes wrong.  When
       the build is done, there should be 2 &ms-dos; executables,
       <filename>nb8390.com</filename> and <filename>nb3c509.com</filename>.
       One of these two programs will be what you need to run on the diskless
       server.  It will load the kernel from the boot server.  At this point,
       put both programs on the &ms-dos; boot floppy created earlier.</para>
   </sect1>
   
   <sect1>
     <title>Determine which program to run (On the diskless system)</title>
     
     <para>If you know the chipset that your Ethernet adapter uses, this is
       easy.  If you have the NS8390 chipset, or a NS8390 based chipset, use
       <filename>nb8390.com</filename>.  If you have a &tm.3com; 509 based chipset,
       use the <filename>nb3C509.com</filename> boot program.  If you are not
       sure which you have, try using one, if it says <errorname>No adapter
 	found</errorname>, try the other.  Beyond that, you are pretty much on
       your own.</para>
   </sect1>
 
   <sect1>
     <title>Booting across the network</title>
     
     <para>Boot the diskless system with out any config.sys/autoexec.bat
       files.  Try running the boot program for your Ethernet adapter.</para>
 
     <para>My Ethernet adapter is running in WD8013 16bit mode so I run
       <filename>nb8390.com</filename></para>
     
     <screen><prompt>C:&gt;</prompt> <userinput>cd \netboot</userinput>
 <prompt>C:&gt;</prompt> <userinput>nb8390</userinput>
 
 <prompt>Boot from Network (Y/N) ?</prompt>  <userinput>Y</userinput>
 
 BOOTP/TFTP/NFS bootstrap loader     ESC for menu
 
 Searching for adapter..
 WD8013EBT base 0x0300, memory 0x000D8000, addr 00:40:01:43:26:66
 
 Searching for server...</screen>
 
     <para>At this point, my diskless system is trying to find a machine to act
       as a boot server.  Make note of the <literal>addr</literal> line above,
       you will need this number later.  Reset the diskless system and modify
       your <filename>config.sys</filename> and
       <filename>autoexec.bat</filename> files to do these steps automatically
       for you.  Perhaps in a menu.  If you had to run
       <command>nb3c509.com</command> instead of <command>nb8390.com</command>
       the output is the same as above.  If you got <errorname>No adapter
 	found</errorname> at the <literal>Searching for adapter...</literal>
       message, verify that you did indeed set the compile time defines in the
       <filename>Makefile</filename> correctly.</para>
   </sect1>
   
   <sect1>
     <title>Allowing systems to boot across the network (On the server)</title>
     
     <para>Make sure the <filename>/etc/inetd.conf</filename> file has entries
       for tftp and bootps. Mine are listed below:</para>
     
     <programlisting>tftp	dgram	udp	wait	nobody	/usr/libexec/tftpd	tftpd /tftpboot
 #
 # Additions by who ever you are
 bootps  dgram  udp  wait  root  /usr/libexec/bootpd bootpd /etc/bootptab</programlisting>
     
     <para>If you have to change the <filename>/etc/inetd.conf</filename> file,
       send a <literal>HUP</literal> signal to &man.inetd.8;.  To do this, get the
       process ID of <command>inetd</command> with <command>ps -ax | grep inetd | grep -v
 	grep</command>.  Once you have it, send it a <literal>HUP</literal> signal.  Do this by
       <command>kill -HUP &lt;pid&gt;</command>.  This will force <command>inetd</command> to
       re-read its config file.</para>
 
     <para>Did you remember to note the <literal>addr</literal> line from the
       output of the boot loader on the diskless system? Guess what, here is
       where you need it.</para>
 
     <para>Add an entry to <filename>/etc/bootptab</filename> (maybe creating the
       file).  It should be laid out identical to this:</para>
 
     <programlisting>altair:\
         :ht=ether:\
         :ha=004001432666:\
         :sm=255.255.255.0:\
         :hn:\
         :ds=199.246.76.1:\
         :ip=199.246.76.2:\
         :gw=199.246.76.1:\
         :vm=rfc1048:</programlisting>
     
     <para>The lines are as follows:</para>
 
-    <informaltable frame="none">
+    <informaltable frame="none" pgwide="1">
       <tgroup cols="2">
 	<tbody>
 	  <row>
 	    <entry><literal>altair</literal></entry>
 	    <entry>the diskless systems name without the domain name.</entry>
 	  </row>
 
 	  <row>
 	    <entry><literal>ht=ether</literal></entry>
 	    <entry>the hardware type of <quote>ethernet</quote>.</entry>
 	  </row>
 
 	  <row>
 	    <entry><literal>ha=004001432666</literal></entry>
 	    <entry>the hardware address (the number noted above).</entry>
 	  </row>
 
 	  <row>
 	    <entry><literal>sm=255.255.255.0</literal></entry>
 	    <entry>the subnet mask.</entry>
 	  </row>
 
 	  <row>
 	    <entry><literal>hn</literal></entry>
 	    <entry>tells server to send client's hostname to the
 	      client.</entry>
 	  </row>
 
 	  <row>
 	    <entry><literal>ds=199.246.76.1</literal></entry>
 	    <entry>tells the client who the domain server is.</entry>
 	  </row>
 
 	  <row>
 	    <entry><literal>ip=199.246.76.2</literal></entry>
 	    <entry>tells the client what its IP address is.</entry>
 	  </row>
 
 	  <row>
 	    <entry><literal>gw=199.246.76.1</literal></entry>
 	    <entry>tells the client what the default gateway is.</entry>
 	  </row>
 
 	  <row>
 	    <entry><literal>vm=...</literal></entry>
 	    <entry>just leave it there.</entry>
 	  </row>
 	</tbody>
       </tgroup>
     </informaltable>
 
     <note>
       <para>Be sure to set up the IP addresses correctly, the addresses above
 	are my own.</para>
     </note>
 
     <para>Create the directory <filename>/tftpboot</filename> on the server it will contain the
       configuration files for the diskless systems that the server will serve.
       These files will be named <filename>cfg.<replaceable>ip</replaceable></filename> where <replaceable>ip</replaceable> is the IP
       address of the diskless system.  The config file for <hostid>altair</hostid> is
       <filename>/tftpboot/cfg.199.246.76.2</filename>.  The contents is:</para>
 
     <programlisting>rootfs 199.246.76.1:/DiskLess/rootfs/altair
 hostname altair.example.com</programlisting>
 
     <para>The line <literal>hostname altair.example.com</literal> simply tells
       the diskless system what its fully qualified domain name is.</para>
 
     <para>The line <literal>rootfs
 	199.246.76.1:/DiskLess/rootfs/altair</literal> tells the diskless
       system where its NFS mountable root filesystem is located.</para>
 
     <note>
       <para>The NFS mounted root filesystem will be mounted <emphasis>read
 	  only</emphasis>.</para>
     </note>
     
     <para>The hierarchy for the diskless system can be re-mounted allowing
       read-write operations if required.</para>
     
     <para>I use my spare 386DX-40 as a dedicated X terminal.</para>
 
     <para>The hierarchy for <hostid>altair</hostid> is:</para>
 
     <literallayout>/
 /bin
 /etc
 /tmp
 /sbin
 /dev
 /dev/fd
 /usr
 /var
 /var/run</literallayout>
 
     <para>The actual list of files is:</para>
 
     <screen>-r-xr-xr-x  1 root  wheel  779984 Dec 11 23:44 ./kernel
 -r-xr-xr-x  1 root    bin  299008 Dec 12 00:22 ./bin/sh
 -rw-r--r--  1 root  wheel     499 Dec 15 15:54 ./etc/rc
 -rw-r--r--  1 root  wheel    1411 Dec 11 23:19 ./etc/ttys
 -rw-r--r--  1 root  wheel     157 Dec 15 15:42 ./etc/hosts
 -rw-r--r--  1 root    bin    1569 Dec 15 15:26 ./etc/XF86Config.altair
 -r-x------  1 bin     bin  151552 Jun 10  1995 ./sbin/init
 -r-xr-xr-x  1 bin     bin  176128 Jun 10  1995 ./sbin/ifconfig
 -r-xr-xr-x  1 bin     bin  110592 Jun 10  1995 ./sbin/mount_nfs
 -r-xr-xr-x  1 bin     bin  135168 Jun 10  1995 ./sbin/reboot
 -r-xr-xr-x  1 root    bin   73728 Dec 13 22:38 ./sbin/mount
 -r-xr-xr-x  1 root  wheel    1992 Jun 10  1995 ./dev/MAKEDEV.local
 -r-xr-xr-x  1 root  wheel   24419 Jun 10  1995 ./dev/MAKEDEV</screen>
     
     <para>If you are not using &man.devfs.5; (which is the default
       in FreeBSD&nbsp;5.X), you should make sure that you
       do not forget to run <command>MAKEDEV all</command> in the
       <filename>dev</filename> directory.</para>
 
     <para>My <filename>/etc/rc</filename> for <hostid>altair</hostid>
       is:</para>
 
 <programlisting>#!/bin/sh
 #
 PATH=/bin:/
 export PATH
 #
 # configure the localhost
 /sbin/ifconfig lo0 127.0.0.1
 #
 # configure the ethernet card
 /sbin/ifconfig ed0 199.246.76.2 netmask 0xffffff00
 #
 # mount the root filesystem via NFS
 /sbin/mount antares:/DiskLess/rootfs/altair /
 #
 # mount the /usr filesystem via NFS
 /sbin/mount antares:/DiskLess/usr /usr
 #
 /usr/X11R6/bin/XF86_SVGA -query antares -xf86config /etc/XF86Config.altair > /dev/null 2>&1
 #
 # Reboot after X exits
 /sbin/reboot
 #
 # We blew up....
 exit 1</programlisting>
 
     <para>Any comments and all questions welcome.</para>
   </sect1>
 </article>
 
 <!-- 
      Local Variables:
      mode: sgml
      sgml-indent-data: t
      sgml-omittag: nil
      sgml-always-quote-attributes: t
      End:
 -->
diff --git a/en_US.ISO8859-1/articles/java-tomcat/article.sgml b/en_US.ISO8859-1/articles/java-tomcat/article.sgml
index 70acdbce27..ba8d04ecad 100644
--- a/en_US.ISO8859-1/articles/java-tomcat/article.sgml
+++ b/en_US.ISO8859-1/articles/java-tomcat/article.sgml
@@ -1,611 +1,611 @@
 <!-- Copyright (c) 2002, 2003, 2004
      Hiten Pandya <hmp@FreeBSD.org>, Victoria Chan <vkchan@kendryl.net>.
      
      All rights reserved.
 
      Redistribution and use in source (SGML DocBook) and 'compiled' forms
      (SGML, HTML, PDF, PostScript, RTF and so forth) with or without
      modification, are permitted provided that the following conditions
      are met:
 
       1. Redistributions of source code (SGML DocBook) must retain the above
          copyright notice, this list of conditions and the following
          disclaimer as the first lines of this file unmodified.
 
       2. Redistributions in compiled form (transformed to other DTDs,
          converted to PDF, PostScript, RTF and other formats) must reproduce
          the above copyright notice, this list of conditions and the
          following disclaimer in the documentation and/or other materials
          provided with the distribution.
 
      THIS DOCUMENTATION IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS "AS IS" 
      AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, 
      THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 
      PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS AND CONTRIBUTORS BE 
      LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 
      CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 
      SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 
      INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 
      CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 
      ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION, EVEN IF ADVISED 
      OF THE POSSIBILITY OF SUCH DAMAGE.
 -->
 
 <!DOCTYPE article PUBLIC "-//FreeBSD//DTD DocBook V4.1-Based Extension//EN" [
 <!ENTITY % articles.ent PUBLIC "-//FreeBSD//ENTITIES DocBook FreeBSD Articles Entity Set//EN">
 %articles.ent;
 <!--
   URL Entities.  These are in place, to allow wrapping long URLs to the 80th
   column.
 -->
 <!ENTITY wwwurl  "http://www.FreeBSD.org">
 <!ENTITY ftpurl  "ftp://ftp.FreeBSD.org">
 <!ENTITY sunurl  "http://www.sun.com">
 <!ENTITY tomcaturl  "http://jakarta.apache.org/tomcat">
 
 <!-- The Download URL is too long! :-) -->
 <!ENTITY tomcat406 "http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/v4.0.6/bin/">
 ]>
 
 <article>
 
   <!-- START of Article Metadata -->
   <articleinfo>
     <title>&java; and Jakarta Tomcat on FreeBSD</title>
 
     <authorgroup>      
       <author>
 	<firstname>Victoria</firstname>
 	<surname>Chan</surname>
 	<affiliation>
 	  <address><email>vkchan@kendryl.net</email></address>
 	</affiliation>
       </author>
 
       <author>
 	<firstname>Hiten</firstname>
 	<surname>Pandya</surname>
 	<affiliation>
 	  <address><email>hmp@FreeBSD.org</email></address>
 	</affiliation>
       </author>
     </authorgroup>
 
     <copyright>
       <year>2002</year>
       <year>2003</year>
       <year>2004</year>
       <holder role="mailto:vkchan@kendryl.net">Victoria Chan</holder>
       <holder role="mailto:hmp@FreeBSD.org">Hiten Pandya</holder>
     </copyright>
     
     <pubdate>$FreeBSD$</pubdate> 
 
     <legalnotice id="trademarks" role="trademarks">
       &tm-attrib.freebsd;
       &tm-attrib.cvsup;
       &tm-attrib.linux;
       &tm-attrib.microsoft;
       &tm-attrib.sun;
       &tm-attrib.general;
     </legalnotice>
 
     <abstract>
       <para>This document is presented in hopes of making it easier for
 	anyone that needs to get &java; up and running on FreeBSD, with the
 	least amount of aggravation.  Plan on spending a whole day on such
 	a project as it will take time to assemble all the pieces and
 	compile them individually, and then as a whole.  It also shows how
 	to install the famous Jakarta Tomcat Servlet and &jsp; container on
 	the FreeBSD operating system.</para>
     </abstract>
   </articleinfo>
   <!-- END of Article Metadata-->
   
   <sect1>
     <title>Introduction</title>
 
     <para>The &java; programming language was birthed on <literal>May 23rd
       1995</literal>.  One would expect that after all this time, &java;
       applications would be easy to install and ready to run from a single
       package, or port on FreeBSD, thus making it available for the
       <quote>masses</quote>.  This is not the case, unfortunately, as
       the &java; distribution is held very closely by Sun Microsystems,
       and prohibits re-distribution.  All &java; Applets must be compiled
       from source code, together with the &java; Development Kit from Sun
       Microsystems.  All these ingredients must be blended together in
       the right order, assembled, and compiled by the end user.  With
       such distribution philosophies at heart, it is my opinion that
       &java; will always be developer or hacker use only.  I certainly
       found this to be true when I needed to serve up some
       <filename>.jsp</filename> pages for a client on my web server,
       and needed to get <filename
       role="package">www/jakarta-tomcat4</filename> to work with
       <filename role="package">www/apache13</filename> on my FreeBSD
       system.</para>
 
     <para>The Tomcat portion of the install is very straight forward, but
       the difficulty I had was getting &java; Development Kit up and
       running for FreeBSD 4.X, as Sun Microsystems only supplies
       binaries for Linux, &solaris;, and &windowsnt;.  This means that I
       had to compile my own &jdk; for FreeBSD.  I began by searching for
       documentation on the Internet.  I quickly found that there is more
       source code than I need along with patches to the source code, but
       very little documentation of what to do after obtaining
       everything.</para>
 
     <para>In this article, you will find how to install the &java;
       Development Kit for FreeBSD, and how to get up and running with
       Tomcat.  A <xref linkend="ref"> section is also provided for
       further reading.</para>	
   </sect1>
 
   <sect1>
     <title>The &java; Environment</title>
 
     <para>Ensure that you have the current ports collection as
       <command>make</command> it will fail if it attempts to build older
       source.  You can upgrade your entire ports collection by using
       <application>CVSup</application>.  See <ulink
       url="&url.books.handbook;/cvsup.html">Using CVSup</ulink> section
       of the Handbook for more information.  You can also download the
       ports you need manually from <ulink
       url="&ftpurl;/pub/FreeBSD/ports/"></ulink> to
       get you going.</para>
 
       <note>
 	<para>You will need the <literal>Linux Emulation</literal>
 	  (Linux-ABI) enabled in your kernel configuration.  Simply add
 	  the following option to your kernel configuration file and
 	  recompile it.  Instructions for building a kernel can be found
 	  in the <ulink url="&url.books.handbook;/index.html">FreeBSD
           Handbook</ulink>.</para>
 
 	<programlisting>options		COMPAT_LINUX</programlisting>
 
 	<para>The above option will add Linux-ABI support to your
 	  kernel, when it is recompiled.</para>
       </note>
 
     <para>The list of dependencies below, are required to be installed
       manually in a certain order.  Dependencies that are automatically
       downloaded are not listed here.</para>
 
     <itemizedlist>
       <listitem>
 	<para><filename role="package">java/jdk13</filename></para>
       </listitem>
 
       <listitem>
 	<para><filename role="package">java/linux-jdk13</filename></para>
       </listitem>
     </itemizedlist>
 
     <para>You will need to get the following:</para>
 
     <procedure>
       <step>
 	<para>Download <filename>bsd-jdk131-patches-9.tar.gz</filename>
 	  from <ulink
 	  url="http://www.eyesbeyond.com/freebsddom/java/jdk13.html"></ulink>
 	  and place it under <filename>/usr/ports/distfiles</filename>.</para>
       </step>
 
       <step>
 	<para>Next get out your web browser and head on over to
 	  <ulink url="http://java.sun.com/j2se/1.3/download-linux.html"></ulink>
 	  and find SDK downloads. Click on the <quote>continue</quote>
 	  button below <quote>GNUZIP Tar Shell Script</quote>.  Be sure
 	  you read every word of the license page before you click on
 	  the <quote>Accept</quote> button! You will be brought to a
 	  page titled <quote>Download Java(TM) 2 SDK, Standard Edition
 	  1.3.1_10</quote>.  Scroll to the bottom and click on the
 	  <quote>HTTP download</quote> button.  When the <quote>File
 	  Download</quote> box comes up, be sure to click on the
 	  <quote>Open</quote> button rather than the <quote>Save</quote>
 	  button.  You will be presented with another <quote>File
 	  Download</quote> box - this time choose <quote>Save</quote>
 	  and you will be able to save
           <filename>j2sdk-1_3_1_10-linux-i386.bin</filename>.
 	  Place it in <filename>/usr/ports/distfiles</filename>.</para>
       </step>
 
       <step>
 	<para>Go to <ulink
 	  url="http://www.sun.com/software/java2/download.html"></ulink>.
 	  In the table under <literal>Produce Description</literal>,
 	  named <literal>Java 2 SDK 1.3.1</literal>, go to the
 	  right-hand cell and click <quote>download</quote>.  You will
 	  be taken to the <quote>Sign On</quote> page, where you must
 	  sign in if you already have an account, or register for
 	  access.  Once you have signed on, you will be taken to the
 	  <quote>Legal</quote> page, where you must accept the license
 	  agreement; scroll down (reading the license) and click on the
 	  <quote>Continue</quote> button.  Next page, is the
 	  <quote>Receipt</quote> page.  This is where you will save your
 	  order number.  You will be able to choose the location that is
 	  nearest to you.  Click on <quote>Java 2 SDK, Standard Edition,
 	  version 1.3.1</quote>.  Save the
 	  <filename>j2sdk-1_3_1-src.tar.gz</filename> to the
 	  <filename>/usr/ports/distfiles/</filename> directory.</para>	  
       </step>
     </procedure>
 
     <note>
       <para>It is very important for you to read the License Agreement
 	which has been issued by Sun Microsystems Corp.  There are
 	several restrictions in place on the use of &java;, which you must
 	address. The FreeBSD Project does not take any responsibilities
 	for your actions.</para>
       
       <para>Do not discard any of the downloaded files, as they will be
 	needed for building some of the native ports for FreeBSD, which
 	are discussed later on.</para>
     </note>
 
     <para>Now that you have assembled all the source files and ports,
       you need to start by building <filename
       role="package">java/linux-jdk13</filename>:</para>
 
     <screen>&prompt.root; cd /usr/ports/java/linux-jdk13
 &prompt.root; make all install clean</screen>
 
     <para>Once you have built <filename
       role="package">java/linux-jdk13</filename>, you need to test it, to
       make sure it works as intended.  To do that:</para>
 
     <screen>&prompt.root; cd /usr/local/linux-jdk1.3.1/bin
 &prompt.root; ./java -version</screen>
 
     <para>The output of the above command should be as follows:</para>
 
     <programlisting>java version "1.3.1_10"
 Java(TM) 2 Runtime Environment, Standard Edition (build 1.3.1_10-b02)
 Classic VM (build 1.3.1_02-b02, green threads, nojit)</programlisting>
 
     <para>If you did not get the correct response, you need to:</para>
 
     <screen>&prompt.root; cd /usr/ports/java/linux-jdk13
 &prompt.root; make deinstall</screen>
 
     <para>And make sure that <filename>/usr/local</filename> does not
       contain a <filename>linux-jdk1.3.1</filename> directory.  If you
       find a fragment of the directory, delete it.  Repeat the
       build and install process for <filename
       role="package">java/linux-jdk13</filename>.</para>
 
     <para>To make the native <literal>Java Development Kit
       1.3.1</literal> for FreeBSD, do the following:</para>
 
     <procedure>
       <step>
 	<para>Make sure you have the
 	  <filename>j2sdk-1_3_1-src.tar.gz</filename> file in your
 	  <filename>/usr/ports/distfiles</filename>.  This file is needed
 	  for applying the <quote>patch-set</quote> discussed below.</para>
       </step>
 
       <step>
 	<para>You will need to download the <literal>patch set</literal>
 	  for building the port.  The patch-set file is called
 	  <filename>bsd-jdk131-patches-9.tar.gz</filename>.  You should
 	  also make sure the integrity of the files by matching it with
 	  the following <acronym>MD5</acronym> checksum.</para>
 
         <programlisting>
 MD5 (bsd-jdk131-patches-9.tar.gz) = 29c83880d3555abcf74fc7df9db1959f</programlisting>
 
         <para>The patch-set is available from:  <ulink
 	  url="http://www.eyesbeyond.com/freebsddom/java/index.html"></ulink></para>
       </step>
     </procedure>
 
     <para>The last procedure discussed above (building the native
       &jdk;) will take some time.</para>
   </sect1>
 
   <sect1>
     <title>Jakarta Tomcat Setup</title>
 
     <sect2>
       <title>Overview</title>
 
       <para>&java; is becoming an even more popular for making diverse
 	and scalable platform independent solutions.  One of the most
 	growing needs of &java; is in the <acronym>ASP</acronym> (Application
 	Service Provider) market.  &java; serves as the perfect
 	solution for these types of markets, with the following
 	advantages:</para>
 
       <itemizedlist>
 	<listitem>
 	  <para>Platform Independence</para>
 	</listitem>
 
 	<listitem>
 	  <para>Industry Wide Commitment</para>
 	</listitem>
 
 	<listitem>
 	  <para>Scalability</para>
 	</listitem>
 
 	<listitem>
 	  <para>Reliable Performance</para>
 	</listitem>
 
 	<listitem>
 	  <para>Distributed, Multi-threaded, Secure etc.</para>
 	</listitem>
       </itemizedlist>
 
       <para>A very important and growing technology which has emerged
 	from &java; is <acronym>&jsp;</acronym> (&javaserver.pages;).</para>
 
       <para><acronym>&jsp;</acronym> (&javaserver.pages;) is a server-side
 	technology introduced by <literal>Sun Microsystems
 	Corp.</literal>, which provides a quick simple way to generate
 	dynamic content from within <acronym>HTML</acronym> pages.  It
 	uses <acronym>XML</acronym> tags along with &java; scriptlets to
 	encapsulate and separate the logic from the design and display.
 	When a <acronym>&jsp;</acronym> page is invoked, it is dynamically
 	converted into a Servlet and processed by the server to produce
 	the resulting <acronym>HTML/XML</acronym> page for the client.
 	When <acronym>&jsp;</acronym> is used in conjunction with
 	JavaBeans, it is possible to produce very diverse and scalable
 	applications, which may be combined with the strength and
 	performance of FreeBSD.</para>
 
       <para><application>Tomcat</application> is an open-source
 	implementation of the &java; Servlets and &javaserver.pages;
 	technologies, developed under the Jakarta project at the Apache
 	Software Foundation.  Tomcat implements a new Servlet framework
 	(called Catalina) that is based on completely new architecture
 	with the Servlet 2.3 and <acronym>&jsp;</acronym> 1.2
 	specifications.  It includes many additional features that make
 	it a useful platform for developing and deploying web
 	applications and web services.  In a nutshell, Tomcat is an
 	application server written in 100% Pure &java;.</para>
 
       <para>Tomcat is used for many purposes, and is not limited to
 	Application Servers.  It provides an open platform to develop
 	extensible web and content management services.  When Tomcat is
 	used with an optimized FreeBSD system, it can provide highly
 	reliable and fast pacing services.</para>
 
       <para>Please refer to the <xref linkend="ref"> section for more
 	information on Tomcat and <acronym>&jsp;</acronym>.  The next
 	section will demonstrate how to build the <quote>Tomcat
 	Environment</quote> for FreeBSD.  The version of Tomcat used in
 	this guide is <literal>4.0.6</literal>.  This version contains
 	major bug fixes, and the following updates/changes:</para>
 
       <itemizedlist>
 	<listitem>
 	  <para><literal>JSP 1.2 Specification</literal></para>
 	</listitem>
 
 	<listitem>
 	  <para><literal>Java Servlet 2.3 Specification</literal></para>
 	</listitem>
 
 	<listitem>
 	  <para><literal>Full backward compatibility with the Java Servlet
 	    2.2 and JSP 1.1 Specification</literal></para>
 	</listitem>
       </itemizedlist>
     </sect2>
 
     <sect2>
       <title>The Tomcat environment for FreeBSD</title>
 
       <para>It is very simple to install Tomcat on a FreeBSD machine,
 	after setting up the necessary &java; environment, which we have
 	previously completed.</para>
 
       <para>In-order to set up Tomcat on FreeBSD, follow the below 
         procedure:</para>
 
       <procedure>
 	<step>
 	  <para>Follow the above steps to set up the necessary &java;
 	    environment.</para>
 	</step>
 
 	<step>
 	  <para>Set an environment variable <envar>JAVA_HOME</envar>
 	    which, points to the directory where you have installed the
 	    &jdk; (the examples below point to a native build of the
 	    &jdk;).  If you are using &man.sh.1; as your shell, you can set
 	    <envar>JAVA_HOME</envar> with:</para>
 
 	  <screen>&prompt.root; export JAVA_HOME="/usr/local/jdk1.3.1"</screen>
 
 	  <para>Those who use &man.csh.1; or a compatible shell, must use a
 	    slightly different command:</para>
 
 	  <screen>&prompt.root; setenv JAVA_HOME /usr/local/jdk1.3.1</screen>
 
 	  <para>This environment variable should be made permanent by
 	    adding it into either <filename>.profile</filename> or
 	    <filename>.cshrc</filename>, depending on the shell you are
 	    using. This variable is very crucial for the functioning of
 	    all the &java; based programs, including Tomcat itself.</para>
 	</step>
 
 	<step>
 	  <para>Download the Tomcat <quote>binary distribution</quote>
 	    from the Jakarta website, which is located at
 	    <literal><ulink url="&tomcat406"></ulink></literal>.  The
 	    file to download is called
 	    <filename>jakarta-tomcat-4.0.6.tar.gz</filename>.</para>	    
 	</step>
 
 	<step>
 	  <para>The compressed and archived file we downloaded in the
 	    previous step uses special <quote>GNU Extensions</quote>.
 	    In-order to untar and uncompress the file, we will need to
 	    install <literal>GNU Tar  (<filename
 	    role="package">archivers/gtar</filename>)</literal>, by
 	    doing the following:</para>
 
 	  <screen>&prompt.root; cd /usr/ports/archivers/gtar &amp;&amp; make all install clean</screen>
 	</step>
 
 	<step>
 	  <para>Un-tar and Un-compress the
 	    <filename>jakarta-tomcat-4.0.6.tar.gz</filename> file into
 	    the <filename>/usr/local</filename> directory and rename the
 	    directory to <filename>tomcat-4.0</filename> for ease of
 	    reference:</para>
 
 	  <screen>&prompt.root; cd /usr/local
 &prompt.root; gtar zxvf jakarta-tomcat-4.0.6.tar.gz
 &prompt.root; ls jakarta*
 jakarta-tomcat-4.0.6
 &prompt.root; mv jakarta-tomcat-4.0.6 tomcat-4.0</screen>
 
 	  <para>You can remove the
 	    <filename>jakarta-tomcat-4.0.6.tar.gz</filename> at your
 	    preference.</para>
 	</step>
       </procedure>
 
       <note>
 	<para><literal>Installation by using the source code is currently
 	  out of scope for this document.  Please refer to the following
 	  files for addition information on building from source,
 	  available from your Tomcat distribution
 	  directory:</literal></para>
 
 	<itemizedlist>
 	  <listitem>
 	    <para><filename>/usr/local/tomcat-4.0/README.txt</filename></para>
 	  </listitem>
 
 	  <listitem>
 	    <para><filename>/usr/local/tomcat-4.0/BUILDING.txt</filename></para>
 	  </listitem>
 	</itemizedlist>
       </note>
     </sect2>
 
     <sect2>
       <title>Operating Tomcat - Basics</title>
 
       <para>Now that we have finished installing Tomcat.  The following
 	example shows how to start the Tomcat server:</para>
 
       <screen>&prompt.root; cd /usr/local/tomcat-4.0/bin
 &prompt.root; ./startup.sh  (for starting Tomcat)</screen>
 
       <para>You can test if your Tomcat server has started by visiting
 	the following URL: <literal>http://127.0.0.1:8080</literal> or
 	<literal>http://localhost:8080</literal>.  To stop
 	Tomcat:</para>
 
       <screen>&prompt.root; cd /usr/local/tomcat-4.0/bin
 &prompt.root; ./shutdown.sh</screen>
 
       <para>(for stopping Tomcat)</para>
 
       <para>The <filename>startup.sh</filename> and
 	<filename>shutdown.sh</filename> are frontends to the
 	<filename>catalina.sh</filename> executable script in the same
 	directory; if you would like to start Tomcat automatically at
 	boot-time run:</para>
 
       <screen>&prompt.root; cd /usr/local/etc/rc.d
 &prompt.root; ln -s /usr/local/tomcat-4.0/bin/catalina.sh</screen>
 
       <para>Edit the <filename>catalina.sh</filename>, and add the
 	following at the beginning of the file (after the comment
 	box):</para>
 
       <programlisting>JAVA_HOME=/usr/local/jdk1.3.1</programlisting>
 
       <para>If your port <literal>8080</literal> is occupied by some other
 	service, you can change it by editing the
 	<filename>server.xml</filename> in your Tomcat's
 	<filename>conf/</filename> directory.  In the example below, the
 	port will be changed to 80, assuming there is no service running
 	on that port.</para>
 
       <screen>&prompt.root; cd /usr/local/tomcat-4.0/conf
 &prompt.root; fgrep -n 8080 server.xml
 ~65:         By default, a non-SSL HTTP/1.1 Connector is established on port 8080.
 ~89:         port="8080" minProcessors="5" maxProcessors="75"
 &prompt.root; cat server.xml | sed s/8080/80/ > server.xml.new
 &prompt.root; mv server.xml.new server.xml</screen>
     </sect2>
   </sect1>
 
   <sect1 id="ref" xreflabel="reference">
     <title>Reference</title>
 
-    <informaltable frame="none">
+    <informaltable frame="none" pgwide="1">
       <tgroup cols="1">
 	<tbody>
 	  <row>
 	    <entry>
 	      <ulink url="&wwwurl;/java">The FreeBSD &java; Project</ulink>
 	    </entry>
 	  </row>
 
 	  <row>
 	    <entry>
 	      <ulink url="http://java.sun.com">JavaSoft. Home of &java;</ulink>
 	    </entry>
 	  </row>
 
 	  <row>
 	    <entry>
 	      <ulink
 		url="&sunurl;/software/communitysource/java2/licensing.html">The
 		Sun Community Source Licensing for &java;</ulink>
 	    </entry>
 	  </row>
 
 	  <row>
 	    <entry>
 	      <ulink url="&tomcaturl">Jakarta Tomcat Homepage</ulink>
 	    </entry>
 	  </row>
 
 	  <row>
 	    <entry>
 	      <ulink url="http://java.sun.com/docs/index.html">J2SE
 		Documentation</ulink>
 	    </entry>
 	  </row>
 
 	  <row>
 	    <entry>
 	      <ulink url="&wwwurl;/ports/java.html">FreeBSD Ports - &java;
 		Section</ulink>
 	    </entry>
 	  </row>
 	</tbody>
       </tgroup>
     </informaltable>
 
     <sect2>
       <title>Conclusion</title>
 
       <para>Finally, we are at the end of the article and have a working
 	version of Tomcat.  We hope that you have learned the basics of
 	installing and building the &java; Development Kit on FreeBSD,
 	along with installation of the Tomcat binary distribution
 	application server released by the Apache Software Foundation.
 	The <xref linkend="ref"> section contains pointers to additional
 	resources on this topic, some which are in print, some which are
 	on the World Wide Web, or both.</para>
 
       <para>The most important thing is drive space.  I suggest having
 	<literal>700MB</literal> or more free space in
 	<filename>/usr</filename>.  I hope this article has helped you
 	in some small way.  For questions, comments, compliments, or
 	rants, please direct them to the authors.</para>
     </sect2>
   </sect1>
 </article>
diff --git a/en_US.ISO8859-1/articles/pxe/article.sgml b/en_US.ISO8859-1/articles/pxe/article.sgml
index efc50a8ecc..2051120097 100644
--- a/en_US.ISO8859-1/articles/pxe/article.sgml
+++ b/en_US.ISO8859-1/articles/pxe/article.sgml
@@ -1,285 +1,285 @@
 <!DOCTYPE article PUBLIC "-//FreeBSD//DTD DocBook V4.1-Based Extension//EN" [
 <!ENTITY % articles.ent PUBLIC "-//FreeBSD//ENTITIES DocBook FreeBSD Articles Entity Set//EN">
 %articles.ent;
 ]>
 
 <article>
   <articleinfo>
     <title>FreeBSD Jumpstart Guide</title>
 
     <authorgroup>
       <author>
         <firstname>Alfred</firstname>
         <surname>Perlstein</surname>
 
         <affiliation>
           <address><email>alfred@FreeBSD.org</email></address>
         </affiliation>
       </author>
     </authorgroup>
 
     <pubdate>$FreeBSD$</pubdate>
 
     <legalnotice id="trademarks" role="trademarks">
       &tm-attrib.freebsd;
       &tm-attrib.intel;
       &tm-attrib.general;
     </legalnotice>
 
     <abstract>
       <para>This article details the method used to allow machines to install
         FreeBSD using the &intel; PXE method of booting a machine over a network.
         </para>
     </abstract>
   </articleinfo>
 
   <sect1 id="introduction">
     <title>Introduction</title>
 
     <warning>
       <para>This procedure will make the <quote>Server</quote> both insecure and dangerous,
         it is best to just keep the <quote>Server</quote> on its own hub and not in any way
         accessible by any machines other than the <quote>Clients</quote>.</para>
     </warning>
 
     <para>Terminology:</para>
 
-    <informaltable frame="none">
+    <informaltable frame="none" pgwide="1">
       <tgroup cols="2">
 
         <tbody>
           <row>
             <entry>Server</entry>
             <entry>The machine offering netboot and install options.</entry>
           </row>
 
           <row>
             <entry>Client</entry>
             <entry>The machine that will have FreeBSD installed on it.</entry>
           </row>
         </tbody>
       </tgroup>
     </informaltable>
 
     <para>Requires:
       Clients supporting the &intel; PXE netboot option, an Ethernet connection.
       </para>
 
     <para>Please let me know if you come across anything you have problems with
       or suggestions for additional documentation.</para>
 
     <para>If you would like someone to train/implement a specific netinstall system
       for you, please send email so that we can discuss terms.</para>
 
     <para>I would also like to thank &a.ps; and &a.jhb; for doing most of the
       programming work on pxeboot, the interface to the &intel; PXE (netboot)
       system.</para>
   </sect1>
 
   <sect1 id="server-config">
     <title>Server Configuration</title>
 
     <procedure>
       <step>
         <para>Install DHCP: Install <filename role="package">net/isc-dhcp3-server</filename> you can use this config file
           <ulink url="dhcpd.conf">
           <filename>dhcpd.conf</filename></ulink>, stick it in <filename>/usr/local/etc/</filename>.</para>
       </step>
 
       <step>
         <para>Enable tftp:</para>
 	
         <procedure>
           <step>
             <para>Make a directory <filename>/usr/tftpboot</filename></para>
           </step>
 
           <step>
             <para>Add this line to your
               <filename>/etc/inetd.conf</filename>:</para>
 	
 <programlisting>tftp    dgram   udp     wait    nobody  /usr/libexec/tftpd    tftpd /usr/tftpboot</programlisting>
           </step>
         </procedure>
 
       </step>
 
       <step>
         <para>Enable NFS:</para>
 	
         <procedure>
           <step>
             <para>Add this to <filename>/etc/rc.conf</filename>:</para>
 
 	    <programlisting>nfs_server_enable="YES"</programlisting>
           </step>
 
           <step>
             <para>Add this to <filename>/etc/exports</filename>:</para>
 
 	    <programlisting>/usr -alldirs -ro</programlisting>
           </step>
         </procedure>
       </step>
 
       <step>
         <para>Reboot to enable the new services or start them
           manually.</para>
       </step>
     </procedure>
   </sect1>
 
   <sect1 id="bootstrap-config">
     <title>Bootstrap Setup</title>
 
     <procedure>
       <step>
         <para>Download bootfiles: Download the
           <ulink
 	  url="&snapshots.stable;/floppies/kern.flp">
           kern.flp</ulink> and
           <ulink
 	  url="&snapshots.stable;/floppies/mfsroot.flp">
           mfsroot.flp</ulink> floppy images.</para>
       </step>
 
       <step>
         <para>Set up tftp/pxe-boot directory:</para>
 	
         <procedure>
           <step>
             <para>Put pxeboot in the boot directory:</para>
 	
 	    <screen>&prompt.root; <userinput>rm -rf /usr/obj/*</userinput>
 &prompt.root; <userinput>cd /usr/src/sys/boot</userinput>
 &prompt.root; <userinput>make</userinput>
 &prompt.root; <userinput>cp /usr/src/sys/boot/i386/pxeldr/pxeboot /usr/tftpboot</userinput></screen>
           </step>
 
           <step>
             <para>Using the vndevice mount the <filename>kern.flp</filename>
 	      file and copy its contents to
 	      <filename>/usr/tftpboot</filename>:</para>
 
 	    <screen>&prompt.root; <userinput>vnconfig vn0 kern.flp</userinput>    # associate a vndevice with the file
 &prompt.root; <userinput>mount /dev/vn0 /mnt</userinput>      # mount it
 &prompt.root; <userinput>cp -R /mnt /usr/tftpboot</userinput> # copy the contents to /usr/tftpboot
 &prompt.root; <userinput>umount /mnt</userinput>              # unmount it
 &prompt.root; <userinput>vnconfig -u vn0</userinput>          # disassociate the vndevice from the file</screen>
           </step>
         </procedure>
       </step>
 
       <step>
         <para>Compile a custom kernel for the clients (particularly to avoid
           the device config screen at boot) and stick it in
           <filename>/usr/tftpboot</filename>.</para>
       </step>
 
       <step>
         <para>Make a special <filename>loader.rc</filename> to and install it
           in <filename>/usr/tftpboot/boot/loader.rc</filename> so that it
           does not prompt for the second disk, here is
           <ulink url="loader.rc">mine</ulink>.</para>
       </step>
 
       <step>
         <para>Extract the installer and helper utilities from the mfsroot disk
           and uncompress them, put them in <filename>/usr/tftpboot</filename>
           as well:</para>
 
 	<screen>&prompt.root; <userinput>vnconfig vn0 mfsroot.flp</userinput>         # associate a vndevice with the file
 &prompt.root; <userinput>mount /dev/vn0 /mnt</userinput>              # mount it
 &prompt.root; <userinput>cp /mnt/mfsroot.gz /usr/tftpboot</userinput> # copy the contents to /usr/tftpboot
 &prompt.root; <userinput>umount /mnt</userinput>                      # unmount it
 &prompt.root; <userinput>vnconfig -u vn0</userinput>                  # disassociate the vndevice from the file
 &prompt.root; <userinput>cd /usr/tftpboot</userinput>                 # get into the pxeboot directory
 &prompt.root; <userinput>gunzip mfsroot.gz</userinput>                # uncompress the mfsroot</screen>
       </step>
 
       <step>
         <para>Make your sysinstall script <filename>install.cfg</filename>, you
           can use
           <ulink url="install.cfg">mine</ulink>
           as a template, but you must edit it.</para>
       </step>
 
       <step>
         <para>Copy the sysinstall script into the extracted and uncompressed
           mfsroot image:</para>
 
 	<screen>&prompt.root; <userinput>cd /usr/tftpboot</userinput>
 &prompt.root; <userinput>vnconfig vn0 mfsroot</userinput>
 &prompt.root; <userinput>mount /dev/vn0 /mnt</userinput>
 &prompt.root; <userinput>cp install.cfg /mnt</userinput>
 &prompt.root; <userinput>umount /mnt</userinput>
 &prompt.root; <userinput>vnconfig -u vn0</userinput></screen>
       </step>
     </procedure>
   </sect1>
 
   <sect1 id="install-setup">
     <title>Install Setup</title>
 
     <procedure>
       <step>
         <para>Put the install files in an NFS accessible location on the
 	  Server. Make a directory corresponding the 'nfs' directive in the
 	  <filename> install.cfg</filename> file and mirror the FreeBSD
 	  install files there, you will want it to look somewhat like
 	  this:</para>
 
 	<screen>ABOUT.TXT       TROUBLE.TXT     compat20        floppies        ports
 ERRATA.TXT      UPGRADE.TXT     compat21        games           proflibs
 HARDWARE.TXT    XF86336         compat22        info            src
 INSTALL.TXT     bin             compat3x        kern.flp
 LAYOUT.TXT      catpages        crypto          manpages
 README.TXT      cdrom.inf       dict            mfsroot.flp
 RELNOTES.TXT    compat1x        doc             packages</screen>
       </step>
 
       <step>
         <para>Copy the compressed packages into the packages/All directory
           under <filename>nfs</filename>.</para>
       </step>
 
       <step>
         <para>Make sure you have an <filename>INDEX</filename> file prepared
 	  in the packages directory. You can make your own
 	  <filename>INDEX</filename> entries like so:</para>
 
 	<programlisting>alfred-1.0||/|Alfred install bootstrap||alfred@FreeBSD.org||||</programlisting>
 
         <para>Then you can install custom packages, particularly your own
 	  custom post-install package.</para>
       </step>
     </procedure>
   </sect1>
 
   <sect1 id="custom-postinst-package">
     <title>Custom Post-Install Package</title>
 
     <para>You can use the script <ulink url="pkgmaker.sh"><filename>pkgmaker.sh
       </filename></ulink> to create a
       custom package for post install, the idea is to have it install and
       configure any special things you may need done.
       <filename>pkgmaker</filename> is run in the directory above the package
       you wish to create with the single argument of the package (ie mypkg)
       which will then create a mypkg.tgz for you to include in your sysinstall
       package.</para>
 
     <para>Inside your custom package dir you will want a file called
       <filename>PLIST</filename> which contains all the files that you wish to
       install and be incorporated into your package.</para>
 
     <para>You will also want files called
       <ulink url="pre"><filename>pre</filename></ulink> and
       <ulink url="post"><filename>post</filename></ulink>
       in the directory, these are shell scripts
       that you want to execute before and after your package is
       installed.</para>
 
     <para>Since this package is in your <filename>install.cfg</filename> file
       it should be run and do the final configuration for you.</para>
   </sect1>
 </article>
diff --git a/en_US.ISO8859-1/articles/serial-uart/article.sgml b/en_US.ISO8859-1/articles/serial-uart/article.sgml
index c0de19c776..8a896aad2a 100644
--- a/en_US.ISO8859-1/articles/serial-uart/article.sgml
+++ b/en_US.ISO8859-1/articles/serial-uart/article.sgml
@@ -1,2439 +1,2439 @@
 <!DOCTYPE article PUBLIC "-//FreeBSD//DTD DocBook V4.1-Based Extension//EN" [
 <!ENTITY % articles.ent PUBLIC "-//FreeBSD//ENTITIES DocBook FreeBSD Articles Entity Set//EN">
 %articles.ent;
 ]>
 
 <article>
   <articleinfo>
     <title>Serial and UART Tutorial</title>
     
     <authorgroup>
       <author>
         <firstname>Frank</firstname>
         <surname>Durda</surname>
         
         <affiliation>
           <address><email>uhclem@FreeBSD.org</email></address>
         </affiliation>
       </author>
     </authorgroup>
     
     <pubdate>$FreeBSD$</pubdate>
     
     <legalnotice id="trademarks" role="trademarks">
       &tm-attrib.freebsd;
       &tm-attrib.microsoft;
       &tm-attrib.general;
     </legalnotice>
 
     <abstract>
       <para>This article talks about using serial hardware with FreeBSD.</para>
     </abstract>
   </articleinfo>
   
   <sect1 id="uart">
     <title>The UART: What it is and how it works</title>
 
       <para><emphasis>Copyright &copy; 1996 &a.uhclem;, All Rights
         Reserved.  13 January 1996.</emphasis></para>
 
       <para>The Universal Asynchronous Receiver/Transmitter (UART)
 	controller is the key component of the serial communications
 	subsystem of a computer.  The UART takes bytes of data and
 	transmits the individual bits in a sequential fashion.  At the
 	destination, a second UART re-assembles the bits into complete
 	bytes.</para>
 	    
       <para>Serial transmission is commonly used with modems and for
 	non-networked communication between computers, terminals and
 	other devices.</para>
 	    
       <para>There are two primary forms of serial transmission:
 	Synchronous and Asynchronous.  Depending on the modes that are
 	supported by the hardware, the name of the communication
 	sub-system will usually include a <literal>A</literal> if it
 	supports Asynchronous communications, and a
 	<literal>S</literal> if it supports Synchronous
 	communications.  Both forms are described below.</para>
 	    
       <para>Some common acronyms are:</para>
 	  
       <blockquote>
 	<para>UART Universal Asynchronous Receiver/Transmitter</para>
       </blockquote>
 	  
       <blockquote>
 	<para>USART Universal Synchronous-Asynchronous
 	  Receiver/Transmitter</para>
       </blockquote>
 
       <sect2>
         <title>Synchronous Serial Transmission</title>
 	  
 	<para>Synchronous serial transmission requires that the sender
 	  and receiver share a clock with one another, or that the
 	  sender provide a strobe or other timing signal so that the
 	  receiver knows when to <quote>read</quote> the next bit of
 	  the data.  In most forms of serial Synchronous
 	  communication, if there is no data available at a given
 	  instant to transmit, a fill character must be sent instead
 	  so that data is always being transmitted.  Synchronous
 	  communication is usually more efficient because only data
 	  bits are transmitted between sender and receiver, and
 	  synchronous communication can be more costly if extra wiring
 	  and circuits are required to share a clock signal between
 	  the sender and receiver.</para>
 	      
 	<para>A form of Synchronous transmission is used with printers
 	  and fixed disk devices in that the data is sent on one set
 	  of wires while a clock or strobe is sent on a different
 	  wire. Printers and fixed disk devices are not normally
 	  serial devices because most fixed disk interface standards
 	  send an entire word of data for each clock or strobe signal
 	  by using a separate wire for each bit of the word.  In the
 	  PC industry, these are known as Parallel devices.</para>
 	      
 	<para>The standard serial communications hardware in the PC
 	  does not support Synchronous operations.  This mode is
 	  described here for comparison purposes only.</para>
       </sect2>
 
       <sect2>
         <title>Asynchronous Serial Transmission</title>
 	  
 	<para>Asynchronous transmission allows data to be transmitted
 	  without the sender having to send a clock signal to the
 	  receiver.  Instead, the sender and receiver must agree on
 	  timing parameters in advance and special bits are added to
 	  each word which are used to synchronize the sending and
 	  receiving units.</para>
 	      
 	<para>When a word is given to the UART for Asynchronous
 	  transmissions, a bit called the "Start Bit" is added to the
 	  beginning of each word that is to be transmitted.  The Start
 	  Bit is used to alert the receiver that a word of data is
 	  about to be sent, and to force the clock in the receiver
 	  into synchronization with the clock in the transmitter.
 	  These two clocks must be accurate enough to not have the
 	  frequency drift by more than 10% during the transmission of
 	  the remaining bits in the word.  (This requirement was set
 	  in the days of mechanical teleprinters and is easily met by
 	  modern electronic equipment.)</para>
 	      
 	<para>After the Start Bit, the individual bits of the word of
 	  data are sent, with the Least Significant Bit (LSB) being
 	  sent first.  Each bit in the transmission is transmitted for
 	  exactly the same amount of time as all of the other bits,
 	  and the receiver <quote>looks</quote> at the wire at
 	  approximately halfway through the period assigned to each
 	  bit to determine if the bit is a <literal>1</literal> or a
 	  <literal>0</literal>.  For example, if it takes two seconds
 	  to send each bit, the receiver will examine the signal to
 	  determine if it is a <literal>1</literal> or a
 	  <literal>0</literal> after one second has passed, then it
 	  will wait two seconds and then examine the value of the next
 	  bit, and so on.</para>
 	      
 	<para>The sender does not know when the receiver has
 	  <quote>looked</quote> at the value of the bit.  The sender
 	  only knows when the clock says to begin transmitting the
 	  next bit of the word.</para>
 	      
 	<para>When the entire data word has been sent, the transmitter
 	  may add a Parity Bit that the transmitter generates.  The
 	  Parity Bit may be used by the receiver to perform simple
 	  error checking.  Then at least one Stop Bit is sent by the
 	  transmitter.</para>
 	      
 	<para>When the receiver has received all of the bits in the
 	  data word, it may check for the Parity Bits (both sender and
 	  receiver must agree on whether a Parity Bit is to be used),
 	  and then the receiver looks for a Stop Bit.  If the Stop Bit
 	  does not appear when it is supposed to, the UART considers
 	  the entire word to be garbled and will report a Framing
 	  Error to the host processor when the data word is read.  The
 	  usual cause of a Framing Error is that the sender and
 	  receiver clocks were not running at the same speed, or that
 	  the signal was interrupted.</para>
 	      
 	<para>Regardless of whether the data was received correctly or
 	  not, the UART automatically discards the Start, Parity and
 	  Stop bits.  If the sender and receiver are configured
 	  identically, these bits are not passed to the host.</para>
 	      
 	<para>If another word is ready for transmission, the Start Bit
 	  for the new word can be sent as soon as the Stop Bit for the
 	  previous word has been sent.</para>
 	      
 	<para>Because asynchronous data is <quote>self
 	  synchronizing</quote>, if there is no data to transmit, the
 	  transmission line can be idle.</para>
       </sect2>
 
       <sect2>
         <title>Other UART Functions</title>
 	  
 	<para>In addition to the basic job of converting data from
 	  parallel to serial for transmission and from serial to
 	  parallel on reception, a UART will usually provide
 	  additional circuits for signals that can be used to indicate
 	  the state of the transmission media, and to regulate the
 	  flow of data in the event that the remote device is not
 	  prepared to accept more data.  For example, when the device
 	  connected to the UART is a modem, the modem may report the
 	  presence of a carrier on the phone line while the computer
 	  may be able to instruct the modem to reset itself or to not
 	  take calls by raising or lowering one more of these
 	  extra signals. The function of each of these additional
 	  signals is defined in the EIA RS232-C standard.</para>
       </sect2>
 
       <sect2>
         <title>The RS232-C and V.24 Standards</title>
 	  
 	<para>In most computer systems, the UART is connected to
 	  circuitry that generates signals that comply with the EIA
 	  RS232-C specification.  There is also a CCITT standard named
 	  V.24 that mirrors the specifications included in
 	  RS232-C.</para>
 	      
 	<sect3>
 	  <title>RS232-C Bit Assignments (Marks and Spaces)</title>
 	    
 	  <para>In RS232-C, a value of <literal>1</literal> is called
 	    a <literal>Mark</literal> and a value of
 	    <literal>0</literal> is called a <literal>Space</literal>.
 	    When a communication line is idle, the line is said to be
 	    <quote>Marking</quote>, or transmitting continuous
 	    <literal>1</literal> values.</para>
 		
 	  <para>The Start bit always has a value of
 	    <literal>0</literal> (a Space).  The Stop Bit always has a
 	    value of <literal>1</literal> (a Mark).  This means that
 	    there will always be a Mark (1) to Space (0) transition on
 	    the line at the start of every word, even when multiple
 	    word are transmitted back to back.  This guarantees that
 	    sender and receiver can resynchronize their clocks
 	    regardless of the content of the data bits that are being
 	    transmitted.</para>
 		
 	  <para>The idle time between Stop and Start bits does not
 	    have to be an exact multiple (including zero) of the bit
 	    rate of the communication link, but most UARTs are
 	    designed this way for simplicity.</para>
 		
 	  <para>In RS232-C, the "Marking" signal (a
 	    <literal>1</literal>) is represented by a voltage between
 	    -2 VDC and -12 VDC, and a "Spacing" signal (a
 	    <literal>0</literal>) is represented by a voltage between
 	    0 and +12 VDC.  The transmitter is supposed to send +12
 	    VDC or -12 VDC, and the receiver is supposed to allow for
 	    some voltage loss in long cables.  Some transmitters in
 	    low power devices (like portable computers) sometimes use
 	    only +5 VDC and -5 VDC, but these values are still
 	    acceptable to a RS232-C receiver, provided that the cable
 	    lengths are short.</para>
 	</sect3>
 	      
 	<sect3>
 	  <title>RS232-C Break Signal</title>
 	    
 	  <para>RS232-C also specifies a signal called a
 	    <literal>Break</literal>, which is caused by sending
 	    continuous Spacing values (no Start or Stop bits).  When
 	    there is no electricity present on the data circuit, the
 	    line is considered to be sending
 	    <literal>Break</literal>.</para>
 		
 	  <para>The <literal>Break</literal> signal must be of a
 	    duration longer than the time it takes to send a complete
 	    byte plus Start, Stop and Parity bits.  Most UARTs can
 	    distinguish between a Framing Error and a Break, but if
 	    the UART cannot do this, the Framing Error detection can
 	    be used to identify Breaks.</para>
 		
 	  <para>In the days of teleprinters, when numerous printers
 	    around the country were wired in series (such as news
 	    services), any unit could cause a <literal>Break</literal>
 	    by temporarily opening the entire circuit so that no
 	    current flowed.  This was used to allow a location with
 	    urgent news to interrupt some other location that was
 	    currently sending information.</para>
 		
 	  <para>In modern systems there are two types of Break
 	    signals. If the Break is longer than 1.6 seconds, it is
 	    considered a "Modem Break", and some modems can be
 	    programmed to terminate the conversation and go on-hook or
 	    enter the modems' command mode when the modem detects this
 	    signal.  If the Break is smaller than 1.6 seconds, it
 	    signifies a Data Break and it is up to the remote computer
 	    to respond to this signal.  Sometimes this form of Break
 	    is used as an Attention or Interrupt signal and sometimes
 	    is accepted as a substitute for the ASCII CONTROL-C
 	    character.</para>
 		
 	  <para>Marks and Spaces are also equivalent to
 	    <quote>Holes</quote> and <quote>No Holes</quote> in paper
 	    tape systems.</para>
 
 	  <note>
 	    <para>Breaks cannot be generated from paper tape or from
 	      any other byte value, since bytes are always sent with
 	      Start and Stop bit.  The UART is usually capable of
 	      generating the continuous Spacing signal in response to
 	      a special command from the host processor.</para>
 	  </note>
 	</sect3>
 	  
 	<sect3>
 	  <title>RS232-C DTE and DCE Devices</title>
 	    
 	  <para>The RS232-C specification defines two types of
 	    equipment: the Data Terminal Equipment (DTE) and the Data
 	    Carrier Equipment (DCE).  Usually, the DTE device is the
 	    terminal (or computer), and the DCE is a modem.  Across
 	    the phone line at the other end of a conversation, the
 	    receiving modem is also a DCE device and the computer that
 	    is connected to that modem is a DTE device.  The DCE
 	    device receives signals on the pins that the DTE device
 	    transmits on, and vice versa.</para>
 		
 	  <para>When two devices that are both DTE or both DCE must be
 	    connected together without a modem or a similar media
 	    translater between them, a NULL modem must be used.  The
 	    NULL modem electrically re-arranges the cabling so that
 	    the transmitter output is connected to the receiver input
 	    on the other device, and vice versa.  Similar translations
 	    are performed on all of the control signals so that each
 	    device will see what it thinks are DCE (or DTE) signals
 	    from the other device.</para>
 		
 	  <para>The number of signals generated by the DTE and DCE
 	    devices are not symmetrical.  The DTE device generates
 	    fewer signals for the DCE device than the DTE device
 	    receives from the DCE.</para>
 	</sect3>
 	  
 	<sect3>
 	  <title>RS232-C Pin Assignments</title>
 	    
 	  <para>The EIA RS232-C specification (and the ITU equivalent,
 	    V.24) calls for a twenty-five pin connector (usually a
 	    DB25) and defines the purpose of most of the pins in that
 	    connector.</para>
 		
 	  <para>In the IBM Personal Computer and similar systems, a
 	    subset of RS232-C signals are provided via nine pin
 	    connectors (DB9).  The signals that are not included on
 	    the PC connector deal mainly with synchronous operation,
 	    and this transmission mode is not supported by the UART
 	    that IBM selected for use in the IBM PC.</para>
 		
 	  <para>Depending on the computer manufacturer, a DB25, a DB9,
 	    or both types of connector may be used for RS232-C
 	    communications.  (The IBM PC also uses a DB25 connector
 	    for the parallel printer interface which causes some
 	    confusion.)</para>
 		
 	  <para>Below is a table of the RS232-C signal assignments in
 	    the DB25 and DB9 connectors.</para>
 
-	  <informaltable frame="none">
+	  <informaltable frame="none" pgwide="1">
 	    <tgroup cols="7">
 	      <thead>
 	        <row>
 		  <entry>DB25 RS232-C Pin</entry> <entry>DB9 IBM PC
 		  Pin</entry> <entry>EIA Circuit Symbol</entry>
 		  <entry>CCITT Circuit Symbol</entry> <entry>Common
 		  Name</entry> <entry>Signal Source</entry>
 		  <entry>Description</entry>
 		</row>
 	      </thead>
 		
 	      <tbody>
 		<row>
 		  <entry>1</entry>
 		  <entry>-</entry>
 		  <entry>AA</entry>
 		  <entry>101</entry>
 		  <entry>PG/FG</entry>
 		  <entry>-</entry>
 		  <entry>Frame/Protective Ground</entry>
 		</row>
 		  
 		<row>
 		  <entry>2</entry>
 		  <entry>3</entry>
 		  <entry>BA</entry>
 		  <entry>103</entry>
 		  <entry>TD</entry>
 		  <entry>DTE</entry>
 		  <entry>Transmit Data</entry>
 		</row>
 		  
 		<row>
 		  <entry>3</entry>
 		  <entry>2</entry>
 		  <entry>BB</entry>
 		  <entry>104</entry>
 		  <entry>RD</entry>
 		  <entry>DCE</entry>
 		  <entry>Receive Data</entry>
 		</row>
 		  
 		<row>
 		  <entry>4</entry>
 		  <entry>7</entry>
 		  <entry>CA</entry>
 		  <entry>105</entry>
 		  <entry>RTS</entry>
 		  <entry>DTE</entry>
 		  <entry>Request to Send</entry>
 		</row>
 		  
 		<row>
 		  <entry>5</entry>
 		  <entry>8</entry>
 		  <entry>CB</entry>
 		  <entry>106</entry>
 		  <entry>CTS</entry>
 		  <entry>DCE</entry>
 		  <entry>Clear to Send</entry>
 		</row>
 		  
 		<row>
 		  <entry>6</entry>
 		  <entry>6</entry>
 		  <entry>CC</entry>
 		  <entry>107</entry>
 		  <entry>DSR</entry>
 		  <entry>DCE</entry>
 		  <entry>Data Set Ready</entry>
 		</row>
 		  
 		<row>
 		  <entry>7</entry>
 		  <entry>5</entry>
 		  <entry>AV</entry>
 		  <entry>102</entry>
 		  <entry>SG/GND</entry>
 		  <entry>-</entry>
 		  <entry>Signal Ground</entry>
 		</row>
 		
 		<row>
 		  <entry>8</entry>
 		  <entry>1</entry>
 		  <entry>CF</entry>
 		  <entry>109</entry>
 		  <entry>DCD/CD</entry>
 		  <entry>DCE</entry>
 		  <entry>Data Carrier Detect</entry>
 		</row>
 		
 		<row>
 		  <entry>9</entry>
 		  <entry>-</entry>
 		  <entry>-</entry>
 		  <entry>-</entry>
 		  <entry>-</entry>
 		  <entry>-</entry>
 		  <entry>Reserved for Test</entry>
 		</row>
 		
 		<row>
 		  <entry>10</entry>
 		  <entry>-</entry>
 		  <entry>-</entry>
 		  <entry>-</entry>
 		  <entry>-</entry>
 		  <entry>-</entry>
 		  <entry>Reserved for Test</entry>
 		</row>
 		
 		<row>
 		  <entry>11</entry>
 		  <entry>-</entry>
 		  <entry>-</entry>
 		  <entry>-</entry>
 		  <entry>-</entry>
 		  <entry>-</entry>
 		  <entry>Reserved for Test</entry>
 		</row>
 		
 		<row>
 		  <entry>12</entry>
 		  <entry>-</entry>
 		  <entry>CI</entry>
 		  <entry>122</entry>
 		  <entry>SRLSD</entry>
 		  <entry>DCE</entry>
 		  <entry>Sec. Recv. Line Signal Detector</entry>
 		</row>
 		
 		<row>
 		  <entry>13</entry>
 		  <entry>-</entry>
 		  <entry>SCB</entry>
 		  <entry>121</entry>
 		  <entry>SCTS</entry>
 		  <entry>DCE</entry>
 		  <entry>Secondary Clear to Send</entry>
 		</row>
 		
 		<row>
 		  <entry>14</entry>
 		  <entry>-</entry>
 		  <entry>SBA</entry>
 		  <entry>118</entry>
 		  <entry>STD</entry>
 		  <entry>DTE</entry>
 		  <entry>Secondary Transmit Data</entry>
 		</row>
 		
 		<row>
 		  <entry>15</entry>
 		  <entry>-</entry>
 		  <entry>DB</entry>
 		  <entry>114</entry>
 		  <entry>TSET</entry>
 		  <entry>DCE</entry>
 		  <entry>Trans. Sig. Element Timing</entry>
 		</row>
 		
 		<row>
 		  <entry>16</entry>
 		  <entry>-</entry>
 		  <entry>SBB</entry>
 		  <entry>119</entry>
 		  <entry>SRD</entry>
 		  <entry>DCE</entry>
 		  <entry>Secondary Received Data</entry>
 		</row>
 		
 		<row>
 		  <entry>17</entry>
 		  <entry>-</entry>
 		  <entry>DD</entry>
 		  <entry>115</entry>
 		  <entry>RSET</entry>
 		  <entry>DCE</entry>
 		  <entry>Receiver Signal Element Timing</entry>
 		</row>
 		  
 		<row>
 		  <entry>18</entry>
 		  <entry>-</entry>
 		  <entry>-</entry>
 		  <entry>141</entry>
 		  <entry>LOOP</entry>
 		  <entry>DTE</entry>
 		  <entry>Local Loopback</entry>
 		</row>
 		
 		<row>
 		  <entry>19</entry>
 		  <entry>-</entry>
 		  <entry>SCA</entry>
 		  <entry>120</entry>
 		  <entry>SRS</entry>
 		  <entry>DTE</entry>
 		  <entry>Secondary Request to Send</entry>
 		</row>
 		
 		<row>
 		  <entry>20</entry>
 		  <entry>4</entry>
 		  <entry>CD</entry>
 		  <entry>108.2</entry>
 		  <entry>DTR</entry>
 		  <entry>DTE</entry>
 		  <entry>Data Terminal Ready</entry>
 		</row>
 		
 		<row>
 		  <entry>21</entry>
 		  <entry>-</entry>
 		  <entry>-</entry>
 		  <entry>-</entry>
 		  <entry>RDL</entry>
 		  <entry>DTE</entry>
 		  <entry>Remote Digital Loopback</entry>
 		</row>
 		
 		<row>
 		  <entry>22</entry>
 		  <entry>9</entry>
 		  <entry>CE</entry>
 		  <entry>125</entry>
 		  <entry>RI</entry>
 		  <entry>DCE</entry>
 		  <entry>Ring Indicator</entry>
 		</row>
 		
 		<row>
 		  <entry>23</entry>
 		  <entry>-</entry>
 		  <entry>CH</entry>
 		  <entry>111</entry>
 		  <entry>DSRS</entry>
 		  <entry>DTE</entry>
 		  <entry>Data Signal Rate Selector</entry>
 		</row>
 		
 		<row>
 		  <entry>24</entry>
 		  <entry>-</entry>
 		  <entry>DA</entry>
 		  <entry>113</entry>
 		  <entry>TSET</entry>
 		  <entry>DTE</entry>
 		  <entry>Trans. Sig. Element Timing</entry>
 		</row>
 		
 		<row>
 		  <entry>25</entry>
 		  <entry>-</entry>
 		  <entry>-</entry>
 		  <entry>142</entry>
 		  <entry>-</entry>
 		  <entry>DCE</entry>
 		  <entry>Test Mode</entry>
 		</row>
 	      </tbody>
 	    </tgroup>
 	  </informaltable>
 	</sect3>
       </sect2>
 
       <sect2>
 	<title>Bits, Baud and Symbols</title>
 	  
 	<para>Baud is a measurement of transmission speed in
 	  asynchronous communication.  Because of advances in modem
 	  communication technology, this term is frequently misused
 	  when describing the data rates in newer devices.</para>
 	      
 	<para>Traditionally, a Baud Rate represents the number of bits
 	  that are actually being sent over the media, not the amount
 	  of data that is actually moved from one DTE device to the
 	  other. The Baud count includes the overhead bits Start, Stop
 	  and Parity that are generated by the sending UART and
 	  removed by the receiving UART.  This means that seven-bit
 	  words of data actually take 10 bits to be completely
 	  transmitted.  Therefore, a modem capable of moving 300 bits
 	  per second from one place to another can normally only move
 	  30 7-bit words if Parity is used and one Start and Stop bit
 	  are present.</para>
 	      
 	<para>If 8-bit data words are used and Parity bits are also
 	  used, the data rate falls to 27.27 words per second, because
 	  it now takes 11 bits to send the eight-bit words, and the
 	  modem still only sends 300 bits per second.</para>
 	      
 	<para>The formula for converting bytes per second into a baud
 	  rate and vice versa was simple until error-correcting modems
 	  came along.  These modems receive the serial stream of bits
 	  from the UART in the host computer (even when internal
 	  modems are used the data is still frequently serialized) and
 	  converts the bits back into bytes.  These bytes are then
 	  combined into packets and sent over the phone line using a
 	  Synchronous transmission method.  This means that the Stop,
 	  Start, and Parity bits added by the UART in the DTE (the
 	  computer) were removed by the modem before transmission by
 	  the sending modem. When these bytes are received by the
 	  remote modem, the remote modem adds Start, Stop and Parity
 	  bits to the words, converts them to a serial format and then
 	  sends them to the receiving UART in the remote computer, who
 	  then strips the Start, Stop and Parity bits.</para>
 	      
 	<para>The reason all these extra conversions are done is so
 	  that the two modems can perform error correction, which
 	  means that the receiving modem is able to ask the sending
 	  modem to resend a block of data that was not received with
 	  the correct checksum.  This checking is handled by the
 	  modems, and the DTE devices are usually unaware that the
 	  process is occurring.</para>
 	      
 	<para>By striping the Start, Stop and Parity bits, the
 	  additional bits of data that the two modems must share
 	  between themselves to perform error-correction are mostly
 	  concealed from the effective transmission rate seen by the
 	  sending and receiving DTE equipment.  For example, if a
 	  modem sends ten 7-bit words to another modem without
 	  including the Start, Stop and Parity bits, the sending modem
 	  will be able to add 30 bits of its own information that the
 	  receiving modem can use to do error-correction without
 	  impacting the transmission speed of the real data.</para>
 	      
 	<para>The use of the term Baud is further confused by modems
 	  that perform compression.  A single 8-bit word passed over
 	  the telephone line might represent a dozen words that were
 	  transmitted to the sending modem.  The receiving modem will
 	  expand the data back to its original content and pass that
 	  data to the receiving DTE.</para>
 	      
 	<para>Modern modems also include buffers that allow the rate
 	  that bits move across the phone line (DCE to DCE) to be a
 	  different speed than the speed that the bits move between
 	  the DTE and DCE on both ends of the conversation.  Normally
 	  the speed between the DTE and DCE is higher than the DCE to
 	  DCE speed because of the use of compression by the
 	  modems.</para>
 	      
 	<para>Because the number of bits needed to describe a byte
 	  varied during the trip between the two machines plus the
 	  differing bits-per-seconds speeds that are used present on
 	  the DTE-DCE and DCE-DCE links, the usage of the term Baud to
 	  describe the overall communication speed causes problems and
 	  can misrepresent the true transmission speed.  So Bits Per
 	  Second (bps) is the correct term to use to describe the
 	  transmission rate seen at the DCE to DCE interface and Baud
 	  or Bits Per Second are acceptable terms to use when a
 	  connection is made between two systems with a wired
 	  connection, or if a modem is in use that is not performing
 	  error-correction or compression.</para>
 	      
 	<para>Modern high speed modems (2400, 9600, 14,400, and
 	  19,200bps) in reality still operate at or below 2400 baud,
 	  or more accurately, 2400 Symbols per second.  High speed
 	  modem are able to encode more bits of data into each Symbol
 	  using a technique called Constellation Stuffing, which is
 	  why the effective bits per second rate of the modem is
 	  higher, but the modem continues to operate within the
 	  limited audio bandwidth that the telephone system provides.
 	  Modems operating at 28,800 and higher speeds have variable
 	  Symbol rates, but the technique is the same.</para>
       </sect2>
 
       <sect2>
 	<title>The IBM Personal Computer UART</title>
 	  
 	<para>Starting with the original IBM Personal Computer, IBM
 	  selected the National Semiconductor INS8250 UART for use in
 	  the IBM PC Parallel/Serial Adapter.  Subsequent generations
 	  of compatible computers from IBM and other vendors continued
 	  to use the INS8250 or improved versions of the National
 	  Semiconductor UART family.</para>
 	      
 	<sect3>
 	  <title>National Semiconductor UART Family Tree</title>
 	    
 	  <para>There have been several versions and subsequent
 	    generations of the INS8250 UART.  Each major version is
 	    described below.</para>
 
 	    <!-- This should really be a graphic -->
 	  <programlisting>INS8250  -&gt; INS8250B
   \
    \
     \-&gt; INS8250A -&gt; INS82C50A
              \
               \
                \-&gt; NS16450 -&gt; NS16C450
                         \
                          \
                           \-&gt; NS16550 -&gt; NS16550A -&gt; PC16550D</programlisting>
 		
 	  <variablelist>
 	    <varlistentry>
 	      <term>INS8250</term>
 
 	      <listitem>
 		<para>This part was used in the original IBM PC and
 		  IBM PC/XT.  The original name for this part was the
 		  INS8250 ACE (Asynchronous Communications Element)
 		  and it is made from NMOS technology.</para>
 			
 		<para>The 8250 uses eight I/O ports and has a one-byte
 		  send and a one-byte receive buffer.  This original
 		  UART has several race conditions and other
 		  flaws. The original IBM BIOS includes code to work
 		  around these flaws, but this made the BIOS dependent
 		  on the flaws being present, so subsequent parts like
 		  the 8250A, 16450 or 16550 could not be used in the
 		  original IBM PC or IBM PC/XT.</para>
 	      </listitem>
 	    </varlistentry>
 	      
 	    <varlistentry>
 	      <term>INS8250-B</term>
 		
 	      <listitem>
 		<para>This is the slower speed of the INS8250 made
 		  from NMOS technology.  It contains the same problems
 		  as the original INS8250.</para>
 	      </listitem>
 	    </varlistentry>
 	      
 	    <varlistentry>
 	      <term>INS8250A</term>
 		
 	      <listitem>
 		<para>An improved version of the INS8250 using XMOS
 		  technology with various functional flaws
 		  corrected. The INS8250A was used initially in PC
 		  clone computers by vendors who used
 		  <quote>clean</quote> BIOS designs. Because of the
 		  corrections in the chip, this part could not be used
 		  with a BIOS compatible with the INS8250 or
 		  INS8250B.</para>
 	      </listitem>
 	    </varlistentry>
 	      
 	    <varlistentry>
 	      <term>INS82C50A</term>
 		
 	      <listitem>
 		<para>This is a CMOS version (low power consumption)
 		  of the INS8250A and has similar functional
 		  characteristics.</para>
 	      </listitem>
 	    </varlistentry>
 	      
 	    <varlistentry>
 	      <term>NS16450</term>
 		
 	      <listitem>
 		<para>Same as NS8250A with improvements so it can be
 		  used with faster CPU bus designs.  IBM used this
 		  part in the IBM AT and updated the IBM BIOS to no
 		  longer rely on the bugs in the INS8250.</para>
               </listitem>
 	    </varlistentry>
 	      
 	    <varlistentry>
 	      <term>NS16C450</term>
 		
 	      <listitem>
 		<para>This is a CMOS version (low power consumption)
 		  of the NS16450.</para>
               </listitem>
 	    </varlistentry>
 	      
 	    <varlistentry>
 	      <term>NS16550</term>
 		
 	      <listitem>
 		<para>Same as NS16450 with a 16-byte send and receive
 		  buffer but the buffer design was flawed and could
 		  not be reliably be used.</para>
 	      </listitem>
 	    </varlistentry>
 	      
 	    <varlistentry>
 	      <term>NS16550A</term>
 		
 	      <listitem>
 		<para>Same as NS16550 with the buffer flaws
 		  corrected. The 16550A and its successors have become
 		  the most popular UART design in the PC industry,
 		  mainly due to its ability to reliably handle higher
 		  data rates on operating systems with sluggish
 		  interrupt response times.</para>
 	      </listitem>
 	    </varlistentry>
 	      
 	    <varlistentry>
 	      <term>NS16C552</term>
 		
 	      <listitem>
 		<para>This component consists of two NS16C550A CMOS
 		  UARTs in a single package.</para>
 	      </listitem>
 	    </varlistentry>
 	      
 	    <varlistentry>
 	      <term>PC16550D</term>
 		
 	      <listitem>
 		<para>Same as NS16550A with subtle flaws
 		  corrected. This is revision D of the 16550 family
 		  and is the latest design available from National
 		  Semiconductor.</para>
 	      </listitem>
 	    </varlistentry>
 	  </variablelist>
 	</sect3>
 	  
 	<sect3>
 	  <title>The NS16550AF and the PC16550D are the same thing</title>
 		
 	  <para>National reorganized their part numbering system a few
 	    years ago, and the NS16550AFN no longer exists by that
 	    name. (If you have a NS16550AFN, look at the date code on
 	    the part, which is a four digit number that usually starts
 	    with a nine.  The first two digits of the number are the
 	    year, and the last two digits are the week in that year
 	    when the part was packaged.  If you have a NS16550AFN, it
 	    is probably a few years old.)</para>
 		
 	  <para>The new numbers are like PC16550DV, with minor
 	    differences in the suffix letters depending on the package
 	    material and its shape.  (A description of the numbering
 	    system can be found below.)</para>
 		
 	  <para>It is important to understand that in some stores, you
 	    may pay &#36;15(US) for a NS16550AFN made in 1990 and in
 	    the next bin are the new PC16550DN parts with minor fixes
 	    that National has made since the AFN part was in
 	    production, the PC16550DN was probably made in the past
 	    six months and it costs half (as low as &#36;5(US) in
 	    volume) as much as the NS16550AFN because they are readily
 	    available.</para>
 		
 	  <para>As the supply of NS16550AFN chips continues to shrink,
 	    the price will probably continue to increase until more
 	    people discover and accept that the PC16550DN really has
 	    the same function as the old part number.</para>
 	</sect3>
 	  
 	<sect3>
 	  <title>National Semiconductor Part Numbering System</title>
 	    
 	  <para>The older NS<replaceable>nnnnnrqp</replaceable> part
 	    numbers are now of the format
 	    PC<replaceable>nnnnnrgp</replaceable>.</para>
 		
 	  <para>The <replaceable>r</replaceable> is the revision
 	    field.  The current revision of the 16550 from National
 	    Semiconductor is <literal>D</literal>.</para>
 		
 	  <para>The <replaceable>p</replaceable> is the package-type
 	    field.  The types are:</para>
 	    
-	  <informaltable frame="none">
+	  <informaltable frame="none" pgwide="1">
 	    <tgroup cols="3">
 	      <tbody>
 		<row>
 		  <entry>"F"</entry>
 		  <entry>QFP</entry>
 		  <entry>(quad flat pack) L lead type</entry>
 		</row>
 		  
 		<row>
 		  <entry>"N"</entry>
 		  <entry>DIP</entry>
 		  <entry>(dual inline package) through hole straight lead
 		    type</entry>
 		</row>
 
 		<row>
 		  <entry>"V"</entry>
 		  <entry>LPCC</entry>
 		  <entry>(lead plastic chip carrier) J lead type</entry>
 		</row>
 	      </tbody>
 	    </tgroup>
 	  </informaltable>
 	    
 	  <para>The <replaceable>g</replaceable> is the product grade
 	    field.  If an <literal>I</literal> precedes the
 	    package-type letter, it indicates an
 	    <quote>industrial</quote> grade part, which has higher
 	    specs than a standard part but not as high as Military
 	    Specification (Milspec) component.  This is an optional
 	    field.</para>
 		
 	  <para>So what we used to call a NS16550AFN (DIP Package) is
 	    now called a PC16550DN or PC16550DIN.</para>
         </sect3>
       </sect2>
 
       <sect2>
 	<title>Other Vendors and Similar UARTs</title>
 	  
 	<para>Over the years, the 8250, 8250A, 16450 and 16550 have
 	  been licensed or copied by other chip vendors.  In the case
 	  of the 8250, 8250A and 16450, the exact circuit (the
 	  <quote>megacell</quote>) was licensed to many vendors,
 	  including Western Digital and Intel. Other vendors
 	  reverse-engineered the part or produced emulations that had
 	  similar behavior.</para>
 	      
 	<para>In internal modems, the modem designer will frequently
 	  emulate the 8250A/16450 with the modem microprocessor, and
 	  the emulated UART will frequently have a hidden buffer
 	  consisting of several hundred bytes.  Because of the size of
 	  the buffer, these emulations can be as reliable as a 16550A
 	  in their ability to handle high speed data.  However, most
 	  operating systems will still report that the UART is only a
 	  8250A or 16450, and may not make effective use of the extra
 	  buffering present in the emulated UART unless special
 	  drivers are used.</para>
 	      
 	<para>Some modem makers are driven by market forces to abandon
 	  a design that has hundreds of bytes of buffer and instead
 	  use a 16550A UART so that the product will compare favorably
 	  in market comparisons even though the effective performance
 	  may be lowered by this action.</para>
 	      
 	<para>A common misconception is that all parts with
 	  <quote>16550A</quote> written on them are identical in
 	  performance.  There are differences, and in some cases,
 	  outright flaws in most of these 16550A clones.</para>
 	      
 	<para>When the NS16550 was developed, the National
 	  Semiconductor obtained several patents on the design and
 	  they also limited licensing, making it harder for other
 	  vendors to provide a chip with similar features.  Because of
 	  the patents, reverse-engineered designs and emulations had
 	  to avoid infringing the claims covered by the patents.
 	  Subsequently, these copies almost never perform exactly the
 	  same as the NS16550A or PC16550D, which are the parts most
 	  computer and modem makers want to buy but are sometimes
 	  unwilling to pay the price required to get the genuine
 	  part.</para>
 	      
 	<para>Some of the differences in the clone 16550A parts are
 	  unimportant, while others can prevent the device from being
 	  used at all with a given operating system or driver.  These
 	  differences may show up when using other drivers, or when
 	  particular combinations of events occur that were not well
 	  tested or considered in the &windows; driver.  This is because
 	  most modem vendors and 16550-clone makers use the Microsoft
 	  drivers from &windows; for Workgroups 3.11 and the &microsoft;
 	  &ms-dos; utility as the primary tests for compatibility with
 	  the NS16550A.  This over-simplistic criteria means that if a
 	  different operating system is used, problems could appear
 	  due to subtle differences between the clones and genuine
 	  components.</para>
 	      
 	<para>National Semiconductor has made available a program
 	  named <application>COMTEST</application> that performs
 	  compatibility tests independent of any OS drivers.  It
 	  should be remembered that the purpose of this type of
 	  program is to demonstrate the flaws in the products of the
 	  competition, so the program will report major as well as
 	  extremely subtle differences in behavior in the part being
 	  tested.</para>
 	      
 	<para>In a series of tests performed by the author of this
 	  document in 1994, components made by National Semiconductor,
 	  TI, StarTech, and CMD as well as megacells and emulations
 	  embedded in internal modems were tested with COMTEST.  A
 	  difference count for some of these components is listed
 	  below. Because these tests were performed in 1994, they may
 	  not reflect the current performance of the given product
 	  from a vendor.</para>
 	      
 	<para>It should be noted that COMTEST normally aborts when an
 	  excessive number or certain types of problems have been
 	  detected.  As part of this testing, COMTEST was modified so
 	  that it would not abort no matter how many differences were
 	  encountered.</para>
 
-	  <informaltable frame="none">
+	  <informaltable frame="none" pgwide="1">
 	    <tgroup cols="3">
 	      <thead>
 		<row>
 		  <entry>Vendor</entry>
 		  <entry>Part Number</entry>
 		  <entry>Errors (aka "differences" reported)</entry>
 		</row>
 	      </thead>
 	      
 	      <tbody>
 		<row>
 		  <entry>National</entry>
 		  <entry>(PC16550DV)</entry>
 		  <entry>0</entry>
 		</row>
 		
 		<row>
 		  <entry>National</entry>
 		  <entry>(NS16550AFN)</entry>
 		  <entry>0</entry>
 		</row>
 		
 		<row>
 		  <entry>National</entry>
 		  <entry>(NS16C552V)</entry>
 		  <entry>0</entry>
 		</row>
 		
 		<row>
 		  <entry>TI</entry>
 		  <entry>(TL16550AFN)</entry>
 		  <entry>3</entry>
 		</row>
 		
 		<row>
 		  <entry>CMD</entry>
 		  <entry>(16C550PE)</entry>
 		  <entry>19</entry>
 		</row>
 		
 		<row>
 		  <entry>StarTech</entry>
 		  <entry>(ST16C550J)</entry>
 		  <entry>23</entry>
 		</row>
 		
 		<row>
 		  <entry>Rockwell</entry>
 		  <entry>Reference modem with internal 16550 or an
 		    emulation (RC144DPi/C3000-25)</entry>
 		  <entry>117</entry>
 		</row>
 		
 		<row>
 		  <entry>Sierra</entry>
 		  <entry>Modem with an internal 16550
 		    (SC11951/SC11351)</entry>
 		  <entry>91</entry>
 		</row>
 	      </tbody>
 	    </tgroup>
 	  </informaltable>
 	  
 	<note>
 	  <para>To date, the author of this document has not found any
 	    non-National parts that report zero differences using the
 	    COMTEST program.  It should also be noted that National
 	    has had five versions of the 16550 over the years and the
 	    newest parts behave a bit differently than the classic
 	    NS16550AFN that is considered the benchmark for
 	    functionality.  COMTEST appears to turn a blind eye to the
 	    differences within the National product line and reports
 	    no errors on the National parts (except for the original
 	    16550) even when there are official erratas that describe
 	    bugs in the A, B and C revisions of the parts, so this
 	    bias in COMTEST must be taken into account.</para>
 	</note>
 	  
 	<para>It is important to understand that a simple count of
 	  differences from COMTEST does not reveal a lot about what
 	  differences are important and which are not.  For example,
 	  about half of the differences reported in the two modems
 	  listed above that have internal UARTs were caused by the
 	  clone UARTs not supporting five- and six-bit character
 	  modes.  The real 16550, 16450, and 8250 UARTs all support
 	  these modes and COMTEST checks the functionality of these
 	  modes so over fifty differences are reported.  However,
 	  almost no modern modem supports five- or six-bit characters,
 	  particularly those with error-correction and compression
 	  capabilities.  This means that the differences related to
 	  five- and six-bit character modes can be discounted.</para>
 	      
 	<para>Many of the differences COMTEST reports have to do with
 	  timing.  In many of the clone designs, when the host reads
 	  from one port, the status bits in some other port may not
 	  update in the same amount of time (some faster, some slower)
 	  as a <emphasis>real</emphasis> NS16550AFN and COMTEST looks
 	  for these differences.  This means that the number of
 	  differences can be misleading in that one device may only
 	  have one or two differences but they are extremely serious,
 	  and some other device that updates the status registers
 	  faster or slower than the reference part (that would
 	  probably never affect the operation of a properly written
 	  driver) could have dozens of differences reported.</para>
 	      
 	<para>COMTEST can be used as a screening tool to alert the
 	  administrator to the presence of potentially incompatible
 	  components that might cause problems or have to be handled
 	  as a special case.</para>
 	      
 	<para>If you run COMTEST on a 16550 that is in a modem or a
 	  modem is attached to the serial port, you need to first
 	  issue a ATE0&amp;W command to the modem so that the modem
 	  will not echo any of the test characters.  If you forget to
 	  do this, COMTEST will report at least this one
 	  difference:</para>
 
 	<screen>Error (6)...Timeout interrupt failed: IIR = c1  LSR = 61</screen>
       </sect2>
 
       <sect2>
 	<title>8250/16450/16550 Registers</title>
 	  
 	<para>The 8250/16450/16550 UART occupies eight contiguous I/O
 	  port addresses.  In the IBM PC, there are two defined
 	  locations for these eight ports and they are known
 	  collectively as <devicename>COM1</devicename> and <devicename>COM2</devicename>.  The makers of PC-clones and
 	  add-on cards have created two additional areas known as <devicename>COM3</devicename>
 	  and <devicename>COM4</devicename>, but these extra COM ports conflict with other
 	  hardware on some systems.  The most common conflict is with
 	  video adapters that provide IBM 8514 emulation.</para>
 	      
 	<para><devicename>COM1</devicename> is located from 0x3f8 to 0x3ff and normally uses
 	  IRQ 4.  <devicename>COM2</devicename> is located from 0x2f8 to 0x2ff and normally uses
 	  IRQ 3.  <devicename>COM3</devicename> is located from 0x3e8 to 0x3ef and has no
 	  standardized IRQ.  <devicename>COM4</devicename> is located from 0x2e8 to 0x2ef and has
 	  no standardized IRQ.</para>
 	      
 	<para>A description of the I/O ports of the 8250/16450/16550
 	  UART is provided below.</para>
 
-        <informaltable frame="none">
+        <informaltable frame="none" pgwide="1">
 	  <tgroup cols="3">
 	    <thead>
 	      <row>
 		<entry>I/O Port</entry>
 		<entry>Access Allowed</entry>
 		<entry>Description</entry>
 	      </row>
 	    </thead>
 	      
 	    <tbody>
 	      <row>
 		<entry>+0x00</entry>
 		<entry>write (DLAB==0)</entry>
 		<entry><para>Transmit Holding Register
 		    (THR).</para><para>Information written to this port are
 		    treated as data words and will be transmitted by the
 		    UART.</para></entry>
 	      </row>
 		
 	      <row>
 		<entry>+0x00</entry>
 		<entry>read (DLAB==0)</entry>
 		<entry><para>Receive Buffer Register (RBR).</para><para>Any
 		    data words received by the UART form the serial link are
 		    accessed by the host by reading this
 		    port.</para></entry>
 	      </row>
 		
 	      <row>
 		<entry>+0x00</entry>
 		<entry>write/read (DLAB==1)</entry>
 		<entry><para>Divisor Latch LSB (DLL)</para><para>This value
 		      will be divided from the master input clock (in the IBM
 		      PC, the master clock is 1.8432MHz) and the resulting
 		      clock will determine the baud rate of the UART.  This
 		      register holds bits 0 thru 7 of the
 		      divisor.</para></entry>
 	      </row>
 		
 	      <row>
 		<entry>+0x01</entry>
 		<entry>write/read (DLAB==1)</entry>
 		<entry><para>Divisor Latch MSB (DLH)</para><para>This value
 		      will be divided from the master input clock (in the IBM
 		      PC, the master clock is 1.8432MHz) and the resulting
 		      clock will determine the baud rate of the UART.  This
 		      register holds bits 8 thru 15 of the
 		      divisor.</para></entry>
 	      </row>
 		
 	      <row>
 		<entry>+0x01</entry>
 		<entry>write/read (DLAB==0)</entry>
 		<entrytbl cols="2">
 		  <colspec colnum="1" colname="col1">
 		  <colspec colnum="2" colname="col2">
 		  <spanspec namest="col1" nameend="col2" spanname="1to2">
 
 		  <tbody>
 		    <row>
 			<entry spanname="1to2"><para>Interrupt Enable Register
 			    (IER)</para><para>The 8250/16450/16550 UART
 			    classifies events into one of four categories.
 			    Each category can be configured to generate an
 			    interrupt when any of the events occurs.  The
 			    8250/16450/16550 UART generates a single external
 			    interrupt signal regardless of how many events in
 			    the enabled categories have occurred.  It is up to
 			    the host processor to respond to the interrupt and
 			    then poll the enabled interrupt categories
 			    (usually all categories have interrupts enabled)
 			    to determine the true cause(s) of the
 			    interrupt.</para></entry>
 		    </row>
 		      
 		    <row>
 		      <entry>Bit 7</entry>
 		      <entry>Reserved, always 0.</entry>
 		    </row>
 		      
 		    <row>
 		      <entry>Bit 6</entry>
 		      <entry>Reserved, always 0.</entry>
 		    </row>
 		      
 		    <row>
 		      <entry>Bit 5</entry>
 		      <entry>Reserved, always 0.</entry>
 		    </row>
 		      
 		    <row>
 		      <entry>Bit 4</entry>
 		      <entry>Reserved, always 0.</entry>
 		    </row>
 		      
 		    <row>
 		      <entry>Bit 3</entry>
 		      <entry>Enable Modem Status Interrupt (EDSSI). Setting
 			this bit to "1" allows the UART to generate an
 			interrupt when a change occurs on one or more of the
 			status lines.</entry>
 		    </row>
 		     
 		    <row>
 		      <entry>Bit 2</entry>
 		      <entry>Enable Receiver Line Status Interrupt (ELSI)
 			Setting this bit to "1" causes the UART to generate
 			an interrupt when the an error (or a BREAK signal)
 			has been detected in the incoming data.</entry>
 		    </row>
 		      
 		    <row>
 		      <entry>Bit 1</entry>
 		      <entry>Enable Transmitter Holding Register Empty
 			Interrupt (ETBEI) Setting this bit to "1" causes the
 			UART to generate an interrupt when the UART has room
 			for one or more additional characters that are to be
 			transmitted.</entry>
 		    </row>
 		      
 		    <row>
 		      <entry>Bit 0</entry>
 		      <entry>Enable Received Data Available Interrupt
 			(ERBFI) Setting this bit to "1" causes the UART to
 			generate an interrupt when the UART has received
 			enough characters to exceed the trigger level of the
 			FIFO, or the FIFO timer has expired (stale data), or
 			a single character has been received when the FIFO
 			is disabled.</entry>
 		    </row>
 		  </tbody>
 		</entrytbl>
 	      </row>
 		
 	      <row>
 		<entry>+0x02</entry>
 		<entry>write</entry>
 		<entrytbl cols="4">
 		  <colspec colnum="1" colname="col1">
 		  <colspec colnum="2" colname="col2">
 		  <colspec colnum="3" colname="col3">
 		  <colspec colnum="4" colname="col4">
 		  <spanspec namest="col1" nameend="col4" spanname="1to4">
 		  <spanspec namest="col2" nameend="col4" spanname="2to4">
 		   
 		  <tbody>
 		    <row>
 		      <entry spanname="1to4">FIFO Control Register (FCR)
 			(This port does not exist on the 8250 and 16450
 			UART.)</entry>
 		    </row>
 
 		    <row>
 		      <entry>Bit 7</entry>
 		      <entry spanname="2to4">Receiver Trigger Bit #1</entry>
 		    </row>
 		      
 		    <row>
 		      <entry>Bit 6</entry>
 		      <entry spanname="2to4"><para>Receiver Trigger Bit
 			#0</para><para>These two bits control at what
 			point the receiver is to generate an interrupt
 			when the FIFO is active.</para></entry>
 		    </row>
 		      
 		    <row>
 		      <entry colname="col2">7</entry>
 		      <entry colname="col3">6</entry>
 		      <entry colname="col4">How many words are received
 			before an interrupt is generated</entry>
 		    </row>
 			  
 		    <row>
 		      <entry colname="col2">0</entry>
 		      <entry colname="col3">0</entry>
 		      <entry colname="col4">1</entry>
 		    </row>
 		      
 		    <row>
 		      <entry colname="col2">0</entry>
 		      <entry colname="col3">1</entry>
 		      <entry colname="col4">4</entry>
 		    </row>
 		      
 		    <row>
 		      <entry colname="col2">1</entry>
 		      <entry colname="col3">0</entry>
 		      <entry colname="col4">8</entry>
 		    </row>
 		      
 		    <row>
 		      <entry colname="col2">1</entry>
 		      <entry colname="col3">1</entry>
 		      <entry colname="col4">14</entry>
 		    </row>
 		      
 		    <row>
 		      <entry>Bit 5</entry>
 		      <entry spanname="2to4">Reserved, always 0.</entry>
 		    </row>
 		      
 		    <row>
 		      <entry>Bit 4</entry>
 		      <entry spanname="2to4">Reserved, always 0.</entry>
 		    </row>
 		      
 		    <row>
 		      <entry>Bit 3</entry>
 		      <entry spanname="2to4">DMA Mode Select.  If Bit 0 is
 			set to "1" (FIFOs enabled), setting this bit changes
 			the operation of the -RXRDY and -TXRDY signals from
 			Mode 0 to Mode 1.</entry>
 		    </row>
 		      
 		    <row>
 		      <entry>Bit 2</entry>
 		      <entry spanname="2to4">Transmit FIFO Reset.  When a
 			"1" is written to this bit, the contents of the FIFO
 			are discarded.  Any word currently being transmitted
 			will be sent intact.  This function is useful in
 			aborting transfers.</entry>
 		    </row>
 		      
 		    <row>
 		      <entry>Bit 1</entry>
 		      <entry spanname="2to4">Receiver FIFO Reset.  When a
 			"1" is written to this bit, the contents of the FIFO
 			are discarded.  Any word currently being assembled
 			in the shift register will be received
 			intact.</entry>
 		    </row>
 
 		    <row>
 		      <entry>Bit 0</entry>
 		      <entry spanname="2to4">16550 FIFO Enable.  When set,
 			both the transmit and receive FIFOs are enabled.
 			Any contents in the holding register, shift
 			registers or FIFOs are lost when FIFOs are enabled
 			or disabled.</entry>
 		    </row>
 		  </tbody>
 		</entrytbl>
 	      </row>
 		
 	      <row>
 		<entry>+0x02</entry>
 		<entry>read</entry>
 		<entrytbl cols="6">
 		  <colspec colnum="1" colname="col1">
 		  <colspec colnum="2" colname="col2">
 		  <colspec colnum="3" colname="col3">
 		  <colspec colnum="4" colname="col4">
 		  <colspec colnum="5" colname="col5">
 		  <colspec colnum="6" colname="col6">
 		  <spanspec namest="col1" nameend="col6" spanname="1to6">
 		  <spanspec namest="col2" nameend="col6" spanname="2to6">
 
 		  <tbody>
 		    <row>
 		      <entry spanname="1to6">Interrupt Identification
 			Register</entry>
 		    </row>
 
 		    <row>
 		      <entry>Bit 7</entry>
 		      <entry spanname="2to6">FIFOs enabled.  On the
 			8250/16450 UART, this bit is zero.</entry>
 		    </row>
 		      
 		    <row>
 		      <entry>Bit 6</entry>
 		      <entry spanname="2to6">FIFOs enabled.  On the
 			8250/16450 UART, this bit is zero.</entry>
 		    </row>
 		      
 		    <row>
 		      <entry>Bit 5</entry>
 		      <entry spanname="2to6">Reserved, always 0.</entry>
 		    </row>
 		      
 		    <row>
 		      <entry>Bit 4</entry>
 		      <entry spanname="2to6">Reserved, always 0.</entry>
 		    </row>
 		      
 		    <row>
 		      <entry>Bit 3</entry>
 		      <entry spanname="2to6">Interrupt ID Bit #2.  On the
 			8250/16450 UART, this bit is zero.</entry>
 		    </row>
 		      
 		    <row>
 		      <entry>Bit 2</entry>
 		      <entry spanname="2to6">Interrupt ID Bit #1</entry>
 		    </row>
 		      
 		    <row>
 		      <entry>Bit 1</entry>
 		      <entry spanname="2to6">Interrupt ID Bit #0.These
 			three bits combine to report the category of
 			event that caused the interrupt that is in
 			progress.  These categories have priorities,
 			so if multiple categories of events occur at
 			the same time, the UART will report the more
 			important events first and the host must
 			resolve the events in the order they are
 			reported.  All events that caused the current
 			interrupt must be resolved before any new
 			interrupts will be generated.  (This is a
 			limitation of the PC architecture.)</entry>
 		    </row>
 		      
 		    <row>
 		      <entry colname="col2">2</entry>
 		      <entry colname="col3">1</entry>
 		      <entry colname="col4">0</entry>
 		      <entry colname="col5">Priority</entry>
 		      <entry colname="col6">Description</entry>
 		    </row>
 		      
 		    <row>
 		      <entry colname="col2">0</entry>
 		      <entry colname="col3">1</entry>
 		      <entry colname="col4">1</entry>
 		      <entry colname="col5">First</entry>
 		      <entry colname="col6">Received Error (OE, PE, BI, or
 			FE)</entry>
 		    </row>
 		      
 		    <row>
 		      <entry colname="col2">0</entry>
 		      <entry colname="col3">1</entry>
 		      <entry colname="col4">0</entry>
 		      <entry colname="col5">Second</entry>
 		      <entry colname="col6">Received Data Available</entry>
 		    </row>
 		      
 		    <row>
 		      <entry colname="col2">1</entry>
 		      <entry colname="col3">1</entry>
 		      <entry colname="col4">0</entry>
 		      <entry colname="col5">Second</entry>
 		      <entry colname="col6">Trigger level identification
 			(Stale data in receive buffer)</entry>
 		    </row>
 		      
 		    <row>
 		      <entry colname="col2">0</entry>
 		      <entry colname="col3">0</entry>
 		      <entry colname="col4">1</entry>
 		      <entry colname="col5">Third</entry>
 		      <entry colname="col6">Transmitter has room for more
 			words (THRE)</entry>
 		    </row>
 		      
 		    <row>
 		      <entry colname="col2">0</entry>
 		      <entry colname="col3">0</entry>
 		      <entry colname="col4">0</entry>
 		      <entry colname="col5">Fourth</entry>
 		      <entry colname="col6">Modem Status Change (-CTS, -DSR,
 			-RI, or -DCD)</entry>
 		    </row>
 		      
 		    <row>
 		      <entry>Bit 0</entry>
 		      <entry spanname="2to6">Interrupt Pending Bit.  If this
 			bit is set to "0", then at least one interrupt is
 			pending.</entry>
 		    </row>
 		  </tbody>
 		</entrytbl>
 	        </row>
 		
 		<row>
 		  <entry>+0x03</entry>
 		  <entry>write/read</entry>
 		  <entrytbl cols="5">
 		    <colspec colnum="1" colname="col1">
 		    <colspec colnum="2" colname="col2">
 		    <colspec colnum="3" colname="col3">
 		    <colspec colnum="4" colname="col4">
 		    <colspec colnum="5" colname="col5">
 		    <spanspec namest="col1" nameend="col5" spanname="1to5">
 		    <spanspec namest="col2" nameend="col5" spanname="2to5">
 		    <spanspec namest="col4" nameend="col5" spanname="4to5">
 
 		    <tbody>
 		      <row>
 			<entry spanname="1to5">Line Control Register
 			  (LCR)</entry>
 		      </row>
 		      
 		      <row>
 			<entry>Bit 7</entry>
 			<entry spanname="2to5">Divisor Latch Access Bit
 			  (DLAB).  When set, access to the data
 			  transmit/receive register (THR/RBR) and the
 			  Interrupt Enable Register (IER) is disabled.  Any
 			  access to these ports is now redirected to the
 			  Divisor Latch Registers.  Setting this bit, loading
 			  the Divisor Registers, and clearing DLAB should be
 			  done with interrupts disabled.</entry>
 		      </row>
 		      
 		      <row>
 			<entry>Bit 6</entry>
 			<entry spanname="2to5">Set Break.  When set to "1",
 			  the transmitter begins to transmit continuous
 			  Spacing until this bit is set to "0".  This
 			  overrides any bits of characters that are being
 			  transmitted.</entry>
 		      </row>
 		      
 		      <row>
 			<entry>Bit 5</entry>
 			<entry spanname="2to5">Stick Parity.  When parity is
 			  enabled, setting this bit causes parity to always be
 			  "1" or "0", based on the value of Bit 4.</entry>
 		      </row>
 		      
 		      <row>
 			<entry>Bit 4</entry>
 			<entry spanname="2to5">Even Parity Select (EPS). When
 			  parity is enabled and Bit 5 is "0", setting this bit
 			  causes even parity to be transmitted and expected.
 			  Otherwise, odd parity is used.</entry>
 		      </row>
 		      
 		      <row>
 			<entry>Bit 3</entry>
 			<entry spanname="2to5">Parity Enable (PEN).  When set
 			  to "1", a parity bit is inserted between the last
 			  bit of the data and the Stop Bit.  The UART will
 			  also expect parity to be present in the received
 			  data.</entry>
 		      </row>
 		      
 		      <row>
 			<entry>Bit 2</entry>
 			<entry spanname="2to5">Number of Stop Bits (STB). If
 			  set to "1" and using 5-bit data words, 1.5 Stop Bits
 			  are transmitted and expected in each data word.  For
 			  6, 7 and 8-bit data words, 2 Stop Bits are
 			  transmitted and expected.  When this bit is set to
 			  "0", one Stop Bit is used on each data word.</entry>
 		      </row>
 		      
 		      <row>
 			<entry>Bit 1</entry>
 			<entry spanname="2to5">Word Length Select Bit #1
 			  (WLSB1)</entry>
 		      </row>
 		      
 		      <row>
 			<entry>Bit 0</entry>
 			<entry spanname="2to5">Word Length Select Bit #0
 			  (WLSB0)</entry>
 		      </row>
 		      
 		      <row>
 			<entry colname="col2" spanname="2to5">Together these
 			  bits specify the number of bits in each data
 			  word.</entry>
 		      </row>
 		      
 		      <row>
 			<entry colname="col2">1</entry>
 			<entry colname="col3">0</entry>
 			<entry colname="col4" spanname="4to5">Word
 			  Length</entry>
 		      </row>
 		      
 		      <row>
 			<entry colname="col2">0</entry>
 			<entry colname="col3">0</entry>
 			<entry colname="col4" spanname="4to5">5 Data
 			  Bits</entry>
 		      </row>
 		      
 		      <row>
 			<entry colname="col2">0</entry>
 			<entry colname="col3">1</entry>
 			<entry colname="col4" spanname="4to5">6 Data
 			  Bits</entry>
 		      </row>
 		      
 		      <row>
 			<entry colname="col2">1</entry>
 			<entry colname="col3">0</entry>
 			<entry colname="col4" spanname="4to5">7 Data
 			  Bits</entry>
 		      </row>
 		      
 		      <row>
 			<entry colname="col2">1</entry>
 			<entry colname="col3">1</entry>
 			<entry colname="col4" spanname="4to5">8 Data
 			  Bits</entry>
 		      </row>
 		    </tbody>
 		  </entrytbl>
 		</row>
 		
 		<row>
 		  <entry>+0x04</entry>
 		  <entry>write/read</entry>
 		  <entrytbl cols="2">
 		    <colspec colnum="1" colname="col1">
 		    <colspec colnum="2" colname="col2">
 		    <spanspec namest="col1" nameend="col2" spanname="1to2">
 
 		    <tbody>
 		      <row>
 			<entry spanname="1to2">Modem Control Register
 			  (MCR)</entry>
 		      </row>
 		      
 		      <row>
 			<entry>Bit 7</entry>
 			<entry>Reserved, always 0.</entry>
 		      </row>
 		      
 		      <row>
 			<entry>Bit 6</entry>
 			<entry>Reserved, always 0.</entry>
 		      </row>
 		      
 		      <row>
 			<entry>Bit 5</entry>
 			<entry>Reserved, always 0.</entry>
 			  </row>
 		      
 		      <row>
 			<entry>Bit 4</entry>
 			<entry>Loop-Back Enable.  When set to "1", the UART
 			  transmitter and receiver are internally connected
 			  together to allow diagnostic operations.  In
 			  addition, the UART modem control outputs are
 			  connected to the UART modem  control inputs.  CTS is
 			  connected to RTS, DTR is connected to DSR, OUT1 is
 			  connected to RI, and OUT 2 is connected to
 			  DCD.</entry>
 		      </row>
 		      
 		      <row>
 			<entry>Bit 3</entry>
 			<entry>OUT 2.  An auxiliary output that the host
 			  processor may set high or low.  In the IBM PC serial
 			  adapter (and most clones), OUT 2 is used to
 			  tri-state (disable) the interrupt signal from the
 			  8250/16450/16550 UART.</entry>
 		      </row>
 		      
 		      <row>
 			<entry>Bit 2</entry>
 			<entry>OUT 1.  An auxiliary output that the host
 			  processor may set high or low.  This output is not
 			  used on the IBM PC serial adapter.</entry>
 		      </row>
 		      
 		      <row>
 			<entry>Bit 1</entry>
 			<entry>Request to Send (RTS).  When set to "1", the
 			  output of the UART -RTS line is Low
 			  (Active).</entry>
 		      </row>
 		      
 		      <row>
 			<entry>Bit 0</entry>
 			<entry>Data Terminal Ready (DTR).  When set to "1",
 			  the output of the UART -DTR line is Low
 			  (Active).</entry>
 		      </row>
 		    </tbody>
 		  </entrytbl>
 		</row>
 		
 		<row>
 		  <entry>+0x05</entry>
 		  <entry>write/read</entry>
 		  <entrytbl cols="2">
 		    <colspec colnum="1" colname="col1">
 		    <colspec colnum="2" colname="col2">
 		    <spanspec namest="col1" nameend="col2" spanname="1to2">
 
 		    <tbody>
 		      <row>
 			<entry spanname="1to2">Line Status Register
 			  (LSR)</entry>
 		      </row>
 		      
 		      <row>
 			<entry>Bit 7</entry>
 			<entry>Error in Receiver FIFO.  On the 8250/16450
 			  UART, this bit is zero.  This bit is set to "1" when
 			  any of the bytes in the FIFO have one or more of the
 			  following error conditions: PE, FE, or BI.</entry>
 		      </row>
 		      
 		      <row>
 			<entry>Bit 6</entry>
 			<entry>Transmitter Empty (TEMT).  When set to "1",
 			  there are no words  remaining in the transmit FIFO
 			  or the transmit shift register.  The transmitter is
 			  completely idle.</entry>
 		      </row>
 		      
 		      <row>
 			<entry>Bit 5</entry>
 			<entry>Transmitter Holding Register Empty (THRE).
 			  When set to "1", the FIFO (or holding register) now
 			  has room for at least one additional word to
 			  transmit.  The transmitter may still be transmitting
 			  when this bit is set to "1".</entry>
 		      </row>
 		      
 		      <row>
 			<entry>Bit 4</entry>
 			<entry>Break Interrupt (BI).  The receiver has
 			  detected a Break signal.</entry>
 		      </row>
 		      
 		      <row>
 			<entry>Bit 3</entry>
 			<entry>Framing Error (FE).  A Start Bit was detected
 			  but the Stop Bit did not appear at the expected
 			  time.  The received word is probably
 			  garbled.</entry>
 		      </row>
 		      
 		      <row>
 			<entry>Bit 2</entry>
 			<entry>Parity Error (PE).  The parity bit was
 			  incorrect for the word received.</entry>
 		      </row>
 		      
 		      <row>
 			<entry>Bit 1</entry>
 			<entry>Overrun Error (OE).  A new word was received
 			  and there was no room in the receive buffer.  The
 			  newly-arrived word in the shift register is
 			  discarded.  On 8250/16450 UARTs, the word in the
 			  holding register is discarded and the newly- arrived
 			  word is put in the holding register.</entry>
 		      </row>
 		      
 		      <row>
 			<entry>Bit 0</entry>
 			<entry>Data Ready (DR) One or more words are in the
 			  receive FIFO that the host may read.  A word must be
 			  completely received and moved from the shift
 			  register into the FIFO (or holding register for
 			  8250/16450 designs) before this bit is set.</entry>
 		      </row>
 		    </tbody>
 		  </entrytbl>
 		</row>
 		
 		<row>
 		  <entry>+0x06</entry>
 		  <entry>write/read</entry>
 		  <entrytbl cols="2">
 		    <colspec colnum="1" colname="col1">
 		    <colspec colnum="2" colname="col2">
 		    <spanspec namest="col1" nameend="col2" spanname="1to2">
 
 		    <tbody>
 		      <row>
 			<entry spanname="1to2">Modem Status Register
 			  (MSR)</entry>
 		      </row>
 		      
 		      <row>
 			<entry>Bit 7</entry>
 			<entry>Data Carrier Detect (DCD).  Reflects the state
 			  of the DCD line on the UART.</entry>
 		      </row>
 		      
 		      <row>
 			<entry>Bit 6</entry>
 			<entry>Ring Indicator (RI).  Reflects the state of the
 			  RI line on the UART.</entry>
 		      </row>
 		      
 		      <row>
 			<entry>Bit 5</entry>
 			<entry>Data Set Ready (DSR).  Reflects the state of
 			  the DSR line on the UART.</entry>
 		      </row>
 		      
 		      <row>
 			<entry>Bit 4</entry>
 			<entry>Clear To Send (CTS).  Reflects the state of the
 			  CTS line on the UART.</entry>
 		      </row>
 		      
 		      <row>
 			<entry>Bit 3</entry>
 			<entry>Delta Data Carrier Detect (DDCD).  Set to "1"
 			  if the -DCD line has changed state one more
 			  time since the last time the MSR was read by the
 			  host.</entry>
 		      </row>
 		      
 		      <row>
 			<entry>Bit 2</entry>
 			<entry>Trailing Edge Ring Indicator (TERI).  Set to
 			  "1" if the -RI line has had a low to high transition
 			  since the last time the MSR was read by the
 			  host.</entry>
 		      </row>
 		      
 		      <row>
 			<entry>Bit 1</entry>
 			<entry>Delta Data Set Ready (DDSR).  Set to "1" if the
 			  -DSR line has changed state one more time
 			  since the last time the MSR was read by the
 			  host.</entry>
 		      </row>
 		      
 		      <row>
 			<entry>Bit 0</entry>
 			<entry>Delta Clear To Send (DCTS).  Set to "1" if the
 			  -CTS line has changed state one more time
 			  since the last time the MSR was read by the
 			  host.</entry>
 		      </row>
 		    </tbody>
 		  </entrytbl>
 		</row>
 		
 		<row>
 		  <entry>+0x07</entry>
 		  <entry>write/read</entry>
 		  <entry>Scratch Register (SCR).  This register performs no
 		    function in the UART.  Any value can be written by the
 		    host to this location and read by the host later
 		    on.</entry>
 		</row>
 	      </tbody>
 	    </tgroup>
 	  </informaltable>
       </sect2>
 
       <sect2>
 	<title>Beyond the 16550A UART</title>
 	  
 	<para>Although National Semiconductor has not offered any
 	  components compatible with the 16550 that provide additional
 	  features, various other vendors have.  Some of these
 	  components are described below.  It should be understood
 	  that to effectively utilize these improvements, drivers may
 	  have to be provided by the chip vendor since most of the
 	  popular operating systems do not support features beyond
 	  those provided by the 16550.</para>
 	      
 	  <variablelist>
 	    <varlistentry>
 	      <term>ST16650</term>
 
 	      <listitem>
 		<para>By default this part is similar to the NS16550A, but an
 		  extended 32-byte send and receive buffer can be optionally
 		  enabled.  Made by StarTech.</para>
 	      </listitem>
 	    </varlistentry>
 	    
 	    <varlistentry>
 	      <term>TIL16660</term>
 	      
 	      <listitem>
 		<para>By default this part behaves similar to the NS16550A,
 		  but an extended 64-byte send and receive buffer can be
 		  optionally enabled.  Made by Texas Instruments.</para>
 	      </listitem>
 	    </varlistentry>
 	    
 	    <varlistentry>
 	      <term>Hayes ESP</term>
 	      
 	      <listitem>
 		<para>This proprietary plug-in card contains a 2048-byte send
 		  and receive buffer, and supports data rates to
 		  230.4Kbit/sec.  Made by Hayes.</para>
 	      </listitem>
 	    </varlistentry>
 	  </variablelist>
 	  
 	  <para>In addition to these <quote>dumb</quote> UARTs, many vendors
 	    produce intelligent serial communication boards.  This type of
 	    design usually provides a microprocessor that interfaces with
 	    several UARTs, processes and buffers the data, and then alerts the
 	    main PC processor when necessary.  Because the UARTs are not
 	    directly accessed by the PC processor in this type of
 	    communication system, it is not necessary for the vendor to use
 	    UARTs that are compatible with the 8250, 16450, or the 16550 UART.
 	    This leaves the designer free to components that may have better
 	    performance characteristics.</para>
       </sect2>
     </sect1>
       
     <sect1 id="sio">
       <title>Configuring the <devicename>sio</devicename> driver</title>
 	    
       <para>The <devicename>sio</devicename> driver provides support
 	for NS8250-, NS16450-, NS16550 and NS16550A-based EIA RS-232C
 	(CCITT V.24) communications interfaces.  Several multiport
 	cards are supported as well.  See the &man.sio.4; manual page
 	for detailed technical documentation.</para>
 	    
       <sect2>
 	<title>Digi International (DigiBoard) PC/8</title>
 	  
 	<para><emphasis>Contributed by &a.awebster;.  26 August
 	  1995.</emphasis></para>
 	      
         <para>Here is a config snippet from a machine with a Digi
 	  International PC/8 with 16550.  It has 8 modems connected to
 	  these 8 lines, and they work just great.  Do not forget to
 	  add <literal>options COM_MULTIPORT</literal> or it will not
 	  work very well!</para>
 	      
 	<programlisting>device          sio4    at isa? port 0x100 flags 0xb05
 device          sio5    at isa? port 0x108 flags 0xb05
 device          sio6    at isa? port 0x110 flags 0xb05
 device          sio7    at isa? port 0x118 flags 0xb05
 device          sio8    at isa? port 0x120 flags 0xb05
 device          sio9    at isa? port 0x128 flags 0xb05
 device          sio10   at isa? port 0x130 flags 0xb05
 device          sio11   at isa? port 0x138 flags 0xb05 irq 9</programlisting>
 	      
 	<para>The trick in setting this up is that the MSB of the
 	  flags represent the last SIO port, in this case 11 so flags
 	  are 0xb05.</para>
       </sect2>
 
       <sect2>
 	<title>Boca 16</title>
 	  
 	<para><emphasis>Contributed by &a.whiteside;.  26 August
 	  1995.</emphasis></para>
 	  
 	<para>The procedures to make a Boca 16 port board with FreeBSD
 	  are pretty straightforward, but you will need a couple
 	  things to make it work:</para>
 	  
 	<orderedlist>
 	  <listitem>
 	    <para>You either need the kernel sources installed so you
 		can recompile the necessary options or you will need
 		someone else to compile it for you.  The 2.0.5 default
 		kernel does <emphasis>not</emphasis> come with
 		multiport support enabled and you will need to add a
 		device entry for each port anyways.</para>
 	  </listitem>
 	    
 	  <listitem>
 	    <para>Two, you will need to know the interrupt and IO
 	      setting for your Boca Board so you can set these options
 	      properly in the kernel.</para>
 	  </listitem>
 	</orderedlist>
 	  
 	<para>One important note &mdash; the actual UART chips for the
 	  Boca 16 are in the connector box, not on the internal board
 	  itself.  So if you have it unplugged, probes of those ports
 	  will fail.  I have never tested booting with the box
 	  unplugged and plugging it back in, and I suggest you do not
 	  either.</para>
 	      
         <para>If you do not already have a custom kernel
 	  configuration file set up, refer to <ulink
 	  url="&url.books.handbook;/kernelconfig.html">Kernel
 	  Configuration</ulink> chapter of the FreeBSD Handbook for
 	  general procedures.  The following are the specifics for the
 	  Boca 16 board and assume you are using the kernel name
 	  MYKERNEL and editing with vi.</para>
 	      
 	<procedure>
 	  <step>
 	    <para>Add the line 
 		
 	      <programlisting>options COM_MULTIPORT</programlisting>
 
 	      to the config file.</para>
 	  </step>
 	    
 	  <step>
 	    <para>Where the current <literal>device
 	      sio<replaceable>n</replaceable></literal> lines are, you
 	      will need to add 16 more devices.  The
 	      following example is for a Boca Board with an interrupt
 	      of 3, and a base IO address 100h.  The IO address for
 	      Each port is +8 hexadecimal from the previous port, thus
 	      the 100h, 108h, 110h...  addresses.</para>
 
 	    <programlisting>device sio1 at isa? port 0x100 flags 0x1005
 device sio2 at isa? port 0x108 flags 0x1005
 device sio3 at isa? port 0x110 flags 0x1005
 device sio4 at isa? port 0x118 flags 0x1005
 &hellip;
 device sio15 at isa? port 0x170 flags 0x1005
 device sio16 at isa? port 0x178 flags 0x1005 irq 3</programlisting>
 
 	    <para>The flags entry <emphasis>must</emphasis> be changed
 	      from this example unless you are using the exact same
 	      sio assignments. Flags are set according to
 	      0x<replaceable>M</replaceable><replaceable>YY</replaceable>
 	      where <replaceable>M</replaceable> indicates the minor
 	      number of the master port (the last port on a Boca 16)
 	      and <replaceable>YY</replaceable> indicates if FIFO is
 	      enabled or disabled(enabled), IRQ sharing is used(yes)
 	      and if there is an AST/4 compatible IRQ control
 	      register(no).  In this example, <programlisting> flags
 	      0x1005</programlisting> indicates that the master port
 	      is sio16.  If I added another board and assigned sio17
 	      through sio28, the flags for all 16 ports on
 	      <emphasis>that</emphasis> board would be 0x1C05, where
 	      1C indicates the minor number of the master port.  Do
 	      not change the 05 setting.</para>
 	  </step>
 		  
 	  <step>
 	    <para>Save and complete the kernel configuration,
 	      recompile, install and reboot.  Presuming you have
 	      successfully installed the recompiled kernel and have it
 	      set to the correct address and IRQ, your boot message
 	      should indicate the successful probe of the Boca ports
 	      as follows: (obviously the sio numbers, IO and IRQ could
 	      be different)</para>
 		    		    
 	    <screen>sio1 at 0x100-0x107 flags 0x1005 on isa
 sio1: type 16550A (multiport)
 sio2 at 0x108-0x10f flags 0x1005 on isa
 sio2: type 16550A (multiport)
 sio3 at 0x110-0x117 flags 0x1005 on isa
 sio3: type 16550A (multiport)
 sio4 at 0x118-0x11f flags 0x1005 on isa
 sio4: type 16550A (multiport)
 sio5 at 0x120-0x127 flags 0x1005 on isa
 sio5: type 16550A (multiport)
 sio6 at 0x128-0x12f flags 0x1005 on isa
 sio6: type 16550A (multiport)
 sio7 at 0x130-0x137 flags 0x1005 on isa
 sio7: type 16550A (multiport)
 sio8 at 0x138-0x13f flags 0x1005 on isa
 sio8: type 16550A (multiport)
 sio9 at 0x140-0x147 flags 0x1005 on isa
 sio9: type 16550A (multiport)
 sio10 at 0x148-0x14f flags 0x1005 on isa
 sio10: type 16550A (multiport)
 sio11 at 0x150-0x157 flags 0x1005 on isa
 sio11: type 16550A (multiport)
 sio12 at 0x158-0x15f flags 0x1005 on isa
 sio12: type 16550A (multiport)
 sio13 at 0x160-0x167 flags 0x1005 on isa
 sio13: type 16550A (multiport)
 sio14 at 0x168-0x16f flags 0x1005 on isa
 sio14: type 16550A (multiport)
 sio15 at 0x170-0x177 flags 0x1005 on isa
 sio15: type 16550A (multiport)
 sio16 at 0x178-0x17f irq 3 flags 0x1005 on isa
 sio16: type 16550A (multiport master)</screen>
 
 	    <para>If the messages go by too fast to see,
 
 	    <screen>&prompt.root; <userinput>dmesg | more</userinput></screen>
 	      will show you the boot messages.</para>
 	  </step>
 	    
 	  <step>
 	    <para>Next, appropriate entries in
 	      <filename>/dev</filename> for the devices must be made
 	      using the <filename>/dev/MAKEDEV</filename>
 	      script.  This step can be omitted if you are running
 	      FreeBSD&nbsp;5.X with a kernel that has &man.devfs.5;
 	      support compiled in.</para>
 	      
 	    <para>If you do need to create the <filename>/dev</filename>
 	      entries, run the following as <username>root</username>:</para>
 	      
 	    <screen>&prompt.root; <userinput>cd /dev</userinput>
 &prompt.root; <userinput>./MAKEDEV tty1</userinput>
 &prompt.root; <userinput>./MAKEDEV cua1</userinput>
 <emphasis>(everything in between)</emphasis>
 &prompt.root; <userinput>./MAKEDEV ttyg</userinput>
 &prompt.root; <userinput>./MAKEDEV cuag</userinput></screen>
 		      
 	    <para>If you do not want or need call-out devices for some
 	      reason, you can dispense with making the
 	      <filename>cua*</filename> devices.</para>
 	  </step>
 	    
 	  <step>
 	    <para>If you want a quick and sloppy way to make sure the
 	      devices are working, you can simply plug a modem into
 	      each port and (as root)
 		    
             <screen>&prompt.root; <userinput>echo at &gt; ttyd*</userinput></screen>
 	      for each device you have made.  You
 	      <emphasis>should</emphasis> see the RX lights flash for each
 	      working port.</para>
 	  </step>
 	</procedure>
       </sect2>
 
       <sect2>
 	<title>Support for Cheap Multi-UART Cards</title>
 
 	<para><emphasis>Contributed by Helge Oldach
 	  <email>hmo@sep.hamburg.com</email>, September
 	  1999</emphasis></para>
 	  
 	<para>Ever wondered about FreeBSD support for your 20$
 	  multi-I/O card with two (or more) COM ports, sharing IRQs?
 	  Here is how:</para>
 	  
 	<para>Usually the only option to support these kind of boards
 	  is to use a distinct IRQ for each port.  For example, if
 	  your CPU board has an on-board <devicename>COM1</devicename>
 	  port (aka <devicename>sio0</devicename>&ndash;I/O address
 	  0x3F8 and IRQ 4) and you have an extension board with two
 	  UARTs, you will commonly need to configure them as
 	  <devicename>COM2</devicename> (aka
 	  <devicename>sio1</devicename>&ndash;I/O address 0x2F8 and
 	  IRQ 3), and the third port (aka
 	  <devicename>sio2</devicename>) as I/O 0x3E8 and IRQ 5.
 	  Obviously this is a waste of IRQ resources, as it should be
 	  basically possible to run both extension board ports using a
 	  single IRQ with the <literal>COM_MULTIPORT</literal>
 	  configuration described in the previous sections.</para>
 	  
 	<para>Such cheap I/O boards commonly have a 4 by 3 jumper
 	  matrix for the COM ports, similar to the following:</para>
 
 <programlisting>            o  o  o  *
 Port A               |
             o  *  o  *
 Port B         |
             o  *  o  o
 IRQ         2  3  4  5</programlisting>
 
 	<para>Shown here is port A wired for IRQ 5 and port B wired
 	  for IRQ 3.  The IRQ columns on your specific board may
 	  vary&mdash;other boards may supply jumpers for IRQs 3, 4, 5,
 	  and 7 instead.</para>
 
 	<para>One could conclude that wiring both ports for IRQ 3
 	  using a handcrafted wire-made jumper covering all three
 	  connection points in the IRQ 3 column would solve the issue,
 	  but no.  You cannot duplicate IRQ 3 because the output
 	  drivers of each UART are wired in a <quote>totem
 	  pole</quote> fashion, so if one of the UARTs drives IRQ 3,
 	  the output signal will not be what you would expect.
 	  Depending on the implementation of the extension board or
 	  your motherboard, the IRQ 3 line will continuously stay up,
 	  or always stay low.</para>
 
 	<para>You need to decouple the IRQ drivers for the two UARTs,
 	  so that the IRQ line of the board only goes up if (and only
 	  if) one of the UARTs asserts a IRQ, and stays low otherwise.
 	  The solution was proposed by Joerg Wunsch
 	  <email>j@ida.interface-business.de</email>: To solder up a
 	  wired-or consisting of two diodes (Germanium or
 	  Schottky-types strongly preferred) and a 1 kOhm resistor.
 	  Here is the schematic, starting from the 4 by 3 jumper field
 	  above:</para>
 
 <programlisting>                          Diode
                 +---------->|-------+
                /                    |
             o  *  o  o              |     1 kOhm
 Port A                              +----|######|-------+
             o  *  o  o              |                   |
 Port B          `-------------------+                 ==+==
             o  *  o  o              |                 Ground
                 \                   |
                  +--------->|-------+
 IRQ         2  3  4  5    Diode</programlisting>
 
 	<para>The cathodes of the diodes are connected to a common
 	  point, together with a 1 kOhm pull-down resistor.  It is
 	  essential to connect the resistor to ground to avoid
 	  floating of the IRQ line on the bus.</para>
 
 	<para>Now we are ready to configure a kernel.  Staying with
 	  this example, we would configure:</para>
 
 	<programlisting># standard on-board COM1 port
 device          sio0    at isa? port "IO_COM1" flags 0x10
 # patched-up multi-I/O extension board
 options         COM_MULTIPORT
 device          sio1    at isa? port "IO_COM2" flags 0x205
 device          sio2    at isa? port "IO_COM3" flags 0x205 irq 3</programlisting>
 
 	<para>Note that the <literal>flags</literal> setting for
 	  <devicename>sio1</devicename> and
 	  <devicename>sio2</devicename> is truly essential; refer to
 	  &man.sio.4; for details. (Generally, the
 	  <literal>2</literal> in the "flags" attribute refers to
 	  <devicename>sio</devicename>2 which holds the IRQ, and you
 	  surely want a <literal>5</literal> low nibble.)  With kernel
 	  verbose mode turned on this should yield something similar
 	  to this:</para>
 
 	<screen>sio0: irq maps: 0x1 0x11 0x1 0x1
 sio0 at 0x3f8-0x3ff irq 4 flags 0x10 on isa
 sio0: type 16550A
 sio1: irq maps: 0x1 0x9 0x1 0x1
 sio1 at 0x2f8-0x2ff flags 0x205 on isa
 sio1: type 16550A (multiport)
 sio2: irq maps: 0x1 0x9 0x1 0x1
 sio2 at 0x3e8-0x3ef irq 3 flags 0x205 on isa
 sio2: type 16550A (multiport master)</screen>
 
 	<para>Though <filename>/sys/i386/isa/sio.c</filename> is
 	  somewhat cryptic with its use of the <quote>irq maps</quote>
 	  array above, the basic idea is that you observe
 	  <literal>0x1</literal> in the first, third, and fourth
 	  place.  This means that the corresponding IRQ was set upon
 	  output and cleared after, which is just what we would
 	  expect. If your kernel does not display this behavior, most
 	  likely there is something wrong with your wiring.</para>
       </sect2>
     </sect1>
       
     <sect1 id="cy">
       <title>Configuring the <devicename>cy</devicename> driver</title>
 	    
       <para><emphasis>Contributed by Alex Nash.  6 June
         1996.</emphasis></para>
 	    
       <para>The Cyclades multiport cards are based on the
 	<devicename>cy</devicename> driver instead of the usual
 	<devicename>sio</devicename> driver used by other multiport
 	cards.  Configuration is a simple matter of:</para>
 
 	<procedure>
 	  <step>
 	    <para>Add the <devicename>cy</devicename> device to your
 	      kernel configuration (note that your irq and iomem
 	      settings may differ).</para>
 		    
 	    <programlisting>device cy0 at isa? irq 10 iomem 0xd4000 iosiz 0x2000</programlisting>
 	  </step>
 		
 	  <step>
 	    <para>Rebuild and install the new kernel.</para>
 	  </step>
 	  
 	  <step>
 	    <para>Make the device nodes by typing (the following
 	      example assumes an 8-port board)<footnote>
 	        <para>You can omit this part if you are running FreeBSD&nbsp;5.X
 		  with &man.devfs.5;.</para>
 	      </footnote>:</para>
 		  
 	    <screen>&prompt.root; <userinput>cd /dev</userinput>
 &prompt.root; <userinput>for i in 0 1 2 3 4 5 6 7;do ./MAKEDEV cuac$i ttyc$i;done</userinput></screen>
 	  </step>
 	  
 	  <step>
 	    <para>If appropriate, add dialup entries to
 	      <filename>/etc/ttys</filename> by duplicating serial
 	      device (<literal>ttyd</literal>) entries and using
 	      <literal>ttyc</literal> in place of
 	      <literal>ttyd</literal>.  For example:</para>
 	    
 	    <programlisting>ttyc0   "/usr/libexec/getty std.38400"  unknown on insecure
 ttyc1   "/usr/libexec/getty std.38400"  unknown on insecure
 ttyc2   "/usr/libexec/getty std.38400"  unknown on insecure
 &hellip;
 ttyc7   "/usr/libexec/getty std.38400"  unknown on insecure</programlisting>
 	  </step>
 		
 	  <step>
 	    <para>Reboot with the new kernel.</para>
 	  </step>
 	</procedure>
     </sect1>
 
     <sect1>
       <title>Configuring the <devicename>si</devicename> driver</title>
 
       <para><emphasis>Contributed by &a.nsayer;. 25 March
 	1998.</emphasis></para>
      
       <para>The Specialix SI/XIO and SX multiport cards use the
 	<devicename>si</devicename> driver. A single machine can have
 	up to 4 host cards. The following host cards are
 	supported:</para>
 
 	<itemizedlist>
 	  <listitem><para>ISA SI/XIO host card (2 versions)</para></listitem>
 	  <listitem><para>EISA SI/XIO host card</para></listitem>
 	  <listitem><para>PCI SI/XIO host card</para></listitem>
 	  <listitem><para>ISA SX host card</para></listitem>
 	  <listitem><para>PCI SX host card</para></listitem>
 	</itemizedlist>
 
       <para>Although the SX and SI/XIO host cards look markedly
 	different, their functionality are basically the same. The
 	host cards do not use I/O locations, but instead require a 32K
 	chunk of memory. The factory configuration for ISA cards
 	places this at <literal>0xd0000-0xd7fff</literal>.  They also
 	require an IRQ. PCI cards will, of course, auto-configure
 	themselves.</para>
 
       <para>You can attach up to 4 external modules to each host
 	card. The external modules contain either 4 or 8 serial
 	ports. They come in the following varieties:</para>
 
 	<itemizedlist>
 	  <listitem><para>SI 4 or 8 port modules. Up to 57600 bps on each port
 	      supported.</para></listitem>
 	  
 	  <listitem><para>XIO 8 port modules. Up to 115200 bps on each port
 	      supported. One type of XIO module has 7 serial and 1 parallel
 	      port.</para></listitem>
 	  
 	  <listitem><para>SXDC 8 port modules. Up to 921600 bps on each port
 	      supported. Like XIO, a module is available with one parallel
 	      port as well.</para></listitem>
 	</itemizedlist>
 
       <para>To configure an ISA host card, add the following line to
 	your kernel configuration file, changing the numbers as
 	appropriate:</para>
      
       <programlisting>device si0 at isa? iomem 0xd0000 irq 11</programlisting>
 
       <para>Valid IRQ numbers are 9, 10, 11, 12 and 15 for SX ISA host
 	cards and 11, 12 and 15 for SI/XIO ISA host cards.</para>
      
       <para>To configure an EISA or PCI host card, use this line:</para>
      
       <programlisting>device si0</programlisting>
 
       <para>After adding the configuration entry, rebuild and
 	install your new kernel.</para>
      
       <note>
         <para>The following step, is not necessary if you are using
           &man.devfs.5; in FreeBSD&nbsp;5.<replaceable>X</replaceable>.</para>
       </note>
 
       <para>After rebooting with the new kernel, you need to make the
 	device nodes in <filename>/dev</filename>.  The <filename>MAKEDEV</filename> script
 	will take care of this for you.  Count how many total ports
 	you have and type:</para>
      
       <screen>&prompt.root; <userinput>cd /dev</userinput>
 &prompt.root; <userinput>./MAKEDEV ttyA<replaceable>nn</replaceable> cuaA<replaceable>nn</replaceable></userinput></screen>
      
       <para>(where <replaceable>nn</replaceable> is the number of
 	ports)</para>
      
       <para>If you want login prompts to appear on these ports, you
 	will need to add lines like this to
 	<filename>/etc/ttys</filename>:</para>
 
       <programlisting>ttyA01  "/usr/libexec/getty std.9600"   vt100   on insecure</programlisting>
      
       <para>Change the terminal type as appropriate. For modems,
 	<userinput>dialup</userinput> or
 	<userinput>unknown</userinput> is fine.</para>
 
   </sect1>
 
 </article>
diff --git a/en_US.ISO8859-1/articles/solid-state/article.sgml b/en_US.ISO8859-1/articles/solid-state/article.sgml
index cff6136296..3bfb5737ac 100644
--- a/en_US.ISO8859-1/articles/solid-state/article.sgml
+++ b/en_US.ISO8859-1/articles/solid-state/article.sgml
@@ -1,635 +1,635 @@
 <!-- Copyright (c) 2001 The FreeBSD Documentation Project
 
      Redistribution and use in source (SGML DocBook) and 'compiled' forms
      (SGML, HTML, PDF, PostScript, RTF and so forth) with or without
      modification, are permitted provided that the following conditions
      are met:
 
       1. Redistributions of source code (SGML DocBook) must retain the above
          copyright notice, this list of conditions and the following
          disclaimer as the first lines of this file unmodified.
 
       2. Redistributions in compiled form (transformed to other DTDs,
          converted to PDF, PostScript, RTF and other formats) must reproduce
          the above copyright notice, this list of conditions and the
          following disclaimer in the documentation and/or other materials
          provided with the distribution.
 
      THIS DOCUMENTATION IS PROVIDED BY THE FREEBSD DOCUMENTATION PROJECT "AS
      IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
      THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
      PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL NIK CLAYTON BE LIABLE FOR ANY
      DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
      DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
      OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
      HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
      STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
      ANY WAY OUT OF THE USE OF THIS DOCUMENTATION, EVEN IF ADVISED OF THE
      POSSIBILITY OF SUCH DAMAGE.
 
      $FreeBSD$
 -->
 
 <!DOCTYPE article PUBLIC "-//FreeBSD//DTD DocBook V4.1-Based Extension//EN" [
 <!ENTITY % articles.ent PUBLIC "-//FreeBSD//ENTITIES DocBook FreeBSD Articles Entity Set//EN">
 %articles.ent;
 <!ENTITY legalnotice SYSTEM "../../share/sgml/legalnotice.sgml">
 ]>
 
 <article>
   <articleinfo>
     <title>FreeBSD and Solid State Devices</title>
 
     <authorgroup>
       <author>
 	<firstname>John</firstname>
 	<surname>Kozubik</surname>
 
 	<affiliation>
 	  <address><email>john@kozubik.com</email></address>
 	</affiliation>
       </author>
     </authorgroup>
     
     <pubdate>$FreeBSD$</pubdate>
 
     <copyright>
       <year>2001</year>
       <holder>The FreeBSD Documentation Project</holder>
     </copyright>
 
     <legalnotice id="trademarks" role="trademarks">
       &tm-attrib.freebsd;
       &tm-attrib.m-systems;
       &tm-attrib.general;
     </legalnotice>
 
     &legalnotice;
     
     <abstract>
       <para>This article covers the use of solid state disk devices in FreeBSD
 	to create embedded systems.</para>
     
       <para>Embedded systems have the advantage of increased stability due to
 	the lack of integral moving parts (hard drives).  Account must be
 	taken, however, for the generally low disk space available in the
 	system and the durability of the storage medium.</para>
 
       <para>Specific topics to be covered include the types and attributes of
 	solid state media suitable for disk use in FreeBSD, kernel options
 	that are of interest in such an environment, the
 	<filename>rc.diskless</filename> mechanisms that automate the
 	initialization of such systems and the need for read-only filesystems,
 	and building filesystems from scratch.  The article will conclude
 	with some general strategies for small and read-only FreeBSD
 	environments.</para>
     </abstract>
   </articleinfo>
 
   <sect1 id="intro">
     <title>Solid State Disk Devices</title>
 
     <para>The scope of this article will be limited to solid state disk
       devices made from flash memory.  Flash memory is a solid state memory
       (no moving parts) that is non-volatile (the memory maintains data even
       after all power sources have been disconnected).  Flash memory can
       withstand tremendous physical shock and is reasonably fast (the flash
       memory solutions covered in this article are slightly slower than a EIDE
       hard disk for write operations, and much faster for read operations).
       One very important aspect of flash memory, the ramifications of which
       will be discussed later in this article, is that each sector has a
       limited rewrite capacity.  You can only write, erase, and write again to
       a sector of flash memory a certain number of times before the sector
       becomes permanently unusable.  Although many flash memory products
       automatically map bad blocks, and although some even distribute write
       operations evenly throughout the unit, the fact remains that there
       exists a limit to the amount of writing that can be done to the device.
       Competitive units have between 1,000,000 and 10,000,000 writes per
       sector in their specification.  This figure varies due to the
       temperature of the environment.</para>
 
     <para>Specifically, we will be discussing ATA compatible compact-flash
       units and the M-Systems &diskonchip; flash memory unit.  ATA compatible
       compact-flash cards are quite popular as storage media for digital
       cameras.  Of particular interest is the fact that they pin out directly
       to the IDE bus and are compatible with the ATA command set.  Therefore,
       with a very simple and low-cost adaptor, these devices can be attached
       directly to an IDE bus in a computer.  Once implemented in this manner,
       operating systems such as FreeBSD see the device as a normal hard disk
       (albeit small).  The M-Systems &diskonchip; product is based on the same
       underlying flash memory technology as ATA compatible compact-flash
       cards, but resides in a DIP form factor and is not ATA compatible.  To
       use such a device, not only must you install it on a motherboard that
       has a &diskonchip; socket, you must also build the `fla` driver into any
       FreeBSD kernel you wish to use it with.  Further, there is critical,
       manufacturer-specific data residing in the boot sector of this device,
       so you must take care not to install the FreeBSD (or any other) boot
       loader when using this.</para>
 
     <para>Other solid state disk solutions do exist, but their expense,
       obscurity, and relative unease of use places them beyond the scope of
       this article.</para>
   </sect1>
 
   <sect1 id="kernel">
       <title>Kernel Options</title>
 
     <para>A few kernel options are of specific interest to those creating
       an embedded FreeBSD system.</para>
 
     <para>First, all embedded FreeBSD systems that use flash memory as system
       disk will be interested in memory disks and memory filesystems.  Because
       of the limited number of writes that can be done to flash memory, the
       disk and the filesystems on the disk will most likely be mounted
       read-only.  In this environment, filesystems such as
       <filename>/tmp</filename> and <filename>/var</filename> are mounted as
       memory filesystems to allow the system to create logs and update
       counters and temporary files.  Memory filesystems are a critical
       component to a successful solid state FreeBSD implementation.</para>
 
     <para>You should make sure the following lines exist in your kernel
       configuration file:</para>
 
     <programlisting>options         MFS             # Memory Filesystem
 options         MD_ROOT         # md device usable as a potential root device
 pseudo-device   md              # memory disk</programlisting>
 
     <para>Second, if you will be using the M-Systems &diskonchip; product, you
       must also include this line:</para>
 
     <programlisting>device          fla0    at isa?</programlisting>
   </sect1>
 
   <sect1 id="ro-fs">
     <title><filename>rc.diskless</filename> and Read-Only Filesystems</title>
 
     <para>The post-boot initialization of an embedded FreeBSD system is
       controlled by <filename>/etc/rc.diskless2</filename>
       (<filename>/etc/rc.diskless1</filename> is for BOOTP diskless boot).
       This initialization script is invoked by placing a line in
       <filename>/etc/rc.conf</filename> as follows:</para>
 
     <programlisting>diskless_mount=/etc/rc.diskless2</programlisting>
 
     <para><filename>rc.diskless2</filename> mounts <filename>/var</filename>
       as a memory filesystem, makes a configurable list of directories in
       <filename>/var</filename> with the &man.mkdir.1; command, changes modes
       on some of those directories, and extracts a list of device entries to
       copy to a writable (again, a memory filesystem)
       <filename>/dev</filename> partition.  In the execution of
       <filename>/etc/rc.diskless2</filename>, one other
       <filename>rc.conf</filename> variable comes into play -
       <literal>varsize</literal>.  The <filename>/etc/rc.diskless2</filename>
       file creates a <filename>/var</filename> partition based on the value of
       this variable in <filename>rc.conf</filename>:</para>
 
     <programlisting>varsize=8192</programlisting>
 
     <para>Remember that this value is in sectors.  The creation of the
       <filename>/dev</filename> partition by
       <filename>/etc/rc.diskless2</filename>, however, is governed by a
       hard-coded value of 4096 sectors.  It is trivial to change this entry in
       the <filename>/etc/rc.diskless2</filename> file itself, although you
       should not need more space than that for
       <filename>/dev</filename>.</para>
 
     <para>It is important to remember that the
       <filename>/etc/rc.diskless2</filename> script assumes that you have
       already removed your conventional <filename>/tmp</filename> partition
       and replaced it with a symbolic link to <filename>/var/tmp</filename>.
       Because <filename>tmp</filename> is one of the directories created in
       <filename>/var</filename> by the <filename>/etc/rc.diskless2</filename>
       script, and because <filename>/var</filename> is a memory filesystem
       (which is mounted read-write), <filename>/tmp</filename> will now be a
       directory that is read-write as well.</para>
 
     <para>The fact that <filename>/var</filename> and
       <filename>/dev</filename> are read-write filesystems is an important
       distinction, as the <filename>/</filename> partition (and any other
       partitions you may have on your flash media) should be mounted
       read-only.  Remember that in <xref linkend="intro"> we detailed the
       limitations of flash memory - specifically the limited write capability.
       The importance of not mounting filesystems on flash media read-write,
       and the importance of not using a swap file, cannot be overstated.  A
       swap file on a busy system can burn through a piece of flash media in
       less than one year. Heavy logging or temporary file creation and
       destruction can do the same.  Therefore, in addition to removing the
       <literal>swap</literal> and <literal>/proc</literal> entries from your
       <filename>/etc/fstab</filename> file, you should also change the Options
       field for each filesystem to <literal>ro</literal> as follows:</para>
 
     <programlisting># Device                Mountpoint      FStype  Options         Dump    Pass#
 /dev/ad0s1a             /               ufs     ro              1       1</programlisting>
 
     <para>A few applications in the average system will immediately begin to
       fail as a result of this change.  For instance, ports will not install
       from the ports tree because the
       <filename>/var/db/port.mkversion</filename> file does not exist.  cron
       will not run properly as a result of missing cron tabs in the
       <filename>/var</filename> created by
       <filename>/etc/rc.diskless2</filename>, and syslog and dhcp will
       encounter problems as well as a result of the read-only filesystem and
       missing items in the <filename>/var</filename> that
       <filename>/etc/rc.diskless2</filename> has created.  These are only
       temporary problems though, and are addressed, along with solutions to
       the execution of other common software packages in
       <xref linkend="strategies">.</para>
 
     <para>An important thing to remember is that a filesystem that was mounted
       read-only with <filename>/etc/fstab</filename> can be made read-write at
       any time by issuing the command:</para>
 
     <screen>&prompt.root; <userinput>/sbin/mount -uw <replaceable>partition</replaceable></userinput></screen>
 
     <para>and can be toggled back to read-only with the command:</para>
 
     <screen>&prompt.root; <userinput>/sbin/mount -ur <replaceable>partition</replaceable></userinput></screen>
   </sect1>
 
   <sect1>
     <title>Building a File System From Scratch</title>
 
     <para>Because ATA compatible compact-flash cards are seen by FreeBSD as
       normal IDE hard drives, as is a M-Systems &diskonchip; product (when you
       are running a kernel with the fla driver built in) you could
       theoretically install FreeBSD from the network using the kern and
       mfsroot floppies or from a CD.  Other than the fact that you should not
       write a boot-loader of any kind to the M-Systems device, no special
       instructions are needed.</para>
 
     <para>However, even a small installation of FreeBSD using normal
       installation procedures can produce a system in size of greater than 200
       megabytes.  Because most people will be using smaller flash memory
       devices (128 megabytes is considered fairly large - 32 or even 16
       megabytes is common) an installation using normal mechanisms is not
       possible&mdash;there is simply not enough disk space for even the
       smallest of conventional installations.</para>
 
     <para>The easiest way to overcome this space limitation is to install
       FreeBSD using conventional means to a normal hard disk.  After the
       installation is complete, pare down the operating system to a size that
       will fit onto your flash media, then tar the entire filesystem.  The
       following steps will guide you through the process of preparing a piece
       of flash memory for your tarred filesystem.  Remember, because a normal
       installation is not being performed, operations such as partitioning,
       labeling, file-system creation, etc. need to be performed by hand.  In
       addition to the kern and mfsroot floppy disks, you will also need to use
       the fixit floppy.  If you are using a M-Systems &diskonchip;, the kernel
       on your kern floppy must have the <literal>fla</literal> option detailed
       in <xref linkend="kernel"> compiled into it.  Please see
       <xref linkend="kern.flp"> for instructions on creating a new kernel for
       <filename>kern.flp</filename>.</para>
 
     <procedure>
       <step>
 	<title>Partitioning your flash media device</title>
 
 	<para>After booting with the kern and mfsroot floppies, choose
 	  <literal>custom</literal> from the installation menu.  In the custom
 	  installation menu, choose <literal>partition</literal>.  In the
 	  partition menu, you should delete all existing partitions using the
 	  <keycap>d</keycap> key.  After deleting all existing partitions,
 	  create a partition using the <keycap>c</keycap> key and accept the
 	  default value for the size of the partition.  When asked for the
 	  type of the partition, make sure the value is set to
 	  <literal>165</literal>.  Now write this partition table to the disk
 	  by pressing the <keycap>w</keycap> key (this is a hidden option on
 	  this screen).  When presented with a menu to choose a boot manager,
 	  take care to select <literal>None</literal> if you are using an
 	  M-Systems &diskonchip;.  If you are using an ATA compatible compact
 	  flash card, you should choose the FreeBSD Boot Manager.  Now press
 	  the <keycap>q</keycap> key to quit the partition menu.  You will be
 	  shown the boot manager menu once more - repeat the choice you made
 	  earlier.</para>
       </step>
 
       <step>
 	<title>Creating filesystems on your flash memory device</title>
 
 	<para>Exit the custom installation menu, and from the main
 	  installation menu choose the <literal>fixit</literal> option.  After
 	  entering the fixit environment, enter the following commands:</para>
 
-	<informaltable frame="none">
+	<informaltable frame="none" pgwide="1">
 	  <tgroup cols="2">
 	    <thead>
 	      <row>
 		<entry align="center">ATA compatible</entry>
 
 		<entry align="center">&diskonchip;</entry>
 	      </row>
 	    </thead>
 	    <tbody>
 	      <row>
 		<entry><para><screen>&prompt.root; <userinput>mknod /dev/ad0a c 116 0</userinput>
 &prompt.root; <userinput>mknod /dev/ad0c c 116 2</userinput>		      
 &prompt.root; <userinput>disklabel -e /dev/ad0c</userinput></screen></para></entry>
 
 		<entry><para><screen>&prompt.root; <userinput>mknod /dev/fla0a c 102 0</userinput>
 &prompt.root; <userinput>mknod /dev/fla0c c 102 2</userinput>
 &prompt.root; <userinput>disklabel -e /dev/fla0c</userinput></screen></para></entry>
 	      </row>
 	    </tbody>
 	  </tgroup>
 	</informaltable>
 
 	<para>At this point you will have entered the vi editor under the
 	  auspices of the disklabel command.  If you are using &diskonchip;,
 	  the first step will be to change the type value near the beginning
 	  of the file from <literal>ESDI</literal> to
 	  <literal>DOC2K</literal>.  Next, regardless of whether you are using
 	  &diskonchip; or ATA compatible compact flash media, you need to add
 	  an <literal>a:</literal> line at the end of the file.  This
 	  <literal>a:</literal> line should look like:</para>
 
 	<programlisting>a:      <replaceable>123456</replaceable>  0       4.2BSD  0       0</programlisting>
 
 	<para>Where <replaceable>123456</replaceable> is a number that is
 	  exactly the same as the number in the existing <literal>c:</literal>
 	  entry for size. Basically you are duplicating the existing
 	  <literal>c:</literal> line as an <literal>a:</literal> line, making
 	  sure that fstype is <literal>4.2BSD</literal>.  Save the file and
 	  exit.</para>
 
-	<informaltable frame="none">
+	<informaltable frame="none" pgwide="1">
 	  <tgroup cols="2">
 	    <thead>
 	      <row>
 		<entry align="center">ATA compatible</entry>
 
 		<entry align="center">&diskonchip;</entry>
 	      </row>
 	    </thead>
 	    <tbody>
 	      <row>
 		<entry><para><screen>&prompt.root; <userinput>disklabel -B -r /dev/ad0c</userinput>
 &prompt.root; <userinput>newfs /dev/ad0a</userinput></screen></para></entry>
 
 		<entry><para><screen>&prompt.root; <userinput>disklabel -B -r /dev/fla0c</userinput>
 &prompt.root; <userinput>newfs /dev/fla0a</userinput></screen></para></entry>
 	      </row>
 	    </tbody>
 	  </tgroup>
 	</informaltable>
       </step>
 
       <step>
 	<title>Placing your filesystem on the flash media</title>
 
 	<para>Mount the newly prepared flash media:</para>
 
-	<informaltable frame="none">
+	<informaltable frame="none" pgwide="1">
 	  <tgroup cols="2">
 	    <thead>
 	      <row>
 		<entry align="center">ATA compatible</entry>
 
 		<entry align="center">&diskonchip;</entry>
 	      </row>
 	    </thead>
 	    <tbody>
 	      <row>
 		<entry><para><screen>&prompt.root; <userinput>mount /dev/ad0a /flash</userinput></screen></para></entry>
 
 		<entry><para><screen>&prompt.root; <userinput>mount /dev/fla0a /flash</userinput></screen></para></entry>
 	      </row>
 	    </tbody>
 	  </tgroup>
 	</informaltable>
 	
 	<para>Bring this machine up on the network so we may transfer our tar
 	  file and explode it onto our flash media filesystem.  One example of
 	  how to do this is:</para>
 
 	<screen>&prompt.root; <userinput>ifconfig xl0 192.168.0.10 netmask 255.255.255.0</userinput>
 &prompt.root; <userinput>route add default 192.168.0.1</userinput></screen>
 
 	<para>Now that the machine is on the network, transfer your tar file.
 	  You may be faced with a bit of a dilemma at this point - if your
 	  flash memory part is 128 megabytes, for instance, and your tar file
 	  is larger than 64 megabytes, you cannot have your tar file on the
 	  flash media at the same time as you explode it - you will run out of
 	  space.  One solution to this problem, if you are using FTP, is to
 	  untar the file while it is transferred over FTP.  If you perform
 	  your transfer in this manner, you will never have the tar file and
 	  the tar contents on your disk at the same time:</para>
 
 	<screen><prompt>ftp></prompt> <userinput>get tarfile.tar "| tar xvf -"</userinput></screen>
 
 	<para>If your tarfile is gzipped, you can accomplish this as
 	  well:</para>
 
 	<screen><prompt>ftp></prompt> <userinput>get tarfile.tar "| zcat | tar xvf -"</userinput></screen>
 
 	<para>After the contents of your tarred filesystem are on your flash
 	  memory filesystem, you can unmount the flash memory and
 	  reboot:</para>
 
 	<screen>&prompt.root; <userinput>cd /</userinput>
 &prompt.root; <userinput>umount /flash</userinput>
 &prompt.root; <userinput>exit</userinput></screen>
 
 	<para>Assuming that you configured your filesystem correctly when it
 	  was built on the normal hard disk (with your filesystems mounted
 	  read-only, and with the necessary options compiled into the kernel)
 	  you should now be successfully booting your FreeBSD embedded
 	  system.</para>
       </step>
     </procedure>
   </sect1>
 
   <sect1 id="kern.flp">
     <title>Building a <filename>kern.flp</filename> Installation Floppy with
       the fla Driver</title>
 
     <note>
       <para>This section of the article is relevant only to those using
 	M-Systems &diskonchip; flash media.</para>
     </note>
 
     <para>It is possible that your <filename>kern.flp</filename> boot floppy
       does not have a kernel with the <devicename>fla</devicename> driver
       compiled into it necessary for the system to recognize the &diskonchip;.
       If you have booted off of the installation floppies and are told that no
       disks are present, then you are probably lacking the
       <devicename>fla</devicename> driver in your kernel.</para>
 
     <para>After you have built a kernel with <devicename>fla</devicename>
       support that is smaller than 1.4 megabytes, you can create a custom
       <filename>kern.flp</filename> floppy image with it by following these
       instructions:</para>
 
     <procedure>
       <step>
 	<para>Obtain an existing kern.flp image file</para>
       </step>
 
       <step>
 	<para><screen>&prompt.root; <userinput>vnconfig vn0c kern.flp</userinput></screen></para>
       </step>
 
       <step>
 	<para><screen>&prompt.root; <userinput>mount /dev/vn0c /mnt</userinput></screen></para>
       </step>
       
       <step>
 	<para>Place your kernel file into <filename>/mnt</filename>, replacing
 	  the existing one</para>
       </step>
 
       <step>
 	<para><screen>&prompt.root; <userinput>vnconfig -d vn0c</userinput></screen></para>
       </step>
     </procedure>
 
     <para>Your <filename>kern.flp</filename> file now has your new kernel on it.</para>
   </sect1>
 
   <sect1 id="strategies">
     <title>System Strategies for Small and Read Only Environments</title>
 
     <para>In <xref linkend="ro-fs">, it was pointed out that the
       <filename>/var</filename> filesystem constructed by
       <filename>/etc/rc.diskless2</filename> and the presence of a read-only
       root filesystem causes problems with many common software packages used
       with FreeBSD.  In this article, suggestions for successfully running
       cron, syslog, ports installations, and the Apache web server will be
       provided.</para>
 
     <sect2>
       <title>cron</title>
 
       <para>In <filename>/etc/rc.diskless2</filename> there is a variable
 	named <literal>var_dirs</literal>.  This variable consists of a
 	space-delimited list of directories that will be created inside of
 	<filename>/var</filename> after it is mounted as a memory filesystem.
 	<filename>cron</filename> and <filename>cron/tabs</filename> are not
 	in that list, and without those directories, cron will complain.  By
 	inserting <literal>cron</literal>, <literal>cron/tabs</literal>, and
 	perhaps even <literal>at</literal>, and <literal>at/jobs</literal> as
 	elements of that variable, you will facilitate the running of the
 	&man.cron.8; and &man.at.1; daemons.</para>
 
       <para>However, this still does not solve the problem of maintaining cron
 	tabs across reboots.  When the system reboots, the
 	<filename>/var</filename> filesystem that is in memory will disappear
 	and any cron tabs you may have had in it will also disappear.
 	Therefore, one solution would be to create cron tabs for the users
 	that need them, mount your <filename>/</filename> filesystem as
 	read-write and copy those cron tabs to somewhere safe, like
 	<filename>/etc/tabs</filename>, then add a line to the end of
 	<filename>/etc/rc.diskless2</filename> that copies those crontabs into
 	<filename>/var/cron/tabs</filename> after that directory has been
 	created during system initialization.  You may also need to add a line
 	that changes modes and permissions on the directories you create and
 	the files you copy with <filename>/etc/rc.diskless2</filename>.</para>
     </sect2>
 
     <sect2>
       <title>syslog</title>
 
       <para><filename>syslog.conf</filename> specifies the locations of
 	certain log files that exist in <filename>/var/log</filename>.  These
 	files are not created by <filename>/etc/rc.diskless2</filename> upon
 	system initialization. Therefore, somewhere in
 	<filename>/etc/rc.diskless2</filename>, after the section that creates
 	the directories in <filename>/var</filename>, you will need to add
 	something like this:</para>
 
       <screen>&prompt.root; <userinput>touch /var/log/security /var/log/maillog /var/log/cron /var/log/messages</userinput>
 &prompt.root; <userinput>chmod 0644 /var/log/*</userinput></screen>
 
       <para>You will also need to add the log directory to the list of
 	directories that <filename>/etc/rc.diskless2</filename>
 	creates.</para>
     </sect2>
 
     <sect2>
       <title>ports installation</title>
 
       <para>Before discussing the changes necessary to successfully use the
 	ports tree, a reminder is necessary regarding the read-only nature of
 	your filesystems on the flash media.  Since they are read-only, you
 	will need to temporarily mount them read-write using the mount syntax
 	shown in <xref linkend="ro-fs">.  You should always remount those
 	filesystems read-only when you are done with any maintenance -
 	unnecessary writes to the flash media could considerably shorten its
 	lifespan.</para>
 
       <para>To make it possible to enter a ports directory and successfully
 	run <command>make install</command>, it is necessary for the file
 	<filename>/var/db/port.mkversion</filename> to exist, and that it has
 	a correct date in it.  Further, we must create a packages directory on
 	a non-memory filesystem that will keep track of our packages across
 	reboots. Because it is necessary to mount your filesystems as
 	read-write for the installation of a package anyway, it is sensible to
 	assume that an area on the flash media can also be used for package
 	information to be written to.</para>
 
       <para>First, create a package database directory.  This is normally in
 	<filename>/var/db/pkg</filename>, but we cannot place it there as it
 	will disappear every time the system is booted.</para>
 
       <screen>&prompt.root; <userinput>mkdir /etc/pkg</userinput></screen>
 
       <para>Now, add a line to <filename>/etc/rc.diskless2</filename> that
 	links the <filename>/etc/pkg</filename> directory to
 	<filename>/var/db/pkg</filename>.  An example:</para>
 
       <screen>&prompt.root; <userinput>ln -s /etc/pkg /var/db/pkg</userinput></screen>
       
       <para>Add another line in <filename>/etc/rc.diskless2</filename> that
 	creates and populates
 	<filename>/var/db/port.mkversion</filename></para>
 
       <screen>&prompt.root; <userinput>touch /var/db/port.mkversion</userinput>
 &prompt.root; <userinput>chmod 0644 /var/db/port.mkversion</userinput>
 &prompt.root; <userinput>echo <replaceable>20010412</replaceable> >> /var/db/port.mkversion</userinput></screen>
 
       <para>where <replaceable>20010412</replaceable> is a date that is
 	appropriate for your particular release of FreeBSD</para>
 
       <para>Now, any time that you mount your filesystems as read-write and
 	install a package, the <command>make install</command> will work
 	because it finds a suitable
 	<filename>/var/db/port.mkversion</filename>, and package information
 	will be written successfully to <filename>/etc/pkg</filename> (because
 	the filesystem will, at that time, be mounted read-write) which will
 	always be available to the operating system as
 	<filename>/var/db/pkg</filename>.</para>
     </sect2>
 
     <sect2>
       <title>Apache Web Server</title>
 
       <para>Apache keeps pid files and logs in
 	<filename><replaceable>apache_install</replaceable>/logs</filename>.
 	Since this directory doubtless exists on a read-only filesystem, this
 	will not work.  It is necessary to add a new directory to the
 	<filename>/etc/rc.diskless2</filename> list of directories to create
 	in <filename>/var</filename>, to link
 	<filename><replaceable>apache_install</replaceable>/logs</filename> to
 	<filename>/var/log/apache</filename>.  It is also necessary to set
 	permissions and ownership on this new directory.</para>
 
       <para>First, add the directory <literal>log/apache</literal> to the list
 	of directories to be created in
 	<filename>/etc/rc.diskless2</filename>.</para>
       
       <para>Second, add these commands to
 	<filename>/etc/rc.diskless2</filename> after the directory creation
 	section:</para>
 
       <screen>&prompt.root; <userinput>chmod 0774 /var/log/apache</userinput>
 &prompt.root; <userinput>chown nobody:nobody /var/log/apache</userinput></screen>
 
       <para>Finally, remove the existing
 	<filename><replaceable>apache_install</replaceable>/logs</filename>
 	directory, and replace it with a link:</para>
 
       <screen>&prompt.root; <userinput>rm -rf (apache_install)/logs</userinput>
 &prompt.root; <userinput>ln -s /var/log/apache (apache_install)/logs</userinput></screen>
     </sect2>
   </sect1>
 </article>
 
diff --git a/en_US.ISO8859-1/articles/storage-devices/article.sgml b/en_US.ISO8859-1/articles/storage-devices/article.sgml
index 8f8577925f..97e8b25043 100644
--- a/en_US.ISO8859-1/articles/storage-devices/article.sgml
+++ b/en_US.ISO8859-1/articles/storage-devices/article.sgml
@@ -1,2643 +1,2643 @@
 <!DOCTYPE article PUBLIC "-//FreeBSD//DTD DocBook V4.1-Based Extension//EN" [
 <!ENTITY % articles.ent PUBLIC "-//FreeBSD//ENTITIES DocBook FreeBSD Articles Entity Set//EN">
 %articles.ent;
 ]>
 
 <article>
   <articleinfo>
     <title>Storage Devices</title>
     
     <authorgroup>
       <author>
         <firstname>Wilko</firstname>
         <surname>Bulte</surname>
         
         <affiliation>
           <address><email>wilko@FreeBSD.org</email></address>
         </affiliation>
       </author>
     </authorgroup>
     
     <pubdate>$FreeBSD$</pubdate>
     
 
     <legalnotice id="trademarks" role="trademarks">
       &tm-attrib.freebsd;
       &tm-attrib.general;
     </legalnotice>
 
     <abstract>
       <para>This article talks about storage devices with FreeBSD.</para>
     </abstract>
   </articleinfo>
   
   <sect1 id="esdi">
     <title>Using ESDI hard disks</title>
       
     <para><emphasis>Copyright &copy; 1995, &a.wilko;.  24 September
       1995.</emphasis></para>
 	  
     <para>ESDI is an acronym that means Enhanced Small Device
       Interface. It is loosely based on the good old ST506/412
       interface originally devised by Seagate Technology, the makers
       of the first affordable 5.25" winchester disk.</para>
 	  
     <para>The acronym says Enhanced, and rightly so.  In the first
       place the speed of the interface is higher, 10 or 15
       Mbits/second instead of the 5 Mbits/second of ST412 interfaced
       drives.  Secondly some higher level commands are added, making
       the ESDI interface somewhat <quote>smarter</quote> to the operating system
       driver writers.  It is by no means as smart as SCSI by the way.
       ESDI is standardized by ANSI.</para>
 	  
     <para>Capacities of the drives are boosted by putting more sectors
       on each track.  Typical is 35 sectors per track, high capacity
       drives I have seen were up to 54 sectors/track.</para>
       
     <para>Although ESDI has been largely obsoleted by IDE and SCSI
       interfaces, the availability of free or cheap surplus drives
       makes them ideal for low (or now) budget systems.</para>
       
       <sect2>
 	<title>Concepts of ESDI</title>
 
 	<sect3>
 	  <title>Physical connections</title>
 	  
 	  <para>The ESDI interface uses two cables connected to each drive.
 	    One cable is a 34 pin flat cable edge connector that carries the
 	    command and status signals from the controller to the drive and
 	    vice-versa.  The command cable is daisy chained between all the
 	    drives.  So, it forms a bus onto which all drives are
 	    connected.</para>
 	      
 	  <para>The second cable is a 20 pin flat cable edge connector that
 	    carries the data to and from the drive.  This cable is radially
 	    connected, so each drive has its own direct connection to the
 	    controller.</para>
 	      
 	  <para>To the best of my knowledge PC ESDI controllers are limited to
 	    using a maximum of 2 drives per controller.  This is compatibility
 	    feature(?) left over from the WD1003 standard that reserves only a
 	    single bit for device addressing.</para>
 	</sect3>
 
 	<sect3>
 	  <title>Device addressing</title>
 	  
 	  <para>On each command cable a maximum of 7 devices and 1 controller
 	    can be present.  To enable the controller to uniquely  identify
 	    which drive it addresses, each ESDI device is equipped with
 	    jumpers or switches to select the devices address.</para>
 	      
 	  <para>On PC type controllers the first drive is set to address 0,
 	    the second disk to address 1.  <emphasis>Always make
 	      sure</emphasis> you set each disk to an unique address! So, on a
 	    PC with its two drives/controller maximum the first drive is drive
 	    0, the second is drive 1.</para>
 	</sect3>
 
 	<sect3>
 	  <title>Termination</title>
 	  
 	  <para>The daisy chained command cable (the 34 pin cable remember?)
 	    needs to be terminated at the last drive on the chain.  For this
 	    purpose ESDI drives come with a termination resistor network that
 	    can be removed or disabled by a jumper when it is not used.</para>
 	  
 	  <para>So, one and <emphasis>only</emphasis> one drive, the one at
 	    the farthest end of the command cable has its terminator
 	    installed/enabled.  The controller automatically terminates the
 	    other end of the cable.  Please note that this implies that the
 	    controller must be  at one end of the cable and
 	    <emphasis>not</emphasis> in the middle.</para>
 	</sect3>
       </sect2>
       
       <sect2>
 	<title>Using ESDI disks with FreeBSD</title>
 
 	<para>Why is ESDI such a pain to get working in the first
 	  place?</para>
 
 	<para>People who tried ESDI disks with FreeBSD are known to have
 	  developed a profound sense of frustration.  A combination of factors
 	  works against you to produce effects that are hard to understand
 	  when you have never seen them before.</para>
 	    
 	<para>This has also led to the popular legend ESDI and FreeBSD is a
 	  plain NO-GO.  The following sections try to list all the pitfalls
 	  and  solutions.</para>
 	    
 	<sect3>
 	  <title>ESDI speed variants</title>
 	  
 	  <para>As briefly mentioned before, ESDI comes in two speed flavors.
 	    The older drives and controllers use a 10 Mbits/second data
 	    transfer rate.  Newer stuff uses 15 Mbits/second.</para>
 	      
 	  <para>It is not hard to imagine that 15 Mbits/second drive cause
 	    problems on controllers laid out for 10 Mbits/second.  As always,
 	    consult your controller <emphasis>and</emphasis> drive
 	    documentation to see if things match.</para>
 	</sect3>
 
 	<sect3>
 	  <title>Stay on track</title>
 	  
 	  <para>Mainstream ESDI drives use 34 to 36 sectors per track. Most
 	    (older) controllers cannot handle more than this  number of
 	    sectors.  Newer, higher capacity, drives use higher numbers of
 	    sectors per track.  For instance, I own a 670 MB drive that has 54
 	    sectors per track.</para>
 	      
 	  <para>In my case, the controller could not handle this number of
 	    sectors.  It proved to work well except that it only used 35
 	    sectors on each track.  This meant losing a lot of disk
 	    space.</para>
 	      
 	  <para>Once again, check the documentation of your hardware for more
 	    info.  Going out-of-spec like in the example might or might not
 	    work.  Give it a try or get another more capable
 	    controller.</para>
 	</sect3>
 
 	<sect3>
 	  <title>Hard or soft sectoring</title>
 	  
 	  <para>Most ESDI drives allow hard or soft sectoring to be selected
 	    using a jumper.  Hard sectoring means that the drive will produce
 	    a sector pulse on the start of each new sector. The controller
 	    uses this pulse to tell when it should start to write or
 	    read.</para>
 	  
 	  <para>Hard sectoring allows a selection of sector size (normally
 	    256, 512 or 1024 bytes per formatted sector).  FreeBSD uses 512
 	    byte sectors.  The number of sectors per track also varies while
 	    still using the same number of bytes per formatted sector.  The
 	    number of <emphasis>unformatted</emphasis> bytes per sector
 	    varies, dependent on your controller it needs more or less
 	    overhead  bytes to work correctly.  Pushing more sectors on a
 	    track  of course gives you more usable space, but might give
 	    problems if your controller needs more bytes than the  drive
 	    offers.</para>
 	      
 	  <para>In case of soft sectoring, the controller itself determines
 	    where to start/stop reading or writing.  For ESDI hard sectoring
 	    is the default (at least on everything I came across).  I never
 	    felt the urge to try soft sectoring.</para>
 	      
 	  <para>In general, experiment with sector settings before you install
 	    FreeBSD because you need to re-run the low-level format after each
 	    change.</para>
 	</sect3>
 
 	<sect3>
 	  <title>Low level formatting</title>
 	  
 	  <para>ESDI drives need to be low level formatted before they are
 	    usable.  A reformat is needed whenever you figgle with the number
 	    of sectors/track jumpers or the physical orientation of the drive
 	    (horizontal, vertical).  So, first think, then format.  The format
 	    time must not be underestimated, for big disks it can take
 	    hours.</para>
 	      
 	  <para>After a low level format, a surface scan is done to find and
 	    flag bad sectors.  Most disks have a manufacturer bad block list
 	    listed on a piece of paper or adhesive sticker.  In addition, on
 	    most disks the list is also written onto the disk.  Please use the
 	    manufacturer's list.  It is much easier to remap a defect now than
 	    after FreeBSD is installed.</para>
 	      
 	  <para>Stay away from low-level formatters that mark all sectors of a
 	    track as bad as soon as they find one bad sector.  Not only does
 	    this waste space, it also and more importantly causes you grief
 	    with bad144 (see the section on bad144).</para>
 	</sect3>
 
 	<sect3>
 	  <title>Translations</title>
 	  
 	  <para>Translations, although not exclusively a ESDI-only problem,
 	    might give you real trouble.  Translations come in multiple
 	    flavors.  Most of them  have in common that they attempt to work
 	    around the limitations posed upon disk geometries by the original
 	    IBM PC/AT design (thanks IBM!).</para>
 	      
 	  <para>First of all there is the (in)famous 1024 cylinder limit. For
 	    a system to be able to boot, the stuff (whatever operating system)
 	    must be in the first 1024 cylinders of a disk.  Only 10 bits are
 	    available to encode the cylinder number.  For the number of
 	    sectors the limit is 64 (0-63).  When you combine the 1024
 	    cylinder limit with the 16 head limit (also a design feature) you
 	    max out at fairly limited  disk sizes.</para>
 	      
 	  <para>To work around this problem, the manufacturers of ESDI PC
 	    controllers added a BIOS prom extension on their boards.  This
 	    BIOS extension handles disk I/O for booting (and for some
 	    operating systems <emphasis>all</emphasis> disk I/O) by using
 	    translation.  For instance, a big drive might be presented to the
 	    system as having 32 heads and 64 sectors/track.  The result is
 	    that the number of cylinders is reduced to something below 1024
 	    and is therefore usable by the system without problems.  It is
 	    noteworthy to know that FreeBSD does not use the BIOS after its
 	    kernel has started.  More on this later.</para>
 	      
 	  <para>A second reason for translations is the fact that most older
 	    system BIOSes could only handle drives with 17 sectors per track
 	    (the old ST412 standard).  Newer system BIOSes usually have a
 	    user-defined drive type (in most cases this is drive type
 	    47).</para>
 
 	  <warning>
 	    <para>Whatever you do to translations after reading this document,
 	      keep in mind that if you have multiple operating systems on the
 	      same disk, all must use the same translation</para>
 	  </warning>
 	  
 	  <para>While on the subject of translations, I have seen one
 	    controller type (but there are probably more like this) offer the
 	    option to logically split a drive in multiple partitions as a BIOS
 	    option.  I had select 1 drive == 1 partition because this
 	    controller wrote this info onto the disk.  On power-up it read the
 	    info and presented itself to the system based on the info from the
 	    disk.</para>
 	</sect3>
 	    
 	<sect3>
 	  <title>Spare sectoring</title>
 	  
 	  <para>Most ESDI controllers offer the possibility to remap bad
 	    sectors.  During/after the low-level format of the disk bad
 	    sectors are marked as such, and a replacement sector is put in
 	    place (logically of course) of the bad one.</para>
 	      
 	  <para>In most cases the remapping is done by using N-1 sectors on
 	    each track for actual data storage, and sector N itself is the
 	    spare sector.  N is the total number of sectors physically
 	    available on the track.  The idea behind this is that the
 	    operating system sees a <quote>perfect</quote> disk without bad sectors.  In
 	    the case of FreeBSD this concept is not usable.</para>
 	      
 	  <para>The problem is that the translation from
 	    <emphasis>bad</emphasis> to <emphasis>good</emphasis> is performed
 	    by the BIOS of the ESDI controller.  FreeBSD, being a true 32 bit
 	    operating system, does not use the BIOS after it has been booted.
 	    Instead, it has device drivers that talk directly to the
 	    hardware.</para>
 	      
 	  <para><emphasis>So: do not use spare sectoring, bad block remapping
 	      or whatever it may be called by the controller manufacturer when
 	      you want to use the disk for FreeBSD.</emphasis></para>
 	</sect3>
 
 	<sect3>
 	  <title>Bad block handling</title>
 	  
 	  <para>The preceding section leaves us with a problem.  The
 	    controller's bad block handling is not usable and still FreeBSD's
 	    filesystems assume perfect media without any flaws. To solve this
 	    problem, FreeBSD use the <command>bad144</command> tool.  Bad144
 	    (named after a Digital Equipment standard for bad block handling)
 	    scans a FreeBSD slice for bad blocks.  Having found these bad
 	    blocks, it writes a table with the offending block numbers to the
 	    end of the FreeBSD slice.</para>
 	      
 	  <para>When the disk is in operation, the disk accesses are checked
 	    against the table read from the disk.  Whenever a block number is
 	    requested that is in the <command>bad144</command> list, a
 	    replacement block (also from the end of the FreeBSD slice) is
 	    used.  In this way, the <command>bad144</command> replacement
 	    scheme presents <quote>perfect</quote> media to the FreeBSD filesystems.</para>
 	      
 	  <para>There are a number of potential pitfalls associated with the
 	    use of <command>bad144</command>.  First of all, the slice cannot
 	    have more than 126 bad sectors.  If your drive has a high number
 	    of bad sectors, you might need to divide it into multiple FreeBSD
 	    slices each containing less than 126 bad sectors.  Stay away from
 	    low-level format programs that mark <emphasis>every</emphasis>
 	    sector of a track as bad when  they find a flaw on the track.  As
 	    you can imagine, the  126 limit is quickly reached when the
 	    low-level format is done this way.</para>
 	      
 	  <para>Second, if the slice contains the root filesystem, the slice
 	    should be within the 1024 cylinder BIOS limit.  During the boot
 	    process the bad144 list is read using the BIOS and this only
 	    succeeds when the list is within the 1024 cylinder limit.</para>
 
 	  <note>
 	    <para>The restriction is not that only the root
 	      <emphasis>filesystem</emphasis> must be within the 1024 cylinder
 	      limit, but rather the entire <emphasis>slice</emphasis> that
 	      contains the root filesystem.</para>
 	  </note>
 	</sect3>
 
 	<sect3>
 	  <title>Kernel configuration</title>
 	  
 	  <para>ESDI disks are handled by the same <literal>wd</literal>driver
 	    as IDE and ST412 MFM disks.  The <literal>wd</literal> driver
 	    should work for all WD1003 compatible interfaces.</para>
 	      
 	  <para>Most hardware is jumperable for one of two different I/O
 	    address ranges and IRQ lines.  This allows you to have  two wd
 	    type controllers in one system.</para>
 	  
 	  <para>When your hardware allows non-standard strappings, you can use
 	    these with FreeBSD as long as you enter the  correct info into the
 	    kernel config file.  An example from the kernel config file (they
 	    live in <filename>/sys/i386/conf</filename> BTW).</para>
 	      
 	  <programlisting># First WD compatible controller
 controller      wdc0    at isa? port "IO_WD1" bio irq 14 vector wdintr
 disk            wd0     at wdc0 drive 0
 disk            wd1     at wdc0 drive 1
 # Second WD compatible controller
 controller      wdc1    at isa? port "IO_WD2" bio irq 15 vector wdintr
 disk            wd2     at wdc1 drive 0
 disk            wd3     at wdc1 drive 1</programlisting>
 	</sect3>
       </sect2>
       
       <sect2>
 	<title>Particulars on ESDI hardware</title>
 
 	<sect3>
 	  <title>Adaptec 2320 controllers</title>
 	  
 	  <para>I successfully installed FreeBSD onto a ESDI disk controlled
 	    by a ACB-2320.  No other operating system was present on the
 	    disk.</para>
 	      
 	  <para>To do so I low level formatted the disk using
 	    <command>NEFMT.EXE</command> (<command>ftp</command>able from
 	    <hostid role="fqdn">www.adaptec.com</hostid>) and answered NO to
 	    the question whether the disk should be formatted with a spare
 	    sector on each track.  The BIOS on the ACD-2320 was disabled.  I
 	    used the <literal>free configurable</literal> option in the system
 	    BIOS to allow the BIOS to boot it.</para>
 	      
 	  <para>Before using <command>NEFMT.EXE</command> I tried to format
 	    the disk using the ACB-2320 BIOS built-in formatter.  This proved
 	    to be a show stopper, because it did not give me an option to
 	    disable spare sectoring.  With spare sectoring enabled the FreeBSD
 	    installation process broke down on the <command>bad144</command>
 	    run.</para>
 	      
 	  <para>Please check carefully which
 	    ACB-232<replaceable>xy</replaceable> variant you have. The
 	    <replaceable>x</replaceable> is either <literal>0</literal> or
 	    <literal>2</literal>, indicating a controller without or with a
 	    floppy controller on board.</para>
 	      
 	  <para>The <literal>y</literal> is more interesting.  It can either
 	    be a blank, a <literal>A-8</literal> or a <literal>D</literal>.  A
 	    blank indicates a plain 10 Mbits/second controller.  An
 	    <literal>A-8</literal> indicates a 15 Mbits/second controller
 	    capable of handling 52 sectors/track.  A <literal>D</literal>
 	    means a 15 Mbits/second controller that can also handle drives
 	    with &gt; 36 sectors/track (also 52?).</para>
 	      
 	  <para>All variations should be capable of using 1:1 interleaving.
 	    Use 1:1, FreeBSD is fast enough to handle it.</para>
 	</sect3>
 
 	<sect3>
 	  <title>Western Digital WD1007 controllers</title>
 	  
 	  <para>I successfully installed FreeBSD onto a ESDI disk controlled
 	    by a WD1007 controller.  To be precise, it was a WD1007-WA2.
 	    Other variations of the WD1007 do exist.</para>
 	      
 	  <para>To get it to work, I had to disable the sector translation and
 	    the WD1007's onboard BIOS.  This implied I could not use the
 	    low-level formatter built into this BIOS.  Instead, I grabbed
 	    <command>WDFMT.EXE</command> from <hostid
 	      role="fqdn">www.wdc.com</hostid> Running this formatted my drive
 	    just fine.</para>
 	</sect3>
 
 	<sect3>
 	  <title>Ultrastor U14F controllers</title>
 	  
 	  <para>According to multiple reports from the net, Ultrastor ESDI
 	    boards work OK with FreeBSD.  I lack any further info on
 	    particular settings.</para>
 	</sect3>
       </sect2>
       
       <sect2 id="esdi-further-reading">
 	<title>Further reading</title>
 	    
 	<para>If you intend to do some serious ESDI hacking, you might want to
 	  have the official standard at hand:</para>
 	    
 	<para>The latest ANSI X3T10 committee document is: Enhanced Small
 	  Device Interface (ESDI) [X3.170-1990/X3.170a-1991]    [X3T10/792D
 	  Rev 11]</para>
 		
 	<para>On Usenet the newsgroup <ulink
 	    url="news:comp.periphs">comp.periphs</ulink> is a noteworthy place
 	  to look  for more info.</para>
 	    
 	<para>The World Wide Web (WWW) also proves to be a very handy info
 	  source: For info on Adaptec ESDI controllers see <ulink
 	    url="http://www.adaptec.com/"></ulink>. For
 	  info on Western Digital controllers see
 	  <ulink url="http://www.wdc.com/"></ulink>.</para>
       </sect2>
       
       <sect2>
 	<title>Thanks to...</title>
 
 	<para>Andrew Gordon for sending me an Adaptec 2320 controller and ESDI
 	  disk for testing.</para>
       </sect2>
     </sect1>
     
     <sect1 id="scsi">
       <title>What is SCSI?</title>
       
       <para><emphasis>Copyright &copy; 1995, &a.wilko;.  July 6,
 	  1996.</emphasis></para>
 	  
       <para>SCSI is an acronym for Small Computer Systems Interface.  It is an
 	ANSI standard that has become one of the leading I/O buses in the
 	computer industry.  The foundation of the SCSI standard was laid by
 	Shugart Associates (the same guys that gave the world the first mini
 	floppy disks) when they introduced the SASI bus (Shugart Associates
 	Standard Interface).</para>
 	  
       <para>After some time an industry effort was started to come to a more
 	strict standard allowing devices from different vendors to work
 	together.  This effort was recognized in the ANSI SCSI-1 standard.
 	The SCSI-1 standard (approximately 1985) is rapidly becoming obsolete.  The
 	current standard is SCSI-2 (see <link
 	  linkend="scsi-further-reading">Further reading</link>), with SCSI-3
 	on the drawing boards.</para>
 	  
       <para>In addition to a physical interconnection standard, SCSI defines a
 	logical (command set) standard to which disk devices must adhere.
 	This standard is called the Common Command Set (CCS) and was developed
 	more or less in parallel with ANSI SCSI-1. SCSI-2 includes the
 	(revised) CCS as part of the standard itself. The commands are
 	dependent on the type of device at hand.  It does not make much sense
 	of course to define a Write command for a scanner.</para>
 	  
       <para>The SCSI bus is a parallel bus, which comes in a number of
 	variants.  The oldest and most used is an 8 bit wide bus, with
 	single-ended signals, carried on 50 wires.  (If you do not know what
 	single-ended means, do not worry, that is what this document is all
 	about.)  Modern designs also use 16 bit wide buses, with differential
 	signals.  This allows transfer speeds of 20Mbytes/second, on cables
 	lengths of up to 25 meters.  SCSI-2 allows a maximum bus width of 32
 	bits, using an additional cable. Quickly emerging are Ultra SCSI (also
 	called Fast-20) and Ultra2 (also called Fast-40).  Fast-20 is 20
 	million transfers per second (20 Mbytes/sec on a 8 bit bus), Fast-40
 	is 40 million transfers per second (40 Mbytes/sec on a 8 bit bus).
 	Most hard drives sold today are single-ended Ultra SCSI (8 or 16
 	bits).</para>
 	  
       <para>Of course the SCSI bus not only has data lines, but also a number
 	of control signals.  A very elaborate protocol is part of the standard
 	to allow multiple devices to share the bus in an efficient manner.  In
 	SCSI-2, the data is always checked using a separate parity line.  In
 	pre-SCSI-2 designs parity was optional.</para>
 	  
       <para>In SCSI-3 even faster bus types are introduced, along with a
 	serial SCSI busses that reduces the cabling overhead and allows a
 	higher maximum bus length.  You might see names like SSA and
 	fibre channel in this context.  None of the serial buses are currently
 	in widespread use (especially not in the typical FreeBSD environment).
 	For this reason the serial bus types are not discussed any
 	further.</para>
 	  
       <para>As you could have guessed from the description above, SCSI devices
 	are intelligent.  They have to be to adhere to the SCSI standard
 	(which is over 2 inches thick BTW).  So, for a hard disk drive for
 	instance you do not specify a head/cylinder/sector to address a
 	particular block, but simply the number of the block you want.
 	Elaborate caching schemes, automatic bad block replacement etc are all
 	made possible by this <quote>intelligent device</quote> approach.</para>
 	  
       <para>On a SCSI bus, each possible pair of devices can communicate.
 	Whether their function allows this is another matter, but the standard
 	does not restrict it.  To avoid signal contention, the 2 devices have
 	to arbitrate for the bus before using it.</para>
 	  
       <para>The philosophy of SCSI is to have a standard that allows
 	older-standard devices to work with newer-standard ones.  So, an old
 	SCSI-1 device should normally work on a SCSI-2 bus.  I say Normally,
 	because it is not absolutely sure that the implementation of an old
 	device follows the (old) standard closely enough to be acceptable on a
 	new bus.  Modern devices are usually more well-behaved, because the
 	standardization has become more strict and is better adhered to by the
 	device manufacturers.</para>
 	  
       <para>Generally speaking, the chances of getting a working set of
 	devices on a single bus is better when all the devices are SCSI-2 or
 	newer.  This implies that you do not have to dump all your old stuff
 	when you get that shiny 80GB disk: I own a system on which a pre-SCSI-1
 	disk, a SCSI-2 QIC tape unit, a SCSI-1 helical scan tape unit and 2
 	SCSI-1 disks work together quite happily.  From a performance
 	standpoint you might want to separate your older and newer (=faster)
 	devices however. This is especially advantageous if you have an
 	Ultra160 host adapter where you should separate your U160 devices
 	from the Fast and Wide SCSI-2 devices.</para>
       
       <sect2>
 	<title>Components of SCSI</title>
 
 	<para>As said before, SCSI devices are smart.  The idea is to put the
 	  knowledge about intimate hardware details onto the SCSI device
 	  itself.  In this way, the host system does not have to worry about
 	  things like how many heads a hard disks has, or how many tracks
 	  there are on a specific tape device.  If you are curious, the
 	  standard specifies commands with which you can query your devices on
 	  their hardware particulars.  FreeBSD uses this capability during
 	  boot to check out what devices are connected and whether they need
 	  any special treatment.</para>
 	    
 	<para>The advantage of intelligent devices is obvious: the device
 	  drivers on the host can be made in a much more generic fashion,
 	  there is no longer a need to change (and qualify!) drivers for every
 	  odd new device that is introduced.</para>
 	    
 	<para>For cabling and connectors there is a golden rule: get good
 	  stuff.  With bus speeds going up all the time you will save yourself
 	  a lot of grief by using good material.</para>
 	    
 	<para>So, gold plated connectors, shielded cabling, sturdy connector
 	  hoods with strain reliefs etc are the way to go. Second golden rule:
 	  do no use cables longer than necessary.  I once spent 3 days hunting
 	  down a problem with a flaky machine only to discover that shortening
 	  the SCSI bus by 1 meter solved the problem.  And the original bus
 	  length was well within the SCSI specification.</para>
       </sect2>
 	  
       <sect2>
 	<title>SCSI bus types</title>
 
 	<para>From an electrical point of view, there are two incompatible bus
 	  types: single-ended and differential.  This means that there are two
 	  different main groups of SCSI devices and controllers, which cannot
 	  be mixed on the same bus.  It is possible however to use special
 	  converter hardware to transform a single-ended bus into a
 	  differential one (and vice versa).  The differences between the bus
 	  types are explained in the next sections.</para>
 	    
 	<para>In lots of SCSI related documentation there is a sort of jargon
 	  in use to abbreviate the different bus types.  A small list:</para>
 	    
 	<itemizedlist>
 	  <listitem>
 	    <para>FWD:	Fast Wide Differential</para>
 	  </listitem>
 	  
 	  <listitem>
 	    <para>FND:	Fast Narrow Differential</para>
 	  </listitem>
 	  
 	  <listitem>
 	    <para>SE:	Single Ended</para>
 	  </listitem>
 	  
 	  <listitem>
 	    <para>FN:	Fast Narrow</para>
 	  </listitem>
 	  
 	  <listitem>
 	    <para>etc.</para>
 	  </listitem>
 	</itemizedlist>
 
 
 	<para>With a minor amount of imagination one can usually imagine what
 	  is meant.</para>
 	    
 	<para>Wide is a bit ambiguous, it can indicate 16 or 32 bit buses. As
 	  far as I know, the 32 bit variant is not (yet) in use, so wide
 	  normally means 16 bit.</para>
 	    
 	<para>Fast means that the timing on the bus is somewhat different, so
 	  that on a narrow (8 bit) bus 10 Mbytes/sec are possible instead of 5
 	  Mbytes/sec for <quote>slow</quote> SCSI.  As discussed before, bus speeds of 20
 	  and 40 million transfers/second are also emerging  (Fast-20 == Ultra
 	  SCSI and Fast-40 == Ultra2 SCSI).</para>
 
 	<note>
 	  <para>The data lines &gt; 8 are only used for data transfers and
 	    device addressing.  The transfers of commands and status messages
 	    etc are only performed on the lowest 8 data lines. The standard
 	    allows narrow devices to operate on a wide bus. The usable bus
 	    width is negotiated between the devices.  You have to watch your
 	    device addressing closely when mixing wide and narrow.</para>
 	</note>
 
 	<sect3>
 	  <title>Single ended buses</title>
 	  
 	  <para>A single-ended SCSI bus uses signals that are either 5 Volts
 	    or 0 Volts (indeed, TTL levels) and are relative to a COMMON
 	    ground reference.  A singled ended 8 bit SCSI bus has
 	    approximately 25 ground lines, who are all tied to a single <quote>rail</quote>
 	    on all devices.  A standard single ended bus has a maximum length
 	    of 6 meters.  If the same bus is used with fast-SCSI devices, the
 	    maximum length allowed drops to 3 meters.  Fast-SCSI means that
 	    instead of 5Mbytes/sec the bus allows 10Mbytes/sec
 	    transfers.</para>
 	      
 	  <para>Fast-20 (Ultra SCSI) and Fast-40 allow for 20 and 40 million
 	    transfers/second respectively.  So, F20 is 20 Mbytes/second on a 8
 	    bit bus, 40 Mbytes/second on a 16 bit bus etc.  For F20 the max
 	    bus length is 1.5 meters, for F40 it becomes 0.75 meters.  Be
 	    aware that F20 is pushing  the limits quite a bit, so you will
 	    quickly find out if your SCSI bus is electrically sound.</para>
 
 	  <note>
 	    <para>If some devices on your bus use <quote>fast</quote> to communicate your
 	      bus must adhere to the length restrictions for fast
 	      buses!</para>
 	  </note>
 	  
 	  <para>It is obvious that with the newer fast-SCSI devices the bus
 	    length can become a real bottleneck.  This is why the differential
 	    SCSI bus was introduced in the SCSI-2 standard.</para>
 	      
 	  <para>For connector pinning and connector types please refer to the
 	    SCSI-2 standard (see <link linkend="scsi-further-reading">Further
 	      reading</link>) itself, connectors etc are listed there in
 	    painstaking detail.</para>
 	  
 	  <para>Beware of devices using non-standard cabling.  For instance
 	    Apple uses a 25pin D-type connecter (like the one on serial ports
 	    and parallel printers).  Considering that the official SCSI bus
 	    needs 50 pins you can imagine the use of this connector needs some
 	    <quote>creative cabling</quote>.  The reduction of the number of ground wires
 	    they used is a bad idea, you better stick to 50 pins cabling  in
 	    accordance with the SCSI standard.  For Fast-20 and 40 do not even
 	    think about buses like this.</para>
 	</sect3>
 
 	<sect3>
 	  <title>Differential buses</title>
 	  
 	  <para>A differential SCSI bus has a maximum length of 25 meters.
 	    Quite a difference from the 3 meters for a single-ended fast-SCSI
 	    bus.  The idea behind differential signals is that each bus signal
 	    has its own return wire.  So, each signal is carried on a
 	    (preferably twisted) pair of wires.  The voltage difference
 	    between these two wires determines whether the signal is asserted
 	    or de-asserted.  To a certain extent the voltage difference
 	    between ground and the signal wire pair is not relevant (do not
 	    try 10 kVolts though).</para>
 	      
 	  <para>It is beyond the scope of this document to explain why this
 	    differential idea is so much better.  Just accept that
 	    electrically seen the use of differential signals gives a much
 	    better noise margin.  You will normally find differential buses in
 	    use for inter-cabinet connections.  Because of the lower cost
 	    single ended is mostly used for shorter buses like inside
 	    cabinets.</para>
 	      
 	  <para>There is nothing that stops you from using differential stuff
 	    with FreeBSD, as long as you use a controller that has device
 	    driver support in FreeBSD.  As an example, Adaptec marketed the
 	    AHA1740 as a single ended board, whereas the AHA1744 was
 	    differential.  The software interface to the host is identical for
 	    both.</para>
 	</sect3>
 
 	<sect3>
 	  <title>Terminators</title>
 	  
 	  <para>Terminators in SCSI terminology are resistor networks that are
 	    used to get a correct impedance matching.  Impedance matching is
 	    important to get clean signals on the bus, without reflections or
 	    ringing.  If you once made a long distance telephone call on a bad
 	    line you probably know what reflections are.  With 20Mbytes/sec
 	    traveling over your SCSI bus, you do not want signals echoing
 	    back.</para>
 	      
 	  <para>Terminators come in various incarnations, with more or less
 	    sophisticated designs.  Of course, there are internal and external
 	    variants.  Many SCSI devices come with a number of sockets in
 	    which a number of resistor networks can (must be!) installed.  If
 	    you remove terminators from a device, carefully store them.  You
 	    will need them when you ever decide to reconfigure your SCSI bus.
 	    There is enough variation in even these simple tiny things to make
 	    finding the exact replacement a frustrating business.  There are
 	    also SCSI devices that have a single jumper to enable or disable a
 	    built-in terminator. There are special terminators you can stick
 	    onto a flat cable bus.  Others look like external connectors, or a
 	    connector hood without a cable.  So, lots of choice as you can
 	    see.</para>
 	      
 	  <para>There is much debate going on if and when you should switch
 	    from simple resistor (passive) terminators to active terminators.
 	    Active terminators contain slightly more elaborate circuit to give
 	    cleaner bus signals.  The general consensus seems to be that the
 	    usefulness of active termination increases when you have long
 	    buses and/or fast devices.  If you ever have problems with your
 	    SCSI buses you might consider trying an active terminator.  Try to
 	    borrow one first, they reputedly are quite expensive.</para>
 	      
 	  <para>Please keep in mind that terminators for differential and
 	    single-ended buses are not identical.  You should <emphasis>not
 	      mix</emphasis> the two variants.</para>
 	      
 	  <para>OK, and now where should you install your terminators? This is
 	    by far the most misunderstood part of SCSI.  And it is by far the
 	    simplest.  The rule is: <emphasis>every single line on the SCSI
 	      bus has 2 (two) terminators, one at each end of the
 	      bus.</emphasis> So, two and not one or three or whatever.  Do
 	    yourself a favor and stick to this rule.  It will save you endless
 	    grief, because wrong termination has the potential to introduce
 	    highly mysterious bugs.  (Note the <quote>potential</quote> here;
 	    the nastiest part is that it may or may not work.)</para>
 	      
 	  <para>A common pitfall is to have an internal (flat) cable in a
 	    machine and also an external cable attached to the controller. It
 	    seems almost everybody forgets to remove the terminators from the
 	    controller.  The terminator must now be on the last external
 	    device, and not on the controller! In general, every
 	    reconfiguration of a SCSI bus must pay attention to this.</para>
 
 	  <note>
 	    <para>Termination is to be done on a per-line basis.  This means
 	      if you have both narrow and wide buses connected to the same
 	      host adapter, you need to enable termination on the higher 8
 	      bits of the bus on the adapter (as well as the last devices on
 	      each bus, of course).</para>
 	      </note>
 	      
 	  <para>What I did myself is remove all terminators from my SCSI
 	    devices and controllers.  I own a couple of external terminators,
 	    for both the Centronics-type external cabling and for the internal
 	    flat cable connectors.  This makes reconfiguration much
 	    easier.</para>
 	      
 	  <para>On modern devices, sometimes integrated terminators are used.
 	    These things are special purpose integrated circuits that can be
 	    enabled or disabled with a control pin.  It is not necessary to
 	    physically remove them from a device.  You may find them on newer
 	    host adapters, sometimes they are software configurable, using
 	    some sort of setup tool.  Some will even auto-detect the cables
 	    attached to the connectors and automatically set up the
 	    termination as necessary.  At any rate, consult your
 	    documentation!</para>
 	</sect3>
 
 	<sect3>
 	  <title>Terminator power</title>
 	  
 	  <para>The terminators discussed in the previous chapter need power
 	    to operate properly.  On the SCSI bus, a line is dedicated to this
 	    purpose.  So, simple huh?</para>
 	      
 	  <para>Not so.  Each device can provide its own terminator power to
 	    the terminator sockets it has on-device.  But if you have external
 	    terminators, or when the device supplying the terminator power to
 	    the SCSI bus line is switched off you are in trouble.</para>
 	      
 	  <para>The idea is that initiators (these are devices that initiate
 	    actions on the bus, a discussion follows) must supply terminator
 	    power.  All SCSI devices are allowed (but not required) to supply
 	    terminator power.</para>
 	      
 	  <para>To allow for un-powered devices on a bus, the terminator power
 	    must be supplied to the bus via a diode.  This prevents the
 	    backflow of current to un-powered devices.</para>
 	      
 	  <para>To prevent all kinds of nastiness, the terminator power is
 	    usually fused.  As you can imagine, fuses might blow.  This can,
 	    but does not have to, lead to a non functional bus.  If multiple
 	    devices supply terminator power, a single blown fuse will not put
 	    you out of business.  A single supplier with a blown fuse
 	    certainly will.  Clever external terminators sometimes have a  LED
 	    indication that shows whether terminator power is present.</para>
 	      
 	  <para>In newer designs auto-restoring fuses that <quote>reset</quote> themselves
 	    after some time are sometimes used.</para>
 	</sect3>
 
 	<sect3>
 	  <title>Device addressing</title>
 	  
 	  <para>Because the SCSI bus is, ehh, a bus there must be a way to
 	    distinguish or address the different devices connected to
 	    it.</para>
 	      
 	  <para>This is done by means of the SCSI or target ID.  Each device
 	    has a unique target ID.  You can select the ID to which a device
 	    must respond using a set of jumpers, or a dip switch, or something
 	    similar.  Some SCSI host adapters let you change the target ID
 	    from the boot menu.  (Yet some others will not let you change the
 	    ID from 7.)  Consult the documentation of your device for more
 	    information.</para>
 	  
 	  <para>Beware of multiple devices configured to use the same ID.
 	    Chaos normally reigns in this case.  A pitfall is that one of the
 	    devices sharing the same ID sometimes even manages to answer to
 	    I/O requests!</para>
 	      
 	  <para>For an 8 bit bus, a maximum of 8 targets is possible.  The
 	    maximum is 8 because the selection is done bitwise using the 8
 	    data lines on the bus.  For wide buses this increases to the
 	    number of data lines (usually 16).</para>
 
 	  <note>
 	    <para>A narrow SCSI device can not communicate with a SCSI device
 	      with a target ID larger than 7.  This means it is generally not
 	      a good idea to move your SCSI host adapter's target ID to
 	      something higher than 7 (or your CDROM will stop
 	      working).</para>
 	  </note>
 	  
 	  <para>The higher the SCSI target ID, the higher the priority the
 	    devices has.  When it comes to arbitration between devices that
 	    want to use the bus at the same time, the device that has the
 	    highest SCSI ID will win.  This also means that the SCSI host
 	    adapter usually uses target ID 7.  Note however that the lower 8
 	    IDs have higher priorities than the higher 8 IDs on a wide-SCSI
 	    bus.  Thus, the order of target IDs is: [7 6 .. 1 0 15 14 .. 9 8]
 	    on a wide-SCSI system.  (If you are wondering why the lower 8
 	    have higher priority, read the previous paragraph for a
 	    hint.)</para>
 	      
 	  <para>For a further subdivision, the standard allows for Logical
 	    Units or LUNs for short.  A single target ID may have multiple
 	    LUNs.  For example, a tape device including a tape changer may
 	    have LUN 0 for the tape device itself, and LUN 1 for the tape
 	    changer.  In this way, the host system can address each of the
 	    functional units of the tape changer as desired.</para>
 	</sect3>
 	    
 	<sect3>
 	  <title>Bus layout</title>
 	  
 	  <para>SCSI buses are linear.  So, not shaped like Y-junctions, star
 	    topologies, rings, cobwebs or whatever else people might want to
 	    invent.  One of the most common mistakes is for people with
 	    wide-SCSI host adapters to connect devices on all three connecters
 	    (external connector, internal wide connector, internal narrow
 	    connector).  Do not do that.  It may appear to work if you are
 	    really lucky, but I can almost guarantee that your system will
 	    stop functioning at the most unfortunate moment (this is also
 	    known as <quote>Murphy's law</quote>).</para>
 	      
 	  <para>You might notice that the terminator issue discussed earlier
 	    becomes rather hairy if your bus is not linear.  Also, if you have
 	    more connectors than devices on your internal SCSI cable, make
 	    sure you attach devices on connectors on both ends instead of
 	    using the connectors in the middle and let one or both ends
 	    dangle.  This will screw up the termination of the bus.</para>
 	      
 	  <para>The electrical characteristics, its noise margins and
 	    ultimately the reliability of it all are tightly related to linear
 	    bus rule.</para>
 	  
 	  <para><emphasis>Stick to the linear bus rule!</emphasis></para>
 	</sect3>
       </sect2>
       
       <sect2>
 	<title>Using SCSI with FreeBSD</title>
 
 	<sect3>
 	  <title>About translations, BIOSes and magic...</title>
 	  
 	  <para>As stated before, you should first make sure that you have a
 	    electrically sound bus.</para>
 	      
 	  <para>When you want to use a SCSI disk on your PC as boot disk, you
 	    must aware of some quirks related to PC BIOSes.  The PC BIOS in
 	    its first incarnation used a low level physical interface to the
 	    hard disk.  So, you had to tell the BIOS (using a setup tool or a
 	    BIOS built-in setup) how your disk physically looked like.  This
 	    involved stating number of heads, number of cylinders, number of
 	    sectors per track, obscure things like precompensation and reduced
 	    write current cylinder etc.</para>
 	      
 	  <para>One might be inclined to think that since SCSI disks are smart
 	    you can forget about this.  Alas, the arcane setup issue is still
 	    present today.  The system BIOS needs to know how to access your
 	    SCSI disk with the head/cyl/sector method in order to load the
 	    FreeBSD kernel during boot.</para>
 	      
 	  <para>The SCSI host adapter or SCSI controller you have put in your
 	    AT/EISA/PCI/whatever bus to connect your disk therefore has its
 	    own on-board BIOS.  During system startup, the SCSI BIOS takes
 	    over the hard disk interface routines from the system BIOS.  To
 	    fool the system BIOS, the system setup is normally set to No hard
 	    disk present.  Obvious, is it not?</para>
 	      
 	  <para>The SCSI BIOS itself presents to the system a so called
 	    <emphasis>translated</emphasis> drive.  This means that a fake
 	    drive table is constructed that allows the PC to boot the drive.
 	    This translation is often (but not always) done using a pseudo
 	    drive with 64 heads and 32 sectors per track.  By varying the
 	    number of cylinders, the SCSI BIOS adapts to the actual drive
 	    size.  It is useful to note that 32 * 64 / 2 = the size of your
 	    drive in megabytes.  The division by 2 is to get from disk blocks
 	    that are normally 512 bytes in size to Kbytes.</para>
 	      
 	  <para>Right.  All is well now?! No, it is not.  The system BIOS has
 	    another quirk you might run into.  The number of cylinders of a
 	    bootable hard disk cannot be greater than 1024.  Using the
 	    translation above, this is a show-stopper for disks greater than 1
 	    GB.  With disk capacities going up all the time this is causing
 	    problems.</para>
 	      
 	  <para>Fortunately, the solution is simple: just use another
 	    translation, e.g. with 128 heads instead of 32.  In most cases new
 	    SCSI BIOS versions are available to upgrade older SCSI host
 	    adapters.  Some newer adapters have an option, in the form of a
 	    jumper or software setup selection, to switch the translation the
 	    SCSI BIOS uses.</para>
 	      
 	  <para>It is very important that <emphasis>all</emphasis> operating
 	    systems on the disk use the <emphasis>same translation</emphasis>
 	    to get the right idea about where to find the relevant partitions.
 	    So, when installing FreeBSD you must answer any questions about
 	    heads/cylinders etc using the translated values your host adapter
 	    uses.</para>
 	      
 	  <para>Failing to observe the translation issue might lead to
 	    un-bootable systems or operating systems overwriting each others
 	    partitions.  Using fdisk you should be able to see all
 	    partitions.</para>
 	      
 	  <para>You might have heard some talk of <quote>lying</quote> devices?
 	    Older FreeBSD kernels used to report the geometry of SCSI disks
 	    when booting.  An example from one of my systems:</para>
 	      
 	  <screen>aha0 targ 0 lun 0: &lt;MICROP 1588-15MB1057404HSP4&gt;
 da0: 636MB (1303250 total sec), 1632 cyl, 15 head, 53 sec, bytes/sec 512</screen>
 
 	  <para>Newer kernels usually do not report this information.
 	    e.g.</para>
 
 	  <screen>(bt0:0:0): "SEAGATE ST41651 7574" type 0 fixed SCSI 2
 da0(bt0:0:0): Direct-Access 1350MB (2766300 512 byte sectors)</screen>
 		
 	  <para>Why has this changed?</para>
 	      
 	  <para>This info is retrieved from the SCSI disk itself.  Newer disks
 	    often use a technique called zone bit recording.  The idea is that
 	    on the outer cylinders of the drive there is more space so more
 	    sectors per track can be put on them.  This results in disks that
 	    have more tracks on outer cylinders than on the inner cylinders
 	    and, last but not least, have more capacity.  You can imagine that
 	    the value reported by the drive when inquiring about the geometry
 	    now becomes suspect at best, and nearly always misleading.  When
 	    asked for a geometry, it is nearly always better to supply the
 	    geometry used by the BIOS, or <emphasis>if the BIOS is never going
 	      to know about this disk</emphasis>, (e.g. it is not a booting
 	    disk) to supply a fictitious geometry that is convenient.</para>
 	</sect3>
 
 	<sect3>
 	  <title>SCSI subsystem design</title>
 	  
 	  <para>FreeBSD uses a layered SCSI subsystem.  For each different
 	    controller card a device driver is written.  This driver knows all
 	    the intimate details about the hardware it controls.  The driver
 	    has a interface to the upper layers of the SCSI subsystem through
 	    which it receives its commands and reports back any status.</para>
 	      
 	  <para>On top of the card drivers there are a number of more generic
 	    drivers for a class of devices.  More specific: a driver for tape
 	    devices (abbreviation: sa, for serial access),
 	    magnetic disks (da, for direct access), CDROMs (cd) etc.
 	    In case you are wondering where you can find this stuff, it all
 	    lives in <filename>/sys/cam/scsi</filename>.  See the man pages in
 	    section 4 for more details.</para>
 	      
 	  <para>The multi level design allows a decoupling of low-level bit
 	    banging and more high level stuff.  Adding support for another
 	    piece of hardware is a much more manageable problem.</para>
 	</sect3>
 
 	<sect3>
 	  <title>Kernel configuration</title>
 	  
 	  <para>Dependent on your hardware, the kernel configuration file must
 	    contain one or more lines describing your host adapter(s).  This
 	    includes I/O addresses, interrupts etc. Consult the manual page for
 	    your adapter driver to get more info. Apart from that, check out
 	    <filename>/sys/i386/conf/LINT</filename> for an overview of a
 	    kernel config file.  <filename>LINT</filename> contains every
 	    possible option you can dream of.  It does
 	    <emphasis>not</emphasis> imply <filename>LINT</filename> will
 	    actually get you to a working kernel at all.</para>
 	  
 	  <para>Although it is probably stating the obvious: the kernel config
 	    file should reflect your actual hardware setup.  So, interrupts,
 	    I/O addresses etc must match the kernel config file.  During
 	    system boot messages will be displayed to indicate whether the
 	    configured hardware was actually found.</para>
 
 	  <note>
 	    <para>Note that most of the EISA/PCI drivers (namely
 	      <devicename>ahb</devicename>, <devicename>ahc</devicename>,
 	      <devicename>ncr</devicename> and <devicename>amd</devicename>
 	      will automatically obtain the correct parameters from the host
 	      adapters themselves at boot time; thus, you just need to write,
 	      for instance, <literal>controller ahc0</literal>.</para>
 	  </note>
 	  
 	  <para>An example loosely based on the FreeBSD 2.2.5-Release kernel
 	    config  file <filename>LINT</filename> with some added comments
 	    (between []):</para>
 	      
 	  <programlisting># SCSI host adapters: `aha', `ahb', `aic', `bt', `nca'
 #
 # aha: Adaptec 154x
 # ahb: Adaptec 174x
 # ahc: Adaptec 274x/284x/294x
 # aic: Adaptec 152x and sound cards using the Adaptec AIC-6360 (slow!)
 # amd: AMD 53c974 based SCSI cards (e.g., Tekram DC-390 and 390T)
 # bt: Most Buslogic controllers
 # nca: ProAudioSpectrum cards using the NCR 5380 or Trantor T130
 # ncr: NCR/Symbios 53c810/815/825/875 etc based SCSI cards
 # uha: UltraStore 14F and 34F
 # sea: Seagate ST01/02 8 bit controller (slow!)
 # wds: Western Digital WD7000 controller (no scatter/gather!).
 #
 
 [For an Adaptec AHA274x/284x/294x/394x etc controller]
 controller	ahc0
 
 [For an NCR/Symbios 53c875 based controller]
 controller	ncr0
 
 [For an Ultrastor adapter]
 controller	uha0	at isa? port "IO_UHA0" bio irq ? drq 5 vector uhaintr
 
 # Map SCSI buses to specific SCSI adapters
 controller	scbus0	at ahc0
 controller	scbus2	at ncr0
 controller	scbus1  at uha0
 
 # The actual SCSI devices
 disk da0 at scbus0 target 0 unit 0	[SCSI disk 0 is at scbus 0, LUN 0]
 disk da1 at scbus0 target 1             [implicit LUN 0 if omitted]
 disk da2 at scbus1 target 3             [SCSI disk on the uha0]
 disk da3 at scbus2 target 4             [SCSI disk on the ncr0]
 tape sa1 at scbus0 target 6             [SCSI tape at target 6]
 device cd0 at scbus?                    [the first ever CDROM found, no wiring]</programlisting>
 	      
 	  <para>The example above tells the kernel to look for a ahc (Adaptec
 	    274x) controller, then for an NCR/Symbios board, and so on.  The
 	    lines following the controller specifications  tell the kernel to
 	    configure specific devices but <emphasis>only</emphasis> attach
 	    them when they match the target ID and LUN specified on the
 	    corresponding bus.</para>
 	      
 	  <para>Wired down devices get <quote>first shot</quote> at the unit
 	    numbers so the first non <quote>wired down</quote> device, is
 	    allocated the unit number  one greater than the highest
 	    <quote>wired down</quote> unit number for that kind of device.  So,
 	    if you had a SCSI tape at target ID 2 it would be configured as
 	    sa2, as the tape at target ID 6 is wired down to unit number
 	    1.</para>
 
 	  <note>
 	    <para>Wired down devices need not be found to get their unit
 	      number.  The unit number for a wired down device is reserved for
 	      that device, even if it is turned off at boot time.  This allows
 	      the device to be turned on and brought on-line at a later time,
 	      without rebooting.  Notice that a device's unit number has
 	      <emphasis>no</emphasis> relationship with its target ID on  the
 	      SCSI bus.</para>
 	  </note>
 	  
 	  <para>Below is another example of a kernel config file as used by
 	    FreeBSD version &lt; 2.0.5.  The difference with the first example
 	    is that devices are not <quote>wired down</quote>.  <quote>Wired
 	    down</quote> means that you specify which SCSI target belongs to
 	    which device.</para>
 	      
 	  <para>A kernel built to the config file below will attach  the first
 	    SCSI disk it finds to da0, the second disk to da1 etc. If you ever
 	    removed or added a disk, all other devices of the same type (disk
 	    in this case) would <quote>move around</quote>.  This implies you have to
 	    change <filename>/etc/fstab</filename> each time.</para>
 	      
 	  <para>Although the old style still works, you  are
 	    <emphasis>strongly</emphasis> recommended to use this new feature.
 	    It will save you a lot of grief whenever you shift your hardware
 	    around on the SCSI buses.  So, when you re-use your old trusty
 	    config file after upgrading from a pre-FreeBSD2.0.5.R system check
 	    this out.</para>
 	  
 	  <programlisting>[driver for Adaptec 174x]
 controller      ahb0 at isa? bio irq 11 vector ahbintr
 
 [for Adaptec 154x]
 controller      aha0    at isa? port "IO_AHA0" bio irq 11 drq 5 vector ahaintr
 
 [for Seagate ST01/02]
 controller      sea0    at isa? bio irq 5 iomem 0xc8000 iosiz 0x2000 vector seaintr
 
 controller      scbus0
 
 device          da0     [support for 4 SCSI harddisks, da0 up da3]
 device          sa0	[support for 2 SCSI tapes]
 
 [for the CDROM]
 device          cd0     #Only need one of these, the code dynamically grows</programlisting>
 	      
 	  <para>Both examples support SCSI disks.  If during boot more devices
 	    of a specific type (e.g. da disks) are found than are configured
 	    in the booting kernel, the system will simply allocate more
 	    devices, incrementing the unit number starting at the last number
 	    <quote>wired down</quote>.  If there are no <quote>wired
 	    down</quote> devices then counting starts at unit 0.</para>
 	      
 	  <para>Use <command>man 4 scsi</command> to check for the latest info
 	    on the SCSI subsystem.  For more detailed info on host adapter
 	    drivers use e.g., <command>man 4 ahc</command> for info on the
 	    Adaptec 294x driver.</para>
 	</sect3>
 
 	<sect3>
 	  <title>Tuning your SCSI kernel setup</title>
 	  
 	  <para>Experience has shown that some devices are slow to respond to
 	    INQUIRY commands after a SCSI bus reset (which happens at boot
 	    time).  An INQUIRY command is sent by the kernel on boot to see
 	    what kind of device (disk, tape, CDROM etc.) is connected to a
 	    specific target ID.  This process is called device probing by the
 	    way.</para>
 	      
 	  <para>To work around the <quote>slow response</quote> problem, FreeBSD allows a
 	    tunable delay time before the SCSI devices are probed following a
 	    SCSI bus reset.  You can set this delay time in your kernel
 	    configuration file using a line like:</para>
 	      
 	  <programlisting>options         SCSI_DELAY=15         #Be pessimistic about Joe SCSI device</programlisting>
 
 	  <para>This line sets the delay time to 15 seconds.  On my own system
 	    I had to use 3 seconds minimum to get my trusty old CDROM drive
 	    to be recognized.  Start with a high value (say 30 seconds or so)
 	    when you have problems  with device recognition.  If this helps,
 	    tune it back until it just stays working.</para>
 	</sect3>
 
 	<sect3 id="scsi-rogue-devices">
 	  <title>Rogue SCSI devices</title>
 	      
 	  <para>Although the SCSI standard tries to be complete and concise,
 	    it is a complex standard and implementing things correctly is no
 	    easy task.  Some vendors do a better job then others.</para>
 	      
 	  <para>This is exactly where the <quote>rogue</quote> devices come
 	    into view. Rogues are devices that are recognized by the FreeBSD
 	    kernel as behaving slightly (...) non-standard.  Rogue devices are
 	    reported by the kernel when booting.  An example for two of my
 	    cartridge tape units:</para>
 	  
 	  <screen>Feb 25 21:03:34 yedi /kernel: ahb0 targ 5 lun 0: &lt;TANDBERG TDC 3600       -06:&gt;
 Feb 25 21:03:34 yedi /kernel: sa0: Tandberg tdc3600 is a known rogue
 
 Mar 29 21:16:37 yedi /kernel: aha0 targ 5 lun 0: &lt;ARCHIVE VIPER 150  21247-005&gt;
 Mar 29 21:16:37 yedi /kernel: sa1: Archive  Viper 150 is a known rogue </screen>
 	      
 	  <para>For instance, there are devices that respond to all LUNs on a
 	    certain target ID, even if they are actually only one device.  It
 	    is easy to see that the kernel might be fooled into believing that
 	    there are 8 LUNs at that particular target ID. The confusion this
 	    causes is left as an exercise to the reader.</para>
 	      
 	  <para>The SCSI subsystem of FreeBSD recognizes devices with bad
 	    habits by looking at the INQUIRY response they send when probed.
 	    Because the INQUIRY response also includes the version number of
 	    the device  firmware, it is even possible that for different
 	    firmware versions different workarounds are used. See e.g.
 	    <filename>/sys/cam/scsi/scsi_sa.c</filename> and
 	    <filename>/sys/cam/scsi/scsi_all.c</filename> for more info on how
 	    this is done.</para>
 	      
 	  <para>This scheme works fine, but keep in mind that it of course
 	    only works for devices that are known to be weird.  If you are the
 	    first to connect your bogus Mumbletech SCSI CDROM you might be
 	    the one that has to define which workaround is needed.</para>
 	      
 	  <para>After you got your Mumbletech working, please send the
 	    required workaround to the FreeBSD development team for inclusion
 	    in the next release of FreeBSD.  Other Mumbletech owners will be
 	    grateful  to you.</para>
 	</sect3>
 
 	<sect3>
 	  <title>Multiple LUN devices</title>
 	  
 	  <para>In some cases you come across devices that use multiple
 	    logical units (LUNs) on a single SCSI ID.  In most cases FreeBSD
 	    only probes devices for LUN 0.  An example are so called bridge
 	    boards that connect 2 non-SCSI hard disks to a SCSI bus (e.g. an
 	    Emulex MD21 found in old Sun systems).</para>
 	      
 	  <para>This means that any devices with LUNs != 0 are not normally
 	    found during device probe on system boot.  To work around this
 	    problem you must add an appropriate entry in /sys/cam/scsi
 	    and rebuild your kernel.</para>
 	      
 	  <para>Look for a struct that is initialized like below:
 	    (FIXME: which file? Do these entries still exist in this form
             now that we use CAM?)</para>
 
 	  <programlisting>{
         T_DIRECT, T_FIXED, "MAXTOR", "XT-4170S", "B5A",
         "mx1", SC_ONE_LU
 }</programlisting>
 	      
 	  <para>For your Mumbletech BRIDGE2000 that has more than one LUN, acts
 	    as a SCSI disk and has firmware revision 123 you would add
 	    something like:</para>
 	      
 	  <programlisting>{
         T_DIRECT, T_FIXED, "MUMBLETECH", "BRIDGE2000", "123",
         "da", SC_MORE_LUS
 }</programlisting>
 	      
 	  <para>The kernel on boot scans the inquiry data it receives against
 	    the table and acts accordingly.  See the source for more
 	    info.</para>
 	</sect3>
 
 	<sect3>
 	  <title>Tagged command queuing</title>
 	  
 	  <para>Modern SCSI devices, particularly magnetic disks,
 	    support what is called tagged command queuing (TCQ).</para>
 	  
 	  <para>In a nutshell, TCQ allows the device to have multiple I/O
 	    requests outstanding at the same time.  Because the device is
 	    intelligent, it can optimize its operations (like head
 	    positioning) based on its own request queue.  On  SCSI devices
 	    like RAID (Redundant Array of Independent Disks) arrays the TCQ
 	    function is indispensable to take advantage of the device's
 	    inherent parallelism.</para>
 	      
 	  <para>Each I/O request is uniquely identified by a <quote>tag</quote>
 	    (hence the name tagged command queuing) and this tag is used by
 	    FreeBSD to see which I/O in the device drivers queue is reported
 	    as complete by the device.</para>
 	      
 	  <para>It should be noted however that TCQ requires device driver
 	    support and that some devices implemented it <quote>not quite
 	    right</quote> in their firmware.  This problem bit me once, and it
 	    leads to highly mysterious problems.  In such cases, try to
 	    disable TCQ.</para>
 	</sect3>
 
 	<sect3>
 	  <title>Bus-master host adapters</title>
 	  
 	  <para>Most, but not all, SCSI host adapters are bus mastering
 	    controllers.  This means that they can do I/O on their own without
 	    putting load onto the host CPU for data movement.</para>
 	      
 	  <para>This is of course an advantage for a multitasking operating
 	    system like FreeBSD.  It must be noted however that there might be
 	    some rough edges.</para>
 	      
 	  <para>For instance an Adaptec 1542 controller can be set to use
 	    different transfer speeds on the host bus (ISA or AT in this
 	    case).  The controller is settable to different rates because not
 	    all motherboards can handle the higher speeds.  Problems like
 	    hang-ups, bad data etc might be the result of using a higher data
 	    transfer rate then your motherboard can stomach.</para>
 	      
 	  <para>The solution is of course obvious: switch to a lower data
 	    transfer rate and try if that works better.</para>
 	      
 	  <para>In the case of a Adaptec 1542, there is an option that can be
 	    put into the kernel config file to allow dynamic determination of
 	    the right, read: fastest feasible, transfer rate.  This option is
 	    disabled by default:</para>
 	      
 	  <programlisting>options        "TUNE_1542"             #dynamic tune of bus DMA speed</programlisting>
 	      
 	  <para>Check the manual pages for the host adapter that you use.  Or
 	    better still, use the ultimate documentation (read: driver
 	    source).</para>
 	</sect3>
       </sect2>
       
       <sect2>
 	<title>Tracking down problems</title>
 
 	<para>The following list is an attempt to give a guideline for the
 	  most common SCSI problems and their solutions.  It is by no means
 	  complete.</para>
 	    
 	<itemizedlist>
 	  <listitem>
 	    <para>Check for loose connectors and cables.</para>
 	  </listitem>
 	  
 	  <listitem>
 	    <para>Check and double check the location and number of your
 	      terminators.</para>
 	  </listitem>
 	  
 	  <listitem>
 	    <para>Check if your bus has at least one supplier of terminator
 	      power (especially with external terminators.</para>
 	  </listitem>
 	  
 	  <listitem>
 	    <para>Check if no double target IDs are used.</para>
 	  </listitem>
 	  
 	  <listitem>
 	    <para>Check if all devices to be used are powered up.</para>
 	  </listitem>
 	  
 	  <listitem>
 	    <para>Make a minimal bus config with as little devices as
 	      possible.</para>
 	  </listitem>
 	  
 	  <listitem>
 	    <para>If possible, configure your host adapter to use slow bus
 	      speeds.</para>
 	  </listitem>
 	  
 	  <listitem>
 	    <para>Disable tagged command queuing to make things as simple as
 	      possible (for a NCR host adapter based system see man
 	      ncrcontrol)</para>
 	  </listitem>
 	  
 	  <listitem>
 	    <para>If you can compile a kernel, make one with the
 	      <literal>SCSIDEBUG</literal> option, and try accessing the
 	      device with debugging turned on for that device.  If your device
 	      does not even probe at startup, you may have to define the
 	      address of the device that is failing, and the desired debug
 	      level in <filename>/sys/cam/cam_debug.h</filename>. If it
 	      probes but just does not work, you can use the
 	      &man.camcontrol.8; command to dynamically set a debug level to
 	      it in a running kernel (if <literal>CAMDEBUG</literal> is
 	      defined).  This will give you <emphasis>copious</emphasis>
 	      debugging output with which to confuse the gurus. See
 	      <command>man camcontrol</command> for more exact information.  Also
 	      look at <command>man 4 pass</command>.</para>
 	  </listitem>
 	</itemizedlist>
       </sect2>
       
       <sect2 id="scsi-further-reading">
 	<title>Further reading</title>
 
 	<para>If you intend to do some serious SCSI hacking, you might want to
 	  have the official standard at hand:</para>
 	    
 	<para>Approved American National Standards can be purchased from
 	  ANSI at
 	  
 	  <address>
 	    <otheraddr>13th Floor</otheraddr>
 	    <street>11 West 42nd Street</street>
 	    <city>New York</city>
 	    <state>NY</state> <postcode>10036</postcode>
 	    Sales Dept: <phone>(212) 642-4900</phone>
 	  </address>
 	</para>
 
 	<para>You can also buy many ANSI
 	  standards and most committee draft documents from Global
 	  Engineering Documents,
 
 	  <address>
 	    <street>15 Inverness Way East</street>
 	    <city>Englewood</city>
 	    <state>CO</state>, <postcode>80112-5704</postcode>
 	    Phone: <phone>(800) 854-7179</phone>
 	    Outside USA and Canada: <phone>(303) 792-2181</phone>
 	    Fax: <fax>(303) 792- 2192</fax>
 	  </address>
 	</para>
 
 	<para>Many X3T10 draft documents are available electronically on the
 	  SCSI BBS (719-574-0424) and on the <hostid
 	    role="fqdn">ncrinfo.ncr.com</hostid> anonymous FTP site.</para>
 	    
 	<para>Latest X3T10 committee documents are:</para>
 
 	<itemizedlist>
 	  <listitem>
 	    <para>AT Attachment (ATA or IDE) [X3.221-1994]
 	      (<emphasis>Approved</emphasis>)</para>
 	  </listitem>
 	  
 	  <listitem>
 	    <para>ATA Extensions (ATA-2) [X3T10/948D Rev 2i]</para>
 	  </listitem>
 	  
 	  <listitem>
 	    <para>Enhanced Small Device Interface (ESDI)
 	      [X3.170-1990/X3.170a-1991]
 	      (<emphasis>Approved</emphasis>)</para>
 	  </listitem>
 	  
 	  <listitem>
 	    <para>Small Computer System Interface &mdash; 2 (SCSI-2)
 	      [X3.131-1994] (<emphasis>Approved</emphasis>)</para>
 	  </listitem>
 	  
 	  <listitem>
 	    <para>SCSI-2 Common Access Method Transport and SCSI Interface
 	      Module (CAM)  [X3T10/792D Rev 11]</para>
 	  </listitem>
 	</itemizedlist>
 
 	<para>Other publications that might provide you with additional
 	  information are:</para>
 
 	<itemizedlist>
 	  <listitem>
 	    <para><quote>SCSI: Understanding the Small Computer System
 	      Interface</quote>, written by NCR  Corporation.  Available from:
 	      Prentice Hall, Englewood Cliffs, NJ, 07632 Phone: (201) 767-5937
 	      ISBN 0-13-796855-8</para>
 	  </listitem>
 	  
 	  <listitem>
 	    <para><quote>Basics of SCSI</quote>, a SCSI tutorial written by
 	      Ancot Corporation Contact Ancot for availability information at:
 	      Phone: (415) 322-5322  Fax: (415) 322-0455</para>
 	  </listitem>
 	  
 	  <listitem>
 	    <para><quote>SCSI Interconnection Guide Book</quote>, an AMP
 	      publication (dated 4/93, Catalog  65237) that lists the various
 	      SCSI connectors and suggests cabling schemes.  Available from
 	      AMP at (800) 522-6752 or (717) 564-0100</para>
 	  </listitem>
 	  
 	  <listitem>
 	    <para><quote>Fast Track to SCSI</quote>, A Product Guide written by
 	      Fujitsu.  Available from: Prentice Hall, Englewood Cliffs, NJ,
 	      07632 Phone: (201) 767-5937 ISBN 0-13-307000-X</para>
 	  </listitem>
 	  
 	  <listitem>
 	    <para><quote>The SCSI Bench Reference</quote>, <quote>The SCSI
 	      Encyclopedia</quote>, and the <quote>SCSI Tutor</quote>, ENDL
 	      Publications, 14426 Black Walnut Court, Saratoga CA, 95070
 	      Phone: (408) 867-6642</para>
 	  </listitem>
 	  
 	  <listitem>
 	    <para><quote>Zadian SCSI Navigator</quote> (quick ref. book) and
 	      <quote>Discover the Power of SCSI</quote>  (First book along with
 	      a one-hour video and tutorial book), Zadian Software, Suite 214,
 	      1210 S. Bascom Ave., San Jose, CA 92128, (408) 293-0800</para>
 	  </listitem>
 	</itemizedlist>
 
 	<para>On Usenet the newsgroups <ulink
 	    url="news:comp.periphs.scsi">comp.periphs.scsi</ulink> and <ulink
 	    url="news:comp.periphs">comp.periphs</ulink> are noteworthy places
 	  to look for more info.  You can also find the <ulink
 	  url="http://scsifaq.org:9080/scsi_faq/scsifaq.html">SCSI-FAQ</ulink>
 	  there, which is posted periodically.</para>
 
 	<para>Most major SCSI device and host adapter suppliers operate FTP
 	  sites and/or BBS systems.  They may be valuable sources of
 	  information about the devices you own.</para>
       </sect2>
     </sect1>
     
     <sect1 id="hw-storage-controllers">
       <title>* Disk/tape controllers</title>
       
       <sect2>
 	<title>* SCSI</title>
 
 	<para></para>
       </sect2>
       
       <sect2>
 	<title>* IDE</title>
 
 	<para></para>
       </sect2>
       
       <sect2>
 	<title>* Floppy</title>
 
 	<para></para>
       </sect2>
     </sect1>
     
     <sect1>
       <title>Hard drives</title>
       
       <sect2>
 	<title>SCSI hard drives</title>
 
 	<para><emphasis>Contributed by &a.asami;.  17 February
 	    1998.</emphasis></para>
 	    
 	<para>As mentioned in the <link linkend="scsi">SCSI</link> section,
 	  virtually all SCSI hard drives sold today are SCSI-2 compliant and
 	  thus will work fine as long as you connect them to a supported SCSI
 	  host adapter.  Most problems people encounter are either due to
 	  badly designed cabling (cable too long, star topology, etc.),
 	  insufficient termination, or defective parts. Please refer to the
 	  <link linkend="scsi">SCSI</link> section first if your SCSI hard
 	  drive is not working.  However, there are a couple of things you may
 	  want to take into account before you purchase SCSI hard drives for
 	  your system.</para>
 
 	<sect3>
 	  <title>Rotational speed</title>
 	  
 	  <para>Rotational speeds of SCSI drives sold today range from around
 	    4,500RPM to 15,000RPM.  Most of them are either 7,200RPM or
 	    10,000RPM, with 15,000RPM becoming affordable (June 2002).
 	    Even though the 10,000RPM drives can generally transfer
 	    data faster, they run considerably hotter than their 7,200RPM
 	    counterparts.  A large fraction of today's disk drive malfunctions
 	    are heat-related.  If you do not have very good cooling in your PC
 	    case, you may want to stick with 7,200RPM or slower drives.</para>
 	      
 	  <para>Note that newer drives, with higher areal recording densities,
 	    can deliver much more bits per rotation than older ones.  Today's
 	    top-of-line 7,200RPM drives can sustain a throughput comparable to
 	    10,000RPM drives of one or two model generations ago.  The number
 	    to find on the spec sheet for bandwidth is <quote>internal data
 	    (or transfer) rate</quote>.  It is usually in megabits/sec so
 	    divide it by 8 and you will get the rough approximation of how much
 	    megabytes/sec you can get out of the drive.</para>
 	      
 	  <para>(If you are a speed maniac and want a 15,000RPM drive for your
 	    cute little PC, be my guest; however, those drives become
 	    extremely hot.  Do not even think about it if you do not have a fan
 	    blowing air <emphasis>directly at</emphasis> the drive or a
 	    properly ventilated disk enclosure.)</para>
 	      
 	  <para>Obviously, the latest 15,000RPM drives and 10,000RPM drives can
 	    deliver more data than the latest 7,200RPM drives, so if absolute
 	    bandwidth is the necessity for your applications, you have little
 	    choice but to get the faster drives.  Also, if you need low
 	    latency, faster drives are better; not only do they usually have
 	    lower average seek times, but also the rotational delay is one
 	    place where slow-spinning drives can never beat a faster one.
 	    (The average rotational latency is half the time it takes to
 	    rotate the drive once; thus, it is 2 milliseconds for 15,000RPM,
 	    3ms for 10,000RPM
 	    drives, 4.2ms for 7,200RPM drives and 5.6ms for 5,400RPM drives.)
 	    Latency is seek time plus rotational delay. Make sure you
 	    understand whether you need low latency or more accesses per
 	    second, though; in the latter case (e.g., news servers), it may
 	    not be optimal to purchase one big fast drive.  You can achieve
 	    similar or even better results by using the ccd (concatenated
 	    disk) driver to create a striped disk array out of multiple slower
 	    drives for comparable overall cost.</para>
 	      
 	  <para>Make sure you have adequate air flow around the drive,
 	    especially if you are going to use a fast-spinning drive.  You
 	    generally need at least 1/2&rdquo; (1.25cm) of spacing above and below a
 	    drive.  Understand how the air flows through your PC case.  Most
 	    cases have the power supply suck the air out of the back.  See
 	    where the air flows in, and put the drive where it will have the
 	    largest volume of cool air flowing around it. You may need to seal
 	    some unwanted holes or add a new fan for effective cooling.</para>
 	      
 	  <para>Another consideration is noise.  Many 10,000 or faster drives
 	    generate a high-pitched whine which is quite unpleasant to most
 	    people.  That, plus the extra fans often required for cooling, may
 	    make 10,000 or faster drives unsuitable for some office and home
 	    environments.</para>
 	</sect3>
 
 	<sect3>
 	  <title>Form factor</title>
 	  
 	  <para>Most SCSI drives sold today are of 3.5&rdquo; form factor.  They
 	    come in two different heights; 1.6&rdquo; (<quote>half-height</quote>) or
 	    1&rdquo; (<quote>low-profile</quote>).  The half-height drive is the same
 	    height as a CDROM drive.  However, do not forget the spacing rule
 	    mentioned in the previous section.  If you have three standard
 	    3.5&rdquo; drive bays, you will not be able to put three half-height
 	    drives in there (without frying them, that is).</para>
 	</sect3>
 
 	<sect3>
 	  <title>Interface</title>
 	  
 	  <para>The majority of SCSI hard drives sold today are Ultra,
 	    Ultra-wide, or Ultra160 SCSI. As of this writing (June 2002),
 	    the first Ultra320 host adapters and devices become available.
 	    The maximum bandwidth of Ultra SCSI is 20MB/sec,
 	    and Ultra-wide SCSI is 40MB/sec. Ultra160 can transfer 160MB/sec
 	    and Ultra320 can transfer 320MB/sec.  There is no difference in max
 	    cable length between Ultra and Ultra-wide; however, the more
 	    devices you have on the same bus, the sooner you will start having
 	    bus integrity problems.  Unless you have a well-designed disk
 	    enclosure, it is not easy to make more than 5 or 6 Ultra SCSI
 	    drives work on a single bus.</para>
 	      
 	  <para>On the other hand, if you need to connect many drives, going
 	    for Fast-wide SCSI may not be a bad idea.  That will have the same
 	    max bandwidth as Ultra (narrow) SCSI, while electronically it is
 	    much easier to get it <quote>right</quote>.  My advice would be: if
 	    you want to connect many disks, get wide or Ultra160 SCSI drives;
         they usually
 	    cost a little more but it may save you down the road.  (Besides,
 	    if you can not afford the cost difference, you should not be building
 	    a disk array.)</para>
 	      
 	  <para>There are two variant of wide SCSI drives; 68-pin and 80-pin
 	    SCA (Single Connector Attach).  The SCA drives do not have a
 	    separate 4-pin power connector, and also read the SCSI ID settings
 	    through the 80-pin connector.  If you are really serious about
 	    building a large storage system, get SCA drives and a good SCA
 	    enclosure (dual power supply with at least one extra fan).  They
 	    are more electronically sound than 68-pin counterparts because
 	    there is no <quote>stub</quote> of the SCSI bus inside the disk
 	    canister as in arrays built from 68-pin drives.  They are easier
 	    to install too (you just need to screw the drive in the canister,
 	    instead of trying to squeeze in your fingers in a tight place to
 	    hook up all the little cables (like the SCSI ID and disk activity
 	    LED lines).</para>
 	</sect3>
       </sect2>
       
       <sect2>
 	<title>* IDE hard drives</title>
 
 	<para></para>
       </sect2>
     </sect1>
     
     <sect1>
       <title>Tape drives</title>
       
       <para><emphasis>Contributed by &a.jmb;.  2 July
 	  1996.</emphasis></para>
       
       <sect2>
 	<title>General tape access commands</title>
 
 	<para>&man.mt.1; provides generic access to the tape drives.  Some of
 	  the more common commands are <command>rewind</command>,
 	  <command>erase</command>, and <command>status</command>.  See the
 	    &man.mt.1; manual page for a detailed description.</para>
       </sect2>
       
       <sect2>
 	<title>Controller Interfaces</title>
 
 	<para>There are several different interfaces that support tape drives.
 	  The interfaces are SCSI, IDE, Floppy and Parallel Port. A wide
 	  variety of tape drives are available for these interfaces.
 	  Controllers are discussed in <link
 	    linkend="hw-storage-controllers">Disk/tape
 	    controllers</link>.</para>
       </sect2>
       
       <sect2>
 	<title>SCSI drives</title>
 
 	<para>The &man.st.4; driver provides support for 8mm (Exabyte), 4mm
 	  (DAT: Digital Audio Tape), QIC (Quarter-Inch Cartridge), DLT
 	  (Digital Linear Tape), QIC Mini cartridge and 9-track (remember the
 	  big reels that you see spinning in Hollywood computer rooms) tape
 	  drives.  See the &man.st.4; manual page for a detailed
 	  description.</para>
 
 	<para>The drives listed below are currently being used by members of
 	  the FreeBSD community.  They are not the only drives that will work
 	  with FreeBSD.  They just happen to be the ones that we use.</para>
 
 	<sect3>
 	  <title>4mm (DAT: Digital Audio Tape)</title>
 	  
 	  <para><link linkend="hw-storage-python-28454">Archive Python
 	      28454</link></para>
 
 	  <para><link linkend="hw-storage-python-04687">Archive Python
 	      04687</link></para>
 	  
 	  <para><link linkend="hw-storage-hp1533a">HP C1533A</link></para>
 	      
 	  <para><link linkend="hw-storage-hp1534a">HP C1534A</link></para>
 	      
 	  <para><link linkend="hw-storage-hp35450a">HP 35450A</link></para>
 	      
 	  <para><link linkend="hw-storage-hp35470a">HP 35470A</link></para>
 	      
 	  <para><link linkend="hw-storage-hp35480a">HP 35480A</link></para>
 	      
 	  <para><link linkend="hw-storage-sdt5000">SDT-5000</link></para>
 	      
 	  <para><link linkend="hw-storage-wangtek6200">Wangtek
 	      6200</link></para>
 	</sect3>
 
 	<sect3>
 	  <title>8mm (Exabyte)</title>
 	  
 	  <para><link linkend="hw-storage-exb8200">EXB-8200</link></para>
 	  
 	  <para><link linkend="hw-storage-exb8500">EXB-8500</link></para>
 	  
 	  <para><link linkend="hw-storage-exb8505">EXB-8505</link></para>
 	</sect3>
 
 	<sect3>
 	  <title>QIC (Quarter-Inch Cartridge)</title>
 	  
 	  <para><link linkend="hw-storage-anaconda">Archive Anaconda
 	      2750</link></para>
 	      
 	  <para><link linkend="hw-storage-viper60">Archive Viper
 	      60</link></para>
 	      
 	  <para><link linkend="hw-storage-viper150">Archive Viper
 	      150</link></para>
 	      
 	  <para><link linkend="hw-storage-viper2525">Archive Viper
 	      2525</link></para>
 	      
 	  <para><link linkend="hw-storage-tandberg3600">Tandberg TDC
 	      3600</link></para>
 
 	  <para><link linkend="hw-storage-tandberg3620">Tandberg TDC
 	      3620</link></para>
 	    
 	  <para><link linkend="hw-storage-tandberg3800">Tandberg TDC
 	      3800</link></para>
 	      
 	  <para><link linkend="hw-storage-tandberg4222">Tandberg TDC
 	      4222</link></para>
 	      
 	  <para><link linkend="hw-storage-wangtek5525es">Wangtek
 	      5525ES</link></para>
 	</sect3>
 
 	<sect3>
 	  <title>DLT (Digital Linear Tape)</title>
 	  
 	  <para><link linkend="hw-storage-dectz87">Digital TZ87</link></para>
 	</sect3>
 
 	<sect3>
 	  <title>Mini-Cartridge</title>
 	  
 	  <para><link linkend="hw-storage-ctms3200">Conner CTMS
 	      3200</link></para>
 	      
 	  <para><link linkend="hw-storage-exb2501">Exabyte 2501</link></para>
 	</sect3>
 
 	<sect3>
 	  <title>Autoloaders/Changers</title>
 	  
 	  <para><link linkend="hw-storage-hp1553a">Hewlett-Packard HP C1553A
 	      Autoloading DDS2</link></para>
 	</sect3>
       </sect2>
       
       <sect2>
 	<title>* IDE drives</title>
 
 	<para></para>
       </sect2>
       
       <sect2>
 	<title>Floppy drives</title>
 
 	<para><link linkend="hw-storage-conner420r">Conner 420R</link></para>
       </sect2>
       
       <sect2>
 	<title>* Parallel port drives</title>
 
 	<para></para>
       </sect2>
       
       <sect2>
 	<title>Detailed Information</title>
 
 	<sect3 id="hw-storage-anaconda">
 	  <title>Archive Anaconda 2750</title>
 	  
 	  <para>The boot message identifier for this drive is <literal>ARCHIVE
 	      ANCDA 2750 28077 -003 type 1 removable SCSI 2</literal></para>
 	  
 	  <para>This is a QIC tape drive.</para>
 	  
 	  <para>Native capacity is 1.35GB when using QIC-1350 tapes.  This
 	    drive will read and write QIC-150 (DC6150), QIC-250 (DC6250), and
 	    QIC-525 (DC6525) tapes as well.</para>
 	      
 	  <para>Data transfer rate is 350kB/s using &man.dump.8;.
 	    Rates of 530kB/s have been reported when using
 	    Amanda</para>
 
 	  <para>Production of this drive has been discontinued.</para>
 	  
 	  <para>The SCSI bus connector on this tape drive is reversed from
 	    that on most other SCSI devices.  Make sure that you have enough
 	    SCSI cable to twist the cable one-half turn before and after the
 	    Archive Anaconda tape drive, or turn your other SCSI devices
 	    upside-down.</para>
 	  
 	  <para>Two kernel code changes are required to use this drive. This
 	    drive will not work as delivered.</para>
 	      
 	  <para>If you have a SCSI-2 controller, short jumper 6. Otherwise,
 	    the drive behaves are a SCSI-1 device.  When operating as a SCSI-1
 	    device, this drive, <quote>locks</quote> the SCSI bus during some
 	    tape operations, including: fsf, rewind, and rewoffl.</para>
 	      
 	  <para>If you are using the NCR SCSI controllers, patch the file
 	    <filename>/usr/src/sys/pci/ncr.c</filename> (as shown below).
 	    Build and install a new kernel.</para>
 	      
 	  <programlisting>*** 4831,4835 ****
                 };
         
 !               if (np-&gt;latetime&gt;4) {
                         /*
                         **      Although we tried to wake it up,
 --- 4831,4836 ----
                 };
 
 !               if (np-&gt;latetime&gt;1200) {
                         /*
                         **      Although we tried to wake it up,</programlisting>
 	      
 	  <para>Reported by: &a.jmb;</para>
 	</sect3>
 
 	<sect3 id="hw-storage-python-28454">
 	  <title>Archive Python 28454</title>
 	  
 	  <para>The boot message identifier for this drive is <literal>ARCHIVE
 	      Python 28454-XXX4ASB</literal> <literal>type 1 removable SCSI
 	      2</literal> <literal>density code 0x8c, 512-byte
 	      blocks</literal></para>
 	      
 	  <para>This is a DDS-1 tape drive.</para>
 	      
 	  <para>Native capacity is 2.5GB on 90m tapes.</para>
 	  
 	  <para>Data transfer rate is XXX.</para>
 	  
 	  <para>This drive was repackaged by Sun Microsystems as model
 	    595-3067.</para>
 	      
 	  <para>Reported by: Bob Bishop <email>rb@gid.co.uk</email></para>
 	  
 	  <para>Throughput is in the 1.5 MByte/sec range, however this will
 	    drop if the disks and tape drive are on the same SCSI
 	    controller.</para>
 
 	  <para>Reported by: Robert E. Seastrom
 	    <email>rs@seastrom.com</email></para>
 	</sect3>
 
 	<sect3 id="hw-storage-python-04687">
 	  <title>Archive Python 04687</title>
 
 	  <para>The boot message identifier for this drive is <literal>ARCHIVE 
 	      Python 04687-XXX 6580</literal> <literal>Removable Sequential
 	      Access SCSI-2 device</literal></para>
 
 	  <para>This is a DAT-DDS-2 drive.</para>
 
 	  <para>Native capacity is 4GB when using 120m tapes.</para>
 
 	  <para>This drive supports hardware data compression.  Switch 4
 	    controls MRS (Media Recognition System).  MRS tapes have stripes
 	    on the transparent leader.  Switch 4 <emphasis>off</emphasis>
 	    enables MRS, <emphasis>on</emphasis> disables MRS.</para>
 
 	  <para>Parity is controlled by switch 5.  Switch 5
 	    <emphasis>on</emphasis> to enable parity control.  Compression is
 	    enabled with Switch 6 <emphasis>off</emphasis>.  It is possible to 
 	    override compression with the <literal>SCSI MODE SELECT</literal>
 	    command (see &man.mt.1;).</para>
 
 	  <para>Data transfer rate is 800kB/s.</para>
 	</sect3>
 
 	<sect3 id="hw-storage-viper60">
 	  <title>Archive Viper 60</title>
 	  
 	  <para>The boot message identifier for this drive is <literal>ARCHIVE
 	      VIPER 60 21116 -007</literal> <literal>type 1 removable SCSI
 	      1</literal></para>
 	      
 	  <para>This is a QIC tape drive.</para>
 	  
 	  <para>Native capacity is 60MB.</para>
 	  
 	  <para>Data transfer rate is XXX.</para>
 	  
 	  <para>Production of this drive has been discontinued.</para>
 	  
 	  <para>Reported by: Philippe Regnauld
 	    <email>regnauld@hsc.fr</email></para>
 	</sect3>
 
 	<sect3 id="hw-storage-viper150">
 	  <title>Archive Viper 150</title>
 	  
 	  <para>The boot message identifier for this drive is <literal>ARCHIVE
 	      VIPER 150 21531 -004</literal> <literal>Archive Viper 150 is a
 	      known rogue</literal> <literal>type 1 removable SCSI
 	      1</literal>.  A multitude of firmware revisions exist for this
 	    drive.  Your drive may report different numbers (e.g
 	    <literal>21247 -005</literal>.</para>
 	      
 	  <para>This is a QIC tape drive.</para>
 	  
 	  <para>Native capacity is 150/250MB.  Both 150MB (DC6150) and 250MB
 	    (DC6250) tapes have the recording format.  The 250MB tapes are
 	    approximately 67% longer than the 150MB tapes.  This drive can
 	    read 120MB tapes as well.  It can not write 120MB tapes.</para>
 	      
 	  <para>Data transfer rate is 100kB/s</para>
 	  
 	  <para>This drive reads and writes DC6150 (150MB) and DC6250 (250MB)
 	    tapes.</para>
 	      
 	  <para>This drives quirks are known and pre-compiled into the SCSI
 	    tape device driver (&man.st.4;).</para>
 	      
 	  <para>Under FreeBSD 2.2-CURRENT, use <command>mt blocksize
 	      512</command> to set the blocksize.  (The particular drive had
 	    firmware revision 21247 -005.  Other firmware revisions may behave
 	    differently) Previous versions of FreeBSD did not have this
 	    problem.</para>
 	      
 	  <para>Production of this drive has been discontinued.</para>
 	  
 	  <para>Reported by: Pedro A M Vazquez
 	    <email>vazquez@IQM.Unicamp.BR</email></para>
 	  
 	  <para>&a.msmith;</para>
 	</sect3>
 	    
 	<sect3 id="hw-storage-viper2525">
 	  <title>Archive Viper 2525</title>
 	  
 	  <para>The boot message identifier for this drive is <literal>ARCHIVE
 	      VIPER 2525 25462 -011</literal> <literal>type 1 removable SCSI
 	      1</literal></para>
 	  
 	  <para>This is a QIC tape drive.</para>
 	  
 	  <para>Native capacity is 525MB.</para>
 	  
 	  <para>Data transfer rate is 180kB/s at 90 inches/sec.</para>
 	  
 	  <para>The drive reads QIC-525, QIC-150, QIC-120 and QIC-24 tapes.
 	    Writes QIC-525, QIC-150, and QIC-120.</para>
 	      
 	  <para>Firmware revisions prior to <literal>25462 -011</literal> are
 	    bug ridden and will not function properly.</para>
 	  
 	  <para>Production of this drive has been discontinued.</para>
 	</sect3>
 
 	<sect3 id="hw-storage-conner420r">
 	  <title>Conner 420R</title>
 	  
 	  <para>The boot message identifier for this drive is <literal>Conner
 	      tape</literal>.</para>
 	      
 	  <para>This is a floppy controller, mini cartridge tape drive.</para>
 	      
 	  <para>Native capacity is XXXX</para>
 	  
 	  <para>Data transfer rate is XXX</para>
 	  
 	  <para>The drive uses QIC-80 tape cartridges.</para>
 	  
 	  <para>Reported by: Mark Hannon
 	    <email>mark@seeware.DIALix.oz.au</email></para>
 	</sect3>
 
 	<sect3 id="hw-storage-ctms3200">
 	  <title>Conner CTMS 3200</title>
 	      
 	  <para>The boot message identifier for this drive is <literal>CONNER
 	      CTMS 3200 7.00</literal> <literal>type 1 removable SCSI
 	      2</literal>.</para>
 	      
 	  <para>This is a mini cartridge tape drive.</para>
 	  
 	  <para>Native capacity is XXXX</para>
 	  
 	  <para>Data transfer rate is XXX</para>
 	  
 	  <para>The drive uses QIC-3080 tape cartridges.</para>
 	  
 	  <para>Reported by: Thomas S. Traylor
 	    <email>tst@titan.cs.mci.com</email></para>
 	</sect3>
 
 	<sect3 id="hw-storage-dectz87">
 	  <title><ulink
 	      url="http://www.digital.com/info/Customer-Update/931206004.txt.html">DEC TZ87</ulink></title>
 	  
 	  <para>The boot message identifier for this drive is <literal>DEC
 	      TZ87 (C) DEC 9206</literal> <literal>type 1 removable SCSI
 	      2</literal> <literal>density code 0x19</literal></para>
 	      
 	  <para>This is a DLT tape drive.</para>
 	  
 	  <para>Native capacity is 10GB.</para>
 	  
 	  <para>This drive supports hardware data compression.</para>
 	  
 	  <para>Data transfer rate is 1.2MB/s.</para>
 	  
 	  <para>This drive is identical to the Quantum DLT2000.  The drive
 	    firmware can be set to emulate several well-known drives,
 	    including an Exabyte 8mm drive.</para>
 	      
 	  <para>Reported by: &a.wilko;</para>
 	</sect3>
 
 	<sect3 id="hw-storage-exb2501">
 	  <title><ulink
 	      url="http://www.Exabyte.COM:80/Products/Minicartridge/2501/Rfeatures.html">Exabyte EXB-2501</ulink></title>
 	      
 	  <para>The boot message identifier for this drive is <literal>EXABYTE
 	      EXB-2501</literal></para>
 	      
 	  <para>This is a mini-cartridge tape drive.</para>
 	      
 	  <para>Native capacity is 1GB when using MC3000XL
 	    mini cartridges.</para>
 	      
 	  <para>Data transfer rate is XXX</para>
 	  
 	  <para>This drive can read and write DC2300 (550MB), DC2750 (750MB),
 	    MC3000 (750MB), and MC3000XL (1GB) mini cartridges.</para>
 	      
 	  <para>WARNING: This drive does not meet the SCSI-2 specifications.
 	    The drive locks up completely in response to a SCSI MODE_SELECT
 	    command unless there is a formatted tape in the drive.  Before
 	    using this drive, set the tape blocksize with</para>
 	      
 	  <screen>&prompt.root; <userinput>mt -f /dev/st0ctl.0 blocksize 1024</userinput></screen>
 	      
 	  <para>Before using a mini cartridge for the first time, the
 	    mini cartridge must be formated.  FreeBSD 2.1.0-RELEASE and
 	    earlier:</para>
 	      
 	  <screen>&prompt.root; <userinput>/sbin/scsi -f /dev/rst0.ctl -s 600 -c "4 0 0 0 0 0"</userinput></screen>
 	      
 	  <para>(Alternatively, fetch a copy of the
 	    <command>scsiformat</command> shell script from FreeBSD
 	    2.1.5/2.2.) FreeBSD 2.1.5 and later:</para>
 	      
 	  <screen>&prompt.root; <userinput>/sbin/scsiformat -q -w /dev/rst0.ctl</userinput></screen>
 	      
 	  <para>Right now, this drive cannot really be recommended for
 	    FreeBSD.</para>
 	      
 	  <para>Reported by: Bob Beaulieu
 	    <email>ez@eztravel.com</email></para>
 	</sect3>
 
 	<sect3 id="hw-storage-exb8200">
 	  <title>Exabyte EXB-8200</title>
 	  
 	  <para>The boot message identifier for this drive is <literal>EXABYTE
 	      EXB-8200 252X</literal> <literal>type 1 removable SCSI
 	      1</literal></para>
 	      
 	  <para>This is an 8mm tape drive.</para>
 	  
 	  <para>Native capacity is 2.3GB.</para>
 	  
 	  <para>Data transfer rate is 270kB/s.</para>
 	  
 	  <para>This drive is fairly slow in responding to the SCSI bus during
 	    boot.  A custom kernel may be required (set SCSI_DELAY to 10
 	    seconds).</para>
 	  
 	  <para>There are a large number of firmware configurations for this
 	    drive, some have been customized to a particular vendor's
 	    hardware.  The firmware can be changed via EPROM
 	    replacement.</para>
 	      
 	  <para>Production of this drive has been discontinued.</para>
 	  
 	  <para>Reported by: &a.msmith;</para>
 	</sect3>
 
 	<sect3 id="hw-storage-exb8500">
 	  <title>Exabyte EXB-8500</title>
 	  
 	  <para>The boot message identifier for this drive is <literal>EXABYTE
 	      EXB-8500-85Qanx0 0415</literal> <literal>type 1 removable SCSI
 	      2</literal></para>
 	      
 	  <para>This is an 8mm tape drive.</para>
 	  
 	  <para>Native capacity is 5GB.</para>
 	  
 	  <para>Data transfer rate is 300kB/s.</para>
 	      
 	  <para>Reported by: Greg Lehey <email>grog@lemis.de</email></para>
 	</sect3>
 
 	<sect3 id="hw-storage-exb8505">
 	  <title><ulink
 	      url="http://www.Exabyte.COM:80/Products/8mm/8505XL/Rfeatures.html">Exabyte EXB-8505</ulink></title>
 	      
 	      <para>The boot message identifier for this drive is
 	    <literal>EXABYTE EXB-85058SQANXR1 05B0</literal> <literal>type 1
 	      removable SCSI 2</literal></para>
 	      
 	  <para>This is an 8mm tape drive which supports compression, and is
 	    upward compatible with the EXB-5200 and EXB-8500.</para>
 	  
 	  <para>Native capacity is 5GB.</para>
 	  
 	  <para>The drive supports hardware data compression.</para>
 	  
 	  <para>Data transfer rate is 300kB/s.</para>
 	  
 	  <para>Reported by: Glen Foster
 	    <email>gfoster@gfoster.com</email></para>
 	</sect3>
 
 	<sect3 id="hw-storage-hp1533a">
 	  <title>Hewlett-Packard HP C1533A</title>
 	  
 	  <para>The boot message identifier for this drive is <literal>HP
 	      C1533A 9503</literal> <literal>type 1 removable SCSI
 	      2</literal>.</para>
 	      
 	  <para>This is a DDS-2 tape drive.  DDS-2 means hardware data
 	    compression and narrower tracks for increased data
 	    capacity.</para>
 	  
 	  <para>Native capacity is 4GB when using 120m tapes.  This drive
 	    supports hardware data compression.</para>
 	      
 	  <para>Data transfer rate is 510kB/s.</para>
 	  
 	  <para>This drive is used in Hewlett-Packard's SureStore 6000eU and
 	    6000i tape drives and C1533A DDS-2 DAT drive.</para>
 	  
 	  <para>The drive has a block of 8 dip switches.  The proper settings
 	    for FreeBSD are: 1 ON; 2 ON; 3 OFF; 4 ON; 5 ON; 6 ON; 7 ON; 8
 	    ON.</para>
 	  
-	  <informaltable frame="none">
+	  <informaltable frame="none" pgwide="1">
 	    <tgroup cols="3">
 	      <thead>
 		<row>
 		  <entry>switch 1</entry>
 		  <entry>switch 2</entry>
 		  <entry>Result</entry>
 		</row>
 	      </thead>
 	      
 	      <tbody>
 		<row>
 		  <entry>On</entry>
 		  <entry>On</entry>
 		  <entry>Compression enabled at power-on, with host
 		    control</entry>
 		</row>
 		
 		<row>
 		  <entry>On</entry>
 		  <entry>Off</entry>
 		  <entry>Compression enabled at power-on, no host
 		    control</entry>
 		</row>
 		
 		<row>
 		  <entry>Off</entry>
 		  <entry>On</entry>
 		  <entry>Compression disabled at power-on, with host
 		    control</entry>
 		</row>
 		
 		<row>
 		  <entry>Off</entry>
 		  <entry>Off</entry>
 		  <entry>Compression disabled at power-on, no host
 		    control</entry>
 		</row>
 	      </tbody>
 	    </tgroup>
 	  </informaltable>
 	  
 	  <para>Switch 3 controls MRS (Media Recognition System).  MRS tapes
 	    have stripes on the transparent leader.  These identify the tape
 	    as DDS (Digital Data Storage) grade media.  Tapes that do not have
 	    the stripes will be treated as write-protected.  Switch 3 OFF
 	    enables MRS.  Switch 3 ON disables MRS.</para>
 	      
 	      <para>See <ulink url="http://www.hp.com/tape/c_intro.html">HP
 	      SureStore Tape Products</ulink> and <ulink
 	      url="http://www.impediment.com/hp/hp_technical.html">Hewlett-Packard
 	      Disk and Tape Technical Information</ulink> for more information
 	    on configuring this drive.</para>
 	      
 	  <para><emphasis>Warning:</emphasis> Quality control on these drives
 	    varies greatly.  One FreeBSD core-team member has returned 2 of
 	    these drives.  Neither lasted more than 5 months.</para>
 	      
 	  <para>Reported by: &a.se;</para>
 	</sect3>
 
 	<sect3 id="hw-storage-hp1534a">
 	  <title>Hewlett-Packard HP 1534A</title>
 	  
 	  <para>The boot message identifier for this drive is <literal>HP
 	      HP35470A T503</literal> <literal>type 1 removable SCSI
 	      2</literal> <literal>Sequential-Access density code 0x13,
 	      variable blocks</literal>.</para>
 	      
 	  <para>This is a DDS-1 tape drive.  DDS-1 is the original DAT tape
 	    format.</para>
 	      
 	  <para>Native capacity is 2GB when using 90m tapes.</para>
 	      
 	  <para>Data transfer rate is 183kB/s.</para>
 	  
 	  <para>The same mechanism is used in Hewlett-Packard's SureStore
 	    <ulink url="http://www.dmo.hp.com/tape/sst2000.htm">2000i</ulink>
 	    tape drive, C35470A DDS format DAT drive, C1534A DDS format DAT
 	    drive and HP C1536A DDS format DAT drive.</para>
 	      
 	  <para>The HP C1534A DDS format DAT drive has two indicator lights,
 	    one green and one amber.  The green one indicates tape action:
 	    slow flash during load, steady when loaded, fast flash during
 	    read/write operations.  The amber one indicates warnings: slow
 	    flash when cleaning is required or tape is nearing the end of its
 	    useful life, steady indicates an hard fault.  (factory service
 	    required?)</para>
 	      
 	  <para>Reported by Gary Crutcher
 	    <email>gcrutchr@nightflight.com</email></para>
 	</sect3>
 
 	<sect3 id="hw-storage-hp1553a">
 	  <title>Hewlett-Packard HP C1553A Autoloading DDS2</title>
 	  
 	  <para>The boot message identifier for this drive is "".</para>
 	  
 	  <para>This is a DDS-2 tape drive with a tape changer.  DDS-2 means
 	    hardware data compression and narrower tracks for increased data
 	    capacity.</para>
 	      
 	  <para>Native capacity is 24GB when using 120m tapes.  This drive
 	    supports hardware data compression.</para>
 	      
 	  <para>Data transfer rate is 510kB/s (native).</para>
 	      
 	  <para>This drive is used in Hewlett-Packard's SureStore <ulink
 	      url="http://www.dmo.hp.com/tape/sst12000.htm">12000e</ulink>
 	    tape drive.</para>
 	      
 	  <para>The drive has two selectors on the rear panel.  The selector
 	    closer to the fan is SCSI id.  The other selector should be set to
 	    7.</para>
 	      
 	  <para>There are four internal switches.  These should be set: 1 ON;
 	    2 ON; 3 ON; 4 OFF.</para>
 	      
 	  <para>At present the kernel drivers do not automatically change
 	    tapes at the end of a volume.  This shell script can be used to
 	    change tapes:</para>
 	      
 	  <programlisting>#!/bin/sh
 PATH="/sbin:/usr/sbin:/bin:/usr/bin"; export PATH
 
 usage()
 {
         echo "Usage: dds_changer [123456ne] raw-device-name
         echo "1..6 = Select cartridge"
         echo "next cartridge"
         echo "eject magazine"
         exit 2
 }
 
 if [ $# -ne 2 ] ; then
         usage
 fi
 
 cdb3=0
 cdb4=0
 cdb5=0
 
 case $1 in
         [123456])
                 cdb3=$1
                 cdb4=1
                 ;;
         n)
                 ;;
         e)
                 cdb5=0x80
                 ;;
         ?)
                 usage
                 ;;
 esac
 
 scsi -f $2 -s 100 -c "1b 0 0 $cdb3 $cdb4 $cdb5"</programlisting>
 	</sect3>
 
 	<sect3 id="hw-storage-hp35450a">
 	  <title>Hewlett-Packard HP 35450A</title>
 	  
 	  <para>The boot message identifier for this drive is <literal>HP
 	      HP35450A -A C620</literal> <literal>type 1 removable SCSI
 	      2</literal> <literal>Sequential-Access density code
 	      0x13</literal></para>
 	      
 	  <para>This is a DDS-1 tape drive.  DDS-1 is the original DAT tape
 	    format.</para>
 	      
 	  <para>Native capacity is 1.2GB.</para>
 	      
 	  <para>Data transfer rate is 160kB/s.</para>
 	  
 	  <para>Reported by: Mark Thompson
 	    <email>mark.a.thompson@pobox.com</email></para>
 	</sect3>
 
 	<sect3 id="hw-storage-hp35470a">
 	  <title>Hewlett-Packard HP 35470A</title>
 	  
 	  <para>The boot message identifier for this drive is <literal>HP
 	      HP35470A 9 09</literal> <literal>type 1 removable SCSI
 	      2</literal></para>
 	      
 	  <para>This is a DDS-1 tape drive.  DDS-1 is the original DAT tape
 	    format.</para>
 	      
 	  <para>Native capacity is 2GB when using 90m tapes.</para>
 	      
 	  <para>Data transfer rate is 183kB/s.</para>
 	  
 	  <para>The same mechanism is used in Hewlett-Packard's SureStore
 	    <ulink url="http://www.dmo.hp.com/tape/sst2000.htm">2000i</ulink>
 	    tape drive, C35470A DDS format DAT drive, C1534A DDS format DAT
 	    drive, and HP C1536A DDS format DAT drive.</para>
 	      
 	  <para><emphasis>Warning:</emphasis> Quality control on these drives
 	    varies greatly.  One FreeBSD core-team member has returned 5 of
 	    these drives.  None lasted more than 9 months.</para>
 	      
 	  <para>Reported by: David Dawes
 	    <email>dawes@rf900.physics.usyd.edu.au</email> (9 09)</para>
 	      
 	</sect3>
 
 	<sect3 id="hw-storage-hp35480a">
 	  <title>Hewlett-Packard HP 35480A</title>
 	  
 	  <para>The boot message identifier for this drive is <literal>HP
 	      HP35480A 1009</literal> <literal>type 1 removable SCSI
 	      2</literal> <literal>Sequential-Access density code
 	      0x13</literal>.</para>
 	      
 	  <para>This is a DDS-DC tape drive.  DDS-DC is DDS-1 with hardware
 	    data compression.  DDS-1 is the original DAT tape format.</para>
 	      
 	  <para>Native capacity is 2GB when using 90m tapes.  It cannot handle
 	    120m tapes.  This drive supports hardware data compression.
 	    Please refer to the section on <link
 	      linkend="hw-storage-hp1533a">HP C1533A</link> for the proper
 	    switch settings.</para>
 	      
 	  <para>Data transfer rate is 183kB/s.</para>
 	  
 	  <para>This drive is used in Hewlett-Packard's SureStore <ulink
 	      url="http://www.dmo.hp.com/tape/sst5000.htm">5000eU</ulink> and
 	    <ulink url="http://www.dmo.hp.com/tape/sst5000.htm">5000i</ulink>
 	    tape drives and C35480A DDS format DAT drive..</para>
 	      
 	  <para>This drive will occasionally hang during a tape eject
 	    operation (<command>mt offline</command>). Pressing the front
 	    panel button will eject the tape and bring the tape drive back to
 	    life.</para>
 	      
 	  <para>WARNING: HP 35480-03110 only.  On at least two occasions this
 	    tape drive when used with FreeBSD 2.1.0, an IBM Server 320 and an
 	    2940W SCSI controller resulted in all SCSI disk partitions being
 	    lost.  The problem has not be analyzed or resolved at this
 	    time.</para>
 	</sect3>
 
 	<sect3 id="hw-storage-sdt5000">
 	  <title><ulink
 	      url="http://www.sel.sony.com/SEL/ccpg/storage/tape/t5000.html">Sony SDT-5000</ulink></title>
 	      
 	  <para>There are at least two significantly different models: one is
 	    a DDS-1 and the other DDS-2.  The DDS-1 version is
 	    <literal>SDT-5000 3.02</literal>.  The DDS-2 version is
 	    <literal>SONY SDT-5000 327M</literal>. The DDS-2 version has a 1MB
 	    cache.  This cache is able to keep the tape streaming in almost
 	    any circumstances.</para>
 	      
 	  <para>The boot message identifier for this drive is <literal>SONY
 	      SDT-5000 3.02</literal> <literal>type 1 removable SCSI
 	      2</literal> <literal>Sequential-Access density code
 	      0x13</literal></para>
 	      
 	  <para>Native capacity is 4GB when using 120m tapes.  This drive
 	    supports hardware data compression.</para>
 	      
 	  <para>Data transfer rate is depends upon the model or the drive. The
 	    rate is 630kB/s for the <literal>SONY SDT-5000 327M</literal>
 	    while compressing the data.  For the <literal>SONY SDT-5000
 	      3.02</literal>, the data transfer rate is 225kB/s.</para>
 	      
 	  <para>In order to get this drive to stream, set the blocksize to 512
 	    bytes (<command>mt blocksize 512</command>) reported by Kenneth
 	    Merry <email>ken@ulc199.residence.gatech.edu</email>.</para>
 	      
 	  <para><literal>SONY SDT-5000 327M</literal> information reported by
 	    Charles Henrich <email>henrich@msu.edu</email>.</para>
 	      
 	  <para>Reported by: &a.jmz;</para>
 	</sect3>
 
 	<sect3 id="hw-storage-tandberg3600">
 	  <title>Tandberg TDC 3600</title>
 	  
 	  <para>The boot message identifier for this drive is
 	    <literal>TANDBERG TDC 3600 =08:</literal> <literal>type 1
 	      removable SCSI 2</literal></para>
 	      
 	  <para>This is a QIC tape drive.</para>
 	  
 	  <para>Native capacity is 150/250MB.</para>
 	  
 	  <para>This drive has quirks which are known and work around code is
 	    present in the SCSI tape device driver (&man.st.4;).
 	    Upgrading the firmware to XXX version will fix the quirks and
 	    provide SCSI 2 capabilities.</para>
 	      
 	  <para>Data transfer rate is 80kB/s.</para>
 	  
 	  <para>IBM and Emerald units will not work.  Replacing the firmware
 	    EPROM of these units will solve the problem.</para>
 	      
 	  <para>Reported by: &a.msmith;</para>
 	</sect3>
 
 	<sect3 id="hw-storage-tandberg3620">
 	  <title>Tandberg TDC 3620</title>
 	  
 	  <para>This is very similar to the <link
 	      linkend="hw-storage-tandberg3600">Tandberg TDC 3600</link>
 	    drive.</para>
 	      
 	  <para>Reported by: &a.joerg;</para>
 	</sect3>
 
 	<sect3 id="hw-storage-tandberg3800">
 	  <title>Tandberg TDC 3800</title>
 
 	  <para>The boot message identifier for this drive is
 	    <literal>TANDBERG TDC 3800 =04Y</literal> <literal>Removable
 	      Sequential Access SCSI-2 device</literal></para>
 	      
 	  <para>This is a QIC tape drive.</para>
 	  
 	  <para>Native capacity is 525MB.</para>
 	  
 	  <para>Reported by: &a.jhs;</para>
 	</sect3>
 
 	<sect3 id="hw-storage-tandberg4222">
 	  <title>Tandberg TDC 4222</title>
 	  
 	  <para>The boot message identifier for this drive is
 	    <literal>TANDBERG TDC 4222 =07</literal> <literal>type 1 removable
 	      SCSI 2</literal></para>
 	      
 	  <para>This is a QIC tape drive.</para>
 	  
 	  <para>Native capacity is 2.5GB.  The drive will read all cartridges
 	    from the 60 MB (DC600A) upwards, and write 150 MB (DC6150)
 	    upwards.  Hardware compression is optionally supported for the 2.5
 	    GB cartridges.</para>
 	      
 	  <para>This drives quirks are known and pre-compiled into the SCSI
 	    tape device driver (&man.st.4;) beginning with FreeBSD
 	    2.2-CURRENT.  For previous versions of FreeBSD, use
 	    <command>mt</command> to read one block from the tape, rewind the
 	    tape, and then execute the backup program (<command>mt fsr 1; mt
 	      rewind; dump ...</command>)</para>
 	      
 	  <para>Data transfer rate is 600kB/s (vendor claim with compression),
 	    350 KB/s can even be reached in start/stop mode. The rate
 	    decreases for smaller cartridges.</para>
 	  
 	  <para>Reported by: &a.joerg;</para>
 	</sect3>
 
 	<sect3 id="hw-storage-wangtek5525es">
 	  <title>Wangtek 5525ES</title>
 	  
 	  <para>The boot message identifier for this drive is <literal>WANGTEK
 	      5525ES SCSI REV7 3R1</literal> <literal>type 1 removable SCSI
 	      1</literal> <literal>density code 0x11, 1024-byte
 	      blocks</literal></para>
 	      
 	  <para>This is a QIC tape drive.</para>
 	  
 	  <para>Native capacity is 525MB.</para>
 	  
 	  <para>Data transfer rate is 180kB/s.</para>
 	  
 	  <para>The drive reads 60, 120, 150, and 525MB tapes.  The drive will
 	    not write 60MB (DC600 cartridge) tapes.  In order to overwrite 120
 	    and 150 tapes reliably, first erase (<command>mt erase</command>)
 	    the tape.  120 and 150 tapes used a wider track (fewer tracks per
 	    tape) than 525MB tapes. The <quote>extra</quote> width of the
 	    previous tracks is not overwritten, as a result the new data lies
 	    in a band surrounded on both sides by the previous data unless the
 	    tape have been erased.</para>
 	      
 	  <para>This drives quirks are known and pre-compiled into the SCSI
 	    tape device driver (&man.st.4;).</para>
 	  
 	  <para>Other firmware revisions that are known to work are:
 	    M75D</para>
 	  
 	  <para>Reported by: Marc van Kempen <email>marc@bowtie.nl</email>
 	    <literal>REV73R1</literal> Andrew Gordon
 	    <email>Andrew.Gordon@net-tel.co.uk</email>
 	    <literal>M75D</literal></para>
 	</sect3>
 
 	<sect3 id="hw-storage-wangtek6200">
 	  <title>Wangtek 6200</title>
 	  
 	  <para>The boot message identifier for this drive is <literal>WANGTEK
 	      6200-HS 4B18</literal> <literal>type 1 removable SCSI
 	      2</literal> <literal>Sequential-Access density code
 	      0x13</literal></para>
 	  
 	  <para>This is a DDS-1 tape drive.</para>
 	  
 	  <para>Native capacity is 2GB using 90m tapes.</para>
 	  
 	  <para>Data transfer rate is 150kB/s.</para>
 	  
 	  <para>Reported by: Tony Kimball <email>alk@Think.COM</email></para>
 	</sect3>
       </sect2>
       
       <sect2>
 	<title>* Problem drives</title>
 
 	<para></para>
       </sect2>
     </sect1>
     
     <sect1>
       <title>CDROM drives</title>
       
       <para><emphasis>Contributed by &a.obrien;.  23 November
 	      1997.</emphasis></para>
       
       <para>Generally speaking those in <emphasis>The FreeBSD
 	Project</emphasis> prefer SCSI CDROM drives over IDE CDROM
 	drives.  However not all SCSI CDROM drives are equal.  Some
 	feel the quality of some SCSI CDROM drives have been
 	deteriorating to that of IDE CDROM drives.  Toshiba used to be
 	the favored stand-by, but many on the SCSI mailing list have
 	found displeasure with the 12x speed XM-5701TA as its volume
 	(when playing audio CDROMs) is not controllable by the various
 	audio player software.</para>
 	  
       <para>Another area where SCSI CDROM manufacturers are cutting corners is
 	adherence to the <link linkend="scsi-further-reading">SCSI
 	  specification</link>. Many SCSI CDROMs will respond to <link
 	  linkend="scsi-rogue-devices">multiple LUNs</link> for its target
 	address.  Known violators include the 6x Teac CD-56S 1.0D.</para>
   </sect1>
 
 </article>
diff --git a/en_US.ISO8859-1/books/arch-handbook/boot/chapter.sgml b/en_US.ISO8859-1/books/arch-handbook/boot/chapter.sgml
index 572cc8af4f..dce3509d17 100644
--- a/en_US.ISO8859-1/books/arch-handbook/boot/chapter.sgml
+++ b/en_US.ISO8859-1/books/arch-handbook/boot/chapter.sgml
@@ -1,1024 +1,1024 @@
 <!--
 The FreeBSD Documentation Project
 
 Copyright (c) 2002 Sergey Lyubka <devnull@uptsoft.com>
 All rights reserved
 $FreeBSD$
 -->
 
 <chapter id="boot">
   <chapterinfo>
     <authorgroup>
       <author>
         <firstname>Sergey</firstname>
 	<surname>Lyubka</surname>
 	<contrib>Contributed by </contrib>
       </author> <!-- devnull@uptsoft.com  12 Jun 2002 -->
     </authorgroup>
   </chapterinfo>
   <title>Bootstrapping and kernel initialization</title>
 
   <sect1 id="boot-synopsis">
     <title>Synopsis</title>
 
     <para>This chapter is an overview of the boot and system
       initialization process, starting from the BIOS (firmware) POST,
       to the first user process creation.  Since the initial steps of
       system startup are very architecture dependent, the IA-32
       architecture is used as an example.</para>
   </sect1>
 
   <sect1 id="boot-overview">
     <title>Overview</title>
 
     <para>A computer running FreeBSD can boot by several methods,
       although the most common method, booting from a harddisk where
       the OS is installed, will be discussed here.  The boot process
       is divided into several steps:</para>
 
     <itemizedlist>
       <listitem><para>BIOS POST</para></listitem>
       <listitem><para><literal>boot0</literal> stage</para></listitem>
       <listitem><para><literal>boot2</literal> stage</para></listitem>
       <listitem><para>loader stage</para></listitem>
       <listitem><para>kernel initialization</para></listitem>
     </itemizedlist>
 
     <para>The <literal>boot0</literal> and <literal>boot2</literal>
       stages are also referred to as <emphasis>bootstrap stages 1 and
       2</emphasis> in &man.boot.8; as the first steps in FreeBSD's
       3-stage bootstrapping procedure.  Various information is printed
       on the screen at each stage, so you may visually recognize them
       using the table that follows.  Please note that the actual data
       may differ from machine to machine:</para>
 
-    <informaltable frame="none">
+    <informaltable frame="none" pgwide="1">
       <tgroup cols="2">
         <tbody>
           <row>
             <entry><para>may vary</para></entry>
 
 	    <entry><para>BIOS (firmware) messages</para></entry>
           </row>
 
           <row>
             <entry><para>
 <screen>F1    FreeBSD
 F2    BSD
 F5    Disk 2</screen>
             </para></entry>
 
 	    <entry><para><literal>boot0</literal></para></entry>
           </row>
 
           <row>
             <entry><para>
 <screen>>>FreeBSD/i386 BOOT
 Default: 1:ad(1,a)/boot/loader
 boot:</screen>
             </para></entry>
 
 	    <entry><para><literal>boot2</literal><footnote><para>This
 	      prompt will appear if the user presses a key just after
 	      selecting an OS to boot at the <literal>boot0</literal>
               stage.</para></footnote></para></entry>
           </row>
 
           <row>
             <entry><para>
 <screen>BTX loader 1.0 BTX version is 1.01
 BIOS drive A: is disk0
 BIOS drive C: is disk1
 BIOS 639kB/64512kB available memory
 FreeBSD/i386 bootstrap loader, Revision 0.8
 Console internal video/keyboard
 (jkh@bento.freebsd.org, Mon Nov 20 11:41:23 GMT 2000)
 /kernel text=0x1234 data=0x2345 syms=[0x4+0x3456]
 Hit [Enter] to boot immediately, or any other key for command prompt
 Booting [kernel] in 9 seconds..._</screen>
             </para></entry>
 
             <entry><para>loader</para></entry>
           </row>
 
           <row>
             <entry><para>
 	      <screen>Copyright (c) 1992-2002 The FreeBSD Project.
 Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
         The Regents of the University of California. All rights reserved.
 FreeBSD 4.6-RC #0: Sat May  4 22:49:02 GMT 2002
     devnull@kukas:/usr/obj/usr/src/sys/DEVNULL
 Timecounter "i8254"  frequency 1193182 Hz</screen></para></entry>
 
             <entry><para>kernel</para></entry>
           </row>
         </tbody>
       </tgroup>
     </informaltable>
   </sect1>
 
   <sect1 id="boot-bios">
     <title>BIOS POST</title>
 
     <para>When the PC powers on, the processor's registers are set
       to some predefined values.  One of the registers is the
       <emphasis>instruction pointer</emphasis> register, and its value
       after a power on is well defined: it is a 32-bit value of
       0xfffffff0.  The instruction pointer register points to code to
       be executed by the processor.  One of the registers is the
       <literal>cr1</literal> 32-bit control register, and its value
       just after the reboot is 0.  One of the cr1's bits, the bit PE
       (Protected Enabled) indicates whether the processor is running
       in protected or real mode.  Since at boot time this bit is
       cleared, the processor boots in real mode.  Real mode means,
       among other things, that linear and physical addresses are
       identical.</para>
 
     <para>The value of 0xfffffff0 is slightly less then 4Gb, so unless
       the machine has 4Gb physical memory, it cannot point to a valid
       memory address.  The computer's hardware translates this address
       so that it points to a BIOS memory block.</para>
 
     <para>BIOS stands for <emphasis>Basic Input Output
       System</emphasis>, and it is a chip on the motherboard that has
       a relatively small amount of read-only memory (ROM).  This
       memory contains various low-level routines that are specific to
       the hardware supplied with the motherboard.  So, the processor
       will first jump to the address 0xfffffff0, which really resides
       in the BIOS's memory.  Usually this address contains a jump
       instruction to the BIOS's POST routines.</para>
 
     <para>POST stands for <emphasis>Power On Self Test</emphasis>.
       This is a set of routines including the memory check, system bus
       check and other low-level stuff so that the CPU can initialize
       the computer properly.  The important step on this stage is
       determining the boot device.  All modern BIOS's allow the boot
       device to be set manually, so you can boot from a floppy,
       CD-ROM, harddisk etc.</para>
 
     <para>The very last thing in the POST is the <literal>INT
       0x19</literal> instruction.  That instruction reads 512 bytes
       from the first sector of boot device into the memory at address
       0x7c00.  The term <emphasis>first sector</emphasis> originates
       from harddrive architecture, where the magnetic plate is divided
       to a number of cylindrical tracks.  Tracks are numbered, and
       every track is divided by a number (usually 64) sectors.  Track
       number 0 is the outermost on the magnetic plate, and sector 1,
       the first sector (tracks, or, cylinders, are numbered starting
       from 0, but sectors - starting from 1), has a special meaning.
       It is also called Master Boot Record, or MBR.  The remaining
       sectors on the first track are never used <footnote><para>Some
       utilities such as &man.disklabel.8; may store the information in
       this area, mostly in the second
       sector.</para></footnote>.</para>
   </sect1>
 
   <sect1 id="boot-boot0">
     <title><literal>boot0</literal> stage</title>
 
     <para>Take a look at the file <filename>/boot/boot0</filename>.
       This is a small 512-byte file, and it is exactly what FreeBSD's
       installation procedure wrote to your harddisk's MBR if you chose
       the <quote>bootmanager</quote> option at installation time.</para>
 
     <para>As mentioned previously, the <literal>INT 0x19</literal>
       instruction loads an MBR, i.e. the <filename>boot0</filename>
       content, into the memory at address 0x7c00.  Taking a look at
       the file <filename>sys/boot/i386/boot0/boot0.s</filename> can
       give a guess at what is happening there - this is the boot
       manager, which is an awesome piece of code written by Robert
       Nordier.</para>
 
     <para>The MBR, or, <filename>boot0</filename>, has a special
       structure starting from offset 0x1be, called the
       <emphasis>partition table</emphasis>.  It has 4 records of 16
       bytes each, called <emphasis>partition records</emphasis>, which
       represent how the harddisk(s) are partitioned, or, in FreeBSD's
       terminology, sliced.  One byte of those 16 says whether a
       partition (slice) is bootable or not.  Exactly one record must
       have that flag set, otherwise <filename>boot0</filename>'s code
       will refuse to proceed.</para>
 
     <para>A partition record has the following fields:</para>
 
     <itemizedlist>
       <listitem>
         <para>the 1-byte filesystem type</para>
       </listitem>
 
       <listitem>
         <para>the 1-byte bootable flag</para>
       </listitem>
 
       <listitem>
         <para>the 6 byte descriptor in CHS format</para>
       </listitem>
 
       <listitem>
         <para>the 8 byte descriptor in LBA format</para>
       </listitem>
     </itemizedlist>
 
     <para>A partition record descriptor has the information about
       where exactly the partition resides on the drive.  Both
       descriptors, LBA and CHS, describe the same information, but in
       different ways: LBA (Logical Block Addressing) has the starting
       sector for the partition and the partition's length, while CHS
       (Cylinder Head Sector) has coordinates for the first and last
       sectors of the partition.</para>
 
     <para>The boot manager scans the partition table and prints the
       menu on the screen so the user can select what disk and what
       slice to boot.  By pressing an appropriate key,
       <filename>boot0</filename> performs the following
       actions:</para>
 
     <itemizedlist>
       <listitem>
 	<para>modifies the bootable flag for the selected partition to
 	  make it bootable, and clears the previous</para>
       </listitem>
 
       <listitem>
 	<para>saves itself to disk to remember what partition (slice)
 	  has been selected so to use it as the default on the next
 	  boot</para>
       </listitem>
 
       <listitem>
 	<para>loads the first sector of the selected partition (slice)
 	  into memory and jumps there</para>
       </listitem>
     </itemizedlist>
 
     <para>What kind of data should reside on the very first sector of
       a bootable partition (slice), in our case, a FreeBSD slice?  As
       you may have already guessed, it is
       <filename>boot2</filename>.</para>
   </sect1>
 
   <sect1 id="boot-boot2">
     <title><literal>boot2</literal> stage</title>
 
     <para>You might wonder, why <literal>boot2</literal> comes after
       <literal>boot0</literal>, and not boot1.  Actually, there is a
       512-byte file called <filename>boot1</filename> in the directory
       <filename>/boot</filename> as well.  It is used for booting from
       a floppy.  When booting from a floppy,
       <filename>boot1</filename> plays the same role as
       <filename>boot0</filename> for a harddisk: it locates
       <filename>boot2</filename> and runs it.</para>
 
     <para>You may have realized that a file
       <filename>/boot/mbr</filename> exists as well.  It is a
       simplified version of <filename>boot0</filename>.  The code in
       <filename>mbr</filename> does not provide a menu for the user,
       it just blindly boots the partition marked active.</para>
 
     <para>The code implementing <filename>boot2</filename> resides in
       <filename>sys/boot/i386/boot2/</filename>, and the executable
       itself is in <filename>/boot</filename>.  The files
       <filename>boot0</filename> and <filename>boot2</filename> that
       are in <filename>/boot</filename> are not used by the bootstrap,
       but by utilities such as <application>boot0cfg</application>.
       The actual position for <filename>boot0</filename> is in the
       MBR.  For <filename>boot2</filename> it is the beginning of a
       bootable FreeBSD slice.  These locations are not under the
       filesystem's control, so they are invisible to commands like
       <application>ls</application>.</para>
 
     <para>The main task for <literal>boot2</literal> is to load the
       file <filename>/boot/loader</filename>, which is the third stage
       in the bootstrapping procedure.  The code in
       <literal>boot2</literal> cannot use any services like
       <function>open()</function> and <function>read()</function>,
       since the kernel is not yet loaded.  It must scan the harddisk,
       knowing about the filesystem structure, find the file
       <filename>/boot/loader</filename>, read it into memory using a
       BIOS service, and then pass the execution to the loader's entry
       point.</para>
 
     <para>Besides that, <literal>boot2</literal> prompts for user
       input so the loader can be booted from different disk, unit,
       slice and partition.</para>
 
     <para>The <literal>boot2</literal> binary is created in special
       way:</para>
 
     <programlisting><filename>sys/boot/i386/boot2/Makefile</filename>
 boot2: boot2.ldr boot2.bin ${BTX}/btx/btx
 	btxld -v -E ${ORG2} -f bin -b ${BTX}/btx/btx -l boot2.ldr \
 		-o boot2.ld -P 1 boot2.bin</programlisting>
 
     <para>This Makefile snippet shows that &man.btxld.8; is used to
       link the binary.  BTX, which stands for BooT eXtender, is a
       piece of code that provides a protected mode environment for the
       program, called the client, that it is linked with.  So
       <literal>boot2</literal> is a BTX client, i.e. it uses the
       service provided by BTX.</para>
 
     <para>The <application>btxld</application> utility is the linker.
       It links two binaries together.  The difference between
       &man.btxld.8; and &man.ld.1; is that
       <application>ld</application> usually links object files into a
       shared object or executable, while
       <application>btxld</application> links an object file with the
       BTX, producing the binary file suitable to be put on the
       beginning of the partition for the system boot.</para>
 
     <para><literal>boot0</literal> passes the execution to BTX's entry
       point.  BTX then switches the processor to protected mode, and
       prepares a simple environment before calling the client.  This
       includes:</para>
 
     <itemizedlist>
       <listitem><para>virtual v86 mode.  That means, the BTX is a v86
         monitor.  Real mode instructions like pushf, popf, cli, sti, if
         called by the client, will work.</para></listitem>
 
       <listitem><para>Interrupt Descriptor Table (IDT) is set up so
         all hardware interrupts are routed to the default BIOS's
         handlers, and interrupt 0x30 is set up to be the syscall
         gate.</para></listitem>
 
       <listitem><para>Two system calls: <function>exec</function> and
         <function>exit</function>, are defined:</para>
 
     <programlisting><filename>sys/boot/i386/btx/lib/btxsys.s:</filename>
 		.set INT_SYS,0x30		# Interrupt number
 #
 # System call: exit
 #
 __exit: 	xorl %eax,%eax			# BTX system
 		int $INT_SYS			#  call 0x0
 #
 # System call: exec
 #
 __exec: 	movl $0x1,%eax			# BTX system
 		int $INT_SYS			#  call 0x1</programlisting></listitem>
     </itemizedlist>
 
     <para>BTX creates a Global Descriptor Table (GDT):</para>
 
     <programlisting><filename>sys/boot/i386/btx/btx/btx.s:</filename>
 gdt:		.word 0x0,0x0,0x0,0x0		# Null entry
 		.word 0xffff,0x0,0x9a00,0xcf	# SEL_SCODE
 		.word 0xffff,0x0,0x9200,0xcf	# SEL_SDATA
 		.word 0xffff,0x0,0x9a00,0x0	# SEL_RCODE
 		.word 0xffff,0x0,0x9200,0x0	# SEL_RDATA
 		.word 0xffff,MEM_USR,0xfa00,0xcf# SEL_UCODE
 		.word 0xffff,MEM_USR,0xf200,0xcf# SEL_UDATA
 		.word _TSSLM,MEM_TSS,0x8900,0x0 # SEL_TSS</programlisting>
 
     <para>The client's code and data start from address MEM_USR
       (0xa000), and a selector (SEL_UCODE) points to the client's code
       segment.  The SEL_UCODE descriptor has Descriptor Privilege
       Level (DPL) 3, which is the lowest privilege level.  But the
       <literal>INT 0x30</literal> instruction handler resides in a
       segment pointed to by the SEL_SCODE (supervisor code) selector,
       as shown from the code that creates an IDT:</para>
 
   <programlisting>		mov $SEL_SCODE,%dh		# Segment selector
 init.2: 	shr %bx				# Handle this int?
 		jnc init.3			# No
 		mov %ax,(%di)			# Set handler offset
 		mov %dh,0x2(%di)		#  and selector
 		mov %dl,0x5(%di)		# Set P:DPL:type
 		add $0x4,%ax			# Next handler</programlisting>
 
     <para>So, when the client calls <function>__exec()</function>, the
       code will be executed with the highest privileges.  This allows
       the kernel to change the protected mode data structures, such as
       page tables, GDT, IDT, etc later, if needed.</para>
 
     <para><literal>boot2</literal> defines an important structure,
       <literal>struct bootinfo</literal>.  This structure is
       initialized by <literal>boot2</literal> and passed to the
       loader, and then further to the kernel.  Some nodes of this
       structures are set by <literal>boot2</literal>, the rest by the
       loader.  This structure, among other information, contains the
       kernel filename, BIOS harddisk geometry, BIOS drive number for
       boot device, physical memory available, <literal>envp</literal>
       pointer etc.  The definition for it is:</para>
 
     <programlisting><filename>/usr/include/machine/bootinfo.h</filename>
 struct bootinfo {
 	u_int32_t	bi_version;
 	u_int32_t	bi_kernelname;		/* represents a char * */
 	u_int32_t	bi_nfs_diskless;	/* struct nfs_diskless * */
 				/* End of fields that are always present. */
 #define	bi_endcommon	bi_n_bios_used
 	u_int32_t	bi_n_bios_used;
 	u_int32_t	bi_bios_geom[N_BIOS_GEOM];
 	u_int32_t	bi_size;
 	u_int8_t	bi_memsizes_valid;
 	u_int8_t	bi_bios_dev;		/* bootdev BIOS unit number */
 	u_int8_t	bi_pad[2];
 	u_int32_t	bi_basemem;
 	u_int32_t	bi_extmem;
 	u_int32_t	bi_symtab;		/* struct symtab * */
 	u_int32_t	bi_esymtab;		/* struct symtab * */
 				/* Items below only from advanced bootloader */
 	u_int32_t	bi_kernend;		/* end of kernel space */
 	u_int32_t	bi_envp;		/* environment */
 	u_int32_t	bi_modulep;		/* preloaded modules */
 };</programlisting>
 
   <para><literal>boot2</literal> enters into an infinite loop waiting
     for user input, then calls <function>load()</function>.  If the
     user does not press anything, the loop brakes by a timeout, so
     <function>load()</function> will load the default file
     (<filename>/boot/loader</filename>).  Functions <function>ino_t
     lookup(char *filename)</function> and <function>int xfsread(ino_t
     inode, void *buf, size_t nbyte)</function> are used to read the
     content of a file into memory.  <filename>/boot/loader</filename>
     is an ELF binary, but where the ELF header is prepended with
     a.out's <literal>struct exec</literal> structure.
     <function>load()</function> scans the loader's ELF header, loading
     the content of <filename>/boot/loader</filename> into memory, and
     passing the execution to the loader's entry:</para>
 
   <programlisting><filename>sys/boot/i386/boot2/boot2.c:</filename>
     __exec((caddr_t)addr, RB_BOOTINFO | (opts & RBX_MASK),
 	   MAKEBOOTDEV(dev_maj[dsk.type], 0, dsk.slice, dsk.unit, dsk.part),
 	   0, 0, 0, VTOP(&amp;bootinfo));</programlisting>
   </sect1>
 
   <sect1 id="boot-loader">
     <title><application>loader</application> stage</title>
 
     <para><application>loader</application> is a BTX client as well.
       I will not describe it here in detail, there is a comprehensive
       manpage written by Mike Smith, &man.loader.8;.  The underlying
       mechanisms and BTX were discussed above.</para>
 
     <para>The main task for the loader is to boot the kernel.  When
       the kernel is loaded into memory, it is being called by the
       loader:</para>
 
   <programlisting><filename>sys/boot/common/boot.c:</filename>
     /* Call the exec handler from the loader matching the kernel */
     module_formats[km->m_loader]->l_exec(km);</programlisting>
   </sect1>
 
   <sect1 id="boot-kernel">
     <title>Kernel initialization</title>
 
     <para>To where exactly is the execution passed by the loader,
       i.e. what is the kernel's actual entry point.  Let us take a
       look at the command that links the kernel:</para>
 
     <programlisting><filename>sys/conf/Makefile.i386:</filename>
 ld -elf -Bdynamic -T /usr/src/sys/conf/ldscript.i386  -export-dynamic \
 -dynamic-linker /red/herring -o kernel -X locore.o \
 &lt;lots of kernel .o files&gt;</programlisting>
 
     <para>A few interesting things can be seen in this line.  First,
       the kernel is an ELF dynamically linked binary, but the dynamic
       linker for kernel is <filename>/red/herring</filename>, which is
       definitely a bogus file.  Second, taking a look at the file
       <filename>sys/conf/ldscript.i386</filename> gives an idea about
       what <application>ld</application> options are used when
       compiling a kernel.  Reading through the first few lines, the
       string</para>
 
   <programlisting><filename>sys/conf/ldscript.i386:</filename>
 ENTRY(btext)</programlisting>
 
     <para>says that a kernel's entry point is the symbol `btext'.
       This symbol is defined in <filename>locore.s</filename>:</para>
 
   <programlisting><filename>sys/i386/i386/locore.s:</filename>
 	.text
 /**********************************************************************
  *
  * This is where the bootblocks start us, set the ball rolling...
  *
  */
 NON_GPROF_ENTRY(btext)</programlisting>
 
     <para>First what is done is the register EFLAGS is set to a
       predefined value of 0x00000002, and then all the segment
       registers are initialized:</para>
 
     <programlisting><filename>sys/i386/i386/locore.s</filename>
 /* Don't trust what the BIOS gives for eflags. */
 	pushl	$PSL_KERNEL
 	popfl
 
 /*
  * Don't trust what the BIOS gives for %fs and %gs.  Trust the bootstrap
  * to set %cs, %ds, %es and %ss.
  */
 	mov	%ds, %ax
 	mov	%ax, %fs
 	mov	%ax, %gs</programlisting>
 
     <para>btext calls the routines
       <function>recover_bootinfo()</function>,
       <function>identify_cpu()</function>,
       <function>create_pagetables()</function>, which are also defined
       in <filename>locore.s</filename>.  Here is a description of what
       they do:</para>
 
-    <informaltable frame="none">
+    <informaltable frame="none" pgwide="1">
       <tgroup cols=2 align=left>
       <tbody>
         <row>
           <entry><function>recover_bootinfo</function></entry>
 
           <entry>This routine parses the parameters to the kernel
             passed from the bootstrap.  The kernel may have been
             booted in 3 ways: by the loader, described above, by the
             old disk boot blocks, and by the old diskless boot
             procedure.  This function determines the booting method,
             and stores the <literal>struct bootinfo</literal>
             structure into the kernel memory.</entry>
         </row>
 
         <row>
           <entry><function>identify_cpu</function></entry>
 
 	  <entry>This functions tries to find out what CPU it is
 	    running on, storing the value found in a variable
 	    <varname>_cpu</varname>.</entry>
         </row>
 
         <row>
           <entry><function>create_pagetables</function></entry>
 
 	  <entry>This function allocates and fills out a Page Table
 	    Directory at the top of the kernel memory area.</entry>
         </row>
        </tbody>
       </tgroup>
     </informaltable>
 
     <para>The next steps are enabling VME, if the CPU supports
       it:</para>
 
     <programlisting>	testl	$CPUID_VME, R(_cpu_feature)
 	jz	1f
 	movl	%cr4, %eax
 	orl	$CR4_VME, %eax
 	movl	%eax, %cr4</programlisting>
 
     <para>Then, enabling paging:</para>
     <programlisting>/* Now enable paging */
 	movl	R(_IdlePTD), %eax
 	movl	%eax,%cr3			/* load ptd addr into mmu */
 	movl	%cr0,%eax			/* get control word */
 	orl	$CR0_PE|CR0_PG,%eax		/* enable paging */
 	movl	%eax,%cr0			/* and let's page NOW! */</programlisting>
 
     <para>The next three lines of code are because the paging was set,
       so the jump is needed to continue the execution in virtualized
       address space:</para>
 
     <programlisting>	pushl	$begin				/* jump to high virtualized address */
 	ret
 
 /* now running relocated at KERNBASE where the system is linked to run */
 begin:</programlisting>
 
     <para>The function <function>init386()</function> is called, with
       a pointer to the first free physical page, after that
       <function>mi_startup()</function>.  <function>init386</function>
       is an architecture dependent initialization function, and
       <function>mi_startup()</function> is an architecture independent
       one (the 'mi_' prefix stands for Machine Independent).  The
       kernel never returns from <function>mi_startup()</function>, and
       by calling it, the kernel finishes booting:</para>
 
     <programlisting><filename>sys/i386/i386/locore.s:</filename>
 	movl	physfree, %esi
 	pushl	%esi				/* value of first for init386(first) */
 	call	_init386			/* wire 386 chip for unix operation */
 	call	_mi_startup			/* autoconfiguration, mountroot etc */
 	hlt		/* never returns to here */</programlisting>
 
     <sect2>
       <title><function>init386()</function></title>
 
       <para><function>init386()</function> is defined in
         <filename>sys/i386/i386/machdep.c</filename> and performs
         low-level initialization, specific to the i386 chip.  The
         switch to protected mode was performed by the loader.  The
         loader has created the very first task, in which the kernel
         continues to operate.  Before running straight away to the
         code, I will enumerate the tasks the processor must complete
         to initialize protected mode execution:</para>
 
       <itemizedlist>
         <listitem>
 	  <para>Initialize the kernel tunable parameters, passed from
 	    the bootstrapping program.</para>
 	  </listitem>
 
         <listitem>
 	  <para>Prepare the GDT.</para>
 	</listitem>
 
         <listitem>
 	  <para>Prepare the IDT.</para>
 	</listitem>
 
         <listitem>
 	  <para>Initialize the system console.</para>
 	</listitem>
 
         <listitem>
 	  <para>Initialize the DDB, if it is compiled into
 	    kernel.</para>
 	</listitem>
 
         <listitem>
 	  <para>Initialize the TSS.</para>
 	</listitem>
 
         <listitem>
 	  <para>Prepare the LDT.</para>
 	</listitem>
 
         <listitem>
 	  <para>Set up proc0's pcb.</para>
 	</listitem>
       </itemizedlist>
 
       <para>What <function>init386()</function> first does is
         initialize the tunable parameters passed from bootstrap.  This
         is done by setting the environment pointer (envp) and calling
         <function>init_param1()</function>.  The envp pointer has been
         passed from loader in the <literal>bootinfo</literal>
         structure:</para>
 
       <programlisting><filename>sys/i386/i386/machdep.c:</filename>
 		kern_envp = (caddr_t)bootinfo.bi_envp + KERNBASE;
 
 	/* Init basic tunables, hz etc */
 	init_param1();</programlisting>
 
       <para><function>init_param1()</function> is defined in
         <filename>sys/kern/subr_param.c</filename>.  That file has a
         number of sysctls, and two functions,
         <function>init_param1()</function> and
         <function>init_param2()</function>, that are called from
         <function>init386()</function>:</para>
 
       <programlisting><filename>sys/kern/subr_param.c</filename>
 	hz = HZ;
 	TUNABLE_INT_FETCH("kern.hz", &amp;hz);</programlisting>
 
       <para>TUNABLE_&lt;typename&gt;_FETCH is used to fetch the value
         from the environment:</para>
 
     <programlisting><filename>/usr/src/sys/sys/kernel.h</filename>
 #define	TUNABLE_INT_FETCH(path, var)	getenv_int((path), (var))
 </programlisting>
 
       <para>Sysctl <literal>kern.hz</literal> is the system clock tick.  Along with
         this, the following sysctls are set by
         <function>init_param1()</function>: <literal>kern.maxswzone,
         kern.maxbcache, kern.maxtsiz, kern.dfldsiz, kern.dflssiz,
         kern.maxssiz, kern.sgrowsiz</literal>.</para>
 
       <para>Then <function>init386()</function> prepares the Global
         Descriptors Table (GDT).  Every task on an x86 is running in
         its own virtual address space, and this space is addressed by
         a segment:offset pair.  Say, for instance, the current
         instruction to be executed by the processor lies at CS:EIP,
         then the linear virtual address for that instruction would be
         <quote>the virtual address of code segment CS</quote> + EIP.  For
         convenience, segments begin at virtual address 0 and end at a
         4Gb boundary.  Therefore, the instruction's linear virtual
         address for this example would just be the value of EIP.
         Segment registers such as CS, DS etc are the selectors,
         i.e. indexes, into GDT (to be more precise, an index is not a
         selector itself, but the INDEX field of a selector).
         FreeBSD's GDT holds descriptors for 15 selectors per
         CPU:</para>
 
       <programlisting><filename>sys/i386/i386/machdep.c:</filename>
 union descriptor gdt[NGDT * MAXCPU];	/* global descriptor table */
 
 <filename>sys/i386/include/segments.h:</filename>
 /*
  * Entries in the Global Descriptor Table (GDT)
  */
 #define	GNULL_SEL	0	/* Null Descriptor */
 #define	GCODE_SEL	1	/* Kernel Code Descriptor */
 #define	GDATA_SEL	2	/* Kernel Data Descriptor */
 #define	GPRIV_SEL	3	/* SMP Per-Processor Private Data */
 #define	GPROC0_SEL	4	/* Task state process slot zero and up */
 #define	GLDT_SEL	5	/* LDT - eventually one per process */
 #define	GUSERLDT_SEL	6	/* User LDT */
 #define	GTGATE_SEL	7	/* Process task switch gate */
 #define	GBIOSLOWMEM_SEL	8	/* BIOS low memory access (must be entry 8) */
 #define	GPANIC_SEL	9	/* Task state to consider panic from */
 #define GBIOSCODE32_SEL	10	/* BIOS interface (32bit Code) */
 #define GBIOSCODE16_SEL	11	/* BIOS interface (16bit Code) */
 #define GBIOSDATA_SEL	12	/* BIOS interface (Data) */
 #define GBIOSUTIL_SEL	13	/* BIOS interface (Utility) */
 #define GBIOSARGS_SEL	14	/* BIOS interface (Arguments) */</programlisting>
 
       <para>Note that those #defines are not selectors themselves, but
         just a field INDEX of a selector, so they are exactly the
         indices of the GDT.  for example, an actual selector for the
         kernel code (GCODE_SEL) has the value 0x08.</para>
 
       <para>The next step is to initialize the Interrupt Descriptor
         Table (IDT).  This table is to be referenced by the processor
         when a software or hardware interrupt occurs.  For example, to
         make a system call, user application issues the <literal>INT
         0x80</literal> instruction.  This is a software interrupt, so
         the processor's hardware looks up a record with index 0x80 in
         the IDT.  This record points to the routine that handles this
         interrupt, in this particular case, this will be the kernel's
         syscall gate.  The IDT may have a maximum of 256 (0x100)
         records.  The kernel allocates NIDT records for the IDT, where
         NIDT is the maximum (256):</para>
 
       <programlisting><filename>sys/i386/i386/machdep.c:</filename>
 static struct gate_descriptor idt0[NIDT];
 struct gate_descriptor *idt = &amp;idt0[0];	/* interrupt descriptor table */
 </programlisting>
 
       <para>For each interrupt, an appropriate handler is set.  The
         syscall gate for <literal>INT 0x80</literal> is set as
         well:</para>
 
       <programlisting><filename>sys/i386/i386/machdep.c:</filename>
  	setidt(0x80, &amp;IDTVEC(int0x80_syscall),
 			SDT_SYS386TGT, SEL_UPL, GSEL(GCODE_SEL, SEL_KPL));</programlisting>
 
       <para>So when a userland application issues the <literal>INT
         0x80</literal> instruction, control will transfer to the
         function <function>_Xint0x80_syscall</function>, which is in
         the kernel code segment and will be executed with supervisor
         privileges.</para>
 
       <para>Console and DDB are then initialized:</para>
 
       <programlisting><filename>sys/i386/i386/machdep.c:</filename>
 	cninit();
 /* skipped */
 #ifdef DDB
 	kdb_init();
 	if (boothowto & RB_KDB)
 		Debugger("Boot flags requested debugger");
 #endif</programlisting>
 
       <para>The Task State Segment is another x86 protected mode
         structure, the TSS is used by the hardware to store task
         information when a task switch occurs.</para>
 
       <para>The Local Descriptors Table is used to reference userland
         code and data.  Several selectors are defined to point to the
         LDT, they are the system call gates and the user code and data
         selectors:</para>
 
       <programlisting><filename>/usr/include/machine/segments.h</filename>
 #define	LSYS5CALLS_SEL	0	/* forced by intel BCS */
 #define	LSYS5SIGR_SEL	1
 #define	L43BSDCALLS_SEL	2	/* notyet */
 #define	LUCODE_SEL	3
 #define LSOL26CALLS_SEL	4	/* Solaris >= 2.6 system call gate */
 #define	LUDATA_SEL	5
 /* separate stack, es,fs,gs sels ? */
 /* #define	LPOSIXCALLS_SEL	5*/	/* notyet */
 #define LBSDICALLS_SEL	16	/* BSDI system call gate */
 #define NLDT		(LBSDICALLS_SEL + 1)
 </programlisting>
 
     <para>Next, proc0's Process Control Block (<literal>struct
       pcb</literal>) structure is initialized.  proc0 is a
       <literal>struct proc</literal> structure that describes a kernel
       process.  It is always present while the kernel is running,
       therefore it is declared as global:</para>
 
     <programlisting><filename>sys/kern/kern_init.c:</filename>
     struct	proc proc0;</programlisting>
 
     <para>The structure <literal>struct pcb</literal> is a part of a
       proc structure.  It is defined in
       <filename>/usr/include/machine/pcb.h</filename> and has a
       process's information specific to the i386 architecture, such as
       registers values.</para>
     </sect2>
 
     <sect2>
       <title><function>mi_startup()</function></title>
 
       <para>This function performs a bubble sort of all the system
         initialization objects and then calls the entry of each object
         one by one:</para>
 
       <programlisting><filename>sys/kern/init_main.c:</filename>
 	for (sipp = sysinit; *sipp; sipp++) {
 
 		/* ... skipped ... */
 
 		/* Call function */
 		(*((*sipp)->func))((*sipp)->udata);
 		/* ... skipped ... */
 	}</programlisting>
 
     <para>Although the sysinit framework is described in the
       Developers' Handbook, I will discuss the internals of it.</para>
 
     <para>Every system initialization object (sysinit object) is
       created by calling a SYSINIT() macro.  Let us take as example an
       <literal>announce</literal> sysinit object.  This object prints
       the copyright message:</para>
 
     <programlisting><filename>sys/kern/init_main.c:</filename>
 static void
 print_caddr_t(void *data __unused)
 {
 	printf("%s", (char *)data);
 }
 SYSINIT(announce, SI_SUB_COPYRIGHT, SI_ORDER_FIRST, print_caddr_t, copyright)</programlisting>
 
     <para>The subsystem ID for this object is SI_SUB_COPYRIGHT
       (0x0800001), which comes right after the SI_SUB_CONSOLE
       (0x0800000).  So, the copyright message will be printed out
       first, just after the console initialization.</para>
 
     <para>Let us take a look at what exactly the macro
       <literal>SYSINIT()</literal> does.  It expands to a
       <literal>C_SYSINIT()</literal> macro.  The
       <literal>C_SYSINIT()</literal> macro then expands to a static
       <literal>struct sysinit</literal> structure declaration with
       another <literal>DATA_SET</literal> macro call:</para>
       <programlisting><filename>/usr/include/sys/kernel.h:</filename>
       #define C_SYSINIT(uniquifier, subsystem, order, func, ident) \
       static struct sysinit uniquifier ## _sys_init = { \ subsystem, \
       order, \ func, \ ident \ }; \ DATA_SET(sysinit_set,uniquifier ##
       _sys_init);
 
 #define	SYSINIT(uniquifier, subsystem, order, func, ident)	\
 	C_SYSINIT(uniquifier, subsystem, order,			\
 	(sysinit_cfunc_t)(sysinit_nfunc_t)func, (void *)ident)</programlisting>
 
     <para>The <literal>DATA_SET()</literal> macro expands to a
       <literal>MAKE_SET()</literal>, and that macro is the point where
       the all sysinit magic is hidden:</para>
 
     <programlisting><filename>/usr/include/linker_set.h</filename>
 #define MAKE_SET(set, sym)						\
 	static void const * const __set_##set##_sym_##sym = &amp;sym;	\
 	__asm(".section .set." #set ",\"aw\"");				\
 	__asm(".long " #sym);						\
 	__asm(".previous")
 #endif
 #define TEXT_SET(set, sym) MAKE_SET(set, sym)
 #define DATA_SET(set, sym) MAKE_SET(set, sym)</programlisting>
 
     <para>In our case, the following declaration will occur:</para>
 
     <programlisting>static struct sysinit announce_sys_init = {
 	SI_SUB_COPYRIGHT,
 	SI_ORDER_FIRST,
 	(sysinit_cfunc_t)(sysinit_nfunc_t)  print_caddr_t,
 	(void *) copyright
 };
 
 static void const *const __set_sysinit_set_sym_announce_sys_init =
     &amp;announce_sys_init;
 __asm(".section .set.sysinit_set" ",\"aw\"");
 __asm(".long " "announce_sys_init");
 __asm(".previous");</programlisting>
 
     <para>The first <literal>__asm</literal> instruction will create
       an ELF section within the kernel's executable.  This will happen
       at kernel link time.  The section will have the name
       <literal>.set.sysinit_set</literal>.  The content of this section is one 32-bit
       value, the address of announce_sys_init structure, and that is
       what the second <literal>__asm</literal> is.  The third
       <literal>__asm</literal> instruction marks the end of a section.
       If a directive with the same section name occurred before, the
       content, i.e. the 32-bit value, will be appended to the existing
       section, so forming an array of 32-bit pointers.</para>
 
     <para>Running <application>objdump</application> on a kernel
       binary, you may notice the presence of such small
       sections:</para>
 
     <screen>&prompt.user; <userinput>objdump -h /kernel</userinput>
   7 .set.cons_set 00000014  c03164c0  c03164c0  002154c0  2**2
                   CONTENTS, ALLOC, LOAD, DATA
   8 .set.kbddriver_set 00000010  c03164d4  c03164d4  002154d4  2**2
                   CONTENTS, ALLOC, LOAD, DATA
   9 .set.scrndr_set 00000024  c03164e4  c03164e4  002154e4  2**2
                   CONTENTS, ALLOC, LOAD, DATA
  10 .set.scterm_set 0000000c  c0316508  c0316508  00215508  2**2
                   CONTENTS, ALLOC, LOAD, DATA
  11 .set.sysctl_set 0000097c  c0316514  c0316514  00215514  2**2
                   CONTENTS, ALLOC, LOAD, DATA
  12 .set.sysinit_set 00000664  c0316e90  c0316e90  00215e90  2**2
                   CONTENTS, ALLOC, LOAD, DATA</screen>
 
     <para>This screen dump shows that the size of .set.sysinit_set
       section is 0x664 bytes, so <literal>0x664/sizeof(void
       *)</literal> sysinit objects are compiled into the kernel.  The
       other sections such as <literal>.set.sysctl_set</literal>
       represent other linker sets.</para>
 
     <para>By defining a variable of type <literal>struct
       linker_set</literal> the content of
       <literal>.set.sysinit_set</literal> section will be <quote>collected</quote>
       into that variable:</para>
       <programlisting><filename>sys/kern/init_main.c:</filename>
       extern struct linker_set sysinit_set; /* XXX */</programlisting>
 
     <para>The <literal>struct linker_set</literal> is defined as
       follows:</para>
 
     <programlisting><filename>/usr/include/linker_set.h:</filename>
   struct linker_set {
 	int	ls_length;
 	void	*ls_items[1];		/* really ls_length of them, trailing NULL */
 };</programlisting>
 
     <para>The first node will be equal to the number of a sysinit
       objects, and the second node will be a NULL-terminated array of
       pointers to them.</para>
 
     <para>Returning to the <function>mi_startup()</function>
       discussion, it is must be clear now, how the sysinit objects are
       being organized.  The <function>mi_startup()</function> function
       sorts them and calls each.  The very last object is the system
       scheduler:</para>
 
     <programlisting><filename>/usr/include/sys/kernel.h:</filename>
 enum sysinit_sub_id {
 	SI_SUB_DUMMY		= 0x0000000,	/* not executed; for linker*/
 	SI_SUB_DONE		= 0x0000001,	/* processed*/
 	SI_SUB_CONSOLE		= 0x0800000,	/* console*/
 	SI_SUB_COPYRIGHT	= 0x0800001,	/* first use of console*/
 ...
 	SI_SUB_RUN_SCHEDULER	= 0xfffffff	/* scheduler: no return*/
 };</programlisting>
 
     <para>The system scheduler sysinit object is defined in the file
       <filename>sys/vm/vm_glue.c</filename>, and the entry point for
       that object is <function>scheduler()</function>.  That function
       is actually an infinite loop, and it represents a process with
       PID 0, the swapper process.  The proc0 structure, mentioned
       before, is used to describe it.</para>
 
     <para>The first user process, called <emphasis>init</emphasis>, is
       created by the sysinit object <literal>init</literal>:</para>
 
     <programlisting><filename>sys/kern/init_main.c:</filename>
 static void
 create_init(const void *udata __unused)
 {
 	int error;
 	int s;
 
 	s = splhigh();
 	error = fork1(&amp;proc0, RFFDG | RFPROC, &amp;initproc);
 	if (error)
 		panic("cannot fork init: %d\n", error);
 	initproc->p_flag |= P_INMEM | P_SYSTEM;
 	cpu_set_fork_handler(initproc, start_init, NULL);
 	remrunqueue(initproc);
 	splx(s);
 }
 SYSINIT(init,SI_SUB_CREATE_INIT, SI_ORDER_FIRST, create_init, NULL)</programlisting>
 
   <para>The <function>create_init()</function> allocates a new process
     by calling <function>fork1()</function>, but does not mark it
     runnable.  When this new process is scheduled for execution by the
     scheduler, the <function>start_init()</function> will be called.
     That function is defined in <filename>init_main.c</filename>.  It
     tries to load and exec the <filename>init</filename> binary,
     probing <filename>/sbin/init</filename> first, then
     <filename>/sbin/oinit</filename>,
     <filename>/sbin/init.bak</filename>, and finally
     <filename>/stand/sysinstall</filename>:</para>
 
   <programlisting><filename>sys/kern/init_main.c:</filename>
 static char init_path[MAXPATHLEN] =
 #ifdef	INIT_PATH
     __XSTRING(INIT_PATH);
 #else
     "/sbin/init:/sbin/oinit:/sbin/init.bak:/stand/sysinstall";
 #endif</programlisting>
 
   </sect2>
 </sect1>
 
 </chapter>
 
 <!-- 
      Local Variables:
      mode: sgml
      sgml-declaration: "../chapter.decl"
      sgml-indent-data: t
      sgml-omittag: nil
      sgml-always-quote-attributes: t
      sgml-parent-document: ("../book.sgml" "part" "chapter")
      End:
 -->
diff --git a/en_US.ISO8859-1/books/arch-handbook/mac/chapter.sgml b/en_US.ISO8859-1/books/arch-handbook/mac/chapter.sgml
index 478a4b8f6a..8731937ed0 100644
--- a/en_US.ISO8859-1/books/arch-handbook/mac/chapter.sgml
+++ b/en_US.ISO8859-1/books/arch-handbook/mac/chapter.sgml
@@ -1,7948 +1,7948 @@
 <!--
     Copyright (c) 2002-2004 Networks Associates Technology, Inc.
     All rights reserved.
     
     This software was developed for the FreeBSD Project by
     Chris Costello at Safeport Network Services and Network Associates Labs,
     the Security Research Division of Network Associates, Inc. under
     DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
     DARPA CHATS research program.
     
     Redistribution and use in source and binary forms, with or without
     modification, are permitted provided that the following conditions
     are met:
     1. Redistributions of source code must retain the above copyright
        notice, this list of conditions and the following disclaimer.
     2. Redistributions in binary form must reproduce the above copyright
        notice, this list of conditions and the following disclaimer in the
        documentation and/or other materials provided with the distribution.
     
     THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
     ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
     IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
     ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
     FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
     DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
     OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
     HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
     LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
     OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
     SUCH DAMAGE.
     
     $FreeBSD$
 -->
 
 <chapter id="mac">
   <chapterinfo>
     <authorgroup>
       <author>
         <firstname>Chris</firstname>
         <surname>Costello</surname>
         
         <affiliation>
           <orgname>TrustedBSD Project</orgname>
           <address><email>chris@FreeBSD.org</email></address>
         </affiliation>
       </author>
       
       <author>
         <firstname>Robert</firstname>
         <surname>Watson</surname>
         
         <affiliation>
           <orgname>TrustedBSD Project</orgname>
           <address><email>rwatson@FreeBSD.org</email></address>
         </affiliation>
       </author>
     </authorgroup>
   </chapterinfo>
   
   <title>The TrustedBSD MAC Framework</title>
 
   <sect1 id="mac-copyright">
     <title>MAC Documentation Copyright</title>
 
     <para>This documentation was developed for the FreeBSD Project by
       Chris Costello at Safeport Network Services and Network
       Associates Laboratories, the Security Research Division of
       Network Associates, Inc.  under DARPA/SPAWAR contract
       N66001-01-C-8035 (<quote>CBOSS</quote>), as part of the DARPA
       CHATS research program.</para>
 
     <para>Redistribution and use in source (SGML DocBook) and
       'compiled' forms (SGML, HTML, PDF, PostScript, RTF and so forth)
       with or without modification, are permitted provided that the
       following conditions are met:</para>
 
     <orderedlist>
       <listitem>
         <para>Redistributions of source code (SGML DocBook) must
           retain the above copyright notice, this list of conditions
           and the following disclaimer as the first lines of this file
           unmodified.</para>
       </listitem>
 
       <listitem>
         <para>Redistributions in compiled form (transformed to other
           DTDs, converted to PDF, PostScript, RTF and other formats)
           must reproduce the above copyright notice, this list of
           conditions and the following disclaimer in the documentation
           and/or other materials provided with the
           distribution.</para>
       </listitem>
     </orderedlist>
 
     <important>
       <para>THIS DOCUMENTATION IS PROVIDED BY THE NETWORKS ASSOCIATES
         TECHNOLOGY, INC "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
         INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
         MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
         DISCLAIMED. IN NO EVENT SHALL NETWORKS ASSOCIATES TECHNOLOGY,
         INC BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
         EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
         LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
         OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
         CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
         STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
         ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION, EVEN
         IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.</para>
     </important>
   </sect1>
   
   <sect1 id="mac-synopsis">
     <title>Synopsis</title>
     
     <para>FreeBSD includes experimental support for several
       mandatory access control policies, as well as a framework
       for kernel security extensibility, the TrustedBSD MAC
       Framework.  The MAC Framework is a pluggable access
       control framework, permitting new security policies to
       be easily linked into the kernel, loaded at boot, or loaded
       dynamically at run-time.  The framework provides a variety
       of features to make it easier to implement new security policies,
       including the ability to easily tag security labels (such as
       confidentiality information) onto system objects.</para>
 
     <para>This chapter introduces the MAC policy framework and
       provides documentation for a sample MAC policy module.</para>
   </sect1>
   
   
   <sect1 id="mac-introduction">
     <title>Introduction</title>
     
     <para>The TrustedBSD MAC framework provides a mechanism to allow
       the compile-time or run-time extension of the kernel access
       control model.  New system policies may be implemented as
       kernel modules and linked to the kernel; if multiple policy
       modules are present, their results will be composed.  The
       MAC Framework provides a variety of access control infrastructure
       services to assist policy writers, including support for
       transient and persistent policy-agnostic object security
       labels.  This support is currently considered experimental.</para>
 
    <para>This chapter provides information appropriate for developers
       of policy modules, as well as potential consumers of MAC-enabled
       environments, to learn about how the MAC Framework supports
       access control extension of the kernel.</para>
   </sect1>
 
   <sect1 id="mac-background">
     <title>Policy Background</title>
 
     <para>Mandatory Access Control (MAC), refers to a set of
       access control policies that are mandatorily enforced on
       users by the operating system.  MAC policies may be contrasted
       with Discretionary Access Control (DAC) protections, by which
       non-administrative users may (at their discretion) protect
       objects.  In traditional UNIX systems, DAC protections include
       file permissions and access control lists; MAC protections include
       process controls preventing inter-user debugging and firewalls.
       A variety of MAC policies have been formulated by operating system
       designers and security researches, including the Multi-Level
       Security (MLS) confidentiality policy, the Biba integrity policy,
       Role-Based Access Control (RBAC), Domain and Type Enforcement (DTE),
       and Type Enforcement (TE).  Each
       model bases decisions on a variety of factors, including user
       identity, role, and security clearance, as well as security labels
       on objects representing concepts such as data sensitivity and
       integrity.</para>
 
     <para>The TrustedBSD MAC Framework is capable of supporting policy
       modules that implement all of these policies, as well as a broad
       class of system hardening policies, which may use existing security
       attributes, such as user and group IDs, as well as extended
       attributes on files, and other system properties.  In addition,
       despite the
       name, the MAC Framework can also be used to implement purely
       discretionary policies, as policy modules are given substantial
       flexibility in how they authorize protections.</para>
   </sect1>
   
   <sect1 id="mac-framework-kernel-arch">
     <title>MAC Framework Kernel Architecture</title>
     
     <para>The TrustedBSD MAC Framework permits kernel modules to
       extend the operating system security policy, as well as
       providing infrastructure functionality required by many
       access control modules.  If multiple policies are
       simultaneously loaded, the MAC Framework will usefully (for
       some definition of useful) compose the results of the
       policies.</para>
 
     <sect2 id="mac-framework-kernel-arch-elements">
       <title>Kernel Elements</title>
 
       <para>The MAC Framework contains a number of kernel elements:</para>
 
       <itemizedlist>
 	<listitem><para>Framework management interfaces</para></listitem>
 	<listitem><para>Concurrency and synchronization 
 	  primitives.</para></listitem>
 	<listitem><para>Policy registration</para></listitem>
 	<listitem><para>Extensible security label for kernel
 	  objects</para></listitem>
 	<listitem><para>Policy entry point composition
 	  operators</para></listitem>
 	<listitem><para>Label management primitives</para></listitem>
 	<listitem><para>Entry point API invoked by kernel
 	  services</para></listitem>
 	<listitem><para>Entry point API to policy modules</para></listitem>
 	<listitem><para>Entry points implementations (policy life cycle,
 	  object life cycle/label management, access control
 	  checks).</para></listitem>
 	<listitem><para>Policy-agnostic label-management system
 	  calls</para></listitem>
 	<listitem><para><function>mac_syscall()</function> multiplex
 	  system call</para></listitem>
 	<listitem><para>Various security policies implemented as MAC
 	  policy modules</para></listitem>
       </itemizedlist>
     </sect2>
 
     <sect2 id="mac-framework-kernel-arch-management">
       <title>Framework Management Interfaces</title>
 
       <para>The TrustedBSD MAC Framework may be directly managed using
 	sysctls, loader tunables, and system calls.</para>
 
       <para>In most cases, sysctls and loader tunables of the same name
 	modify the same
 	parameters, and control behavior such as enforcement of
 	protections relating to various kernel subsystems.  In addition,
 	if MAC debugging support is compiled into the kernel, several
 	counters will be maintained tracking label allocation.  In
 	most cases, it is advised that per-subsystem enforcement
 	controls not be used to control policy behavior in production
 	environments, as they broadly impact the operation of all
 	active policies.  Instead, per-policy controls should be
 	preferred to provide greater granularity and provide greater
 	operational consistency for policy modules.</para>
 
       <para>Loading and unloading of policy modules is performed
 	using the system module management system calls and other
 	system interfaces, including loader variables; policy modules
 	will have the opportunity to influence load and unload
 	events.</para>
     </sect2>
 
     <sect2 id="mac-framework-kernel-arch-synchronization">
       <title>Policy List Concurrency and Synchronization</title>
 
       <para>As the set of active policies may change at run-time,
 	and the invocation of entry points is non-atomic,
 	synchronization is required to prevent loading or
 	unloading of policies while an entry point invocation
 	is progress, freezing the list of policies for the
 	duration.  This is accomplished by means of a framework
 	busy count.  Whenever an entry point is entered, the
 	busy count is incremented; whenever it is exited, the
 	busy count is decremented.  While the busy count is
 	elevated, policy list changes are not permitted, and
 	threads attempting to modify the policy list will sleep
 	until the list is not busy.  The busy count is protected
 	by a mutex, and a condition variable is used to wake up
 	sleepers waiting on policy list modifications.  One
 	side effect of this synchronization model is that
 	recursion into the MAC Framework from within a policy
 	module is permitted, although not generally used.</para>
 
       <para>Various optimizations are used to reduce the overhead
 	of the busy count, including avoiding the full cost of
 	incrementing and decrementing if the list is empty or
 	contains only static entries (policies that are loaded
 	before the system starts, and cannot be unloaded).  A
 	compile-time option is also provided which prevents any
 	change in the set of loaded policies at run-time, which
 	eliminates the mutex locking costs associated with
 	supporting dynamically loaded and unloaded policies.</para>
 
       <para>As the MAC Framework is not permitted to block in all
 	entry points, a normal sleep lock cannot be used; as a
 	result, it is possible for the load or unload attempt to
 	block for a substantial period of time waiting for the
 	framework to become idle.</para>
     </sect2>
 
     <sect2 id="mac-framework-kernel-arch-label-synchronization">
       <title>Label Synchronization</title>
 
       <para>As many kernel objects of interest may be accessed from
 	more than one thread at a time, and parallel entry into
 	the MAC Framework is permitted, security attribute storage
 	maintained by the MAC Framework is carefully synchronized.
 	In general, existing kernel synchronization on kernel
 	object data is used to protect MAC Framework security labels
 	on the object: for example, MAC labels on sockets are
 	protected using the existing socket mutex.  Likewise,
 	semantics for concurrent access are generally identical to
 	those of the container objects: for credentials, copy-on-write
 	semantics are maintained for label contents as with the
 	remainder of the credential structure.  The MAC Framework
 	asserts necessary locks on objects when invoked with an
 	object reference.  Policy authors must be aware of these
 	synchronization semantics, as they will sometimes limit the
 	types of accesses permitted on labels: for example, when
 	a read-only reference to a credential is passed to a policy
 	via an entry point, only read operations are permitted on
 	the label state attached to the credential.</para>
     </sect2>
 
     <sect2 id="mac-framework-kernel-arch-policy-synchronization">
       <title>Policy Synchronization and Concurrency</title>
 
       <para>Policy modules must be written to assume that many
 	kernel threads may simultaneously enter one more more
 	policy entry points due to the parallel and preemption
 	nature of the FreeBSD kernel.  If the policy module makes
 	use of mutable state, this may require the use of
 	synchronization primitives within the policy to prevent
 	inconsistent views on that state resulting in incorrect
 	operation of the policy.  Policies will generally be
 	able to make use of existing FreeBSD synchronization
 	primitives for this purpose, including mutexes, sleep
 	locks, condition variables, and counting semaphores.
 	However, policies should be written to employ these
 	primitives carefully, respecting existing kernel lock
 	orders, and recognizing that some entry points are not
 	permitted to sleep, limiting the use of primitives in
 	those entry points to mutexes and wakeup operations.</para>
 
       <para>When policy modules call out to other kernel subsytems,
 	they will generally need to release any in-policy locks in
 	order to avoid violating the kernel lock order or risking
 	lock recursion.  This will maintain policy locks as leaf
 	locks in the global lock order.</para>
 
     <sect2 id="mac-framework-kernel-arch-registration">
       <title>Policy Registration</title>
 
       <para>The MAC Framework maintains two lists of active
 	policies: a static list, and a dynamic list.  The lists
 	differ only with regards to their locking semantics: an
 	elevated reference count is not required to make use of
 	the static list.  When kernel modules containing MAC
 	Framework policies are loaded, the policy module will
 	use <literal>SYSINIT</literal> to invoke a registration
 	function; when a policy module is unloaded,
 	<literal>SYSINIT</literal> will likewise invoke a
 	de-registration function.  Registration may fail if a
 	policy module is loaded more than once, if insufficient
 	resources are available for the registration (for
 	example, the policy might require labeling and
 	insufficient labeling state might be available), or
 	other policy prerequisites might not be met (some
 	policies may only be loaded prior to boot).  Likewise,
 	de-registration may fail if a policy refuses an
 	unload.</para>
     </sect2>
 
     <sect2 id="mac-framework-kernel-arch-entrypoints">
       <title>Entry Points</title>
 
       <para>Kernel services interact with the MAC Framework in two ways:
 	they invoke a series of APIs to notify the framework of relevant
 	events, and they provide a policy-agnostic label structure
 	pointer in
 	security-relevant objects.  The label pointer is maintained by
 	the MAC Framework via label management entry points, and permits
 	the Framework to offer a labeling service to policy modules
 	through relatively non-invasive changes to the kernel subsystem
 	maintaining the object.  For example, label pointers have been
 	added to processes, process credentials, sockets, pipes, vnodes,
 	Mbufs, network interfaces, IP reassembly queues, and a variety
 	of other security-relevant structures.  Kernel services also
 	invoke the MAC Framework when they perform important security
 	decisions, permitting policy modules to augment those decisions
 	based on their own criteria (possibly including data stored in
 	security labels).  Most of these security critical decisions
 	will be explicit access control checks; however, some affect
 	more general decision functions such as packet matching for
 	sockets and label transition at program execution.</para>
     </sect2>
 
     <sect2 id="mac-framework-kernel-arch-composition">
       <title>Policy Composition</title>
 
       <para>When more than one policy module is loaded into the kernel
 	at a time, the results of the policy modules will be composed
 	by the framework using a composition operator.  This operator
 	is currently hard-coded, and requires that all active policies
 	must approve a request for it to return success.  As policies may
 	return a variety of error conditions (success, access denied,
 	object doesn't exist, ...), a precedence operator selects the
 	resulting error from the set of errors returned by policies.
 	In general, errors indicating that an object does not exist will
 	be preferred to errors indicating that access to an object is
 	denied.
 	While it is not guaranteed that the resulting composition will
 	be useful or secure, we've found that it is for many useful
 	selections of policies.  For example, traditional trusted systems
 	often ship with two or more policies using a similar
 	composition.</para>
     </sect2>
 
     <sect2 id="mac-framework-kernel-arch-labels">
       <title>Labeling Support</title>
 
       <para>As many interesting access control extensions rely on
 	security labels on objects, the MAC Framework provides a set
 	of policy-agnostic label management system calls covering
 	a variety of user-exposed objects.  Common label types
 	include partition identifiers, sensitivity labels, integrity
 	labels, compartments, domains, roles, and types.  By policy
 	agnostic, we mean that policy modules are able to completely
 	define the semantics of meta-data associated with an object.
 	Policy
 	modules participate in the internalization and externalization
 	of string-based labels provides by user applications, and can
 	expose multiple label elements to applications if desired.</para>
 
       <para>In-memory labels are stored in slab-allocated <structname>struct
 	label</structname>, which consists of a fixed-length array
 	of unions, each holding a <literal>void *</literal> pointer
 	and a <literal>long</literal>.  Policies registering for
 	label storage will be assigned a "slot" identifier, which
 	may be used to dereference the label storage.  The semantics
 	of the storage are left entirely up to the policy module:
 	modules are provided with a variety of entry points
 	associated with the kernel object life cycle, including
 	initialization, association/creation, and destruction.  Using
 	these interfaces, it is possible to implement reference
 	counting and other storage models.  Direct access to
 	the object structure is generally not required by policy
 	modules to retrieve a label, as the MAC Framework generally
 	passes both a pointer to the object and a direct pointer
 	to the object's label into entry points.  The primary
 	exception to this rule is the process credential, which must
 	be manually dereferenced to access the credential label.  This
 	may change in future revisions of the MAC Framework.</para>
 
       <para>Initialization entry points frequently include a sleeping
 	disposition flag indicating whether or not an initialization
 	is permitted to sleep; if sleeping is not permitted, a failure
 	may be returned to cancel allocation of the label (and hence
 	object).  This may
 	occur, for example, in the network stack during interrupt
 	handling, where sleeping is not permitted, or while the caller
 	holds a mutex.  Due to the
 	performance cost of maintaining labels on in-flight network
 	packets (Mbufs), policies must specifically declare a
 	requirement that Mbuf labels be allocated.  Dynamically
 	loaded policies making use of labels must be able to handle
 	the case where their init function has not been called on
 	an object, as objects may already exist when the policy is
 	loaded.  The MAC Framework guarantees that uninitialized label
 	slots will hold a 0 or NULL value, which policies may use to
 	detect uninitialized values.  However, as allocation of Mbuf
 	labels is conditional, policies must also be able to handle a
 	NULL label pointer for Mbufs if they have been loaded
 	dynamically.</para>
 
       <para>In the case of file system labels, special support is
 	provided for the persistent storage of security labels in
 	extended attributes.  Where available, EA transactions
 	are used to permit consistent compound updates of
 	security labels on vnodes.  Policy authors may choose to
 	implement multilabel file system object labels using one
 	(or more) extended attributes.  For effiency reasons, the
 	vnode label (<literal>v_label</literal>) is a cache of any
 	on-disk label; policies are able to load values into the
 	cache when the vnode is instantiated, and update the cache
 	as needed.</para>
 
       <note><para>Currently, if a labeled policy permits dynamic
 	unloading, its state slot cannot be reclaimed, which places
 	a strict (and relatively low) bound on the number of
 	unload-reload operations for labeled policies.</para></note>
     </sect2>
 
     <sect2 id="mac-framework-kernel-arch-syscalls">
       <title>System Calls</title>
 
       <para>The MAC Framework implements a number of system calls:
 	most of these calls support the policy-agnostic label
 	retrieval and manipulation APIs exposed to user
 	applications.</para>
 
       <para>The label management calls accept a label description
 	structure, <structname>struct mac</structname>, which
 	contains a series of MAC label elements.  Each element
 	contains a character string name, and character string
 	value.  Each policy will be given the chance to claim a
 	particular element name, permitting policies to expose
 	multiple independent elements if desired.  Policy modules
 	perform the internalization and externalization between
 	kernel labels and user-provided labels via entry points,
 	permitting a variety of semantics.  Label management system
 	calls are generally wrapped by user library functions to
 	perform memory allocation and error handling.</para>
 
       <para>In addition, <function>mac_syscall()</function>
 	permits policy modules to create new system calls without
 	allocating system calls.  <function>mac_execve()</function>
 	permits an atomic process credential label change when
 	executing a new image.</para>
     </sect2>
   </sect1>
 
   <sect1 id="mac-policy-architecture">
     <title>MAC Policy Architecture</title>
 
     <para>Security policies are either linked directly into the kernel,
       or compiled into loadable kernel modules that may be loaded at
       boot, or dynamically using the module loading system calls at
       runtime.  Policy modules interact with the system through a
       set of declared entry points, providing access to a stream of
       system events and permitting the policy to influence access
       control decisions.  Each policy contains a number of elements:</para>
 
     <itemizedlist>
       <listitem><para>Optional configuration parameters for
 	policy.</para></listitem>
       <listitem><para>Centralized implementation of the policy
 	logic and parameters.</para></listitem>
       <listitem><para>Optional implementation of policy life cycle
 	events, such as initialization and destruction.</para></listitem>
       <listitem><para>Optional support for initializing, maintaining, and
 	destroying labels on selected kernel objects.</para></listitem>
       <listitem><para>Optional support for user process inspection and
 	modification of labels on selected objects.</para></listitem>
       <listitem><para>Implementation of selected access control
 	entry points that are of interest to the policy.</para></listitem>
       <listitem><para>Declaration of policy identity, module entry
 	points, and policy properties.</para></listitem>
     </itemizedlist>
 
     <sect2 id="mac-policy-declaration">
       <title>Policy Declaration</title>
     
       <para>Modules may be declared using the
 	<function>MAC_POLICY_SET()</function> macro, which names the
 	policy, provides a reference to the MAC entry point vector,
 	provides load-time flags determining how the policy framework
 	should handle the policy, and optionally requests the
 	allocation of label state by the framework.</para>
 
     <programlisting>static struct mac_policy_ops mac_<replaceable>policy</replaceable>_ops =
 {                                   
         .mpo_destroy = mac_<replaceable>policy</replaceable>_destroy,
         .mpo_init = mac_<replaceable>policy</replaceable>_init,
         .mpo_init_bpfdesc_label = mac_<replaceable>policy</replaceable>_init_bpfdesc_label,  
         .mpo_init_cred_label = mac_<replaceable>policy</replaceable>_init_label,
 /* ... */
         .mpo_check_vnode_setutimes = mac_<replaceable>policy</replaceable>_check_vnode_setutimes,
         .mpo_check_vnode_stat = mac_<replaceable>policy</replaceable>_check_vnode_stat,
         .mpo_check_vnode_write = mac_<replaceable>policy</replaceable>_check_vnode_write,
 };</programlisting>
       
       <para>The MAC policy entry point vector,
 	<varname>mac_<replaceable>policy</replaceable>_ops</varname> in this example, associates
 	functions defined in the module with specific entry points. A
 	complete listing of available entry points and their
 	prototypes may be found in the MAC entry point reference
 	section.  Of specific interest during module registration are
 	the <symbol>.mpo_destroy</symbol> and <symbol>.mpo_init</symbol>
 	entry points. <symbol>.mpo_init</symbol> will be invoked once a
 	policy is successfully registered with the module framework
 	but prior to any other entry points becoming active. This
 	permits the policy to perform any policy-specific allocation
 	and initialization, such as initialization of any data or
 	locks.  <symbol>.mpo_destroy</symbol> will be invoked when a
 	policy module is unloaded to permit releasing of any allocated
 	memory and destruction of locks.  Currently, these two entry
 	points are invoked with the MAC policy list mutex held to
 	prevent any other entry points from being invoked: this will
 	be changed, but in the mean time, policies should be careful
 	about what kernel primitives they invoke so as to avoid lock
 	ordering or sleeping problems.</para>
       
       <para>The policy declaration's module name field exists so that
 	the module may be uniquely identified for the purposes of
 	module dependencies. An appropriate string should be selected.
 	The full string name of the policy is displayed to the user
 	via the kernel log during load and unload events, and also
 	exported when providing status information to userland
 	processes.</para>
     </sect2>
 
     <sect2 id="mac-policy-flags">
       <title>Policy Flags</title>
       
       <para>The policy declaration flags field permits the module to
 	provide the framework with information about its capabilities at
 	the time the module is loaded.  Currently, three flags are
 	defined:</para>
       
       <variablelist>
 	<varlistentry>
 	  <term>MPC_LOADTIME_FLAG_UNLOADOK</term>
 
 	  <listitem>
 	    <para>This flag indicates that the policy module may be
 	      unloaded.  If this flag is not provided, then the policy
 	      framework will reject requests to unload the module.
 	      This flag might be used by modules that allocate label
 	      state and are unable to free that state at
 	      runtime.</para>
 	  </listitem>
 	</varlistentry>
         
 	<varlistentry>
 	  <term>MPC_LOADTIME_FLAG_NOTLATE</term>
         
 	  <listitem>
 	    <para>This flag indicates that the policy module
 	      must be loaded and initialized early in the boot
 	      process.  If the flag is specified, attempts to register
 	      the module following boot will be rejected.  The flag
 	      may be used by policies that require pervasive labeling
 	      of all system objects, and cannot handle objects that
 	      have not been properly initialized by the policy.</para>
 	  </listitem>
 	</varlistentry>
 
 	<varlistentry>
 	  <term>MPC_LOADTIME_FLAG_LABELMBUFS</term>
 
 	  <listitem>
 	    <para>This flag indicates that the policy module requires
 	      labeling of Mbufs, and that memory should always be
 	      allocated for the storage of Mbuf labels.  By default,
 	      the MAC Framework will not allocate label storage for
 	      Mbufs unless at least one loaded policy has this flag
 	      set.  This measurably improves network performance when
 	      policies do not require Mbuf labeling.  A kernel option,
 	      <literal>MAC_ALWAYS_LABEL_MBUF</literal>, exists to
 	      force the MAC Framework to allocate Mbuf label storage
 	      regardless of the setting of this flag, and may be
 	      useful in some environments.</para>
 	  </listitem>
 	</varlistentry>
       </variablelist>
       
       <note><para>Policies using the
 	<literal>MPC_LOADTIME_FLAG_LABELMBUFS</literal> without the
 	<literal>MPC_LOADTIME_FLAG_NOTLATE</literal> flag set
 	must be able to correctly handle <literal>NULL</literal>
 	Mbuf label pointers passed into entry points.  This is necessary
 	as in-flight Mbufs without label storage may persist after a
 	policy enabling Mbuf labeling has been loaded.  If a policy
 	is loaded before the network subsystem is active (i.e., the
 	policy is not being loaded late), then all Mbufs are guaranteed
 	to have label storage.</para></note>
     </sect2>
 
     <sect2 id="mac-policy-entry-points">
       <title>Policy Entry Points</title>
     
       <para>Four classes of entry points are offered to policies
 	registered with the framework: entry points associated with
 	the registration and management of policies, entry points
 	denoting initialization, creation, destruction, and other life
 	cycle events for kernel objects, events associated with access
 	control decisions that the policy module may influence, and
 	calls associated with the management of labels on objects. In
 	addition, a <function>mac_syscall()</function> entry point is
 	provided so that policies may extend the kernel interface
 	without registering new system calls.</para>
     
       <para>Policy module writers should be aware of the kernel
 	locking strategy, as well as what object locks are available
 	during which entry points. Writers should attempt to avoid
 	deadlock scenarios by avoiding grabbing non-leaf locks inside
 	of entry points, and also follow the locking protocol for
 	object access and modification.  In particular, writers should
 	be aware that while necessary locks to access objects and
 	their labels are generally held, sufficient locks to modify an
 	object or its label may not be present for all entry points.
 	Locking information for arguments is documented in the MAC
 	framework entry point document.</para>
     
       <para>Policy entry points will pass a reference to the object
 	label along with the object itself.  This permits labeled
 	policies to be unaware of the internals of the object yet
 	still make decisions based on the label. The exception to this
 	is the process credential, which is assumed to be understood
 	by policies as a first class security object in the kernel.</para>
     </sect2>
   </sect1>
 
   <sect1 id="mac-entry-point-reference">
     <title>MAC Policy Entry Point Reference</title>
     
     <sect2 id="mac-mpo-general">
       <title>General-Purpose Module Entry Points</title>
       
       <sect3 id="mac-mpo-init">
         <title><function>&mac.mpo;_init</function></title>
         
         <funcsynopsis>
           <funcprototype>
             <funcdef>void
               <function>&mac.mpo;_init</function></funcdef>
             
             <paramdef>struct mac_policy_conf
               *<parameter>conf</parameter></paramdef>
           </funcprototype>
         </funcsynopsis>
         
-        <informaltable frame="none">
+        <informaltable frame="none" pgwide="1">
           <tgroup cols="3">
             &mac.thead;
             
             <tbody>
               <row>
                 <entry><parameter>conf</parameter></entry>
                 <entry>MAC policy definition</entry>
               </row>
             </tbody>
           </tgroup>
         </informaltable>
         
         <para>Policy load event.  The policy list mutex is held, so
 	  sleep operations cannot be performed, and calls out to other
 	  kernel subsystems must be made with caution.  If potentially
 	  sleeping memory allocations are required during policy
 	  initialization, they should be made using a separate module
 	  SYSINIT().</para>
       </sect3>
       
       <sect3 id="mpo-destroy">
         <title><function>&mac.mpo;_destroy</function></title>
         
         <funcsynopsis>
           <funcprototype>
             <funcdef>void
               <function>&mac.mpo;_destroy</function></funcdef>
             
             <paramdef>struct mac_policy_conf
               *<parameter>conf</parameter></paramdef>
           </funcprototype>
         </funcsynopsis>
         
-        <informaltable frame="none">
+        <informaltable frame="none" pgwide="1">
           <tgroup cols="3">
             &mac.thead;
             
             <tbody>
               <row>
                 <entry><parameter>conf</parameter></entry>
                 <entry>MAC policy definition</entry>
               </row>
             </tbody>
           </tgroup>
         </informaltable>
         
         <para>Policy load event.  The policy list mutex is held, so
           caution should be applied.</para>
       </sect3>
 
       <sect3 id="mac-mpo-syscall">
         <title><function>&mac.mpo;_syscall</function></title>
 
         <funcsynopsis>
           <funcprototype>
             <funcdef>int
               <function>&mac.mpo;_syscall</function></funcdef>
 
             <paramdef>struct thread
               *<parameter>td</parameter></paramdef>
             <paramdef>int <parameter>call</parameter></paramdef>
             <paramdef>void *<parameter>arg</parameter></paramdef>
           </funcprototype>
         </funcsynopsis>
 
-        <informaltable frame="none">
+        <informaltable frame="none" pgwide="1">
           <tgroup cols="3">
             &mac.thead;
 
             <tbody>
               <row>
                 <entry><parameter>td</parameter></entry>
                 <entry>Calling thread</entry>
               </row>
 
               <row>
                 <entry><parameter>call</parameter></entry>
                 <entry>Policy-specific syscall number</entry>
               </row>
 
               <row>
                 <entry><parameter>arg</parameter></entry>
                 <entry>Pointer to syscall arguments</entry>
               </row>
             </tbody>
           </tgroup>
         </informaltable>
 
         <para>This entry point provides a policy-multiplexed system
           call so that policies may provide additional services to
           user processes without registering specific system calls.
           The policy name provided during registration is used to
           demux calls from userland, and the arguments will be
           forwarded to this entry point.  When implementing new
           services, security modules should be sure to invoke
           appropriate access control checks from the MAC framework as
           needed.  For example, if a policy implements an augmented
           signal functionality, it should call the necessary signal
           access control checks to invoke the MAC framework and other
           registered policies.</para>
 
         <note><para>Modules must currently perform the
             <function>copyin()</function> of the syscall data on their
             own.</para></note>
       </sect3>
       
       <sect3 id="mac-mpo-thread-userret">
         <title><function>&mac.mpo;_thread_userret</function></title>
 
         <funcsynopsis>
           <funcprototype>
             <funcdef>void
               <function>&mac.mpo;_thread_userret</function></funcdef>
 
             <paramdef>struct thread
               *<parameter>td</parameter></paramdef>
           </funcprototype>
         </funcsynopsis>
 
-        <informaltable frame="none">
+        <informaltable frame="none" pgwide="1">
           <tgroup cols="3">
             &mac.thead;
 
             <tbody>
               <row>
                 <entry><parameter>td</parameter></entry>
                 <entry>Returning thread</entry>
               </row>
             </tbody>
           </tgroup>
         </informaltable>
 
         <!-- XXX: Maybe rewrite this section. -->
         <para>This entry point permits policy modules to perform
           MAC-related events when a thread returns to user space, via
 	  a system call return, trap return, or otherwise.
           This is required for policies that have floating process
           labels, as it is not always possible to acquire the process
           lock at arbitrary points in the stack during system call
           processing; process labels might represent traditional
           authentication data, process history information, or other
           data.  To employ this mechanism, intended changes to the
 	  process credential label may be stored in the
 	  <literal>p_label</literal> protected by a per-policy spin
 	  lock, and then set the per-thread
 	  <literal>TDF_ASTPENDING</literal> flag and per-process
 	  <literal>PS_MACPENDM</literal> flag to schedule a call
 	  to the userret entry point.  From this entry point, the
 	  policy may create a replacement credential with less
 	  concern about the locking context.  Policy writers are
 	  cautioned that event ordering relating to scheduling an
 	  AST and the AST being performed may be complex and
 	  interlaced in multithreaded applications.</para>
       </sect3>
     </sect2>
 
     <sect2 id="mac-label-ops">
       <title>Label Operations</title>
 
       <sect3 id="mac-mpo-init-bpfdesc">
         <title><function>&mac.mpo;_init_bpfdesc_label</function></title>
         
         <funcsynopsis>
           <funcprototype>
             <funcdef>void
               <function>&mac.mpo;_init_bpfdesc_label</function></funcdef>
             
             <paramdef>struct label
               *<parameter>label</parameter></paramdef>
           </funcprototype>
         </funcsynopsis>
         
-        <informaltable frame="none">
+        <informaltable frame="none" pgwide="1">
           <tgroup cols="3">
             &mac.thead;
             
             <tbody>
               <row>
                 <entry><parameter>label</parameter></entry>
                 <entry>New label to apply</entry>
               </row>
             </tbody>
           </tgroup>
         </informaltable>
         
         <para>Initialize the label on a newly instantiated bpfdesc (BPF
           descriptor).  Sleeping is permitted.</para>
       </sect3>
 
       <sect3 id="mac-mpo-init-cred-label">
         <title><function>&mac.mpo;_init_cred_label</function></title>
         
         <funcsynopsis>
           <funcprototype>
             <funcdef>void
               <function>&mac.mpo;_init_cred_label</function></funcdef>
             
             <paramdef>struct label
               *<parameter>label</parameter></paramdef>
           </funcprototype>
         </funcsynopsis>
         
-        <informaltable frame="none">
+        <informaltable frame="none" pgwide="1">
           <tgroup cols="3">
             &mac.thead;
             
             <tbody>
               <row>
                 <entry><parameter>label</parameter></entry>
                 <entry>New label to initialize</entry>
               </row>
             </tbody>
           </tgroup>
         </informaltable>
         
         <para>Initialize the label for a newly instantiated
           user credential.  Sleeping is permitted.</para>
       </sect3>
 
       <sect3 id="mac-mpo-init-devfsdirent">
         <title><function>&mac.mpo;_init_devfsdirent_label</function></title>
         
         <funcsynopsis>
           <funcprototype>
             <funcdef>void
               <function>&mac.mpo;_init_devfsdirent_label</function></funcdef>
             
             <paramdef>struct label
               *<parameter>label</parameter></paramdef>
           </funcprototype>
         </funcsynopsis>
         
-        <informaltable frame="none">
+        <informaltable frame="none" pgwide="1">
           <tgroup cols="3">
             &mac.thead;
             
             <tbody>
               <row>
                 <entry><parameter>label</parameter></entry>
                 <entry>New label to apply</entry>
               </row>
             </tbody>
           </tgroup>
         </informaltable>
         
         <para>Initialize the label on a newly instantiated devfs
           entry.  Sleeping is permitted.</para>
       </sect3>
 
       <sect3 id="mac-mpo-init-ifnet">
         <title><function>&mac.mpo;_init_ifnet_label</function></title>
         
         <funcsynopsis>
           <funcprototype>
             <funcdef>void
               <function>&mac.mpo;_init_ifnet_label</function></funcdef>
             
             <paramdef>struct label
               *<parameter>label</parameter></paramdef>
           </funcprototype>
         </funcsynopsis>
         
-        <informaltable frame="none">
+        <informaltable frame="none" pgwide="1">
           <tgroup cols="3">
             &mac.thead;
             
             <tbody>
               <row>
                 <entry><parameter>label</parameter></entry>
                 <entry>New label to apply</entry>
               </row>
             </tbody>
           </tgroup>
         </informaltable>
         
         <para>Initialize the label on a newly instantiated network
           interface.  Sleeping is permitted.</para>
       </sect3>
       
       <sect3 id="mac-mpo-init-ipq">
         <title><function>&mac.mpo;_init_ipq_label</function></title>
         
         <funcsynopsis>
           <funcprototype>
             <funcdef>void
               <function>&mac.mpo;_init_ipq_label</function></funcdef>
             
             <paramdef>struct label
               *<parameter>label</parameter></paramdef>
             <paramdef>int <parameter>flag</parameter></paramdef>
           </funcprototype>
         </funcsynopsis>
         
-        <informaltable frame="none">
+        <informaltable frame="none" pgwide="1">
           <tgroup cols="3">
             &mac.thead;
             
             <tbody>
               <row>
                 <entry><parameter>label</parameter></entry>
                 <entry>New label to apply</entry>
               </row>
 
               <row>
                 <entry><parameter>flag</parameter></entry>
                 <entry>Sleeping/non-sleeping &man.malloc.9;; see
 		  below</entry>
               </row>
             </tbody>
           </tgroup>
         </informaltable>
         
         <para>Initialize the label on a newly instantiated IP fragment
           reassembly queue.  The <parameter>flag</parameter> field may
 	  be one of <symbol>M_WAITOK</symbol> and <symbol>M_NOWAIT</symbol>,
 	  and should be employed to avoid performing a sleeping
           &man.malloc.9; during this initialization call.  IP fragment
 	  reassembly queue allocation frequently occurs in performance
 	  sensitive environments, and the implementation should be careful
 	  to avoid sleeping or long-lived operations.  This entry point
           is permitted to fail resulting in the failure to allocate
           the IP fragment reassembly queue.</para>
       </sect3>
 
       <sect3 id="mac-mpo-init-mbuf">
         <title><function>&mac.mpo;_init_mbuf_label</function></title>
         
         <funcsynopsis>
           <funcprototype>
             <funcdef>void
               <function>&mac.mpo;_init_mbuf_label</function></funcdef>
             
             <paramdef>int <parameter>flag</parameter></paramdef>
             <paramdef>struct label
               *<parameter>label</parameter></paramdef>
           </funcprototype>
         </funcsynopsis>
         
-        <informaltable frame="none">
+        <informaltable frame="none" pgwide="1">
           <tgroup cols="3">
             &mac.thead;
             
             <tbody>
               <row>
                 <entry><parameter>flag</parameter></entry>
                 <entry>Sleeping/non-sleeping &man.malloc.9;; see
                   below</entry>
               </row>
               
               <row>
                 <entry><parameter>label</parameter></entry>
                 <entry>Policy label to initialize</entry>
               </row>
             </tbody>
           </tgroup>
         </informaltable>
         
         <para>Initialize the label on a newly instantiated mbuf packet
           header (<parameter>mbuf</parameter>).  The
           <parameter>flag</parameter> field may be one of
           <symbol>M_WAITOK</symbol> and <symbol>M_NOWAIT</symbol>, and
           should be employed to avoid performing a sleeping
           &man.malloc.9; during this initialization call.  Mbuf
           allocation frequently occurs in performance sensitive
           environments, and the implementation should be careful to
           avoid sleeping or long-lived operations.  This entry point
           is permitted to fail resulting in the failure to allocate
           the mbuf header.</para>
       </sect3>
       
       <sect3 id="mac-mpo-init-mount">
         <title><function>&mac.mpo;_init_mount_label</function></title>
         
         <funcsynopsis>
           <funcprototype>
             <funcdef>void
               <function>&mac.mpo;_init_mount_label</function></funcdef>
             
             <paramdef>struct label
               *<parameter>mntlabel</parameter></paramdef>
             <paramdef>struct label
               *<parameter>fslabel</parameter></paramdef>
           </funcprototype>
         </funcsynopsis>
         
         <!-- XXX: Wording on label descriptions. -->
-        <informaltable frame="none">
+        <informaltable frame="none" pgwide="1">
           <tgroup cols="3">
             &mac.thead;
             
             <tbody>
               <row>
                 <entry><parameter>mntlabel</parameter></entry>
                 <entry>Policy label to be initialized for the mount
                   itself</entry>
               </row>
               
               <row>
                 <entry><parameter>fslabel</parameter></entry>
                 <entry>Policy label to be initialized for the file
                   system</entry>
               </row>
             </tbody>
           </tgroup>
         </informaltable>
         
         <para>Initialize the labels on a newly instantiated mount
           point.  Sleeping is permitted.</para>
       </sect3>
 
       <sect3 id="mac-mpo-init-mount-fs-label">
         <title><function>&mac.mpo;_init_mount_fs_label</function></title>
 
         <funcsynopsis>
           <funcprototype>
             <funcdef>void
               <function>&mac.mpo;_init_mount_fs_label</function></funcdef>
 
             <paramdef>struct label
               *<parameter>label</parameter></paramdef>
           </funcprototype>
         </funcsynopsis>
 
-        <informaltable frame="none">
+        <informaltable frame="none" pgwide="1">
           <tgroup cols="3">
             &mac.thead;
 
             <tbody>
               <row>
                 <entry><parameter>label</parameter></entry>
                 <entry>Label to be initialized</entry>
               </row>
             </tbody>
           </tgroup>
         </informaltable>
 
         <para>Initialize the label on a newly mounted file
           system.  Sleeping is permitted</para>
       </sect3>
 
       <sect3 id="mac-mpo-init-pipe-label">
         <title><function>&mac.mpo;_init_pipe_label</function></title>
 
         <funcsynopsis>
           <funcprototype>
             <funcdef>void
               <function>&mac.mpo;_init_pipe_label</function></funcdef>
 
             <paramdef>struct
               label*<parameter>label</parameter></paramdef>
           </funcprototype>
         </funcsynopsis>
 
-        <informaltable frame="none">
+        <informaltable frame="none" pgwide="1">
           <tgroup cols="3">
             &mac.thead;
 
             <tbody>
               <row>
                 <entry><parameter>label</parameter></entry>
                 <entry>Label to be filled in</entry>
               </row>
             </tbody>
           </tgroup>
         </informaltable>
 
         <para>Initialize a label for a newly instantiated pipe. Sleeping
 	  is permitted.</para>
       </sect3>
       
       <sect3 id="mac-mpo-init-socket">
         <title><function>&mac.mpo;_init_socket_label</function></title>
         
         <funcsynopsis>
           <funcprototype>
             <funcdef>void
               <function>&mac.mpo;_init_socket_label</function></funcdef>
             
             <paramdef>struct label
               *<parameter>label</parameter></paramdef>
             <paramdef>int <parameter>flag</parameter></paramdef>
           </funcprototype>
         </funcsynopsis>
         
-        <informaltable frame="none">
+        <informaltable frame="none" pgwide="1">
           <tgroup cols="3">
             &mac.thead;
             
             <tbody>
               <row>
                 <entry><parameter>label</parameter></entry>
                 <entry>New label to initialize</entry>
               </row>
               
               <row>
                 <entry><parameter>flag</parameter></entry>
                 <entry>&man.malloc.9; flags</entry>
               </row>
             </tbody>
           </tgroup>
         </informaltable>
         
         <para>Initialize a label for a newly instantiated
           socket.  The <parameter>flag</parameter> field may be one of  
 	  <symbol>M_WAITOK</symbol> and <symbol>M_NOWAIT</symbol>, and
 	  should be employed to avoid performing a sleeping &man.malloc.9;
 	  during this initialization call.</para>
       </sect3>
 
       <sect3 id="mac-mpo-init-socket-peer-label">
         <title><function>&mac.mpo;_init_socket_peer_label</function></title>
 
         <funcsynopsis>
           <funcprototype>
             <funcdef>void
               <function>&mac.mpo;_init_socket_peer_label</function></funcdef>
 
             <paramdef>struct label
               *<parameter>label</parameter></paramdef>
             <paramdef>int <parameter>flag</parameter></paramdef>
           </funcprototype>
         </funcsynopsis>
 
-        <informaltable frame="none">
+        <informaltable frame="none" pgwide="1">
           <tgroup cols="3">
             &mac.thead;
 
             <tbody>
               <row>
                 <entry><parameter>label</parameter></entry>
                 <entry>New label to initialize</entry>
               </row>
 
               <row>
                 <entry><parameter>flag</parameter></entry>
                 <entry>&man.malloc.9; flags</entry>
               </row>
             </tbody>
           </tgroup>
         </informaltable>
 
         <para>Initialize the peer label for a newly instantiated
           socket.  The <parameter>flag</parameter> field may be one of  
 	  <symbol>M_WAITOK</symbol> and <symbol>M_NOWAIT</symbol>, and
 	  should be employed to avoid performing a sleeping &man.malloc.9;
 	  during this initialization call.</para>
       </sect3>
       
       <sect3 id="mac-mpo-init-proc-label">
         <title><function>&mac.mpo;_init_proc_label</function></title>
         
         <funcsynopsis>
           <funcprototype>
             <funcdef>void
               <function>&mac.mpo;_init_proc_label</function></funcdef>
             
             <paramdef>struct label
               *<parameter>label</parameter></paramdef>
           </funcprototype>
         </funcsynopsis>
         
-        <informaltable frame="none">
+        <informaltable frame="none" pgwide="1">
           <tgroup cols="3">
             &mac.thead;
             
             <tbody>
               <row>
                 <entry><parameter>label</parameter></entry>
                 <entry>New label to initialize</entry>
               </row>
             </tbody>
           </tgroup>
         </informaltable>
         
         <para>Initialize the label for a newly instantiated
           process.  Sleeping is permitted.</para>
       </sect3>
 
 
       <sect3 id="mac-mpo-init-vnode">
         <title><function>&mac.mpo;_init_vnode_label</function></title>
         
         <funcsynopsis>
           <funcprototype>
             <funcdef>void
               <function>&mac.mpo;_init_vnode_label</function></funcdef>
             
             <paramdef>struct label
               *<parameter>label</parameter></paramdef>
           </funcprototype>
         </funcsynopsis>
         
-        <informaltable frame="none">
+        <informaltable frame="none" pgwide="1">
           <tgroup cols="3">
             &mac.thead;
             
             <tbody>
               <row>
                 <entry><parameter>label</parameter></entry>
                 <entry>New label to initialize</entry>
               </row>
             </tbody>
           </tgroup>
         </informaltable>
         
         <para>Initialize the label on a newly instantiated vnode.  Sleeping
 	  is permitted.</para>
       </sect3>
       <sect3 id="mac-mpo-destroy-bpfdesc">
         <title><function>&mac.mpo;_destroy_bpfdesc_label</function></title>
 
         <funcsynopsis>
           <funcprototype>
             <funcdef>void
               <function>&mac.mpo;_destroy_bpfdesc_label</function></funcdef>
 
             <paramdef>struct label
               *<parameter>label</parameter></paramdef>
           </funcprototype>
         </funcsynopsis>
 
-        <informaltable frame="none">
+        <informaltable frame="none" pgwide="1">
           <tgroup cols="3">
             &mac.thead;
 
             <tbody>
               <row>
                 <entry><parameter>label</parameter></entry>
                 <entry>bpfdesc label</entry>
               </row>
             </tbody>
           </tgroup>
         </informaltable>
 
         <para>Destroy the label on a BPF descriptor.  In this entry
           point a policy should free any internal storage associated
           with <parameter>label</parameter> so that it may be
           destroyed.</para>
       </sect3>
       
       <sect3 id="mac-mpo-destroy-cred">
         <title><function>&mac.mpo;_destroy_cred_label</function></title>
         
         <funcsynopsis>
           <funcprototype>
             <funcdef>void
               <function>&mac.mpo;_destroy_cred_label</function></funcdef>
             
             <paramdef>struct label
               *<parameter>label</parameter></paramdef>
           </funcprototype>
         </funcsynopsis>
         
-        <informaltable frame="none">
+        <informaltable frame="none" pgwide="1">
           <tgroup cols="3">
             &mac.thead;
             
             <tbody>
               <row>
                 <entry><parameter>label</parameter></entry>
                 <entry>Label being destroyed</entry>
               </row>
             </tbody>
           </tgroup>
         </informaltable>
         
         <para>Destroy the label on a credential.  In this entry point,
           a policy module should free any internal storage associated
           with <parameter>label</parameter> so that it may be
           destroyed.</para>
       </sect3>
 
 
       <sect3 id="mac-mpo-destroy-devfsdirent">
         <title><function>&mac.mpo;_destroy_devfsdirent_label</function></title>
         
         <funcsynopsis>
           <funcprototype>
             <funcdef>void
               <function>&mac.mpo;_destroy_devfsdirent_label</function></funcdef>
             
             <paramdef>struct label
               *<parameter>label</parameter></paramdef>
           </funcprototype>
         </funcsynopsis>
         
-        <informaltable frame="none">
+        <informaltable frame="none" pgwide="1">
           <tgroup cols="3">
             &mac.thead;
             
             <tbody>
               <row>
                 <entry><parameter>label</parameter></entry>
                 <entry>Label being destroyed</entry>
               </row>
             </tbody>
           </tgroup>
         </informaltable>
         
         <para>Destroy the label on a devfs entry.  In this entry
           point, a policy module should free any internal storage
           associated with <parameter>label</parameter> so that it may
           be destroyed.</para>
       </sect3>
       
       <sect3 id="mac-mpo-destroy-ifnet-label">
         <title><function>&mac.mpo;_destroy_ifnet_label</function></title>
         
         <funcsynopsis>
           <funcprototype>
             <funcdef>void
               <function>&mac.mpo;_destroy_ifnet_label</function></funcdef>
             
             <paramdef>struct label
               *<parameter>label</parameter></paramdef>
           </funcprototype>
         </funcsynopsis>
         
-        <informaltable frame="none">
+        <informaltable frame="none" pgwide="1">
           <tgroup cols="3">
             &mac.thead;
             
             <tbody>
               <row>
                 <entry><parameter>label</parameter></entry>
                 <entry>Label being destroyed</entry>
               </row>
             </tbody>
           </tgroup>
         </informaltable>
         
         <para>Destroy the label on a removed interface.  In this entry
           point, a policy module should free any internal storage
           associated with <parameter>label</parameter> so that it may
           be destroyed.</para>
       </sect3>
       
       <sect3 id="mac-mpo-destroy-ipq-label">
         <title><function>&mac.mpo;_destroy_ipq_label</function></title>
         
         <funcsynopsis>
           <funcprototype>
             <funcdef>void
               <function>&mac.mpo;_destroy_ipq_label</function></funcdef>
             
             <paramdef>struct label
               *<parameter>label</parameter></paramdef>
           </funcprototype>
         </funcsynopsis>
         
-        <informaltable frame="none">
+        <informaltable frame="none" pgwide="1">
           <tgroup cols="3">
             &mac.thead;
 
             <tbody>
               <row>
                 <entry><parameter>label</parameter></entry>
                 <entry>Label being destroyed</entry>
               </row>
             </tbody>
           </tgroup>
         </informaltable>
         
         <para>Destroy the label on an IP fragment queue.  In this
           entry point, a policy module should free any internal
           storage associated with <parameter>label</parameter> so that
           it may be destroyed.</para>
       </sect3>
       
       <sect3 id="mac-mpo-destroy-mbuf-label">
         <title><function>&mac.mpo;_destroy_mbuf_label</function></title>
         
         <funcsynopsis>
           <funcprototype>
             <funcdef>void
               <function>&mac.mpo;_destroy_mbuf_label</function></funcdef>
             
             <paramdef>struct label
               *<parameter>label</parameter></paramdef>
           </funcprototype>
         </funcsynopsis>
         
-        <informaltable frame="none">
+        <informaltable frame="none" pgwide="1">
           <tgroup cols="3">
             &mac.thead;
             
             <tbody>
               <row>
                 <entry><parameter>label</parameter></entry>
                 <entry>Label being destroyed</entry>
               </row>
             </tbody>
           </tgroup>
         </informaltable>
         
         <para>Destroy the label on an mbuf header.  In this entry
           point, a policy module should free any internal storage
           associated with <parameter>label</parameter> so that it may
           be destroyed.</para>
       </sect3>
       
       <sect3 id="mac-mpo-destroy-mount-label">
         <title><function>&mac.mpo;_destroy_mount_label</function></title>
         
         <funcsynopsis>
           <funcprototype>
             <funcdef>void
               <function>&mac.mpo;_destroy_mount_label</function></funcdef>
             
             <paramdef>struct label
               *<parameter>label</parameter></paramdef>
           </funcprototype>
         </funcsynopsis>
         
-        <informaltable frame="none">
+        <informaltable frame="none" pgwide="1">
           <tgroup cols="3">
             &mac.thead;
             
             <tbody>
               <row>
                 <entry><parameter>label</parameter></entry>
                 <entry>Mount point label being destroyed</entry>
               </row>
             </tbody>
           </tgroup>
         </informaltable>
         
         <para>Destroy the labels on a mount point.  In this entry
           point, a policy module should free the internal storage
           associated with <parameter>mntlabel</parameter> so that they
           may be destroyed.</para>
       </sect3>
 
       <sect3 id="mac-mpo-destroy-mount">
         <title><function>&mac.mpo;_destroy_mount_label</function></title>
         
         <funcsynopsis>
           <funcprototype>
             <funcdef>void
               <function>&mac.mpo;_destroy_mount_label</function></funcdef>
             
             <paramdef>struct label
               *<parameter>mntlabel</parameter></paramdef>
             <paramdef>struct label
               *<parameter>fslabel</parameter></paramdef>
           </funcprototype>
         </funcsynopsis>
         
-        <informaltable frame="none">
+        <informaltable frame="none" pgwide="1">
           <tgroup cols="3">
             &mac.thead;
             
             <tbody>
               <row>
                 <entry><parameter>mntlabel</parameter></entry>
                 <entry>Mount point label being destroyed</entry>
               </row>
               
               <row>
                 <entry><parameter>fslabel</parameter></entry>
                 <entry>File system label being destroyed></entry>
               </row>
             </tbody>
           </tgroup>
         </informaltable>
         
         <para>Destroy the labels on a mount point.  In this entry
           point, a policy module should free the internal storage
           associated with <parameter>mntlabel</parameter> and
           <parameter>fslabel</parameter> so that they may be
           destroyed.</para>
       </sect3>
       
       <sect3 id="mac-mpo-destroy-socket">
         <title><function>&mac.mpo;_destroy_socket_label</function></title>
         
         <funcsynopsis>
           <funcprototype>
             <funcdef>void
               <function>&mac.mpo;_destroy_socket_label</function></funcdef>
             
             <paramdef>struct label
               *<parameter>label</parameter></paramdef>
 
           </funcprototype>
         </funcsynopsis>
         
-        <informaltable frame="none">
+        <informaltable frame="none" pgwide="1">
           <tgroup cols="3">
             &mac.thead;
 
             <tbody>
               <row>
                 <entry><parameter>label</parameter></entry>
                 <entry>Socket label being destroyed</entry>
               </row>
 
             </tbody>
           </tgroup>
         </informaltable>
         
         <para>Destroy the label on a socket.  In this entry point, a
           policy module should free any internal storage associated
           with <parameter>label</parameter> so that it may be
           destroyed.</para>
       </sect3>
 
       <sect3 id="mac-mpo-destroy-socket-peer-label">
         <title><function>&mac.mpo;_destroy_socket_peer_label</function></title>
 
         <funcsynopsis>
           <funcprototype>
             <funcdef>void
               <function>&mac.mpo;_destroy_socket_peer_label</function></funcdef>
 
             <paramdef>struct label
               *<parameter>peerlabel</parameter></paramdef>
           </funcprototype>
         </funcsynopsis>
 
-        <informaltable frame="none">
+        <informaltable frame="none" pgwide="1">
           <tgroup cols="3">
             &mac.thead;
 
             <tbody>
               <row>
                 <entry><parameter>peerlabel</parameter></entry>
                 <entry>Socket peer label being destroyed</entry>
               </row>
             </tbody>
           </tgroup>
         </informaltable>
 
         <para>Destroy the peer label on a socket.  In this entry
           point, a policy module should free any internal storage
           associated with <parameter>label</parameter> so that it may
           be destroyed.</para>
       </sect3>
 
       <sect3 id="mac-mpo-destroy-pipe-label">
         <title><function>&mac.mpo;_destroy_pipe_label</function></title>
 
         <funcsynopsis>
           <funcprototype>
             <funcdef>void
               <function>&mac.mpo;_destroy_pipe_label</function></funcdef>
 
             <paramdef>struct label
               *<parameter>label</parameter></paramdef>
           </funcprototype>
         </funcsynopsis>
 
-        <informaltable frame="none">
+        <informaltable frame="none" pgwide="1">
           <tgroup cols="3">
             &mac.thead;
 
             <tbody>
               <row>
                 <entry><parameter>label</parameter></entry>
                 <entry>Pipe label</entry>
               </row>
             </tbody>
           </tgroup>
         </informaltable>
 
         <para>Destroy the label on a pipe.  In this entry point, a
           policy module should free any internal storage associated
           with <parameter>label</parameter> so that it may be
           destroyed.</para>
       </sect3>
 
       <sect3 id="mac-mpo-destroy-proc-label">
         <title><function>&mac.mpo;_destroy_proc_label</function></title>
 
         <funcsynopsis>
           <funcprototype>
             <funcdef>void
               <function>&mac.mpo;_destroy_proc_label</function></funcdef>
             <paramdef>struct label
               *<parameter>label</parameter></paramdef>
           </funcprototype>
         </funcsynopsis>
 
-        <informaltable frame="none">
+        <informaltable frame="none" pgwide="1">
           <tgroup cols="3">
             &mac.thead;
 
             <tbody>
               <row>
                 <entry><parameter>label</parameter></entry>
                 <entry>Process label</entry>
               </row>
             </tbody>
           </tgroup>
         </informaltable>
 
         <para>Destroy the label on a process.  In this entry point, a
           policy module should free any internal storage associated
           with <parameter>label</parameter> so that it may be
           destroyed.</para>
       </sect3>
 
       <sect3 id="mac-mpo-destroy-vnode-label">
         <title><function>&mac.mpo;_destroy_vnode_label</function></title>
 
         <funcsynopsis>
           <funcprototype>
             <funcdef>void
               <function>&mac.mpo;_destroy_vnode_label</function></funcdef>
             <paramdef>struct label
               *<parameter>label</parameter></paramdef>
           </funcprototype>
         </funcsynopsis>
 
-        <informaltable frame="none">
+        <informaltable frame="none" pgwide="1">
           <tgroup cols="3">
             &mac.thead;
 
             <tbody>
               <row>
                 <entry><parameter>label</parameter></entry>
                 <entry>Process label</entry>
               </row>
             </tbody>
           </tgroup>
         </informaltable>
 
         <para>Destroy the label on a vnode.  In this entry point, a
           policy module should free any internal storage associated
           with <parameter>label</parameter> so that it may be
           destroyed.</para>
       </sect3>
 
       <sect3 id="mac-mpo-copy-mbuf-label">
         <title><function>&mac.mpo;_copy_mbuf_label</function></title>
         
         <funcsynopsis>
           <funcprototype>
             <funcdef>void
               <function>&mac.mpo;_copy_mbuf_label</function></funcdef>
             
             <paramdef>struct label
               *<parameter>src</parameter></paramdef>
             <paramdef>struct label
               *<parameter>dest</parameter></paramdef>
           </funcprototype>
         </funcsynopsis>
         
-        <informaltable frame="none">
+        <informaltable frame="none" pgwide="1">
           <tgroup cols="3">
             &mac.thead;
             
             <tbody>
               <row>
                 <entry><parameter>src</parameter></entry>
                 <entry>Source label</entry>
               </row>
               
               <row>
                 <entry><parameter>dest</parameter></entry>
                 <entry>Destination label</entry>
               </row>
             </tbody>
           </tgroup>
         </informaltable>
         
         <para>Copy the label information in
           <parameter>src</parameter> into
           <parameter>dest</parameter>.</para>
       </sect3>
 
       <sect3 id="mac-mpo-copy-pipe-label">
         <title><function>&mac.mpo;_copy_pipe_label</function></title>
         
         <funcsynopsis>
           <funcprototype>
             <funcdef>void
               <function>&mac.mpo;_copy_pipe_label</function></funcdef>
             
             <paramdef>struct label
               *<parameter>src</parameter></paramdef>
             <paramdef>struct label
               *<parameter>dest</parameter></paramdef>
           </funcprototype>
         </funcsynopsis>
         
-        <informaltable frame="none">
+        <informaltable frame="none" pgwide="1">
           <tgroup cols="3">
             &mac.thead;
             
             <tbody>
               <row>
                 <entry><parameter>src</parameter></entry>
                 <entry>Source label</entry>
               </row>
               
               <row>
                 <entry><parameter>dest</parameter></entry>
                 <entry>Destination label</entry>
               </row>
             </tbody>
           </tgroup>
         </informaltable>
         
         <para>Copy the label information in
           <parameter>src</parameter> into
           <parameter>dest</parameter>.</para>
       </sect3>
 
       <sect3 id="mac-mpo-copy-vnode-label">
         <title><function>&mac.mpo;_copy_vnode_label</function></title>
         
         <funcsynopsis>
           <funcprototype>
             <funcdef>void
               <function>&mac.mpo;_copy_vnode_label</function></funcdef>
             
             <paramdef>struct label
               *<parameter>src</parameter></paramdef>
             <paramdef>struct label
               *<parameter>dest</parameter></paramdef>
           </funcprototype>
         </funcsynopsis>
         
-        <informaltable frame="none">
+        <informaltable frame="none" pgwide="1">
           <tgroup cols="3">
             &mac.thead;
             
             <tbody>
               <row>
                 <entry><parameter>src</parameter></entry>
                 <entry>Source label</entry>
               </row>
               
               <row>
                 <entry><parameter>dest</parameter></entry>
                 <entry>Destination label</entry>
               </row>
             </tbody>
           </tgroup>
         </informaltable>
         
         <para>Copy the label information in
           <parameter>src</parameter> into
           <parameter>dest</parameter>.</para>
       </sect3>
 
       <sect3 id="mac-mpo-externalize-cred-label">
         <title><function>&mac.mpo;_externalize_cred_label</function></title>
         
         <funcsynopsis>
           <funcprototype>
             <funcdef>int
               <function>&mac.mpo;_externalize_cred_label</function></funcdef>
             
             &mac.externalize.paramdefs;
           </funcprototype>
         </funcsynopsis>
         
-        <informaltable frame="none">
+        <informaltable frame="none" pgwide="1">
           <tgroup cols="3">
             &mac.thead;
             
             &mac.externalize.tbody;
           </tgroup>
         </informaltable>
         
         &mac.externalize.para;
       </sect3>
 
       <sect3 id="mac-mpo-externalize-ifnet-label">
         <title><function>&mac.mpo;_externalize_ifnet_label</function></title>
         
         <funcsynopsis>
           <funcprototype>
             <funcdef>int
               <function>&mac.mpo;_externalize_ifnet_label</function></funcdef>
             
             &mac.externalize.paramdefs;
           </funcprototype>
         </funcsynopsis>
         
-        <informaltable frame="none">
+        <informaltable frame="none" pgwide="1">
           <tgroup cols="3">
             &mac.thead;
             
             &mac.externalize.tbody;
           </tgroup>
         </informaltable>
         
         &mac.externalize.para;
       </sect3>
       
       <sect3 id="mac-mpo-externalize-pipe-label">
         <title><function>&mac.mpo;_externalize_pipe_label</function></title>
         
         <funcsynopsis>
           <funcprototype>
             <funcdef>int
               <function>&mac.mpo;_externalize_pipe_label</function></funcdef>
             
             &mac.externalize.paramdefs;
           </funcprototype>
         </funcsynopsis>
         
-        <informaltable frame="none">
+        <informaltable frame="none" pgwide="1">
           <tgroup cols="3">
             &mac.thead;
             
             &mac.externalize.tbody;
           </tgroup>
         </informaltable>
         
         &mac.externalize.para;
       </sect3>
       
       <sect3 id="mac-mpo-externalize-socket-label">
         <title><function>&mac.mpo;_externalize_socket_label</function></title>
         
         <funcsynopsis>
           <funcprototype>
             <funcdef>int
               <function>&mac.mpo;_externalize_socket_label</function></funcdef>
             
             &mac.externalize.paramdefs;
           </funcprototype>
         </funcsynopsis>
         
-        <informaltable frame="none">
+        <informaltable frame="none" pgwide="1">
           <tgroup cols="3">
             &mac.thead;
             
             &mac.externalize.tbody;
           </tgroup>
         </informaltable>
         
         &mac.externalize.para;
       </sect3>
       
       <sect3 id="mac-mpo-externalize-socket-peer-label">
         <title><function>&mac.mpo;_externalize_socket_peer_label</function></title>
         
         <funcsynopsis>
           <funcprototype>
             <funcdef>int
               <function>&mac.mpo;_externalize_socket_peer_label</function></funcdef>
             
             &mac.externalize.paramdefs;
           </funcprototype>
         </funcsynopsis>
         
-        <informaltable frame="none">
+        <informaltable frame="none" pgwide="1">
           <tgroup cols="3">
             &mac.thead;
             
             &mac.externalize.tbody;
           </tgroup>
         </informaltable>
         
         &mac.externalize.para;
       </sect3>
       
       <sect3 id="mac-mpo-externalize-vnode-label">
         <title><function>&mac.mpo;_externalize_vnode_label</function></title>
         
         <funcsynopsis>
           <funcprototype>
             <funcdef>int
               <function>&mac.mpo;_externalize_vnode_label</function></funcdef>
             
             &mac.externalize.paramdefs;
           </funcprototype>
         </funcsynopsis>
         
-        <informaltable frame="none">
+        <informaltable frame="none" pgwide="1">
           <tgroup cols="3">
             &mac.thead;
             
             &mac.externalize.tbody;
           </tgroup>
         </informaltable>
         
         &mac.externalize.para;
       </sect3>    
 
       <sect3 id="mac-mpo-internalize-cred-label">
         <title><function>&mac.mpo;_internalize_cred_label</function></title>
         
         <funcsynopsis>
           <funcprototype>
             <funcdef>int
               <function>&mac.mpo;_internalize_cred_label</function></funcdef>
             
             &mac.internalize.paramdefs;
           </funcprototype>
         </funcsynopsis>
         
-        <informaltable frame="none">
+        <informaltable frame="none" pgwide="1">
           <tgroup cols="3">
             &mac.thead;
             
             &mac.internalize.tbody;
           </tgroup>
         </informaltable>
         
         &mac.internalize.para;
       </sect3>
 
       <sect3 id="mac-mpo-internalize-ifnet-label">
         <title><function>&mac.mpo;_internalize_ifnet_label</function></title>
         
         <funcsynopsis>
           <funcprototype>
             <funcdef>int
               <function>&mac.mpo;_internalize_ifnet_label</function></funcdef>
             
             &mac.internalize.paramdefs;
           </funcprototype>
         </funcsynopsis>
         
-        <informaltable frame="none">
+        <informaltable frame="none" pgwide="1">
           <tgroup cols="3">
             &mac.thead;
             
             &mac.internalize.tbody;
           </tgroup>
         </informaltable>
         
         &mac.internalize.para;
       </sect3>
       
       <sect3 id="mac-mpo-internalize-pipe-label">
         <title><function>&mac.mpo;_internalize_pipe_label</function></title>
         
         <funcsynopsis>
           <funcprototype>
             <funcdef>int
               <function>&mac.mpo;_internalize_pipe_label</function></funcdef>
             
             &mac.internalize.paramdefs;
           </funcprototype>
         </funcsynopsis>
         
-        <informaltable frame="none">
+        <informaltable frame="none" pgwide="1">
           <tgroup cols="3">
             &mac.thead;
             
             &mac.internalize.tbody;
           </tgroup>
         </informaltable>
         
         &mac.internalize.para;
       </sect3>
       
       <sect3 id="mac-mpo-internalize-socket-label">
         <title><function>&mac.mpo;_internalize_socket_label</function></title>
         
         <funcsynopsis>
           <funcprototype>
             <funcdef>int
               <function>&mac.mpo;_internalize_socket_label</function></funcdef>
             
             &mac.internalize.paramdefs;
           </funcprototype>
         </funcsynopsis>
         
-        <informaltable frame="none">
+        <informaltable frame="none" pgwide="1">
           <tgroup cols="3">
             &mac.thead;
             
             &mac.internalize.tbody;
           </tgroup>
         </informaltable>
         
         &mac.internalize.para;
       </sect3>
 
       <sect3 id="mac-mpo-internalize-vnode-label">
         <title><function>&mac.mpo;_internalize_vnode_label</function></title>
         
         <funcsynopsis>
           <funcprototype>
             <funcdef>int
               <function>&mac.mpo;_internalize_vnode_label</function></funcdef>
             
             &mac.internalize.paramdefs;
           </funcprototype>
         </funcsynopsis>
         
-        <informaltable frame="none">
+        <informaltable frame="none" pgwide="1">
           <tgroup cols="3">
             &mac.thead;
             
             &mac.internalize.tbody;
           </tgroup>
         </informaltable>
         
         &mac.internalize.para;
       </sect3>
     </sect2>
     
     <sect2 id="mac-label-events">
       <title>Label Events</title>
       
       <para>This class of entry points is used by the MAC framework to
         permit policies to maintain label information on kernel
         objects.  For each labeled kernel object of interest to a MAC
         policy, entry points may be registered for relevant life cycle
         events.  All objects implement initialization, creation, and
         destruction hooks.  Some objects will also implement
         relabeling, allowing user processes to change the labels on
         objects.  Some objects will also implement object-specific
         events, such as label events associated with IP reassembly.  A
         typical labeled object will have the following life cycle of
         entry points:</para>
       
       <programlisting>Label initialization          o
 (object-specific wait)         \
 Label creation                  o
                                  \
 Relabel events,                   o--<--.
 Various object-specific,          |     |
 Access control events             ~-->--o
                                          \
 Label destruction                         o</programlisting>
       
       <para>Label initialization permits policies to allocate memory
         and set initial values for labels without context for the use
         of the object.  The label slot allocated to a policy will be
         zeroed by default, so some policies may not need to perform
         initialization.</para>
       
       <para>Label creation occurs when the kernel structure is
         associated with an actual kernel object.  For example, Mbufs
         may be allocated and remain unused in a pool until they are
         required.  mbuf allocation causes label initialization on the
         mbuf to take place, but mbuf creation occurs when the mbuf is
         associated with a datagram.  Typically, context will be
         provided for a creation event, including the circumstances of
         the creation, and labels of other relevant objects in the
         creation process. For example, when an mbuf is created from a
         socket, the socket and its label will be presented to
         registered policies in addition to the new mbuf and its label.
         Memory allocation in creation events is discouraged, as it may
         occur in performance sensitive ports of the kernel; in
         addition, creation calls are not permitted to fail so a
         failure to allocate memory cannot be reported.</para>
       
       <para>Object specific events do not generally fall into the
         other broad classes of label events, but will generally
         provide an opportunity to modify or update the label on an
         object based on additional context.  For example, the label on
         an IP fragment reassembly queue may be updated during the
         <symbol>MAC_UPDATE_IPQ</symbol> entry point as a result of the
         acceptance of an additional mbuf to that queue.</para>
       
       <para>Access control events are discussed in detail in the
         following section.</para>
       
       <para>Label destruction permits policies to release storage or
         state associated with a label during its association with an
         object so that the kernel data structures supporting the
         object may be reused or released.</para>
       
       <para>In addition to labels associated with specific kernel
         objects, an additional class of labels exists: temporary
         labels.  These labels are used to store update information
         submitted by user processes. These labels are initialized and
         destroyed as with other label types, but the creation event is
         <symbol>MAC_INTERNALIZE</symbol>, which accepts a user label
         to be converted to an in-kernel representation.</para>
       
       <sect3 id="mac-fs-label-event-ops">
         <title>File System Object Labeling Event Operations</title>
 
         <sect4 id="mac-mpo-associate-vnode-devfs">
           <title><function>&mac.mpo;_associate_vnode_devfs</function></title>
 
           <funcsynopsis>
             <funcprototype>
               <funcdef>void
                 <function>&mac.mpo;_associate_vnode_devfs</function></funcdef>
 
               <paramdef>struct mount
                 *<parameter>mp</parameter></paramdef>
               <paramdef>struct label
                 *<parameter>fslabel</parameter></paramdef>
               <paramdef>struct devfs_dirent
                 *<parameter>de</parameter></paramdef>
               <paramdef>struct label
                 *<parameter>delabel</parameter></paramdef>
               <paramdef>struct vnode
                 *<parameter>vp</parameter></paramdef>
               <paramdef>struct label
                 *<parameter>vlabel</parameter></paramdef>
             </funcprototype>
           </funcsynopsis>
 
-          <informaltable frame="none">
+          <informaltable frame="none" pgwide="1">
             <tgroup cols="3">
               &mac.thead;
 
               <tbody>
                 <row>
                   <entry><parameter>mp</parameter></entry>
                   <entry>Devfs mount point</entry>
                 </row>
 
                 <row>
                   <entry><parameter>fslabel</parameter></entry>
                   <entry>Devfs file system label
                     (<varname>mp->mnt_fslabel</varname>)</entry>
                 </row>
 
                 <row>
                   <entry><parameter>de</parameter></entry>
                   <entry>Devfs directory entry</entry>
                 </row>
 
                 <row>
                   <entry><parameter>delabel</parameter></entry>
                   <entry>Policy label associated with
                     <parameter>de</parameter></entry>
                 </row>
 
                 <row>
                   <entry><parameter>vp</parameter></entry>
                   <entry>vnode associated with
                     <parameter>de</parameter></entry>
                 </row>
 
                 <row>
                   <entry><parameter>vlabel</parameter></entry>
                   <entry>Policy label associated with
                     <parameter>vp</parameter></entry>
                 </row>
               </tbody>
             </tgroup>
           </informaltable>
 
           <para>Fill in the label (<parameter>vlabel</parameter>) for
             a newly created devfs vnode based on the devfs directory
             entry passed in <parameter>de</parameter> and its
             label.</para>
         </sect4>
 
         <sect4 id="mac-mpo-associate-vnode-extattr">
           <title><function>&mac.mpo;_associate_vnode_extattr</function></title>
 
           <funcsynopsis>
             <funcprototype>
               <funcdef>int
                 <function>&mac.mpo;_associate_vnode_extattr</function></funcdef>
 
               <paramdef>struct mount
                 *<parameter>mp</parameter></paramdef>
               <paramdef>struct label
                 *<parameter>fslabel</parameter></paramdef>
               <paramdef>struct vnode
                 *<parameter>vp</parameter></paramdef>
               <paramdef>struct label
                 *<parameter>vlabel</parameter></paramdef>
             </funcprototype>
           </funcsynopsis>
 
-          <informaltable frame="none">
+          <informaltable frame="none" pgwide="1">
             <tgroup cols="3">
               &mac.thead;
 
               <tbody>
                 <row>
                   <entry><parameter>mp</parameter></entry>
                   <entry>File system mount point</entry>
                 </row>
 
                 <row>
                   <entry><parameter>fslabel</parameter></entry>
                   <entry>File system label</entry>
                 </row>
 
                 <row>
                   <entry><parameter>vp</parameter></entry>
                   <entry>Vnode to label</entry>
                 </row>
 
                 <row>
                   <entry><parameter>vlabel</parameter></entry>
                   <entry>Policy label associated with
                     <parameter>vp</parameter></entry>
                 </row>
               </tbody>
             </tgroup>
           </informaltable>
 
           <para>Attempt to retrieve the label for
             <parameter>vp</parameter> from the file system extended
             attributes.  Upon success, the value <literal>0</literal>
             is returned.  Should extended attribute retrieval not be
             supported, an accepted fallback is to copy
             <parameter>fslabel</parameter> into
             <parameter>vlabel</parameter>.  In the event of an error,
             an appropriate value for <varname>errno</varname> should
             be returned.</para>
         </sect4>
 
         <sect4 id="mac-mpo-associate-vnode-singlelabel">
           <title><function>&mac.mpo;_associate_vnode_singlelabel</function></title>
 
           <funcsynopsis>
             <funcprototype>
               <funcdef>void
                 <function>&mac.mpo;_associate_vnode_singlelabel</function></funcdef>
 
               <paramdef>struct mount
                 *<parameter>mp</parameter></paramdef>
               <paramdef>struct label
                 *<parameter>fslabel</parameter></paramdef>
               <paramdef>struct vnode
                 *<parameter>vp</parameter></paramdef>
               <paramdef>struct label
                 *<parameter>vlabel</parameter></paramdef>
             </funcprototype>
           </funcsynopsis>
 
-          <informaltable frame="none">
+          <informaltable frame="none" pgwide="1">
             <tgroup cols="3">
               &mac.thead;
 
               <tbody>
                 <row>
                   <entry><parameter>mp</parameter></entry>
                   <entry>File system mount point</entry>
                 </row>
 
                 <row>
                   <entry><parameter>fslabel</parameter></entry>
                   <entry>File system label</entry>
                 </row>
 
                 <row>
                   <entry><parameter>vp</parameter></entry>
                   <entry>Vnode to label</entry>
                 </row>
 
                 <row>
                   <entry><parameter>vlabel</parameter></entry>
                   <entry>Policy label associated with
                     <parameter>vp</parameter></entry>
                 </row>
               </tbody>
             </tgroup>
           </informaltable>
 
           <para>On non-multilabel file systems, this entry point is
             called to set the policy label for
             <parameter>vp</parameter> based on the file system label,
             <parameter>fslabel</parameter>.</para>
         </sect4>
 
 
         <sect4 id="mac-mpo-create-devfs-device">
           <title><function>&mac.mpo;_create_devfs_device</function></title>
           
           <funcsynopsis>
             <funcprototype>
               <funcdef>void
                 <function>&mac.mpo;_create_devfs_device</function></funcdef>
               
               <paramdef>dev_t <parameter>dev</parameter></paramdef>
               <paramdef>struct devfs_dirent
                 *<parameter>devfs_dirent</parameter></paramdef>
               <paramdef>struct label
                 *<parameter>label</parameter></paramdef>
             </funcprototype>
           </funcsynopsis>
           
-          <informaltable frame="none">
+          <informaltable frame="none" pgwide="1">
             <tgroup cols="3">
               &mac.thead;
               
               <tbody>
                 <row>
                   <entry><parameter>dev</parameter></entry>
                   <entry>Device corresponding with
                     <parameter>devfs_dirent</parameter></entry>
                 </row>
                 
                 <row>
                   <entry><parameter>devfs_dirent</parameter></entry>
                   <entry>Devfs directory entry to be labeled.</entry>
                 </row>
                 
                 <row>
                   <entry><parameter>label</parameter></entry>
                   <entry>Label for <parameter>devfs_dirent</parameter>
                     to be filled in.</entry>
                 </row>
               </tbody>
             </tgroup>
           </informaltable>
           
           <para>Fill out the label on a devfs_dirent being created for
             the passed device. This call will be made when the device
             file system is mounted, regenerated, or a new device is made
             available.</para>
         </sect4>
         
         <sect4 id="mac-mpo-create-devfs-directory">
           <title><function>&mac.mpo;_create_devfs_directory</function></title>
           
           <funcsynopsis>
             <funcprototype>
               <funcdef>void
                 <function>&mac.mpo;_create_devfs_directory</function></funcdef>
               
               <paramdef>char *<parameter>dirname</parameter></paramdef>
               <paramdef>int <parameter>dirnamelen</parameter></paramdef>
               <paramdef>struct devfs_dirent
                 *<parameter>devfs_dirent</parameter></paramdef>
               <paramdef>struct label
                 *<parameter>label</parameter></paramdef>
             </funcprototype>
           </funcsynopsis>
           
-          <informaltable frame="none">
+          <informaltable frame="none" pgwide="1">
             <tgroup cols="3">
               &mac.thead;
               
               <tbody>
                 <row>
                   <entry><parameter>dirname</parameter></entry>
                   <entry>Name of directory being created</entry>
                 </row>
                 
                 <row>
                   <entry><parameter>namelen</parameter></entry>
                   <entry>Length of string
                     <parameter>dirname</parameter></entry>
                 </row>
                 
                 <row>
                   <entry><parameter>devfs_dirent</parameter></entry>
                   <entry>Devfs directory entry for directory being
                     created.</entry>
                 </row>
               </tbody>
             </tgroup>
           </informaltable>
           
           <para>Fill out the label on a devfs_dirent being created for
             the passed directory. This call will be made when the device
             file system is mounted, regenerated, or a new device
             requiring a specific directory hierarchy is made
             available.</para>
         </sect4>
 
         <sect4 id="mac-mpo-create-devfs-symlink">
           <title><function>&mac.mpo;_create_devfs_symlink</function></title>
 
           <funcsynopsis>
             <funcprototype>
               <funcdef>void
                 <function>&mac.mpo;_create_devfs_symlink</function></funcdef>
 
               <paramdef>struct ucred
                 *<parameter>cred</parameter></paramdef>
               <paramdef>struct mount
                 *<parameter>mp</parameter></paramdef>
               <paramdef>struct devfs_dirent
                 *<parameter>dd</parameter></paramdef>
               <paramdef>struct label
                 *<parameter>ddlabel</parameter></paramdef>
               <paramdef>struct devfs_dirent
                 *<parameter>de</parameter></paramdef>
               <paramdef>struct label
                 *<parameter>delabel</parameter></paramdef>
             </funcprototype>
           </funcsynopsis>
 
-          <informaltable frame="none">
+          <informaltable frame="none" pgwide="1">
             <tgroup cols="3">
               &mac.thead;
 
               <tbody>
                 <row>
                   <entry><parameter>cred</parameter></entry>
                   <entry>Subject credential</entry>
                 </row>
 
                 <row>
                   <entry><parameter>mp</parameter></entry>
                   <entry>Devfs mount point</entry>
                 </row>
 
                 <row>
                   <entry><parameter>dd</parameter></entry>
                   <entry>Link destination</entry>
                 </row>
 
                 <row>
                   <entry><parameter>ddlabel</parameter></entry>
                   <entry>Label associated with
                     <parameter>dd</parameter></entry>
                 </row>
 
                 <row>
                   <entry><parameter>de</parameter></entry>
                   <entry>Symlink entry</entry>
                 </row>
 
                 <row>
                   <entry><parameter>delabel</parameter></entry>
                   <entry>Label associated with
                     <parameter>de</parameter></entry>
                 </row>
               </tbody>
             </tgroup>
           </informaltable>
 
           <para>Fill in the label (<parameter>delabel</parameter>) for
             a newly created &man.devfs.5; symbolic link entry.</para>
         </sect4>
         
         <sect4 id="mac-mpo-create-vnode-extattr">
           <title><function>&mac.mpo;_create_vnode_extattr</function></title>
 
           <funcsynopsis>
             <funcprototype>
               <funcdef>int
                 <function>&mac.mpo;_create_vnode_extattr</function></funcdef>
 
               <paramdef>struct ucred
                 *<parameter>cred</parameter></paramdef>
               <paramdef>struct mount
                 *<parameter>mp</parameter></paramdef>
               <paramdef>struct label
                 *<parameter>fslabel</parameter></paramdef>
               <paramdef>struct vnode
                 *<parameter>dvp</parameter></paramdef>
               <paramdef>struct label
                 *<parameter>dlabel</parameter></paramdef>
               <paramdef>struct vnode
                 *<parameter>vp</parameter></paramdef>
               <paramdef>struct label
                 *<parameter>vlabel</parameter></paramdef>
               <paramdef>struct componentname
                 *<parameter>cnp</parameter></paramdef>
             </funcprototype>
           </funcsynopsis>
 
-          <informaltable frame="none">
+          <informaltable frame="none" pgwide="1">
             <tgroup cols="3">
               &mac.thead;
 
               <tbody>
                 <row>
                   <entry><parameter>cred</parameter></entry>
                   <entry>Subject credential</entry>
                 </row>
 
                 <row>
                   <entry><parameter>mount</parameter></entry>
                   <entry>File system mount point</entry>
                 </row>
 
                 <row>
                   <entry><parameter>label</parameter></entry>
                   <entry>File system label</entry>
                 </row>
 
                 <row>
                   <entry><parameter>dvp</parameter></entry>
                   <entry>Parent directory vnode</entry>
                 </row>
 
                 <row>
                   <entry><parameter>dlabel</parameter></entry>
                   <entry>Label associated with
                     <parameter>dvp</parameter></entry>
                 </row>
 
                 <row>
                   <entry><parameter>vp</parameter></entry>
                   <entry>Newly created vnode</entry>
                 </row>
 
                 <row>
                   <entry><parameter>vlabel</parameter></entry>
                   <entry>Policy label associated with
                     <parameter>vp</parameter></entry>
                 </row>
 
                 <row>
                   <entry><parameter>cnp</parameter></entry>
                   <entry>Component name for
                     <parameter>vp</parameter></entry>
                 </row>
               </tbody>
             </tgroup>
           </informaltable>
 
           <para>Write out the label for <parameter>vp</parameter> to
             the appropriate extended attribute.  If the write
             succeeds, fill in <parameter>vlabel</parameter> with the
             label, and return <returnvalue>0</returnvalue>. Otherwise,
             return an appropriate error.</para>
         </sect4>
 
         <sect4 id="mac-mpo-create-mount">
           <title><function>&mac.mpo;_create_mount</function></title>
           
           <funcsynopsis>
             <funcprototype>
               <funcdef>void
                 <function>&mac.mpo;_create_mount</function></funcdef>
               
               <paramdef>struct ucred
                 *<parameter>cred</parameter></paramdef>
               <paramdef>struct mount
                 *<parameter>mp</parameter></paramdef>
               <paramdef>struct label
                 *<parameter>mnt</parameter></paramdef>
               <paramdef>struct label
                 *<parameter>fslabel</parameter></paramdef>
             </funcprototype>
           </funcsynopsis>
           
-          <informaltable frame="none">
+          <informaltable frame="none" pgwide="1">
             <tgroup cols="3">
               &mac.thead;
               
               <tbody>
                 <row>
                   <entry><parameter>cred</parameter></entry>
                   <entry>Subject credential</entry>
                 </row>
                 
                 <row>
                   <entry><parameter>mp</parameter></entry>
                   <entry>Object; file system being mounted</entry>
                 </row>
                 
                 <row>
                   <entry><parameter>mntlabel</parameter></entry>
                   <entry>Policy label to be filled in for
                     <parameter>mp</parameter></entry>
                 </row>
                 
                 <row>
                   <entry><parameter>fslabel</parameter></entry>
                   <entry>Policy label for the file system
                     <parameter>mp</parameter> mounts.</entry>
                 </row>
               </tbody>
             </tgroup>
           </informaltable>
           
           <para>Fill out the labels on the mount point being created by
             the passed subject credential.  This call will be made when
             a new file system is mounted.</para>
         </sect4>
         
         <sect4 id="mac-mpo-create-root-mount">
           <title><function>&mac.mpo;_create_root_mount</function></title>
           
           <funcsynopsis>
             <funcprototype>
               <funcdef>void
                 <function>&mac.mpo;_create_root_mount</function></funcdef>
               
               <paramdef>struct ucred
                 *<parameter>cred</parameter></paramdef>
               <paramdef>struct mount
                 *<parameter>mp</parameter></paramdef>
               <paramdef>struct label
                 *<parameter>mntlabel</parameter></paramdef>
               <paramdef>struct label
                 *<parameter>fslabel</parameter></paramdef>
             </funcprototype>
           </funcsynopsis>
           
-          <informaltable frame="none">
+          <informaltable frame="none" pgwide="1">
             <tgroup cols="3">
               &mac.thead;
               
               <tbody>
                 <row>
                   <entry namest="first" nameend="last">See <xref
                     linkend="mac-mpo-create-mount">.</entry>
                 </row>
               </tbody>
             </tgroup>
           </informaltable>
           
           <para>Fill out the labels on the mount point being created by
             the passed subject credential.  This call will be made when
             the root file system is mounted, after
             &mac.mpo;_create_mount;.</para>
         </sect4>
 
         <sect4 id="mac-mpo-relabel-vnode">
           <title><function>&mac.mpo;_relabel_vnode</function></title>
           
           <funcsynopsis>
             <funcprototype>
               <funcdef>void
                 <function>&mac.mpo;_relabel_vnode</function></funcdef>
               
               <paramdef>struct ucred
                 *<parameter>cred</parameter></paramdef>
               <paramdef>struct vnode
                 *<parameter>vp</parameter></paramdef>
               <paramdef>struct label
                 *<parameter>vnodelabel</parameter></paramdef>
               <paramdef>struct label
                 *<parameter>newlabel</parameter></paramdef>
             </funcprototype>
           </funcsynopsis>
           
-          <informaltable frame="none">
+          <informaltable frame="none" pgwide="1">
             <tgroup cols="3">
               &mac.thead;
               
               <tbody>
                 <row>
                   <entry><parameter>cred</parameter></entry>
                   <entry>Subject credential</entry>
                 </row>
                 
                 <row>
                   <entry><parameter>vp</parameter></entry>
                   <entry>vnode to relabel</entry>
                 </row>
                 
                 <row>
                   <entry><parameter>vnodelabel</parameter></entry>
                   <entry>Existing policy label for
                     <parameter>vp</parameter></entry>
                 </row>
                 
                 <row>
                   <entry><parameter>newlabel</parameter></entry>
                   <entry>New, possibly partial label to replace
                     <parameter>vnodelabel</parameter></entry>
                 </row>
               </tbody>
             </tgroup>
           </informaltable>
           
           <para>Update the label on the passed vnode given the passed
             update vnode label and the passed subject credential.</para>
         </sect4>
 
         <sect4 id="mac-mpo-setlabel-vnode-extattr">
           <title><function>&mac.mpo;_setlabel_vnode_extattr</function></title>
 
           <funcsynopsis>
             <funcprototype>
               <funcdef>int
                 <function>&mac.mpo;_setlabel_vnode_extattr</function></funcdef>
 
               <paramdef>struct ucred
                 *<parameter>cred</parameter></paramdef>
               <paramdef>struct vnode
                 *<parameter>vp</parameter></paramdef>
               <paramdef>struct label
                 *<parameter>vlabel</parameter></paramdef>
               <paramdef>struct label
                 *<parameter>intlabel</parameter></paramdef>
             </funcprototype>
           </funcsynopsis>
 
-          <informaltable frame="none">
+          <informaltable frame="none" pgwide="1">
             <tgroup cols="3">
               &mac.thead;
 
               <tbody>
                 <row>
                   <entry><parameter>cred</parameter></entry>
                   <entry>Subject credential</entry>
                 </row>
 
                 <row>
                   <entry><parameter>vp</parameter></entry>
                   <entry>Vnode for which the label is being
                     written</entry>
                 </row>
 
                 <row>
                   <entry><parameter>vlabel</parameter></entry>
                   <entry>Policy label associated with
                     <parameter>vp</parameter></entry>
                 </row>
 
                 <row>
                   <entry><parameter>intlabel</parameter></entry>
                   <entry>Label to write out</entry>
                 </row>
               </tbody>
             </tgroup>
           </informaltable>
 
           <para>Write out the policy from
             <parameter>intlabel</parameter> to an extended
             attribute.  This is called from
             <function>vop_stdcreatevnode_ea</function>.</para>
         </sect4>
 
         <sect4 id="mac-mpo-update-devfsdirent">
           <title><function>&mac.mpo;_update_devfsdirent</function></title>
           <funcsynopsis>
             <funcprototype>
               <funcdef>void
                 <function>&mac.mpo;_update_devfsdirent</function></funcdef>
               
               <paramdef>struct devfs_dirent
                 *<parameter>devfs_dirent</parameter></paramdef>
               <paramdef>struct label
                 *<parameter>direntlabel</parameter></paramdef>
               <paramdef>struct vnode
                 *<parameter>vp</parameter></paramdef>
               <paramdef>struct label
                 *<parameter>vnodelabel</parameter></paramdef>
             </funcprototype>
           </funcsynopsis>
           
-          <informaltable frame="none">
+          <informaltable frame="none" pgwide="1">
             <tgroup cols="3">
               &mac.thead;
               
               <tbody>
                 <row>
                   <entry><parameter>devfs_dirent</parameter></entry>
                   <entry>Object; devfs directory entry</entry>
                 </row>
                 
                 <row>
                   <entry><parameter>direntlabel</parameter></entry>
                   <entry>Policy label for
                     <parameter>devfs_dirent</parameter> to be
                     updated.</entry>
                 </row>
                 
                 <row>
                   <entry><parameter>vp</parameter></entry>
                   <entry>Parent vnode</entry>
                   <entry>Locked</entry>
                 </row>
                 
                 <row>
                   <entry><parameter>vnodelabel</parameter></entry>
                   <entry>Policy label for
                     <parameter>vp</parameter></entry>
                 </row>
               </tbody>
             </tgroup>
           </informaltable>
           
           <para>Update the <parameter>devfs_dirent</parameter> label
             from the passed devfs vnode label.  This call will be made
             when a devfs vnode has been successfully relabeled to commit
             the label change such that it lasts even if the vnode is
             recycled.  It will also be made when when a symlink is
             created in devfs, following a call to
             <function>mac_vnode_create_from_vnode</function> to
             initialize the vnode label.</para>
         </sect4>
       </sect3>
       
       <sect3 id="mac-ipc-label-ops">
         <title>IPC Object Labeling Event Operations</title>
 
         
         <sect4 id="mac-mpo-create-mbuf-from-socket">
           <title><function>&mac.mpo;_create_mbuf_from_socket</function></title>
           
           <funcsynopsis>
             <funcprototype>
               <funcdef>void
                 <function>&mac.mpo;_create_mbuf_from_socket</function></funcdef>
               
               <paramdef>struct socket
                 *<parameter>so</parameter></paramdef>
               <paramdef>struct label
                 *<parameter>socketlabel</parameter></paramdef>
               <paramdef>struct mbuf *<parameter>m</parameter></paramdef>
               <paramdef>struct label
                 *<parameter>mbuflabel</parameter></paramdef>
             </funcprototype>
           </funcsynopsis>
           
-          <informaltable frame="none">
+          <informaltable frame="none" pgwide="1">
             <tgroup cols="3">
               &mac.thead;
               
               <tbody>
                 <row>
                   <entry><parameter>socket</parameter></entry>
                   <entry>Socket</entry>
                   <entry>Socket locking WIP</entry>
                 </row>
                 
                 <row>
                   <entry><parameter>socketlabel</parameter></entry>
                   <entry>Policy label for
                     <parameter>socket</parameter></entry>
                 </row>
                 
                 <row>
                   <entry><parameter>m</parameter></entry>
                   <entry>Object; mbuf</entry>
                 </row>
                 
                 <row>
                   <entry><parameter>mbuflabel</parameter></entry>
                   <entry>Policy label to fill in for
                     <parameter>m</parameter></entry>
                 </row>
               </tbody>
             </tgroup>
           </informaltable>
           
           <para>Set the label on a newly created mbuf header from the
             passed socket label.  This call is made when a new datagram
             or message is generated by the socket and stored in the
             passed mbuf.</para>
         </sect4>
 
         <sect4 id="mac-mpo-create-pipe">
           <title><function>&mac.mpo;_create_pipe</function></title>
 
           <funcsynopsis>
             <funcprototype>
               <funcdef>void
                 <function>&mac.mpo;_create_pipe</function></funcdef>
 
               <paramdef>struct ucred
                 *<parameter>cred</parameter></paramdef>
               <paramdef>struct pipe
                 *<parameter>pipe</parameter></paramdef>
               <paramdef>struct label
                 *<parameter>pipelabel</parameter></paramdef>
             </funcprototype>
           </funcsynopsis>
 
-          <informaltable frame="none">
+          <informaltable frame="none" pgwide="1">
             <tgroup cols="3">
               &mac.thead;
 
               <tbody>
                 <row>
                   <entry><parameter>cred</parameter></entry>
                   <entry>Subject credential</entry>
                 </row>
 
                 <row>
                   <entry><parameter>pipe</parameter></entry>
                   <entry>Pipe</entry>
                 </row>
 
                 <row>
                   <entry><parameter>pipelabel</parameter></entry>
                   <entry>Policy label associated with
                     <parameter>pipe</parameter></entry>
                 </row>
               </tbody>
             </tgroup>
           </informaltable>
 
           <para>Set the label on a newly created pipe from the passed
             subject credential.  This call is made when a new pipe is
             created.</para>
         </sect4>
         
         <sect4 id="mac-mpo-create-socket">
           <title><function>&mac.mpo;_create_socket</function></title>
           
           <funcsynopsis>
             <funcprototype>
               <funcdef>void
                 <function>&mac.mpo;_create_socket</function></funcdef>
               
               <paramdef>struct ucred
                 *<parameter>cred</parameter></paramdef>
               <paramdef>struct socket
                 *<parameter>so</parameter></paramdef>
               <paramdef>struct label
                 *<parameter>socketlabel</parameter></paramdef>
             </funcprototype>
           </funcsynopsis>
           
-          <informaltable frame="none">
+          <informaltable frame="none" pgwide="1">
             <tgroup cols="3">
               &mac.thead;
               
               <tbody>
                 <row>
                   <entry><parameter>cred</parameter></entry>
                   <entry>Subject credential</entry>
                   <entry>Immutable</entry>
                 </row>
                 
                 <row>
                   <entry><parameter>so</parameter></entry>
                   <entry>Object; socket to label</entry>
                 </row>
                 
                 <row>
                   <entry><parameter>socketlabel</parameter></entry>
                   <entry>Label to fill in for
                     <parameter>so</parameter></entry>
                 </row>
               </tbody>
             </tgroup>
           </informaltable>
           
           <para>Set the label on a newly created socket from the passed
             subject credential. This call is made when a socket is
             created.</para>
         </sect4>
 
         <sect4 id="mac-mpo-create-socket-from-socket">
           <title><function>&mac.mpo;_create_socket_from_socket</function></title>
 
           <funcsynopsis>
             <funcprototype>
               <funcdef>void
                 <function>&mac.mpo;_create_socket_from_socket</function></funcdef>
 
               <paramdef>struct socket
                 *<parameter>oldsocket</parameter></paramdef>
               <paramdef>struct label
                 *<parameter>oldsocketlabel</parameter></paramdef>
               <paramdef>struct socket
                 *<parameter>newsocket</parameter></paramdef>
               <paramdef>struct label
                 *<parameter>newsocketlabel</parameter></paramdef>
             </funcprototype>
           </funcsynopsis>
 
-          <informaltable frame="none">
+          <informaltable frame="none" pgwide="1">
             <tgroup cols="3">
               &mac.thead;
 
               <tbody>
                 <row>
                   <entry><parameter>oldsocket</parameter></entry>
                   <entry>Listening socket</entry>
                 </row>
 
                 <row>
                   <entry><parameter>oldsocketlabel</parameter></entry>
                   <entry>Policy label associated with
                     <parameter>oldsocket</parameter></entry>
                 </row>
 
                 <row>
                   <entry><parameter>newsocket</parameter></entry>
                   <entry>New socket</entry>
                 </row>
 
                 <row>
                   <entry><parameter>newsocketlabel</parameter></entry>
                   <entry>Policy label associated with
                     <parameter>newsocketlabel</parameter></entry>
                 </row>
               </tbody>
             </tgroup>
           </informaltable>
 
           <para>Label a socket, <parameter>newsocket</parameter>,
             newly &man.accept.2;ed, based on the &man.listen.2;
             socket, <parameter>oldsocket</parameter>.</para>
         </sect4>
 
         <sect4 id="mac-mpo-relabel-pipe">
           <title><function>&mac.mpo;_relabel_pipe</function></title>
 
           <funcsynopsis>
             <funcprototype>
               <funcdef>void
                 <function>&mac.mpo;_relabel_pipe</function></funcdef>
 
               <paramdef>struct ucred
                 *<parameter>cred</parameter></paramdef>
               <paramdef>struct pipe
                 *<parameter>pipe</parameter></paramdef>
               <paramdef>struct label
                 *<parameter>oldlabel</parameter></paramdef>
               <paramdef>struct label
                 *<parameter>newlabel</parameter></paramdef>
             </funcprototype>
           </funcsynopsis>
 
-          <informaltable frame="none">
+          <informaltable frame="none" pgwide="1">
             <tgroup cols="3">
               &mac.thead;
 
               <tbody>
                 <row>
                   <entry><parameter>cred</parameter></entry>
                   <entry>Subject credential</entry>
                 </row>
 
                 <row>
                   <entry><parameter>pipe</parameter></entry>
                   <entry>Pipe</entry>
                 </row>
 
                 <row>
                   <entry><parameter>oldlabel</parameter></entry>
                   <entry>Current policy label associated with
                     <parameter>pipe</parameter></entry>
                 </row>
 
                 <row>
                   <entry><parameter>newlabel</parameter></entry>
                   <entry>Policy label update to apply to
                     <parameter>pipe</parameter></entry>
                 </row>
               </tbody>
             </tgroup>
           </informaltable>
 
           <para>Apply a new label, <parameter>newlabel</parameter>, to
             <parameter>pipe</parameter>.</para>
         </sect4>
 
         <sect4 id="mac-mpo-relabel-socket">
           <title><function>&mac.mpo;_relabel_socket</function></title>
           
           <funcsynopsis>
             <funcprototype>
               <funcdef>void
                 <function>&mac.mpo;_relabel_socket</function></funcdef>
               
               <paramdef>struct ucred
                 *<parameter>cred</parameter></paramdef>
               <paramdef>struct socket
                 *<parameter>so</parameter></paramdef>
               <paramdef>struct label
                 *<parameter>oldlabel</parameter></paramdef>
               <paramdef>struct label
                 *<parameter>newlabel</parameter></paramdef>
             </funcprototype>
           </funcsynopsis>
           
-          <informaltable frame="none">
+          <informaltable frame="none" pgwide="1">
             <tgroup cols="3">
               &mac.thead;
               
               <tbody>
                 <row>
                   <entry><parameter>cred</parameter></entry>
                   <entry>Subject credential</entry>
                   <entry>Immutable</entry>
                 </row>
                 
                 <row>
                   <entry><parameter>so</parameter></entry>
                   <entry>Object; socket</entry>
                 </row>
                 
                 <row>
                   <entry><parameter>oldlabel</parameter></entry>
                   <entry>Current label for
                     <parameter>so</parameter></entry>
                 </row>
                 
                 <row>
                   <entry><parameter>newlabel</parameter></entry>
                   <entry>Label update for
                     <parameter>so</parameter></entry>
                 </row>
               </tbody>
             </tgroup>
           </informaltable>
           
           <para>Update the label on a socket from the passed socket
             label update.</para>
         </sect4>
         
         <sect4 id="mpo-set-socket-peer-from-mbuf">
           <title><function>&mac.mpo;_set_socket_peer_from_mbuf</function></title>
           
           <funcsynopsis>
             <funcprototype>
               <funcdef>void
                 <function>&mac.mpo;_set_socket_peer_from_mbuf</function></funcdef>
               
               <paramdef>struct mbuf
                 *<parameter>mbuf</parameter></paramdef>
               <paramdef>struct label
                 *<parameter>mbuflabel</parameter></paramdef>
               <paramdef>struct label
                 *<parameter>oldlabel</parameter></paramdef>
               <paramdef>struct label
                 *<parameter>newlabel</parameter></paramdef>
             </funcprototype>
           </funcsynopsis>
           
-          <informaltable frame="none">
+          <informaltable frame="none" pgwide="1">
             <tgroup cols="3">
               &mac.thead;
               
               <tbody>
                 <row>
                   <entry><parameter>mbuf</parameter></entry>
                   <entry>First datagram received over socket</entry>
                 </row>
                 
                 <row>
                   <entry><parameter>mbuflabel</parameter></entry>
                   <entry>Label for <parameter>mbuf</parameter></entry>
                 </row>
                 
                 <row>
                   <entry><parameter>oldlabel</parameter></entry>
                   <entry>Current label for the socket</entry>
                 </row>
                 
                 <row>
                   <entry><parameter>newlabel</parameter></entry>
                   <entry>Policy label to be filled out for the
                     socket</entry>
                 </row>
               </tbody>
             </tgroup>
           </informaltable>
           
           <para>Set the peer label on a stream socket from the passed
             mbuf label.  This call will be made when the first datagram
             is received by the stream socket, with the exception of Unix
             domain sockets.</para>
         </sect4>
         
         <sect4 id="mac-mpo-set-socket-peer-from-socket">
           <title><function>&mac.mpo;_set_socket_peer_from_socket</function></title>
           
           <funcsynopsis>
             <funcprototype>
               <funcdef>void
                 <function>&mac.mpo;_set_socket_peer_from_socket</function></funcdef>
               
               <paramdef>struct socket
                 *<parameter>oldsocket</parameter></paramdef>
               <paramdef>struct label
                 *<parameter>oldsocketlabel</parameter></paramdef>
               <paramdef>struct socket
                 *<parameter>newsocket</parameter></paramdef>
               <paramdef>struct label
                 *<parameter>newsocketpeerlabel</parameter></paramdef>
             </funcprototype>
           </funcsynopsis>
           
-          <informaltable frame="none">
+          <informaltable frame="none" pgwide="1">
             <tgroup cols="3">
               &mac.thead;
               
               <tbody>
                 <row>
                   <entry><parameter>oldsocket</parameter></entry>
                   <entry>Local socket</entry>
                 </row>
                 
                 <row>
                   <entry><parameter>oldsocketlabel</parameter></entry>
                   <entry>Policy label for
                     <parameter>oldsocket</parameter></entry>
                 </row>
                 
                 <row>
                   <entry><parameter>newsocket</parameter></entry>
                   <entry>Peer socket</entry>
                 </row>
                 
                 <row>
                   <entry><parameter>newsocketpeerlabel</parameter></entry>
                   <entry>Policy label to fill in for
                     <parameter>newsocket</parameter></entry>
                 </row>
               </tbody>
             </tgroup>
           </informaltable>
           
           <!-- XXX Passed _remote_ socket endpoint ? -->
           <para>Set the peer label on a stream UNIX domain socket from
             the passed remote socket endpoint.  This call will be made
             when the socket pair is connected, and will be made for both
             endpoints.</para>
         </sect4>
       </sect3>
       
       <sect3 id="mac-net-labeling-event-ops">
         <title>Network Object Labeling Event Operations</title>
         
         <sect4 id="mac-mpo-create-bpfdesc">
           <title><function>&mac.mpo;_create_bpfdesc</function></title>
           
           <funcsynopsis>
             <funcprototype>
               <funcdef>void
                 <function>&mac.mpo;_create_bpfdesc</function></funcdef>
               
               <paramdef>struct ucred
                 *<parameter>cred</parameter></paramdef>
               <paramdef>struct bpf_d
                 *<parameter>bpf_d</parameter></paramdef>
               <paramdef>struct label
                 *<parameter>bpflabel</parameter></paramdef>
             </funcprototype>
           </funcsynopsis>
           
-          <informaltable frame="none">
+          <informaltable frame="none" pgwide="1">
             <tgroup cols="3">
               &mac.thead;
               
               <tbody>
                 <row>
                   <entry><parameter>cred</parameter></entry>
                   <entry>Subject credential</entry>
                   <entry>Immutable</entry>
                 </row>
                 
                 <row>
                   <entry><parameter>bpf_d</parameter></entry>
                   <entry>Object; bpf descriptor</entry>
                 </row>
                 
                 <row>
                   <entry><parameter>bpf</parameter></entry>
                   <entry>Policy label to be filled in for
                     <parameter>bpf_d</parameter></entry>
                 </row>
               </tbody>
             </tgroup>
           </informaltable>
           
           <para>Set the label on a newly created BPF descriptor from the
             passed subject credential.  This call will be made when a
             BPF device node is opened by a process with the passed
             subject credential.</para>
         </sect4>
         
         <sect4 id="mac-mpo-create-ifnet">
           <title><function>&mac.mpo;_create_ifnet</function></title>
           
           <funcsynopsis>
             <funcprototype>
               <funcdef>void
                 <function>&mac.mpo;_create_ifnet</function></funcdef>
               
               <paramdef>struct ifnet
                 *<parameter>ifnet</parameter></paramdef>
               <paramdef>struct label
                 *<parameter>ifnetlabel</parameter></paramdef>
             </funcprototype>
           </funcsynopsis>
           
-          <informaltable frame="none">
+          <informaltable frame="none" pgwide="1">
             <tgroup cols="3">
               &mac.thead;
               
               <tbody>
                 <row>
                   <entry><parameter>ifnet</parameter></entry>
                   <entry>Network interface</entry>
                 </row>
                 
                 <row>
                   <entry><parameter>ifnetlabel</parameter></entry>
                   <entry>Policy label to fill in for
                     <parameter>ifnet</parameter></entry>
                 </row>
               </tbody>
             </tgroup>
           </informaltable>
           
           <para>Set the label on a newly created interface.  This call
             may be made when a new physical interface becomes available
             to the system, or when a pseudo-interface is instantiated
             during the boot or as a result of a user action.</para>
         </sect4>
         
         <sect4 id="mac-mpo-create-ipq">
           <title><function>&mac.mpo;_create_ipq</function></title>
           
           <funcsynopsis>
             <funcprototype>
               <funcdef>void
                 <function>&mac.mpo;_create_ipq</function></funcdef>
               
               <paramdef>struct mbuf
                 *<parameter>fragment</parameter></paramdef>
               <paramdef>struct label
                 *<parameter>fragmentlabel</parameter></paramdef>
               <paramdef>struct ipq
                 *<parameter>ipq</parameter></paramdef>
               <paramdef>struct label
                 *<parameter>ipqlabel</parameter></paramdef>
             </funcprototype>
           </funcsynopsis>
           
-          <informaltable frame="none">
+          <informaltable frame="none" pgwide="1">
             <tgroup cols="3">
               &mac.thead;
               
               <tbody>
                 <row>
                   <entry><parameter>fragment</parameter></entry>
                   <entry>First received IP fragment</entry>
                 </row>
                 
                 <row>
                   <entry><parameter>fragmentlabel</parameter></entry>
                   <entry>Policy label for
                     <parameter>fragment</parameter></entry>
                 </row>
                 
                 <row>
                   <entry><parameter>ipq</parameter></entry>
                   <entry>IP reassembly queue to be labeled</entry>
                 </row>
                 
                 <row>
                   <entry><parameter>ipqlabel</parameter></entry>
                   <entry>Policy label to be filled in for
                     <parameter>ipq</parameter></entry>
                 </row>
               </tbody>
             </tgroup>
           </informaltable>
           
           <para>Set the label on a newly created IP fragment reassembly
             queue from the mbuf header of the first received
             fragment.</para>
         </sect4>
         
         <sect4 id="mac-mpo-create-datagram-from-ipq">
           <title><function>&mac.mpo;_create_datagram_from_ipq</function></title>
           
           <funcsynopsis>
             <funcprototype>
               <funcdef>void
                 <function>&mac.mpo;_create_create_datagram_from_ipq</function></funcdef>
               
               <paramdef>struct ipq
                 *<parameter>ipq</parameter></paramdef>
               <paramdef>struct label
                 *<parameter>ipqlabel</parameter></paramdef>
               <paramdef>struct mbuf
                 *<parameter>datagram</parameter></paramdef>
               <paramdef>struct label
                 *<parameter>datagramlabel</parameter></paramdef>
             </funcprototype>
           </funcsynopsis>
           
-          <informaltable frame="none">
+          <informaltable frame="none" pgwide="1">
             <tgroup cols="3">
               &mac.thead;
               
               <tbody>
                 <row>
                   <entry><parameter>ipq</parameter></entry>
                   <entry>IP reassembly queue</entry>
                 </row>
                 
                 <row>
                   <entry><parameter>ipqlabel</parameter></entry>
                   <entry>Policy label for
                     <parameter>ipq</parameter></entry>
                 </row>
                 
                 <row>
                   <entry><parameter>datagram</parameter></entry>
                   <entry>Datagram to be labeled</entry>
                 </row>
                 
                 <row>
                   <entry><parameter>datagramlabel</parameter></entry>
                   <entry>Policy label to be filled in for
                     <parameter>datagramlabel</parameter></entry>
                 </row>
               </tbody>
             </tgroup>
           </informaltable>
           
           <para>Set the label on a newly reassembled IP datagram from
             the IP fragment reassembly queue from which it was
             generated.</para>
         </sect4>
         
         <sect4 id="mac-mpo-create-fragment">
           <title><function>&mac.mpo;_create_fragment</function></title>
           
           <funcsynopsis>
             <funcprototype>
               <funcdef>void
                 <function>&mac.mpo;_create_fragment</function></funcdef>
               
               <paramdef>struct mbuf
                 *<parameter>datagram</parameter></paramdef>
               <paramdef>struct label
                 *<parameter>datagramlabel</parameter></paramdef>
               <paramdef>struct mbuf
                 *<parameter>fragment</parameter></paramdef>
               <paramdef>struct label
                 *<parameter>fragmentlabel</parameter></paramdef>
             </funcprototype>
           </funcsynopsis>
           
-          <informaltable frame="none">
+          <informaltable frame="none" pgwide="1">
             <tgroup cols="3">
               &mac.thead;
               
               <tbody>
                 <row>
                   <entry><parameter>datagram</parameter></entry>
                   <entry>Datagram</entry>
                 </row>
                 
                 <row>
                   <entry><parameter>datagramlabel</parameter></entry>
                   <entry>Policy label for
                     <parameter>datagram</parameter></entry>
                 </row>
                 
                 <row>
                   <entry><parameter>fragment</parameter></entry>
                   <entry>Fragment to be labeled</entry>
                 </row>
                 
                 <row>
                   <entry><parameter>fragmentlabel</parameter></entry>
                   <entry>Policy label to be filled in for
                     <parameter>datagram</parameter></entry>
                 </row>
               </tbody>
             </tgroup>
           </informaltable>
           
           <para>Set the label on the mbuf header of a newly created IP
             fragment from the label on the mbuf header of the datagram
             it was generate from.</para>
         </sect4>
         
         <sect4 id="mac-mpo-create-mbuf-from-mbuf">
           <title><function>&mac.mpo;_create_mbuf_from_mbuf</function></title>
           
           <funcsynopsis>
             <funcprototype>
               <funcdef>void
                 <function>&mac.mpo;_create_mbuf_from_mbuf</function></funcdef>
               
               <paramdef>struct mbuf
                 *<parameter>oldmbuf</parameter></paramdef>
               <paramdef>struct label
                 *<parameter>oldmbuflabel</parameter></paramdef>
               <paramdef>struct mbuf
                 *<parameter>newmbuf</parameter></paramdef>
               <paramdef>struct label
                 *<parameter>newmbuflabel</parameter></paramdef>
             </funcprototype>
           </funcsynopsis>
           
-          <informaltable frame="none">
+          <informaltable frame="none" pgwide="1">
             <tgroup cols="3">
               &mac.thead;
               
               <tbody>
                 <row>
                   <entry><parameter>oldmbuf</parameter></entry>
                   <entry>Existing (source) mbuf</entry>
                 </row>
                 
                 <row>
                   <entry><parameter>oldmbuflabel</parameter></entry>
                   <entry>Policy label for
                     <parameter>oldmbuf</parameter></entry>
                 </row>
                 
                 <row>
                   <entry><parameter>newmbuf</parameter></entry>
                   <entry>New mbuf to be labeled</entry>
                 </row>
                 
                 <row>
                   <entry><parameter>newmbuflabel</parameter></entry>
                   <entry>Policy label to be filled in for
                     <parameter>newmbuf</parameter></entry>
                 </row>
               </tbody>
             </tgroup>
           </informaltable>
           
           <para>Set the label on the mbuf header of a newly created
             datagram from the mbuf header of an existing datagram.  This
             call may be made in a number of situations, including when
             an mbuf is re-allocated for alignment purposes.</para>
         </sect4>
         
         <sect4 id="mac-mpo-create-mbuf-linklayer">
           <title><function>&mac.mpo;_create_mbuf_linklayer</function></title>
           
           <funcsynopsis>
             <funcprototype>
               <funcdef>void
                 <function>&mac.mpo;_create_mbuf_linklayer</function></funcdef>
               
               <paramdef>struct ifnet
                 *<parameter>ifnet</parameter></paramdef>
               <paramdef>struct label
                 *<parameter>ifnetlabel</parameter></paramdef>
               <paramdef>struct mbuf
                 *<parameter>mbuf</parameter></paramdef>
               <paramdef>struct label
                 *<parameter>mbuflabel</parameter></paramdef>
             </funcprototype>
           </funcsynopsis>
           
-          <informaltable frame="none">
+          <informaltable frame="none" pgwide="1">
             <tgroup cols="3">
               &mac.thead;
               
               <tbody>
                 <row>
                   <entry><parameter>ifnet</parameter></entry>
                   <entry>Network interface</entry>
                 </row>
                 
                 <row>
                   <entry><parameter>ifnetlabel</parameter></entry>
                   <entry>Policy label for
                     <parameter>ifnet</parameter></entry>
                 </row>
                 
                 <row>
                   <entry><parameter>mbuf</parameter></entry>
                   <entry>mbuf header for new datagram</entry>
                 </row>
                 
                 <row>
                   <entry><parameter>mbuflabel</parameter></entry>
                   <entry>Policy label to be filled in for
                     <parameter>mbuf</parameter></entry>
                 </row>
               </tbody>
             </tgroup>
           </informaltable>
           
           <para>Set the label on the mbuf header of a newly created
             datagram generated for the purposes of a link layer response
             for the passed interface.  This call may be made in a number
             of situations, including for ARP or ND6 responses in the
             IPv4 and IPv6 stacks.</para>
         </sect4>
         
         <sect4 id="mac-mpo-create-mbuf-from-bpfdesc">
           <title><function>&mac.mpo;_create_mbuf_from_bpfdesc</function></title>
           
           <funcsynopsis>
             <funcprototype>
               <funcdef>void
                 <function>&mac.mpo;_create_mbuf_from_bpfdesc</function></funcdef>
               
               <paramdef>struct bpf_d
                 *<parameter>bpf_d</parameter></paramdef>
               <paramdef>struct label
                 *<parameter>bpflabel</parameter></paramdef>
               <paramdef>struct mbuf
                 *<parameter>mbuf</parameter></paramdef>
               <paramdef>struct label
                 *<parameter>mbuflabel</parameter></paramdef>
             </funcprototype>
           </funcsynopsis>
           
-          <informaltable frame="none">
+          <informaltable frame="none" pgwide="1">
             <tgroup cols="3">
               &mac.thead;
               
               <tbody>
                 <row>
                   <entry><parameter>bpf_d</parameter></entry>
                   <entry>BPF descriptor</entry>
                 </row>
                 
                 <row>
                   <entry><parameter>bpflabel</parameter></entry>
                   <entry>Policy label for
                     <parameter>bpflabel</parameter></entry>
                 </row>
                 
                 <row>
                   <entry><parameter>mbuf</parameter></entry>
                   <entry>New mbuf to be labeled</entry>
                 </row>
                 
                 <row>
                   <entry><parameter>mbuflabel</parameter></entry>
                   <entry>Policy label to fill in for
                     <parameter>mbuf</parameter></entry>
                 </row>
               </tbody>
             </tgroup>
           </informaltable>
           
           <para>Set the label on the mbuf header of a newly created
             datagram generated using the passed BPF descriptor.  This
             call is made when a write is performed to the BPF device
             associated with the passed BPF descriptor.</para>
         </sect4>
         
         <sect4 id="mac-mpo-create-mbuf-from-ifnet">
           <title><function>&mac.mpo;_create_mbuf_from_ifnet</function></title>
           
           <funcsynopsis>
             <funcprototype>
               <funcdef>void
                 <function>&mac.mpo;_create_mbuf_from_ifnet</function></funcdef>
               
               <paramdef>struct ifnet
                 *<parameter>ifnet</parameter></paramdef>
               <paramdef>struct label
                 *<parameter>ifnetlabel</parameter></paramdef>
               <paramdef>struct mbuf
                 *<parameter>mbuf</parameter></paramdef>
               <paramdef>struct label
                 *<parameter>mbuflabel</parameter></paramdef>
             </funcprototype>
           </funcsynopsis>
           
-          <informaltable frame="none">
+          <informaltable frame="none" pgwide="1">
             <tgroup cols="3">
               &mac.thead;
               
               <tbody>
                 <row>
                   <entry><parameter>ifnet</parameter></entry>
                   <entry>Network interface</entry>
                 </row>
                 
                 <row>
                  <entry><parameter>ifnetlabel</parameter></entry>
                   <entry>Policy label for
                     <parameter>ifnetlabel</parameter></entry>
                 </row>
                 
                 <row>
                   <entry><parameter>mbuf</parameter></entry>
                   <entry>mbuf header for new datagram</entry>
                 </row>
                 
                 <row>
                   <entry><parameter>mbuflabel</parameter></entry>
                   <entry>Policy label to be filled in for
                     <parameter>mbuf</parameter></entry>
                 </row>
               </tbody>
             </tgroup>
           </informaltable>
           
           <para>Set the label on the mbuf header of a newly created
             datagram generated from the passed network interface.</para>
         </sect4>
         
         <sect4 id="mac-mpo-create-mbuf-multicast-encap">
           <title><function>&mac.mpo;_create_mbuf_multicast_encap</function></title>
           
           <funcsynopsis>
             <funcprototype>
               <funcdef>void
                 <function>&mac.mpo;_create_mbuf_multicast_encap</function></funcdef>
               
               <paramdef>struct mbuf
                 *<parameter>oldmbuf</parameter></paramdef>
               <paramdef>struct label
                 *<parameter>oldmbuflabel</parameter></paramdef>
               <paramdef>struct ifnet
                 *<parameter>ifnet</parameter></paramdef>
               <paramdef>struct label
                 *<parameter>ifnetlabel</parameter></paramdef>
               <paramdef>struct mbuf
                 *<parameter>newmbuf</parameter></paramdef>
               <paramdef>struct label
                 *<parameter>newmbuflabel</parameter></paramdef>
             </funcprototype>
           </funcsynopsis>
           
-          <informaltable frame="none">
+          <informaltable frame="none" pgwide="1">
             <tgroup cols="3">
               &mac.thead;
               
               <tbody>
                 <row>
                   <entry><parameter>oldmbuf</parameter></entry>
                   <entry>mbuf header for existing datagram</entry>
                 </row>
                 
                 <row>
                   <entry><parameter>oldmbuflabel</parameter></entry>
                   <entry>Policy label for
                     <parameter>oldmbuf</parameter></entry>
                 </row>
                 
                 <row>
                   <entry><parameter>ifnet</parameter></entry>
                   <entry>Network interface</entry>
                 </row>
                 
                 <row>
                   <entry><parameter>ifnetlabel</parameter></entry>
                   <entry>Policy label for
                     <parameter>ifnet</parameter></entry>
                 </row>
                 
                 <row>
                   <entry><parameter>newmbuf</parameter></entry>
                   <entry>mbuf header to be labeled for new
                     datagram</entry>
                 </row>
                 
                 <row>
                   <entry><parameter>newmbuflabel</parameter></entry>
                   <entry>Policy label to be filled in for
                     <parameter>newmbuf</parameter></entry>
                 </row>
               </tbody>
             </tgroup>
           </informaltable>
           
           <para>Set the label on the mbuf header of a newly created
             datagram generated from the existing passed datagram when it
             is processed by the passed multicast encapsulation
             interface.  This call is made when an mbuf is to be
             delivered using the virtual interface.</para>
         </sect4>
         
         <sect4 id="mac-mpo-create-mbuf-netlayer">
           <title><function>&mac.mpo;_create_mbuf_netlayer</function></title>
           
           <funcsynopsis>
             <funcprototype>
               <funcdef>void
                 <function>&mac.mpo;_create_mbuf_netlayer</function></funcdef>
               
               <paramdef>struct mbuf
                 *<parameter>oldmbuf</parameter></paramdef>
               <paramdef>struct label
                 *<parameter>oldmbuflabel</parameter></paramdef>
               <paramdef>struct mbuf
                 *<parameter>newmbuf</parameter></paramdef>
               <paramdef>struct label
                 *<parameter>newmbuflabel</parameter></paramdef>
             </funcprototype>
           </funcsynopsis>
           
-          <informaltable frame="none">
+          <informaltable frame="none" pgwide="1">
             <tgroup cols="3">
               &mac.thead;
               
               <tbody>
                 <row>
                   <entry><parameter>oldmbuf</parameter></entry>
                   <entry>Received datagram</entry>
                 </row>
                 
                 <row>
                   <entry><parameter>oldmbuflabel</parameter></entry>
                   <entry>Policy label for
                     <parameter>oldmbuf</parameter></entry>
                 </row>
                 
                 <row>
                   <entry><parameter>newmbuf</parameter></entry>
                   <entry>Newly created datagram</entry>
                 </row>
                 
                 <row>
                   <entry><parameter>newmbuflabel</parameter></entry>
                   <entry>Policy label for
                     <parameter>newmbuf</parameter></entry>
                 </row>
               </tbody>
             </tgroup>
           </informaltable>
           
           <para>Set the label on the mbuf header of a newly created
             datagram generated by the IP stack in response to an
             existing received datagram (<parameter>oldmbuf</parameter>).
             This call may be made in a number of situations, including
             when responding to ICMP request datagrams.</para>
         </sect4>
         
         <sect4 id="mac-mpo-fragment-match">
           <title><function>&mac.mpo;_fragment_match</function></title>
           
           <funcsynopsis>
             <funcprototype>
               <funcdef>int
                 <function>&mac.mpo;_fragment_match</function></funcdef>
               
               <paramdef>struct mbuf
                 *<parameter>fragment</parameter></paramdef>
               <paramdef>struct label
                 *<parameter>fragmentlabel</parameter></paramdef>
               <paramdef>struct ipq
                 *<parameter>ipq</parameter></paramdef>
               <paramdef>struct label
                 *<parameter>ipqlabel</parameter></paramdef>
             </funcprototype>
           </funcsynopsis>
           
-          <informaltable frame="none">
+          <informaltable frame="none" pgwide="1">
             <tgroup cols="3">
               &mac.thead;
               
               <tbody>
                 <row>
                   <entry><parameter>fragment</parameter></entry>
                   <entry>IP datagram fragment</entry>
                 </row>
                 
                 <row>
                   <entry><parameter>fragmentlabel</parameter></entry>
                   <entry>Policy label for
                     <parameter>fragment</parameter></entry>
                 </row>
                 
                 <row>
                   <entry><parameter>ipq</parameter></entry>
                   <entry>IP fragment reassembly queue</entry>
                 </row>
                 
                 <row>
                   <entry><parameter>ipqlabel</parameter></entry>
                   <entry>Policy label for
                     <parameter>ipq</parameter></entry>
                 </row>
               </tbody>
             </tgroup>
           </informaltable>
           
           <para>Determine whether an mbuf header containing an IP
             datagram (<parameter>fragment</parameter>) fragment matches
             the label of the passed IP fragment reassembly queue
             (<parameter>ipq</parameter>).  Return
             (<returnvalue>1</returnvalue>) for a successful match, or
             (<returnvalue>0</returnvalue>) for no match.  This call is
             made when the IP stack attempts to find an existing fragment
             reassembly queue for a newly received fragment; if this
             fails, a new fragment reassembly queue may be instantiated
             for the fragment. Policies may use this entry point to
             prevent the reassembly of otherwise matching IP fragments if
             policy does not permit them to be reassembled based on the
             label or other information.</para>
         </sect4>
         
         <sect4 id="mac-mpo-ifnet-relabel">
           <title><function>&mac.mpo;_relabel_ifnet</function></title>
           
           <funcsynopsis>
             <funcprototype>
               <funcdef>void
                 <function>&mac.mpo;_relabel_ifnet</function></funcdef>
               
               <paramdef>struct ucred
                 *<parameter>cred</parameter></paramdef>
               <paramdef>struct ifnet
                 *<parameter>ifnet</parameter></paramdef>
               <paramdef>struct label
                 *<parameter>ifnetlabel</parameter></paramdef>
               <paramdef>struct label
                 *<parameter>newlabel</parameter></paramdef>
             </funcprototype>
           </funcsynopsis>
           
-          <informaltable frame="none">
+          <informaltable frame="none" pgwide="1">
             <tgroup cols="3">
               &mac.thead;
               
               <tbody>
                 <row>
                   <entry><parameter>cred</parameter></entry>
                   <entry>Subject credential</entry>
                 </row>
                 
                 <row>
                   <entry><parameter>ifnet</parameter></entry>
                   <entry>Object; Network interface</entry>
                 </row>
                 
                 <row>
                   <entry><parameter>ifnetlabel</parameter></entry>
                   <entry>Policy label for
                     <parameter>ifnet</parameter></entry>
                 </row>
                 
                 <row>
                   <entry><parameter>newlabel</parameter></entry>
                   <entry>Label update to apply to
                     <parameter>ifnet</parameter></entry>
                 </row>
               </tbody>
             </tgroup>
           </informaltable>
           
           <para>Update the label of network interface,
             <parameter>ifnet</parameter>, based on the passed update
             label, <parameter>newlabel</parameter>, and the passed
             subject credential, <parameter>cred</parameter>.</para>
         </sect4>
         
         <sect4 id="mac-mpo-update-ipq">
           <title><function>&mac.mpo;_update_ipq</function></title>
           
           <funcsynopsis>
             <funcprototype>
               <funcdef>void
                 <function>&mac.mpo;_update_ipq</function></funcdef>
               
               <paramdef>struct mbuf
                 *<parameter>fragment</parameter></paramdef>
               <paramdef>struct label
                 *<parameter>fragmentlabel</parameter></paramdef>
               <paramdef>struct ipq
                 *<parameter>ipq</parameter></paramdef>
               <paramdef>struct label
                 *<parameter>ipqlabel</parameter></paramdef>
             </funcprototype>
           </funcsynopsis>
           
-          <informaltable frame="none">
+          <informaltable frame="none" pgwide="1">
             <tgroup cols="3">
               &mac.thead;
               
               <tbody>
                 <row>
                   <entry><parameter>mbuf</parameter></entry>
                   <entry>IP fragment</entry>
                 </row>
                 
                 <row>
                   <entry><parameter>mbuflabel</parameter></entry>
                   <entry>Policy label for
                     <parameter>mbuf</parameter></entry>
                 </row>
                 
                 <row>
                   <entry><parameter>ipq</parameter></entry>
                   <entry>IP fragment reassembly queue</entry>
                 </row>
                 
                 <row>
                   <entry><parameter>ipqlabel</parameter></entry>
                   <entry>Policy label to be updated for
                     <parameter>ipq</parameter></entry>
                 </row>
               </tbody>
             </tgroup>
           </informaltable>
           
           <para>Update the label on an IP fragment reassembly queue
             (<parameter>ipq</parameter>) based on the acceptance of the
             passed IP fragment mbuf header
             (<parameter>mbuf</parameter>).</para>
         </sect4>
       </sect3>
       
       <sect3 id="mac-proc-labeling-event-ops">
         <title>Process Labeling Event Operations</title>
         
         <sect4 id="mac-mpo-create-cred">
           <title><function>&mac.mpo;_create_cred</function></title>
           
           <funcsynopsis>
             <funcprototype>
               <funcdef>void
                 <function>&mac.mpo;_create_cred</function></funcdef>
               
               <paramdef>struct ucred
                 *<parameter>parent_cred</parameter></paramdef>
               <paramdef>struct ucred
                 *<parameter>child_cred</parameter></paramdef>
             </funcprototype>
           </funcsynopsis>
           
-          <informaltable frame="none">
+          <informaltable frame="none" pgwide="1">
             <tgroup cols="3">
               &mac.thead;
               
               <tbody>
                 <row>
                   <entry><parameter>parent_cred</parameter></entry>
                   <entry>Parent subject credential</entry>
                 </row>
                 
                 <row>
                   <entry><parameter>child_cred</parameter></entry>
                   <entry>Child subject credential</entry>
                 </row>
               </tbody>
             </tgroup>
           </informaltable>
           
           <para>Set the label of a newly created subject credential from
             the passed subject credential.  This call will be made when
             &man.crcopy.9; is invoked on a newly created <type>struct
               ucred</type>.  This call should not be confused with a
             process forking or creation event.</para>
         </sect4>
         
         <sect4 id="mac-mpo-execve-transition">
           <title><function>&mac.mpo;_execve_transition</function></title>
           
           <funcsynopsis>
             <funcprototype>
               <funcdef>void
                 <function>&mac.mpo;_execve_transition</function></funcdef>
               
               <paramdef>struct ucred
                 *<parameter>old</parameter></paramdef>
               <paramdef>struct ucred
                 *<parameter>new</parameter></paramdef>
               <paramdef>struct vnode
                 *<parameter>vp</parameter></paramdef>
               <paramdef>struct label
                 *<parameter>vnodelabel</parameter></paramdef>
             </funcprototype>
           </funcsynopsis>
           
-          <informaltable frame="none">
+          <informaltable frame="none" pgwide="1">
             <tgroup cols="3">
               &mac.thead;
               
               <tbody>
                 <row>
                   <entry><parameter>old</parameter></entry>
                   <entry>Existing subject credential</entry>
                   <entry>Immutable</entry>
                 </row>
                 
                 <row>
                   <entry><parameter>new</parameter></entry>
                   <entry>New subject credential to be labeled</entry>
                 </row>
                 
                 <row>
                   <entry><parameter>vp</parameter></entry>
                   <entry>File to execute</entry>
                   <entry>Locked</entry>
                 </row>
                 
                 <row>
                   <entry><parameter>vnodelabel</parameter></entry>
                   <entry>Policy label for
                     <parameter>vp</parameter></entry>
                 </row>
               </tbody>
             </tgroup>
           </informaltable>
           
           <para>Update the label of a newly created subject credential
             (<parameter>new</parameter>) from the passed existing
             subject credential (<parameter>old</parameter>) based on a
             label transition caused by executing the passed vnode
             (<parameter>vp</parameter>).  This call occurs when a
             process executes the passed vnode and one of the policies
             returns a success from the
             <function>mpo_execve_will_transition</function> entry point.
             Policies may choose to implement this call simply by
             invoking <function>mpo_create_cred</function> and passing
             the two subject credentials so as not to implement a
             transitioning event.  Policies should not leave this entry
             point unimplemented if they implement
             <function>mpo_create_cred</function>, even if they do not
             implement
             <function>mpo_execve_will_transition</function>.</para>
         </sect4>
         
         <sect4 id="mac-mpo-execve-will-transition">
           <title><function>&mac.mpo;_execve_will_transition</function></title>
           
           <funcsynopsis>
             <funcprototype>
               <funcdef>int
                 <function>&mac.mpo;_execve_will_transition</function></funcdef>
               
               <paramdef>struct ucred
                 *<parameter>old</parameter></paramdef>
               <paramdef>struct vnode
                 *<parameter>vp</parameter></paramdef>
               <paramdef>struct label
                 *<parameter>vnodelabel</parameter></paramdef>
             </funcprototype>
           </funcsynopsis>
           
-          <informaltable frame="none">
+          <informaltable frame="none" pgwide="1">
             <tgroup cols="3">
               &mac.thead;
               
               <tbody>
                 <row>
                   <entry><parameter>old</parameter></entry>
                   <entry>Subject credential prior to
                       &man.execve.2;</entry>
                   <entry>Immutable</entry>
                 </row>
                 
                 <row>
                   <entry><parameter>vp</parameter></entry>
                   <entry>File to execute</entry>
                 </row>
                 
                 <row>
                   <entry><parameter>vnodelabel</parameter></entry>
                   <entry>Policy label for
                     <parameter>vp</parameter></entry>
                 </row>
               </tbody>
             </tgroup>
           </informaltable>
           
           <para>Determine whether the policy will want to perform a
             transition event as a result of the execution of the passed
             vnode by the passed subject credential.  Return
             <returnvalue>1</returnvalue> if a transition is required,
             <returnvalue>0</returnvalue> if not.  Even if a policy
             returns <returnvalue>0</returnvalue>, it should behave
             correctly in the presence of an unexpected invocation of
             <function>mpo_execve_transition</function>, as that call may
             happen as a result of another policy requesting a
             transition.</para>
         </sect4>
         
         <sect4 id="mac-mpo-create-proc0">
           <title><function>&mac.mpo;_create_proc0</function></title>
           
           <funcsynopsis>
             <funcprototype>
               <funcdef>void
                 <function>&mac.mpo;_create_proc0</function></funcdef>
               
               <paramdef>struct ucred
                 *<parameter>cred</parameter></paramdef>
             </funcprototype>
           </funcsynopsis>
           
-          <informaltable frame="none">
+          <informaltable frame="none" pgwide="1">
             <tgroup cols="3">
               &mac.thead;
               
               <tbody>
                 <row>
                   <entry><parameter>cred</parameter></entry>
                   <entry>Subject credential to be filled in</entry>
                 </row>
               </tbody>
             </tgroup>
           </informaltable>
           
           <para>Create the subject credential of process 0, the parent
             of all kernel processes.</para>
         </sect4>
         
         <sect4 id="mac-mpo-create-proc1">
           <title><function>&mac.mpo;_create_proc1</function></title>
           
           <funcsynopsis>
             <funcprototype>
               <funcdef>void
                 <function>&mac.mpo;_create_proc1</function></funcdef>
               
               <paramdef>struct ucred
                 *<parameter>cred</parameter></paramdef>
             </funcprototype>
           </funcsynopsis>
           
-          <informaltable frame="none">
+          <informaltable frame="none" pgwide="1">
             <tgroup cols="3">
               &mac.thead;
               
               <tbody>
                 <row>
                   <entry><parameter>cred</parameter></entry>
                   <entry>Subject credential to be filled in</entry>
                 </row>
               </tbody>
             </tgroup>
           </informaltable>
           
           <para>Create the subject credential of process 1, the parent
             of all user processes.</para>
         </sect4>
         
         <sect4 id="mac-mpo-relabel-cred">
           <title><function>&mac.mpo;_relabel_cred</function></title>
           
           <funcsynopsis>
             <funcprototype>
               <funcdef>void
                 <function>&mac.mpo;_relabel_cred</function></funcdef>
               
               <paramdef>struct ucred
                 *<parameter>cred</parameter></paramdef>
               <paramdef>struct label
                 *<parameter>newlabel</parameter></paramdef>
             </funcprototype>
           </funcsynopsis>
           
-          <informaltable frame="none">
+          <informaltable frame="none" pgwide="1">
             <tgroup cols="3">
               &mac.thead;
               
               <tbody>
                 <row>
                   <entry><parameter>cred</parameter></entry>
                   <entry>Subject credential</entry>
                 </row>
                 
                 <row>
                   <entry><parameter>newlabel</parameter></entry>
                   <entry>Label update to apply to
                     <parameter>cred</parameter></entry>
                 </row>
               </tbody>
             </tgroup>
           </informaltable>
           
           <para>Update the label on a subject credential from the passed
             update label.</para>
         </sect4>
 
 
 
       </sect3>
     </sect2>
     
     <sect2 id="mac-access-control-checks">
       <title>Access Control Checks</title>
       
       <para>Access control entry points permit policy modules to
         influence access control decisions made by the kernel.
         Generally, although not always, arguments to an access control
         entry point will include one or more authorizing credentials,
         information (possibly including a label) for any other objects
         involved in the operation.  An access control entry point may
         return 0 to permit the operation, or an &man.errno.2; error
         value.  The results of invoking the entry point across various
         registered policy modules will be composed as follows: if all
         modules permit the operation to succeed, success will be
         returned.  If one or modules returns a failure, a failure will
         be returned.  If more than one module returns a failure, the
         errno value to return to the user will be selected using the
         following precedence, implemented by the
         <function>error_select()</function> function in
         <filename>kern_mac.c</filename>:</para>
       
-      <informaltable frame="none">
+      <informaltable frame="none" pgwide="1">
         <tgroup cols="2">
           <tbody>
             <row>
               <entry>Most precedence</entry>
               <entry><errorcode>EDEADLK</errorcode></entry></row>
             
             <row>
               <entry></entry>
               <entry><errorcode>EINVAL</errorcode></entry>
             </row>
             <row>
               <entry></entry>
               <entry><errorcode>ESRCH</errorcode></entry>
             </row>
             <row>
               <entry></entry>
               <entry>EACCES</entry>
             </row>
             <row>
               <entry>Least precedence</entry>
               <entry>EPERM</entry>
             </row>
           </tbody>
         </tgroup>
       </informaltable>
       
       <para>If none of the error values returned by all modules are
         listed in the precedence chart then an arbitrarily selected
         value from the set will be returned.  In general, the rules
         provide precedence to errors in the following order: kernel
         failures, invalid arguments, object not present, access not
         permitted, other.</para>
       
       <sect3 id="mac-mpo-bpfdesc-check-receive-from-ifnet">
         <title><function>&mac.mpo;_check_bpfdesc_receive</function></title>
         
         <funcsynopsis>
           <funcprototype>
             <funcdef>int
               <function>&mac.mpo;_check_bpfdesc_receive</function></funcdef>
             
             <paramdef>struct bpf_d
               *<parameter>bpf_d</parameter></paramdef>
             <paramdef>struct label
               *<parameter>bpflabel</parameter></paramdef>
             <paramdef>struct ifnet
               *<parameter>ifnet</parameter></paramdef>
             <paramdef>struct label
               *<parameter>ifnetlabel</parameter></paramdef>
           </funcprototype>
         </funcsynopsis>
         
-        <informaltable frame="none">
+        <informaltable frame="none" pgwide="1">
           <tgroup cols="3">
             &mac.thead;
             
             <tbody>
               <row>
                 <entry><parameter>bpf_d</parameter></entry>
                 <entry>Subject; BPF descriptor</entry>
               </row>
               
               <row>
                 <entry><parameter>bpflabel</parameter></entry>
                 <entry>Policy label for
                   <parameter>bpf_d</parameter></entry>
               </row>
               
               <row>
                 <entry><parameter>ifnet</parameter></entry>
                 <entry>Object; network interface</entry>
               </row>
               
               <row>
                 <entry><parameter>ifnetlabel</parameter></entry>
                 <entry>Policy label for
                   <parameter>ifnet</parameter></entry>
               </row>
             </tbody>
           </tgroup>
         </informaltable>
         
         <para>Determine whether the MAC framework should permit
           datagrams from the passed interface to be delivered to the
           buffers of the passed BPF descriptor.  Return
           (<returnvalue>0</returnvalue>) for success, or an
           <varname>errno</varname> value for failure Suggested
           failure: <errorcode>EACCES</errorcode> for label mismatches,
           <errorcode>EPERM</errorcode> for lack of privilege.</para>
       </sect3>
 
       <sect3 id="mac-mpo-check-kenv-dump">
         <title><function>&mac.mpo;_check_kenv_dump</function></title>
 
         <funcsynopsis>
           <funcprototype>
             <funcdef>int
               <function>&mac.mpo;_check_kenv_dump</function></funcdef>
 
             <paramdef>struct ucred
               *<parameter>cred</parameter></paramdef>
           </funcprototype>
         </funcsynopsis>
 
-        <informaltable frame="none">
+        <informaltable frame="none" pgwide="1">
           <tgroup cols="3">
             &mac.thead;
 
             <tbody>
               <row>
                 <entry><parameter>cred</parameter></entry>
                 <entry>Subject credential</entry>
               </row>
             </tbody>
           </tgroup>
         </informaltable>
 
         <para>Determine whether the subject should be allowed to
           retrieve the kernel environment (see &man.kenv.2;).</para>
       </sect3>
 
       <sect3 id="mac-mpo-check-kenv-get">
         <title><function>&mac.mpo;_check_kenv_get</function></title>
 
         <funcsynopsis>
           <funcprototype>
             <funcdef>int
               <function>&mac.mpo;_check_kenv_get</function></funcdef>
 
             <paramdef>struct ucred
               *<parameter>cred</parameter></paramdef>
             <paramdef>char *<parameter>name</parameter></paramdef>
           </funcprototype>
         </funcsynopsis>
 
-        <informaltable frame="none">
+        <informaltable frame="none" pgwide="1">
           <tgroup cols="3">
             &mac.thead;
 
             <tbody>
               <row>
                 <entry><parameter>cred</parameter></entry>
                 <entry>Subject credential</entry>
               </row>
 
               <row>
                 <entry><parameter>name</parameter></entry>
                 <entry>Kernel environment variable name</entry>
               </row>
             </tbody>
           </tgroup>
         </informaltable>
 
         <para>Determine whether the subject should be allowed to
           retrieve the value of the specified kernel environment
           variable.</para>
       </sect3>
 
       <sect3 id="mac-mpo-check-kenv-set">
         <title><function>&mac.mpo;_check_kenv_set</function></title>
 
         <funcsynopsis>
           <funcprototype>
             <funcdef>int
               <function>&mac.mpo;_check_kenv_set</function></funcdef>
 
             <paramdef>struct ucred
               *<parameter>cred</parameter></paramdef>
             <paramdef>char *<parameter>name</parameter></paramdef>
           </funcprototype>
         </funcsynopsis>
 
-        <informaltable frame="none">
+        <informaltable frame="none" pgwide="1">
           <tgroup cols="3">
             &mac.thead;
 
             <tbody>
               <row>
                 <entry><parameter>cred</parameter></entry>
                 <entry>Subject credential</entry>
               </row>
 
               <row>
                 <entry><parameter>name</parameter></entry>
                 <entry>Kernel environment variable name</entry>
               </row>
             </tbody>
           </tgroup>
         </informaltable>
 
         <para>Determine whether the subject should be allowed to set
           the specified kernel environment variable.</para>
       </sect3>
 
       <sect3 id="mac-mpo-check-kenv-unset">
         <title><function>&mac.mpo;_check_kenv_unset</function></title>
 
         <funcsynopsis>
           <funcprototype>
             <funcdef>int
               <function>&mac.mpo;_check_kenv_unset</function></funcdef>
 
             <paramdef>struct ucred
               *<parameter>cred</parameter></paramdef>
             <paramdef>char *<parameter>name</parameter></paramdef>
           </funcprototype>
         </funcsynopsis>
 
-        <informaltable frame="none">
+        <informaltable frame="none" pgwide="1">
           <tgroup cols="3">
             &mac.thead;
 
             <tbody>
               <row>
                 <entry><parameter>cred</parameter></entry>
                 <entry>Subject credential</entry>
               </row>
               
               <row>
                 <entry><parameter>name</parameter></entry>
                 <entry>Kernel environment variable name</entry>
               </row>
             </tbody>
           </tgroup>
         </informaltable>
 
         <para>Determine whether the subject should be allowed to unset
           the specified kernel environment variable.</para>
       </sect3>
 
       <sect3 id="mac-mpo-check-kld-load">
         <title><function>&mac.mpo;_check_kld_load</function></title>
 
         <funcsynopsis>
           <funcprototype>
             <funcdef>int
               <function>&mac.mpo;_check_kld_load</function></funcdef>
 
             <paramdef>struct ucred
               *<parameter>cred</parameter></paramdef>
             <paramdef>struct vnode
               *<parameter>vp</parameter></paramdef>
             <paramdef>struct label
               *<parameter>vlabel</parameter></paramdef>
           </funcprototype>
         </funcsynopsis>
 
-        <informaltable frame="none">
+        <informaltable frame="none" pgwide="1">
           <tgroup cols="3">
             &mac.thead;
 
             <tbody>
               <row>
                 <entry><parameter>cred</parameter></entry>
                 <entry>Subject credential</entry>
               </row>
 
               <row>
                 <entry><parameter>vp</parameter></entry>
                 <entry>Kernel module vnode</entry>
               </row>
 
               <row>
                 <entry><parameter>vlabel</parameter></entry>
                 <entry>Label associated with
                   <parameter>vp</parameter></entry>
               </row>
             </tbody>
           </tgroup>
         </informaltable>
 
         <para>Determine whether the subject should be allowed to load
           the specified module file.</para>
       </sect3>
 
       <sect3 id="mac-mpo-check-kld-stat">
         <title><function>&mac.mpo;_check_kld_stat</function></title>
 
         <funcsynopsis>
           <funcprototype>
             <funcdef>int
               <function>&mac.mpo;_check_kld_stat</function></funcdef>
 
             <paramdef>struct ucred
               *<parameter>cred</parameter></paramdef>
           </funcprototype>
         </funcsynopsis>
 
-        <informaltable frame="none">
+        <informaltable frame="none" pgwide="1">
           <tgroup cols="3">
             &mac.thead;
 
             <tbody>
               <row>
                 <entry><parameter>cred</parameter></entry>
                 <entry>Subject credential</entry>
               </row>
             </tbody>
           </tgroup>
         </informaltable>
 
         <para>Determine whether the subject should be allowed to
           retrieve a list of loaded kernel module files and associated
           statistics.</para>
       </sect3>
 
       <sect3 id="mac-mpo-check-kld-unload">
         <title><function>&mac.mpo;_check_kld_unload</function></title>
 
         <funcsynopsis>
            <funcprototype>
             <funcdef>int
               <function>&mac.mpo;_check_kld_unload</function></funcdef>
 
             <paramdef>struct ucred
               *<parameter>cred</parameter></paramdef>
           </funcprototype>
         </funcsynopsis>
 
-        <informaltable frame="none">
+        <informaltable frame="none" pgwide="1">
           <tgroup cols="3">
             &mac.thead;
 
             <tbody>
               <row>
                 <entry><parameter>cred</parameter></entry>
                 <entry>Subject credential</entry>
               </row>
             </tbody>
           </tgroup>
         </informaltable>
 
         <para>Determine whether the subject should be allowed to
           unload a kernel module.</para>
       </sect3>
 
       <sect3 id="mac-mpo-check-pipe-ioctl">
         <title><function>&mac.mpo;_check_pipe_ioctl</function></title>
 
         <funcsynopsis>
           <funcprototype>
             <funcdef>int
               <function>&mac.mpo;_check_pipe_ioctl</function></funcdef>
 
             <paramdef>struct ucred
               *<parameter>cred</parameter></paramdef>
             <paramdef>struct pipe
               *<parameter>pipe</parameter></paramdef>
             <paramdef>struct label
               *<parameter>pipelabel</parameter></paramdef>
             <paramdef>unsigned long
               <parameter>cmd</parameter></paramdef>
             <paramdef>void *<parameter>data</parameter></paramdef>
           </funcprototype>
         </funcsynopsis>
 
-        <informaltable frame="none">
+        <informaltable frame="none" pgwide="1">
           <tgroup cols="3">
             &mac.thead;
 
             <tbody>
               <row>
                 <entry><parameter>cred</parameter></entry>
                 <entry>Subject credential</entry>
               </row>
 
               <row>
                 <entry><parameter>pipe</parameter></entry>
                 <entry>Pipe</entry>
               </row>
 
               <row>
                 <entry><parameter>pipelabel</parameter></entry>
                 <entry>Policy label associated with
                   <parameter>pipe</parameter></entry>
               </row>
 
               <row>
                 <entry><parameter>cmd</parameter></entry>
                 <entry>&man.ioctl.2; command</entry>
               </row>
 
               <row>
                 <entry><parameter>data</parameter></entry>
                 <entry>&man.ioctl.2; data</entry>
               </row>
             </tbody>
           </tgroup>
         </informaltable>
 
         <para>Determine whether the subject should be allowed to make
           the specified &man.ioctl.2; call.</para>
       </sect3>
 
       <sect3 id="mac-mpo-check-pipe-poll">
         <title><function>&mac.mpo;_check_pipe_poll</function></title>
 
         <funcsynopsis>
           <funcprototype>
             <funcdef>int
               <function>&mac.mpo;_check_pipe_poll</function></funcdef>
 
             <paramdef>struct ucred
               *<parameter>cred</parameter></paramdef>
             <paramdef>struct pipe
               *<parameter>pipe</parameter></paramdef>
             <paramdef>struct label
               *<parameter>pipelabel</parameter></paramdef>
           </funcprototype>
         </funcsynopsis>
 
-        <informaltable frame="none">
+        <informaltable frame="none" pgwide="1">
           <tgroup cols="3">
             &mac.thead;
 
             <tbody>
               <row>
                 <entry><parameter>cred</parameter></entry>
                 <entry>Subject credential</entry>
               </row>
 
               <row>
                 <entry><parameter>pipe</parameter></entry>
                 <entry>Pipe</entry>
               </row>
 
               <row>
                 <entry><parameter>pipelabel</parameter></entry>
                 <entry>Policy label associated with
                   <parameter>pipe</parameter></entry>
               </row>
             </tbody>
           </tgroup>
         </informaltable>
 
         <para>Determine whether the subject should be allowed to poll
           <parameter>pipe</parameter>.</para>
       </sect3>
 
       <sect3 id="mac-mpo-check-pipe-read">
         <title><function>&mac.mpo;_check_pipe_read</function></title>
 
         <funcsynopsis>
           <funcprototype>
             <funcdef>int
               <function>&mac.mpo;_check_pipe_read</function></funcdef>
 
             <paramdef>struct ucred
               *<parameter>cred</parameter></paramdef>
             <paramdef>struct pipe
               *<parameter>pipe</parameter></paramdef>
             <paramdef>struct label
               *<parameter>pipelabel</parameter></paramdef>
           </funcprototype>
         </funcsynopsis>
 
-        <informaltable frame="none">
+        <informaltable frame="none" pgwide="1">
           <tgroup cols="3">
             &mac.thead;
 
             <tbody>
               <row>
                 <entry><parameter>cred</parameter></entry>
                 <entry>Subject credential</entry>
               </row>
 
               <row>
                 <entry><parameter>pipe</parameter></entry>
                 <entry>Pipe</entry>
               </row>
 
               <row>
                 <entry><parameter>pipelabel</parameter></entry>
                 <entry>Policy label associated with
                   <parameter>pipe</parameter></entry>
               </row>
             </tbody>
           </tgroup>
         </informaltable>
 
         <para>Determine whether the subject should be allowed read
           access to <parameter>pipe</parameter>.</para>
       </sect3>
 
       <sect3 id="mac-mpo-check-pipe-relabel">
         <title><function>&mac.mpo;_check_pipe_relabel</function></title>
 
         <funcsynopsis>
           <funcprototype>
             <funcdef>int
               <function>&mac.mpo;_check_pipe_relabel</function></funcdef>
 
             <paramdef>struct ucred
               *<parameter>cred</parameter></paramdef>
             <paramdef>struct pipe
               *<parameter>pipe</parameter></paramdef>
             <paramdef>struct label
               *<parameter>pipelabel</parameter></paramdef>
             <paramdef>struct label
               *<parameter>newlabel</parameter></paramdef>
           </funcprototype>
         </funcsynopsis>
 
-        <informaltable frame="none">
+        <informaltable frame="none" pgwide="1">
           <tgroup cols="3">
             &mac.thead;
 
             <tbody>
               <row>
                 <entry><parameter>cred</parameter></entry>
                 <entry>Subject credential</entry>
               </row>
 
               <row>
                 <entry><parameter>pipe</parameter></entry>
                 <entry>Pipe</entry>
               </row>
 
               <row>
                 <entry><parameter>pipelabel</parameter></entry>
                 <entry>Current policy label associated with
                   <parameter>pipe</parameter></entry>
               </row>
 
               <row>
                 <entry><parameter>newlabel</parameter></entry>
                 <entry>Label update to
                   <parameter>pipelabel</parameter></entry>
               </row>
             </tbody>
           </tgroup>
         </informaltable>
 
         <para>Determine whether the subject should be allowed to
           relabel <parameter>pipe</parameter>.</para>
       </sect3>
 
       <sect3 id="mac-mpo-check-pipe-stat">
         <title><function>&mac.mpo;_check_pipe_stat</function></title>
 
         <funcsynopsis>
           <funcprototype>
             <funcdef>int
               <function>&mac.mpo;_check_pipe_stat</function></funcdef>
 
             <paramdef>struct ucred
               *<parameter>cred</parameter></paramdef>
             <paramdef>struct pipe
               *<parameter>pipe</parameter></paramdef>
             <paramdef>struct label
               *<parameter>pipelabel</parameter></paramdef>
           </funcprototype>
         </funcsynopsis>
 
-        <informaltable frame="none">
+        <informaltable frame="none" pgwide="1">
           <tgroup cols="3">
             &mac.thead;
 
             <tbody>
               <row>
                 <entry><parameter>cred</parameter></entry>
                 <entry>Subject credential</entry>
               </row>
 
               <row>
                 <entry><parameter>pipe</parameter></entry>
                 <entry>Pipe</entry>
               </row>
 
               <row>
                 <entry><parameter>pipelabel</parameter></entry>
                 <entry>Policy label associated with
                   <parameter>pipe</parameter></entry>
               </row>
             </tbody>
           </tgroup>
         </informaltable>
 
         <para>Determine whether the subject should be allowed to
           retrieve statistics related to
           <parameter>pipe</parameter>.</para>
       </sect3>
 
       <sect3 id="mac-mpo-check-pipe-write">
         <title><function>&mac.mpo;_check_pipe_write</function></title>
 
         <funcsynopsis>
           <funcprototype>
             <funcdef>int
               <function>&mac.mpo;_check_pipe_write</function></funcdef>
 
             <paramdef>struct ucred
               *<parameter>cred</parameter></paramdef>
             <paramdef>struct pipe
               *<parameter>pipe</parameter></paramdef>
             <paramdef>struct label
               *<parameter>pipelabel</parameter></paramdef>
           </funcprototype>
         </funcsynopsis>
 
-        <informaltable frame="none">
+        <informaltable frame="none" pgwide="1">
           <tgroup cols="3">
             &mac.thead;
 
             <tbody>
               <row>
                 <entry><parameter>cred</parameter></entry>
                 <entry>Subject credential</entry>
               </row>
 
               <row>
                 <entry><parameter>pipe</parameter></entry>
                 <entry>Pipe</entry>
               </row>
 
               <row>
                 <entry><parameter>pipelabel</parameter></entry>
                 <entry>Policy label associated with
                   <parameter>pipe</parameter></entry>
               </row>
             </tbody>
           </tgroup>
         </informaltable>
 
         <para>Determine whether the subject should be allowed to write
           to <parameter>pipe</parameter>.</para>
       </sect3>
 
       <sect3 id="mac-mpo-cred-check-socket-bind">
         <title><function>&mac.mpo;_check_socket_bind</function></title>
         
         <funcsynopsis>
           <funcprototype>
             <funcdef>int
               <function>&mac.mpo;_check_socket_bind</function></funcdef>
             
             <paramdef>struct ucred
               *<parameter>cred</parameter></paramdef>
             <paramdef>struct socket
               *<parameter>socket</parameter></paramdef>
             <paramdef>struct label
               *<parameter>socketlabel</parameter></paramdef>
             <paramdef>struct sockaddr
               *<parameter>sockaddr</parameter></paramdef>
           </funcprototype>
         </funcsynopsis>
         
-        <informaltable frame="none">
+        <informaltable frame="none" pgwide="1">
           <tgroup cols="3">
             &mac.thead;
             
             <tbody>
               <row>
                 <entry><parameter>cred</parameter></entry>
                 <entry>Subject credential</entry>
               </row>
               
               <row>
                 <entry><parameter>socket</parameter></entry>
                 <entry>Socket to be bound</entry>
               </row>
               
               <row>
                 <entry><parameter>socketlabel</parameter></entry>
                 <entry>Policy label for
                   <parameter>socket</parameter></entry>
               </row>
               
               <row>
                 <entry><parameter>sockaddr</parameter></entry>
                 <entry>Address of
                   <parameter>socket</parameter></entry>
               </row>
             </tbody>
           </tgroup>
         </informaltable>
         
       </sect3>
       
       
       <sect3 id="mac-mpo-cred-check-socket-connect">
         <title><function>&mac.mpo;_check_socket_connect</function></title>
         
         <funcsynopsis>
           <funcprototype>
             <funcdef>int
               <function>&mac.mpo;_check_socket_connect</function></funcdef>
             
             <paramdef>struct ucred
               *<parameter>cred</parameter></paramdef>
             <paramdef>struct socket
               *<parameter>socket</parameter></paramdef>
             <paramdef>struct label
               *<parameter>socketlabel</parameter></paramdef>
             <paramdef>struct sockaddr
               *<parameter>sockaddr</parameter></paramdef>
           </funcprototype>
         </funcsynopsis>
         
-        <informaltable frame="none">
+        <informaltable frame="none" pgwide="1">
           <tgroup cols="3">
             &mac.thead;
             
             <tbody>
               <row>
                 <entry><parameter>cred</parameter></entry>
                 <entry>Subject credential</entry>
               </row>
               
               <row>
                 <entry><parameter>socket</parameter></entry>
                 <entry>Socket to be connected</entry>
               </row>
               
               <row>
                 <entry><parameter>socketlabel</parameter></entry>
                 <entry>Policy label for
                   <parameter>socket</parameter></entry>
               </row>
               
               <row>
                 <entry><parameter>sockaddr</parameter></entry>
                 <entry>Address of
                   <parameter>socket</parameter></entry>
               </row>
             </tbody>            
           </tgroup>
         </informaltable>
         
         <para>Determine whether the subject credential
           (<parameter>cred</parameter>) can connect the passed socket
           (<parameter>socket</parameter>) to the passed socket address
           (<parameter>sockaddr</parameter>).  Return
           <returnvalue>0</returnvalue> for success, or an
           <varname>errno</varname> value for failure.  Suggested
           failure: <errorcode>EACCES</errorcode> for label mismatches,
           <errorcode>EPERM</errorcode> for lack of privilege.</para>
       </sect3>
 
       <sect3 id="mac-mpo-check-socket-receive">
         <title><function>&mac.mpo;_check_socket_receive</function></title>
 
         <funcsynopsis>
           <funcprototype>
             <funcdef>int
               <function>&mac.mpo;_check_socket_receive</function></funcdef>
 
             <paramdef>struct ucred
               *<parameter>cred</parameter></paramdef>
             <paramdef>struct socket
               *<parameter>so</parameter></paramdef>
             <paramdef>struct label
               *<parameter>socketlabel</parameter></paramdef>
           </funcprototype>
         </funcsynopsis>
 
-        <informaltable frame="none">
+        <informaltable frame="none" pgwide="1">
           <tgroup cols="3">
             &mac.thead;
 
             <tbody>
               <row>
                 <entry><parameter>cred</parameter></entry>
                 <entry>Subject credential</entry>
               </row>
 
               <row>
                 <entry><parameter>so</parameter></entry>
                 <entry>Socket</entry>
               </row>
 
               <row>
                 <entry><parameter>socketlabel</parameter></entry>
                 <entry>Policy label associated with
                   <parameter>so</parameter></entry>
               </row>
             </tbody>
           </tgroup>
         </informaltable>
 
         <para>Determine whether the subject should be allowed to
           receive information from the socket
           <parameter>so</parameter>.</para>
       </sect3>
 
       <sect3 id="mac-mpo-check-socket-send">
         <title><function>&mac.mpo;_check_socket_send</function></title>
 
         <funcsynopsis>
           <funcprototype>
             <funcdef>int
               <function>&mac.mpo;_check_socket_send</function></funcdef>
 
             <paramdef>struct ucred
               *<parameter>cred</parameter></paramdef>
             <paramdef>struct socket
               *<parameter>so</parameter></paramdef>
             <paramdef>struct label
               *<parameter>socketlabel</parameter></paramdef>
           </funcprototype>
         </funcsynopsis>
 
-        <informaltable frame="none">
+        <informaltable frame="none" pgwide="1">
           <tgroup cols="3">
             &mac.thead;
 
             <tbody>
               <row>
                 <entry><parameter>cred</parameter></entry>
                 <entry>Subject credential</entry>
               </row>
 
               <row>
                 <entry><parameter>so</parameter></entry>
                 <entry>Socket</entry>
               </row>
 
               <row>
                 <entry><parameter>socketlabel</parameter></entry>
                 <entry>Policy label associated with
                   <parameter>so</parameter></entry>
               </row>
             </tbody>
           </tgroup>
         </informaltable>
 
         <para>Determine whether the subject should be allowed to send
           information across the socket
           <parameter>so</parameter>.</para>
       </sect3>
       
       <sect3 id="mac-mpo-check-cred-visible">
         <title><function>&mac.mpo;_check_cred_visible</function></title>
         
         <funcsynopsis>
           <funcprototype>
             <funcdef>int
               <function>&mac.mpo;_check_cred_visible</function></funcdef>
             
             <paramdef>struct ucred
               *<parameter>u1</parameter></paramdef>
             <paramdef>struct ucred
               *<parameter>u2</parameter></paramdef>
           </funcprototype>
         </funcsynopsis>
         
-        <informaltable frame="none">
+        <informaltable frame="none" pgwide="1">
           <tgroup cols="3">
             &mac.thead;
             
             <tbody>
               <row>
                 <entry><parameter>u1</parameter></entry>
                 <entry>Subject credential</entry>
               </row>
               
               <row>
                 <entry><parameter>u2</parameter></entry>
                 <entry>Object credential</entry>
               </row>
             </tbody>
           </tgroup>
         </informaltable>
         
         <para>Determine whether the subject credential
           <parameter>u1</parameter> can <quote>see</quote> other
           subjects with the passed subject credential
           <parameter>u2</parameter>.  Return
           <returnvalue>0</returnvalue> for success, or an
           <varname>errno</varname> value for failure.  Suggested
           failure: <errorcode>EACCES</errorcode> for label mismatches,
           <errorcode>EPERM</errorcode> for lack of privilege, or
           <errorcode>ESRCH</errorcode> to hide visibility.  This call
           may be made in a number of situations, including
           inter-process status sysctls used by <command>ps</command>,
           and in procfs lookups.</para>
       </sect3>
       
       <sect3 id="mac-mpo-cred-check-socket-visible">
         <title><function>&mac.mpo;_check_socket_visible</function></title>
         
         <funcsynopsis>
           <funcprototype>
             <funcdef>int
               <function>&mac.mpo;_check_socket_visible</function></funcdef>
             
             <paramdef>struct ucred
               *<parameter>cred</parameter></paramdef>
             <paramdef>struct socket
               *<parameter>socket</parameter></paramdef>
             <paramdef>struct label
               *<parameter>socketlabel</parameter></paramdef>
           </funcprototype>
         </funcsynopsis>
         
-        <informaltable frame="none">
+        <informaltable frame="none" pgwide="1">
           <tgroup cols="3">
             &mac.thead;
             
             <tbody>
               <row>
                 <entry><parameter>cred</parameter></entry>
                 <entry>Subject credential</entry>
               </row>
               
               <row>
                 <entry><parameter>socket</parameter></entry>
                 <entry>Object; socket</entry>
               </row>
               
               <row>
                 <entry><parameter>socketlabel</parameter></entry>
                 <entry>Policy label for
                   <parameter>socket</parameter></entry>
               </row>
             </tbody>
           </tgroup>
         </informaltable>
         
       </sect3>
       
       <sect3 id="mac-mpo-cred-check-ifnet-relabel">
         <title><function>&mac.mpo;_check_ifnet_relabel</function></title>
         
         <funcsynopsis>
           <funcprototype>
             <funcdef>int
               <function>&mac.mpo;_check_ifnet_relabel</function></funcdef>
             
             <paramdef>struct ucred
               *<parameter>cred</parameter></paramdef>
             <paramdef>struct ifnet
               *<parameter>ifnet</parameter></paramdef>
             <paramdef>struct label
               *<parameter>ifnetlabel</parameter></paramdef>
             <paramdef>struct label
               *<parameter>newlabel</parameter></paramdef>
           </funcprototype>
         </funcsynopsis>
         
-        <informaltable frame="none">
+        <informaltable frame="none" pgwide="1">
           <tgroup cols="3">
             &mac.thead;
             
             <tbody>
               <row>
                 <entry><parameter>cred</parameter></entry>
                 <entry>Subject credential</entry>
               </row>
               
               <row>
                 <entry><parameter>ifnet</parameter></entry>
                 <entry>Object; network interface</entry>
               </row>
               
               <row>
                 <entry><parameter>ifnetlabel</parameter></entry>
                 <entry>Existing policy label for
                   <parameter>ifnet</parameter></entry>
               </row>
               
               <row>
                 <entry><parameter>newlabel</parameter></entry>
                 <entry>Policy label update to later be applied to
                   <parameter>ifnet</parameter></entry>
               </row>
             </tbody>
           </tgroup>
         </informaltable>
         
         <para>Determine whether the subject credential can relabel the
           passed network interface to the passed label update.</para>
       </sect3>
       
       <sect3 id="mac-mpo-cred-check-socket-relabel">
         <title><function>&mac.mpo;_check_socket_relabel</function></title>
         
         <funcsynopsis>
           <funcprototype>
             <funcdef>int
               <function>&mac.mpo;_check_socket_relabel</function></funcdef>
             
             <paramdef>struct ucred
               *<parameter>cred</parameter></paramdef>
             <paramdef>struct socket
               *<parameter>socket</parameter></paramdef>
             <paramdef>struct label
               *<parameter>socketlabel</parameter></paramdef>
             <paramdef>struct label
               *<parameter>newlabel</parameter></paramdef>
           </funcprototype>
         </funcsynopsis>
         
-        <informaltable frame="none">
+        <informaltable frame="none" pgwide="1">
           <tgroup cols="3">
             &mac.thead;
             
             <tbody>
               <row>
                 <entry><parameter>cred</parameter></entry>
                 <entry>Subject credential</entry>
               </row>
               
               <row>
                 <entry><parameter>socket</parameter></entry>
                 <entry>Object; socket</entry>
               </row>
               
               <row>
                 <entry><parameter>socketlabel</parameter></entry>
                 <entry>Existing policy label for
                   <parameter>socket</parameter></entry>
               </row>
               
               <row>
                 <entry><parameter>newlabel</parameter></entry>
                 <entry>Label update to later be applied to
                   <parameter>socketlabel</parameter></entry>
               </row>
             </tbody>
           </tgroup>
         </informaltable>
         
         <para>Determine whether the subject credential can relabel the
           passed socket to the passed label update.</para>
       </sect3>
       
       <sect3 id="mac-mpo-cred-check-cred-relabel">
         <title><function>&mac.mpo;_check_cred_relabel</function></title>
         
         <funcsynopsis>
           <funcprototype>
             <funcdef>int
               <function>&mac.mpo;_check_cred_relabel</function></funcdef>
             
             <paramdef>struct ucred
               *<parameter>cred</parameter></paramdef>
             <paramdef>struct label
               *<parameter>newlabel</parameter></paramdef>
           </funcprototype>
         </funcsynopsis>
         
-        <informaltable frame="none">
+        <informaltable frame="none" pgwide="1">
           <tgroup cols="3">
             &mac.thead;
             
             <tbody>
               <row>
                 <entry><parameter>cred</parameter></entry>
                 <entry>Subject credential</entry>
               </row>
               
               <row>
                 <entry><parameter>newlabel</parameter></entry>
                 <entry>Label update to later be applied to
                   <parameter>cred</parameter></entry>
               </row>
             </tbody>
           </tgroup>
         </informaltable>
         
         <para>Determine whether the subject credential can relabel
           itself to the passed label update.</para>
       </sect3>
 
 
       <sect3 id="mac-mpo-cred-check-vnode-relabel">
         <title><function>&mac.mpo;_check_vnode_relabel</function></title>
         
         <funcsynopsis>
           <funcprototype>
             <funcdef>int
               <function>&mac.mpo;_check_vnode_relabel</function></funcdef>
             
             <paramdef>struct ucred
               *<parameter>cred</parameter></paramdef>
             <paramdef>struct vnode
               *<parameter>vp</parameter></paramdef>
             <paramdef>struct label
               *<parameter>vnodelabel</parameter></paramdef>
             <paramdef>struct label
               *<parameter>newlabel</parameter></paramdef>
           </funcprototype>
         </funcsynopsis>
         
-        <informaltable frame="none">
+        <informaltable frame="none" pgwide="1">
           <tgroup cols="3">
             &mac.thead;
             
             <tbody>
               <row>
                 <entry><parameter>cred</parameter></entry>
                 <entry>Subject credential</entry>
                 <entry>Immutable</entry>
               </row>
               
               <row>
                 <entry><parameter>vp</parameter></entry>
                 <entry>Object; vnode</entry>
                 <entry>Locked</entry>
               </row>
               
               <row>
                 <entry><parameter>vnodelabel</parameter></entry>
                 <entry>Existing policy label for
                   <parameter>vp</parameter></entry>
               </row>
               
               <row>
                 <entry><parameter>newlabel</parameter></entry>
                 <entry>Policy label update to later be applied to
                   <parameter>vp</parameter></entry>
               </row>
             </tbody>
           </tgroup>
         </informaltable>
         
         <para>Determine whether the subject credential can relabel the
           passed vnode to the passed label update.</para>
       </sect3>
       
       <sect3 id="mpo-cred-check-mount-stat">
         <title><function>&mac.mpo;_check_mount_stat</function></title>
         
         <funcsynopsis>
           <funcprototype>
             <funcdef>int <function>&mac.mpo;_check_mount_stat</function></funcdef>
             
             <paramdef>struct ucred
               *<parameter>cred</parameter></paramdef>
             <paramdef>struct mount
               *<parameter>mp</parameter></paramdef>
             <paramdef>struct label
               *<parameter>mountlabel</parameter></paramdef>
           </funcprototype>
         </funcsynopsis>
         
-        <informaltable frame="none">
+        <informaltable frame="none" pgwide="1">
           <tgroup cols="3">
             &mac.thead;
             
             <tbody>
               <row>
                 <entry><parameter>cred</parameter></entry>
                 <entry>Subject credential</entry>
               </row>
               
               <row>
                 <entry><parameter>mp</parameter></entry>
                 <entry>Object; file system mount</entry>
               </row>
               
               <row>
                 <entry><parameter>mountlabel</parameter></entry>
                 <entry>Policy label for
                   <parameter>mp</parameter></entry>
               </row>
             </tbody>
           </tgroup>
         </informaltable>
         
 	<!-- XXX Update ? -->
         <para>Determine whether the subject credential can see the
           results of a statfs performed on the file system.  Return
           <returnvalue>0</returnvalue> for success, or an
           <varname>errno</varname> value for failure.  Suggested
           failure: <errorcode>EACCES</errorcode> for label mismatches
           or <errorcode>EPERM</errorcode> for lack of privilege.  This
           call may be made in a number of situations, including during
           invocations of &man.statfs.2; and related calls, as well as to
           determine what file systems to exclude from listings of file
           systems, such as when &man.getfsstat.2; is invoked. </para>
       </sect3>
       
       <sect3 id="mac-mpo-cred-check-proc-debug">
         <title><function>&mac.mpo;_check_proc_debug</function></title>
         
         <funcsynopsis>
           <funcprototype>
             <funcdef>int
               <function>&mac.mpo;_check_proc_debug</function></funcdef>
             
             <paramdef>struct ucred
               *<parameter>cred</parameter></paramdef>
             <paramdef>struct proc
               *<parameter>proc</parameter></paramdef>
           </funcprototype>
         </funcsynopsis>
         
-        <informaltable frame="none">
+        <informaltable frame="none" pgwide="1">
           <tgroup cols="3">
             &mac.thead;
             
             <tbody>
               <row>
                 <entry><parameter>cred</parameter></entry>
                 <entry>Subject credential</entry>
                 <entry>Immutable</entry>
               </row>
               
               <row>
                 <entry><parameter>proc</parameter></entry>
                 <entry>Object; process</entry>
               </row>
             </tbody>
           </tgroup>
         </informaltable>
         
         <para>Determine whether the subject credential can debug the
           passed process.  Return <returnvalue>0</returnvalue> for
           success, or an <varname>errno</varname> value for failure.
           Suggested failure: <errorcode>EACCES</errorcode> for label
           mismatch, <errorcode>EPERM</errorcode> for lack of
           privilege, or <errorcode>ESRCH</errorcode> to hide
           visibility of the target.  This call may be made in a number
           of situations, including use of the &man.ptrace.2; and
             &man.ktrace.2; APIs, as well as for some types of procfs
           operations.</para>
       </sect3>
       
       <sect3 id="mac-mpo-cred-check-vnode-access">
         <title><function>&mac.mpo;_check_vnode_access</function></title>
         
         <funcsynopsis>
           <funcprototype>
             <funcdef>int
               <function>&mac.mpo;_check_vnode_access</function></funcdef>
             
             <paramdef>struct ucred
               *<parameter>cred</parameter></paramdef>
             <paramdef>struct vnode
               *<parameter>vp</parameter></paramdef>
             <paramdef>struct label
               *<parameter>label</parameter></paramdef>
             <paramdef>int <parameter>flags</parameter></paramdef>
           </funcprototype>
         </funcsynopsis>
         
-        <informaltable frame="none">
+        <informaltable frame="none" pgwide="1">
           <tgroup cols="3">
             &mac.thead;
             
             <tbody>
               <row>
                 <entry><parameter>cred</parameter></entry>
                 <entry>Subject credential</entry>
               </row>
               
               <row>
                 <entry><parameter>vp</parameter></entry>
                 <entry>Object; vnode</entry>
               </row>
               
               <row>
                 <entry><parameter>label</parameter></entry>
                 <entry>Policy label for
                   <parameter>vp</parameter></entry>
               </row>
               
               <row>
                 <entry><parameter>flags</parameter></entry>
                 <entry>&man.access.2; flags</entry>
               </row>
             </tbody>
           </tgroup>
         </informaltable>
         
         <para>Determine how invocations of &man.access.2; and related
           calls by the subject credential should return when performed
           on the passed vnode using the passed access flags.  This
           should generally be implemented using the same semantics
           used in <function>&mac.mpo;_check_vnode_open</function>.
           Return <returnvalue>0</returnvalue> for success, or an
           <varname>errno</varname> value for failure.  Suggested
           failure: <errorcode>EACCES</errorcode> for label mismatches
           or <errorcode>EPERM</errorcode> for lack of
           privilege.</para>
       </sect3>
       
       <sect3 id="mac-mpo-cred-check-vnode-chdir">
         <title><function>&mac.mpo;_check_vnode_chdir</function></title>
         
         <funcsynopsis>
           <funcprototype>
             <funcdef>int
               <function>&mac.mpo;_check_vnode_chdir</function></funcdef>
             
             <paramdef>struct ucred
               *<parameter>cred</parameter></paramdef>
             <paramdef>struct vnode
               *<parameter>dvp</parameter></paramdef>
             <paramdef>struct label
               *<parameter>dlabel</parameter></paramdef>
           </funcprototype>
         </funcsynopsis>
         
-        <informaltable frame="none">
+        <informaltable frame="none" pgwide="1">
           <tgroup cols="3">
             &mac.thead;
             
             <tbody>
               <row>
                 <entry><parameter>cred</parameter></entry>
                 <entry>Subject credential</entry>
               </row>
               
               <row>
                 <entry><parameter>dvp</parameter></entry>
                 <entry>Object; vnode to &man.chdir.2; into</entry>
               </row>
               
               <row>
                 <entry><parameter>dlabel</parameter></entry>
                 <entry>Policy label for
                   <parameter>dvp</parameter></entry>
               </row>
             </tbody>
           </tgroup>
         </informaltable>
         
         <para>Determine whether the subject credential can change the
           process working directory to the passed vnode.  Return
           <returnvalue>0</returnvalue> for success, or an
           <varname>errno</varname> value for failure.  Suggested
           failure: <errorcode>EACCES</errorcode> for label mismatch,
           or <errorcode>EPERM</errorcode> for lack of
           privilege.</para>
       </sect3>
 
       <sect3 id="mac-mpo-check-vnode-chroot">
         <title><function>&mac.mpo;_check_vnode_chroot</function></title>
 
         <funcsynopsis>
           <funcprototype>
             <funcdef>int
               <function>&mac.mpo;_check_vnode_chroot</function></funcdef>
 
             <paramdef>struct ucred
               *<parameter>cred</parameter></paramdef>
             <paramdef>struct vnode
               *<parameter>dvp</parameter></paramdef>
             <paramdef>struct label
               *<parameter>dlabel</parameter></paramdef>
           </funcprototype>
         </funcsynopsis>
 
-        <informaltable frame="none">
+        <informaltable frame="none" pgwide="1">
           <tgroup cols="3">
             &mac.thead;
 
             <tbody>
               <row>
                 <entry><parameter>cred</parameter></entry>
                 <entry>Subject credential</entry>
               </row>
 
               <row>
                 <entry><parameter>dvp</parameter></entry>
                 <entry>Directory vnode</entry>
               </row>
 
               <row>
                 <entry><parameter>dlabel</parameter></entry>
                 <entry>Policy label associated with
                   <parameter>dvp</parameter></entry>
               </row>
             </tbody>
           </tgroup>
         </informaltable>
 
         <para>Determine whether the subject should be allowed to
             &man.chroot.2; into the specified directory
           (<parameter>dvp</parameter>).</para>
       </sect3>
       
       <sect3 id="mac-mpo-cred-check-vnode-create">
         <title><function>&mac.mpo;_check_vnode_create</function></title>
         
         <funcsynopsis>
           <funcprototype>
             <funcdef>int
               <function>&mac.mpo;_check_vnode_create</function></funcdef>
             
             <paramdef>struct ucred
               *<parameter>cred</parameter></paramdef>
             <paramdef>struct vnode
               *<parameter>dvp</parameter></paramdef>
             <paramdef>struct label
               *<parameter>dlabel</parameter></paramdef>
             <paramdef>struct componentname
               *<parameter>cnp</parameter></paramdef>
             <paramdef>struct vattr
               *<parameter>vap</parameter></paramdef>
           </funcprototype>
         </funcsynopsis>
         
-        <informaltable frame="none">
+        <informaltable frame="none" pgwide="1">
           <tgroup cols="3">
             &mac.thead;
             
             <tbody>
               <row>
                 <entry><parameter>cred</parameter></entry>
                 <entry>Subject credential</entry>
               </row>
               
               <row>
                 <entry><parameter>dvp</parameter></entry>
                 <entry>Object; vnode</entry>
               </row>
               
               <row>
                 <entry><parameter>dlabel</parameter></entry>
                 <entry>Policy label for
                   <parameter>dvp</parameter></entry>
               </row>
               
               <row>
                 <entry><parameter>cnp</parameter></entry>
                 <entry>Component name for
                   <parameter>dvp</parameter></entry>
               </row>
               
               <row>
                 <entry><parameter>vap</parameter></entry>
                 <entry>vnode attributes for <parameter>vap</parameter></entry>
               </row>
             </tbody>
           </tgroup>
         </informaltable>
         
         <para>Determine whether the subject credential can create a
           vnode with the passed parent directory, passed name
           information, and passed attribute information.  Return
           <returnvalue>0</returnvalue> for success, or an
           <varname>errno</varname> value for failure.  Suggested
           failure: <errorcode>EACCES</errorcode>. for label mismatch,
           or <errorcode>EPERM</errorcode> for lack of privilege.
           This call may be made in a number of situations, including
           as a result of calls to &man.open.2; with
           <symbol>O_CREAT</symbol>, &man.mknod.2;, &man.mkfifo.2;, and
           others.</para>
       </sect3>
       
       <sect3 id="mac-mpo-cred-check-vnode-delete">
         <title><function>&mac.mpo;_check_vnode_delete</function></title>
         
         <funcsynopsis>
           <funcprototype>
             <funcdef>int
               <function>&mac.mpo;_check_vnode_delete</function></funcdef>
             
             <paramdef>struct ucred
               *<parameter>cred</parameter></paramdef>
             <paramdef>struct vnode
               *<parameter>dvp</parameter></paramdef>
             <paramdef>struct label
               *<parameter>dlabel</parameter></paramdef>
             <paramdef>struct vnode
               *<parameter>vp</parameter></paramdef>
             <paramdef>void *<parameter>label</parameter></paramdef>
             <paramdef>struct componentname
               *<parameter>cnp</parameter></paramdef>
           </funcprototype>
         </funcsynopsis>
         
-        <informaltable frame="none">
+        <informaltable frame="none" pgwide="1">
           <tgroup cols="3">
             &mac.thead;
             
             <tbody>
               <row>
                 <entry><parameter>cred</parameter></entry>
                 <entry>Subject credential</entry>
               </row>
               
               <row>
                 <entry><parameter>dvp</parameter></entry>
                 <entry>Parent directory vnode</entry>
               </row>
               
               <row>
                 <entry><parameter>dlabel</parameter></entry>
                 <entry>Policy label for
                   <parameter>dvp</parameter></entry>
               </row>
               
               <row>
                 <entry><parameter>vp</parameter></entry>
                 <entry>Object; vnode to delete</entry>
               </row>
               
               <row>
                 <entry><parameter>label</parameter></entry>
                 <entry>Policy label for
                   <parameter>vp</parameter></entry>
               </row>
               
               <row>
                 <entry><parameter>cnp</parameter></entry>
                 <entry>Component name for
                   <parameter>vp</parameter></entry>
               </row>
             </tbody>
           </tgroup>
         </informaltable>
         
         <para>Determine whether the subject credential can delete a
           vnode from the passed parent directory and passed name
           information.  Return <returnvalue>0</returnvalue> for
           success, or an <varname>errno</varname> value for failure.
           Suggested failure: <errorcode>EACCES</errorcode> for label
           mismatch, or <errorcode>EPERM</errorcode> for lack of
           privilege.  This call may be made in a number of situations,
           including as a result of calls to &man.unlink.2; and
             &man.rmdir.2;.  Policies implementing this entry point
           should also implement
           <function>mpo_check_rename_to</function> to authorize
           deletion of objects as a result of being the target of a
           rename.</para>
       </sect3>
       
       <sect3 id="mac-mpo-cred-check-vnode-deleteacl">
         <title><function>&mac.mpo;_check_vnode_deleteacl</function></title>
         
         <funcsynopsis>
           <funcprototype>
             <funcdef>int
               <function>&mac.mpo;_check_vnode_deleteacl</function></funcdef>
             
             <paramdef>struct ucred *<parameter>cred</parameter></paramdef>
             <paramdef>struct vnode *<parameter>vp</parameter></paramdef>
             <paramdef>struct label *<parameter>label</parameter></paramdef>
             <paramdef>acl_type_t <parameter>type</parameter></paramdef>
           </funcprototype>
         </funcsynopsis>
         
-        <informaltable frame="none">
+        <informaltable frame="none" pgwide="1">
           <tgroup cols="3">
             &mac.thead;
             
             <tbody>
               <row>
                 <entry><parameter>cred</parameter></entry>
                 <entry>Subject credential</entry>
                 <entry>Immutable</entry>
               </row>
               
               <row>
                 <entry><parameter>vp</parameter></entry>
                 <entry>Object; vnode</entry>
                 <entry>Locked</entry>
               </row>
               
               <row>
                 <entry><parameter>label</parameter></entry>
                 <entry>Policy label for
                   <parameter>vp</parameter></entry>
               </row>
               
               <row>
                 <entry><parameter>type</parameter></entry>
                 <entry>ACL type</entry>
               </row>
             </tbody>
           </tgroup>
         </informaltable>
         
         <para>Determine whether the subject credential can delete the
           ACL of passed type from the passed vnode.  Return
           <returnvalue>0</returnvalue> for success, or an
           <varname>errno</varname> value for failure.  Suggested
           failure: <errorcode>EACCES</errorcode> for label mismatch,
           or <errorcode>EPERM</errorcode> for lack of
           privilege.</para>
       </sect3>
       
       <sect3 id="mac-mpo-cred-check-vnode-exec">
         <title><function>&mac.mpo;_check_vnode_exec</function></title>
         
         <funcsynopsis>
           <funcprototype>
             <funcdef>int
               <function>&mac.mpo;_check_vnode_exec</function></funcdef>
             
             <paramdef>struct ucred
               *<parameter>cred</parameter></paramdef>
             <paramdef>struct vnode
               *<parameter>vp</parameter></paramdef>
             <paramdef>struct label
               *<parameter>label</parameter></paramdef>
           </funcprototype>
         </funcsynopsis>
         
-        <informaltable frame="none">
+        <informaltable frame="none" pgwide="1">
           <tgroup cols="3">
             &mac.thead;
             
             <tbody>
               <row>
                 <entry><parameter>cred</parameter></entry>
                 <entry>Subject credential</entry>
               </row>
               
               <row>
                 <entry><parameter>vp</parameter></entry>
                 <entry>Object; vnode to execute</entry>
               </row>
               
               <row>
                 <entry><parameter>label</parameter></entry>
                 <entry>Policy label for
                   <parameter>vp</parameter></entry>
               </row>
             </tbody>
           </tgroup>
         </informaltable>
         
         <para>Determine whether the subject credential can execute the
           passed vnode.  Determination of execute privilege is made
           separately from decisions about any transitioning event.
           Return <returnvalue>0</returnvalue> for success, or an
           <varname>errno</varname> value for failure.  Suggested
           failure: <errorcode>EACCES</errorcode> for label mismatch,
           or <errorcode>EPERM</errorcode> for lack of
           privilege.</para>
       </sect3>
       
       <sect3 id="mpo-cred-check-vnode-getacl">
         <title><function>&mac.mpo;_check_vnode_getacl</function></title>
         
         <funcsynopsis>
           <funcprototype>
             <funcdef>int
               <function>&mac.mpo;_check_vnode_getacl</function></funcdef>
             
             <paramdef>struct ucred
               *<parameter>cred</parameter></paramdef>
             <paramdef>struct vnode
               *<parameter>vp</parameter></paramdef>
             <paramdef>struct label
               *<parameter>label</parameter></paramdef>
             <paramdef>acl_type_t
               <parameter>type</parameter></paramdef>
           </funcprototype>
         </funcsynopsis>
         
-        <informaltable frame="none">
+        <informaltable frame="none" pgwide="1">
           <tgroup cols="3">
             &mac.thead;
             
             <tbody>
               <row>
                 <entry><parameter>cred</parameter></entry>
                 <entry>Subject credential</entry>
               </row>
               
               <row>
                 <entry><parameter>vp</parameter></entry>
                 <entry>Object; vnode</entry>
               </row>
               
               <row>
                 <entry><parameter>label</parameter></entry>
                 <entry>Policy label for
                   <parameter>vp</parameter></entry>
               </row>
               
               <row>
                 <entry><parameter>type</parameter></entry>
                 <entry>ACL type</entry>
               </row>
             </tbody>
           </tgroup>
         </informaltable>
         
         <para>Determine whether the subject credential can retrieve
           the ACL of passed type from the passed vnode.  Return
           <returnvalue>0</returnvalue> for success, or an
           <varname>errno</varname> value for failure.  Suggested
           failure: <errorcode>EACCES</errorcode> for label mismatch,
           or <errorcode>EPERM</errorcode> for lack of
           privilege.</para>
       </sect3>
       
       <sect3 id="mac-mpo-cred-check-vnode-getextattr">
         <title><function>&mac.mpo;_check_vnode_getextattr</function></title>
         
         <funcsynopsis>
           <funcprototype>
             <funcdef>int
               <function>&mac.mpo;_check_vnode_getextattr</function></funcdef>
             
             <paramdef>struct ucred
               *<parameter>cred</parameter></paramdef>
             <paramdef>struct vnode
               *<parameter>vp</parameter></paramdef>
             <paramdef>struct label
               *<parameter>label</parameter></paramdef>
             <paramdef>int
               <parameter>attrnamespace</parameter></paramdef>
             <paramdef>const char
               *<parameter>name</parameter></paramdef>
             <paramdef>struct uio
               *<parameter>uio</parameter></paramdef>
           </funcprototype>
         </funcsynopsis>
         
-        <informaltable frame="none">
+        <informaltable frame="none" pgwide="1">
           <tgroup cols="3">
             &mac.thead;
             
             <tbody>
               <row>
                 <entry><parameter>cred</parameter></entry>
                 <entry>Subject credential</entry>
               </row>
               
               <row>
                 <entry><parameter>vp</parameter></entry>
                 <entry>Object; vnode</entry>
               </row>
               
               <row>
                 <entry><parameter>label</parameter></entry>
                 <entry>Policy label for
                   <parameter>vp</parameter></entry>
               </row>
               
               <row>
                 <entry><parameter>attrnamespace</parameter></entry>
                 <entry>Extended attribute namespace</entry>
               </row>
               
               <row>
                 <entry><parameter>name</parameter></entry>
                 <entry>Extended attribute name</entry>
               </row>
               
               <row>
                 <entry><parameter>uio</parameter></entry>
                 <entry>I/O structure pointer; see &man.uio.9;</entry>
               </row>
             </tbody>
           </tgroup>
         </informaltable>
         
         <para>Determine whether the subject credential can retrieve
           the extended attribute with the passed namespace and name
           from the passed vnode. Policies implementing labeling using
           extended attributes may be interested in special handling of
           operations on those extended attributes.  Return
           <returnvalue>0</returnvalue> for success, or an
           <varname>errno</varname> value for failure. Suggested
           failure: <errorcode>EACCES</errorcode> for label mismatch,
           or <errorcode>EPERM</errorcode> for lack of
           privilege.</para>
       </sect3>
 
       <sect3 id="mac-mpo-check-vnode-link">
         <title><function>&mac.mpo;_check_vnode_link</function></title>
 
         <funcsynopsis>
           <funcprototype>
             <funcdef>int
               <function>&mac.mpo;_check_vnode_link</function></funcdef>
 
             <paramdef>struct ucred
               *<parameter>cred</parameter></paramdef>
             <paramdef>struct vnode
               *<parameter>dvp</parameter></paramdef>
             <paramdef>struct label
               *<parameter>dlabel</parameter></paramdef>
             <paramdef>struct vnode
               *<parameter>vp</parameter></paramdef>
             <paramdef>struct label
               *<parameter>label</parameter></paramdef>
             <paramdef>struct componentname
               *<parameter>cnp</parameter></paramdef>
           </funcprototype>
         </funcsynopsis>
 
-        <informaltable frame="none">
+        <informaltable frame="none" pgwide="1">
           <tgroup cols="3">
             &mac.thead;
 
             <tbody>
               <row>
                 <entry><parameter>cred</parameter></entry>
                 <entry>Subject credential</entry>
               </row>
 
               <row>
                 <entry><parameter>dvp</parameter></entry>
                 <entry>Directory vnode</entry>
               </row>
 
               <row>
                 <entry><parameter>dlabel</parameter></entry>
                 <entry>Policy label associated with
                   <parameter>dvp</parameter></entry>
               </row>
 
               <row>
                 <entry><parameter>vp</parameter></entry>
                 <entry>Link destination vnode</entry>
               </row>
 
               <row>
                 <entry><parameter>label</parameter></entry>
                 <entry>Policy label associated with
                   <parameter>vp</parameter></entry>
               </row>
 
               <row>
                 <entry><parameter>cnp</parameter></entry>
                 <entry>Component name for the link being created</entry>
               </row>
             </tbody>
           </tgroup>
         </informaltable>
 
         <para>Determine whether the subject should be allowed to
           create a link to the vnode <parameter>vp</parameter> with
           the name specified by <parameter>cnp</parameter>.</para>
       </sect3>
 
       <sect3 id="mac-mpo-check-vnode-mmap">
         <title><function>&mac.mpo;_check_vnode_mmap</function></title>
 
         <funcsynopsis>
           <funcprototype>
             <funcdef>int
               <function>&mac.mpo;_check_vnode_mmap</function></funcdef>
 
             <paramdef>struct ucred
               *<parameter>cred</parameter></paramdef>
             <paramdef>struct vnode
               *<parameter>vp</parameter></paramdef>
             <paramdef>struct label
               *<parameter>label</parameter></paramdef>
             <paramdef>int <parameter>prot</parameter></paramdef>
           </funcprototype>
         </funcsynopsis>
 
-        <informaltable frame="none">
+        <informaltable frame="none" pgwide="1">
           <tgroup cols="3">
             &mac.thead;
 
             <tbody>
               <row>
                 <entry><parameter>cred</parameter></entry>
                 <entry>Subject credential</entry>
               </row>
 
               <row>
                 <entry><parameter>vp</parameter></entry>
                 <entry>Vnode to map</entry>
               </row>
 
               <row>
                 <entry><parameter>label</parameter></entry>
                 <entry>Policy label associated with
                   <parameter>vp</parameter></entry>
               </row>
 
               <row>
                 <entry><parameter>prot</parameter></entry>
                 <entry>Mmap protections (see &man.mmap.2;)</entry>
               </row>
             </tbody>
           </tgroup>
         </informaltable>
 
         <para>Determine whether the subject should be allowed to map
           the vnode <parameter>vp</parameter> with the protections
           specified in <parameter>prot</parameter>.</para>
       </sect3>
 
       <sect3 id="mac-mpo-check-vnode-mmap-downgrade">
         <title><function>&mac.mpo;_check_vnode_mmap_downgrade</function></title>
 
         <funcsynopsis>
           <funcprototype>
             <funcdef>void
               <function>&mac.mpo;_check_vnode_mmap_downgrade</function></funcdef>
 
             <paramdef>struct ucred
               *<parameter>cred</parameter></paramdef>
             <paramdef>struct vnode
               *<parameter>vp</parameter></paramdef>
             <paramdef>struct label
               *<parameter>label</parameter></paramdef>
             <paramdef>int *<parameter>prot</parameter></paramdef>
           </funcprototype>
         </funcsynopsis>
 
-        <informaltable frame="none">
+        <informaltable frame="none" pgwide="1">
           <tgroup cols="3">
             &mac.thead;
 
             <tbody>
               <row>
                 <entry><parameter>cred</parameter></entry>
                 <entry morerows="2">See
                   <xref linkend="mac-mpo-check-vnode-mmap">.</entry>
               </row>
 
               <row>
                 <entry><parameter>vp</parameter></entry>
               </row>
 
               <row>
                 <entry><parameter>label</parameter></entry>
               </row>
 
               <row>
                 <entry><parameter>prot</parameter></entry>
                 <entry>Mmap protections to be downgraded</entry>
               </row>
             </tbody>
           </tgroup>
         </informaltable>
 
         <para>Downgrade the mmap protections based on the subject and
           object labels.</para>
       </sect3>
 
       <sect3 id="mac-mpo-check-vnode-mprotect">
         <title><function>&mac.mpo;_check_vnode_mprotect</function></title>
 
         <funcsynopsis>
           <funcprototype>
             <funcdef>int
               <function>&mac.mpo;_check_vnode_mprotect</function></funcdef>
 
             <paramdef>struct ucred
               *<parameter>cred</parameter></paramdef>
             <paramdef>struct vnode
               *<parameter>vp</parameter></paramdef>
             <paramdef>struct label
               *<parameter>label</parameter></paramdef>
             <paramdef>int <parameter>prot</parameter></paramdef>
           </funcprototype>
         </funcsynopsis>
 
-        <informaltable frame="none">
+        <informaltable frame="none" pgwide="1">
           <tgroup cols="3">
             &mac.thead;
 
             <tbody>
               <row>
                 <entry><parameter>cred</parameter></entry>
                 <entry>Subject credential</entry>
               </row>
 
               <row>
                 <entry><parameter>vp</parameter></entry>
                 <entry>Mapped vnode</entry>
               </row>
 
               <row>
                 <entry><parameter>prot</parameter></entry>
                 <entry>Memory protections</entry>
               </row>
             </tbody>
           </tgroup>
         </informaltable>
 
         <para>Determine whether the subject should be allowed to
           set the specified memory protections on memory mapped from
           the vnode <parameter>vp</parameter>.</para>
       </sect3>
 
       <sect3 id="mac-mpo-check-vnode-poll">
         <title><function>&mac.mpo;_check_vnode_poll</function></title>
 
         <funcsynopsis>
           <funcprototype>
             <funcdef>int
               <function>&mac.mpo;_check_vnode_poll</function></funcdef>
 
             <paramdef>struct ucred
               *<parameter>active_cred</parameter></paramdef>
             <paramdef>struct ucred
               *<parameter>file_cred</parameter></paramdef>
             <paramdef>struct vnode
               *<parameter>vp</parameter></paramdef>
             <paramdef>struct label
               *<parameter>label</parameter></paramdef>
           </funcprototype>
         </funcsynopsis>
 
-        <informaltable frame="none">
+        <informaltable frame="none" pgwide="1">
           <tgroup cols="3">
             &mac.thead;
 
             <tbody>
               <row>
                 <entry><parameter>active_cred</parameter></entry>
                 <entry>Subject credential</entry>
               </row>
 
               <row>
                 <entry><parameter>file_cred</parameter></entry>
                 <entry>Credential associated with the <type>struct
                     file</type></entry>
               </row>
 
               <row>
                 <entry><parameter>vp</parameter></entry>
                 <entry>Polled vnode</entry>
               </row>
 
               <row>
                 <entry><parameter>label</parameter></entry>
                 <entry>Policy label associated with
                   <parameter>vp</parameter></entry>
               </row>
             </tbody>
           </tgroup>
         </informaltable>
 
         <para>Determine whether the subject should be allowed to poll
           the vnode <parameter>vp</parameter>.</para>
       </sect3>
 
       <sect3 id="mac-mpo-check-vnode-rename-from">
         <title><function>&mac.mpo;_check_vnode_rename_from</function></title>
 
         <funcsynopsis>
           <funcprototype>
             <funcdef>int
               <function>&mac.mpo;_vnode_rename_from</function></funcdef>
 
             <paramdef>struct ucred
               *<parameter>cred</parameter></paramdef>
             <paramdef>struct vnode
               *<parameter>dvp</parameter></paramdef>
             <paramdef>struct label
               *<parameter>dlabel</parameter></paramdef>
             <paramdef>struct vnode
               *<parameter>vp</parameter></paramdef>
             <paramdef>struct label
               *<parameter>label</parameter></paramdef>
             <paramdef>struct componentname
               *<parameter>cnp</parameter></paramdef>
           </funcprototype>
         </funcsynopsis>
 
-        <informaltable frame="none">
+        <informaltable frame="none" pgwide="1">
           <tgroup cols="3">
             &mac.thead;
 
             <tbody>
               <row>
                 <entry><parameter>cred</parameter></entry>
                 <entry>Subject credential</entry>
               </row>
 
               <row>
                 <entry><parameter>dvp</parameter></entry>
                 <entry>Directory vnode</entry>
               </row>
 
               <row>
                 <entry><parameter>dlabel</parameter></entry>
                 <entry>Policy label associated with
                   <parameter>dvp</parameter></entry>
               </row>
 
               <row>
                 <entry><parameter>vp</parameter></entry>
                 <entry>Vnode to be renamed</entry>
               </row>
 
               <row>
                 <entry><parameter>label</parameter></entry>
                 <entry>Policy label associated with
                   <parameter>vp</parameter></entry>
               </row>
 
               <row>
                 <entry><parameter>cnp</parameter></entry>
                 <entry>Component name for
                   <parameter>vp</parameter></entry>
               </row>
             </tbody>
           </tgroup>
         </informaltable>
 
         <para>Determine whether the subject should be allowed to
           rename the vnode <parameter>vp</parameter> to something
           else.</para>
       </sect3>
 
       <sect3 id="mac-mpo-check-vnode-rename-to">
         <title><function>&mac.mpo;_check_vnode_rename_to</function></title>
 
         <funcsynopsis>
           <funcprototype>
             <funcdef>int
               <function>&mac.mpo;_check_vnode_rename_to</function></funcdef>
 
             <paramdef>struct ucred
               *<parameter>cred</parameter></paramdef>
             <paramdef>struct vnode
               *<parameter>dvp</parameter></paramdef>
             <paramdef>struct label
               *<parameter>dlabel</parameter></paramdef>
             <paramdef>struct vnode
               *<parameter>vp</parameter></paramdef>
             <paramdef>struct label
               *<parameter>label</parameter></paramdef>
             <paramdef>int <parameter>samedir</parameter></paramdef>
             <paramdef>struct componentname
               *<parameter>cnp</parameter></paramdef>
           </funcprototype>
         </funcsynopsis>
 
-        <informaltable frame="none">
+        <informaltable frame="none" pgwide="1">
           <tgroup cols="3">
             &mac.thead;
 
             <tbody>
               <row>
                 <entry><parameter>cred</parameter></entry>
                 <entry>Subject credential</entry>
               </row>
 
               <row>
                 <entry><parameter>dvp</parameter></entry>
                 <entry>Directory vnode</entry>
               </row>
 
               <row>
                 <entry><parameter>dlabel</parameter></entry>
                 <entry>Policy label associated with
                   <parameter>dvp</parameter></entry>
               </row>
 
               <row>
                 <entry><parameter>vp</parameter></entry>
                 <entry>Overwritten vnode</entry>
               </row>
 
               <row>
                 <entry><parameter>label</parameter></entry>
                 <entry>Policy label associated with
                   <parameter>vp</parameter></entry>
               </row>
 
               <row>
                 <entry><parameter>samedir</parameter></entry>
                 <entry>Boolean; <literal>1</literal> if the source and
                   destination directories are the same</entry>
               </row>
 
               <row>
                 <entry><parameter>cnp</parameter></entry>
                 <entry>Destination component name</entry>
               </row>
             </tbody>
           </tgroup>
         </informaltable>
 
         <para>Determine whether the subject should be allowed to
           rename to the vnode <parameter>vp</parameter>, into the
           directory <parameter>dvp</parameter>, or to the name
           represented by <parameter>cnp</parameter>.  If there is no
           existing file to overwrite, <parameter>vp</parameter> and
           <parameter>label</parameter> will be NULL.</para>
       </sect3>
       
       <sect3 id="mac-mpo-cred-check-socket-listen">
         <title><function>&mac.mpo;_check_socket_listen</function></title>
         
         <funcsynopsis>
           <funcprototype>
             <funcdef>int
               <function>&mac.mpo;_check_socket_listen</function></funcdef>
             
             <paramdef>struct ucred
               *<parameter>cred</parameter></paramdef>
             <paramdef>struct socket
               *<parameter>socket</parameter></paramdef>
             <paramdef>struct label
               *<parameter>socketlabel</parameter></paramdef>
           </funcprototype>
         </funcsynopsis>
         
-        <informaltable frame="none">
+        <informaltable frame="none" pgwide="1">
           <tgroup cols="3">
             &mac.thead;
             
             <tbody>
               <row>
                 <entry><parameter>cred</parameter></entry>
                 <entry>Subject credential</entry>
               </row>
               
               <row>
                 <entry><parameter>socket</parameter></entry>
                 <entry>Object; socket</entry>
               </row>
               
               <row>
                 <entry><parameter>socketlabel</parameter></entry>
                 <entry>Policy label for
                   <parameter>socket</parameter></entry>
               </row>
             </tbody>
           </tgroup>
         </informaltable>
         
         <para>Determine whether the subject credential can listen on
           the passed socket.  Return <returnvalue>0</returnvalue> for
           success, or an <varname>errno</varname> value for failure.
           Suggested failure: <errorcode>EACCES</errorcode> for label
           mismatch, or <errorcode>EPERM</errorcode> for lack of
           privilege.</para>
       </sect3>
       
       <sect3 id="mac-mpo-cred-check-vnode-lookup">
         <title><function>&mac.mpo;_check_vnode_lookup</function></title>
         
         <funcsynopsis>
           <funcprototype>
             <funcdef>int
               <function>&mac.mpo;_check_vnode_lookup</function></funcdef>
             
             <paramdef>struct ucred
               *<parameter></parameter>cred</paramdef>
             <paramdef>struct vnode
               *<parameter></parameter>dvp</paramdef>
             <paramdef>struct label
               *<parameter></parameter>dlabel</paramdef>
             <paramdef>struct componentname
               *<parameter>cnp</parameter></paramdef>
           </funcprototype>
         </funcsynopsis>
         
-        <informaltable frame="none">
+        <informaltable frame="none" pgwide="1">
           <tgroup cols="3">
             &mac.thead;
             
             <tbody>
               <row>
                 <entry><parameter>cred</parameter></entry>
                 <entry>Subject credential</entry>
               </row>
               
               <row>
                 <entry><parameter>dvp</parameter></entry>
                 <entry>Object; vnode</entry>
               </row>
               
               <row>
                 <entry><parameter>dlabel</parameter></entry>
                 <entry>Policy label for
                   <parameter>dvp</parameter></entry>
               </row>
               
               <row>
                 <entry><parameter>cnp</parameter></entry>
                 <entry>Component name being looked up</entry>
               </row>
             </tbody>
           </tgroup>
         </informaltable>
         
         <para>Determine whether the subject credential can perform a
           lookup in the passed directory vnode for the passed name.
           Return <returnvalue>0</returnvalue> for success, or an
           <varname>errno</varname> value for failure.  Suggested
           failure: <errorcode>EACCES</errorcode> for label mismatch,
           or <errorcode>EPERM</errorcode> for lack of
           privilege.</para>
       </sect3>
       
       <sect3 id="mac-mpo-cred-check-vnode-open">
         <title><function>&mac.mpo;_check_vnode_open</function></title>
         
         <funcsynopsis>
           <funcprototype>
             <funcdef>int
               <function>&mac.mpo;_check_vnode_open</function></funcdef>
             
             <paramdef>struct ucred
               *<parameter>cred</parameter></paramdef>
             <paramdef>struct vnode
               *<parameter>vp</parameter></paramdef>
             <paramdef>struct label
               *<parameter>label</parameter></paramdef>
             <paramdef>int
               <parameter>acc_mode</parameter></paramdef>
           </funcprototype>
         </funcsynopsis>
         
-        <informaltable frame="none">
+        <informaltable frame="none" pgwide="1">
           <tgroup cols="3">
             &mac.thead;
             
             <tbody>
               <row>
                 <entry><parameter>cred</parameter></entry>
                 <entry>Subject credential</entry>
               </row>
               
               <row>
                 <entry><parameter>vp</parameter></entry>
                 <entry>Object; vnode</entry>
               </row>
               
               <row>
                 <entry><parameter>label</parameter></entry>
                 <entry>Policy label for
                   <parameter>vp</parameter></entry>
               </row>
               
               <row>
                 <entry><parameter>acc_mode</parameter></entry>
                 <entry>&man.open.2; access mode</entry>
               </row>
             </tbody>
           </tgroup>
         </informaltable>
         
         <para>Determine whether the subject credential can perform an
           open operation on the passed vnode with the passed access
           mode.  Return <returnvalue>0</returnvalue> for success, or
           an errno value for failure.  Suggested failure:
           <errorcode>EACCES</errorcode> for label mismatch, or
           <errorcode>EPERM</errorcode> for lack of privilege.</para>
       </sect3>
       
       <sect3 id="mac-mpo-cred-check-vnode-readdir">
         <title><function>&mac.mpo;_check_vnode_readdir</function></title>
         
         <funcsynopsis>
           <funcprototype>
             <funcdef>int
               <function>&mac.mpo;_check_vnode_readdir</function></funcdef>
             
             <paramdef>struct ucred
               *<parameter></parameter>cred</paramdef>
             <paramdef>struct vnode
               *<parameter></parameter>dvp</paramdef>
             <paramdef>struct label
               *<parameter></parameter>dlabel</paramdef>
           </funcprototype>
         </funcsynopsis>
         
-        <informaltable frame="none">
+        <informaltable frame="none" pgwide="1">
           <tgroup cols="3">
             &mac.thead;
             
             <tbody>
               <row>
                 <entry><parameter>cred</parameter></entry>
                 <entry>Subject credential</entry>
               </row>
               
               <row>
                 <entry><parameter>dvp</parameter></entry>
                 <entry>Object; directory vnode</entry>
               </row>
               
               <row>
                 <entry><parameter>dlabel</parameter></entry>
                 <entry>Policy label for
                   <parameter>dvp</parameter></entry>
               </row>
             </tbody>
           </tgroup>
         </informaltable>
         
         <para>Determine whether the subject credential can perform a
           <function>readdir</function> operation on the passed
           directory vnode.  Return <returnvalue>0</returnvalue> for
           success, or an <varname>errno</varname> value for failure.
           Suggested failure: <errorcode>EACCES</errorcode> for label
           mismatch, or <errorcode>EPERM</errorcode> for lack of
           privilege.</para>
       </sect3>
       
       <sect3 id="mac-mpo-cred-check-vnode-readlink">
         <title><function>&mac.mpo;_check_vnode_readlink</function></title>
         
         <funcsynopsis>
           <funcprototype>
             <funcdef>int
               <function>&mac.mpo;_check_vnode_readlink</function></funcdef>
             
             <paramdef>struct ucred
               *<parameter>cred</parameter></paramdef>
             <paramdef>struct vnode
               *<parameter>vp</parameter></paramdef>
             <paramdef>struct label
               *<parameter>label</parameter></paramdef>
           </funcprototype>
         </funcsynopsis>
         
-        <informaltable frame="none">
+        <informaltable frame="none" pgwide="1">
           <tgroup cols="3">
             &mac.thead;
             
             <tbody>
               <row>
                 <entry><parameter>cred</parameter></entry>
                 <entry>Subject credential</entry>
               </row>
               
               <row>
                 <entry><parameter>vp</parameter></entry>
                 <entry>Object; vnode</entry>
               </row>
               
               <row>
                 <entry><parameter>label</parameter></entry>
                 <entry>Policy label for
                   <parameter>vp</parameter></entry>
               </row>
             </tbody>
           </tgroup>
         </informaltable>
         
         <para>Determine whether the subject credential can perform a
           <function>readlink</function> operation on the passed
           symlink vnode.  Return <returnvalue>0</returnvalue> for
           success, or an <varname>errno</varname> value for failure.
           Suggested failure: <errorcode>EACCES</errorcode> for label
           mismatch, or <errorcode>EPERM</errorcode> for lack of
           privilege.  This call may be made in a number of situations,
           including an explicit <function>readlink</function> call by
           the user process, or as a result of an implicit
           <function>readlink</function> during a name lookup by the
           process.</para>
       </sect3>
       
       <sect3 id="mac-mpo-cred-check-vnode-revoke">
         <title><function>&mac.mpo;_check_vnode_revoke</function></title>
         
         <funcsynopsis>
           <funcprototype>
             <funcdef>int
               <function>&mac.mpo;_check_vnode_revoke</function></funcdef>
             
             <paramdef>struct ucred
               *<parameter>cred</parameter></paramdef>
             <paramdef>struct vnode
               *<parameter>vp</parameter></paramdef>
             <paramdef>struct label
               *<parameter>label</parameter></paramdef>
           </funcprototype>
         </funcsynopsis>
         
-        <informaltable frame="none">
+        <informaltable frame="none" pgwide="1">
           <tgroup cols="3">
             &mac.thead;
             
             <tbody>
               <row>
                 <entry><parameter>cred</parameter></entry>
                 <entry>Subject credential</entry>
               </row>
               
               <row>
                 <entry><parameter>vp</parameter></entry>
                 <entry>Object; vnode</entry>
               </row>
               
               <row>
                 <entry><parameter>label</parameter></entry>
                 <entry>Policy label for
                   <parameter>vp</parameter></entry>
               </row>
             </tbody>
           </tgroup>
         </informaltable>
         
         <para>Determine whether the subject credential can revoke
           access to the passed vnode.  Return
           <returnvalue>0</returnvalue> for success, or an
           <varname>errno</varname> value for failure. Suggested
           failure: <errorcode>EACCES</errorcode> for label mismatch,
           or <errorcode>EPERM</errorcode> for lack of
           privilege.</para>
       </sect3>
       
       <sect3 id="mac-mpo-cred-check-vnode-setacl">
         <title><function>&mac.mpo;_check_vnode_setacl</function></title>
         
         <funcsynopsis>
           <funcprototype>
             <funcdef>int
               <function>&mac.mpo;_check_vnode_setacl</function></funcdef>
             
             <paramdef>struct ucred
               *<parameter>cred</parameter></paramdef>
             <paramdef>struct vnode
               *<parameter>vp</parameter></paramdef>
             <paramdef>struct label
               *<parameter>label</parameter></paramdef>
             <paramdef>acl_type_t
               <parameter>type</parameter></paramdef>
             <paramdef>struct acl
               *<parameter>acl</parameter></paramdef>
           </funcprototype>
         </funcsynopsis>
         
-        <informaltable frame="none">
+        <informaltable frame="none" pgwide="1">
           <tgroup cols="3">
             &mac.thead;
             
             <tbody>
               <row>
                 <entry><parameter>cred</parameter></entry>
                 <entry>Subject credential</entry>
               </row>
               
               <row>
                 <entry><parameter>vp</parameter></entry>
                 <entry>Object; vnode</entry>
               </row>
               
               <row>
                 <entry><parameter>label</parameter></entry>
                 <entry>Policy label for
                   <parameter>vp</parameter></entry>
               </row>
               
               <row>
                 <entry><parameter>type</parameter></entry>
                 <entry>ACL type</entry>
               </row>
               
               <row>
                 <entry><parameter>acl</parameter></entry>
                 <entry>ACL</entry>
               </row>
             </tbody>
           </tgroup>
         </informaltable>
         
         <para>Determine whether the subject credential can set the
           passed ACL of passed type on the passed vnode.  Return
           <returnvalue>0</returnvalue> for success, or an
           <varname>errno</varname> value for failure.  Suggested
           failure: <errorcode>EACCES</errorcode> for label mismatch,
           or <errorcode>EPERM</errorcode> for lack of
           privilege.</para>
       </sect3>
       
       <sect3 id="mac-mpo-cred-check-vnode-setextattr">
         <title><function>&mac.mpo;_check_vnode_setextattr</function></title>
         
         <funcsynopsis>
           <funcprototype>
             <funcdef>int
               <function>&mac.mpo;_check_vnode_setextattr</function></funcdef>
             
             <paramdef>struct ucred
               *<parameter>cred</parameter></paramdef>
             <paramdef>struct vnode
               *<parameter>vp</parameter></paramdef>
             <paramdef>struct label
               *<parameter>label</parameter></paramdef>
             <paramdef>int
               <parameter>attrnamespace</parameter></paramdef>
             <paramdef>const char
               *<parameter>name</parameter></paramdef>
             <paramdef>struct uio
               *<parameter>uio</parameter></paramdef>
           </funcprototype>
         </funcsynopsis>
         
-        <informaltable frame="none">
+        <informaltable frame="none" pgwide="1">
           <tgroup cols="3">
             &mac.thead;
             
             <tbody>
               <row>
                 <entry><parameter>cred</parameter></entry>
                 <entry>Subject credential</entry>
               </row>
               
               <row>
                 <entry><parameter>vp</parameter></entry>
                 <entry>Object; vnode</entry>
               </row>
               
               <row>
                 <entry><parameter>label</parameter></entry>
                 <entry>Policy label for <parameter>vp</parameter></entry>
               </row>
               
               <row>
                 <entry><parameter>attrnamespace</parameter></entry>
                 <entry>Extended attribute namespace</entry>
               </row>
               
               <row>
                 <entry><parameter>name</parameter></entry>
                 <entry>Extended attribute name</entry>
               </row>
               
               <row>
                 <entry><parameter>uio</parameter></entry>
                 <entry>I/O structure pointer; see &man.uio.9;</entry>
               </row>
             </tbody>
           </tgroup>
         </informaltable>
         
         <para>Determine whether the subject credential can set the
           extended attribute of passed name and passed namespace on
           the passed vnode.  Policies implementing security labels
           backed into extended attributes may want to provide
           additional protections for those attributes.  Additionally,
           policies should avoid making decisions based on the data
           referenced from <parameter>uio</parameter>, as there is a
           potential race condition between this check and the actual
           operation.  The <parameter>uio</parameter> may also be
           <literal>NULL</literal> if a delete operation is being
           performed.  Return <returnvalue>0</returnvalue> for success,
           or an <varname>errno</varname> value for failure.  Suggested
           failure: <errorcode>EACCES</errorcode> for label mismatch,
           or <errorcode>EPERM</errorcode> for lack of
           privilege.</para>
       </sect3>
       
       <sect3 id="mac-mpo-cred-check-vnode-setflags">
         <title><function>&mac.mpo;_check_vnode_setflags</function></title>
         
         <funcsynopsis>
           <funcprototype>
             <funcdef>int
               <function>&mac.mpo;_check_vnode_setflags</function></funcdef>
             
             <paramdef>struct ucred
               *<parameter>cred</parameter></paramdef>
             <paramdef>struct vnode
               *<parameter>vp</parameter></paramdef>
             <paramdef>struct label
               *<parameter>label</parameter></paramdef>
             <paramdef>u_long <parameter>flags</parameter></paramdef>
           </funcprototype>
         </funcsynopsis>
         
-        <informaltable frame="none">
+        <informaltable frame="none" pgwide="1">
           <tgroup cols="3">
             &mac.thead;
             
             <tbody>
               <row>
                 <entry><parameter>cred</parameter></entry>
                 <entry>Subject credential</entry>
               </row>
               
               <row>
                 <entry><parameter>vp</parameter></entry>
                 <entry>Object; vnode</entry>
               </row>
               
               <row>
                 <entry><parameter>label</parameter></entry>
                 <entry>Policy label for
                   <parameter>vp</parameter></entry>
               </row>
               
               <row>
                 <entry><parameter>flags</parameter></entry>
                 <entry>File flags; see &man.chflags.2;</entry>
               </row>
             </tbody>
           </tgroup>
         </informaltable>
         
         <para>Determine whether the subject credential can set the
           passed flags on the passed vnode.  Return
           <returnvalue>0</returnvalue> for success, or an
           <varname>errno</varname> value for failure.  Suggested
           failure: <errorcode>EACCES</errorcode> for label mismatch,
           or <errorcode>EPERM</errorcode> for lack of
           privilege.</para>
       </sect3>
       
       <sect3 id="mac-mpo-cred-check-vnode-setmode">
         <title><function>&mac.mpo;_check_vnode_setmode</function></title>
         
         <funcsynopsis>
           <funcprototype>
             <funcdef>int
               <function>&mac.mpo;_check_vnode_setmode</function></funcdef>
             
             <paramdef>struct ucred
               *<parameter>cred</parameter></paramdef>
             <paramdef>struct vnode
               *<parameter>vp</parameter></paramdef>
             <paramdef>struct label
               *<parameter>label</parameter></paramdef>
             <paramdef>mode_t <parameter>mode</parameter></paramdef>
           </funcprototype>
         </funcsynopsis>
         
-        <informaltable frame="none">
+        <informaltable frame="none" pgwide="1">
           <tgroup cols="3">
             &mac.thead;
             
             <tbody>
               <row>
                 <entry><parameter>cred</parameter></entry>
                 <entry>Subject credential</entry>
               </row>
               
               <row>
                 <entry><parameter>vp</parameter></entry>
                 <entry>Object; vnode</entry>
               </row>
               
               <row>
                 <entry><parameter>label</parameter></entry>
                 <entry>Policy label for <parameter>vp</parameter></entry>
               </row>
               
               <row>
                 <entry><parameter>mode</parameter></entry>
                 <entry>File mode; see &man.chmod.2;</entry>
               </row>
             </tbody>
           </tgroup>
         </informaltable>
         
         <para>Determine whether the subject credential can set the
           passed mode on the passed vnode.  Return
           <returnvalue>0</returnvalue> for success, or an
           <varname>errno</varname> value for failure.  Suggested
           failure: <errorcode>EACCES</errorcode> for label mismatch,
           or <errorcode>EPERM</errorcode> for lack of
           privilege.</para>
       </sect3>
       
       <sect3 id="mac-mpo-cred-check-vnode-setowner">
         <title><function>&mac.mpo;_check_vnode_setowner</function></title>
         
         <funcsynopsis>
           <funcprototype>
             <funcdef>int
               <function>&mac.mpo;_check_vnode_setowner</function></funcdef>
             
             <paramdef>struct ucred
               *<parameter>cred</parameter></paramdef>
             <paramdef>struct vnode
               *<parameter>vp</parameter></paramdef>
             <paramdef>struct label
               *<parameter>label</parameter></paramdef>
             <paramdef>uid_t <parameter>uid</parameter></paramdef>
             <paramdef>gid_t <parameter>gid</parameter></paramdef>
           </funcprototype>
         </funcsynopsis>
         
-        <informaltable frame="none">
+        <informaltable frame="none" pgwide="1">
           <tgroup cols="3">
             &mac.thead;
             
             <tbody>
               <row>
                 <entry><parameter>cred</parameter></entry>
                 <entry>Subject credential</entry>
               </row>
               
               <row>
                 <entry><parameter>vp</parameter></entry>
                 <entry>Object; vnode</entry>
               </row>
               
               <row>
                 <entry><parameter>label</parameter></entry>
                 <entry>Policy label for <parameter>vp</parameter></entry>
               </row>
               
               <row>
                 <entry><parameter>uid</parameter></entry>
                 <entry>User ID</entry>
               </row>
               
               <row>
                 <entry><parameter>gid</parameter></entry>
                 <entry>Group ID</entry>
               </row>
             </tbody>
           </tgroup>
         </informaltable>
         
         <para>Determine whether the subject credential can set the
           passed uid and passed gid as file uid and file gid on the
           passed vnode.  The IDs may be set to (<literal>-1</literal>)
           to request no update.  Return <returnvalue>0</returnvalue>
           for success, or an <varname>errno</varname> value for
           failure.  Suggested failure: <errorcode>EACCES</errorcode>
           for label mismatch, or <errorcode>EPERM</errorcode> for lack
           of privilege.</para>
       </sect3>
       
       <sect3 id="mac-mpo-cred-check-vnode-setutimes">
         <title><function>&mac.mpo;_check_vnode_setutimes</function></title>
         
         <funcsynopsis>
           <funcprototype>
             <funcdef>int
               <function>&mac.mpo;_check_vnode_setutimes</function></funcdef>
             
             <paramdef>struct ucred
               *<parameter></parameter>cred</paramdef>
             <paramdef>struct vnode
               *<parameter></parameter>vp</paramdef>
             <paramdef>struct label
               *<parameter></parameter>label</paramdef>
             <paramdef>struct timespec
               <parameter></parameter>atime</paramdef>
             <paramdef>struct timespec
               <parameter></parameter>mtime</paramdef>
           </funcprototype>
         </funcsynopsis>
         
-        <informaltable frame="none">
+        <informaltable frame="none" pgwide="1">
           <tgroup cols="3">
             &mac.thead;
             
             <tbody>
               <row>
                 <entry><parameter>cred</parameter></entry>
                 <entry>Subject credential</entry>
               </row>
               
               <row>
                 <entry><parameter>vp</parameter></entry>
                 <entry>Object; vp</entry>
               </row>
               
               <row>
                 <entry><parameter>label</parameter></entry>
                 <entry>Policy label for
                   <parameter>vp</parameter></entry>
               </row>
               
               <row>
                 <entry><parameter>atime</parameter></entry>
                 <entry>Access time; see &man.utimes.2;</entry>
               </row>
               
               <row>
                 <entry><parameter>mtime</parameter></entry>
                 <entry>Modification time; see &man.utimes.2;</entry>
               </row>
             </tbody>
           </tgroup>
         </informaltable>
         
         <para>Determine whether the subject credential can set the
           passed access timestamps on the passed vnode.  Return
           <returnvalue>0</returnvalue> for success, or an
           <varname>errno</varname> value for failure.  Suggested
           failure: <errorcode>EACCES</errorcode> for label mismatch,
           or <errorcode>EPERM</errorcode> for lack of
           privilege.</para>
       </sect3>
       
       <sect3 id="mac-mpo-cred-check-proc-sched">
         <title><function>&mac.mpo;_check_proc_sched</function></title>
         
         <funcsynopsis>
           <funcprototype>
             <funcdef>int
               <function>&mac.mpo;_check_proc_sched</function></funcdef>
             
             <paramdef>struct ucred
               *<parameter>ucred</parameter></paramdef>
             <paramdef>struct proc
               *<parameter>proc</parameter></paramdef>
           </funcprototype>
         </funcsynopsis>
         
-        <informaltable frame="none">
+        <informaltable frame="none" pgwide="1">
           <tgroup cols="3">
             &mac.thead;
             
             <tbody>
               <row>
                 <entry><parameter>cred</parameter></entry>
                 <entry>Subject credential</entry>
               </row>
               
               <row>
                 <entry><parameter>proc</parameter></entry>
                 <entry>Object; process</entry>
               </row>
             </tbody>
           </tgroup>
         </informaltable>
         
         <para>Determine whether the subject credential can change the
           scheduling parameters of the passed process.  Return
           <returnvalue>0</returnvalue> for success, or an
           <varname>errno</varname> value for failure.  Suggested
           failure: <errorcode>EACCES</errorcode> for label mismatch,
           <errorcode>EPERM</errorcode> for lack of privilege, or
           <errorcode>ESRCH</errorcode> to limit visibility.</para>
         
         <para>See &man.setpriority.2; for more information.</para>
       </sect3>
       
       <sect3 id="mac-mpo-cred-check-proc-signal">
         <title><function>&mac.mpo;_check_proc_signal</function></title>
         
         <funcsynopsis>
           <funcprototype>
             <funcdef>int
               <function>&mac.mpo;_check_proc_signal</function></funcdef>
             
             <paramdef>struct ucred
               *<parameter>cred</parameter></paramdef>
             <paramdef>struct proc
               *<parameter>proc</parameter></paramdef>
             <paramdef>int <parameter>signal</parameter></paramdef>
           </funcprototype>
         </funcsynopsis>
         
-        <informaltable frame="none">
+        <informaltable frame="none" pgwide="1">
           <tgroup cols="3">
             &mac.thead;
             
             <tbody>
               <row>
                 <entry><parameter>cred</parameter></entry>
                 <entry>Subject credential</entry>
               </row>
               
               <row>
                 <entry><parameter>proc</parameter></entry>
                 <entry>Object; process</entry>
               </row>
               
               <row>
                 <entry><parameter>signal</parameter></entry>
                 <entry>Signal; see &man.kill.2;</entry>
               </row>
             </tbody>
           </tgroup>
         </informaltable>
         
         <para>Determine whether the subject credential can deliver the
           passed signal to the passed process.  Return
           <returnvalue>0</returnvalue> for success, or an
           <varname>errno</varname> value for failure.  Suggested
           failure: <errorcode>EACCES</errorcode> for label mismatch,
           <errorcode>EPERM</errorcode> for lack of privilege, or
           <errorcode>ESRCH</errorcode> to limit visibility.</para>
       </sect3>
       
       <sect3 id="mac-mpo-cred-check-vnode-stat">
         <title><function>&mac.mpo;_check_vnode_stat</function></title>
         
         <funcsynopsis>
           <funcprototype>
             <funcdef>int
               <function>&mac.mpo;_check_vnode_stat</function></funcdef>
             
             <paramdef>struct ucred
               *<parameter>cred</parameter></paramdef>
             <paramdef>struct vnode
               *<parameter>vp</parameter></paramdef>
             <paramdef>struct label
               *<parameter>label</parameter></paramdef>
           </funcprototype>
         </funcsynopsis>
         
-        <informaltable frame="none">
+        <informaltable frame="none" pgwide="1">
           <tgroup cols="3">
             &mac.thead;
             
             <tbody>
               <row>
                 <entry><parameter>cred</parameter></entry>
                 <entry>Subject credential</entry>
               </row>
               
               <row>
                 <entry><parameter>vp</parameter></entry>
                 <entry>Object; vnode</entry>
               </row>
               
               <row>
                 <entry><parameter>label</parameter></entry>
                 <entry>Policy label for
                   <parameter>vp</parameter></entry>
               </row>
             </tbody>
           </tgroup>
         </informaltable>
         
         <para>Determine whether the subject credential can
           <function>stat</function> the passed vnode.  Return
           <returnvalue>0</returnvalue> for success, or an
           <varname>errno</varname> value for failure.  Suggested
           failure: <errorcode>EACCES</errorcode> for label mismatch,
           or <errorcode>EPERM</errorcode> for lack of
           privilege.</para>
         
         <para>See &man.stat.2; for more information.</para>
       </sect3>
       
       <sect3 id="mac-mpo-cred-check-ifnet-transmit">
         <title><function>&mac.mpo;_check_ifnet_transmit</function></title>
         
         <funcsynopsis>
           <funcprototype>
             <funcdef>int
               <function>&mac.mpo;_check_ifnet_transmit</function></funcdef>
             
             <paramdef>struct ucred
               *<parameter>cred</parameter></paramdef>
             <paramdef>struct ifnet
               *<parameter>ifnet</parameter></paramdef>
             <paramdef>struct label
               *<parameter>ifnetlabel</parameter></paramdef>
             <paramdef>struct mbuf
               *<parameter>mbuf</parameter></paramdef>
             <paramdef>struct label
               *<parameter>mbuflabel</parameter></paramdef>
           </funcprototype>
         </funcsynopsis>
         
-        <informaltable frame="none">
+        <informaltable frame="none" pgwide="1">
           <tgroup cols="3">
             &mac.thead;
             
             <tbody>
               <row>
                 <entry><parameter>cred</parameter></entry>
                 <entry>Subject credential</entry>
               </row>
               
               <row>
                 <entry><parameter>ifnet</parameter></entry>
                 <entry>Network interface</entry>
               </row>
               
               <row>
                 <entry><parameter>ifnetlabel</parameter></entry>
                 <entry>Policy label for
                   <parameter>ifnet</parameter></entry>
               </row>
               
               <row>
                 <entry><parameter>mbuf</parameter></entry>
                 <entry>Object; mbuf to be sent</entry>
               </row>
               
               <row>
                 <entry><parameter>mbuflabel</parameter></entry>
                 <entry>Policy label for
                   <parameter>mbuf</parameter></entry>
               </row>
             </tbody>
           </tgroup>
         </informaltable>
         
         <para>Determine whether the network interface can transmit the
           passed mbuf.  Return <returnvalue>0</returnvalue> for
           success, or an <varname>errno</varname> value for failure.
           Suggested failure: <errorcode>EACCES</errorcode> for label
           mismatch, or <errorcode>EPERM</errorcode> for lack of
           privilege.</para>
       </sect3>
       
       <sect3 id="mac-mpo-cred-check-socket-deliver">
         <title><function>&mac.mpo;_check_socket_deliver</function></title>
         
         <funcsynopsis>
           <funcprototype>
             <funcdef>int
               <function>&mac.mpo;_check_socket_deliver</function></funcdef>
             
             <paramdef>struct ucred
               *<parameter>cred</parameter></paramdef>
             <paramdef>struct ifnet
               *<parameter>ifnet</parameter></paramdef>
             <paramdef>struct label
               *<parameter>ifnetlabel</parameter></paramdef>
             <paramdef>struct mbuf
               *<parameter>mbuf</parameter></paramdef>
             <paramdef>struct label
               *<parameter>mbuflabel</parameter></paramdef>
           </funcprototype>
         </funcsynopsis>
         
-        <informaltable frame="none">
+        <informaltable frame="none" pgwide="1">
           <tgroup cols="3">
             &mac.thead;
             
             <tbody>
               <row>
                 <entry><parameter>cred</parameter></entry>
                 <entry>Subject credential</entry>
               </row>
               
               <row>
                 <entry><parameter>ifnet</parameter></entry>
                 <entry>Network interface</entry>
               </row>
               
               <row>
                 <entry><parameter>ifnetlabel</parameter></entry>
                 <entry>Policy label for
                   <parameter>ifnet</parameter></entry>
               </row>
               
               <row>
                 <entry><parameter>mbuf</parameter></entry>
                 <entry>Object; mbuf to be delivered</entry>
               </row>
               
               <row>
                 <entry><parameter>mbuflabel</parameter></entry>
                 <entry>Policy label for
                   <parameter>mbuf</parameter></entry>
               </row>
             </tbody>
           </tgroup>
         </informaltable>
         
         <para>Determine whether the socket may receive the datagram
           stored in the passed mbuf header.  Return
           <returnvalue>0</returnvalue> for success, or an
           <varname>errno</varname> value for failure.  Suggested
           failures: <errorcode>EACCES</errorcode> for label mismatch,
           or <errorcode>EPERM</errorcode> for lack of
           privilege.</para>
       </sect3>
       
       <sect3 id="mac-mpo-check-socket-visible">
         <title><function>&mac.mpo;_check_socket_visible</function></title>
         
         <funcsynopsis>
           <funcprototype>
             <funcdef>int
               <function>&mac.mpo;_check_socket_visible</function></funcdef>
             
             <paramdef>struct ucred
               *<parameter>cred</parameter></paramdef>
             <paramdef>struct socket
               *<parameter>so</parameter></paramdef>
             <paramdef>struct label
               *<parameter>socketlabel</parameter></paramdef>
           </funcprototype>
         </funcsynopsis>
         
-        <informaltable frame="none">
+        <informaltable frame="none" pgwide="1">
           <tgroup cols="3">
             &mac.thead;
             
             <tbody>
               <row>
                 <entry><parameter>cred</parameter></entry>
                 <entry>Subject credential</entry>
                 <entry>Immutable</entry>
               </row>
               
               <row>
                 <entry><parameter>so</parameter></entry>
                 <entry>Object; socket</entry>
               </row>
               
               <row>
                 <entry><parameter>socketlabel</parameter></entry>
                 <entry>Policy label for
                   <parameter>so</parameter></entry>
               </row>
             </tbody>
           </tgroup>
         </informaltable>
         
         <para>Determine whether the subject credential cred can "see"
           the passed socket (<parameter>socket</parameter>) using
           system monitoring functions, such as those employed by
             &man.netstat.8; and &man.sockstat.1;.  Return
           <returnvalue>0</returnvalue> for success, or an
           <varname>errno</varname> value for failure.  Suggested
           failure: <errorcode>EACCES</errorcode> for label mismatches,
           <errorcode>EPERM</errorcode> for lack of privilege, or
           <errorcode>ESRCH</errorcode> to hide visibility.</para>
       </sect3>
 
       <sect3 id="mac-mpo-check-system-acct">
         <title><function>&mac.mpo;_check_system_acct</function></title>
 
         <funcsynopsis>
           <funcprototype>
             <funcdef>int
               <function>&mac.mpo;_check_system_acct</function></funcdef>
 
             <paramdef>struct ucred
               *<parameter>ucred</parameter></paramdef>
             <paramdef>struct vnode
               *<parameter>vp</parameter></paramdef>
             <paramdef>struct label
               *<parameter>vlabel</parameter></paramdef>
           </funcprototype>
         </funcsynopsis>
 
-        <informaltable frame="none">
+        <informaltable frame="none" pgwide="1">
           <tgroup cols="3">
             &mac.thead;
 
             <tbody>
               <row>
                 <entry><parameter>ucred</parameter></entry>
                 <entry>Subject credential</entry>
               </row>
 
               <row>
                 <entry><parameter>vp</parameter></entry>
                 <entry>Accounting file; &man.acct.5;</entry>
               </row>
 
               <row>
                 <entry><parameter>vlabel</parameter></entry>
                 <entry>Label associated with
                   <parameter>vp</parameter></entry>
               </row>
             </tbody>
           </tgroup>
         </informaltable>
 
         <para>Determine whether the subject should be allowed to
           enable accounting, based on its label and the label of the
           accounting log file.</para>
       </sect3>
 
       <sect3 id="mac-mpo-check-system-nfsd">
         <title><function>&mac.mpo;_check_system_nfsd</function></title>
 
         <funcsynopsis>
           <funcprototype>
             <funcdef>int
               <function>&mac.mpo;_check_system_nfsd</function></funcdef>
 
             <paramdef>struct ucred
               *<parameter>cred</parameter></paramdef>
           </funcprototype>
         </funcsynopsis>
 
-        <informaltable frame="none">
+        <informaltable frame="none" pgwide="1">
           <tgroup cols="3">
             &mac.thead;
 
             <tbody>
               <row>
                 <entry><parameter>cred</parameter></entry>
                 <entry>Subject credential</entry>
               </row>
             </tbody>
           </tgroup>
         </informaltable>
 
         <para>Determine whether the subject should be allowed to call
             &man.nfssvc.2;.</para>
       </sect3>
 
       <sect3 id="mac-mpo-check-system-reboot">
         <title><function>&mac.mpo;_check_system_reboot</function></title>
 
         <funcsynopsis>
           <funcprototype>
             <funcdef>int
               <function>&mac.mpo;_check_system_reboot</function></funcdef>
 
             <paramdef>struct ucred
               *<parameter>cred</parameter></paramdef>
             <paramdef>int <parameter>howto</parameter></paramdef>
           </funcprototype>
         </funcsynopsis>
 
-        <informaltable frame="none">
+        <informaltable frame="none" pgwide="1">
           <tgroup cols="3">
             &mac.thead;
 
             <tbody>
               <row>
                 <entry><parameter>cred</parameter></entry>
                 <entry>Subject credential</entry>
               </row>
 
               <row>
                 <entry><parameter>howto</parameter></entry>
                 <entry><parameter>howto</parameter> parameter from
                     &man.reboot.2;</entry>
               </row>
             </tbody>
           </tgroup>
         </informaltable>
 
         <para>Determine whether the subject should be allowed to
           reboot the system in the specified manner.</para>
       </sect3>
 
       <sect3 id="mac-mpo-check-system-settime">
         <title><function>&mac.mpo;_check_system_settime</function></title>
 
         <funcsynopsis>
           <funcprototype>
             <funcdef>int
               <function>&mac.mpo;_check_system_settime</function></funcdef>
 
             <paramdef>struct ucred
               *<parameter>cred</parameter></paramdef>
           </funcprototype>
         </funcsynopsis>
 
-        <informaltable frame="none">
+        <informaltable frame="none" pgwide="1">
           <tgroup cols="3">
             &mac.thead;
 
             <tbody>
               <row>
                 <entry><parameter>cred</parameter></entry>
                 <entry>Subject credential</entry>
               </row>
             </tbody>
           </tgroup>
         </informaltable>
 
         <para>Determine whether the user should be allowed to set the
           system clock.</para>
       </sect3>
 
       <sect3 id="mac-mpo-check-system-swapon">
         <title><function>&mac.mpo;_check_system_swapon</function></title>
 
         <funcsynopsis>
           <funcprototype>
             <funcdef>int
               <function>&mac.mpo;_check_system_swapon</function></funcdef>
 
             <paramdef>struct ucred
               *<parameter>cred</parameter></paramdef>
             <paramdef>struct vnode
               *<parameter>vp</parameter></paramdef>
             <paramdef>struct label
               *<parameter>vlabel</parameter></paramdef>
           </funcprototype>
         </funcsynopsis>
 
-        <informaltable frame="none">
+        <informaltable frame="none" pgwide="1">
           <tgroup cols="3">
             &mac.thead;
 
             <tbody>
               <row>
                 <entry><parameter>cred</parameter></entry>
                 <entry>Subject credential</entry>
               </row>
 
               <row>
                 <entry><parameter>vp</parameter></entry>
                 <entry>Swap device</entry>
               </row>
 
               <row>
                 <entry><parameter>vlabel</parameter></entry>
                 <entry>Label associated with
                   <parameter>vp</parameter></entry>
               </row>
             </tbody>
           </tgroup>
         </informaltable>
 
         <para>Determine whether the subject should be allowed to add
           <parameter>vp</parameter> as a swap device.</para>
       </sect3>
 
       <sect3 id="mac-mpo-check-system-sysctl">
         <title><function>&mac.mpo;_check_system_sysctl</function></title>
 
         <funcsynopsis>
           <funcprototype>
             <funcdef>int
               <function>&mac.mpo;_check_system_sysctl</function></funcdef>
 
             <paramdef>struct ucred
               *<parameter>cred</parameter></paramdef>
             <paramdef>int *<parameter>name</parameter></paramdef>
             <paramdef>u_int *<parameter>namelen</parameter></paramdef>
             <paramdef>void *<parameter>old</parameter></paramdef>
             <paramdef>size_t
               *<parameter>oldlenp</parameter></paramdef>
             <paramdef>int <parameter>inkernel</parameter></paramdef>
             <paramdef>void *<parameter>new</parameter></paramdef>
             <paramdef>size_t <parameter>newlen</parameter></paramdef>
           </funcprototype>
         </funcsynopsis>
 
-        <informaltable frame="none">
+        <informaltable frame="none" pgwide="1">
           <tgroup cols="3">
             &mac.thead;
 
             <tbody>
               <row>
                 <entry><parameter>cred</parameter></entry>
                 <entry>Subject credential</entry>
               </row>
 
               <row>
                 <entry><parameter>name</parameter></entry>
                 <entry morerows="3">See &man.sysctl.3;</entry>
               </row>
 
               <row>
                 <entry><parameter>namelen</parameter></entry>
               </row>
 
               <row>
                 <entry><parameter>old</parameter></entry>
               </row>
 
               <row>
                 <entry><parameter>oldlenp</parameter></entry>
               </row>
 
               <row>
                 <entry><parameter>inkernel</parameter></entry>
                 <entry>Boolean; <literal>1</literal> if called from
                   kernel</entry>
               </row>
 
               <row>
                 <entry><parameter>new</parameter></entry>
                 <entry morerows="1">See &man.sysctl.3;</entry>
               </row>
 
               <row>
                 <entry><parameter>newlen</parameter></entry>
               </row>
             </tbody>
           </tgroup>
         </informaltable>
 
         <para>Determine whether the subject should be allowed to make
           the specified &man.sysctl.3; transaction.</para>
       </sect3>
     </sect2>
     
     <sect2 id="mac-label-management">
       <title>Label Management Calls</title>
       
       <para>Relabel events occur when a user process has requested
         that the label on an object be modified.  A two-phase update
         occurs: first, an access control check will be performed to
         determine if the update is both valid and permitted, and then
         the update itself is performed via a separate entry point.
         Relabel entry points typically accept the object, object label
         reference, and an update label submitted by the process.
         Memory allocation during relabel is discouraged, as relabel
         calls are not permitted to fail (failure should be reported
         earlier in the relabel check).</para>
       
     </sect2>
   </sect1>
   
   <sect1 id="mac-userland-arch">
     <title>Userland Architecture</title>
     
     <para>The TrustedBSD MAC Framework includes a number of
       policy-agnostic elements, including MAC library interfaces
       for abstractly managing labels, modifications to the system
       credential management and login libraries to support the
       assignment of MAC labels to users, and a set of tools to
       monitor and modify labels on processes, files, and network
       interfaces.  More details on the user architecture will
       be added to this section in the near future.</para>
 
     <sect2 id="mac-userland-labels">
       <title>APIs for Policy-Agnostic Label Management</title>
 
       <para>The TrustedBSD MAC Framework provides a number of
 	library and system calls permitting applications to
 	manage MAC labels on objects using a policy-agnostic
 	interface.  This permits applications to manipulate
 	labels for a variety of policies without being
 	written to support specific policies.  These interfaces
 	are used by general-purpose tools such as &man.ifconfig.8;,
 	&man.ls.1; and &man.ps.1; to view labels on network
 	interfaces, files, and processes.  The APIs also support
 	MAC management tools including &man.getfmac.8;,
 	&man.getpmac.8;, &man.setfmac.8;, &man.setfsmac.8;,
 	and &man.setpmac.8;.  The MAC APIs are documented in
 	&man.mac.3;.</para>
 
       <para>Applications handle MAC labels in two forms: an
 	internalized form used to return and set labels on
 	processes and objects (<literal>mac_t</literal>),
 	and externalized form based on C strings appropriate for
 	storage in configuration files, display to the user, or
 	input from the user.  Each MAC label contains a number of
 	elements, each consisting of a name and value pair.
 	Policy modules in the kernel bind to specific names
 	and interpret the values in policy-specific ways.  In
 	the externalized string form, labels are represented
 	by a comma-delimited list of name and value pairs separated
 	by the <literal>/</literal> character.  Labels may be
 	directly converted to and from text using provided APIs;
 	when retrieving labels from the kernel, internalized
 	label storage must first be prepared for the desired
 	label element set.  Typically, this is done in one of
 	two ways: using &man.mac.prepare.3; and an arbitrary
 	list of desired label elements, or one of the variants
 	of the call that loads a default element set from the
 	&man.mac.conf.5; configuration file.  Per-object
 	defaults permit application writers to usefully display
 	labels associated with objects without being aware of
 	the policies present in the system.</para>
 
       <note><para>Currently, direct manipulation of label elements
 	other than by conversion to a text string, string editing,
 	and conversion back to an internalized label is not supported
 	by the MAC library.  Such interfaces may be added in the
 	future if they prove necessary for application
 	writers.</para></note>
     </sect2>
 
     <sect2 id="mac-userland-credentials">
       <title>Binding of Labels to Users</title>
 
       <para>The standard user context management interface,
 	&man.setusercontext.3;, has been modified to retrieve
 	MAC labels associated with a user's class from
 	&man.login.conf.5;.  These labels are then set along
 	with other user context when either
 	<literal>LOGIN_SETALL</literal> is specified, or when
 	<literal>LOGIN_SETMAC</literal> is explicitly
 	specified.</para>
 
       <note><para>It is expected that, in a future version of FreeBSD,
 	the MAC label database will be separated from the
 	<filename>login.conf</filename> user class abstraction,
 	and be maintained in a separate database.  However, the
 	&man.setusercontext.3; API should remain the same
 	following such a change.</para></note>
     </sect2>
   </sect1>
 
   <sect1 id="mac-conclusion">
     <title>Conclusion</title>
     
     <para>The TrustedBSD MAC framework permits kernel modules to
       augment the system security policy in a highly integrated
       manner.  They may do this based on existing object properties,
       or based on label data that is maintained with the assistance of
       the MAC framework.  The framework is sufficiently flexible to
       implement a variety of policy types, including information flow
       security policies such as MLS and Biba, as well as policies
       based on existing BSD credentials or file protections.  Policy
       authors may wish to consult this documentation as well as
       existing security modules when implementing a new security
       service.</para>
   </sect1>
 </chapter>
 
 <!--
      Local Variables:
      mode: sgml
      sgml-declaration: "../chapter.decl"
      sgml-indent-data: t
      sgml-omittag: nil
      sgml-always-quote-attributes: t
      sgml-parent-document: ("../book.sgml" "part" "chapter")
      End:
 -->
diff --git a/en_US.ISO8859-1/books/corp-net-guide/book.sgml b/en_US.ISO8859-1/books/corp-net-guide/book.sgml
index bda8f553d7..5abc08a029 100644
--- a/en_US.ISO8859-1/books/corp-net-guide/book.sgml
+++ b/en_US.ISO8859-1/books/corp-net-guide/book.sgml
@@ -1,3222 +1,3222 @@
 <!-- $FreeBSD$ -->
 <!-- FreeBSD Documentation Project -->
 
 <!DOCTYPE book PUBLIC "-//FreeBSD//DTD DocBook V4.1-Based Extension//EN" [
 <!ENTITY % books.ent PUBLIC "-//FreeBSD//ENTITIES DocBook FreeBSD Books Entity Set//EN">
 %books.ent;
 ]>
 
 <book>
   <bookinfo>
     <title>The FreeBSD Corporate Networker's Guide</title>
 
     <author>
       <firstname>Ted</firstname>
       <surname>Mittelstaedt</surname>
     </author>
 
     <copyright>
       <year>2001</year>
       <holder>Addison-Wesley Longman, Inc (Original English language edition)</holder>
     </copyright>
 
     <copyright>
       <year>2001</year>
       <holder>Pearson Educational Japan (Japanese language translation)</holder>
     </copyright>
 
     <isbn>ENGLISH LANGUAGE EDITION ISBN: 0-201-70481-1</isbn>
     <isbn>JAPANESE LANGUAGE EDITION ISBN: 4-89471-464-7</isbn>
     
     <legalnotice id="legalnotice">
       <para>The eighth chapter of the book, <citetitle>The FreeBSD Corporate
 	  Networker's Guide</citetitle> is excerpted here with the permission
 	of the publisher.  No part of it may be further reproduced or
 	distributed without the publisher's express written
 	<email>Chanda.Leary-Coutu@awl.com</email>.
 	The other chapters of
 	<ulink url="http://cseng.aw.com/book/0,,0201704811,00.html">the
 	  book</ulink> covers topics such as system administration,
 	fileserving, and e-mail delivery.  More information about this book is
 	available from the publisher, with whom you can also sign up to
 	receive news of <ulink url="mailto:Chanda.Leary-Coutu@awl.com">related
 	  titles</ulink>.  The author's web site for the book includes sample
 	code, working examples,
 	<ulink url="http://www.freebsd-corp-net-guide.com/errata.html">errata</ulink>
 	and a Q&amp;A forum, and is available at
 	<ulink url="http://www.freebsd-corp-net-guide.com/"></ulink>.</para>
     </legalnotice>
   </bookinfo>
 
   <chapter id="printserving" label="8">
     <title>Printserving</title>
 
     <para>Printserving is a complicated topic.  There are many different
       software interfaces to printers, as well as a wide variety of printer
       hardware interfaces.  This chapter covers the basics of setting up a
       print queue, using Samba to print, and administering print queues and
       connections.</para>
 
     <sect1 id="printserving-history">
       <title>PC printing history</title>
 
       <para>In the early days of the personal computer, printing was simple.
 	The PC owner bought a cheap printer, usually a dot matrix that barely
 	supported ASCII, and plugged it into the computer with a parallel
 	cable.  Applications would either work with the printer or not, and
 	most did because all they could do was output DOS or ASCII text.  The
 	few software applications that supported graphics generally could only
 	output on specific makes and models of printers.  Shared
 	<emphasis>network</emphasis> printing, if it existed, was usually done
 	by some type of serial port switchbox.</para>
 
       <para>This was the general state of affairs with the PC until the
 	Windows operating system was released.  All at once, application
 	programmers were finally free of the restrictions of worrying about
 	how some printer manufacturer would change printer control codes.
 	Graphics printing, in the form of fonts and images, was added to most
 	applications, and demand for it rapidly increased across the
 	corporation.  Large, high-capacity laser printers designed for office
 	printing appeared on the scene.  Printing went from 150 to 300 to
 	600 dpi for the common desktop laser printer.</para>
 
       <para>Today organizational network printing is complex, and printers
 	themselves are more complicated.  Most organizations find that sharing
 	a few high-quality laser printers is much more cost effective than
 	buying many cheaper dot matrix units.  Good network print serving is a
 	necessity, and it can be very well provided by the FreeBSD UNIX
 	system.</para>
     </sect1>
 
     <sect1 id="printserving-protocols">
       <title>Printer communication protocols and hardware</title>
 
       <para>Printers that don't use proprietary vendor codes communicate with
 	computers using one or more of three major printing protocols.  The
 	communication is done over a hardware cable that can be a parallel
 	connection (printer port) or a serial connection (COM port).</para>
 
       <sect2>
 	<title>ASCII Printing Protocol</title>
 
 	<para>The ASCII protocol is the simplest protocol used, as well as the
 	  oldest.  ASCII is also used to represent text files internally in
 	  the DOS, UNIX, and Windows operating systems.  Therefore, data taken
 	  from a text file or a directory listing generally requires little
 	  preparation before being sent to the printer, other than a
 	  newline-to-carriage return/linefeed conversion for UNIX.  Printers
 	  usually follow the DOS text file convention of the print head
 	  requiring an explicit carriage return character followed by a
 	  linefeed character at the end of a line of text.  Since UNIX uses
 	  only the linefeed character to terminate text, an additional
 	  carriage return character must be added to the end of each line in
 	  raw text print output; otherwise, text prints in a
 	  <emphasis>stairstep</emphasis> output.  (Some printers have hardware
 	  or software switches to do the conversion.)</para>
       </sect2>
 
       <sect2>
 	<title>PostScript Printing Protocol</title>
 
 	<para>Adobe introduced the PostScript language in 1985; it is used to
 	  enable the printout of high quality graphics and styled font text.
 	  PostScript is now the de-facto print standard in the UNIX community,
 	  and the only print standard in the Macintosh community.  Numerous
 	  UNIX utilities exist to <emphasis>beautify</emphasis> and enhance
 	  text printing with PostScript.  PostScript can be used to download
 	  font files into a printer as well as the data to be printed.
 	  PostScript commands can be sent to instruct the printer CPU to
 	  image, rotate, and scale complex graphics and images, thus freeing
 	  the host CPU.  Scaling is particularly important with fonts since
 	  the document with the font has been produced on a computer screen
 	  with far lower resolution than the printer.  For example, a 1024x768
 	  computer screen on a 17-inch monitor allows for a resolution of
 	  approximately 82dpi, a modern desktop printer prints at a resolution
 	  of 600dpi.  Therefore, a font must be scaled at least seven times
 	  larger for WYSIWYG output!</para>
 
 	<para>PostScript printers generally come with a number of resident
 	  fonts.  For example, the NEC Silentwriter 95 contains Courier,
 	  Helvetica, ITC Avant Garde Gothic Book, ITC Bookman Light, New
 	  Century Schoolbook Roman, Palatino Roman, Times Roman, and several
 	  symbol fonts.  These are stored in Read Only Memory (ROM) in the
 	  printer.  When a page is printed from a Windows client that contains
 	  a font not in the printer, a font substitution table is used.  If no
 	  substitute can be made, Courier is usually used.  The user should be
 	  conscious of this when creating documents - documents with fonts not
 	  listed in the substitution table may cause other users problems when
 	  printing.  Avoid use of strange fonts for documents that will be
 	  widely distributed.</para>
 
 	<para>The user program can choose to download different fonts as
 	  outline fonts to the PostScript printer if desired.  Fonts that are
 	  commonly used by the user are often downloaded to PostScript
 	  printers that are connected directly to the user's computer, the
 	  fonts are then available to successive print jobs until the printer
 	  is turned off.  When PostScript printers are networked, the clients
 	  must download any fonts desired <emphasis>with each print
 	    job</emphasis>.  Since jobs come from different clients, the
 	  clients cannot assume that downloaded fonts will still be in the
 	  printer.</para>
 
 	<para>PostScript print jobs also contain a header that is sent
 	  describing the page layout, among other things.  On a shared network
 	  printer, this header must also be downloaded with each print job.
 	  Although some PostScript drivers allow downloading of the header
 	  only once, this usually requires a bi-directional serial connection
 	  to the printer, instead of a unidirectional parallel
 	  connection.</para>
 
 	<para>PostScript print jobs can be sent either as binary data or as
 	  ASCII.  The main advantage of binary data transmission is that it is
 	  faster.  However, not all PostScript printers support it.  Also,
 	  fonts can generally not be downloaded in binary.  When FreeBSD is
 	  used as a printserver, ASCII PostScript printing should be selected
 	  on the clients, this is generally the default with most PostScript
 	  drivers.</para>
 
 	<para>The Adobe company licenses PostScript interpreters as well as
 	  resident fonts to printer manufacturers, and extracts a hefty
 	  license fee from any printer manufacturer who wants to use them in
 	  its printer.  This presents both a benefit and a problem to the end
 	  user.  Although a single company holding control over a standard can
 	  guarantee compliance, it does significantly raise the cost of the
 	  printer.  As a result, PostScript has not met with much success in
 	  the lower-end laser and inkjet Windows printing market, despite the
 	  fact that Adobe distributes PostScript software operating system
 	  drivers for free.</para>
 
 	<para>One issue that is a concern when networking PostScript printers
 	  is the selection of banner page, (also known as header page, or
 	  <emphasis>burst page)</emphasis> printing.  UNIX shared printing
 	  began with ASCII line printers, and since UNIX is a multiuser
 	  system, often many different user print jobs piled up in the printer
 	  output hopper.  To separate these jobs the UNIX printing system
 	  programs support banner page printing if the client program that
 	  submits jobs asks for them.  These pages print at the beginning or
 	  end of every print job and contain the username, submittal date, and
 	  so on..  By default, most clients, whether remote (e.g., a Windows
 	  LPR client) or local (e.g., the <command>/usr/bin/lpr</command>
 	  program) trigger a banner page to be printed.  One problem is that
 	  some PostScript printers abort the entire job if they get
 	  unformatted ASCII text instead of PostScript.  (In general,
 	  PostScript printers compatible with Hewlett-Packard Printer Control
 	  Language [HPPCL] handle banners without problems) Banner printing
 	  should be disabled for any printers with this problem, unless
 	  PostScript banner page printing is set up on the server.</para>
       </sect2>
 
       <sect2>
 	<title>HPPCL Printing Protocol</title>
 
 	<para>The Hewlett Packard company currently holds the largest market
 	  share of desktop inkjet and office laser printers.  Back when
 	  Windows was released, HP decided to expand into the desktop laser
 	  jet market with the first LaserJet series of printers.  At the time
 	  there was much pressure on Microsoft to use Adobe Type Manager for
 	  scaleable fonts within Windows, and to print PostScript to
 	  higher-end printers.  Microsoft decided against doing this and used
 	  a technically inferior font standard, Truetype.  They thought that
 	  it would be unlikely that the user would download fonts to the
 	  printer, since desktop Publishing was not being done on PC's at the
 	  time. Instead users would rasterize the entire page to the printer
 	  using whatever proprietary graphics printer codes the selected
 	  printer needed.  HP devised HPPCL for their LaserJets, and make
 	  PostScript an add-on.  The current revision of HPPCL now allows for
 	  many of the same scaling and font download commands that PostScript
 	  does.  HP laser jet printers that support PostScript can be
 	  distinguished by the letter "M" in their model number.  (M is for
 	  Macintosh, since Macintosh requires PostScript to print) For
 	  example, the HP 6MP has PostScript, the 6P doesn't.</para>
 
 	<para>HPPCL has almost no support in the UNIX applications market, and
 	  it is very unlikely that any will appear soon.  One big reason is
 	  the development of the free <application>Ghostscript</application>
 	  PostScript interpreter.  <application>Ghostscript</application> can
 	  take a PostScript input stream and print it on a PCL printer under
 	  UNIX.  Another reason is the UNIX community's dislike of reinventing
 	  the wheel.  HPPCL has no advantage over PostScript, and in many ways
 	  there are fewer problems with PostScript.  Considering that
 	  PostScript can be added to a printer, either by hardware or use of
 	  <application>Ghostscript</application>, what is the point of
 	  exchanging an existing working solution for a slightly technically
 	  inferior one?  Over the life of the printer, taking into account the
 	  costs of toner, paper, and maintenance, the initial higher cost of
 	  PostScript support is infinitesimal.</para>
       </sect2>
     </sect1>
 
     <sect1 id="printserving-network">
       <title>Network Printing Basics</title>
 
       <para>The most common network printing implementation is a printserver
 	accepting print jobs from clients tied to the server via a network
 	cable.</para>
 
       <sect2>
 	<title>Printservers</title>
 
 	<para>The term "printserver" is one of those networking terms, like
 	  <emphasis>packet,</emphasis> that has been carelessly tossed around
 	  until its meaning has become somewhat confusing and blurred.  To be
 	  specific, a printserver is simply a program that arbitrates print
 	  data from multiple clients for a single printer.  Printservers can
 	  be implemented in one of the four methods described in the following
 	  sections.</para>
 
 	<sect3>
 	  <title>Printserver on the fileserver</title>
 
 	  <para>The printer can be physically cabled to the PC running the
 	    Network OS.  Print jobs are submitted by clients to the
 	    printserver software on the fileserver, which sends them down the
 	    parallel or serial cable to the printer.  The printer must be
 	    physically close to the fileserver.  This kind of printserving is
 	    popular in smaller workgroup networks, in smaller offices.</para>
 
 	  <figure>
 	    <title>Printserver on the fileserver</title>
 
 	    <mediaobject>
 	      <imageobject>
 		<imagedata fileref="08-01" format="EPS">
 	      </imageobject>
 
 	      <textobject>
 		<literallayout class="monospaced"> ,---------.
  | ======= |                        Server
  | ======= |               +---------------------+        ,-----.
 +-----------+              |  +---------------+  |        |     |
 |  Printer [ ]------------[ ] |  Printserver  |  |        |_____| 
 +-----------+	Parallel   |  |   Software    | [ ]------_________
 		 Cable     |  +---------------+  |      / ::::::: \
                            +---------------------+      `---------'
                                                          Network PC</literallayout>
 	      </textobject>
 
 	      <textobject>
 		<phrase>Printer, connected to a network server running
 		  printserver software, with one or more network PCs printing
 		  through it.</phrase>
 	      </textobject>
 	    </mediaobject>
 	  </figure>
 	</sect3>
 
 	<sect3>
 	  <title>Printserver on a separate PC</title>
 
 	  <para>It is possible to run a print server program on a cheap PC
 	    that is located next to the printer and plugged into it via
 	    parallel cable.  This program simply acts as a pass-through
 	    program, taking network packets from the network interface and
 	    passing them to the printer.  This kind of server doesn't allow
 	    any manipulation of print jobs, jobs usually come from a central
 	    fileserver, where jobs are controlled.</para>
 
 	  <figure>
 	    <title>Printserver on a separate PC</title>
 
 	    <mediaobject>
 	      <imageobject>
 		<imagedata fileref="08-02" format="EPS">
 	      </imageobject>
 	      
 	      <textobject>
 		<literallayout class="monospaced">                                                     Fileserver
                                                  ,----------------.
   ,---------.                                .---| |          === |
   | ======= |               ,-----.          |   `----------======'
   | ======= |               |     |          |
  +-----------+              |_____|          |
  |  Printer [ ]------------_________---------| Ethernet
  +-----------+   Parallel / ::::::: \        |
                   Cable   `---------'        |
 		          Printserver        |          ,-----.
                                              |          |     |
 					     |          |_____|
 					     `---------_________
 						      / ::::::: \
 						      `---------'
 						       Network PC</literallayout>
 	      </textobject>
 
 	      <textobject>
 		<phrase>Printer connected to a printserver (typically running
 		  FreeBSD), with network files hosted on a separate machine,
 		  and a network PC, able to access both resources.</phrase>
 	      </textobject>
 	    </mediaobject>
 	  </figure>
 	</sect3>
 
 	<sect3>
 	  <title>Printserver on a separate hardware box</title>
 
 	  <para>A printserver on a separate hardware box is exemplified by
 	    network devices such as the Intel Netport, the HP JetDirect Ex,
 	    the Osicom/DPI NETPrint, and the Lexmark MarkNet. Basically, these
 	    are plastic boxes with an Ethernet connection on one side and a
 	    parallel port on the other.  Like a printserver on a PC, these
 	    devices don't allow remote job manipulation, and merely pass
 	    packets from the network down the parallel port to the
 	    printer.</para>
 
 	  <figure>
 	    <title>Printserver on a separate hardware box</title>
 
 	    <mediaobject>
 	      <imageobject>
 		<imagedata fileref="08-03" format="EPS">
 	      </imageobject>
 
 	      <textobject>
 		<literallayout class="monospaced">                                                     Fileserver
                                                  ,----------------.
   ,---------.                                .---| |          === |
   | ======= |                                |   `----------======'
   | ======= |              Printserver       |
  +-----------+             ,--------.        |
  |  Printer [ ]-----------[ ]  ooo [ ]-------| Ethernet
  +-----------+   Parallel  `--------'        |
                   Cable                      |
 		                             |          ,-----.
                                              |          |     |
 					     |          |_____|
 					     `---------_________
 						      / ::::::: \
 						      `---------'
 						       Network PC</literallayout>
 	      </textobject>
 
 	      <textobject>
 		<phrase>Printer connected to a dedicated print server
 		  <quote>appliance</quote>.</phrase>
 	      </textobject>
 	    </mediaobject>
 	  </figure>
 	</sect3>
 
 	<sect3>
 	  <title>Printserver in the Printer</title>
 
 	  <para>The HP JetDirect Internal is the best known printserver of
 	    this type.  It is inserted into a slot in the printer case, and it
 	    works identically to the external JetDirect units.</para>
 
 	  <figure>
 	    <title>Printserver in the printer</title>
 
 	    <mediaobject>
 	      <imageobject>
 		<imagedata fileref="08-04" format="EPS">
 	      </imageobject>
 
 	      <textobject>
 		<literallayout class="monospaced">                                                     Fileserver
                                                  ,----------------.
   ,---------.                                .---| |          === |
   | ======= |                                |   `----------======'
   | ======= |                                |
  +-----------+                               |
  |  Printer [ ]------------------------------| Ethernet
  +-----------+                               |
                                              |
 		                             |          ,-----.
                                              |          |     |
 					     |          |_____|
 					     `---------_________
 						      / ::::::: \
 						      `---------'
 						       Network PC</literallayout>
 	      </textobject>
 
 	      <textobject>
 		<phrase>Printer with an embedded print server, connecting
 		  directly to the local network.</phrase>
 	      </textobject>
 	    </mediaobject>
 	  </figure>
 	</sect3>
       </sect2>
 
       <sect2>
 	<title>Printspools</title>
 
 	<para>Printspooling is an integral part of network printing.  Since
 	  the PC can spit out data much faster than the printer can accept it,
 	  the data must be buffered in a spool at some location.  In addition,
 	  because many clients share printers, when clients send print jobs at
 	  the same time, jobs must be placed on a queue so that one can be
 	  printed after the other.</para>
 
 	<sect3>
 	  <title>Logical location of the print spool</title>
 
 	  <para>Printspooling can be implemented at one of three
 	    locations</para>
 
 	  <orderedlist>
 	    <listitem>
 	      <para>The client.  Clients can be required to spool their own
 		print jobs on their own disks.  For example, when a Windows
 		client application generates a print job the job must be
 		placed on the local client's hard drive.  Once the remote
 		print server is free to accept the job it signals the client
 		to start sending the job a bit at a time.  Client spooling is
 		popular in peer-to-peer networks with no defined central
 		fileserver.  However, it is impossible for a central
 		administrator to perform advanced print job management tasks
 		such as moving a particular print job ahead of another, or
 		deleting jobs.</para>
 	    </listitem>
 
 	    <listitem>
 	      <para>The printserver.  If each printer on the network is
 		allocated their own combination print spooler-printserver,
 		jobs can stack at the printer.  Many of the larger printers
 		with internal printservers have internal hard disks for this
 		purpose.  Although this enables basic job management, it still
 		restricts the ability to move jobs from one printer to
 		another.</para>
 	    </listitem>
 
 	    <listitem>
 	      <para><emphasis>A central print spooler on a
 		  fileserver</emphasis>.  Print jobs are received from all
 		clients on the network in the spool and then dispatched to the
 		appropriate printer.  This scheme is the best for locations
 		with several busy printers and many clients.  Administration
 		is extremely simple because all print jobs are spooled on a
 		central server, which is particularly important in bigger
 		organizations.  Many large organizations have standardized on
 		PostScript printing for all printing; in the event that a
 		particular printer fails and is offline, incoming PostScript
 		print jobs can be rerouted automatically to another printer.
 		Since all printers and clients are using PostScript, clients
 		don't need to be reconfigured when this happens.  Print jobs
 		appear the same whether printed on a 4 page-per-minute NEC
 		Silentwriter 95, or a 24 page-per-minute HP LaserJet 5SiMX if
 		both printers are defined in the client as PostScript
 		printers.</para>
 	    </listitem>
 	  </orderedlist>
 
 	  <figure>
 	    <title>Print spool locations</title>
 
 	    <mediaobject>
 	      <imageobject>
 		<imagedata fileref="08-05" format="EPS">
 	      </imageobject>
 
 	      <textobject>
 		<literallayout class="monospaced">                               Client
   ,---------.                                                        PC
   | ======= |                                                      ,-----.
   | ======= |                                                      |     |
  +-----------+                                                     |_____|
  |  Printer [ ]---------------------------------------------------_________
  +-----------+                                                   / ::::::: \
 		                                                 `---------'
 		                                                    Spool
 
                                Printserver                          
   ,---------.                                                        PC
   | ======= |                                                      ,-----.
   | ======= |                                                      |     |
  +-----------+               ,----------------.                    |_____|
  |  Printer [ ]--------------| |          === |-------------------_________
  +-----------+               `----------======'                  / ::::::: \
                                    Spool                         `---------'
 
 
                                Fileserver
   ,---------.                                                        PC
   | ======= |                                                      ,-----.
   | ======= |         Printserver            Fileserver            |     |
  +-----------+     ,----------------.     ,----------------.       |_____|
  |  Printer [ ]----| |          === |-----| |          === |------_________
  +-----------+     `----------======'     `----------======'     / ::::::: \
                                                 Spool            `---------'</literallayout>
 	      </textobject>
 
 	      <textobject>
 		<phrase>Possible locations for the print spool</phrase>
 	      </textobject>
 	    </mediaobject>
 	  </figure>
 	  
 	  <para>FreeBSD is an excellent platform to implement centralized
 	    printserving and print spooling.  The rest of this chapter
 	    concentrates on the centralized print spooler model.  Note that
 	    PostScript printing is not a requirement for this model--the HPPCL
 	    protocol can be the standard print protocol as well.  For
 	    transparent printing between printers with HPPCL, however, the
 	    printer models must be similar.</para>
 	</sect3>
 
 	<sect3>
 	  <title>Physical location of the print spool</title>
 
 	  <para>In some companies, the central fileserver is often placed in a
 	    closet, locked away.  Printers, on the other hand, are best
 	    located in high traffic areas for ease of use.  Network printing
 	    works best when the printers are evenly distributed throughout the
 	    organization.  Attempting to place all the major printers in one
 	    location, as technically advantageous as it may seem, merely
 	    provokes users to requisition smaller printers that are more
 	    convenient for that quick print job.  The administrator may end up
 	    with a datacenter full of nice, expensive printers that are never
 	    used, while the smaller personal laser printers scattered
 	    throughout the plant bear most of the printing load.</para>
 
 	  <para>The big problem with this is that scattering printers through
 	    the organization makes it difficult to utilize the 3 possible
 	    parallel ports on the fileserver due to parallel port distance
 	    limitations.  Although high-speed serial ports may extend the
 	    distance, not many printers have good serial ports on them. This
 	    is where the hardware network print server devices can come into
 	    play.  I prefer using these devices because they are much cheaper
 	    and more reliable than a standalone PC running printserver
 	    software.  For example, Castelle
 	    <ulink url="http://www.castelle.com/"></ulink>
 	    sells the LANpress 1P/10BT printserver for about $170.00.  Using
 	    these devices a FreeBSD UNIX server can have dozens of print spools
 	    accepting print jobs and then route them back out over the network
 	    to these remote printserver boxes.  If these hardware servers are
 	    used, they must support the Line Printer Daemon (LPD) print
 	    protocol.</para>
 
 	  <para>With a scheme like this it is important to have enough disk
 	    space on the spool to handle the print jobs.  A single large
 	    PowerPoint presentation PostScript print job containing many
 	    graphics may be over 100MB.  When many such jobs stack up in the
 	    print spool waiting to print, the print spooler should have
 	    several gigabytes of free disk space available.</para>
 	</sect3>
 
 	<sect3>
 	  <title>Network Printing to Remote Spools</title>
 
 	  <para>Although several proprietary network printing protocols such
 	    as Banyan Vines and NetWare, are tied to proprietary network protocols,
 	    FreeBSD UNIX can use two TCP/IP network printing protocols to
 	    print to remote print spools.  The two print protocols available
 	    on TCP/IP with FreeBSD are the open LPD protocol and the
 	    NetBIOS-over-TCP/IP Server Messaging Block (SMB) print protocol
 	    first defined by Intel and Microsoft and later used by IBM and
 	    Microsoft.</para>
 
 	  <para>The LPD protocol is defined in RFC1179.  This network protocol
 	    is the standard print protocol used on all UNIX systems.  LPD
 	    client implementations exist for all Windows operating systems and
 	    DOS.  Microsoft has written LPD for the Windows NT versions, the
 	    other Windows operating system implementations are provided by
 	    third parties.</para>
 
 	  <para>The Microsoft Networking network protocol that runs on top of
 	    SMB can use NetBIOS over TCP/IP as defined in RFC1001 and RFC1002.
 	    This protocol has a specification for printing that is the same
 	    print protocol used to send print jobs to NT Server by Microsoft
 	    clients.  To implement this protocol on FreeBSD requires the
 	    installation of the Samba client suite of programs discussed in
 	    Chapter 7.</para>
 	</sect3>
       </sect2>
     </sect1>
 
     <sect1 id="printserving-lpr-windows">
       <title>Setting up LPR on Windows clients</title>
 
       <para>The program clients use to print via LPD is the Line Printer
 	Remote, or LPR program.  The following instructions cover enabling
 	this program on Windows clients.</para>
 
       <sect2>
 	<title>Windows 3.1/Windows for Workgroups 3.11</title>
 
 	<para>Several commercial TCP/IP stacks are available for Win31, that
 	  provide LPR client programs, in addition to the basic TCP/IP
 	  protocol to Win31.  WfW has TCP/IP networking available for free
 	  from Microsoft, but it doesn't include an LPR client. Unfortunately,
 	  I have not come across a freeware implementation of a 16-bit Windows
 	  LPR client, so with the following instructions I use the Shareware
 	  program WLPRSPL available from
 	  <ulink url="http://www.winsite.com/info/pc/win3/winsock/wlprs41.zip"></ulink>.
 	  This program must be active during client printing, and is usually
 	  placed in the Startup group.</para>
 	
 	<para>Organizations that want to use UNIX as a printserver to a group
 	  of Win31 clients without using a commercial or shareware LPR program
 	  have another option.  The Microsoft Networking client for DOS used
 	  underneath Win31 contains SMB-based printing which is covered later
 	  in the chapter.  DOS networking client setup and use are covered in
 	  Chapter 2 and Chapter 7.</para>
 
 	<para>If LPR-based client printing is desired and the organization
 	  doesn't want to upgrade to Win95, (which has several LPR clients
 	  available) the following instructions can be used. WLPRSPL needs a
 	  Winsock under Windows 3.1, so for the example I explain the setup of
 	  the Novell 16-bit TCP/IP client.  The stack can be FTPed from
 	  Novell, and is easy to integrate into sites that already use the
 	  16-bit NetWare networking client, usually NW 3.11 and 3.12.  In most
 	  cases, however, sites that use NetWare + Win31 are probably best off
 	  printing through the NetWare server, then loading an LPR spooler as
 	  an Netware Loadable Module (NLM) to send the job over to
 	  FreeBSD.</para>
 
 	<para>As an alternate, the Microsoft Networking DOS 16-bit TCP/IP
 	  client under Win31 contains a Winsock, as does Microsoft TCP/IP for
 	  WfW.  The target machine used here is a Compaq Deskpro 386/33 with
 	  12MB of ram with an operating version of Windows 3.1, and a 3com
 	  3C579 EISA network card.  The instructions assume an LPR printserver
 	  on the network, named <hostid>mainprinter.my.domain.com</hostid>
 	  with a print queue named RAW.</para>
 
 	<para>Use the installation instructions in Exhibit 8.1 for a quick and
 	  dirty TCP/IP Winsock for Win31 systems. Administrators who already
 	  have the Novell IPX client installed should skip those steps.</para>
       </sect2>
 
       <sect2>
 	<title>Installation of the Novell TCP/IP Winsock client</title>
 
 	<procedure>
 	  <step>
 	    <para>Make sure that the machine has enough environment space
 	      (2048 bytes or more) by adding the following line to the
 	      <filename>config.sys</filename> file and rebooting:</para>
 
 	    <programlisting>SHELL=C:\COMMAND.COM /E:2048 /P</programlisting>
 	  </step>
 
 	  <step>
 	    <para>Obtain the <filename>TCP16.EXE</filename> file from
 	      <ulink url="ftp://ftp3.novell.com/pub/updates/eol/nweol/tcp16.exe"></ulink>.</para>
 	  </step>
 
 	  <step>
 	    <para>Obtain the Network Adapter support diskette for the network
 	      card in your machine.  This should be supplied with the card, or
 	      available via FTP from the network adapter manufacturer's FTP
 	      site.</para>
 	  </step>
 
 	  <step>
 	    <para>Now you need the file <filename>LSL.COM</filename>.  This is
 	      available on some Network Adapter Driver diskettes, it used to
 	      be available from the <filename>VLM121_2.EXE</filename> file
 	      from Novell but unfortunately this file is no longer publicly
 	      accessible from Novell.</para>
 	  </step>
 
 	  <step>
 	    <para>If you have <filename>vlm121_2.exe</filename> in a temporary
 	      directory, run it.  This will extract a number of files.</para>
 	  </step>
 	  
 	  <step>
 	    <para>One of the files extracted is <filename>LSL.CO_</filename>
 	      extract this file with the command <command>nwunpack
 		lsl.co_</command>.</para>
 	  </step>
 
 	  <step>
 	    <para>Create the directory <filename>c:\nwclient</filename>. Then,
 	      copy <filename>lsl.com</filename> from the temporary directory
 	      into the directory.</para>
 	  </step>
 
 	  <step>
 	    <para>Obtain and install the printer driver for the model of
 	      printer that you will be spooling to and point it to
 	      <devicename>LPT1:</devicename>.  Win31 and WfW 3.11 have an
 	      incomplete printer driver list, so if you need a driver
 	      Microsoft has many Win16 printer drivers on their FTP site.  A
 	      list is available at
 	      <ulink url="ftp://ftp.microsoft.com/Softlib/index.txt"></ulink>.
 	      In addition, if you are installing a PostScript printer driver
 	      for a printer supplied in Win31, it may be necessary to patch
 	      the driver.  The Microsoft PostScript driver supplied in Win31
 	      is version 3.5.  (The patch named
 	      <filename>PSCRIP.EXE</filename> which brought the PostScript
 	      driver to version 3.58 is no longer publicly available.) WfW
 	      already uses the more recent PostScript driver, as does Win31
 	      version A.  Installing the Adobe PostScript driver for Win31 is
 	      also an option.  (see
 	      <ulink url="http://www.adobe.com/support/downloads/pdrvwin.htm"></ulink>
 	      for the version 3.1.2 Win31 PostScript driver).</para>
 	  </step>
 
 	  <step>
 	    <para>Look on the network adapter driver disk for the subdirectory
 	      <filename>nwclient/</filename> and then look for the ODI driver
 	      for the adapter card.  For example, on the 3com 3C509/3C579
 	      adapter driver disk, the driver and location are
 	      <filename>\NWCLIENT\3C5X9.COM</filename>.  Copy this driver to
 	      the <filename>c:\nwclient</filename> directory.</para>
 	  </step>
 
 	  <step>
 	    <para>Create a file called <filename>NET.CFG</filename> in the
 	      <filename>c:\nwclient</filename> directory.  Often, the network
 	      card adapter driver diskette has a template for this file in the
 	      same location as the ODI driver.  This can be modified, as can
 	      the following example:</para>
 
 	    <programlisting>LINK SUPPORT
 
 BUFFERS 4 1600
 
 MEMPOOL 8192
 
 LINK DRIVER
 3C5X9
 
 ; PORT 300 (these are optional, if needed by card uncomment)
 
 ; INT 10 (optional, uncomment and modify if needed)</programlisting>
 	  </step>
 
 	  <step>
 	    <para>Attempt to load the network card driver. First load
 	      <filename>lsl</filename>, then the ODI driver.  With the 3com
 	      card the commands are:</para>
 
 	    <screen><userinput>lsl</userinput>
 <userinput>3c5x9</userinput></screen>
 
 	    <para>If the driver properly loads it will list the hardware port
 	      and interrupt settings for the network adapter.  If it has
 	      loaded properly, unload the drivers in reverse order with the
 	      <option>/u</option> command:</para>
 
 	    <screen><userinput>3c5x9 /u</userinput>
 <userinput>lsl /u</userinput></screen>
 	  </step>
 
 	  <step>
 	    <para>Go to the temporary directory that contains the
 	      <filename>tcp16.exe</filename> file and extract it by running
 	      the program.</para>
 	  </step>
 
 	  <step>
 	    <para>Run the install batch file by typing
 	      <command>installr</command>.  It should list <literal>New
 		Installation detected</literal>.  It will then copy a number
 	      of files into <filename>nwclient</filename>, add some
 	      commented-out sections to <filename>net.cfg</filename>, and call
 	      <command>edit</command> on <filename>net.cfg</filename>.</para>
 	  </step>
 
 	  <step>
 	    <para>Read the editing instructions and make the appropriate
 	      entries.  The sample <filename>net.cfg</filename> file from
 	      above would look like this.</para>
 
 	    <programlisting>LINK SUPPORT
 
 BUFFERS 4 1600
 
 MEMPOOL 8192
 
 LINK DRIVER 3C5X9
 
 FRAME ETHERNET_II
 
 Protocol TCPIP
 
 PATH TCP_CFG c:\nwclient
 
 ip_address 192.168.1.54 LAN_NET
 
 ip_netmask 255.255.255.0 LAN_NET
 
 ip_router 192.168.1.1 LAN_NET
 
 Bind 3C5X9 #1 Ethernet_II LAN_NET</programlisting>
 
 	    <para>Save and exit, the Installer should list <literal>TCP16
 		installation completed</literal>.</para>
 	  </step>
 
 	  <step>
 	    <para>Reload the client with the commands:</para>
 
 	    <screen><userinput>lsl</userinput>
 <userinput>3c5x9</userinput>
 <userinput>tcpip</userinput></screen>
 
 	    <para>The TCP/IP driver should list the IP numbers and other
 	      information.</para>
 	  </step>
 
 	  <step>
 	    <para>Optionally, create either a <filename>HOSTS</filename> file,
 	      or a <filename>RESOLV.CFG</filename> file (pointing to a
 	      nameserver) in <filename>c:\nwclient</filename>.  Check to see
 	      this is operating properly by pinging a hostname.</para>
 
 	    <para>Add the <filename>c:\nwclient</filename> directory to the
 	      <envar>PATH</envar>, as well as the 3 startup commands in step
 	      15 in <filename>autoexec.bat</filename></para>
 	  </step>
 	</procedure>
       </sect2>
 
       <sect2>
 	<title>Installation of the LPR client on 16-bit Windows with a Winsock
 	  installed</title>
 
 	<para>The following assumes a running Win31 installation with a
 	  Winsock or a running WfW installation with the 32-bit Microsoft
 	  TCP/IP protocol installed.</para>
 
 	<procedure>
 	  <step>
 	    <para>Install the printer driver desired.  See step 8 of the
 	      previous set of instructions.</para>
 	  </step>
 
 	  <step>
 	    <para>Obtain and extract into a temporary directory the
 	      <filename>wlprs41.zip</filename> file from the location
 	      mentioned above.</para>
 	  </step>
 
 	  <step>
 	    <para>Run <command>setup.exe</command> from the temporary
 	      directory containing the <filename>wlprs</filename> files.
 	      </para>
 	  </step>
 
 	  <step>
 	    <para>In setup, accept default directory, and check Yes to add to
 	      its own group.  Click <guibutton>Continue</guibutton> when asked
 	      for group name, and check whatever choice you want when asked to
 	      copy the <filename>doc</filename> files.</para>
 	  </step>
 
 	  <step>
 	    <para>Click <guibutton>No</guibutton> when asked to add the
 	      program to <literal>Startup</literal>.</para>
 	  </step>
 
 	  <step>
 	    <para>On the UNIX FreeBSD print spooler, make sure that there is
 	      an entry in <filename>/etc/hosts.lpd</filename> or
 	      <filename>/etc/hosts.equiv</filename> for the client
 	      workstation, thereby allowing it to submit jobs.</para>
 	  </step>
 
 	  <step>
 	    <para>Double-click the Windows LPR Spooler icon in the Windows LPR
 	      Spooler group that is opened.  When it asks for a valid spool
 	      directory, just select the <filename>c:\wlprspl</filename>
 	      directory that the program installed its files into.</para>
 	  </step>
 
 	  <step>
 	    <para>When asked for a valid Queue Definition File, just click
 	      <guibutton>OK</guibutton> to use the default filename.  The
 	      program automatically creates a queue definition file.</para>
 	  </step>
 
 	  <step>
 	    <para>The program opens up with its menu.  Click
 	      <guibutton>Setup</guibutton> in the top menu, then select
 	      <guimenuitem>Define New Queue</guimenuitem>.</para>
 	  </step>
 
 	  <step>
 	    <para>For a local spool filename, just use the name of the remote
 	      queue (RAW) to which the client prints.</para>
 	  </step>
 
 	  <step>
 	    <para>For the remote printer name, use the same name as the remote
 	      queue (RAW) to which the client prints.</para>
 	  </step>
 
 	  <step>
 	    <para>For the remote hostname, use the machine name
 	      of the FreeBSD print spooler.
 	      <hostid role="fqdn"><replaceable>mainprinter.ayedomain.com</replaceable></hostid>.</para>
 	  </step>
 
 	  <step>
 	    <para>For the Description, enter a description such as
 	      <literal>3rd floor Marketing printer</literal>.</para>
 	  </step>
 
 	  <step>
 	    <para>For the protocol, leave the default of BSD LPR/LPD
 	      selected.</para>
 	  </step>
 	  
 	  <step>
 	    <para>Click on the <guimenuitem>Queue Properties</guimenuitem>,
 	      and make sure that the <guilabel>Print unfiltered</guilabel> is
 	      selected.  If you're printing PostScript, then also click the
 	      <guibutton>Advanced options</guibutton> button.  Make sure that
 	      <guilabel>Remove trailing Ctrl-D</guilabel> is
 	      <emphasis>unchecked</emphasis>, and that <guilabel>Remove
 		Leading Ctrl-D</guilabel> is <emphasis>checked</emphasis>.
 	      Also with PostScript, if the printer cannot print ASCII, uncheck
 	      the <guilabel>Send header page</guilabel> box. (PostScript
 	      header/banner pages are discussed later in this chapter)</para>
 	  </step>
 
 	  <step>
 	    <para>Click <guibutton>OK</guibutton>.  At the main menu of the
 	      program, click <guimenu>File</guimenu>, then <guimenu>Control
 		Panel/Printers</guimenu> to bring up the Printers control
 	      panel of Windows.</para>
 	  </step>
 	    
 	  <step>
 	    <para>Make sure that the <guilabel>Use Print Manager</guilabel>
 	      button is checked, then highlight the printer driver and click
 	      the <guibutton>Connect</guibutton> button.</para>
 	  </step>
 
 	  <step>
 	    <para>Scroll down to the <guilabel>C:\WLPRSPL\RAW</guilabel> entry
 	      for the spool that was built and highlight this.  Click
 	      <guibutton>OK</guibutton>.</para>
 	  </step>
 	  
 	  <step>
 	    <para>Minimize the Windows LPR Spooler.  Copy the Windows LPR
 	      Spooler icon to the Startup group.  Click
 	      <guimenu>File/Properties</guimenu> with the Windows LPR Spooler
 	      icon highlighted in the Startup group. Check the <guilabel>Run
 		Minimized</guilabel> button.</para>
 	  </step>
 
 	  <step>
 	    <para>Exit Windows, and when the <guibutton>Save queue
 		changes?</guibutton> button comes up, click
 	      <guibutton>Yes</guibutton>.</para>
 	  </step>
 
 	  <step>
 	    <para>Restart windows and make sure that the spooler starts
 	      up.</para>
 	  </step>
 
 	  <step>
 	    <para>Open the Control Panel and look for a new yellow icon named
 	      <guiicon>Set Username</guiicon> If you are running the Novell or
 	      other Winsock under Win31, click on this icon and put the
 	      username of the person using this computer into the space
 	      provided.  If you are running WfW, this isn't necessary because
 	      Windows will supply the username.</para>
 	  </step>
 
 	  <step>
 	    <para>If the spooler is not started properly in some
 	      installations, there may be a bug.  If placing the icon in the
 	      Startup group doesn't actually start the spooler, the program
 	      name can be placed in the <literal>run=</literal> line of
 	      <filename>win.ini</filename>.</para>
 	  </step>
 
 	  <step>
 	    <para>Try printing a print job from an application such as
 	      Notepad.  If everything goes properly, clicking on the
 	      <guimenuitem>Queues/Show remote printer status</guimenuitem>" in
 	      the Windows LPR menu should show the print job spooled and
 	      printing on the remote printserver.</para>
 	  </step>
 	</procedure>
       </sect2>
 
       <sect2>
 	<title>Installation of LPR client on Windows 95/98</title>
 
 	<para>The <command>wlprspl</command> program also can be used under
 	  Windows 95, but as a 16-bit program, it is far from an optimal
 	  implementation on a 32-bit operating system.  In addition, Win95 and
 	  its derivatives fundamentally changed from Windows 3.1 in the
 	  printing subsystem.  For these reasons I use a different LPR client
 	  program for Win95/98 LPR printing instructions.  It is a full 32-bit
 	  print program, and it installs as a <emphasis>Windows 32-bit
 	    printer</emphasis> <emphasis>port monitor</emphasis>.  The program
 	  is called ACITS LPR Remote Printing for Windows 95 and it is located
 	  at <ulink url="http://shadowland.cc.utexas.edu/acitslpr.htm"></ulink>.</para>
 	
 	<para>ACITS stands for Academic Computing and Instructional
 	  Technologies Services.  The ACITS LPR client includes software
 	  developed by the University of Texas at Austin and its contributors,
 	  it was written by Glenn K.  Smith, a systems analyst with the
 	  Networking Services group at the university.  The filename of the
 	  archive in the original program was ACITSLPR95.EXE and as of version
 	  1.4 it was free for individuals or organizations to use for their
 	  internal printing needs.  Since that time, it has gotten so popular
 	  that the university has taken over the program, incremented the
 	  version number (to get out from under the free license) and is now
 	  charging a $35 per copy fee for commercial use for the newer
 	  versions.  The older free version can still be found on overseas FTP
 	  servers, such as
 	  <ulink url="http://www.go.dlr.de/fresh/pc/src/winsock/acitslpr95.exe"></ulink>.</para>
 
 	<para>It is likely that the cost of a shareware/commercial LPR program
 	  for Win95 plus the cost of Win95 itself will meet or exceed that of
 	  Win2K.  As such, users wishing to print via LPR to FreeBSD UNIX
 	  systems will probably find it cheaper to simply upgrade to Windows
 	  NT Workstation or Win2K.</para>
 
 	<para>ACITS LPR and Win95 have a few printing idosyncracies.  Most
 	  Win95 programs, such as Microsoft Word, expect print output to be
 	  spooled on the local hard drive and then metered out to a printer
 	  that is plugged into the parallel port.  Network printing, on the
 	  other hand, assumes that print output will go directly from the
 	  application to the remote print server.  Under Win95, local ports
 	  have a setting under Properties, Details, Spool Settings labeled
 	  "Print directly to the printer".  If this is checked, the
 	  application running on the desktop (such as Microsoft Word) will not
 	  create a little Printer icon with pages coming out of it or use
 	  other means of showing the progress of the job as it is built.  This
 	  can be very disconcerting to the user of a network printer, so this
 	  option should be checked only with printers plugged directly into
 	  the parallel port.  Worse, if this is checked with ACITS, it can
 	  cause the job to abort if the remote print spooler momentarily goes
 	  offline.</para>
 
 	<para>Another local setting also should be changed. Generally, with
 	  local ports, Win95 builds the first page in the spooler and then
 	  starts printing it while the rest of the pages spool.  If ACITS
 	  starts printing the first page while the rest of the pages are
 	  building, timeouts at the network layer can sometimes cause very
 	  large jobs to abort.  The entire job should be set to completely
 	  spool before the LPR client passes it to the UNIX spooler.  The
 	  problem is partly the result of program design: because ACITS is
 	  implemented as a local printer port instead of being embedded into
 	  Win95 networking (and available in Network Neighborhood) the program
 	  acts like a local printer port in some ways.</para>
 
 	<para>The LPR program can be set to deselect banner/burst page
 	  printing if a PostScript printer that cannot support ASCII is used.
 	  The burst pages referred to here are NOT generated by the Windows
 	  machine.  Use the instructions in Exhibit 8.3 to install ACITS.</para>
 
 	<procedure>
 	  <title>LPR client on Win95/98 installation instructions</title>
 
 	  <step>
 	    <para>Obtain the <filename>ACITSLPR95.EXE</filename> file and
 	      place it in a temporary directory such as
 	      <filename>c:\temp1</filename>.</para>
 	  </step>
 
 	  <step>
 	    <para>Close all running programs on the desktop.  The computer
 	      <emphasis>must</emphasis> be rebooted at completion of
 	      installation or the program will not work.</para>
 	  </step>
 
 	  <step>
 	    <para>Click <guibutton>Start</guibutton>,
 	      <guimenuitem>Run</guimenuitem> and type in
 	      <userinput>c:\temp1\acitslpr95</userinput> then click
 	      <guibutton>Yes</guibutton> at the InstallShield prompt.</para>
 	  </step>
 
 	  <step>
 	    <para>Click <guibutton>Next</guibutton>, then
 	      <guibutton>Yes</guibutton>.  The program will run through some
 	      installation and then presents a Help screen that explains how
 	      to configure an LPR port.</para>
 	  </step>
 	  
 	  <step>
 	    <para>After the help screen closes, the program asks to reboot the
 	      system.  Ensure that <guilabel>Yes</guilabel> is checked and
 	      click <guibutton>Finish</guibutton> to reboot.</para>
 	  </step>
 
 	  <step>
 	    <para>After the machine comes back up, install a Printer icon in
 	      the <guibutton>Start</guibutton>, <guimenu>Settings</guimenu>,
 	      <guimenuitem>Printers</guimenuitem> folder if one hasn't been
 	      created for the correct model of destination printer.</para>
 	  </step>
 
 	  <step>
 	    <para>With the Printers folder open, right-click over the printer
 	      icon that needs to use the LPR program and click on the
 	      <guilabel>Properties</guilabel> tab.</para>
 	  </step>
 
 	  <step>
 	    <para>Under the <guilabel>Details</guilabel> tab, click the
 	      <guilabel>Add Port</guilabel> tab, then click
 	      <guibutton>Other</guibutton>.</para>
 	  </step>
 
 	  <step>
 	    <para>Highlight the <guilabel>ACITS LPR Remote Printing</guilabel>
 	      line and click <guibutton>OK</guibutton>.</para>
 	  </step>
 
 	  <step>
 	    <para>The Add ACITS LPR screen opens.  Type in the hostname of the
 	      UNIX system that the client spools through&mdash;
 	      <hostid role="fqdn"><replaceable>mainprinter.ayedomain.com</replaceable></hostid>.</para>
 	  </step>
 	  
 	  <step>
 	    <para>Type in the Printer/Queue name and click
 	      <guibutton>OK</guibutton>. (Some versions have a "Verify Printer
 	      Information" button.) The LPR program then contacts the UNIX
 	      host and makes sure that the selected printer is
 	      available.</para>
 
 	    <note>
 	      <para>If this fails the client machine name is probably not in
 		the <filename>/etc/hosts.equiv</filename> or
 		<filename>etc/hosts.lpd</filename> on the FreeBSD printserver.
 		Most sites may simply decide to put a wildcard in
 		<filename>hosts.equiv</filename> to allow printing, especially
 		if DHCP is used, but many security-conscious sites may stick
 		with individual entries in
 		<filename>hosts.lpd</filename>.</para>
 	    </note>
 	  </step>
 	  
 	  <step>
 	    <para>If the printer is PostScript and cannot print ASCII, make
 	      sure that the "No banner page control flag" is checked to turn
 	      off banner pages.  Accessible under Port settings, this flag is
 	      overridden if the <filename>/etc/printcap</filename> file
 	      specifies no banner pages.</para>
 	  </step>
 
 	  <step>
 	    <para>Review how the "send plain text control flag" is set.  With
 	      this flag unchecked, the LPR code sent is L, (i.e., print
 	      unfiltered) meaning that the <literal>if</literal> filter gets
 	      called with the <option>-c</option> option.  This is equivalent
 	      to the local invocation of <filename>/usr/bin/lpr -l</filename>.
 	      With the flag checked, the code is F, (formatted) meaning that
 	      the <literal>if</literal> filter gets called without the
 	      <option>-c</option> option.  This is equivalent to the default
 	      invocation <filename>/usr/bin/lpr</filename>.  (This is also an
 	      issue under Windows NT, which retypes the print job to text if
 	      this flag is checked.  Some filters understand the
 	      <option>-c</option> flag, which is used to preserve control
 	      characters, so it should generally remain unchecked.</para>
 	  </step>
 
 	  <step>
 	    <para>Leave the "Send data file before control file" box
 	      unchecked.  This option is used only in rare mainframe spooling
 	      circumstances.</para>
 	  </step>
 	  
 	  <step>
 	    <para>Click <guibutton>OK</guibutton>, then click the
 	      <guibutton>Spool Settings</guibutton> button at the properties
 	      page.</para>
 	  </step>
 
 	  <step>
 	    <para>Make sure that the "Spool print jobs so program finishes
 	      printing faster" box is checked.</para>
 	  </step>
 
 	  <step>
 	    <para>Make sure that "Start printing after last page is spooled"
 	      box is checked.</para>
 	  </step>
 
 	  <step>
 	    <para>Make sure that "Disable bi-directional support for this
 	      printer" is checked, or greyed out.</para>
 	  </step>
 
 	  <step>
 	    <para>Make sure that the "Spool data format" is set to RAW.  Some
 	      printer drivers present a choice of EMF or RAW, such as the
 	      Generic Text driver, in this case select RAW.</para>
 	  </step>
 
 	  <step>
 	    <para>Click <guibutton>OK</guibutton>, then
 	      <guibutton>OK</guibutton> again to close the Printer Properties.
 	      The printer icon now spools through FreeBSD.</para>
 	  </step>
 	</procedure>
       </sect2>
 
       <sect2>
 	<title>Installation of LPR client on Windows NT</title>
 
 	<para>Unlike WfW and Win95 TCP/IP, Windows NT&mdash;both server and
 	  workstation&mdash;includes an LPR client as well as an LPD program
 	  that allows incoming print jobs to be printed from LPR clients, such
 	  as UNIX systems.</para>
 
 	<para>To install the LPR client and daemon program under Windows NT
 	  3.51, use the following instructions.  The TCP/IP protocol should be
 	  installed beforehand and you must be logged in to the NT system as
 	  Administrator.  This can be done at any time after the NT system is
 	  installed, or during OS installation:</para>
 
 	<procedure>
 	  <step>
 	    <para>Double-click on Main, Control Panel, then
 	      Network Settings.</para>
 	  </step>
 
 	  <step>
 	    <para>In the Installed Network Software window, "Microsoft TCP/IP
 	      Printing" should be listed as well as "TCP/IP Protocol". If it
 	      is, stop here; otherwise continue.</para>
 	  </step>
 	  
 	  <step>
 	    <para>Click the <guibutton>Add Software</guibutton> button to get
 	      the Add Network Software dialog box</para>
 	  </step>
 
 	  <step>
 	    <para>Click the down arrow and select TCP/IP Protocol and related
 	      components.  Click <guibutton>Continue</guibutton>.</para>
 	  </step>
 	  
 	  <step>
 	    <para>Check the "TCP/IP Network Printing Support" box and click
 	      <guibutton>Continue</guibutton>.  LPR printing is now installed.
 	      Follow the instructions to reboot to save changes.</para>
 	  </step>
 	</procedure>
 	
 	<para>To install the LPR client and daemon program under Windows NT 4,
 	  use the following instructions.  The TCP/IP protocol should be
 	  installed beforehand and you must be logged in to the NT system as
 	  Administrator.  This can be done at any time after the NT system is
 	  installed, or during OS installation:</para>
 
 	<procedure>
 	  <step>
 	    <para>Click on <guibutton>Start</guibutton>,
 	      <guimenuitem>Settings</guimenuitem>, <guimenuitem>Control
 		Panel</guimenuitem>, and double-click on
 	      <guiicon>Network</guiicon> to open it up.</para>
 	  </step>
 	  
 	  <step>
 	    <para>Click on the <guilabel>Services</guilabel> tab.
 	      <literal>Microsoft TCP/IP Printing</literal> should be listed.
 	      If not, continue steps 3 - 4.</para>
 	  </step>
 
 	  <step>
 	    <para>Click <guibutton>Add</guibutton>, then select
 	      <guilabel>Microsoft TCP/IP Printing</guilabel> and click
 	      <guibutton>OK</guibutton>.</para>
 	  </step>
 
 	  <step>
 	    <para>Click <guibutton>Close</guibutton>.  Follow instructions to
 	      reboot to save changes.</para>
 
 	    <note>
 	      <para>Any NT Service Packs that were previously installed must
 		be reapplied after these operations.</para>
 	    </note>
 	  </step>
 	</procedure>
 	
 	<para>Once LPR printing has been installed, the Printer icon or icons
 	  must be created on the NT system so that applications can print.
 	  Since this printer driver does all job formatting before passing the
 	  printing to the FreeBSD printserver, the print queues specified
 	  should be raw queues on the FreeBSD system, which don't do any job
 	  formatting.</para>
 
 	<para>To install the printer icon in Print Manager and set it to send
 	  print jobs to the FreeBSD UNIX system, use the following
 	  instructions under NT 3.51.  You must be logged in to the NT system
 	  as Administrator.  This can be done at any time after the NT system
 	  is installed, or during OS installation.</para>
 
 	<procedure>
 	  <step>
 	    <para>Click on Main, and open it.  Then click on Print Manager to
 	      open it.</para>
 	  </step>
 
 	  <step>
 	    <para>Click on <guiicon>Printer</guiicon>, <guibutton>Create
 		Printer</guibutton>.  Select the appropriate printer
 	      driver.</para>
 	  </step>
 
 	  <step>
 	    <para>Click the down arrow under Print To and select
 	      Other.</para>
 	  </step>
 
 	  <step>
 	    <para>In the Available Print Monitors window select
 	      LPR port and click <guibutton>OK</guibutton>.</para>
 	  </step>
 
 	  <step>
 	    <para>Enter the hostname of the FreeBSD printserver, and the name
 	      of the printer queue and click <guibutton>OK</guibutton></para>
 	  </step>
 
 	  <step>
 	    <para>Click <guibutton>OK</guibutton> to close the Create Printer
 	      window. The Printer icon is created.</para>
 	  </step>
 	</procedure>
 
 	<para>To install the printer icon in Print Manager and set it to send
 	  print jobs to the FreeBSD UNIX system, use the following
 	  instructions under NT 4.  You must be logged in to the NT system as
 	  Administrator.  This can be done at any time after the NT system is
 	  installed, or during OS installation:</para>
 
 	<procedure>
 	  <step>
 	    <para>Click <guibutton>Start</guibutton>,
 	      <guimenuitem>Settings</guimenuitem>,
 	      <guimenuitem>Printers</guimenuitem> to open the printer
 	      folder.</para>
 	  </step>
 
 	  <step>
 	    <para>Double-click <guiicon>Add Printer</guiicon> to start the
 	      wizard.</para>
 	  </step>
 	  
 	  <step>
 	    <para>Select the My Computer radio button, not the Network
 	      Print Server button and click <guibutton>Next</guibutton>.  (The
 	      printer <emphasis>is</emphasis> a networked printer, it is
 	      managed on the local NT system. Microsoft used confusing
 	      terminology here.</para>
 	  </step>
 	  
 	  <step>
 	    <para>Click <guibutton>Add Port</guibutton> and select LPR Port,
 	      then click <guibutton>New Port</guibutton>.</para>
 	  </step>
 
 	  <step>
 	    <para>Enter the hostname and print queue for the FreeBSD
 	      printserver and click <guibutton>OK</guibutton>.</para>
 	  </step>
 	  
 	  <step>
 	    <para>Click <guibutton>Next</guibutton> and select the correct
 	      printer driver.  Continue until the printer is set up.</para>
 	  </step>
 	</procedure>
 
 	<para>The LPR client in Windows NT allows DOS print jobs originating
 	  in DOS boxes to be routed to the central UNIX print spooler.  This
 	  is an advantage over the Win95 and WfW LPR programs.</para>
 
 	<sect3>
 	  <title>Windows NT Registry Changes</title>
 
 	  <para>Using the LPR daemon program under Windows NT presents one
 	    problem.  If the NT server is used as an LPR/LPD "relay", for
 	    example, to pass jobs from clients to LPR print queues on a UNIX
 	    system, to pass jobs from LPR programs on UNIX terminating at NT
 	    print queues, or to pass jobs from Appletalk clients to LPR
 	    printers, NT retypes the job if the type code is set to P (text).
 	    This can wreak havoc on PostScript files printed through HP
 	    LaserJet printers with internal MIO cards in them, if the job
 	    originates from the <filename>/usr/bin/lpr</filename> program
 	    under UNIX, which assigns a P type code.  The printserver card
 	    treats PostScript jobs as text, and instead of the print job, the
 	    raw PostScript codes print.  This problem often manifests in the
 	    following way: <filename>/usr/bin/lpr</filename> is used to print
 	    a PostScript file from UNIX directly to the remote printer
 	    printserver, which works fine, but spooling it through NT causes
 	    problems.</para>
 
 	  <para>A registry change that can override the NT Server formatting
 	    behavior is detailed in Microsoft Knowledge Base article ID
 	    Q150930.  With Windows NT 3.51, and 4.0 up to service pack 1 the
 	    change is global.  Starting with NT 4.0 Service pack 2 the change
 	    can be applied to specific print queues, (see Knowledge Base
 	    article ID Q168457). This registry change also works for
 	    Windows 2000.</para>
 
 	  <para>Under Windows NT 4.0, the change is:</para>
 
 	  <procedure>
 	    <step>
 	      <para>Run Registry Editor
 		(<filename>REGEDT32.EXE</filename>)</para>
 	    </step>
 	    
 	    <step>
 	      <para>From the <literal>HKEY_LOCAL_MACHINE</literal> subtree, go
 		to the following key:</para>
 
 	      <para><literal>\SYSTEM\CurrentControlSet\Services\LPDSVC\Parameters</literal></para>
 	    </step>
 
 	    <step>
 	      <para>On the <guimenu>Edit</guimenu> menu, click
 		<guimenuitem>Add Value</guimenuitem>.</para>
 	    </step>
 
 	    <step>
 	      <para>Add the following:</para>
 
-	      <informaltable frame="none">
+	      <informaltable frame="none" pgwide="1">
 		<tgroup cols="2">
 		  <tbody>
 		    <row>
 		      <entry>Value Name:</entry>
 		      <entry>SimulatePassThrough</entry>
 		    </row>
 
 		    <row>
 		      <entry>Data Type:</entry>
 		      <entry>REG_DWORD</entry>
 		    </row>
 
 		    <row>
 		      <entry>Data</entry>
 		      <entry>1</entry>
 		    </row>
 		  </tbody>
 		</tgroup>
 	      </informaltable>
 
 	      <note>
 		<para>The default value is 0, which informs LPD to assign
 		  datatypes according to the control commands.</para>
 	      </note>
 	    </step>
 	  </procedure>
 	  
 	  <para>Under Windows NT 3.51, the change is:</para>
 
 	  <procedure>
 	    <step>
 	      <para>Run Registry Editor
 		(<filename>REGEDT32.EXE</filename>)</para>
 	    </step>
 
 	    <step>
 	      <para>From the <literal>HKEY_LOCAL_MACHINE</literal> subtree, go
 		to the following key:</para>
 
 	      <para><literal>\SYSTEM\CurrentControlSet\Services\LPDSVC\Parameters</literal></para>
 	    </step>
 
 	    <step>
 	      <para>On the <guimenu>Edit</guimenu> menu, click
 		<guimenuitem>Add Value</guimenuitem>.</para>
 	    </step>
 
 	    <step>
 	      <para>Add the following:</para>
 
-	      <informaltable frame="none">
+	      <informaltable frame="none" pgwide="1">
 		<tgroup cols="2">
 		  <tbody>
 		    <row>
 		      <entry>Value Name:</entry>
 		      <entry>SimulatePassThrough</entry>
 		    </row>
 
 		    <row>
 		      <entry>Data Type:</entry>
 		      <entry>REG_DWORD</entry>
 		    </row>
 
 		    <row>
 		      <entry>Data</entry>
 		      <entry>1</entry>
 		    </row>
 		  </tbody>
 		</tgroup>
 	      </informaltable>
 
 	      <note>
 		<para>The default value is 0, which informs LPD to assign
 		  datatypes according to the control commands.</para>
 	      </note>
 	    </step>
 
 	    <step>
 	      <para>Create an LPD key at the same level as the LPDSVC
 		key.</para>
 	    </step>
 	    
 	    <step>
 	      <para>Click the LPDSVC Key, click <guimenuitem>Save
 		  Key</guimenuitem> from the <guimenu>Registry</guimenu> menu,
 		and then save the file as
 		<filename>LPDSVC.KEY</filename></para>
 	    </step>
 
 	    <step>
 	      <para>Click the LPD key created in step 5.</para>
 	    </step>
 
 	    <step>
 	      <para>Click <guimenuitem>Restore</guimenuitem> on the
 		<guimenu>Registry</guimenu> menu, click the file created in
 		step 6, and then click <guibutton>OK</guibutton>.</para>
 	    </step>
 
 	    <step>
 	      <para>A warning message appears.  Click
 		<guibutton>OK</guibutton> and then quit the Registry
 		Editor.</para>
 	    </step>
 
 	    <step>
 	      <para>At a command prompt window, type:</para>
 
 	      <screen><userinput>net stop lpdsvc</userinput>
 <userinput>net start lpdsvc</userinput></screen>
 	    </step>
 	  </procedure>
 	</sect3>
       </sect2>
     </sect1>
 
     <sect1 id="printserving-ps-dos">
       <title>Printing PostScript and DOS command files</title>
 
       <para>One problem with printing under Win31 and Win95 with the LPR
 	methods discussed is the lack of a <quote>raw</quote>
 	<devicename>LPT1:</devicename> device. This is annoying to the
 	administrator who wants to print an occasional text file, such as a
 	file full of printer control codes, without their being intercepted by
 	the Windows printer driver.  Of course this is also an issue with DOS
 	programs, but a commercial site that runs significant DOS software and
 	wants to print directly to UNIX with LPR really only has one
 	option&mdash;to use a commercial TCP/IP stack containing a DOS LPR
 	program.</para>
 
       <para>Normally, under Windows printing, virtually all graphical programs
 	print through the Windows printer driver.  This is true even of basic
 	programs such as Notepad.  For example, an administrator may have a
 	DOS batch file named <filename>filename.txt</filename> containing the
 	following line:</para>
 
       <programlisting>echo \033&amp;k2G &gt; lpt1:</programlisting>
 
       <para>This batch file switches a HP LaserJet from CR-LF, MS-DOS
 	textfile printing into Newline termination UNIX textfile printing.
 	Otherwise, raw text printed from UNIX on the HP prints with a
 	stairstep effect.</para>
 
       <para>If the administrator opens this file with Notepad and prints it
 	using a regular printer driver, such as an Epson LQ, the Windows
 	printer driver encapsulates this print output into a series of
 	printer-specific control codes that do things such as initialize the
 	printer, install fonts, and so on.  The printer won't interpret this
 	output as control code input.  Usually, if the printer is locally
 	attached, the user can force a "raw text print" of the file by opening
 	a DOS window and running:</para>
 
       <screen><userinput>copy filename.txt lpt1: /b</userinput></screen>
 
       <para>Since the LPR client program doesn't provide a DOS driver, it
 	cannot reroute input from the <devicename>LPT1:</devicename> device
 	ports. The solution is to use the Generic / Text Only printer driver
 	in conjunction with Wordpad (under Win95); under Win31 use a different
 	text editor.  The Notepad editor supplied with Windows is unsuitable
 	for this - it "helpfully" inserts a 1 inch margin of spaces around all
 	printed output, as well as the filename title.  Wordpad supplied with
 	Win95, can be set to use margins of zero, and inserts no additions
 	into the printed output. Also, make sure that banner pages are turned
 	off, and the print type is set to raw.</para>
     </sect1>
 
     <sect1 id="printserving-psprinter">
       <title>Checking PostScript Printer capabilities</title>
 
       <para>Following is a PostScript command file that can be used to get a
 	PostScript printer to output a number of useful pieces of information
 	that are needed to set up a printer icon under Windows properly.  It
 	was printed from Wordpad, in Win95, through the Generic / Text Only
 	printer driver with the following instructions:</para>
 
       <procedure>
 	<step>
 	  <para><guibutton>Start</guibutton>, <guimenuitem>Run</guimenuitem>,
 	    type in <userinput>Wordpad</userinput> and press
 	    <keycap>Enter</keycap>.</para>
 	</step>
 
 	<step>
 	  <para><guimenu>File</guimenu>, <guimenuitem>Open</guimenuitem>
 	    <filename>testps.txt</filename></para>
 	</step>
 
 	<step>
 	  <para><guimenu>File</guimenu>, <guimenuitem>Page
 	      Setup</guimenuitem>, <guimenuitem>Printer</guimenuitem>, select
 	    <guimenuitem>Generic / Text Only</guimenuitem>, click
 	    <guibutton>Properties</guibutton></para>
 	</step>
 
 	<step>
 	  <para>Click <guimenuitem>Device Options</guimenuitem>, select
 	    <guilabel>TTY custom</guilabel>, click
 	    <guibutton>OK</guibutton>.</para>
 	</step>
 
 	<step>
 	  <para>Click <guibutton>OK</guibutton>, then set all four margins to
 	    <literal>0</literal>; click <guibutton>OK</guibutton>.</para>
 	</step>
 
 	<step>
 	  <para>Click <guimenu>File</guimenu>,
 	    <guimenuitem>Print</guimenuitem>,
 	    <guibutton>OK</guibutton>.</para>
 	</step>
       </procedure>
       
       <para>This could also have been printed with
 	<filename>/usr/bin/lpr</filename> on a UNIX command prompt.  The file
 	prints <emphasis>Test Page</emphasis> and some printer statistics
 	below that, as follows.</para>
 
       <programlisting>% filename: testps.txt
 % purpose: to verify proper host connection and function of PostScript
 % printers.
 /buf 10 string def
 /CM {
 save statusdict/product get (PostScript) anchorsearch
 exch pop {length 0 eq
 {1}{2}ifelse
 }
 {2}ifelse exch restore
 }bind def
 /isCM {
 CM 1 ge
 }bind def
 /Times-BoldItalic findfont 75 scalefont setfont
 150 500 moveto
 (Test Page) false charpath
 isCM{gsave 0.0 1.0 1.0 0.0 setcmykcolor fill grestore}if
 2 setlinewidth stroke
 /Times-Roman findfont 10 scalefont setfont
 150 400 moveto
 (Your PostScript printer is properly connected and operational.)show
 150 380 moveto
 (The border around the page indicates your printer's printable region.)show
 { vmreclaim } stopped pop
 vmstatus exch sub exch pop
 150 360 moveto
 (Max Available Printer Virtual Memory (KB):)show
 150 340 moveto
 dup 1024 div truncate buf cvs show
 150 320 moveto
 (Calculated memory size used for PostScript printer icon properties:) show
 150 300 moveto
 0.85 mul 1024 div truncate buf cvs show
 150 280 moveto
 (Printer Model: )show
 statusdict begin product show end
 150 260 moveto
 (PostScript Level: )show
 /languagelevel where
 { languagelevel 3 string cvs show pop }
 {(1) show } ifelse
 150 240 moveto
 (PostScript Version: )show
 statusdict begin
 version show (.)show
 revision 40 string cvs show end
 clippath stroke
 showpage</programlisting>
     </sect1>
 
     <sect1 id="printserving-lpr-freebsd">
       <title>Setting up LPR/LPD on FreeBSD</title>
 
       <para>When a FreeBSD system is booted, it starts the LPD spooler control
 	daemon program if the <filename>/etc/rc.conf</filename> file has
 	<literal>lpd_enable="YES"</literal> set.  If this is not set, attempts
 	to print through and from the FreeBSD system will fail with an
 	<errorname>lpr: connect: No such file or directory</errorname> error
 	message.</para>
 
       <para>The LPD program manages all incoming print jobs, whether they come
 	in from the network, or from local users on the UNIX system.  It
 	transfers print jobs to all locally attached parallel or serial
 	printers, as well as defined remote printers. Several programs also
 	are used to manipulate jobs in the print spools that LPD manages, as
 	well as the user programs to submit them from the UNIX command prompt.
 	All of these programs use the <filename>/etc/printcap</filename> file,
 	which is the master control file for the printing system.</para>
 
       <para>Back when printing was mostly text, it was common to place
 	printers on a serial connection that stretched for long distances.
 	Often, 9600bps was used because it could work reliably up to a block
 	away, which allowed printers to be located almost anywhere on an
 	office high-rise floor.  Modern office print jobs, on the other hand,
 	are generally graphics-laden and tend to be rather large.  These jobs
 	would take hours to transfer over a slower 9600bps serial printer
 	connection.  Today, most printers that are not connected to a remote
 	hardware print server box are directly connected to the server using
 	parallel cables.  All of the examples shown here are direct
 	connections that are parallel connections.</para>
 
       <para>The <filename>printcap</filename> configuration file, like most
 	UNIX configuration files, indicates comment lines starting with a hash
 	character.  Lines without a hash character are meant to be part of a
 	printer queue description line.  Each printer queue description line
 	starts with a symbolic name, and ends with a newline.  Since the
 	description lines are often quite long, they are often written to span
 	multiple lines by escaping intermediate newlines with the backslash
 	(<literal>\</literal>) character.  The
 	<filename>/etc/printcap</filename> file, as supplied, defines a single
 	printer queue, <literal>lp</literal>.  The <literal>lp</literal> queue
 	is the default queue.  Most UNIX-supplied printing utilities send
 	print output to this queue if no printer is specified by the user.  It
 	should be set to point to the most popular print queue with
 	<emphasis>local</emphasis> UNIX print users, (i.e., users that have
 	shell accounts).</para>
 
       <para>The layout of <filename>/etc/printcap</filename> is covered in the
 	manual page, which is reached by running the <userinput>man
 	  printcap</userinput> command. The stock
 	<filename>/etc/printcap</filename> file at the line defining the spool
 	<literal>lp</literal> shows:</para>
 
       <programlisting>#
 lp|local line printer:\
     :lp=/dev/lpt0:sd=/var/spool/output/lpd:lf=/var/log/lpd-errs:
 #</programlisting>
 
       <para>In this example the first line defines the names by which the
 	printer is known, and ends with an escaped newline. The next line
 	defines the physical device, the PC parallel port, by
 	<filename>/dev/lpt0</filename>, and the directory in which the spool
 	files are stored at <filename>/var/spool/output/lpd</filename>, and
 	the error log file.  Note that this particular error log file will not
 	show all LPD errors, such as bad job submittals, it usually shows only
 	the errors that originate within the printing system itself.</para>
 
       <para>In general, the administrator creates two print queues for every
 	printer that is connected to the FreeBSD machine. The first queue
 	entry contains whatever additional capabilities UNIX shell users on
 	the server require.  The second is a raw queue that performs no print
 	processing on the incoming print job.  This queue is used by remote
 	clients, such as Windows clients, that format their own jobs.</para>
 
       <para>If the administrator is setting up the printer to allow incoming
 	LPR jobs from network clients, such as other Windows or UNIX systems,
 	those systems <emphasis>must</emphasis> be listed in
 	<filename>/etc/hosts.lpd</filename>.</para>
 
       <sect2>
 	<title>Creating the spools</title>
 
 	<para>Building new print spools is merely a matter of making an entry
 	  in the <filename>/etc/printcap</filename> file, creating the spool
 	  directories, and setting the correct permissions on them. For
 	  example, the following additional line defines a PostScript printer
 	  named NEC (in addition to the <literal>lp</literal>
 	  definition):</para>
 
 	<programlisting>#
 lp|local line printer:\
     :lp=/dev/lpt0:sd=/var/spool/output/lpd:lf=/var/log/lpd-errs:
 
 NEC|NEC Silentwriter 95 PostScript printer:\
     :lp=/dev/lpt0:sd=/var/spool/output/NEC:lf=/var/log/lpd-errs:
 #</programlisting>
 
 	<para>Because UNIX is case sensitive, NEC is different from
 	  <literal>nec</literal> in both the name of the printer and the name
 	  of the Spool directory.  With the print spooler LPD, the Spool
 	  directories <emphasis>must</emphasis> be different from each other,
 	  or the spooler gets confused and doesen't print.</para>
 
 	<para>After the <filename>/etc/printcap</filename> is modified, the
 	  root user must create the <filename>/var/spool/output/NEC</filename>
 	  directory and assign ownership of it to the <username>bin</username>
 	  user, assign group ownership to <username>daemon</username>, and set
 	  permissions with the following commands:</para>
 
 	<screen>&prompt.user; <userinput>su root</userinput>
 &prompt.root; <userinput>cd /var/spool/output</userinput>
 &prompt.root; <userinput>mkdir NEC</userinput>
 &prompt.root; <userinput>chown bin NEC</userinput>	  
 &prompt.root; <userinput>chgrp daemon NEC</userinput>
 &prompt.root; <userinput>chmod 755 NEC</userinput></screen>
       </sect2>
 
       <sect2>
 	<title>Additional spool capabilities</title>
 
 	<para>Because modern print jobs (especially PostScript) can sometimes
 	  reach hundreds of megabytes, the <literal>sd</literal> capability
 	  entry in the <filename>/etc/printcap</filename> file should always
 	  point to a Spool directory on a filesystem that has enough space.
 	  The <filename>/var</filename> directory on a default FreeBSD
 	  installation is generally set to a fairly small amount, which can
 	  easily overflow the spool.  There are four ways to handle this
 	  problem:</para>
 
 	<orderedlist>
 	  <listitem>
 	    <para>During FreeBSD installation, if the administrator knows a
 	      lot of print jobs are going to go through the spooler,
 	      <filename>/var</filename> should be set to a large
 		amount of free space.</para>
 	  </listitem>
 
 	  <listitem>
 	    <para>Modify the <literal>sd</literal> capability in the
 	      <filename>/etc/printcap</filename> file to point to a spool
 	      directory in a different, larger filesystem, such as
 	      <filename>/usr/spool</filename>.</para>
 	  </listitem>
 
 	  <listitem>
 	    <para>Use soft links to point the
 	      <filename>/var/spool/output</filename> directory to directories
 	      on a larger filesystem.</para>
 	  </listitem>
 
 	  <listitem>
 	    <para>Don't define a <filename>/var</filename> directory at all
 	      during FreeBSD installation; this would make the installer link
 	      <filename>/var</filename> to
 	      <filename>/usr/var</filename>.</para>
 	  </listitem>
 	</orderedlist>
 	
 	<para>In addition to spools, the following other capabilities are
 	  usually placed in a production
 	  <filename>/etc/printcap</filename> file.</para>
 	
 	<para>The entry <literal>fo</literal> prints a form feed when the
 	  printer is opened.  It is handy for HPPCL (HP LaserJets) or other
 	  non-PostScript printers that are located behind electronic print
 	  sharing devices.  It can also be used for printers that accept input
 	  from multiple connections, such as a parallel port, serial port, and
 	  localtalk port.  An example is an HP LaserJet with an MIO card in it
 	  plugged into both Ethernet and LocalTalk networks.  It will clear
 	  any garbage out of the printer before the job is processed.</para>
 
 	<para>The entry <literal>mx</literal> defines the maximum size of a
 	  print job, which is a must for modern print jobs that frequently
 	  grow far past the default print size of a megabyte.  The original
 	  intent of this capability was to prevent errant programs from
 	  stuffing the spool with jobs so large that they would use up all
 	  paper in a printer.  Graphics-heavy print jobs have made it
 	  impossible to depend on this kind of space limitation, so
 	  <literal>mx</literal> is usually set to zero, which turns it
 	  off.</para>
 
 	<para>The entry <literal>sh</literal> suppresses printing of banner
 	  pages in case the printer cannot handle ASCII and the client
 	  mistakenly requests them.</para>
 
 	<para>The entry <literal>ct</literal> denotes a TCP Connection
 	  timeout.  This is useful if the remote print server doesn't close
 	  the connection properly.</para>
 
 	<note>
 	  <para>FreeBSD 2.2.5 contains a bug in the LPD system - as a
 	    workaround the <literal>ct</literal> capability needs to be set
 	    very large, such as 3600, or the appropriate patch installed and
 	    LPD recompiled.  More recent versions of FreeBSD do not have this
 	    bug.</para>
 	</note>
       </sect2>
 
       <sect2>
 	<title>Printing to hardware print server boxes or remote print
 	  servers.</title>
 	
 	<para>Hardware print server boxes, such as the HP JetDirect internal
 	  and external cards, need some additional capabilities defined in the
 	  <filename>/etc/printcap</filename> entry; <literal>rp</literal>, for
 	  remote print spool, and <literal>rm</literal> for remote machine
 	  name.</para>
 
 	<para>The <literal>rm</literal> capability is simply the DNS or
 	  <filename>/etc/hosts</filename> name of the IP number associated
 	  with the remote printserver device.  Obviously, print server
 	  devices, such as the HP JetDirect, must not use a dynamic TCP/IP
 	  network numbering assignment.  If they get their numbering via DHCP,
 	  the IP number should be assigned from the static pool; it should
 	  always be the same IP number.</para>
 
 	<para>Determining the name used for <literal>rp</literal>, on the
 	  other hand, can be rather difficult.  Here are some common
 	  names:</para>
 
 	<para>Windows NT Server: Printer name of the printer icon created in
 	  Print Manager</para>
 
 	<para>FreeBSD: Print queue name defined in
 	  <filename>/etc/printcap</filename></para>
 
 	<para>HP JetDirect: Either the name <literal>TEXT</literal> or the
 	  name <literal>RAW</literal>.  <literal>TEXT</literal> automatically
 	  converts incoming UNIX newline text to DOS-like CR/LF text that the
 	  printer can print.  <literal>RAW</literal> should be used for
 	  PostScript, and HPPCL printing.</para>
 
 	<para>HP JetDirect EX +3: External, 3 port version of the JetDirect.
 	  Use <literal>RAW1</literal>, <literal>RAW2</literal>,
 	  <literal>RAW3</literal>, <literal>TEXT1</literal>,
 	  <literal>TEXT2</literal>, or <literal>TEXT3</literal> depending on
 	  the port desired.</para>
 
 	<para>Intel NetPort: Either use <literal>TEXT</literal> for UNIX text
 	  conversion printing or use <literal>PASSTHRU</literal> for normal
 	  printing.</para>
 
 	<para>DPI: Use <literal>PORT1</literal> or <literal>PORT2</literal>
 	  depending on which port the printer is plugged into.</para>
 
 	<para>For other manufacturer's print servers refer to the manuals
 	  supplied with those devices.</para>
 
 	<para>The following is an example printcap that redefines the default
 	  <literal>lp</literal> print queue to send print jobs to the first
 	  parallel port on a remote HP LaserJet plugged into a JetDirect EX +3
 	  named <hostid role="fqdn">floor2hp4.biggy.com</hostid>.</para>
 
 	<programlisting>#
 lp|local line printer:\
     :rm=floor2hp4.biggy.com:rp=RAW1:\
     :sd=/var/spool/output/lpd:\
     :lf=/var/log/lpd-errs:
 #</programlisting>
 
 	<note>
 	  <para>The <literal>rp</literal> capability <emphasis>must</emphasis>
 	    be defined or the job goes to the default print queue on the
 	    remote host.  If the remote device does not have a single print
 	    queue, such as another UNIX system, this causes problems.  For
 	    example, if the remote device was a JetDirect EX + 3 and
 	    <literal>rp</literal> was omitted, all queues defined would print
 	    out of the first parallel port.</para>
 	</note>
       </sect2>
 
       <sect2>
 	<title>Filters</title>
 
 	<para>The last two important printcap capabilities concern print
 	  filters, <literal>if</literal> (input filter) and
 	  <literal>of</literal> (output filter).  If defined, incoming print
 	  jobs are run through the filters that these entries point to for
 	  further processing.</para>
 
 	<para>Filters are the reason that the UNIX print spooling system is so
 	  much more powerful than any other commercial server operating
 	  system.  Under FreeBSD, incoming print jobs are acted on by any
 	  filters specified in the <filename>/etc/printcap</filename>
 	  <emphasis>no matter where they originate</emphasis>.  Incoming print
 	  jobs from remote Windows, Mac, NT, OS/2 or other clients can be
 	  intercepted and manipulated by any program specified as a filter.
 	  Want a PostScript Printer? There's a filter that adds PostScript
 	  capability to a non-PostScript printer.  Want to make a cheap Epson
 	  MX 80 dot-matrix emulate an expensive Okidata Microline dot-matrix
 	  for some archaic mainframe application? Write a filter that will
 	  rewrite the print codes to do it.  Want custom-built banner pages?
 	  Use a filter.  Many UNIX <filename>/etc/printcap</filename> filters
 	  on many Internet sites can do a variety of interesting and unique
 	  things. Someone may have already written a filter that does what you
 	  want!</para>
 
 	<sect3>
 	  <title>Types of Filters</title>
 
 	  <para>Three types of filters can be defined in the
 	    <filename>/etc/printcap</filename> file.  In this book all filter
 	    examples are for Input filters.</para>
 
 	  <sect4>
 	    <title>Input Filters</title>
 
 	    <para>Input filters are specified by the <literal>if</literal>
 	      capability.  Every job that comes into the spool is acted on by
 	      any filter specified in the <literal>if</literal> entry for that
 	      spool. Virtually all filters that an administrator would use are
 	      specified here.  These filters can be either shell scripts, or
 	      compiled programs.</para>
 	  </sect4>
 
 	  <sect4>
 	    <title>Fixed Filters</title>
 
 	    <para>Fixed filters are specified by separate capabilities, such
 	      as <literal>cf</literal>, <literal>df</literal>, and
 	      <literal>gf</literal>.  Mostly, these exist for historical
 	      reasons.  Originally, the idea of LPD was that incoming jobs
 	      would be submitted with the type fields set to trigger whatever
 	      filter was desired.  However, type codes are confusing and
 	      annoying to the user, who has to remember which option is needed
 	      to trigger which type.  It is much easier to set up multiple
 	      queues with different names, and this is what most sites do
 	      these days. For example, originally a DVI fixed filter might be
 	      specified in a spool for <literal>lp</literal>, triggered by the
 	      <option>-d</option> option passed to <command>lpr</command>.
 	      Jobs without this option aren't acted on by the DVI filter.
 	      However, the same thing can be done by creating a queue named
 	      <literal>lp</literal> that doesn't have a DVI filter, and a
 	      queue named <literal>lpdvi</literal> which has the DVI filter
 	      specified in the <literal>if</literal> capability.  Users just
 	      need to remember which queue to print to, instead of what option
 	      needed for this or that program.</para>
 	  </sect4>
 
 	  <sect4>
 	    <title>Output Filters</title>
 
 	    <para>These are specified by the <literal>of</literal> capability.
 	      Output filters are much more complicated than input filters and
 	      are hardly ever used in normal circumstances.  They also
 	      generally require a compiled program somewhere, either directly
 	      specified or wrapped in a shell script, since they have to do
 	      their own signal-handling.</para>
 	  </sect4>
 	</sect3>
 
 	<sect3>
 	  <title>Printing Raw UNIX Text with a Filter</title>
 
 	  <para>One of the first things that a new UNIX user will discover when
 	    plugging a standard LaserJet or impact printer into a UNIX system
 	    is the <emphasis>stairstep</emphasis> problem.  The symptom is
 	    that the user dumps text to the printer, either through LPR or
 	    redirection (by catting it to the parallel device) and instead of
 	    receiving the expected Courier 10-point printout, gets a page with
 	    a single line of text, or two lines of text "stairstepped", text
 	    and nothing else.</para>
 
 	  <para>The problem is rooted in how printers and UNIX handle
 	    textfiles internally.  Printers by and large follow the "MS-DOS
 	    Textfile" convention of requiring a carriage return, then a
 	    linefeed, at the end of every text line.  This is a holdover from
 	    the early days when printers were mechanical devices, and the
 	    print head needed to return and the platen to advance to start a
 	    new line.  UNIX uses only the linefeed character to terminate a
 	    text line.  So, simply dumping raw text out the parallel port
 	    works on MS-DOS, but not on UNIX.</para>
 
 	  <para>If the printer is a PostScript printer, and doesn't support
 	    standard ASCII, then dumping UNIX text to it doesn't work.  But
 	    then, neither would dumping MS-DOS text to it.  (Raw text printing
 	    on PostScript printers is discussed later in this chapter.)  Note
 	    also that if the printer is connected over the network to an HP
 	    JetDirect hardware print server, internal or external, the TEXT
 	    queue on the hardware print automatically adds the extra Carriage
 	    Return character to the end of a text line.</para>
 
 	  <para>If the printer is the garden-variety HP LaserJet, DeskJet, or
 	    an impact printer, and under DOS the administrator is used to
 	    printing raw text from the command line for directory listings,
 	    there are two ways to fix stairstep.  The first is to send a
 	    command to the printer to make it print in "unix textfile" mode,
 	    which makes the printer supply its own carriage return.  This
 	    solution is ugly in a printer environment with UNIX and Windows
 	    machines attempting to share use of the same printer.  Switching
 	    the printer to work with UNIX disrupts DOS/Windows raw text
 	    printouts.</para>
 
 	  <para>The better solution is to use a simple filter that converts
 	    incoming text from UNIX style to DOS style.  The following filter
 	    posted on questions@FreeBSD.org and the sample
 	    <filename>/etc/printcap</filename> entry can be used to do
 	    this:</para>
 
 	  <programlisting>#!/bin/sh
 # /usr/local/libexec/crlfilter
 #
 # simple parlor trick to add CR to LF for printer
 # Every line of standard input is printed with CRLF
 # attached.
 #
 
 awk '{printf "%s\r\n", $0}' -</programlisting>
 
 	  <para>An alternative filter posted using sed could be written
 	    as:</para>
 
 	  <programlisting>#!/bin/sh
 # /usr/local/libexec/crlfilter
 #
 # Add CR to LF for printer
 # Every line of standard input is printed with CRLF
 # attached.
 #
 # Note, the ^M is a *real* ^M (^V^M if your typing in vi)
 #
 
 sed 's/$/^M/' -</programlisting>
 
 	  <para>Here is an example of a filter that triggers the printers
 	    automatic LF-to-CR/LF converter (this option is only useful on HP
 	    LaserJets that support this command):</para>
 
 	  <programlisting>#!/bin/sh
 # Simply copies stdin to stdout.  Ignores all filter
 # arguments.
 # Tells printer to treat LF as CR+LF.  Writes a form feed
 # character after printing job.
 
 printf "\033&amp;k2G" &amp;&amp; cat &amp;&amp; printf "\f" &amp;&amp; exit 0
 
 exit 2</programlisting>
 
 	  <para>The printcap file used to trigger the filter is:</para>
 
 	  <programlisting>#/etc/printcap
 # The trailer (tr) is used when the queue empties.  I found that the
 # form feed (\f) was basically required for the HP to print properly.
 # Banners also need to be shut off.
 #
 
 lp|local line printer:\
     :lp=/dev/lpt0:sd=/var/spool/output/lpd:lf=/var/log/lpd-errs:
     :if=/usr/local/libexec/crlfilter:sh:tr=\f:mx#0:
 #</programlisting>
 	</sect3>
 
 	<sect3>
 	  <title>The <literal>pr</literal> filter</title>
 	  
 	  <para>Although most filters are built by scripts or programs and are
 	    added to the UNIX machine by the administrator, there is one
 	    filter that is supplied with the FreeBSD operating system is very
 	    useful for raw text files: the <literal>pr</literal> filter.  It is
 	    most commonly used when printing from the UNIX command shell.  The
 	    <literal>pr</literal> filter paginates and applies headers and
 	    footers to ASCII text files.  It is automatically invoked with the
 	    <option>-p</option> option used with the <command>lpr</command>
 	    program at the UNIX command prompt.</para>
 
 	  <para>The <literal>pr</literal> filter is special - it runs <emphasis>in
 	      addition</emphasis> to any input filters specified for the print
 	    queue in <filename>/etc/printcap</filename>,
 	    <emphasis>if</emphasis> the user sets the option for a print job.
 	    This allows headers and pagination to be applied in addition to
 	    any special conversion, such as CR to CR/LF that a specified input
 	    filter may apply.</para>
 	</sect3>
 
 	<sect3>
 	  <title>Printing PostScript Banner Pages with a Filter.</title>
 
 	  <para>Unfortunately, the canned banner page supplied in the LPD
 	    program prints only on a text-compatible printer.  If the attached
 	    printer understands only PostScript and the administrator wants to
 	    print banner pages, it is possible to install a filter into the
 	    <filename>/etc/printcap</filename> file to do this.</para>
 
 	  <para>The following filter is taken from the FreeBSD Handbook.  I've
 	    slightly changed its invocation for a couple of reasons.  First,
 	    some PostScript printers have difficulty when two print files are
 	    sent within the same print job or they lack the trailing
 	    Control-D.  Second is that the handbook invocation uses the LPRPS
 	    program, which requires a serial connection to the printer.</para>
 
 	  <para>The following filter shows another trick: calling LPR from
 	    within a filter program to spin off another print job.
 	    Unfortunately, the problem with using this trick is that the
 	    banner page always gets printed after the job.  This is because
 	    the incoming job spools first, and then FreeBSD runs the filter
 	    against it, so the banner page generated by the filter always
 	    spools behind the existing job.</para>
 
 	  <para>There are two scripts, both should be put in the
 	    <filename>/usr/local/libexec</filename> directory, and the modes
 	    set to executable.  The <filename>printcap</filename> also must be
 	    modified to create the nonbanner and banner versions of the print
 	    queue.  Following the scripts is the
 	    <filename>/etc/printcap</filename> file showing how they are
 	    called.  Notice that the <literal>sh</literal> parameter is turned
 	    on since the actual printed banner is being generated on the fly
 	    by the filter:</para>
 
 	  <programlisting>#!/bin/sh
 # Filename /usr/local/libexec/psbanner
 # parameter spacing comes from if= filter call template of:
 # if -c -w -l -i -n login -h host
 # parsing trickiness is to allow for the presence or absence of -c
 # sleep is in there for ickiness of some PostScript printers
 
 for dummy
 do
   case "$1" in
     -n) alogname="$2" ;;
     -h) ahostname="$2" ;;
   esac
   shift
 done
 
 /usr/local/libexec/make-ps-header $alogname $ahostname "PostScript" | \
   lpr -P lpnobanner
 
 sleep 10
 
 cat &amp;&amp; exit 0</programlisting>
 
 	  <para>Here is the <filename>make-ps-header</filename> listing.</para>
 
 	  <programlisting>#!/bin/sh
 # Filename /usr/local/libexec/make-ps-header
 #
 # These are PostScript units (72 to the inch).  Modify for A4 or
 # whatever size paper you are using:
 #
 
 page_width=612
 page_height=792
 border=72
 
 #
 # Save these, mostly for readability in the PostScript, below.
 #
 
 user=$1
 host=$2
 job=$3
 date=`date`
 
 #
 # Send the PostScript code to stdout.
 #
 
 exec cat &lt;&lt;EOF
 %!PS
 %
 % Make sure we do not interfere with user's job that will follow
 %
 
 %
 % Make a thick, unpleasant border around the edge of the paper.
 %
 
 $border $border moveto
 $page_width $border 2 mul sub 0 rlineto
 0 $page_height $border 2 mul sub rlineto
 currentscreen 3 -1 roll pop 100 3 1 roll setscreen
 $border 2 mul $page_width sub 0 rlineto closepath
 0.8 setgray 10 setlinewidth stroke 0 setgray
 
 %
 % Display user's login name, nice and large and prominent
 %
 
 /Helvetica-Bold findfont 64 scalefont setfont
 $page_width ($user) stringwidth pop sub 2 div $page_height 200 sub moveto
 ($user) show
 
 %
 % Now show the boring particulars
 %
 
 /Helvetica findfont 14 scalefont setfont
 /y 200 def
 [ (Job:) (Host:) (Date:) ] {
 200 y moveto show /y y 18 sub def
 } forall
 /Helvetica-Bold findfont 14 scalefont setfont
 /y 200 def
 [ ($job) ($host) ($date) ] {
 270 y moveto show /y y 18 sub def
 } forall
 
 %
 % That is it
 %
 
 showpage</programlisting>
 
 	  <para>Here is the <filename>/etc/printcap</filename> file.</para>
 
 	  <programlisting>#
 lp|local line printer, PostScript, banner:\
   :lp=/dev/lpt0:sd=/var/spool/output/lpd:lf=/var/log/lpd-errs:\
   :if=/usr/local/libexec/psbanner:sh:mx#0:
 
 lpnobanner|local line printer, PostScript, no banner:\
   :lp=/dev/lpt0:sd=/var/spool/output/lpd-noban:\
   :lf=/var/log/lpd-errs:sh:mx#0:
 #</programlisting>
 	</sect3>
       </sect2>
     </sect1>
 
     <sect1 id="printserving-accounting">
       <title>Printer Accounting</title>
 
       <para>The FreeBSD print spooler can manage accounting statistics for
 	printer usage.  The spooler counts each page printed and generates
 	totals for each user.  In this manner departments or individuals can
 	be charged money for their use of the printer.</para>
 
       <para>In the academic world, such as student computer labs, accounting
 	is very political.  Many schemes have been developed to attempt to
 	gather statistics to charge people (generally students) for printing.
 	Administrators in this environment who deal with printers can have
 	almost as many accounting problems as printer problems.  In the
 	corporate environment, on the other hand, accounting is not as
 	important.  I strongly recommend against any corporation attempting to
 	implement printer accounting on shared printers for a number of
 	reasons:</para>
 
       <orderedlist>
 	<listitem>
 	  <para>The entire UNIX accounting system is based on ASCII printouts.
 	    It is easy to count the number of ASCII pages, form feeds, or text
 	    lines in a print job.  In corporations, however, PostScript and
 	    HPPCL are generally the order of the day.  It is almost impossible
 	    to figure out by examining the datastream how many pages it will
 	    occupy, and even if this could be done accurately, it wastes
 	    significant computational resources.</para>
 
 	  <note>
 	    <para>It is possible to get some PostScript printers to count
 	      pages, but doing so requires a bidirectional connection to the
 	      printer and additional programming on the UNIX system.  This
 	      task is beyond the scope of this book.</para>
 	  </note>
 	</listitem>
 
 	<listitem>
 	  <para>Banner pages aren't included in UNIX printer accounting
 	    counts.  Therefore, someone submitting 20 two-page jobs uses much
 	    more paper than does someone submitting one 40 page job, yet both
 	    are charged the same amount.</para>
 	</listitem>
 
 	<listitem>
 	  <para>The username of the submitter can be easily forged, if the job
 	    is remotely submitted over the network from a client (practically
 	    all jobs in a Windows client printing environment are remotely
 	    submitted).  Although some LPR clients can be set to authenticate,
 	    and the <literal>rs</literal> capability can be set to enforce
 	    authentication, not all can, especially Windows LPR
 	    clients.</para>
 	</listitem>
 
 	<listitem>
 	  <para>It is more difficult for a submitter to hide the IP number or
 	    machine name of the remote client, but in a Windows environment
 	    there is no guarantee that someone was sitting at a particular
 	    desktop machine when the job was submitted.</para>
 	</listitem>
 
 	<listitem>
 	  <para>A business generates no revenue by monitoring printer usage.
 	    In the academic community, however, when a student lab charges for
 	    printouts the lab is actually extracting money from an entity (the
 	    student) that is separate from the lab.  Within a corporation, the
 	    concept of department A getting revenue from user B is pointless
 	    and doesn't generate a net gain for the corporation as a
 	    whole.</para>
 
 	  <para>For my printer administration, I have found that I can save
 	    more money on printing costs by purchasing supplies wisely than by
 	    attempting to discourage printing through "chargebacks".  What is
 	    the sense of being miserly with printing while spending double on
 	    toner cartridges because no one is willing to comparison shop, or
 	    signing a "lease" agreement that isn't beneficial for the printer?
 	    When you get down to it, corporate users don't care much for print
 	    sharing anyway, and they generally only agree to it because the
 	    administrator can buy a far bigger, faster, and fancier printer
 	    than they can requisition.</para>
 	</listitem>
 
 	<listitem>
 	  <para>Worse yet, if usage on a shared printer is charged, it
 	    encourages employees to look for other places to print.
 	    Inevitably, people run out buy cheap inkjet printers for their own
 	    use, and the business ends up spending more on paper and supplies
 	    for many poor-quality small printers, than it would for a few
 	    decent big ones.  Moreover, the inferior output of these printers
 	    makes the organization as a whole look bad.</para>
 	</listitem>
 
 	<listitem>
 	  <para>The corporate spirit should be one of teamwork, not bickering.
 	    The surest way to kill a network in a corporation is to set up a
 	    situation that puts the administrator into the policeman position
 	    or pits one department against another.</para>
 	</listitem>
       </orderedlist>
       
       <para>The only justification I've ever seen for running accounting on
 	corporate printers is using the accounting system to automate
 	reminders to the administrator to replace paper, or toner. Aside from
 	this use, a corporation that implements accounting as a way of
 	encouraging employees not to waste paper ends up defeating the purpose
 	of turning on accounting.</para>
     </sect1>
 
     <sect1 id="printserving-samba">
       <title>Microsoft Networking Client printing with Samba</title>
 
       <para>Although LPR is a time-tested and truly cross-platform printing
 	solution, sites with a majority of Windows clients running Microsoft
 	Networking have an alternate printing mechanism&mdash;Samba.  Samba
 	can provide print services to clients running SMB-compatible network
 	clients.  With a running Samba installation, the administrator may
 	"share out" printers as well as filesystem directories from the
 	FreeBSD system.</para>
 
       <para>Printers accessed with Samba must be defined both in the
 	<filename>/etc/printcap</filename> file and the
 	<filename>/usr/local/etc/smb.conf</filename> file. If the individual
 	printers are defined in the <filename>smb.conf</filename> file with
 	the <literal>printer driver=</literal> statement set to the exact
 	model name of the printer, the "Auto printer driver install" feature
 	of Windows NT and Win95/98 is activated.  This automatically loads the
 	correct printer driver if the user clicks on the print queue in
 	Network Neighborhood under Windows 95 or NT 4.0.  The restriction, of
 	course, is that the printer model must be in the Windows client driver
 	database.</para>
 
       <para>The <filename>smb.conf</filename> file also defines the
 	<literal>print</literal> command used to pass jobs to the UNIX print
 	spool.  It is a good idea to redefine this via the <literal>print
 	  command</literal> option to <literal>lpr -s -P %p %s; rm
 	  %s</literal>.  This turns on soft linking, so that large print jobs
 	don't get truncated.</para>
 
       <para>In operation, the SMB-networking client builds the print job on
 	itself and then transfers the entire job over the network to the Samba
 	server.  On the server, Samba has its own temporary print spool
 	directory to which the job is copied.  Once the job has been
 	completely received, it is then passed to the UNIX print
 	spooler.</para>
 
       <figure>
 	<title>Microsoft Networking Client printing with Samba</title>
 
 	<mediaobject>
 	  <imageobject>
 	    <imagedata fileref="08-06" format="EPS">
 	  </imageobject>
 
 	      <textobject>
 		<literallayout class="monospaced"> ,---------.
  | ======= |                   FreeBSD Server
  | ======= |               +---------------------+        ,-----.
 +-----------+              |  +---------------+  |        |     |
 |  Printer [ ]------------[ ] |    Samba      |  |        |_____| 
 +-----------+	Parallel   |  |   Software    | [ ]------_________
 		 Cable     |  +---------------+  |      / ::::::: \
                            |                     |      `---------'
                            |  +---------------+  |       Network PC
                            |  |    Print      |  |
                            |  |   Software    |  |
 	                   |  +---------------+  |
 	                   +---------------------+</literallayout>
 	  </textobject>
 
 	  <textobject>
 	    <phrase>The Samba software and the print software run on the same
 	      host.  Samba receives the print job, then hands it to the print
 	      spooler.</phrase>
 	  </textobject>
 	</mediaobject>
       </figure>
 
       <sect2>
 	<title>Client access issues</title>
 
 	<para>Because a Windows client formats print jobs before sending them
 	  to the server, the administrator may want to hide some of the
 	  specialty print queues on the server.  For example, the queue that
 	  converts LF to CRLF for UNIX text printouts would probably not be
 	  shared out.  To make such queues invisible, the
 	  <literal>browseable=no</literal> option can be turned on in the
 	  <filename>smb.conf</filename> file.  Also, the <literal>load
 	    printers</literal> option must be set to no to allow individual
 	  printer definitions.</para>
 
 	<note>
 	  <para>In general, the only print queues that should be visible
 	    through Samba are the "raw" print queues that are set up by the
 	    administrator to allow incoming preformatted print jobs.</para>
 	</note>
 	
 	<para>Windows clients that print to Samba print queues on the UNIX
 	  system can view and cancel print jobs in the print queue.  They
 	  cannot pause them, however, which is a difference between Novell and
 	  Windows NT Server print queues.  They also cannot prioritize print
 	  jobs from the print queue window, although the administrator can
 	  reprioritize print jobs that are in the queue from a command shell
 	  on the FreeBSD server.</para>
       </sect2>
 
       <sect2>
 	<title>Printer entries in configuration files</title>
 
 	<para>Following are listings of sample
 	  <filename>/etc/printcap</filename> and
 	  <filename>smb.conf</filename> files used on the system to provide
 	  print services.  An explanation of the interaction of these files
 	  follows.</para>
 
 	<example>
 	  <title><filename>/etc/printcap</filename></title>
 
 	  <programlisting>#
 #
 # The printer in lpt0 is a PostScript printer.  The nec-crlf entry
 # is for testing the printer when it is switched into HP LaserJet III
 # mode.
 #
 
 lp|local line printer:\
   :lp=/dev/lpt0:sd=/var/spool/output/lpd:\
   :lf=/var/log/lpd-errs:sh:mx#0:
 
 #
 
 nec-crlf|NEC Silentwriter 95 in ASCII mode with UNIX text filter:\
   :lp=/dev/lpt0:sd=/usr/lpdspool/nec-crlf:\
   :lf=/var/log/lpd-errs:sh:mx#0:\
   :if=/usr/local/libexec/crlfilter:tr=\f:
 
 #
 
 nec-raw|NEC Silentwriter 95 used for PostScript passthrough printing:\
   :lp=/dev/lpt0:sd=/usr/lpdspool/nec-raw:\
   :lf=/var/log/lpd-errs:sh:mx#0:
 
 #
 
 nec-ps-banner|NEC Silentwriter 95 with PostScript banner page created:\
   :lp=/dev/lpt0:sd=/usr/lpdspool/nec-ps-banner:\
   :lf=/var/log/lpd-errs:sh:mx#0:if=/usr/local/libexec/psbanner:
 
 #
 #</programlisting>
 	</example>
 
 	<example>
 	  <title><filename>/usr/local/etc/smb.conf</filename></title>
 
 	  <programlisting>[global]
 comment = FreeBSD - Samba %v
 log file = /var/log/samba.log
 dont descend = /dev,/proc,/root,/stand
 print command = lpr -s -P %p %s; rm %s
 interfaces = <replaceable>X.X.X.X</replaceable> (the system IP number goes here)
 printing = bsd
 map archive = no
 status = yes
 public = yes
 read only = no
 preserve case = yes
 strip dot = yes
 security = share
 guest ok = no
 password level = 1
 dead time = 15
 domain master = yes
 workgroup = WORKGROUP
 
 [homes]
 browseable = no
 comment = User Home Directory
 create mode = 0775
 public = no
 
 [printers]
 path = /var/spool
 comment = Printers
 create mode = 0700
 browseable = no
 read only = yes
 public = no
 
 [lp]
 printable = yes
 browseable = no
 
 [nec-raw]
 comment = Main PostScript printer driver for Windows clients
 printer driver = NEC SilentWriter 95
 printable = yes
 browseable = yes
 
 [wwwroot]
 path = /usr/local/www
 read only = no
 create mode = 0775
 comment = Internal Web Server</programlisting>
 	</example>
       </sect2>
 
       <sect2>
 	<title>Browsing output</title>
 
 	<para>Following is the output of a <userinput>net view</userinput>
 	  command executed at a DOS prompt under Windows 95:</para>
 
 	<screen>Shared resources at \\SERVER
 
 Sharename Type    Comment
 --------------------------------------------------------------------
 nec-crlf  Print   NEC Silentwriter 95 in ASCII mode
 nec-raw   Print   Main PostScript printer driver
 tedm      Disk    User Home Directory
 wwwroot   Disk    Internal Web Server
 
 The command was completed successfully.</screen>
 
 	<para>In the <filename>/etc/printcap</filename> file four print queues
 	  are defined, all tied to the printer plugged into the parallel port
 	  on the FreeBSD server.  The first is <literal>lp</literal>, the
 	  generic local line printer.  Since this print queue generally has a
 	  filter placed on it to format jobs from the UNIX print queue
 	  properly, it should not be visible on the SMB network (i.e., visible
 	  in Network Neighborhood).  The second queue,
 	  <literal>nec-crlf</literal>, has a filter that converts UNIX text to
 	  text that prints without stairstepping, so it also should be hidden
 	  from the SMB network.  The third, <literal>nec-raw</literal>, should
 	  be visible on the network because this is the spool that the Windows
 	  clients use.  The last queue, <literal>nec-ps-banner</literal>, is
 	  another specialty queue for UNIX local printing and thus should not
 	  be visible.</para>
 
 	<para>When the <filename>smb.conf</filename> file is parsed, the
 	  default entry <literal>[printers]</literal> is first read and used
 	  as a set of defaults for printers that are going to be shared out.
 	  Next, the <filename>/etc/printcap</filename> file is read to get a
 	  list of all printers on the server.  Last, each printer is checked
 	  for a service name in the <filename>smb.conf</filename> file that
 	  contains settings that override the set of defaults.</para>
 
 	<para>In the listing of what resources are visible on the network,
 	  both <literal>nec-crlf</literal> and <literal>nec-raw</literal>
 	  print queues are visible, and <literal>lp</literal> and
 	  <literal>nec-ps-banner</literal> is not. <literal>lp</literal> is
 	  not visible because there is a specific entry,
 	  <literal>[lp]</literal> in the <filename>smb.conf</filename> file
 	  that blocks it. <literal>nec-ps-banner</literal> doesn't have such
 	  an entry, but because the print queue name is not a legal length for
 	  a SMB name, it isn't shared out either.</para>
 
 	<para>The <literal>nec-crlf</literal> printer is visible so as to
 	  illustrate another point - comments.  If a print queue has no entry
 	  in the <filename>smb.conf</filename> file and is built by scanning
 	  the <filename>/etc/printcap</filename> file and using the
 	  <literal>[printers]</literal> defaults, the comment is taken from
 	  the <filename>/etc/printcap</filename> file next to the queue
 	  definition name.  Otherwise, if an entry is made for the printer in
 	  the <filename>smb.conf</filename> file the comment is taken from the
 	  entry in <filename>smb.conf</filename>.</para>
       </sect2>
     </sect1>
 
     <sect1 id="printserving-nt-and-freebsd">
       <title>Printing between NT Server/NetWare and FreeBSD.</title>
 
       <para>Up to this point in the chapter, our main concern has been FreeBSD
 	and Windows NT printing interoperability with NT as a print client
 	passing jobs to the FreeBSD system.  What happens if the situation is
 	reversed and the FreeBSD system is itself a printing client of another
 	LPD server?  This situation can arise in a mixed UNIX/NetWare or
 	UNIX/NT environment.  The administrator may elect to forgo the use of
 	Samba, and use an NT server to provide print services.  Alternatively,
 	the administrator may have existing DOS Novell IPX clients that they
 	don't want to change, printing to an existing IPX Novell NetWare
 	server.  Many of the earlier hardware print servers, such as the Intel
 	NetPort 1 and NetPort 2 were IPX only.  A site with a large number of
 	these hardware servers may wish to move the clients to TCP/IP, but
 	leave the existing IPX-based printing network intact.</para>
 
       <para>With NetWare it is possible to load an LPD NetWare loadable module
 	(NLM) on the NetWare server that takes incoming LPR print jobs and
 	prints them on IPX print queues.  Later versions of NetWare may
 	include this NLM, it was an extra cost add-on with NetWare 3.X</para>
 
       <para>With Windows NT Server, loading the TCP/IP LPR printing support
 	also loads the LPD print server on NT.  By using LPR client programs
 	on UNIX, it is possible to submit, view status, and remove jobs
 	remotely from an NT server that has LPR installed as a port for its
 	printers.</para>
 
       <para>Following is a sample <filename>/etc/printcap</filename> file entry
 	that defines a print queue named <literal>tank</literal> on the FreeBSD
 	system pointed to an NT LPD server queue named
 	<literal>sherman</literal> on a NT Server named
 	<hostid role="fqdn">big.army.mil</hostid> in the DNS.  This uses the
 	<literal>rm</literal> printcap capability.  Unlike the earlier
 	examples, the output print jobs are sent out not by the PC parallel
 	port but over the network to the NT server.</para>
 
       <programlisting>#
 tank|sample remote printer:\
   :rm=big.army.mil:rp=sherman:sd=/var/spool/output/lphost:\
   :lf=/var/log/lpd-errs:
 #</programlisting>
 
       <note>
 	<para>When using an NT server as an LPD server it may be necessary to
 	  make the NT registry changes mentioned under Windows NT Registry
 	  Changes, earlier in the chapter.</para>
       </note>
     </sect1>
 
     <sect1 id="printserving-unix">
       <title>Printing from UNIX</title>
 
       <para>Two commands used at the FreeBSD command prompt are intended as
 	general-purpose print commands: <command>lp</command> and
 	<command>lpr</command>.</para>
 
       <sect2>
 	<title><command>lp</command></title>
 
 	<para>The <command>lp</command> command is simply a front end command
 	  that calls the <command>lpr</command> command with appropriate
 	  options.  Its main use is to allow the running of precompiled
 	  binary programs and scripts that assume that the
 	  <command>lp</command> command is the <emphasis>official</emphasis>
 	  printing command.</para>
       </sect2>
 
       <sect2>
 	<title><command>lpr</command></title>
 
 	<para>The <command>lpr</command> command is the main command that is
 	  used to print files from the command prompts under the FreeBSD
 	  operating system.  It is frequently spawned off as a child program,
 	  or used in pipes.  For example, when the Netscape web browser's
 	  Print button is clicked, Netscape may create the PostScript output,
 	  but the output goes through the <command>lpr</command>
 	  command.</para>
 
 	<para>The <command>lpr</command> command, like many UNIX command-line
 	  printing programs, assumes that the default print queue name is
 	  <literal>lp</literal>.  When the FreeBSD machine is set up, the
 	  administrator usually sets the <literal>lp</literal> queue to print
 	  through a filter that allows raw UNIX text sent to it to print
 	  properly.  For example, if an HP LaserJet printer that doesn't have
 	  PostScript is connected to the server, the
 	  <literal>lp</literal> queue specifies in the
 	  <filename>/etc/printcap</filename> file the CRLF filter listed
 	  earlier.  On the other hand, if an Apple Laserwriter that doesn't
 	  support ASCII is connected to the server, the
 	  <literal>a2ps</literal>filter would be specified in the
 	  <filename>/etc/printcap</filename> for the <literal>lp</literal>
 	  queue.</para>
 
 	<para>When printing raw text files usually the <option>-p</option>
 	  option is specified to <command>lpr</command>.  When printing
 	  preformatted files, such as PostScript files, the
 	  <option>-P</option> option is used, which selects whatever queue is
 	  used to handle these job types.</para>
       </sect2>
 
       <sect2>
 	<title>Managing the UNIX Print Queue</title>
 
 	<para>Once the print jobs coming in from clients are received on the
 	  FreeBSD system and placed in the print spool, they are metered out
 	  at a slower rate to the various printers.  If traffic activity is
 	  light, and few print jobs get sent through, the administrator can
 	  probably ignore the print queue as long as it continues to work.
 	  However, a busy network printer running at an optimal rate of speed
 	  usually has a backlog of unprinted jobs in the queue waiting for
 	  print time.  To keep all users happy and to provide for the
 	  occasional rush print job, the UNIX LPD/LPR printing system has
 	  several administration commands which are described here.</para>
 
 	<sect3>
 	  <title>Viewing the queue</title>
 
 	  <para>On busy printers, and to troubleshoot stopped printers, users
 	    sometimes need to view the print jobs in the queue. Administrators
 	    also need to view the queue to see what jobs may need to be
 	    expedited.  This can be done from the workstation that remotely
 	    submitted the job if the LPR client has the ability to do this.
 	    The Windows 3.1 LPR client discussed earlier has this capability.
 	    Unfortunately, many LPR clients don't, which means that the
 	    administrator must Telnet into the UNIX machine that the print
 	    queues are on and view them there.</para>
 
 	  <para>The UNIX shell command used to view the queue is the
 	    <command>lpq</command> command.  It is frequently run as
 	    <userinput>lpq -a</userinput> which shows jobs in all queues.  The
 	    following is a sample output of the command:</para>
 
 	  <screen>&prompt.root; <userinput>lpq -a</userinput>
 nec-raw:
 Rank Owner Job Files                         Total Size
 1st  tedm  19  C:/WLPRSPL/SPOOL/~LP00018.TMP 105221 bytes
 2nd  tedm  20  C:/WLPRSPL/SPOOL/~LP00019.TMP 13488 bytes
 3rd  root  3   hosts                         1220 bytes
 4th  tedm  1   Printer Test Page             765 bytes
 5th  tedm  2   Microsoft Word - CHAPTE10.DOC 15411 bytes</screen>
 
 	  <para>The first two jobs and the last two jobs came from remote
 	    clients, the third came from the command prompt.</para>
 	</sect3>
 
 	<sect3>
 	  <title>Removing print jobs</title>
 
 	  <para>Deleting unwanted print jobs that haven't yet printed from the
 	    queue can be done by the remote workstations that submitted the
 	    job if their LPR implementations have the necessary commands.  The
 	    Windows 3.1 LPR client I detailed earlier has this capability.  Many
 	    LPR clients don't, however, which means that the administrator
 	    must Telnet into the UNIX machine that the print queues are on and
 	    delete the jobs there.</para>
 
 	  <para>The administrator can delete any print jobs from any queues by
 	    running the <command>lprm</command> command followed by the
 	    specified print queue and the job number.  Below is a sample
 	    output of the command:</para>
 
 	  <screen>&prompt.root; <userinput>lprm -P nec-raw 19</userinput>
 dfA019tedmitte dequeued
 cfA019dostest dequeued
 &prompt.root; <userinput>lprm -P nec-raw 3</userinput>
 dfA003toybox.placo.com dequeued
 cfA003toybox.placo.com dequeued</screen>
 
 	  <para>The <command>lprm</command> command is also used under UNIX to
 	    delete remote print jobs.</para>
 	</sect3>
 
 	<sect3>
 	  <title>Advanced management</title>
 
 	  <para>The administrator logged into the FreeBSD system as the root
 	    user can also perform several other operations that ordinary users
 	    cannot.  These include turning the queues on and off, and moving
 	    print jobs within the print queues.  The command used to do this
 	    is the <command>lpc</command> command.</para>
 
 	  <para><command>lpc</command> has two modes of operation.  In the
 	    first mode, the command is run by itself, which puts the
 	    administrator into an <prompt>lpc</prompt> prompt.  Some general
 	    help is available for the commands, such as the following sample
 	    output:</para>
 
 	  <screen>&prompt.root; <userinput>lpc</userinput>
 <prompt>lpc&gt;</prompt> <userinput>help</userinput>
 Commands may be abbreviated.
 Commands are:
 abort enable disable help restart status topq ?
 clean exit down quit start stop up
 <prompt>lpc&gt;</prompt> <userinput>help disable</userinput>
 disable turn a spooling queue off
 <prompt>lpc&gt;</prompt> <userinput>help status</userinput>
 status show status of daemon and queue
 <prompt>lpc&gt;</prompt> <userinput>exit</userinput></screen>
 	  
 	  <para>In the second mode of operation the <command>lpc</command>
 	    command is just run by itself, followed by the command and the
 	    print queue name.  Following is a sample output:</para>
 
 	  <screen>&prompt.root; <userinput>lpc disable lp</userinput>
 lp:
 queuing disabled</screen>
 
 	  <para>Under FreeBSD, there is no command that specifically allows
 	    the administrator to move jobs from one queue to another.  This
 	    can be done, however, by changing into the raw queue directory
 	    then rerunning the <command>lpr</command> command.  Following is a
 	    sample run showing three print jobs moved from a dysfunctional
 	    queue to a good one:</para>
 
 	  <screen>&prompt.root; <userinput>lpq -a</userinput>
 lp:
 Warning: lp is down: printing disabled
 printing disabled
 Rank Owner Job Files                      Total Size
 1st  root  51  hosts                      1220 bytes
 2nd  root  52  services                   60767 bytes
 3rd  root  53  printcap                   2383 bytes
 &prompt.root; <userinput>cd /var/spool/output/lpd</userinput>
 &prompt.root; <userinput>ls</userinput>
 .seq cfA053toybox.placo.com dfA053toybox.placo.com
 cfA051toybox.placo.com dfA051toybox.placo.com lock
 cfA052toybox.placo.com dfA052toybox.placo.com status
 &prompt.root; <userinput>lpr -P nec-raw dfA051toybox.placo.com</userinput>
 &prompt.root; <userinput>lpr -P nec-raw dfA052toybox.placo.com</userinput>
 &prompt.root; <userinput>lpr -P nec-raw dfA053toybox.placo.com</userinput>
 &prompt.root; <userinput>lprm -P lp -</userinput>
 &prompt.root; <userinput>lpq -a</userinput>
 nec-raw:
 Warning: nec-raw is down: printing disabled
 Warning: no daemon present
 Rank Owner Job Files                      Total Size
 1st  root  5   dfA051toybox.placo.com     1220 bytes
 2nd  root  6   dfA052toybox.placo.com     60767 bytes
 3rd  root  7   dfA053toybox.placo.com     2383 bytes</screen>
 
 	  <note>
 	    <para>Moving jobs from queue to queue is feasible only when all
 	      printers are similar, as when all printers support
 	      PostScript.</para>
 	  </note>
 	</sect3>
 
 	<sect3>
 	  <title>Remote Management</title>
 
 	  <para>Just as the root user can manipulate remotely submitted jobs
 	    in the print queue, print jobs can be remotely managed by regular
 	    users with the LPR clients that created them. Unfortunately, some
 	    LPR clients, such as the ACITS LPR client for Win95, don't have
 	    enough programming to be able to do this.  Others, like the Win31
 	    client, can manipulate the print jobs remotely.</para>
 
 	  <para>FreeBSD offers some level of protection against inadvertent
 	    deletion of print jobs from remote hosts by restricting
 	    manipulation of a job to the same host that originated it.  Even
 	    if the owner of the job matches a local user account on the
 	    server, for an ordinary user to delete remotely submitted print
 	    jobs, the request still must come from the remote host.</para>
 	</sect3>
       </sect2>
     </sect1>
 
     <sect1 id="printserving-advanced">
       <title>Advanced Printing Topics</title>
 
       <para>The FreeBSD UNIX LPR/LPD printing system is very flexible, and,
 	with the addition of filters, can be adapted to very unusual printing
 	environments.  To enhance this flexibility, several useful printing
 	utilities are supplied on the FreeBSD CDROM which the administrator
 	might wish to install.</para>
 
       <sect2>
 	<title>Ghostscript</title>
 
 	<para>The Ghostscript program, invoked as
 	  <filename>/usr/local/bin/gs</filename>, is one of the most useful
 	  printing utilities that have been developed for the free software
 	  community.  Ghostscript reads incoming PostScript data, (or Adobe
 	  PDF files) interprets it, and outputs it as a raster image.  This
 	  can be displayed on screen, for example, with the GhostView program
 	  under the X Window system, or printed on most graphics printers,
 	  such as Epson dot-matrix, HP DeskJet, or HP LaserJet.  In effect, it
 	  is a way of adding PostScript printing capability to a printer that
 	  doesn't have PostScript firmware code. Ghostscript has been ported
 	  to numerous operating systems including Windows.</para>
 
 	<para>The Ghostscript home page is located at
 	  <ulink url="http://www.cs.wisc.edu/~ghost/"></ulink>
 	  and contains the most current version of the program.  A prebuilt
 	  FreeBSD binary of Ghostscript is located in the Packages section of
 	  the FreeBSD CDROM.  This can be installed on the FreeBSD system by
 	  selecting the package from the prepackaged software list that is
 	  accessed through the <command>/stand/sysinstall</command>
 	  installation program.  Many packaged programs on the CD depend on
 	  GhostScript, and so it may already be installed.</para>
 
 	<para>Installation of the packaged version of GhostScript is
 	  recommended in the FreeBSD ports Section because it has been tested
 	  with the other packages that require it.  The package creates a
 	  directory containing some documentation files in
 	  <filename>/usr/local/share/ghostscript/X.XX/doc</filename>.
 	  Unfortunately, because of the packaging process on the FreeBSD CDROM
 	  not all the useful installation files are copied into this location.
 	  So, if the package was version 5.03 (for example) the administrator
 	  will also want to get the file
 	  <ulink url="ftp://ftp.cs.wisc.edu/ghost/aladdin/gs502/ghostscript-5.02.tar.gz"></ulink>,
 	  and unzip and untar it into a temporary directory.</para>
 	
 	<para>Extracting the archive file creates a directory structure under
 	  the <filename>gs5.03</filename> subdirectory.  To install
 	  ghostscript in the <filename>/etc/printcap</filename> file, read the
 	  <filename>gs5.03/devs.mak</filename> file to determine which printer
 	  driver definition works with your printer and then use the following
 	  instructions:</para>
 
 	<procedure>
 	  <step>
 	    <para>Change to the root user with <command>su</command>.</para>
 	  </step>
 
 	  <step>
 	    <para>In the <filename>gs5.03</filename> directory, copy the
 	      <filename>lprsetup.sh</filename>,
 	      <filename>unix-lpr.txt</filename>, and
 	      <filename>unix-lpr.sh</filename> files to
 	      <filename>/usr/local/share/ghostscript/5.03</filename>.</para>
 	  </step>
 
 	  <step>
 	    <para>Change to the
 	      <filename>/usr/local/share/ghostscript/5.03</filename>
 	      directory. Edit <filename>lprsetup.sh</filename> with a text
 	      editor such as <command>vi</command>.</para>
 	  </step>
 
 	  <step>
 	    <para>Modify the <literal>DEVICES=</literal> entries
 		to list your selected printer driver definitions per the
 		instructions in <filename>unix-lpr.txt</filename>.</para>
 	  </step>
 
 	  <step>
 	    <para>Modify the <literal>PRINTERDEV=</literal> to
 	      <literal>/dev/lpt0</literal>, and the <literal>GSDIR=</literal>
 	      to <literal>/usr/local/share/ghostscript</literal>, and the
 	      <literal>SPOOLDIR=</literal> to
 	      <literal>/var/spool/output</literal>. Save the file.</para>
 	  </step>
 
 	  <step>
 	    <para>Edit the <filename>unix-lpr.sh</filename> file and change
 	      the <literal>PSFILTERPATH=</literal> to
 	      <literal>/usr/local/share/ghostscript</literal>.</para>
 	  </step>
 
 	  <step>
 	    <para>If the printer that you defined in the
 	      <filename>lprsetup.sh</filename> file is a monochrome printer,
 	      remove the <literal>"-dBitsPerPixel=${bpp}"</literal> and
 	      <literal>"$colorspec"</literal> entries on the
 	      <literal>gs</literal> invocation line and save the file.
 	      Otherwise, if it is a color definition leave them in.  For
 	      example, the following line is for a monochrome LaserJet:</para>
 
 	    <programlisting>") | gs -q -dNOPAUSE -sDEVICE=${device} \"</programlisting>
 	    
 	    <para>Don't remove anything else.  Exit the editor, and save the
 	      <filename>unix-lpr.sh</filename> file.</para>
 	  </step>
 
 	  <step>
 	    <para>Copy the <filename>unix-lpr.sh</filename> file to the parent
 	      directory, <filename>/usr/local/share/ghostscript</filename> and
 	      set the execute bit on it.</para>
 	  </step>
 
 	  <step>
 	    <para>Set the execute bit on <filename>lprsetup.sh</filename> with
 	      chmod and run the file by typing
 	      <userinput>./lprsetup.sh</userinput>.</para>
 	  </step>
 
 	  <step>
 	    <para>Follow the instructions on creating the Spool directories.
 	      If you will be using accounting and a separate log file, run the
 	      <command>touch</command> command to create the empty files per
 	      directions in script output.</para>
 	  </step>
 
 	  <step>
 	    <para>The sample <command>/etc/printcap</command> is located in
 	      the current directory; the filename is
 	      <filename>printcap.insert</filename>.  Use this as a template to
 	      modify the <filename>/etc/printcap</filename> file.  A sample
 	      <filename>/etc/printcap</filename> file for a LaserJet 3 is
 	      below:</para>
 
 	    <programlisting>#
 #
 ljet3.raw|Raw output device ljet3 for Ghostscript:\
   :rm=big.army.mil:rp=sherman:sd=/var/spool/output/ljet3/raw:\
   :mx#0:sf:sh:rs:
 
 #
 
 ljet3|Ghostscript device ljet3 (output to ljet3.raw):\
   :lp=/dev/null:sd=/var/spool/output/ljet3:\
   :lf=/var/log/lpd-errs:mx#0:sf:sh:rs:\
   :if=/usr/local/share/ghostscript/filt/indirect/ljet3/gsif:\
   :af=/var/spool/output/ljet3/acct:
 
 #</programlisting>
 	  </step>
 	</procedure>
       </sect2>
 
       <sect2>
 	<title>a2ps filter</title>
 
 	<para>Another handy utility is the <command>a2ps</command> filter, short
 	  for ASCII-to-PostScript.  This program takes an incoming ASCII
 	  datastream and converts it into PostScript.  It can also print
 	  multiple pages on a single sheet of paper by shrinking them down. It
 	  is a useful tool for a printer that cannot interpret ASCII, such as
 	  a PostScript-only printer.</para>
 
 	<para><command>A2ps</command> is not installed in the FreeBSD system
 	  by default; it is located in the ports section
 	  <filename>/usr/ports/print/a2ps43</filename>.  A prepackaged binary
 	  can be installed with <command>/stand/sysinstall</command> but I
 	  have had problems with that port.  It is best to install it by
 	  running <command>make</command> in the a2ps43 ports directory.  A
 	  printcap entry and filter using this follow:</para>
 
 	<example>
 	  <title><filename>/etc/printcap</filename></title>
 
 	  <programlisting>#
 lp|local line printer with output dumped through a2ps for raw listings:\
   :lp=/dev/lpt0:sd=/var/spool/output/lpd:lf=/var/log/lpd-errs:sh:mx#0:\
   :if=/usr/local/libexec/ascii2postscript:
 #</programlisting>
 	</example>
 
 	<example>
 	  <title><filename>/usr/local/libexec/ascii2postscript</filename></title>
 
 	  <programlisting>#!/bin/sh
 #
 # Simple filter that converts ASCII to PostScript for basic stuff like
 # directory listings.
 #
 
 /usr/local/bin/a2ps &amp;&amp; exit 0
 
 exit 2</programlisting>
 	</example>
 
 	<para>Read the system manual page for <command>a2ps</command> to see
 	  the options available with this program, and remember to set the
 	  filter script <filename>ascii2postscript</filename>
 	  all-executable.</para>
       </sect2>
     </sect1>
 
     <sect1 id="printserving-misc">
       <title>Miscellaneous</title>
 
       <para>The large number of other printing utilities cannot be covered
 	here.  Some add features such as automatic job type sensing, others
 	handle bidirectional communication between the server and the printer.
 	There are also a few other experimental LPR printing replacement
 	systems.  Commands such as ghostscript and <command>a2ps</command> can
 	also be used in pipes that create pretty output on an ordinary impact
 	printer.</para>
 
       <para>One last hint - the system manual pages can be printed with the
 	<option>-t</option> option which turns their ordinary ASCII output to
 	beautifully formatted PostScript.  Try the command <command>man -t
 	  man</command> and send the output through GhostScript or a
 	PostScript printer for easier to read manual pages.</para>
     </sect1>
   </chapter>
 </book>
diff --git a/en_US.ISO8859-1/books/developers-handbook/dma/chapter.sgml b/en_US.ISO8859-1/books/developers-handbook/dma/chapter.sgml
index ae56b1144a..7ac24b9838 100644
--- a/en_US.ISO8859-1/books/developers-handbook/dma/chapter.sgml
+++ b/en_US.ISO8859-1/books/developers-handbook/dma/chapter.sgml
@@ -1,1326 +1,1326 @@
 <!--
      The FreeBSD Documentation Project
 
      $FreeBSD$
 -->
 
 <chapter id="dma">
   <title>DMA</title>
 
   <sect1 id="dma-basics">
     <title>DMA: What it is and How it Works</title>
     
     <para><emphasis>Copyright &copy; 1995,1997 &a.uhclem;, All Rights
 	Reserved.  10 December 1996.  Last Update 8 October
 	1997.</emphasis></para>
 
     <para>Direct Memory Access (DMA) is a method of allowing data to be moved
       from one location to another in a computer without intervention from the
       central processor (CPU).</para>
 
     <para>The way that the DMA function is implemented varies between computer
       architectures, so this discussion will limit itself to the
       implementation and workings of the DMA subsystem on the IBM Personal
       Computer (PC), the IBM PC/AT and all of its successors and
       clones.</para>
 
     <para>The PC DMA subsystem is based on the &intel; 8237 DMA controller. The
       8237 contains four DMA channels that can be programmed independently and
       any one of the channels may be active at any moment.  These channels are
       numbered 0, 1, 2 and 3.  Starting with the PC/AT, IBM added a second
       8237 chip, and numbered those channels 4, 5, 6 and 7.</para>
 
     <para>The original DMA controller (0, 1, 2 and 3) moves one byte in each
       transfer.  The second DMA controller (4, 5, 6, and 7) moves 16-bits from
       two adjacent memory locations in each transfer, with the first byte
       always coming from an even-numbered address.  The two controllers are
       identical components and the difference in transfer size is caused by
       the way the second controller is wired into the system.</para>
 
     <para>The 8237 has two electrical signals for each channel, named DRQ and
       -DACK.  There are additional signals with the names HRQ (Hold Request),
       HLDA (Hold Acknowledge), -EOP (End of Process), and the bus control
       signals -MEMR (Memory Read), -MEMW (Memory Write), -IOR (I/O Read), and
       -IOW (I/O Write).</para>
 
     <para>The 8237 DMA is known as a <quote>fly-by</quote> DMA controller.
       This means that the data being moved from one location to another does
       not pass through the DMA chip and is not stored in the DMA chip.
       Subsequently, the DMA can only transfer data between an I/O port and a
       memory address, but not between two I/O ports or two memory
       locations.</para>
 
     <note>
       <para>The 8237 does allow two channels to be connected together to allow
 	memory-to-memory DMA operations in a non-<quote>fly-by</quote> mode,
 	but nobody in the PC industry uses this scarce resource this way since
 	it is faster to move data between memory locations using the
 	CPU.</para>
     </note>
 
     <para>In the PC architecture, each DMA channel is normally activated only
       when the hardware that uses a given DMA channel requests a transfer by
       asserting the DRQ line for that channel.</para>
 
     <sect2>
       <title>A Sample DMA transfer</title>
       
       <para>Here is an example of the steps that occur to cause and perform a
 	DMA transfer.  In this example, the floppy disk controller (FDC) has
 	just read a byte from a diskette and wants the DMA to place it in
 	memory at location 0x00123456.  The process begins by the FDC
 	asserting the DRQ2 signal (the DRQ line for DMA channel 2) to alert
 	the DMA controller.</para>
 	  
       <para>The DMA controller will note that the DRQ2 signal is asserted. The
 	DMA controller will then make sure that DMA channel 2 has been
 	programmed and is unmasked (enabled).  The DMA controller also makes
 	sure that none of the other DMA channels are active or want to be
 	active and have a higher priority.  Once these checks are complete,
 	the DMA asks the CPU to release the bus so that the DMA may use the
 	bus.  The DMA requests the bus by asserting the HRQ signal which goes
 	to the CPU.</para>
 	  
       <para>The CPU detects the HRQ signal, and will complete executing the
 	current instruction.  Once the processor has reached a state where it
 	can release the bus, it will.  Now all of the signals normally
 	generated by the CPU (-MEMR, -MEMW, -IOR, -IOW and a few others) are
 	placed in a tri-stated condition (neither high or low) and then the
 	CPU asserts the HLDA signal which tells the DMA controller that it is
 	now in charge of the bus.</para>
 	  
       <para>Depending on the processor, the CPU may be able to execute a few
 	additional instructions now that it no longer has the bus, but the CPU
 	will eventually have to wait when it reaches an instruction that must
 	read something from memory that is not in the internal processor cache
 	or pipeline.</para>
 	  
       <para>Now that the DMA <quote>is in charge</quote>, the DMA activates its
 	-MEMR, -MEMW, -IOR, -IOW output signals, and the address outputs from
 	the DMA are set to 0x3456, which will be used to direct the byte that
 	is about to transferred to a specific memory location.</para>
 	  
       <para>The DMA will then let the device that requested the DMA transfer
 	know that the transfer is commencing.  This is done by asserting the
 	-DACK signal, or in the case of the floppy disk controller, -DACK2 is
 	asserted.</para>
 	  
       <para>The floppy disk controller is now responsible for placing the byte
 	to be transferred on the bus Data lines.  Unless the floppy controller
 	needs more time to get the data byte on the bus (and if the peripheral
 	does need more time it alerts the DMA via the READY signal), the DMA
 	will wait one DMA clock, and then de-assert the -MEMW and -IOR signals
 	so that the memory will latch and store the byte that was on the bus,
 	and the FDC will know that the byte has been transferred.</para>
 	  
       <para>Since the DMA cycle only transfers a single byte at a time, the
 	FDC now drops the DRQ2 signal, so the DMA knows that it is no longer
 	needed.  The DMA will de-assert the -DACK2 signal, so that the FDC
 	knows it must stop placing data on the bus.</para>
 	  
       <para>The DMA will now check to see if any of the other DMA channels
 	have any work to do.  If none of the channels have their DRQ lines
 	asserted, the DMA controller has completed its work and will now
 	tri-state the -MEMR, -MEMW, -IOR, -IOW and address signals.</para>
 	  
       <para>Finally, the DMA will de-assert the HRQ signal.  The CPU sees
 	this, and de-asserts the HOLDA signal.  Now the CPU activates its
 	-MEMR, -MEMW, -IOR, -IOW and address lines, and it resumes executing
 	instructions and accessing main memory and the peripherals.</para>
 	  
       <para>For a typical floppy disk sector, the above process is repeated
 	512 times, once for each byte.  Each time a byte is transferred, the
 	address register in the DMA is incremented and the counter in the DMA
 	that shows how many bytes are to be transferred is decremented.</para>
 	  
       <para>When the counter reaches zero, the DMA asserts the EOP signal,
 	which indicates that the counter has reached zero and no more data
 	will be transferred until the DMA controller is reprogrammed by the
 	CPU.  This event is also called the Terminal Count (TC). There is only
 	one EOP signal, and since only one DMA channel can be active at any
 	instant, the DMA channel that is currently active must be the DMA
 	channel that just completed its task.</para>
 	  
       <para>If a peripheral wants to generate an interrupt when the transfer
 	of a buffer is complete, it can test for its -DACKn signal and the EOP
 	signal both being asserted at the same time. When that happens, it
 	means the DMA will not transfer any more information for that
 	peripheral without intervention by the CPU. The peripheral can then
 	assert one of the interrupt signals to get the processors' attention.
 	In the PC architecture, the DMA chip itself is not capable of
 	generating an interrupt.  The peripheral and its associated hardware
 	is responsible for generating any interrupt that occurs.
 	Subsequently, it is possible to have a peripheral that uses DMA but
 	does not use interrupts.</para>
 	  
       <para>It is important to understand that although the CPU always
 	releases the bus to the DMA when the DMA makes the request, this
 	action is invisible to both applications and the operating system,
 	except for slight changes in the amount of time the processor takes to
 	execute instructions when the DMA is active. Subsequently, the
 	processor must poll the peripheral, poll the registers in the DMA
 	chip, or receive an interrupt from the peripheral to know for certain
 	when a DMA transfer has completed.</para>
     </sect2>
     
     <sect2>
       <title>DMA Page Registers and 16Meg address space limitations</title>
 	  
       <para>You may have noticed earlier that instead of the DMA setting the
 	address lines to 0x00123456 as we said earlier, the DMA only set
 	0x3456.  The reason for this takes a bit of explaining.</para>
 	  
       <para>When the original IBM PC was designed, IBM elected to use both DMA
 	and interrupt controller chips that were designed for use with the
 	8085, an 8-bit processor with an address space of 16 bits (64K).
 	Since the IBM PC supported more than 64K of memory, something had to
 	be done to allow the DMA to read or write memory locations above the
 	64K mark.  What IBM did to solve this problem was to add an external
 	data latch for each DMA channel that holds the upper bits of the
 	address to be read to or written from. Whenever a DMA channel is
 	active, the contents of that latch are written to the address bus and
 	kept there until the DMA operation for the channel ends.  IBM called
 	these latches <quote>Page Registers</quote>.</para>
 	  
       <para>So for our example above, the DMA would put the 0x3456 part of the
 	address on the bus, and the Page Register for DMA channel 2 would put
 	0x0012xxxx on the bus.  Together, these two values form the complete
 	address in memory that is to be accessed.</para>
 	  
       <para>Because the Page Register latch is independent of the DMA chip,
 	the area of memory to be read or written must not span a 64K physical
 	boundary.  For example, if the DMA accesses memory location 0xffff,
 	after that transfer the DMA will then increment the address register
 	and the DMA will access the next byte at location 0x0000, not 0x10000.
 	The results of letting this happen are probably not intended.</para>
 	  
       <note>
 	<para><quote>Physical</quote> 64K boundaries should not be confused
 	  with 8086-mode 64K <quote>Segments</quote>, which are created by
 	  mathematically adding a segment register with an offset register.
 	  Page Registers have no address overlap and are mathematically OR-ed
 	  together.</para>
       </note>
       
       <para>To further complicate matters, the external DMA address latches on
 	the PC/AT hold only eight bits, so that gives us 8+16=24 bits, which
 	means that the DMA can only point at memory locations between 0 and
 	16Meg.  For newer computers that allow more than 16Meg of memory, the
 	standard PC-compatible DMA cannot access memory locations above
 	16Meg.</para>
 	  
       <para>To get around this restriction, operating systems will reserve a
 	RAM buffer in an area below 16Meg that also does not span a physical
 	64K boundary.  Then the DMA will be programmed to transfer data from
 	the peripheral and into that buffer.  Once the DMA has moved the data
 	into this buffer, the operating system will then copy the data from
 	the buffer to the address where the data is really supposed to be
 	stored.</para>
 	  
       <para>When writing data from an address above 16Meg to a DMA-based
 	peripheral, the data must be first copied from where it resides into a
 	buffer located below 16Meg, and then the DMA can copy the data from
 	the buffer to the hardware.  In FreeBSD, these reserved buffers are
 	called <quote>Bounce Buffers</quote>.  In the &ms-dos; world, they are
 	sometimes called <quote>Smart Buffers</quote>.</para>
 	  
       <note>
 	<para>A new implementation of the 8237, called the 82374, allows 16
 	  bits of page register to be specified and enables access to the entire
 	  32 bit address space, without the use of bounce buffers.</para>
       </note>
     </sect2>
 
     <sect2>
       <title>DMA Operational Modes and Settings</title>
       
       <para>The 8237 DMA can be operated in several modes.  The main ones
 	are:</para>
 	  
       <variablelist>
 	<varlistentry>
 	  <term>Single</term>
 
 	  <listitem>
 	    <para>A single byte (or word) is transferred.  The DMA must
 	      release and re-acquire the bus for each additional byte. This is
 	      commonly-used by devices that cannot transfer the entire block
 	      of data immediately.  The peripheral will request the DMA each
 	      time it is ready for another transfer.</para>
 	    
 	    <para>The standard PC-compatible floppy disk controller (NEC 765)
 	      only has a one-byte buffer, so it uses this mode.</para>
 	  </listitem>
 	</varlistentry>
 
 	<varlistentry>
 	  <term>Block/Demand</term>
 		
 	  <listitem>
 	    <para>Once the DMA acquires the system bus, an entire block of
 	      data is transferred, up to a maximum of 64K.  If the peripheral
 	      needs additional time, it can assert the READY signal to suspend
 	      the transfer briefly.  READY should not be used excessively, and
 	      for slow peripheral transfers, the Single Transfer Mode should
 	      be used instead.</para>
 		  
 	    <para>The difference between Block and Demand is that once a Block
 	      transfer is started, it runs until the transfer count reaches
 	      zero.  DRQ only needs to be asserted until -DACK is asserted.
 	      Demand Mode will transfer one more bytes until DRQ is
 	      de-asserted, at which point the DMA suspends the transfer and
 	      releases the bus back to the CPU.  When DRQ is asserted later,
 	      the transfer resumes where it was suspended.</para>
 		  
 	    <para>Older hard disk controllers used Demand Mode until CPU
 	      speeds increased to the point that it was more efficient to
 	      transfer the data using the CPU, particularly if the memory
 	      locations used in the transfer were above the 16Meg mark.</para>
 	  </listitem>
 	</varlistentry>
 
 	<varlistentry>
 	  <term>Cascade</term>
 		
 	  <listitem>
 	    <para>This mechanism allows a DMA channel to request the bus, but
 	      then the attached peripheral device is responsible for placing
 	      the addressing information on the bus instead of the DMA.  This
 	      is also used to implement a technique known as <quote>Bus
 	      Mastering</quote>.</para>
 		  
 	    <para>When a DMA channel in Cascade Mode receives control of the
 	      bus, the DMA does not place addresses and I/O control signals on
 	      the bus like the DMA normally does when it is active.  Instead,
 	      the DMA only asserts the -DACK signal for the active DMA
 	      channel.</para>
 		  
 	    <para>At this point it is up to the peripheral connected to that
 	      DMA channel to provide address and bus control signals.  The
 	      peripheral has complete control over the system bus, and can do
 	      reads and/or writes to any address below 16Meg.  When the
 	      peripheral is finished with the bus, it de-asserts the DRQ line,
 	      and the DMA controller can then return control to the CPU or to
 	      some other DMA channel.</para>
 		  
 	    <para>Cascade Mode can be used to chain multiple DMA controllers
 	      together, and this is exactly what DMA Channel 4 is used for in
 	      the PC architecture.  When a peripheral requests the bus on DMA
 	      channels 0, 1, 2 or 3, the slave DMA controller asserts HLDREQ,
 	      but this wire is actually connected to DRQ4 on the primary DMA
 	      controller instead of to the CPU.  The primary DMA controller,
 	      thinking it has work to do on Channel 4, requests the bus from
 	      the CPU using HLDREQ signal.  Once the CPU grants the bus to the
 	      primary DMA controller, -DACK4 is asserted, and that wire is
 	      actually connected to the HLDA signal on the slave DMA
 	      controller.  The slave DMA controller then transfers data for
 	      the DMA channel that requested it (0, 1, 2 or 3), or the slave
 	      DMA may grant the bus to a peripheral that wants to perform its
 	      own bus-mastering, such as a SCSI controller.</para>
 		  
 	    <para>Because of this wiring arrangement, only DMA channels 0, 1,
 	      2, 3, 5, 6 and 7 are usable with peripherals on PC/AT
 	      systems.</para>
 	    
 	    <note>
 	      <para>DMA channel 0 was reserved for refresh operations in early
 		IBM PC computers, but is generally available for use by
 		peripherals in modern systems.</para>
 	    </note>
 	    
 	    <para>When a peripheral is performing Bus Mastering, it is
 	      important that the peripheral transmit data to or from memory
 	      constantly while it holds the system bus.  If the peripheral
 	      cannot do this, it must release the bus frequently so that the
 	      system can perform refresh operations on main memory.</para>
 		  
 	    <para>The Dynamic RAM used in all PCs for main memory must be
 	      accessed frequently to keep the bits stored in the components
 	      <quote>charged</quote>.  Dynamic RAM essentially consists of
 	      millions of capacitors with each one holding one bit of data.
 	      These capacitors are charged with power to represent a
 	      <literal>1</literal> or drained to represent a
 	      <literal>0</literal>.  Because all capacitors leak, power must
 	      be added at regular intervals to keep the <literal>1</literal>
 	      values intact.  The RAM chips actually handle the task of
 	      pumping power back into all of the appropriate locations in RAM,
 	      but they must be told when to do it by the rest of the computer
 	      so that the refresh activity will not interfere with the computer
 	      wanting to access RAM normally.  If the computer is unable to
 	      refresh memory, the contents of memory will become corrupted in
 	      just a few milliseconds.</para>
 		  
 	    <para>Since memory read and write cycles <quote>count</quote> as
 	      refresh cycles (a dynamic RAM refresh cycle is actually an
 	      incomplete memory read cycle), as long as the peripheral
 	      controller continues reading or writing data to sequential
 	      memory locations, that action will refresh all of memory.</para>
 		  
 	    <para>Bus-mastering is found in some SCSI host interfaces and
 	      other high-performance peripheral controllers.</para>
 	  </listitem>
 	</varlistentry>
 
 	<varlistentry>
 	  <term>Autoinitialize</term>
 	  
 	  <listitem>
 	    <para>This mode causes the DMA to perform Byte, Block or Demand
 	      transfers, but when the DMA transfer counter reaches zero, the
 	      counter and address are set back to where they were when the DMA
 	      channel was originally programmed.  This means that as long as
 	      the peripheral requests transfers, they will be granted.  It is
 	      up to the CPU to move new data into the fixed buffer ahead of
 	      where the DMA is about to transfer it when doing output
 	      operations, and to read new data out of the buffer behind where the
 	      DMA is writing when doing input operations.</para>
 		  
 	    <para>This technique is frequently used on audio devices that have
 	      small or no hardware <quote>sample</quote> buffers.  There is
 	      additional CPU overhead to manage this <quote>circular</quote>
 	      buffer, but in some cases this may be the only way to eliminate
 	      the latency that occurs when the DMA counter reaches zero and
 	      the DMA stops transfers until it is reprogrammed.</para>
 	  </listitem>
 	</varlistentry>
       </variablelist>
     </sect2>
 
     <sect2>
       <title>Programming the DMA</title>
       
       <para>The DMA channel that is to be programmed should always be
 	<quote>masked</quote> before loading any settings.  This is because the
 	hardware might unexpectedly assert the DRQ for that channel, and the
 	DMA might respond, even though not all of the parameters have been
 	loaded or updated.</para>
 	  
       <para>Once masked, the host must specify the direction of the transfer
 	(memory-to-I/O or I/O-to-memory), what mode of DMA operation is to be
 	used for the transfer (Single, Block, Demand, Cascade, etc), and
 	finally the address and length of the transfer are loaded.  The length
 	that is loaded is one less than the amount you expect the DMA to
 	transfer.  The LSB and MSB of the address and length are written to
 	the same 8-bit I/O port, so another port must be written to first to
 	guarantee that the DMA accepts the first byte as the LSB and the
 	second byte as the MSB of the length and address.</para>
 	  
       <para>Then, be sure to update the Page Register, which is external to
 	the DMA and is accessed through a different set of I/O ports.</para>
 	  
       <para>Once all the settings are ready, the DMA channel can be un-masked.
 	That DMA channel is now considered to be <quote>armed</quote>, and will
 	respond when the DRQ line for that channel is asserted.</para>
 	  
       <para>Refer to a hardware data book for precise programming details for
 	the 8237.  You will also need to refer to the I/O port map for the PC
 	system, which describes where the DMA and Page Register ports are
 	located.  A complete port map table is located below.</para>
     </sect2>
 
     <sect2>
       <title>DMA Port Map</title>
       
       <para>All systems based on the IBM-PC and PC/AT have the DMA hardware
 	located at the same I/O ports.  The complete list is provided below.
 	Ports assigned to DMA Controller #2 are undefined on non-AT
 	designs.</para>
 	  
       <sect3>
 	<title>0x00&ndash;0x1f DMA Controller #1 (Channels 0, 1, 2 and
 	  3)</title>
 	    
 	<para>DMA Address and Count Registers</para>
 
-	<informaltable frame="none">
+	<informaltable frame="none" pgwide="1">
 	  <tgroup cols="3">
 	    <tbody>
 	      <row>
 		<entry>0x00</entry>
 		<entry>write</entry>
 		<entry>Channel 0 starting address</entry>
 	      </row>
 	      
 	      <row>
 		<entry>0x00</entry>
 		<entry>read</entry>
 		<entry>Channel 0 current address</entry>
 	      </row>
 	      
 	      <row>
 		<entry>0x01</entry>
 		<entry>write</entry>
 		<entry>Channel 0 starting word count</entry>
 	      </row>
 	      
 	      <row>
 		<entry>0x01</entry>
 		<entry>read</entry>
 		<entry>Channel 0 remaining word count</entry>
 	      </row>
 	      
 	      <row>
 		<entry>0x02</entry>
 		<entry>write</entry>
 		<entry>Channel 1 starting address</entry>
 	      </row>
 	      
 	      <row>
 		<entry>0x02</entry>
 		<entry>read</entry>
 		<entry>Channel 1 current address</entry>
 	      </row>
 	      
 	      <row>
 		<entry>0x03</entry>
 		<entry>write</entry>
 		<entry>Channel 1 starting word count</entry>
 	      </row>
 	      
 	      <row>
 		<entry>0x03</entry>
 		<entry>read</entry>
 		<entry>Channel 1 remaining word count</entry>
 	      </row>
 	      
 	      <row>
 		<entry>0x04</entry>
 		<entry>write</entry>
 		<entry>Channel 2 starting address</entry>
 	      </row>
 	      
 	      <row>
 		<entry>0x04</entry>
 		<entry>read</entry>
 		<entry>Channel 2 current address</entry>
 	      </row>
 	      
 	      <row>
 		<entry>0x05</entry>
 		<entry>write</entry>
 		<entry>Channel 2 starting word count</entry>
 	      </row>
 	      
 	      <row>
 		<entry>0x05</entry>
 		<entry>read</entry>
 		<entry>Channel 2 remaining word count</entry>
 	      </row>
 	      
 	      <row>
 		<entry>0x06</entry>
 		<entry>write</entry>
 		<entry>Channel 3 starting address</entry>
 	      </row>
 	      
 	      <row>
 		<entry>0x06</entry>
 		<entry>read</entry>
 		<entry>Channel 3 current address</entry>
 	      </row>
 	      
 	      <row>
 		<entry>0x07</entry>
 		<entry>write</entry>
 		<entry>Channel 3 starting word count</entry>
 	      </row>
 	      
 	      <row>
 		<entry>0x07</entry>
 		<entry>read</entry>
 		<entry>Channel 3 remaining word count</entry>
 	      </row>		  
 	    </tbody>
 	  </tgroup>
 	</informaltable>
 
 	<para>DMA Command Registers</para>
 
-	<informaltable frame="none">
+	<informaltable frame="none" pgwide="1">
 	  <tgroup cols="3">
 	    <tbody>
 	      <row>
 		<entry>0x08</entry>
 		<entry>write</entry>
 		<entry>Command Register</entry>
 	      </row>
 	      
 	      <row>
 		<entry>0x08</entry>
 		<entry>read</entry>
 		<entry>Status Register</entry>
 	      </row>
 	      
 	      <row>
 		<entry>0x09</entry>
 		<entry>write</entry>
 		<entry>Request Register</entry>
 	      </row>
 	      
 	      <row>
 		<entry>0x09</entry>
 		<entry>read</entry>
 		<entry>-</entry>
 	      </row>
 	      
 	      <row>
 		<entry>0x0a</entry>
 		<entry>write</entry>
 		<entry>Single Mask Register Bit</entry>
 	      </row>
 	      
 	      <row>
 		<entry>0x0a</entry>
 		<entry>read</entry>
 		<entry>-</entry>
 	      </row>
 	      
 	      <row>
 		<entry>0x0b</entry>
 		<entry>write</entry>
 		<entry>Mode Register</entry>
 	      </row>
 	      
 	      <row>
 		<entry>0x0b</entry>
 		<entry>read</entry>
 		<entry>-</entry>
 	      </row>
 	      
 	      <row>
 		<entry>0x0c</entry>
 		<entry>write</entry>
 		<entry>Clear LSB/MSB Flip-Flop</entry>
 	      </row>
 	      
 	      <row>
 		<entry>0x0c</entry>
 		<entry>read</entry>
 		<entry>-</entry>
 	      </row>
 	      
 	      <row>
 		<entry>0x0d</entry>
 		<entry>write</entry>
 		<entry>Master Clear/Reset</entry>
 	      </row>
 	      
 	      <row>
 		<entry>0x0d</entry>
 		<entry>read</entry>
 		<entry>Temporary Register (not available on newer
 		  versions)</entry>
 	      </row>
 	      <row>
 		<entry>0x0e</entry>
 		<entry>write</entry>
 		<entry>Clear Mask Register</entry>
 	      </row>
 	      
 	      <row>
 		<entry>0x0e</entry>
 		<entry>read</entry>
 		<entry>-</entry>
 	      </row>
 	      
 	      <row>
 		<entry>0x0f</entry>
 		<entry>write</entry>
 		<entry>Write All Mask Register Bits</entry>
 	      </row>
 	      
 	      <row>
 		<entry>0x0f</entry>
 		<entry>read</entry>
 		<entry>Read All Mask Register Bits (only in &intel;
 		  82374)</entry>
 	      </row>
 	    </tbody>
 	  </tgroup>
 	</informaltable>
       </sect3>
       
       <sect3>
 	<title>0xc0&ndash;0xdf DMA Controller #2 (Channels 4, 5, 6 and
 	  7)</title>
 
 	<para>DMA Address and Count Registers</para>
 
-	<informaltable frame="none">
+	<informaltable frame="none" pgwide="1">
 	  <tgroup cols="3">
 	    <tbody>
 	      <row>
 		<entry>0xc0</entry>
 		<entry>write</entry>
 		<entry>Channel 4 starting address</entry>
 	      </row>
 	      
 	      <row>
 		<entry>0xc0</entry>
 		<entry>read</entry>
 		<entry>Channel 4 current address</entry>
 	      </row>
 	      
 	      <row>
 		<entry>0xc2</entry>
 		<entry>write</entry>
 		<entry>Channel 4 starting word count</entry>
 	      </row>
 	      
 	      <row>
 		<entry>0xc2</entry>
 		<entry>read</entry>
 		<entry>Channel 4 remaining word count</entry>
 	      </row>
 	      
 	      <row>
 		<entry>0xc4</entry>
 		<entry>write</entry>
 		<entry>Channel 5 starting address</entry>
 	      </row>
 	      
 	      <row>
 		<entry>0xc4</entry>
 		<entry>read</entry>
 		<entry>Channel 5 current address</entry>
 	      </row>
 	      
 	      <row>
 		<entry>0xc6</entry>
 		<entry>write</entry>
 		<entry>Channel 5 starting word count</entry>
 	      </row>
 	      
 	      <row>
 		<entry>0xc6</entry>
 		<entry>read</entry>
 		<entry>Channel 5 remaining word count</entry>
 	      </row>
 	      
 	      <row>
 		<entry>0xc8</entry>
 		<entry>write</entry>
 		<entry>Channel 6 starting address</entry>
 	      </row>
 	      
 	      <row>
 		<entry>0xc8</entry>
 		<entry>read</entry>
 		<entry>Channel 6 current address</entry>
 	      </row>
 	      
 	      <row>
 		<entry>0xca</entry>
 		<entry>write</entry>
 		<entry>Channel 6 starting word count</entry>
 	      </row>
 	      
 	      <row>
 		<entry>0xca</entry>
 		<entry>read</entry>
 		<entry>Channel 6 remaining word count</entry>
 	      </row>
 	      
 	      <row>
 		<entry>0xcc</entry>
 		<entry>write</entry>
 		<entry>Channel 7 starting address</entry>
 	      </row>
 	      
 	      <row>
 		<entry>0xcc</entry>
 		<entry>read</entry>
 		<entry>Channel 7 current address</entry>
 	      </row>
 	      
 	      <row>
 		<entry>0xce</entry>
 		<entry>write</entry>
 		<entry>Channel 7 starting word count</entry>
 	      </row>
 	      
 	      <row>
 		<entry>0xce</entry>
 		<entry>read</entry>
 		<entry>Channel 7 remaining word count</entry>
 	      </row>		  
 	    </tbody>
 	  </tgroup>
 	</informaltable>
 
 	<para>DMA Command Registers</para>
 
-	<informaltable frame="none">
+	<informaltable frame="none" pgwide="1">
 	  <tgroup cols="3">
 	    <tbody>
 	      <row>
 		<entry>0xd0</entry>
 		<entry>write</entry>
 		<entry>Command Register</entry>
 	      </row>
 	      
 	      <row>
 		<entry>0xd0</entry>
 		<entry>read</entry>
 		<entry>Status Register</entry>
 	      </row>
 	      
 	      <row>
 		<entry>0xd2</entry>
 		<entry>write</entry>
 		<entry>Request Register</entry>
 	      </row>
 	      
 	      <row>
 		<entry>0xd2</entry>
 		<entry>read</entry>
 		<entry>-</entry>
 	      </row>
 	      
 	      <row>
 		<entry>0xd4</entry>
 		<entry>write</entry>
 		<entry>Single Mask Register Bit</entry>
 	      </row>
 	      
 	      <row>
 		<entry>0xd4</entry>
 		<entry>read</entry>
 		<entry>-</entry>
 	      </row>
 	      
 	      <row>
 		<entry>0xd6</entry>
 		<entry>write</entry>
 		<entry>Mode Register</entry>
 	      </row>
 	      
 	      <row>
 		<entry>0xd6</entry>
 		<entry>read</entry>
 		<entry>-</entry>
 	      </row>
 	      
 	      <row>
 		<entry>0xd8</entry>
 		<entry>write</entry>
 		<entry>Clear LSB/MSB Flip-Flop</entry>
 	      </row>
 	      
 	      <row>
 		<entry>0xd8</entry>
 		<entry>read</entry>
 		<entry>-</entry>
 	      </row>
     
 
 	      
 	      <row>
 		<entry>0xda</entry>
 		<entry>write</entry>
 		<entry>Master Clear/Reset</entry>
 	      </row>
 	      
 	      <row>
 		<entry>0xda</entry>
 		<entry>read</entry>
 		<entry>Temporary Register (not present in &intel;
 		  82374)</entry>
 	      </row>
 	      
 	      <row>
 		<entry>0xdc</entry>
 		<entry>write</entry>
 		<entry>Clear Mask Register</entry>
 	      </row>
 	      
 	      <row>
 		<entry>0xdc</entry>
 		<entry>read</entry>
 		<entry>-</entry>
 	      </row>
 	      
 	      <row>
 		<entry>0xde</entry>
 		<entry>write</entry>
 		<entry>Write All Mask Register Bits</entry>
 	      </row>
 	      
 	      <row>
 		<entry>0xdf</entry>
 		<entry>read</entry>
 		<entry>Read All Mask Register Bits (only in &intel;
 		  82374)</entry>
 	      </row>
 	    </tbody>
 	  </tgroup>
 	</informaltable>
       </sect3>
       
       <sect3>
 	<title>0x80&ndash;0x9f DMA Page Registers</title>
 
-	<informaltable frame="none">
+	<informaltable frame="none" pgwide="1">
 	  <tgroup cols="3">
 	    <tbody>
 	      <row>
 		<entry>0x87</entry>
 		<entry>r/w</entry>
 		<entry>Channel 0 Low byte (23-16) page Register</entry>
 	      </row>
 	      
 	      <row>
 		<entry>0x83</entry>
 		<entry>r/w</entry>
 		<entry>Channel 1 Low byte (23-16) page Register</entry>
 	      </row>
 	      
 	      <row>
 		<entry>0x81</entry>
 		<entry>r/w</entry>
 		<entry>Channel 2 Low byte (23-16) page Register</entry>
 	      </row>
 	      
 	      <row>
 		<entry>0x82</entry>
 		<entry>r/w</entry>
 		<entry>Channel 3 Low byte (23-16) page Register</entry>
 	      </row>
 	      
 	      <row>
 		<entry>0x8b</entry>
 		<entry>r/w</entry>
 		<entry>Channel 5 Low byte (23-16) page Register</entry>
 	      </row>
 	      
 	      <row>
 		<entry>0x89</entry>
 		<entry>r/w</entry>
 		<entry>Channel 6 Low byte (23-16) page Register</entry>
 	      </row>
 	      
 	      <row>
 		<entry>0x8a</entry>
 		<entry>r/w</entry>
 		<entry>Channel 7 Low byte (23-16) page Register</entry>
 	      </row>
 	      
 	      <row>
 		<entry>0x8f</entry>
 		<entry>r/w</entry>
 		<entry>Low byte page Refresh</entry>
 	      </row>
 	    </tbody>
 	  </tgroup>
 	</informaltable>
       </sect3>
       
       <sect3>
 	<title>0x400&ndash;0x4ff 82374 Enhanced DMA Registers</title>
 
 	<para>The &intel; 82374 EISA System Component (ESC) was introduced in
 	  early 1996 and includes a DMA controller that provides a superset of
 	  8237 functionality as well as other PC-compatible core peripheral
 	  components in a single package.  This chip is targeted at both EISA
 	  and PCI platforms, and provides modern DMA features like
 	  scatter-gather, ring buffers as well as direct access by the system
 	  DMA to all 32 bits of address space.</para>
 	    
 	<para>If these features are used, code should also be included to
 	  provide similar functionality in the previous 16 years worth of
 	  PC-compatible computers.  For compatibility reasons, some of the
 	  82374 registers must be programmed <emphasis>after</emphasis>
 	  programming the traditional 8237 registers for each  transfer.
 	  Writing to a traditional 8237 register forces the contents of some
 	  of the 82374 enhanced registers to zero to provide backward software
 	  compatibility.</para>
 
-	<informaltable frame="none">
+	<informaltable frame="none" pgwide="1">
 	  <tgroup cols="3">
 	    <tbody>
 	      <row>
 		<entry>0x401</entry>
 		<entry>r/w</entry>
 		<entry>Channel 0 High byte (bits 23-16) word count</entry>
 	      </row>
 	      
 	      <row>
 		<entry>0x403</entry>
 		<entry>r/w</entry>
 		<entry>Channel 1 High byte (bits 23-16) word count</entry>
 	      </row>
 	      
 	      <row>
 		<entry>0x405</entry>
 		<entry>r/w</entry>
 		<entry>Channel 2 High byte (bits 23-16) word count</entry>
 	      </row>
 	      
 	      <row>
 		<entry>0x407</entry>
 		<entry>r/w</entry>
 		<entry>Channel 3 High byte (bits 23-16) word count</entry>
 	      </row>
 	      
 	      <row>
 		<entry>0x4c6</entry>
 		<entry>r/w</entry>
 		<entry>Channel 5 High byte (bits 23-16) word count</entry>
 	      </row>
 	      
 	      <row>
 		<entry>0x4ca</entry>
 		<entry>r/w</entry>
 		<entry>Channel 6 High byte (bits 23-16) word count</entry>
 	      </row>
 	      
 	      <row>
 		<entry>0x4ce</entry>
 		<entry>r/w</entry>
 		<entry>Channel 7 High byte (bits 23-16) word count</entry>
 	      </row>
 	      
 	      <row>
 		<entry>0x487</entry>
 		<entry>r/w</entry>
 		<entry>Channel 0 High byte (bits 31-24) page Register</entry>
 	      </row>
 	      
 	      <row>
 		<entry>0x483</entry>
 		<entry>r/w</entry>
 		<entry>Channel 1 High byte (bits 31-24) page Register</entry>
 	      </row>
 	      
 	      <row>
 		<entry>0x481</entry>
 		<entry>r/w</entry>
 		<entry>Channel 2 High byte (bits 31-24) page Register</entry>
 	      </row>
 	      
 	      <row>
 		<entry>0x482</entry>
 		<entry>r/w</entry>
 		<entry>Channel 3 High byte (bits 31-24) page Register</entry>
 	      </row>
 	      
 	      <row>
 		<entry>0x48b</entry>
 		<entry>r/w</entry>
 		<entry>Channel 5 High byte (bits 31-24) page Register</entry>
 	      </row>
 	      
 	      <row>
 		<entry>0x489</entry>
 		<entry>r/w</entry>
 		<entry>Channel 6 High byte (bits 31-24) page Register</entry>
 	      </row>
 	      
 	      <row>
 		<entry>0x48a</entry>
 		<entry>r/w</entry>
 		<entry>Channel 6 High byte (bits 31-24) page Register</entry>
 	      </row>
 	      
 	      <row>
 		<entry>0x48f</entry>
 		<entry>r/w</entry>
 		<entry>High byte page Refresh</entry>
 	      </row>
 	      
 	      <row>
 		<entry>0x4e0</entry>
 		<entry>r/w</entry>
 		<entry>Channel 0 Stop Register (bits 7-2)</entry>
 	      </row>
 	      
 	      <row>
 		<entry>0x4e1</entry>
 		<entry>r/w</entry>
 		<entry>Channel 0 Stop Register (bits 15-8)</entry>
 	      </row>
 	      
 	      <row>
 		<entry>0x4e2</entry>
 		<entry>r/w</entry>
 		<entry>Channel 0 Stop Register (bits 23-16)</entry>
 	      </row>
 	      
 	      <row>
 		<entry>0x4e4</entry>
 		<entry>r/w</entry>
 		<entry>Channel 1 Stop Register (bits 7-2)</entry>
 	      </row>
 	      
 	      <row>
 		<entry>0x4e5</entry>
 		<entry>r/w</entry>
 		<entry>Channel 1 Stop Register (bits 15-8)</entry>
 	      </row>
 	      
 	      <row>
 		<entry>0x4e6</entry>
 		<entry>r/w</entry>
 		<entry>Channel 1 Stop Register (bits 23-16)</entry>
 	      </row>
 	      
 	      <row>
 		<entry>0x4e8</entry>
 		<entry>r/w</entry>
 		<entry>Channel 2 Stop Register (bits 7-2)</entry>
 	      </row>
 	      
 	      <row>
 		<entry>0x4e9</entry>
 		<entry>r/w</entry>
 		<entry>Channel 2 Stop Register (bits 15-8)</entry>
 	      </row>
 	      
 	      <row>
 		<entry>0x4ea</entry>
 		<entry>r/w</entry>
 		<entry>Channel 2 Stop Register (bits 23-16)</entry>
 	      </row>
 	      
 	      <row>
 		<entry>0x4ec</entry>
 		<entry>r/w</entry>
 		<entry>Channel 3 Stop Register (bits 7-2)</entry>
 	      </row>
 	      
 	      <row>
 		<entry>0x4ed</entry>
 		<entry>r/w</entry>
 		<entry>Channel 3 Stop Register (bits 15-8)</entry>
 	      </row>
 	      
 	      <row>
 		<entry>0x4ee</entry>
 		<entry>r/w</entry>
 		<entry>Channel 3 Stop Register (bits 23-16)</entry>
 	      </row>
 	      
 	      <row>
 		<entry>0x4f4</entry>
 		<entry>r/w</entry>
 		<entry>Channel 5 Stop Register (bits 7-2)</entry>
 	      </row>
 	      
 	      <row>
 		<entry>0x4f5</entry>
 		<entry>r/w</entry>
 		<entry>Channel 5 Stop Register (bits 15-8)</entry>
 	      </row>
 	      
 	      <row>
 		<entry>0x4f6</entry>
 		<entry>r/w</entry>
 		<entry>Channel 5 Stop Register (bits 23-16)</entry>
 	      </row>
 	      
 	      <row>
 		<entry>0x4f8</entry>
 		<entry>r/w</entry>
 		<entry>Channel 6 Stop Register (bits 7-2)</entry>
 	      </row>
 	      
 	      <row>
 		<entry>0x4f9</entry>
 		<entry>r/w</entry>
 		<entry>Channel 6 Stop Register (bits 15-8)</entry>
 	      </row>
 
 	      <row>
 		<entry>0x4fa</entry>
 		<entry>r/w</entry>
 		<entry>Channel 6 Stop Register (bits 23-16)</entry>
 	      </row>
 	      
 	      <row>
 		<entry>0x4fc</entry>
 		<entry>r/w</entry>
 		<entry>Channel 7 Stop Register (bits 7-2)</entry>
 	      </row>
 	      
 	      <row>
 		<entry>0x4fd</entry>
 		<entry>r/w</entry>
 		<entry>Channel 7 Stop Register (bits 15-8)</entry>
 	      </row>
 	      
 	      <row>
 		<entry>0x4fe</entry>
 		<entry>r/w</entry>
 		<entry>Channel 7 Stop Register (bits 23-16)</entry>
 	      </row>
 	      
 	      <row>
 		<entry>0x40a</entry>
 		<entry>write</entry>
 		<entry>Channels 0-3 Chaining Mode Register</entry>
 	      </row>
 	      
 	      <row>
 		<entry>0x40a</entry>
 		<entry>read</entry>
 		<entry>Channel Interrupt Status Register</entry>
 	      </row>
 	      
 	      <row>
 		<entry>0x4d4</entry>
 		<entry>write</entry>
 		<entry>Channels 4-7 Chaining Mode Register</entry>
 	      </row>
 	      
 	      <row>
 		<entry>0x4d4</entry>
 		<entry>read</entry>
 		<entry>Chaining Mode Status</entry>
 	      </row>
 	      
 	      <row>
 		<entry>0x40c</entry>
 		<entry>read</entry>
 		<entry>Chain Buffer Expiration Control Register</entry>
 	      </row>
 	      
 	      <row>
 		<entry>0x410</entry>
 		<entry>write</entry>
 		<entry>Channel 0 Scatter-Gather Command Register</entry>
 	      </row>
 	      
 	      <row>
 		<entry>0x411</entry>
 		<entry>write</entry>
 		<entry>Channel 1 Scatter-Gather Command Register</entry>
 	      </row>
 	      
 	      <row>
 		<entry>0x412</entry>
 		<entry>write</entry>
 		<entry>Channel 2 Scatter-Gather Command Register</entry>
 	      </row>
 	      
 	      <row>
 		<entry>0x413</entry>
 		<entry>write</entry>
 		<entry>Channel 3 Scatter-Gather Command Register</entry>
 	      </row>
 	      
 	      <row>
 		<entry>0x415</entry>
 		<entry>write</entry>
 		<entry>Channel 5 Scatter-Gather Command Register</entry>
 	      </row>
 	      
 	      <row>
 		<entry>0x416</entry>
 		<entry>write</entry>
 		<entry>Channel 6 Scatter-Gather Command Register</entry>
 	      </row>
 	      
 	      <row>
 		<entry>0x417</entry>
 		<entry>write</entry>
 		<entry>Channel 7 Scatter-Gather Command Register</entry>
 	      </row>
 	      
 	      <row>
 		<entry>0x418</entry>
 		<entry>read</entry>
 		<entry>Channel 0 Scatter-Gather Status Register</entry>
 	      </row>
 	      
 	      <row>
 		<entry>0x419</entry>
 		<entry>read</entry>
 		<entry>Channel 1 Scatter-Gather Status Register</entry>
 	      </row>
 	      
 	      <row>
 		<entry>0x41a</entry>
 		<entry>read</entry>
 		<entry>Channel 2 Scatter-Gather Status Register</entry>
 	      </row>
 	      
 	      <row>
 		<entry>0x41b</entry>
 		<entry>read</entry>
 		<entry>Channel 3 Scatter-Gather Status Register</entry>
 	      </row>
 	      
 	      <row>
 		<entry>0x41d</entry>
 		<entry>read</entry>
 		<entry>Channel 5 Scatter-Gather Status Register</entry>
 	      </row>
 	      
 	      <row>
 		<entry>0x41e</entry>
 		<entry>read</entry>
 		<entry>Channel 5 Scatter-Gather Status Register</entry>
 	      </row>
 	      
 	      <row>
 		<entry>0x41f</entry>
 		<entry>read</entry>
 		<entry>Channel 7 Scatter-Gather Status Register</entry>
 	      </row>
 	      
 	      <row>
 		<entry>0x420-0x423</entry>
 		<entry>r/w</entry>
 		<entry>Channel 0 Scatter-Gather Descriptor Table Pointer
 		  Register</entry>
 	      </row>
 	      
 	      <row>
 		<entry>0x424-0x427</entry>
 		<entry>r/w</entry>
 		<entry>Channel 1 Scatter-Gather Descriptor Table Pointer
 		  Register</entry>
 	      </row>
 	      
 	      <row>
 		<entry>0x428-0x42b</entry>
 		<entry>r/w</entry>
 		<entry>Channel 2 Scatter-Gather Descriptor Table Pointer
 		  Register</entry>
 	      </row>
 	      
 	      <row>
 		<entry>0x42c-0x42f</entry>
 		<entry>r/w</entry>
 		<entry>Channel 3 Scatter-Gather Descriptor Table Pointer
 		  Register</entry>
 	      </row>
 	      
 	      <row>
 		<entry>0x434-0x437</entry>
 		<entry>r/w</entry>
 		<entry>Channel 5 Scatter-Gather Descriptor Table Pointer
 		  Register</entry>
 	      </row>
 	      
 	      <row>
 		<entry>0x438-0x43b</entry>
 		<entry>r/w</entry>
 		<entry>Channel 6 Scatter-Gather Descriptor Table Pointer
 		  Register</entry>
 	      </row>
 	      
 	      <row>
 		<entry>0x43c-0x43f</entry>
 		<entry>r/w</entry>
 		<entry>Channel 7 Scatter-Gather Descriptor Table Pointer
 		  Register</entry>
 	      </row>
 	    </tbody>
 	  </tgroup>
 	</informaltable>
       </sect3>
     </sect2>
   </sect1>
 
 </chapter>
diff --git a/en_US.ISO8859-1/books/developers-handbook/introduction/chapter.sgml b/en_US.ISO8859-1/books/developers-handbook/introduction/chapter.sgml
index 7cc9e29cdb..9086d21bff 100644
--- a/en_US.ISO8859-1/books/developers-handbook/introduction/chapter.sgml
+++ b/en_US.ISO8859-1/books/developers-handbook/introduction/chapter.sgml
@@ -1,226 +1,226 @@
 <!--
      The FreeBSD Documentation Project
 
      $FreeBSD$
 -->
 
 <chapter id="introduction">
   <chapterinfo>
     <authorgroup>
       <author>
         <firstname>Murray</firstname>
         <surname>Stokely</surname>
         <contrib>Contributed by </contrib>
       </author>
       <author>
         <firstname>Jeroen</firstname>
         <surname>Ruigrok van der Werven</surname>
       </author>
     </authorgroup>
   </chapterinfo>
   <title>Introduction</title>
 
   <sect1 id="introduction-devel">
     <title>Developing on FreeBSD</title>
 
     <para>So here we are.  System all installed and you are ready to
       start programming.  But where to start?  What does FreeBSD
       provide?  What can it do for me, as a programmer?</para>
 
     <para>These are some questions which this chapter tries to answer.
       Of course, programming has different levels of proficiency like
       any other trade.  For some it is a hobby, for others it is their
       profession.  The information in this chapter might be more aimed
       towards the beginning programmer, but may also serve to be
       useful for the programmer taking her first steps on the FreeBSD
       platform.</para>      
 
   </sect1>
 
   <sect1 id="introduction-bsdvision">
     <title>The BSD Vision</title>
 
     <para>To produce the best &unix; like operating system package
       possible, with due respect to the original software tools
       ideology as well as usability, performance and
       stability.</para>
   </sect1>
  
   <sect1 id="introduction-archguide">
     <title>Architectural Guidelines</title>
 
     <para>Our ideology can be described by the following
     guidelines</para>
 
     <itemizedlist>
 
       <listitem><para>Do not add new functionality unless an
         implementor cannot complete a real application without
         it.</para></listitem>
 
       <listitem><para>It is as important to decide what a system is
         not as to decide what it is. Do not serve all the world's
         needs; rather, make the system extensible so that additional
         needs can be met in an upwardly compatible
         fashion.</para></listitem>
 
       <listitem><para>The only thing worse than generalizing from one
         example is generalizing from no examples at
         all. </para></listitem>
 
       <listitem><para>If a problem is not completely understood, it is
         probably best to provide no solution at all.</para></listitem>
 
       <listitem><para>If you can get 90 percent of the desired effect
         for 10 percent of the work, use the simpler
         solution.</para></listitem>
 
       <listitem><para>Isolate complexity as much as
         possible.</para></listitem>
 
       <listitem><para>Provide mechanism, rather than policy. In
         particular, place user interface policy in the client's
         hands.</para></listitem>
 
      </itemizedlist>
 
      <para>From Scheifler & Gettys: "X Window System"</para>
 
   </sect1>
 
   <sect1 id="introduction-layout">
     <title>The Layout of 
       <filename class="directory">/usr/src</filename></title>
 
     <para>The complete source code to FreeBSD is available from our
       public CVS repository.  The source code is normally installed in
       <filename class=directory>/usr/src</filename> which contains the
       following subdirectories:</para>
 
     <para>
-      <informaltable frame="none">
+      <informaltable frame="none" pgwide="1">
         <tgroup cols="2">
 	  <thead>
 	    <row>
 	      <entry>Directory</entry>
 	      <entry>Description</entry>
 	    </row>
 	  </thead>
 	  
 	  <tbody>
 	    <row>
 	    <entry><filename class=directory>bin/</filename></entry>
             <entry>Source for files in
             <filename>/bin</filename></entry>
 	    </row>
 	    
 	    <row>
 	    <entry><filename class=directory>contrib/</filename></entry>
 	    <entry>Source for files from contributed software.</entry>
 	    </row>
 
 	    <row>
 	    <entry><filename class=directory>crypto/</filename></entry>
 	    <entry>Cryptographical sources</entry>
 	    </row>
 
 	    <row>
 	    <entry><filename class=directory>etc/</filename></entry>
 	    <entry>Source for files in <filename
 	    class=directory>/etc</filename></entry>
 	    </row>
 
 	    <row>
 	    <entry><filename class=directory>games/</filename></entry>
 	    <entry>Source for files in <filename
 	    class=directory>/usr/games</filename></entry>
 	    </row>
 
 	    <row>
 	    <entry><filename class=directory>gnu/</filename></entry>
 	    <entry>Utilities covered by the GNU Public License</entry>
 	    </row>
 
 	    <row>
 	    <entry><filename class=directory>include/</filename></entry>
             <entry>Source for files in <filename
             class=directory>/usr/include</filename></entry>
 	    </row>
 
 	    <row>
 	    <entry><filename
  class=directory>kerberosIV/</filename></entry>
             <entry>Source for Kerberos version IV</entry>
 	    </row>
 
 	    <row>
 	    <entry><filename
  class=directory>kerberos5/</filename></entry>
             <entry>Source for Kerberos version 5</entry>
 	    </row>
 
 	    <row>
 	    <entry><filename class=directory>lib/</filename></entry>
 	    <entry>Source for files in <filename
 	    class=directory>/usr/lib</filename></entry>
 	    </row>
 	    
 	    <row>
 	    <entry><filename class=directory>libexec/</filename></entry>
 	    <entry>Source for files in <filename
 	    class=directory>/usr/libexec</filename></entry>
 	    </row>
 	    
 	    <row>
 	    <entry><filename
  class=directory>release/</filename></entry>
             <entry>Files required to produce a FreeBSD release</entry>
 	    </row>
 
 	    <row>
 	    <entry><filename class=directory>sbin/</filename></entry>
 	    <entry>Source for files in <filename
 	    class=directory>/sbin</filename></entry>
 	    </row>
 
 	    <row>
 	    <entry><filename class=directory>secure/</filename></entry>
 	    <entry>FreeSec sources</entry>
 	    </row>
 
 	    <row>
 	    <entry><filename class=directory>share/</filename></entry>
 	    <entry>Source for files in <filename
 	    class=directory>/usr/share</filename></entry>
 	    </row>
 
 	    <row>
 	    <entry><filename class=directory>sys/</filename></entry>
 	    <entry>Kernel source files</entry>
 	    </row>
 
 	    <row>
 	    <entry><filename class=directory>tools/</filename></entry>
 	    <entry>Tools used for maintenance and testing of
 	    FreeBSD</entry>
 	    </row>
 
 	    <row>
 	    <entry><filename
  class=directory>usr.bin/</filename></entry>
             <entry>Source for files in <filename
  class=directory>/usr/bin</filename></entry>
             </row>
 
 	    <row>
 	    <entry><filename
  class=directory>usr.sbin/</filename></entry>
             <entry>Source for files in <filename
  class=directory>/usr/sbin</filename></entry>
             </row>
           </tbody>
 	</tgroup>
       </informaltable>
     </para>
   </sect1>
 </chapter>
diff --git a/en_US.ISO8859-1/books/developers-handbook/secure/chapter.sgml b/en_US.ISO8859-1/books/developers-handbook/secure/chapter.sgml
index bc15b992ac..640afcfb23 100644
--- a/en_US.ISO8859-1/books/developers-handbook/secure/chapter.sgml
+++ b/en_US.ISO8859-1/books/developers-handbook/secure/chapter.sgml
@@ -1,525 +1,525 @@
 <!--
      The FreeBSD Documentation Project
 
      $FreeBSD$
 -->
 
     <chapter id="secure">
       <chapterinfo>
 	<authorgroup>
 	  <author>
 	    <firstname>Murray</firstname>
 	    <surname>Stockely</surname>
 	    <contrib>Contributed by </contrib>
 	  </author>
 	</authorgroup>
       </chapterinfo>
 
       <title>Secure Programming</title>
       
       <sect1 id="secure-synopsis"><title>Synopsis</title>
  
       <para>This chapter describes some of the security issues that
       have plagued &unix; programmers for decades and some of the new
       tools available to help programmers avoid writing exploitable
       code.</para>
       </sect1>
 
       <sect1 id="secure-philosophy"><title>Secure Design
       Methodology</title>
 
       <para>Writing secure applications takes a very scrutinous and
       pessimistic outlook on life.  Applications should be run with
       the principle of <quote>least privilege</quote> so that no
       process is ever running with more than the bare minimum access
       that it needs to accomplish its function.  Previously tested
       code should be reused whenever possible to avoid common
       mistakes that others may have already fixed.</para>
 
       <para>One of the pitfalls of the &unix; environment is how easy it
       is to make assumptions about the sanity of the environment.
       Applications should never trust user input (in all its forms),
       system resources, inter-process communication, or the timing of
       events.  &unix; processes do not execute synchronously so logical
       operations are rarely atomic.</para>
       </sect1>
 
       <sect1 id="secure-bufferov"><title>Buffer Overflows</title> 
 
       <para>Buffer Overflows have been around since the very
       beginnings of the Von-Neuman <xref linkend="COD"> architecture.
 
       <indexterm><primary>buffer overflow</primary></indexterm> 
       <indexterm><primary>Von-Neuman</primary></indexterm>
 
       They first gained widespread notoriety in 1988 with the Morris
       Internet worm.  Unfortunately, the same basic attack remains
 
       <indexterm><primary>Morris Internet worm</primary></indexterm>
 
       effective today.  Of the 17 CERT security advisories of 1999, 10
 
       <indexterm>
         <primary>CERT</primary><secondary>security advisories</secondary>
       </indexterm>
 
       of them were directly caused by buffer-overflow software bugs.
       By far the most common type of buffer overflow attack is based
       on corrupting the stack.</para>
 
       <indexterm><primary>stack</primary></indexterm> 
       <indexterm><primary>arguments</primary></indexterm> 
 
       <para>Most modern computer systems use a stack to pass arguments
       to procedures and to store local variables.  A stack is a last
       in first out (LIFO) buffer in the high memory area of a process
       image.  When a program invokes a function a new "stack frame" is
    
       <indexterm><primary>LIFO</primary></indexterm>
       <indexterm>
         <primary>process image</primary>
 	  <secondary>stack pointer</secondary>
       </indexterm>
 
       created.  This stack frame consists of the arguments passed to
       the function as well as a dynamic amount of local variable
       space.  The "stack pointer" is a register that holds the current
 
       <indexterm><primary>stack frame</primary></indexterm>
       <indexterm><primary>stack pointer</primary></indexterm>
 
       location of the top of the stack.  Since this value is
       constantly changing as new values are pushed onto the top of the
       stack, many implementations also provide a "frame pointer" that
       is located near the beginning of a stack frame so that local
       variables can more easily be addressed relative to this
       value. <xref linkend="COD"> The return address for function
 
       <indexterm><primary>frame pointer</primary></indexterm> 
       <indexterm>
         <primary>process image</primary>
         <secondary>frame pointer</secondary>
       </indexterm>
       <indexterm><primary>return address</primary></indexterm> 
       <indexterm><primary>stack-overflow</primary></indexterm>
 
       calls is also stored on the stack, and this is the cause of
       stack-overflow exploits since overflowing a local variable in a
       function can overwrite the return address of that function,
       potentially allowing a malicious user to execute any code he or
       she wants.</para>
 
       <para>Although stack-based attacks are by far the most common,
       it would also be possible to overrun the stack with a heap-based
       (malloc/free) attack.</para>
 
       <para>The C programming language does not perform automatic
       bounds checking on arrays or pointers as many other languages
       do.  In addition, the standard C library is filled with a
       handful of very dangerous functions.</para>
 
-      <informaltable frame="none">
+      <informaltable frame="none" pgwide="1">
         <tgroup cols=2>
           <tbody>
           <row><entry><function>strcpy</function>(char *dest, const char
           *src)</entry>
           <entry><simpara>May overflow the dest buffer</simpara></entry>
           </row>
 
           <row><entry><function>strcat</function>(char *dest, const char
           *src)</entry>
           <entry><simpara>May overflow the dest buffer</simpara></entry>
           </row>
 
           <row><entry><function>getwd</function>(char *buf)</entry>
           <entry><simpara>May overflow the buf buffer</simpara></entry>
           </row>
 
           <row><entry><function>gets</function>(char *s)</entry>
           <entry><simpara>May overflow the s buffer</simpara></entry>
           </row>
 
           <row><entry><function>[vf]scanf</function>(const char *format,
           ...)</entry>
           <entry><simpara>May overflow its arguments.</simpara></entry>
           </row>
 
           <row><entry><function>realpath</function>(char *path, char
           resolved_path[])</entry>
           <entry><simpara>May overflow the path buffer</simpara></entry>
           </row>
 
           <row><entry><function>[v]sprintf</function>(char *str, const char
           *format, ...)</entry>
           <entry><simpara>May overflow the str buffer.</simpara></entry>
           </row>
           </tbody>
         </tgroup>
       </informaltable>
 
       <sect2><title>Example Buffer Overflow</title>
 
       <para>The following example code contains a buffer overflow
       designed to overwrite the return address and skip the
       instruction immediately following the function call.  (Inspired
       by <xref linkend="Phrack">)</para>
 
 <programlisting>#include <sgmltag>stdio.h</sgmltag>
 
 void manipulate(char *buffer) {
   char newbuffer[80];
   strcpy(newbuffer,buffer);
 }
 
 int main() {
   char ch,buffer[4096];
   int i=0;
 
   while ((buffer[i++] = getchar()) != '\n') {};
   
   i=1;
   manipulate(buffer);
   i=2;
   printf("The value of i is : %d\n",i);
   return 0;
 }</programlisting>
 
       <para>Let us examine what the memory image of this process would
       look like if we were to input 160 spaces into our little program
       before hitting return.</para> 
 
       <para>[XXX figure here!]</para>
 
       <para>Obviously more malicious input can be devised to execute
       actual compiled instructions (such as exec(/bin/sh)).</para>
       </sect2>
 
       <sect2><title>Avoiding Buffer Overflows</title>
 
       <para>The most straightforward solution to the problem of
       stack-overflows is to always use length restricted memory and
       string copy functions.  <function>strncpy</function> and
       <function>strncat</function> are part of the standard C library.
 
       <indexterm>
         <primary>string copy functions</primary>
 	  <secondary>strncpy</secondary>
       </indexterm>      
       <indexterm>
         <primary>string copy functions</primary>
 	  <secondary>strncat</secondary>
       </indexterm>      
 
       These functions accept a length value as a parameter which
       should be no larger than the size of the destination buffer.
       These functions will then copy up to `length' bytes from the
       source to the destination.  However there are a number of
       problems with these functions.  Neither function guarantees NUL
       termination if the size of the input buffer is as large as the
 
       <indexterm><primary>NUL termination</primary></indexterm>
 
       destination.  The length parameter is also used inconsistently
       between strncpy and strncat so it is easy for programmers to get
       confused as to their proper usage.  There is also a significant
       performance loss compared to <function>strcpy</function> when
       copying a short string into a large buffer since
       <function>strncpy</function> NUL fills up the size
       specified.</para>
 
       <para>In OpenBSD, another memory copy implementation has been
 
       <indexterm><primary>OpenBSD</primary></indexterm>
 
       created to get around these problem.  The
       <function>strlcpy</function> and <function>strlcat</function>
       functions guarantee that they will always null terminate the
       destination string when given a non-zero length argument.  For
       more information about these functions see <xref
       linkend="OpenBSD">.  The OpenBSD <function>strlcpy</function> and
       <function>strlcat</function> instructions have been in FreeBSD
       since 3.3.</para>
 
       <indexterm>
         <primary>string copy functions</primary>
 	  <secondary>strlcpy</secondary>
       </indexterm>
 
       <indexterm>
 	<primary>string copy functions</primary>
           <secondary>strlcat</secondary>
       </indexterm>
 
         <sect3><title>Compiler based run-time bounds checking</title>
 
 	<indexterm><primary>bounds checking</primary>
 	<secondary>compiler-based</secondary></indexterm>
 
         <para>Unfortunately there is still a very large assortment of
         code in public use which blindly copies memory around without
         using any of the bounded copy routines we just discussed.
         Fortunately, there is another solution.  Several compiler
         add-ons and libraries exist to do Run-time bounds checking in
         C/C++.</para> 
 
 	<indexterm><primary>StackGuard</primary></indexterm> 
 	<indexterm><primary>gcc</primary></indexterm>  
 
         <para>StackGuard is one such add-on that is implemented as a
         small patch to the gcc code generator.  From the <ulink
           url="http://immunix.org/stackguard.html">StackGuard
           website</ulink>:
 
         <blockquote><para>"StackGuard detects and defeats stack
         smashing attacks by protecting the return address on the stack
         from being altered.  StackGuard places a "canary" word next to
         the return address when a function is called.  If the canary
         word has been altered when the function returns, then a stack
         smashing attack has been attempted, and the program responds
         by emitting an intruder alert into syslog, and then
         halts."</para></blockquote> 
 
         <blockquote><para>"StackGuard is implemented as a small patch
         to the gcc code generator, specifically the function_prolog()
         and function_epilog() routines.  function_prolog() has been
         enhanced to lay down canaries on the stack when functions
         start, and function_epilog() checks canary integrity when the
         function exits.  Any attempt at corrupting the return address
         is thus detected before the function
         returns."</para></blockquote>
         </para>
 
         <indexterm><primary>buffer overflow</primary></indexterm>
 
         <para>Recompiling your application with StackGuard is an
         effective means of stopping most buffer-overflow attacks, but
         it can still be compromised.</para>
 
         </sect3>
 
         <sect3><title>Library based run-time bounds checking</title>
 
   	<indexterm>
 	  <primary>bounds checking</primary>
 	  <secondary>library-based</secondary>
 	</indexterm>
 
         <para>Compiler-based mechanisms are completely useless for
         binary-only software for which you cannot recompile.  For
         these situations there are a number of libraries which
         re-implement the unsafe functions of the C-library
         (<function>strcpy</function>, <function>fscanf</function>,
         <function>getwd</function>, etc..) and ensure that these
         functions can never write past the stack pointer.</para>
 
         <itemizedlist>
         <listitem><simpara>libsafe</simpara></listitem>
         <listitem><simpara>libverify</simpara></listitem>
         <listitem><simpara>libparanoia</simpara></listitem>
         </itemizedlist>
 
 	<para>Unfortunately these library-based defenses have a number
         of shortcomings.  These libraries only protect against a very
         small set of security related issues and they neglect to fix
         the actual problem.  These defenses may fail if the
         application was compiled with -fomit-frame-pointer.  Also, the
         LD_PRELOAD and LD_LIBRARY_PATH environment variables can be
         overwritten/unset by the user.</para>
         </sect3>
 
         </sect2>
       </sect1>
 
       <sect1 id="secure-setuid"><title>SetUID issues</title>
 
       <indexterm><primary>seteuid</primary></indexterm>
 
       <para>There are at least 6 different IDs associated with any
       given process.  Because of this you have to be very careful with
       the access that your process has at any given time.  In
       particular, all seteuid applications should give up their
       privileges as soon as it is no longer required.</para>
 
       <indexterm>
         <primary>user IDs</primary>
           <secondary>real user ID</secondary>
       </indexterm>
       <indexterm>
         <primary>user IDs</primary>
           <secondary>effective user ID</secondary>
       </indexterm>
 
       <para>The real user ID can only be changed by a superuser
       process.  The <application>login</application> program sets this
       when a user initially logs in and it is seldom changed.</para>
 
       <para>The effective user ID is set by the
       <function>exec()</function> functions if a program has its
       seteuid bit set.  An application can call
       <function>seteuid()</function> at any time to set the effective
       user ID to either the real user ID or the saved set-user-ID.
       When the effective user ID is set by <function>exec()</function>
       functions, the previous value is saved in the saved set-user-ID.</para>
 
       </sect1>
 
       <sect1 id="secure-chroot"><title>Limiting your program's environment</title>
 
       <indexterm><primary>chroot()</primary></indexterm>
 
       <para>The traditional method of restricting a process
       is with the <function>chroot()</function> system call.  This
       system call changes the root directory from which all other
       paths are referenced for a process and any child processes.  For
       this call to succeed the process must have execute (search)
       permission on the directory being referenced.  The new
       environment does not actually take effect until you
       <function>chdir()</function> into your new environment.  It
       should also be noted that a process can easily break out of a
       chroot environment if it has root privilege.  This could be
       accomplished by creating device nodes to read kernel memory,
       attaching a debugger to a process outside of the jail, or in
       many other creative ways.</para>
       
       <para>The behavior of the <function>chroot()</function> system
       call can be controlled somewhat with the
       kern.chroot_allow_open_directories <command>sysctl</command>
       variable.  When this value is set to 0,
       <function>chroot()</function> will fail with EPERM if there are
       any directories open.  If set to the default value of 1, then
       <function>chroot()</function> will fail with EPERM if there are
       any directories open and the process is already subject to a
       <function>chroot()</function> call.  For any other value, the
       check for open directories will be bypassed completely.</para>
 
       <sect2><title>FreeBSD's jail functionality</title>
 
       <indexterm><primary>jail</primary></indexterm>
 
       <para>The concept of a Jail extends upon the
       <function>chroot()</function> by limiting the powers of the
       superuser to create a true `virtual server'.  Once a prison is
       set up all network communication must take place through the
       specified IP address, and the power of "root privilege" in this
       jail is severely constrained.</para>
 
       <para>While in a prison, any tests of superuser power within the
       kernel using the <function>suser()</function> call will fail.
       However, some calls to <function>suser()</function> have been
       changed to a new interface <function>suser_xxx()</function>.
       This function is responsible for recognizing or denying access
       to superuser power for imprisoned processes.</para>
 
       <para>A superuser process within a jailed environment has the
       power to:</para>
 
       <itemizedlist>
       <listitem><simpara>Manipulate credential with
         <function>setuid</function>, <function>seteuid</function>,
         <function>setgid</function>, <function>setegid</function>,
         <function>setgroups</function>, <function>setreuid</function>,
         <function>setregid</function>, <function>setlogin</function></simpara></listitem>
       <listitem><simpara>Set resource limits with <function>setrlimit</function></simpara></listitem>
       <listitem><simpara>Modify some sysctl nodes
         (kern.hostname)</simpara></listitem>
       <listitem><simpara><function>chroot()</function></simpara></listitem>
       <listitem><simpara>Set flags on a vnode:
         <function>chflags</function>,
         <function>fchflags</function></simpara></listitem>
       <listitem><simpara>Set attributes of a vnode such as file
         permission, owner, group, size, access time, and modification
         time.</simpara></listitem>
       <listitem><simpara>Bind to privileged ports in the Internet
         domain (ports < 1024)</simpara></listitem>
       </itemizedlist>
 
       <para><function>Jail</function> is a very useful tool for
       running applications in a secure environment but it does have
       some shortcomings.  Currently, the IPC mechanisms have not been
       converted to the <function>suser_xxx</function> so applications
       such as MySQL cannot be run within a jail.  Superuser access
       may have a very limited meaning within a jail, but there is
       no way to specify exactly what "very limited" means.</para>
       </sect2>
 
       <sect2><title>&posix;.1e Process Capabilities</title>
 
       <indexterm><primary>POSIX.1e Process Capabilities</primary></indexterm>
       <indexterm><primary>TrustedBSD</primary></indexterm>
 
       <para>&posix; has released a working draft that adds event
       auditing, access control lists, fine grained privileges,
       information labeling, and mandatory access control.</para>
       <para>This is a work in progress and is the focus of the <ulink
       url="http://www.trustedbsd.org/">TrustedBSD</ulink> project.  Some
       of the initial work has been committed to FreeBSD-current
       (cap_set_proc(3)).</para>
 
       </sect2>
 
       </sect1>
 
       <sect1 id="secure-trust"><title>Trust</title>
 
       <para>An application should never assume that anything about the
       users environment is sane.  This includes (but is certainly not
       limited to): user input, signals, environment variables,
       resources, IPC, mmaps, the filesystem working directory, file
       descriptors, the # of open files, etc.</para>
 
       <indexterm><primary>positive filtering</primary></indexterm>
       <indexterm><primary>data validation</primary></indexterm>
 
       <para>You should never assume that you can catch all forms of
       invalid input that a user might supply.  Instead, your
       application should use positive filtering to only allow a
       specific subset of inputs that you deem safe.  Improper data
       validation has been the cause of many exploits, especially with
       CGI scripts on the world wide web.  For filenames you need to be
       extra careful about paths ("../", "/"), symbolic links, and
       shell escape characters.</para>
 
       <indexterm><primary>Perl Taint mode</primary></indexterm>
 
       <para>Perl has a really cool feature called "Taint" mode which
       can be used to prevent scripts from using data derived outside
       the program in an unsafe way.  This mode will check command line
       arguments, environment variables, locale information, the
       results of certain syscalls (<function>readdir()</function>,
       <function>readlink()</function>,
       <function>getpwxxx()</function>, and all file input.</para>
 
       </sect1>
 
       <sect1 id="secure-race-conditions">
       <title>Race Conditions</title>
 
       <para>A race condition is anomalous behavior caused by the
       unexpected dependence on the relative timing of events.  In
       other words, a programmer incorrectly assumed that a particular
       event would always happen before another.</para>
 
       <indexterm><primary>race conditions</primary>
       <secondary>signals</secondary></indexterm>
 
       <indexterm><primary>race conditions</primary>
       <secondary>access checks</secondary></indexterm>
 
       <indexterm><primary>race conditions</primary>
       <secondary>file opens</secondary></indexterm>
 
       <para>Some of the common causes of race conditions are signals,
       access checks, and file opens.  Signals are asynchronous events
       by nature so special care must be taken in dealing with them.
       Checking access with <function>access(2)</function> then
       <function>open(2)</function> is clearly non-atomic.  Users can
       move files in between the two calls.  Instead, privileged
       applications should <function>seteuid()</function> and then call
       <function>open()</function> directly.  Along the same lines, an
       application should always set a proper umask before
       <function>open()</function> to obviate the need for spurious
       <function>chmod()</function> calls.</para>
 
       </sect1>
 
      </chapter>
diff --git a/en_US.ISO8859-1/books/faq/book.sgml b/en_US.ISO8859-1/books/faq/book.sgml
index cf8b9f01f9..ba6a6c1fcf 100644
--- a/en_US.ISO8859-1/books/faq/book.sgml
+++ b/en_US.ISO8859-1/books/faq/book.sgml
@@ -1,12445 +1,12445 @@
 <!DOCTYPE book PUBLIC "-//FreeBSD//DTD DocBook V4.1-Based Extension//EN" [
 <!ENTITY % books.ent PUBLIC "-//FreeBSD//ENTITIES DocBook FreeBSD Books Entity Set//EN">
 %books.ent;
 <!ENTITY bibliography SYSTEM "../../../share/sgml/bibliography.sgml">
 ]>
 
 <book>
   <bookinfo>
     <title>Frequently Asked Questions for FreeBSD 3.X, 4.X, 5.X, and 6.X</title>
 
     <corpauthor>The FreeBSD Documentation Project</corpauthor>
 
     <pubdate>$FreeBSD$</pubdate>
 
     <copyright>
       <year>1995</year>
       <year>1996</year>
       <year>1997</year>
       <year>1998</year>
       <year>1999</year>
       <year>2000</year>
       <year>2001</year>
       <year>2002</year>
       <year>2003</year>
       <year>2004</year>
       <holder>The FreeBSD Documentation Project</holder>
     </copyright>
 
     &bookinfo.legalnotice;
 
     <legalnotice id="trademarks" role="trademarks">
       &tm-attrib.freebsd;
       &tm-attrib.3com;
       &tm-attrib.adobe;
       &tm-attrib.creative;
       &tm-attrib.cvsup;
       &tm-attrib.ibm;
       &tm-attrib.ieee;
       &tm-attrib.intel;
       &tm-attrib.iomega;
       &tm-attrib.linux;
       &tm-attrib.microsoft;
       &tm-attrib.mips;
       &tm-attrib.netscape;
       &tm-attrib.opengroup;
       &tm-attrib.oracle;
       &tm-attrib.sgi;
       &tm-attrib.sparc;
       &tm-attrib.sun;
       &tm-attrib.usrobotics;
       &tm-attrib.xfree86;
       &tm-attrib.general;
     </legalnotice>
 
     <abstract>
       <para>This is the FAQ for FreeBSD versions 3.X, 4.X, 5.X, and 6.X.
         All entries are assumed to be relevant to FreeBSD 3.0 and
         later, unless otherwise noted.  If you are interested in
         helping with this project, send email to the &a.doc;.  The
         latest version of this document is always available from the
         <ulink
         url="http://www.FreeBSD.org/doc/en_US.ISO8859-1/books/faq/index.html">FreeBSD
         World Wide Web server</ulink>. It may also be downloaded as
         one large <ulink url="book.html">HTML</ulink> file with HTTP
         or as plain text, &postscript;, PDF, etc. from the <ulink
         url="ftp://ftp.FreeBSD.org/pub/FreeBSD/doc/">FreeBSD FTP
         server</ulink>. You may also want to <ulink
         url="&url.base;/search/index.html">Search the
         FAQ</ulink>.</para>
     </abstract>
   </bookinfo>
 
   <chapter id="introduction">
     <title>Introduction</title>
 
     <para>Welcome to the FreeBSD 3.X-6.X FAQ!</para>
 
     <para>As is usual with Usenet FAQs, this document aims to cover the
       most frequently asked questions concerning the FreeBSD operating
       system (and of course answer them!).  Although originally intended
       to reduce bandwidth and avoid the same old questions being asked
       over and over again, FAQs have become recognized as valuable
       information resources.</para>
 
     <para>Every effort has been made to make this FAQ as informative as
       possible; if you have any suggestions as to how it may be improved,
       please feel free to mail them to the &a.doc;.</para>
 
     <qandaset>
       <qandaentry>
         <question id="what-is-FreeBSD">
           <para>What is FreeBSD?</para>
         </question>
 
         <answer>
          <para>Briefly, FreeBSD is a &unix; like operating system for
            the Alpha/AXP, AMD64 and Intel EM64T, &i386; IA-64,
            PC-98, and &ultrasparc; platforms
            based on U.C. Berkeley's <quote>4.4BSD-Lite</quote>
            release, with some <quote>4.4BSD-Lite2</quote>
            enhancements.  It is also based indirectly on William
            Jolitz's port of U.C.  Berkeley's <quote>Net/2</quote> to
            the &i386;, known as <quote>386BSD</quote>, though very
            little of the 386BSD code remains.  A fuller description of
            what FreeBSD is and how it can work for you may be found on
            the <ulink url="&url.base;/index.html">FreeBSD home
            page</ulink>.</para>
 
          <para>FreeBSD is used by companies, Internet Service Providers,
            researchers, computer professionals, students and home users
            all over the world in their work, education and recreation.</para>
 
          <para>For more detailed information on FreeBSD, please see the
            <ulink url="&url.books.handbook;/index.html">FreeBSD
            Handbook</ulink>.</para>
        </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="FreeBSD-goals">
           <para>What is the goal of the FreeBSD Project?</para>
         </question>
 
         <answer>
           <para>The goal of the FreeBSD Project is to provide software
             that may be used for any purpose and without strings attached.
             Many of us have a significant investment in the code (and
             project) and would certainly not mind a little financial
             compensation now and then, but we definitely do not
             insist on it.  We believe that our first and foremost
             <quote>mission</quote> is to provide code to any and all
             comers, and for whatever purpose, so that the code gets the
             widest possible use and provides the widest possible benefit.
             This is, we believe, one of the most fundamental goals of Free
             Software and one that we enthusiastically support.</para>
 
           <para>That code in our source tree which falls under the
             <ulink url="http://www.FreeBSD.org/copyright/COPYING">GNU
             General Public License (GPL)</ulink> or <ulink
             url="http://www.FreeBSD.org/copyright/COPYING.LIB">GNU
             Library General Public License (LGPL)</ulink> comes with
             slightly more strings attached, though at least on the
             side of enforced access rather than the usual opposite.
             Due to the additional complexities that can evolve in the
             commercial use of GPL software, we do, however, endeavor
             to replace such software with submissions under the more
             relaxed <ulink
             url="http://www.FreeBSD.org/copyright/freebsd-license.html">
             FreeBSD license</ulink> whenever possible.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="bsd-license-restrictions">
           <para>Does the FreeBSD license have any restrictions?</para>
         </question>
 
         <answer>
           <para>Yes.  Those restrictions do not control how you use
             the code, merely how you treat the FreeBSD Project itself.
             If you have serious license concerns, read the actual
             <ulink
             url="http://www.FreeBSD.org/copyright/freebsd-license.html">
             license</ulink>.  For the simply curious, the license can
             be summarized like this.</para>
 
           <itemizedlist>
             <listitem>
               <para>Do not claim that you wrote this.</para>
             </listitem>
 
             <listitem>
               <para>Do not sue us if it breaks.</para>
             </listitem>
           </itemizedlist>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="replace-current-OS">
           <para>Can FreeBSD replace my current operating system?</para>
         </question>
 
         <answer>
           <para>For most people, yes.  But this question is not quite
             that cut-and-dried.</para>
 
           <para>Most people do not actually use an operating system.
             They use applications.  The applications are what really
             use the operating system.  FreeBSD is designed to provide
             a robust and full-featured environment for applications.
             It supports a wide variety of web browsers, office suites,
             email readers, graphics programs, programming
             environments, network servers, and just about everything
             else you might want.  Most of these applications can be
             managed through the <ulink
             url="http://www.FreeBSD.org/ports/">Ports
             Collection</ulink>.</para>
 
           <para>If you need to use an application that is only
             available on one operating system, you simply cannot
             replace that operating system.  Chances are there is a very
             similar application on FreeBSD, however.  If you want a
             solid office or Internet server, a reliable workstation,
             or just the ability to do your job without interruptions,
             FreeBSD will almost certainly do everything you need.
             Many computer users across the world, including both
             novices and experienced &unix; administrators, use FreeBSD
             as their only desktop operating system.</para>
 
           <para>If you are migrating to FreeBSD from some other &unix;
             environment, you already know most of what you need to.
             If your background is in graphic-driven operating systems
             such as &windows; and older versions of &macos;, expect to
             invest additional time learning the &unix; way of doing
             things.  This FAQ and the <ulink
             url="&url.books.handbook;/index.html">FreeBSD Handbook</ulink> are
             excellent places to start.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="why-called-FreeBSD">
           <para>Why is it called FreeBSD?</para>
         </question>
 
         <answer>
           <itemizedlist>
             <listitem>
               <para>It may be used free of charge, even by commercial
                 users.</para>
             </listitem>
 
             <listitem>
               <para>Full source for the operating system is freely
                 available, and the minimum possible restrictions have
                 been placed upon its use, distribution and incorporation
                 into other work (commercial or non-commercial).</para>
             </listitem>
 
             <listitem>
               <para>Anyone who has an improvement or bug fix is free
                 to submit their code and have it added to the source tree
                 (subject to one or two obvious provisions).</para>
             </listitem>
           </itemizedlist>
 
           <para>It is worth pointing out that the word
             <quote>free</quote> is being used in two ways here, one meaning
             <quote>at no cost</quote>, the other meaning <quote>you can do
             whatever you like</quote>.  Apart from one or two things you
             <emphasis>cannot</emphasis> do with the FreeBSD code, for
             example pretending you wrote it, you can really do whatever you
             like with it.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
 	<question id="differences-to-other-bsds">
 	  <para>What are the differences between FreeBSD and NetBSD, OpenBSD,
 	    and other open source BSD operating systems?</para>
 	</question>
 
 	<answer>
 	  <para>James Howard wrote a good explanation of the history
 	    and differences between the various projects for <ulink
 	    url="http://www.daemonnews.org/">DaemonNews</ulink>,
 	    called <ulink
 	    url="http://www.daemonnews.org/200104/bsd_family.html">The
 	    BSD Family Tree</ulink> which goes a fair way to answering
 	    this question.</para>
 	</answer>
       </qandaentry>
 
       <qandaentry>
         <question id="latest-version">
           <para>What is the latest version of FreeBSD?</para>
         </question>
 
 <!--
   This answer is a hack to deal with the fact that for now there are
   multiple "latest" versions of FreeBSD.
 -->
 
         <answer>
 	  <para>At this point in FreeBSD's development, there are three
 	    parallel development branches; releases are being made from
 	    two of the three branches.  The 4.X series of releases
 	    is being made from the <emphasis>4-STABLE</emphasis> branch
 	    and the 5.X series of releases is being made from
 	    <emphasis>5-STABLE</emphasis>.  It will be some time in
 	    mid-to-late 2005 before the first release will be made from the
 	    <emphasis>6-CURRENT</emphasis> branch; that release (6.0)
 	    will be aimed at early adopters.</para>
 
 	  <para>Up until the release of 5.3, the 4.X series was the
 	    one known as <emphasis>-STABLE</emphasis>.  However,
 	    as of 5.3, 5.X has been designated the new
 	    <emphasis>-STABLE</emphasis> and 4.X will no longer see
 	    much new development.  Instead, it will be designated
 	    for an &quot;extended support&quot; status and receive
 	    only fixes for major problems (such as security-related
 	    fixes.)</para>
 
 <!-- note: the entity definitions are out of date -->
           <para>Version <ulink
             url="ftp://ftp.FreeBSD.org/pub/FreeBSD/releases/i386/&rel.current;-RELEASE/">&rel.current;</ulink>
             is the latest release from the
             <emphasis>5-STABLE</emphasis> branch; it was released in
             &rel.current.date;.  Version <ulink
             url="ftp://ftp.FreeBSD.org/pub/FreeBSD/releases/i386/&rel2.current;-RELEASE/">&rel2.current;</ulink>
             is the latest release from the
             <emphasis>4-STABLE</emphasis> branch; it was released in
             &rel2.current.date;.</para>
 
           <para>Briefly, <emphasis>-STABLE</emphasis> is aimed at the
             ISP, corporate user, or any user who wants stability and a
             minimal number of changes compared to the new (and
             possibly unstable) features of the latest
             <emphasis>-CURRENT</emphasis> snapshot.  Releases can come
             from either branch, but <emphasis>-CURRENT</emphasis>
             should only be used if you are prepared for its increased
             volatility (relative to <emphasis>-STABLE</emphasis>, that
             is).</para>
 
           <para>Releases are made <link linkend="release-freq">every
             few months</link>. While many people stay more up-to-date with
             the FreeBSD sources (see the questions on <link
             linkend="current">FreeBSD-CURRENT</link> and <link
             linkend="stable">FreeBSD-STABLE</link>) than that, doing so
             is more of a commitment, as the sources are a moving
             target.</para>
 
 	  <para>More information on FreeBSD releases can be found on
 	    the <ulink
 	    url="http://www.FreeBSD.org/releng/index.html">Release
 	    Engineering page</ulink> on the FreeBSD Web site.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="current">
           <para>What is FreeBSD-CURRENT?</para>
         </question>
 
         <answer>
           <para><ulink
             url="&url.books.handbook;/cutting-edge.html#CURRENT">FreeBSD-CURRENT</ulink>
             is the development version of the operating system, which
             will in due course become the new &os.stable; branch.
             As such, it is
             really only of interest to developers working on the
             system and die-hard hobbyists.  See the <ulink
             url="&url.books.handbook;/cutting-edge.html#CURRENT">relevant
             section</ulink> in the <ulink
             url="&url.books.handbook;/index.html">handbook</ulink> for details
             on running -CURRENT.</para>
 
           <para>If you are not familiar with the operating system or are
             not capable of identifying the difference between a real
             problem and a temporary problem, you should not use
             FreeBSD-CURRENT.  This branch sometimes evolves quite quickly
             and can be un-buildable for a number of days at a time.
             People that use FreeBSD-CURRENT are expected to be able to
             analyze any problems and only report them if they are deemed
             to be mistakes rather than <quote>glitches</quote>. Questions
             such as <quote>make world produces some error about
             groups</quote> on the -CURRENT mailing list may be
             treated with contempt.</para>
 
           <para>Every day, <ulink
             url="&url.base;/releases/snapshots.html">snapshot
             </ulink> releases are made based on the current state of the
             -CURRENT and -STABLE branches.  Distributions of the
             occasional snapshot are made available. The goals
             behind each snapshot release are:</para>
 
           <itemizedlist>
             <listitem>
               <para>To test the latest version of the installation
                 software.</para>
             </listitem>
 
             <listitem>
               <para>To give people who would like to run -CURRENT or
                 -STABLE but who do not have the time or bandwidth to
                 follow it on a day-to-day basis an easy way of
                 bootstrapping it onto their systems.</para>
             </listitem>
 
             <listitem>
               <para>To preserve a fixed reference point for the code in
                 question, just in case we break something really badly
                 later.  (Although CVS normally prevents anything horrible
                 like this happening :)</para>
             </listitem>
 
             <listitem>
               <para>To ensure that all new features and fixes in need
                 of testing have the greatest possible number of
                 potential testers.</para>
             </listitem>
           </itemizedlist>
 
           <para>No claims are made that any -CURRENT snapshot can be
             considered <quote>production quality</quote> for any purpose.
             If you want to run a stable and fully tested system, you will
             have to stick to full releases, or use the -STABLE
             snapshots.</para>
 
           <para>Snapshot releases are directly available from <ulink
             url="ftp://current.FreeBSD.org/pub/FreeBSD/snapshots/">
             ftp://current.FreeBSD.org/pub/FreeBSD/snapshots/</ulink>.</para>
 
           <para>Snapshots are generated, on the average, daily for
             all actively developed branches.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="stable">
           <para>What is the FreeBSD-STABLE concept?</para>
         </question>
 
         <answer>
           <para>Back when FreeBSD 2.0.5 was released, FreeBSD
             development branched in two.  One branch was named <ulink
             url="&url.books.handbook;/current-stable.html#STABLE">-STABLE</ulink>,
             one <ulink
             url="&url.books.handbook;/current-stable.html#CURRENT">-CURRENT</ulink>.
             FreeBSD-STABLE is intended for Internet Service Providers
             and other commercial enterprises for whom sudden shifts or
             experimental features are quite undesirable.  It receives
             only well-tested bug fixes and other small incremental
             enhancements.  FreeBSD-CURRENT, on the other hand, has
             been one unbroken line since 2.0 was released, leading
             towards 5.3-RELEASE (and beyond).  Just before 5.3-RELEASE, the
             5-STABLE branch was created, and
             &os.current; became 6-CURRENT.  For more detailed information,
             see <quote><ulink url="&url.articles.releng;/release-proc.html#REL-BRANCH">
 		FreeBSD Release Engineering:
 		Creating the Release Branch</ulink></quote>.</para>
 
           <para>The 2.2-STABLE branch was retired with the release of 2.2.8.
             The 3-STABLE branch has ended with the release of 3.5.1, the
             final 3.X release.  The only changes made to either of these
             branches will be, for the most part, security-related bug
             fixes.  Support for the 4-STABLE branch will continue
 	    for some time but focus primarily on security-related bug
 	    fixes and other serious issues.</para>
 
           <para>5-STABLE is the actively developed -STABLE branch.
             The latest release on the 5-STABLE branch is
             &rel.current;-RELEASE, which was released in
             &rel.current.date;.</para>
 
           <para>The 6-CURRENT branch is the actively developed
 	    -CURRENT branch toward the next generation of &os;.
 	    See <link linkend="current">What is &os;-CURRENT?</link> for more
             information on this branch.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="release-freq">
           <para>When are FreeBSD releases made?</para>
         </question>
 
         <answer>
 	  <para>The &a.re; releases a new version of FreeBSD about every
 	    four months, on average.  Release dates are announced well in
 	    advance, so that the people working on the system know
 	    when their projects need to be finished and tested.  
 	    A testing period precedes each release, in order to ensure
 	    that the addition of new features does not compromise the
 	    stability of the release.
 	    Many users regard this caution as one of the best things about
 	    FreeBSD, even though waiting for all the latest goodies to reach
 	    -STABLE can be a little frustrating.</para>
 
 	  <para>More information on the release engineering process
 	    (including a schedule of upcoming releases) can be found
 	    on the <ulink
 	    url="http://www.FreeBSD.org/releng/index.html">release
 	    engineering</ulink> pages on the FreeBSD Web site.</para>
 
           <para>For people who need or want a little more excitement,
             binary snapshots are made daily as discussed above.</para>
          </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="responsible">
           <para>Who is responsible for FreeBSD?</para>
         </question>
 
         <answer>
           <para>The key decisions concerning the FreeBSD project, such
             as the overall direction of the project and who is allowed
             to add code to the source tree, are made by a <ulink
             url="&url.articles.contributors;/article.html#STAFF-CORE">core
             team</ulink> of 9 people. There is a much larger team of
             more than 300 <ulink
             url="&url.articles.contributors;/article.html#STAFF-COMMITTERS">committers</ulink>
             who are authorized to make changes directly to the FreeBSD
             source tree.</para>
 
           <para>However, most non-trivial changes are discussed in advance
             in the <link linkend="mailing">mailing lists</link>, and there
             are no restrictions on who may take part in the
             discussion.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="where-get">
           <para>Where can I get FreeBSD?</para>
         </question>
 
         <answer>
           <para>Every significant release of FreeBSD is available via
             anonymous FTP from the <ulink
             url="ftp://ftp.FreeBSD.org/pub/FreeBSD/">
             FreeBSD FTP site</ulink>:</para>
 
           <itemizedlist>
             <listitem>
               <para>The latest release, &rel.current;-RELEASE can be
                 found in the <ulink
                 url="ftp://ftp.FreeBSD.org/pub/FreeBSD/releases/i386/&rel.current;-RELEASE/">&rel.current;-RELEASE directory</ulink>.</para>
             </listitem>
 
             <listitem>
               <para><ulink
                 url="ftp://current.FreeBSD.org/pub/FreeBSD/">
                 Snapshot</ulink> releases are made daily for the
                 <link linkend="current">-CURRENT</link> branch, these being
                 of service purely to bleeding-edge testers and
                 developers.</para>
             </listitem>
 
             <listitem>
               <para>The latest 5-STABLE release, &rel2.current;-RELEASE can be
                 found in the <ulink
                 url="ftp://ftp.FreeBSD.org/pub/FreeBSD/releases/i386/&rel2.current;-RELEASE/">&rel2.current;-RELEASE directory</ulink>.</para>
             </listitem>
 
             <listitem>
               <para><ulink
                 url="ftp://current.FreeBSD.org/pub/FreeBSD/snapshots/">5.X
                 snapshots</ulink> are usually made daily.</para>
             </listitem>
           </itemizedlist>
 
 	  <para>Information about obtaining FreeBSD on CD, DVD, and other
 	    media can be found in <ulink url="&url.books.handbook;/mirrors.html">the
 	      Handbook</ulink>.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="howto-mirror">
           <para>How do I set up a FreeBSD mirror?</para>
         </question>
 
 	<answer>
 	  <para>Information on setting up a FreeBSD mirror can be
 	    found in the <ulink url="&url.articles.hubs;/">Mirroring
 	    FreeBSD</ulink> article.</para>
 	</answer>
       </qandaentry>
 
       <qandaentry>
         <question id="access-pr">
           <para>How do I access the Problem Report database?</para>
         </question>
 
         <answer>
           <para>The Problem Report database of all user change requests
             may be queried by using our web-based PR
             <ulink
             url="http://www.FreeBSD.org/cgi/query-pr-summary.cgi?query">
             query</ulink>
             interface.  The &man.send-pr.1; command can
             be used to submit problem reports and change requests via
             electronic mail.</para>
 
 	  <para>The web-based problem report submission interface is
 	    currently disabled due to persistent abuse.</para>
 
           <para>Before submitting a problem report, please read <ulink
             url="&url.articles.problem-reports;/article.html">Writing
             FreeBSD Problem Reports</ulink>, an article on how to write
             good problem reports.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="become-web-mirror">
           <para>How do I become a FreeBSD Web mirror?</para>
         </question>
 
         <answer>
           <para>There are multiple ways to mirror the Web pages.</para>
 
           <itemizedlist>
             <listitem>
               <para>You can retrieve the formatted files from a
                 FreeBSD CVSup server using the application
                 <filename role="package">net/cvsup</filename>.  The file
                 <filename>/usr/share/examples/cvsup/www-supfile</filename>
                 contains an example CVSup configuration file for web
                 mirrors.</para>
             </listitem>
 
             <listitem>
               <para>You can download the web site source code from any
                 FreeBSD FTP server using your favorite ftp mirror
                 tool.  Keep in mind that you have to build these
                 sources before publishing them.  Start mirroring at
                 <ulink url="ftp://ftp.FreeBSD.org/pub/FreeBSD/FreeBSD-current/www/"></ulink>.</para>
             </listitem>
           </itemizedlist>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="other-info-sources">
           <para>What other sources of information are there?</para>
         </question>
 
         <answer>
           <para>Please check the <ulink
             url="http://www.FreeBSD.org/docs.html">Documentation</ulink>
             list on the main <ulink
             url="http://www.FreeBSD.org">FreeBSD</ulink> web
             site.</para>
         </answer>
       </qandaentry>
     </qandaset>
   </chapter>
 
   <chapter id="support">
     <title>Documentation and Support</title>
     
     <qandaset>
       <qandaentry>
 	<question id="books">
 	  <para>What good books are there about FreeBSD?</para>
 	</question>
 	
 	<answer>
 	  <para>The project produces a wide range of documentation,
 	    available online from this link: <ulink
 	    url="http://www.FreeBSD.org/docs.html"></ulink>.  The same
 	    documents are available as packages, that you can easily
 	    install on your FreeBSD system.  More details on
 	    documentation packages can be found in the next
 	    paragraphs.</para>
 	    
 	    <para>In addition, the Bibliography at the end of this
 	    FAQ, and the one in the Handbook reference other
 	    recommended books.</para>
 	</answer>
       </qandaentry>
       
       <qandaentry>
         <question id="doc-formats">
           <para>Is the documentation available in other formats, such as plain
             text (ASCII), or &postscript;?</para>
         </question>
 
         <answer>
           <para>Yes.  The documentation is available in a number of
             different formats and compression schemes on the FreeBSD
             FTP site, in the <ulink
             url="ftp://ftp.FreeBSD.org/pub/FreeBSD/doc/">/pub/FreeBSD/doc/</ulink>
             directory.</para>
 
           <para>The documentation is categorized in a number of different
             ways.  These include:</para>
 
           <itemizedlist>
             <listitem>
               <para>The document's name, such as <literal>faq</literal>, or
                 <literal>handbook</literal>.</para>
             </listitem>
 
             <listitem>
               <para>The document's language and encoding.  These are
                 based on the locale names you will find under
                 <filename>/usr/share/locale</filename> on your FreeBSD
                 system.  The current languages and encodings that we
                 have for documentation are as follows:</para>
 
-              <informaltable frame="none">
+              <informaltable frame="none" pgwide="1">
                 <tgroup cols="2">
                   <thead>
                     <row>
                       <entry>Name</entry>
 
                       <entry>Meaning</entry>
                     </row>
                   </thead>
 
                   <tbody>
                     <row>
                       <entry><literal>en_US.ISO8859-1</literal></entry>
 
                       <entry>US English</entry>
                     </row>
 
                     <row>
                       <entry><literal>de_DE.ISO8859-1</literal></entry>
 
                       <entry>German</entry>
                     </row>
 
                     <row>
                       <entry><literal>es_ES.ISO8859-1</literal></entry>
 
                       <entry>Spanish</entry>
                     </row>
 
                     <row>
                       <entry><literal>fr_FR.ISO8859-1</literal></entry>
 
                       <entry>French</entry>
                     </row>
 
 		    <row>
 		      <entry><literal>it_IT.ISO8859-15</literal></entry>
 
 		      <entry>Italian</entry>
 		    </row>
 
                     <row>
                       <entry><literal>ja_JP.eucJP</literal></entry>
 
                       <entry>Japanese (EUC encoding)</entry>
                     </row>
 
                     <row>
                       <entry><literal>ru_RU.KOI8-R</literal></entry>
 
                       <entry>Russian (KOI8-R encoding)</entry>
                     </row>
 
                     <row>
                       <entry><literal>zh_TW.Big5</literal></entry>
 
                       <entry>Chinese (Big5 encoding)</entry>
                     </row>
                   </tbody>
                 </tgroup>
               </informaltable>
 
               <note>
                 <para>Some documents may not be available in all
                   languages.</para>
               </note>
             </listitem>
 
             <listitem>
               <para>The document's format.  We produce the documentation in a
                 number of different output formats.  Each format has its own
                 advantages and disadvantages.  Some formats are better suited
                 for online reading, while others are meant to be aesthetically
                 pleasing when printed on paper.  Having the documentation
                 available in any of these formats ensures that our readers
                 will be able to read the parts they are interested in, either
                 on their monitor, or on paper after printing the documents.
                 The currently available formats are:</para>
 
-              <informaltable frame="none">
+              <informaltable frame="none" pgwide="1">
                 <tgroup cols="2">
                   <thead>
                     <row>
                       <entry>Format</entry>
 
                       <entry>Meaning</entry>
                     </row>
                   </thead>
 
                   <tbody>
                     <row>
                       <entry><literal>html-split</literal></entry>
 
                       <entry>A collection of small, linked, HTML
                         files.</entry>
                     </row>
 
                     <row>
                       <entry><literal>html</literal></entry>
 
                       <entry>One large HTML file containing the entire
                         document</entry>
                     </row>
 
                     <row>
                       <entry><literal>pdb</literal></entry>
 
                       <entry>Palm Pilot database format, for use with the
                         <ulink url="http://www.iSilo.com/">iSilo</ulink>
                         reader.</entry>
                     </row>
 
                     <row>
                       <entry><literal>pdf</literal></entry>
 
                       <entry>Adobe's Portable Document Format</entry>
                     </row>
 
                     <row>
                       <entry><literal>ps</literal></entry>
 
                       <entry>&postscript;</entry>
                     </row>
 
                     <row>
                       <entry><literal>rtf</literal></entry>
 
                       <entry>Microsoft's Rich Text Format<footnote>
                           <para>Page numbers are not automatically
                           updated when loading this format into Word.
                           Press <keycombo
                           action="simul"><keycap>CTRL</keycap><keycap>A</keycap></keycombo>,
                           <keycombo
                           action="simul"><keycap>CTRL</keycap><keycap>END</keycap></keycombo>,
                           <keycap>F9</keycap> after loading the
                           document, to update the page numbers.</para>
                         </footnote>
                       </entry>
                     </row>
 
                     <row>
                       <entry><literal>txt</literal></entry>
 
                       <entry>Plain text</entry>
                     </row>
                   </tbody>
                 </tgroup>
               </informaltable>
             </listitem>
 
             <listitem>
               <para>The compression and packaging scheme.  There are three of
                 these currently in use.</para>
 
               <orderedlist>
                 <listitem>
                   <para>Where the format is
                     <literal>html-split</literal>, the files are
                     bundled up using &man.tar.1;.  The resulting
                     <filename>.tar</filename> file is then compressed
                     using the compression schemes detailed in the next
                     point.</para>
                 </listitem>
 
                 <listitem>
                   <para>All the other formats generate one file,
                     called
                     <filename>book.<replaceable>format</replaceable></filename>
                     (i.e., <filename>book.pdb</filename>,
                     <filename>book.html</filename>, and so on).</para>
 
                   <para>These files are then compressed using two
                     compression schemes.</para>
 
-                  <informaltable frame="none">
+                  <informaltable frame="none" pgwide="1">
                     <tgroup cols="2">
                       <thead>
                         <row>
                           <entry>Scheme</entry>
 
                           <entry>Description</entry>
                         </row>
                       </thead>
 
                       <tbody>
                         <row>
                           <entry><literal>zip</literal></entry>
 
                           <entry>The Zip format.  If you want to
                             uncompress this on FreeBSD you will need
                             to install the <filename
                             role="package">archivers/unzip</filename>
                             port first.</entry>
                         </row>
 
                         <row>
                           <entry><literal>bz2</literal></entry>
 
                           <entry>The BZip2 format.  Less widespread
                             than Zip, but generally gives
                             smaller files.  Install the <filename
                             role="package">archivers/bzip2</filename>
                             port to uncompress these files.</entry>
                         </row>
                       </tbody>
                     </tgroup>
                   </informaltable>
 
                   <para>So the &postscript; version of the Handbook,
                     compressed using BZip2 will be stored in a file
                     called <filename>book.ps.bz2</filename> in the
                     <filename>handbook/</filename> directory.</para>
                 </listitem>
               </orderedlist>
             </listitem>
           </itemizedlist>
 
           <para>After choosing the format and compression mechanism that you
             want to download, you must then decide whether or not you want to
             download the document as a FreeBSD
             <emphasis>package</emphasis>.</para>
 
           <para>The advantage of downloading and installing the package is
             that the documentation can then be managed using the normal
             FreeBSD package management comments, such as &man.pkg.add.1; and
             &man.pkg.delete.1;.</para>
 
           <para>If you decide to download and install the package then
             you must know the filename to download.  The
             documentation-as-packages files are stored in a directory
             called <filename>packages</filename>.  Each package file
             looks like
             <filename><replaceable>document-name</replaceable>.<replaceable>lang</replaceable>.<replaceable>encoding</replaceable>.<replaceable>format</replaceable>.tgz</filename>.</para>
 
           <para>For example, the FAQ, in English, formatted as PDF, is in the
             package called
             <filename>faq.en_US.ISO8859-1.pdf.tgz</filename>.</para>
 
           <para>Knowing this, you can use the following command to
             install the English PDF FAQ package.</para>
 
           <screen>&prompt.root; <userinput>pkg_add ftp://ftp.FreeBSD.org/pub/FreeBSD/doc/packages/faq.en_US.ISO8859-1.pdf.tgz</userinput></screen>
 
           <para>Having done that, you can use &man.pkg.info.1; to determine
             where the file has been installed.</para>
 
           <screen>&prompt.root; <userinput>pkg_info -f faq.en_US.ISO8859-1.pdf</userinput>
 Information for faq.en_US.ISO8859-1.pdf:
 
 Packing list:
         Package name: faq.en_US.ISO8859-1.pdf
         CWD to /usr/share/doc/en_US.ISO8859-1/books/faq
 File: book.pdf
         CWD to .
 File: +COMMENT (ignored)
 File: +DESC (ignored)</screen>
 
           <para>As you can see, <filename>book.pdf</filename> will
             have been installed into
             <filename>/usr/share/doc/en_US.ISO8859-1/books/faq</filename>.</para>
 
           <para>If you do not want to use the packages then you will have to
             download the compressed files yourself, uncompress them, and then
             copy the appropriate documents into place.</para>
 
           <para>For example, the split HTML version of the FAQ,
             compressed using &man.bzip2.1;, can be found in the
             <filename>doc/en_US.ISO8859-1/books/faq/book.html-split.tar.bz2</filename>
             file.  To download and uncompress that file you would have
             to do this.</para>
 
           <screen>&prompt.root; <userinput>fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/doc/en_US.ISO8859-1/books/faq/book.html-split.tar.bz2</userinput>
 &prompt.root; <userinput>bzip2 -d book.html-split.tar.bz2</userinput>
 &prompt.root; <userinput>tar xvf book.html-split.tar</userinput></screen>
 
           <para>You will be left with a collection of
             <filename>.html</filename> files.  The main one is called
             <filename>index.html</filename>, which will contain the
             table of contents, introductory material, and links to the
             other parts of the document.  You can then copy or move
             these to their final location as necessary.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="mailing">
           <para>Where do I find info on the FreeBSD mailing lists?</para>
         </question>
 
         <answer>
           <para>You can find full information in the <ulink
             url="&url.books.handbook;/eresources.html#ERESOURCES-MAIL">Handbook
             entry on mailing-lists</ulink>.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="y2k">
           <para>Where do I find the FreeBSD Y2K info?</para>
         </question>
 
         <answer>
           <para>You can find full information in the <ulink
             url="&url.base;/y2kbug.html">FreeBSD Y2K page</ulink>.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="newsgroups">
           <para>What FreeBSD news groups are available?</para>
         </question>
 
         <answer>
           <para>You can find full information in the <ulink
             url="&url.books.handbook;/eresources-news.html">Handbook entry on
             newsgroups</ulink>.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="irc">
           <para>Are there FreeBSD IRC (Internet Relay Chat)
             channels?</para>
         </question>
 
         <answer>
           <para>Yes, most major IRC networks host a FreeBSD chat
             channel:</para>
 
           <itemizedlist>
             <listitem>
               <para>Channel <literal>#FreeBSD</literal> on
                 <ulink url="http://www.efnet.org/index.php">EFNet</ulink>
                 is a FreeBSD forum, but do not go there for tech
                 support or try to get folks there to help you avoid
                 the pain of reading manual pages or doing your own research.
                 It is a chat channel, first and foremost, and topics there
                 are just as likely to involve sex, sports or nuclear
                 weapons as they are FreeBSD.  You Have Been Warned!
                 Available at server <hostid>irc.chat.org</hostid>.</para>
             </listitem>
 
             <listitem>
               <para>Channel <literal>#FreeBSDhelp</literal> on
                 <ulink url="http://www.efnet.org/index.php">EFNet</ulink>
                 is a channel dedicated to helping FreeBSD users. They
                 are much more sympathetic to questions than
                 <literal>#FreeBSD</literal> is.</para>
             </listitem>
 
             <listitem>
               <para>Channel <literal>#FreeBSD</literal> on
                 <ulink url="http://www.dal.net/">DALNET</ulink>
                 is available at <hostid>irc.dal.net</hostid> in the
                 US and  <hostid>irc.eu.dal.net</hostid> in Europe.</para>
             </listitem>
 
             <listitem>
               <para>Channel <literal>#FreeBSD</literal> on
                 <ulink url="http://www.undernet.org/">UNDERNET</ulink>
                 is available at <hostid>us.undernet.org</hostid>
                 in the US and  <hostid>eu.undernet.org</hostid> in Europe.
                 Since it is a help channel, be prepared to read the
                 documents you are referred to.</para>
             </listitem>
 
             <listitem>
               <para>Channel <literal>#FreeBSD</literal> on <ulink
                 url="http://www.hybnet.net/">HybNet</ulink>.  This channel
                 <emphasis>is</emphasis> a help channel.  A list of servers
                 can be found on the <ulink
                 url="http://www.hybnet.net/">HybNet web site</ulink>.</para>
             </listitem>
           </itemizedlist>
 
           <para>Each of these channels are distinct and are not
             connected to each other.  Their chat styles also differ,
             so you may need to try each to find one suited to your
             chat style.  As with <emphasis>all</emphasis> types of IRC
             traffic, if you are easily offended or cannot deal with
             lots of young people (and more than a few older ones)
             doing the verbal equivalent of jello wrestling, do not
             even bother with it.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
 	<question id="training">
 	  <para>Where can I get commercial FreeBSD training and support?</para>
 	</question>
 
 	<answer>
 	  <para>DaemonNews provides commercial training and support for
 	    FreeBSD.  More information can be found at their 
 	    <ulink url="http://www.bsdmall.com/">BSD Mall</ulink> 
 	    site.</para>
 
 	  <para>FreeBSD Services Ltd provide commercial support for FreeBSD
 	    in the UK (as well as selling FreeBSD on DVD).  See their
 	    <ulink url="http://www.freebsd-services.com">web site</ulink>
 	    for more information.</para>
 
           <para>The FreeBSD Mall provides commercial FreeBSD support.
             You can get more information at their <ulink
             url="http://www.freebsdmall.com/">web site</ulink>.</para>
 
 	  <para>Any other organizations providing training and support should
 	    contact the project in order to be listed here.</para>
 	</answer>
       </qandaentry>
     </qandaset>
   </chapter>
 
   <chapter
     id="install">
     <chapterinfo>
       <author>
 	<firstname>Nik</firstname>
 	<surname>Clayton</surname>
 	<affiliation>
 	  <address><email>nik@FreeBSD.org</email></address>
 	</affiliation>
       </author>
     </chapterinfo>
     
     <title>Installation</title>
 
     <qandaset>
       <qandaentry>
         <question id="floppy-download">
           <para>Which file do I download to get FreeBSD?</para>
         </question>
 
         <answer>
           <para>Prior to release 3.1, you only needed one floppy image to
             install FreeBSD, namely <filename>floppies/boot.flp</filename>.
             However, since release 3.1 the Project has added out-of-the-box
             support for a wide variety of hardware, which takes up more
             space.  For 3.X and later you need two floppy images:
             <filename>floppies/kernel.flp</filename> and
             <filename>floppies/mfsroot.flp</filename>. These images need to
             be copied onto floppies by tools like
             <command>fdimage</command> or &man.dd.1;.
             In &os; 5.3 and later, the boot floppies have been restructured
             and you need <filename>floppies/boot.flp</filename> and
             all the <filename>floppies/kern<replaceable>X</replaceable></filename>
             files (of which there are currently two).</para>
 
           <para>If you need to download the distributions yourself (for a
             DOS filesystem install, for instance), below are some
             recommendations for distributions to grab:</para>
 
 
           <itemizedlist>
             <listitem>
               <para>base/ (bin/ in 4.X)</para>
             </listitem>
 
             <listitem>
               <para>manpages/</para>
             </listitem>
 
             <listitem>
               <para>compat*/</para>
             </listitem>
 
             <listitem>
               <para>doc/</para>
             </listitem>
 
             <listitem>
               <para>src/ssys.*</para>
             </listitem>
           </itemizedlist>
 
 
           <para>Full instructions on this procedure and a little bit more
             about installation issues in general can be found in the
             <ulink url="&url.books.handbook;/install.html">Handbook entry on
             installing FreeBSD</ulink>.</para>
 
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="floppy-image-too-large">
           <para>What do I do if the floppy images does not fit on a single
             floppy?</para>
         </question>
 
         <answer>
           <para>A 3.5 inch (1.44MB) floppy can accommodate 1474560 bytes
             of data. The boot image is exactly 1474560 bytes in size.</para>
 
           <para>Common mistakes when preparing the boot floppy are:</para>
 
           <itemizedlist>
             <listitem>
               <para>Not downloading the floppy image in
                 <emphasis>binary</emphasis> mode when using
                 <acronym>FTP</acronym>.</para>
 
 
               <para>Some FTP clients default their transfer mode to
                 <emphasis>ascii</emphasis> and attempt to change any
                 end-of-line characters received to match the conventions
                 used by the client's system. This will almost invariably
                 corrupt the boot image. Check the size of the downloaded
                 boot image: if it is not <emphasis>exactly</emphasis> that
                 on the server, then the download process is suspect.</para>
 
               <para>To workaround: type <emphasis>binary</emphasis> at the
                 FTP command prompt after getting connected to the server
                 and before starting the download of the image.</para>
             </listitem>
 
             <listitem>
               <para>Using the DOS <command>copy</command> command (or
                 equivalent GUI tool) to transfer the boot image to
                 floppy.</para>
 
               <para>Programs like <command>copy</command> will not work as
                 the boot image has been created to be booted into directly.
                 The image has the complete content of the floppy, track for
                 track, and is not meant to be placed on the floppy as a
                 regular file. You have to transfer it to the floppy
                 <quote>raw</quote>, using the low-level tools (e.g.
                 <command>fdimage</command> or <command>rawrite</command>)
                 described in the <ulink
                 url="&url.books.handbook;/install.html">installation guide to
                 FreeBSD</ulink>.</para>
             </listitem>
           </itemizedlist>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="install-instructions-location">
           <para>Where are the instructions for installing FreeBSD?</para>
         </question>
 
         <answer>
           <para>Installation instructions can be found in the
             <ulink url="&url.books.handbook;/install.html">Handbook entry on installing FreeBSD</ulink>.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="need-to-run">
           <para>What do I need in order to run FreeBSD?</para>
         </question>
 
         <answer>
           <para>For versions prior to 5.X, you will need a 386 or better
             PC, with 5 MB or more of RAM
             and at least 60 MB of hard disk space. It can run with a low
             end MDA graphics card but to run X11R6, a VGA or better video
             card is needed.  For &os; 5.X and later you will need a 486 or better
             PC, with 8 MB or more of RAM and at least 150 MB of hard disk
             space.</para>
 
           <para>See also <xref linkend="hardware">.</para>
 
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="four-meg-ram-install">
           <para>I have only 4 MB of RAM. Can I install FreeBSD?</para>
         </question>
 
         <answer>
           <para>FreeBSD 2.1.7 was the last version of FreeBSD that
             could be installed on a 4MB system.  FreeBSD 2.2 and later
             needs at least 5MB, and &os; 5.X and later need at least 8MB to
             install on a new system.</para>
 
           <para>All versions of FreeBSD prior to 5.X will <emphasis>run</emphasis>
             in 4MB of RAM, they just cannot run the installation
             program in 4MB. You can add extra memory for the install
             process, if you like, and then after the system is up and
             running, go back to 4MB. Or you could swap your disk into
             a system which has &gt;4MB, install onto the disk and then
             swap it back.</para>
 
           <para>After the installation, if you build a custom kernel,
             it will run in 4 MB. Someone has even successfully booted
             with 2 MB, although the system was almost unusable.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="custom-boot-floppy">
           <para>How can I make my own custom install floppy?</para>
         </question>
 
         <answer>
           <para>Currently there is no way to <emphasis>just</emphasis>
             make a custom install floppy. You have to cut a whole new
             release, which will include your install floppy.</para>
 
           <para>To make a custom release, follow the instructions in the
             <ulink url="&url.articles.releng;/article.html">Release
             Engineering</ulink> article.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="multiboot">
           <para>Can I have more than one operating system on my PC?</para>
         </question>
 
         <answer>
           <para>Have a look at
             <ulink url="&url.articles.multi-os;/index.html">
             the multi-OS page</ulink>.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="windows-coexist">
           <para>Can &windows; co-exist with FreeBSD?</para>
         </question>
 
         <answer>
           <para>Install &windows; first, then FreeBSD.
             FreeBSD's boot manager will then manage to boot &windows; and
             FreeBSD. If you install &windows; second, it will boorishly
             overwrite your boot manager without even asking. If that
             happens, see the next section.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="win95-damaged-boot-manager">
           <para>&windows; killed my boot manager!
             How do I get it back?</para>
         </question>
 
         <answer>
           <para>You can reinstall the boot manager FreeBSD comes with in
             one of three ways:</para>
 
           <itemizedlist>
             <listitem>
               <para>Running DOS, go into the tools/ directory of your
                 FreeBSD distribution and look for
                 <filename>bootinst.exe</filename>.  You run it like
                 so:</para>
 
               <screen><prompt>...\TOOLS&gt;</prompt> <userinput>bootinst.exe boot.bin</userinput></screen>
 
               <para>and the boot manager will be reinstalled.</para>
             </listitem>
 
             <listitem>
               <para>Boot the FreeBSD boot floppy again and go to the
                 Custom installation menu item. Choose Partition. Select the
                  drive which used to contain your boot manager (likely the
                  first one) and when you come to the partition editor for
                  it, as the very first thing (e.g. do not make any changes)
                  select (W)rite. This will ask for confirmation, say yes,
                  and when you get the Boot Manager selection prompt, be
                  sure to select <quote>Boot Manager</quote>. This will
                  re-write the boot manager to disk. Now quit out of the
                  installation menu and reboot off the hard disk as
                  normal.</para>
             </listitem>
 
             <listitem>
               <para>Boot the FreeBSD boot floppy (or CDROM) and choose the
                 <quote>Fixit</quote> menu item. Select either the Fixit
                 floppy or CDROM #2 (the <quote>live</quote> filesystem
                 option) as appropriate and enter the fixit shell. Then
                 execute the following command:</para>
 
               <screen><prompt>Fixit#</prompt> <userinput>fdisk -B -b /boot/boot0 <replaceable>bootdevice</replaceable></userinput></screen>
 
               <para>substituting <replaceable>bootdevice</replaceable> for
                 your real
                 boot device such as <devicename>ad0</devicename> (first IDE
                 disk), <devicename>ad4</devicename> (first IDE disk on
                 auxiliary controller), <devicename>da0</devicename> (first
                 SCSI disk), etc.</para>
             </listitem>
           </itemizedlist>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="boot-on-thinkpad">
           <para>My A, T, or X series IBM Thinkpad locks up when I first
             booted up my FreeBSD installation.  How can I solve this?</para>
         </question>
 
         <answer>
           <para>A bug in early revisions of IBM's BIOS on these machines
             mistakenly identifies the FreeBSD partition as a potential FAT
             suspend-to-disk partition.  When the BIOS tries to parse the
             FreeBSD partition it hangs.</para>
 
           <para>According to IBM<footnote><para>In an e-mail from Keith
                 Frechette
                 <email>kfrechet@us.ibm.com</email>.</para></footnote>, the
             following model/BIOS release numbers incorporate the fix.</para>
 
-          <informaltable frame="none">
+          <informaltable frame="none" pgwide="1">
             <tgroup cols="2">
               <thead>
                 <row>
                   <entry>Model</entry>
                   <entry>BIOS revision</entry>
                 </row>
               </thead>
 
               <tbody>
                 <row>
                   <entry>T20</entry>
                   <entry>IYET49WW or later</entry>
                 </row>
 
                 <row>
                   <entry>T21</entry>
                   <entry>KZET22WW or later</entry>
                 </row>
 
                 <row>
                   <entry>A20p</entry>
                   <entry>IVET62WW or later</entry>
                 </row>
 
                 <row>
                   <entry>A20m</entry>
                   <entry>IWET54WW or later</entry>
                 </row>
 
                 <row>
                   <entry>A21p</entry>
                   <entry>KYET27WW or later</entry>
                 </row>
 
                 <row>
                   <entry>A21m</entry>
                   <entry>KXET24WW or later</entry>
                 </row>
 
                 <row>
                   <entry>A21e</entry>
                   <entry>KUET30WW</entry>
                 </row>
               </tbody>
             </tgroup>
           </informaltable>
 
 	  <para>It has been reported that later IBM BIOS revisions may
 	    have reintroduced the bug.  <ulink
 	    url="http://docs.FreeBSD.org/cgi/mid.cgi?20010427133759.A71732">This
 	    message</ulink> from Jacques Vidrine to the &a.mobile;
 	    describes a procedure which may work if your newer IBM
 	    laptop does not boot FreeBSD properly, and you can upgrade
 	    or downgrade the BIOS.</para>
 	
           <para>If you have an earlier BIOS, and upgrading is not an option, a
             workaround is to install FreeBSD, change the partition ID FreeBSD
             uses, and install new boot blocks that can handle the different
             partition ID.</para>
 
           <para>First, you will need to restore the machine to a state where
             it can get through its self-test screen.  Doing this requires
             powering up the machine without letting it find a FreeBSD
             partition on its primary disk.  One way is to remove the hard disk
             and temporarily move it to an older ThinkPad (such as a ThinkPad
             600) or a desktop PC with an appropriate conversion cable.  Once
             it is there, you can delete the FreeBSD partition and move the hard
             disk back.  The ThinkPad should now be in a bootable state
             again.</para>
 
           <para>With the machine functional again, you can use the workaround
             procedure described here to get a working FreeBSD
             installation.</para>
 
           <procedure>
             <step>
               <para>Download <filename>boot1</filename> and
                 <filename>boot2</filename> from <ulink
                   url="http://people.FreeBSD.org/~bmah/ThinkPad/"></ulink>.
                 Put these files somewhere you will be able to retrieve them
                 later.</para>
             </step>
 
             <step>
               <para>Install FreeBSD as normal on to the ThinkPad.
                 <emphasis>Do not</emphasis> use <literal>Dangerously
                   Dedicated</literal> mode.  <emphasis>Do not</emphasis>
                 reboot when the install has finished.</para>
             </step>
 
             <step>
               <para>Either switch to the <quote>Emergency Holographic
                   Shell</quote> (<keycombo action="simul"><keycap>ALT</keycap>
                   <keycap>F4</keycap></keycombo>) or start a
                 <quote>fixit</quote> shell.</para>
             </step>
 
             <step>
               <para>Use &man.fdisk.8; to change the FreeBSD partition ID from
                 <literal>165</literal> to <literal>166</literal> (this is the
                   type used by OpenBSD).</para>
             </step>
 
             <step>
               <para>Bring the <filename>boot1</filename> and
                 <filename>boot2</filename> files to the local
                 filesystem.</para>
             </step>
 
             <step>
               <para>Use &man.disklabel.8; to write <filename>boot1</filename>
                 and <filename>boot2</filename> to your FreeBSD slice.</para>
 
               <screen>&prompt.root; <userinput>disklabel -B -b boot1 -s boot2 ad0s<replaceable>n</replaceable></userinput></screen>
 
               <para><replaceable>n</replaceable> is the number of the slice
                 where you installed FreeBSD.</para>
             </step>
 
             <step>
               <para>Reboot.  At the boot prompt you will be given the option
                 of booting <literal>OpenBSD</literal>.  This will actually
                 boot FreeBSD.</para>
             </step>
           </procedure>
 
           <para>Getting this to work in the case where you want to dual boot
           OpenBSD and FreeBSD on the same laptop is left as an exercise for
           the reader.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="install-bad-blocks">
           <para>Can I install on a disk with bad blocks?</para>
         </question>
 
         <answer>
           <para>Prior to 3.0, FreeBSD included a utility known as
             <command>bad144</command>, which automatically remapped bad
             blocks. Because modern IDE drives perform this function
             themselves, <command>bad144</command> has been removed from the
             FreeBSD source tree. If you wish to install FreeBSD 3.0 or
             later, we strongly suggest you purchase a newer disk drive. If
             you do not wish to do this, you must run FreeBSD 2.X.</para>
             <para>If you are seeing bad block errors with a modern IDE
             drive, chances are the drive is going to die very soon (the
             drive's internal remapping functions are no longer sufficient
             to fix the bad blocks, which means the disk is heavily
             corrupted); we suggest you buy a new hard drive.</para>
 
           <para>If you have a SCSI drive with bad blocks, see
             <link linkend="awre">this answer</link>.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="bad144-3x-4x">
           <para>I have just upgraded from 3.X to 4.X, and my first boot
             failed with <errorname>bad sector table not
             supported</errorname></para>
         </question>
 
         <answer>
           <para>FreeBSD 3.X and earlier supported
             <command>bad144</command>, which automatically remapped
             bad blocks.  FreeBSD 4.X and later do not support this, as
             modern IDE drives include this functionality.  See <link
             linkend="install-bad-blocks">this question</link> for
             more information.</para>
 
           <para>To fix this after an upgrade, you need to physically
             place the drive in a working system and use
             &man.disklabel.8; as discussed in the following
             questions.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="find-bad144">
           <para>How do I tell if a drive has <command>bad144</command>
             information on it before I try to upgrade to FreeBSD 4.0
             and it fails?</para>
         </question>
 
         <answer>
           <para>Use &man.disklabel.8; for this.  <command>disklabel -r
             <replaceable>drive device</replaceable></command> will
             give you the contents of your disk label.  Look for a
             <literal>flags</literal> field.  If you see
             <literal>flags: badsect</literal>, this drive is using
             bad144.  For example, the following drive has
             <command>bad144</command> enabled.:</para>
 
           <screen>&prompt.root; <userinput>disklabel -r wd0</userinput>
 # /dev/rwd0c:
 type: ESDI
 disk: wd0s1
 label:
 flags: badsect
 bytes/sector: 512
 sectors/track: 63</screen>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="disable-bad144">
           <para>How do I remove <command>bad144</command> from my
             pre-4.X system so I can upgrade safely?</para>
         </question>
 
         <answer>
           <para>Use <command>disklabel -e -rwd0 </command> to edit the
             disklabel in place.  Just remove the word
             <literal>badsect</literal> from the flags field, save, and
             exit.  The bad144 file will still take up some space on
             your drive, but the disk itself will be usable.</para>
 
           <para>We still recommend you purchase a new disk if you have
             a large number of bad blocks.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="boot-floppy-strangeness">
           <para>Strange things happen when I boot the install floppy!
             What is happening?</para>
         </question>
 
         <answer>
           <para>If you are seeing things like the machine grinding to a halt
             or spontaneously rebooting when you try to boot the install
             floppy, here are three questions to ask yourself:-</para>
 
           <orderedlist>
             <listitem>
               <para>Did you use a new, freshly-formatted, error-free floppy
                 (preferably a brand-new one straight out of the box, as
                 opposed to the magazine cover disk that has been lying under
                 the bed for the last three years)?</para>
             </listitem>
 
             <listitem>
               <para>Did you download the floppy image in binary (or image)
                 mode? (do not be embarrassed, even the best of us have
                 accidentally downloaded a binary file in ASCII mode at
                 least once!)</para>
             </listitem>
 
             <listitem>
               <para>If you are using &windows; 95 or 98 did you run
                 <command>fdimage</command> or
                 <command>rawrite</command> in pure DOS mode? These
                 operating systems can interfere with programs that
                 write directly to hardware, which the disk creation
                 program does; even running it inside a DOS shell in
                 the GUI can cause this problem.</para>
             </listitem>
           </orderedlist>
 
           <para>There have also been reports of &netscape; causing problems
             when downloading the boot floppy, so it is probably best to use
             a different FTP client if you can.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="no-install-cdrom">
           <para>I booted from my ATAPI CDROM, but the install program
             says no CDROM is found.  Where did it go?</para>
         </question>
 
         <answer>
           <para>The usual cause of this problem is a mis-configured CDROM
             drive.  Many PCs now ship with the CDROM as the slave device on
             the secondary IDE controller, with no master device on that
             controller.  This is illegal according to the ATAPI specification,
             but &windows; plays fast and loose with the specification, and the
             BIOS ignores it when booting.  This is why the BIOS was able to
             see the  CDROM to boot from it, but why FreeBSD cannot see it to
             complete  the install.</para>
 
           <para>Reconfigure your system so that the CDROM is either the
             master device on the IDE controller it is attached to, or make
             sure that it is the slave on an IDE controller that also has a
             master device.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="install-PLIP">
           <para>Can I install on my laptop over PLIP (Parallel Line
             IP)?</para>
         </question>
 
         <answer>
           <para>Yes. Use a standard Laplink cable. If necessary, you
             can check out the <ulink url="&url.books.handbook;/network-plip.html">PLIP
             section of the Handbook</ulink> for details on parallel
             port networking.</para>
 
           <para>If you are running FreeBSD 3.X or earlier, also look at
             the <ulink
             url="http://www.jp.freebsd.org/PAO/">Mobile
             Computing page</ulink>.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="geometry">
           <para>Which geometry should I use for a disk drive?</para>
         </question>
 
         <answer>
             <note>
               <para>By the <quote>geometry</quote> of a disk, we mean
               the number of cylinders, heads and sectors/track on a
               disk.  We will refer to this as C/H/S for
               convenience. This is how the PC's BIOS works out which
               area on a disk to read/write from.</para>
             </note>
 
           <para>This causes a lot of confusion among new system
             administrators.  First of all, the
             <emphasis>physical</emphasis> geometry of a SCSI drive is
             totally irrelevant, as FreeBSD works in term of disk
             blocks. In fact, there is no such thing as
             <quote>the</quote> physical geometry, as the sector
             density varies across the disk.  What manufacturers claim
             is the <quote>physical geometry</quote> is usually the
             geometry that they have determined wastes the least
             space. For IDE disks, FreeBSD does work in terms of C/H/S,
             but all modern drives internally convert this into block
             references.</para>
 
           <para>All that matters is the <emphasis>logical</emphasis>
             geometry.  This is the answer that the BIOS gets when it
             asks the drive <quote>what is your geometry?</quote> It
             then uses this geometry to access the disk. As FreeBSD
             uses the BIOS when booting, it is very important to get
             this right. In particular, if you have more than one
             operating system on a disk, they must all agree on the
             geometry.  Otherwise you will have serious problems
             booting!</para>
 
           <para>For SCSI disks, the geometry to use depends on whether
            extended translation support is turned on in your
            controller (this is often referred to as <quote>support for
            DOS disks &gt;1GB</quote> or something similar). If it is
            turned off, then use <replaceable>N</replaceable>
            cylinders, 64 heads and 32 sectors/track, where
            <replaceable>N</replaceable> is the capacity of the disk in
            MB. For example, a 2GB disk should pretend to have 2048
            cylinders, 64 heads and 32 sectors/track.</para>
 
           <para>If it <emphasis>is</emphasis> turned on (it is often
             supplied this way to get around certain limitations in
             &ms-dos;) and the disk capacity is more than 1GB, use M
             cylinders, 63 sectors per track (<emphasis>not</emphasis>
             64), and 255 heads, where <literal>M</literal> is the disk capacity in MB
             divided by 7.844238 (!). So our example 2GB drive would
             have 261 cylinders, 63 sectors per track and 255
             heads.</para>
 
           <para>If you are not sure about this, or FreeBSD fails to
             detect the geometry correctly during installation, the
             simplest way around this is usually to create a small DOS
             partition on the disk. The BIOS should then detect the
             correct geometry, and you can always remove the DOS
             partition in the partition editor if you do not want to
             keep it.  You might want to leave it around for
             programming network cards and the like, however.</para>
 
           <para>Alternatively, there is a freely available utility
             distributed with FreeBSD called
             <filename>pfdisk.exe</filename>.  You can find it in the
             <filename>tools</filename> subdirectory on the FreeBSD
             CDROM or on the various FreeBSD FTP sites.  This program
             can be used to work out what geometry the other operating
             systems on the disk are using. You can then enter this
             geometry in the partition editor.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="disk-divide-restrictions">
           <para>Are there any restrictions on how I divide the disk up?</para>
         </question>
 
         <answer>
           <para>Yes. You must make sure that your root partition is below 1024
             cylinders so the BIOS can boot the kernel from it.  (Note that
             this is a limitation in the PC's BIOS, not FreeBSD).</para>
 
           <para>For a SCSI drive, this will normally imply that the root
             partition will be in the first 1024MB (or in the first 4096MB
             if extended translation is turned on - see previous question).
             For IDE, the corresponding figure is 504MB.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="disk-manager">
           <para>Is FreeBSD compatible with any disk managers?</para>
         </question>
 
         <answer>
           <para>FreeBSD recognizes the Ontrack Disk Manager and makes
             allowances for it. Other disk managers are not supported.</para>
 
           <para>If you just want to use the disk with FreeBSD you do not
             need a disk manager. Just configure the disk for as much space
             as the BIOS can deal with (usually 504 megabytes), and FreeBSD
             should figure out how much space you really have. If you are
             using an old disk with an MFM controller, you may need to
             explicitly tell FreeBSD how many cylinders to use.</para>
 
           <para>If you want to use the disk with FreeBSD and another
             operating system, you may be able to do without a disk manager:
             just make sure the FreeBSD boot partition and the slice for
             the other operating system are in the first 1024 cylinders. If
             you are reasonably careful, a 20 megabyte boot partition should
             be plenty.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="missing-os">
           <para>When I boot FreeBSD for the first time after install I get <errorname>Missing Operating
             System</errorname>.  What is happening?</para>
         </question>
 
         <answer>
           <para>This is classically a case of FreeBSD and DOS or some other
             OS conflicting over their ideas of disk <link
             linkend="geometry">geometry</link>. You will have to reinstall
             FreeBSD, but obeying the instructions given above will almost
             always get you going.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="stop-at-boot-manager">
           <para>Why can I not get past the boot manager's <prompt>F?</prompt>
             prompt?</para>
         </question>
 
         <answer>
           <para>This is another symptom of the problem described in the
             preceding question. Your BIOS geometry and FreeBSD geometry
             settings do not agree! If your controller or BIOS supports
             cylinder translation (often marked as <quote>&gt;1GB drive
             support</quote>), try toggling its setting and reinstalling
             FreeBSD.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="need-complete-sources">
           <para>Do I need to install the complete sources?</para>
         </question>
 
         <answer>
           <para>In general, no.  However, we would strongly recommend that
             you install, at a minimum, the <literal>base</literal> source
             kit, which includes several of the files mentioned here, and
             the <literal>sys</literal> (kernel) source kit, which includes
             sources for the kernel. There is nothing in the system which
             requires the presence of the sources to operate, however,
             except for the kernel-configuration program &man.config.8;.
             With the exception of the kernel sources, our build structure
             is set up so that you can read-only mount the sources from
             elsewhere via NFS and still be able to make new binaries
             (due to the kernel-source restriction, we recommend that
             you not mount this on <filename>/usr/src</filename> directly,
             but rather in some other location with appropriate symbolic
             links to duplicate the top-level structure of the source
             tree).</para>
 
           <para>Having the sources on-line and knowing how to build a
             system with them will make it much easier for you to upgrade
             to future releases of FreeBSD.</para>
 
           <para>To actually select a subset of the sources, use the Custom
             menu item when you are in the Distributions menu of the
             system installation tool.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="need-kernel">
           <para>Do I need to build a kernel?</para>
         </question>
 
         <answer>
           <para>Building a new kernel was originally pretty much a required
             step in a FreeBSD installation, but more recent releases have
             benefited from the introduction of much friendlier kernel
             configuration methods. In 4.X and earlier, when at the FreeBSD boot prompt (boot:),
             use the <option>-c</option> flag and you will be dropped into a
             visual configuration screen which allows you to configure the
             kernel's settings for most common ISA cards.  In &os; 5.X and later
             this has been replaced by much more flexible "hints" which
             can be set from the loader prompt.</para>
 
           <para>It may still be worthwhile building a new
             kernel containing just the drivers that you need, just to save a
             bit of RAM, but it is no longer necessary for most
             systems.</para>
 
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="password-encryption">
           <para>Should I use DES, Blowfish, or MD5 passwords and how
             do I specify which form my users receive?</para>
         </question>
 
         <answer>
           <para>The default password format on FreeBSD is to use
             <emphasis>MD5</emphasis>-based passwords. These are
             believed to be more secure than the traditional &unix;
             password format, which used a scheme based on the
             <emphasis>DES</emphasis> algorithm.  DES passwords are
             still available if you need to share your password file
             with legacy operating systems which still use the less
             secure password format (they are available if you choose
             to install the <quote>crypto</quote> distribution in
             sysinstall, or by installing the crypto sources if
             building from source). Installing the crypto libraries
             will also allow you to use the Blowfish password format,
             which is more secure.  Which password format to use for
             new passwords is controlled by the
             <quote>passwd_format</quote> login capability in
             <filename>/etc/login.conf</filename>, which takes values
             of <quote>des</quote>, <quote>blf</quote> (if these are
             available) or <quote>md5</quote>.  See the
             &man.login.conf.5; manual page for more information about
             login capabilities.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="boot-floppy-hangs">
           <para>Why does the boot floppy start, but hang at the
             <literal>Probing Devices...</literal> screen?</para>
         </question>
 
         <answer>
 
           <para>If you have a IDE &iomegazip; or &jaz; drive installed, remove it
             and try again. The boot floppy can get confused by the drives.
             After the system is installed you can reconnect the drive.
             Hopefully this will be fixed in a later release.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="panic-on-install-reboot">
           <para>Why do I get a <errorname>panic: can't mount root</errorname>
             error when rebooting the system after installation?</para>
         </question>
 
         <answer>
           <para>This error comes from confusion between the boot block's
             and the kernel's understanding of the disk devices. The error
             usually manifests on two-disk IDE systems, with the hard disks
             arranged as the master or single device on separate IDE
             controllers, with FreeBSD installed on the secondary IDE
             controller. The boot blocks think the system is installed on
             wd1 (the second BIOS disk) while the kernel assigns the first
             disk on the secondary controller device wd2. After the device
             probing, the kernel tries to mount what the boot blocks think
             is the boot disk, wd1, while it is really wd2, and
             fails.</para>
 
           <para>To fix the problem, do one of the following:</para>
 
             <orderedlist>
               <listitem>
                 <para>For FreeBSD 3.3 and later, reboot the system and hit
                   <keycap>Enter</keycap> at the <literal>Booting kernel
                   in 10 seconds; hit [Enter] to interrupt</literal> prompt.
                   This will drop you into the boot loader.</para>
 
                 <para>Then type
                   <literal>
                   set root_disk_unit="<replaceable>disk_number</replaceable>"
                   </literal>. <replaceable>disk_number</replaceable>
                   will be <literal>0</literal> if FreeBSD is installed on
                   the master drive on the first IDE controller,
                   <literal>1</literal> if it is installed on the slave on
                   the first IDE controller, <literal>2</literal> if it is
                   installed on the master of the second IDE controller, and
                   <literal>3</literal> if it is installed on the slave of
                   the second IDE controller.</para>
 
                 <para>Then type <literal>boot</literal>, and your system
                   should boot correctly.</para>
 
                 <para>To make this change permanent (ie so you do not
                   have to do this every time you reboot or turn on
                   your FreeBSD machine), put the line <literal>
                   root_disk_unit="<replaceable>disk_number</replaceable>"</literal>
                   in <filename>/boot/loader.conf.local
                   </filename>.</para>
               </listitem>
 
               <listitem>
                 <para>If using FreeBSD 3.2 or earlier, at the Boot:
                   prompt, enter <literal>1:wd(2,a)kernel</literal> and
                   press <keycap>Enter</keycap>.  If the system starts,
                   then run the command <command>echo "1:wd(2,a)kernel"
                   &gt; /boot.config</command> to make it the default
                   boot string.</para>
               </listitem>
 
               <listitem>
                 <para>Move the FreeBSD disk onto the primary IDE controller,
                   so the hard disks are consecutive.</para>
               </listitem>
 
               <listitem>
                 <para><ulink url="&url.books.handbook;/kernelconfig.html">Rebuild
                   your kernel,</ulink> modify the wd configuration lines to
                   read:</para>
 
                   <programlisting>controller      wdc0    at isa? port "IO_WD1" bio irq 14 vector wdintr
 disk            wd0     at wdc0 drive 0
 # disk            wd1     at wdc0 drive 1 # comment out this line
 
 controller      wdc1    at isa? port "IO_WD2" bio irq 15 vector wdintr
 disk            wd1     at wdc1 drive 0 # change from wd2 to wd1
 disk            wd2     at wdc1 drive 1 # change from wd3 to wd2</programlisting>
 
                 <para>Install the new kernel.  If you moved your disks and
                   wish to restore the previous configuration, replace the
                   disks in the desired configuration and reboot.  Your
                   system should boot successfully.</para>
               </listitem>
             </orderedlist>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="memory-limits">
           <para>What are the limits for memory?</para>
         </question>
 
         <answer>
           <para>The limit is 4 gigabytes on a standard &i386; install.
             Beginning with &os; versions 4.9 and 5.1, more memory can be
             supported through &man.pae.4;.  This does require a kernel
             recompile, with an extra option to enable PAE:</para>
 
             <programlisting>options       PAE</programlisting>
 
           <para>&os;/pc98 has a limit of 4 GB memory, and PAE can not
             be used with it.  On &os;/alpha, the limit on memory depends
             on the type of hardware in use - consult the Alpha Hardware
             Release Notes for details.  Other architectures
             supported by &os; have much higher theoretical limits on
             maximum memory (many terabytes).</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="ffs-limits">
           <para>What are the limits for ffs filesystems?</para>
         </question>
 
         <answer>
           <para>For ffs filesystems, the maximum theoretical limit is 8
             terabytes (2G blocks), or 16TB for the default block size of
             8K. In practice, there is a soft limit of 1 terabyte, but with
             modifications filesystems with 4 terabytes are possible (and
             exist).</para>
 
           <para>The maximum size of a single ffs file is approximately 1G
             blocks, or 4TB with a block size of 4K.</para>
 
           <table>
             <title>Maximum file sizes</title>
 
             <tgroup cols="5">
               <thead>
                 <row>
                   <entry>fs block size</entry>
 
                   <entry>2.2.7-stable</entry>
 
                   <entry>3.0-current</entry>
 
                   <entry>works</entry>
 
                   <entry>should work</entry>
                 </row>
               </thead>
 
               <tbody>
                 <row>
                   <entry>4K</entry>
 
                   <entry>4T-1</entry>
 
                   <entry>4T-1</entry>
 
                   <entry>4T-1</entry>
 
                   <entry>&gt;4T</entry>
                 </row>
 
                 <row>
                   <entry>8K</entry>
 
                   <entry>&gt;32G</entry>
 
                   <entry>8T-1</entry>
 
                   <entry>&gt;32G</entry>
 
                   <entry>32T-1</entry>
                 </row>
 
                 <row>
                   <entry>16K</entry>
 
                   <entry>&gt;128G</entry>
 
                   <entry>16T-1</entry>
 
                   <entry>&gt;128G</entry>
 
                   <entry>32T-1</entry>
                 </row>
 
                 <row>
                   <entry>32K</entry>
 
                   <entry>&gt;512G</entry>
 
                   <entry>32T-1</entry>
 
                   <entry>&gt;512G</entry>
 
                   <entry>64T-1</entry>
                 </row>
 
                 <row>
                   <entry>64K</entry>
 
                   <entry>&gt;2048G</entry>
 
                   <entry>64T-1</entry>
 
                   <entry>&gt;2048G</entry>
 
                   <entry>128T-1</entry>
                 </row>
               </tbody>
             </tgroup>
           </table>
 
           <para>When the fs block size is 4K, triple indirect blocks work
             and everything should be limited by the maximum fs block number
             that can be represented using triple indirect blocks (approx.
             1K^3 + 1K^2 + 1K), but everything is limited by a (wrong) limit
             of 1G-1 on fs block numbers. The limit on fs block numbers
             should be 2G-1. There are some bugs for fs block numbers near
             2G-1, but such block numbers are unreachable when the fs block
             size is 4K.</para>
 
           <para>For block sizes of 8K and larger, everything should be
             limited by the 2G-1 limit on fs block numbers, but is actually
             limited by the 1G-1 limit on fs block numbers, except under
             -STABLE triple indirect blocks are unreachable, so the limit is
             the maximum fs block number that can be represented using
             double indirect blocks (approx. (blocksize/4)^2 +
             (blocksize/4)), and under -CURRENT exceeding this limit may
             cause problems. Using the correct limit of 2G-1 blocks does
             cause problems.</para>
 
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="archsw-readin-failed-error">
           <para>Why do I get an error message,
             <errorname>archsw.readin.failed</errorname> after compiling
             and booting a new kernel?</para>
         </question>
 
         <answer>
           <para>You can boot by specifying the kernel directly at the second
             stage, pressing any key when the | shows up before loader is
             started. More specifically, you have upgraded the source for
             your kernel, and installed a new kernel builtin from them
             <emphasis>without making world</emphasis>. This is not
             supported. Make world.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="security-profiles">
           <para>What are these <quote>security profiles</quote>?</para>
         </question>
 
         <answer>
           <para>A <quote>security profile</quote> is a set of configuration
             options that attempts to achieve the desired ratio of security
             to convenience by enabling and disabling certain programs and
             other settings.  For full details, see the <ulink
             url="&url.books.handbook;/install-post.html#SECURITYPROFILE">Security
             Profile</ulink> section of the Handbook's <ulink
             url="&url.books.handbook;/install-post.html">post-install
             chapter</ulink>.</para>
         </answer>
       </qandaentry>
     </qandaset>
   </chapter>
 
   <chapter
     id="hardware">
     <title>Hardware compatibility</title>
 
       <sect1 id="compatibility-general">
 	<title>General</title>
 
     <qandaset>
       <qandaentry>
         <question id="which-hardware-to-get">
           <para>I want to get a piece of hardware for my FreeBSD
             system.  Which model/brand/type is best?</para>
         </question>
 
         <answer>
           <para>This is discussed continually on the FreeBSD mailing
             lists.  Since hardware changes so quickly, however, we
             expect this.  We <emphasis>still</emphasis> strongly
             recommend that you read through the Hardware notes for &os;
 	    <ulink url="&rel.current.hardware;">&rel.current;</ulink>
 	    or
 	    <ulink url="&rel2.current.hardware;">&rel2.current;</ulink>
 	    and search the mailing list
             <ulink url="http://www.FreeBSD.org/search/#mailinglists">
             archives</ulink> before asking about the latest and
             greatest hardware.  Chances are a discussion about the
             type of hardware you are looking for took place just last
             week.</para>
 
           <para>If you are looking for a laptop, check the
             FreeBSD-mobile mailing list archives.  Otherwise, you
             probably want the archives for FreeBSD-questions, or
             possibly a specific mailing list for a particular hardware
             type.</para>
         </answer>
       </qandaentry>
 
     </qandaset>
       </sect1>
 
       <sect1 id="compatibility-processors">
 	<title>Architectures and processors</title>
 
     <qandaset>
       <qandaentry>
         <question id="architectures">
           <para>Does FreeBSD support architectures other than the x86?</para>
         </question>
 
         <answer>
 
           <para>Yes.  FreeBSD currently runs on the Intel x86 and DEC (now
             Compaq) Alpha architectures.  As of FreeBSD 5.0, the
             AMD64 and Intel EM64T, IA-64, and &sparc64; architectures are also
             supported.
             Upcoming platforms are
             &mips; and &powerpc;, join the &a.ppc; or the
             &a.mips; respectively for more information about ongoing
             work on these platforms.  For general discussion on new
             architectures, join the &a.platforms;.</para>
 
           <para>If your machine has a different architecture and you need
             something right now, we suggest you look at <ulink
             url="http://www.netbsd.org/">NetBSD</ulink> or <ulink
             url="http://www.openbsd.org/">OpenBSD</ulink>.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="smp-support">
           <para>Does FreeBSD support Symmetric Multiprocessing
             (SMP)?</para>
         </question>
 
         <answer>
           <para>Yes.  SMP was enabled by default in the
             <emphasis>GENERIC</emphasis> kernel as of &os; 5.2.</para>
 
           <para>The intention was also to enable it by default for
 	    the &os; 5.3 release, but problems running the SMP kernel
 	    on certain UP machines led to the decision to disable it
 	    until those problems can be addressed.  This is a priority
 	    for &os; 5.4.</para>
 
           <para>In &os; 4.X, SMP is not enabled in the default kernel,
             so you must recompile your kernel to enable SMP.  Take a
             look at <filename>/sys/i386/conf/LINT</filename> to learn
             which options to put in your kernel config file.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="no-math-coprocessor">
           <para>I do not have a math co-processor - is that bad?</para>
         </question>
 
         <answer>
             <note>
               <para>This will only affect 386/486SX/486SLC owners - other
                 machines will have one built into the CPU.</para>
             </note>
 
           <para>In general this will not cause any problems, but there are
             circumstances where you will take a hit, either in performance
             or accuracy of the math emulation code (see the section <link
             linkend="emul">on FP emulation</link>). In particular, drawing
             arcs in X will be VERY slow. It is highly recommended that you
             buy a math co-processor; it is well worth it.</para>
 
             <note>
               <para>Some math co-processors are better than others.  It
                 pains us to say it, but nobody ever got fired for buying
                 Intel. Unless you are sure it works with FreeBSD, beware of
                 clones.</para>
             </note>
         </answer>
       </qandaentry>
 
 	</qandaset>
 
       </sect1>
 
       <sect1 id="compatibility-drives">
 	<title>Hard drives, tape drives, and CD and DVD drives</title>
 
 	<qandaset>
 
       <qandaentry>
         <question id="supported-hard-drives">
           <para>What kind of hard drives does FreeBSD support?</para>
         </question>
 
         <answer>
           <para>FreeBSD supports EIDE and SCSI drives (with a compatible
             controller; see the next section), and all drives using the
             original <quote>Western Digital</quote> interface (MFM, RLL,
             ESDI, and of course IDE). A few ESDI controllers that use
             proprietary interfaces may not work: stick to WD1002/3/6/7
             interfaces and clones.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="supported-scsi-controllers">
           <para>Which SCSI controllers are supported?</para>
         </question>
 
         <answer>
           <para>See the complete list in the Hardware Notes for &os;
 	    <ulink url="&rel.current.hardware;">&rel.current;</ulink> or
 	    <ulink url="&rel2.current.hardware;">&rel2.current;</ulink>.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="tape-support">
           <para>What types of tape drives are supported?</para>
         </question>
 
         <answer>
 
           <para>FreeBSD supports SCSI and QIC-36 (with a QIC-02 interface).
             This includes 8-mm (aka Exabyte) and DAT drives.</para>
 
           <para>Some of the early 8-mm drives are not quite compatible
           with SCSI-2, and may not work well with FreeBSD.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="tape-changer-support">
           <para>Does FreeBSD support tape changers?</para>
         </question>
 
         <answer>
           <para>FreeBSD supports SCSI changers using the &man.ch.4;
             device and the &man.chio.1; command. The details of how you
             actually control the changer can be found in the &man.chio.1;
             manual page.</para>
 
           <para>If you are not using <application>AMANDA</application>
             or some other product that already understands changers,
             remember that they only know how to move a tape from one
             point to another, so you need to keep track of which slot a
             tape is in, and which slot the tape currently in the drive
             needs to go back to.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="supported-cdrom-drives">
           <para>Which CDROM drives are supported by FreeBSD?</para>
         </question>
 
         <answer>
           <para>Any SCSI drive connected to a supported controller is
             supported.</para>
 
           <para>The following proprietary CDROM interfaces are also
             supported:</para>
 
             <itemizedlist>
               <listitem>
                 <para>Mitsumi LU002 (8bit), LU005 (16bit) and FX001D
                   (16bit 2x Speed).</para>
               </listitem>
 
               <listitem>
                 <para>Sony CDU 31/33A</para>
               </listitem>
 
               <listitem>
                 <para>Sound Blaster Non-SCSI CDROM</para>
               </listitem>
 
               <listitem>
                 <para>Matsushita/Panasonic CDROM</para>
               </listitem>
 
               <listitem>
                 <para>ATAPI compatible IDE CDROMs</para>
               </listitem>
             </itemizedlist>
 
           <para>All non-SCSI cards are known to be extremely slow compared
             to SCSI drives, and some ATAPI CDROMs may not work.</para>
 
           <para>The official FreeBSD CDROM ISO, and CDROMs from Daemon
             News and FreeBSD Mall, support booting directly from the
             CD.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="supported-cdrw-drives">
           <para>Which CD-RW drives are supported by FreeBSD?</para>
         </question>
 
 	<answer>
 	  <para>FreeBSD supports any ATAPI-compatible IDE CD-R or CD-RW
 	    drive.  For FreeBSD versions 4.0 and later, see the manual page for
 	      &man.burncd.8;.  For earlier FreeBSD versions, see the examples
 	    in <filename>/usr/share/examples/atapi</filename>.</para>
 
 	  <para>FreeBSD also supports any SCSI CD-R or CD-RW drives.
 	    Install and use the <command>cdrecord</command> command from the
 	    ports or packages system, and make sure that you have the
 	    <devicename>pass</devicename> device compiled in your
 	    kernel.</para>
 	</answer>
       </qandaentry>
 
       <qandaentry>
         <question id="zip-support">
           <para>Does FreeBSD support &iomegazip; drives?</para>
         </question>
 
         <answer>
           <para>FreeBSD supports SCSI and ATAPI (IDE) &iomegazip; drives out
             of the box, of course. SCSI ZIP drives can only be set to
             run at SCSI target IDs 5 or 6, but if your SCSI host
             adapter's BIOS supports it you can even boot from it.  It
             is not clear which host adapters support booting from
             targets other than 0 or 1, so you will have to consult
             your adapter's documentation if you would like to use this
             feature.</para>
 
           <para>FreeBSD also supports Parallel Port Zip Drives.  Check
             that your kernel contains the
             <devicename>scbus0</devicename>,
             <devicename>da0</devicename>,
             <devicename>ppbus0</devicename>, and
             <devicename>vp0</devicename> drivers (the GENERIC kernel
             contains everything except
             <devicename>vp0</devicename>). With all these drivers
             present, the Parallel Port drive should be available as
             <devicename>/dev/da0s4</devicename>. Disks can be mounted
             using <command>mount /dev/da0s4 /mnt</command> OR (for dos
             disks) <command>mount_msdos /dev/da0s4 /mnt</command> as
             appropriate.</para>
 
           <para>Also check out <link linkend="jaz">the FAQ on
             removable drives</link> later in this chapter, and <link
             linkend="disklabel">the note on
             <quote>formatting</quote></link>in the Administration
             chapter.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="jaz-zip-removable-support">
           <para>Does FreeBSD support &jaz;, EZ and other removable drives?</para>
         </question>
 
         <answer>
           <para>Apart from the IDE version of the EZ drive, these are all
             SCSI devices, so they should all look like SCSI disks to
             FreeBSD, and the IDE EZ should look like an IDE drive.</para>
 
           <para><anchor id="jaz">I am not sure how well FreeBSD supports
             changing the media out while running. You will of course need
             to dismount the drive before swapping media, and make sure that
             any external units are powered on when you boot the system so
             FreeBSD can see them.</para>
 
           <para>See <link linkend="disklabel">this note on
             <quote>formatting</quote></link>.</para>
         </answer>
       </qandaentry>
 
 	</qandaset>
 
       </sect1>
 
       <sect1 id="compatibility-kbd-mice">
 	<title>Keyboards and mice</title>
 
 	<qandaset>
 
       <qandaentry>
         <question id="usbkbd">
           <para>Does FreeBSD support my USB keyboard?</para>
         </question>
 
         <answer>
           <para>FreeBSD 4.X and later supports USB keyboards
             out-of-the-box.  Preliminary USB device support appeared
             in FreeBSD 3.1, but might not always work as of version
             3.2.  If you want to experiment with the USB keyboard
             support in FreeBSD 3.X, follow the procedure described
             below.</para>
 
           <procedure>
             <step>
               <para>Use a version of FreeBSD 3.X later than
                 3.2.</para>
             </step>
 
             <step>
               <para>Add the following lines to your kernel configuration
                 file, and rebuild the kernel.</para>
 
               <programlisting>controller      uhci0
 controller      ohci0
 controller      usb0
 controller      ukbd0
 options         KBD_INSTALL_CDEV</programlisting>
             </step>
 
             <step>
               <para>Go to the <filename>/dev</filename> directory and create
                 device nodes as follows:</para>
 
               <screen>&prompt.root; <userinput>cd /dev</userinput>
 &prompt.root; <userinput>./MAKEDEV kbd0 kbd1</userinput></screen>
             </step>
 
             <step>
               <para>Edit <filename>/etc/rc.conf</filename> and add the
                 following lines:</para>
 
               <programlisting>usbd_enable="YES"
 usbd_flags=""</programlisting>
 
             </step>
           </procedure>
 
 	  <para>If you want to use a USB keyboard in FreeBSD 4.X or
 	    later, you just need to enable USB support in
 	    <filename>/etc/rc.conf</filename>.</para>
 
           <para>Once you have USB keyboard support enabled on your
             system, the AT keyboard becomes
             <devicename>/dev/kbd0</devicename> and the USB keyboard
             becomes <devicename>/dev/kbd1</devicename>, if both are
             connected to the system.  If there is the USB keyboard
             only, it will be
             <devicename>/dev/ukbd0</devicename>.</para>
 
           <para>If you want to use the USB keyboard in the console, you
             have to explicitly tell the console driver to use the existing
             USB keyboard. This can be done by running the following
             command as a part of system initialization.</para>
 
           <screen>&prompt.root; <userinput>kbdcontrol -k /dev/kbd1 &lt; /dev/ttyv0 &gt; /dev/null</userinput></screen>
 
           <para>Note that if the USB keyboard is the only keyboard, it is
             accessed as <devicename>/dev/kbd0</devicename>, thus, the command
             should look like:</para>
 
           <screen>&prompt.root; <userinput>kbdcontrol -k /dev/kbd0 &lt; /dev/ttyv0 &gt; /dev/null</userinput></screen>
 
           <para><filename>/etc/rc.i386</filename> is a good place to add the
             above command.</para>
 
           <para>Once this is done, the USB keyboard should work in the X
             environment as well without any special settings.</para>
 
           <para>Hot-plugging and unplugging of the USB keyboard may not
             work quite right yet. We recommend connecting the keyboard
             before starting the system and leaving it connected until the
             system is shutdown to avoid troubles.</para>
 
           <para>See the &man.ukbd.4; manual page for more information.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="busmouse">
           <para>I have an unusual bus mouse. How do I set it up?</para>
         </question>
 
         <answer>
           <para>FreeBSD supports the bus mouse and the InPort bus mouse
             from such manufactures as Microsoft, Logitech and ATI. The bus
             device driver is compiled in the GENERIC kernel by default in
             FreeBSD versions 2.X, but not included in version 3.0 or later.
             If you are building a custom kernel with the bus mouse driver,
             make sure to add the following line to the kernel config
             file</para>
 
           <para>In FreeBSD 3.0 or before, add:</para>
 
           <programlisting>device mse0 at isa? port 0x23c tty irq5 vector mseintr</programlisting>
 
           <para>In FreeBSD 3.X, the line should be:</para>
 
           <programlisting>device mse0 at isa? port 0x23c tty irq5</programlisting>
 
           <para>And in FreeBSD 4.X and later, the line should read:</para>
 
           <programlisting>device mse0 at isa? port 0x23c irq5</programlisting>
 
           <para>Bus mice usually comes with dedicated interface cards.
             These cards may allow you to set the port address and the IRQ
             number other than shown above. Refer to the manual of your
             mouse and the &man.mse.4; manual page for more information.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="ps2mouse">
           <para>How do I use my PS/2 (<quote>mouse port</quote> or
             <quote>keyboard</quote>) mouse?</para>
         </question>
 
         <answer>
           <para>The PS/2 mouse is supported out-of-the-box in all
             recent versions of FreeBSD.  The necessary device driver,
             <devicename>psm</devicename>, is included in the GENERIC
             kernel.</para>
 
           <para>If your custom kernel does not have this, add the
             appropriate following line to your kernel configuration
             file and compile a new kernel.</para>
 
           <para>In FreeBSD 3.0 or earlier, the line should be:</para>
 
           <programlisting>device psm0 at isa? port "IO_KBD" conflicts tty irq 12 vector psmintr</programlisting>
 
           <para>In FreeBSD 3.1 or later, the line should be:</para>
 
           <programlisting>device psm0 at isa? tty irq 12</programlisting>
 
           <para>In FreeBSD 4.0 or later, the line should be:</para>
 
           <programlisting>device psm0 at atkbdc? irq 12</programlisting>
 
           <para>Once the kernel detects <devicename>psm0</devicename>
             correctly at boot time, make sure that an entry for
             <devicename>psm0</devicename> exists in
             <filename>/dev</filename>.  You can do this by
             typing:</para>
 
           <screen>&prompt.root; <userinput>cd /dev; sh MAKEDEV psm0</userinput></screen>
 
           <para>when logged in as <username>root</username>.</para>
 
           <note>
 	    <para>You can omit this step if you are running FreeBSD
 	      5.0-RELEASE or newer with &man.devfs.5; enabled,
 	      since the proper device nodes will be created automatically
 	      under <filename>/dev</filename>.</para>
 	  </note>
 	</answer>
       </qandaentry>
 
       <qandaentry>
         <question id="moused">
           <para>Is it possible to use a mouse in any way outside the X
             Window system?</para>
         </question>
 
         <answer>
           <para>If you are using the default console driver,
             &man.syscons.4;, you can use a mouse pointer in text
             consoles to cut &amp; paste text. Run the mouse daemon,
             &man.moused.8;, and turn on the mouse pointer in the
             virtual console:</para>
 
           <screen>&prompt.root; <userinput>moused -p /dev/<replaceable>xxxx</replaceable> -t <replaceable>yyyy</replaceable></userinput>
 &prompt.root; <userinput>vidcontrol -m on</userinput></screen>
 
           <para>Where <replaceable>xxxx</replaceable> is the mouse
             device name and <replaceable>yyyy</replaceable> is a
             protocol type for the mouse.  The mouse daemon can
             automatically determine the protocol type of most
             mice, except old serial mice. Specify the
             <literal>auto</literal> protocol to invoke automatic
             detection.  If automatic detection does not work, see the
             &man.moused.8; manual page for a list of supported
             protocol types.</para>
 
           <para>If you have a PS/2 mouse, just add
             <literal>moused_enable="YES"</literal> to
             <filename>/etc/rc.conf</filename> to start the mouse
             daemon at boot-time.  Additionally, if you would like to
             use the mouse daemon on all virtual terminals instead of
             just the console, add <literal>allscreens_flags="-m
             on"</literal> to <filename>/etc/rc.conf</filename>.</para>
 
           <para>When the mouse daemon is running, access to the mouse
             must be coordinated between the mouse daemon and other
             programs such as X Windows. Refer to the FAQ <link
             linkend="x-and-moused">Why does my mouse not work with
             X?</link> for more details on this issue.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="text-mode-cut-paste">
           <para>How do I cut and paste text with a mouse in the text
             console?</para>
         </question>
 
         <answer>
           <para>Once you get the mouse daemon running (see the <link
             linkend="moused">previous section</link>), hold down the
             button 1 (left button) and move the mouse to select a
             region of text. Then, press the button 2 (middle button)
             to paste it at the text cursor.  Pressing button 3 (right
             button) will <quote>extend</quote> the selected region of
             text.</para>
 
 	  <para>If your mouse does not have a middle button, you may
             wish to emulate one or remap buttons using mouse daemon
             options. See the &man.moused.8; manual page for
             details.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="usbmouse">
           <para>Does FreeBSD support any USB mice?</para>
         </question>
 
         <answer>
 
           <para>Preliminary USB device support was added to FreeBSD
             3.1.  It did not always work through early versions of
             3.X.  As of FreeBSD 4.0, USB devices should work out of
             the box.  If you want to experiment with the USB mouse
             support under FreeBSD 3.X, follow the procedure described
             below.</para>
 
           <procedure>
             <step>
               <para>Use FreeBSD 3.2 or later.</para>
             </step>
 
             <step>
               <para>Add the following lines to your kernel configuration
                 file, and rebuild the kernel.</para>
 
               <programlisting>device  uhci
 device  ohci
 device  usb
 device  ums</programlisting>
 
               <para>In versions of FreeBSD before 4.0, use this
                 instead:</para>
 
               <programlisting>controller        uhci0
 controller        ohci0
 controller        usb0
 device            ums0</programlisting>
             </step>
 
             <step>
               <para>Go to the <filename>/dev</filename> directory and
                 create a device node as follows:</para>
 
               <screen>&prompt.root; <userinput>cd /dev</userinput>
 &prompt.root; <userinput>./MAKEDEV ums0</userinput></screen>
 
               <note>
 	        <para>You can omit this step if you are running FreeBSD
 	          5.0-RELEASE or newer with &man.devfs.5; enabled,
 	          since the proper device nodes will be created automatically
 	          under <filename>/dev</filename>.</para>
 	      </note>
             </step>
 
             <step>
               <para>Edit <filename>/etc/rc.conf</filename> and add the
                 following lines:</para>
 
               <programlisting>moused_enable="YES"
 moused_type="auto"
 moused_port="/dev/ums0"
 moused_flags=""
 usbd_enable="YES"
 usbd_flags=""</programlisting>
 
               <para>See the <link linkend="moused">previous section</link>
                 for more detailed discussion on moused.</para>
             </step>
 
             <step>
               <para>In order to use the USB mouse in the X session, edit
                 <filename>XF86Config</filename>.  If you are using &xfree86;
                 3.3.2 or later, be sure to have the following lines in the
                 <emphasis>Pointer</emphasis> section:</para>
 
               <programlisting>Device          "/dev/sysmouse"
 Protocol        "Auto"</programlisting>
 
               <para>If you are using earlier versions of &xfree86;, be sure to
                 have the following lines in the <emphasis>Pointer</emphasis>
                 section:</para>
 
               <programlisting>Device          "/dev/sysmouse"
 Protocol        "SysMouse"</programlisting>
             </step>
           </procedure>
 
           <para>Refer to <link linkend="x-and-moused">another section</link>
             on the mouse support in the X environment.</para>
 
           <para>Hot-plugging and unplugging of the USB mouse may not work
             quite right yet. It is a good idea connect the mouse before you
             start the system and leave it connected until the system is
             shutdown to avoid trouble.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="mouse-wheel-buttons">
           <para>My mouse has a fancy wheel and buttons.  Can I use them in
             FreeBSD?</para>
         </question>
 
         <answer>
           <para>The answer is, unfortunately, <quote>It depends</quote>.
             These mice with additional features require specialized driver
             in most cases. Unless the mouse device driver or the user
             program has specific support for the mouse, it will act just
             like a standard two, or three button mouse.</para>
 
           <para>For the possible usage of wheels in the X Window
             environment, refer to <link linkend="x-and-wheel">that
             section</link>.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="laptop-mouse-trackball">
           <para>How do I use the mouse/trackball/touchpad on my laptop?</para>
         </question>
 
         <answer>
           <para>Please refer to <link linkend="ps2mouse">the answer to
             the previous question</link>.  Also check out the <ulink
             url="http://www.FreeBSD.org/docs.html#PAO">Mobile
             Computing page</ulink>.</para>
         </answer>
       </qandaentry>
 
 	</qandaset>
 
       </sect1>
 
       <sect1 id="compatibility-networking">
 	<title>Networking and serial devices</title>
 
 	<qandaset>
 
       <qandaentry>
         <question id="network-cards">
           <para>Which network cards does FreeBSD support?</para>
         </question>
 
         <answer>
           <para>See the Hardware Notes supplied with each release of
             FreeBSD for a more
             complete list.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="internal-plugnplay-modem">
           <para>Why is FreeBSD not finding my internal Plug &amp; Play
             modem?</para>
         </question>
 
         <answer>
           <para>You will need to add the modem's PnP ID to the PnP ID
             list in the serial driver. To enable Plug &amp; Play support,
             compile a new kernel with <literal>controller pnp0</literal> in
             the configuration file, then reboot the system. The kernel will
             print the PnP IDs of all the devices it finds. Copy the PnP ID
             from the modem to the table in
             <filename>/sys/i386/isa/sio.c</filename>, at about line 2777.
             Look for the string <literal>SUP1310</literal> in the structure
             <literal>siopnp_ids[]</literal> to find the table. Build the
             kernel again, install, reboot, and your modem should be
             found.</para>
 
           <para>You may have to manually configure the PnP devices using
             the <literal>pnp</literal> command in the boot-time
             configuration with a command like</para>
 
           <programlisting>pnp 1 0 enable os irq0 3 drq0 0 port0 0x2f8</programlisting>
 
           <para>to make the modem show.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="support-winmodem">
           <para>Does FreeBSD support software modems, such as Winmodems?</para>
         </question>
 
         <answer>
           <para>FreeBSD supports many software modems via add-on
             software.  The <filename role="package">comms/ltmdm</filename> port adds
             support for modems based on the very popular Lucent LT
             chipset.  The <filename role="package">comms/mwavem</filename> port
             supports the modem in IBM Thinkpad 600 and 700
             laptops.</para>
 
           <para>You cannot install FreeBSD via a software modem; this
             software must be installed after the OS is
             installed.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
 	<question id="support-broadcom">
 	  <para>Is there a native driver for the Broadcom 43xx cards?</para>
 	</question>
 
 	<answer>
 	  <para>No, and there is not likely to be.</para>
 
 	  <para>Broadcom refuses to publically release programming
 	    information for their wireless chipsets, most likely because
 	    they use software controlled radios.  In order to get FCC type
 	    acceptance for their parts, they have to ensure that users
 	    cannot arbitrarily set things like operating frequencies,
 	    modulation parameters and power output.  But without knowing
 	    how to program the chipsets, it is nearly impossible to write
 	    a driver.</para>
 	</answer>
       </qandaentry>
 
       <qandaentry>
         <question id="multiport-serial-support">
           <para>Which multi-port serial cards are supported by
             FreeBSD?</para>
         </question>
 
         <answer>
           <para>There is a list of these in the <ulink
             url="&url.books.handbook;/install.html#INSTALL-MISC">Miscellaneous
             devices</ulink> section of the handbook.</para>
 
           <para>Some unnamed clone cards have also been known to work,
             especially those that claim to be AST compatible.</para>
 
           <para>Check the &man.sio.4; manual page to get more
             information on configuring such cards.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="serial-console-prompt">
           <para>How do I get the boot: prompt to show on the serial
             console?</para>
         </question>
 
         <answer>
             <orderedlist>
               <listitem>
                 <para>Build a kernel with
                   <literal>options COMCONSOLE</literal>.</para>
               </listitem>
 
               <listitem>
                 <para>Create /boot.config and place <option>-P</option>
                   as the only text in the file.</para>
               </listitem>
 
               <listitem>
                 <para>Unplug the keyboard from the system.</para>
               </listitem>
             </orderedlist>
 
           <para>See
             <filename>/usr/src/sys/i386/boot/biosboot/README.serial</filename>
             for information.</para>
         </answer>
       </qandaentry>
 
 	</qandaset>
 
       </sect1>
 
       <sect1 id="compatibility-sound">
 	<title>Sound devices</title>
 
 	<qandaset>
 
       <qandaentry>
         <question id="sound-card-support">
           <para>Which sound cards are supported by FreeBSD?</para>
         </question>
 
         <answer>
           <para>&os; supports various sound cards including the &soundblaster;,
 	    &soundblaster; Pro, &soundblaster; 16, Pro Audio Spectrum 16,
             AdLib, and Gravis UltraSound sound cards (for more details,
             see <ulink url="&url.base;/releases/">&os; Release Information</ulink>
             and the &man.snd.4; manual page).
             There is also limited support for
             MPU-401 and compatible MIDI cards. Cards conforming to the
             &microsoft; Sound System specification are also supported.</para>
 
             <note>
               <para>This is only for sound!  This driver does not support
                 CDROMs, SCSI or joysticks on these cards, except for the
                 &soundblaster;. The &soundblaster; SCSI interface and some
                 non-SCSI CDROMs are supported, but you cannot boot off this
                 device.</para>
              </note>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="es1370-silent-pcm">
           <para>Workarounds for no sound from es1370 with &man.pcm.4; driver?</para>
         </question>
 
         <answer>
           <para>You can run the following command every time the machine
             booted up:</para>
 
           <screen>&prompt.root; <userinput>mixer pcm 100 vol 100 cd 100</userinput></screen>
         </answer>
       </qandaentry>
 
 	</qandaset>
 
       </sect1>
 
       <sect1 id="compatibility-other">
 	<title>Other hardware</title>
 
 	<qandaset>
 
       <qandaentry>
         <question id="other-device-support">
           <para>What other devices does FreeBSD support?</para>
         </question>
 
         <answer>
           <para>See the <ulink
             url="&url.books.handbook;/install.html#INSTALL-MISC">Handbook</ulink>
             for the list of other devices supported.</para>
 
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="power-management-support">
           <para>Does FreeBSD support power management on my laptop?</para>
         </question>
 
         <answer>
           <para>FreeBSD supports <acronym>APM</acronym> on certain machines.
             Please look in the <filename>LINT</filename> kernel config file,
             searching for the <acronym>APM</acronym> keyword.  Further
             information can be found in &man.apm.4;.</para>
 
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="micron-hang-boot">
           <para>Why does my Micron system hang at boot time?</para>
         </question>
 
         <answer>
           <para>Certain Micron motherboards have a non-conforming PCI BIOS
             implementation that causes grief when FreeBSD boots because PCI
             devices do not get configured at their reported addresses.</para>
 
           <para>Disable the <quote>Plug and Play Operating System</quote>
             flag in the BIOS to work around this problem. More information
             can be found at <ulink
             url="http://cesdis.gsfc.nasa.gov/linux/drivers/vortex.html#micron">
             http://cesdis.gsfc.nasa.gov/linux/drivers/vortex.html#micron</ulink></para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="asusk7v-boot-failure">
           <para>The boot floppy hangs on a system with an ASUS K7V
             motherboard.  How do I fix this?</para>
         </question>
 
         <answer>
           <para>Go into the BIOS setup and disable the <quote>boot virus
             protection</quote>.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="micron-3comnic-failure">
           <para>Why does my &tm.3com; PCI network card not work with my Micron
             computer?</para>
         </question>
 
         <answer>
           <para>Certain Micron motherboards have a non-conforming PCI BIOS
             implementation that does not configure PCI devices at the
             addresses reported. This causes grief when FreeBSD
             boots.</para>
 
           <para>To work around this problem, disable the
             <quote>Plug and Play Operating System</quote> flag in the
             BIOS.</para>
 
           <para>More information on this problem is available at URL:
             <ulink url="http://cesdis.gsfc.nasa.gov/linux/drivers/vortex.html#micron"></ulink></para>
         </answer>
       </qandaentry>
     </qandaset>
 
       </sect1>
 
   </chapter>
 
   <chapter id="troubleshoot">
     <title>Troubleshooting</title>
 
     <qandaset>
       <qandaentry>
         <question id="awre">
           <para>What do I do when I have bad blocks on my hard drive?</para>
         </question>
 
         <answer>
           <para>With SCSI drives, the drive should be capable of re-mapping
             these automatically.  However, many drives are shipped with
             this feature disabled, for some mysterious reason...</para>
 
           <para>To enable this, you will need to edit the first device page
             mode, which can be done on FreeBSD by giving the command
             (as <username>root</username>)</para>
 
           <screen>&prompt.root; <userinput>camcontrol modepage sd0 -m 1 -e -P 3</userinput></screen>
 
           <para>and changing the values of AWRE and ARRE from 0 to 1:-</para>
 
           <programlisting>AWRE (Auto Write Reallocation Enbld):  1
 ARRE (Auto Read Reallocation Enbld):  1</programlisting>
 
           <para>The following paragraphs were submitted by Ted Mittelstaedt
             <email>tedm@toybox.placo.com</email>:</para>
 
           <para>For IDE drives, any bad block is usually a sign of
             potential trouble. All modern IDE drives come with internal
             bad-block remapping turned on. All IDE hard drive manufacturers
             today offer extensive warranties and will replace drives with
             bad blocks on them.</para>
 
           <para>If you still want to attempt to rescue an IDE drive with
             bad blocks, you can attempt to download the IDE drive
             manufacturer's IDE diagnostic program, and run this against the
             drive. Sometimes these programs can be set to force the drive
             electronics to rescan the drive for bad blocks and lock them
             out.</para>
 
           <para>For ESDI, RLL and MFM drives, bad blocks are a normal part
             of the drive and are no sign of trouble, generally. With a PC,
             the disk drive controller card and BIOS handle the task of
             locking out bad sectors. This is fine for operating systems
             like DOS that use BIOS code to access the disk. However,
             FreeBSD's disk driver does not go through the BIOS, therefore a
             mechanism, bad144, exists that replaces this functionality.
             bad144 only works with the wd driver (which means it is not
             supported in FreeBSD 4.0), it is <emphasis>not</emphasis> able to be used with SCSI.
             bad144 works by entering all bad sectors found into a special
             file.</para>
 
           <para>One caveat with bad144 - the bad block special file is
             placed on the last track of the disk. As this file may possibly
             contain a listing for a bad sector that would occur near the
             beginning of the disk, where the /kernel file might be located,
             it therefore must be accessible to the bootstrap program that
             uses BIOS calls to read the kernel file. This means that the
             disk with bad144 used on it must not exceed 1024 cylinders, 16
             heads, and 63 sectors. This places an effective limit of 500MB
             on a disk that is mapped with bad144.</para>
 
           <para>To use bad144, simply set the <quote>Bad Block</quote>
             scanning to ON in the FreeBSD fdisk screen during the initial
             install. This works up through FreeBSD 2.2.7. The disk must
             have less than 1024 cylinders. It is generally recommended that
             the disk drive has been in operation for at least 4 hours prior
             to this to allow for thermal expansion and track
             wandering.</para>
 
           <para>If the disk has more than 1024 cylinders (such as a large
             ESDI drive) the ESDI controller uses a special translation mode
             to make it work under DOS. The wd driver understands about
             these translation modes, IF you enter the
             <quote>translated</quote> geometry with the <quote>set
             geometry</quote> command in fdisk. You must also NOT use the
             <quote>dangerously dedicated</quote> mode of creating the
             FreeBSD partition, as this ignores the geometry. Also, even
             though fdisk will use your overridden geometry, it still knows
             the true size of the disk, and will attempt to create a too
             large FreeBSD partition. If the disk geometry is changed to the
             translated geometry, the partition MUST be manually created
             with the number of blocks.</para>
 
           <para>A quick trick to use is to set up the large ESDI disk
             with the ESDI controller, boot it with a DOS disk and
             format it with a DOS partition. Then, boot the FreeBSD
             install and in the fdisk screen, read off and write down
             the blocksize and block numbers for the DOS
             partition. Then, reset the geometry to the same that DOS
             uses, delete the DOS partition, and create a
             <quote>cooperative</quote> FreeBSD partition using the
             blocksize you recorded earlier. Then, set the partition
             bootable and turn on bad block scanning. During the actual
             install, bad144 will run first, before any filesystems are
             created (you can view this with an <keycombo
             action="simul"><keycap>Alt</keycap><keycap>F2</keycap></keycombo>).
             If it has any trouble creating the badsector file, you
             have set too large a disk geometry - reboot the system and
             start all over again (including repartitioning and
             reformatting with DOS).</para>
 
           <para>If remapping is enabled and you are seeing bad blocks,
             consider replacing the drive. The bad blocks will only get
             worse as time goes on.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="bustek742a-eisa-scsi">
           <para>Why does FreeBSD not recognize my Bustek 742a EISA
             SCSI controller?</para>
         </question>
 
         <answer>
           <para>This info is specific to the 742a but may also cover
             other Buslogic cards.  (Bustek = Buslogic)</para>
 
           <para>There are 2 general <quote>versions</quote> of the 742a
             card. They are hardware revisions A-G, and revisions H -
             onwards. The revision letter is located after the Assembly
             number on the edge of the card. The 742a has 2 ROM chips on it,
             one is the BIOS chip and the other is the Firmware chip.
             FreeBSD does not care what version of BIOS chip you have but it
             does care about what version of firmware chip. Buslogic will
             send upgrade ROMs out if you call their tech support dept. The
             BIOS and Firmware chips are shipped as a matched pair. You must
             have the most current Firmware ROM in your adapter card for
             your hardware revision.</para>
 
           <para>The REV A-G cards can only accept BIOS/Firmware sets up to
             2.41/2.21. The REV H- up cards can accept the most current
             BIOS/Firmware sets of 4.70/3.37. The difference between the
             firmware sets is that the 3.37 firmware supports <quote>round
             robin</quote>.</para>
 
           <para>The Buslogic cards also have a serial number on them.  If
             you have an old hardware revision card you can call the Buslogic
             RMA department and give them the serial number and attempt to
             exchange the card for a newer hardware revision. If the card is
             young enough they will do so.</para>
 
           <para>FreeBSD 2.1 only supports Firmware revisions 2.21 onward.
             If you have a Firmware revision older than this your card will
             not be recognized as a Buslogic card. It may be recognized as
             an &adaptec; 1540, however. The early Buslogic firmware contains
             an AHA1540 <quote>emulation</quote> mode. This is not a good
             thing for an EISA card, however.</para>
 
           <para>If you have an old hardware revision card and you obtain
             the 2.21 firmware for it, you will need to check the position
             of jumper W1 to B-C, the default is A-B.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="hpnetserver-scsi-failure">
           <para>Why does FreeBSD not detect my HP Netserver's SCSI
             controller?</para>
         </question>
 
         <answer>
           <para>This is basically a known problem.  The EISA on-board SCSI
             controller in the HP Netserver machines occupies EISA slot
             number 11, so all the <quote>true</quote> EISA slots are in
             front of it. Alas, the address space for EISA slots &gt;= 10
             collides with the address space assigned to PCI, and FreeBSD's
             auto-configuration currently cannot handle this situation very
             well.</para>
 
           <para>So now, the best you can do is to pretend there is no
             address range clash :), by bumping the kernel option
             <literal>EISA_SLOTS</literal> to a value of 12. Configure and
             compile a kernel, as described in the <ulink
             url="&url.books.handbook;/kernelconfig.html">Handbook entry on
             configuring the kernel</ulink>.</para>
 
           <para>Of course, this does present you with a chicken-and-egg
             problem when installing on such a machine. In order to work
             around this problem, a special hack is available inside
             <emphasis>UserConfig</emphasis>. Do not use the
             <quote>visual</quote> interface, but the plain command-line
             interface there. Simply type</para>
 
           <programlisting>eisa 12
 quit</programlisting>
 
           <para>at the prompt, and install your system as usual.  While
             it is recommended you compile and install a custom kernel
             anyway.</para>
 
           <para>Hopefully, future versions will have a proper fix for
             this problem.</para>
 
             <note>
               <para>You cannot use a
                 <literal>dangerously dedicated</literal> disk
                 with an HP Netserver. See <link linkend="dedicate">this
                 note</link> for more info.</para>
             </note>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="ed1-timeout">
           <para>I keep seeing messages like
             <errorname>ed1: timeout</errorname>.  What do these messages
             mean?</para>
         </question>
 
         <answer>
           <para>This is usually caused by an interrupt conflict (e.g.,
             two boards using the same IRQ). FreeBSD prior to 2.0.5R used to
             be tolerant of this, and the network driver would still
             function in the presence of IRQ conflicts. However, with 2.0.5R
             and later, IRQ conflicts are no longer tolerated. Boot with the
             -c option and change the ed0/de0/... entry to match your
             board.</para>
 
           <para>If you are using the BNC connector on your network card,
             you may also see device timeouts because of bad termination. To
             check this, attach a terminator directly to the NIC (with no
             cable) and see if the error messages go away.</para>
 
           <para>Some NE2000 compatible cards will give this error if there
             is no link on the UTP port or if the cable is disconnected.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="bad-3c509">
           <para>Why did my &tm.3com; 3C509 card stop working for no
             apparent reason?</para>
         </question>
 
         <answer>
           <para>This card has a bad habit of losing its configuration
             information.  Refresh your card's settings with the DOS
             utility <command>3c5x9.exe</command>.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="printer-slow">
           <para>My parallel printer is ridiculously slow. What can I do?</para>
         </question>
 
         <answer>
           <para>If the only problem is that the printer is terribly
             slow, try changing your <ulink
             url="&url.books.handbook;/printing-intro-setup.html#PRINTING-PARALLEL-PORT-MODE">printer
             port mode</ulink> as discussed in the <ulink
             url="&url.books.handbook;/printing-intro-setup.html">Printer
             Setup</ulink> section of the Handbook.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="signal11">
           <para>Why do my programs occasionally die with
             <errorname>Signal 11</errorname> errors?</para>
         </question>
 
         <answer>
           <para>Signal 11 errors are caused when your process has attempted
             to access memory which the operating system has not granted it
             access to. If something like this is happening at seemingly
             random intervals then you need to start investigating things
             very carefully.</para>
 
           <para>These problems can usually be attributed to either:</para>
 
           <orderedlist>
             <listitem>
               <para>If the problem is occurring only in a specific
                 application that you are developing yourself it is probably
                 a bug in your code.</para>
             </listitem>
 
             <listitem>
               <para>If it is a problem with part of the base FreeBSD system,
                 it may also be buggy code, but more often than not these
                 problems are found and fixed long before us general FAQ
                 readers get to use these bits of code (that is what -current
                 is for).</para>
             </listitem>
           </orderedlist>
 
           <para>In particular, a dead giveaway that this is
             <emphasis>not</emphasis> a FreeBSD bug is if you see the
             problem when you are compiling a program, but the activity
             that the compiler is carrying out changes each
             time.</para>
 
           <para>For example, suppose you are running <quote>make
             buildworld</quote>, and the compile fails while trying to
             compile <filename>ls.c</filename> into
             <filename>ls.o</filename>. If you then run <quote>make
             buildworld</quote> again, and the compile fails in the same
             place then this is a broken build -- try updating your sources
             and try again. If the compile fails elsewhere then this is
             almost certainly hardware.</para>
 
           <para>What you should do:</para>
 
           <para>In the first case you can use a debugger e.g. gdb to find
             the point in the program which is attempting to access a bogus
             address and then fix it.</para>
 
           <para>In the second case you need to verify that it is not your
             hardware at fault.</para>
 
           <para>Common causes of this include:</para>
 
           <orderedlist>
             <listitem>
               <para>Your hard disks might be overheating: Check the fans in
                 your case are still working, as your disk (and perhaps
                 other hardware might be overheating).</para>
             </listitem>
 
             <listitem>
               <para>The processor running is overheating: This might be
                 because the processor has been overclocked, or the fan on
                 the processor might have died. In either case you need to
                 ensure that you have hardware running at what it is
                 specified to run at, at least while trying to solve this
                 problem. i.e. Clock it back to the default settings.</para>
 
               <para>If you are overclocking then note that it is far cheaper
                 to have a slow system than a fried system that needs
                 replacing! Also the wider community is not often
                 sympathetic to problems on overclocked systems, whether you
                 believe it is safe or not.</para>
             </listitem>
 
             <listitem>
               <para>Dodgy memory: If you have multiple memory SIMMS/DIMMS
                 installed then pull them all out and try running the
                 machine with each SIMM or DIMM individually and narrow the
                 problem down to either the problematic DIMM/SIMM or perhaps
                 even a combination.</para>
             </listitem>
 
             <listitem>
               <para>Over-optimistic Motherboard settings: In your BIOS
                 settings, and some motherboard jumpers you have options to
                 set various timings, mostly the defaults will be
                 sufficient, but sometimes, setting the wait states on RAM
                 too low, or setting the <quote>RAM Speed: Turbo</quote> option, or
                 similar in the BIOS will cause strange behavior. A
                 possible idea is to set to BIOS defaults, but it might be
                 worth noting down your settings first!</para>
             </listitem>
 
             <listitem>
               <para>Unclean or insufficient power to the motherboard. If you
                 have any unused I/O boards, hard disks, or CDROMs in your
                 system, try temporarily removing them or disconnecting the
                 power cable from them, to see if your power supply can
                 manage a smaller load. Or try another power supply,
                 preferably one with a little more power (for instance, if
                 your current power supply is rated at 250 Watts try one
                 rated at 300 Watts).</para>
             </listitem>
 
           </orderedlist>
 
           <para>You should also read the SIG11 FAQ (listed below) which has
             excellent explanations of all these problems, albeit from a
             &linux; viewpoint. It also discusses how memory testing software
             or hardware can still pass faulty memory.</para>
 
           <para>Finally, if none of this has helped it is possible that
             you have just found a bug in FreeBSD, and you should follow the
             instructions to send a problem report.</para>
 
           <para>There is an extensive FAQ on this at <ulink
             url="http://www.bitwizard.nl/sig11/">
             the SIG11 problem FAQ</ulink></para>
           </answer>
         </qandaentry>
 
         <qandaentry>
           <question id="trap-12-panic">
             <para>My system crashes with either <errorname>Fatal
               trap 12: page fault in kernel mode</errorname>, or
               <errorname>panic:</errorname>, and spits out a
               bunch of information.  What should I do?</para>
           </question>
 
           <answer>
             <para>The FreeBSD developers are very interested in these
               errors, but need some more information than just the
               error you see.  Copy your full crash message.  Then
               consult the FAQ section on <link linkend=
               "KERNEL-PANIC-TROUBLESHOOTING">kernel panics</link>,
               build a debugging kernel, and get a backtrace.  This
               might sound difficult, but you do not need any
               programming skills; you just have to follow the
               instructions.</para>
           </answer>
         </qandaentry>
 
         <qandaentry>
           <question id="screen-loses-sync">
             <para>Why does the screen go black and lose sync when I
               boot?</para>
           </question>
 
           <answer>
             <para>This is a known problem with the ATI Mach 64 video card.
               The problem is that this card uses address
               <literal>2e8</literal>, and the fourth serial port does too.
               Due to a bug (feature?) in the &man.sio.4;
               driver it will touch this port even if you do not have the
               fourth serial port, and <emphasis>even</emphasis> if
               you disable sio3 (the fourth port) which normally uses this
               address.</para>
 
             <para>Until the bug has been fixed, you can use this
               workaround:</para>
 
               <orderedlist>
                 <listitem>
                   <para>Enter <option>-c</option> at the boot prompt.
                     (This will put the kernel into configuration mode).</para>
                 </listitem>
 
                 <listitem>
                   <para>Disable <devicename>sio0</devicename>,
                     <devicename>sio1</devicename>,
                     <devicename>sio2</devicename> and
                     <devicename>sio3</devicename> (all of them).  This way
                     the sio driver does not get activated -&gt; no
                     problems.</para>
                 </listitem>
 
                 <listitem>
                   <para>Type exit to continue booting.</para>
                 </listitem>
               </orderedlist>
 
           <para>If you want to be able to use your serial ports, you will
             have to build a new kernel with the following modification: in
             <filename>/usr/src/sys/i386/isa/sio.c</filename> find the one
             occurrence of the string <literal>0x2e8</literal> and remove
             that string and the preceding comma (keep the trailing comma).
             Now follow the normal procedure of building a new
             kernel.</para>
 
           <para>Even after applying these workarounds, you may still find
             that the X Window System does not work properly. If this is the
             case, make sure that the &xfree86; version you are using is at
             least &xfree86; 3.3.3 or higher. This version and upwards has
             built-in support for the Mach64 cards and even a dedicated X
             server for those cards.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="reallybigram">
           <para>Why does FreeBSD only use 64 MB of RAM when my system has
             128 MB of RAM installed?</para>
         </question>
 
         <answer>
           <para>Due to the manner in which FreeBSD gets the memory size
             from the BIOS, it can only detect 16 bits worth of Kbytes in
             size (65535 Kbytes = 64MB) (or less... some BIOSes peg the
             memory size to 16M). If you have more than 64MB, FreeBSD will
             attempt to detect it; however, the attempt may fail.</para>
 
           <para>To work around this problem, you need to use the kernel
             option specified below. There is a way to get complete memory
             information from the BIOS, but we do not have room in the
             bootblocks to do it. Someday when lack of room in the
             bootblocks is fixed, we will use the extended BIOS functions to
             get the full memory information...but for now we are stuck with
             the kernel option.</para>
 
           <para><literal>options "MAXMEM=<replaceable>n</replaceable>"</literal></para>
 
           <para>Where <replaceable>n</replaceable> is your memory in
             Kilobytes. For a 128 MB machine, you would want to use
             <literal>131072</literal>.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="panic-kmemmap-too-small">
           <para>Why does FreeBSD panic with
             <errorname>kmem_map too small!</errorname>?</para>
         </question>
 
         <answer>
           <para>The panic indicates that the system ran out of virtual
             memory for network buffers (specifically, mbuf clusters). You
             can increase the amount of VM available for mbuf clusters by
             adding:</para>
 
           <para><literal>options NMBCLUSTERS=<replaceable>n</replaceable></literal></para>
 
           <para>to your kernel config file, where
             <replaceable>n</replaceable> is a number in the range
             512-4096, depending on the number of concurrent TCP
             connections you need to support. We recommend trying
             2048 - this should get rid of the panic completely. You
             can monitor the number of mbuf clusters allocated/in use
             on the system with <command>netstat -m</command> (see
             &man.netstat.1;). The default value for NMBCLUSTERS is
             <literal>1024 + MAXUSERS * 64</literal>.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="proc-table-full">
           <para>Why do I get the error <errorname>/kernel: proc: table
             is full</errorname>?</para>
         </question>
 
         <answer>
           <para>The FreeBSD kernel will only allow a certain number of
             processes to exist at one time.  The number is based on
             the <literal>MAXUSERS</literal> option in the kernel
             configuration.  <literal>MAXUSERS</literal> also affects
             various other in-kernel limits, such as network buffers
             (see <link linkend="panic-kmemmap-too-small">this</link>
             earlier question).  If your machine is heavily loaded, you
             probably want to increase <literal>MAXUSERS</literal>.
             This will increase these other system limits in addition
             to the maximum number of processes.</para>
 
           <para>After FreeBSD 4.4, <literal>MAXUSERS</literal> became
             a tunable value that could be set with
             <varname>kern.maxusers</varname> in
             <filename>/boot/loader.conf</filename>.  In earlier
             versions of FreeBSD, you need to adjust
             <literal>MAXUSERS</literal> in your kernel
             configuration.</para>
 
           <para>If your machine is lightly loaded, and you are simply
             running a very large number of processes, you can adjust
             this with the <varname>kern.maxproc</varname> sysctl.  If
             these processes are being run by a single user, you will
             also need to adjust <varname>kern.maxprocperuid</varname>
             to be one less than your new
             <varname>kern.maxproc</varname> value.  (It must be at
             least one less because one system program, &man.init.8;,
             must always be running.)</para>
 
           <para>To make a sysctl permanent across reboots, set this in
             <filename>/etc/sysctl.conf</filename> in recent versions
             of FreeBSD, or <filename>/etc/rc.local</filename> in older
             versions.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="cmap-busy-panic">
           <para>Why do I get an error reading <errorname>CMAP
               busy</errorname> when rebooting with a new
             kernel?</para>
         </question>
 
         <answer>
           <para>The logic that attempts to detect an out of date
             <filename>/var/db/kvm_*.db</filename> files sometimes fails
             and using a mismatched file can sometimes lead to panics.</para>
 
           <para>If this happens, reboot single-user and do:</para>
 
           <screen>&prompt.root; <userinput>rm /var/db/kvm_*.db</userinput></screen>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="brkadrint-illegal-host-access">
           <para>What does the message <errorname>ahc0: brkadrint,
               Illegal Host Access at seqaddr 0x0</errorname>
             mean?</para>
         </question>
 
         <answer>
           <para>This is a conflict with an Ultrastor SCSI Host Adapter.</para>
 
           <para>During the boot process enter the kernel configuration
             menu and disable
             <devicename>uha0</devicename>,
             which is causing the problem.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="aci0-illegal-cable">
           <para>When I boot my system, I get the error
             <errorname>ahc0: illegal cable configuration</errorname>.
             My cabling is correct.  What is going on?</para>
         </question>
 
         <answer>
            <para>Your motherboard lacks the external logic to support
              automatic termination.  Switch your SCSI BIOS to specify
              the correct termination for your configuration rather
              than automatic termination.  The AIC7XXX driver cannot
              determine if the external logic for cable detection (and
              thus auto-termination) is available.  The driver simply
              assumes that this support must exist if the configuration
              contained in the serial EEPROM is set to "automatic
              termination".  Without the external cable detection logic
              the driver will often configure termination incorrectly,
              which can compromise the reliability of the SCSI
              bus.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="mail-loopback">
           <para>Why does Sendmail give me an error reading
             <quote><errorname>mail loops back to
               myself</errorname></quote>?</para>
         </question>
 
         <answer>
           <para>This is answered in the sendmail FAQ as follows:-</para>
 
 <literallayout>        * I'm getting "Local configuration error" messages, such as:
 
         553 relay.domain.net config error: mail loops back to myself
         554 &lt;user@domain.net&gt;... Local configuration error
 
         How can I solve this problem?
 
         You have asked mail to the domain (e.g., domain.net) to be
         forwarded to a specific host (in this case, relay.domain.net)
         by using an MX record, but the relay machine does not recognize
         itself as domain.net.  Add domain.net to /etc/mail/local-host-names
         (if you are using FEATURE(use_cw_file)) or add "Cw domain.net"
         to /etc/mail/sendmail.cf.
             </literallayout>
 
           <para>The current version of the <ulink
             url="ftp://rtfm.mit.edu/pub/usenet/news.answers/mail/sendmail-faq">sendmail
             FAQ</ulink> is no longer maintained with the sendmail release.
             It is however regularly posted to <ulink
             url="news:comp.mail.sendmail">comp.mail.sendmail</ulink>,
             <ulink url="news:comp.mail.misc">comp.mail.misc</ulink>, <ulink
             url="news:comp.mail.smail">comp.mail.smail</ulink>, <ulink
             url="news:comp.answers">comp.answers</ulink>, and <ulink
             url="news:news.answers">news.answers</ulink>. You can also
             receive a copy via email by sending a message to
             <email>mail-server@rtfm.mit.edu</email> with the command
             <literal>send usenet/news.answers/mail/sendmail-faq</literal>
             as the body of the message.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="remote-fullscreen">
           <para>Why do full screen applications on remote machines
             misbehave?</para>
         </question>
 
         <answer>
           <para>The remote machine may be setting your terminal type
             to something other than the <literal>cons25</literal> terminal
             type required by the FreeBSD console.</para>
 
           <para>There are a number of possible work-arounds for this
             problem:</para>
             <itemizedlist>
               <listitem>
                 <para>After logging on to the remote machine, set your
                   TERM shell variable to <literal>ansi</literal> or
                   <literal>sco</literal> if the remote machine knows
                   about these terminal types.</para>
               </listitem>
 
               <listitem>
                 <para>Use a VT100 emulator like
                   <application>screen</application> at the FreeBSD console.
                   <application>screen</application> offers you the ability
                   to run multiple concurrent sessions from one terminal,
                   and is a neat program in its own right. Each
                   <application>screen</application> window behaves like a
                   VT100 terminal, so the TERM variable at the remote end
                   should be set to <literal>vt100</literal>.</para>
               </listitem>
 
               <listitem>
                 <para>Install the <literal>cons25</literal> terminal
                   database entry on the remote machine. The way to do this
                   depends on the operating system on the remote machine.
                   The system administration manuals for the remote system
                   should be able to help you here.</para>
               </listitem>
 
               <listitem>
                 <para>Fire up an X server at the FreeBSD end and login to
                   the remote machine using an X based terminal emulator
                   such as <command>xterm</command> or
                   <command>rxvt</command>. The TERM variable at the remote
                   host should be set to <literal>xterm</literal> or
                   <literal>vt100</literal>.</para>
               </listitem>
             </itemizedlist>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="calcru-negative">
           <para>Why does my machine print
             <errorname>calcru: negative time...</errorname>?</para>
         </question>
 
         <answer>
           <para>This can be caused by various hardware or software
             ailments relating to interrupts. It may be due to bugs but can
             also happen by nature of certain devices. Running TCP/IP over
             the parallel port using a large MTU is one good way to provoke
             this problem. Graphics accelerators can also get you here, in
             which case you should check the interrupt setting of the card
             first.</para>
 
           <para>A side effect of this problem are dying processes with the
             message <quote>SIGXCPU exceeded cpu time limit</quote>.</para>
 
           <para>For FreeBSD 3.0 and later from Nov 29, 1998 forward: If the
             problem cannot be fixed otherwise the solution is to set
             this sysctl variable:</para>
 
           <screen>&prompt.root; <userinput>sysctl -w kern.timecounter.method=1</userinput></screen>
 
 	  <note>
 	    <para>The <option>-w</option> option of &man.sysctl.8; is
 	      deprecated and silently ignored in &os; 4.4-RELEASE and all
 	      newer versions.  You can safely ommit it when setting options
 	      with <command>sysctl</command> as shown above.</para>
 	  </note>
 
           <para>This means a performance impact, but considering the cause
             of this problem, you probably will not notice. If the problem
             persists, keep the sysctl set to one and set the
             <literal>NTIMECOUNTER</literal> option in your kernel to
             increasingly large values. If by the time you have reached
             <literal>NTIMECOUNTER=20</literal> the problem is not solved,
             interrupts are too hosed on your machine for reliable
             time keeping.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="pcm0-not-found">
           <para>I see <errorname>pcm0 not found</errorname> or my
             sound card is found as <devicename>pcm1</devicename> but I
             have <literal>device pcm0</literal> in my kernel config
             file.  What is going on?</para>
         </question>
 
         <answer>
           <para>This occurs in &os; 3.X with PCI sound cards. The
             <devicename>pcm0</devicename> device is reserved
             exclusively for ISA-based cards so, if you have a PCI
             card, then you will see this error, and your card will
             appear as <devicename>pcm1</devicename>.
 
             <note>
               <para>You cannot remove the warning by simply changing
                 the line in the kernel config file to <literal>device
                 pcm1</literal> as this will result in
                 <devicename>pcm1</devicename> being reserved for ISA
                 cards and your PCI card being found as
                 <devicename>pcm2</devicename> (along with the warning
                 <errorname>pcm1 not found</errorname>).</para>
             </note>
 
 	  <para>If you have a PCI sound card, you will also have to make the
 	    <devicename>snd1</devicename> device rather than
 	    <devicename>snd0</devicename>:</para>
 
 	  <screen>&prompt.root; <userinput>cd /dev</userinput>
 &prompt.root; <userinput>./MAKEDEV snd1</userinput></screen>
 
           <para>This situation does not arise in &os; 4.X as a lot
             of work has been done to make it more
             <emphasis>PnP-centric</emphasis> and the
             <devicename>pcm0</devicename> device is no longer reserved
             exclusively for ISA cards</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="pnp-not-found">
           <para>Why is my PnP card no longer found (or found as
             <literal>unknown</literal>) since upgrading to FreeBSD 4.X?</para>
         </question>
 
         <answer>
           <para>FreeBSD 4.X is now much more <emphasis>PnP-centric</emphasis>
             and this has had the side effect of some PnP devices (e.g. sound
             cards and internal modems) not working even though they worked
             under FreeBSD 3.X.</para>
 
           <para>The reasons for this behavior are explained by the following
             e-mail, posted to the freebsd-questions mailing list by Peter
             Wemm, in answer to a question about an internal modem that was
             no longer found after an upgrade to FreeBSD 4.X (the comments
             in <literal>[]</literal> have been added to clarify the
             context.</para>
 
           <note>
             <para>The contents of this quotation has been updated from
              its original text.</para>
           </note>
 
           <blockquote>
             <para>The PNP bios preconfigured it [the modem] and left it
               laying around in port space, so [in 3.X] the old-style ISA
               probes <quote>found</quote> it there.</para>
 
             <para>Under 4.0, the ISA code is much more PnP-centric. It was
               possible [in 3.X] for an ISA probe to find a
               <quote>stray</quote> device and then for the PNP device id to
               match and then fail due to resource conflicts. So, it
               disables the programmable cards first so this double probing
               cannot happen. It also means that it needs to know the PnP
               ids for supported PnP hardware. Making this more user
               tweakable is on the TODO list.</para>
           </blockquote>
 
           <para>To get the device working again requires finding its PnP id
             and adding it to the list that the ISA probes use to identify
             PnP devices. This is obtained using &man.pnpinfo.8; to probe the
             device, for example this is the output from &man.pnpinfo.8; for
             an internal modem:</para>
 
           <screen>&prompt.root; <userinput>pnpinfo</userinput>
 Checking for Plug-n-Play devices...
 
 Card assigned CSN #1
 Vendor ID PMC2430 (0x3024a341), Serial Number 0xffffffff
 PnP Version 1.0, Vendor Version 0
 Device Description: Pace 56 Voice Internal Plug & Play Modem
 
 Logical Device ID: PMC2430 0x3024a341 #0
         Device supports I/O Range Check
 TAG Start DF
     I/O Range 0x3f8 .. 0x3f8, alignment 0x8, len 0x8
         [16-bit addr]
     IRQ: 4  - only one type (true/edge)</screen>
 
           <para>[more TAG lines elided]</para>
 
           <screen>TAG End DF
 End Tag
 
 Successfully got 31 resources, 1 logical fdevs
 -- card select # 0x0001
 
 CSN PMC2430 (0x3024a341), Serial Number 0xffffffff
 
 Logical device #0
 IO:  0x03e8 0x03e8 0x03e8 0x03e8 0x03e8 0x03e8 0x03e8 0x03e8
 IRQ 5 0
 DMA 4 0
 IO range check 0x00 activate 0x01</screen>
 
           <para>The information you require is in the
             <quote>Vendor ID</quote> line at the start of the output. The
             hexadecimal number in parentheses (0x3024a341 in this example)
             is the PnP id and the string immediately before this (PMC2430)
             is a unique ASCII id.</para>
 
           <para>Alternatively, if &man.pnpinfo.8; does not list the card in
             question, &man.pciconf.8; can be used instead.  This is part of
             the output from <command>pciconf -vl</command> for an onboard
             sound chip:</para>
 
           <screen>&prompt.root; <userinput>pciconf -vl</userinput>
 chip1@pci0:31:5:        class=0x040100 card=0x00931028 chip=0x24158086 rev=0x02 hdr=0x00
     vendor   = 'Intel Corporation'
     device   = '82801AA 8xx Chipset AC'97 Audio Controller'
     class    = multimedia
     subclass = audio</screen>
 
           <para>Here, you would use the <varname>chip</varname> value,
             <quote>0x24158086</quote>.</para>
 
           <para>This information (Vendor ID or chip value) needs adding 
             to the file
             <filename>/usr/src/sys/isa/sio.c</filename>.</para>
 
           <para>You should first make a backup of <filename>sio.c</filename>
             just in case things go wrong. You will also need it to make the
             patch to submit with your PR (you are going to submit a PR,
             are you not?) then edit <filename>sio.c</filename> and search
             for the line</para>
 
           <programlisting>static struct isa_pnp_id sio_ids[] = {</programlisting>
 
           <para>then scroll down to find the correct place to add the entry
             for your device. The entries look like this, and are sorted on
             the ASCII Vendor ID string which should be included in the
             comment to the right of the line of code along with all (if it
             will fit) or part of the <emphasis>Device Description</emphasis>
             from the output of &man.pnpinfo.8;:</para>
 
           <programlisting>{0x0f804f3f, NULL},     /* OZO800f - Zoom 2812 (56k Modem) */
 {0x39804f3f, NULL},     /* OZO8039 - Zoom 56k flex */
 {0x3024a341, NULL},     /* PMC2430 - Pace 56 Voice Internal Modem */
 {0x1000eb49, NULL},     /* ROK0010 - Rockwell ? */
 {0x5002734a, NULL},     /* RSS0250 - 5614Jx3(G) Internal Modem */</programlisting>
 
           <para>Add the hexadecimal Vendor ID for your device in the
             correct place, save the file, rebuild your kernel, and reboot.
             Your device should now be found as an <literal>sio</literal>
             device as it was under FreeBSD 3.X</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="nlist-failed">
           <para>Why do I get the error <errorname>nlist failed</errorname> when
             running, for example, <command>top</command> or
             <command>systat</command>?</para>
         </question>
 
         <answer>
           <para>The problem is that the application you are trying to run is
             looking for a specific kernel symbol, but, for whatever reason,
             cannot find it; this error stems from one of two problems:</para>
 
           <itemizedlist>
             <listitem>
               <para>Your kernel and userland are not synchronized (i.e., you
                 built a new kernel but did not do an
                 <maketarget>installworld</maketarget>, or vice versa), and
                 thus the symbol table is different from what the user
                 application thinks it is.  If this is the case, simply
                 complete the upgrade process (see
                 <filename>/usr/src/UPDATING</filename> for the correct
                 sequence).</para>
             </listitem>
 
             <listitem>
               <para>You are not using <command>/boot/loader</command> to load
                 your kernel, but doing it directly from boot2 (see
                 &man.boot.8;).  While there is nothing wrong with bypassing
                 <command>/boot/loader</command>, it generally does a better
                 job of making the kernel symbols available to user
                 applications.</para>
             </listitem>
           </itemizedlist>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="connection-delay">
           <para>Why does it take so long to connect to my computer via
             <command>ssh</command> or <command>telnet</command>?</para>
         </question>
 
         <answer>
           <para>The symptom: there is a long delay between the time the TCP
             connection is established and the time when the client software
             asks for a password (or, in &man.telnet.1;'s case, when a login
             prompt appears).</para>
 
           <para>The problem: more likely than not, the delay is caused by
             the server software trying to resolve the client's IP address
             into a hostname.  Many servers, including the Telnet and SSH
             servers that come with FreeBSD, do this in order to, among
             other things, store the hostname in a log file for future
             reference by the administrator.</para>
 
           <para>The remedy: if the problem occurs whenever you connect from
             your computer (the client) to any server, the problem is with
             the client; likewise, if the problem only occurs when someone
             connects to your computer (the server) the problem is with the
             server.</para>
 
           <para>If the problem is with the client, the only remedy is to
             fix the DNS so the server can resolve it.  If this is on a
             local network, consider it a server problem and keep reading;
             conversely, if this is on the global Internet, you will most
             likely need to contact your ISP and ask them to fix it for
             you.</para>
 
           <para>If the problem is with the server, and this is on a local
             network, you need to configure the server to be able to resolve
             address-to-hostname queries for your local address range.  See
             the &man.hosts.5; and &man.named.8; manual pages for more
             information.  If this is on the global Internet, the problem
             may be that your server's resolver is not functioning
             correctly.  To check, try to look up another host--say,
             <hostid>www.yahoo.com</hostid>.  If it does not work, that is
             your problem.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="stray-irq">
           <para>What does <errorname>stray IRQ</errorname> mean?</para>
         </question>
 	<answer>
 	  <para>Stray IRQs are indications of hardware IRQ glitches,
             mostly from hardware that removes its interrupt request in
             the middle of the interrupt request acknowledge
             cycle.</para>
 	  <para>One has three options for dealing with this:</para>
 	  <itemizedlist>
 	    <listitem>
 	      <para>Live with the warnings.  All except the first 5
                 per irq are suppressed anyway.</para>
 	    </listitem>
 	    <listitem>
 	      <para>Break the warnings by changing 5 to 0 in
 	        <function>isa_strayintr()</function> so that all the
 	        warnings are suppressed.</para>
 	    </listitem>
 	    <listitem>
 	      <para>Break the warnings by installing parallel port
               hardware that uses irq 7 and the PPP driver for it (this
               happens on most systems), and install an ide drive or
               other hardware that uses irq 15 and a suitable driver
               for it.</para>
 	    </listitem>
 	  </itemizedlist>
 	</answer>
       </qandaentry>
 
       <qandaentry>
         <question id="file-table-full">
           <para>Why does <errorname>file: table is full</errorname> show up
             repeatedly in dmesg?</para>
         </question>
         <answer>
           <para>
             This error message indicates you have exhausted the number
             of available file descriptors on your system.  Please see
             the <ulink
             url="&url.books.handbook;/configtuning-kernel-limits.html#KERN-MAXFILES">kern.maxfiles
             </ulink>section of the <ulink
             url="&url.books.handbook;/configtuning-kernel-limits.html">Tuning
             Kernel Limits</ulink> section of the Handbook for a
             discussion and solution.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
 	<question id="laptop-clock-skew">
 	  <para>Why does the clock on my laptop keep incorrect time?</para>
 	</question>
 
 	<answer>
 	  <para>Your laptop has two or more clocks, and FreeBSD has chosen to
 	    use the wrong one.</para>
 
 	  <para>Run &man.dmesg.8;, and check for lines that contain
 	    <literal>Timecounter</literal>.  The last line printed is the one
 	    that FreeBSD chose, and will almost certainly be
 	    <literal>TSC</literal>.</para>
 
 	  <screen>&prompt.root; <userinput>dmesg | grep Timecounter</userinput>
 Timecounter "i8254"  frequency 1193182 Hz
 Timecounter "TSC"  frequency 595573479 Hz</screen>
 
 	  <para>You can confirm this by checking the
 	    <varname>kern.timecounter.hardware</varname>
 	      &man.sysctl.3;.</para>
 
 	  <screen>&prompt.root; <userinput>sysctl kern.timecounter.hardware</userinput>
 kern.timecounter.hardware: TSC</screen>
 	
 	  <para>The BIOS may modify the TSC clock&mdash;perhaps to change the
 	    speed of the processor when running from batteries, or going into
 	    a power saving mode, but FreeBSD is unaware of these adjustments,
 	    and appears to gain or lose time.</para>
 
 	  <para>In this example, the <literal>i8254</literal> clock is also
 	    available, and can be selected by writing its name to the
 	    <varname>kern.timecounter.hardware</varname>
 	      &man.sysctl.3;.</para>
 
 	  <screen>&prompt.root; <userinput>sysctl -w kern.timecounter.hardware=i8254</userinput>
 kern.timecounter.hardware: TSC -&gt; i8254</screen>
 
 	  <para>Your laptop should now start keeping more accurate
 	    time.</para>
 
 	  <para>To have this change automatically run at boot time, add the
 	    following line to <filename>/etc/sysctl.conf</filename>.</para>
 
 	  <programlisting>kern.timecounter.hardware=i8254</programlisting>
 	</answer>
       </qandaentry>
 
       <qandaentry>
 	<question id="null-null">
 	  <para>Why did my laptop fail to correctly probe PC cards?</para>
 	</question>
 
 	<answer>
 	  <para>This problem is common on laptops that boot more than
 	    one operating system.  Some non-BSD operating systems
 	    leave PC card hardware in an inconsistent state.
 	    <command>pccardd</command> will detect the card as
 	    <errorname>"(null)""(null)"</errorname> instead of its
 	    actual model.</para>
 
 	  <para>You must remove all power from the PC card slot to
 	    fully reset the hardware.  Completely power off the
 	    laptop.  (Do not suspend it, do not let it go into standby;
 	    the power needs to be completely off.)  Wait a few
 	    moments, and reboot.  Your PC card should work now.</para>
 
 	  <para>Some laptop hardware lies when it claims to be off.
 	    If the above does not work shut down, remove the battery,
 	    wait a moment, replace the battery, and reboot.</para>
 	</answer>
       </qandaentry>
 
       <qandaentry>
         <question id="boot-read-error">
           <para>Why does FreeBSD's boot loader display
             <errorname>Read error</errorname> and stop after the BIOS
             screen?</para>
         </question>
 
         <answer>
           <para>FreeBSD's boot loader is incorrectly recognizing the hard 
             drive's geometry. This must be manually set within fdisk when 
             creating or modifying FreeBSD's slice.
           </para>
 
           <para>The correct drive geometry values can be found within the
             machine's BIOS. Look for the number of cylinders, heads and
             sectors for the particular drive.
           </para>
 
           <para>Within &man.sysinstall.8;'s fdisk, hit
             <keycap>G</keycap> to set the drive geometry.</para>
 
           <para>A dialog will pop up requesting the number of
             cylinders, heads and sectors.  Type the numbers found from
             the BIOS separated by forward slashes.  For example, values
             of 5000 cylinders, 250 heads, and 60 sectors would be entered as
             <userinput>5000/250/60</userinput>.
           </para>
 
           <para>Press enter to set the values, and hit
             <keycap>W</keycap> to write the new partition table to the
             drive.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="bootmanager-restore">
           <para>Another operating system destroyed my Boot Manager.  How do I 
             get it back?</para>
         </question>
 
         <answer>
           <para>Enter &man.sysinstall.8; and choose Configure,
             then Fdisk.  Select the disk the Boot Manager resided on
             with the <keycap>space</keycap> key.  Press 
             <keycap>W</keycap> to write changes to the drive.  A prompt
             will appear asking which boot loader to install.  Select this,
             and it will be restored.
           </para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="indefinite-wait-buffer">
           <para>What does the error <errorname>swap_pager: indefinite
             wait buffer:</errorname> mean?</para>
         </question>
 
         <answer>
           <para>This means that a process is trying to page memory to
             disk, and the page attempt has hung trying to access the
             disk for more than 20 seconds.  It might be caused by bad
             blocks on the disk drive, disk wiring, cables, or any
             other disk I/O-related hardware.  If the drive itself is
             actually bad, you will also see disk errors in
             <filename>/var/log/messages</filename> and in the output
             of <command>dmesg</command>.  Otherwise, check your cables
             and connections.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="udma-icrc">
           <para>What are <quote>UDMA ICRC</quote> errors, and how do I
             fix them?</para>
         </question>
 
         <answer>
           <para>The &man.ata.4; driver reports <quote>UDMA ICRC</quote>
             errors when a DMA transfer to or from a drive is corrupted.
             The driver will retry the operation a few times.  Should
             the retries fail, it will switch from DMA to the slower PIO
             mode of communication with the device.</para>
 
           <para>The problem can be caused by many factors, although
             perhaps the most common cause is faulty or incorrect
             cabling.  Check that the ATA cables are undamaged and rated
             for the Ultra DMA mode in use.  If you are using removable
             drive trays, they must also be compatible.  Be sure that
             all connections are making good contact.  Problems have
             also been noticed when an old drive is installed on the
             same ATA channel as an Ultra DMA 66 (or faster) drive.
             Lastly, these errors can indicate that the drive is
             failing.  Most drive vendors provide testing software for
             their drives, so test your drive, and, if necessary, back
             up your data and replace it.</para>
 
           <para>The &man.atacontrol.8; utility can be used to show and
             select the DMA or PIO modes used for each ATA device.  In
             particular, <command>atacontrol mode
             <replaceable>channel</replaceable></command> will show the
             modes in use on a particular ATA channel, where the primary
             channel is numbered 0, and so on.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="lock-order-reversal">
           <para>What is a <errorname>lock order reversal</errorname>?</para>
         </question>
 
         <answer>
           <para>&a.rwatson; answered this question very succinctly on
             the freebsd-current list in a thread entitled <quote><ulink
             url="http://docs.freebsd.org/cgi/getmsg.cgi?fetch=65165+0+/usr/local/www/db/text/2003/freebsd-current/20031221.freebsd-current">lock
             order reversals - what do they mean?</ulink></quote></para>
 
           <blockquote>
             <attribution>&a.rwatson; on freebsd-current, December 14,
               2003</attribution>
 
             <para>These warnings are generated by Witness, a run-time lock
               diagnostic system found in FreeBSD -CURRENT kernels (but
               removed in releases).  You can read more about Witness in the
               &man.witness.4; man page, which talks about its capabilities.  Among
               other things, Witness performs run-time lock order verification
               using a combination of hard coded lock orders, and run-time
               detected lock orders, and generates console warnings when lock
               orders are violated.  The intent of this is to detect the
               potential for deadlocks due to lock order violations; it is worth
               observing that Witness is actually slightly conservative, and so
               it is possible to get false positives.  In the event that Witness
               is accurately reporting a lock order problem, it is basically
               saying "If you were unlucky, a deadlock would have happened
               here".  There are a couple of "well known" false positives,
               which we need to do a better job of documenting to prevent
               spurious reports.  The non-well-known ones typically correspond
               to bugs in newly added locking, as lock order reversals usually
               get fixed pretty quickly because Witness is busy generating
               warnings :-).</para>
           </blockquote>
 
           <note>
             <para>See <ulink
               url="http://sources.zabbadoz.net/freebsd/lor.html">Bjoern
               Zeeb's lock order reversal page</ulink> for the status of
               known lock order reversals.</para>
           </note>
         </answer>
       </qandaentry>
     </qandaset>
   </chapter>
 
   <chapter id="commercial">
     <title>Commercial Applications</title>
 
       <note>
         <para>This section is still very sparse, though we are hoping, of
           course, that companies will add to it! :) The FreeBSD group has
           no financial interest in any of the companies listed here but
           simply lists them as a public service (and feels that commercial
           interest in FreeBSD can have very positive effects on FreeBSD's
           long-term viability). We encourage commercial software vendors to
           send their entries here for inclusion. See <ulink
           url="&url.base;/commercial/index.html">the
           Vendors page</ulink> for a longer list.</para>
       </note>
 
     <qandaset>
       <qandaentry>
         <question id="officesuite">
           <para>Where can I get an Office Suite for FreeBSD?</para>
         </question>
 
         <answer>
 	  <itemizedlist>
   	    <listitem>
 	      <para><ulink url="http://www.freebsdmall.com/">The
                 FreeBSD Mall</ulink> offers a FreeBSD native version
                 of <ulink
                 url="http://www.vistasource.com/">VistaSource</ulink>
                 ApplixWare 5.</para>
 	
 	      <para>ApplixWare is a rich full-featured, commercial
 	        Office Suite for FreeBSD containing a word processor,
 	        spreadsheet, presentation program, vector drawing
 	        package, and other applications.
 		</para>
 
 	      <para>ApplixWare is offered as part of the FreeBSD Mall's BSD
 		Desktop Edition.</para>
 
   	    </listitem>
 	    <listitem>
 	      <para>The &linux; version of <ulink
 	        url="http://www.sun.com/staroffice/">StarOffice</ulink>
 	        works flawlessly on FreeBSD.  The easiest way to
 	        install the &linux; version of StarOffice is through the
 	        <ulink url="&url.books.handbook;/ports.html">FreeBSD Ports
 	        collection</ulink>.  The
 	        open-source <ulink
 	        url="http://www.openoffice.org/">OpenOffice</ulink>
 	        suite also works, and is also in the Ports Collection.</para>
 	    </listitem>
 	  </itemizedlist>
         </answer>
       </qandaentry>
       <qandaentry>
         <question id="motif">
           <para>Where can I get &motif; for FreeBSD?</para>
         </question>
 
         <answer>
 	  <para>The Open Group has released the source code to &motif; 2.2.2.
 	    You can install the <literal>open-motif</literal> package, or
 	    compile it from ports.  Refer to
 	    <ulink url="&url.books.handbook;/ports.html">the ports section of the
 	      Handbook</ulink> for more information on how to do this.
 
 	    <note>
 	      <para>The Open &motif; distribution only allows redistribution
 		if it is running on an <ulink url="http://www.opensource.org/">
 		  open source</ulink> operating system.</para>
 	    </note>
 	  </para>
 
           <para>In addition, there are commercial distributions of the &motif;
             software available.  These, however, are not for free, but their
             license allows them to be used in closed-source software.
 	    Contact <link linkend="apps2go">Apps2go</link> for the
             least expensive ELF &motif; 2.1.20 distribution for FreeBSD
             (either &i386; or Alpha).<anchor id="apps2go"></para>
 
           <para>There are two distributions, the <quote>development
             edition</quote> and the <quote>runtime edition</quote> (for
             much less).  These distributions includes:</para>
 
             <itemizedlist>
               <listitem>
                 <para>OSF/&motif; manager, xmbind, panner, wsm.</para>
               </listitem>
 
               <listitem>
                 <para>Development kit with uil, mrm, xm, xmcxx, include
                   and Imake files.</para>
               </listitem>
 
               <listitem>
                 <para>Static and dynamic ELF libraries (for use with
                   FreeBSD 3.0 and above).</para>
               </listitem>
 
               <listitem>
                 <para>Demonstration applets.</para>
               </listitem>
             </itemizedlist>
 
           <para>Be sure to specify that you want the FreeBSD version of
             &motif; when ordering (do not forget to mention the architecture
             you want too)! Versions for NetBSD and OpenBSD are also sold by
             <emphasis>Apps2go</emphasis>. This is currently a FTP only
             download.</para>
 
             <variablelist>
               <varlistentry>
                 <term>More info</term>
                 <listitem>
                   <para><ulink url="http://www.apps2go.com/">
                     Apps2go WWW page</ulink></para>
                 </listitem>
               </varlistentry>
 
               <varlistentry>
                 <term>or</term>
                   <listitem>
                     <para>
                       <email>sales@apps2go.com</email> or
                       <email>support@apps2go.com</email>
                       </para>
                   </listitem>
                 </varlistentry>
 
                 <varlistentry>
                   <term>or</term>
                   <listitem>
                     <para>phone (817) 431 8775  or +1 817 431-8775</para>
                   </listitem>
                 </varlistentry>
               </variablelist>
 
           <para>Contact <link linkend="metrox">Metro Link</link>
             for an either ELF or a.out &motif; 2.1 distribution for
             FreeBSD.</para>
 
           <para>This distribution includes:</para>
             <itemizedlist>
               <listitem>
                 <para>OSF/&motif; manager, xmbind, panner, wsm.</para>
               </listitem>
 
               <listitem>
                 <para>Development kit with uil, mrm, xm, xmcxx, include
                   and Imake files.</para>
               </listitem>
 
               <listitem>
                 <para>Static and dynamic libraries (specify ELF for use
                   with FreeBSD 3.0 and later; or a.out for use with FreeBSD
                   2.2.8 and earlier).</para>
               </listitem>
 
               <listitem>
                 <para>Demonstration applets.</para>
               </listitem>
 
               <listitem>
               <para>Preformatted manual pages.</para>
               </listitem>
 
               </itemizedlist>
 
           <para>Be sure to specify that you want the FreeBSD version
             of &motif; when ordering! Versions for &linux; are also sold by
             <emphasis>Metro Link</emphasis>. This is available on either a
             CDROM or for FTP download.</para>
 
           <para>Contact <link linkend="xig">Xi Graphics</link> for an
             a.out &motif; 2.0 distribution for FreeBSD.</para>
 
           <para>This distribution includes:</para>
             <itemizedlist>
               <listitem>
                 <para>OSF/&motif; manager, xmbind, panner, wsm.</para>
               </listitem>
 
               <listitem>
                 <para>Development kit with uil, mrm, xm, xmcxx, include
                   and Imake files.</para>
               </listitem>
 
               <listitem>
                 <para>Static and dynamic libraries (for use with FreeBSD
                   2.2.8 and earlier).</para>
               </listitem>
 
               <listitem>
                 <para>Demonstration applets.</para>
               </listitem>
 
               <listitem>
                 <para>Preformatted manual pages.</para>
               </listitem>
             </itemizedlist>
 
           <para>Be sure to specify that you want the FreeBSD version
             of &motif; when ordering! Versions for BSDI and &linux; are also
             sold by <emphasis>Xi Graphics</emphasis>. This is currently a 4
             diskette set... in the future this will change to a unified CD
             distribution like their CDE.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="cde">
           <para>Where can I get CDE for FreeBSD?</para>
         </question>
 
         <answer>
           <para><link linkend="xig">Xi Graphics</link> used to sell CDE
             for FreeBSD, but no longer do.</para>
 
           <para><ulink url="http://www.kde.org/">KDE</ulink> is an open
             source X11 desktop which is similar to CDE in many respects.
             You might also like the look and feel of <ulink
             url="http://www.xfce.org/">xfce</ulink>. KDE and xfce are both
             in the <ulink url="&url.base;/ports/index.html">ports
             system</ulink>.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="commercial-xserver">
           <para>Are there any commercial high-performance X servers?</para>
         </question>
 
         <answer>
           <para>Yes, <ulink url="http://www.xig.com/">Xi Graphics</ulink>
             and <ulink url="http://www.metrolink.com/">Metro Link</ulink>
             sell Accelerated-X product for FreeBSD and other Intel based
             systems.</para>
 
           <para>The Metro Link offering is a high performance X Server
             that offers easy configuration using the FreeBSD Package suite
             of tools, support for multiple concurrent video boards and is
             distributed in binary form only, in a convenient FTP download.
             Not to mention the Metro Link offering is available at the very
             reasonable price of $39. <anchor id="metrox"></para>
 
           <para>Metro Link also sells both ELF and a.out &motif; for
             FreeBSD (see above).</para>
 
             <variablelist>
               <varlistentry>
                 <term>More info</term>
                 <listitem>
                   <para><ulink url="http://www.metrolink.com/">
                     Metro Link WWW page</ulink></para>
                 </listitem>
               </varlistentry>
 
               <varlistentry>
                 <term>or</term>
                 <listitem>
                   <para><email>sales@metrolink.com</email>
                     or <email>tech@metrolink.com</email>
                     </para>
                 </listitem>
               </varlistentry>
 
               <varlistentry>
                 <term>or</term>
                   <listitem>
                     <para>phone (954) 938-0283  or +1 954 938-0283</para>
                   </listitem>
                 </varlistentry>
               </variablelist>
 
           <para>The Xi Graphics offering is a high performance X Server
             that offers easy configuration, support for multiple concurrent
             video boards and is distributed in binary form only, in a
             unified diskette distribution for FreeBSD and &linux;. Xi
             Graphics also offers a high performance X Server tailored for
             laptop support.<anchor id="xig"></para>
 
           <para>There is a free <quote>compatibility demo</quote> of
             version 5.0 available.</para>
 
           <para>Xi Graphics also sells &motif; and CDE for FreeBSD (see
             above).</para>
 
             <variablelist>
               <varlistentry>
                 <term>More info</term>
                 <listitem>
                   <para><ulink url="http://www.xig.com/">
                     Xi Graphics WWW page</ulink></para>
                 </listitem>
               </varlistentry>
 
               <varlistentry>
                 <term>or</term>
                   <listitem>
                     <para><email>sales@xig.com</email>
                       or <email>support@xig.com</email>
                       </para>
                   </listitem>
                 </varlistentry>
 
                 <varlistentry>
                   <term>or</term>
                   <listitem>
                     <para>phone (800) 946 7433  or +1 303 298-7478.</para>
                   </listitem>
                 </varlistentry>
               </variablelist>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="database-systems">
           <para>Are there any Database systems for FreeBSD?</para>
         </question>
 
         <answer>
           <para>Yes! See the <ulink
             url="&url.base;/commercial/software_bycat.html#CATEGORY_DATABASE">
             Commercial Vendors</ulink> section of FreeBSD's Web site.</para>
 
           <para>Also see the <ulink
             url="&url.base;/ports/databases.html">
             Databases</ulink> section of the Ports collection.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="oracle-support">
           <para>Can I run &oracle; on FreeBSD?</para>
         </question>
 
         <answer>
           <para>Yes. The following pages tell you exactly how to set up
             &linux;-&oracle; on FreeBSD:</para>
 
             <itemizedlist>
               <listitem>
                 <para><ulink
                   url="http://www.scc.nl/~marcel/howto-oracle.html">
                   http://www.scc.nl/~marcel/howto-oracle.html</ulink></para>
               </listitem>
 
               <listitem>
                 <para><ulink
                   url="http://www.lf.net/lf/pi/oracle/install-linux-oracle-on-freebsd">
 
                   http://www.lf.net/lf/pi/oracle/install-linux-oracle-on-freebsd</ulink></para>
 
               </listitem>
             </itemizedlist>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="commercial-webbrowsers">
           <para>Are there any commercial web browsers avaliable for &os;?</para>
         </question>
 
         <answer>
           <para>Yes.  Opera is a multi-platform web browser and is available for &os;.
             See <ulink url="http://www.opera.com/">www.opera.com</ulink> for details.
             A version of Opera, paid for by banner ads, is also available in ports.</para>
         </answer>
       </qandaentry>
 
     </qandaset>
   </chapter>
 
   <chapter id="applications">
     <title>User Applications</title>
 
     <qandaset>
       <qandaentry>
         <question id="user-apps">
           <para>So, where are all the user applications?</para>
         </question>
 
         <answer>
           <para>Please take a look at <ulink
             url="&url.base;/ports/index.html">the ports page</ulink>
             for info on software packages ported to FreeBSD.  The list
             currently tops &os.numports; and is growing daily, so come
             back to check often or subscribe to the
             <literal>freebsd-announce</literal> <link
             linkend="mailing">mailing list</link> for periodic updates
             on new entries.</para>
 
           <para>Most ports should work on the 4.X, 5.X, and 6.X branches.
             Each time a FreeBSD release is made, a snapshot of the
             ports tree at the time of release in also included in the
             <filename>ports/</filename> directory.</para>
 
           <para>We also support the concept of a
             <quote>package</quote>, essentially no more than a compressed
             binary distribution with a little extra intelligence
             embedded in it for doing whatever custom installation work
             is required. A package can be installed and uninstalled
             again easily without having to know the gory details of
             which files it includes.</para>
 
           <para>Use the package installation menu in
             <filename>/stand/sysinstall</filename> (under the
             post-configuration menu item) or invoke the
             &man.pkg.add.1; command on the specific package files you
             are interested in installing. Package files can usually be
             identified by their <filename>.tgz</filename> or <filename>.tbz</filename> suffix and
             CDROM distribution people will have a
             <filename>packages/All</filename> directory on their CD
             which contains such files. They can also be downloaded
             over the net for various versions of FreeBSD at the
             following locations:</para>
 
             <variablelist>
               <varlistentry>
                 <term>for 4.X-RELEASE/4-STABLE</term>
                 <listitem>
                   <para><ulink
                     url="ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/">
                     ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/</ulink></para>
 
                 </listitem>
               </varlistentry>
 
               <varlistentry>
                 <term>for 5.X-RELEASE/5-STABLE</term>
                 <listitem>
                   <para><ulink
                     url="ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/">
                     ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current</ulink></para>
                 </listitem>
               </varlistentry>
 
               <varlistentry>
                 <term>for 6-CURRENT</term>
                 <listitem>
                   <para><ulink
                     url="ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-6-current/">
                     ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-6-current</ulink></para>
                 </listitem>
               </varlistentry>
             </variablelist>
 
           <para>or your nearest local mirror site.</para>
 
           <para>Note that all ports may not be available as packages since
             new ones are constantly being added. It is always a good idea
             to check back periodically to see which packages are available
             at the <ulink
             url="ftp://ftp.FreeBSD.org/pub/FreeBSD/">ftp.FreeBSD.org</ulink>
             master site.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="emul">
            <para>Why does ghostscript give lots of errors with my
               386/486SX?</para>
         </question>
 
         <answer>
           <para>You do not have a math co-processor, right?
             You will need to add the alternative math emulator to your
             kernel; you do this by adding the following to your kernel
             config file and it will be compiled in.</para>
 
           <programlisting>options GPL_MATH_EMULATE</programlisting>
 
             <note>
               <para>You will need to remove the
                 <literal>MATH_EMULATE</literal> option when you do
                 this.</para>
             </note>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="configure-inn">
           <para>How do I configure INN (Internet News) for my machine?</para>
         </question>
 
         <answer>
           <para>After installing the <filename
             role="package">news/inn</filename> package or port, an
             excellent place to start is <ulink
             url="http://www.visi.com/~barr/INN.html">Dave
             Barr's INN Page</ulink> where you will find the INN
             FAQ.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="java">
           <para>Does FreeBSD support &java;?</para>
         </question>
 
         <answer>
           <para>Yes. Please see <ulink
             url="&url.base;/java/index.html">
             http://www.FreeBSD.org/java/</ulink>.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="ports-4x">
           <para>Why can I not build this port on my 4.X-STABLE machine?</para>
         </question>
 
         <answer>
           <para>If you are running a FreeBSD version that lags
             significantly behind -CURRENT or -STABLE, you may need to
             update your ports collection; see the <ulink
 	    url="&url.books.porters-handbook;/keeping-up.html">
 	    Keeping Up</ulink> section of the Porter's Handbook for further
 	    information on how to do this.
             If you are up to date,
             then someone might have committed a change to the port which
             works for -CURRENT but which broke the port for -STABLE. Please
             submit a bug report on this with the
             &man.send-pr.1; command, since the ports
             collection is supposed to work for both the -CURRENT and
             -STABLE branches.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
 	<question id="make-index">
 	  <para>I just tried to build <filename>INDEX</filename>
 	    using <command>make index</command>, and it failed.
 	    Why?</para>
 	</question>
 
 	<answer>
 	  <para>First, always make sure that you have a completely
 	    up-to-date Ports Collection.  Errors that affect building
 	    <filename>INDEX</filename> from an up-to-date copy of the
 	    Ports Collection are high-visibility and are thus almost
 	    always fixed immediately.</para>
 
 	  <para>However, if you are up-to-date, perhaps you are seeing
 	    another problem.  <command>make index</command> has a
 	    known bug in dealing with incomplete copies of the Ports
 	    Collection.  It assumes that you have a local copy of every
 	    single port that every other port that you have a local copy
 	    of depends on.  To explain, if you have a copy of
 	    <filename>foo/bar</filename> on your disk, and
 	    <filename>foo/bar</filename> depends on
 	    <filename>baz/quux</filename>, then you must also have
 	    a copy of <filename>baz/quux</filename> on your disk, and
 	    the ports <filename>baz/quux</filename> depends on, and
 	    so on.  Otherwise, <command>make index</command> has
 	    insufficient information to create its dependency tree.</para>
 
 	  <para>This is particularly a problem for &os; users who
 	    utilize &man.cvsup.1; to track the Ports Collection but
 	    choose not to install certain categories by specifying
 	    them in <filename>refuse</filename>.  In theory, one
 	    should be able to refuse categories, but in practice
 	    there are too many ports that depend on ports in other
 	    categories.  Until someone comes up with a solution for
 	    this problem, the general rule is is that if you want to
 	    build <filename>INDEX</filename>, you must have a complete
 	    copy of the Ports Collection.</para>
 
 	  <para>There are rare cases where <filename>INDEX</filename>
 	    will not build due to odd cases involving
 	    <makevar>WITH_<replaceable>*</replaceable></makevar> or
 	    <makevar>WITHOUT_<replaceable>*</replaceable></makevar>
 	    variables being set in <filename>make.conf</filename>.  If
 	    you suspect that this is the case, please try to make
 	    <filename>INDEX</filename> with those Makevars turned off
 	    before reporting it to &a.ports;.</para>
 	</answer>
       </qandaentry>
 
       <qandaentry>
         <question id="cvsup-in-base">
 	  <para>Why is CVSup not integrated in the main FreeBSD tree?
 	  </para>
 	</question>
 
 	<answer>
 	  <para>The FreeBSD base system is designed as self-hosting - it
 	    should be possible to build the whole operating system starting
 	    with a very limited set of tools.  Thus, the actual build tools
 	    needed to compile the FreeBSD sources are bundled with the
 	    sources themselves.  This includes a C compiler (&man.gcc.1;),
 	    &man.make.1;, &man.awk.1;, and similar tools.</para>
 
 	  <para>Since CVSup is written in Modula-3, adding it to the FreeBSD
 	    base system would also require adding and maintaining a Modula-3
 	    compiler.  This would lead to both a growth in the disk space
 	    consumed by the FreeBSD sources and additional maintenance work.
 	    Thus, it is much easier for both the developers and users to
 	    keep CVSup as a separate port, which can be easily installed as
 	    a package bundled on the FreeBSD installation CDs.</para>
 	</answer>
       </qandaentry>
 
       <qandaentry>
         <question id="ports-update">
            <para>I updated the sources, now how do I update my installed
              ports?</para>
         </question>
 
         <answer>
           <para>FreeBSD does not include a port upgrading tool, but it
             does have some tools to make the upgrade process somewhat
             easier.  You can also install additional tools to simplify
             port handling.</para>
 
           <para>The &man.pkg.version.1; command can generate a script
             that will update installed ports to the latest version in
             the ports tree.</para>
 
           <screen>&prompt.root; <userinput>pkg_version -c &gt; <replaceable>/tmp/myscript</replaceable></userinput></screen>
 
           <para>The output script <emphasis>must</emphasis> be edited by
             hand before you use it. Recent versions of
             &man.pkg.version.1; force this by inserting an
             &man.exit.1; at the beginning of the script.</para>
 
           <para>You should save the output of the script, as it will note
             packages that depend on the one that has been updated. These
             may or may not need to be updated as well. The usual case where
             they need to be updated is that a shared library has changed
             version numbers, so the ports that used that library need to be
             rebuilt to use the new version.</para>
 
 	  <note>
 	    <para>Beginning with FreeBSD 5.0 (and higher revisions),
 	      &man.pkg.version.1; no longer supports the
 	      <option>-c</option> option.</para>
 	  </note>
 
           <para>If you have the disk space, you can use the
             <command>portupgrade</command> tool to automate all of
             this.  <command>portupgrade</command> includes various
             tools to simplify package handling.  It is available under
             <filename role="package">sysutils/portupgrade</filename>.
             Since it is written in Ruby,
             <command>portupgrade</command> is an unlikely candidate for
             integration with the main FreeBSD tree.  That should not
             stop anyone from using it, however.</para>
 
           <para>If your system is up full time, the &man.periodic.8; system
             can be used to generate a weekly list of ports that might need
             updating by setting
             <literal>weekly_status_pkg_enable="YES"</literal> in
             <filename>/etc/periodic.conf</filename>.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="minimal-sh">
           <para>Why is <command>/bin/sh</command> so minimal?  Why does
             FreeBSD not use <command>bash</command> or another shell?</para>
         </question>
 
         <answer>
           <para>Because &posix; says that there shall be such a shell.</para>
 
           <para>The more complicated answer: many people need to write shell
             scripts which will be portable across many systems. That is why
             &posix; specifies the shell and utility commands in great detail.
             Most scripts are written in Bourne shell, and because several
             important programming interfaces (&man.make.1;, &man.system.3;,
             &man.popen.3;, and analogues in higher-level scripting
             languages like Perl and Tcl) are specified to use the Bourne
             shell to interpret commands. Because the Bourne shell is so
             often and widely used, it is important for it to be quick to
             start, be deterministic in its behavior, and have a small
             memory footprint.</para>
 
           <para>The existing implementation is our best effort at meeting as
             many of these requirements simultaneously as we can. In order to
             keep <command>/bin/sh</command> small, we have not provided many
             of the convenience features that other shells have. That is why the
             Ports Collection includes more featureful shells like bash, scsh,
             tcsh, and zsh.  (You can compare for yourself the memory
             utilization of all these shells by looking at the
             <quote>VSZ</quote> and <quote>RSS</quote> columns in a <command>ps
               -u</command> listing.)</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="netscape-slow-startup">
           <para>Why do &netscape; and Opera take so long to
             start?</para>
         </question>
 
         <answer>
           <para>The usual answer is that DNS on your system is
             misconfigured.  Both &netscape; and Opera perform DNS checks
             when starting up.  The browser will not appear on your
             desktop until the program either gets a response or
             determines that the system has no network
             connection.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
 	<question id="ports-base-update">
 	  <para>I updated parts of the Ports Collection using CVSup, and
 	    now many ports fail to build with mysterious error messages!
 	    What happened?  Is the Ports Collection broken in some major
 	    way?</para>
 	</question>
 
 	<answer>
 	  <para>If you only update parts of the Ports Collection, using
 	    one of its CVSup subcollections and not the
 	    <literal>ports-all</literal> CVSup collection, you should
 	    <emphasis>always</emphasis> update the
 	    <literal>ports-base</literal> subcollection too!  The reasons
 	    are described <ulink
 	    url="&url.books.handbook;/cvsup.html#CVSUP-COLLEC-PBASE-WARN">in the
 	    Handbook</ulink>.</para>
 	</answer>
       </qandaentry>
 
       <qandaentry>
 	<question id="midi-sound-files">
 	  <para>How do I create audio CDs from my MIDI files?</para>
 	</question>
 
 	<answer><para>To create audio CDs from MIDI files, first
           install <filename role="package">audio/timidity++</filename>
           from ports then install manually the GUS patches set by Eric
           A. Welsh, available at <ulink
           url="http://www.stardate.bc.ca/eawpatches/html/default.htm"></ulink>.
           After timidity++ has been installed properly, midi files may
           be converted to wav files with the following command
           line:</para>
 
         <screen>&prompt.user; <userinput>timidity -Ow -s 44100 -o /tmp/juke/01.wav 01.mid</userinput></screen>
 
           <para>The wav files can then be converted to other formats
             or burned onto audio CDs, as described in the FreeBSD
             Handbook.</para>
         </answer>
       </qandaentry>
     </qandaset>
   </chapter>
 
   <chapter id="kernelconfig">
     <title>Kernel Configuration</title>
 
     <qandaset>
       <qandaentry>
         <question id="make-kernel">
           <para>I would like to customize my kernel. Is it difficult?</para>
         </question>
 
         <answer>
           <para>Not at all! Check out the <ulink
             url="&url.books.handbook;/kernelconfig.html">
             kernel config section of the Handbook</ulink>.</para>
 
             <note>
 	      <para>We recommend that you make a dated snapshot of
 	        your new <filename>/kernel</filename> called
 	        <filename>/kernel.YYMMDD</filename> after you get it
 	        working properly.  Also back up your new
 	        <filename>/modules</filename> directory to
 	        <filename>/modules.YYMMDD</filename>.  That way, if
 	        you make a mistake the next time you play with your
 	        configuration you can boot the backup kernel instead
 	        of having to fall back to
 	        <filename>kernel.GENERIC</filename>. This is
 	        particularly important if you are now booting from a
 	        controller that GENERIC does not support.</para>
             </note>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="missing-hw-float">
           <para>My kernel compiles fail because
             <literal>_hw_float</literal> is missing.  How do I solve
             this problem?</para>
         </question>
 
         <answer>
           <para>Let me guess. You removed
             <devicename>npx0</devicename> (see &man.npx.4;)
             from your kernel configuration file because you do not have a
             math co-processor, right? Wrong! :-) The
             <devicename>npx0</devicename> is
             <emphasis>MANDATORY</emphasis>. Even if you do not have a
             mathematic co-processor, you <emphasis>must</emphasis>
             include the <devicename>npx0</devicename> device.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="why-kernel-big">
           <para>Why is my kernel so big (over 10MB)?</para>
         </question>
 
         <answer>
           <para>Chances are, you compiled your kernel in
             <emphasis>debug mode</emphasis>.  Kernels built in debug
             mode contain many symbols that are used for debugging, thus
             greatly increasing the size of the kernel.  Note that if you
             running a FreeBSD 3.0 or later system, there will be little
             or no performance decrease from running a debug kernel,
             and it is useful to keep one around in case of a system
             panic.</para>
 
           <para>However, if you are running low on disk space, or
             you simply do not want to run a debug kernel, make sure
             that both of the following are true:</para>
 
           <itemizedlist>
             <listitem>
               <para>You do not have a line in your kernel
                 configuration file that reads:</para>
 
               <programlisting>makeoptions DEBUG=-g</programlisting>
             </listitem>
 
             <listitem>
               <para>You are not running &man.config.8; with
                 the <option>-g</option> option.</para>
             </listitem>
           </itemizedlist>
 
           <para>Both of the above situations will cause your kernel to
             be built in debug mode.  As long as you make sure you follow
             the steps above, you can build your kernel normally, and you
             should notice a fairly large size decrease; most kernels
             tend to be around 1.5MB to 2MB.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="multiport-serial-interrupts">
           <para>Why do I get interrupt conflicts with multi-port serial
             code?</para>
         </question>
 
         <answer>
           <para>When I compile a kernel
             with multi-port serial code, it tells me that only the first
             port is probed and the rest skipped due to interrupt conflicts.
             How do I fix this?</para>
 
           <para>The problem here is that
             FreeBSD has code built-in to keep the kernel from getting
             trashed due to hardware or software conflicts. The way to fix
             this is to leave out the IRQ settings on all but one port. Here
             is an example:</para>
 
           <programlisting>#
 # Multiport high-speed serial line - 16550 UARTS
 #
 device sio2 at isa? port 0x2a0 tty irq 5 flags 0x501 vector siointr
 device sio3 at isa? port 0x2a8 tty flags 0x501 vector siointr
 device sio4 at isa? port 0x2b0 tty flags 0x501 vector siointr
 device sio5 at isa? port 0x2b8 tty flags 0x501 vector siointr</programlisting>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="generic-kernel-build-failure">
           <para>Why does every kernel I try to build fail to compile, even
             GENERIC?</para>
         </question>
 
         <answer>
           <para>There are a number of possible causes for this problem.
             They are, in no particular order:</para>
 
           <itemizedlist>
             <listitem>
               <para>You are not using the new <command>make
                 buildkernel</command> and <command>make
                 installkernel</command> targets, and your source tree is
                 different from the one used to build the currently running
                 system (e.g., you are compiling 4.3-RELEASE on a 4.0-RELEASE
                 system).  If you are attempting an upgrade, please read the
                 <filename>/usr/src/UPDATING</filename> file, paying
                 particular attention to the <quote>COMMON ITEMS</quote>
                 section at the end.</para>
             </listitem>
 
             <listitem>
               <para>You are using the new <command>make
                 buildkernel</command> and <command>make
                 installkernel</command> targets, but you failed to assert
                 the completion of the <command>make buildworld</command>
                 target.  The <command>make buildkernel</command> target
                 relies on files generated by the <command>make
                 buildworld</command> target to complete its job
                 correctly.</para>
             </listitem>
 
             <listitem>
               <para>Even if you are trying to build <link
                 linkend="stable">FreeBSD-STABLE</link>, it is possible that
                 you fetched the source tree at a time when it was either
                 being modified, or broken for other reasons; only releases
                 are absolutely guaranteed to be buildable, although <link
                 linkend="stable">FreeBSD-STABLE</link> builds fine the
                 majority of the time.  If you have not already done so, try
                 re-fetching the source tree and see if the problem goes
                 away.  Try using a different server in case the one you are
                 using is having problems.</para>
             </listitem>
           </itemizedlist>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="scheduler-in-use">
           <para>How can I verify which scheduler is in use on a
             running system?</para>
         </question>
 
         <answer>
           <para>Just type:
             <screen>&prompt.root; <userinput>sysctl kern.quantum</userinput></screen>
             If you see
             <screen>unknown oid 'kern.quantum'</screen>
             it means that the current scheduler is <quote>SCHED_ULE</quote>, however,
             if you see
             <screen>kern.quantum: 100000</screen>
 	     then the original scheduler <quote>SCHED_4BSD</quote> is the current selection.
           </para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="scheduler-kern-quantum">
           <para>What is <literal>kern.quantum</literal>?</para>
         </question>
 
         <answer>
           <para><literal>kern.quantum</literal> is the maximum number of
             ticks a process can run without being preempted.  It is
             specific to the 4BSD scheduler, so you can use its
             presence or absence to determine which scheduler is in
             use.
           </para>
         </answer>
       </qandaentry>
     </qandaset>
   </chapter>
 
   <chapter id="disks">
     <title>Disks, Filesystems, and Boot Loaders</title>
 
     <qandaset>
       <qandaentry>
         <question id="adding-disks">
           <para>How can I add my new hard disk to my FreeBSD system?</para>
         </question>
 
         <answer>
           <para>See the Disk Formatting Tutorial at <ulink
             url="&url.articles.formatting-media;/index.html">
             www.FreeBSD.org</ulink>.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="new-huge-disk">
           <para>How do I move my system over to my huge new disk?</para>
         </question>
 
         <answer>
           <para>The best way is to reinstall the OS on the new
             disk, then move the user data over.  This is highly
             recommended if you have been tracking -STABLE for more
             than one release, or have updated a release instead of
             installing a new one.  You can install booteasy on both
             disks with &man.boot0cfg.8;, and dual boot them until
             you are happy with the new configuration.  Skip the
             next paragraph to find out how to move the data after
             doing this.</para>
 
           <para>Should you decide not to do a fresh install, you
             need to partition and label the new disk with either
             <filename>/stand/sysinstall</filename>, or &man.fdisk.8;
             and &man.disklabel.8;.  You should also install booteasy
             on both disks with &man.boot0cfg.8;, so that you can
             dual boot to the old or new system after the copying
             is done.  See the <ulink
             url="&url.articles.formatting-media;/index.html">
             formatting-media article</ulink> for details on this
             process.</para>
 
           <para>Now you have the new disk set up, and are ready
             to move the data.  Unfortunately, you cannot just blindly
             copy the data.  Things like device files (in
 	    <filename>/dev</filename>), flags, and links tend to
             screw that up.  You need to use tools that understand
             these things, which means &man.dump.8;.
             Although it is suggested that you move the data in single user
             mode, it is not required.</para>
 
           <para>You should never use anything but &man.dump.8; and
             &man.restore.8; to move the root filesystem.  The
             &man.tar.1; command may work - then again, it may not.
             You should also use &man.dump.8; and &man.restore.8;
             if you are moving a single partition to another empty
             partition.  The sequence of steps to use dump to move
             a partitions data to a new partition is:</para>
 
           <procedure>
             <step>
               <para>newfs the new partition.</para>
             </step>
 
             <step>
               <para>mount it on a temporary mount point.</para>
             </step>
 
             <step>
               <para>cd to that directory.</para>
             </step>
 
             <step>
               <para>dump the old partition, piping output to the
                 new one.</para>
             </step>
           </procedure>
 
           <para>For example, if you are going to move root to
             <devicename>/dev/ad1s1a</devicename>, with
             <filename>/mnt</filename> as the temporary mount point,
             it is:</para>
 
           <screen>&prompt.root; <userinput>newfs /dev/ad1s1a</userinput>
 &prompt.root; <userinput>mount /dev/ad1s1a /mnt</userinput>
 &prompt.root; <userinput>cd /mnt</userinput>
 &prompt.root; <userinput>dump 0af - / | restore xf -</userinput></screen>
 
           <para>Rearranging your partitions with dump takes a bit more
             work. To merge a partition like <filename>/var</filename>
             into its parent, create the new partition large enough
             for both, move the parent partition as described above,
             then move the child partition into the empty directory
             that the first move created:</para>
 	  
           <screen>&prompt.root; <userinput>newfs /dev/ad1s1a</userinput>
 &prompt.root; <userinput>mount /dev/ad1s1a /mnt</userinput>
 &prompt.root; <userinput>cd /mnt</userinput>
 &prompt.root; <userinput>dump 0af - / | restore xf -</userinput>
 &prompt.root; <userinput>cd var</userinput>
 &prompt.root; <userinput>dump 0af - /var | restore xf -</userinput></screen>
 
 	  <para>To split a directory from its parent, say putting
 	    <filename>/var</filename> on its own partition when it was not
 	    before, create both partitions, then mount the child partition
 	    on the appropriate directory in the temporary mount point, then
 	    move the old single partition:</para>
 
           <screen>&prompt.root; <userinput>newfs /dev/ad1s1a</userinput>
 &prompt.root; <userinput>newfs /dev/ad1s1d</userinput>
 &prompt.root; <userinput>mount /dev/ad1s1a /mnt</userinput>
 &prompt.root; <userinput>mkdir /mnt/var</userinput>
 &prompt.root; <userinput>mount /dev/ad1s1d /mnt/var</userinput>
 &prompt.root; <userinput>cd /mnt</userinput>
 &prompt.root; <userinput>dump 0af - / | restore xf -</userinput></screen>
 
           <para>You might prefer &man.cpio.1;, &man.pax.1;,
             &man.tar.1; to &man.dump.8; for user data. At the time of
             this writing, these are known to lose file flag information,
             so use them with caution.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="dangerously-dedicated">
           <para>Will a <quote>dangerously dedicated</quote> disk endanger
             my health?</para>
         </question>
 
         <answer>
 
           <para><anchor id="dedicate">The installation procedure allows
             you to chose two different methods in partitioning your
             hard disk(s). The default way makes it compatible with other
             operating systems on the same machine, by using fdisk table
             entries (called <quote>slices</quote> in FreeBSD), with a
             FreeBSD slice that employs partitions of its own. Optionally,
             one can chose to install a boot-selector to switch between the
             possible operating systems on the disk(s). The alternative uses
             the entire disk for FreeBSD, and makes no attempt to be
             compatible with other operating systems.</para>
 
           <para>So why it is called <quote>dangerous</quote>?  A disk
             in this mode does not contain what normal PC utilities
             would consider a valid fdisk table. Depending on how well
             they have been designed, they might complain at you once
             they are getting in contact with such a disk, or even
             worse, they might damage the BSD bootstrap without even
             asking or notifying you. In addition, the
             <quote>dangerously dedicated</quote> disk's layout is
             known to confuse many BIOSes, including those from AWARD
             (e.g. as found in HP Netserver and Micronics systems as
             well as many others) and Symbios/NCR (for the popular
             53C8xx range of SCSI controllers). This is not a complete
             list, there are more. Symptoms of this confusion include
             the <errorname>read error</errorname> message printed by
             the FreeBSD bootstrap when it cannot find itself, as well
             as system lockups when booting.</para>
 
           <para>Why have this mode at all then?  It only saves a few kbytes
             of disk space, and it can cause real problems for a new
             installation. <quote>Dangerously dedicated</quote> mode's
             origins lie in a desire to avoid one of the most common
             problems plaguing new FreeBSD installers - matching the BIOS
             <quote>geometry</quote> numbers for a disk to the disk
             itself.</para>
 
           <para><quote>Geometry</quote> is an outdated concept, but one
             still at the heart of the PC's BIOS and its interaction with
             disks. When the FreeBSD installer creates slices, it has to
             record the location of these slices on the disk in a fashion
             that corresponds with the way the BIOS expects to find them. If
             it gets it wrong, you will not be able to boot.</para>
 
           <para><quote>Dangerously dedicated</quote> mode tries to work
             around this by making the problem simpler. In some cases, it
             gets it right. But it is meant to be used as a last-ditch
             alternative - there are better ways to solve the problem 99
             times out of 100.</para>
 
           <para>So, how do you avoid the need for <quote>DD</quote> mode
             when you are installing? Start by making a note of the geometry
             that your BIOS claims to be using for your disks. You can
             arrange to have the kernel print this as it boots by specifying
             <option>-v</option> at the <literal>boot:</literal> prompt, or
             using <command>boot -v</command> in the loader. Just before the
             installer starts, the kernel will print a list of BIOS
             geometries. Do not panic - wait for the installer to start and
             then use scrollback to read the numbers. Typically the BIOS
             disk units will be in the same order that FreeBSD lists your
             disks, first IDE, then SCSI.</para>
 
           <para>When you are slicing up your disk, check that the disk
             geometry displayed in the FDISK screen is correct (ie. it
             matches the BIOS numbers); if it is wrong, use the
             <keycap>g</keycap> key to fix it. You may have to do this if
             there is absolutely nothing on the disk, or if the disk has been
             moved from another system. Note that this is only an issue with
             the disk that you are going to boot from; FreeBSD will sort
             itself out just fine with any other disks you may have.</para>
 
           <para>Once you have got the BIOS and FreeBSD agreeing about the
             geometry of the disk, your problems are almost guaranteed to be
             over, and with no need for <quote>DD</quote> mode at all. If,
             however, you are still greeted with the dreaded <errorname>read
             error</errorname> message when you try to boot, it is time to cross
             your fingers and go for it - there is nothing left to
             lose.</para>
 
           <para>To return a <quote>dangerously dedicated</quote> disk
             for normal PC use, there are basically two options. The first
             is, you write enough NULL bytes over the MBR to make any
             subsequent installation believe this to be a blank disk. You
             can do this for example with</para>
 
           <screen>&prompt.root; <userinput>dd if=/dev/zero of=/dev/rda0 count=15</userinput></screen>
 
           <para>Alternatively, the undocumented DOS
             <quote>feature</quote></para>
 
           <screen><prompt>C:\&gt;</prompt> <userinput>fdisk /mbr</userinput></screen>
 
           <para>will to install a new master boot record as well, thus
             clobbering the BSD bootstrap.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="safe-softupdates">
           <para>Which partitions can safely use Soft Updates?  I have
             heard that Soft Updates on <filename>/</filename> can cause
             problems.</para>
         </question>
 
         <answer>
           <para>Short answer: you can usually use Soft Updates safely
             on all partitions.</para>
 
           <para>Long answer: There used to be some concern over using
             Soft Updates on the root partition.  Soft Updates has two
             characteristics that caused this.  First, a Soft Updates
             partition has a small chance of losing data during a
             system crash.  (The partition will not be corrupted; the
             data will simply be lost.)  Also, Soft Updates can cause
             temporary space shortages.</para>
 
           <para>When using Soft Updates, the kernel can take up to
             thirty seconds to actually write changes to the physical
             disk.  If you delete a large file, the file still resides
             on disk until the kernel actually performs the deletion.
             This can cause a very simple race condition.  Suppose you
             delete one large file and immediately create another large
             file.  The first large file is not yet actually removed
             from the physical disk, so the disk might not have enough
             room for the second large file.  You get an error that the
             partition does not have enough space, although you know
             perfectly well that you just released a large chunk of
             space!  When you try again mere seconds later, the file
             creation works as you expect.  This has left more than one
             user scratching his head and doubting his sanity, the
             FreeBSD filesystem, or both.</para>
 
           <para>If a system should crash after the kernel accepts a
             chunk of data for writing to disk, but before that data is
             actually written out, data could be lost or corrupted.
             This risk is extremely small, but generally manageable.
             Use of IDE write caching greatly increases this risk; it
             is strongly recommended that you disable IDE write caching
             when using Soft Updates.</para>
 
           <para>These issues affect all partitions using Soft Updates.
             So, what does this mean for the root partition?</para>
 
           <para>Vital information on the root partition changes very
             rarely.  Files such as <filename>/kernel</filename> and
             the contents of <filename>/etc</filename> only change
             during system maintenance, or when users change their
             passwords.  If the system crashed during the
             thirty-second window after such a change is made, it is
             possible that data could be lost.  This risk is negligible
             for most applications, but you should be aware that it
             exists.  If your system cannot tolerate this much risk,
             do not use Soft Updates on the root filesystem!</para>
 
           <para><filename>/</filename> is traditionally one of the
             smallest partitions.  By default, FreeBSD puts the
             <filename>/tmp</filename> directory on
             <filename>/</filename>.  If you have a busy
             <filename>/tmp</filename>, you might see intermittent
             space problems.  Symlinking <filename>/tmp</filename> to
             <filename>/var/tmp</filename> will solve this
             problem.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="inappropriate-ccd">
           <para>What is inappropriate about my ccd?</para>
         </question>
 
         <answer>
           <para>The symptom of this is:</para>
 
           <screen>&prompt.root; <userinput>ccdconfig -C</userinput>
 ccdconfig: ioctl (CCDIOCSET): /dev/ccd0c: Inappropriate file type or format</screen>
 
           <para>This usually happens when you are trying to concatenate
             the <literal>c</literal> partitions, which default to type
             <literal>unused</literal>. The ccd driver requires the
             underlying partition type to be FS_BSDFFS. Edit the disklabel
             of the disks you are trying to concatenate and change the types
             of partitions to <literal>4.2BSD</literal>.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="ccd-disklabel">
           <para>Why can I not edit the disklabel on my ccd?</para>
         </question>
 
         <answer>
           <para>The symptom of this is:</para>
 
           <screen>&prompt.root; <userinput>disklabel ccd0</userinput>
 (it prints something sensible here, so let us try to edit it)
 &prompt.root; <userinput>disklabel -e ccd0</userinput>
 (edit, save, quit)
 disklabel: ioctl DIOCWDINFO: No disk label on disk;
 use "disklabel -r" to install initial label</screen>
 
           <para>This is because the disklabel returned by ccd is actually
             a <quote>fake</quote> one that is not really on the disk.
             You can solve this problem by writing it back explicitly,
             as in:</para>
 
           <screen>&prompt.root; <userinput>disklabel ccd0 &gt; /tmp/disklabel.tmp</userinput>
 &prompt.root; <userinput>disklabel -Rr ccd0 /tmp/disklabel.tmp</userinput>
 &prompt.root; <userinput>disklabel -e ccd0</userinput>
 (this will work now)</screen>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="mount-foreign-fs">
           <para>Can I mount other foreign filesystems under FreeBSD?</para>
         </question>
 
         <answer>
           <variablelist>
             <varlistentry>
               <term>Digital UNIX</term>
 
               <listitem>
                 <para>UFS CDROMs can be mounted directly on FreeBSD.
                   Mounting disk partitions from Digital UNIX and other
                   systems that support UFS may be more complex, depending
                   on the details of the disk partitioning for the operating
                   system in question.</para>
               </listitem>
             </varlistentry>
 
             <varlistentry>
               <term>&linux;</term>
 
               <listitem>
                 <para>FreeBSD supports <literal>ext2fs</literal>
                   partitions.  See &man.mount.ext2fs.8; for more
                   information.</para>
               </listitem>
             </varlistentry>
 
             <varlistentry>
               <term>&windowsnt;</term>
 
               <listitem>
                 <para>FreeBSD includes a read-only NTFS driver.  For
 		  more information, see &man.mount.ntfs.8;.
                 </para>
               </listitem>
             </varlistentry>
           </variablelist>
 
           <para>Any other information on this subject would be
             appreciated.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="mount-dos">
           <para>How do I mount a secondary DOS partition?</para>
         </question>
 
         <answer>
 
         <para>The secondary DOS partitions are found after ALL the
           primary partitions. For example, if you have an
           <quote>E</quote> partition as the second DOS partition on
           the second SCSI drive, you need to create the special files
           for <quote>slice 5</quote> in <filename>/dev</filename>,
           then mount <devicename>/dev/da1s5</devicename>:</para>
 
         <screen>&prompt.root; <userinput>cd /dev</userinput>
 &prompt.root; <userinput>sh MAKEDEV da1s5</userinput>
 &prompt.root; <userinput>mount -t msdos /dev/da1s5 /dos/e</userinput></screen>
 
         <note>
 	  <para>You can omit this step if you are running FreeBSD
 	    5.0-RELEASE or newer with &man.devfs.5;
 	    enabled.</para>
 	</note>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="crypto-filesystem">
           <para>Is there a cryptographic filesystem for &os;?</para>
         </question>
 
         <answer>
           <para>Yes; see the <filename
             role="package">security/cfs</filename> port.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="nt-bootloader">
           <para>How can I use the &windowsnt; loader to boot FreeBSD?</para>
         </question>
 
         <answer>
           <para>The general idea is that you copy the first sector of your
             native root FreeBSD partition into a file in the DOS/&windowsnt;
             partition. Assuming you name that file something like
             <filename>c:\bootsect.bsd</filename> (inspired by
             <filename>c:\bootsect.dos</filename>), you can then edit the
             <filename>c:\boot.ini</filename> file to come up with something
             like this:</para>
 
           <programlisting>[boot loader]
 timeout=30
 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
 [operating systems]
 multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows NT"
 C:\BOOTSECT.BSD="FreeBSD"
 C:\="DOS"</programlisting>
 
           <para>If FreeBSD is installed on the same disk as the &windowsnt; boot
             partition simply copy <filename>/boot/boot1</filename> to
             <filename>C:\BOOTSECT.BSD</filename>. However, if FreeBSD is
             installed on a different disk <filename>/boot/boot1</filename>
             will not work, <filename>/boot/boot0</filename> is needed.</para>
 
           <para><filename>/boot/boot0</filename> needs to be installed
             using sysinstall by selecting the FreeBSD boot manager on
             the screen which asks if you wish to use a boot
             manager. This is because <filename>/boot/boot0</filename>
             has the partition table area filled with NULL characters
             but sysinstall copies the partition table before copying
             <filename>/boot/boot0</filename> to the MBR.</para>
 
             <warning>
               <para><emphasis>Do not simply copy <filename>/boot/boot0</filename>
                 instead of <filename>/boot/boot1</filename>; you will
                 overwrite your partition table and render your computer
                 un-bootable!</emphasis></para>
             </warning>
 
           <para>When the FreeBSD boot manager runs it records the last
             OS booted by setting the active flag on the partition table
             entry for that OS and then writes the whole 512-bytes of itself
             back to the MBR so if you just copy
             <filename>/boot/boot0</filename> to
             <filename>C:\BOOTSECT.BSD</filename> then it writes an empty
             partition table, with the active flag set on one entry, to the
             MBR.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="lilo-bootloader">
           <para>How do I boot FreeBSD and &linux; from LILO?</para>
         </question>
 
         <answer>
           <para>If you have FreeBSD and &linux; on the same disk, just follow
             LILO's installation instructions for booting a non-&linux;
             operating system.  Very briefly, these are:</para>
 
           <para>Boot &linux;, and add the following lines to
             <filename>/etc/lilo.conf</filename>:</para>
 
             <programlisting>other=/dev/hda2
         table=/dev/hda
         label=FreeBSD</programlisting>
 
           <para>(the above assumes that your FreeBSD slice is known to
             &linux; as <devicename>/dev/hda2</devicename>; tailor to
             suit your setup).  Then, run <command>lilo</command> as
             <username>root</username> and you should be done.</para>
 
           <para>If FreeBSD resides on another disk, you need to add
             <literal>loader=/boot/chain.b</literal> to the LILO entry.
             For example:</para>
 
           <programlisting>other=/dev/dab4
         table=/dev/dab
         loader=/boot/chain.b
         label=FreeBSD</programlisting>
 
           <para>In some cases you may need to specify the BIOS drive number
             to the FreeBSD boot loader to successfully boot off the second
             disk.  For example, if your FreeBSD SCSI disk is probed by BIOS
             as BIOS disk 1, at the FreeBSD boot loader prompt you need to
             specify:</para>
 
           <screen>Boot: <userinput>1:da(0,a)/kernel</userinput></screen>
 
           <para>On FreeBSD 2.2.5 and later, you can configure
             &man.boot.8;
             to automatically do this for you at boot time.</para>
 
           <para>The <ulink
             url="http://sunsite.unc.edu/LDP/HOWTO/mini/Linux+FreeBSD.html">
             &linux;+FreeBSD mini-HOWTO</ulink> is a good reference for
             FreeBSD and &linux; interoperability issues.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="booteasy-loader">
           <para>How do I boot FreeBSD and &linux; using BootEasy?</para>
         </question>
 
         <answer>
           <para>Install LILO at the start of your &linux; boot partition
             instead of in the Master Boot Record.   You can then boot LILO
             from BootEasy.</para>
 
           <para>If you are running &windows; 95 and &linux; this is recommended
             anyway, to make it simpler to get &linux; booting again if you
             should need to reinstall &windows; 95 (which is a Jealous
             Operating System, and will bear no other Operating Systems in
             the Master Boot Record).</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="changing-bootprompt">
           <para>How do I change the boot prompt from <literal>???</literal> to
             something more meaningful?</para>
         </question>
 
         <answer>
           <para>You can not do that with the standard boot manager without
             rewriting it. There are a number of other boot managers
             in the <filename>sysutils</filename> ports category that
             provide this functionality.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="removable-drives">
           <para>I have a new removable drive, how do I use it?</para>
         </question>
 
         <answer>
 
           <para>Whether it is a removable drive like a &iomegazip; or an EZ drive
             (or even a floppy, if you want to use it that way), or a new
             hard disk, once it is installed and recognized by the system,
             and you have your cartridge/floppy/whatever slotted in, things
             are pretty much the same for all devices.</para>
 
           <para><anchor id="disklabel">(this section is based on <ulink
             url="http://www.vmunix.com/mark/FreeBSD/ZIP-FAQ.html">
             Mark Mayo's ZIP FAQ</ulink>)</para>
 
           <para>If it is a ZIP drive or a floppy, you have already got a DOS
             filesystem on it, you can use a command like this:</para>
 
           <screen>&prompt.root; <userinput>mount -t msdos /dev/fd0c /floppy</userinput></screen>
 
           <para>if it is a floppy, or this:</para>
 
           <screen>&prompt.root; <userinput>mount -t msdos /dev/da2s4 /zip</userinput></screen>
 
           <para>for a ZIP disk with the factory configuration.</para>
 
           <para>For other disks, see how they are laid out using
             &man.fdisk.8; or
             &man.sysinstall.8;.</para>
 
           <para>The rest of the examples will be for a ZIP drive on da2,
             the third SCSI disk.</para>
 
           <para>Unless it is a floppy, or a removable you plan on sharing
             with other people, it is probably a better idea to stick a BSD
             filesystem on it. You will get long filename support, at least a
             2X improvement in performance, and a lot more stability. First,
             you need to redo the DOS-level partitions/filesystems. You can
             either use &man.fdisk.8; or
             <filename>/stand/sysinstall</filename>, or for a small drive
             that you do not want to bother with multiple operating system
             support on, just blow away the whole FAT partition table
             (slices) and just use the BSD partitioning:</para>
 
           <screen>&prompt.root; <userinput>dd if=/dev/zero of=/dev/rda2 count=2</userinput>
 &prompt.root; <userinput>disklabel -Brw da2 auto</userinput></screen>
 
           <para>You can use disklabel or
             <filename>/stand/sysinstall</filename> to create multiple BSD
             partitions. You will certainly want to do this if you are adding
             swap space on a fixed disk, but it is probably irrelevant on a
             removable drive like a ZIP.</para>
 
           <para>Finally, create a new filesystem, this one is on our ZIP
             drive using the whole disk:</para>
 
           <screen>&prompt.root; <userinput>newfs /dev/rda2c</userinput></screen>
 
           <para>and mount it:</para>
 
           <screen>&prompt.root; <userinput>mount /dev/da2c /zip</userinput></screen>
 
           <para>and it is probably a good idea to add a line like this
             to <filename>/etc/fstab</filename> (see &man.fstab.5;) so
             you can just type <command>mount /zip</command> in the
             future:</para>
 
           <programlisting>/dev/da2c /zip ffs rw,noauto 0 0</programlisting>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="mount-cd-superblock">
           <para>Why do I get <errorname>Incorrect super block</errorname> when
             mounting a CDROM?</para>
         </question>
 
         <answer>
           <para>You have to tell &man.mount.8; the type of the device
             that you want to mount.  This is described in the <ulink
             url="&url.books.handbook;/creating-cds.html"> Handbook section on
             optical media</ulink>, specifically the section <ulink
             url="&url.books.handbook;/creating-cds.html#MOUNTING-CD">Using Data
             CDs</ulink>.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="cdrom-not-configured">
           <para>Why do I get <errorname>Device not
             configured</errorname> when mounting a CDROM?</para>
         </question>
 
         <answer>
           <para>This generally means that there is no CDROM in the
             CDROM drive, or the drive is not visible on the
             bus. Please see the <ulink
             url="&url.books.handbook;/creating-cds.html#MOUNTING-CD">Using Data
             CDs</ulink> section of the Handbook for a detailed
             discussion of this issue.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="cdrom-unicode-filenames">
           <para>Why do all non-English characters in filenames show up as
             <quote>?</quote> on my CDs when mounted in FreeBSD?</para>
         </question>
 
         <answer>
           <para>Your CDROM probably uses the <quote>Joliet</quote>
             extension for storing information about files and
             directories.  This is discussed in the Handbook chapter on
             <ulink url="&url.books.handbook;/creating-cds.html">creating and
             using CDROMs</ulink>, specifically the section on <ulink
             url="&url.books.handbook;/creating-cds.html#MOUNTING-CD">Using Data
             CDROMs</ulink>.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="burncd-isofs">
           <para>I burned a CD under FreeBSD and now I can not read it
             under any other operating system. Why?</para>
         </question>
   
         <answer>
           <para>You most likely burned a raw file to your CD, rather
             than creating an ISO 9660 filesystem.  Take a look at the
             <ulink url="&url.books.handbook;/creating-cds.html">Handbook
             chapter on creating CDROMs</ulink>, particularly the
             section on <ulink
             url="&url.books.handbook;/creating-cds.html#RAWDATA-CD">burning raw
             data CDs</ulink>.</para>
 	</answer>
       </qandaentry>
 
       <qandaentry>
         <question id="copy-cd">
           <para>How can I create an image of a data CD?</para>
         </question>
 
         <answer>
           <para>This is discussed in the Handbook section on <ulink
             url="&url.books.handbook;/creating-cds.html#IMAGING-CD">duplicating
             data CDs</ulink>. For more on working with CDROMs, see the
             <ulink url="&url.books.handbook;/creating-cds.html">Creating CDs
             Section</ulink> in the Storage chapter in the
             Handbook.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="mount-audio-CD">
           <para>Why can I not <command>mount</command> an audio
           CD?</para>
          </question>
 
         <answer>
           <para>If you try to mount an audio CD, you will get an error
             like <errorname>cd9660: /dev/acd0c: Invalid
             argument</errorname>.  This is because
             <command>mount</command> only works on filesystems.  Audio
             CDs do not have filesystems; they just have data.  You
             need a program that reads audio CDs, such as the
             <filename role="package">audio/xmcd</filename> port.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="multi-session-CD">
           <para>How do I <command>mount</command> a multi-session CD?</para>
         </question>
 
         <answer>
           <para>By default, &man.mount.8; will attempt to mount the
             last data track (session) of a CD.  If you would like to
             load an earlier session, you must use the
             <option>-s</option> command line argument.  Please see
             &man.mount.cd9660.8; for specific examples.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="user-floppymount">
           <para>How do I let ordinary users mount floppies, CDROMs and
             other removable media?</para>
         </question>
 
         <answer>
           <para>Ordinary users can be permitted to mount devices. Here is
             how:</para>
 
           <procedure>
             <step>
               <para>As <username>root</username> set the sysctl variable
                 <varname>vfs.usermount</varname> to
                 <literal>1</literal>.</para>
 
               <screen>&prompt.root; <userinput>sysctl -w vfs.usermount=1</userinput></screen>
             </step>
 
             <step>
               <para>As <username>root</username> assign the appropriate
                 permissions to the block device associated with the
                 removable media.</para>
 
               <para>For example, to allow users to mount the first floppy
                 drive, use:</para>
 
               <screen>&prompt.root; <userinput>chmod 666 /dev/fd0</userinput></screen>
 
               <para>To allow users in the group
                 <groupname>operator</groupname> to mount the CDROM drive,
                 use:</para>
 
               <screen>&prompt.root; <userinput>chgrp operator /dev/cd0c</userinput>
 &prompt.root; <userinput>chmod 640 /dev/cd0c</userinput></screen>
             </step>
 
             <step>
               <para>Finally, add the line
                 <literal><varname>vfs.usermount</varname>=1</literal>
                 to the file <filename>/etc/sysctl.conf</filename> so
                 that it is reset at system boot time.</para>
             </step>
           </procedure>
 
           <para>All users can now mount the floppy
             <devicename>/dev/fd0</devicename> onto a directory that they
             own:</para>
 
           <screen>&prompt.user; <userinput>mkdir ~/my-mount-point</userinput>
 &prompt.user; <userinput>mount -t msdos /dev/fd0 ~/my-mount-point</userinput></screen>
 
           <para>Users in group <groupname>operator</groupname> can now
             mount the CDROM <devicename>/dev/cd0c</devicename> onto a
             directory that they own:</para>
 
           <screen>&prompt.user; <userinput>mkdir ~/my-mount-point</userinput>
 &prompt.user; <userinput>mount -t cd9660 /dev/cd0c ~/my-mount-point</userinput></screen>
 
           <para>Unmounting the device is simple:</para>
 
           <screen>&prompt.user; <userinput>umount ~/my-mount-point</userinput></screen>
 
           <para>Enabling <varname>vfs.usermount</varname>, however,
             has negative security implications.  A better way to
             access &ms-dos; formatted media is to use the
             <filename role="package">emulators/mtools</filename>
             package in the ports collection.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="du-vs-df">
           <para>The <command>du</command> and <command>df</command>
             commands show different amounts of disk space available.
             What is going on?</para>
         </question>
 
         <answer>
           <para>You need to understand what <command>du</command> and
             <command>df</command> really do.  <command>du</command>
             goes through the directory tree, measures how large each
             file is, and presents the totals.  <command>df</command>
             just asks the filesystem how much space it has left.  They
             seem to be the same thing, but a file without a directory
             entry will affect <command>df</command> but not
             <command>du</command>.</para>
 
           <para>When a program is using a file, and you delete the
             file, the file is not really removed from the filesystem
             until the program stops using it.  The file is immediately
             deleted from the directory listing, however.  You can see
             this easily enough with a program such as
             <command>more</command>.  Assume you have a file large
             enough that its presence affects the output of
             <command>du</command> and <command>df</command>.  (Since
             disks can be so large today, this might be a
             <emphasis>very</emphasis> large file!)  If you delete this
             file while using <command>more</command> on it,
             <command>more</command> does not immediately choke and
             complain that it cannot view the file.  The entry is
             simply removed from the directory so no other program or
             user can access it.  <command>du</command> shows that it
             is gone &mdash; it has walked the directory tree and the file
             is not listed.  <command>df</command> shows that it is
             still there, as the filesystem knows that
             <command>more</command> is still using that space.  Once
             you end the <command>more</command> session,
             <command>du</command> and <command>df</command> will
             agree.</para>
 
           <para>Note that Soft Updates can delay the freeing of disk
             space; you might need to wait up to 30 seconds for the
             change to be visible!</para>
 
           <para>This situation is common on web servers.  Many people
             set up a FreeBSD web server and forget to rotate the log
             files.  The access log fills up <filename>/var</filename>.
             The new administrator deletes the file, but the system
             still complains that the partition is full.  Stopping and
             restarting the web server program would free the file,
             allowing the system to release the disk space.  To prevent
             this from happening, set up &man.newsyslog.8;.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="add-swap-space">
           <para>How can I add more swap space?</para>
         </question>
 
         <answer>
           <para>In the <ulink
           url="&url.books.handbook;/config-tuning.html">Configuration and
           Tuning</ulink> section of the Handbook, you will find a
           <ulink
           url="&url.books.handbook;/adding-swap-space.html">section</ulink>
           describing how to do this.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="disk-more-than-full">
           <para>How is it possible for a partition to be more than 100%
             full?</para>
         </question>
 
         <answer>
 	  <para>A portion of each UFS partition (8%, by default) is
 	    reserved for use by the operating system and the
 	    <username>root</username> user.
 	    &man.df.1; does not count that space when
 	    calculating the <literal>Capacity</literal> column, so it can
 	    exceed 100%.  Also, you will notice that the
 	    <literal>Blocks</literal> column is always greater than the
 	    sum of the <literal>Used</literal> and
 	    <literal>Avail</literal> columns, usually by a factor of
 	    8%.</para>
 
 	  <para>For more details, look up the <option>-m</option> option
 	    in &man.tunefs.8;.</para>
         </answer>
       </qandaentry>
     </qandaset>
   </chapter>
 
   <chapter id="admin">
     <title>System Administration</title>
 
     <qandaset>
       <qandaentry>
         <question id="startup-config-files">
           <para>Where are the system start-up configuration files?</para>
         </question>
 
         <answer>
           <para>The primary configuration file is
             <filename>/etc/defaults/rc.conf</filename> (see
             &man.rc.conf.5;) System startup scripts such as
             <filename>/etc/rc</filename> and
             <filename>/etc/rc.d</filename> (see &man.rc.8;) just
             include this file.  <emphasis>Do not edit this
             file!</emphasis> Instead, if there is any entry in
             <filename>/etc/defaults/rc.conf</filename> that you want
             to change, you should copy the line into
             <filename>/etc/rc.conf</filename> and change it
             there.</para>
 
           <para>For example, if you wish to start named, the included
             DNS server, all you need to do is:</para>
 
           <screen>&prompt.root; <userinput>echo named_enable="YES" &gt;&gt; /etc/rc.conf</userinput></screen>
 
           <para>To start up local services, place shell scripts in the
             <filename>/usr/local/etc/rc.d</filename> directory. These
             shell scripts should be set executable, and end with a
             .sh.</para>
 
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="adding-users">
           <para>How do I add a user easily?</para>
         </question>
 
         <answer>
           <para>Use the &man.adduser.8; command, or the &man.pw.8;
             command for more complicated situations.</para>
 
           <para>To remove the user, use the &man.rmuser.8; command or,
             if necessary, &man.pw.8;.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="root-not-found-cron-errors">
           <para>Why do I keep getting messages like <errorname>root: not
             found</errorname> after editing my crontab file?</para>
         </question>
 
         <answer>
           <para>This is normally caused by editing the system crontab
             (<filename>/etc/crontab</filename>) and then using
             &man.crontab.1; to install it:</para>
 
           <screen>&prompt.root; <userinput>crontab /etc/crontab</userinput></screen>
 
           <para>This is not the correct way to do things.  The system
             crontab has a different format to the per-user crontabs
             which &man.crontab.1; updates (the &man.crontab.5; manual
             page explains the differences in more detail).</para>
 
           <para>If this is what you did, the extra crontab is simply a
             copy of <filename>/etc/crontab</filename> in the wrong
             format it.  Delete it with the command:</para>
 
           <screen>&prompt.root; <userinput>crontab -r</userinput></screen>
 
           <para>Next time, when you edit
             <filename>/etc/crontab</filename>, you should not do
             anything to inform &man.cron.8; of the changes, since it
             will notice them automatically.</para>
 
           <para>If you want something to be run once per day, week, or
             month, it is probably better to add shell scripts
             <filename>/usr/local/etc/periodic</filename>, and let the
             &man.periodic.8; command run from the system cron schedule
             it with the other periodic system tasks.</para>
 
           <para>The actual reason for the error is that the system
             crontab has an extra field, specifying which user to run the
             command as.  In the default system crontab provided with
             FreeBSD, this is <username>root</username> for all entries.
             When this crontab is used as the <username>root</username>
             user's crontab (which is <emphasis>not</emphasis> the
             same as the system crontab), &man.cron.8; assumes the string
             <literal>root</literal> is the first word of the command to
             execute, but no such command exists.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
 	<question id="su-wheel-group">
 	  <para>Why do I get the error, <errorname>you are not in the correct
 	    group to su root</errorname> when I try to su to
 	    <username>root</username>?</para>
 	</question>
 
 	<answer>
 	  <para>This is a security feature.  In order to su to
 	    <username>root</username> (or any other account with superuser
 	    privileges), you must be in the <groupname>wheel</groupname>
 	    group.  If this feature were not there, anybody with an account
 	    on a system who also found out <username>root</username>'s
 	    password would be able to gain superuser level access to the
 	    system.  With this feature, this is not strictly true;
 	    &man.su.1; will prevent them from even trying to enter the
 	    password if they are not in <groupname>wheel</groupname>.</para>
 
 	  <para>To allow someone to su to <username>root</username>, simply
 	    put them in the <groupname>wheel</groupname> group.</para>
 	</answer>
       </qandaentry>
 
       <qandaentry>
         <question id="rcconf-readonly">
           <para>I made a mistake in <filename>rc.conf</filename>,
             or another startup file, and
             now I cannot edit it because the filesystem is read-only.
             What should I do?</para>
         </question>
 
         <answer>
           <para>When you get the prompt to enter the shell
             pathname, simply press <literal>ENTER</literal>, and run
             <command>mount /</command> to re-mount the root filesystem in
             read/write mode. You may also need to run <command>mount -a -t
             ufs</command> to mount the filesystem where your favourite
             editor is defined. If your favourite editor is on a network
             filesystem, you will need to either configure the network
             manually before you can mount network filesystems, or use an
             editor which resides on a local filesystem, such as
             &man.ed.1;.</para>
 
           <para>If you intend to use a full screen editor such
             as &man.vi.1; or &man.emacs.1;, you may also need to
             run <command>export TERM=cons25</command> so that these
             editors can load the correct data from the &man.termcap.5;
             database.</para>
 
           <para>Once you have performed these steps, you can edit
             <filename>/etc/rc.conf</filename> as you usually would
             to fix the syntax error.  The error message displayed
             immediately after the kernel boot messages should tell you
             the number of the line in the file which is at fault.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="printer-setup">
           <para>Why am I having trouble setting up my printer?</para>
         </question>
 
         <answer>
           <para>Please have a look at the Handbook entry on printing. It
             should cover most of your problem. See the <ulink
             url="&url.books.handbook;/printing.html">
             Handbook entry on printing</ulink>.</para>
 
 	  <para>Some printers require a host-based driver to do any
 	    kind of printing.  These so-called
 	    <quote>WinPrinters</quote> are not natively supported by
 	    FreeBSD.  If your printer does not work in DOS or &windowsnt;
 	    4.0, it is probably a WinPrinter.  Your only hope of
 	    getting one of these to work is to check if the <filename
 	    role="package">print/pnm2ppa</filename> port supports
 	    it.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="keyboard-mappings">
           <para>How can I correct the keyboard mappings for my system?</para>
         </question>
 
         <answer>
           <para>Please see the Handbook section on <ulink
             url="&url.books.handbook;/using-localization.html">using
             localization</ulink>, specifically the section on <ulink
             url="&url.books.handbook;/using-localization.html#SETTING-CONSOLE">console
             setup</ulink>.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="pnp-resources">
           <para>Why do I get messages like: <errorname>unknown: &lt;PNP0303&gt;
             can't assign resources</errorname> on boot?</para>
         </question>
 
         <answer>
 	  <para>The following is an excerpt from a post to the
 	    freebsd-current mailing list.</para>
 
 	  <blockquote>
 	    <attribution>&a.wollman;, 24 April 2001</attribution>
 
 	    <para>The <quote>can't assign resources</quote> messages
 	      indicate that the devices are legacy ISA devices for which a
 	      non-PnP-aware driver is compiled into the kernel.  These
 	      include devices such as keyboard controllers, the
 	      programmable interrupt controller chip, and several other
 	      bits of standard infrastructure.  The resources cannot be
 	      assigned because there is already a driver using those
 	      addresses.</para>
 	  </blockquote>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="user-quotas">
           <para>Why can I not get user quotas to work properly?</para>
         </question>
 
         <answer>
             <!-- XXX
               This may be the worst answer in the entire document.
             -->
             <orderedlist>
               <listitem>
                 <para>Do not turn on quotas on <filename>/</filename>.</para>
               </listitem>
 
               <listitem>
                 <para>Put the quota file on the filesystem that the quotas
                   are to be enforced on, i.e.:</para>
 
-                <informaltable frame="none">
+                <informaltable frame="none" pgwide="1">
                   <tgroup cols="2">
                     <thead>
                       <row>
                         <entry>Filesystem</entry>
                         <entry>Quota file</entry>
                       </row>
                     </thead>
 
                     <tbody>
                       <row>
                         <entry><filename>/usr</filename></entry>
                         <entry><filename>/usr/admin/quotas</filename></entry>
                       </row>
 
                       <row>
                         <entry><filename>/home</filename></entry>
                         <entry><filename>/home/admin/quotas</filename></entry>
                       </row>
 
                       <row>
                         <entry>&hellip;</entry>
                         <entry>&hellip;</entry>
                       </row>
                     </tbody>
                   </tgroup>
                 </informaltable>
               </listitem>
             </orderedlist>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="sysv-ipc">
           <para>Does FreeBSD support System V IPC primitives?</para>
         </question>
 
         <answer>
           <para>Yes, FreeBSD supports System V-style IPC, including
             shared memory, messages and semaphores.  Versions of
             FreeBSD later than 3.2 support System V IPC in the GENERIC
             kernel.  In earlier versions of FreeBSD, enable this
             support by adding the following lines to your kernel
             config.</para>
 
           <programlisting>options    SYSVSHM          # enable shared memory
 options    SYSVSEM          # enable for semaphores
 options    SYSVMSG          # enable for messaging</programlisting>
 
           <para>Recompile and install your kernel.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="sendmail-alternative">
           <para>What other mail-server software can I use instead of
             Sendmail?</para>
         </question>
 
         <answer>
           <para><ulink url="http://www.sendmail.org/">Sendmail</ulink> is
             the default mail-server software for FreeBSD, but you can
             easily replace it with one of the other MTA (for instance,
             an MTA installed from the ports).</para>
 
           <para>There are various alternative MTAs in the ports tree
             already, with <filename
             role="package">mail/exim</filename>, <filename
             role="package">mail/postfix</filename>, <filename
             role="package">mail/qmail</filename>, and <filename
             role="package">mail/zmailer</filename> being some of the
             most popular choices.</para>
 
           <para>Diversity is nice, and the fact that you have many
             different mail-servers to chose from is considered a
             good thing; therefore try to avoid
             asking questions like <quote>Is Sendmail better than
             Qmail?</quote> in the mailing lists.  If you do feel like
             asking, first check the mailing list archives.  The
             advantages and disadvantages of each and every one of the
             available MTAs have already been discussed a few
             times.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="forgot-root-pw">
           <para>I have forgotten the <username>root</username> password!  What
 	    do I do?</para>
         </question><answer>
 
           <para>Do not panic!  Simply restart the system, type
             <userinput>boot -s</userinput> at the Boot: prompt (just
             <userinput>-s</userinput> for FreeBSD releases before 3.2) to
             enter Single User mode. At the question about the shell to use,
             hit ENTER. You will be dropped to a &prompt.root; prompt. Enter
             <command>mount -u /</command> to remount your root filesystem
             read/write, then run <command>mount -a</command> to remount all
             the filesystems. Run <command>passwd root</command> to change
             the <username>root</username> password then run &man.exit.1; to
 	    continue booting.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="CAD-reboot">
           <para>How do I keep <keycombo
             action="simul"><keycap>Control</keycap><keycap>Alt</keycap><keycap>Delete</keycap></keycombo>
             from rebooting the system?</para>
         </question>
 
         <answer>
           <para>If you are using syscons (the default console driver)
             build and install a new kernel with the
             line</para>
 
           <programlisting>options SC_DISABLE_REBOOT</programlisting>
 
           <para>in the configuration file. If you use the PCVT console
             driver, use the following kernel configuration line
             instead.</para>
 
           <programlisting>options PCVT_CTRL_ALT_DEL</programlisting>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="dos-to-unix-txt">
           <para>How do I reformat DOS text files to &unix; ones?</para>
         </question>
 
         <answer>
 
           <para>Simply use this perl command:</para>
 
           <screen>&prompt.user; <userinput>perl -i.bak -npe 's/\r\n/\n/g' file ...</userinput></screen>
 
           <para>file is the file(s) to process.  The modification is done
             in-place, with the original file stored with a .bak
             extension.</para>
 
           <para>Alternatively you can use the
             &man.tr.1;
             command:</para>
 
           <screen>&prompt.user; <userinput>tr -d '\r' &lt; <replaceable>dos-text-file</replaceable> &gt; <replaceable>unix-file</replaceable></userinput></screen>
 
           <para><replaceable>dos-text-file</replaceable> is the file
             containing DOS text while <replaceable>unix-file</replaceable>
             will contain the converted output.  This can be quite a bit
             faster than using perl.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="kill-by-name">
           <para>How do I kill processes by name?</para>
         </question><answer>
 
           <para>Use &man.killall.1;.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="root-acl">
           <para>Why is su bugging me about not being in
             <username>root</username>'s ACL?</para>
         </question>
 
         <answer>
 
           <para>The error comes from the Kerberos distributed
             authentication system.  The problem is not fatal but annoying.
             You can either run su with the -K option, or uninstall
             Kerberos as described in the next question.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="uninstall-kerberos">
           <para>How do I uninstall Kerberos?</para>
         </question>
 
         <answer>
 
           <para>To remove Kerberos from the system, reinstall the bin
             distribution for the release you are running.  If you have
             the CDROM, you can mount the cd (we will assume on /cdrom)
             and run</para>
 
           <screen>&prompt.root; <userinput>cd /cdrom/bin</userinput>
 &prompt.root; <userinput>./install.sh</userinput></screen>
 
           <para>Alternately, you can remove all
             <makevar>MAKE_KERBEROS</makevar> options from
             <filename>/etc/make.conf</filename> and rebuild
             world.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
 	<question id="where-is-makedev">
 	  <para>What happened to
 	    <filename>/dev/MAKEDEV</filename>?</para>
 	</question>
 
 	<answer>
 	  <para>FreeBSD 5.X and beyond use the &man.devfs.8; device-on-demand
 	    system.  Device drivers automatically create new device
 	    nodes as they are needed, obsoleting
 	    <filename>/dev/MAKEDEV</filename>.</para>
 
 	  <para>If you are running FreeBSD 4.X or earlier and
 	    <filename>/dev/MAKEDEV</filename> is missing, then you
 	    really do have a problem.  Grab a copy from the system
 	    source code, probably in
 	    <filename>/usr/src/etc/MAKEDEV</filename>.</para>
 	</answer>
       </qandaentry>
 
       <qandaentry>
         <question id="add-pty">
           <para>How do I add pseudoterminals to the system?</para>
         </question>
 
         <answer>
 
           <para>If you have lots of telnet, ssh, X, or screen users,
             you will probably run out of pseudoterminals.  Here is how to
             add more:</para>
 
             <procedure>
               <step>
                 <para>Build and install a new kernel with the line</para>
 
                 <programlisting>pseudo-device pty 256</programlisting>
 
                 <para>in the configuration file.</para>
               </step>
 
               <step>
                 <para>Run the commands</para>
 
                 <screen>&prompt.root; <userinput>cd /dev</userinput>
 &prompt.root; <userinput>sh MAKEDEV pty{1,2,3,4,5,6,7}</userinput></screen>
 
                 <para>to make 256 device nodes for the new terminals.</para>
 
               </step>
 
               <step>
                 <para>Edit <filename>/etc/ttys</filename> and add lines
                 for each of the 256 terminals. They should match the form
                 of the existing entries, i.e. they look like</para>
 
                 <programlisting>ttyqc none network</programlisting>
 
                 <para>The order of the letter designations is
                   <literal>tty[pqrsPQRS][0-9a-v]</literal>, using a
                   regular expression.  </para>
               </step>
 
               <step>
                 <para>Reboot the system with the new kernel and you are
                   ready to go.</para>
               </step>
             </procedure>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="create-snd0">
           <para>Why can I not create the snd0 device?</para>
         </question>
 
         <answer>
           <para>There is no <devicename>snd</devicename> device.  The name
             is used as a shorthand for the various devices that make up the
             FreeBSD sound driver, such as <devicename>mixer</devicename>,
             <devicename>sequencer</devicename>, and
             <devicename>dsp</devicename>.</para>
 
           <para>To create these devices you should</para>
 
           <screen>&prompt.root; <userinput>cd /dev</userinput>
 &prompt.root; <userinput>sh MAKEDEV snd0</userinput></screen>
 
           <note>
 	    <para>You can omit this step if you are running FreeBSD
 	      5.0-RELEASE or newer with &man.devfs.5;
 	      enabled.</para>
 	  </note>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="reread-rc">
           <para>How do I re-read <filename>/etc/rc.conf</filename> and
             re-start <filename>/etc/rc</filename> without a
             reboot?</para>
         </question>
 
         <answer>
 
           <para>Go into single user mode and then back to multi user
             mode.</para>
 
           <para>On the console do:</para>
 
           <screen>&prompt.root; <userinput>shutdown now</userinput>
 (Note: without -r or -h)
 
 &prompt.root; <userinput>return</userinput>
 &prompt.root; <userinput>exit</userinput></screen>
         </answer>
       </qandaentry>
 
 
       <qandaentry>
         <question id="release-candidate">
           <para>I tried to update my system to the latest -STABLE, but
             got -BETAx, -RC or -PRERELEASE!  What is going on?</para>
         </question>
 
         <answer>
           <para>Short answer: it is just a name.  RC stands for
             <quote>Release Candidate</quote>.  It signifies that a
             release is imminent.  In FreeBSD, -PRERELEASE is typically
             synonymous with the code freeze before a release.  (For
             some releases, the -BETA label was used in the same way as
             -PRERELEASE.)</para>
 
           <para>Long answer: FreeBSD derives its releases from one of
             two places.  Major, dot-zero, releases, such as
             3.0-RELEASE and 4.0-RELEASE, are branched from the head of
             the development stream, commonly referred to as <link
             linkend="current">-CURRENT</link>.  Minor releases, such
             as 3.1-RELEASE or 4.2-RELEASE, have been snapshots of the active
             <link linkend="stable">-STABLE</link> branch.  Starting with
 	    4.3-RELEASE, each release also now has its own branch which can be
 	    tracked by people requiring an extremely conservative rate
 	    of development (typically only security advisories).</para>
 
           <para>When a release is about to be made, the branch from
             which it will be derived from has to undergo a certain
             process.  Part of this process is a code freeze.  When a
             code freeze is initiated, the name of the branch is
             changed to reflect that it is about to become a release.
             For example, if the branch used to be called 4.5-STABLE,
             its name will be changed to 4.6-PRERELEASE to signify the
             code freeze and signify that extra pre-release testing
             should be happening.  Bug fixes can still be committed to
             be part of the release.  When the source code is in shape
             for the release the name will be changed to 4.6-RC to
             signify that a release is about to be made from it.  Once
             in the RC stage, only the most critical bugs found can be
             fixed.  Once the release (4.6-RELEASE in this example) and
             release branch have been made, the branch will be renamed
             to 4.6-STABLE.</para>
 
           <para>For more information on version numbers and the
             various CVS branches, refer to the
             <ulink url="&url.articles.releng;/article.html">Release
             Engineering</ulink> article.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="kernel-chflag-failure">
           <para>I tried to install a new kernel, and the chflags
             failed.  How do I get around this?</para>
         </question>
 
         <answer>
           <para>Short answer: You are probably at security level
             greater than 0.  Reboot directly to single user mode to
             install the kernel.</para>
 
           <para>Long answer: FreeBSD disallows changing system flags
             at security levels greater than 0.  You can check your
             security level with the command:</para>
 
           <screen>&prompt.root; <userinput>sysctl kern.securelevel</userinput></screen>
 
            <para>You cannot lower the security level; you have to boot to
              single mode to install the kernel, or change the security
              level in <filename>/etc/rc.conf</filename> then reboot. See
              the &man.init.8; manual page for details on securelevel, and see
              <filename>/etc/defaults/rc.conf</filename> and the
              &man.rc.conf.5; manual page for more information on
              rc.conf.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="kernel-securelevel-time">
           <para>I cannot change the time on my system by more than one second!
                 How do I get around this?</para>
         </question>
 
         <answer>
           <para>Short answer: You are probably at security level
             greater than 1.  Reboot directly to single user mode to
             change the date.</para>
 
           <para>Long answer: FreeBSD disallows changing the time by
               more that one second at security levels greater than 1.  You
               can check your security level with the command:</para>
 
           <screen>&prompt.root; <userinput>sysctl kern.securelevel</userinput></screen>
 
            <para>You cannot lower the security level; you have to boot
              to single mode to change the date, or change the security
              level in <filename>/etc/rc.conf</filename> then
              reboot. See the &man.init.8; manual page for details on
              securelevel, and see
              <filename>/etc/defaults/rc.conf</filename> and the
              &man.rc.conf.5; manual page for more information on
              rc.conf.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="statd-mem-leak">
           <para>Why is <command>rpc.statd</command> using 256 megabytes of
             memory?</para>
         </question>
 
         <answer>
           <para>No, there is no memory leak, and it is not using 256 Mbytes
             of memory.  It simply likes to (i.e., always does) map an
             obscene amount of memory into its address space for convenience.
             There is nothing terribly wrong with this from a technical
             standpoint; it just throws off things like &man.top.1; and
             &man.ps.1;.</para>
 
           <para>&man.rpc.statd.8; maps its status file (resident on
             <filename>/var</filename>) into its address space; to save
             worrying about remapping it later when it needs to grow, it maps
             it with a generous size.  This is very evident from the source
             code, where one can see that the length argument to &man.mmap.2;
             is <literal>0x10000000</literal>, or one sixteenth of the
             address space on an IA32, or exactly 256MB.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="unsetting-schg">
           <para>Why can I not unset the <literal>schg</literal> file
             flag?</para>
         </question>
 
         <answer>
           <para>You are running at an elevated (i.e., greater than 0)
             securelevel.  Lower the securelevel and try again.  For more
             information, see <link linkend="securelevel">the FAQ entry on
             securelevel</link> and the &man.init.8; manual page.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="ssh-shosts">
 	  <para>Why does SSH authentication through
 	    <filename>.shosts</filename> not work by default in recent
 	    versions of FreeBSD?</para>
 	</question>
 
 	<answer>
 	  <para>The reason why <filename>.shosts</filename>
 	    authentication does not work by default in more recent
 	    versions of FreeBSD is because &man.ssh.1; 
 	    is not installed suid <username>root</username> by default.  To
 	    <quote>fix</quote> this, you can do one of the
 	    following:</para>
 
 	  <itemizedlist>
 	    <listitem>
 	      <para>As a permanent fix, set
 		<makevar>ENABLE_SUID_SSH</makevar> to <literal>true</literal>
 		in <filename>/etc/make.conf</filename> and rebuild ssh
 		(or run <command>make world</command>).</para>
 	    </listitem>
 
 	    <listitem>
 	      <para>As a temporary fix, change the mode on
 		<filename>/usr/bin/ssh</filename> to <literal>4555</literal>
 		by running <command>chmod 4555 /usr/bin/ssh</command> as
 		<username>root</username>.  Then add
 		<makevar>ENABLE_SUID_SSH= true</makevar> to
 		<filename>/etc/make.conf</filename> so the change takes
 		effect the next time <command>make world</command> is
 		run.</para>
 	    </listitem>
 	  </itemizedlist>
 	</answer>
       </qandaentry>
 
       <qandaentry>
         <question id="vnlru">
           <para>What is <literal>vnlru</literal>?</para>
         </question>
 
         <answer>
           <para><literal>vnlru</literal> flushes and frees vnodes when
             the system hits the <varname>kern.maxvnodes</varname>
             limit.  This kernel thread sits mostly idle, and only
             activates if you have a huge amount of RAM and are
             accessing tens of thousands of tiny files.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="top-memory-states">
 	  <para>What do the various memory states displayed by
 	    <command>top</command> mean?</para>
         </question>
 <!-- Provided by John Dyson via Usenet -->
         <answer>
           <itemizedlist>
             <listitem><para><literal>Active</literal>: pages recently
               statistically used.</para></listitem>
 
             <listitem><para><literal>Inactive</literal>: pages
               recently statistically unused.</para></listitem>
 
             <listitem><para><literal>Cache</literal>: (most often)
               pages that have percolated from inactive to a status
               where they maintain their data, but can often be
               immediately reused (either with their old association,
               or reused with a new association.)  There can be certain
               immediate transitions from <literal>active</literal> to <literal>cache</literal> state if the
               page is known to be clean (unmodified), but that
               transition is a matter of policy, depending upon the
               algorithm choice of the VM system
               maintainer.</para></listitem>
 
             <listitem><para><literal>Free</literal>: pages without
               data content, and can be immediately used in certain
               circumstances where cache pages might be ineligible.
               Free pages can be reused at interrupt or process
               state.</para></listitem>
 
             <listitem><para><literal>Wired</literal>: pages that are
               fixed into memory, usually for kernel purposes, but also
               sometimes for special use in
               processes.</para></listitem>
           </itemizedlist>
 
           <para>Pages are most often written to disk (sort of a VM
             sync) when they are in the inactive state, but active
             pages can also be synced (but requires the
             availability of certain CPU features.) This depends upon
             the CPU tracking of the modified bit being available,
             and in certain situations there can be an advantage for a
             block of VM pages to be synced, whether they are active or
             inactive.  In most common cases, it is best to think of
             the inactive queue to be a queue of relatively unused
             pages that might or might not be in the process of being
             written to disk.  Cached pages are already synced, not
             mapped, but available for immediate process use with their
             old association or with a new association.  Free pages are
             available at interrupt level, but cached or free pages can
             be used at process state for reuse.  Cache pages are not
             adequately locked to be available at interrupt
             level.</para>
 
           <para>There are some other flags (e.g., busy flag or busy
             count) that might modify some of the rules that I
             described.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="free-memory-amount">
 	  <para>How much free memory is available?</para>
         </question>
 <!-- Provided by John Dyson via Usenet -->
         <answer>
           <para>There are a couple of kinds of <quote>free
             memory</quote>.  One kind is the amount of memory
             immediately available without paging anything else out.
             That is approximately the size of cache queue + size of
             free queue (with a derating factor, depending upon system
             tuning.)  Another kind of <quote>free memory</quote> is
             the total amount of <acronym>VM</acronym> space.  That can
             be complex, but is dependent upon the amount of swap space
             and memory.  Other kinds of <quote>free memory</quote>
             descriptions are also possible, but it is relatively
             useless to define these, but rather it is important to
             make sure that the paging rate is kept low, and to avoid
             running out of swap space.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
 	<question id="var-empty">
 	  <para>What is <filename>/var/empty</filename>?  I can not
 	    delete it!</para>
 	</question>
 
 	<answer>
 	  <para><filename>/var/empty</filename> is a directory that the
 	    &man.sshd.8; program uses when performing privilege separation.
 	    The <filename>/var/empty</filename> directory is empty, owned by
 	    <username>root</username> and has the <literal>schg</literal>
 	    flag set.</para>
 
 	  <para>Although it is not recommended to delete this directory, to
 	    do so you will need to unset the <literal>schg</literal> flag
 	    first.  See the &man.chflags.1; manual page for more information
 	    (and bear in mind the answer to <link linkend="unsetting-schg">
 	    the question on unsetting the schg flag</link>).
 	  </para>
 	</answer>
       </qandaentry>
     </qandaset>
   </chapter>
 
   <chapter id="x">
     <title>The X Window System and Virtual Consoles</title>
 
     <qandaset>
       <qandaentry>
         <question id="whatis-X">
           <para>What is the X Window System?</para>
         </question>
 
         <answer>
 
           <para>The X Window System is the most widely available windowing system
 	    capable of running on &unix; or &unix; like systems, including
 	    &os;.  <ulink url= "http://www.x.org">The X.Org
 	    Foundation</ulink> administers the <ulink
             url="http://www.x.org/X11_protocol.html">X protocol
 	    standards</ulink>.  The current release of the specification
 	    is 11.6, so you will often see references shortened to
 	    <literal>X11R6</literal> or even just <literal>X11</literal>.
 	  </para>
 
 	  <para>Many implementations are available for different
 	    architectures and operating systems.  For instance, an
 	    implementation of the server-side code is properly known
 	    as an <literal>X server</literal>.</para>
 
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="which-X">
           <para>Which X implementations are available for &os;?</para>
         </question>
 
         <answer>
 
 	  <para>Historically, the default implementation of X on
 	    &os; has been
 	    &xfree86; which is maintained by
 	    <ulink url="http://www.xfree86.org">The XFree86 Project,
 	    Inc.</ulink>  This software was installed by default on
 	    &os; versions up until 4.10 and 5.2.  Although &xorg;
 	    itself maintained an implementation during that time
 	    period, it was basically only provided as a reference
 	    platform, as it had suffered greatly from bitrot over
 	    the years.</para>
 	    
 	  <para>However, early in 2004, some XFree86 developers left
 	    that project
 	    over issues including the pace of code changes, future
 	    directions, and interpersonal conflicts, and are now contributing
 	    code directly to &xorg; instead.  At that time, &xorg; updated its
 	    source tree to the last &xfree86; release before its subsequent
 	    licensing change (<application>XFree86 version 4.3.99.903</application>), incorporated
 	    many changes that had previously been maintained separately,
 	    and has released that software as <application>X11R6.7.0</application>.  A separate but
 	    related project, <ulink url="http://www.freedesktop.org">
 	    freedesktop.org</ulink> (or <literal>fd.o</literal> for short),
 	    is working on rearchitecting the original &xfree86; code to
 	    offload more work onto the graphics cards (with the goal of
 	    increased performance) and make it more modular
 	    (with the goal of increased maintainability, and thus faster
 	    releases as well as easier configuration).  &xorg; intends to
 	    incorporate the freedesktop.org changes in its future releases.</para>
 
 	  <para>As of July 2004, in &os.current;,
 	    &xfree86; has been replaced with &xorg; as the default
 	    implementation.  The &xfree86; ports
 	    (<filename role="package">x11/XFree86-4</filename> and
 	    subports) remain in the ports collection and are still
 	    the default for &os.stable;.</para>
 
 	  <note>
 	    <para>The above describes the default X implementation installed.
 	      It is still possible to install either implementation by
 	      following the instructions in the entry for 20040723 in
 	      <filename>/usr/ports/UPDATING</filename>.</para>
 	  </note>
 
 	  <warning>
 	    <para>It is not currently
 	    possible to mix-and-match pieces of each implementation;
 	      one must choose one or the other.</para>
 	  </warning>
 
 	  <note>
 	    <para>The following paragraphs refer to the
 	      &xfree86; implementation, but most should also be applicable
 	      to the &xorg; implementation as well.  While the default
 	      configuration filename for the &xorg; implementation is
 	      <filename>xorg.conf</filename>, it will search for
 	      <filename>XF86Config</filename> if it cannot find it.</para>
 	  </note>
 	</answer>
       </qandaentry>
 
       <qandaentry>
         <question id="xorg-compatibility">
           <para>Will my existing applications run with the &xorg; suite?</para>
         </question>
 
         <answer>
 	  <para>The &xorg; software is written to the same X11R6 specification
 	    that &xfree86; is, so basic applications should work
 	    unchanged.  A few lesser-used protocols have been deprecated
 	    (<literal>XIE</literal>, <literal>PEX</literal>, and
 	    <literal>lbxproxy</literal>), but in the first two cases, the
 	    &os; port of &xfree86; did not support them either.</para>
 	</answer>
       </qandaentry>
 
       <qandaentry>
         <question id="xfree86-split">
           <para>Why did the X projects split, anyway?</para>
         </question>
 
         <answer>
 	  <para>The answer to this question is outside the scope of
 	  this FAQ.  Note that there are voluminous postings in various
 	  mailing list archives on the Internet; please use your favorite
 	  search engine to investigate the history instead of asking this
 	  question on the &os; mailing lists.  It may even be the case
 	  that only the participants will ever know for certain.</para>
 	</answer>
       </qandaentry>
 
       <qandaentry>
         <question id="why-choose-xorg">
           <para>Why did &os; choose to go with the &xorg; ports by default?</para>
         </question>
 
         <answer>
 	  <para>The &xorg; developers claim that their goal is to release
 	  more often and incorporate new features more quickly.  If they
 	  are able to do so, this will be very attractive.  Also, their
 	  software still uses the traditional X license, while &xfree86;
 	  is now using their modified one.</para>
 
 	  <note>
 	    <para>This decision is still controversial.  Only time will
 	      tell which implementation proves technically superior.  Each
 	      &os; user should decide which they prefer.</para>
 	  </note>
 	</answer>
       </qandaentry>
 
       <qandaentry>
         <question id="running-X">
           <para>I want to run X, how do I go about it?</para>
         </question>
 
         <answer>
 
           <para>The easiest way is to simply specify that you want to
             run X during the installation process.</para>
 
           <para>Then read and follow the documentation on the
             <command>xf86config</command> tool, which assists you in
             configuring &xfree86; for your particular graphics
             card/mouse/etc.</para>
 
           <para>You may also wish to investigate the Xaccel server.
             See the section on <link linkend="xig">Xi Graphics</link> or
             <link linkend="metrox">Metro Link</link> for more details.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="running-X-securelevels">
           <para>I <emphasis>tried</emphasis> to run X, but I get an
             <errorname>KDENABIO failed (Operation not permitted)</errorname>
             error when I type <command>startx</command>. What do I do
             now?</para>
         </question>
 
         <answer>
           <para>Your system is probably running at a raised securelevel.
             It is not possible to start X at a raised
             securelevel.  To see why, look at the &man.init.8; manual
             page.</para>
 
           <para>So the question is what else you should do instead,
             and you basically have two choices: set your securelevel
             back down to zero (usually from <filename>/etc/rc.conf</filename>),
             or run &man.xdm.1; at boot time (before the securelevel is
             raised).</para>
 
           <para>See <xref linkend="xdm-boot"> for more information about
             running &man.xdm.1; at boot time.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="x-and-moused">
           <para>Why does my mouse not work with X?</para>
         </question>
 
         <answer>
           <para>If you are using syscons (the default console driver),
             you can configure FreeBSD to support a mouse pointer on each
             virtual screen. In order to avoid conflicting with X, syscons
             supports a virtual device called
             <devicename>/dev/sysmouse</devicename>. All mouse events received
             from the real mouse device are written to the sysmouse device
             via moused. If you wish to use your mouse on one or more
             virtual consoles, <emphasis>and</emphasis> use X, see
             <xref linkend="moused" remap="another section"> and set up
             moused.</para>
 
           <para>Then edit <filename>/etc/XF86Config</filename> and make
             sure you have the following lines.</para>
 
           <programlisting>Section         Pointer
 Protocol        "SysMouse"
 Device          "/dev/sysmouse"
 .....</programlisting>
 
           <para>The above example is for &xfree86; 3.3.2 or later.  For
             earlier versions, the <emphasis>Protocol</emphasis> should be
             <emphasis>MouseSystems</emphasis>.</para>
 
           <para>Some people prefer to use
             <devicename>/dev/mouse</devicename> under X.  To make this
             work, <devicename>/dev/mouse</devicename> should be linked
             to <devicename>/dev/sysmouse</devicename> (see
             &man.sysmouse.4;):</para>
 
           <screen>&prompt.root; <userinput>cd /dev</userinput>
 &prompt.root; <userinput>rm -f mouse</userinput>
 &prompt.root; <userinput>ln -s sysmouse mouse</userinput></screen>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="x-and-wheel">
           <para>My mouse has a fancy wheel.  Can I use it in X?</para>
         </question>
 
         <answer>
           <para>Yes.  But you need to customize X client programs. See <ulink
             url="http://www.inria.fr/koala/colas/mouse-wheel-scroll/">
             Colas Nahaboo's web page
             (http://www.inria.fr/koala/colas/mouse-wheel-scroll/)
             </ulink>.</para>
 
           <para>If you want to use the <application>imwheel</application>
             program, just follow these simple steps.</para>
 
           <orderedlist>
             <listitem>
               <para>Translate the Wheel Events</para>
 
               <para>The <application>imwheel</application> program
                 works by translating mouse button 4 and mouse button 5
                 events into key events.  Thus, you have to get the
                 mouse driver to translate mouse wheel events to button
                 4 and 5 events.  There are two ways of doing this, the
                 first way is to have &man.moused.8; do the
                 translation.  The second way is for the X server
                 itself to do the event translation.</para>
 
               <orderedlist>
                 <listitem>
                   <para>Using &man.moused.8; to Translate Wheel
                     Events</para>
 
                   <para>To have &man.moused.8; perform the event
                     translations, simply add <option>-z 4</option> to
                     the command line used to start &man.moused.8;.
                     For example, if you normally start &man.moused.8;
                     via <command>moused -p /dev/psm0</command> you
                     would start it by entering <command>moused -p
                     /dev/psm0 -z 4</command> instead.  If you start
                     &man.moused.8; automatically during bootup via
                     <filename>/etc/rc.conf</filename>, you can simply
                     add <option>-z 4</option> to the
                     <varname>moused_flags</varname> variable in
                     <filename>/etc/rc.conf</filename>.</para>
 
                   <para>You now need to tell X that you have a 5
                     button mouse.  To do this, simply add the line
                     <literal>Buttons 5</literal> to the
                     <quote>Pointer</quote> section of
                     <filename>/etc/XF86Config</filename>.  For
                     example, you might have the following
                     <quote>Pointer</quote> section in
                     <filename>/etc/XF86Config</filename>.</para>
 
                   <example>
                     <title><quote>Pointer</quote> Section for Wheeled
                       Mouse in &xfree86; 3.3.x series XF86Config with moused
                       Translation</title>
 
                     <programlisting>Section "Pointer"
    Protocol        "SysMouse"
    Device          "/dev/sysmouse"
    Buttons         5
 EndSection</programlisting>
                   </example>
 
                   <example>
                     <title><quote>InputDevice</quote> Section for Wheeled
                       Mouse in &xfree86; 4.x series XF86Config with X Server
                       Translation</title>
 
                     <programlisting>Section "InputDevice"
    Identifier      "Mouse1"
    Driver          "mouse"
    Option          "Protocol" "auto"
    Option          "Device" "/dev/sysmouse"
    Option          "Buttons" "5"
 EndSection</programlisting>
                   </example>
 
                   <example>
                     <title><quote>.emacs</quote> example for naive
                       page scrolling with Wheeled Mouse</title>
                     <programlisting>;; wheel mouse
 (global-set-key [mouse-4] 'scroll-down)
 (global-set-key [mouse-5] 'scroll-up)</programlisting>
                   </example>
 
                 </listitem>
 
                 <listitem>
                   <para>Using Your X Server to Translate the Wheel
                     Events</para>
 
                   <para>If you are not running &man.moused.8;, or if
                     you do not want &man.moused.8; to translate your
                     wheel events, you can have the X server do the
                     event translation instead.  This requires a couple
                     of modifications to your
                     <filename>/etc/XF86Config</filename> file.  First,
                     you need to choose the proper protocol for your
                     mouse.  Most wheeled mice use the
                     <quote>&intellimouse;</quote> protocol.  However,
                     &xfree86; does support other protocols, such as
                     <quote>MouseManPlusPS/2</quote> for the Logitech
                     MouseMan+ mice.  Once you have chosen the protocol
                     you will use, you need to add a
                     <varname>Protocol</varname> line to the
                     <quote>Pointer</quote> section.</para>
 
                   <para>Secondly, you need to tell the X server to
                     remap wheel scroll events to mouse buttons 4 and
                     5.  This is done with the
                     <varname>ZAxisMapping</varname> option.</para>
 
                   <para>For example, if you are not using
                       &man.moused.8;, and you have an &intellimouse;
                       attached to the PS/2 mouse port you would use
                       the following in
                       <filename>/etc/XF86Config</filename>.</para>
 
                   <example>
                     <title><quote>Pointer</quote> Section for Wheeled
                       Mouse in <filename>XF86Config</filename> with X
                       Server Translation</title>
 
                     <programlisting>Section "Pointer"
    Protocol        "IntelliMouse"
    Device          "/dev/psm0"
    ZAxisMapping    4 5
 EndSection</programlisting>
                   </example>
 
                   <example>
                     <title><quote>InputDevice</quote> Section for Wheeled
                       Mouse in &xfree86; 4.x series XF86Config with X Server
                       Translation</title>
 
                     <programlisting>Section "InputDevice"
    Identifier      "Mouse1"
    Driver          "mouse"
    Option          "Protocol" "auto"
    Option          "Device" "/dev/psm0"
    Option          "ZAxisMapping" "4 5"
 EndSection</programlisting>
                   </example>
 
                   <example>
                     <title><quote>.emacs</quote> example for naive
                       page scrolling with Wheeled Mouse</title>
                     <programlisting>;; wheel mouse
 (global-set-key [mouse-4] 'scroll-down)
 (global-set-key [mouse-5] 'scroll-up)</programlisting>
                   </example>
 
                 </listitem>
               </orderedlist>
             </listitem>
 
             <listitem>
               <para>Install <application>imwheel</application></para>
 
               <para>Next, install <application>imwheel</application>
                 from the Ports collection.  It can be found in the
                 <filename>x11</filename> category.  This program will
                 map the wheel events from your mouse into keyboard
                 events.  For example, it might send <keycap>Page
                 Up</keycap> to a program when you scroll the wheel
                 forwards.  <application>Imwheel</application> uses a
                 configuration file to map the wheel events to
                 key presses so that it can send different keys to
                 different applications.  The default
                 <application>imwheel</application> configuration file
                 is installed in
                 <filename>/usr/X11R6/etc/imwheelrc</filename>.  You
                 can copy it to <filename>~/.imwheelrc</filename> and
                 then edit it if you wish to customize
                 <application>imwheel</application>'s configuration.
                 The format of the configuration file is documented in
                 &man.imwheel.1;.</para>
             </listitem>
 
             <listitem>
               <para>Configure <application>Emacs</application> to Work
                 with <application>Imwheel</application>
                 (<emphasis>optional</emphasis>)</para>
 
               <para>If you use <application>emacs</application> or
                 <application>XEmacs</application>, then you need to
                 add a small section to your
                 <filename>~/.emacs</filename> file.  For
                 <application>emacs</application>, add the
                 following:</para>
 
               <example>
                 <title><application>Emacs</application> Configuration
                   for <application>Imwheel</application></title>
 
                 <programlisting>;;; For imwheel
 (setq imwheel-scroll-interval 3)
 (defun imwheel-scroll-down-some-lines ()
   (interactive)
   (scroll-down imwheel-scroll-interval))
 (defun imwheel-scroll-up-some-lines ()
   (interactive)
   (scroll-up imwheel-scroll-interval))
 (global-set-key [?\M-\C-\)] 'imwheel-scroll-up-some-lines)
 (global-set-key [?\M-\C-\(] 'imwheel-scroll-down-some-lines)
 ;;; end imwheel section</programlisting>
               </example>
 
               <para>For <application>XEmacs</application>, add the
                 following to your <filename>~/.emacs</filename> file
                 instead:</para>
 
               <example>
                 <title><application>XEmacs</application> Configuration
                   for <application>Imwheel</application></title>
 
                 <programlisting>;;; For imwheel
 (mwheel-install)
 (setq mwheel-follow-mouse t)
 ;;; end imwheel section</programlisting>
               </example>
             </listitem>
 
             <listitem>
               <para>Run <application>Imwheel</application></para>
 
               <para>You can just type <command>imwheel</command>
                 in an xterm to start it up once it is installed.  It
                 will background itself and take effect immediately.
                 If you want to always use
                 <application>imwheel</application>, simply add it to
                 your <filename>.xinitrc</filename> or
                 <filename>.xsession</filename> file.  You can safely
                 ignore any warnings <application>imwheel</application>
                 displays about PID files.  Those warnings only apply
                 to the &linux; version of
                 <application>imwheel</application>.</para>
             </listitem>
           </orderedlist>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="no-remote-x11">
           <para>How do I use remote X displays?</para>
         </question>
 
         <answer>
           <para>For security reasons, the default setting is to not allow a
             machine to remotely open a window.</para>
 
           <para>To enable this feature, simply start
             <application>X</application> with the optional
             <option>-listen_tcp</option> argument:</para>
             <screen>&prompt.user; <userinput>startx
             -listen_tcp</userinput></screen>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="window-menu-weird">
           <para>Why do X Window menus and dialog boxes not work
             right?</para>
         </question>
 
         <answer>
           <para>Try turning off the <keycap>Num Lock</keycap> key.</para>
 
           <para>If your <keycap>Num Lock</keycap> key is on by default
             at boot-time, you may add the following line in the
             <literal>Keyboard</literal> section of the
             <filename>XF86Config</filename> file.</para>
 
           <programlisting># Let the server do the NumLock processing.  This should only be
 # required when using pre-R6 clients
     ServerNumLock</programlisting>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="virtual-console">
           <para>What is a virtual console and how do I make more?</para>
         </question>
 
         <answer>
           <para>Virtual consoles, put simply, enable you to have several
             simultaneous sessions on the same machine without doing anything
             complicated like setting up a network or running X.</para>
 
           <para>When the system starts, it will display a login prompt on
             the monitor after displaying all the boot messages. You can
             then type in your login name and password and start working (or
             playing!) on the first virtual console.</para>
 
           <para>At some point, you will probably wish to start another
             session, perhaps to look at documentation for a program
             you are running or to read your mail while waiting for an
             FTP transfer to finish. Just do <keycombo
             action="simul"><keycap>Alt</keycap><keycap>F2</keycap></keycombo>
             (hold down the <keycap>Alt</keycap> key and press the
             <keycap>F2</keycap> key), and you will find a login prompt
             waiting for you on the second <quote>virtual
             console</quote>!  When you want to go back to the original
             session, do <keycombo
             action="simul"><keycap>Alt</keycap><keycap>F1</keycap></keycombo>.</para>
 
           <para>The default FreeBSD installation has three virtual
             consoles enabled (8 starting with 3.3-RELEASE), and
             <keycombo
             action="simul"><keycap>Alt</keycap><keycap>F1</keycap></keycombo>,
             <keycombo
             action="simul"><keycap>Alt</keycap><keycap>F2</keycap></keycombo>,
             and <keycombo
             action="simul"><keycap>Alt</keycap><keycap>F3</keycap></keycombo>
             will switch between these virtual consoles.</para>
 
           <para>To enable more of them, edit
             <filename>/etc/ttys</filename> (see &man.ttys.5;)
             and add entries for <devicename>ttyv4</devicename>
             to <devicename>ttyvc</devicename> after the comment on
             <quote>Virtual terminals</quote>:</para>
 
           <programlisting># Edit the existing entry for ttyv3 in /etc/ttys and change
 # "off" to "on".
 ttyv3   "/usr/libexec/getty Pc"         cons25  on secure
 ttyv4   "/usr/libexec/getty Pc"         cons25  on secure
 ttyv5   "/usr/libexec/getty Pc"         cons25  on secure
 ttyv6   "/usr/libexec/getty Pc"         cons25  on secure
 ttyv7   "/usr/libexec/getty Pc"         cons25  on secure
 ttyv8   "/usr/libexec/getty Pc"         cons25  on secure
 ttyv9   "/usr/libexec/getty Pc"         cons25  on secure
 ttyva   "/usr/libexec/getty Pc"         cons25  on secure
 ttyvb   "/usr/libexec/getty Pc"         cons25  on secure</programlisting>
 
           <para>Use as many or as few as you want.  The more virtual
             terminals you have, the more resources that are used; this
             can be important if you have 8MB RAM or less.  You may also
             want to change the <literal>secure</literal>
             to <literal>insecure</literal>.</para>
 
             <important>
               <para>If you want to run an X server you
                 <emphasis>must</emphasis> leave at least one virtual
                 terminal unused (or turned off) for it to use. That is to
                 say that if you want to have a login prompt pop up for all
                 twelve of your Alt-function keys, you are out of luck - you
                 can only do this for eleven of them if you also want to run
                 an X server on the same machine.</para>
             </important>
 
           <para>The easiest way to disable a console is by turning it off.
             For example, if you had the full 12 terminal allocation
             mentioned above and you wanted to run X, you would change
             settings for virtual terminal 12 from:</para>
 
           <programlisting>ttyvb   "/usr/libexec/getty Pc"         cons25  on  secure</programlisting>
 
           <para>to:</para>
 
           <programlisting>ttyvb   "/usr/libexec/getty Pc"         cons25  off secure</programlisting>
 
           <para>If your keyboard has only ten function keys, you would
             end up with:</para>
 
 <programlisting>ttyv9   "/usr/libexec/getty Pc"         cons25  off secure
 ttyva   "/usr/libexec/getty Pc"         cons25  off secure
 ttyvb   "/usr/libexec/getty Pc"         cons25  off secure</programlisting>
 
           <para>(You could also just delete these lines.)</para>
 
           <para>Once you have edited <filename>/etc/ttys</filename>,
             the next step is to make sure that you have enough virtual
             terminal devices.  The easiest way to do this is:</para>
 
           <screen>&prompt.root; <userinput>cd /dev</userinput>
 &prompt.root; <userinput>sh MAKEDEV vty12</userinput></screen>
 
 	  <note>
 	    <para>On FreeBSD 5.X and beyond you do not have to create devices
 	      manually if you are using <literal>DEVFS</literal>,
 	      since the proper device nodes will be automatically
 	      created under <filename
 	      class="directory">/dev</filename>.</para>
 	  </note>
 
           <para>Next, the easiest (and cleanest) way to activate the
             virtual consoles is to reboot.  However, if you really do not
             want to reboot, you can just shut down the X Window system
             and execute (as <username>root</username>):</para>
 
           <screen>&prompt.root; <userinput>kill -HUP 1</userinput></screen>
 
           <para>It is imperative that you completely shut down X Window if
             it is running, before running this command.  If you do not,
             your system will probably appear to hang/lock up after
             executing the kill command.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="vty-from-x">
           <para>How do I access the virtual consoles from X?</para>
         </question>
 
         <answer>
           <para>Use <keycombo action="simul">
               <keycap>Ctrl</keycap>
               <keycap>Alt</keycap>
               <keycap>F<replaceable>n</replaceable></keycap>
             </keycombo> to switch back to a virtual console.
             <keycombo action="simul">
               <keycap>Ctrl</keycap>
               <keycap>Alt</keycap>
               <keycap>F1</keycap>
             </keycombo> would return you to the first virtual console.</para>
 
           <para>Once you are back to a text console, you can then use
             <keycombo action="simul">
               <keycap>Alt</keycap>
               <keycap>F<replaceable>n</replaceable></keycap>
             </keycombo> as normal to move between them.</para>
 
           <para>To return to the X session, you must switch to the
             virtual console running X.  If you invoked X from the
             command line, (e.g., using <command>startx</command>) then
             the X session will attach to the next unused virtual
             console, not the text console from which it was invoked.
             If you have eight active virtual terminals then X will be
             running on the ninth, and you would use
             <keycombo action="simul">
               <keycap>Alt</keycap>
               <keycap>F9</keycap>
             </keycombo> to return.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="xdm-boot">
           <para>How do I start XDM on boot?</para>
         </question><answer>
 
           <para>There are two schools of thought on how to start
             &man.xdm.1;. One school starts xdm from
             <filename>/etc/ttys</filename> (see &man.ttys.5;) using
             the supplied example, while the other simply runs xdm from
             <filename>rc.local</filename> (see &man.rc.8;) or from a
             <filename>X.sh</filename> script in
             <filename>/usr/local/etc/rc.d</filename>. Both are equally
             valid, and one may work in situations where the other does
             not.  In both cases the result is the same: X will pop up
             a graphical login: prompt.</para>
 
           <para>The ttys method has the advantage of documenting which
             vty X will start on and passing the responsibility of
             restarting the X server on logout to init.  The rc.local
             method makes it easy to kill xdm if there is a problem
             starting the X server.</para>
 
           <para>If loaded from rc.local, <command>xdm</command> should
             be started without any arguments (i.e., as a daemon). xdm must
             start AFTER getty runs, or else getty and xdm will conflict,
             locking out the console. The best way around this is to have
             the script sleep 10 seconds or so then launch xdm.</para>
 
           <para>If you are to start <command>xdm</command> from
             <filename>/etc/ttys</filename>, there still is a chance of
             conflict between <command>xdm</command> and
             &man.getty.8;. One way to avoid this is to add the
             <literal>vt</literal> number in the
             <filename>/usr/X11R6/lib/X11/xdm/Xservers</filename>
             file.</para>
 
           <programlisting>:0 local /usr/X11R6/bin/X vt4</programlisting>
 
           <para>The above example will direct the X server to run in
             <devicename>/dev/ttyv3</devicename>. Note the number is offset by
             one. The X server counts the vty from one, whereas the FreeBSD
             kernel numbers the vty from zero.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="xconsole-failure">
           <para>Why do I get <errorname>Couldn't open console</errorname>
             when I run xconsole?</para>
         </question>
 
         <answer>
           <para>If you start <application>X</application>
             with
             <command>startx</command>, the permissions on
             <devicename>/dev/console</devicename> will
             <emphasis>not</emphasis> get changed, resulting in
             things like
             <command>xterm -C</command> and
             <command>xconsole</command> not working.</para>
 
           <para>This is because of the way console permissions are set
             by default. On a multi-user system, one does not necessarily
             want just any user to be able to write on the system console.
             For users who are logging directly onto a machine with a VTY,
             the &man.fbtab.5;
             file exists to solve such problems.</para>
 
           <para>In a nutshell, make sure an uncommented line of the
             form</para>
 
           <programlisting>/dev/ttyv0 0600 /dev/console</programlisting>
 
           <para>is in <filename>/etc/fbtab</filename> (see
             &man.fbtab.5;) and it will ensure that whomever logs in on
             <devicename>/dev/ttyv0</devicename> will own the
             console.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="xfree86-root">
           <para>Before, I was able to run &xfree86; as a regular user.  Why does
             it now say that I must be <username>root</username>?</para>
         </question>
 
         <answer>
           <para>All X servers need to be run as
             <username>root</username> in order to get direct access to
             your video hardware.  Older versions of &xfree86; (&lt;=
             3.3.6) installed all bundled servers to be automatically
             run as <username>root</username> (setuid to
             <username>root</username>).  This is obviously a security
             hazard because X servers are large, complicated programs.
             Newer versions of &xfree86; do not install the servers
             setuid to <username>root</username> for just this
             reason.</para>
 
           <para>Obviously, running an X server as the
             <username>root</username> user is not acceptable, nor a
             good idea security-wise.  There are two ways to be able to
             use X as a regular user.  The first is to use
             <command>xdm</command> or another display manager (e.g.,
             <command>kdm</command>); the second is to use the
             <command>Xwrapper</command>.</para>
 
           <para><command>xdm</command> is a daemon that handles graphical
             logins.  It is usually started at boot time, and is responsible
             for authenticating users and starting their sessions; it is
             essentially the graphical counterpart of
             &man.getty.8; and &man.login.1;.  For
             more information on <command>xdm</command> see
             <ulink url="http://www.xfree86.org/support.html">the &xfree86;
             documentation</ulink>, and the <link linkend="xdm-boot">the FAQ
             entry</link> on it.</para>
 
           <para><command>Xwrapper</command> is the X server wrapper; it is
             a small utility to enable one to manually run an X server while
             maintaining reasonable safety.  It performs some sanity checks
             on the command line arguments given, and if they pass, runs the
             appropriate X server.  If you do not want to run a display
             manger for whatever reason, this is for you.  If you have
             installed the complete ports collection, you can find the port in
             <filename>/usr/ports/x11/wrapper</filename>.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="ps2-x">
           <para>Why does my PS/2 mouse misbehave under X?</para>
         </question>
 
         <answer>
           <para>Your mouse and the mouse driver may have somewhat become
             out of synchronization.</para>
 
           <para>
             In rare cases the driver may erroneously report
             synchronization problem and you may see the kernel
             message:</para>
 
           <programlisting>psmintr: out of sync (xxxx != yyyy)</programlisting>
 
           <para>and notice that your mouse does not work properly.</para>
 
           <para>If this happens, disable the synchronization check code
             by setting the driver flags for the PS/2 mouse driver to 0x100.
             Enter <emphasis>UserConfig</emphasis> by giving the
             <option>-c</option> option at the boot prompt:</para>
 
           <screen>boot: <userinput>-c</userinput></screen>
 
           <para>Then, in the <emphasis>UserConfig</emphasis> command
             line, type:</para>
 
           <screen>UserConfig&gt; <userinput>flags psm0 0x100</userinput>
 UserConfig&gt; <userinput>quit</userinput></screen>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="ps2-mousesystems">
           <para>Why does my PS/2 mouse from MouseSystems not
             work?</para>
         </question>
 
         <answer>
           <para>There have been some reports that certain model of PS/2
             mouse from MouseSystems works only if it is put into the
             <quote>high resolution</quote> mode.  Otherwise, the mouse
             cursor may jump to the upper-left corner of the screen every
             so often.</para>
 
           <para>Specify the flags 0x04 to the PS/2 mouse driver to put
             the mouse into the high resolution mode.  Enter
             <emphasis>UserConfig</emphasis> by giving the
             <option>-c</option> option at the boot prompt:</para>
 
           <screen>boot: <userinput>-c</userinput></screen>
 
           <para>Then, in the <emphasis>UserConfig</emphasis> command line,
             type:</para>
 
           <screen>UserConfig&gt; <userinput>flags psm0 0x04</userinput>
 UserConfig&gt; <userinput>quit</userinput></screen>
 
           <para>See the previous section for another possible cause of mouse
             problems.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="imake-tmpl">
           <para>When building an X app, <command>imake</command> cannot
             find <filename>Imake.tmpl</filename>.  Where is it?</para>
         </question>
 
         <answer>
 
           <para><filename>Imake.tmpl</filename> is part of the Imake
             package, a standard X application building tool.
             <filename>Imake.tmpl</filename>, as well as several header
             files that are required to build X apps, is contained in
             the X prog distribution. You can install this from
             sysinstall or manually from the X distribution
             files.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="xfree86-version">
           <para>An X app I am building depends on &xfree86; 3.3.X, but I
           have &xfree86; 4.X installed. What should I do?</para>
         </question>
 
         <answer>
           <para>To tell the port build to link to the &xfree86; 4.X libraries,
 	  add the following to <filename>/etc/make.conf</filename>, (if you 
           do not have this file, create it):</para>
 
 	  <programlisting>XFREE86_VERSION=        4</programlisting>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="mouse-button-reverse">
           <para>How do I reverse the mouse buttons?</para>
         </question>
 
         <answer>
           <para>Run the command
             <command>xmodmap -e "pointer = 3 2 1"</command> from your
             <filename>.xinitrc</filename> or <filename>.xsession</filename>.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="install-splash">
           <para>How do I install a splash screen and where do I find
             them?</para>
         </question>
 
         <answer>
 
           <para>Just prior to the release of FreeBSD 3.1, a new
             feature was added to allow the display of
             <quote>splash</quote> screens during the boot
             messages. The splash screens currently must be a 256 color
             bitmap (<filename>*.BMP</filename>) or ZSoft PCX
             (<filename>*.PCX</filename>) file. In addition, they must
             have a resolution of 320x200 or less to work on standard
             VGA adapters. If you compile VESA support into your
             kernel, then you can use larger bitmaps up to 1024x768.
             The actual VESA support can either be compiled directly
             into the kernel with the <literal>VESA</literal> kernel
             config option or by loading the VESA kld module during
             bootup.</para>
 
           <para>To use a splash screen, you need to modify the startup
             files that control the boot process for FreeBSD. The files for
             this changed prior to the release of FreeBSD 3.2, so there are
             now two ways of loading a splash screen:</para>
 
             <itemizedlist>
               <listitem>
                 <para>FreeBSD 3.1</para>
 
                 <para>The first step is to find a bitmap version of your
                   splash screen. Release 3.1 only supports &windows; bitmap
                   splash screens. Once you have found your splash screen of
                   choice copy it to <filename>/boot/splash.bmp</filename>.
                   Next, you need to have a
                   <filename>/boot/loader.rc</filename> file that contains
                   the following lines:</para>
 
                 <programlisting>load kernel
 load -t splash_image_data /boot/splash.bmp
 load splash_bmp
 autoboot</programlisting>
 
               </listitem>
 
               <listitem>
                 <para>FreeBSD 3.2+</para>
 
                 <para>In addition to adding support for PCX splash screens,
                   FreeBSD 3.2 includes a nicer way of configuring the boot
                   process. If you wish, you can use the method listed above
                   for FreeBSD 3.1. If you do and you want to use PCX,
                   replace <literal>splash_bmp</literal> with
                   <literal>splash_pcx</literal>. If, on the other hand, you
                   want to use the newer boot configuration, you need to
                   create a <filename>/boot/loader.rc</filename> file that
                   contains the following lines:</para>
 
                 <programlisting>include /boot/loader.4th
 start</programlisting>
 
                 <para>and a <filename>/boot/loader.conf</filename> that
                   contains the following:</para>
 
                 <programlisting>splash_bmp_load="YES"
 bitmap_load="YES"</programlisting>
 
                 <para>This assumes you are using
                   <filename>/boot/splash.bmp</filename> for your splash
                   screen.  If you would rather use a PCX file, copy it to
                   <filename>/boot/splash.pcx</filename>, create a
                   <filename>/boot/loader.rc</filename> as instructed
                   above, and create a
                   <filename>/boot/loader.conf</filename> that
                   contains:</para>
 
                 <programlisting>splash_pcx_load="YES"
 bitmap_load="YES"
 bitmap_name="/boot/splash.pcx"</programlisting>
 
               </listitem>
             </itemizedlist>
 
           <para>Now all you need is a splash screen.  For that you can
             surf on over to the gallery at
 	    <ulink url="http://www.baldwin.cx/splash/"></ulink>.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="windows-keys">
           <para>Can I use the &windows;
 	    keys on my keyboard in X?</para>
         </question>
 
         <answer>
           <para>Yes. All you need to do is use &man.xmodmap.1; to define
             what function you wish them to perform.</para>
 
           <para>Assuming all <quote>&windows;</quote> keyboards
             are standard then the keycodes for the 3 keys are</para>
 
           <itemizedlist>
             <listitem>
               <para>115 - &windows; key, between
 		the left-hand Ctrl and Alt keys</para>
             </listitem>
 
             <listitem>
               <para>116 - &windows; key, to the
 		right of the <keycap>AltGr</keycap> key</para>
             </listitem>
 
             <listitem>
               <para>117 - <keycap>Menu</keycap> key, to the left of
               the right-hand <keycap>Ctrl</keycap> key</para>
             </listitem>
           </itemizedlist>
 
           <para>To have the left &windows; key print a comma,
 	    try this.</para>
 
           <screen>&prompt.root; <userinput>xmodmap -e "keycode 115 = comma"</userinput></screen>
 
           <para>You will probably have to re-start your window manager
             to see the result.</para>
 
           <para>To have the &windows;
 	    key-mappings enabled automatically every time you start X either
 	    put the <command>xmodmap</command> commands in your
 	    <filename>~/.xinitrc</filename> file or, preferably, create a file
 	    <filename>~/.xmodmaprc</filename> and include the
 	    <command>xmodmap</command> options, one per line, then add the
 	    line</para>
 
           <programlisting>xmodmap $HOME/.xmodmaprc</programlisting>
 
           <para>to your <filename>~/.xinitrc</filename>.</para>
 
 	  <para>For example, you could map the 3 keys to be
 	    <keycap>F13</keycap>, <keycap>F14</keycap>, and
 	    <keycap>F15</keycap>, respectively.  This would make it
 	    easy to map them to useful functions within applications
 	    or your window manager, as demonstrated further
 	    down.</para>
 
           <para>To do this put the following in
             <filename>~/.xmodmaprc</filename>.</para>
 
           <programlisting>keycode 115 = F13
 keycode 116 = F14
 keycode 117 = F15</programlisting>
 
 	  <para>If you use <command>fvwm2</command>, for example, you
 	    could map the keys so that <keycap>F13</keycap> iconifies
 	    (or de-iconifies) the window the cursor is in,
 	    <keycap>F14</keycap> brings the window the cursor is in to
 	    the front or, if it is already at the front, pushes it to
 	    the back, and <keycap>F15</keycap> pops up the main
 	    Workplace (application) menu even if the cursor is not on
 	    the desktop, which is useful if you do not have any part
 	    of the desktop visible (and the logo on the key matches
 	    its functionality).</para>
 
 	  <para>The following entries in
 	    <filename>~/.fvwmrc</filename> implement the
 	    aforementioned setup:</para>
 
           <programlisting>Key F13        FTIWS    A        Iconify
 Key F14        FTIWS    A        RaiseLower
 Key F15        A        A        Menu Workplace Nop</programlisting>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="x-3d-acceleration">
           <para>How can I get 3D hardware acceleration for
             &opengl;?</para>
         </question>
 
         <answer>
           <para>The availability of 3D acceleration depends on the
             version of &xfree86; or &xorg; that you are using and the type of video chip
             you have.  If you have an NVIDIA chip, you can use the binary
             drivers provided for FreeBSD on the
             <ulink url="http://www.nvidia.com/content/drivers/drivers.asp">
             Drivers</ulink> section of their website.  For other cards
             with &xfree86;-4 or &xorg;, including the Matrox G200/G400, ATI Rage
             128/Radeon, and 3dfx Voodoo 3, 4, 5, and Banshee,
             information on hardware acceleration is available on the
             <ulink
             url="http://people.FreeBSD.org/~anholt/dri/">XFree86-4
             Direct Rendering on FreeBSD</ulink> page.  Users of
             &xfree86; version 3.3 can use the Utah-GLX port found in
             <filename role="package">graphics/utah-glx</filename> to
             get limited accelerated &opengl; on the Matrox Gx00, ATI
             Rage Pro, SiS 6326, i810, Savage, and older NVIDIA
             chips.</para>
           </answer>
         </qandaentry>
     </qandaset>
   </chapter>
 
   <chapter id="networking">
     <title>Networking</title>
 
     <qandaset>
       <qandaentry>
         <question id="diskless-booting">
           <para>Where can I get information on
             <quote>diskless booting</quote>?</para>
           </question>
 
           <answer>
             <para><quote>Diskless booting</quote> means that the FreeBSD
               box is booted over a network, and reads the necessary files
               from a server instead of its hard disk. For full details,
               please read <ulink url="&url.books.handbook;/diskless.html">the
               Handbook entry on diskless booting</ulink></para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="router">
           <para>Can a FreeBSD box be used as a dedicated network
             router?</para>
         </question>
 
         <answer>
           <para>Yes.  Please see the Handbook entry on <ulink
             url="&url.books.handbook;/advanced-networking.html"> advanced
             networking</ulink>, specifically the section on <ulink
             url="&url.books.handbook;/network-routing.html">routing
             and gateways</ulink>.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="win95-connection">
           <para>Can I connect my &windows; box to the Internet via
             FreeBSD?</para>
         </question>
 
         <answer>
           <para>Typically, people who ask this question have two PCs
             at home, one with FreeBSD and one with some version of
             &windows; the idea is to use the FreeBSD box to connect to
             the Internet and then be able to access the Internet from
             the &windows; box through the FreeBSD box. This is really
             just a special case of the previous question and works
             perfectly well.</para>
 
 	  <para>If you are using dialup to connect to the Internet
             user-mode &man.ppp.8; contains a <option>-nat</option>
             option. If you run &man.ppp.8; with the
             <option>-nat</option> option, set
             <literal>gateway_enable</literal> to
             <emphasis>YES</emphasis> in
             <filename>/etc/rc.conf</filename>, and configure your
             &windows; machine correctly, this should work fine. For more
             information, please see the &man.ppp.8; manual page or the
             <ulink url="&url.books.handbook;/userppp.html">Handbook entry on
             user PPP</ulink>.</para>
 
           <para>If you are using kernel-mode PPP or have an Ethernet
             connection to the Internet, you need to use
             &man.natd.8;. Please look at the <ulink
             url="&url.books.handbook;/network-natd.html">natd</ulink> section
             of the Handbook for a tutorial.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="slip-ppp-support">
           <para>Does FreeBSD support SLIP and PPP?</para>
         </question>
 
         <answer>
           <para>Yes.  See the manual pages for &man.slattach.8;,
             &man.sliplogin.8;, &man.ppp.8;, and &man.pppd.8;.  &man.ppp.8;
             and &man.pppd.8; provide support for both incoming and outgoing
             connections, while &man.sliplogin.8; deals exclusively with
             incoming connections, and &man.slattach.8; deals exclusively
             with outgoing connections.</para>
 
           <para>For more information on how to use these, please see the
             <ulink url="&url.books.handbook;/ppp-and-slip.html">Handbook chapter on
             PPP and SLIP</ulink>.</para>
 
           <para>If you only have access to the Internet through a
             <quote>shell account</quote>, you may want to have a look
             at the <filename role="package">net/slirp</filename>
             package.  It can provide you with (limited) access to
             services such as ftp and http direct from your local
             machine.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="natd">
           <para>Does FreeBSD support NAT or Masquerading?</para>
         </question>
 
         <answer>
 	  <para>Yes.  If you want to use NAT over a user PPP
 	    connection, please see the <ulink
 	    url="&url.books.handbook;/userppp.html">Handbook entry on user
 	    PPP</ulink>.  If you want to use NAT over some other sort
 	    of network connection, please look at the <ulink
 	    url="&url.books.handbook;/network-natd.html">natd</ulink> section
 	    of the Handbook.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="parallel-connect">
           <para>How do I connect two FreeBSD systems over a parallel line
             using PLIP?</para>
         </question>
 
         <answer>
           <para>Please see the <ulink url="&url.books.handbook;/plip.html">PLIP
           section</ulink> of the Handbook.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="create-dev-net">
           <para>Why can I not create a <devicename>/dev/ed0</devicename>
             device?</para>
         </question>
 
         <answer>
           <para>Because they are not necessary. In the Berkeley
             networking framework, network interfaces are only directly
             accessible by kernel code. Please see the
             <filename>/etc/rc.network</filename> file and the manual
             pages for the various network programs mentioned there for
             more information. If this leaves you totally confused,
             then you should pick up a book describing network
             administration on another BSD-related operating system;
             with few significant exceptions, administering networking
             on FreeBSD is basically the same as on &sunos; 4.0 or
             Ultrix.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="ethernet-aliases">
           <para>How can I set up Ethernet aliases?</para>
         </question>
 
 	<answer>
 	  <para>If the alias is on the same subnet as an address
 	    already configured on the interface, then add 
 	    <literal>netmask 0xffffffff</literal> to your
 	    &man.ifconfig.8; command-line, as in the following:</para>
 
 	  <screen>&prompt.root; <userinput>ifconfig ed0 alias 192.0.2.2 netmask 0xffffffff</userinput></screen>
 
 	  <para>Otherwise, just specify the network address and
 	    netmask as usual:</para>
 
 	  <screen>&prompt.root; <userinput>ifconfig ed0 alias 172.16.141.5 netmask 0xffffff00</userinput></screen>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="port-3c503">
           <para>How do I get my 3C503 to use the other network
             port?</para>
         </question>
 
         <answer>
           <para>If you want to use the other ports, you will have to specify
             an additional parameter on the
             &man.ifconfig.8; command line. The default port is
             <literal>link0</literal>. To use the AUI port instead of the
             BNC one, use <literal>link2</literal>.  These flags should be
             specified using the ifconfig_* variables in
             <filename>/etc/rc.conf</filename> (see &man.rc.conf.5;).</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="nfs">
           <para>Why am I having trouble with NFS and FreeBSD?</para>
         </question>
 
         <answer>
           <para>Certain PC network cards are better than others (to put
             it mildly) and can sometimes cause problems with network
             intensive applications like NFS.</para>
 
           <para>See <ulink url="&url.books.handbook;/nfs.html">
             the Handbook entry on NFS</ulink> for more information on
             this topic.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="nfs-linux">
           <para>Why can I not NFS-mount from a &linux; box?</para>
         </question>
 
         <answer>
           <para>Some versions of the &linux; NFS code only accept mount
             requests from a privileged port; try</para>
 
           <screen>&prompt.root; <userinput>mount -o -P linuxbox:/blah /mnt</userinput></screen>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="nfs-sun">
           <para>Why can I not NFS-mount from a Sun box?</para>
         </question>
 
         <answer>
           <para>&sun; workstations running &sunos; 4.X only accept mount
             requests from a privileged port; try</para>
 
           <screen>&prompt.root; <userinput>mount -o -P sunbox:/blah /mnt</userinput></screen>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="exports-errors">
           <para>Why does <command>mountd</command> keep telling me it
             <errorname>can't change attributes</errorname> and that I have a
             <errorname>bad exports list</errorname> on my FreeBSD NFS
             server?</para>
         </question>
 
         <answer>
           <para>The most frequent problem is not understanding the
             correct format of <filename>/etc/exports</filename>.
             Please review &man.exports.5; and the <ulink
             url="&url.books.handbook;/nfs.html">NFS</ulink> entry in the
             Handbook, especially the section on <ulink
             url="&url.books.handbook;/nfs.html#CONFIGURING-NFS">configuring
             NFS</ulink>.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="ppp-nextstep">
           <para>Why am I having problems talking PPP to NeXTStep
             machines?</para>
         </question>
 
         <answer>
 
           <para>Try disabling the TCP extensions in
             <filename>/etc/rc.conf</filename> (see &man.rc.conf.5;) by
             changing the following variable to NO:</para>
 
           <programlisting>tcp_extensions=NO</programlisting>
 
           <para>Xylogic's Annex boxes are also broken in this regard
             and you must use the above change to connect through
             them.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="ip-multicast">
           <para>How do I enable IP multicast support?</para>
         </question>
 
         <answer>
           <para>FreeBSD supports multicast host operations by
             default. If you want your box to run as a multicast
             router, you need to recompile your kernel with the
             <literal>MROUTING</literal> option and run
             &man.mrouted.8;. FreeBSD will start &man.mrouted.8; at
             boot time if the flag <literal>mrouted_enable</literal> is
             set to <literal>"YES"</literal> in
             <filename>/etc/rc.conf</filename>.</para>
 
           <para>MBONE tools are available in their own ports category,
             <ulink
             url="http://www.FreeBSD.org/ports/mbone.html">mbone</ulink>.
             If you are looking for the conference tools
             <command>vic</command> and <command>vat</command>, look
             there!</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="dec-pci-chipset">
           <para>Which network cards are based on the DEC PCI
              chipset?</para>
         </question><answer>
 
           <para>Here is a list compiled by Glen Foster
              <email>gfoster@driver.nsta.org</email>,
              with some more modern additions:</para>
 
           <table>
             <title>Network cards based on the DEC PCI chipset</title>
 
             <tgroup cols=2>
               <thead>
                 <row>
                   <entry>Vendor</entry>
                   <entry>Model</entry>
                 </row>
               </thead>
 
               <tbody>
                 <row>
                   <entry>ASUS</entry>
                   <entry>PCI-L101-TB</entry>
                 </row>
                 <row>
                   <entry>Accton</entry>
                   <entry>ENI1203</entry>
                 </row>
                 <row>
                   <entry>Cogent</entry>
                   <entry>EM960PCI</entry>
                 </row>
                 <row>
                   <entry>Compex</entry>
                   <entry>ENET32-PCI</entry>
                 </row>
                 <row>
                   <entry>D-Link</entry>
                   <entry>DE-530</entry>
                 </row>
                 <row>
                   <entry>Dayna</entry>
                   <entry>DP1203, DP2100</entry>
                 </row>
                 <row>
                   <entry>DEC</entry>
                   <entry>DE435, DE450</entry>
                 </row>
                 <row>
                   <entry>Danpex</entry>
                   <entry>EN-9400P3</entry>
                 </row>
                 <row>
                   <entry>JCIS</entry>
                   <entry>Condor JC1260</entry>
                 </row>
                 <row>
                   <entry>Linksys</entry>
                   <entry>EtherPCI</entry>
                 </row>
                 <row>
                   <entry>Mylex</entry>
                   <entry>LNP101</entry>
                 </row>
                 <row>
                   <entry>SMC</entry>
                   <entry>EtherPower 10/100 (Model 9332)</entry>
                 </row>
                 <row>
                   <entry>SMC</entry>
                   <entry>EtherPower (Model 8432)</entry>
                 </row>
                 <row>
                   <entry>TopWare</entry>
                   <entry>TE-3500P</entry>
                 </row>
                 <row>
                   <entry>Znyx (2.2.x)</entry>
                   <entry>ZX312, ZX314, ZX342, ZX345, ZX346, ZX348</entry>
                 </row>
                 <row>
                   <entry>Znyx (3.x)</entry>
                   <entry>ZX345Q, ZX346Q, ZX348Q, ZX412Q, ZX414, ZX442, ZX444,
                     ZX474, ZX478, ZX212, ZX214 (10mbps/hd)</entry>
                 </row>
               </tbody>
             </tgroup>
           </table>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="fqdn-hosts">
           <para>Why do I have to use the FQDN for hosts on my
             site?</para>
         </question>
 
         <answer>
           <para>You will probably find that the host is actually in a
             different domain; for example, if you are in foo.example.org and
             you wish to reach a host called <hostid>mumble</hostid> in the
             <hostid role="domainname">example.org</hostid> domain, you will
             have to refer to it by the fully-qualified domain name, <hostid
             role="fqdn">mumble.example.org</hostid>, instead of just
             <hostid>mumble</hostid>.</para>
 
           <para>Traditionally, this was allowed by BSD BIND resolvers.
             However the current version of
             <application>bind</application> (see &man.named.8;)
             that ships with FreeBSD no longer provides default
             abbreviations for non-fully qualified domain names other than
             the domain you are in. So an unqualified host
             <hostid>mumble</hostid> must either be found as <hostid
             role="fqdn">mumble.foo.example.org</hostid>, or it will be searched
             for in the root domain.</para>
 
           <para>This is different from the previous behavior, where the
             search continued across
             <hostid role="domainname">mumble.example.org</hostid>, and
             <hostid role="domainname">mumble.edu</hostid>.  Have a look at
             RFC 1535 for why this was considered bad practice, or even a
             security hole.</para>
 
           <para>As a good workaround, you can place the line</para>
 
           <programlisting>search foo.example.org example.org</programlisting>
 
           <para>instead of the previous</para>
 
           <programlisting>domain foo.example.org</programlisting>
 
           <para>into your <filename>/etc/resolv.conf</filename> file
             (see &man.resolv.conf.5;).  However, make sure that the
             search order does not go beyond the <quote>boundary
             between local and public administration</quote>, as RFC
             1535 calls it.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="network-permission-denied">
           <para>Why do I get an error, <errorname>Permission
             denied</errorname>, for all networking operations?</para>
         </question>
 
         <answer>
           <para>If you have compiled your kernel with the
             <literal>IPFIREWALL</literal> option, you need to be aware
             that the default policy is to deny all packets that are
             not explicitly allowed.</para>
 
           <para>If you had unintentionally misconfigured your system
             for firewalling, you can restore network operability by
             typing the following while logged in as
             <username>root</username>:</para>
 
           <screen>&prompt.root; <userinput>ipfw add 65534 allow all from any to any</userinput></screen>
 
           <para>You can also set
             <literal>firewall_type="open"</literal> in
             <filename>/etc/rc.conf</filename>.</para>
 
           <para>For further information on configuring a FreeBSD
             firewall, see the <ulink url="&url.books.handbook;/firewalls.html">
             Handbook section</ulink>.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="ipfw-overhead">
           <para>How much overhead does IPFW incur?</para>
         </question>
 
         <answer>
           <para>Please see the Handbook's <ulink
             url="&url.books.handbook;/firewalls.html">Firewalls</ulink>
             section, specifically the section on <ulink
             url="&url.books.handbook;/firewalls.html#IPFW-OVERHEAD">IPFW
             Overhead & Optimization</ulink>.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="ipfw-fwd">
           <para>Why is my <command>ipfw</command> <quote>fwd</quote> rule
             to redirect a service to another machine not working?</para>
         </question>
 
         <answer>
           <para>Possibly because you want to do network address translation
             (NAT) and not just forward packets.  A <quote>fwd</quote> rule
             does exactly what it says; it forwards packets.  It does not
             actually change the data inside the packet.  Say we have a rule
             like:</para>
 
           <screen>01000 fwd <replaceable>10.0.0.1</replaceable> from any to <replaceable>foo 21</replaceable></screen>
 
           <para>When a packet with a destination address of
             <replaceable>foo</replaceable> arrives at the machine with this
             rule, the packet is forwarded to
             <replaceable>10.0.0.1</replaceable>, but it still has the
             destination address of <replaceable>foo</replaceable>!  The
             destination address of the packet is <emphasis>not</emphasis>
             changed to <replaceable>10.0.0.1</replaceable>.  Most machines
             would probably drop a packet that they receive with a
             destination address that is not their own.  Therefore, using a
             <quote>fwd</quote> rule does not often work the way the user
             expects.  This behavior is a feature and not a bug.</para>
 
           <para>See the <link linkend="service-redirect">FAQ about
             redirecting services</link>, the &man.natd.8; manual, or one of
             the several port redirecting utilities in the <ulink
             url="&url.base;/ports/index.html">ports collection</ulink> for a correct way to do
             this.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="service-redirect">
           <para>How can I redirect service requests from one machine to
             another?</para>
         </question>
 
         <answer>
           <para>You can redirect FTP (and other service) request with
             the <literal>socket</literal> package, available in the ports
             tree in category <quote>sysutils</quote>. Simply replace the
             service's command line to call socket instead, like so:</para>
 
           <programlisting>ftp stream tcp nowait nobody /usr/local/bin/socket socket <replaceable>ftp.example.com</replaceable> <replaceable>ftp</replaceable></programlisting>
 
           <para>where <replaceable>ftp.example.com</replaceable> and
             <replaceable>ftp</replaceable> are the host and port to
             redirect to, respectively.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="bandwidth-mgr-tool">
           <para>Where can I get a bandwidth management tool?</para>
         </question>
 
         <answer>
           <para>There are three bandwidth management tools available for
 	    FreeBSD.  &man.dummynet.4; is integrated into FreeBSD (or more
 	    specifically, &man.ipfw.4;); <ulink
 	    url="http://www.csl.sony.co.jp/person/kjc/programs.html">ALTQ</ulink>
 	    is available for free; Bandwidth Manager from <ulink
 	    url="http://www.etinc.com/">Emerging Technologies</ulink> is a
 	    commercial product.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="bpf-not-configured">
           <para>Why do I get <errorname>/dev/bpf0: device not
             configured</errorname>?</para>
         </question>
 
         <answer>
           <para>You are running a program that requires the Berkeley
             Packet Filter (&man.bpf.4;), but it is not in your kernel.
             Add this to your kernel config file and build a new
             kernel:</para>
 
           <programlisting>pseudo-device bpf        # Berkeley Packet Filter</programlisting>
 
           <para>On FreeBSD 4.X and earlier, you must also create the
             device node.  After rebooting, go to the
             <filename>/dev</filename> directory and run:</para>
 
           <screen>&prompt.root; <userinput>sh MAKEDEV bpf0</userinput></screen>
 
           <para>Please see the <ulink
             url="&url.books.handbook;/kernelconfig-nodes.html"> Handbook entry
             on device nodes</ulink> for more information on managing
             devices.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="mount-smb-share">
           <para>How do I mount a disk from a &windows; machine that is on my
             network, like smbmount in &linux;?</para>
         </question>
 
         <answer>
           <para>Use the <application>SMBFS</application> toolset.  It
             includes a set of kernel modifications and a set of
             userland programs.  The programs and information are
             available as <filename role="package">net/smbfs</filename>
             in the ports collection, or in the base system as of
             4.5-RELEASE and later.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="icmp-response-bw-limit">
           <para>What are these messages about <quote>icmp-response
             bandwidth limit 300/200 pps</quote> in my log
             files?</para>
         </question>
 
         <answer>
           <para>This is the kernel telling you that some activity is
             provoking it to send more ICMP or TCP reset (RST)
             responses than it thinks it should.  ICMP responses are
             often generated as a result of attempted connections to
             unused UDP ports.  TCP resets are generated as a result of
             attempted connections to unopened TCP ports.  Among
             others, these are the kinds of activities which may cause
             these messages:</para>
 
           <itemizedlist>
             <listitem>
               <para>Brute-force denial of service (DoS) attacks (as
                 opposed to single-packet attacks which exploit a
                 specific vulnerability).</para>
             </listitem>
 
             <listitem>
               <para>Port scans which attempt to connect to a large
                 number of ports (as opposed to only trying a few
                 well-known ports).</para>
             </listitem>
           </itemizedlist>
 
           <para>The first number in the message tells you how many
             packets the kernel would have sent if the limit was not in
             place, and the second number tells you the limit.  You can
             control the limit using the
             <varname>net.inet.icmp.icmplim</varname> sysctl variable
             like this, where <literal>300</literal> is the limit in
             packets per second:</para>
 
           <screen>&prompt.root; <userinput>sysctl -w net.inet.icmp.icmplim=300</userinput></screen>
 
           <para>If you do not want to see messages about this in your
             log files, but you still want the kernel to do response
             limiting, you can use the
             <varname>net.inet.icmp.icmplim_output</varname> sysctl
             variable to disable the output like this:</para>
 
           <screen>&prompt.root; <userinput>sysctl -w net.inet.icmp.icmplim_output=0</userinput></screen>
 
           <para>Finally, if you want to disable response limiting, you
             can set the <varname>net.inet.icmp.icmplim</varname>
             sysctl variable (see above for an example) to
             <literal>0</literal>.  Disabling response limiting is
             discouraged for the reasons listed above.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="unknown-hw-addr-format">
           <para>What are these <errorname>arp: unknown hardware
             address format</errorname> error messages?</para>
         </question>
 
         <answer>
           <para>This means that some device on your local Ethernet is
             using a MAC address in a format that FreeBSD does not
             recognize.  This is probably caused by someone
             experimenting with an Ethernet card somewhere else on the
             network.  You will see this most commonly on cable modem
             networks.  It is harmless, and should not affect the
             performance of your FreeBSD machine.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
 	<question id="cvsup-missing-libs">
 	  <para>I have just installed CVSup but trying to execute it
             produces errors.  What is wrong?</para>
 	</question>
 
 	<answer>
 	  <para>First, see if the error message you are receiving is
             like the one shown below.</para>
 
 	  <programlisting>/usr/libexec/ld-elf.so.1: Shared object "libXaw.so.6" not found</programlisting>
 
 	  <para>Errors like these are caused by installing the
             <filename role="package">net/cvsup</filename> port on a
             machine which does not have the
             <application>&xfree86;</application> suite. If you want to
             use the <acronym>GUI</acronym> included with
             <application>CVSup</application> you will need to install
             <application>&xfree86;</application> now. Alternatively if
             you just wish to use <application>CVSup</application> from
             a command line you should delete the package previously
             installed. Then install the <filename
             role="package">net/cvsup-without-gui</filename> port. This
             is covered in more detail in the <ulink
             url="http://www.FreeBSD.org/doc/en_US.ISO8859-1/books/handbook/cvsup.html">CVSup
             section</ulink> of the Handbook.</para>
 	</answer>
       </qandaentry>
     </qandaset>
   </chapter>
 
   <chapter id="security">
     <title>Security</title>
     <qandaset>
       <qandaentry>
         <question id="sandbox">
           <para>What is a sandbox?</para>
         </question><answer>
 
           <para><quote>Sandbox</quote> is a security term.  It can
             mean two things:</para>
 
             <itemizedlist>
               <listitem>
 
                 <para>A process which is placed inside a set of virtual
                   walls that are designed to prevent someone who breaks
                   into the process from being able to break into the wider
                   system.</para>
 
                 <para>The process is said to be able to
                   <quote>play</quote> inside the walls.  That is,
                   nothing the process does in regards to executing code is
                   supposed to be able to breech the walls so you do not
                   have to do a detailed audit of its code to be able to
                   say certain things about its security.</para>
 
                 <para>The walls might be a userid, for example.  This is
                   the definition used in the security and named man
                   pages.</para>
 
                 <para>Take the <literal>ntalk</literal> service, for
                   example (see /etc/inetd.conf). This service used to run
                   as userid <username>root</username>. Now it runs as userid
 		  <username>tty</username>. The <username>tty</username> user
                   is a sandbox designed to make it more difficult for
                   someone who has successfully hacked into the system via
                   ntalk from being able to hack beyond that user id.</para>
               </listitem>
 
               <listitem>
 
                 <para>A process which is placed inside a simulation of the
                   machine. This is more hard-core. Basically it means that
                   someone who is able to break into the process may believe
                   that he can break into the wider machine but is, in fact,
                   only breaking into a simulation of that machine and not
                   modifying any real data.</para>
 
                 <para>The most common way to accomplish this is to build a
                   simulated environment in a subdirectory and then run the
                   processes in that directory chroot'd (i.e.
                   <filename>/</filename> for that process is this
                   directory, not the real <filename>/</filename> of the
                   system).</para>
 
                 <para>Another common use is to mount an underlying
                   filesystem read-only and then create a filesystem layer
                   on top of it that gives a process a seemingly writeable
                   view into that filesystem. The process may believe it is
                   able to write to those files, but only the process sees
                   the effects - other processes in the system do not,
                   necessarily.</para>
 
                 <para>An attempt is made to make this sort of sandbox so
                   transparent that the user (or hacker) does not realize
                   that he is sitting in it.</para>
               </listitem>
             </itemizedlist>
 
           <para>&unix; implements two core sandboxes.  One is at the
             process level, and one is at the userid level.</para>
 
           <para>Every &unix; process is completely firewalled off from every
             other &unix; process.  One process cannot modify the address
             space of another.  This is unlike &windows; where a process
             can easily overwrite the address space of any other, leading
             to a crash.</para>
 
           <para>A &unix; process is owned by a particular userid.  If
             the userid is not the <username>root</username> user, it
             serves to firewall the process off from processes owned by
             other users.  The userid is also used to firewall off
             on-disk data.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="securelevel">
           <para>What is securelevel?</para>
         </question>
 
         <answer>
           <para>The securelevel is a security mechanism implemented in the
             kernel.  Basically, when the securelevel is positive, the
             kernel restricts certain tasks; not even the superuser (i.e.,
             <username>root</username>) is allowed to do them.  At the time
             of this writing, the securelevel mechanism is capable of, among
             other things, limiting the ability to,</para>
 
           <itemizedlist>
             <listitem>
               <para>unset certain file flags, such as
                 <literal>schg</literal> (the system immutable flag),</para>
             </listitem>
 
             <listitem>
               <para>write to kernel memory via
                 <devicename>/dev/mem</devicename> and
                 <devicename>/dev/kmem</devicename>,</para>
             </listitem>
 
             <listitem>
               <para>load kernel modules, and</para>
             </listitem>
 
             <listitem>
               <para>alter &man.ipfirewall.4; rules.</para>
             </listitem>
           </itemizedlist>
 
           <para>To check the status of the securelevel on a running system,
             simply execute the following command:</para>
 
           <screen>&prompt.root; <userinput>sysctl kern.securelevel</userinput></screen>
 
           <para>The output will contain the name of the &man.sysctl.8;
             variable (in this case, <varname>kern.securelevel</varname>)
             and a number.  The latter is the current value of the
             securelevel.  If it is positive (i.e., greater than 0), at
             least some of the securelevel's protections are enabled.</para>
 
           <para>You cannot lower the securelevel of a running system; being
             able to do that would defeat its purpose.  If you need to do a
             task that requires that the securelevel be non-positive (e.g.,
             an <maketarget>installworld</maketarget> or changing the date),
             you will have to change the securelevel setting in
             <filename>/etc/rc.conf</filename> (you want to look for the
             <varname>kern_securelevel</varname> and
             <varname>kern_securelevel_enable</varname> variables) and
             reboot.</para>
 
           <para>For more information on securelevel and the specific things
             all the levels do, please consult the &man.init.8; manual
             page.</para>
 
             <warning>
               <para>Securelevel is not a silver bullet; it has many known
                 deficiencies.  More often than not, it provides a false
                 sense of security.</para>
 
               <para>One of its biggest problems is that in order for it to
                 be at all effective, all files used in the boot process up
                 until the securelevel is set must be protected.  If an
                 attacker can get the system to execute their code prior to
                 the securelevel being set (which happens quite late in the
                 boot process since some things the system must do at
                 start-up cannot be done at an elevated securelevel), its
                 protections are invalidated.  While this task of protecting
                 all files used in the boot process is not technically
                 impossible, if it is achieved, system maintenance will
                 become a nightmare since one would have to take the system
                 down, at least to single-user mode, to modify a
                 configuration file.</para>
 
               <para>This point and others are often discussed on the
                 mailing lists, particularly the &a.security;. Please search
                 the archives <ulink
                 url="&url.base;/search/index.html">here</ulink> for an
                 extensive discussion.  Some people are hopeful that
                 securelevel will soon go away in favor of a more
                 fine-grained mechanism, but things are still hazy in this
                 respect.</para>
 
               <para>Consider yourself warned.</para>
             </warning>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="extra-named-port">
 	  <para>BIND (<command>named</command>) is listening on port 53 and
 	    some other high-numbered port.  What is going on?</para>
 	</question>
 
 	<answer>
 	  <para>FreeBSD 3.0 and later use a version of BIND
 	    that uses a random high-numbered port for outgoing queries.  If
 	    you want to use port 53 for outgoing queries, either to get
 	    past a firewall or to make yourself feel better, you can try
 	    the following in
 	    <filename>/etc/namedb/named.conf</filename>:</para>
 
 	  <programlisting>options {
         query-source address * port 53;
 };</programlisting>
 
 	  <para>You can replace the <literal>*</literal> with a single IP
 	    address if you want to tighten things further.</para>
 
 	  <para>Congratulations, by the way.  It is good practice to read
 	    your &man.sockstat.1; output and notice odd
 	    things!</para>
 	</answer>
       </qandaentry>
 
       <qandaentry>
         <question id="sendmail-port-587">
           <para>Sendmail is listening on port 587 as well as the
             standard port 25! What is going on?</para>
         </question>
 
         <answer>
           <para>Recent versions of Sendmail support a
             mail submission feature that runs over port 587.  This is
             not yet widely supported, but is growing in
             popularity.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="toor-account">
           <para>What is this UID 0 <username>toor</username> account? Have I
             been compromised?</para>
         </question>
 
         <answer>
           <para>Do not worry. <username>toor</username> is an
             <quote>alternative</quote> superuser account (toor is root
             spelt backwards). Previously it was created when the
             &man.bash.1; shell was installed but now it is created by
             default. It is intended to be used with a non-standard shell so
             you do not have to change <username>root</username>'s default
             shell. This is important as shells which are not part of the
             base distribution (for example a shell installed from ports or
             packages) are likely to be installed in
             <filename>/usr/local/bin</filename> which, by default, resides
             on a different filesystem. If <username>root</username>'s shell
             is located in <filename>/usr/local/bin</filename> and
             <filename>/usr</filename> (or whatever filesystem contains
             <filename>/usr/local/bin</filename>) is not mounted for some
             reason, <username>root</username> will not be able to log in to
             fix a problem (although if you reboot into single user mode
             you will be prompted for the path to a shell).</para>
 
           <para>Some people use <username>toor</username> for
             day-to-day <username>root</username> tasks with a
             non-standard shell, leaving <username>root</username>,
             with a standard shell, for single user mode or
             emergencies. By default you cannot log in using
             <username>toor</username> as it does not have a password,
             so log in as <username>root</username> and set a password
             for <username>toor</username> if you want to use
             it.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="suidperl">
           <para>Why is <command>suidperl</command> not working
             properly?</para>
         </question>
 
         <answer>
           <para>For security reasons, <command>suidperl</command> is
             installed without the suid bit by default.  The system
             administrator can enable suid behavior with the following
             command.</para>
 
 	    <screen>&prompt.root; <userinput>chmod u+s /usr/bin/suidperl</userinput></screen>
 
           <para>If you want <command>suidperl</command> to be built
             suid during upgrades from source, edit
             <filename>/etc/make.conf</filename> and add
             <varname>ENABLE_SUIDPERL=true</varname> before you run
             <command>make buildworld</command>.</para>
         </answer>
       </qandaentry>
     </qandaset>
   </chapter>
 
   <chapter id="ppp">
     <title>PPP</title>
 
     <qandaset>
       <qandaentry>
         <question id="userppp">
           <para>I cannot make &man.ppp.8; work.  What am I doing wrong?</para>
         </question>
 
         <answer>
           <para>You should first read the &man.ppp.8; manual page and
             the <ulink url="&url.books.handbook;/ppp-and-slip.html#USERPPP">
             PPP section of the handbook</ulink>.  Enable logging with
             the command</para>
 
           <programlisting>set log Phase Chat Connect Carrier lcp ipcp ccp command</programlisting>
 
           <para>This command may be typed at the &man.ppp.8; command
             prompt or it may be entered in the
             <filename>/etc/ppp/ppp.conf</filename> configuration file
             (the start of the <literal>default</literal> section is
             the best place to put it).  Make sure that
             <filename>/etc/syslog.conf</filename> (see
             &man.syslog.conf.5;) contains the lines</para>
 
           <programlisting>!ppp
 *.*        /var/log/ppp.log</programlisting>
 
           <para>and that the file <filename>/var/log/ppp.log</filename>
             exists.  You can now find out a lot about what is going on
             from the log file.  Do not worry if it does not all make sense.
             If you need to get help from someone, it may make sense to
             them.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="ppp-hangs">
           <para>Why does &man.ppp.8; hang when I run it?</para>
         </question>
 
         <answer>
           <para>This is usually because your hostname will not resolve.
             The best way to fix this is to make sure that
             <filename>/etc/hosts</filename> is consulted by your
             resolver first by editing <filename>/etc/host.conf</filename>
             and putting the <literal>hosts</literal> line first.  Then,
             simply put an entry in <filename>/etc/hosts</filename> for
             your local machine.  If you have no local network, change your
             <hostid>localhost</hostid> line:</para>
 
           <programlisting>127.0.0.1        foo.example.com foo localhost</programlisting>
 
           <para>Otherwise, simply add another entry for your host.
             Consult the relevant manual pages for more details.</para>
 
           <para>You should be able to successfully <command>ping -c1
             `hostname`</command> when you are done.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="ppp-nodial-auto">
           <para>Why will &man.ppp.8; not dial in <literal>-auto</literal>
             mode?</para>
         </question>
 
         <answer>
           <para>First, check that you have got a default route.  By
             running <command>netstat -rn</command> (see
             &man.netstat.1;), you should see two entries like
             this:</para>
 
           <programlisting>Destination        Gateway            Flags     Refs     Use     Netif Expire
 default            10.0.0.2           UGSc        0        0      tun0
 10.0.0.2           10.0.0.1           UH          0        0      tun0</programlisting>
 
           <para>This is assuming that you have used the addresses from the
             handbook, the manual page or from the ppp.conf.sample file.
             If you do not have a default route, it may be because you are
             running an old version of &man.ppp.8;
             that does not understand the word <literal>HISADDR</literal>
             in the ppp.conf file.</para>
 
           <para>Another reason for the default route line being
             missing is that you have mistakenly set up a default
             router in your <filename>/etc/rc.conf</filename> (see
             &man.rc.conf.5;) file
             and you have omitted the line saying</para>
 
           <programlisting>delete ALL</programlisting>
 
           <para>from <filename>ppp.conf</filename>.  If this is the
             case, go back to the <ulink
             url="&url.books.handbook;/ppp-and-slip.html#USERPPP-FINAL"> Final
             system configuration</ulink> section of the
             handbook.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="no-route-to-host">
           <para>What does <errorname>No route to host</errorname> mean?</para>
         </question>
 
         <answer>
           <para>This error is usually due to a missing</para>
 
           <programlisting>MYADDR:
   delete ALL
   add 0 0 HISADDR</programlisting>
 
           <para>section in your <filename>/etc/ppp/ppp.linkup</filename>
             file.  This is only necessary if you have a dynamic IP address
             or do not know the address of your gateway.  If you are using
             interactive mode, you can type the following after entering
             <literal>packet mode</literal> (packet mode is
             indicated by the capitalized <acronym>PPP</acronym> in the
             prompt):</para>
 
          <programlisting>delete ALL
 add 0 0 HISADDR</programlisting>
 
           <para>Refer to the <ulink
             url="&url.books.handbook;/ppp-and-slip.html#USERPPP-DYNAMICIP">
             PPP and Dynamic IP addresses</ulink> section of the handbook
             for further details.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="connection-threeminutedrop">
           <para>Why does my connection drop after about 3 minutes?</para>
         </question>
 
         <answer>
           <para>The default PPP timeout is 3 minutes.  This can be
             adjusted with the line</para>
 
           <programlisting>set timeout <replaceable>NNN</replaceable></programlisting>
 
           <para>where <replaceable>NNN</replaceable> is the number of
             seconds of inactivity before the connection is closed.  If
             <replaceable>NNN</replaceable> is zero, the connection is never
             closed due to a timeout. It is possible to put this command in
             the <filename>ppp.conf</filename> file, or to type it at the
             prompt in interactive mode. It is also possible to adjust it on
             the fly while the line is active by connecting to
             <application>ppp</application>'s server socket using
             &man.telnet.1; or &man.pppctl.8;.
             Refer to the
             &man.ppp.8; man
             page for further details.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="ppp-drop-heavy-load">
           <para>Why does my connection drop under heavy load?</para>
         </question>
 
         <answer>
           <para>If you have Link Quality Reporting (LQR) configured,
             it is possible that too many LQR packets are lost between
             your machine and the peer.  Ppp deduces that the line must
             therefore be bad, and disconnects.  Prior to FreeBSD version
             2.2.5, LQR was enabled by default.  It is now disabled by
             default. LQR can be disabled with the line</para>
 
           <programlisting>disable lqr</programlisting>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="ppp-drop-random">
           <para>Why does my connection drop after a random amount of
             time?</para>
         </question>
 
         <answer>
           <para>Sometimes, on a noisy phone line or even on a line with
             call waiting enabled, your modem may hang up because it
             thinks (incorrectly) that it lost carrier.</para>
 
           <para>There is a setting on most modems for determining how
             tolerant it should be to temporary losses of carrier.  On a
             USR &sportster; for example, this is measured by the S10
             register in tenths of a second.  To make your modem more
             forgiving, you could add the following send-expect sequence
             to your dial string:</para>
 
           <programlisting>set dial "...... ATS10=10 OK ......"</programlisting>
 
           <para>Refer to your modem manual for details.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="ppp-hangs-random">
           <para>Why does my connection hang after a random amount of
             time?</para>
         </question><answer>
 
           <para>Many people experience hung connections with no apparent
             explanation.  The first thing to establish is which side of
             the link is hung.</para>
 
           <para>If you are using an external modem, you can simply try
             using &man.ping.8; to see if the <acronym>TD</acronym>
             light is flashing when you transmit data.  If it flashes
             (and the <acronym>RD</acronym> light does not), the
             problem is with the remote end. If <acronym>TD</acronym>
             does not flash, the problem is local. With an internal
             modem, you will need to use the <literal>set
             server</literal> command in your
             <filename>ppp.conf</filename> file. When the hang occurs,
             connect to &man.ppp.8; using &man.pppctl.8;. If your
             network connection suddenly revives (PPP was revived due
             to the activity on the diagnostic socket) or if you cannot
             connect (assuming the <literal>set socket</literal>
             command succeeded at startup time), the problem is
             local. If you can connect and things are still hung,
             enable local async logging with <literal>set log local
             async</literal> and use &man.ping.8; from another window
             or terminal to make use of the link. The async logging
             will show you the data being transmitted and received on
             the link. If data is going out and not coming back, the
             problem is remote.</para>
 
           <para>Having established whether the problem is local or remote,
             you now have two possibilities:</para>
 
 	  <itemizedlist>
 	    <listitem>
 	      <para>If the problem is remote, read on entry <xref
 	          linkend="ppp-remote-not-responding">.</para>
 	    </listitem>
 
 	    <listitem>
 	      <para>If the problem is local, read on entry <xref
 	          linkend="ppp-hung">.</para>
 	    </listitem>
 	  </itemizedlist>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="ppp-remote-not-responding">
           <para>The remote end is not responding.  What can I do?</para>
         </question>
 
         <answer>
           <para>There is very little you can do about this.  Most ISPs
             will refuse to help if you are not running a Microsoft OS.
             You can <literal>enable lqr</literal> in your
             <filename>ppp.conf</filename> file, allowing &man.ppp.8; to detect
             the remote failure and hang up, but this detection is
             relatively slow and therefore not that useful.  You may want to
             avoid telling your ISP that you are running user-PPP...</para>
 
           <para>First, try disabling all local compression by adding the
             following to your configuration:</para>
 
           <programlisting>disable pred1 deflate deflate24 protocomp acfcomp shortseq vj
 deny pred1 deflate deflate24 protocomp acfcomp shortseq vj</programlisting>
 
           <para>Then reconnect to ensure that this makes no difference.
             If things improve or if the problem is solved completely,
             determine which setting makes the difference through trial
             and error.  This will provide good ammunition when you contact
             your ISP (although it may make it apparent that you are not
             running a Microsoft product).</para>
 
           <para>Before contacting your ISP, enable async logging
             locally and wait until the connection hangs again.  This
             may use up quite a bit of disk space.  The last data read
             from the port may be of interest.  It is usually ascii
             data, and may even describe the problem (<quote>Memory
             fault, core dumped</quote>?).</para>
 
           <para>If your ISP is helpful, they should be able to enable
             logging on their end, then when the next link drop occurs,
             they may be able to tell you why their side is having a
             problem.  Feel free to send the details to &a.brian;, or
             even to ask your ISP to contact me directly.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="ppp-hung">
           <para>&man.ppp.8; has hung.  What can I do?</para>
         </question>
 
         <answer>
           <para>Your best bet here is to rebuild &man.ppp.8; by adding
             <literal>CFLAGS+=-g</literal> and
             <literal>STRIP=</literal> to the end of the Makefile, then
             doing a <command>make clean &amp;&amp; make &amp;&amp;
             make install</command>.  When &man.ppp.8; hangs, find the
             &man.ppp.8; process id with <command>ps ajxww | fgrep
             ppp</command> and run <command>gdb ppp
             <replaceable>PID</replaceable></command>.  From the gdb
             prompt, you can then use <command>bt</command> to get a
             stack trace.</para>
 
           <para>Send the results to &a.brian;.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="ppp-loginok-thennothing">
           <para>Why does nothing happen after the <quote>Login OK!</quote>
             message?</para>
         </question>
 
         <answer>
           <para>Prior to FreeBSD version 2.2.5, once the link was
             established, &man.ppp.8; would wait for the peer to
             initiate the Line Control Protocol (LCP).  Many ISPs will
             not initiate negotiations and expect the client to do so.
             To force &man.ppp.8; to initiate the LCP, use the
             following line:</para>
 
           <programlisting>set openmode active</programlisting>
 
             <note>
               <para>It usually does no harm if both sides initiate
                 negotiation, so openmode is now active by default.
                 However, the next section explains when it
                 <emphasis>does</emphasis> do some harm.</para>
             </note>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="ppp-same-magic">
           <para>I keep seeing errors about magic being the same.  What does
             it mean?</para>
         </question>
 
         <answer>
           <para>Occasionally, just after connecting, you may see messages
             in the log that say <quote>magic is the same</quote>.
             Sometimes, these messages are harmless, and sometimes one side
             or the other exits.  Most PPP implementations cannot survive
             this problem, and even if the link seems to come up, you will see
             repeated configure requests and configure acknowledgments in
             the log file until &man.ppp.8; eventually gives up and closes the
             connection.</para>
 
           <para>This normally happens on server machines with slow
             disks that are spawning a getty on the port, and executing
             &man.ppp.8; from a login script or program after login.  I
             have also heard reports of it happening consistently when
             using slirp.  The reason is that in the time taken between
             &man.getty.8; exiting and &man.ppp.8; starting, the
             client-side &man.ppp.8; starts sending Line Control
             Protocol (LCP) packets.  Because ECHO is still switched on
             for the port on the server, the client &man.ppp.8; sees
             these packets <quote>reflect</quote> back.</para>
 
           <para>One part of the LCP negotiation is to establish a
             magic number for each side of the link so that
             <quote>reflections</quote> can be detected. The protocol
             says that when the peer tries to negotiate the same magic
             number, a NAK should be sent and a new magic number should
             be chosen.  During the period that the server port has
             ECHO turned on, the client &man.ppp.8; sends LCP packets,
             sees the same magic in the reflected packet and NAKs
             it. It also sees the NAK reflect (which also means
             &man.ppp.8; must change its magic). This produces a
             potentially enormous number of magic number changes, all
             of which are happily piling into the server's tty
             buffer. As soon as &man.ppp.8; starts on the server, it is
             flooded with magic number changes and almost immediately
             decides it has tried enough to negotiate LCP and gives
             up. Meanwhile, the client, who no longer sees the
             reflections, becomes happy just in time to see a hangup
             from the server.</para>
 
           <para>This can be avoided by allowing the peer to start
             negotiating with the following line in your ppp.conf
             file:</para>
 
           <programlisting>set openmode passive</programlisting>
 
           <para>This tells &man.ppp.8; to wait for the server to initiate LCP
             negotiations.  Some servers however may never initiate
             negotiations.  If this is the case, you can do something
             like:</para>
 
           <programlisting>set openmode active 3</programlisting>
 
           <para>This tells &man.ppp.8; to be passive for 3 seconds, and then to
             start sending LCP requests.  If the peer starts sending
             requests during this period, &man.ppp.8; will immediately respond
             rather than waiting for the full 3 second period.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="ppp-lcp-constant">
           <para>LCP negotiations continue until the connection is
             closed.  What is wrong?</para>
         </question>
 
         <answer>
           <para>There is currently an implementation mis-feature in
             &man.ppp.8; where it does not associate
             LCP, CCP &amp; IPCP responses with their original requests. As
             a result, if one PPP
             implementation is more than 6 seconds slower than the other
             side, the other side will send two additional LCP configuration
             requests. This is fatal.</para>
 
           <para>Consider two implementations,
             <hostid>A</hostid> and
             <hostid>B</hostid>. <hostid>A</hostid> starts
             sending LCP requests immediately after connecting and
             <hostid>B</hostid> takes 7 seconds to start. When
             <hostid>B</hostid> starts, <hostid>A</hostid>
             has sent 3 LCP REQs. We are assuming the line has ECHO switched
             off, otherwise we would see magic number problems as described in
             the previous section. <hostid>B</hostid> sends a
             REQ, then an ACK to the first of
             <hostid>A</hostid>'s REQs. This results in
             <hostid>A</hostid> entering the <acronym>OPENED</acronym>
             state and sending and ACK (the first) back to
             <hostid>B</hostid>. In the meantime,
             <hostid>B</hostid> sends back two more ACKs in response to
             the two additional REQs sent by <hostid>A</hostid>
             before <hostid>B</hostid> started up.
             <hostid>B</hostid> then receives the first ACK from
             <hostid>A</hostid> and enters the
             <acronym>OPENED</acronym> state.
             <hostid>A</hostid> receives the second ACK from
             <hostid>B</hostid> and goes back to the
             <acronym>REQ-SENT</acronym> state, sending another (forth) REQ
             as per the RFC. It then receives the third ACK and enters the
             <acronym>OPENED</acronym> state. In the meantime,
             <hostid>B</hostid> receives the forth REQ from
             <hostid>A</hostid>, resulting in it reverting to the
             <acronym>ACK-SENT</acronym> state and sending
             another (second) REQ and (forth) ACK as per the RFC.
             <hostid>A</hostid> gets the REQ, goes into
             <acronym>REQ-SENT</acronym> and sends another REQ. It
             immediately receives the following ACK and enters
             <acronym>OPENED</acronym>.</para>
 
           <para>This goes on until one side figures out that they are
             getting nowhere and gives up.</para>
 
           <para>The best way to avoid this is to configure one side to be
             <literal>passive</literal> - that is, make one side
             wait for the other to start negotiating.  This can be done
             with the</para>
 
           <programlisting>set openmode passive</programlisting>
 
           <para>command.  Care should be taken with this option.  You
             should also use the</para>
 
           <programlisting>set stopped N</programlisting>
 
           <para>command to limit the amount of time that
             &man.ppp.8; waits for the peer to begin
             negotiations.  Alternatively, the</para>
 
           <programlisting>set openmode active N</programlisting>
 
           <para>command (where <replaceable>N</replaceable> is the
             number of seconds to wait before starting negotiations) can be
             used.  Check the manual page for details.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="ppp-shell-test-lockup">
           <para>Why does &man.ppp.8; lock up when I shell out to test
             it?</para>
         </question>
 
         <answer>
           <para>When you execute the <command>shell</command> or
             <command>!</command> command, &man.ppp.8; executes a
             shell (or if you have passed any arguments,
             &man.ppp.8; will execute those arguments). Ppp will
             wait for the command to complete before continuing. If you
             attempt to use the PPP link while running the command, the link
             will appear to have frozen. This is because
             &man.ppp.8; is waiting for the command to
             complete.</para>
 
           <para>If you wish to execute commands like this, use the
             <command>!bg</command> command instead.  This will execute
             the given command in the background, and &man.ppp.8; can
             continue to service the link.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="ppp-nullmodem">
           <para>Why does &man.ppp.8; over a null-modem cable never exit?</para>
         </question>
 
         <answer>
           <para>There is no way for &man.ppp.8; to
             automatically determine that a direct connection has been
             dropped.  This is due to the lines that are used in a
             null-modem serial cable.  When using this sort of connection,
             LQR should always be enabled with the line</para>
 
           <programlisting>enable lqr</programlisting>
 
           <para>LQR is accepted by default if negotiated by the peer.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="ppp-auto-noreasondial">
           <para>Why does &man.ppp.8; dial for no reason in -auto mode?</para>
         </question><answer>
 
           <para>If &man.ppp.8; is dialing unexpectedly, you must
             determine the cause, and set up Dial filters (dfilters) to
             prevent such dialing.</para>
 
           <para>To determine the cause, use the following line:</para>
 
           <programlisting>set log +tcp/ip</programlisting>
 
           <para>This will log all traffic through the connection.  The
             next time the line comes up unexpectedly, you will see the
             reason logged with a convenient timestamp next to
             it.</para>
 
           <para>You can now disable dialing under these circumstances.
             Usually, this sort of problem arises due to DNS lookups.
             To prevent DNS lookups from establishing a connection
             (this will <emphasis>not</emphasis> prevent &man.ppp.8;
             from passing the packets through an established
             connection), use the following:</para>
 
           <programlisting>set dfilter 1 deny udp src eq 53
 set dfilter 2 deny udp dst eq 53
 set dfilter 3 permit 0/0 0/0</programlisting>
 
           <para>This is not always suitable, as it will effectively
             break your demand-dial capabilities - most programs will
             need a DNS lookup before doing any other network related
             things.</para>
 
           <para>In the DNS case, you should try to determine what is
             actually trying to resolve a host name.  A lot of the
             time, &man.sendmail.8; is the culprit.  You should make
             sure that you tell sendmail not to do any DNS lookups in
             its configuration file.  See the section on <ulink
             url="&url.books.handbook;/smtp-dialup.html">using email with a
             dialup connection</ulink> in the FreeBSD Handbook for
             details on how to create your own configuration file and
             what should go into it.  You may also want to add the
             following line to your <filename>.mc</filename>
             file:</para>
 
           <programlisting>define(`confDELIVERY_MODE', `d')dnl</programlisting>
 
           <para>This will make sendmail queue everything until the
             queue is run (usually, sendmail is invoked with
             <option>-bd -q30m</option>, telling it to run the queue
             every 30 minutes) or until a <command>sendmail
             -q</command> is done (perhaps from your ppp.linkup
             file).</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="ccp-errors">
           <para>What do these CCP errors mean?</para>
         </question>
 
         <answer>
           <para>I keep seeing the following errors in my log file:</para>
 
           <programlisting>CCP: CcpSendConfigReq
 CCP: Received Terminate Ack (1) state = Req-Sent (6)</programlisting>
 
           <para>This is because &man.ppp.8; is trying to negotiate Predictor1
             compression, and the peer does not want to negotiate any
             compression at all.  The messages are harmless, but if you
             wish to remove them, you can disable Predictor1 compression
             locally too:</para>
 
           <programlisting>disable pred1</programlisting>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="ppp-connectionspeed">
           <para>Why does &man.ppp.8; not log my connection speed?</para>
         </question>
 
         <answer>
 
           <para>In order to log all lines of your modem
             <quote>conversation</quote>, you must enable the
             following:</para>
 
           <programlisting>set log +connect</programlisting>
 
           <para>This will make &man.ppp.8; log
             everything up until the last requested <quote>expect</quote>
             string.</para>
 
           <para>If you wish to see your connect speed and are using PAP
             or CHAP (and therefore do not have anything to
             <quote>chat</quote> after the CONNECT in the dial script - no
             <literal>set login</literal> script), you must make sure that
             you instruct &man.ppp.8; to <quote>expect</quote> the whole CONNECT
             line, something like this:</para>
 
           <programlisting>set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 4 \
   \"\" ATZ OK-ATZ-OK ATDT\\T TIMEOUT 60 CONNECT \\c \\n"</programlisting>
 
           <para>Here, we get our CONNECT, send nothing, then expect a
             line-feed, forcing &man.ppp.8; to read
             the whole CONNECT response.</para>
 
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="ppp-ignores-backslash">
           <para>Why does &man.ppp.8; ignore the <literal>\</literal> character
             in my chat script?</para>
         </question><answer>
 
           <para>Ppp parses each line in your config files so that it can
             interpret strings such as
             <literal>set phone "123 456 789"</literal> correctly and
             realize that the number is actually only
             <emphasis>one</emphasis> argument. In order to specify a
             <literal>&quot;</literal> character, you must escape it
             using a backslash (<literal>\</literal>).</para>
 
           <para>When the chat interpreter parses each argument, it
             re-interprets the argument in order to find any special
             escape sequences such as <literal>\P</literal> or
             <literal>\T</literal> (see the manual page).  As a result of this
             double-parsing, you must remember to use the correct number of
             escapes.</para>
 
           <para>If you wish to actually send a <literal>\</literal>
             character to (say) your modem, you would need something
             like:</para>
 
           <programlisting>set dial "\"\" ATZ OK-ATZ-OK AT\\\\X OK"</programlisting>
 
           <para>resulting in the following sequence:</para>
 
           <programlisting>ATZ
 OK
 AT\X
 OK</programlisting>
 
           <para>or</para>
 
           <programlisting>set phone 1234567
 set dial "\"\" ATZ OK ATDT\\T"</programlisting>
 
           <para>resulting in the following sequence:</para>
 
           <programlisting>ATZ
 OK
 ATDT1234567</programlisting>
 
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="ppp-segfault-nocore">
           <para>Why does &man.ppp.8; get a seg-fault, but I see no
             <filename>ppp.core</filename> file?</para>
         </question>
 
         <answer>
           <para>Ppp (or any other program for that matter) should
             never dump core.  Because &man.ppp.8; runs with an
             effective user id of 0, the operating system will not
             write &man.ppp.8;'s core image to disk before terminating
             it.  If, however &man.ppp.8; is actually terminating due
             to a segmentation violation or some other signal that
             normally causes core to be dumped,
             <emphasis>and</emphasis> you are sure you are using the
             latest version (see the start of this section), then you
             should do the following:</para>
 
           <screen>&prompt.user; <userinput>tar xfz ppp-*.src.tar.gz</userinput>
 &prompt.user; <userinput>cd ppp*/ppp</userinput>
 &prompt.user; <userinput>echo STRIP= &gt;&gt;Makefile</userinput>
 &prompt.user; <userinput>echo CFLAGS+=-g &gt;&gt;Makefile</userinput>
 &prompt.user; <userinput>make clean all</userinput>
 &prompt.user; <userinput>su</userinput>
 &prompt.root; <userinput>make install</userinput>
 &prompt.root; <userinput>chmod 555 /usr/sbin/ppp</userinput></screen>
 
           <para>You will now have a debuggable version of &man.ppp.8;
             installed.  You will have to be <username>root</username>
             to run &man.ppp.8; as all of its privileges have been
             revoked.  When you start &man.ppp.8;, take a careful note
             of what your current directory was at the time.</para>
 
           <para>Now, if and when &man.ppp.8; receives the segmentation
             violation, it will dump a core file called
             <filename>ppp.core</filename>.  You should then do the
             following:</para>
 
           <screen>&prompt.user; <userinput>su</userinput>
 &prompt.root; <userinput>gdb /usr/sbin/ppp ppp.core</userinput>
 <prompt>(gdb)</prompt> <userinput>bt</userinput>
 .....
 <prompt>(gdb)</prompt> <userinput>f 0</userinput>
 ....
 <prompt>(gdb)</prompt> <userinput>i args</userinput>
 ....
 <prompt>(gdb)</prompt> <userinput>l</userinput>
 .....</screen>
 
           <para>All of this information should be given alongside your
             question, making it possible to diagnose the problem.</para>
 
           <para>If you are familiar with gdb, you may wish to find out some
             other bits and pieces such as what actually caused the dump and
             the addresses &amp; values of the relevant variables.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="ppp-autodialprocess-noconnect">
           <para>Why does the process that forces a dial in auto mode never
             connect?</para>
         </question>
 
         <answer>
           <para>This was a known problem with
             &man.ppp.8; set up to negotiate a
             dynamic local IP number with the peer in auto mode.  It is
             fixed in the latest version - search the manual page for
             <literal>iface</literal>.</para>
 
           <para>The problem was that when that initial program calls
             &man.connect.2;, the IP number of the tun interface is assigned
             to the socket endpoint. The kernel creates the first outgoing
             packet and writes it to the tun device.
             &man.ppp.8; then reads the packet and
             establishes a connection. If, as a result of
             &man.ppp.8;'s dynamic IP assignment, the
             interface address is changed, the original socket endpoint will
             be invalid. Any subsequent packets sent to the peer will
             usually be dropped. Even if they are not, any responses will
             not route back to the originating machine as the IP number is
             no longer owned by that machine.</para>
 
           <para>There are several theoretical ways to approach this
             problem. It would be nicest if the peer would re-assign the
             same IP number if possible <literal>:-)</literal>
             The current version of &man.ppp.8; does
             this, but most other implementations do not.</para>
 
           <para>The easiest method from our side would be to never
             change the tun interface IP number, but instead to change
             all outgoing packets so that the source IP number is
             changed from the interface IP to the negotiated IP on the
             fly. This is essentially what the
             <literal>iface-alias</literal> option in the latest
             version of &man.ppp.8; is doing (with the help of
             &man.libalias.3; and &man.ppp.8;'s <option>-nat</option>
             switch) - it is maintaining all previous interface
             addresses and NATing them to the last negotiated
             address.</para>
 
           <para>Another alternative (and probably the most reliable) would
             be to implement a system call that changes all bound sockets
             from one IP to another.  &man.ppp.8; would
             use this call to modify the sockets of all existing programs
             when a new IP number is negotiated. The same system call could
             be used by dhcp clients when they are forced to re-bind() their
             sockets.</para>
 
           <para>Yet another possibility is to allow an interface to be
             brought up without an IP number. Outgoing packets would be
             given an IP number of 255.255.255.255 up until the first
             SIOCAIFADDR ioctl is done. This would result in fully binding
             the socket. It would be up to &man.ppp.8;
             to change the source IP number, but only if it is set to
             255.255.255.255, and only the IP number and IP checksum would
             need to change. This, however is a bit of a hack as the kernel
             would be sending bad packets to an improperly configured
             interface, on the assumption that some other mechanism is
             capable of fixing things retrospectively.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="ppp-nat-games">
           <para>Why do most games not work with the -nat switch?</para>
         </question>
 
         <answer>
           <para>The reason games and the like do not work when libalias
             is in use is that the machine on the outside will try to open a
             connection or send (unsolicited) UDP packets to the machine on
             the inside. The NAT software does not know that it should send
             these packets to the interior machine.</para>
 
           <para>To make things work, make sure that the only thing
             running is the software that you are having problems with, then
             either run tcpdump on the tun interface of the gateway or
             enable &man.ppp.8; tcp/ip logging (<literal>set log +tcp/ip</literal>)
             on the gateway.</para>
 
           <para>When you start the offending software, you should see
             packets passing through the gateway machine. When
             something comes back from the outside, it will be dropped
             (that is the problem). Note the port number of these
             packets then shut down the offending software. Do this a
             few times to see if the port numbers are consistent. If
             they are, then the following line in the relevant section
             of <filename>/etc/ppp/ppp.conf</filename> will make the
             software functional:</para>
 
           <programlisting>nat port <replaceable>proto</replaceable> <replaceable>internalmachine</replaceable>:<replaceable>port</replaceable> <replaceable>port</replaceable></programlisting>
 
           <para>where <replaceable>proto</replaceable> is either
             <literal>tcp</literal> or <literal>udp</literal>,
             <replaceable>internalmachine</replaceable> is the machine that
             you want the packets to be sent to and
             <replaceable>port</replaceable> is the destination port number
             of the packets.</para>
 
           <para>You will not be able to use the software on other machines
             without changing the above command, and running the software
             on two internal machines at the same time is out of the question
             - after all, the outside world is seeing your entire internal
             network as being just a single machine.</para>
 
           <para>If the port numbers are not consistent, there are three
             more options:</para>
 
           <orderedlist>
             <listitem>
               <para>Submit support in libalias. Examples of
                 <quote>special cases</quote> can be found in
                 <filename>/usr/src/lib/libalias/alias_*.c</filename>
                 (<filename>alias_ftp.c</filename> is a good
                 prototype). This usually involves reading certain
                 recognised outgoing packets, identifying the
                 instruction that tells the outside machine to initiate
                 a connection back to the internal machine on a
                 specific (random) port and setting up a
                 <quote>route</quote> in the alias table so that the
                 subsequent packets know where to go.</para>
 
               <para>This is the most difficult solution, but it is the
                 best and will make the software work with multiple
                 machines.</para>
             </listitem>
 
             <listitem>
               <para>Use a proxy.  The application may support socks5
                 for example, or (as in the <quote>cvsup</quote> case)
                 may have a <quote>passive</quote> option that avoids
                 ever requesting that the peer open connections back to
                 the local machine.</para>
             </listitem>
 
             <listitem>
               <para>Redirect everything to the internal machine using
                 <literal>nat addr</literal>.  This is the
                 sledge-hammer approach.</para>
             </listitem>
           </orderedlist>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="useful-port-numbers">
           <para>Has anybody made a list of useful port numbers?</para>
         </question><answer>
 
           <para>Not yet, but this is intended to grow into such a list
             (if any interest is shown).  In each example,
             <replaceable>internal</replaceable> should be replaced with
             the IP number of the machine playing the game.</para>
 
           <itemizedlist>
             <listitem>
               <para><application>Asheron's Call</application></para>
 
               <para><literal>nat port udp
                 <replaceable>internal</replaceable>
                 :65000 65000</literal></para>
 
               <para>Manually change the port number within the game to
                 65000. If you have got a number of machines that you wish
                 to play on assign a unique port number for each (i.e.
                 65001, 65002, etc) and add a <literal>nat port</literal>
                 line for each one.</para>
             </listitem>
 
             <listitem>
               <para><application>Half Life</application></para>
 
               <para><literal>nat port udp
                 <replaceable>internal</replaceable>:27005
                 27015</literal></para>
             </listitem>
 
             <listitem>
               <para><application>PCAnywhere 8.0</application></para>
 
               <para><literal>nat port udp
                 <replaceable>internal</replaceable>:5632
                 5632</literal></para>
 
               <para><literal>nat port tcp
                 <replaceable>internal</replaceable>:5631
                 5631</literal></para>
             </listitem>
 
             <listitem>
               <para><application>Quake</application></para>
 
               <para><literal>nat port udp
                 <replaceable>internal</replaceable>:6112
                 6112</literal></para>
 
               <para>Alternatively, you may want to take a look at <ulink
                 url="http://www.battle.net/support/proxy/">
                 www.battle.net</ulink> for Quake proxy support.</para>
             </listitem>
 
             <listitem>
               <para><application>Quake 2</application></para>
 
               <para><literal>nat port udp
                 <replaceable>internal</replaceable>:27901
                 27910</literal></para>
               <para><literal>nat port udp
                 <replaceable>internal</replaceable>:60021
                 60021</literal></para>
               <para><literal>nat port udp
                 <replaceable>internal</replaceable>:60040
                 60040</literal></para>
             </listitem>
 
             <listitem>
               <para><application>Red Alert</application></para>
 
               <para><literal>nat port udp
                 <replaceable>internal</replaceable>:8675
                 8675</literal></para>
 
               <para><literal>nat port udp
                 <replaceable>internal</replaceable>:5009
                 5009</literal></para>
             </listitem>
           </itemizedlist>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="fcs-errors">
           <para>What are FCS errors?</para>
         </question>
 
         <answer>
           <para>FCS stands for <literal>F</literal>rame
             <literal>C</literal>heck <literal>S</literal>equence.
             Each PPP packet has a checksum attached to ensure that the
             data being received is the data being sent.  If the FCS of
             an incoming packet is incorrect, the packet is dropped and
             the HDLC FCS count is increased.  The HDLC error values
             can be displayed using the <literal>show hdlc</literal>
             command.</para>
 
           <para>If your link is bad (or if your serial driver is dropping
             packets), you will see the occasional FCS error.  This is not
             usually worth worrying about although it does slow down the
             compression protocols substantially.  If you have an external
             modem, make sure your cable is properly shielded from
             interference - this may eradicate the problem.</para>
 
           <para>If your link freezes as soon as you have connected and you
             see a large number of FCS errors, this may be because your link
             is not 8 bit clean. Make sure your modem is not using software
             flow control (XON/XOFF). If your datalink
             <emphasis>must</emphasis> use software flow control, use the
             command <literal>set accmap 0x000a0000</literal> to tell
             &man.ppp.8; to escape the <literal>^Q</literal> and
             <literal>^S</literal> characters.</para>
 
           <para>Another reason for seeing too many FCS errors may be
             that the remote end has stopped talking
             <acronym>PPP</acronym>. You may want to enable
             <literal>async</literal> logging at this point to
             determine if the incoming data is actually a login or
             shell prompt. If you have a shell prompt at the remote
             end, it is possible to terminate &man.ppp.8; without
             dropping the line by using the <literal>close
             lcp</literal> command (a following <literal>term</literal>
             command will reconnect you to the shell on the remote
             machine.</para>
 
           <para>If nothing in your log file indicates why the link might
             have been terminated, you should ask the remote administrator
             (your ISP?) why the session was terminated.</para>
         </answer>
       </qandaentry>
 
       <qandaentry id=PPPoEwithNAT>
         <question id="macos-win98-pppoe-freeze">
           <para>Why do &macos; and &windows; 98 connections freeze when
             running PPPoE on the gateway?</para>
         </question>
 
         <answer>
           <para>Thanks to Michael Wozniak
             <email>mwozniak@netcom.ca</email> for figuring this out and
             Dan Flemming <email>danflemming@mac.com</email> for the Mac
             solution:</para>
 
           <para>This is due to what is called a <quote>Black Hole</quote>
             router.  &macos; and &windows; 98 (and maybe other Microsoft OSs)
             send TCP packets with a requested segment size too big to fit
             into a PPPoE frame (MTU is 1500 by default for Ethernet)
             <emphasis>and</emphasis> have the <quote>do not
             fragment</quote> bit set (default of TCP) and the Telco router
             is not sending ICMP <quote>must fragment</quote> back to the
             www site you are trying to load.  (Alternatively, the router is
             sending the ICMP packet correctly, but the firewall at the www
             site is dropping it.)  When the www server is sending
             you frames that do not fit into the PPPoE pipe the Telco router
             drops them on the floor and your page does not load (some
             pages/graphics do as they are smaller than a MSS.) This seems
             to be the default of most Telco PPPoE configurations (if only
             they knew how to program a router... sigh...)</para>
 
           <para>One fix is to use regedit on your 95/98 boxes to add the
             following registry entry...</para>
 
           <programlisting>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Class\NetTrans\0000\MaxMTU</programlisting>
 
           <para>It should be a string with a value
             <quote>1436</quote>, as some ADSL routers are reported to
             be unable to deal with packets larger than this.  This
             registry key has been changed to
             <literal>Tcpip\Parameters\Interfaces\<replaceable>ID for
             adapter</replaceable>\MTU</literal> in &windows; 2000 and
             becomes a DWORD.</para>
 
           <para>Refer to the Microsoft Knowledge Base documents <ulink
             url="http://support.microsoft.com/support/kb/articles/Q158/4/74.asp">Q158474
             - Windows TCPIP Registry Entries</ulink> and <ulink
             url="http://support.microsoft.com/support/kb/articles/Q120/6/42.asp">Q120642
             - TCPIP & NBT Configuration Parameters for &windowsnt;
             </ulink> for more information on changing &windows; MTU to
             work with a NAT router.</para>
 
           <para>Another regedit possibility under &windows; 2000 is to
             set the
             <literal>Tcpip\Parameters\Interfaces\<replaceable>ID for
             adapter</replaceable>\EnablePMTUBHDetect</literal> DWORD
             to 1 as mentioned in the Microsoft document 120642
             mentioned above.</para>
 
           <para>Unfortunately, &macos; does not provide an interface for
             changing TCP/IP settings. However, there is commercial software
             available, such as OTAdvancedTuner (OT for OpenTransport, the
             &macos; TCP/IP stack) by <ulink
             url="http://www.softworks.com/">Sustainable Softworks</ulink>,
             that will allow users to customize TCP/IP settings. &macos; NAT
             users should select <literal>ip_interface_MTU</literal> from
             the drop-down menu, enter <literal>1450</literal> instead of
             <literal>1500</literal> in the box, click the box next to
             <literal>Save as Auto Configure</literal>, and click
             <literal>Make Active</literal>.</para>
 
           <para>The latest version of &man.ppp.8;
             (2.3 or greater) has an <command>enable tcpmssfixup</command>
             command that will automatically adjust the MSS to an appropriate
             value.  This facility is enabled by default.  If you are stuck
             with an older version of &man.ppp.8;, you
             may want to look at the <application>tcpmssd</application>
             port.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="desperation">
           <para>None of this helps - I am desperate!  What can I do?</para>
         </question>
 
         <answer>
           <para>If all else fails, send as much information as you can,
             including your config files, how you are starting
             &man.ppp.8;, the relevant parts of your
             log file and the output of the <command>netstat -rn</command>
             command (before and after connecting) to the &a.questions; or
             the <ulink url="news:comp.unix.bsd.freebsd.misc">
             comp.unix.bsd.freebsd.misc</ulink> news group, and someone
             should point you in the right direction.</para>
         </answer>
       </qandaentry>
     </qandaset>
   </chapter>
 
   <chapter id="serial">
     <title>Serial Communications</title>
 
     <para>This section answers common questions about serial
       communications with FreeBSD.  PPP and SLIP are covered in the
       <link linkend="networking">Networking</link> section.</para>
 
 
     <qandaset>
       <qandaentry>
         <question id="found-serial">
           <para>How do I tell if FreeBSD found my serial ports?</para>
         </question>
 
         <answer>
           <para>As the FreeBSD kernel boots, it will probe for the serial
             ports in your system for which the kernel was configured.
             You can either watch your system closely for the messages it
             prints or run the command</para>
 
           <screen>&prompt.user; <userinput>dmesg | grep sio</userinput></screen>
 
           <para>after your system is up and running.</para>
 
           <para>Here is some example output from the above command:</para>
 
           <programlisting>sio0 at 0x3f8-0x3ff irq 4 on isa
 sio0: type 16550A
 sio1 at 0x2f8-0x2ff irq 3 on isa
 sio1: type 16550A</programlisting>
 
           <para>This shows two serial ports.  The first is on irq 4, is
             using port address <literal>0x3f8</literal>, and has a
             16550A-type UART chip.  The second uses the same kind of chip
             but is on irq 3 and is at port address <literal>0x2f8</literal>.
             Internal modem cards are treated just like serial ports---except
             that they always have a modem <quote>attached</quote> to the
             port.</para>
 
           <para>The <filename>GENERIC</filename> kernel includes support
             for two serial ports using the same irq and port address
             settings in the above example.  If these settings are not
             right for your system, or if you have added modem cards or have
             more serial ports than your kernel is configured for, just
             reconfigure your kernel.  See section
             <link linkend="make-kernel">about building a kernel</link> for
             more details.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="found-modem">
           <para>How do I tell if FreeBSD found my modem cards?</para>
         </question>
 
         <answer>
           <para>Refer to the answer to the previous question.</para>
 
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="access-serial-ports">
           <para>How do I access the serial ports on FreeBSD?</para>
         </question>
 
         <answer>
           <para>The third serial port, <devicename>sio2</devicename>
             (see &man.sio.4;, known as <devicename>COM3</devicename> in DOS), is on
             <devicename>/dev/cuaa2</devicename> for dial-out devices,
             and on <devicename>/dev/ttyd2</devicename> for dial-in
             devices.  What is the difference between these two classes
             of devices?</para>
 
           <para>You use
             <devicename>ttyd<replaceable>X</replaceable></devicename>
             for dial-ins.  When opening
             <devicename>/dev/ttyd<replaceable>X</replaceable></devicename>
             in blocking mode, a process will wait for the
             corresponding
             <devicename>cuaa<replaceable>X</replaceable></devicename>
             device to become inactive, and then wait for the carrier
             detect line to go active.  When you open the
             <devicename>cuaa<replaceable>X</replaceable></devicename>
             device, it makes sure the serial port is not already in
             use by the
             <devicename>ttyd<replaceable>X</replaceable></devicename>
             device. If the port is available, it <quote>steals</quote>
             it from the
             <devicename>ttyd<replaceable>X</replaceable></devicename>
             device. Also, the
             <devicename>cuaa<replaceable>X</replaceable></devicename>
             device does not care about carrier detect. With this
             scheme and an auto-answer modem, you can have remote users
             log in and you can still dial out with the same modem and
             the system will take care of all the conflicts.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="enable-multiport-serial">
           <para>How do I enable support for a multiport serial
             card?</para>
         </question>
 
         <answer>
           <para>Again, the section on kernel configuration provides
             information about configuring your kernel. For a multiport
             serial card, place an &man.sio.4; line for each serial
             port on the card in the kernel configuration file. But
             place the irq and vector specifiers on only one of the
             entries. All of the ports on the card should share one
             irq.  For consistency, use the last serial port to specify
             the irq.  Also, specify the
             <literal>COM_MULTIPORT</literal> option.</para>
 
           <para>The following example is for an AST 4-port serial card on
             irq 7:</para>
 
           <programlisting>options "COM_MULTIPORT"
 device sio4 at isa? port 0x2a0 tty flags 0x781
 device sio5 at isa? port 0x2a8 tty flags 0x781
 device sio6 at isa? port 0x2b0 tty flags 0x781
 device sio7 at isa? port 0x2b8 tty flags 0x781 irq 7 vector siointr</programlisting>
 
           <para>The flags indicate that the master port has minor number 7
             (<literal>0x700</literal>), diagnostics enabled during probe
             (<literal>0x080</literal>), and all the ports share an irq
             (<literal>0x001</literal>).</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="multiport-serial-share-irq">
           <para>Can FreeBSD handle multiport serial cards sharing
             irqs?</para>
         </question>
 
         <answer>
           <para>Not yet. You will have to use a different irq for each
             card.</para>
 
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="default-serial-params">
           <para>Can I set the default serial parameters for a
             port?</para>
         </question>
 
         <answer>
           <para>The
             <devicename>ttyd<replaceable>X</replaceable></devicename>
             (or
             <devicename>cuaa<replaceable>X</replaceable></devicename>)
             device is the regular device you will want to open for
             your applications.  When a process opens the device, it
             will have a default set of terminal I/O settings. You can
             see these settings with the command</para>
 
           <screen>&prompt.root; <userinput>stty -a -f /dev/ttyd1</userinput></screen>
 
           <para>When you change the settings to this device, the settings
             are in effect until the device is closed.  When it is reopened,
             it goes back to the default set.  To make changes to the
             default set, you can open and adjust the settings of the
             <quote>initial state</quote> device. For example, to turn on
             <acronym>CLOCAL</acronym> mode, 8 bits, and
             <acronym>XON/XOFF</acronym> flow control by default for
             ttyd5, do:</para>
 
           <screen>&prompt.root; <userinput>stty -f /dev/ttyid5 clocal cs8 ixon ixoff</userinput></screen>
 
           <para>A good place to do this is in
             <filename>/etc/rc.serial</filename>. Now, an application
             will have these settings by default when it opens
             <filename>ttyd5</filename>.  It can still change these
             settings to its liking, though.</para>
 
           <para>You can also prevent certain settings from being
             changed by an application by making adjustments to the
             <quote>lock state</quote> device.  For example, to lock
             the speed of <devicename>ttyd5</devicename> to 57600 bps,
             do</para>
 
           <screen>&prompt.root; <userinput>stty -f /dev/ttyld5 57600</userinput></screen>
 
           <para>Now, an application that opens
             <devicename>ttyd5</devicename> and tries to change the
             speed of the port will be stuck with 57600 bps.</para>
 
           <para>Naturally, you should make the initial state and lock
             state devices writable only by
             <username>root</username>. The &man.MAKEDEV.8; script does
             <emphasis>NOT</emphasis> do this when it creates the
             device entries.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="enable-dialup">
           <para>How can I enable dialup logins on my modem?</para>
         </question>
 
         <answer>
           <para>So you want to become an Internet service provider, eh?
             First, you will need one or more modems that can auto-answer.
             Your modem will need to assert carrier-detect when it detects a
             carrier and not assert it all the time. It will need to hang up
             the phone and reset itself when the data terminal ready
             (<acronym>DTR</acronym>) line goes from on to off. It should
             probably use <filename>RTS/CTS</filename> flow control or no
             local flow control at all. Finally, it must use a constant
             speed between the computer and itself, but (to be nice to your
             callers) it should negotiate a speed between itself and the
             remote modem.</para>
 
           <para>For many Hayes command-set--compatible modems, this
             command will make these settings and store them in
             nonvolatile memory:</para>
 
           <programlisting>AT &amp;C1 &amp;D3 &amp;K3 &amp;Q6 S0=1 &amp;W</programlisting>
 
           <para>See the section <link linkend="direct-at">on sending AT
             commands</link> below for information on how to make these
             settings without resorting to an &ms-dos; terminal program.</para>
 
           <para>Next, make an entry in <filename>/etc/ttys</filename>
             (see &man.ttys.5;) for the modem.  This file lists all the
             ports on which the operating system will await logins.
             Add a line that looks something like this:</para>
 
           <programlisting>ttyd1 "/usr/libexec/getty std.57600" dialup on insecure</programlisting>
 
           <para>This line indicates that the second serial port
             (<devicename>/dev/ttyd1</devicename>) has a modem
             connected running at 57600 bps and no parity
             (<literal>std.57600</literal>, which comes from the file
             <filename>/etc/gettytab</filename>, see &man.gettytab.5;).
             The terminal type for this port is
             <literal>dialup</literal>.  The port is
             <literal>on</literal> and is
             <literal>insecure</literal>---meaning
             <username>root</username> logins on the port are not
             allowed. For dialin ports like this one, use the
             <devicename>ttyd<replaceable>X</replaceable></devicename>
             entry.</para>
 
           <para>It is common practice to use <literal>dialup</literal>
             as the terminal type. Many users set up in their
             <filename>.profile</filename> or
             <filename>.login</filename> files a prompt for the actual
             terminal type if the starting type is dialup. The example
             shows the port as insecure. To become
             <username>root</username> on this port, you have to login
             as a regular user, then &man.su.1; to become
             <username>root</username>. If you use
             <literal>secure</literal> then <username>root</username>
             can login in directly.</para>
 
           <para>After making modifications to
             <filename>/etc/ttys</filename>, you need to send a hangup
             or <acronym>HUP</acronym> signal to the &man.init.8;
             process:</para>
 
           <screen>&prompt.root; <userinput>kill -HUP 1</userinput></screen>
 
           <para>This forces the &man.init.8; process to reread
             <filename>/etc/ttys</filename>.  The init process will
             then start getty processes on all <literal>on</literal>
             ports.  You can find out if logins are available for your
             port by typing</para>
 
           <screen>&prompt.user; <userinput>ps -ax | grep '[t]tyd1'</userinput></screen>
 
           <para>You should see something like:</para>
 
           <programlisting>747 ??  I      0:00.04 /usr/libexec/getty std.57600 ttyd1</programlisting>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="dumb-terminal">
           <para>How can I connect a dumb terminal to my FreeBSD
             box?</para>
         </question>
 
         <answer>
           <para>If you are using another computer as a terminal into your
             FreeBSD system, get a null modem cable to go between the two
             serial ports.  If you are using an actual terminal, see its
             accompanying instructions.</para>
 
           <para>Then, modify <filename>/etc/ttys</filename> (see
             &man.ttys.5;), like above.  For example, if you are
             hooking up a WYSE-50 terminal to the fifth serial port,
             use an entry like this:</para>
 
           <programlisting>ttyd4 "/usr/libexec/getty std.38400" wyse50 on secure</programlisting>
 
           <para>This example shows that the port on
             <devicename>/dev/ttyd4</devicename> has a wyse50 terminal
             connected at 38400 bps with no parity
             (<literal>std.38400</literal> from
             <filename>/etc/gettytab</filename>, see &man.gettytab.5;)
             and <username>root</username> logins are allowed
             (<literal>secure</literal>).</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="cannot-tip">
           <para>Why can I not run <command>tip</command> or
             <command>cu</command>?</para>
         </question>
 
         <answer>
           <para>On your system, the programs &man.tip.1; and
             &man.cu.1; are probably executable only by
             <username>uucp</username> and group
             <groupname>dialer</groupname>.  You can use the group
             <groupname>dialer</groupname> to control who has access to
             your modem or remote systems.  Just add yourself to group
             dialer.</para>
 
           <para>Alternatively, you can let everyone on your system run
             &man.tip.1; and &man.cu.1; by typing:</para>
 
           <screen>&prompt.root; <userinput>chmod 4511 /usr/bin/cu</userinput>
 &prompt.root; <userinput>chmod 4511 /usr/bin/tip</userinput></screen>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="hayes-unsupported">
           <para>My stock Hayes modem is not supported---what
             can I do?</para>
         </question>
 
         <answer>
           <para>Actually, the manual page for &man.tip.1; is out of
             date.  There is a generic Hayes dialer already built in.
             Just use <literal>at=hayes</literal> in your
             <filename>/etc/remote</filename> (see &man.remote.5;)
             file.</para>
 
           <para>The Hayes driver is not smart enough to recognize some of
             the advanced features of newer modems---messages like
             <literal>BUSY</literal>, <literal>NO DIALTONE</literal>, or
             <literal>CONNECT 115200</literal> will just confuse it. You
             should turn those messages off when you use &man.tip.1;
             (using <literal>ATX0&amp;W</literal>).</para>
 
           <para>Also, the dial timeout for &man.tip.1; is 60
             seconds.  Your modem should use something less, or else tip
             will think there is a communication problem.  Try
             <literal>ATS7=45&amp;W</literal>.</para>
 
           <para>Actually, as shipped &man.tip.1; does not yet
             support it fully. The solution is to edit the file
             <filename>tipconf.h</filename> in the directory
             <filename>/usr/src/usr.bin/tip/tip</filename>.  Obviously you
             need the source distribution to do this.</para>
 
           <para>Edit the line <literal>#define HAYES 0</literal>
             to <literal>#define HAYES 1</literal>. Then
             <command>make</command> and <command>make install</command>.
             Everything works nicely after that.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="direct-at">
           <para>How am I expected to enter these AT commands?</para>
         </question>
 
         <answer>
           <para>Make what is called a <quote>direct</quote> entry in
             your <filename>/etc/remote</filename> file (see
             &man.remote.5;).  For example, if your modem is hooked up
             to the first serial port,
             <devicename>/dev/cuaa0</devicename>, then put in the
             following line:</para>
 
           <programlisting>cuaa0:dv=/dev/cuaa0:br#19200:pa=none</programlisting>
 
           <para>Use the highest bps rate your modem supports in the br
             capability.  Then, type <command>tip
             <devicename>cuaa0</devicename></command> (see &man.tip.1;)
             and you will be connected to your modem.</para>
 
           <para>If there is no <devicename>/dev/cuaa0</devicename> on your
             system, do this:</para>
 
           <screen>&prompt.root; <userinput>cd /dev</userinput>
 &prompt.root; <userinput>sh MAKEDEV cuaa0</userinput></screen>
 
           <para>Or use cu as <username>root</username> with the
             following command:</para>
 
           <screen>&prompt.root; <userinput>cu -l<replaceable>line</replaceable> -s<replaceable>speed</replaceable></userinput></screen>
 
           <para>with <replaceable>line</replaceable> being the serial
             port (e.g.  <devicename>/dev/cuaa0</devicename>) and
             <replaceable>speed</replaceable> being the speed
             (e.g.<literal>57600</literal>).  When you are done
             entering the AT commands hit <literal>~.</literal> to
             exit.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="gt-failure">
           <para>Why does the <literal>&lt;@&gt;</literal> sign for the pn
             capability not work?</para></question><answer>
 
           <para>The <literal>&lt;@&gt;</literal> sign in the phone
             number capability tells tip to look in
             <filename>/etc/phones</filename> for a phone number.  But
             the <literal>&lt;@&gt;</literal> sign is also a special
             character in capability files like
             <filename>/etc/remote</filename>.  Escape it with a
             backslash:</para>
 
           <programlisting>pn=\@</programlisting>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="dial-command-line">
           <para>How can I dial a phone number on the command
             line?</para>
         </question><answer>
 
           <para>Put what is called a <quote>generic</quote> entry in
             your <filename>/etc/remote</filename> file (see
             &man.remote.5;).  For example:</para>
 
           <programlisting>tip115200|Dial any phone number at 115200 bps:\
         :dv=/dev/cuaa0:br#115200:at=hayes:pa=none:du:
 tip57600|Dial any phone number at 57600 bps:\
         :dv=/dev/cuaa0:br#57600:at=hayes:pa=none:du:</programlisting>
 
           <para>Then you can do something like <command>tip -115200
             5551234</command>.  If you prefer &man.cu.1; over
             &man.tip.1;, use a generic cu entry:</para>
 
           <programlisting>cu115200|Use cu to dial any number at 115200bps:\
         :dv=/dev/cuaa1:br#57600:at=hayes:pa=none:du:</programlisting>
 
           <para>and type <command>cu 5551234 -s 115200</command>.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="set-bps">
           <para>Do I have to type in the bps rate every time I do
             that?</para>
         </question><answer>
 
           <para>Put in an entry for <literal>tip1200</literal> or
             <literal>cu1200</literal>, but go ahead and use whatever
             bps rate is appropriate with the br capability.
             &man.tip.1; thinks a good default is 1200 bps which is why
             it looks for a <literal>tip1200</literal> entry. You do
             not have to use 1200 bps, though.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="terminal-server">
           <para>How can I more easily access a number of hosts through a
             terminal server?</para>
         </question>
 
         <answer>
           <para>Rather than waiting until you are connected and typing
             <literal>CONNECT <replaceable>host</replaceable></literal>
             each time, use tip's <literal>cm</literal> capability. For
             example, these entries in
             <filename>/etc/remote</filename> (see &man.remote.5;):</para>
 
           <programlisting>pain|pain.deep13.com|Forrester's machine:\
         :cm=CONNECT pain\n:tc=deep13:
 muffin|muffin.deep13.com|Frank's machine:\
         :cm=CONNECT muffin\n:tc=deep13:
 deep13:Gizmonics Institute terminal server:\
         :dv=/dev/cuaa2:br#38400:at=hayes:du:pa=none:pn=5551234:</programlisting>
 
           <para>will let you type <command>tip pain</command> or
             <command>tip muffin</command> to connect to the hosts
             <hostid>pain</hostid> or <hostid>muffin</hostid>; and
             <command>tip deep13</command> to get to the terminal
             server.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="tip-multiline">
           <para>Can tip try more than one line for each site?</para>
         </question>
 
         <answer>
           <para>This is often a problem where a university has several
             modem lines and several thousand students trying to use
             them...</para>
 
           <para>Make an entry for your university in
             <filename>/etc/remote</filename> (see &man.remote.5;) and
             use <literal>&lt;\@&gt;</literal> for the
             <literal>pn</literal> capability:</para>
 
           <programlisting>big-university:\
         :pn=\@:tc=dialout
 dialout:\
         :dv=/dev/cuaa3:br#9600:at=courier:du:pa=none:</programlisting>
 
           <para>Then, list the phone numbers for the university in
             <filename>/etc/phones</filename> (see &man.phones.5;):</para>
 
           <programlisting>big-university 5551111
 big-university 5551112
 big-university 5551113
 big-university 5551114</programlisting>
 
           <para>&man.tip.1;
             will try each one in the listed order, then give
             up.  If you want to keep retrying, run &man.tip.1;
             in a while loop.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="multi-controlp">
           <para>Why do I have to hit <keycombo
             action="simul"><keycap>CTRL</keycap><keycap>P</keycap></keycombo>
             twice to send <keycombo
             action="simul"><keycap>CTRL</keycap><keycap>P</keycap></keycombo>
             once?</para>
         </question>
 
         <answer>
           <para><keycombo
             action="simul"><keycap>CTRL</keycap><keycap>P</keycap></keycombo>
             is the default <quote>force</quote> character, used to
             tell &man.tip.1; that the next character is literal data.
             You can set the force character to any other character
             with the <literal>~s</literal> escape, which means
             <quote>set a variable</quote>.</para>
 
           <para>Type <literal>~sforce=<replaceable>single-char
             </replaceable></literal> followed by a newline.
             <replaceable>single-char</replaceable> is any single
             character.  If you leave out
             <replaceable>single-char</replaceable>, then the force
             character is the nul character, which you can get by
             typing <keycombo
             action="simul"><keycap>CTRL</keycap><keycap>2</keycap></keycombo>
             or <keycombo
             action="simul"><keycap>CTRL</keycap><keycap>SPACE</keycap></keycombo>.
             A pretty good value for
             <replaceable>single-char</replaceable> is <keycombo
             action="simul"><keycap>SHIFT</keycap><keycap>CTRL</keycap><keycap>6</keycap></keycombo>,
             which I have seen only used on some terminal
             servers.</para>
 
           <para>You can have the force character be whatever you want
             by specifying the following in your
             <filename>$HOME/.tiprc</filename> file:</para>
 
           <programlisting>force=<replaceable>single-char</replaceable></programlisting>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="uppercase">
           <para>Why is everything I type suddenly in UPPER CASE?</para>
         </question>
 
         <answer>
           <para>You must have pressed <keycombo
             action="simul"><keycap>CTRL</keycap><keycap>A</keycap></keycombo>,
             &man.tip.1; <quote>raise character</quote>, specially
             designed for people with broken <keycap>Caps Lock</keycap>
             keys. Use <literal>~s</literal> as above and set the
             variable <quote>raisechar</quote> to something reasonable.
             In fact, you can set it to the same as the force
             character, if you never expect to use either of these
             features.</para>
 
           <para>Here is a sample .tiprc file perfect for Emacs users
             who need to type <keycombo
             action="simul"><keycap>CTRL</keycap><keycap>2</keycap></keycombo>
             and <keycombo
             action="simul"><keycap>CTRL</keycap><keycap>A</keycap></keycombo>
             a lot:</para>
 
           <programlisting>force=^^
 raisechar=^^</programlisting>
 
 <para>The ^^ is <keycombo action="simul"><keycap>SHIFT</keycap><keycap>CTRL</keycap><keycap>6</keycap></keycombo>.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="tip-filetransfer">
           <para>How can I do file transfers with
             <command>tip</command>?</para>
         </question>
 
         <answer>
           <para>If you are talking to another &unix; system, you can
             send and receive files with <literal>~p</literal> (put)
             and <literal>~t</literal> (take).  These commands run
             &man.cat.1; and &man.echo.1; on the remote system to
             accept and send files.  The syntax is:</para>
 
           <programlisting>~p &lt;local-file&gt; [&lt;remote-file&gt;]
 ~t &lt;remote-file&gt; [&lt;local-file&gt;]</programlisting>
 
           <para>There is no error checking, so you probably should use
             another protocol, like zmodem.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="zmodem-tip">
           <para>How can I run zmodem with
             <application>tip</application>?</para>
         </question>
 
         <answer>
           <para>First, install one of the zmodem programs from the
             ports collection (such as one of the two from the comms
             category, <application>lrzsz</application> or
             <application>rzsz</application>.</para>
 
           <para>To receive files, start the sending program on the
             remote end.  Then, press enter and type <literal>~C
             rz</literal> (or <literal>~C lrz</literal> if you
             installed <application>lrzsz</application>) to begin
             receiving them locally.</para>
 
           <para>To send files, start the receiving program on the
             remote end.  Then, press enter and type <literal>~C sz
             <replaceable>files</replaceable></literal> (or <literal>~C
             lsz <replaceable>files</replaceable></literal>) to send
             them to the remote system.</para>
         </answer>
       </qandaentry>
     </qandaset>
   </chapter>
 
   <chapter id="misc">
     <title>Miscellaneous Questions</title>
 
     <qandaset>
       <qandaentry>
         <question id="more-swap">
           <para>FreeBSD uses far more swap space than &linux;. Why?</para>
         </question>
 
         <answer>
           <para>FreeBSD only appears to use more swap than &linux;.  In
             actual fact, it does not. The main difference between FreeBSD
             and &linux; in this regard is that FreeBSD will proactively move
             entirely idle, unused pages of main memory into swap in order
             to make more main memory available for active use. &linux; tends
             to only move pages to swap as a last resort. The perceived
             heavier use of swap is balanced by the more efficient use of
             main memory.</para>
 
           <para>Note that while FreeBSD is proactive in this regard, it
             does not arbitrarily decide to swap pages when the system is
             truly idle.  Thus you will not find your system all paged
             out when you get up in the morning after leaving it idle
             overnight.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="top-freemem">
           <para>Why does <command>top</command> show very little free
             memory even when I have very few programs running?</para>
         </question>
 
         <answer>
           <para>The simple answer is that free memory is wasted
             memory.  Any memory that your programs do not actively
             allocate is used within the FreeBSD kernel as disk
             cache.  The values shown by &man.top.1; labeled as
             <literal>Inact</literal>, <literal>Cache</literal>, and
             <literal>Buf</literal> are all cached data at different
             aging levels.  This cached data means the system does
             not have to access a slow disk again for data it has
             accessed recently, thus increasing overall performance.
             In general, a low value shown for <literal>Free</literal>
             memory in &man.top.1; is good, provided it is not
             <emphasis>very</emphasis> low.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="chmod-symlinks">
           <para>Why will <command>chmod</command> not change the
             permissions on symlinks?</para>
         </question>
 
         <answer>
           <para>Symlinks do not have permissions, and by default,
             &man.chmod.1; will not follow symlinks to change the
             permissions on the target file. So if you have a file,
             <filename>foo</filename>, and a symlink to that file,
             <filename>bar</filename>, then this command will always
             succeed.</para>
 
           <screen>&prompt.user; <userinput>chmod g-w bar</userinput></screen>
 
           <para>However, the permissions on <filename>foo</filename> will
             not have changed.</para>
 
           <para>You have to use either <option>-H</option> or
             <option>-L</option> together with the <option>-R</option>
             option to make this work.  See the &man.chmod.1; and
             &man.symlink.7; manual pages for more info.</para>
 
             <warning>
               <para>The <option>-R</option> option does a
                 <emphasis>RECURSIVE</emphasis> &man.chmod.1;.  Be
                 careful about specifying directories or symlinks to
                 directories to &man.chmod.1;.  If you want to change
                 the permissions of a directory referenced by a
                 symlink, use &man.chmod.1; without any options and
                 follow the symlink with a trailing slash
                 (<filename>/</filename>).  For example, if
                 <filename>foo</filename> is a symlink to directory
                 <filename>bar</filename>, and you want to change the
                 permissions of <filename>foo</filename> (actually
                 <filename>bar</filename>), you would do something
                 like:</para>
 
               <screen>&prompt.user; <userinput>chmod 555 foo/</userinput></screen>
 
               <para>With the trailing slash, &man.chmod.1; will follow
                 the symlink, <filename>foo</filename>, to change the
                 permissions of the directory,
                 <filename>bar</filename>.</para>
             </warning>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="dos-binaries">
           <para>Can I run DOS binaries under FreeBSD?</para>
         </question>
 
         <answer>
           <para>Yes, you can use <filename
             role="package">emulators/doscmd</filename>, a DOS emulation
             program, available in the &os; Ports Collection.</para>
 
 	  <note>
             <para>The <application>doscmd</application> program used to be an
               integrated part of &os;, but was removed before the release of
               &os; 5.3.</para>
 	  </note>
 
           <para>If <application>doscmd</application> will not suffice,
             the add-on utility <filename
             role="package">emulators/pcemu</filename> emulates an 8088 and
             enough BIOS services to run many DOS text mode
             applications.  It requires the X Window System.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="translation">
           <para>What do I need to do to translate a FreeBSD document into
             my native language?</para>
         </question>
 
         <answer>
           <para>See the <ulink url="&url.books.fdp-primer;/translations.html">
             Translation FAQ</ulink> in the FreeBSD Documentation Project
             Primer.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="freebsd-mail-bounces">
 	  <para>Why does my email to any address at FreeBSD.org bounce?</para>
         </question>
 
         <answer>
 	  <para>The FreeBSD.org mail system implements some of the
 	    stricter Postfix checks on incoming mail and rejects mail that is
             either misconfigured or is potential spam.  Your mail
             might bounce for one of the following reasons:</para>
 
 	  <itemizedlist>
 	    <listitem>
               <para>The email is being sent from a known spam
                 domain or IP block.</para>
 
               <para>The FreeBSD mail servers reject email from known
                 spam sources.  If you have service through a company
                 or domain who generates or relays spam, please switch
                 to a service provider who does not.</para>
             </listitem>
 
             <listitem>
               <para>The body of the email only contains HTML.</para>
 
               <para>Mail should be sent in plain text only.  Please
                 configure your mail user agent to send plain
                 text.</para>
             </listitem>
 
             <listitem>
               <para>The mailer at FreeBSD.org cannot resolve the IP
                 address of the connecting host back to a symbolic
                 name.</para>
 
               <para>Working reverse DNS is a standard requirement for
                 accepting mail from a host. Set up reverse DNS for
                 your mail server's IP address.  Many home services
                 (DSL, cable, dialup, etc.) will not give you this
                 option.  In this case, relay your email through your
                 service provider's mail server.</para>
             </listitem>
 
 	    <listitem>
 	      <para>The hostname given in the EHLO/HELO part of the SMTP
 		exchange cannot be resolved to an IP address.</para>
 
 	      <para>A fully qualified, resolvable host name is necessary
 		in this part of the SMTP dialogue before mail will be
 		accepted.  If you do not have a host name that is registered
 		in the DNS, then you should use your service provider's mail
 		server to relay your mail.</para>
 	    </listitem>
 
 	    <listitem>
 	      <para>Your message had a message ID ending with the string
 		<quote>localhost</quote>.</para>
 
 	      <para>Some mail user agents generate bad message IDs which will
 		not be accepted.  You will need to persuade your mail user
 		agent to generate a valid message ID or else configure your
 		mail transfer agent to rewrite them.</para>
 	    </listitem>
           </itemizedlist>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="free-account">
           <para>Where can I find a free FreeBSD account?</para>
         </question>
 
         <answer>
           <para>While FreeBSD does not provide open access to any of their
             servers, others do provide open access &unix; systems.  The
             charge varies and limited services may be available.</para>
 
           <para><ulink url="http://www.arbornet.org/">Arbornet,
             Inc</ulink>, also known as M-Net, has been providing open
             access to &unix; systems since 1983.  Starting on an Altos
             running System III, the site switched to BSD/OS in 1991.  In
             June of 2000, the site switched again to FreeBSD.  M-Net can be
             accessed via telnet and SSH and provides basic access to the
             entire FreeBSD software suite.  However, network access is
             limited to members and patrons who donate to the system, which
             is run as a non-profit organization.  M-Net also provides an
             bulletin board system and interactive chat.</para>
 
           <para><ulink url="http://www.grex.org/">Grex</ulink> provides a
             site very similar to M-Net including the same bulletin board
             and interactive chat software.  However, the machine is a &sun;
             4M and is running &sunos;.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="sup-define">
           <para>What is <command>sup</command>, and how do I use
             it?</para>
         </question>
 
         <answer>
           <para><ulink url="http://www.FreeBSD.org/cgi/ports.cgi?^sup">
             SUP</ulink> stands for Software Update Protocol, and was
             developed by CMU for keeping their development trees in sync.
             We used it to keep remote sites in sync with our central
             development sources.</para>
 
           <para>SUP is not bandwidth friendly, and has been retired.
             The current recommended method to keep your sources up to
             date is <ulink url="&url.books.handbook;/synching.html#CVSUP">
             CVSup</ulink></para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="daemon-name">
           <para>What is the cute little red guy's name?</para>
         </question>
 
         <answer>
           <para>He does not have one, and is just called <quote>the BSD
             daemon</quote>.  If you insist upon using a name, call him
             <quote>beastie</quote>.  Note that <quote>beastie</quote>
             is pronounced <quote>BSD</quote>.</para>
 
           <para>You can learn more about the BSD daemon on his <ulink
             url="http://www.mckusick.com/beastie/index.html">home
             page</ulink>.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="use-beastie">
           <para>Can I use the BSD daemon image?</para>
         </question>
 
         <answer>
           <para>Perhaps.  The BSD daemon is copyrighted by Marshall
             Kirk McKusick.  You will want to check his <ulink
             url="http://www.mckusick.com/beastie/mainpage/copyright.html">Statement
             on the Use of the BSD Daemon Figure</ulink> for detailed
             usage terms.</para>
 
           <para>In summary, you are free to use the image in a tasteful
             manner, for personal use, so long as appropriate credit is
             given.  If you want to use him commercially, you must
             contact Kirk McKusick.  More details are available on the
             <ulink
             url="http://www.mckusick.com/beastie/index.html">BSD
             Daemon's home page</ulink>.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="daemon-images">
           <para>Do you have any BSD daemon images I could use?</para>
         </question>
 
         <answer>
           <para>You will find eps and Xfig drawings under
             <filename>/usr/share/examples/BSD_daemon/</filename>.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="define-MFC">
           <para>What does <acronym>MFC</acronym> mean?</para>
         </question>
 
         <answer>
           <para>MFC is an acronym for <quote>Merged From -CURRENT</quote>.
             It is used in the CVS logs to denote when a change was
             migrated from the CURRENT to the STABLE branches.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="define-BSD">
           <para>What does <acronym>BSD</acronym> mean?</para>
         </question>
 
         <answer>
           <para>It stands for something in a secret language that only
             members can know. It does not translate literally but it is ok
             to tell you that BSD's translation is something between,
             <quote>Formula-1 Racing Team</quote>, <quote>Penguins are
             tasty snacks</quote>, and <quote>We have a better sense of
             humor than &linux;</quote>. :-)</para>
 
           <para>Seriously, BSD is an acronym for <quote>Berkeley
             Software Distribution</quote>, which is the name the
             Berkeley <acronym>CSRG</acronym> (Computer Systems Research
             Group) chose for their &unix; distribution way back when.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
 	<question id="define-pola">
 	  <para>What does <acronym>POLA</acronym> mean?</para>
 	</question>
 
 	<answer>
 	  <para>Principle of Least Astonishment.  It means that as
 	    FreeBSD evolves, changes visible to the user should be
 	    kept as unsurprising as possible.  For example,
 	    arbitrarily rearranging system startup variables in
 	    <filename>/etc/defaults/rc.conf</filename> violates POLA.
 	    Developers consider POLA when contemplating user-visible
 	    system changes.</para>
 	</answer>
       </qandaentry>
 
       <qandaentry>
         <question id="define-repocopy">
           <para>What is a repo-copy?</para>
         </question>
 
         <answer>
           <para>A repo-copy (which is a short form of <quote>repository
             copy</quote>) refers to the direct copying of files within
             the CVS repository.</para>
 
           <para>Without a repo-copy, if a file needed to be copied or
             moved to another place in the repository, the committer would
             run <command>cvs add</command> to put the file in its new
             location, and then <command>cvs rm</command> on the old file
             if the old copy was being removed.</para>
 
           <para>The disadvantage of this method is that the history
             (i.e. the entries in the CVS logs) of the file would not be
             copied to the new location. As the FreeBSD Project considers
             this history very useful, a repository copy is often used
             instead. This is a process where one of the repository meisters
             will copy the files directly within the repository, rather than
             using the &man.cvs.1; program.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="bikeshed-painting">
           <para>Why should I care what color the bikeshed is?</para>
         </question>
 
         <answer>
           <para>The really, really short answer is that you should not.
             The somewhat longer answer is that just because you are
             capable of building a bikeshed does not mean you should stop
             others from building one just because you do not like the
             color they plan to paint it.  This is a metaphor indicating
             that you need not argue about every little feature just
             because you know enough to do so.  Some people have
             commented that the amount of noise generated by a change is
             inversely proportional to the complexity of the
             change.</para>
 
           <para>The longer and more complete answer is that after a very
             long argument about whether &man.sleep.1; should take
             fractional second arguments, &a.phk; posted a long
             message entitled <quote><ulink
             url="http://www.FreeBSD.org/cgi/getmsg.cgi?fetch=506636+517178+/usr/local/www/db/text/1999/freebsd-hackers/19991003.freebsd-hackers">A bike
             shed (any colour will do) on greener grass...</ulink></quote>.
             The appropriate portions of that message are quoted
             below.</para>
 
           <blockquote>
             <attribution>&a.phk; on freebsd-hackers, October
               2, 1999</attribution>
 
             <para>
               <quote>What is it about this bike shed?</quote> Some
               of you have asked me.</para>
 
             <para>It is a long story, or rather it is an old story, but
               it is quite short actually.  C. Northcote Parkinson wrote
               a book in the early 1960s, called <quote>Parkinson's
               Law</quote>, which contains a lot of insight into the
               dynamics of management.</para>
 
             <para>[snip a bit of commentary on the book]</para>
 
             <para>In the specific example involving the bike shed, the
               other vital component is an atomic power-plant, I guess
               that illustrates the age of the book.</para>
 
             <para>Parkinson shows how you can go into the board of
               directors and get approval for building a multi-million or
               even billion dollar atomic power plant, but if you want to
               build a bike shed you will be tangled up in endless
               discussions.</para>
 
             <para>Parkinson explains that this is because an atomic
               plant is so vast, so expensive and so complicated that
               people cannot grasp it, and rather than try, they fall
               back on the assumption that somebody else checked all the
               details before it got this far.  Richard P. Feynmann
               gives a couple of interesting, and very much to the point,
               examples relating to Los Alamos in his books.</para>
 
             <para>A bike shed on the other hand.  Anyone can build one
               of those over a weekend, and still have time to watch the
               game on TV.  So no matter how well prepared, no matter how
               reasonable you are with your proposal, somebody will seize
               the chance to show that he is doing his job, that he is
               paying attention, that he is
               <emphasis>here</emphasis>.</para>
 
             <para>In Denmark we call it <quote>setting your
               fingerprint</quote>.  It is about personal pride and
               prestige, it is about being able to point somewhere and
               say <quote>There!  <emphasis>I</emphasis> did that.</quote>
               It is a strong trait in politicians, but present in most
               people given the chance.  Just think about footsteps in
               wet cement.</para>
           </blockquote>
         </answer>
       </qandaentry>
     </qandaset>
   </chapter>
 
   <chapter id="funnies">
     <title>The FreeBSD Funnies</title>
 
     <qandaset>
       <qandaentry>
         <question id="very-very-cool">
           <para>How cool is FreeBSD?</para>
         </question>
 
         <answer>
           <para>Q. Has anyone done any temperature testing while
             running FreeBSD? I know &linux; runs cooler than DOS, but have
             never seen a mention of FreeBSD. It seems to run really
             hot.</para>
 
           <para>A. No, but we have done numerous taste tests on
             blindfolded volunteers who have also had 250 micrograms of
             LSD-25 administered beforehand. 35% of the volunteers said that
             FreeBSD tasted sort of orange, whereas &linux; tasted like purple
             haze. Neither group mentioned any significant variances in
 	    temperature.  We eventually had to throw the
             results of this survey out entirely anyway when we found that
             too many volunteers were wandering out of the room during the
             tests, thus skewing the results.  We think most of the volunteers
             are at Apple now, working on their new <quote>scratch and
             sniff</quote> GUI. It is a funny old business we are in!</para>
 
           <para>Seriously, both FreeBSD and &linux; use the
             <acronym>HLT</acronym> (halt) instruction when the system is
             idle thus lowering its energy consumption and therefore the
             heat it generates. Also if you have APM (advanced power
             management) configured, then FreeBSD can also put the CPU into
             a low power mode.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="letmeoutofhere">
           <para>Who is scratching in my memory banks??</para>
         </question>
 
         <answer>
           <para>Q. Is there anything <quote>odd</quote> that FreeBSD
             does when compiling the kernel which would cause the memory to
             make a scratchy sound? When compiling (and for a brief moment
             after recognizing the floppy drive upon startup, as well), a
             strange scratchy sound emanates from what appears to be the
             memory banks.</para>
 
           <para>A. Yes!  You will see frequent references to
             <quote>daemons</quote> in the BSD documentation, and what most
             people do not know is that this refers to genuine, non-corporeal
             entities that now possess your computer. The scratchy sound
             coming from your memory is actually high-pitched whispering
             exchanged among the daemons as they best decide how to deal
             with various system administration tasks.</para>
 
           <para>If the noise gets to you, a good
             <command>fdisk /mbr</command> from DOS will get rid of them,
             but do not be surprised if they react adversely and try to stop
             you. In fact, if at any point during the exercise you hear the
             satanic voice of Bill Gates coming from the built-in speaker,
             take off running and do not ever look back! Freed from the
             counterbalancing influence of the BSD daemons, the twin demons
             of DOS and &windows; are often able to re-assert total control
             over your machine to the eternal damnation of your soul.
 	    Now that you know, given a choice you would probably prefer to get
 	    used to the scratchy noises, no?</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="changing-lightbulbs">
           <para>How many FreeBSD hackers does it take to change a
             lightbulb?</para>
         </question>
 
         <answer>
           <para>One thousand, one hundred and sixty-nine:</para>
 
           <para>Twenty-three to complain to -CURRENT about the lights
             being out;</para>
 
           <para>Four to claim that it is a configuration problem, and
             that such matters really belong on -questions;</para>
 
           <para>Three to submit PRs about it, one of which is misfiled
             under doc and consists only of <quote>it's dark</quote>;</para>
 
           <para>One to commit an untested lightbulb which breaks
             buildworld, then back it out five minutes later;</para>
 
           <para>Eight to flame the PR originators for not including
             patches in their PRs;</para>
 
           <para>Five to complain about buildworld being broken;</para>
 
           <para>Thirty-one to answer that it works for them, and they
             must have cvsupped at a bad time;</para>
 
           <para>One to post a patch for a new lightbulb to -hackers;</para>
 
           <para>One to complain that he had patches for this three years
             ago, but when he sent them to -CURRENT they were just ignored,
             and he has had bad experiences with the PR system; besides,
             the proposed new lightbulb is non-reflexive;</para>
 
           <para>Thirty-seven to scream that lightbulbs do not belong in
             the base system, that committers have no right to do things
             like this without consulting the Community, and WHAT IS
             -CORE DOING ABOUT IT!?</para>
 
           <para>Two hundred to complain about the color of the bicycle
             shed;</para>
 
           <para>Three to point out that the patch breaks &man.style.9;;</para>
 
           <para>Seventeen to complain that the proposed new lightbulb is
             under GPL;</para>
 
           <para>Five hundred and eighty-six to engage in a flame war
             about the comparative advantages of the GPL, the BSD
             license, the MIT license, the NPL, and the personal hygiene
             of unnamed FSF founders;</para>
 
           <para>Seven to move various portions of the thread to -chat
             and -advocacy;</para>
 
           <para>One to commit the suggested lightbulb, even though it
             shines dimmer than the old one;</para>
 
           <para>Two to back it out with a furious flame of a commit
             message, arguing that FreeBSD is better off in the dark than
             with a dim lightbulb;</para>
 
           <para>Forty-six to argue vociferously about the backing out
             of the dim lightbulb and demanding a statement from
             -core;</para>
 
           <para>Eleven to request a smaller lightbulb so it will fit
             their Tamagotchi if we ever decide to port FreeBSD to that
             platform;</para>
 
           <para>Seventy-three to complain about the SNR on -hackers and
             -chat and unsubscribe in protest;</para>
 
           <para>Thirteen to post <quote>unsubscribe</quote>,
             <quote>How do I unsubscribe?</quote>, or <quote>Please
             remove me from the list</quote>, followed by the usual
             footer;</para>
 
           <para>One to commit a working lightbulb while everybody is too
             busy flaming everybody else to notice;</para>
 
           <para>Thirty-one to point out that the new lightbulb would shine
             0.364% brighter if compiled with TenDRA (although it will have
             to be reshaped into a cube), and that FreeBSD should therefore
             switch to TenDRA instead of GCC;</para>
 
           <para>One to complain that the new lightbulb lacks
             fairings;</para>
 
           <para>Nine (including the PR originators) to ask
             <quote>what is MFC?</quote>;</para>
 
           <para>Fifty-seven to complain about the lights being out two
             weeks after the bulb has been changed.</para>
 
           <para><emphasis>&a.nik; adds:</emphasis></para>
 
           <para><emphasis>I was laughing quite hard at
             this.</emphasis></para>
 
           <para><emphasis>And then I thought, <quote>Hang on,
             shouldn't there be '1 to document it.' in that list
             somewhere?</quote></emphasis></para>
 
           <para><emphasis>And then I was enlightened :-)</emphasis></para>
         </answer>
       </qandaentry>
       
       <qandaentry>
         <question id="dev-null">
           <para>Where does data written to <filename>/dev/null</filename>
 	    go?</para>
         </question>
         <answer>
           <para>It goes into a special data sink in the CPU where it
             is converted to heat which is vented through the heatsink
             / fan assembly.  This is why CPU cooling is increasingly
             important; as people get used to faster processors, they
             become careless with their data and more and more of it
             ends up in <filename>/dev/null</filename>, overheating
             their CPUs.  If you delete <filename>/dev/null</filename>
             (which effectively disables the CPU data sink) your CPU
             may run cooler but your system will quickly become
             constipated with all that excess data and start to behave
             erratically.  If you have a fast network connection you
             can cool down your CPU by reading data out of
             <filename>/dev/random</filename> and sending it off
             somewhere; however you run the risk of overheating your
             network connection and <filename>/</filename> or angering
             your ISP, as most of the data will end up getting
             converted to heat by their equipment, but they generally
             have good cooling, so if you do not overdo it you should be
             OK.</para>
 
 	  <para><emphasis>Paul Robinson adds:</emphasis></para>
 
 	  <para>There are other methods. As every good sysadmin knows,
             it is part of standard practise to send data to the screen
             of interesting variety to keep all the pixies that make up
             your picture happy. Screen pixies (commonly mis-typed or
             re-named as <quote>pixels</quote> are categorised by the type of hat
             they wear (red, green or blue) and will hide or appear
             (thereby showing the colour of their hat) whenever they
             receive a little piece of food. Video cards turn data into
             pixie-food, and then send them to the pixies - the more
             expensive the card, the better the food, so the better
             behaved the pixies are. They also need constant stimulation
             - this is why screen savers exist.</para>
 
           <para>To take your suggestions further, you could just throw
             the random data to console, thereby letting the pixies
             consume it. This causes no heat to be produced at all,
             keeps the pixies happy and gets rid of your data quite
             quickly, even if it does make things look a bit messy on
             your screen.</para>
 
           <para>Incidentally, as an ex-admin of a large ISP who
             experienced many problems attempting to maintain a stable
             temperature in a server room, I would strongly discourage
             people sending the data they do not want out to the
             network. The fairies who do the packet switching and
             routing get annoyed by it as well.</para>
 	</answer>
       </qandaentry>
     </qandaset>
   </chapter>
 
   <chapter id="advanced">
     <title>Advanced Topics</title>
 
     <qandaset>
       <qandaentry>
         <question id="learn-advanced">
           <para>How can I learn more about FreeBSD's internals?</para>
         </question>
 
         <answer>
           <para>At this time, there is only one book on FreeBSD-specific OS
             internals, namely <quote>The Design and Implementation of the
             FreeBSD Operating System</quote> by Marshall Kirk McKusick and
             George V. Neville-Neil, ISBN 0-201-70245-2, which 
             focuses on version 5.X of FreeBSD.</para>
 
           <para>Additionally, much general &unix; knowledge is directly
             applicable to FreeBSD.</para>
 
           <para>For a list of relevant books, please check the Handbook's <ulink
             url="&url.books.handbook;/bibliography-osinternals.html">Operating
             System Internals Bibliography</ulink>.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
 	<question id="how-to-contribute">
 	  <para>How can I contribute to FreeBSD?</para>
 	</question>
 
 	<answer>
 	  <para>Please see the article on <ulink
 	    url="&url.articles.contributing;/article.html">Contributing
 	    to FreeBSD</ulink> for specific advice on how to do this.
 	    Assistance is more than welcome!</para>
 	</answer>
       </qandaentry>
 
       <qandaentry>
         <question id="define-snap-release">
           <para>What are SNAPs and RELEASEs?</para>
         </question>
 
         <answer>
           <para>There are currently three active/semi-active branches
             in the FreeBSD <ulink
             url="http://www.FreeBSD.org/cgi/cvsweb.cgi"> CVS
             Repository</ulink>. (Earlier branches are only changed
             very rarely, which is why there are only three active
             branches of development):</para>
 
             <itemizedlist>
               <listitem>
                 <para><literal>RELENG_4</literal>     AKA
                   <emphasis>4-STABLE</emphasis></para>
               </listitem>
 
               <listitem>
                 <para><literal>RELENG_5</literal>      AKA
                   <emphasis>5-STABLE</emphasis></para>
               </listitem>
 
               <listitem>
                 <para><literal>HEAD</literal>         AKA
                   <emphasis>-CURRENT</emphasis>  AKA
                   <emphasis>6.X-CURRENT</emphasis></para>
               </listitem>
 
             </itemizedlist>
 
           <para><literal>HEAD</literal> is not an actual branch tag,
             like the other two; it is simply a symbolic constant for
             <quote><emphasis>the current, non-branched development
             stream</emphasis></quote> which we simply refer to as
             <quote>-CURRENT</quote>.</para>
 
           <para>Right now, <quote>-CURRENT</quote> is the 6.X development
             stream; the <literal>4-STABLE</literal> branch,
             <symbol>RELENG_4</symbol>, forked off from
             <quote>-CURRENT</quote> in March 2000, and
             the <literal>5-STABLE</literal> branch,
             <symbol>RELENG_5</symbol>, forked off from
             <quote>-CURRENT</quote> in October 2004.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="custrel">
           <para>How do I make my own custom release?</para>
         </question>
 
         <answer>
           <para>Please see the <ulink
             url="&url.articles.releng;/article.html">
             Release Engineering</ulink> article.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="makeworld-clobbers">
           <para>Why does <command>make world</command> clobber my existing
             installed binaries?</para>
         </question>
 
         <answer>
           <para>Yes, this is the general idea; as its name might suggest,
             <command>make world</command> rebuilds every system binary from
             scratch, so you can be certain of having a clean and consistent
             environment at the end (which is why it takes so long).</para>
 
           <para>If the environment variable <literal>DESTDIR</literal>
             is defined while running <command>make world</command> or
             <command>make install</command>, the newly-created binaries
             will be deposited in a directory tree identical to the
             installed one, rooted at <literal>${DESTDIR}</literal>.
             Some random combination of shared libraries modifications and
             program rebuilds can cause this to fail in <command>make
             world</command> however.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
 	<question id="cvsup-round-robin">
 	  <para>Why isn't cvsup.FreeBSD.org a round robin DNS entry to
 	  share the load amongst the various CVSup servers?</para>
 	</question>
 
 	<answer>
 	  <para>While CVSup mirrors update from the master CVSup
 	    server hourly, this update might happen at any time during
 	    the hour.  This means that some servers have newer code
 	    than others, even though all servers have code that is
 	    less than an hour old.  If <hostid role="fqdn">cvsup.FreeBSD.org</hostid> was a round
 	    robin DNS entry that simply redirected users to a random
 	    CVSup server, running CVSup twice in a row could download
 	    code older than the code already on the system.</para>
 	</answer>
       </qandaentry>
 
       <qandaentry>
         <question id="bus-speed-defaulted">
           <para>Why does my system say <quote>(bus speed
             defaulted)</quote> when it boots?</para>
         </question>
 
         <answer>
 
           <para>The Adaptec 1542 SCSI host adapters allow the user to
             configure their bus access speed in software. Previous versions
             of the 1542 driver tried to determine the fastest usable speed
             and set the adapter to that. We found that this breaks some
             users' systems, so you now have to define the
             <symbol>TUNE_1542</symbol> kernel configuration option in order
             to have this take place. Using it on those systems where it
             works may make your disks run faster, but on those systems
             where it does not, your data could be corrupted.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="ctm">
           <para>Can I follow -CURRENT with limited Internet access?</para>
         </question>
 
         <answer>
           <para>Yes, you can do this <emphasis>without</emphasis>
             downloading the whole source tree by using the <ulink
             url="&url.books.handbook;/synching.html#CTM">CTM facility</ulink>.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="split-240k">
           <para>How did you split the distribution into 240k files?</para>
         </question>
 
         <answer>
           <para>Newer BSD based systems have a <option>-b</option>
             option to &man.split.1; that allows them to split files on arbitrary
             byte boundaries.</para>
 
           <para>Here is an example from
             <filename>/usr/src/Makefile</filename>.</para>
 
           <programlisting>bin-tarball:
 (cd ${DISTDIR}; \
 tar cf - . \
 gzip --no-name -9 -c | \
 split -b 240640 - \
 ${RELEASEDIR}/tarballs/bindist/bin_tgz.)</programlisting>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="submitting-kernel-extensions">
           <para>I have written a kernel extension, who do I send it
             to?</para>
         </question>
 
         <answer>
           <para>Please take a look at the article on <ulink
             url="&url.articles.contributing;/article.html">Contributing
             to FreeBSD</ulink> to learn how to submit code.</para>
 
           <para>And thanks for the thought!</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="pnp-initialize">
           <para>How are Plug N Play ISA cards detected and
             initialized?</para>
         </question>
 
         <answer>
           <para>By: Frank Durda IV
             <email>uhclem@nemesis.lonestar.org</email></para>
 
           <para>In a nutshell, there a few I/O ports that all of the
             PnP boards respond to when the host asks if anyone is out
             there. So when the PnP probe routine starts, it asks if there
             are any PnP boards present, and all the PnP boards respond with
             their model # to a I/O read of the same port, so the probe
             routine gets a wired-OR <quote>yes</quote> to that question. At
             least one bit will be on in that reply. Then the probe code is
             able to cause boards with board model IDs (assigned by
             Microsoft/Intel) lower than X to go <quote>off-line</quote>. It
             then looks to see if any boards are still responding to the
             query. If the answer was <literal>0</literal>, then there are
             no boards with IDs above X. Now probe asks if there are any
             boards below <literal>X</literal>. If so, probe knows there are
             boards with a model numbers below X. Probe then asks for boards
             greater than X-(limit/4) to go off-line. If repeats the query.
             By repeating this semi-binary search of IDs-in-range enough
             times, the probing code will eventually identify all PnP boards
             present in a given machine with a number of iterations that is
             much lower than what 2^64 would take.</para>
 
           <para>The IDs are two 32-bit fields (hence 2&circ;64) + 8 bit
             checksum. The first 32 bits are a vendor identifier. They never
             come out and say it, but it appears to be assumed that
             different types of boards from the same vendor could have
             different 32-bit vendor ids. The idea of needing 32 bits just
             for unique manufacturers is a bit excessive.</para>
 
           <para>The lower 32 bits are a serial #, Ethernet address,
             something that makes this one board unique. The vendor must
             never produce a second board that has the same lower 32 bits
             unless the upper 32 bits are also different. So you can have
             multiple boards of the same type in the machine and the full 64
             bits will still be unique.</para>
 
           <para>The 32 bit groups can never be all zero.  This allows the
             wired-OR to show non-zero bits during the initial binary
             search.</para>
 
           <para>Once the system has identified all the board IDs present,
             it will reactivate each board, one at a time (via the same I/O
             ports), and find out what resources the given board needs, what
             interrupt choices are available, etc. A scan is made over all
             the boards to collect this information.</para>
 
           <para>This info is then combined with info from any ECU files
             on the hard disk or wired into the MLB BIOS. The ECU and BIOS
             PnP support for hardware on the MLB is usually synthetic, and
             the peripherals do not really do genuine PnP. However by
             examining the BIOS info plus the ECU info, the probe routines
             can cause the devices that are PnP to avoid those devices the
             probe code cannot relocate.</para>
 
           <para>Then the PnP devices are visited once more and given
             their I/O, DMA, IRQ and Memory-map address assignments. The
             devices will then appear at those locations and remain there
             until the next reboot, although there is nothing that says you
             cannot move them around whenever you want.</para>
 
           <para>There is a lot of oversimplification above, but you
             should get the general idea.</para>
 
           <para>Microsoft took over some of the primary printer status
             ports to do PnP, on the logic that no boards decoded those
             addresses for the opposing I/O cycles. I found a genuine IBM
             printer board that did decode writes of the status port during
             the early PnP proposal review period, but MS said
             <quote>tough</quote>. So they do a write to the printer status
             port for setting addresses, plus that use that address +
             <literal>0x800</literal>, and a third I/O port for reading that
             can be located anywhere between <literal>0x200</literal> and
             <literal>0x3ff</literal>.</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="major-numbers">
           <para>Can you assign a major number for a device driver I have
             written?</para>
         </question>
 
         <answer>
 
 	  <para>&os.current; after February 2003 has a facility for
 	    dynamically and automatically allocating major numbers for
 	    device drivers at runtime.  This mechanism is highly
 	    preferred to the older procedure of statically allocating
 	    device numbers.  Some comments on this subject can be
 	    found in <filename>src/sys/conf/majors</filename>.</para>
 
 	  <para>If you are forced for some reason to use a static
 	    major number, the procedure for obtaining one depends on
 	    whether or not you plan on making the driver publicly
 	    available. If you do, then please send us a copy of the
 	    driver source code, plus the appropriate modifications to
 	    <filename>files.i386</filename>, a sample configuration
 	    file entry, and the appropriate &man.MAKEDEV.8; code to
 	    create any special files your device uses. If you do not,
 	    or are unable to because of licensing restrictions, then
 	    character major number 32 and block major number 8 have
 	    been reserved specifically for this purpose; please use
 	    them. In any case, we would appreciate hearing about your
 	    driver on the &a.hackers;.</para>
 
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="alternate-directory-layout">
           <para>What about alternative layout policies for
             directories?</para>
         </question>
 
         <answer>
           <para>In answer to the question of alternative layout policies
             for directories, the scheme that is currently in use is
             unchanged from what I wrote in 1983. I wrote that policy for
             the original fast filesystem, and never revisited it. It works
             well at keeping cylinder groups from filling up. As several of
             you have noted, it works poorly for find. Most filesystems are
             created from archives that were created by a depth first search
             (aka ftw). These directories end up being striped across the
             cylinder groups thus creating a worst possible scenario for
             future depth first searches. If one knew the total number of
             directories to be created, the solution would be to create
             (total / fs_ncg) per cylinder group before moving on.
             Obviously, one would have to create some heuristic to guess at
             this number. Even using a small fixed number like say 10 would
             make an order of magnitude improvement. To differentiate
             restores from normal operation (when the current algorithm is
             probably more sensible), you could use the clustering of up to
             10 if they were all done within a ten second window. Anyway, my
             conclusion is that this is an area ripe for
             experimentation.</para>
 
           <para>Kirk McKusick, September 1998</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="kernel-panic-troubleshooting">
           <para>How can I make the most of the data I see when my kernel
             panics?</para>
         </question>
 
         <answer>
           <para><emphasis>[This section was extracted from a mail
             written by &a.wpaul; on the freebsd-current
             <link linkend="mailing">mailing list</link> by &a.des;, who
             fixed a few typos and added the bracketed comments]
             </emphasis></para>
 
           <programlisting>From: Bill Paul &lt;wpaul@skynet.ctr.columbia.edu&gt;
 Subject: Re: the fs fun never stops
 To: Ben Rosengart
 Date: Sun, 20 Sep 1998 15:22:50 -0400 (EDT)
 Cc: current@FreeBSD.org</programlisting>
 
           <para><emphasis>Ben Rosengart posted the following
             panic message]</emphasis></para>
 
           <programlisting>&gt; Fatal trap 12: page fault while in kernel mode
 &gt; fault virtual address   = 0x40
 &gt; fault code              = supervisor read, page not present
 &gt; instruction pointer     = 0x8:0xf014a7e5
                                 ^^^^^^^^^^
 &gt; stack pointer           = 0x10:0xf4ed6f24
 &gt; frame pointer           = 0x10:0xf4ed6f28
 &gt; code segment            = base 0x0, limit 0xfffff, type 0x1b
 &gt;                         = DPL 0, pres 1, def32 1, gran 1
 &gt; processor eflags        = interrupt enabled, resume, IOPL = 0
 &gt; current process         = 80 (mount)
 &gt; interrupt mask          =
 &gt; trap number             = 12
 &gt; panic: page fault</programlisting>
 
           <para>[When] you see a message like this, it is not enough to just
             reproduce it and send it in. The instruction pointer value that
             I highlighted up there is important; unfortunately, it is also
             configuration dependent. In other words, the value varies
             depending on the exact kernel image that you are using. If
             you are using a GENERIC kernel image from one of the snapshots,
             then it is possible for somebody else to track down the
             offending function, but if you are running a custom kernel then
             only <emphasis>you</emphasis> can tell us where the fault
             occurred.</para>
 
           <para>What you should do is this:</para>
 
             <procedure>
               <step>
                 <para>Write down the instruction pointer value. Note that
                   the <literal>0x8:</literal> part at the beginning is not
                   significant in this case: it is the
                   <literal>0xf0xxxxxx</literal> part that we want.</para>
               </step>
 
               <step>
                 <para>When the system reboots, do the following:
 
                   <screen>&prompt.user; <userinput>nm -n /kernel.that.caused.the.panic | grep f0xxxxxx</userinput></screen>
 
                   where <literal>f0xxxxxx</literal> is the instruction
                   pointer value. The odds are you will not get an exact
                   match since the symbols in the kernel symbol table are
                   for the entry points of functions and the instruction
                   pointer address will be somewhere inside a function, not
                   at the start. If you do not get an exact match, omit the
                   last digit from the instruction pointer value and try
                   again, i.e.:
 
                   <screen>&prompt.user; <userinput>nm -n /kernel.that.caused.the.panic | grep f0xxxxx</userinput></screen>
 
                    If that does not yield any results, chop off another
                    digit. Repeat until you get some sort of output. The
                    result will be a possible list of functions which caused
                    the panic. This is a less than exact mechanism for
                    tracking down the point of failure, but it is better than
                    nothing.</para>
               </step>
             </procedure>
 
           <para>I see people constantly show panic messages like this
             but rarely do I see someone take the time to match up the
             instruction pointer with a function in the kernel symbol
             table.</para>
 
           <para>The best way to track down the cause of a panic is by
             capturing a crash dump, then using &man.gdb.1; to generate
             a stack trace on the crash dump.</para>
 
           <para>In any case, the method I normally use is this:</para>
 
             <procedure>
               <step>
                 <para>Set up a kernel config file, optionally adding
                   <literal>options DDB</literal> if you think you need
                   the kernel debugger for something. (I use this mainly
                   for setting breakpoints if I suspect an infinite loop
                   condition of some kind.)</para>
               </step>
 
               <step>
                 <para>Use <command>config -g
                   <replaceable>KERNELCONFIG</replaceable></command> to set
                   up the build directory.</para>
               </step>
 
               <step>
                 <para><command>cd /sys/compile/
                   <replaceable>KERNELCONFIG</replaceable>; make
                   </command></para>
               </step>
 
               <step>
                 <para>Wait for kernel to finish compiling.</para>
               </step>
 
               <step>
                 <para><command>make install</command></para>
               </step>
 
               <step>
                 <para>reboot</para>
               </step>
             </procedure>
 
           <para>The &man.make.1; process will have built two kernels.
             <filename>kernel</filename> and
             <filename>kernel.debug</filename>.
             <filename>kernel</filename> was installed as
             <filename>/kernel</filename>, while
             <filename>kernel.debug</filename> can be used as the
             source of debugging symbols for &man.gdb.1;.</para>
 
           <para>To make sure you capture a crash dump, you need edit
             <filename>/etc/rc.conf</filename> and set
             <literal>dumpdev</literal> to point to your swap
             partition. This will cause the &man.rc.8; scripts to use
             the &man.dumpon.8; command to enable crash dumps. You can
             also run &man.dumpon.8; manually.  After a panic, the
             crash dump can be recovered using &man.savecore.8;; if
             <literal>dumpdev</literal> is set in
             <filename>/etc/rc.conf</filename>, the &man.rc.8; scripts
             will run &man.savecore.8; automatically and put the crash
             dump in <filename>/var/crash</filename>.</para>
 
             <note>
               <para>FreeBSD crash dumps are usually the same size as the
                 physical RAM size of your machine. That is, if you have
                 64MB of RAM, you will get a 64MB crash dump. Therefore you
                 must make sure there is enough space in
                 <filename>/var/crash</filename> to hold the dump.
                 Alternatively, you run &man.savecore.8;
                 manually and have it recover the crash dump to another
                 directory where you have more room. It is possible to limit
                 the size of the crash dump by using <literal>options
                 MAXMEM=(foo)</literal> to set the amount of memory the
                 kernel will use to something a little more sensible. For
                 example, if you have 128MB of RAM, you can limit the
                 kernel's memory usage to 16MB so that your crash dump size
                 will be 16MB instead of 128MB.</para>
             </note>
 
           <para>Once you have recovered the crash dump, you can get a
             stack trace with &man.gdb.1; as follows:</para>
 
           <screen>&prompt.user; <userinput>gdb -k /sys/compile/KERNELCONFIG/kernel.debug /var/crash/vmcore.0</userinput>
 <prompt>(gdb)</prompt> <userinput>where</userinput></screen>
 
           <para>Note that there may be several screens worth of
             information; ideally you should use
             &man.script.1; to capture all of them. Using the
             unstripped kernel image with all the debug symbols should show
             the exact line of kernel source code where the panic occurred.
             Usually you have to read the stack trace from the bottom up in
             order to trace the exact sequence of events that lead to the
             crash. You can also use &man.gdb.1; to print out
             the contents of various variables or structures in order to
             examine the system state at the time of the crash.</para>
 
           <para>Now, if you are really insane and have a second computer,
             you can also configure &man.gdb.1; to do remote
             debugging such that you can use &man.gdb.1; on
             one system to debug the kernel on another system, including
             setting breakpoints, single-stepping through the kernel code,
             just like you can do with a normal user-mode program. I have not
             played with this yet as I do not often have the chance to set up
             two machines side by side for debugging purposes.</para>
 
           <para><emphasis>[Bill adds: "I forgot to mention one thing: if
             you have DDB enabled and the kernel drops into the debugger,
             you can force a panic (and a crash dump) just by typing 'panic'
             at the ddb prompt. It may stop in the debugger again during the
             panic phase. If it does, type 'continue' and it will finish the
             crash dump." -ed]</emphasis></para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="dlsym-failure">
           <para>Why has dlsym() stopped working for ELF executables?</para>
         </question>
 
         <answer>
           <para>The ELF toolchain does not, by default, make the symbols
             defined in an executable visible to the dynamic linker.
             Consequently <function>dlsym()</function> searches on handles
             obtained from calls to <function>dlopen(NULL,
             flags)</function> will fail to find such symbols.</para>
 
           <para>If you want to search, using
             <function>dlsym()</function>, for symbols present in the
             main executable of a process, you need to link the
             executable using the <option>-export-dynamic</option>
             option to the ELF linker (&man.ld.1;).</para>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question id="change-kernel-address-space">
           <para>How can I increase or reduce the kernel address space?</para>
         </question>
 
         <answer>
           <para>By default, the kernel address space is 256 MB on
             FreeBSD 3.X and 1 GB on FreeBSD 4.X. If you run a
             network-intensive server (e.g. a large FTP or HTTP server),
             you might find that 256 MB is not enough.</para>
 
           <para>So how do you increase the address space? There are two
             aspects to this. First, you need to tell the kernel to reserve
             a larger portion of the address space for itself. Second, since
             the kernel is loaded at the top of the address space, you need
             to lower the load address so it does not bump its head against
             the ceiling.</para>
 
           <para>The first goal is achieved by increasing the value of
             <literal>NKPDE</literal> in
             <filename>src/sys/i386/include/pmap.h</filename>. Here is what
             it looks like for a 1 GB address space:</para>
 
           <programlisting>#ifndef NKPDE
 #ifdef SMP
 #define NKPDE                   254     /* addressable number of page tables/pde's */
 #else
 #define NKPDE                   255     /* addressable number of page tables/pde's */
 #endif  /* SMP */
 #endif</programlisting>
 
           <para>To find the correct value of <literal>NKPDE</literal>,
             divide the desired address space size (in megabytes) by four,
             then subtract one for UP and two for SMP.</para>
 
           <para>To achieve the second goal, you need to compute the
             correct load address: simply subtract the address space size
             (in bytes) from 0x100100000; the result is 0xc0100000 for a 1
             GB address space. Set <symbol>LOAD_ADDRESS</symbol> in
             <filename>src/sys/i386/conf/Makefile.i386</filename> to that
             value; then set the location counter in the beginning of the
             section listing in
             <filename>src/sys/i386/conf/kernel.script</filename> to the
             same value, as follows:</para>
 
           <programlisting>OUTPUT_FORMAT("elf32-i386", "elf32-i386", "elf32-i386")
 OUTPUT_ARCH(i386)
 ENTRY(btext)
 SEARCH_DIR(/usr/lib); SEARCH_DIR(/usr/obj/elf/home/src/tmp/usr/i386-unknown-freebsdelf/lib);
 SECTIONS
 {
   /* Read-only sections, merged into text segment: */
   . = 0xc0100000 + SIZEOF_HEADERS;
   .interp     : { *(.interp)    }</programlisting>
 
           <para>Then reconfig and rebuild your kernel. You will
             probably have problems with &man.ps.1; &man.top.1; and the
             like; <command>make world</command> should take care of it
             (or a manual rebuild of <filename>libkvm</filename>,
             &man.ps.1; and &man.top.1; after copying the patched
             <filename>pmap.h</filename> to
             <filename>/usr/include/vm/</filename>.</para>
 
           <para>NOTE: the size of the kernel address space must be a
             multiple of four megabytes.</para>
 
           <para>[&a.dg; adds: <emphasis>I think the kernel address space
             needs to be a power of two, but I am not certain about that. The
           old(er) boot code used to monkey with the high order address bits
           and I think expected at least 256MB
           granularity.]</emphasis></para>
         </answer>
       </qandaentry>
     </qandaset>
   </chapter>
 
   <chapter id="acknowledgments">
     <title>Acknowledgments</title>
 
     <blockquote>
        <attribution>FreeBSD Core Team</attribution>
 
        <para>If you see a problem with this FAQ, or wish to submit an
          entry, please mail the &a.doc;.  We appreciate your feedback,
          and cannot make this a better FAQ without your help!</para>
     </blockquote>
 
       <variablelist>
         <varlistentry>
           <term>&a.jkh;</term>
             <listitem>
               <para>Occasional fits of FAQ-reshuffling and updating.</para>
             </listitem>
           </varlistentry>
 
           <varlistentry>
             <term>&a.dwhite;</term>
 
             <listitem>
               <para>Services above and beyond the call of duty on
                 freebsd-questions</para>
             </listitem>
           </varlistentry>
 
           <varlistentry>
             <term>&a.joerg;</term>
 
             <listitem>
               <para>Services above and beyond the call of duty on
                 Usenet</para>
             </listitem>
           </varlistentry>
 
           <varlistentry>
             <term>&a.wollman;</term>
 
             <listitem>
               <para>Networking and formatting</para>
             </listitem>
           </varlistentry>
 
           <varlistentry>
             <term>Jim Lowe</term>
 
             <listitem>
               <para>Multicast information</para>
             </listitem>
           </varlistentry>
 
           <varlistentry>
             <term>&a.pds;</term>
 
             <listitem>
               <para>FreeBSD FAQ typing machine slavey</para>
             </listitem>
           </varlistentry>
 
           <varlistentry>
             <term>The FreeBSD Team</term>
 
             <listitem>
               <para>Kvetching, moaning, submitting data</para>
 
             </listitem>
           </varlistentry>
         </variablelist>
 
     <para>And to any others we have forgotten, apologies and heartfelt
       thanks!</para>
   </chapter>
 
   &bibliography;
 </book>
diff --git a/en_US.ISO8859-1/books/fdp-primer/book.sgml b/en_US.ISO8859-1/books/fdp-primer/book.sgml
index 069593e594..8477b85427 100644
--- a/en_US.ISO8859-1/books/fdp-primer/book.sgml
+++ b/en_US.ISO8859-1/books/fdp-primer/book.sgml
@@ -1,259 +1,259 @@
 <!-- Copyright (c) 1998, 1999 Nik Clayton, All rights reserved.
 
      Redistribution and use in source (SGML DocBook) and 'compiled' forms
      (SGML, HTML, PDF, PostScript, RTF and so forth) with or without
      modification, are permitted provided that the following conditions
      are met:
 
       1. Redistributions of source code (SGML DocBook) must retain the above
          copyright notice, this list of conditions and the following
          disclaimer as the first lines of this file unmodified.
 
       2. Redistributions in compiled form (transformed to other DTDs,
          converted to PDF, PostScript, RTF and other formats) must reproduce
          the above copyright notice, this list of conditions and the
          following disclaimer in the documentation and/or other materials
          provided with the distribution.
 
      THIS DOCUMENTATION IS PROVIDED BY NIK CLAYTON "AS IS" AND ANY EXPRESS OR
      IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
      OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
      DISCLAIMED. IN NO EVENT SHALL NIK CLAYTON BE LIABLE FOR ANY DIRECT,
      INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
      (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
      SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
      HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
      STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
      ANY WAY OUT OF THE USE OF THIS DOCUMENTATION, EVEN IF ADVISED OF THE
      POSSIBILITY OF SUCH DAMAGE.
 
      $FreeBSD$
 -->
 
 <!DOCTYPE book PUBLIC "-//FreeBSD//DTD DocBook V4.1-Based Extension//EN" [
 <!ENTITY % books.ent PUBLIC "-//FreeBSD//ENTITIES DocBook FreeBSD Books Entity Set//EN">
 %books.ent;
 <!ENTITY % chapters SYSTEM "chapters.ent"> %chapters;
 <!ENTITY % not.published "INCLUDE">
 <!-- ENTITY index SYSTEM "index.sgml" -->
 ]>
 
 <book>
   <bookinfo>
     <title>FreeBSD Documentation Project Primer for New Contributors</title>
    
     <corpauthor>The FreeBSD Documentation Project</corpauthor>
  
     <copyright>
       <year>1998</year>
       <year>1999</year>
       <year>2000</year>
       <year>2001</year>
       <year>2002</year>
       <year>2003</year>
       <year>2004</year>
       <holder role="mailto:doceng@FreeBSD.org">DocEng</holder>
     </copyright>
 
     <pubdate role="rcs">$FreeBSD$</pubdate>
 
     <releaseinfo>$FreeBSD$</releaseinfo>
 
     &bookinfo.legalnotice;
  
     <abstract>
       <para>Thank you for becoming a part of the FreeBSD Documentation
         Project. Your contribution is extremely valuable.</para>
 
       <para>This primer covers everything you will need to know in order
         to start contributing to the FreeBSD Documentation Project, from
         the tools and software you will be using (both mandatory and
         recommended) to the philosophy behind the Documentation 
         Project.</para>
 
       <para>This document is a work in progress, and is not complete. Sections
 	that are known to be incomplete are indicated with a
 	<literal>*</literal> in their name.</para>
     </abstract>
   </bookinfo>
 
   <preface id="preface">
     <title>Preface</title>
 
     <sect1 id="preface-prompts">
       <title>Shell Prompts</title>
       
       <para>The following table shows the default system prompt and superuser
 	prompt. The examples will use this prompt to indicate which user you
 	should be running the example as.</para>
 
-      <informaltable frame="none">
+      <informaltable frame="none" pgwide="1">
 	<tgroup cols="2">
 	  <thead>
 	    <row>
 	      <entry>User</entry>
 	      <entry>Prompt</entry>
 	    </row>
 	  </thead>
 	  
 	  <tbody>
 	    <row>
 	      <entry>Normal user</entry>
 	      <entry>&prompt.user;</entry>
 	    </row>
 
 	    <row>
 	      <entry><username>root</username></entry>
 	      <entry>&prompt.root;</entry>
 	    </row>
 	  </tbody>
 	</tgroup>
       </informaltable>
     </sect1>
     
     <sect1 id="preface-conventions">
       <title>Typographic Conventions</title>
 
       <para>The following table describes the typographic conventions used in
 	this book.</para>
 
-      <informaltable frame="none">
+      <informaltable frame="none" pgwide="1">
 	<tgroup cols="2">
 	  <thead>
 	    <row>
 	      <entry>Meaning</entry>
 	      <entry>Examples</entry>
 	    </row>
 	  </thead>
 	  
 	  <tbody>
 	    <row>
 	      <entry>The name of commands, files, and directories. On screen
 		computer output.</entry>
 	      <entry><para>Edit your <filename>.login</filename>
 		  file.</para><para>Use <command>ls -a</command> to list all
 		  files.</para><para><screen>You have mail.</screen>
 		</para></entry>
 	    </row>
 
 	    <row>
 	      <entry>What you type, when contrasted with on-screen computer
 		output.</entry>
 
 	      <entry><screen>&prompt.user; <userinput>su</userinput>
 Password:</screen></entry>
 	    </row>
 
 	    <row>
 	      <entry>Manual page references.</entry>
 
 	      <entry>Use <citerefentry>
 		  <refentrytitle>su</refentrytitle>
 		  <manvolnum>1</manvolnum>
 		</citerefentry> to change user names.</entry>
 	    </row>
 
 	    <row>
 	      <entry>User and group names</entry>
 
 	      <entry>Only <username>root</username> can do this.</entry>
 	    </row>
 
 	    <row>
 	      <entry>Emphasis</entry>
 
 	      <entry>You <emphasis>must</emphasis> do this.</entry>
 	    </row>
 
 	    <row>
 	      <entry>Command line variables; replace with the real name or
 		variable.</entry>
 
 	      <entry>To delete a file, type <command>rm <filename><replaceable>filename</replaceable></filename></command></entry>
 	    </row>
 
 	    <row>
 	      <entry>Environment variables</entry>
 
 	      <entry><envar>$HOME</envar> is your home directory.</entry>
 	    </row>
 	  </tbody>
 	</tgroup>
       </informaltable>
     </sect1>
 
     <sect1 id="preface-notes">
       <title>Notes, tips, important information, warnings, and examples</title>
 
       <para>Within the text appear notes, warnings, and examples.</para>
 
       <note>
 	<para>Notes are represented like this, and contain information that
 	  you should take note of, as it may affect what you do.</para>
       </note>
 
       <tip>
 	<para>Tips are represented like this, and contain information that you 
 	  might find useful, or lead to an easier way to do something.</para>
       </tip>
 
       <important>
 	<para>Important information is represented like this.  Typically they
 	  flag extra steps you may need to carry out.</para>
       </important>
 
       <warning>
 	<para>Warnings are represented like this, and contain information
 	  warning you about possible damage if you do not follow the
 	  instructions. This damage may be physical, to your hardware or to
 	  you, or it may be non-physical, such as the inadvertent deletion of
 	  important files.</para>
       </warning>
 
       <example>
 	<title>A sample example</title>
 
 	<para>Examples are represented like this, and typically contain
 	  examples you should walk through, or show you what the results of a
 	  particular action should be.</para>
       </example>
     </sect1>
 
     <sect1 id="preface-acknowledgements">
       <title>Acknowledgments</title>
 
       <para>My thanks to Sue Blake, Patrick Durusau, Jon Hamilton, Peter
 	Flynn, and Christopher Maden, who took the time to read early drafts
 	of this document and offer many valuable comments and
 	criticisms.</para>
     </sect1>
   </preface>
   
   &chap.overview;
   &chap.tools;
   &chap.sgml-primer;
   &chap.sgml-markup;
   &chap.stylesheets;
   &chap.structure;
   &chap.doc-build;
   &chap.the-website;
   &chap.translations;
   &chap.writing-style;
   &chap.psgml-mode;
   &chap.see-also;
 
   &app.examples;
 
 <!--
   &index;  
 -->
 </book>
 
 <!--
      Local Variables:
      mode: sgml
      sgml-indent-data: t
      sgml-omittag: nil
      sgml-always-quote-attributes: t
      End:
 -->
diff --git a/en_US.ISO8859-1/books/fdp-primer/sgml-markup/chapter.sgml b/en_US.ISO8859-1/books/fdp-primer/sgml-markup/chapter.sgml
index 2f49895cac..432dbc7914 100644
--- a/en_US.ISO8859-1/books/fdp-primer/sgml-markup/chapter.sgml
+++ b/en_US.ISO8859-1/books/fdp-primer/sgml-markup/chapter.sgml
@@ -1,2692 +1,2698 @@
 <!-- Copyright (c) 1998, 1999 Nik Clayton, All rights reserved.
 
      Redistribution and use in source (SGML DocBook) and 'compiled' forms
      (SGML HTML, PDF, PostScript, RTF and so forth) with or without
      modification, are permitted provided that the following conditions
      are met:
 
       1. Redistributions of source code (SGML DocBook) must retain the above
          copyright notice, this list of conditions and the following
          disclaimer as the first lines of this file unmodified.
 
       2. Redistributions in compiled form (transformed to other DTDs,
          converted to PDF, PostScript, RTF and other formats) must reproduce
          the above copyright notice, this list of conditions and the
          following disclaimer in the documentation and/or other materials
          provided with the distribution.
 
      THIS DOCUMENTATION IS PROVIDED BY NIK CLAYTON "AS IS" AND ANY EXPRESS OR
      IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
      OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
      DISCLAIMED. IN NO EVENT SHALL NIK CLAYTON BE LIABLE FOR ANY DIRECT,
      INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
      (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
      SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
      HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
      STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
      ANY WAY OUT OF THE USE OF THIS DOCUMENTATION, EVEN IF ADVISED OF THE
      POSSIBILITY OF SUCH DAMAGE.
 
      $FreeBSD$
 -->
 
 <chapter id="sgml-markup">
   <title>SGML Markup</title>
 
   <para>This chapter describes the two markup languages you will encounter
     when you contribute to the FreeBSD documentation project.  Each section
     describes the markup language, and details the markup that you are likely
     to want to use, or that is already in use.</para>
 
   <para>These markup languages contain a large number of elements, and it can
     be confusing sometimes to know which element to use for a particular
     situation.  This section goes through the elements you are most likely to
     need, and gives examples of how you would use them.</para>
   
   <para>This is <emphasis>not</emphasis> an exhaustive list of elements, since
     that would just reiterate the documentation for each language.  The aim of
     this section is to list those elements more likely to be useful to you.
     If you have a question about how best to markup a particular piece of
     content, please post it to the &a.doc;.</para>
 
   <note>
     <title>Inline vs. block</title>
     
     <para>In the remainder of this document, when describing elements,
       <emphasis>inline</emphasis> means that the element can occur within a
       block element, and does not cause a line break.  A
       <emphasis>block</emphasis> element, by comparison, will cause a line
       break (and other processing) when it is encountered.</para>
   </note>
   
   <sect1 id="sgml-markup-html">
     <title>HTML</title>
     
     <para>HTML, the HyperText Markup Language, is the markup language of
       choice on the World Wide Web.  More information can be found at
       &lt;URL:<ulink url="http://www.w3.org/"></ulink>&gt;.</para>
 
     <para>HTML is used to markup pages on the FreeBSD web site.  It should not
       (generally) be used to mark up other documentation, 
       since DocBook offers a
       far richer set of elements to choose from.  Consequently, you will
       normally only encounter HTML pages if you are writing for the web
       site.</para>
 
     <para>HTML has gone through a number of versions, 1, 2, 3.0, 3.2, and the
       latest, 4.0 (available in both <emphasis>strict</emphasis> and
       <emphasis>loose</emphasis> variants).</para>
 	  
     <para>The HTML DTDs are available from the ports collection in the
       <filename role="package">textproc/html</filename> port.  They are automatically
       installed as part of the <filename role="package">textproc/docproj</filename>
       port.</para>
 
     <sect2>
       <title>Formal Public Identifier (FPI)</title>
 
       <para>There are a number of HTML FPIs, depending upon the version (also
 	known as the level) of HTML that you want to declare your document to
 	be compliant with.</para>
 
       <para>The majority of HTML documents on the FreeBSD web site comply with
 	the loose version of HTML 4.0.</para>
 
       <programlisting>PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"</programlisting>
     </sect2>
 
     <sect2>
       <title>Sectional elements</title>
 
       <para>An HTML document is normally split into two sections.  The first
 	section, called the <emphasis>head</emphasis>, contains
 	meta-information about the document, such as its title, the name of
 	the author, the parent document, and so on.  The second section, the
 	<emphasis>body</emphasis>, contains the content that will be displayed
 	to the user.</para>
 
       <para>These sections are indicated with <sgmltag>head</sgmltag> and
 	<sgmltag>body</sgmltag> elements respectively.  These elements are
 	contained within the top-level <sgmltag>html</sgmltag> element.</para>
 
       <example>
 	<title>Normal HTML document structure</title>
 
 	<programlisting>&lt;html>
   &lt;head>
 	  &lt;title><replaceable>The document's title</replaceable>&lt;/title>
   &lt;/head>
 
   &lt;body>
 
     &hellip;
 
   &lt;/body>
 &lt;/html></programlisting>
       </example>
     </sect2>
     
     <sect2>
       <title>Block elements</title>
 
       <sect3>
 	<title>Headings</title>
 
 	<para>HTML allows you to denote headings in your document, at up to
 	  six different levels.</para>
 
 	<para>The largest and most prominent heading is <sgmltag>h1</sgmltag>,
 	  then <sgmltag>h2</sgmltag>, continuing down to
 	  <sgmltag>h6</sgmltag>.</para>
 
 	<para>The element's content is the text of the heading.</para>
 
 	<example>
 	  <title><sgmltag>h1</sgmltag>, <sgmltag>h2</sgmltag>, etc.</title>
 
 	  <para>Use:</para>
 
 	  <programlisting><![ CDATA [<h1>First section</h1>
 
 <!-- Document introduction goes here -->
 
 <h2>This is the heading for the first section</h2>
 
 <!-- Content for the first section goes here -->
 
 <h3>This is the heading for the first sub-section</h3>
 
 <!-- Content for the first sub-section goes here -->
 
 <h2>This is the heading for the second section</h2>
 
 <!-- Content for the second section goes here -->]]></programlisting>	    
 	</example>
 	
 	<para>Generally, an HTML page should have one first level heading
 	  (<sgmltag>h1</sgmltag>).  This can contain many second level
 	  headings (<sgmltag>h2</sgmltag>), which can in turn contain many
 	  third level headings.  Each
 	  <sgmltag>h<replaceable>n</replaceable></sgmltag> element should have
 	  the same element, but one further up the hierarchy, preceding it.
 	  Leaving gaps in the numbering is to be avoided.</para>
 
 	<example>
 	  <title>Bad ordering of
 	    <sgmltag>h<replaceable>n</replaceable></sgmltag> elements</title>
 
 	  <para>Use:</para>
 
 	  <programlisting><![ CDATA [<h1>First section</h1>
 
 <!-- Document introduction -->
 
 <h3>Sub-section</h3>
 
 <!-- This is bad, <h2> has been left out -->]]></programlisting>
 	</example>
       </sect3>
       
       <sect3>
 	<title>Paragraphs</title>
 
 	<para>HTML supports a single paragraph element,
 	  <sgmltag>p</sgmltag>.</para>
 
 	<example>
 	  <title><sgmltag>p</sgmltag></title>
 
 	  <para>Use:</para>
 
 	  <programlisting><![ CDATA [<p>This is a paragraph.  It can contain just about any
   other element.</p>]]></programlisting>
 	</example>
       </sect3>
 
       <sect3>
 	<title>Block quotations</title>
 
 	<para>A block quotation is an extended quotation from another document
 	  that should not appear within the current paragraph.</para>
 
 	<example>
 	  <title><sgmltag>blockquote</sgmltag></title>
 
 	  <para>Use:</para>
 
 	  <programlisting><![ CDATA [<p>A small excerpt from the US Constitution:</p>
 
 <blockquote>We the People of the United States, in Order to form
   a more perfect Union, establish Justice, insure domestic
   Tranquility, provide for the common defence, promote the general
   Welfare, and secure the Blessings of Liberty to ourselves and our
   Posterity, do ordain and establish this Constitution for the
   United States of America.</blockquote>]]></programlisting>
 	</example>
       </sect3>
 
       <sect3>
 	<title>Lists</title>
 
 	<para>You can present the user with three types of lists, ordered,
 	  unordered, and definition.</para>
 
 	<para>Typically, each entry in an ordered list will be numbered, while
 	  each entry in an unordered list will be preceded by a bullet point.
 	  Definition lists are composed of two sections for each entry.  The
 	  first section is the term being defined, and the second section is
 	  the definition of the term.</para>
 
 	<para>Ordered lists are indicated by the <sgmltag>ol</sgmltag>
 	  element, unordered lists by the <sgmltag>ul</sgmltag> element, and
 	  definition lists by the <sgmltag>dl</sgmltag> element.</para>
 
 	<para>Ordered and unordered lists contain listitems, indicated by the
 	  <sgmltag>li</sgmltag> element.  A listitem can contain textual
 	  content, or it may be further wrapped in one or more
 	  <sgmltag>p</sgmltag> elements.</para>
 
 	<para>Definition lists contain definition terms
 	  (<sgmltag>dt</sgmltag>) and definition descriptions
 	  (<sgmltag>dd</sgmltag>).  A definition term can only contain inline
 	  elements.  A definition description can contain other block
 	  elements.</para>
 
 	<example>
 	  <title><sgmltag>ul</sgmltag> and <sgmltag>ol</sgmltag></title>
 
 	  <para>Use:</para>
 
 	  <programlisting><![ CDATA [<p>An unordered list.  Listitems will probably be
   preceded by bullets.</p>
 
 <ul>
   <li>First item</li>
 
   <li>Second item</li>
 
   <li>Third item</li>
 </ul>
 
 <p>An ordered list, with list items consisting of multiple
   paragraphs.  Each item (note: not each paragraph) will be
   numbered.</p>
 
 <ol>
   <li><p>This is the first item.  It only has one paragraph.</p></li>
 
   <li><p>This is the first paragraph of the second item.</p>
 
     <p>This is the second paragraph of the second item.</p></li>
 
   <li><p>This is the first and only paragraph of the third
     item.</p></li>
 </ol>]]></programlisting>
 	</example>
 
 	<example>
 	  <title>Definition lists with <sgmltag>dl</sgmltag></title>
 
 	  <para>Use:</para>
 
 	  <programlisting><![ CDATA [<dl>
   <dt>Term 1</dt>
 
   <dd><p>Paragraph 1 of definition 1.</p>
 
     <p>Paragraph 2 of definition 1.</p></dd>
 
   <dt>Term 2</dt>
 
   <dd><p>Paragraph 1 of definition 2.</p></dd>
 
   <dt>Term 3</dt>
 
   <dd>Paragraph 1 of definition 3.  Note that the &lt;p&gt;
     element is not required in the single paragraph case.</dd>
 </dl>]]></programlisting>
 	</example>
       </sect3>
 
       <sect3>
 	<title>Pre-formatted text</title>
 
 	<para>You can indicate that text should be shown to the user exactly
 	  as it is in the file.  Typically, this means that the text is shown
 	  in a fixed font, multiple spaces are not merged into one, and line
 	  breaks in the text are significant.</para>
 
 	<para>In order to do this, wrap the content in the
 	  <sgmltag>pre</sgmltag> element.</para>
 
 	<example>
 	  <title><sgmltag>pre</sgmltag></title>
 
 	  <para>You could use <sgmltag>pre</sgmltag> to mark up an e-mail
 	    message;</para>
 
 	  <programlisting><![ CDATA [<pre>  From: nik@FreeBSD.org
   To: freebsd-doc@FreeBSD.org
   Subject: New documentation available
 
   There is a new copy of my primer for contributors to the FreeBSD
   Documentation Project available at
 
     <URL:http://people.FreeBSD.org/~nik/primer/index.html>
 
   Comments appreciated.
 
   N</pre>]]></programlisting>
 	</example>
       </sect3>
 
       <sect3>
 	<title>Tables</title>
 
 	<note>
 	  <para>Most text-mode browsers (such as Lynx) do not render tables
 	    particularly effectively.  If you are relying on the tabular
 	    display of your content, you should consider using alternative
 	    markup to prevent confusion.</para>
 	</note>
 
 	<para>Mark up tabular information using the <sgmltag>table</sgmltag>
 	  element.  A table consists of one or more table rows
 	  (<sgmltag>tr</sgmltag>), each containing one or more cells of table
 	  data (<sgmltag>td</sgmltag>).  Each cell can contain other block
 	  elements, such as paragraphs or lists.  It can also contain another
 	  table (this nesting can repeat indefinitely).  If the cell only
 	  contains one paragraph then you do not need to include the
 	  <sgmltag>p</sgmltag> element.</para>
 
 	<example>
 	  <title>Simple use of <sgmltag>table</sgmltag></title>
 
 	  <para>Use:</para>
 
 	  <programlisting><![ CDATA [<p>This is a simple 2x2 table.</p>
 
 <table>
   <tr>
     <td>Top left cell</td>
 
     <td>Top right cell</td>
   </tr>
 
   <tr>
     <td>Bottom left cell</td>
 
     <td>Bottom right cell</td>
   </tr>
 </table>]]></programlisting></example>
 
 	<para>A cell can span multiple rows and columns.  To indicate this,
 	  add the <literal>rowspan</literal> and/or <literal>colspan</literal>
 	  attributes, with values indicating the number of rows of columns
 	  that should be spanned.</para>
 
 	<example>
 	  <title>Using <literal>rowspan</literal></title>
 
 	  <para>Use:</para>
 
 	  <programlisting><![ CDATA [<p>One tall thin cell on the left, two short cells next to
   it on the right.</p>
 
 <table>
   <tr>
     <td rowspan="2">Long and thin</td>
   </tr>
 
   <tr>
     <td>Top cell</td>
 
     <td>Bottom cell</td>
   </tr>
 </table>]]></programlisting>
 	</example>
 
 	<example>
 	  <title>Using <literal>colspan</literal></title>
 
 	  <para>Use:</para>
 
 	  <programlisting><![ CDATA [<p>One long cell on top, two short cells below it.</p>
 
 <table>
   <tr>
     <td colspan="2">Top cell</td>
   </tr>
 
   <tr>
     <td>Bottom left cell</td>
 
     <td>Bottom right cell</td>
   </tr>
 </table>]]></programlisting>
 	</example>
 
 	<example>
 	  <title>Using <literal>rowspan</literal> and
 	    <literal>colspan</literal> together</title>
 
 	  <para>Use:</para>
 
 	  <programlisting><![ CDATA [<p>On a 3x3 grid, the top left block is a 2x2 set of
   cells merged into one.  The other cells are normal.</p>
 
 <table>
   <tr>
     <td colspan="2" rowspan="2">Top left large cell</td>
 
     <td>Top right cell</td>
   </tr>
 
   <tr>
     <!-- Because the large cell on the left merges into
          this row, the first <td> will occur on its
          right -->
 	    
     <td>Middle right cell</td>
   </tr>
 
   <tr>
     <td>Bottom left cell</td>
 
     <td>Bottom middle cell</td>
 
     <td>Bottom right cell</td>
   </tr>
 </table>]]></programlisting>
 	</example>
       </sect3>
     </sect2>
 
     <sect2>
       <title>In-line elements</title>
 
       <sect3>
 	<title>Emphasizing information</title>
 
 	<para>You have two levels of emphasis available in HTML,
 	  <sgmltag>em</sgmltag> and <sgmltag>strong</sgmltag>.
 	  <sgmltag>em</sgmltag> is for a normal level of emphasis and
 	  <sgmltag>strong</sgmltag> indicates stronger emphasis.</para>
 
 	<para>Typically, <sgmltag>em</sgmltag> is rendered in italic and
 	  <sgmltag>strong</sgmltag> is rendered in bold.  This is not always
 	  the case, however, and you should not rely on it.</para>
 
 	<example>
 	  <title><sgmltag>em</sgmltag> and <sgmltag>strong</sgmltag></title>
 
 	  <para>Use:</para>
 
 	  <programlisting><![ CDATA [<p><em>This</em> has been emphasized, while
   <strong>this</strong> has been strongly emphasized.</p>]]></programlisting>
 	</example>
       </sect3>
 
       <sect3>
 	<title>Bold and italics</title>
 
 	<para>Because HTML includes presentational markup, you can also
 	  indicate that particular content should be rendered in bold or
 	  italic.  The elements are <sgmltag>b</sgmltag> and
 	  <sgmltag>i</sgmltag> respectively.</para>
 
 	<example>
 	  <title><sgmltag>b</sgmltag> and <sgmltag>i</sgmltag></title>
 
 	  <programlisting><![ CDATA [<p><b>This</b> is in bold, while <i>this</i> is
   in italics.</p>]]></programlisting>
 	</example>
       </sect3>
 
       <sect3>
 	<title>Indicating fixed pitch text</title>
 
 	<para>If you have content that should be rendered in a fixed pitch
 	  (typewriter) typeface, use <sgmltag>tt</sgmltag> (for
 	  <quote>teletype</quote>).</para>
 
 	<example>
 	  <title><sgmltag>tt</sgmltag></title>
 
 	  <para>Use:</para>
 
 	  <programlisting><![ CDATA [<p>This document was originally written by
   Nik Clayton, who can be reached by e-mail as
   <tt>nik@FreeBSD.org</tt>.</p>]]></programlisting>
 	</example>
       </sect3>
 
       <sect3>
 	<title>Content size</title>
 
 	<para>You can indicate that content should be shown in a larger or
 	  smaller font.  There are three ways of doing this.</para>
 
 	<orderedlist>
 	  <listitem>
 	    <para>Use <sgmltag>big</sgmltag> and <sgmltag>small</sgmltag>
 	      around the content you wish to change size.  These tags can be
 	      nested, so <literal>&lt;big&gt;&lt;big&gt;This is much
 		bigger&lt;/big&gt;&lt;/big&gt;</literal> is possible.</para>
 	  </listitem>
 
 	  <listitem>
 	    <para>Use <sgmltag>font</sgmltag> with the <literal>size</literal>
 	      attribute set to <literal>+1</literal> or <literal>-1</literal>
 	      respectively.  This has the same effect as using
 	      <sgmltag>big</sgmltag> or <sgmltag>small</sgmltag>.  However,
 	      the use of this approach is deprecated.</para>
 	  </listitem>
 
 	  <listitem>
 	    <para>Use <sgmltag>font</sgmltag> with the <literal>size</literal>
 	      attribute set to a number between 1 and 7.  The default font size
 	      is <literal>3</literal>.  This approach is deprecated.</para>
 	  </listitem>
 	</orderedlist>
 
 	<example>
 	  <title><sgmltag>big</sgmltag>, <sgmltag>small</sgmltag>, and
 	    <sgmltag>font</sgmltag></title>
 
 	  <para>The following fragments all do the same thing.</para>
 
 	  <programlisting><![ CDATA [<p>This text is <small>slightly smaller</small>.  But
   this text is <big>slightly bigger</big>.</p>
 
 <p>This text is <font size="-1">slightly smaller</font>.  But
   this text is <font size="+1">slightly bigger</font.</p>
 
 <p>This text is <font size="2">slightly smaller</font>.  But
   this text is <font size="4">slightly bigger</font>.</p>]]></programlisting>
 	</example>
       </sect3>
     </sect2>
 
     <sect2>
       <title>Links</title>
 
       <note>
 	<para>Links are also in-line elements.</para>
       </note>
 
       <sect3>
 	<title>Linking to other documents on the WWW</title>
 
 	<para>In order to include a link to another document on the WWW you
 	  must know the URL of the document you want to link to.</para>
 
 	<para>The link is indicated with <sgmltag>a</sgmltag>, and the
 	  <literal>href</literal> attribute contains the URL of the target
 	  document.  The content of the element becomes the link, and is
 	  normally indicated to the user in some way (underlining, change of
 	  color, different mouse cursor when over the link, and so
 	  on).</para>
 
 	<example>
 	  <title>Using <literal>&lt;a href="..."&gt;</literal></title>
 
 	  <para>Use:</para>
 
 	  <programlisting><![ CDATA [<p>More information is available at the
   <a href="http://www.FreeBSD.org/">FreeBSD web site</a>.</p>]]></programlisting>
 	</example>
 
 	<para>These links will take the user to the top of the chosen
 	  document.</para>
       </sect3>
       
       <sect3>
 	<title>Linking to other parts of documents</title>
 
 	<para>Linking to a point within another document (or within the same
 	  document) requires that the document author include anchors that you
 	  can link to.</para>
 
 	<para>Anchors are indicated with <sgmltag>a</sgmltag> and the
 	  <literal>name</literal> attribute instead of
 	  <literal>href</literal>.</para>
 
 	<example>
 	  <title>Using <literal>&lt;a name="..."&gt;</literal></title>
 
 	  <para>Use:</para>
 
 	  <programlisting><![ CDATA [<p><a name="para1">This</a> paragraph can be referenced
   in other links with the name <tt>para1</tt>.</p>]]></programlisting>
 	</example>
 
 	<para>To link to a named part of a document, write a normal link to
 	  that document, but include the name of the anchor after a
 	  <literal>#</literal> symbol.</para>
 
 	<example>
 	  <title>Linking to a named part of another document</title>
 
 	  <para>Assume that the <literal>para1</literal> example resides in a
 	    document called <filename>foo.html</filename>.</para>
 
 	  <programlisting><![ CDATA [<p>More information can be found in the
   <a href="foo.html#para1">first paragraph</a> of
   <tt>foo.html</tt>.</p>]]></programlisting>
 	</example>
 
 	<para>If you are linking to a named anchor within the same document
 	  then you can omit the document's URL, and just include the name of
 	  the anchor (with the preceding <literal>#</literal>).</para>
 
 	<example>
 	  <title>Linking to a named part of the same document</title>
 
 	  <para>Assume that the <literal>para1</literal> example resides in
 	    this document</para>
 
 	  <programlisting><![ CDATA [<p>More information can be found in the
   <a href="#para1">first paragraph</a> of this
   document.</p>]]></programlisting>
 	</example>
       </sect3>
     </sect2>
   </sect1>
   
   <sect1 id="sgml-markup-docbook">
     <title>DocBook</title>
 
     <para>DocBook was originally developed by HaL Computer Systems and O'Reilly
       &amp; Associates to be a DTD for writing technical documentation
       <footnote><para>A short history can be found under <ulink
       url="http://www.oasis-open.org/committees/docbook/intro.shtml">
       http://www.oasis-open.org/committees/docbook/intro.shtml</ulink>.
       </para></footnote>. Since 1998 it is maintained by the <ulink
       url="http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=docbook">
       DocBook Technical Committee</ulink>.   As such, and unlike LinuxDoc
       and HTML, DocBook is very heavily oriented towards markup that
       describes <emphasis>what</emphasis> something is, rather than describing
       <emphasis>how</emphasis> it should be presented.</para>
 
     <note>
       <title><literal>formal</literal> vs. <literal>informal</literal></title>
 
       <para>Some elements may exist in two forms, <emphasis>formal</emphasis>
 	and <emphasis>informal</emphasis>.  Typically, the formal version of
 	the element will consist of a title followed by the informal
 	version of the element.  The informal version will not have a
 	title.</para>
     </note>
     
     <para>The DocBook DTD is available from the ports collection in the
       <filename role="package">textproc/docbook</filename> port.  It is automatically
       installed as part of the <filename role="package">textproc/docproj</filename>
       port.</para>
     
     <sect2>
       <title>FreeBSD extensions</title>
 
       <para>The FreeBSD Documentation Project has extended the DocBook DTD by
 	adding some new elements.  These elements serve to make some of the
 	markup more precise.</para>
 
       <para>Where a FreeBSD specific element is listed below it is clearly
 	marked.</para>
 
       <para>Throughout the rest of this document, the term
 	<quote>DocBook</quote> is used to mean the FreeBSD extended DocBook
 	DTD.</para>
       
       <note>
 	<para>There is nothing about these extensions that is FreeBSD
 	  specific, it was just felt that they were useful enhancements for
 	  this particular project.  Should anyone from any of the other *nix
 	  camps (NetBSD, OpenBSD, Linux, &hellip;) be interested in
 	  collaborating on a standard DocBook extension set, please get in
 	  touch with &a.doceng;.</para>
       </note>
 
       <para>The FreeBSD extensions are not (currently) in the ports
 	collection.  They are stored in the FreeBSD CVS tree, as <ulink
 	url="http://www.FreeBSD.org/cgi/cvsweb.cgi/doc/share/sgml/freebsd.dtd">doc/share/sgml/freebsd.dtd</ulink>.</para>
     </sect2>
 
     <sect2>
       <title>Formal Public Identifier (FPI)</title>
 
       <para>In compliance with the DocBook guidelines for writing FPIs for
 	  DocBook customizations, the FPI for the FreeBSD extended DocBook DTD
 	  is;</para>
 
 	<programlisting>PUBLIC "-//FreeBSD//DTD DocBook V4.1-Based Extension//EN"</programlisting>
     </sect2>
 
     <sect2>
       <title>Document structure</title>
 
       <para>DocBook allows you to structure your documentation in several
 	ways.  In the FreeBSD Documentation Project we are using two primary
 	types of DocBook document: the book and the article.</para>
 
       <para>A book is organized into <sgmltag>chapter</sgmltag>s.  This is a
 	mandatory requirement.  There may be <sgmltag>part</sgmltag>s between
 	the book and the chapter to provide another layer of organization.
 	The Handbook is arranged in this way.</para>
 
       <para>A chapter may (or may not) contain one or more sections.  These
 	are indicated with the <sgmltag>sect1</sgmltag> element.  If a section
 	contains another section then use the <sgmltag>sect2</sgmltag>
 	element, and so on, up to <sgmltag>sect5</sgmltag>.</para>
 
       <para>Chapters and sections contain the remainder of the content.</para>
 
       <para>An article is simpler than a book, and does not use chapters.
 	Instead, the content of an article is organized into one or more
 	sections, using the same <sgmltag>sect1</sgmltag> (and
 	<sgmltag>sect2</sgmltag> and so on) elements that are used in
 	books.</para>
 
       <para>Obviously, you should consider the nature of the documentation you 
 	are writing in order to decide whether it is best marked up as a book
 	or an article.  Articles are well suited to information that does not
 	need to be broken down into several chapters, and that is, relatively 
 	speaking, quite short, at up to 20-25 pages of content.  Books are
 	best suited to information that can be broken up into several
 	chapters, possibly with appendices and similar content as well.</para>
 
       <para>The <ulink url="&url.base;/docs.html">FreeBSD
 	  tutorials</ulink> are all marked up as articles, while this
 	document, the <ulink url="&url.books.faq;/index.html">FreeBSD
 	  FAQ</ulink>, and the <ulink
 	  url="&url.books.handbook;/index.html">FreeBSD Handbook</ulink> are
 	all marked up as books.</para>
 
       <sect3>
 	<title>Starting a book</title>
 
 	<para>The content of the book is contained within the
 	  <sgmltag>book</sgmltag> element.  As well as containing structural
 	  markup, this element can contain elements that include additional
 	  information about the book.  This is either meta-information, used
 	  for reference purposes, or additional content used to produce a
 	  title page.</para>
 
 	<para>This additional information should be contained within
 	  <sgmltag>bookinfo</sgmltag>.</para>
 
 	<example>
 	  <title>Boilerplate <sgmltag>book</sgmltag> with
 	    <sgmltag>bookinfo</sgmltag></title>
 
 	  <!-- Can't put this in a marked section because of the
                replaceable elements -->
 	  <programlisting>&lt;book>
   &lt;bookinfo>
     &lt;title><replaceable>Your title here</replaceable>&lt;/title>
     
     &lt;author>
       &lt;firstname><replaceable>Your first name</replaceable>&lt;/firstname>
       &lt;surname><replaceable>Your surname</replaceable>&lt;/surname>
       &lt;affiliation>
         &lt;address>&lt;email><replaceable>Your e-mail address</replaceable>&lt;/email>&lt;/address>
       &lt;/affiliation>
     &lt;/author>
 
     &lt;copyright>
       &lt;year><replaceable>1998</replaceable>&lt;/year>
       &lt;holder role="mailto:<replaceable>your e-mail address</replaceable>"><replaceable>Your name</replaceable>&lt;/holder>
     &lt;/copyright>
 
     &lt;releaseinfo>&#36;FreeBSD&#36;&lt;/releaseinfo>
 
     &lt;abstract>
       &lt;para><replaceable>Include an abstract of the book's contents here.</replaceable>&lt;/para>
     &lt;/abstract>
   &lt;/bookinfo>
 
   &hellip;
 
 &lt;/book></programlisting>
 	</example>
       </sect3>
 
       <sect3>
 	<title>Starting an article</title>
 
 	<para>The content of the article is contained within the
 	  <sgmltag>article</sgmltag> element.  As well as containing
 	  structural markup, this element can contain elements that include
 	  additional information about the article.  This is either
 	  meta-information, used for reference purposes, or additional content
 	  used to produce a title page.</para>
 
 	<para>This additional information should be contained within
 	  <sgmltag>articleinfo</sgmltag>.</para>
 
 	<example>
 	  <title>Boilerplate <sgmltag>article</sgmltag> with
 	    <sgmltag>articleinfo</sgmltag></title>
 
 	  <!-- Can't put this in a marked section because of the
                replaceable elements -->
 	  <programlisting>&lt;article>
   &lt;articleinfo>
     &lt;title><replaceable>Your title here</replaceable>&lt;/title>
     
     &lt;author>
       &lt;firstname><replaceable>Your first name</replaceable>&lt;/firstname>
       &lt;surname><replaceable>Your surname</replaceable>&lt;/surname>
       &lt;affiliation>
         &lt;address>&lt;email><replaceable>Your e-mail address</replaceable>&lt;/email>&lt;/address>
       &lt;/affiliation>
     &lt;/author>
 
     &lt;copyright>
       &lt;year><replaceable>1998</replaceable>&lt;/year>
       &lt;holder role="mailto:<replaceable>your e-mail address</replaceable>"><replaceable>Your name</replaceable>&lt;/holder>
     &lt;/copyright>
 
     &lt;releaseinfo>&#36;FreeBSD&#36;&lt;/releaseinfo>
 
     &lt;abstract>
       &lt;para><replaceable>Include an abstract of the article's contents here.</replaceable>&lt;/para>
     &lt;/abstract>
   &lt;/articleinfo>
 
   &hellip;
 
 &lt;/article></programlisting>
 	</example>	
       </sect3>
       <sect3>
 	<title>Indicating chapters</title>
 
 	<para>Use <sgmltag>chapter</sgmltag> to mark up your chapters.  Each
 	  chapter has a mandatory <sgmltag>title</sgmltag>.  Articles do not
 	  contain chapters, they are reserved for books.</para>
 
 	<example>
 	  <title>A simple chapter</title>
 
 	  <programlisting><![ CDATA [<chapter>
   <title>The chapter's title</title>
 
   ...
 </chapter>]]></programlisting>
 	</example>
 
 	<para>A chapter cannot be empty; it must contain elements in addition
 	  to <sgmltag>title</sgmltag>.  If you need to include an empty
 	  chapter then just use an empty paragraph.</para>
 
 	<example>
 	  <title>Empty chapters</title>
 
 	  <programlisting><![ CDATA [<chapter>
   <title>This is an empty chapter</title>
 
   <para></para>
 </chapter>]]></programlisting>	    
 	</example>
       </sect3>
 
       <sect3>
 	<title>Sections below chapters</title>
 
 	<para>In books, chapters may (but do not need to) be broken up into
 	  sections, subsections, and so on.  In articles, sections are the
 	  main structural element, and each  article must contain at least one
 	  section.  Use the
 	  <sgmltag>sect<replaceable>n</replaceable></sgmltag> element.  The
 	  <replaceable>n</replaceable> indicates the section number, which
 	  identifies the section level.</para>
 
 	<para>The first <sgmltag>sect<replaceable>n</replaceable></sgmltag> is
 	  <sgmltag>sect1</sgmltag>.  You can have one or more of these in a
 	  chapter.  They can contain one or more <sgmltag>sect2</sgmltag>
 	  elements, and so on, down to <sgmltag>sect5</sgmltag>.</para>
 
 	<example>
 	  <title>Sections in chapters</title>
 
 	  <programlisting><![ RCDATA [<chapter>
   <title>A sample chapter</title>
 
   <para>Some text in the chapter.</para>
 
   <sect1>
     <title>First section (1.1)</title>
 
     &hellip;
   </sect1>
 
   <sect1>
     <title>Second section (1.2)</title>
 
     <sect2>
       <title>First sub-section (1.2.1)</title>
 
       <sect3>
         <title>First sub-sub-section (1.2.1.1)</title>
 
         &hellip;
       </sect3>
     </sect2>
 
     <sect2>
       <title>Second sub-section (1.2.2)</title>
 
       &hellip;
     </sect2>
   </sect1>
 </chapter>]]></programlisting>
 	</example>
 	
 	<note>
 	  <para>This example includes section numbers in the section titles.
 	    You should not do this in your documents.  Adding the section
 	    numbers is carried out by the stylesheets (of which more
 	    later), and you do not need to manage them yourself.</para>
 	</note>
       </sect3>
       
       <sect3>
 	<title>Subdividing using <sgmltag>part</sgmltag>s</title>
 
 	<para>You can introduce another layer of organization between
 	  <sgmltag>book</sgmltag> and <sgmltag>chapter</sgmltag> with one or
 	  more <sgmltag>part</sgmltag>s.  This cannot be done in an
 	  <sgmltag>article</sgmltag>.</para>
 
 	<programlisting><![ CDATA [<part>
   <title>Introduction</title>
 
   <chapter>
     <title>Overview</title>
 
     ...
   </chapter>
 
   <chapter>
     <title>What is FreeBSD?</title>
 
     ...
   </chapter>
 
   <chapter>
     <title>History</title>
 
     ...
   </chapter>
 </part>]]></programlisting>
       </sect3>
     </sect2>
     
     <sect2>
       <title>Block elements</title>
       
       <sect3>
 	<title>Paragraphs</title>
 	
 	<para>DocBook supports three types of paragraphs:
 	  <sgmltag>formalpara</sgmltag>, <sgmltag>para</sgmltag>, and
 	  <sgmltag>simpara</sgmltag>.</para>
 	
 	<para>Most of the time you will only need to use
 	  <sgmltag>para</sgmltag>.  <sgmltag>formalpara</sgmltag> includes a
 	  <sgmltag>title</sgmltag> element, and <sgmltag>simpara</sgmltag>
 	  disallows some elements from within <sgmltag>para</sgmltag>.  Stick
 	  with <sgmltag>para</sgmltag>.</para>
 	  
 	<example>
 	  <title><sgmltag>para</sgmltag></title>
 	  
 	  <para>Use:</para>
 	  
 	  <programlisting><![ CDATA [<para>This is a paragraph.  It can contain just about any
   other element.</para> ]]></programlisting>
 
 	  <para>Appearance:</para>
 	  
 	  <para>This is a paragraph.  It can contain just about any other
 	    element.</para>
 	</example>
       </sect3>
       
       <sect3>
 	<title>Block quotations</title>
 	
 	<para>A block quotation is an extended quotation from another document
 	  that should not appear within the current paragraph.  You will
 	  probably only need it infrequently.</para>
 	
 	<para>Blockquotes can optionally contain a title and an attribution
 	  (or they can be left untitled and unattributed).</para>
 
 	<example>
 	  <title><sgmltag>blockquote</sgmltag></title>
 	  
 	  <para>Use:</para>
 	  
 	  <programlisting><![ CDATA [<para>A small excerpt from the US Constitution;</para>
 	      
 <blockquote>
   <title>Preamble to the Constitution of the United States</title>
 
   <attribution>Copied from a web site somewhere</attribution>
 	    
   <para>We the People of the United States, in Order to form a more perfect
     Union, establish Justice, insure domestic Tranquility, provide for the
     common defence, promote the general Welfare, and secure the Blessings
     of Liberty to ourselves and our Posterity, do ordain and establish this
     Constitution for the United States of America.</para>
 </blockquote>]]></programlisting>
 
 	  <para>Appearance:</para>
 	  
 	  <blockquote>
 	    <title>Preamble to the Constitution of the United States</title>
 	    
 	    <attribution>Copied from a web site somewhere</attribution>
 	    
 	    <para>We the People of the United States, in Order to form a more
 	      perfect Union, establish Justice, insure domestic Tranquility,
 	      provide for the common defence, promote the general Welfare, and
 	      secure the Blessings of Liberty to ourselves and our Posterity,
 	      do ordain and establish this Constitution for the United States
 	      of America.</para>
 	  </blockquote>	  
 	</example>
       </sect3>
       
       <sect3>
 	<title>Tips, notes, warnings, cautions, important information and
 	  sidebars.</title>
 	  
 	<para>You may need to include extra information separate from the
 	  main body of the text.  Typically this is <quote>meta</quote>
 	  information that the user should be aware of.</para>
 	
 	<para>Depending on the nature of the information, one of
 	  <sgmltag>tip</sgmltag>, <sgmltag>note</sgmltag>,
 	  <sgmltag>warning</sgmltag>, <sgmltag>caution</sgmltag>, and
 	  <sgmltag>important</sgmltag> should be used.  Alternatively, if the
 	  information is related to the main text but is not one of the above,
 	  use <sgmltag>sidebar</sgmltag>.</para>
 
 	<para>The circumstances in which to choose one of these elements over
 	  another is unclear.  The DocBook documentation suggests;</para>
 	
 	<itemizedlist>
 	  <listitem>
 	    <para>A Note is for information that should be heeded by all
 	      readers.</para>
 	  </listitem>
 	  
 	  <listitem>
 	    <para>An Important element is a variation on Note.</para>
 	  </listitem>
 	  
 	  <listitem>
 	    <para>A Caution is for information regarding possible data loss
 	      or software damage.</para>
 	  </listitem>
 	  
 	  <listitem>
 	    <para>A Warning is for information regarding possible hardware
 	      damage or injury to life or limb.</para>
 	  </listitem>
 	</itemizedlist>
 	
 	<example>
 	  <title><sgmltag>warning</sgmltag></title>
 	  
 	  <para>Use:</para>
 	  
 	  <programlisting><![ CDATA [<warning>
   <para>Installing FreeBSD may make you want to delete Windows from your
     hard disk.</para>
 </warning>]]></programlisting>
 	  </example>
 	  
 	<!-- Need to do this outside of the example -->
 	<warning>
 	  <para>Installing FreeBSD may make you want to delete Windows from
 	    your hard disk.</para>
 	</warning>	  
       </sect3>
       
       <sect3>
 	<title>Lists and procedures</title>
 	
 	<para>You will often need to list pieces of information to the user,
 	  or present them with a number of steps that must be carried out in
 	  order to accomplish a particular goal.</para>
 	
 	<para>In order to do this, use <sgmltag>itemizedlist</sgmltag>,
 	  <sgmltag>orderedlist</sgmltag>, or
 	  <sgmltag>procedure</sgmltag><footnote><para>There are other types of
 	      list element in DocBook, but we are not concerned with those at
 	      the moment.</para>
 	  </footnote>
 	</para>
 	  
 	<para><sgmltag>itemizedlist</sgmltag> and
 	  <sgmltag>orderedlist</sgmltag> are similar to their counterparts in
 	  HTML, <sgmltag>ul</sgmltag> and <sgmltag>ol</sgmltag>.  Each one
 	  consists of one or more <sgmltag>listitem</sgmltag> elements, and
 	  each <sgmltag>listitem</sgmltag> contains one or more block
 	  elements.  The <sgmltag>listitem</sgmltag> elements are analogous to
 	  HTML's <sgmltag>li</sgmltag> tags.  However, unlike HTML, they are
 	  required.</para>
 	
 	<para><sgmltag>procedure</sgmltag> is slightly different.  It consists
 	  of <sgmltag>step</sgmltag>s, which may in turn consists of more
 	  <sgmltag>step</sgmltag>s or <sgmltag>substep</sgmltag>s.  Each
 	  <sgmltag>step</sgmltag> contains block elements.</para>
 
 	<example>
 	  <title><sgmltag>itemizedlist</sgmltag>,
 	    <sgmltag>orderedlist</sgmltag>, and
 	    <sgmltag>procedure</sgmltag></title>
 	  
 	  <para>Use:</para>
 	    
 	  <programlisting><![ CDATA [<itemizedlist>
   <listitem>
     <para>This is the first itemized item.</para>
   </listitem>
 
   <listitem>
     <para>This is the second itemized item.</para>
   </listitem>
 </itemizedlist>
 
 <orderedlist>
   <listitem>
     <para>This is the first ordered item.</para>
   </listitem>
 
   <listitem>
     <para>This is the second ordered item.</para>
   </listitem>
 </orderedlist>
 
 <procedure>
   <step>
     <para>Do this.</para>
   </step>
 
   <step>
     <para>Then do this.</para>
   </step>
 
   <step>
     <para>And now do this.</para>
   </step>
 </procedure>]]></programlisting>
 	  
 	  <para>Appearance:</para>
 	  
 	  <itemizedlist>
 	    <listitem>
 	      <para>This is the first itemized item.</para>
 	    </listitem>
 	    
 	    <listitem>
 	      <para>This is the second itemized item.</para>
 	    </listitem>
 	  </itemizedlist>
 	  
 	  <orderedlist>
 	    <listitem>
 	      <para>This is the first ordered item.</para>
 	    </listitem>
 	    
 	    <listitem>
 	      <para>This is the second ordered item.</para>
 	    </listitem>
 	  </orderedlist>
 	</example>
 
 	<!-- Can't have <procedure> inside <example>, so this is a cheat -->
 	
 	<procedure>
 	  <step>
 	    <para>Do this.</para>
 	  </step>
 	  
 	  <step>
 	    <para>Then do this.</para>
 	  </step>
 	  
 	  <step>
 	    <para>And now do this.</para>
 	  </step>
 	</procedure>	  
       </sect3>
       
       <sect3>
 	<title>Showing file samples</title>
 	
 	<para>If you want to show a fragment of a file (or perhaps a complete
 	  file) to the user, wrap it in the <sgmltag>programlisting</sgmltag>
 	  element.</para>
 	  
 	<para>White space and line breaks within
 	  <sgmltag>programlisting</sgmltag> <emphasis>are</emphasis>
 	  significant.  In particular, this means that the opening tag should
 	  appear on the same line as the first line of the output, and the
 	  closing tag should appear on the same line as the last line of the
 	  output, otherwise spurious blank lines may be included.</para>
 	  
 	<example>
 	  <title><sgmltag>programlisting</sgmltag></title>
 	    
 	  <para>Use:</para>
 	    
 	  <programlisting><![ CDATA[<para>When you have finished, your program should look like
   this:</para>
 
 <programlisting>#include &lt;stdio.h&gt;
 
 int
 main(void)
 {
     printf("hello, world\n");
 }</programlisting>]]></programlisting>
 
 	  <para>Notice how the angle brackets in the
 	    <literal>#include</literal> line need to be referenced by their
 	    entities instead of being included literally.</para>
 	    
 	  <para>Appearance:</para>
 	    
 	  <para>When you have finished, your program should look like
 	    this;</para>
 	    
 	  <programlisting>#include &lt;stdio.h&gt;
 
 int
 main(void)
 {
     printf("hello, world\n");
 }</programlisting>	    
 	</example>
       </sect3>
 
       <sect3>
 	<title>Callouts</title>
 
 	<para>A callout is a mechanism for referring back to an earlier piece
 	  of text or specific position within an earlier example without
 	  linking to it within the text.</para>
 
 	<para>To do this, mark areas of interest in your example
 	  (<sgmltag>programlisting</sgmltag>,
 	  <sgmltag>literallayout</sgmltag>, or whatever) with the
 	  <sgmltag>co</sgmltag> element.  Each element must have a unique
 	  <literal>id</literal> assigned to it.  After the example include a
 	  <sgmltag>calloutlist</sgmltag> that refers back to the example and
 	  provides additional commentary.</para>
 	
 	<example>
 	  <title><sgmltag>co</sgmltag> and
 	    <sgmltag>calloutlist</sgmltag></title>
 
 	  <programlisting><![ CDATA[<para>When you have finished, your program should look like
   this;</para>
 
 <programlisting>#include &lt;stdio.h&gt; <co id="co-ex-include">
 
 int <co id="co-ex-return">
 main(void)
 {
     printf("hello, world\n"); <co id="co-ex-printf">
 }</programlisting>
 
 <calloutlist>
   <callout arearefs="co-ex-include">
     <para>Includes the standard IO header file.</para>
   </callout>
 
   <callout arearefs="co-ex-return">
     <para>Specifies that <function>main()</function> returns an
       int.</para>
   </callout>
 
   <callout arearefs="co-ex-printf">
     <para>The <function>printf()</function> call that writes
       <literal>hello, world</literal> to standard output.</para>
   </callout>
 </calloutlist>]]></programlisting>
 
 	  <para>Appearance:</para>
 
 	  <para>When you have finished, your program should look like
 	    this;</para>
 
 	  <programlisting>#include &lt;stdio.h&gt; <co id="co-ex-include">
 
 int <co id="co-ex-return">
 main(void)
 {
     printf("hello, world\n"); <co id="co-ex-printf">
 }</programlisting>
 
 	  <calloutlist>
 	    <callout arearefs="co-ex-include">
 	      <para>Includes the standard IO header file.</para>
 	    </callout>
 	    
 	    <callout arearefs="co-ex-return">
 	      <para>Specifies that <function>main()</function> returns an
 		int.</para>
 	    </callout>
 	    
 	    <callout arearefs="co-ex-printf">
 	      <para>The <function>printf()</function> call that writes
 		<literal>hello, world</literal> to standard output.</para>
 	    </callout>
 	  </calloutlist>	  
 	</example>
       </sect3>
       
       <sect3>
 	<title>Tables</title>
 	
 	<para>Unlike HTML, you do not need to use tables for layout purposes,
 	  as the stylesheet handles those issues for you.  Instead, just use
 	  tables for marking up tabular data.</para>
 
 	<para>In general terms (and see the DocBook documentation for more
 	  detail) a table (which can be either formal or informal) consists of
 	  a <sgmltag>table</sgmltag> element.  This contains at least one
 	  <sgmltag>tgroup</sgmltag> element, which specifies (as an attribute)
 	  the number of columns in this table group.  Within the tablegroup
 	  you can then have one <sgmltag>thead</sgmltag> element, which
 	  contains elements for the table headings (column headings), and one
 	  <sgmltag>tbody</sgmltag> which contains the body of the
 	  table.</para>
 
 	<para>Both <sgmltag>tgroup</sgmltag> and <sgmltag>thead</sgmltag>
 	  contain <sgmltag>row</sgmltag> elements, which in turn contain
 	  <sgmltag>entry</sgmltag> elements.  Each <sgmltag>entry</sgmltag>
 	  element specifies one cell in the table.</para>
 	  
 	<example>
 	  <title><sgmltag>informaltable</sgmltag></title>
 	  
 	  <para>Use:</para>
 	  
-	  <programlisting><![ CDATA [<informaltable frame="none">
+	  <programlisting><![ CDATA [<informaltable frame="none" pgwide="1">
   <tgroup cols="2">
     <thead>
       <row>
         <entry>This is column head 1</entry>
         <entry>This is column head 2</entry>
       </row>
     </thead>
 
     <tbody>
       <row>
         <entry>Row 1, column 1</entry>
         <entry>Row 1, column 2</entry>
       </row>
 
       <row>
         <entry>Row 2, column 1</entry>
         <entry>Row 2, column 2</entry>
       </row>
     </tbody>
   </tgroup>
 </informaltable>]]></programlisting>
 	  
 	  <para>Appearance:</para>
 	  
-	  <informaltable frame="none">
+	  <informaltable frame="none" pgwide="1">
 	    <tgroup cols="2">
 	      <thead>
 		<row>
 		  <entry>This is column head 1</entry>
 		  <entry>This is column head 2</entry>
 		</row>
 	      </thead>
 	      
 	      <tbody>
 		<row>
 		  <entry>Row 1, column 1</entry>
 		  <entry>Row 1, column 2</entry>
 		</row>
 		
 		<row>
 		  <entry>Row 2, column 1</entry>
 		  <entry>Row 2, column 2</entry>
 		</row>
 	      </tbody>
 	    </tgroup>
 	  </informaltable>
 	</example>
 	
+	<para>Always use the <literal>pgwide</literal> attribute with
+	  a value of <literal>1</literal> with the
+	  <sgmltag>informaltable</sgmltag> element.  A bug in Internet
+	  Explorer can cause the table to rendered incorrectly if this
+	  is omitted.</para>
+
 	<para>If you do not want a border around the table the
 	  <literal>frame</literal> attribute can be added to the
 	  <sgmltag>informaltable</sgmltag> element with a value of
 	  <literal>none</literal> (i.e., <literal>&lt;informaltable
 	    frame="none"&gt;</literal>).</para>
 
 	<example>
 	  <title>Tables where <literal>frame="none"</literal></title>
 	  
 	  <para>Appearance:</para>
 	
-	  <informaltable frame="none">
+	  <informaltable frame="none" pgwide="1">
 	    <tgroup cols="2">
 	      <thead>
 		<row>
 		  <entry>This is column head 1</entry>
 		  <entry>This is column head 2</entry>
 		</row>
 	      </thead>
 	      
 	      <tbody>
 		<row>
 		  <entry>Row 1, column 1</entry>
 		  <entry>Row 1, column 2</entry>
 		</row>
 		
 		<row>
 		  <entry>Row 2, column 1</entry>
 		  <entry>Row 2, column 2</entry>
 		</row>
 	      </tbody>
 	    </tgroup>
 	  </informaltable>
 	</example>
       </sect3>
       
       <sect3>
 	<title>Examples for the user to follow</title>
 	
 	<para>A lot of the time you need to show examples for the user to
 	  follow.  Typically, these will consist of dialogs with the computer;
 	  the user types in a command, the user gets a response back, they
 	  type in another command, and so on.</para>
 	  
 	<para>A number of distinct elements and entities come into play
 	  here.</para>
 	
 	<variablelist>
 	  <varlistentry>
 	    <term><sgmltag>screen</sgmltag></term>
 	    
 	    <listitem>
 	      <para>Everything the user sees in this example will be on the
 		computer screen, so the next element is
 		<sgmltag>screen</sgmltag>.</para>
 		
 	      <para>Within <sgmltag>screen</sgmltag>, white space is
 		significant.</para>
 	    </listitem>
 	  </varlistentry>
 	  
 	  <varlistentry>
 	    <term><sgmltag>prompt</sgmltag>,
 	      <literal>&amp;prompt.root;</literal> and
 	      <literal>&amp;prompt.user;</literal></term>
 	    
 	    <listitem>
 	      <para>Some of the things the user will be seeing on the screen
 		are prompts from the computer (either from the operating system, command
 		shell, or application).  These should be marked up using
 		<sgmltag>prompt</sgmltag>.</para>
 
 	      <para>As a special case, the two shell prompts for the normal
 		user and the root user have been provided as entities.  Every
 		time you want to indicate the user is at a shell prompt, use
 		one of <literal>&amp;prompt.root;</literal> and
 		<literal>&amp;prompt.user;</literal> as necessary.  They do
 		not need to be inside <sgmltag>prompt</sgmltag>.</para>
 
 	      <note>
 		<para><literal>&amp;prompt.root;</literal> and
 		  <literal>&amp;prompt.user;</literal> are FreeBSD
 		  extensions to DocBook, and are not part of the original
 		  DTD.</para>
 	      </note>
 	    </listitem>
 	  </varlistentry>
 	  
 	  <varlistentry>
 	    <term><sgmltag>userinput</sgmltag></term>
 	    
 	    <listitem>
 	      <para>When displaying text that the user should type in, wrap it
 		in <sgmltag>userinput</sgmltag> tags.  It will probably be
 		displayed differently to the user.</para>
 	    </listitem>
 	  </varlistentry>
 	</variablelist>
 	  
 	<example>
 	  <title><sgmltag>screen</sgmltag>, <sgmltag>prompt</sgmltag>, and
 	    <sgmltag>userinput</sgmltag></title>
 	  
 	  <para>Use:</para>
 	  
 	  <programlisting><![ CDATA [<screen>&prompt.user; <userinput>ls -1</userinput>
 foo1
 foo2
 foo3
 &prompt.user; <userinput>ls -1 | grep foo2</userinput>
 foo2
 &prompt.user; <userinput>su</userinput>
 <prompt>Password: </prompt>
 &prompt.root; <userinput>cat foo2</userinput>
 This is the file called 'foo2'</screen>]]></programlisting>
 	  
 	  <para>Appearance:</para>
 	
 	  <screen>&prompt.user; <userinput>ls -1</userinput>
 foo1
 foo2
 foo3
 &prompt.user; <userinput>ls -1 | grep foo2</userinput>
 foo2
 &prompt.user; <userinput>su</userinput>
 <prompt>Password: </prompt>
 &prompt.root; <userinput>cat foo2</userinput>
 This is the file called 'foo2'</screen>
 	</example>
 	
 	<note>
 	  <para>Even though we are displaying the contents of the file
 	    <filename>foo2</filename>, it is <emphasis>not</emphasis> marked
 	    up as <sgmltag>programlisting</sgmltag>.  Reserve
 	    <sgmltag>programlisting</sgmltag> for showing fragments of files
 	    outside the context of user actions.</para>
 	</note>
       </sect3>
     </sect2>
     
     <sect2>
       <title>In-line elements</title>
       
       <sect3>
 	<title>Emphasizing information</title>
 	
 	<para>When you want to emphasize a particular word or phrase, use
 	  <sgmltag>emphasis</sgmltag>.  This may be presented as italic, or
 	  bold, or might be spoken differently with a text-to-speech
 	  system.</para>
 	
 	<para>There is no way to change the presentation of the emphasis
 	  within your document, no equivalent of HTML's <sgmltag>b</sgmltag>
 	  and <sgmltag>i</sgmltag>.  If the information you are presenting is
 	  important then consider presenting it in
 	  <sgmltag>important</sgmltag> rather than
 	  <sgmltag>emphasis</sgmltag>.</para>
 	  
 	<example>
 	  <title><sgmltag>emphasis</sgmltag></title>
 	  
 	  <para>Use:</para>
 	  
 	  <programlisting><![ CDATA [<para>FreeBSD is without doubt <emphasis>the</emphasis>
   premiere Unix like operating system for the Intel architecture.</para>]]></programlisting>
 	  
 	  <para>Appearance:</para>
 	
 	  <para>FreeBSD is without doubt <emphasis>the</emphasis> premiere Unix
 	    like operating system for the Intel architecture.</para>
 	</example>
       </sect3>
 
       <sect3>
 	<title>Quotations</title>
 
 	<para>To quote text from another document or source, or to denote
 	  a phrase that is used figuratively, use <sgmltag>quote</sgmltag>.
 	  Within a <sgmltag>quote</sgmltag> tag, you may use most of the
 	  markup tags available for normal text.</para>
 
 	<example>
 	  <title>Quotations</title>
 
 	  <para>Use:</para>
 
 	  <programlisting><![ CDATA [<para>However, make sure that the search does not go beyond the
   <quote>boundary between local and public administration</quote>,
   as RFC 1535 calls it.</para>]]></programlisting>
 
 	  <para>Appearance:</para>
 
 	  <para>However, make sure that the search does not go beyond the
 	    <quote>boundary between local and public administration</quote>,
 	    as RFC 1535 calls it.</para>
 	</example>
       </sect3>
       
       <sect3>
 	<title>Keys, mouse buttons, and combinations</title>
 
 	<para>To refer to a specific key on the keyboard, use
 	  <sgmltag>keycap</sgmltag>.  To refer to a mouse button, use
 	  <sgmltag>mousebutton</sgmltag>.  And to refer to combinations of key
 	  presses or mouse clicks, wrap them all in
 	  <sgmltag>keycombo</sgmltag>.</para>
 
 	<para><sgmltag>keycombo</sgmltag> has an attribute called
 	  <literal>action</literal>, which may be one of
 	  <literal>click</literal>, <literal>double-click</literal>,
 	  <literal>other</literal>, <literal>press</literal>,
 	  <literal>seq</literal>, or <literal>simul</literal>.  The last two
 	  values denote whether the keys or buttons should be pressed in
 	  sequence, or simultaneously.</para>
 
 	<para>The stylesheets automatically add any connecting symbols, such
 	  as <literal>+</literal>, between the key names, when wrapped in
 	  <sgmltag>keycombo</sgmltag>.</para>
 	
 	<example>
 	  <title>Keys, mouse buttons, and combinations</title>
 	  
 	  <para>Use:</para>
 	  
 	  <programlisting><![ CDATA [<para>To switch to the second virtual terminal, press 
   <keycombo action="simul"><keycap>Alt</keycap>
     <keycap>F1</keycap></keycombo>.</para>
 
 <para>To exit <command>vi</command> without saving your work, type
   <keycombo action="seq"><keycap>Esc</keycap><keycap>:</keycap>
     <keycap>q</keycap><keycap>!</keycap></keycombo>.</para>
 
 <para>My window manager is configured so that
   <keycombo action="simul"><keycap>Alt</keycap>
     <mousebutton>right</mousebutton>
   </keycombo> mouse button is used to move windows.</para>]]></programlisting>
 
 	  <para>Appearance:</para>
 	  
 	  <para>To switch to the second virtual terminal, press 
 	    <keycombo action="simul"><keycap>Alt</keycap>
 	      <keycap>F1</keycap></keycombo>.</para>
 
 	  <para>To exit <command>vi</command> without saving your work, type
 	    <keycombo action="seq"><keycap>Esc</keycap><keycap>:</keycap>
 	      <keycap>q</keycap><keycap>!</keycap></keycombo>.</para>
 
 	  <para>My window manager is configured so that
 	    <keycombo action="simul"><keycap>Alt</keycap>
 	      <mousebutton>right</mousebutton>
 	    </keycombo> mouse button is used to move windows.</para>
 	</example>
       </sect3>
       
       <sect3>
 	<title>Applications, commands, options, and cites</title>
 	
 	<para>You will frequently want to refer to both applications and
 	  commands when writing for the Handbook.  The distinction between
 	  them is simple: an application is the name for a suite (or possibly
 	  just 1) of programs that fulfil a particular task.  A command is the
 	  name of a program that the user can run.</para>
 
 	<para>In addition, you will occasionally need to list one or more of
 	  the options that a command might take.</para>
 	
 	<para>Finally, you will often want to list a command with its manual
 	  section number, in the <quote>command(number)</quote> format so
 	  common in Unix manuals.</para>
 	
 	<para>Mark up application names with
 	  <sgmltag>application</sgmltag>.</para>
 	
 	<para>When you want to list a command with its manual section number
 	  (which should be most of the time) the DocBook element is 
 	  <sgmltag>citerefentry</sgmltag>.  This will contain a further two
 	  elements, <sgmltag>refentrytitle</sgmltag> and
 	  <sgmltag>manvolnum</sgmltag>.  The content of
 	  <sgmltag>refentrytitle</sgmltag> is the name of the command, and the
 	  content of <sgmltag>manvolnum</sgmltag> is the manual page
 	  section.</para>
 
 	<para>This can be cumbersome to write, and so a series of <link
 	    linkend="sgml-primer-general-entities">general entities</link>
 	  have been created to make this easier.  Each entity takes the form
 	  <literal>&amp;man.<replaceable>manual-page</replaceable>.<replaceable>manual-section</replaceable>;</literal>.</para>
 
 	<para>The file that contains these entities is in
 	  <filename>doc/share/sgml/man-refs.ent</filename>, and can be
 	  referred to using this FPI:</para>
 
 	<programlisting>PUBLIC "-//FreeBSD//ENTITIES DocBook Manual Page Entities//EN"</programlisting>
 
 	<para>Therefore, the introduction to your documentation will probably
 	  look like this:</para>
 
 	<programlisting>&lt;!DOCTYPE book PUBLIC "-//FreeBSD//DTD DocBook V4.1-Based Extension//EN" [
 
 &lt;!ENTITY % man PUBLIC "-//FreeBSD//ENTITIES DocBook Manual Page Entities//EN"&gt;
 %man;
 
 &hellip;
 
 ]&gt;</programlisting>
 
 	<para>Use <sgmltag>command</sgmltag> when you want to include a
 	  command name <quote>in-line</quote> but present it as something the
 	  user should type in.</para>
 
 	<para>Use <sgmltag>option</sgmltag> to mark up a command's
 	  options.</para>
 
 	<para>When referring to the same command multiple times in
 	  close proximity it is preferred to use the
 	  <literal>&amp;man.<replaceable>command</replaceable>.<replaceable>section</replaceable>;</literal>
 	  notation to markup the first reference and use
 	  <sgmltag>command</sgmltag> to markup subsequent references.
 	  This makes the generated output, especially HTML, appear
 	  visually better.</para>
 
 	<para>This can be confusing, and sometimes the choice is not always
 	  clear.  Hopefully this example makes it clearer.</para>
 
 	<example>
 	  <title>Applications, commands, and options.</title>
 	  
 	  <para>Use:</para>
 	  
 	  <programlisting><![ CDATA [<para><application>Sendmail</application> is the most
   widely used Unix mail application.</para>
 
 <para><application>Sendmail</application> includes the
   <citerefentry>
     <refentrytitle>sendmail</refentrytitle>
     <manvolnum>8</manvolnum>
   </citerefentry>, &man.mailq.8;, and &man.newaliases.8;
   programs.</para>
 
 <para>One of the command line parameters to <citerefentry>
     <refentrytitle>sendmail</refentrytitle>
     <manvolnum>8</manvolnum>
   </citerefentry>, <option>-bp</option>, will display the current
   status of messages in the mail queue.  Check this on the command
   line by running <command>sendmail -bp</command>.</para>]]></programlisting>
 
 	  <para>Appearance:</para>
 	  
 	  <para><application>Sendmail</application> is the most widely used
 	    Unix mail application.</para>
 	  
 	  <para><application>Sendmail</application> includes the
 	    <citerefentry>
 	      <refentrytitle>sendmail</refentrytitle>
 	      <manvolnum>8</manvolnum>
 	    </citerefentry>, <citerefentry>
 	      <refentrytitle>mailq</refentrytitle>
 	      <manvolnum>8</manvolnum>
 	    </citerefentry>, and <citerefentry>
 	      <refentrytitle>newaliases</refentrytitle>
 	      <manvolnum>8</manvolnum>
 	    </citerefentry> programs.</para>
 	  
 	  <para>One of the command line parameters to <citerefentry>
 	      <refentrytitle>sendmail</refentrytitle>
 	      <manvolnum>8</manvolnum>
 	    </citerefentry>, <option>-bp</option>, will display the current
 	    status of messages in the mail queue.  Check this on the command
 	    line by running <command>sendmail -bp</command>.</para>
 	</example>
 
 	<note>
 	  <para>Notice how the
 	    <literal>&amp;man.<replaceable>command</replaceable>.<replaceable>section</replaceable>;</literal> notation is easier to follow.</para>
 	</note>
       </sect3>
       
       <sect3>
 	<title>Files, directories, extensions</title>
 	
 	<para>Whenever you wish to refer to the name of a file, a directory,
 	  or a file extension, use <sgmltag>filename</sgmltag>.</para>
 	  
 	<example>
 	  <title><sgmltag>filename</sgmltag></title>
 	  
 	  <para>Use:</para>
 	  
 	  <programlisting><![ CDATA [<para>The SGML source for the Handbook in English can be
   found in <filename>/usr/doc/en/handbook/</filename>.  The first
   file is called <filename>handbook.sgml</filename> in that
   directory.  You should also see a <filename>Makefile</filename>
   and a number of files with a <filename>.ent</filename>
   extension.</para>]]></programlisting>
 
 	  <para>Appearance:</para>
 	  
 	  <para>The SGML source for the Handbook in English can be found in
 	    <filename>/usr/doc/en/handbook/</filename>.  The first file is
 	    called <filename>handbook.sgml</filename> in that directory.  You
 	    should also see a <filename>Makefile</filename> and a number of
 	    files with a <filename>.ent</filename> extension.</para>
 	</example>
       </sect3>
       
       <sect3>
         <title>The name of ports</title>
 	
 	<note>
 	  <title>FreeBSD extension</title>
 	  
 	  <para>These elements are part of the FreeBSD extension to DocBook,
 	    and do not exist in the original DocBook DTD.</para>
 	</note>
 	
         <para>You might need to include the name of a program from the
           FreeBSD Ports Collection in the documentation.  Use the
           <sgmltag>filename</sgmltag> tag with the <literal>role</literal>
           attribute set to <literal>package</literal> to identify these.
           Since ports
           can be installed in any number of locations, only include
           the category and the port name; do not include
           <filename>/usr/ports</filename>.</para>
 
         <example>
           <title><sgmltag>filename</sgmltag> tag with
             <literal>package</literal> role</title>
 
           <para>Use:</para>
 
           <programlisting><![ CDATA [<para>Install the <filename role="package">net/ethereal</filename> port to view network traffic.</para>]]></programlisting>
 
           <para>Appearance:</para>
 	  
           <para>Install the <filename role="package">net/ethereal</filename>
             port to view network traffic.</para>
         </example>
       </sect3>
 
       <sect3>
 	<title>Devices</title>
 	
 	<note>
 	  <title>FreeBSD extension</title>
 	  
 	  <para>These elements are part of the FreeBSD extension to DocBook,
 	    and do not exist in the original DocBook DTD.</para>
 	</note>
 	
 	<para>When referring to devices you have two choices.  You can either
 	  refer to the device as it appears in <filename>/dev</filename>, or
 	  you can use the name of the device as it appears in the kernel.  For
 	  this latter course, use <sgmltag>devicename</sgmltag>.</para>
 	  
 	<para>Sometimes you will not have a choice.  Some devices, such as
 	  networking cards, do not have entries in <filename>/dev</filename>,
 	  or the entries are markedly different from those entries.</para>
 	  
 	<example>
 	  <title><sgmltag>devicename</sgmltag></title>
 	  
 	  <para>Use:</para>
 	  
 	  <programlisting><![ CDATA [<para><devicename>sio</devicename> is used for serial
   communication in FreeBSD.  <devicename>sio</devicename> manifests
   through a number of entries in <filename>/dev</filename>, including
   <filename>/dev/ttyd0</filename> and <filename>/dev/cuaa0</filename>.</para>
 
 <para>By contrast, the networking devices, such as
   <devicename>ed0</devicename> do not appear in <filename>/dev</filename>.</para>
 
 <para>In MS-DOS, the first floppy drive is referred to as
   <devicename>a:</devicename>.  In FreeBSD it is
   <filename>/dev/fd0</filename>.</para>]]></programlisting>
 
 	  <para>Appearance:</para>
 	    
 	  <para><devicename>sio</devicename> is used for serial communication
 	    in FreeBSD.  <devicename>sio</devicename> manifests through a
 	    number of entries in <filename>/dev</filename>, including
 	    <filename>/dev/ttyd0</filename> and
 	    <filename>/dev/cuaa0</filename>.</para>
 	  
 	  <para>By contrast, the networking devices, such as
 	    <devicename>ed0</devicename> do not appear in
 	    <filename>/dev</filename>.</para>
 	    
 	  <para>In MS-DOS, the first floppy drive is referred to as
 	    <devicename>a:</devicename>.  In FreeBSD it is
 	    <filename>/dev/fd0</filename>.</para>	  
 	</example>
       </sect3>
 	
       <sect3>
 	<title>Hosts, domains, IP addresses, and so forth</title>
 	
 	<note>
 	  <title>FreeBSD extension</title>
 	  
 	  <para>These elements are part of the FreeBSD extension to DocBook,
 	    and do not exist in the original DocBook DTD.</para>
 	</note>
 	
 	<para>You can markup identification information for networked
 	  computers (hosts) in several ways, depending on the nature of the
 	  information.  All of them use <sgmltag>hostid</sgmltag> as the
 	  element, with the <literal>role</literal> attribute selecting the
 	  type of the marked up information.</para>
 	  
 	<variablelist>
 	  <varlistentry>
 	    <term>No role attribute, or
 	      <literal>role="hostname"</literal></term>
 	    
 	    <listitem>
 	      <para>With no role attribute (i.e.,
 		<sgmltag>hostid</sgmltag>...<sgmltag>/hostid</sgmltag>) the
 		marked up information is the simple hostname, such as
 		<literal>freefall</literal> or <literal>wcarchive</literal>.
 		You can explicitly specify this with
 		<literal>role="hostname"</literal>.</para>
 	    </listitem>
 	  </varlistentry>
 	    
 	  <varlistentry>
 	    <term><literal>role="domainname"</literal></term>
 	    
 	    <listitem>
 	      <para>The text is a domain name, such as
 		<literal>FreeBSD.org</literal> or
 		<literal>ngo.org.uk</literal>.  There is no hostname
 		component.</para>
 	    </listitem>
 	  </varlistentry>
 	  
 	  <varlistentry>
 	    <term><literal>role="fqdn"</literal></term>
 	    
 	    <listitem>
 	      <para>The text is a Fully Qualified Domain Name, with both
 		hostname and domain name parts.</para>
 	    </listitem>
 	  </varlistentry>
 
 	  <varlistentry>
 	    <term><literal>role="ipaddr"</literal></term>
 	    
 	    <listitem>
 	      <para>The text is an IP address, probably expressed as a dotted
 		quad.</para>
 	    </listitem>
 	  </varlistentry>
 
           <varlistentry>
             <term><literal>role="ip6addr"</literal></term>
 
             <listitem>
               <para>The text is an IPv6 address.</para>
             </listitem>
           </varlistentry>
 	  
 	  <varlistentry>
 	    <term><literal>role="netmask"</literal></term>
 	    
 	    <listitem>
 	      <para>The text is a network mask, which might be expressed as a
 		dotted quad, a hexadecimal string, or as a
 		<literal>/</literal> followed by a number.</para>
 	    </listitem>
 	  </varlistentry>
 	  
 	  <varlistentry>
 	    <term><literal>role="mac"</literal></term>
 	    
 	    <listitem>
 	      <para>The text is an Ethernet MAC address, expressed as a series
 		of 2 digit hexadecimal numbers separated by colons.</para>
 	    </listitem>
 	  </varlistentry>
 	</variablelist>
 	  
 	<example>
 	  <title><sgmltag>hostid</sgmltag> and roles</title>
 	    
 	  <para>Use:</para>
 	    
 	  <programlisting><![ CDATA [<para>The local machine can always be referred to by the
   name <hostid>localhost</hostid>, which will have the IP address
   <hostid role="ipaddr">127.0.0.1</hostid>.</para>
 
 <para>The <hostid role="domainname">FreeBSD.org</hostid> domain
   contains a number of different hosts, including
   <hostid role="fqdn">freefall.FreeBSD.org</hostid> and
   <hostid role="fqdn">bento.FreeBSD.org</hostid>.</para>
 
 <para>When adding an IP alias to an interface (using
   <command>ifconfig</command>) <emphasis>always</emphasis> use a
   netmask of <hostid role="netmask">255.255.255.255</hostid>
   (which can also be expressed as <hostid
     role="netmask">0xffffffff</hostid>.</para>
 
 <para>The MAC address uniquely identifies every network card
   in existence.  A typical MAC address looks like <hostid
     role="mac">08:00:20:87:ef:d0</hostid>.</para>]]></programlisting>
 
 	  <para>Appearance:</para>
 	  
 	  <para>The local machine can always be referred to by the name
 	    <hostid>localhost</hostid>, which will have the IP address <hostid
 	      role="ipaddr">127.0.0.1</hostid>.</para>
 
 	  <para>The <hostid role="domainname">FreeBSD.org</hostid> domain
 	    contains a number of different hosts, including <hostid
 	      role="fqdn">freefall.FreeBSD.org</hostid> and <hostid
 	      role="fqdn">bento.FreeBSD.org</hostid>.</para>
 
 	  <para>When adding an IP alias to an interface (using
 	    <command>ifconfig</command>) <emphasis>always</emphasis> use a
 	    netmask of <hostid role="netmask">255.255.255.255</hostid> (which
 	    can also be expressed as <hostid
 	      role="netmask">0xffffffff</hostid>.</para>
 
 	  <para>The MAC address uniquely identifies every network card in
 	    existence.  A typical MAC address looks like <hostid
 	      role="mac">08:00:20:87:ef:d0</hostid>.</para>	  
 	</example>
       </sect3>
       
       <sect3>
 	<title>Usernames</title>
 	
 	<note>
 	  <title>FreeBSD extension</title>
 	  
 	  <para>These elements are part of the FreeBSD extension to DocBook,
 	    and do not exist in the original DocBook DTD.</para>
 	</note>
 	
 	<para>When you need to refer to a specific username, such as
 	  <literal>root</literal> or <literal>bin</literal>, use
 	  <sgmltag>username</sgmltag>.</para>
 	
 	<example>
 	  <title><sgmltag>username</sgmltag></title>
 	  
 	  <para>Use:</para>
 	  
 	  <programlisting><![ CDATA [<para>To carry out most system administration functions you
   will need to be <username>root</username>.</para>]]></programlisting>
 
 	  <para>Appearance:</para>
 	  
 	  <para>To carry out most system administration functions you will
 	    need to be <username>root</username>.</para>
 	</example>
       </sect3>
       
       <sect3>
 	<title>Describing <filename>Makefile</filename>s</title>
 	
 	<note>
 	  <title>FreeBSD extension</title>
 	  
 	  <para>These elements are part of the FreeBSD extension to DocBook,
 	    and do not exist in the original DocBook DTD.</para>
 	</note>
 	
 	<para>Two elements exist to describe parts of
 	  <filename>Makefile</filename>s, <sgmltag>maketarget</sgmltag> and
 	  <sgmltag>makevar</sgmltag>.</para>
 	  
 	<para><sgmltag>maketarget</sgmltag> identifies a build target exported
 	  by a <filename>Makefile</filename> that can be given as a parameter
 	  to <command>make</command>.  <sgmltag>makevar</sgmltag> identifies a
 	  variable that can be set (in the environment, on the
 	  <command>make</command> command line, or within the
 	  <filename>Makefile</filename>) to influence the process.</para>
 
 	<example>
 	  <title><sgmltag>maketarget</sgmltag> and
 	    <sgmltag>makevar</sgmltag></title>
 	  
 	  <para>Use:</para>
 	  
 	  <programlisting><![ CDATA [<para>Two common targets in a <filename>Makefile</filename>
   are <maketarget>all</maketarget> and <maketarget>clean</maketarget>.</para>
 
 <para>Typically, invoking <maketarget>all</maketarget> will rebuild the
   application, and invoking <maketarget>clean</maketarget> will remove
   the temporary files (<filename>.o</filename> for example) created by
   the build process.</para>
 
 <para><maketarget>clean</maketarget> may be controlled by a number of
   variables, including <makevar>CLOBBER</makevar> and
   <makevar>RECURSE</makevar>.</para>]]></programlisting>
 
 	  <para>Appearance:</para>
 	  
 	  <para>Two common targets in a <filename>Makefile</filename> are
 	    <maketarget>all</maketarget> and
 	    <maketarget>clean</maketarget>.</para>
 	    
 	  <para>Typically, invoking <maketarget>all</maketarget> will rebuild
 	    the application, and invoking <maketarget>clean</maketarget> will
 	    remove the temporary files (<filename>.o</filename> for example)
 	    created by the build process.</para>
 	    
 	  <para><maketarget>clean</maketarget> may be controlled by a number
 	    of variables, including <makevar>CLOBBER</makevar> and
 	    <makevar>RECURSE</makevar>.</para>	  
 	</example>
       </sect3>
       
       <sect3>
 	<title>Literal text</title>
 	
 	<para>You will often need to include <quote>literal</quote> text in the
 	  Handbook.  This is text that is excerpted from another file, or
 	  which should be copied from the Handbook into another file
 	  verbatim.</para>
 
 	<para>Some of the time, <sgmltag>programlisting</sgmltag> will be
 	  sufficient to denote this text.  <sgmltag>programlisting</sgmltag>
 	  is not always appropriate, particularly when you want to include a
 	  portion of a file <quote>in-line</quote> with the rest of the
 	  paragraph.</para>
 
 	<para>On these occasions, use <sgmltag>literal</sgmltag>.</para>
 	
 	<example>
 	  <title><sgmltag>literal</sgmltag></title>
 	  
 	  <para>Use:</para>
 	  
 	  <programlisting><![ CDATA [<para>The <literal>maxusers 10</literal> line in the kernel
   configuration file determines the size of many system tables, and is
   a rough guide to how many simultaneous logins the system will
   support.</para>]]></programlisting>
 
 	  <para>Appearance:</para>
 	  
 	  <para>The <literal>maxusers 10</literal> line in the kernel
 	    configuration file determines the size of many system tables, and
 	    is a rough guide to how many simultaneous logins the system will
 	    support.</para>
 	</example>
       </sect3>
 	
       <sect3>
 	<title>Showing items that the user <emphasis>must</emphasis> fill
 	  in</title>
 	
 	<para>There will often be times when you want to show the user what to
 	  do, or refer to a file, or command line, or similar, where the user
 	  cannot simply copy the examples that you provide, but must instead
 	  include some information themselves.</para>
 	
 	<para><sgmltag>replaceable</sgmltag> is designed for this eventuality.
 	  Use it <emphasis>inside</emphasis> other elements to indicate parts
 	  of that element's content that the user must replace.</para>
 	
 	<example>
 	  <title><sgmltag>replaceable</sgmltag></title>
 	  
 	  <para>Use:</para>
 	  
 	  <programlisting><![ CDATA [<informalexample>
   <screen>&prompt.user; <userinput>man <replaceable>command</replaceable></userinput></screen>
 </informalexample>]]></programlisting>
 
 	  <para>Appearance:</para>
 	  
 	  <informalexample>
 	    <screen>&prompt.user; <userinput>man <replaceable>command</replaceable></userinput></screen>
 	  </informalexample>
 	  
 	  <para><sgmltag>replaceable</sgmltag> can be used in many different
 	    elements, including <sgmltag>literal</sgmltag>.  This example also
 	    shows that <sgmltag>replaceable</sgmltag> should only be wrapped
 	    around the content that the user <emphasis>is</emphasis> meant to
 	    provide.  The other content should be left alone.</para>
 	    
 	  <para>Use:</para>
 	    
 	  <programlisting><![ CDATA [<para>The <literal>maxusers <replaceable>n</replaceable></literal>
   line in the kernel configuration file determines the size of many system
   tables, and is a rough guide to how many simultaneous logins the system will
   support.</para>
 
 <para>For a desktop workstation, <literal>32</literal> is a good value
   for <replaceable>n</replaceable>.</para>]]></programlisting>
 
 	  <para>Appearance:</para>
 	  
 	  <para>The <literal>maxusers <replaceable>n</replaceable></literal>
 	    line in the kernel configuration file determines the size of many
 	    system tables, and is a rough guide to how many simultaneous
 	    logins the system will support.</para>
 
 	  <para>For a desktop workstation, <literal>32</literal> is a good
 	    value for <replaceable>n</replaceable>.</para>	  
 	</example>
       </sect3>
 
       <sect3>
         <title>Quoting system errors</title>
 
         <para>You might want to show errors generated by FreeBSD.
           Mark these with <sgmltag>errorname</sgmltag>.  This
           indicates the exact error that appears.</para>
 
         <example>
           <title><sgmltag>errorname</sgmltag></title>
 
           <para>Use:</para>
 
 	  <programlisting><![ CDATA [ 
 <screen><errorname>Panic: cannot mount root</errorname></screen> ]]>
 </programlisting>
 
 
           <para>Appearance:</para>
 
           <informalexample>
             <screen><errorname>Panic: cannot mount root</errorname></screen>
           </informalexample>
         </example>
       </sect3>
     </sect2>
 
     <sect2>
       <title>Images</title>
 
       <important>
 	<para>Image support in the documentation is currently extremely
 	  experimental.  I think the mechanisms described here are unlikely to
 	  change, but that is not guaranteed.</para>
 
 	<para>You will also need to install the
 	  <filename role="package">graphics/ImageMagick</filename> port, which is used to
 	  convert between the different image formats.  This is a big port,
 	  and most of it is not required.  However, while we are working on the
 	  <filename>Makefile</filename>s and other infrastructure it makes
 	  things easier.  This port is <emphasis>not</emphasis> in the
 	  <filename role="package">textproc/docproj</filename> meta port, you must install it
 	  by hand.</para>
 
 	<para>The best example of what follows in practice is the
 	  <filename>doc/en_US.ISO8859-1/articles/vm-design/</filename> document.
 	  If you are unsure of the description that follows, take a look at the
 	  files in that directory to see how everything hangs together.
 	  Experiment with creating different formatted versions of the
 	  document to see how the image markup appears in the formatted
 	  output.</para>
       </important>
 
       <sect3>
 	<title>Image formats</title>
 
 	<para>We currently support two formats for images.  The format you
 	  should use will depend on the nature of your image.</para>
 
 	<para>For images that are primarily vector based, such as network
 	  diagrams, time lines, and similar, use Encapsulated Postscript, and
 	  make sure that your images have the <filename>.eps</filename>
 	  extension.</para>
 
 	<para>For bitmaps, such as screen captures, use the Portable Network
 	  Graphic format, and make sure that your images have the
 	  <filename>.png</filename> extension.</para>
 
 	<para>These are the <emphasis>only</emphasis> formats in which images
 	  should be committed to the CVS repository.</para>
 
 	<para>Use the right format for the right image.  It is to be expected
 	  that your documentation will have a mix of EPS and PNG images.  The
 	  <filename>Makefile</filename>s ensure that the correct format image
 	  is chosen depending on the output format that you use for your
 	  documentation.  <emphasis>Do not commit the same image to the
 	    repository in two different formats</emphasis>.</para>
 
 	<important>
 	  <para>It is anticipated that the Documentation Project will switch to
 	    using the Scalable Vector Graphic (SVG) format for vector images.
 	    However, the current state of SVG capable editing tools makes this
 	    impractical.</para>
 	</important>
       </sect3>
 
       <sect3>
 	<title>Markup</title>
 
 	<para>The markup for an image is relatively simple.  First, markup a
 	  <sgmltag>mediaobject</sgmltag>.  The <sgmltag>mediaobject</sgmltag>
 	  can contain other, more specific objects.  We are concerned with
 	  two, the <sgmltag>imageobject</sgmltag> and the
 	  <sgmltag>textobject</sgmltag>.</para>
 
 	<para>You should include one <sgmltag>imageobject</sgmltag>, and two
 	  <sgmltag>textobject</sgmltag> elements.  The
 	  <sgmltag>imageobject</sgmltag> will point to the name of the image
 	  file that will be used (without the extension).  The
 	  <sgmltag>textobject</sgmltag> elements contain information that will
 	  be presented to the user as well as, or instead of, the
 	  image.</para>
 
 	<para>There are two circumstances where this can happen.</para>
 
 	<itemizedlist>
 	  <listitem>
 	    <para>When the reader is viewing the documentation in HTML.  In
 	      this case, each image will need to have associated alternate
 	      text to show the user, typically whilst the image is loading, or
 	      if they hover the mouse pointer over the image.</para>
 	  </listitem>
 
 	  <listitem>
 	    <para>When the reader is viewing the documentation in plain text.
 	      In this case, each image should have an ASCII art equivalent to
 	      show the user.</para>
 	  </listitem>
 	</itemizedlist>
 
 	<para>An example will probably make things easier to understand.
 	  Suppose you have an image, called <filename>fig1</filename>, that
 	  you want to include in the document.  This image is of a rectangle
 	  with an A inside it.  The markup for this would be as
 	  follows.</para>
 
 	<programlisting>&lt;mediaobject>
   &lt;imageobject>
     &lt;imagedata fileref="fig1"> <co id="co-image-ext">
   &lt;/imageobject>
 
   &lt;textobject>
     &lt;literallayout class="monospaced">+---------------+ <co id="co-image-literal">
 |       A       |
 +---------------+&lt;/literallayout>
   &lt;/textobject>
 
   &lt;textobject>
     &lt;phrase>A picture&lt;/phrase> <co id="co-image-phrase">
   &lt;/textobject>
 &lt;/mediaobject></programlisting>
 
 	<calloutlist>
 	  <callout arearefs="co-image-ext">
 	    <para>Include an <sgmltag>imagedata</sgmltag> element inside the
 	      <sgmltag>imageobject</sgmltag> element.  The
 	      <literal>fileref</literal> attribute should contain the filename
 	      of the image to include, without the extension.  The stylesheets
 	      will work out which extension should be added to the filename
 	      automatically.</para>
 	  </callout>
 
 	  <callout arearefs="co-image-literal">
 	    <para>The first <sgmltag>textobject</sgmltag> should contain a
 	      <sgmltag>literallayout</sgmltag> element, where the
 	      <literal>class</literal> attribute is set to
 	      <literal>monospaced</literal>.  This is your opportunity to
 	      demonstrate your ASCII art skills.  This content will be used if
 	      the document is converted to plain text.</para>
 
 	    <para>Notice how the first and last lines of the content of the
 	      <sgmltag>literallayout</sgmltag> element butt up next to the
 	      element's tags.  This ensures no extraneous white space is
 	      included.</para>
 	  </callout>
 
 	  <callout arearefs="co-image-phrase">
 	    <para>The second <sgmltag>textobject</sgmltag> should contain a
 	      single <sgmltag>phrase</sgmltag> element.  The contents of this
 	      will become the <literal>alt</literal> attribute for the image
 	      when this document is converted to HTML.</para>
 	  </callout>
 	</calloutlist>
       </sect3>
 
       <sect3>
 	<title><filename>Makefile</filename> entries</title>
 
 	<para>Your images must be listed in the
 	  <filename>Makefile</filename> in the <makevar>IMAGES</makevar>
 	  variable.  This variable should contain the name of all your
 	  <emphasis>source</emphasis> images.  For example, if you have
 	  created three figures, <filename>fig1.eps</filename>,
 	  <filename>fig2.png</filename>, <filename>fig3.png</filename>, then
 	  your <filename>Makefile</filename> should have lines like this in
 	  it.</para>
 
 	<programlisting>&hellip;
 IMAGES= fig1.eps fig2.png fig3.png
 &hellip;</programlisting>
 
 	<para>or</para>
 
 	<programlisting>&hellip;
 IMAGES=  fig1.eps
 IMAGES+= fig2.png
 IMAGES+= fig3.png
 &hellip;</programlisting>
 
 	<para>Again, the <filename>Makefile</filename> will work out the
 	  complete list of images it needs to build your source document, you
 	  only need to list the image files <emphasis>you</emphasis>
 	  provided.</para>
       </sect3>
 
       <sect3>
 	<title>Images and chapters in subdirectories</title>
 
 	<para>You must be careful when you separate your documentation into
 	  smaller files (see <xref linkend="sgml-primer-include-using-gen-entities">) in
 	  different directories.</para>
 	  
 	<para>Suppose you have a book with three chapters, and the chapters
 	  are stored in their own directories, called
 	  <filename>chapter1/chapter.sgml</filename>,
 	  <filename>chapter2/chapter.sgml</filename>, and
 	  <filename>chapter3/chapter.sgml</filename>.  If each chapter has
 	  images associated with it, I suggest you place those images in each
 	  chapter's subdirectory (<filename>chapter1/</filename>,
 	  <filename>chapter2/</filename>, and
 	  <filename>chapter3/</filename>).</para>
 
 	<para>However, if you do this you must include the directory names in
 	  the <makevar>IMAGES</makevar> variable in the
 	  <filename>Makefile</filename>, <emphasis>and</emphasis> you must
 	  include the directory name in the <sgmltag>imagedata</sgmltag>
 	  element in your document.</para>
 
 	<para>For example, if you have <filename>chapter1/fig1.png</filename>,
 	  then <filename>chapter1/chapter.sgml</filename> should
 	  contain</para>
 
 	<programlisting>&lt;mediaobject>
   &lt;imageobject>
     &lt;imagedata fileref="chapter1/fig1"> <co id="co-image-dir">
   &lt;/imageobject>
 
   &hellip;
 
 &lt;/mediaobject></programlisting>
 	
 	<calloutlist>
 	  <callout arearefs="co-image-dir">
 	    <para>The directory name must be included in the
 	      <literal>fileref</literal> attribute</para>
 	  </callout>
 	</calloutlist>
 
 	<para>The <filename>Makefile</filename> must contain</para>
 
 	<programlisting>&hellip;
 IMAGES=  chapter1/fig1.png
 &hellip;</programlisting>
 
 	<para>Then everything should just work.</para>
       </sect3>
     </sect2>
     
     <sect2>
       <title>Links</title>
 
       <note>
 	<para>Links are also in-line elements.</para>
       </note>
 
       <sect3>
 	<title>Linking to other parts of the same document</title>
 
 	<para>Linking within the same document requires you to specify
 	  where you are linking from (i.e., the text the user will click, or
 	  otherwise indicate, as the source of the link) and where you are
 	  linking to (the link's destination).</para>
 
 	<para>Each element within DocBook has an attribute called
 	  <literal>id</literal>.  You can place text in this attribute to
 	  uniquely name the element it is attached to.</para>
 
 	  <para>This value will be used when you specify the link
 	  source.</para>
 
 	<para>Normally, you will only be linking to chapters or sections, so
 	  you would add the <literal>id</literal> attribute to these
 	  elements.</para>
 
 	<example>
 	  <title><literal>id on chapters and sections</literal></title>
 
 	  <programlisting><![ CDATA [<chapter id="chapter1">
   <title>Introduction</title>
 
   <para>This is the introduction.  It contains a subsection,
     which is identified as well.</para>
 
   <sect1 id="chapter1-sect1">
     <title>Sub-sect 1</title>
 
     <para>This is the subsection.</para>
   </sect1>
 </chapter>]]></programlisting>
 	</example>
 	
 	<para>Obviously, you should use more descriptive values.  The values
 	  must be unique within the document (i.e., not just the file, but the
 	  document the file might be included in as well).  Notice how the
 	  <literal>id</literal> for the subsection is constructed by appending
 	  text to the <literal>id</literal> of the chapter.  This helps to
 	  ensure that they are unique.</para>
 
 	<para>If you want to allow the user to jump into a specific portion of
 	  the document (possibly in the middle of a paragraph or an example),
 	  use <sgmltag>anchor</sgmltag>.  This element has no content, but
 	  takes an <literal>id</literal> attribute.</para>
 
 	<example>
 	  <title><sgmltag>anchor</sgmltag></title>
 
 	  <programlisting><![ CDATA [<para>This paragraph has an embedded
   <anchor id="para1">link target in it.  It will not show up in
   the document.</para>]]></programlisting>
 	</example>
 	
 	<para>When you want to provide the user with a link they can activate
 	  (probably by clicking) to go to a section of the document that has
 	  an <literal>id</literal> attribute, you can use either
 	  <sgmltag>xref</sgmltag> or <sgmltag>link</sgmltag>.</para>
 
 	<para>Both of these elements have a <literal>linkend</literal>
 	  attribute.  The value of this attribute should be the value that you
 	  have used in a <literal>id</literal> attribute (it does not matter
 	  if that value has not yet occurred in your document; this will work
 	  for forward links as well as backward links).</para>
 	
 	<para>If you use <sgmltag>xref</sgmltag> then you have no control over
 	  the text of the link.  It will be generated for you.</para>
 	
 	<example>
 	  <title>Using <sgmltag>xref</sgmltag></title>
 
 	  <para>Assume that this fragment appears somewhere in a document that
 	    includes the <literal>id</literal> example;</para>
 	  
 	  <programlisting><![ CDATA [<para>More information can be found
   in <xref linkend="chapter1">.</para>
 
 <para>More specific information can be found
   in <xref linkend="chapter1-sect1">.</para>]]></programlisting>
 
 	  <para>The text of the link will be generated automatically, and will
 	    look like (<emphasis>emphasized</emphasis> text indicates the text
 	    that will be the link);</para>
 
 	  <blockquote>
 	    <para>More information can be found in <emphasis>Chapter
 		One</emphasis>.</para>
 
 	    <para>More specific information can be found in <emphasis>the
 		section called Sub-sect 1</emphasis>.</para>
 	  </blockquote>
 	</example>
 	
 	<para>Notice how the text from the link is derived from the section
 	  title or the chapter number.</para>
 
 	<note>
 	  <para>This means that you <emphasis>cannot</emphasis> use
 	    <sgmltag>xref</sgmltag> to link to an <literal>id</literal>
 	    attribute on an <sgmltag>anchor</sgmltag> element.  The
 	    <sgmltag>anchor</sgmltag> has no content, so the
 	    <sgmltag>xref</sgmltag> cannot generate the text for the
 	    link.</para>
 	</note>
 	
 	<para>If you want to control the text of the link then use
 	  <sgmltag>link</sgmltag>.  This element wraps content, and the
 	  content will be used for the link.</para>
 
 	<example>
 	  <title>Using <sgmltag>link</sgmltag></title>
 
 	  <para>Assume that this fragment appears somewhere in a document that
 	    includes the <literal>id</literal> example.</para>
 
 	  <programlisting><![ CDATA [<para>More information can be found in
   <link linkend="chapter1">the first chapter</link>.</para>
 
 <para>More specific information can be found in
   <link linkend="chapter1-sect1">this</link> section.</para>]]></programlisting>
 	  
 	  <para>This will generate the following
 	    (<emphasis>emphasized</emphasis> text indicates the text that will
 	    be the link);</para>
 	  
 	  <blockquote>
 	    <para>More information can be found in <emphasis>the first
 		chapter</emphasis>.</para>
 	    
 	    <para>More specific information can be found in
 	      <emphasis>this</emphasis> section.</para>
 	  </blockquote>
 	</example>
 	
 	<note>
 	  <para>That last one is a bad example.  Never use words like
 	    <quote>this</quote> or <quote>here</quote> as the source for the
 	    link.  The reader will need to hunt around the surrounding context
 	    to see where the link is actually taking them.</para>
 	</note>
 
 	<note>
 	  <para>You <emphasis>can</emphasis> use <sgmltag>link</sgmltag> to
 	    include a link to an <literal>id</literal> on an
 	    <sgmltag>anchor</sgmltag> element, since the
 	    <sgmltag>link</sgmltag> content defines the text that will be used
 	    for the link.</para>
 	</note>
       </sect3>
 
       <sect3>
 	<title>Linking to documents on the WWW</title>
 
 	<para>Linking to external documents is much simpler, as long as you
 	  know the URL of the document you want to link to.  Use
 	  <sgmltag>ulink</sgmltag>.  The <literal>url</literal> attribute is
 	  the URL of the page that the link points to, and the content of the
 	  element is the text that will be displayed for the user to
 	  activate.</para>
 
 	<example>
 	  <title><sgmltag>ulink</sgmltag></title>
 
 	  <para>Use:</para>
 
 	  <programlisting><![ CDATA [<para>Of course, you could stop reading this document and
   go to the <ulink url="&url.base;/index.html">FreeBSD
   home page</ulink> instead.</para>]]></programlisting>
 
 	  <para>Appearance:</para>
 
 	  <para>Of course, you could stop reading this document and go to the
 	    <ulink url="&url.base;/index.html">FreeBSD home page</ulink>
 	    instead.</para>
 	</example>
       </sect3>
     </sect2>
   </sect1>
 </chapter>
 
 
 <!--
      Local Variables:
      mode: sgml
      sgml-declaration: "../chapter.decl"
      sgml-indent-data: t
      sgml-omittag: nil
      sgml-always-quote-attributes: t
      sgml-parent-document: ("../book.sgml" "part" "chapter")
      End:
 -->
 
diff --git a/en_US.ISO8859-1/books/fdp-primer/sgml-primer/chapter.sgml b/en_US.ISO8859-1/books/fdp-primer/sgml-primer/chapter.sgml
index 1643f7a568..5ad5d14f44 100644
--- a/en_US.ISO8859-1/books/fdp-primer/sgml-primer/chapter.sgml
+++ b/en_US.ISO8859-1/books/fdp-primer/sgml-primer/chapter.sgml
@@ -1,1580 +1,1580 @@
 <!-- Copyright (c) 1998, 1999 Nik Clayton, All rights reserved.
 
      Redistribution and use in source (SGML DocBook) and 'compiled' forms
      (SGML, HTML, PDF, PostScript, RTF and so forth) with or without
      modification, are permitted provided that the following conditions
      are met:
 
       1. Redistributions of source code (SGML DocBook) must retain the above
          copyright notice, this list of conditions and the following
          disclaimer as the first lines of this file unmodified.
 
       2. Redistributions in compiled form (transformed to other DTDs,
          converted to PDF, PostScript, RTF and other formats) must reproduce
          the above copyright notice, this list of conditions and the
          following disclaimer in the documentation and/or other materials
          provided with the distribution.
 
      THIS DOCUMENTATION IS PROVIDED BY NIK CLAYTON "AS IS" AND ANY EXPRESS OR
      IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
      OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
      DISCLAIMED. IN NO EVENT SHALL NIK CLAYTON BE LIABLE FOR ANY DIRECT,
      INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
      (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
      SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
      HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
      STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
      ANY WAY OUT OF THE USE OF THIS DOCUMENTATION, EVEN IF ADVISED OF THE
      POSSIBILITY OF SUCH DAMAGE.
 
      $FreeBSD$
 -->
 
 <chapter id="sgml-primer">
   <title>SGML Primer</title>
 
   <para>The majority of FDP documentation is written in applications of
     SGML.  This chapter explains exactly what that means, how to read
     and understand the source to the documentation, and the sort of SGML
     tricks you will see used in the documentation.</para>
 
   <para>Portions of this section were inspired by Mark Galassi's <ulink
       url="http://nis-www.lanl.gov/~rosalia/mydocs/docbook-intro/docbook-intro.html">Get Going With DocBook</ulink>.</para>
   
   <sect1 id="sgml-primer-overview">
     <title>Overview</title>
 
     <para>Way back when, electronic text was simple to deal with.  Admittedly, 
       you had to know which character set your document was written in (ASCII, 
       EBCDIC, or one of a number of others) but that was about it.  Text was
       text, and what you saw really was what you got.  No frills, no
       formatting, no intelligence.</para>
 
     <para>Inevitably, this was not enough.  Once you have text in a
       machine-usable format, you expect machines to be able to use it and
       manipulate it intelligently.  You would like to indicate that certain
       phrases should be emphasized, or added to a glossary, or be hyperlinks.
       You might want filenames to be shown in a <quote>typewriter</quote> style 
       font for viewing on screen, but as <quote>italics</quote> when printed,
       or any of a myriad of other options for presentation.</para>
 
     <para>It was once hoped that Artificial Intelligence (AI) would make this
       easy.  Your computer would read in the document and automatically
       identify key phrases, filenames, text that the reader should type in,
       examples, and more.  Unfortunately, real life has not happened quite
       like that, and our computers require some assistance before they can
       meaningfully process our text.</para>
 
     <para>More precisely, they need help identifying what is what.  You or I
       can look at
 
       <blockquote>
 	<para>To remove <filename>/tmp/foo</filename> use &man.rm.1;.</para>
 
 	<screen>&prompt.user; <userinput>rm /tmp/foo</userinput></screen>
       </blockquote>
 
       and easily see which parts are filenames, which are commands to be typed
       in, which parts are references to manual pages, and so on.  But the
       computer processing the document cannot.  For this we need
       markup.</para>
     
     <para><quote>Markup</quote> is commonly used to describe <quote>adding
       value</quote> or <quote>increasing cost</quote>.  The term takes on both
       these meanings when applied to text.  Markup is additional text included 
       in the document, distinguished from the document's content in some way,
       so that programs that process the document can read the markup and use
       it when making decisions about the document.  Editors can hide the
       markup from the user, so the user is not distracted by it.</para>
 
     <para>The extra information stored in the markup <emphasis>adds
       value</emphasis> to the document.  Adding the markup to the document
       must typically be done by a person&mdash;after all, if computers could
       recognize the text sufficiently well to add the markup then there would
       be no need to add it in the first place.  This <emphasis>increases the
       cost</emphasis> (i.e., the effort required) to create the
       document.</para>
 
     <para>The previous example is actually represented in this document like
       this;</para>
 
     <programlisting><![ CDATA [
 <para>To remove <filename>/tmp/foo</filename> use &man.rm.1;.</para>
 
 <screen>&prompt.user; <userinput>rm /tmp/foo</userinput></screen>]]></programlisting>
 
     <para>As you can see, the markup is clearly separate from the
       content.</para>
 
     <para>Obviously, if you are going to use markup you need to define what
       your markup means, and how it should be interpreted.  You will need a
       markup language that you can follow when marking up your
       documents.</para>
     
    <para>Of course, one markup language might not be enough.  A markup
       language for technical documentation has very different requirements
       than a markup language that was to be used for cookery recipes.  This,
       in turn, would be very different from a markup language used to describe
       poetry.  What you really need is a first language that you use to write
       these other markup languages.  A <emphasis>meta markup
       language</emphasis>.</para>
     
     <para>This is exactly what the Standard Generalized Markup Language (SGML)
       is.  Many markup languages have been written in SGML, including the two
       most used by the FDP, HTML and DocBook.</para>
     
     <para>Each language definition is more properly called a Document Type
       Definition (DTD).  The DTD specifies the name of the elements that can
       be used, what order they appear in (and whether some markup can be used
       inside other markup) and related information.  A DTD is sometimes
       referred to as an <emphasis>application</emphasis> of SGML.</para>
 
     <para id="sgml-primer-validating">A DTD is a <emphasis>complete</emphasis>
       specification of all the elements that are allowed to appear, the order
       in which they should appear, which elements are mandatory, which are
       optional, and so forth. This makes it possible to write an SGML
       <emphasis>parser</emphasis> which reads in both the DTD and a document
       which claims to conform to the DTD.  The parser can then confirm whether
       or not all the elements required by the DTD are in the document in the
       right order, and whether there are any errors in the markup.  This is
       normally referred to as <quote>validating  the document</quote>.</para>
 
     <note>
       <para>This processing simply confirms that the choice of elements, their 
 	ordering, and so on, conforms to that listed in the DTD.  It does
 	<emphasis>not</emphasis> check that you have used
 	<emphasis>appropriate</emphasis> markup for the content.  If you
 	tried to mark up all the filenames in your document as function
 	names, the parser would not flag this as an error (assuming, of
 	course, that your DTD defines elements for filenames and functions,
 	and that they are allowed to appear in the same place).</para>
     </note>
     
     <para>It is likely that most of your contributions to the Documentation
       Project will consist of content marked up in either HTML or DocBook,
       rather than alterations to the DTDs.  For this reason this book will
       not touch on how to write a DTD.</para>
   </sect1>
   
   <sect1 id="sgml-primer-elements">
     <title>Elements, tags, and attributes</title>
 
     <para>All the DTDs written in SGML share certain characteristics.  This is
       hardly surprising, as the philosophy behind SGML will inevitably show
       through. One of the most obvious manifestations of this philosophy is
       that of <emphasis>content</emphasis> and
       <emphasis>elements</emphasis>.</para>
 
     <para>Your documentation (whether it is a single web page, or a lengthy
       book) is considered to consist of content.  This content is then divided
       (and further subdivided) into elements.  The purpose of adding markup is
       to name and identify the boundaries of these elements for further
       processing.</para>
 
     <para>For example, consider a typical book.  At the very top level, the
       book is itself an element.  This <quote>book</quote> element obviously
       contains chapters, which can be considered to be elements in their own
       right.  Each chapter will contain more elements, such as paragraphs,
       quotations, and footnotes.  Each paragraph might contain further
       elements, identifying content that was direct speech, or the name of a
       character in the story.</para>
 
     <para>You might like to think of this as <quote>chunking</quote> content.
       At the very top level you have one chunk, the book.  Look a little
       deeper, and you have more chunks, the individual chapters.  These are
       chunked further into paragraphs, footnotes, character names, and so
       on.</para>
 
     <para>Notice how you can make this differentiation between different
       elements of the content without resorting to any SGML terms.  It really
       is surprisingly straightforward.  You could do this with a highlighter
       pen and a printout of the book, using different colors to indicate
       different chunks of content.</para>
 
     <para>Of course, we do not have an electronic highlighter pen, so we need
       some other way of indicating which element each piece of content belongs
       to.  In languages written in SGML (HTML, DocBook, et al) this is done by
       means of <emphasis>tags</emphasis>.</para>
 
     <para>A tag is used to identify where a particular element starts, and
       where the element ends.  <emphasis>The tag is not part of the element
       itself</emphasis>. Because each DTD was normally written to mark up
       specific types of information, each one will recognize different
       elements, and will therefore have different names for the tags.</para>
 
     <para>For an element called <replaceable>element-name</replaceable> the
       start tag will normally look like
       <literal>&lt;<replaceable>element-name</replaceable>&gt;</literal>.  The
       corresponding closing tag for this element is
       <literal>&lt;/<replaceable>element-name</replaceable>&gt;</literal>.</para>
 
     <example>
       <title>Using an element (start and end tags)</title>
 
       <para>HTML has an element for indicating that the content enclosed by
 	the element is a paragraph, called <literal>p</literal>.  This
 	element has both start and end tags.</para>
       
       <programlisting><![ CDATA [<p>This is a paragraph.  It starts with the start tag for
   the 'p' element, and it will end with the end tag for the 'p'
   element.</p>
 
 <p>This is another paragraph.  But this one is much shorter.</p>]]></programlisting>	  
     </example>
 
     <para>Not all elements require an end tag.  Some elements have no content.
       For example, in HTML you can indicate that you want a horizontal line to
       appear in the document.  Obviously, this line has no content, so just
       the start tag is required for this element.</para>
 
     <example>
       <title>Using an element (start tag only)</title>
 
       <para>HTML has an element for indicating a horizontal rule, called
 	<literal>hr</literal>.  This element does not wrap content, so only
 	has a start tag.</para>
 
       <programlisting><![ CDATA [<p>This is a paragraph.</p>
 
 <hr>
 
 <p>This is another paragraph.  A horizontal rule separates this
   from the previous paragraph.</p>]]></programlisting>
     </example>
     
     <para>If it is not obvious by now, elements can contain other elements.
       In the book example earlier, the book element contained all the chapter
       elements, which in turn contained all the paragraph elements, and so
       on.</para>
 
     <example>
       <title>Elements within elements; <sgmltag>em</sgmltag></title>
       
       <programlisting><![ CDATA [<p>This is a simple <em>paragraph</em> where some
   of the <em>words</em> have been <em>emphasized</em>.</p>]]></programlisting>
     </example>
     
     <para>The DTD will specify the rules detailing which elements can contain
       other elements, and exactly what they can contain.</para>
 
     <important>
       <para>People often confuse the terms tags and elements, and use the
 	terms as if they were interchangeable.  They are not.</para>
 
       <para>An element is a conceptual part of your document.  An element has
 	a defined start and end.  The tags mark where the element starts and
 	end.</para>
 
       <para>When this document (or anyone else knowledgeable about SGML) refers
 	to <quote>the &lt;p&gt; tag</quote> they mean the literal text
 	consisting of the three characters <literal>&lt;</literal>,
 	<literal>p</literal>, and <literal>&gt;</literal>.  But the phrase
 	<quote>the &lt;p&gt; element</quote> refers to the whole
 	element.</para>
 
       <para>This distinction <emphasis>is</emphasis> very subtle.  But keep it 
 	in mind.</para>
     </important>
       
     <para>Elements can have attributes.  An attribute has a name and a value,
       and is used for adding extra information to the element.  This might be
       information that indicates how the content should be rendered, or might
       be something that uniquely identifies that occurrence of the element, or
       it might be something else.</para>
 
     <para>An element's attributes are written <emphasis>inside</emphasis> the
       start tag for that element, and take the form
       <literal><replaceable>attribute-name</replaceable>="<replaceable>attribute-value</replaceable>"</literal>.</para>
 
     <para>In sufficiently recent versions of HTML, the <sgmltag>p</sgmltag>
       element has an attribute called <literal>align</literal>, which suggests
       an alignment (justification) for the paragraph to the program displaying
       the HTML.</para>
 
     <para>The <literal>align</literal> attribute can take one of four defined
       values, <literal>left</literal>, <literal>center</literal>,
       <literal>right</literal> and <literal>justify</literal>.  If the
       attribute is not specified then the default is
       <literal>left</literal>.</para>
 
     <example>
       <title>Using an element with an attribute</title>
       
       <programlisting><![ CDATA [<p align="left">The inclusion of the align attribute
   on this paragraph was superfluous, since the default is left.</p>
 
 <p align="center">This may appear in the center.</p>]]></programlisting>
     </example>
     
     <para>Some attributes will only take specific values, such as
       <literal>left</literal> or <literal>justify</literal>.  Others will
       allow you to enter anything you want.  If you need to include quotes
       (<literal>"</literal>) within an attribute then use single quotes around
       the attribute value.</para>
 
     <example>
       <title>Single quotes around attributes</title>
       
       <programlisting><![ CDATA [<p align='right'>I am on the right!</p>]]></programlisting>
     </example>
 
     <para>Sometimes you do not need to use quotes around attribute values at
       all.  However, the rules for doing this are subtle, and it is far
       simpler just to <emphasis>always</emphasis> quote your attribute
       values.</para>
 
     <para>The information on attributes, elements, and tags is stored
       in SGML catalogs.  The various Documentation Project tools use
       these catalog files to validate your work.  The tools in
       <filename role="package">textproc/docproj</filename> include a variety of SGML catalog
       files.  The FreeBSD Documentation Project includes its own set
       of catalog files.  Your tools need to know about both sorts of
       catalog files.</para>
 
     <sect2>
       <title>For you to do&hellip;</title>
 
       <para>In order to run the examples in this document you will need to
         install some software on your system and ensure that an environment
         variable is set correctly.</para>
     
       <procedure>
 	<step>
 	  <para>Download and install <filename role="package">textproc/docproj</filename>
 	    from the FreeBSD ports system.  This is a
             <emphasis>meta-port</emphasis> that should download and install
             all of the programs and supporting files that are used by the
             Documentation Project.</para>
 	</step>
 	
         <step>
           <para>Add lines to your shell startup files to set
             <envar>SGML_CATALOG_FILES</envar>. (If you are not working
             on the English version of the documentation, you will want
             to substitute the correct directory for your
             language.)</para>
     
 	  <example id="sgml-primer-envars">
 	    <title><filename>.profile</filename>, for &man.sh.1; and
 	      &man.bash.1; users</title>
 	    
 	    <programlisting>SGML_ROOT=/usr/local/share/sgml	    
 SGML_CATALOG_FILES=${SGML_ROOT}/jade/catalog
 SGML_CATALOG_FILES=${SGML_ROOT}/iso8879/catalog:$SGML_CATALOG_FILES
 SGML_CATALOG_FILES=${SGML_ROOT}/html/catalog:$SGML_CATALOG_FILES
 SGML_CATALOG_FILES=${SGML_ROOT}/docbook/4.1/catalog:$SGML_CATALOG_FILES
 SGML_CATALOG_FILES=/usr/doc/share/sgml/catalog:$SGML_CATALOG_FILES
 SGML_CATALOG_FILES=/usr/doc/en_US.ISO8859-1/share/sgml/catalog:$SGML_CATALOG_FILES
 export SGML_CATALOG_FILES</programlisting>
 	  </example>
 
 	  <example>
 	    <title><filename>.cshrc</filename>, for &man.csh.1; and
 	      &man.tcsh.1; users</title>
 	    
 	    <programlisting>setenv SGML_ROOT /usr/local/share/sgml
 setenv SGML_CATALOG_FILES ${SGML_ROOT}/jade/catalog
 setenv SGML_CATALOG_FILES ${SGML_ROOT}/iso8879/catalog:$SGML_CATALOG_FILES
 setenv SGML_CATALOG_FILES ${SGML_ROOT}/html/catalog:$SGML_CATALOG_FILES
 setenv SGML_CATALOG_FILES ${SGML_ROOT}/docbook/4.1/catalog:$SGML_CATALOG_FILES
 setenv SGML_CATALOG_FILES /usr/doc/share/sgml/catalog:$SGML_CATALOG_FILES
 setenv SGML_CATALOG_FILES /usr/doc/en_US.ISO8859-1/share/sgml/catalog:$SGML_CATALOG_FILES</programlisting>
           </example>
     
           <para>Then either log out, and log back in again, or run those
             commands from the command line to set the variable values.</para>
 	</step>
       </procedure>
     
       <procedure>
 	<step>
 	  <para>Create <filename>example.sgml</filename>, and enter the
             following text;</para>
 
 	  <programlisting><![ CDATA [<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
 
 <html>
   <head>	     
     <title>An example HTML file</title>
   </head>
 
   <body>	    
     <p>This is a paragraph containing some text.</p>
 
     <p>This paragraph contains some more text.</p>
 
     <p align="right">This paragraph might be right-justified.</p>
   </body>	    
 </html>]]></programlisting>
 	</step>
 
 	<step>
 	  <para>Try to validate this file using an SGML parser.</para>
 
 	  <para>Part of <filename role="package">textproc/docproj</filename> is the
 	    <command>nsgmls</command> <link linkend="sgml-primer-validating">validating
 	    parser</link>.  Normally, <command>nsgmls</command> reads in a document
 	    marked up according to an SGML DTD and returns a copy of the
 	    document's Element Structure Information Set (ESIS, but that is
 	    not important right now).</para>
 
 	  <para>However, when <command>nsgmls</command> is given the <option>-s</option>
 	    parameter, <command>nsgmls</command> will suppress its normal output, and
 	    just print error messages.  This makes it a useful way to check to
 	    see if your document is valid or not.</para>
 
 	  <para>Use <command>nsgmls</command> to check that your document is
 	    valid;</para>
 
           <screen>&prompt.user; <userinput>nsgmls -s example.sgml</userinput></screen>
 
 	  <para>As you will see, <command>nsgmls</command> returns without displaying any
 	    output.  This means that your document validated
 	    successfully.</para>
 	</step>
 
 	<step>
 	  <para>See what happens when required elements are omitted.  Try
 	    removing the <sgmltag>title</sgmltag> and
 	    <sgmltag>/title</sgmltag> tags, and re-run the validation.</para>
 
           <screen>&prompt.user; <userinput>nsgmls -s example.sgml</userinput>
 nsgmls:example.sgml:5:4:E: character data is not allowed here
 nsgmls:example.sgml:6:8:E: end tag for "HEAD" which is not finished</screen>
 
 	  <para>The error output from <command>nsgmls</command> is organized into
 	    colon-separated groups, or columns.</para>
 
-	  <informaltable frame="none">
+	  <informaltable frame="none" pgwide="1">
 	    <tgroup cols="2">
 	      <thead>
 		<row>
 		  <entry>Column</entry>
 		  <entry>Meaning</entry>
 		</row>
 	      </thead>
 	      
 	      <tbody>
 		<row>
 		  <entry>1</entry>
 		  <entry>The name of the program generating the error.  This
 		    will always be <literal>nsgmls</literal>.</entry>
 		</row>
 
 		<row>
 		  <entry>2</entry>
 		  <entry>The name of the file that contains the error.</entry>
 		</row>
 
 		<row>
 		  <entry>3</entry>
 		  <entry>Line number where the error appears.</entry>
 		</row>
 
 		<row>
 		  <entry>4</entry>
 		  <entry>Column number where the error appears.</entry>
 		</row>
 
 		<row>
 		  <entry>5</entry>
 		  <entry>A one letter code indicating the nature of the
 		    message.  <literal>I</literal> indicates an informational
 		    message, <literal>W</literal> is for warnings, and
 		    <literal>E</literal> is for errors<footnote>
 		      <para>It is not always the fifth column either.
 			<command>nsgmls -sv</command> displays
 			<literal>nsgmls:I: SP version "1.3"</literal>
 			(depending on the installed version).  As you can see,
 			this is an informational message.</para>
 		    </footnote>, and <literal>X</literal> is for
 		    cross-references.  As you can see, these messages are
 		    errors.</entry>
 		</row>
 
 		<row>
 		  <entry>6</entry>
 		  <entry>The text of the error message.</entry>
 		</row>
 	      </tbody>
 	    </tgroup>
 	  </informaltable>
 
 	  <para>Simply omitting the <sgmltag>title</sgmltag> tags has
 	    generated 2 different errors.</para>
 
 	  <para>The first error indicates that content (in this case,
 	    characters, rather than the start tag for an element) has occurred
 	    where the SGML parser was expecting something else.  In this case,
 	    the parser was expecting to see one of the start tags for elements
 	    that are valid inside <sgmltag>head</sgmltag> (such as
 	    <sgmltag>title</sgmltag>).</para>
 
 	  <para>The second error is because <sgmltag>head</sgmltag> elements
 	    <emphasis>must</emphasis> contain a <sgmltag>title</sgmltag>
 	    element.  Because it does not <command>nsgmls</command> considers that the
 	    element has not been properly finished.  However, the closing tag
 	    indicates that the element has been closed before it has been
 	    finished.</para>
 	</step>
 
 	<step>
 	  <para>Put the <literal>title</literal> element back in.</para>
 	</step>
       </procedure>
     </sect2>
   </sect1>
 
   <sect1 id="sgml-primer-doctype-declaration">
     <title>The DOCTYPE declaration</title>
 
     <para>The beginning of each document that you write must specify the name
       of the DTD that the document conforms to.  This is so that SGML parsers
       can determine the DTD and ensure that the document does conform to 
       it.</para>
 
     <para>This information is generally expressed on one line, in the DOCTYPE
       declaration.</para>
 
     <para>A typical declaration for a document written to conform with version
       4.0 of the HTML DTD looks like this;</para>
 
     <programlisting><![ CDATA [<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0//EN">]]></programlisting>
 
     <para>That line contains a number of different components.</para>
 
     <variablelist>
       <varlistentry>
 	<term><literal>&lt;!</literal></term>
 	
 	<listitem>
 	  <para>Is the <emphasis>indicator</emphasis> that indicates that this
 	    is an SGML declaration.  This line is declaring the document type.
 	  </para>
 	</listitem>
       </varlistentry>
 
       <varlistentry>
 	<term><literal>DOCTYPE</literal></term>
 	
 	<listitem>
 	  <para>Shows that this is an SGML declaration for the document
 	    type.</para>
 	</listitem>
       </varlistentry>
       
       <varlistentry>
 	<term><literal>html</literal></term>
 	
 	<listitem>
 	  <para>Names the first <link linkend="sgml-primer-elements">element</link> that
 	    will appear in the document.</para>
 	</listitem>
       </varlistentry>
 
       <varlistentry>
 	<term><literal>PUBLIC "-//W3C//DTD HTML 4.0//EN"</literal></term>
 
 	<listitem>
 	  <para>Lists the Formal Public Identifier (FPI)<indexterm>
 	      <primary>Formal Public Identifier</primary>
 	    </indexterm>
 	    for the DTD that this
 	    document conforms to.  Your SGML parser will use this to find the
 	    correct DTD when processing this document.</para>
 
 	  <para><literal>PUBLIC</literal> is not a part of the FPI, but
 	    indicates to the SGML processor how to find the DTD referenced in
 	    the FPI.  Other ways of telling the SGML parser how to find the
 	    DTD are shown <link
 	      linkend="sgml-primer-fpi-alternatives">later</link>.</para>
 	</listitem>
       </varlistentry>
 
       <varlistentry>
 	<term><literal>&gt;</literal></term>
 	
 	<listitem>
 	  <para>Returns to the document.</para>
 	</listitem>
       </varlistentry>
     </variablelist>
     
     <sect2>
       <title>Formal Public Identifiers (FPIs)<indexterm significance="preferred">
 	  <primary>Formal Public Identifier</primary>
 	</indexterm>
 </title>
 
       <note>
 	<para>You do not need to know this, but it is useful background, and
 	  might help you debug problems when your SGML processor can not locate
 	  the DTD you are using.</para>
       </note>
       
       <para>FPIs must follow a specific syntax.  This syntax is as
 	follows;</para>
 
       <programlisting>"<replaceable>Owner</replaceable>//<replaceable>Keyword</replaceable> <replaceable>Description</replaceable>//<replaceable>Language</replaceable>"</programlisting>
 
       <variablelist>
 	<varlistentry>
 	  <term><replaceable>Owner</replaceable></term>
 	  
 	  <listitem>
 	    <para>This indicates the owner of the FPI.</para>
 
 	    <para>If this string starts with <quote>ISO</quote> then this is an
 	      ISO owned FPI.  For example, the FPI <literal>"ISO
 		8879:1986//ENTITIES Greek Symbols//EN"</literal> lists
 	      <literal>ISO 8879:1986</literal> as being the owner for the set
 	      of entities for Greek symbols.  ISO 8879:1986 is the ISO number
 	      for the SGML standard.</para>
 
 	    <para>Otherwise, this string will either look like
 	      <literal>-//<replaceable>Owner</replaceable></literal> or
 	      <literal>+//<replaceable>Owner</replaceable></literal> (notice
 	      the only difference is the leading <literal>+</literal> or
 	      <literal>-</literal>).</para>
 
 	    <para>If the string starts with <literal>-</literal> then the
 	      owner information is unregistered, with a <literal>+</literal>
 	      it identifies it as being registered.</para>
 
 	    <para>ISO 9070:1991 defines how registered names are generated; it
 	      might be derived from the number of an ISO publication, an ISBN
 	      code, or an organization code assigned according to ISO 6523.
 	      In addition, a registration authority could be created in order
 	      to assign registered names.  The ISO council delegated this to
 	      the American National Standards Institute (ANSI).</para>
 
 	    <para>Because the FreeBSD Project has not been registered the
 	      owner string is <literal>-//FreeBSD</literal>.  And as you can
 	      see, the W3C are not a registered owner either.</para>
 	  </listitem>
 	</varlistentry>
 	
 	<varlistentry>
 	  <term><replaceable>Keyword</replaceable></term>
 	  
 	  <listitem>
 	    <para>There are several keywords that indicate the type of
 	      information in the file.  Some of the most common keywords are
 	      <literal>DTD</literal>, <literal>ELEMENT</literal>,
 	      <literal>ENTITIES</literal>, and <literal>TEXT</literal>.
 	      <literal>DTD</literal> is used only for DTD files,
 	      <literal>ELEMENT</literal> is usually used for DTD fragments
 	      that contain only entity or element declarations.
 	      <literal>TEXT</literal> is used for SGML content (text and
 	      tags).</para>
 	  </listitem>
 	</varlistentry>
 	
 	<varlistentry>
 	  <term><replaceable>Description</replaceable></term>
 	  
 	  <listitem>
 	    <para>Any description you want to supply for the contents of this
 	      file.  This may include version numbers or any short text that
 	      is meaningful to you and unique for the SGML system.</para>
 	  </listitem>
 	</varlistentry>
 	
 	<varlistentry>
 	  <term><replaceable>Language</replaceable></term>
 	  
 	  <listitem>
 	    <para>This is an ISO two-character code that identifies the native
 	      language for the file.  <literal>EN</literal> is used for
 	      English.</para>
 	  </listitem>
 	</varlistentry>
       </variablelist>
       
       <sect3>
 	<title><filename>catalog</filename> files</title>
 	
 	<para>If you use the syntax above and process this document
 	  using an SGML processor, the processor will need to have some way of
 	  turning the FPI into the name of the file on your computer that
 	  contains the DTD.</para>
 	
 	<para>In order to do this it can use a catalog file.  A catalog file
 	  (typically called <filename>catalog</filename>) contains lines that
 	  map FPIs to filenames.  For example, if the catalog file contained
 	  the line;</para>
 	
 	<programlisting>PUBLIC "-//W3C//DTD HTML 4.0//EN"             "4.0/strict.dtd"</programlisting>
 
 	<para>The SGML processor would know to look up the DTD from
 	  <filename>strict.dtd</filename> in the <filename>4.0</filename>
 	  subdirectory of whichever directory held the
 	  <filename>catalog</filename> file that contained that line.</para>
 
 	<para>Look at the contents of
 	  <filename>/usr/local/share/sgml/html/catalog</filename>.  This is
 	  the catalog file for the HTML DTDs that will have been installed as
 	  part of the <filename role="package">textproc/docproj</filename> port.</para>
       </sect3>
 
       <sect3>
 	<title><envar>SGML_CATALOG_FILES</envar></title>
 
 	<para>In order to locate a <filename>catalog</filename> file, your
 	  SGML processor will need to know where to look.  Many of them
 	  feature command line parameters for specifying the path to one or
 	  more catalogs.</para>
 
 	<para>In addition, you can set <envar>SGML_CATALOG_FILES</envar> to
 	  point to the files.  This environment variable should consist of a
 	  colon-separated list of catalog files (including their full
 	  path).</para>
 
 	<para>Typically, you will want to include the following files;</para>
 
 	<itemizedlist>
 	  <listitem>
 	    <para><filename>/usr/local/share/sgml/docbook/4.1/catalog</filename></para>
 	  </listitem>
 
 	  <listitem>
 	    <para><filename>/usr/local/share/sgml/html/catalog</filename></para>
 	  </listitem>
 
 	  <listitem>
 	    <para><filename>/usr/local/share/sgml/iso8879/catalog</filename></para>
 	  </listitem>
 
 	  <listitem>
 	    <para><filename>/usr/local/share/sgml/jade/catalog</filename></para>
 	  </listitem>
 	</itemizedlist>
 
 	<para>You should <link linkend="sgml-primer-envars">already have done
 	    this</link>.</para>
       </sect3>
     </sect2>
     
     <sect2 id="sgml-primer-fpi-alternatives">
       <title>Alternatives to FPIs</title>
       
       <para>Instead of using an FPI to indicate the DTD that the document
 	conforms to (and therefore, which file on the system contains the DTD)
 	you can explicitly specify the name of the file.</para>
       
       <para>The syntax for this is slightly different:</para>
       
       <programlisting><![ CDATA [<!DOCTYPE html SYSTEM "/path/to/file.dtd">]]></programlisting>
       
       <para>The <literal>SYSTEM</literal> keyword indicates that the SGML
 	processor should locate the DTD in a system specific fashion.  This
 	typically (but not always) means the DTD will be provided as a
 	filename.</para>
       
       <para>Using FPIs is preferred for reasons of portability.  You do not
 	want to have to ship a copy of the DTD around with your document, and
 	if you used the <literal>SYSTEM</literal> identifier then everyone
 	would need to keep their DTDs in the same place.</para>
     </sect2>
   </sect1>
   
   <sect1 id="sgml-primer-sgml-escape">
     <title>Escaping back to SGML</title>
 
     <para>Earlier in this primer I said that SGML is only used when writing a
       DTD.  This is not strictly true.  There is certain SGML syntax that you
       will want to be able to use within your documents.  For example,
       comments can be included in your document, and will be ignored by the
       parser.  Comments are entered using SGML syntax.  Other uses for SGML
       syntax in your document will be shown later too.</para>
       
     <para>Obviously, you need some way of indicating to the SGML processor
       that the following content is not elements within the document, but is
       SGML that the parser should act upon.</para>
 
     <para>These sections are marked by <literal>&lt;! ...  &gt;</literal> in
       your document.  Everything between these delimiters is SGML syntax as
       you might find within a DTD.</para>
 
     <para>As you may just have realized, the <link
 	linkend="sgml-primer-doctype-declaration">DOCTYPE declaration</link>
       is an example of SGML syntax that you need to include in your
       document&hellip;</para>
   </sect1>
   
   <sect1 id="sgml-primer-comments">
     <title>Comments</title>
     
     <para>Comments are an SGML construction, and are normally only valid
       inside a DTD.  However, as <xref linkend="sgml-primer-sgml-escape">
       shows, it is possible to use SGML syntax within your document.</para>
 
     <para>The delimiter for SGML comments is the string
       <quote><literal>--</literal></quote>.  The first occurrence of this string
       opens a comment, and the second closes it.</para>
 
     <example>
       <title>SGML generic comment</title>
 
       <programlisting>&lt;!-- test comment --></programlisting>
       
       <programlisting><![ CDATA [
 <!-- This is inside the comment -->
 
 <!-- This is another comment    -->
 
 <!-- This is one way
      of doing multiline comments -->
 
 <!-- This is another way of   --
   -- doing multiline comments -->]]></programlisting>
     </example>
 
     <![ %output.print; [
     <important>
       <title>Use 2 dashes</title>
 
       <para>There is a problem with producing the Postscript and PDF versions
 	of this document.  The above example probably shows just one hyphen
 	symbol, <literal>-</literal> after the <literal>&lt;!</literal> and
 	before the <literal>&gt;</literal>.</para>
 
       <para>You <emphasis>must</emphasis> use two <literal>-</literal>,
 	<emphasis>not</emphasis> one.  The Postscript and PDF versions have
 	translated the two <literal>-</literal> in the original to a longer,
 	more professional <emphasis>em-dash</emphasis>, and broken this
 	example in the process.</para>
 
       <para>The HTML, plain text, and RTF versions of this document are not
 	affected.</para>
     </important>
     ]]>
     
     <para>If you have used HTML before you may have been shown different rules
       for comments.  In particular, you may think that the string
       <literal>&lt;!--</literal> opens a comment, and it is only closed by
       <literal>--&gt;</literal>.</para>
 
     <para>This is <emphasis>not</emphasis> the case.  A lot of web browsers
       have broken HTML parsers, and will accept that as valid.  However, the
       SGML parsers used by the Documentation Project are much stricter, and
       will reject documents that make that error.</para>
 
     <example>
       <title>Erroneous SGML comments</title>
 
       <programlisting><![ CDATA [
 <!-- This is in the comment --
 
      THIS IS OUTSIDE THE COMMENT!
 
   -- back inside the comment -->]]></programlisting>
 
       <para>The SGML parser will treat this as though it were actually;</para>
 
       <programlisting>&lt;!THIS IS OUTSIDE THE COMMENT&gt;</programlisting>
 
       <para>This is not valid SGML, and may give confusing error
 	messages.</para>
 
       <programlisting><![ CDATA [<!--------------- This is a very bad idea --------------->]]></programlisting>
 
       <para>As the example suggests, <emphasis>do not</emphasis> write
 	comments like that.</para>
 
       <programlisting><![ CDATA [<!--===================================================-->]]></programlisting>
 
       <para>That is a (slightly) better approach, but it still potentially
 	confusing to people new to SGML.</para>
     </example>
 
     <sect2>
       <title>For you to do&hellip;</title>
 
       <procedure>
 	<step>
 	  <para>Add some comments to <filename>example.sgml</filename>, and
 	    check that the file still validates using <command>nsgmls</command></para>
 	</step>
 
 	<step>
 	  <para>Add some invalid comments to
 	    <filename>example.sgml</filename>, and see the error messages that
 	    <command>nsgmls</command> gives when it encounters an invalid comment.</para>
 	</step>
       </procedure>
     </sect2>
   </sect1>
     
   <sect1 id="sgml-primer-entities">
     <title>Entities</title>
 
     <para>Entities are a mechanism for assigning names to chunks of content.
       As an SGML parser processes your document, any entities it finds are
       replaced by the content of the entity.</para>
     
     <para>This is a good way to have re-usable, easily changeable chunks of
       content in your SGML documents.  It is also the only way to include one
       marked up file inside another using SGML.</para>
     
     <para>There are two types of entities which can be used in two different
       situations; <emphasis>general entities</emphasis> and
       <emphasis>parameter entities</emphasis>.</para>
     
     <sect2 id="sgml-primer-general-entities">
       <title>General Entities</title>
       
       <para>You cannot use general entities in an SGML context (although you
 	define them in one).  They can only be used in your document.
 	Contrast this with <link
 	  linkend="sgml-primer-parameter-entities">parameter
 	  entities</link>.</para>
 
       <para>Each general entity has a name.  When you want to reference a
 	general entity (and therefore include whatever text it represents in
 	your document), you write
 	<literal>&amp;<replaceable>entity-name</replaceable>;</literal>.  For
 	example, suppose you had an entity called
 	<literal>current.version</literal> which expanded to the current
 	version number of your product.  You could write;</para>
 
       <programlisting><![ CDATA [<para>The current version of our product is
   &current.version;.</para>]]></programlisting>
 
       <para>When the version number changes you can simply change the
 	definition of the value of the general entity and reprocess your
 	document.</para>
 
       <para>You can also use general entities to enter characters that you
 	could not otherwise include in an SGML document.  For example, &lt;
 	and &amp; cannot normally appear in an SGML document.  When the SGML
 	parser sees the &lt; symbol it assumes that a tag (either a start tag
 	or an end tag) is about to appear, and when it sees the &amp; symbol
 	it assumes the next text will be the name of an entity.</para>
 
       <para>Fortunately, you can use the two general entities &amp;lt; and
 	&amp;amp; whenever you need to include one or other of these </para>
 	
       <para>A general entity can only be defined within an SGML context.
 	Typically, this is done immediately after the DOCTYPE
 	declaration.</para>
 
       <example>
 	<title>Defining general entities</title>
 
 	<programlisting><![ CDATA [<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0//EN" [
 <!ENTITY current.version    "3.0-RELEASE">
 <!ENTITY last.version       "2.2.7-RELEASE">
 ]>]]></programlisting>
 	  
 	<para>Notice how the DOCTYPE declaration has been extended by adding a
 	  square bracket at the end of the first line.  The two entities are
 	  then defined over the next two lines, before the square bracket is
 	  closed, and then the DOCTYPE declaration is closed.</para>
 
 	<para>The square brackets are necessary to indicate that we are
 	  extending the DTD indicated by the DOCTYPE declaration.</para>
       </example>
     </sect2>
     
     <sect2 id="sgml-primer-parameter-entities">
       <title>Parameter entities</title>
 
       <para>Like <link linkend="sgml-primer-general-entities">general
 	  entities</link>, parameter entities are used to assign names to
 	reusable chunks of text.  However, where as general entities can only
 	be used within your document, parameter entities can only be used
 	within an <link linkend="sgml-primer-sgml-escape">SGML
 	  context</link>.</para>
 
       <para>Parameter entities are defined in a similar way to general
 	entities.  However, instead of using
 	<literal>&amp;<replaceable>entity-name</replaceable>;</literal> to
 	refer to them, use
 	<literal>%<replaceable>entity-name</replaceable>;</literal><footnote>
 	  <para><emphasis>P</emphasis>arameter entities use the
 	    <emphasis>P</emphasis>ercent symbol.</para>
 	</footnote>.  The definition also includes the <literal>%</literal>
 	between the <literal>ENTITY</literal> keyword and the name of the
 	entity.</para>
       
       <example>
 	<title>Defining parameter entities</title>
 	
 	<programlisting><![ CDATA [<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0//EN" [
 <!ENTITY % param.some "some">
 <!ENTITY % param.text "text">
 <!ENTITY % param.new  "%param.some more %param.text">
 
 <!-- %param.new now contains "some more text" -->
 ]>]]></programlisting>
       </example>
 	
       <para>This may not seem particularly useful.  It will be.</para>
     </sect2>
 
     <sect2>
       <title>For you to do&hellip;</title>
 
       <procedure>
 	<step>
 	  <para>Add a general entity to
 	    <filename>example.sgml</filename>.</para>
 
 	  <programlisting><![ CDATA [<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" [
 <!ENTITY version "1.1">
 ]>	  
 
 <html>
   <head>	     
     <title>An example HTML file</title>
   </head>
 
   <!-- You might well have some comments in here as well -->
 	  
   <body>	    
     <p>This is a paragraph containing some text.</p>
 
     <p>This paragraph contains some more text.</p>
 
     <p align="right">This paragraph might be right-justified.</p>
 
     <p>The current version of this document is: &version;</p>	  
   </body>	    
 </html>]]></programlisting>	  
 	</step>
 
 	<step>
 	  <para>Validate the document using <command>nsgmls</command></para>
 	</step>
 
 	<step>
 	  <para>Load <filename>example.sgml</filename> into your web browser
 	    (you may need to copy it to <filename>example.html</filename>
 	    before your browser recognizes it as an HTML document).</para>
 
 	  <para>Unless your browser is very advanced, you will not see the entity
 	    reference <literal>&amp;version;</literal> replaced with the
 	    version number.  Most web browsers have very simplistic parsers
 	    which do not handle proper SGML<footnote>
 	      <para>This is a shame.  Imagine all the problems and hacks (such
 		as Server Side Includes) that could be avoided if they
 		did.</para>
 	    </footnote>.</para>
 	</step>
 
 	<step>
 	  <para>The solution is to <emphasis>normalize</emphasis> your
 	    document using an SGML normalizer.  The normalizer reads in valid
 	    SGML and outputs equally valid SGML which has been transformed in
 	    some way.  One of the ways in which the normalizer transforms the
 	    SGML is to expand all the entity references in the document,
 	    replacing the entities with the text that they represent.</para>
 
 	  <para>You can use <command>sgmlnorm</command> to do this.</para>
 
           <screen>&prompt.user; <userinput>sgmlnorm example.sgml > example.html</userinput></screen>
 
 	  <para>You should find a normalized (i.e., entity references
 	    expanded) copy of your document in
 	    <filename>example.html</filename>, ready to load into your web
 	    browser.</para>
 	</step>
 
 	<step>
 	  <para>If you look at the output from <command>sgmlnorm</command>
 	    you will see that it does not include a DOCTYPE declaration at
 	    the start.  To include this you need to use the <option>-d</option>
 	    option;</para>
 
           <screen>&prompt.user; <userinput>sgmlnorm -d example.sgml > example.html</userinput></screen>
 	</step>
       </procedure>
     </sect2>
   </sect1>
   
   <sect1 id="sgml-primer-include">
     <title>Using entities to include files</title>
     
     <para>Entities (both <link
 	linkend="sgml-primer-general-entities">general</link> and <link
 	linkend="sgml-primer-parameter-entities">parameter</link>) are
       particularly useful when used to include one file inside another.</para>
 
     <sect2 id="sgml-primer-include-using-gen-entities">
       <title>Using general entities to include files</title>
       
       <para>Suppose you have some content for an SGML book organized into
 	files, one file per chapter, called
 	<filename>chapter1.sgml</filename>,
 	<filename>chapter2.sgml</filename>, and so forth, with a
 	<filename>book.sgml</filename> file that will contain these
 	chapters.</para>
 
       <para>In order to use the contents of these files as the values for your
 	entities, you declare them with the <literal>SYSTEM</literal> keyword.
 	This directs the SGML parser to use the contents of the named file as
 	the value of the entity.</para>
 
       <example>
 	<title>Using general entities to include files</title>
 	
 	<programlisting><![ CDATA [<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0//EN" [
 <!ENTITY chapter.1 SYSTEM "chapter1.sgml">
 <!ENTITY chapter.2 SYSTEM "chapter2.sgml">
 <!ENTITY chapter.3 SYSTEM "chapter3.sgml">
 <!-- And so forth -->
 ]>
 
 <html>
   <!-- Use the entities to load in the chapters -->
 
   &chapter.1;
   &chapter.2;
   &chapter.3;
 </html>]]></programlisting>
       </example>
       
       <warning>
 	<para>When using general entities to include other files within a
 	  document, the files being included
 	  (<filename>chapter1.sgml</filename>,
 	  <filename>chapter2.sgml</filename>, and so on) <emphasis>must
 	    not</emphasis> start with a DOCTYPE declaration.  This is a syntax
 	  error.</para>
       </warning>
     </sect2>
     
     <sect2>
       <title>Using parameter entities to include files</title>
       
       <para>Recall that parameter entities can only be used inside an SGML
 	context.  Why then would you want to include a file within an SGML
 	context?</para>
 
       <para>You can use this to ensure that you can reuse your general
 	entities.</para>
 
       <para>Suppose that you had many chapters in your document, and you
 	reused these chapters in two different books, each book organizing the
 	chapters in a different fashion.</para>
 
       <para>You could list the entities at the top of each book, but this
 	quickly becomes cumbersome to manage.</para>
 
       <para>Instead, place the general entity definitions inside one file,
 	and use a parameter entity to include that file within your
 	document.</para>
 
       <example>
 	<title>Using parameter entities to include files</title>
 
 	<para>First, place your entity definitions in a separate file, called
 	  <filename>chapters.ent</filename>.  This file contains the
 	  following;</para>
 	  
 	<programlisting><![ CDATA [<!ENTITY chapter.1 SYSTEM "chapter1.sgml">
 <!ENTITY chapter.2 SYSTEM "chapter2.sgml">
 <!ENTITY chapter.3 SYSTEM "chapter3.sgml">]]></programlisting>
 
 	<para>Now create a parameter entity to refer to the contents of the
 	  file.  Then use the parameter entity to load the file into the
 	  document, which will then make all the general entities available
 	  for use.  Then use the general entities as before;</para>
 
 	<programlisting><![ CDATA [<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0//EN" [
 <!-- Define a parameter entity to load in the chapter general entities -->
 <!ENTITY % chapters SYSTEM "chapters.ent">
 
 <!-- Now use the parameter entity to load in this file -->
 %chapters;
 ]>
 
 <html>
   &chapter.1;
   &chapter.2;
   &chapter.3;
 </html>]]></programlisting>
       </example>
     </sect2>
 
     <sect2>
       <title>For you to do&hellip;</title>
 
       <sect3>
 	<title>Use general entities to include files</title>
 
 	<procedure>
 	  <step>
 	    <para>Create three files, <filename>para1.sgml</filename>,
 	      <filename>para2.sgml</filename>, and
 	      <filename>para3.sgml</filename>.</para>
 
 	    <para>Put content similar to the following in each file;</para>
 
 	    <programlisting><![ CDATA [<p>This is the first paragraph.</p>]]></programlisting>
 	  </step>
 
 	  <step>
 	    <para>Edit <filename>example.sgml</filename> so that it looks like
 	      this;</para>
 
 	    <programlisting><![ CDATA [<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0//EN" [
 <!ENTITY version "1.1">
 <!ENTITY para1 SYSTEM "para1.sgml">
 <!ENTITY para2 SYSTEM "para2.sgml">
 <!ENTITY para3 SYSTEM "para3.sgml">
 ]>
 
 <html>
   <head>
     <title>An example HTML file</title>
   </head>
 
   <body>
     <p>The current version of this document is: &version;</p>
 
     &para1;
     &para2;
     &para3;
   </body>
 </html>]]></programlisting>
 	  </step>
 
 	  <step>
 	    <para>Produce <filename>example.html</filename> by normalizing
 	      <filename>example.sgml</filename>.</para>
 
             <screen>&prompt.user; <userinput>sgmlnorm -d example.sgml > example.html</userinput></screen>
 	  </step>
 
 	  <step>
 	    <para>Load <filename>example.html</filename> into your web
 	      browser, and confirm that the
 	      <filename>para<replaceable>n</replaceable>.sgml</filename> files
 	      have been included in <filename>example.html</filename>.</para>
 	  </step>
 	</procedure>
       </sect3>
 
       <sect3>
 	<title>Use parameter entities to include files</title>
 
 	<note>
 	  <para>You must have taken the previous steps first.</para>
 	</note>
 	
 	<procedure>
 	  <step>
 	    <para>Edit <filename>example.sgml</filename> so that it looks like
 	      this;</para>
 	    
 	    <programlisting><![ CDATA [<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0//EN" [
 <!ENTITY % entities SYSTEM "entities.sgml"> %entities;
 ]>
 
 <html>
   <head>
     <title>An example HTML file</title>
   </head>
 
   <body>
     <p>The current version of this document is: &version;</p>
 
     &para1;
     &para2;
     &para3;
   </body>
 </html>]]></programlisting>
 	  </step>
 
 	  <step>
 	    <para>Create a new file, <filename>entities.sgml</filename>, with
 	      this content:</para>
 
 	    <programlisting><![ CDATA [<!ENTITY version "1.1">
 <!ENTITY para1 SYSTEM "para1.sgml">
 <!ENTITY para2 SYSTEM "para2.sgml">
 <!ENTITY para3 SYSTEM "para3.sgml">]]></programlisting>
 	  </step>
 
 	  <step>
 	    <para>Produce <filename>example.html</filename> by normalizing
 	      <filename>example.sgml</filename>.</para>
 
             <screen>&prompt.user; <userinput>sgmlnorm -d example.sgml > example.html</userinput></screen>
 	  </step>
 
 	  <step>
 	    <para>Load <filename>example.html</filename> into your web
 	      browser, and confirm that the
 	      <filename>para<replaceable>n</replaceable>.sgml</filename> files
 	      have been included in <filename>example.html</filename>.</para>
 	  </step>
 	</procedure>
       </sect3>
     </sect2>
   </sect1>
   
   <sect1 id="sgml-primer-marked-sections">
     <title>Marked sections</title>
     
     <para>SGML provides a mechanism to indicate that particular pieces of the
       document should be processed in a special way.  These are termed
       <quote>marked sections</quote>.</para>
 
     <example>
       <title>Structure of a marked section</title>
 
       <programlisting>&lt;![ <replaceable>KEYWORD</replaceable> [
   Contents of marked section
 ]]&gt;</programlisting>
     </example>
 
     <para>As you would expect, being an SGML construct, a marked section
       starts with <literal>&lt!</literal>.</para>
 
     <para>The first square bracket begins to delimit the marked
       section.</para>
 
     <para><replaceable>KEYWORD</replaceable> describes how this marked
       section should be processed by the parser.</para>
 
     <para>The second square bracket indicates that the content of the marked
       section starts here.</para>
     
     <para>The marked section is finished by closing the two square brackets,
       and then returning to the document context from the SGML context with
       <literal>&gt;</literal></para>
     
     <sect2>
       <title>Marked section keywords</title>
       
       <sect3>
 	<title><literal>CDATA</literal>, <literal>RCDATA</literal></title>
 	
 	<para>These keywords denote the marked sections <emphasis>content
 	    model</emphasis>, and allow you to change it from the
 	  default.</para>
 	
 	<para>When an SGML parser is processing a document it keeps track
 	  of what is called the <quote>content model</quote>.</para>
 	
 	<para>Briefly, the content model describes what sort of content the
 	  parser is expecting to see, and what it will do with it when it
 	  finds it.</para>
 
 	<para>The two content models you will probably find most useful are
 	  <literal>CDATA</literal> and <literal>RCDATA</literal>.</para>
 	
 	<para><literal>CDATA</literal> is for <quote>Character Data</quote>.
 	  If the parser is in this content model then it is expecting to see
 	  characters, and characters only.  In this model the &lt; and &amp;
 	  symbols lose their special status, and will be treated as ordinary
 	  characters.</para>
 	
 	<para><literal>RCDATA</literal> is for <quote>Entity references and
 	  character data</quote> If the parser is in this content model then it
 	  is expecting to see characters <emphasis>and</emphasis> entities.
 	  &lt; loses its special status, but &amp; will still be treated as
 	  starting the beginning of a general entity.</para>
 	
 	<para>This is particularly useful if you are including some verbatim
 	  text that contains lots of &lt; and &amp; characters.  While you
 	  could go through the text ensuring that every &lt; is converted to a
 	  &amp;lt; and every &amp; is converted to a &amp;amp;, it can be
 	  easier to mark the section as only containing CDATA.  When the SGML
 	  parser encounters this it will ignore the &lt; and &amp; symbols
 	  embedded in the content.</para>
 
         <note>
           <para>When you use <literal>CDATA</literal> or
             <literal>RCDATA</literal> in examples of text marked up in SGML,
             keep in mind that the content of <literal>CDATA</literal> is not
             validated.  You have to check the included SGML text using other
             means.  You could, for example, write the example in another
             document, validate the example code, and then paste it to your
             <literal>CDATA</literal> content.</para>
         </note>
 	<!-- The nesting of CDATA within the next example is disgusting -->
 	  
 	<example>
 	  <title>Using a CDATA marked section</title>
 	  
 	  <programlisting>&lt;para>Here is an example of how you would include some text
   that contained many &amp;lt; and &amp;amp; symbols.  The sample
   text is a fragment of HTML.  The surrounding text (&lt;para> and
   &lt;programlisting>) are from DocBook.&lt;/para>
 
 &lt;programlisting>
   &lt;![ CDATA [  <![ CDATA [
     <p>This is a sample that shows you some of the elements within
       HTML.  Since the angle brackets are used so many times, it is
       simpler to say the whole example is a CDATA marked section
       than to use the entity names for the left and right angle
       brackets throughout.</p>
 
     <ul>
       <li>This is a listitem</li>
       <li>This is a second listitem</li>
       <li>This is a third listitem</li>
     </ul>
 
     <p>This is the end of the example.</p>]]>
   ]]&gt;
 &lt;/programlisting></programlisting>
 
 	  <para>If you look at the source for this document you will see this
 	    technique used throughout.</para>
 	</example>
       </sect3>
       
       <sect3>
 	<title><literal>INCLUDE</literal> and
 	  <literal>IGNORE</literal></title>
 	
 	<para>If the keyword is <literal>INCLUDE</literal> then the contents
 	  of the marked section will be processed.  If the keyword is
 	  <literal>IGNORE</literal> then the marked section is ignored and
 	  will not be processed.  It will not appear in the output.</para>
 
 	<example>
 	  <title>Using <literal>INCLUDE</literal> and
 	    <literal>IGNORE</literal> in marked sections</title>
 
 	  <programlisting>&lt;![ INCLUDE [
   This text will be processed and included.
 ]]&gt;
 
 &lt;![ IGNORE [
   This text will not be processed or included.
 ]]&gt;</programlisting>
 	</example>
 	
 	<para>By itself, this is not too useful.  If you wanted to remove text
 	  from your document you could cut it out, or wrap it in
 	  comments.</para>
 	  
 	<para>It becomes more useful when you realize you can use <link
 	    linkend="sgml-primer-parameter-entities">parameter entities</link>
 	  to control this.  Remember that parameter entities can only be used
 	  in SGML contexts, and the keyword of a marked section
 	  <emphasis>is</emphasis> an SGML context.</para>
 
 	<para>For example, suppose that you produced a hard-copy version of
 	  some documentation and an electronic version.  In the electronic
 	  version you wanted to include some extra content that was not to
 	  appear in the hard-copy.</para>
 
 	<para>Create a parameter entity, and set its value to
 	  <literal>INCLUDE</literal>.  Write your document, using marked
 	  sections to delimit content that should only appear in the
 	  electronic version.  In these marked sections use the parameter
 	  entity in place of the keyword.</para>
 
 	<para>When you want to produce the hard-copy version of the document,
 	  change the parameter entity's value to <literal>IGNORE</literal> and
 	  reprocess the document.</para>
 
 	<example>
 	  <title>Using a parameter entity to control a marked
 	    section</title>
 	  
 	  <programlisting>&lt;!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0//EN" [
 &lt;!ENTITY % electronic.copy "INCLUDE">	     
 ]]&gt;
 
 ...
 
 &lt;![ %electronic.copy [
   This content should only appear in the electronic
   version of the document.
 ]]&gt;</programlisting>
 
 	  <para>When producing the hard-copy version, change the entity's
 	    definition to;</para>
 	  
 	  <programlisting>&lt;!ENTITY % electronic.copy "IGNORE"></programlisting>
 
 	  <para>On reprocessing the document, the marked sections that use
 	    <literal>%electronic.copy</literal> as their keyword will be
 	    ignored.</para>
 	</example>
       </sect3>
     </sect2>
 
     <sect2>
       <title>For you to do&hellip;</title>
 
       <procedure>
 	<step>
 	  <para>Create a new file, <filename>section.sgml</filename>, that
 	    contains the following;</para>
 
 	  <programlisting>&lt;!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0//EN" [
 &lt;!ENTITY % text.output "INCLUDE">
 ]&gt;
 
 &lt;html>
   &lt;head>
     &lt;title>An example using marked sections&lt;/title>
   &lt;/head>
 
   &lt;body>	    
     &lt;p>This paragraph &lt;![ CDATA [contains many &lt;
       characters (&lt; &lt; &lt; &lt; &lt;) so it is easier
       to wrap it in a CDATA marked section ]]&gt;&lt;/p>
 
     &lt;![ IGNORE [
     &lt;p>This paragraph will definitely not be included in the
       output.&lt;/p>
     ]]&gt;
 
     &lt;![ <![ CDATA [%text.output]]> [
     &lt;p>This paragraph might appear in the output, or it
       might not.&lt;/p>
 
     &lt;p>Its appearance is controlled by the <![CDATA[%text.output]]>
       parameter entity.&lt;/p>	    
     ]]&gt;
   &lt;/body>
 &lt;/html></programlisting>	    
 	</step>
 
 	<step>
 	  <para>Normalize this file using &man.sgmlnorm.1; and examine the
 	    output.  Notice which paragraphs have appeared, which have
 	    disappeared, and what has happened to the content of the CDATA
 	    marked section.</para>
 	</step>
 
 	<step>
 	  <para>Change the definition of the <literal>text.output</literal>
 	    entity from <literal>INCLUDE</literal> to
 	    <literal>IGNORE</literal>.  Re-normalize the file, and examine the
 	    output to see what has changed.  </para>
 	</step>
       </procedure>
     </sect2>
   </sect1>
   
   <sect1 id="sgml-primer-conclusion">
     <title>Conclusion</title>
     
     <para>That is the conclusion of this SGML primer.  For reasons of space
       and complexity several things have not been covered in depth (or at
       all).  However, the previous sections cover enough SGML for you to be
       able to follow the organization of the FDP documentation.</para>
   </sect1>
 </chapter>
 
 <!--
      Local Variables:
      mode: sgml
      sgml-declaration: "../chapter.decl"
      sgml-indent-data: t
      sgml-omittag: nil
      sgml-always-quote-attributes: t
      sgml-parent-document: ("../book.sgml" "part" "chapter")
      End:
 -->
diff --git a/en_US.ISO8859-1/books/handbook/advanced-networking/chapter.sgml b/en_US.ISO8859-1/books/handbook/advanced-networking/chapter.sgml
index ca67526d6d..d7a639dd88 100644
--- a/en_US.ISO8859-1/books/handbook/advanced-networking/chapter.sgml
+++ b/en_US.ISO8859-1/books/handbook/advanced-networking/chapter.sgml
@@ -1,4177 +1,4177 @@
 <!--
      The FreeBSD Documentation Project
 
      $FreeBSD$
 -->
 
 <chapter id="advanced-networking">
   <title>Advanced Networking</title>
 
   <sect1 id="advanced-networking-synopsis">
     <title>Synopsis</title>
 
     <para>This chapter will cover a number of advanced networking
       topics.</para>
 
     <para>After reading this chapter, you will know:</para>
 
     <itemizedlist>
       <listitem>
 	<para>The basics of gateways and routes.</para>
       </listitem>
 
       <listitem>
 	<para>How to set up IEEE 802.11 and &bluetooth; devices.</para>
       </listitem>
 
       <listitem>
 	<para>How to make FreeBSD act as a bridge.</para>
       </listitem>
 
       <listitem>
 	<para>How to set up network booting on a diskless machine.</para>
       </listitem>
 
       <listitem>
 	<para>How to set up network address translation.</para>
       </listitem>
 
       <listitem>
 	<para>How to connect two computers via PLIP.</para>
       </listitem>
 
       <listitem>
 	<para>How to set up IPv6 on a FreeBSD machine.</para>
       </listitem>
 
       <listitem>
 	<para>How to configure ATM under &os;&nbsp;5.X.</para>
       </listitem>
     </itemizedlist>
 
     <para>Before reading this chapter, you should:</para>
 
     <itemizedlist>
       <listitem>
 	<para>Understand the basics of the <filename>/etc/rc</filename> scripts.</para>
       </listitem>
 
       <listitem>
 	<para>Be familiar with basic network terminology.</para>
       </listitem>
 
       <listitem>
         <para>Know how to configure and install a new FreeBSD kernel
           (<xref linkend="kernelconfig">).</para>
       </listitem>
 
       <listitem>
       <para>Know how to install additional third-party
         software (<xref linkend="ports">).</para>
       </listitem>
 
     </itemizedlist>
   </sect1>
 
   <sect1 id="network-routing">
     <sect1info>
       <authorgroup>
         <author>
           <firstname>Coranth</firstname>
       	  <surname>Gryphon</surname>
 	  <contrib>Contributed by </contrib>
         </author>
       </authorgroup>
     </sect1info>
     <title>Gateways and Routes</title>
 
     <indexterm><primary>routing</primary></indexterm>
     <indexterm><primary>gateway</primary></indexterm>
     <indexterm><primary>subnet</primary></indexterm>
     <para>For one machine to be able to find another over a network,
       there must be a mechanism in place to describe how to get from
       one to the other.  This is called
       <firstterm>routing</firstterm>.  A <quote>route</quote> is a
       defined pair of addresses: a <quote>destination</quote> and a
       <quote>gateway</quote>.  The pair indicates that if you are
       trying to get to this <emphasis>destination</emphasis>,
       communicate through this <emphasis>gateway</emphasis>.  There
       are three types of destinations: individual hosts, subnets, and
       <quote>default</quote>.  The <quote>default route</quote> is
       used if none of the other routes apply.  We will talk a little
       bit more about default routes later on.  There are also three
       types of gateways: individual hosts, interfaces (also called
       <quote>links</quote>), and Ethernet hardware addresses (MAC
       addresses).
     </para>
 
     <sect2>
       <title>An Example</title>
 
       <para>To illustrate different aspects of routing, we will use the
 	following example from <command>netstat</command>:</para>
 
       <screen>&prompt.user; <userinput>netstat -r</userinput>
 Routing tables
 
 Destination      Gateway            Flags     Refs     Use     Netif Expire
 
 default          outside-gw         UGSc       37      418      ppp0
 localhost        localhost          UH          0      181       lo0
 test0            0:e0:b5:36:cf:4f   UHLW        5    63288       ed0     77
 10.20.30.255     link#1             UHLW        1     2421
 example.com      link#1             UC          0        0
 host1            0:e0:a8:37:8:1e    UHLW        3     4601       lo0
 host2            0:e0:a8:37:8:1e    UHLW        0        5       lo0 =>
 host2.example.com link#1             UC          0        0
 224              link#1             UC          0        0</screen>
 
       <indexterm><primary>default route</primary></indexterm>
       <para>The first two lines specify the default route (which we
 	will cover in the <link linkend="network-routing-default">next
 	  section</link>) and the <hostid>localhost</hostid> route.</para>
 
       <indexterm><primary>loopback device</primary></indexterm>
       <para>The interface (<literal>Netif</literal> column) that this
 	routing table specifies to use for
 	<literal>localhost</literal> is <devicename>lo0</devicename>,
 	also known as the loopback device.  This says to keep all
 	traffic for this destination internal, rather than sending it
 	out over the LAN, since it will only end up back where it
 	started.</para>
 
       <indexterm>
         <primary>Ethernet</primary>
         <secondary>MAC address</secondary>
       </indexterm>
       <para>The next thing that stands out are the addresses beginning
 	with <hostid role="mac">0:e0:</hostid>.  These are Ethernet
 	hardware addresses, which are also known as MAC addresses.
 	FreeBSD will automatically identify any hosts
 	(<hostid>test0</hostid> in the example) on the local Ethernet
 	and add a route for that host, directly to it over the
 	Ethernet interface, <devicename>ed0</devicename>.  There is
 	also a timeout (<literal>Expire</literal> column) associated
 	with this type of route, which is used if we fail to hear from
 	the host in a specific amount of time.  When this happens, the
 	route to this host will be automatically deleted.  These hosts
 	are identified using a mechanism known as RIP (Routing
 	Information Protocol), which figures out routes to local hosts
 	based upon a shortest path determination.</para>
 
       <indexterm><primary>subnet</primary></indexterm>
       <para>FreeBSD will also add subnet routes for the local subnet (<hostid
 	  role="ipaddr">10.20.30.255</hostid> is the broadcast address for the
 	subnet <hostid role="ipaddr">10.20.30</hostid>, and <hostid
 	  role="domainname">example.com</hostid> is the domain name associated
 	with that subnet).  The designation <literal>link#1</literal> refers
 	to the first Ethernet card in the machine.  You will notice no
 	additional interface is specified for those.</para>
 
       <para>Both of these groups (local network hosts and local subnets) have
 	their routes automatically configured by a daemon called
 	<application>routed</application>.  If this is not run, then only
 	routes which are statically defined (i.e. entered explicitly) will
 	exist.</para>
 
       <para>The <literal>host1</literal> line refers to our host, which it
 	knows by Ethernet address.  Since we are the sending host, FreeBSD
 	knows to use the loopback interface (<devicename>lo0</devicename>)
 	rather than sending it out over the Ethernet interface.</para>
 
       <para>The two <literal>host2</literal> lines are an example of
 	what happens when we use an &man.ifconfig.8; alias (see the
 	section on Ethernet for reasons why we would do this).  The
 	<literal>=&gt;</literal> symbol after the
 	<devicename>lo0</devicename> interface says that not only are
 	we using the loopback (since this address also refers to the
 	local host), but specifically it is an alias.  Such routes
 	only show up on the host that supports the alias; all other
 	hosts on the local network will simply have a
 	<literal>link#1</literal> line for such routes.</para>
 
       <para>The final line (destination subnet <hostid role="ipaddr">224</hostid>) deals
 	with multicasting, which will be covered in another section.</para>
 
       <para>Finally, various attributes of each route can be seen in
 	the <literal>Flags</literal> column.  Below is a short table
 	of some of these flags and their meanings:</para>
 
-      <informaltable frame="none">
+      <informaltable frame="none" pgwide="1">
 	<tgroup cols="2">
 	  <colspec colwidth="1*">
 	  <colspec colwidth="4*">
 
 	  <tbody>
 	    <row>
 	      <entry>U</entry>
 	      <entry>Up: The route is active.</entry>
 	    </row>
 
 	    <row>
 	      <entry>H</entry>
 	      <entry>Host: The route destination is a single host.</entry>
 	    </row>
 
 	    <row>
 	      <entry>G</entry>
 	      <entry>Gateway: Send anything for this destination on to this
 		remote system, which will figure out from there where to send
 		it.</entry>
 	    </row>
 
 	    <row>
 	      <entry>S</entry>
 	      <entry>Static: This route was configured manually, not
 		automatically generated by the system.</entry>
 	    </row>
 
 	    <row>
 	      <entry>C</entry>
 	      <entry>Clone: Generates a new route based upon this route for
 		machines we connect to.  This type of route is normally used
 		for local networks.</entry>
 	    </row>
 
 	    <row>
 	      <entry>W</entry>
 	      <entry>WasCloned: Indicated a route that was auto-configured
 		based upon a local area network (Clone) route.</entry>
 	    </row>
 
 	    <row>
 	      <entry>L</entry>
 	      <entry>Link: Route involves references to Ethernet
 		hardware.</entry>
 	    </row>
 	  </tbody>
 	</tgroup>
       </informaltable>
     </sect2>
 
     <sect2 id="network-routing-default">
       <title>Default Routes</title>
 
       <indexterm><primary>default route</primary></indexterm>
       <para>When the local system needs to make a connection to a remote host,
 	it checks the routing table to determine if a known path exists.  If
 	the remote host falls into a subnet that we know how to reach (Cloned
 	routes), then the system checks to see if it can connect along that
 	interface.</para>
 
       <para>If all known paths fail, the system has one last option: the
 	<quote>default</quote> route.  This route is a special type of gateway
 	route (usually the only one present in the system), and is always
 	marked with a <literal>c</literal> in the flags field.  For hosts on a
 	local area network, this gateway is set to whatever machine has a
 	direct connection to the outside world (whether via PPP link,
 	DSL, cable modem, T1, or another network interface).</para>
 
       <para>If you are configuring the default route for a machine which
 	itself is functioning as the gateway to the outside world, then the
 	default route will be the gateway machine at your Internet Service
 	Provider's (ISP) site.</para>
 
       <para>Let us look at an example of default routes.  This is a common
 	configuration:</para>
 
       <mediaobject>
 	<imageobject>
 	  <imagedata fileref="advanced-networking/net-routing">
 	</imageobject>
 
 	<textobject>
 	  <literallayout class="monospaced">
 [Local2]  &lt;--ether--&gt;  [Local1]  &lt;--PPP--&gt; [ISP-Serv]  &lt;--ether--&gt;  [T1-GW]
       </literallayout>
 	</textobject>
       </mediaobject>
 
       <para>The hosts <hostid>Local1</hostid> and
 	<hostid>Local2</hostid> are at your site.
 	<hostid>Local1</hostid> is connected to an ISP via a dial up
 	PPP connection.  This PPP server computer is connected through
 	a local area network to another gateway computer through an
 	external interface to the ISPs Internet feed.</para>
 
       <para>The default routes for each of your machines will be:</para>
 
-      <informaltable frame="none">
+      <informaltable frame="none" pgwide="1">
 	<tgroup cols="3">
 	  <thead>
 	    <row>
 	      <entry>Host</entry>
 	      <entry>Default Gateway</entry>
 	      <entry>Interface</entry>
 	    </row>
 	  </thead>
 
 	  <tbody>
 	    <row>
 	      <entry>Local2</entry>
 	      <entry>Local1</entry>
 	      <entry>Ethernet</entry>
 	    </row>
 
 	    <row>
 	      <entry>Local1</entry>
 	      <entry>T1-GW</entry>
 	      <entry>PPP</entry>
 	    </row>
 	  </tbody>
 	</tgroup>
       </informaltable>
 
       <para>A common question is <quote>Why (or how) would we set
 	the <hostid>T1-GW</hostid> to be the default gateway for
 	<hostid>Local1</hostid>, rather than the ISP server it is
 	connected to?</quote>.</para>
 
       <para>Remember, since the PPP interface is using an address on the ISP's
 	local network for your side of the connection, routes for any other
 	machines on the ISP's local network will be automatically generated.
 	Hence, you will already know how to reach the <hostid>T1-GW</hostid>
 	machine, so there is no need for the intermediate step
 	of sending traffic to the ISP server.</para>
 
       <para>It is common to use the address <hostid
 	  role="ipaddr">X.X.X.1</hostid> as the gateway address for your local
 	network.  So (using the same example), if your local class-C address
 	space was <hostid role="ipaddr">10.20.30</hostid> and your ISP was
 	using <hostid role="ipaddr">10.9.9</hostid> then the default routes
 	would be:</para>
 
-      <informaltable frame="none">
+      <informaltable frame="none" pgwide="1">
 	<tgroup cols="2">
 	  <thead>
 	    <row>
 	      <entry>Host</entry>
 	      <entry>Default Route</entry>
 	    </row>
 	  </thead>
 	  <tbody>
 	    <row>
 	      <entry>Local2 (10.20.30.2)</entry>
 	      <entry>Local1 (10.20.30.1)</entry>
 	    </row>
 	    <row>
 	      <entry>Local1 (10.20.30.1, 10.9.9.30)</entry>
 	      <entry>T1-GW (10.9.9.1)</entry>
 	    </row>
 	  </tbody>
 	</tgroup>
       </informaltable>
 
       <para>You can easily define the default route via the
 	<filename>/etc/rc.conf</filename> file.  In our example, on the
 	<hostid>Local2</hostid> machine, we added the following line
 	in <filename>/etc/rc.conf</filename>:</para>
 
       <programlisting>defaultrouter="10.20.30.1"</programlisting>
 
       <para>It is also possible to do it directly from the command
 	line with the &man.route.8; command:</para>
 
       <screen>&prompt.root; <userinput>route add default 10.20.30.1</userinput></screen>
 
       <para>For more informations on manual manipulation of network
 	routing tables, consult &man.route.8; manual page.</para>
     </sect2>
 
     <sect2>
       <title>Dual Homed Hosts</title>
       <indexterm><primary>dual homed hosts</primary></indexterm>
       <para>There is one other type of configuration that we should cover, and
 	that is a host that sits on two different networks.  Technically, any
 	machine functioning as a gateway (in the example above, using a PPP
 	connection) counts as a dual-homed host.  But the term is really only
 	used to refer to a machine that sits on two local-area
 	networks.</para>
 
       <para>In one case, the machine has two Ethernet cards, each
 	having an address on the separate subnets.  Alternately, the
 	machine may only have one Ethernet card, and be using
 	&man.ifconfig.8; aliasing.  The former is used if two
 	physically separate Ethernet networks are in use, the latter
 	if there is one physical network segment, but two logically
 	separate subnets.</para>
 
       <para>Either way, routing tables are set up so that each subnet knows
 	that this machine is the defined gateway (inbound route) to the other
 	subnet.  This configuration, with the machine acting as a router
 	between the two subnets, is often used when we need to implement
 	packet filtering or firewall security in either or both
 	directions.</para>
 
       <para>If you want this machine to actually forward packets
         between the two interfaces, you need to tell FreeBSD to enable
         this ability.  See the next section for more details on how
 	to do this.</para>
     </sect2>
 
     <sect2 id="network-dedicated-router">
       <title>Building a Router</title>
 
       <indexterm><primary>router</primary></indexterm>
 
       <para>A network router is simply a system that forwards packets
 	from one interface to another.  Internet standards and good
 	engineering practice prevent the FreeBSD Project from enabling
 	this by default in FreeBSD.  You can enable this feature by
 	changing the following variable to <literal>YES</literal> in
 	&man.rc.conf.5;:</para>
 
       <programlisting>gateway_enable=YES          # Set to YES if this host will be a gateway</programlisting>
 
       <para>This option will set the &man.sysctl.8; variable
 	<varname>net.inet.ip.forwarding</varname> to
 	<literal>1</literal>.  If you should need to stop routing
 	temporarily, you can reset this to <literal>0</literal> temporarily.</para>
 
       <para>Your new router will need routes to know where to send the
 	traffic.  If your network is simple enough you can use static
 	routes.  FreeBSD also comes with the standard BSD routing
 	daemon &man.routed.8;, which speaks RIP (both version 1 and
 	version 2) and IRDP.  Support for BGP v4, OSPF v2, and other
 	sophisticated routing protocols is available with the
 	<filename role="package">net/zebra</filename> package.
 	Commercial products such as <application>&gated;</application> are also available for more
 	complex network routing solutions.</para>
 
 <indexterm><primary>BGP</primary></indexterm>
 <indexterm><primary>RIP</primary></indexterm>
 <indexterm><primary>OSPF</primary></indexterm>
 
       <para>Even when FreeBSD is configured in this way, it does not
 	completely comply with the Internet standard requirements for
 	routers.  It comes close enough for ordinary use,
 	however.</para>
     </sect2>
 
     <sect2>
       <sect2info>
 	<authorgroup>
 	  <author>
 	    <firstname>Al</firstname>
 	    <surname>Hoang</surname>
 	    <contrib>Contributed by </contrib>
 	  </author>
 	</authorgroup>
       </sect2info>
       <!-- Feb 2004 -->
       <title>Setting Up Static Routes</title>
 
       <sect3>
 	<title>Manual Configuration</title>
 
 	<para>Let us assume we have a network as follows:</para>
 
 	<mediaobject>
 	  <imageobject>
 	    <imagedata fileref="advanced-networking/static-routes">
 	  </imageobject>
 
 	  <textobject>
 	<literallayout class="monospaced">
     INTERNET
       | (10.0.0.1/24) Default Router to Internet
       |
       |Interface xl0
       |10.0.0.10/24
    +------+
    |      | RouterA
    |      | (FreeBSD gateway)
    +------+
       | Interface xl1
       | 192.168.1.1/24
       |
   +--------------------------------+
    Internal Net 1      | 192.168.1.2/24
                        |
                    +------+
                    |      | RouterB
                    |      |
                    +------+
                        | 192.168.2.1/24
                        |
                      Internal Net 2
 	</literallayout>
 	  </textobject>
 	</mediaobject>
 
 	<para>In this scenario, <hostid>RouterA</hostid> is our &os;
 	  machine that is acting as a router to the rest of the
 	  Internet.  It has a default route set to <hostid
 	  role="ipaddr">10.0.0.1</hostid> which allows it to connect
 	  with the outside world.  We will assume that
 	  <hostid>RouterB</hostid> is already configured properly and
 	  knows how to get wherever it needs to go.  (This is simple
 	  in this picture.  Just add a default route on
 	  <hostid>RouterB</hostid> using <hostid
 	  role="ipaddr">192.168.1.1</hostid> as the gateway.)</para>
 
 	<para>If we look at the routing table for
 	  <hostid>RouterA</hostid> we would see something like the
 	  following:</para>
 
 	<screen>&prompt.user; <userinput>netstat -nr</userinput>
 Routing tables
 
 Internet:
 Destination        Gateway            Flags    Refs      Use  Netif  Expire
 default            10.0.0.1           UGS         0    49378    xl0
 127.0.0.1          127.0.0.1          UH          0        6    lo0
 10.0.0/24          link#1             UC          0        0    xl0
 192.168.1/24       link#2             UC          0        0    xl1</screen>
 
 	<para>With the current routing table  <hostid>RouterA</hostid>
 	  will not be able to reach our Internal Net 2.  It does not
 	  have a route for <hostid
 	  role="ipaddr">192.168.2.0/24</hostid>.  One way to alleviate
 	  this is to manually add the route.  The following command
 	  would add the Internal Net 2 network to
 	  <hostid>RouterA</hostid>'s routing table using <hostid
 	  role="ipaddr">192.168.1.2</hostid> as the next hop:</para>
 
 	<screen>&prompt.root; <userinput>route add -net 192.168.2.0/24 192.168.1.2</userinput></screen>
 
 	<para>Now <hostid>RouterA</hostid> can reach any hosts on the
 	  <hostid role="ipaddr">192.168.2.0/24</hostid>
 	  network.</para>
       </sect3>
 
       <sect3>
 	<title>Persistent Configuration</title>
 
 	<para>The above example is perfect for configuring a static
 	  route on a running system.  However, one problem is that the
 	  routing information will not persist if you reboot your &os;
 	  machine.  The way to handle the addition of a static route
 	  is to put it in your <filename>/etc/rc.conf</filename>
 	  file:</para>
 
 	<programlisting># Add Internal Net 2 as a static route
 static_routes="internalnet2"
 route_internalnet2="-net 192.168.2.0/24 192.168.1.2"</programlisting>
 
 	<para>The <literal>static_routes</literal> configuration
 	  variable is a list of strings separated by a space.  Each
 	  string references to a route name.  In our above example we
 	  only have one string in <literal>static_routes</literal>.
 	  This string is <replaceable>internalnet2</replaceable>.  We
 	  then add a configuration variable called
 	  <literal>route_<replaceable>internalnet2</replaceable></literal>
 	  where we put all of the configuration parameters we would
 	  give to the &man.route.8; command.  For our example above we
 	  would have used the command:</para>
 
 	  <screen>&prompt.root; <userinput>route add -net 192.168.2.0/24 192.168.1.2</userinput></screen>
 
 	  <para>so we need <literal>"-net 192.168.2.0/24 192.168.1.2"</literal>.</para>
 
 	<para>As said above, we can have more than one string in
 	  <literal>static_routes</literal>.  This allows us to
 	  create multiple static routes.  The following lines shows
 	  an example of adding static routes for the <hostid
 	  role="ipaddr">192.168.0.0/24</hostid> and <hostid
 	  role="ipaddr">192.168.1.0/24</hostid> networks on an imaginary
 	  router:</para>
 
         <programlisting>static_routes="net1 net2"
 route_net1="-net 192.168.0.0/24 192.168.0.1"
 route_net2="-net 192.168.1.0/24 192.168.1.1"</programlisting>
       </sect3>
     </sect2>
 
     <sect2>
       <title>Routing Propagation</title>
       <indexterm><primary>routing propagation</primary></indexterm>
       <para>We have already talked about how we define our routes to the
 	outside world, but not about how the outside world finds us.</para>
 
       <para>We already know that routing tables can be set up so that all
 	traffic for a particular address space (in our examples, a class-C
 	subnet) can be sent to a particular host on that network, which will
 	forward the packets inbound.</para>
 
       <para>When you get an address space assigned to your site, your service
 	provider will set up their routing tables so that all traffic for your
 	subnet will be sent down your PPP link to your site.  But how do sites
 	across the country know to send to your ISP?</para>
 
       <para>There is a system (much like the distributed DNS information) that
 	keeps track of all assigned address-spaces, and defines their point of
 	connection to the Internet Backbone.  The <quote>Backbone</quote> are
 	the main trunk lines that carry Internet traffic across the country,
 	and around the world.  Each backbone machine has a copy of a master
 	set of tables, which direct traffic for a particular network to a
 	specific backbone carrier, and from there down the chain of service
 	providers until it reaches your network.</para>
 
       <para>It is the task of your service provider to advertise to the
 	backbone sites that they are the point of connection (and thus the
 	path inward) for your site.  This is known as route
 	propagation.</para>
     </sect2>
 
     <sect2>
       <title>Troubleshooting</title>
       <indexterm>
         <primary><command>traceroute</command></primary>
       </indexterm>
       <para>Sometimes, there is a problem with routing propagation, and some
 	sites are unable to connect to you.  Perhaps the most useful command
 	for trying to figure out where routing is breaking down is the
 	  &man.traceroute.8; command.  It is equally useful if you cannot seem
 	to make a connection to a remote machine (i.e. &man.ping.8;
 	fails).</para>
 
       <para>The &man.traceroute.8; command is run with the name of the remote
 	host you are trying to connect to.  It will show the gateway hosts
 	along the path of the attempt, eventually either reaching the target
 	host, or terminating because of a lack of connection.</para>
 
       <para>For more information, see the manual page for
 	  &man.traceroute.8;.</para>
     </sect2>
 
     <sect2>
       <title>Multicast Routing</title>
       <indexterm>
 	<primary>multicast</primary>
 	<secondary>options MROUTING</secondary>
       </indexterm>
       <para>FreeBSD supports both multicast applications and multicast
 	routing natively.  Multicast applications do not require any
 	special configuration of FreeBSD; applications will generally
 	run out of the box.  Multicast routing
 	requires that support be compiled into the kernel:</para>
 
       <programlisting>options MROUTING</programlisting>
 
       <para>In addition, the multicast routing daemon, &man.mrouted.8;
 	must be configured to set up tunnels and <acronym>DVMRP</acronym> via
 	<filename>/etc/mrouted.conf</filename>.  More details on
 	multicast configuration may be found in the manual page for
 	&man.mrouted.8;.</para>
     </sect2>
   </sect1>
 
   <sect1 id="network-wireless">
     <sect1info>
       <authorgroup>
         <author>
           <firstname>Eric</firstname>
           <surname>Anderson</surname>
           <contrib>Written by </contrib>
         </author>
       </authorgroup>
     </sect1info>
     <title>Wireless Networking</title>
 
    <indexterm><primary>wireless networking</primary></indexterm>
    <indexterm>
      <primary>802.11</primary>
      <see>wireless networking</see>
    </indexterm>
 
    <sect2>
       <title>Introduction</title>
       <para>It can be very useful to be able to use a computer without the
       annoyance of having a network cable attached at all times.  FreeBSD can
       be used as a wireless client, and even as a wireless <quote>access
       point</quote>.</para>
    </sect2>
 
    <sect2>
      <title>Wireless Modes of Operation</title>
      <para>There are two different ways to configure 802.11 wireless devices:
       BSS and IBSS.</para>
 
      <sect3>
        <title>BSS Mode</title>
        <para>BSS mode is the mode that typically is used.  BSS mode is
         also called infrastructure mode.  In this mode, a number of
         wireless access points are connected to a wired network.  Each
         wireless network has its own name.  This name is called the
         SSID of the network.</para>
 
        <para>Wireless clients connect to these wireless access
         points. The IEEE 802.11 standard defines the protocol that
         wireless networks use to connect.  A wireless client can be
         tied to a specific network, when a SSID is set.  A wireless
         client can also attach to any network by not explicitly
         setting a SSID.</para>
      </sect3>
 
      <sect3>
        <title>IBSS Mode</title>
        <para>IBSS mode, also called ad-hoc mode, is designed for point
          to point connections.  There are actually two types of ad-hoc
          mode.  One is IBSS mode, also called ad-hoc or IEEE ad-hoc
          mode.  This mode is defined by the IEEE 802.11 standards.
          The second is called demo ad-hoc mode or Lucent ad-hoc mode
          (and sometimes, confusingly, ad-hoc mode).  This is the old,
          pre-802.11 ad-hoc mode and should only be used for legacy
 	 installations.  We will not cover either of the ad-hoc modes
          further.</para>
      </sect3>
    </sect2>
 
    <sect2>
      <title>Infrastructure Mode</title>
      <sect3>
        <title>Access Points</title>
 
        <para>Access points are wireless networking devices that allow
         one or more wireless clients to use the device as a central
         hub.  When using an access point, all clients communicate
         through the access point.  Multiple access points are often
         used to cover a complete area such as a house, business, or
         park with a wireless network.</para>
 
        <para>Access points typically have multiple network
        connections: the wireless card, and one or more wired Ethernet
        adapters for connection to the rest of the network.
        </para>
 
        <para>Access points can either be purchased prebuilt, or you
         can build your own with FreeBSD and a supported wireless card.
         Several vendors make wireless access points and wireless cards
         with various features.</para>
      </sect3>
 
      <sect3>
        <title>Building a FreeBSD Access Point</title>
        <indexterm><primary>wireless networking</primary>
          <secondary>access point</secondary>
        </indexterm>
 
        <sect4><title>Requirements</title>
 
          <para>In order to set up a wireless access point with
           FreeBSD, you need to have a compatible wireless card.
           Currently, only cards with the Prism chipset are
           supported. You will also need a wired network card that is
           supported by FreeBSD (this should not be difficult to find,
           FreeBSD supports a lot of different devices).  For this
           guide, we will assume you want to &man.bridge.4; all traffic
           between the wireless device and the network attached to the
           wired network card.</para>
 
 	 <para>The hostap functionality that FreeBSD uses to implement
            the access point works best with certain versions of
            firmware.  Prism 2 cards should use firmware version 1.3.4
            or newer.  Prism 2.5 and Prism 3 cards should use firmware
            1.4.9.  Older versions of the firmware way or may not
            function correctly.  At this time, the only way to update
            cards is with &windows; firmware update utilities available
            from your card's manufacturer.</para>
        </sect4>
 
        <sect4>
          <title>Setting It Up</title>
          <para>First, make sure your system can see the wireless card:</para>
          <screen>&prompt.root; <userinput>ifconfig -a</userinput>
 wi0: flags=8843&lt;UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST&gt; mtu 1500
         inet6 fe80::202:2dff:fe2d:c938%wi0 prefixlen 64 scopeid 0x7
         inet 0.0.0.0 netmask 0xff000000 broadcast 255.255.255.255
         ether 00:09:2d:2d:c9:50
         media: IEEE 802.11 Wireless Ethernet autoselect (DS/2Mbps)
         status: no carrier
         ssid ""
         stationname "FreeBSD Wireless node"
         channel 10 authmode OPEN powersavemode OFF powersavesleep 100
         wepmode OFF weptxkey 1</screen>
 
          <para>Do not worry about the details now, just make sure it shows you
           something to indicate you have a wireless card installed.
 	  If you have trouble seeing the wireless interface, and you
 	  are using a PC Card, you may want to check out
 	  &man.pccardc.8; and &man.pccardd.8; manual pages for more
 	  information.</para>
 
          <para>Next, you will need to load a module in order to get
           the bridging part of FreeBSD ready for the access point.
           To load the &man.bridge.4; module, simply run the
           following command:</para>
 
          <screen>&prompt.root; <userinput>kldload bridge</userinput></screen>
 
          <para>It should not have produced any errors when loading the
           module.  If it did, you may need to compile the
           &man.bridge.4; code into your kernel.  The <link
           linkend="network-bridging">Bridging</link> section of this handbook
           should be able to help you accomplish that task.</para>
 
          <para>Now that you have the bridging stuff done, we need to
           tell the FreeBSD kernel which interfaces to bridge together.
           We do that by using &man.sysctl.8;:</para>
 
          <screen>&prompt.root; <userinput>sysctl net.link.ether.bridge=1</userinput>
 &prompt.root; <userinput>sysctl net.link.ether.bridge_cfg="wi0,xl0"</userinput>
 &prompt.root; <userinput>sysctl net.inet.ip.forwarding=1</userinput></screen>
 
 	<para>On &os;&nbsp;5.2-RELEASE and later, you have to use
 	  instead the following options:</para>
 
 	<screen>&prompt.root; <userinput>sysctl net.link.ether.bridge.enable=1</userinput>
 &prompt.root; <userinput>sysctl net.link.ether.bridge.config="wi0,xl0"</userinput>
 &prompt.root; <userinput>sysctl net.inet.ip.forwarding=1</userinput></screen>
 
          <para>Now it is time for the wireless card setup.
          The following command will set the card into an access point:</para>
 
          <screen>
 &prompt.root; <userinput>ifconfig wi0 ssid <replaceable>my_net</replaceable> channel 11 media DS/11Mbps mediaopt hostap up stationname "<replaceable>FreeBSD AP</replaceable>"</userinput>
          </screen>
 
          <para>The &man.ifconfig.8; line brings the
 	  <devicename>wi0</devicename> interface up, sets its SSID to
 	  <replaceable>my_net</replaceable>, and sets the station name to
 	  <replaceable>FreeBSD AP</replaceable>.  The <option>media
 	  DS/11Mbps</option> sets the card into 11Mbps mode and is
 	  needed for any <option>mediaopt</option> to take effect.
 	  The <option>mediaopt hostap</option> option places the
 	  interface into access point mode.  The <option>channel
 	  11</option> option sets the 802.11b channel to use.  The
 	  &man.wicontrol.8; manual page has valid channel options for
 	  your regulatory domain.
          </para>
 
          <para>Now you should have a complete functioning access point
           up and running.  You are encouraged to read
           &man.wicontrol.8;, &man.ifconfig.8;, and &man.wi.4; for
           further information.
          </para>
 
          <para>It is also suggested that you read the section on encryption that follows.</para>
        </sect4>
 
        <sect4>
          <title>Status Information</title>
 	 <para>Once the access point is configured and operational,
 	   operators will want to see the clients that are associated
 	   with the access point.  At any time, the operator may type:</para>
 
          <screen>&prompt.root; <userinput>wicontrol -l</userinput>
 1 station:
 00:09:b7:7b:9d:16  asid=04c0, flags=3&lt;ASSOC,AUTH&gt;, caps=1&lt;ESS&gt;, rates=f&lt;1M,2M,5.5M,11M&gt;, sig=38/15
 </screen>
 
          <para>This shows that there is one station associated, along
            with its parameters.  The signal indicated should be used
            as a relative indication of strength only.  Its
            translation to dBm or other units varies between different
            firmware revisions.</para>
        </sect4>
      </sect3>
 
      <sect3>
        <title>Clients</title>
 
        <para>A wireless client is a system that accesses an access
        point or another client directly. </para>
 
        <para>Typically, wireless clients only have one network device,
        the wireless networking card.</para>
 
        <para>There are a few different ways to configure a wireless
         client.  These are based on the different wireless modes,
         generally BSS (infrastructure mode, which requires an access
         point), and IBSS (ad-hoc, or peer-to-peer mode).  In our
         example, we will use the most popular of the two, BSS mode, to
         talk to an access point.</para>
 
        <sect4>
        <title>Requirements</title>
        <para>There is only one real requirement for setting up FreeBSD as a wireless client.
         You will need a wireless card that is supported by FreeBSD.</para>
        </sect4>
 
        <sect4>
        <title>Setting Up a Wireless FreeBSD Client</title>
 
        <para>You will need to know a few things about the wireless
         network you are joining before you start.  In this example, we
         are joining a network that has a name of
         <replaceable>my_net</replaceable>, and encryption turned off.</para>
 
        <note><para>In this example, we are not using encryption, which
         is a dangerous situation.  In the next section, you will learn
         how to turn on encryption, why it is important to do so,
         and why some encryption technologies still do not completely
         protect you.</para></note>
 
        <para>Make sure your card is recognized by FreeBSD:</para>
 
        <screen>&prompt.root; <userinput>ifconfig -a</userinput>
 wi0: flags=8843&lt;UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST&gt; mtu 1500
         inet6 fe80::202:2dff:fe2d:c938%wi0 prefixlen 64 scopeid 0x7
         inet 0.0.0.0 netmask 0xff000000 broadcast 255.255.255.255
         ether 00:09:2d:2d:c9:50
         media: IEEE 802.11 Wireless Ethernet autoselect (DS/2Mbps)
         status: no carrier
         ssid ""
         stationname "FreeBSD Wireless node"
         channel 10 authmode OPEN powersavemode OFF powersavesleep 100
         wepmode OFF weptxkey 1</screen>
 
        <para>Now, we can set the card to the correct settings for our
        network:</para>
 
        <screen>&prompt.root; <userinput>ifconfig wi0 inet <replaceable>192.168.0.20</replaceable> netmask <replaceable>255.255.255.0</replaceable> ssid <replaceable>my_net</replaceable></userinput></screen>
 
        <para>Replace <hostid role="ipaddr">192.168.0.20</hostid> and
         <hostid role="netmask">255.255.255.0</hostid> with a valid IP
         address and netmask on your wired network.  Remember, our
         access point is bridging the data between the wireless
         network, and the wired network, so it will appear to the other
         devices on your network that you are on the wired network just
         as they are.</para>
 
        <para>Once you have done that, you should be able to ping hosts
         on the wired network just as if you were connected using a
         standard wired connection.</para>
 
        <para>If you are experiencing problems with your wireless
         connection, check to make sure that you are associated
         (connected) to the access point:</para>
 
        <screen>&prompt.root; <userinput>ifconfig wi0</userinput></screen>
 
        <para>should return some information, and you should see:</para>
        <screen>status: associated</screen>
 
        <para>If it does not show <literal>associated</literal>, then you may be out of
        range of the access point, have encryption on, or
        possibly have a configuration problem.</para>
 
        </sect4>
      </sect3>
 
      <sect3>
       <title>Encryption</title>
       <indexterm>
         <primary>wireless networking</primary>
         <secondary>encryption</secondary>
       </indexterm>
 
       <para>Encryption on a wireless network is important because you
        no longer have the ability to keep the network contained in a
        well protected area.  Your wireless data will be broadcast
        across your entire neighborhood, so anyone who cares to read it
        can.  This is where encryption comes in.  By encrypting the
        data that is sent over the airwaves, you make it much more
        difficult for any interested party to grab your data right out
        of the air. </para>
 
      <para>The two most common ways to encrypt the data between your
       client and the access point are WEP, and &man.ipsec.4;.</para>
 
      <sect4>
      <title>WEP</title>
       <indexterm><primary>WEP</primary></indexterm>
 
       <para>WEP is an abbreviation for Wired Equivalency Protocol.
        WEP is an attempt to make wireless networks as safe and secure
        as a wired network.  Unfortunately, it has been cracked, and is
        fairly trivial to break.  This also means it is not something
        to rely on when it comes to encrypting sensitive data.  </para>
 
       <para>It is better than nothing, so use the following to turn on
        WEP on your new FreeBSD access point:</para>
 
       <screen>&prompt.root; <userinput>ifconfig wi0 inet up ssid <replaceable>my_net</replaceable> wepmode on wepkey <replaceable>0x1234567890</replaceable> media DS/11Mbps mediaopt hostap</userinput></screen>
 
       <para>And you can turn on WEP on a client with this command:</para>
 
       <screen>&prompt.root; <userinput>ifconfig wi0 inet <replaceable>192.168.0.20</replaceable> netmask <replaceable>255.255.255.0</replaceable> ssid <replaceable>my_net</replaceable> wepmode on wepkey <replaceable>0x1234567890</replaceable></userinput></screen>
 
       <para>Note that you should replace the <replaceable>0x1234567890</replaceable> with a more unique key.</para>
 
      </sect4>
 
      <sect4>
      <title>IPsec</title>
 
      <para>&man.ipsec.4; is a much more robust and powerful tool for
        encrypting data across a network.  This is definitely the
        preferred way to encrypt data over a wireless network.  You can
        read more about &man.ipsec.4; security and how to implement it
        in the <link linkend="ipsec">IPsec</link> section of this
        handbook.</para>
      </sect4>
     </sect3>
 
     <sect3>
     <title>Tools</title>
 
     <para>There are a small number of tools available for use in
       debugging and setting up your wireless network, and here we will
       attempt to describe some of them and what they do.</para>
 
     <sect4>
     <title>The <application>bsd-airtools</application> Package</title>
 
     <para>The <application>bsd-airtools</application> package is a
       complete toolset that includes wireless auditing tools for WEP
       key cracking, access point detection, etc.</para>
 
     <para>The <application>bsd-airtools</application> utilities can be
       installed from the <filename
       role="package">net/bsd-airtools</filename> port.  Information on
       installing ports can be found in <xref linkend="ports"> of this
       handbook.</para>
 
     <para>The program <command>dstumbler</command> is the packaged
       tool that allows for access point discovery and signal to noise
       ratio graphing.  If you are having a hard time getting your
       access point up and running, <command>dstumbler</command> may
       help you get started.</para>
 
     <para>To test your wireless network security, you may choose to
       use <quote>dweputils</quote> (<command>dwepcrack</command>,
       <command>dwepdump</command> and <command>dwepkeygen</command>)
       to help you determine if WEP is the right solution to your
       wireless security needs.</para>
 
     </sect4>
 
     <sect4>
     <title>The <command>wicontrol</command>, <command>ancontrol</command> and <command>raycontrol</command> Utilities</title>
 
     <para>These are the tools you can use to control how your wireless
       card behaves on the wireless network.  In the examples above, we
       have chosen to use &man.wicontrol.8;, since our wireless card is
       a <devicename>wi0</devicename> interface.  If you had a Cisco
       wireless device, it would come up as
       <devicename>an0</devicename>, and therefore you would use
       &man.ancontrol.8;.</para>
 
     </sect4>
 
     <sect4>
     <title>The <command>ifconfig</command> Command</title>
     <indexterm><primary>ifconfig</primary></indexterm>
 
     <para>The &man.ifconfig.8; command can be used to do many of the same options
       as &man.wicontrol.8;, however it does lack a few options.  Check
       &man.ifconfig.8; for command line parameters and options.</para>
 
     </sect4>
 
     </sect3>
 
     <sect3>
     <title>Supported Cards</title>
     <sect4>
     <title>Access Points</title>
 
     <para>The only cards that are currently supported for BSS (as an
       access point) mode are devices based on the Prism 2, 2.5, or 3
       chipsets. For a complete list, look at &man.wi.4;.</para>
 
     </sect4>
 
     <sect4>
     <title>802.11b Clients</title>
 
     <para>Almost all 802.11b wireless cards are currently supported
       under FreeBSD.  Most cards based on Prism, Spectrum24, Hermes,
       Aironet, and Raylink will work as a wireless network card in
       IBSS (ad-hoc, peer-to-peer, and BSS) mode.</para>
 
     </sect4>
 
     <sect4>
     <title>802.11a & 802.11g Clients</title>
 
     <para>The &man.ath.4; device driver supports 802.11a and 802.11g. 
       If your card is based on an Atheros chipset, you may
       be able to use this driver.</para>
 
     <para>Unfortunately, there are still many vendors that do not
       provide schematics for their drivers to the open source
       community because they regard such information as trade
       secrets. Consequently, the developers of FreeBSD and other
       operating systems are left two choices: develop the drivers by
       a long and pain-staking process of reverse engineering or using
       the existing driver binaries available for the
       &microsoft.windows; platforms. Most developers, including those
       involved with FreeBSD, have taken the latter approach.</para>
 
     <para>Thanks to the contributions of Bill Paul (wpaul), as of
       FreeBSD&nbsp;5.3-RELEASE there is <quote>native</quote>
       support for the Network Driver Interface Specification
       (NDIS). The FreeBSD NDISulator (otherwise known as Project Evil)
       takes a &windows; driver binary and basically tricks it into
       thinking it is running on &windows;.  This feature is still
       relatively new, but most test cases seem to work
       adequately.</para>
 
     <para>In order to use the NDISulator, you need three things:</para>
 
     <orderedlist>
      <listitem>
       <para>Kernel sources</para>
      </listitem>
      <listitem>
       <para>&windowsxp; driver binary 
         (<filename>.SYS</filename> extension)</para>
      </listitem>
      <listitem>
       <para>&windowsxp; driver configuration file 
         (<filename>.INF</filename> extension)</para>
      </listitem>
     </orderedlist>
  
       <para>You may need to compile the &man.ndis.4; mini port driver 
         wrapper module. As <username>root</username>:</para> 
 
     <screen>&prompt.root; cd /usr/src/sys/modules/ndis
 &prompt.root; make && make install</screen>
 
     <para>Locate the files for your specific card. Generally, they can
       be found on the included CDs or at the vendors' websites. In the
       following examples, we will use
       <filename>W32DRIVER.SYS</filename> and
       <filename>W32DRIVER.INF</filename>.</para>
 
     <para>The next step is to compile the driver binary into a
       loadable kernel module. To accomplish this, as
       <username>root</username>, go into the
       <filename>if_ndis</filename> module directory and copy the
       &windows; driver files into it:</para>
 
    <screen>&prompt.root; <userinput>cd /usr/src/sys/modules/if_ndis</userinput>
 &prompt.root; <userinput>cp <replaceable>/path/to/driver/W32DRIVER.SYS</replaceable> ./</userinput>
 &prompt.root; <userinput>cp <replaceable>/path/to/driver/W32DRIVER.INF</replaceable> ./</userinput></screen>
 
     <para>We will now use the <command>ndiscvt</command> utility to
       create the driver definition header
       <filename>ndis_driver_data.h</filename> to build the
       module:</para>
 
     <screen>&prompt.root; ndiscvt -i <replaceable>W32DRIVER.INF</replaceable> -s <replaceable>W32DRIVER.SYS</replaceable> -o ndis_driver_data.h</screen>
 
     <para>The <option>-i</option> and <option>-s</option> options specify 
       the configuration and binary files, respectively. We use the 
       <option>-o ndis_driver_data.h</option> option because the 
       <filename>Makefile</filename> will be looking for this file when it 
       comes time to build the module. </para>
 
     <note>
       <para>Some &windows; drivers require additional files to operate. You
         may include them with <command>ndiscvt</command> by using the 
         <option>-f</option> option. Consult the &man.ndiscvt.8; manual page 
         for more information.</para>
     </note>
 
     <para>Finally, we can build and install the driver module:</para>
 
     <screen>&prompt.root; <userinput>make && make install</userinput></screen>
 
     <para>To use the driver, you must load the appropriate modules:</para>
 
     <screen>&prompt.root; <userinput>kldload ndis</userinput>
 &prompt.root; <userinput>kldload if_ndis</userinput></screen>
 
     <para>The first command loads the NDIS miniport driver wrapper,
       the second loads the actual network interface.  Check
       &man.dmesg.8; to see if there were any errors loading.  If all
       went well, you should get output resembling the
       following:</para>
 
     <screen>ndis0: &lt;Wireless-G PCI Adapter&gt; mem 0xf4100000-0xf4101fff irq 3 at device 8.0 on pci1
 ndis0: NDIS API version: 5.0
 ndis0: Ethernet address: 0a:b1:2c:d3:4e:f5
 ndis0: 11b rates: 1Mbps 2Mbps 5.5Mbps 11Mbps
 ndis0: 11g rates: 6Mbps 9Mbps 12Mbps 18Mbps 36Mbps 48Mbps 54Mbps</screen>
   
     <para>From here you can treat the <devicename>ndis0</devicename> device 
       like any other wireless device (e.g. <devicename>wi0</devicename>) and 
       consult the earlier sections of this chapter.</para>
     
     </sect4>
 
     </sect3>
    </sect2>
   </sect1>
 
   <sect1 id="network-bluetooth">
     <sect1info>
       <authorgroup>
         <author>
           <firstname>Pav</firstname>
           <surname>Lucistnik</surname>
           <contrib>Written by </contrib>
           <affiliation>
             <address><email>pav@oook.cz</email></address>
           </affiliation>
         </author>
       </authorgroup>
     </sect1info>
     <title>Bluetooth</title>
 
     <indexterm><primary>Bluetooth</primary></indexterm>
     <sect2>
       <title>Introduction</title>
       <para>Bluetooth is a wireless technology for creating personal networks
         operating in the 2.4 GHz unlicensed band, with a range of 10 meters.
         Networks are usually formed ad-hoc from portable devices such as
         cellular phones, handhelds and laptops. Unlike the other popular
         wireless technology, Wi-Fi, Bluetooth offers higher level service
         profiles, e.g. FTP-like file servers, file pushing, voice transport,
         serial line emulation, and more.</para>
 
       <para>The Bluetooth stack in &os; is implemented using the Netgraph
         framework (see &man.netgraph.4;). A broad variety of Bluetooth USB
         dongles is supported by the &man.ng.ubt.4; driver. The Broadcom BCM2033
         chip based Bluetooth devices are supported via the &man.ubtbcmfw.4; and
         &man.ng.ubt.4; drivers. The 3Com Bluetooth PC Card 3CRWB60-A is
         supported by the &man.ng.bt3c.4; driver. Serial and UART based
         Bluetooth devices are supported via &man.sio.4;, &man.ng.h4.4;
         and &man.hcseriald.8;. This section describes the use of the USB
         Bluetooth dongle. Bluetooth support is available in &os; 5.0 and newer
         systems.</para>
     </sect2>
 
     <sect2>
       <title>Plugging in the Device</title>
       <para>By default Bluetooth device drivers are available as kernel modules.
         Before attaching a device, you will need to load the driver into the
         kernel:</para>
 
       <screen>&prompt.root; <userinput>kldload ng_ubt</userinput></screen>
 
       <para>If the Bluetooth device is present in the system during system
         startup, load the module from
         <filename>/boot/loader.conf</filename>:</para>
 
       <programlisting>ng_ubt_load="YES"</programlisting>
 
       <para>Plug in your USB dongle. The output similar to the following will
         appear on the console (or in syslog):</para>
 
       <screen>ubt0: vendor 0x0a12 product 0x0001, rev 1.10/5.25, addr 2
 ubt0: Interface 0 endpoints: interrupt=0x81, bulk-in=0x82, bulk-out=0x2
 ubt0: Interface 1 (alt.config 5) endpoints: isoc-in=0x83, isoc-out=0x3,
       wMaxPacketSize=49, nframes=6, buffer size=294</screen>
 
       <para>Copy
         <filename>/usr/share/examples/netgraph/bluetooth/rc.bluetooth</filename>
         into some convenient place, like <filename>/etc/rc.bluetooth</filename>.
         This script is used to start and stop the Bluetooth stack. It is a good
         idea to stop the stack before unplugging the device, but it is not
         (usually) fatal. When starting the stack, you will receive output similar
         to the following:</para>
 
       <screen>&prompt.root; <userinput>/etc/rc.bluetooth start ubt0</userinput>
 BD_ADDR: 00:02:72:00:d4:1a
 Features: 0xff 0xff 0xf 00 00 00 00 00
 &lt;3-Slot&gt; &lt;5-Slot&gt; &lt;Encryption&gt; &lt;Slot offset&gt;
 &lt;Timing accuracy&gt; &lt;Switch&gt; &lt;Hold mode&gt; &lt;Sniff mode&gt;
 &lt;Park mode&gt; &lt;RSSI&gt; &lt;Channel quality&gt; &lt;SCO link&gt;
 &lt;HV2 packets&gt; &lt;HV3 packets&gt; &lt;u-law log&gt; &lt;A-law log&gt; &lt;CVSD&gt;
 &lt;Paging scheme&gt; &lt;Power control&gt; &lt;Transparent SCO data&gt;
 Max. ACL packet size: 192 bytes
 Number of ACL packets: 8
 Max. SCO packet size: 64 bytes
 Number of SCO packets: 8</screen>
 
     </sect2>
 
     <indexterm><primary>HCI</primary></indexterm>
     <sect2>
       <title>Host Controller Interface (HCI)</title>
 
       <para>Host Controller Interface (HCI) provides a command interface to the
         baseband controller and link manager, and access to hardware status and
         control registers. This interface provides a uniform method of accessing
         the Bluetooth baseband capabilities. HCI layer on the Host exchanges
         data and commands with the HCI firmware on the Bluetooth hardware.
         The Host Controller Transport Layer (i.e. physical bus) driver provides
         both HCI layers with the ability to exchange information with each
         other.</para>
 
       <para>A single Netgraph node of type <emphasis>hci</emphasis> is
         created for a single Bluetooth device. The HCI node is normally
         connected to the Bluetooth device driver node (downstream) and
         the L2CAP node (upstream). All HCI operations must be performed
         on the HCI node and not on the device driver node. Default name
         for the HCI node is <quote>devicehci</quote>.
         For more details refer to the &man.ng.hci.4; manual page.</para>
 
       <para>One of the most common tasks is discovery of Bluetooth devices in
         RF proximity. This operation is called <emphasis>inquiry</emphasis>.
         Inquiry and other HCI related operations are done with the
         &man.hccontrol.8; utility. The example below shows how to find out
         which Bluetooth devices are in range. You should receive the list of
         devices in a few seconds. Note that a remote device will only answer
         the inquiry if it put into <emphasis>discoverable</emphasis>
         mode.</para>
 
       <screen>&prompt.user; <userinput>hccontrol -n ubt0hci inquiry</userinput>
 Inquiry result, num_responses=1
 Inquiry result #0
        BD_ADDR: 00:80:37:29:19:a4
        Page Scan Rep. Mode: 0x1
        Page Scan Period Mode: 00
        Page Scan Mode: 00
        Class: 52:02:04
        Clock offset: 0x78ef
 Inquiry complete. Status: No error [00]</screen>
 
       <para><literal>BD_ADDR</literal> is unique address of a Bluetooth
         device, similar to MAC addresses of a network card. This address
         is needed for further communication with a device. It is possible
         to assign human readable name to a BD_ADDR.
         The <filename>/etc/bluetooth/hosts</filename> file contains information
         regarding the known Bluetooth hosts. The following example shows how
         to obtain human readable name that was assigned to the remote
         device:</para>
 
       <screen>&prompt.user; <userinput>hccontrol -n ubt0hci remote_name_request 00:80:37:29:19:a4</userinput>
 BD_ADDR: 00:80:37:29:19:a4
 Name: Pav's T39</screen>
 
       <para>If you perform an inquiry on a remote Bluetooth device, it will
         find your computer as <quote>your.host.name (ubt0)</quote>. The name
         assigned to the local device can be changed at any time.</para>
 
       <para>The Bluetooth system provides a point-to-point connection (only two
         Bluetooth units involved), or a point-to-multipoint connection. In the
         point-to-multipoint connection the connection is shared among several
         Bluetooth devices. The following example shows how to obtain the list
         of active baseband connections for the local device:</para>
 
       <screen>&prompt.user; <userinput>hccontrol -n ubt0hci read_connection_list</userinput>
 Remote BD_ADDR    Handle Type Mode Role Encrypt Pending Queue State
 00:80:37:29:19:a4     41  ACL    0 MAST    NONE       0     0 OPEN</screen>
 
       <para>A <emphasis>connection handle</emphasis> is useful when termination
         of the baseband connection is required. Note, that it is normally not
         required to do it by hand. The stack will automatically terminate
         inactive baseband connections.</para>
 
       <screen>&prompt.root; <userinput>hccontrol -n ubt0hci disconnect 41</userinput>
 Connection handle: 41
 Reason: Connection terminated by local host [0x16]</screen>
 
       <para>Refer to <command>hccontrol help</command> for a complete listing
         of available HCI commands. Most of the HCI commands do not require
         superuser privileges.</para>
 
     </sect2>
 
     <indexterm><primary>L2CAP</primary></indexterm>
     <sect2>
       <title>Logical Link Control and Adaptation Protocol (L2CAP)</title>
 
       <para>Logical Link Control and Adaptation Protocol (L2CAP) provides
         connection-oriented and connectionless data services to upper layer
         protocols with protocol multiplexing capability and segmentation and
         reassembly operation. L2CAP permits higher level protocols and
         applications to transmit and receive L2CAP data packets up to 64
         kilobytes in length.</para>
 
       <para>L2CAP is based around the concept of <emphasis>channels</emphasis>.
         Channel is a logical connection on top of baseband connection. Each
         channel is bound to a single protocol in a many-to-one fashion. Multiple
         channels can be bound to the same protocol, but a channel cannot be
         bound to multiple protocols. Each L2CAP packet received on a channel is
         directed to the appropriate higher level protocol. Multiple channels
         can share the same baseband connection.</para>
 
       <para>A single Netgraph node of type <emphasis>l2cap</emphasis> is
         created for a single Bluetooth device. The L2CAP node is normally
         connected to the Bluetooth HCI node (downstream) and Bluetooth sockets
         nodes (upstream). Default name for the L2CAP node is
         <quote>devicel2cap</quote>. For more details refer to the
         &man.ng.l2cap.4; manual page.</para>
 
       <para>A useful command is &man.l2ping.8;, which can be used to ping
         other devices. Some Bluetooth implementations might not return all of
         the data sent to them, so <literal>0 bytes</literal> in the following
         example is normal.</para>
 
       <screen>&prompt.root; <userinput>l2ping -a 00:80:37:29:19:a4</userinput>
 0 bytes from 0:80:37:29:19:a4 seq_no=0 time=48.633 ms result=0
 0 bytes from 0:80:37:29:19:a4 seq_no=1 time=37.551 ms result=0
 0 bytes from 0:80:37:29:19:a4 seq_no=2 time=28.324 ms result=0
 0 bytes from 0:80:37:29:19:a4 seq_no=3 time=46.150 ms result=0</screen>
 
       <para>The &man.l2control.8; utility is used to perform various operations
         on L2CAP nodes. This example shows how to obtain the list of logical
         connections (channels) and the list of baseband connections for the
         local device:</para>
 
       <screen>&prompt.user; <userinput>l2control -a 00:02:72:00:d4:1a read_channel_list</userinput>
 L2CAP channels:
 Remote BD_ADDR     SCID/ DCID   PSM  IMTU/ OMTU State
 00:07:e0:00:0b:ca    66/   64     3   132/  672 OPEN
 &prompt.user; <userinput>l2control -a 00:02:72:00:d4:1a read_connection_list</userinput>
 L2CAP connections:
 Remote BD_ADDR    Handle Flags Pending State
 00:07:e0:00:0b:ca     41 O           0 OPEN</screen>
 
       <para>Another diagnostic tool is &man.btsockstat.1;. It does a job
         similar to as &man.netstat.1; does, but for Bluetooth network-related
         data structures. The example below shows the same logical connection as
         &man.l2control.8; above.</para>
 
       <screen>&prompt.user; <userinput>btsockstat</userinput>
 Active L2CAP sockets
 PCB      Recv-Q Send-Q Local address/PSM       Foreign address   CID   State
 c2afe900      0      0 00:02:72:00:d4:1a/3     00:07:e0:00:0b:ca 66    OPEN
 Active RFCOMM sessions
 L2PCB    PCB      Flag MTU   Out-Q DLCs State
 c2afe900 c2b53380 1    127   0     Yes  OPEN
 Active RFCOMM sockets
 PCB      Recv-Q Send-Q Local address     Foreign address   Chan DLCI State
 c2e8bc80      0    250 00:02:72:00:d4:1a 00:07:e0:00:0b:ca 3    6    OPEN</screen>
 
     </sect2>
 
     <indexterm><primary>RFCOMM</primary></indexterm>
     <sect2>
       <title>RFCOMM Protocol</title>
 
       <para>The RFCOMM protocol provides emulation of serial ports over the
         L2CAP protocol. The protocol is based on the ETSI standard TS 07.10.
         RFCOMM is a simple transport protocol, with additional provisions for
         emulating the 9 circuits of RS-232 (EIATIA-232-E) serial ports. The
         RFCOMM protocol supports up to 60 simultaneous connections (RFCOMM
         channels) between two Bluetooth devices.</para>
 
       <para>For the purposes of RFCOMM, a complete communication path involves
         two applications running on different devices (the communication
         endpoints) with a communication segment between them. RFCOMM is intended
         to cover applications that make use of the serial ports of the devices
         in which they reside. The communication segment is a Bluetooth link from
         one device to another (direct connect).</para>
 
       <para>RFCOMM is only concerned with the connection between the devices in
         the direct connect case, or between the device and a modem in the
         network case. RFCOMM can support other configurations, such as modules
         that communicate via Bluetooth wireless technology on one side and
         provide a wired interface on the other side.</para>
 
       <para>In &os; the RFCOMM protocol is implemented at the Bluetooth sockets
         layer.</para>
     </sect2>
 
     <indexterm><primary>pairing</primary></indexterm>
     <sect2>
       <title>Pairing of Devices</title>
 
       <para>By default, Bluetooth communication is not authenticated, and any
         device can talk to any other device. A Bluetooth device (for example,
         cellular phone) may choose to require authentication to provide a
         particular service (for example, Dial-Up service). Bluetooth
         authentication is normally done with <emphasis>PIN codes</emphasis>.
         A PIN code is an ASCII string up to 16 characters in length. User is
         required to enter the same PIN code on both devices. Once user has
         entered the PIN code, both devices will generate a
         <emphasis>link key</emphasis>. After that the link key can be stored
         either in the devices themselves or in a persistent storage. Next time
         both devices will use previously generated link key. The described
         above procedure is called <emphasis>pairing</emphasis>. Note that if
         the link key is lost by any device then pairing must be repeated.</para>
 
       <para>The &man.hcsecd.8; daemon is responsible for handling of all
         Bluetooth authentication requests. The default configuration file is
         <filename>/etc/bluetooth/hcsecd.conf</filename>. An example section for
         a cellular phone with the PIN code arbitrarily set to
         <quote>1234</quote> is shown below:</para>
 
       <programlisting>device {
         bdaddr  00:80:37:29:19:a4;
         name    "Pav's T39";
         key     nokey;
         pin     "1234";
       }</programlisting>
 
       <para>There is no limitation on PIN codes (except length). Some devices
         (for example Bluetooth headsets) may have a fixed PIN code built in.
         The <option>-d</option> switch forces the &man.hcsecd.8; daemon to stay
         in the foreground, so it is easy to see what is happening. Set the
         remote device to receive pairing and initiate the Bluetooth connection
         to the remote device. The remote device should say that pairing was
         accepted, and request the PIN code. Enter the same PIN code as you
         have in <filename>hcsecd.conf</filename>. Now your PC and the remote
         device are paired. Alternatively, you can initiate pairing on the remote
         device.  The following is a sample of the
         <application>hcsecd</application> daemon output:</para>
 
 <programlisting>hcsecd[16484]: Got Link_Key_Request event from 'ubt0hci', remote bdaddr 0:80:37:29:19:a4
 hcsecd[16484]: Found matching entry, remote bdaddr 0:80:37:29:19:a4, name 'Pav's T39', link key doesn't exist
 hcsecd[16484]: Sending Link_Key_Negative_Reply to 'ubt0hci' for remote bdaddr 0:80:37:29:19:a4
 hcsecd[16484]: Got PIN_Code_Request event from 'ubt0hci', remote bdaddr 0:80:37:29:19:a4
 hcsecd[16484]: Found matching entry, remote bdaddr 0:80:37:29:19:a4, name 'Pav's T39', PIN code exists
 hcsecd[16484]: Sending PIN_Code_Reply to 'ubt0hci' for remote bdaddr 0:80:37:29:19:a4</programlisting>
 
     </sect2>
 
     <indexterm><primary>SDP</primary></indexterm>
     <sect2>
       <title>Service Discovery Protocol (SDP)</title>
       <para>The Service Discovery Protocol (SDP) provides the means for client
         applications to discover the existence of services provided by server
         applications as well as the attributes of those services. The attributes
         of a service include the type or class of service offered and the
         mechanism or protocol information needed to utilize the service.</para>
 
       <para>SDP involves communication between a SDP server and a SDP client.
         The server maintains a list of service records that describe the
         characteristics of services associated with the server. Each service
         record contains information about a single service. A client may 
         retrieve information from a service record maintained by the SDP server
         by issuing a SDP request. If the client, or an application associated
         with the client, decides to use a service, it must open a separate
         connection to the service provider in order to utilize the service.
         SDP provides a mechanism for discovering services and their attributes,
         but it does not provide a mechanism for utilizing those services.</para>
 
       <para>Normally, a SDP client searches for services based on some desired
         characteristics of the services. However, there are times when it is
         desirable to discover which types of services are described by an SDP
         server's service records without any a priori information about the
         services. This process of looking for any offered services is called
         <emphasis>browsing</emphasis>.</para>
  
       <para>The Bluetooth SDP server &man.sdpd.8; and command line client
         &man.sdpcontrol.8; are included in the standard &os; installation.
         The following example shows how to perform a SDP browse query.</para>
 
       <screen>&prompt.user; <userinput>sdpcontrol -a 00:01:03:fc:6e:ec browse</userinput>
 Record Handle: 00000000
 Service Class ID List:
         Service Discovery Server (0x1000)
 Protocol Descriptor List:
         L2CAP (0x0100)
                 Protocol specific parameter #1: u/int/uuid16 1
                 Protocol specific parameter #2: u/int/uuid16 1
 
 Record Handle: 0x00000001
 Service Class ID List:
         Browse Group Descriptor (0x1001)
 
 Record Handle: 0x00000002
 Service Class ID List:
         LAN Access Using PPP (0x1102)
 Protocol Descriptor List:
         L2CAP (0x0100)
         RFCOMM (0x0003)
                 Protocol specific parameter #1: u/int8/bool 1
 Bluetooth Profile Descriptor List:
         LAN Access Using PPP (0x1102) ver. 1.0
 </screen>
 
       <para>... and so on. Note that each service has a list of attributes
         (RFCOMM channel for example). Depending on the service you might need to
         make a note of some of the attributes. Some Bluetooth implementations do
         not support service browsing and may return an empty list. In this case
         it is possible to search for the specific service. The example below
         shows how to search for the OBEX Object Push (OPUSH) service:</para>
 
       <screen>&prompt.user; <userinput>sdpcontrol -a 00:01:03:fc:6e:ec search OPUSH</userinput></screen>
 
       <para>Offering services on &os; to Bluetooth clients is done with the
         &man.sdpd.8; server:</para>
       <screen>&prompt.root; <userinput>sdpd</userinput></screen>
 
       <para>The local server application that wants to provide Bluetooth
         service to the remote clients will register service with the local
         SDP daemon. The example of such application is &man.rfcomm.pppd.8;.
         Once started it will register Bluetooth LAN service with the local
         SDP daemon.</para>
 
       <para>The list of services registered with the local SDP server can be
         obtained by issuing SDP browse query via local control channel:</para>
 
       <screen>&prompt.root; <userinput>sdpcontrol -l browse</userinput></screen>
 
     </sect2>
 
     <sect2>
       <title>Dial-Up Networking (DUN) and Network Access with PPP (LAN)
         Profiles</title>
 
       <para>The Dial-Up Networking (DUN) profile is mostly used with modems
         and cellular phones. The scenarios covered by this profile are the
         following:</para>
 
       <itemizedlist>
         <listitem><para>use of a cellular phone or modem by a computer as
           a wireless modem for connecting to a dial-up Internet access server,
           or using other dial-up services;</para></listitem>
 
         <listitem><para>use of a cellular phone or modem by a computer to
           receive data calls.</para></listitem>
       </itemizedlist>
 
       <para>Network Access with PPP (LAN) profile can be used in the following
         situations:</para>
 
       <itemizedlist>
         <listitem><para>LAN access for a single Bluetooth device;
            </para></listitem>
 
         <listitem><para>LAN access for multiple Bluetooth devices;
           </para></listitem>
 
         <listitem><para>PC to PC (using PPP networking over serial cable
           emulation).</para></listitem>
       </itemizedlist>
 
       <para>In &os; both profiles are implemented with &man.ppp.8; and
         &man.rfcomm.pppd.8; - a wrapper that converts RFCOMM Bluetooth
         connection into something PPP can operate with. Before any profile
         can be used, a new PPP label in the <filename>/etc/ppp/ppp.conf</filename>
         must be created. Consult &man.rfcomm.pppd.8; manual page for examples.
       </para>
 
       <para>In the following example &man.rfcomm.pppd.8; will be used to open
         RFCOMM connection to remote device with BD_ADDR 00:80:37:29:19:a4 on
         DUN RFCOMM channel. The actual RFCOMM channel number will be obtained
         from the remote device via SDP. It is possible to specify RFCOMM channel
         by hand, and in this case &man.rfcomm.pppd.8; will not perform SDP
         query. Use &man.sdpcontrol.8; to find out RFCOMM
         channel on the remote device.</para>
 
       <screen>&prompt.root; <userinput>rfcomm_pppd -a 00:80:37:29:19:a4 -c -C dun -l rfcomm-dialup</userinput></screen>
 
       <para>In order to provide Network Access with PPP (LAN) service the
         &man.sdpd.8; server must be running. A new entry for LAN clients must
         be created in the <filename>/etc/ppp/ppp.conf</filename> file. Consult
         &man.rfcomm.pppd.8; manual page for examples. Finally, start RFCOMM PPP
         server on valid RFCOMM channel number. The RFCOMM PPP server will
         automatically register Bluetooth LAN service with the local SDP daemon.
         The example below shows how to start RFCOMM PPP server.</para>
 
       <screen>&prompt.root; <userinput>rfcomm_pppd -s -C 7 -l rfcomm-server</userinput></screen>
 
     </sect2>
 
     <indexterm><primary>OBEX</primary></indexterm>
     <sect2>
       <title>OBEX Object Push (OPUSH) Profile</title>
       <para>OBEX is a widely used protocol for simple file transfers between
         mobile devices. Its main use is in infrared communication, where it is
         used for generic file transfers between notebooks or PDAs,
         and for sending business cards or calendar entries between cellular
         phones and other devices with PIM applications.</para>
 
       <para>The OBEX server and client are implemented as a third-party package
         <application>obexapp</application>, which is available as
 	<filename role="package">comms/obexapp</filename> port.</para>
 
       <para>OBEX client is used to push and/or pull objects from the OBEX server.
         An object can, for example, be a business card or an appointment.
         The OBEX client can obtain RFCOMM channel number from the remote device
         via SDP. This can be done by specifying service name instead of RFCOMM
         channel number. Supported service names are: IrMC, FTRN and OPUSH.
         It is possible to specify RFCOMM channel as a number. Below is an
         example of an OBEX session, where device information object is pulled
         from the cellular phone, and a new object (business card) is pushed
         into the phone's directory.</para>
 
       <screen>&prompt.user; <userinput>obexapp -a 00:80:37:29:19:a4 -C IrMC</userinput>
 obex&gt; get
 get: remote file&gt; telecom/devinfo.txt
 get: local file&gt; devinfo-t39.txt
 Success, response: OK, Success (0x20)
 obex&gt; put
 put: local file&gt; new.vcf
 put: remote file&gt; new.vcf
 Success, response: OK, Success (0x20)
 obex&gt; di
 Success, response: OK, Success (0x20)</screen>
 
       <para>In order to provide OBEX Object Push service,
         &man.sdpd.8; server must be running. A root folder, where all incoming
         objects will be stored, must be created. The default path to the root
         folder is <filename>/var/spool/obex</filename>. Finally, start OBEX
         server on valid RFCOMM channel number. The OBEX server will
         automatically register OBEX Object Push service with the local SDP
         daemon. The example below shows how to start OBEX server.</para>
 
       <screen>&prompt.root; <userinput>obexapp -s -C 10</userinput></screen>
     </sect2>
 
     <sect2>
       <title>Serial Port Profile (SPP)</title>
       <para>The Serial Port Profile (SPP) allows Bluetooth devices to perform
         RS232 (or similar) serial cable emulation. The scenario covered by this
         profile deals with legacy applications using Bluetooth as a cable
         replacement, through a virtual serial port abstraction.</para>
 
       <para>The &man.rfcomm.sppd.1; utility implements the Serial Port profile.
         A pseudo tty is used as a virtual serial port abstraction. The example
         below shows how to connect to a remote device Serial Port service.
         Note that you do not have to specify a RFCOMM channel -
         &man.rfcomm.sppd.1; can obtain it from the remote device via SDP.
         If you would like to override this, specify a RFCOMM channel on the
         command line.</para>
 
       <screen>&prompt.root; <userinput>rfcomm_sppd -a 00:07:E0:00:0B:CA -t /dev/ttyp6</userinput>
 rfcomm_sppd[94692]: Starting on /dev/ttyp6...</screen>
 
       <para>Once connected, the pseudo tty can be used as serial port:</para>
 
       <screen>&prompt.root; <userinput>cu -l ttyp6</userinput></screen>
 
     </sect2>
 
     <sect2>
       <title>Troubleshooting</title>
 
       <sect3>
         <title>A remote device cannot connect</title>
         <para>Some older Bluetooth devices do not support role switching.
           By default, when &os; is accepting a new connection, it tries to
           perform a role switch and become master. Devices, which do not
           support this will not be able to connect. Note that role switching is
           performed when a new connection is being established, so it is not
           possible to ask the remote device if it does support role switching.
           There is a HCI option to disable role switching on the local
           side:</para>
 
         <screen>&prompt.root; <userinput>hccontrol -n ubt0hci write_node_role_switch 0</userinput></screen>
 
       </sect3>
 
       <sect3>
         <title>Something is going wrong, can I see what exactly is happening?</title>
         <para>Yes, you can. Use the <application>hcidump-1.5</application>
           third-party package that can be downloaded from
           <ulink url="http://www.geocities.com/m_evmenkin/"></ulink>.
           The <application>hcidump</application> utility is similar to
           &man.tcpdump.1;. It can be used to display the content of the Bluetooth
           packets on the terminal and to dump the Bluetooth packets to a
           file.</para>
       </sect3>
 
     </sect2>
 
   </sect1>
 
   <sect1 id="network-bridging">
     <sect1info>
       <authorgroup>
         <author>
           <firstname>Steve</firstname>
       	  <surname>Peterson</surname>
 	  <contrib>Written by </contrib>
         </author>
       </authorgroup>
     </sect1info>
     <title>Bridging</title>
 
     <sect2>
       <title>Introduction</title>
       <indexterm><primary>IP subnet</primary></indexterm>
       <indexterm><primary>bridge</primary></indexterm>
       <para>It is sometimes useful to divide one physical network
 	(such as an Ethernet segment) into two separate network
 	segments without having to create IP subnets and use a router
 	to connect the segments together.  A device that connects two
 	networks together in this fashion is called a
 	<quote>bridge</quote>.  A FreeBSD system with two network
 	interface cards can act as a bridge.</para>
 
       <para>The bridge works by learning the MAC layer addresses
 	(Ethernet addresses) of the devices on each of its network interfaces.
 	It forwards traffic between two networks only when its source and
 	destination are on different networks.</para>
 
       <para>In many respects, a bridge is like an Ethernet switch with very
 	few ports.</para>
     </sect2>
 
     <sect2>
       <title>Situations Where Bridging Is Appropriate</title>
 
       <para>There are two common situations in which a bridge is used
 	today.</para>
 
       <sect3>
 	<title>High Traffic on a Segment</title>
 
 	<para>Situation one is where your physical network segment is
 	  overloaded with traffic, but you do not want for whatever reason to
 	  subnet the network and interconnect the subnets with a
 	  router.</para>
 
 	<para>Let us consider an example of a newspaper where the Editorial and
 	  Production departments are on the same subnetwork.  The Editorial
 	  users all use server <hostid>A</hostid> for file service, and the Production users
 	  are on server <hostid>B</hostid>.  An Ethernet network is used to connect all users together,
 	  and high loads on the network are slowing things down.</para>
 
 	<para>If the Editorial users could be segregated on one
 	  network segment and the Production users on another, the two
 	  network segments could be connected with a bridge.  Only the
 	  network traffic destined for interfaces on the
 	  <quote>other</quote> side of the bridge would be sent to the
 	  other network, reducing congestion on each network
 	  segment.</para>
       </sect3>
 
       <sect3>
 	<title>Filtering/Traffic Shaping Firewall</title>
 	<indexterm><primary>firewall</primary></indexterm>
 	<indexterm><primary>network address translation</primary></indexterm>
 
 	<para>The second common situation is where firewall functionality is
 	  needed without network address translation (NAT).</para>
 
 	<para>An example is a small company that is connected via DSL
 	  or ISDN to their ISP.  They have a 13 globally-accessible IP
 	  addresses from their ISP and have 10 PCs on their network.
 	  In this situation, using a router-based firewall is
 	  difficult because of subnetting issues.</para>
 
 	<indexterm><primary>router</primary></indexterm>
 	<indexterm><primary>DSL</primary></indexterm>
 	<indexterm><primary>ISDN</primary></indexterm>
 	<para>A bridge-based firewall can be configured and dropped into the
 	  path just downstream of their DSL/ISDN router without any IP
 	  numbering issues.</para>
       </sect3>
     </sect2>
 
     <sect2>
       <title>Configuring a Bridge</title>
 
       <sect3>
 	<title>Network Interface Card Selection</title>
 
 	<para>A bridge requires at least two network cards to function.
 	  Unfortunately, not all network interface cards as of FreeBSD&nbsp;4.0
 	  support bridging.  Read &man.bridge.4; for details on the cards that
 	  are supported.</para>
 
 	<para>Install and test the two network cards before continuing.</para>
       </sect3>
 
       <sect3>
 	<title>Kernel Configuration Changes</title>
 	<indexterm>
 	  <primary>kernel options</primary>
 	  <secondary>options BRIDGE</secondary>
 	</indexterm>
 
 	<para>To enable kernel support for bridging, add the:</para>
 
 	<programlisting>options BRIDGE</programlisting>
 
 	<para>statement to your kernel configuration file, and rebuild your
 	  kernel.</para>
       </sect3>
 
       <sect3>
 	<title>Firewall Support</title>
 	<indexterm><primary>firewall</primary></indexterm>
 	<para>If you are planning to use the bridge as a firewall, you
 	  will need to add the <literal>IPFIREWALL</literal> option as
 	  well.  Read <xref linkend="firewalls"> for general
 	  information on configuring the bridge as a firewall.</para>
 
 	<para>If you need to allow non-IP packets (such as ARP) to flow
 	  through the bridge, there is a firewall option that
 	  must be set.  This option is
 	  <literal>IPFIREWALL_DEFAULT_TO_ACCEPT</literal>.  Note that this
 	  changes the default rule for the firewall to accept any packet.
 	  Make sure you know how this changes the meaning of your ruleset
 	  before you set it.</para>
       </sect3>
 
       <sect3>
 	<title>Traffic Shaping Support</title>
 
 	<para>If you want to use the bridge as a traffic shaper, you will need
 	  to add the <literal>DUMMYNET</literal> option to your kernel
 	  configuration.  Read &man.dummynet.4; for further
 	  information.</para>
       </sect3>
     </sect2>
 
     <sect2>
       <title>Enabling the Bridge</title>
 
       <para>Add the line:</para>
 
       <programlisting>net.link.ether.bridge=1</programlisting>
 
       <para>to <filename>/etc/sysctl.conf</filename> to enable the bridge at
 	runtime, and the line:</para>
 
       <programlisting>net.link.ether.bridge_cfg=<replaceable>if1</replaceable>,<replaceable>if2</replaceable></programlisting>
 
       <para>to enable bridging on the specified interfaces (replace
 	<replaceable>if1</replaceable> and
 	<replaceable>if2</replaceable> with the names of your two
 	network interfaces).  If you want the bridged packets to be
 	filtered by &man.ipfw.8;, you should add:</para>
 
       <programlisting>net.link.ether.bridge_ipfw=1</programlisting>
 
       <para>as well.</para>
 
       <para>For &os;&nbsp;5.2-RELEASE and later, use instead the following
 	lines:</para>
 
       <programlisting>net.link.ether.bridge.enable=1
 net.link.ether.bridge.config=<replaceable>if1</replaceable>,<replaceable>if2</replaceable>
 net.link.ether.bridge.ipfw=1</programlisting>
 
     </sect2>
     
     <sect2>
       <title>Other Information</title>
 
       <para>If you want to be able to &man.ssh.1; into the bridge from the network,
 	it is correct to assign one of the network cards an IP address.  The
 	consensus is that assigning both cards an address is a bad
 	idea.</para>
 
       <para>If you have multiple bridges on your network, there cannot be more
 	than one path between any two workstations.  Technically, this means
 	that there is no support for spanning tree link management.</para>
 
       <para>A bridge can add latency to your &man.ping.8; times, especially for
         traffic from one segment to another.</para>
       
     </sect2>
   </sect1>
 
   <sect1 id="network-diskless">
     <sect1info>
       <authorgroup>
         <author>
           <firstname>Jean-Fran&ccedil;ois</firstname>
           <surname>Dock&egrave;s</surname>
           <contrib>Updated by </contrib>
         </author>
       </authorgroup>
       <authorgroup>
 	<author>
 	  <firstname>Alex</firstname>
 	  <surname>Dupre</surname>
 	  <contrib>Reorganized and enhanced by </contrib>
 	</author>
       </authorgroup>
     </sect1info>
     <title>Diskless Operation</title>
 
     <indexterm><primary>diskless workstation</primary></indexterm>
     <indexterm><primary>diskless operation</primary></indexterm>
 
     <para>A FreeBSD machine can boot over the network and operate without a
       local disk, using filesystems mounted from an <acronym>NFS</acronym> server.  No system
       modification is necessary, beyond standard configuration files.
       Such a system is relatively easy to  set up because all the necessary elements
       are readily available:</para>
     <itemizedlist>
       <listitem>
 	<para>There are at least two possible methods to load the kernel over
 	  the network:</para>
 	<itemizedlist>
 	  <listitem>
 	    <para><acronym>PXE</acronym>: The &intel; Preboot eXecution
 	      Environment system is a form of smart boot ROM built into some
 	      networking cards or motherboards.  See &man.pxeboot.8; for more
 	      details.</para>
 	  </listitem>
 	  <listitem>
 	    <para>The <application>Etherboot</application>
 	      port (<filename
 	      role="package">net/etherboot</filename>) produces
 	      ROM-able code to boot kernels over the network.  The
 	      code can be either burnt into a boot PROM on a network
 	      card, or loaded from a local floppy (or hard) disk
 	      drive, or from a running &ms-dos; system.  Many network
 	      cards are supported.</para>
 	  </listitem>
 	</itemizedlist>
 	</listitem>
 
       <listitem>
 	<para>A sample script
 	  (<filename>/usr/share/examples/diskless/clone_root</filename>) eases
 	  the creation and maintenance of the workstation's root filesystem
 	  on the server.  The script will probably require a little
 	  customization but it will get you started very quickly.</para>
       </listitem>
 
       <listitem>
 	<para>Standard system startup files exist in <filename>/etc</filename>
 	  to detect and support a diskless system startup.</para>
       </listitem>
 
       <listitem>
 	<para>Swapping, if needed, can be done either to an <acronym>NFS</acronym> file or to
 	  a local disk.</para>
       </listitem>
     </itemizedlist>
 
     <para>There are many ways to set up diskless workstations.  Many
       elements are involved, and most can be customized to suit local
       taste.  The following will describe variations on the setup of a complete system,
       emphasizing simplicity and compatibility with the
       standard FreeBSD startup scripts.  The system described has the
       following characteristics:</para>
 
     <itemizedlist>
       <listitem>
 	<para>The diskless workstations use a shared
 	  read-only <filename>/</filename> filesystem, and a shared
 	  read-only <filename>/usr</filename>.</para>
 	<para>The root filesystem is a copy of a
 	  standard FreeBSD root (typically the server's), with some
 	  configuration files overridden by ones specific to diskless
 	  operation or, possibly, to the workstation they belong to.</para>
 	<para>The parts of the root which have to be
 	  writable are overlaid with &man.mfs.8; (&os;&nbsp;4.X) or &man.md.4; (&os;&nbsp;5.X) filesystems.  Any changes
 	  will be lost when the system reboots.</para>
       </listitem>
       <listitem>
 	<para>The kernel is transferred and loaded either with
 	  <application>Etherboot</application> or <acronym>PXE</acronym>
 	  as some situations may mandate the use of either method.</para>
       </listitem>
     </itemizedlist>
 
     <caution><para>As described, this system is insecure.  It should
 	live in a protected area of a network, and be untrusted by
 	other hosts.</para>
     </caution>
 
     <para>All the information in this section has been tested
       using &os; releases 4.9-RELEASE and 5.2.1-RELEASE.  The text is
       primarily structured for 4.X usage.  Notes have been inserted where
       appropriate to indicate 5.X changes.</para>
 
     <sect2>
       <title>Background Information</title>
 
       <para>Setting up diskless workstations is both relatively
 	straightforward and prone to errors.  These are sometimes
 	difficult to diagnose for a number of reasons.  For example:</para>
 
       <itemizedlist>
 	<listitem>
 	  <para>Compile time options may determine different behaviors at
 	    runtime.</para>
 	</listitem>
 
 	<listitem>
 	  <para>Error messages are often cryptic or totally absent.</para>
 	</listitem>
       </itemizedlist>
 
       <para>In this context, having some knowledge of the background
 	mechanisms involved is very useful to solve the problems that
 	may arise.</para>
 
       <para>Several operations need to be performed for a successful
 	bootstrap:</para>
         
       <itemizedlist>
 	<listitem>
 	  <para>The machine needs to obtain initial parameters such as its IP
 	    address, executable filename, server name, root path.  This is
 	    done using the <acronym>DHCP</acronym> or BOOTP protocols.
 	    <acronym>DHCP</acronym> is a compatible extension of BOOTP, and
 	    uses the same port numbers and basic packet format.</para>
 
 	  <para>It is possible to configure a system to use only BOOTP.
 	    The &man.bootpd.8; server program is included in the base &os;
 	    system.</para>
 
 	  <para>However, <acronym>DHCP</acronym> has a number of advantages
 	    over BOOTP (nicer configuration files, possibility of using
 	    <acronym>PXE</acronym>, plus many others not directly related to
 	    diskless operation), and we will describe mainly a
 	    <acronym>DHCP</acronym> configuration, with equivalent examples
 	    using &man.bootpd.8; when possible.  The sample configuration will
 	    use the <application>ISC DHCP</application> software package
 	    (release 3.0.1.r12 was installed on the test server).</para>
 	</listitem>
 
 	<listitem>
 	  <para>The machine needs to transfer one or several programs to local
 	    memory.  Either <acronym>TFTP</acronym> or <acronym>NFS</acronym>
 	    are used.  The choice between <acronym>TFTP</acronym> and
 	    <acronym>NFS</acronym> is a compile time option in several places.
 	    A common source of error is to specify filenames for the wrong
 	    protocol: <acronym>TFTP</acronym> typically transfers all files from
 	    a single directory on the server, and would expect filenames
 	    relative to this directory.  <acronym>NFS</acronym> needs absolute
 	    file paths.</para>
 	</listitem>
 
 	<listitem>
 	  <para>The possible intermediate bootstrap programs and the kernel
 	    need to be initialized and executed.  There are several important
 	    variations in this area:</para>
 
 	  <itemizedlist>
 	    <listitem>
 	      <para><acronym>PXE</acronym> will load &man.pxeboot.8;, which is
 		a modified version of the &os; third stage loader.  The
 		&man.loader.8; will obtain most parameters necessary to system
 		startup, and leave them in the kernel environment before
 		transferring control.  It is possible to use a
 		<filename>GENERIC</filename> kernel in this case.</para>
 	    </listitem>
 
 	    <listitem>
 	      <para><application>Etherboot</application>, will directly
 		load the kernel, with less preparation.  You will need to
 		build a kernel with specific options.</para>
 	    </listitem>
 	  </itemizedlist>
 
 	  <para><acronym>PXE</acronym> and <application>Etherboot</application>
 	    work equally well with 4.X systems.  Because 5.X kernels
 	    normally let the &man.loader.8; do more work for them,
 	    <acronym>PXE</acronym> is preferred for 5.X systems.</para>
 
 	  <para>If your <acronym>BIOS</acronym> and network cards support
 	    <acronym>PXE</acronym>, you should probably use it.  However,
 	    it is still possible to start a 5.X system with
 	    <application>Etherboot</application>.</para>
 	</listitem>
 
 	<listitem>
 	  <para>Finally, the machine needs to access its filesystems.
 	    <acronym>NFS</acronym> is used in all cases.</para>
 	</listitem>
       </itemizedlist>
 
       <para>See also &man.diskless.8; manual page.</para>
     </sect2>
 
     <sect2>
       <title>Setup Instructions</title>
 
       <sect3>
 	  <title>Configuration Using <application>ISC DHCP</application></title>
 	  <indexterm>
 	    <primary>DHCP</primary>
 	    <secondary>diskless operation</secondary>
 	  </indexterm>
 
 	  <para>The <application>ISC DHCP</application> server can answer
 	    both BOOTP and <acronym>DHCP</acronym> requests.</para>
 
 	  <para>As of release 4.9, <application>ISC DHCP
   	    3.0</application> is not part of the base
 	    system.  You will first need to install the
 	    <filename role="package">net/isc-dhcp3-server</filename> port or the
 	    corresponding package.</para>
 
 	  <para>Once <application>ISC DHCP</application> is installed, it
 	    needs a configuration file to run, (normally named
 	    <filename>/usr/local/etc/dhcpd.conf</filename>).  Here follows
 	    a commented example, where host <hostid>margaux</hostid>
 	    uses <application>Etherboot</application> and host
 	    <hostid>corbieres</hostid> uses <acronym>PXE</acronym>:</para>
 
           <programlisting>
 default-lease-time 600;
 max-lease-time 7200;
 authoritative;
 
 option domain-name "example.com";
 option domain-name-servers 192.168.4.1;
 option routers 192.168.4.1;
 
 subnet 192.168.4.0 netmask 255.255.255.0 {
   use-host-decl-names on; <co id="co-dhcp-host-name">
   option subnet-mask 255.255.255.0;
   option broadcast-address 192.168.4.255;
 
   host margaux {
     hardware ethernet 01:23:45:67:89:ab;
     fixed-address margaux.example.com;
     next-server 192.168.4.4; <co id="co-dhcp-next-server">
     filename "/data/misc/kernel.diskless"; <co id="co-dhcp-filename">
     option root-path "192.168.4.4:/data/misc/diskless"; <co id="co-dhcp-root-path">
   }
   host corbieres {
     hardware ethernet 00:02:b3:27:62:df;
     fixed-address corbieres.example.com;
     next-server 192.168.4.4;
     filename "pxeboot";
     option root-path "192.168.4.4:/data/misc/diskless";
   }
 }
           </programlisting>
 
 	  <calloutlist>
 	    <callout arearefs="co-dhcp-host-name"><para>This option tells
 		<application>dhcpd</application> to send the value in the
 		<literal>host</literal> declarations as the hostname for the
 		diskless host.  An alternate way would be to add an
 		<literal>option host-name
 		  <replaceable>margaux</replaceable></literal> inside the
 		<literal>host</literal> declarations.</para>
 	    </callout>
 
 	    <callout arearefs="co-dhcp-next-server"><para>The
 		<literal>next-server</literal> directive designates
 		the <acronym>TFTP</acronym> or <acronym>NFS</acronym> server to
 		use for loading loader or kernel file (the default is to use
 		the same host as the
 		<acronym>DHCP</acronym> server).</para>
 	    </callout>
 
 	    <callout arearefs="co-dhcp-filename"><para>The
 		<literal>filename</literal> directive defines the file that
 		<application>Etherboot</application> or <acronym>PXE</acronym>
 		will load for the next execution step.  It must be specified
 		according to the transfer method used.
 		<application>Etherboot</application> can be compiled to use
 		<acronym>NFS</acronym> or <acronym>TFTP</acronym>.  The &os;
 		port configures <acronym>NFS</acronym> by default.
 		<acronym>PXE</acronym> uses <acronym>TFTP</acronym>, which is
 		why a relative filename is used here (this may depend on the
 		<acronym>TFTP</acronym> server configuration, but would be
 		fairly typical).  Also, <acronym>PXE</acronym> loads
 		<filename>pxeboot</filename>, not the kernel.  There are other
 		interesting possibilities, like loading
 		<filename>pxeboot</filename> from a &os; CD-ROM
 		<filename role="directory">/boot</filename> directory (as
 		&man.pxeboot.8; can load a <filename>GENERIC</filename> kernel,
 		this makes it possible to use <acronym>PXE</acronym> to boot
 		from a remote CD-ROM).</para>
 	    </callout>
 
 	    <callout arearefs="co-dhcp-root-path"><para>The
 		<literal>root-path</literal> option defines the path to
 		the root filesystem, in usual <acronym>NFS</acronym> notation.
 		When using <acronym>PXE</acronym>, it is possible to leave off
 		the host's IP as long as you do not enable the kernel option
 		BOOTP.  The <acronym>NFS</acronym> server will then be
 		the same as the <acronym>TFTP</acronym> one.</para>
 	    </callout>
 	  </calloutlist>
 
       </sect3>
       <sect3>
 	  <title>Configuration Using BOOTP</title>
 	  <indexterm>
 	    <primary>BOOTP</primary>
 	    <secondary>diskless operation</secondary>
 	  </indexterm>
 
 	  <para>Here follows an equivalent <application>bootpd</application>
 	    configuration (reduced to one client).  This would be found in
 	    <filename>/etc/bootptab</filename>.</para>
 
 	  <para>Please note that <application>Etherboot</application>
 	    must be compiled with the non-default option
 	    <literal>NO_DHCP_SUPPORT</literal> in order to use BOOTP,
 	    and that <acronym>PXE</acronym> <emphasis>needs</emphasis> <acronym>DHCP</acronym>.  The only
 	    obvious advantage of <application>bootpd</application> is
 	    that it exists in the base system.</para>
 
           <programlisting>
 .def100:\
   :hn:ht=1:sa=192.168.4.4:vm=rfc1048:\
   :sm=255.255.255.0:\
   :ds=192.168.4.1:\
   :gw=192.168.4.1:\
   :hd="/tftpboot":\
   :bf="/kernel.diskless":\
   :rp="192.168.4.4:/data/misc/diskless":
 
 margaux:ha=0123456789ab:tc=.def100
           </programlisting>
       </sect3>
 
       <sect3>
 	<title>Preparing a Boot Program with
 	  <application>Etherboot</application></title>
 
 	<indexterm>
 	  <primary>Etherboot</primary>
 	</indexterm>
 
 	<para><ulink url="http://etherboot.sourceforge.net">Etherboot's Web
 	  site</ulink> contains
 	  <ulink url="http://etherboot.sourceforge.net/doc/html/userman/t1.html">
 	  extensive documentation</ulink> mainly intended for Linux
 	  systems, but nonetheless containing useful information.  The
 	  following will just outline how you would use
 	  <application>Etherboot</application> on a FreeBSD
 	  system.</para>
 
 	<para>You must first install the <filename
 	  role="package">net/etherboot</filename> package or port.</para>
 
 	<para>You can change the <application>Etherboot</application>
 	  configuration (i.e. to use <acronym>TFTP</acronym> instead of
 	  <acronym>NFS</acronym>) by editing the <filename>Config</filename>
 	  file in the <application>Etherboot</application> source
 	  directory.</para>
 
 	<para>For our setup, we shall use a boot floppy.  For other methods
 	  (PROM, or &ms-dos; program), please refer to the
 	  <application>Etherboot</application> documentation.</para>
 
 	<para>To make a boot floppy, insert a floppy in the drive on the
 	  machine where you installed <application>Etherboot</application>,
 	  then change your current directory to the <filename>src</filename>
 	  directory in the <application>Etherboot</application> tree and
 	  type:</para>
 
 	<screen>
 &prompt.root; <userinput>gmake bin32/<replaceable>devicetype</replaceable>.fd0</userinput>
 	</screen>
 
 	<para><replaceable>devicetype</replaceable> depends on the type of
 	  the Ethernet card in the diskless workstation.  Refer to the
 	  <filename>NIC</filename> file in the same directory to determine the
 	  right <replaceable>devicetype</replaceable>.</para>
 
       </sect3>
 
       <sect3>
 	<title>Booting with <acronym>PXE</acronym></title>
 
 	<para>By default, the &man.pxeboot.8; loader loads the kernel via
 	  <acronym>NFS</acronym>.  It can be compiled to use
 	  <acronym>TFTP</acronym> instead by specifying the
 	  <literal>LOADER_TFTP_SUPPORT</literal> option in
 	  <filename>/etc/make.conf</filename>.  See the comments in
 	  <filename>/etc/defaults/make.conf</filename> (or
 	  <filename>/usr/share/examples/etc/make.conf</filename> for 5.X
 	  systems) for instructions.</para>
 
 	<para>There are two other undocumented <filename>make.conf</filename>
 	  options which may be useful for setting up a serial console diskless
 	  machine: <literal>BOOT_PXELDR_PROBE_KEYBOARD</literal>, and
 	  <literal>BOOT_PXELDR_ALWAYS_SERIAL</literal> (the latter only exists
 	  on &os;&nbsp;5.X).</para>
 
 	<para>To use <acronym>PXE</acronym> when the machine starts, you will
 	  usually need to select the <literal>Boot from network</literal>
 	  option in your <acronym>BIOS</acronym> setup, or type a function key
 	  during the PC initialization.</para>
       </sect3>
 
       <sect3>
 	<title>Configuring the <acronym>TFTP</acronym> and <acronym>NFS</acronym> Servers</title>
 
 	<indexterm>
 	  <primary>TFTP</primary>
 	  <secondary>diskless operation</secondary>
 	</indexterm>
 	<indexterm>
 	  <primary>NFS</primary>
 	  <secondary>diskless operation</secondary>
 	</indexterm>
 
 	<para>If you are using <acronym>PXE</acronym> or
 	  <application>Etherboot</application> configured to use
 	  <acronym>TFTP</acronym>, you need to enable
 	  <application>tftpd</application> on the file server:</para>
         <procedure>
           <step>
             <para>Create a directory from which <application>tftpd</application>
             will serve the files, e.g. <filename>/tftpboot</filename>.</para>
           </step>
 
           <step>
             <para>Add this line to your
 	      <filename>/etc/inetd.conf</filename>:</para>
 
 	    <programlisting>tftp	dgram	udp	wait	root	/usr/libexec/tftpd	tftpd -l -s /tftpboot</programlisting>
 
 	    <note><para>It appears that at least some <acronym>PXE</acronym> versions want
 		the <acronym>TCP</acronym> version of <acronym>TFTP</acronym>.  In this case, add a second line,
 		replacing <literal>dgram udp</literal> with <literal>stream
 		tcp</literal>.</para>
 	    </note>
           </step>
 	  <step>
 	    <para>Tell <application>inetd</application> to reread its configuration
 	      file:</para>
 	    <screen>&prompt.root; <userinput>kill -HUP `cat /var/run/inetd.pid`</userinput></screen>
 	  </step>
         </procedure>
 
 	<para>You can place the <filename>tftpboot</filename>
 	  directory anywhere on the server.  Make sure that the
 	  location is set in both <filename>inetd.conf</filename> and
 	  <filename>dhcpd.conf</filename>.</para>
 
 	<para>In all cases, you also need to enable <acronym>NFS</acronym> and export the
 	  appropriate filesystem on the <acronym>NFS</acronym> server.</para>
 
         <procedure>
           <step>
             <para>Add this to <filename>/etc/rc.conf</filename>:</para>
 	    <programlisting>nfs_server_enable="YES"</programlisting>
           </step>
 
           <step>
             <para>Export the filesystem where the diskless root directory
 	      is located by adding the following to
 	      <filename>/etc/exports</filename> (adjust the volume mount
 	      point and replace <replaceable>margaux corbieres</replaceable>
 	      with the names of the diskless workstations):</para>
 
 	    <programlisting><replaceable>/data/misc</replaceable> -alldirs -ro <replaceable>margaux corbieres</replaceable></programlisting>
           </step>
 	  <step>
 	    <para>Tell <application>mountd</application> to reread its configuration
 	      file.  If you actually needed to enable <acronym>NFS</acronym> in
 	      <filename>/etc/rc.conf</filename>
 	      at the first step, you probably want to reboot instead.</para>
 	    <screen>&prompt.root; <userinput>kill -HUP `cat /var/run/mountd.pid`</userinput></screen>
 	  </step>
         </procedure>
 
       </sect3>
 
       <sect3>
 	<title>Building a Diskless Kernel</title>
 
 	<indexterm>
 	  <primary>diskless operation</primary>
 	  <secondary>kernel configuration</secondary>
 	</indexterm>
 
 	<para>If using <application>Etherboot</application>, you need to
 	  create a kernel configuration file for the diskless client
 	  with the following options (in addition to the usual ones):</para>
 
 	<programlisting>
 options     BOOTP          # Use BOOTP to obtain IP address/hostname
 options     BOOTP_NFSROOT  # NFS mount root filesystem using BOOTP info
 	</programlisting>
 
 	<para>You may also want to use <literal>BOOTP_NFSV3</literal>,
 	  <literal>BOOT_COMPAT</literal> and <literal>BOOTP_WIRED_TO</literal>
 	  (refer to <filename>LINT</filename> in 4.X or
 	  <filename>NOTES</filename> on 5.X).</para>
 
 	<para>These option names are historical and slightly misleading as
 	  they actually enable indifferent use of <acronym>DHCP</acronym> and
 	  BOOTP inside the kernel (it is also possible to force strict BOOTP
 	  or <acronym>DHCP</acronym> use).</para>
 
 	<para>Build the kernel (see <xref linkend="kernelconfig">),
 	  and copy it to the place specified
 	  in <filename>dhcpd.conf</filename>.</para>
 
 	<note>
 	  <para>When using <acronym>PXE</acronym>, building a kernel with the
 	  above options is not strictly necessary (though suggested).
 	  Enabling them will cause more <acronym>DHCP</acronym> requests to be
 	  issued during kernel startup, with a small risk of inconsistency
 	  between the new values and those retrieved by &man.pxeboot.8; in some
 	  special cases.  The advantage of using them is that the host name
 	  will be set as a side effect.  Otherwise you will need to set the
 	  host name by another method, for example in a client-specific
 	  <filename>rc.conf</filename> file.</para>
 	</note>
 
 	<note>
 	  <para>In order to be loadable with
 	    <application>Etherboot</application>, a 5.X kernel needs to have
 	    the device hints compiled in.  You would typically set the
 	    following option in the configuration file (see the
 	    <filename>NOTES</filename> configuration comments file):</para>
 
 	  <programlisting>hints		"GENERIC.hints"</programlisting>
 	</note>
 
       </sect3>
 
       <sect3>
 	  <title>Preparing the Root Filesystem</title>
 
 	<indexterm>
 	  <primary>root file system</primary>
 	  <secondary>diskless operation</secondary>
 	</indexterm>
 
 	<para>You need to create a root filesystem for the diskless
 	  workstations, in the location listed as
 	  <literal>root-path</literal> in
 	  <filename>dhcpd.conf</filename>.  The following sections describe
 	  two ways to do it.</para>
 
 	<sect4>
 	  <title>Using the <filename>clone_root</filename> Script</title>
 
 	<para>This is the quickest way to create a root filesystem, but
 	  currently it is only supported on &os;&nbsp;4.X.  This shell script
 	  is located at
 	  <filename>/usr/share/examples/diskless/clone_root</filename>
 	  and needs customization, at least to adjust
 	  the place where the filesystem will be created (the
 	  <literal>DEST</literal> variable).</para>
 
 	<para>Refer to the comments at the top of the script for
 	    instructions.  They explain how the base filesystem is built,
 	    and how files may be selectively overridden by versions specific
 	    to diskless operation, to a subnetwork, or to an individual
 	    workstation.  They also give examples for the diskless
 	    <filename>/etc/fstab</filename> and <filename>
 	    /etc/rc.conf</filename> files.</para>
 
 	  <para>The <filename>README</filename> files in
 	    <filename>/usr/share/examples/diskless</filename> contain a lot
 	    of interesting background information, but, together with the
 	    other examples in the <filename>diskless</filename> directory,
 	    they actually document a configuration method which is distinct
 	    from the one used by <filename>clone_root</filename> and
 	    the system startup scripts in
 	    <filename role="directory">/etc</filename>, which is a little
 	    confusing.  Use them for reference only, except if you prefer 
 	    the method that they describe, in which case you will need
 	    customized <filename>rc</filename> scripts.</para>
 	</sect4>
 
 	<sect4>
 	  <title>Using the Standard <command>make world</command>
 	    Procedure</title>
 
 	  <para>This method can be applied to either &os;&nbsp;4.X or 5.X and
 	    will install a complete virgin system (not only the root filesystem)
 	    into <envar>DESTDIR</envar>.
 	    All you have to do is simply execute the following script:</para>
 
 	  <programlisting>#!/bin/sh
 export DESTDIR=/data/misc/diskless
 mkdir -p ${DESTDIR}
 cd /usr/src; make world && make kernel
 cd /usr/src/etc; make distribution</programlisting>
 
 	  <para>Once done, you may need to customize your
 	    <filename>/etc/rc.conf</filename> and
 	    <filename>/etc/fstab</filename> placed into
 	    <envar>DESTDIR</envar> according to your needs.</para>
 	</sect4>
       </sect3>
 
       <sect3>
 	<title>Configuring Swap</title>
 
 	<para>If needed, a swap file located on the server can be
 	  accessed via <acronym>NFS</acronym>.  One of the methods commonly
 	  used to do this has been discontinued in release 5.X.</para>
 
 	<sect4>
 	  <title><acronym>NFS</acronym> Swap with &os;&nbsp;4.X</title>
 
 	  <para>The swap file location and size can be specified with
 	    BOOTP/<acronym>DHCP</acronym> &os;-specific options 128 and 129.
 	    Examples of configuration files for
 	    <application>ISC DHCP 3.0</application> or
 	    <application>bootpd</application> follow:</para>
 
 	<procedure>
 	  <step><para>Add the following lines to
 	  <filename>dhcpd.conf</filename>:</para>
 	    <programlisting>
 # Global section
 option swap-path code 128 = string;
 option swap-size code 129 = integer 32;
 
 host margaux {
   ... # Standard lines, see above
   option swap-path <replaceable>"192.168.4.4:/netswapvolume/netswap"</replaceable>;
   option swap-size <replaceable>64000</replaceable>;
 }
 	    </programlisting>
 
 	    <para><literal>swap-path</literal> is the path to a directory
 	      where swap files will be located.  Each file will be named
 	      <filename>swap.<replaceable>client-ip</replaceable></filename>.</para>
 
 	    <para>Older versions of <application>dhcpd</application> used a syntax of
 	      <literal>option option-128 "...</literal>, which is no
 	      longer supported.</para>
 	    <para><filename>/etc/bootptab</filename> would use the
 	      following syntax instead:</para>
 
 	    <programlisting>T128="192.168.4.4:/netswapvolume/netswap":T129=0000fa00</programlisting>
 
 	    <note><para>In <filename>/etc/bootptab</filename>, the swap
 	      size must be expressed in hexadecimal format.</para></note>
 	  </step>
 
 	  <step>
 	    <para>On the <acronym>NFS</acronym> swap file server, create the swap
 	    file(s):</para>
             <screen>
 &prompt.root; <userinput>mkdir <replaceable>/netswapvolume/netswap</replaceable></userinput>
 &prompt.root; <userinput>cd <replaceable>/netswapvolume/netswap</replaceable></userinput>
 &prompt.root; <userinput>dd if=/dev/zero bs=1024 count=<replaceable>64000</replaceable> of=swap.<replaceable>192.168.4.6</replaceable></userinput>
 &prompt.root; <userinput>chmod 0600 swap.<replaceable>192.168.4.6</replaceable></userinput>
             </screen>
 	    <para><replaceable>192.168.4.6</replaceable> is the IP address
 	      for the diskless client.</para>
 	  </step>
 
 	  <step>
 	    <para>On the <acronym>NFS</acronym> swap file server, add the following line to
 	    <filename>/etc/exports</filename>:</para>
 	    <programlisting>
 <replaceable>/netswapvolume</replaceable>  -maproot=0:10 -alldirs <replaceable>margaux corbieres</replaceable>
 	    </programlisting>
 	    <para>Then tell <application>mountd</application> to reread the
 		<filename>exports</filename> file, as above.</para>
 	  </step>
 	</procedure>
 	</sect4>
 
 	<sect4>
 	  <title><acronym>NFS</acronym> Swap with &os&nbsp;5.X</title>
 
 	  <para>The kernel does not support enabling <acronym>NFS</acronym>
 	    swap at boot time.  Swap must be enabled by the startup scripts,
 	    by mounting a writeable file system and creating and enabling a
 	    swap file.  To create a swap file of appropriate size, you can do
 	    like this:</para>
 
 	  <screen>&prompt.root; <userinput>dd if=/dev/zero of=<replaceable>/path/to/swapfile</replaceable> bs=1k count=1 oseek=<replaceable>100000</replaceable></userinput></screen>
 
 	  <para>To enable it you have to add the following line to your
 	    <filename>rc.conf</filename>:</para>
 
 	  <programlisting>swapfile=<replaceable>/path/to/swapfile</replaceable></programlisting>
         </sect4>
       </sect3>
 
       <sect3>
 	<title>Miscellaneous Issues</title>
 
 
 	<sect4>
 	  <title>Running with a Read-only <filename>/usr</filename></title>
 
 	  <indexterm>
 	    <primary>diskless operation</primary>
 	    <secondary>/usr read-only</secondary>
 	  </indexterm>
 
 	    <para>If the diskless workstation is configured to run X, you
 	    will have to adjust the <application>XDM</application> configuration file, which puts
 	    the error log on <filename>/usr</filename> by default.</para>
 	</sect4>
 	<sect4>
 	  <title>Using a Non-FreeBSD Server</title>
 
 	  <para>When the server for the root filesystem is not running FreeBSD,
 	    you will have to create the root filesystem on a
 	    FreeBSD machine, then copy it to its destination, using
 	    <command>tar</command> or <command>cpio</command>.</para>
 	  <para>In this situation, there are sometimes
 	    problems with the special files in <filename>/dev</filename>,
 	    due to differing major/minor integer sizes.  A solution to this
 	    problem is to export a directory from the non-FreeBSD server,
 	    mount this directory onto a FreeBSD machine, and run
 	    <command>MAKEDEV</command> on the FreeBSD machine
 	    to create the correct device entries (FreeBSD 5.0 and later
 	    use &man.devfs.5; to allocate device nodes transparently for
 	    the user, running <command>MAKEDEV</command> on these
 	    versions is pointless).</para>
 
 	</sect4>
 
       </sect3>
 
     </sect2>
   </sect1>
 
   <sect1 id="network-isdn">
     <title>ISDN</title>
 
     <indexterm>
       <primary>ISDN</primary>
     </indexterm>
 
     <para>A good resource for information on ISDN technology and hardware is
       <ulink url="http://www.alumni.caltech.edu/~dank/isdn/">Dan Kegel's ISDN
 	Page</ulink>.</para>
 
     <para>A quick simple road map to ISDN follows:</para>
 
     <itemizedlist>
       <listitem>
         <para>If you live in Europe you might want to investigate the ISDN card
           section.</para>
       </listitem>
 
       <listitem>
 	<para>If you are planning to use ISDN primarily to connect to the
 	  Internet with an Internet Provider on a dial-up non-dedicated basis,
 	  you might look into Terminal Adapters.  This will give you the
 	  most flexibility, with the fewest problems, if you change
 	  providers.</para>
       </listitem>
 
       <listitem>
 	<para>If you are connecting two LANs together, or connecting to the
 	  Internet with a dedicated ISDN connection, you might consider
 	  the stand alone router/bridge option.</para>
       </listitem>
     </itemizedlist>
 
     <para>Cost is a significant factor in determining what solution you will
       choose.  The following options are listed from least expensive to most
       expensive.</para>
 
     <sect2 id="network-isdn-cards">
       <sect2info>
         <authorgroup>
           <author>
             <firstname>Hellmuth</firstname>
             <surname>Michaelis</surname>
             <contrib>Contributed by </contrib>
           </author>
         </authorgroup>
       </sect2info>
       <title>ISDN Cards</title>
 
       <indexterm>
         <primary>ISDN</primary>
         <secondary>cards</secondary>
       </indexterm>
 
       <para>FreeBSD's ISDN implementation supports only the DSS1/Q.931
 	(or Euro-ISDN) standard using passive cards.  Starting with
 	FreeBSD&nbsp;4.4, some active cards are supported where the firmware
 	also supports other signaling protocols; this also includes the
 	first supported Primary Rate (PRI) ISDN card.</para>
 
       <para>The <application>isdn4bsd</application> software allows you to connect
 	to other ISDN routers using either IP over raw HDLC or by using
 	synchronous PPP: either by using kernel PPP with <literal>isppp</literal>, a
 	modified &man.sppp.4; driver, or by using userland &man.ppp.8;.  By using
 	userland &man.ppp.8;, channel bonding of two or more ISDN
 	B-channels is possible.  A telephone answering machine
 	application is also available as well as many utilities such as
 	a software 300 Baud modem.</para>
 
       <para>Some growing number of PC ISDN cards are supported under
 	FreeBSD and the reports show that it is successfully used all
 	over Europe and in many other parts of the world.</para>
 
       <para>The passive ISDN cards supported are mostly the ones with
 	the Infineon (formerly Siemens) ISAC/HSCX/IPAC ISDN chipsets,
 	but also ISDN cards with chips from Cologne Chip (ISA bus only),
 	PCI cards with Winbond W6692 chips, some cards with the
 	Tiger300/320/ISAC chipset combinations and some vendor specific
 	chipset based cards such as the AVM Fritz!Card PCI V.1.0 and the
 	AVM Fritz!Card PnP.</para>
 
       <para>Currently the active supported ISDN cards are the AVM B1
 	(ISA and PCI) BRI cards and the AVM T1 PCI PRI cards.</para>
 
       <para>For documentation on <application>isdn4bsd</application>,
 	have a look at <filename>/usr/share/examples/isdn/</filename>
 	directory on your FreeBSD system or at the <ulink
 	  url="http://www.freebsd-support.de/i4b/">homepage of
 	  isdn4bsd</ulink> which also has pointers to hints, erratas and
 	much more documentation such as the <ulink
 	  url="http://people.FreeBSD.org/~hm/">isdn4bsd
 	  handbook</ulink>.</para>
 
       <para>In case you are interested in adding support for a
 	different ISDN protocol, a currently unsupported ISDN PC card or
 	otherwise enhancing <application>isdn4bsd</application>, please
 	get in touch with &a.hm;.</para>
 
       <para>For questions regarding the installation, configuration
 	and troubleshooting <application>isdn4bsd</application>, a
 	&a.isdn.name; mailing list is available.</para>
     </sect2>
 
     <sect2>
       <title>ISDN Terminal Adapters</title>
 
       <para>Terminal adapters (TA), are to ISDN what modems are to regular
 	phone lines.</para>
       <indexterm><primary>modem</primary></indexterm>
       <para>Most TA's use the standard Hayes modem AT command set, and can be
 	used as a drop in replacement for a modem.</para>
 
       <para>A TA will operate basically the same as a modem except connection
 	and throughput speeds will be much faster than your old modem.  You
 	will need to configure <link linkend="ppp">PPP</link> exactly the same
 	as for a modem setup.  Make sure you set your serial speed as high as
 	possible.</para>
       <indexterm><primary>PPP</primary></indexterm>
       <para>The main advantage of using a TA to connect to an Internet
 	Provider is that you can do Dynamic PPP.  As IP address space becomes
 	more and more scarce, most providers are not willing to provide you
 	with a static IP anymore.  Most stand-alone routers are not able to
 	accommodate dynamic IP allocation.</para>
 
       <para>TA's completely rely on the PPP daemon that you are running for
 	their features and stability of connection.  This allows you to
 	upgrade easily from using a modem to ISDN on a FreeBSD machine, if you
 	already have PPP set up.  However, at the same time any problems you
 	experienced with the PPP program and are going to persist.</para>
 
       <para>If you want maximum stability, use the kernel <link
 	  linkend="ppp">PPP</link> option, not the <link
 	  linkend="userppp">userland PPP</link>.</para>
 
       <para>The following TA's are known to work with FreeBSD:</para>
 
       <itemizedlist>
 	<listitem>
 	  <para>Motorola BitSurfer and Bitsurfer Pro</para>
 	</listitem>
 
 	<listitem>
 	  <para>Adtran</para>
 	</listitem>
       </itemizedlist>
 
       <para>Most other TA's will probably work as well, TA vendors try to make
 	sure their product can accept most of the standard modem AT command
 	set.</para>
 
       <para>The real problem with external TA's is that, like modems,
 	you need a good serial card in your computer.</para>
 
       <para>You should read the <ulink
 	url="&url.articles.serial-uart;/index.html">FreeBSD Serial
 	Hardware</ulink> tutorial for a detailed understanding of
 	serial devices, and the differences between asynchronous and
 	synchronous serial ports.</para>
 
       <para>A TA running off a standard PC serial port (asynchronous) limits
 	you to 115.2&nbsp;Kbs, even though you have a 128&nbsp;Kbs connection.
 	To fully utilize the 128&nbsp;Kbs that ISDN is capable of,
 	you must move the TA to a synchronous serial card.</para>
 
       <para>Do not be fooled into buying an internal TA and thinking you have
 	avoided the synchronous/asynchronous issue.  Internal TA's simply have
 	a standard PC serial port chip built into them.  All this will do is
 	save you having to buy another serial cable and find another empty
 	electrical socket.</para>
 
       <para>A synchronous card with a TA is at least as fast as a stand-alone
 	router, and with a simple 386 FreeBSD box driving it, probably more
 	flexible.</para>
 
       <para>The choice of synchronous card/TA v.s. stand-alone router is largely a
 	religious issue.  There has been some discussion of this in
 	the mailing lists.  We suggest you search the <ulink
 	url="&url.base;/search/index.html">archives</ulink> for
 	the complete discussion.</para>
     </sect2>
 
     <sect2>
       <title>Stand-alone ISDN Bridges/Routers</title>
       <indexterm>
         <primary>ISDN</primary>
 	<secondary>stand-alone bridges/routers</secondary>
       </indexterm>
       <para>ISDN bridges or routers are not at all specific to FreeBSD
 	or any other operating system.  For a more complete
 	description of routing and bridging technology, please refer
 	to a networking reference book.</para>
 
       <para>In the context of this section, the terms router and bridge will
 	be used interchangeably.</para>
 
       <para>As the cost of low end ISDN routers/bridges comes down, it
 	will likely become a more and more popular choice.  An ISDN
 	router is a small box that plugs directly into your local
 	Ethernet network, and manages its own connection to the other
 	bridge/router.  It has built in software to communicate via
 	PPP and other popular protocols.</para>
 
       <para>A router will allow you much faster throughput than a
 	standard TA, since it will be using a full synchronous ISDN
 	connection.</para>
 
       <para>The main problem with ISDN routers and bridges is that
 	interoperability between manufacturers can still be a problem.
 	If you are planning to connect to an Internet provider, you
 	should discuss your needs with them.</para>
 
       <para>If you are planning to connect two LAN segments together,
 	such as your home LAN to the office LAN, this is the simplest
 	lowest
 	maintenance solution.  Since you are buying the equipment for
 	both sides of the connection you can be assured that the link
 	will work.</para>
 
       <para>For example to connect a home computer or branch office
 	network to a head office network the following setup could be
 	used:</para>
 
       <example>
 	<title>Branch Office or Home Network</title>
 
 	<indexterm><primary>10 base 2</primary></indexterm>
 	<para>Network uses a bus based topology with 10 base 2
 	  Ethernet (<quote>thinnet</quote>).  Connect router to network cable with
 	  AUI/10BT transceiver, if necessary.</para>
 
         <mediaobject>
           <imageobject>
             <imagedata fileref="advanced-networking/isdn-bus">
           </imageobject>
 
 	  <textobject>
 	    <literallayout class="monospaced">---Sun workstation
 |
 ---FreeBSD box
 |
 ---Windows 95
 |
 Stand-alone router
    |
 ISDN BRI line</literallayout>
           </textobject>
 
 	  <textobject>
 	    <phrase>10 Base 2 Ethernet</phrase>
 	  </textobject>
 	</mediaobject>
 
 	<para>If your home/branch office is only one computer you can use a
 	  twisted pair crossover cable to connect to the stand-alone router
 	  directly.</para>
       </example>
 
       <example>
 	<title>Head Office or Other LAN</title>
 
 	<indexterm><primary>10 base T</primary></indexterm>
 	<para>Network uses a star topology with 10 base T Ethernet
   	  (<quote>Twisted Pair</quote>).</para>
 
         <mediaobject>
           <imageobject>
             <imagedata fileref="advanced-networking/isdn-twisted-pair">
           </imageobject>
 
 	  <textobject>
 	    <literallayout class="monospaced">    -------Novell Server
     | H |
     |   ---Sun
     |   |
     | U ---FreeBSD
     |   |
     |   ---Windows 95
     | B |
     |___---Stand-alone router
                 |
         ISDN BRI line</literallayout>
 	  </textobject>
 
 	  <textobject>
 	    <phrase>ISDN Network Diagram</phrase>
 	  </textobject>
 	</mediaobject>
       </example>
 
       <para>One large advantage of most routers/bridges is that they allow you
 	to have 2 <emphasis>separate independent</emphasis> PPP connections to
 	2 separate sites at the <emphasis>same</emphasis> time.  This is not
 	supported on most TA's, except for specific (usually expensive) models
 	that
 	have two serial ports.  Do not confuse this with channel bonding, MPP,
 	etc.</para>
 
       <para>This can be a very useful feature if, for example, you
 	have an dedicated ISDN connection at your office and would
 	like to tap into it, but do not want to get another ISDN line
 	at work.  A router at the office location can manage a
 	dedicated B channel connection (64&nbsp;Kbps) to the Internet
 	and use the other B channel for a separate data connection.
 	The second B channel can be used for dial-in, dial-out or
 	dynamically bonding (MPP, etc.) with the first B channel for
 	more bandwidth.</para>
 
       <indexterm><primary>IPX/SPX</primary></indexterm>
       <para>An Ethernet bridge will also allow you to transmit more than just
 	IP traffic.  You can also send IPX/SPX or whatever other protocols you
 	use.</para>
     </sect2>
   </sect1>
 
   <sect1 id="network-natd">
     <sect1info>
       <authorgroup>
         <author>
           <firstname>Chern</firstname>
           <surname>Lee</surname>
           <contrib>Contributed by </contrib>
         </author>
       </authorgroup>
     </sect1info>
     <title>Network Address Translation</title>
 
     <sect2 id="network-natoverview">
       <title>Overview</title>
       <indexterm>
         <primary><application>natd</application></primary>
       </indexterm>
       <para>FreeBSD's Network Address Translation daemon, commonly known as
         &man.natd.8; is a daemon that accepts incoming raw IP packets,
         changes the source to the local machine and re-injects these packets
         back into the outgoing IP packet stream.  &man.natd.8; does this by changing
         the source IP address and port such that when data is received back,
         it is able to determine the original location of the data and forward
         it back to its original requester.</para>
       <indexterm><primary>Internet connection sharing</primary></indexterm>
       <indexterm><primary>IP masquerading</primary></indexterm>
       <para>The most common use of NAT is to perform what is commonly known as
         Internet Connection Sharing.</para>
     </sect2>
 
     <sect2 id="network-natsetup">
       <title>Setup</title>
       <para>Due to the diminishing IP space in IPv4, and the increased number
         of users on high-speed consumer lines such as cable or DSL, people are
         increasingly in need of an Internet Connection Sharing solution.  The
         ability to connect several computers online through one connection and
         IP address makes &man.natd.8; a reasonable choice.</para>
 
       <para>Most commonly, a user has a machine connected to a cable or DSL
         line with one IP address and wishes to use this one connected computer to
         provide Internet access to several more over a LAN.</para>
 
       <para>To do this, the FreeBSD machine on the Internet must act as a
         gateway.  This gateway machine must have two NICs&mdash;one for connecting
         to the Internet router, the other connecting to a LAN.  All the
         machines on the LAN are connected through a hub or switch.</para>
 
       <mediaobject>
         <imageobject>
           <imagedata fileref="advanced-networking/natd">
         </imageobject>
 
 	<textobject>
 	  <literallayout class="monospaced">  _______       __________       ________
  |       |     |          |     |        |
  |  Hub  |-----| Client B |-----| Router |----- Internet
  |_______|     |__________|     |________|
      |
  ____|_____
 |          |
 | Client A |
 |__________|</literallayout>
         </textobject>
 
 	<textobject>
 	  <phrase>Network Layout</phrase>
 	</textobject>
       </mediaobject>
 
       <para>A setup like this is commonly used to share an Internet
         connection.  One of the <acronym>LAN</acronym> machines is
         connected to the Internet.  The rest of the machines access
         the Internet through that <quote>gateway</quote>
         machine.</para>
     </sect2>
 
     <sect2 id="network-natdkernconfiguration">
       <indexterm>
         <primary>kernel</primary>
 	<secondary>configuration</secondary>
       </indexterm>
       <title>Configuration</title>
       <para>The following options must be in the kernel configuration
         file:</para>
       <programlisting>options IPFIREWALL
 options IPDIVERT</programlisting>
 
       <para>Additionally, at choice, the following may also be suitable:</para>
       <programlisting>options IPFIREWALL_DEFAULT_TO_ACCEPT
 options IPFIREWALL_VERBOSE</programlisting>
 
       <para>The following must be in <filename>/etc/rc.conf</filename>:</para>
 
       <programlisting>gateway_enable="YES" <co id="co-natd-gateway-enable">
 firewall_enable="YES" <co id="co-natd-firewall-enable">
 firewall_type="OPEN" <co id="co-natd-firewall-type">
 natd_enable="YES"
 natd_interface="<replaceable>fxp0</replaceable>" <co id="co-natd-natd-interface">
 natd_flags="" <co id="co-natd-natd-flags"></programlisting>
 
       <calloutlist>
         <callout arearefs="co-natd-gateway-enable">
           <para>Sets up the machine to act as a gateway.  Running
             <command>sysctl net.inet.ip.forwarding=1</command> would
             have the same effect.</para>
         <callout arearefs="co-natd-firewall-enable">
           <para>Enables the firewall rules in
             <filename>/etc/rc.firewall</filename> at boot.</para>
         <callout arearefs="co-natd-firewall-type">
           <para>This specifies a predefined firewall ruleset that
             allows anything in.  See
             <filename>/etc/rc.firewall</filename> for additional
             types.</para>
         <callout arearefs="co-natd-natd-interface">
           <para>Indicates which interface to forward packets through
             (the interface connected to the Internet).</para>
         <callout arearefs="co-natd-natd-flags">
           <para>Any additional configuration options passed to
             &man.natd.8; on boot.</para>
       </calloutlist>
 
       <para>Having the previous options defined in
         <filename>/etc/rc.conf</filename> would run
         <command>natd -interface fxp0</command> at boot.  This can also
         be run manually.</para>
 
       <note>
 	<para>It is also possible to use a configuration file for
 	  &man.natd.8; when there are too many options to pass.  In this
 	  case, the configuration file must be defined by adding the
 	  following line to <filename>/etc/rc.conf</filename>:</para>
 
 	<programlisting>natd_flags="-f /etc/natd.conf"</programlisting>
 
 	<para>The <filename>/etc/natd.conf</filename> file will
 	  contain a list of configuration options, one per line.  For
 	  example the next section case would use the following
 	  file:</para>
 
 	<programlisting>redirect_port tcp 192.168.0.2:6667 6667
 redirect_port tcp 192.168.0.3:80 80</programlisting>
 
 	<para>For more information about the configuration file,
 	  consult the &man.natd.8; manual page about the
 	  <option>-f</option> option.</para>
       </note>
 
       <para>Each machine and interface behind the LAN should be
         assigned IP address numbers in the private network space as
         defined by <ulink
         url="ftp://ftp.isi.edu/in-notes/rfc1918.txt">RFC 1918</ulink>
         and have a default gateway of the <application>natd</application> machine's internal IP
         address.</para>
 
       <para>For example, client <hostid>A</hostid> and
         <hostid>B</hostid> behind the LAN have IP addresses of <hostid
         role="ipaddr">192.168.0.2</hostid> and <hostid
         role="ipaddr">192.168.0.3</hostid>, while the natd machine's
         LAN interface has an IP address of <hostid
         role="ipaddr">192.168.0.1</hostid>.  Client <hostid>A</hostid>
         and <hostid>B</hostid>'s default gateway must be set to that
         of the <application>natd</application> machine, <hostid
         role="ipaddr">192.168.0.1</hostid>.  The <application>natd</application> machine's
         external, or Internet interface does not require any special
         modification for &man.natd.8; to work.</para>
     </sect2>
 
     <sect2 id="network-natdport-redirection">
       <title>Port Redirection</title>
 
       <para>The drawback with &man.natd.8; is that the LAN clients are not accessible
         from the Internet.  Clients on the LAN can make outgoing connections to
         the world but cannot receive incoming ones.  This presents a problem
         if trying to run Internet services on one of the LAN client machines.
         A simple way around this is to redirect selected Internet ports on the
         <application>natd</application> machine to a LAN client.
       </para>
 
       <para>For example, an IRC server runs on client <hostid>A</hostid>, and a web server runs
         on client <hostid>B</hostid>.  For this to work properly, connections received on ports
         6667 (IRC) and 80 (web) must be redirected to the respective machines.
       </para>
 
       <para>The <option>-redirect_port</option> must be passed to
         &man.natd.8; with the proper options.  The syntax is as follows:</para>
       <programlisting>     -redirect_port proto targetIP:targetPORT[-targetPORT]
                  [aliasIP:]aliasPORT[-aliasPORT]
                  [remoteIP[:remotePORT[-remotePORT]]]</programlisting>
 
       <para>In the above example, the argument should be:</para>
 
         <programlisting>    -redirect_port tcp 192.168.0.2:6667 6667
     -redirect_port tcp 192.168.0.3:80 80</programlisting>
 
       <para>
         This will redirect the proper <emphasis>tcp</emphasis> ports to the
         LAN client machines.
       </para>
 
       <para>The <option>-redirect_port</option> argument can be used to indicate port
         ranges over individual ports.  For example, <replaceable>tcp
         192.168.0.2:2000-3000 2000-3000</replaceable> would redirect
         all connections received on ports 2000 to 3000 to ports 2000
         to 3000 on client <hostid>A</hostid>.</para>
 
       <para>These options can be used when directly running
         &man.natd.8;, placed within the
         <literal>natd_flags=""</literal> option in
         <filename>/etc/rc.conf</filename>,
 	or passed via a configuration file.</para>
 
       <para>For further configuration options, consult &man.natd.8;</para>
     </sect2>
 
     <sect2 id="network-natdaddress-redirection">
       <title>Address Redirection</title>
       <indexterm><primary>address redirection</primary></indexterm>
       <para>Address redirection is useful if several IP addresses are
         available, yet they must be on one machine.  With this,
         &man.natd.8; can assign each LAN client its own external IP address.
         &man.natd.8; then rewrites outgoing packets from the LAN clients
         with the proper external IP address and redirects
         all traffic incoming on that particular IP address back to
         the specific LAN client.  This is also known as static NAT.
         For example, the IP addresses <hostid role="ipaddr">128.1.1.1</hostid>,
         <hostid role="ipaddr">128.1.1.2</hostid>, and
         <hostid role="ipaddr">128.1.1.3</hostid> belong to the <application>natd</application> gateway
         machine.  <hostid role="ipaddr">128.1.1.1</hostid> can be used
         as the <application>natd</application> gateway machine's external IP address, while
         <hostid role="ipaddr">128.1.1.2</hostid> and
         <hostid role="ipaddr">128.1.1.3</hostid> are forwarded back to LAN
         clients <hostid>A</hostid> and <hostid>B</hostid>.</para>
 
       <para>The <option>-redirect_address</option> syntax is as follows:</para>
 
       <programlisting>-redirect_address localIP publicIP</programlisting>
 
 
-      <informaltable frame="none">
+      <informaltable frame="none" pgwide="1">
         <tgroup cols="2">
           <tbody>
             <row>
               <entry>localIP</entry>
               <entry>The internal IP address of the LAN client.</entry>
             </row>
             <row>
               <entry>publicIP</entry>
               <entry>The external IP address corresponding to the LAN client.</entry>
             </row>
           </tbody>
         </tgroup>
       </informaltable>
 
       <para>In the example, this argument would read:</para>
 
       <programlisting>-redirect_address 192.168.0.2 128.1.1.2
 -redirect_address 192.168.0.3 128.1.1.3</programlisting>
 
       <para>Like <option>-redirect_port</option>, these arguments are also placed within
         the <literal>natd_flags=""</literal> option of <filename>/etc/rc.conf</filename>, or passed via a configuration file.  With address
         redirection, there is no need for port redirection since all data
         received on a particular IP address is redirected.</para>
 
       <para>The external IP addresses on the <application>natd</application> machine must be active and aliased
         to the external interface.  Look at &man.rc.conf.5; to do so.</para>
 
     </sect2>
   </sect1>
 
   <sect1 id="network-plip">
     <title>Parallel Line IP (PLIP)</title>
 
     <indexterm><primary>PLIP</primary></indexterm>
     <indexterm><primary>Parallel Line IP</primary></indexterm>
 
     <para>PLIP lets us run TCP/IP between parallel ports.  It is
       useful on machines without network cards, or to install on
       laptops.  In this section, we will discuss:</para>
 
     <itemizedlist>
       <listitem>
 	<para>Creating a parallel (laplink) cable.</para>
       </listitem>
 
       <listitem>
 	<para>Connecting two computers with PLIP.</para>
       </listitem>
     </itemizedlist>
 
     <sect2 id="network-create-parallel-cable">
       <title>Creating a Parallel Cable</title>
 
       <para>You can purchase a parallel cable at most computer supply
         stores.  If you cannot do that, or you just want to know how
         it is done, the following table shows how to make one out of a normal parallel
         printer cable.</para>
 
       <table frame="none">
 	<title>Wiring a Parallel Cable for Networking</title>
 
 	<tgroup cols="5">
 	  <thead>
 	    <row>
 	      <entry>A-name</entry>
 
 	      <entry>A-End</entry>
 
 	      <entry>B-End</entry>
 
 	      <entry>Descr.</entry>
 
 	      <entry>Post/Bit</entry>
 	    </row>
 	  </thead>
 
 	  <tbody>
 	    <row>
 	      <entry><literallayout>DATA0
 -ERROR</literallayout></entry>
 
 	      <entry><literallayout>2
 15</literallayout></entry>
 
 	      <entry><literallayout>15
 2</literallayout></entry>
 
 	      <entry>Data</entry>
 
 	      <entry><literallayout>0/0x01
 1/0x08</literallayout></entry>
 	    </row>
 
 	    <row>
 	      <entry><literallayout>DATA1
 +SLCT</literallayout></entry>
 
 	      <entry><literallayout>3
 13</literallayout></entry>
 
 	      <entry><literallayout>13
 3</literallayout></entry>
 
 	      <entry>Data</entry>
 
 	      <entry><literallayout>0/0x02
 1/0x10</literallayout></entry>
 	    </row>
 
 	    <row>
 	      <entry><literallayout>DATA2
 +PE</literallayout></entry>
 
 	      <entry><literallayout>4
 12</literallayout></entry>
 
 	      <entry><literallayout>12
 4</literallayout></entry>
 
 	      <entry>Data</entry>
 
 	      <entry><literallayout>0/0x04
 1/0x20</literallayout></entry>
 	    </row>
 
 	    <row>
 	      <entry><literallayout>DATA3
 -ACK</literallayout></entry>
 
 	      <entry><literallayout>5
 10</literallayout></entry>
 
 	      <entry><literallayout>10
 5</literallayout></entry>
 
 	      <entry>Strobe</entry>
 
 	      <entry><literallayout>0/0x08
 1/0x40</literallayout></entry>
 	    </row>
 
 	    <row>
 	      <entry><literallayout>DATA4
 BUSY</literallayout></entry>
 
 	      <entry><literallayout>6
 11</literallayout></entry>
 
 	      <entry><literallayout>11
 6</literallayout></entry>
 
 	      <entry>Data</entry>
 
 	      <entry><literallayout>0/0x10
 1/0x80</literallayout></entry>
 	    </row>
 
 	    <row>
 	      <entry>GND</entry>
 
 	      <entry>18-25</entry>
 
 	      <entry>18-25</entry>
 
 	      <entry>GND</entry>
 
 	      <entry>-</entry>
 	    </row>
 	  </tbody>
 	</tgroup>
       </table>
     </sect2>
 
     <sect2 id="network-plip-setup">
       <title>Setting Up PLIP</title>
 
       <para>First, you have to get a laplink cable.
 	Then, confirm that both computers have a kernel with &man.lpt.4; driver
 	support:</para>
 
       <screen>&prompt.root; <userinput>grep lp /var/run/dmesg.boot</userinput>
 lpt0: &lt;Printer&gt; on ppbus0
 lpt0: Interrupt-driven port</screen>
 
       <para>The parallel port must be an interrupt driven port, under
 	&os;&nbsp;4.X, you should have a line similar to the
 	following in your kernel configuration file:</para>
 
       <programlisting>device ppc0 at isa? irq 7</programlisting>
 
       <para>Under &os;&nbsp;5.X, the
 	<filename>/boot/device.hints</filename> file should contain the
 	following lines:</para>
 
       <programlisting>hint.ppc.0.at="isa"
 hint.ppc.0.irq="7"</programlisting>
 
       <para>Then check if the kernel configuration file has a
 	<literal>device plip</literal> line or if the
 	<filename>plip.ko</filename> kernel module is loaded.  In both
 	cases the parallel networking interface should appear when you
 	directly use the &man.ifconfig.8; command.  Under
 	&os;&nbsp;4.X like this:</para>
 
       <screen>&prompt.root; <userinput>ifconfig lp0</userinput>
 lp0: flags=8810&lt;POINTOPOINT,SIMPLEX,MULTICAST&gt; mtu 1500</screen>
 
       <para>and for &os;&nbsp;5.X:</para>
 
       <screen>&prompt.root; <userinput>ifconfig plip0</userinput>
 plip0: flags=8810&lt;POINTOPOINT,SIMPLEX,MULTICAST&gt; mtu 1500</screen>
 
       <note><para>The device name used for parallel interface is
 	different between &os;&nbsp;4.X
 	(<devicename>lp<replaceable>X</replaceable></devicename>)
 	and &os;&nbsp;5.X
 	(<devicename>plip<replaceable>X</replaceable></devicename>).</para></note>
 
       <para>Plug in the laplink cable into the parallel interface on
 	both computers.</para>
 
       <para>Configure the network interface parameters on both
 	sites as <username>root</username>.  For example, if you want connect
 	the host <hostid>host1</hostid> running &os;&nbsp;4.X with <hostid>host2</hostid> running &os;&nbsp;5.X:</para>
 
       <programlisting>                 host1 &lt;-----&gt; host2
 IP Address    10.0.0.1      10.0.0.2</programlisting>
 
       <para>Configure the interface on <hostid>host1</hostid> by doing:</para>
 
       <screen>&prompt.root; <userinput>ifconfig lp0 10.0.0.1 10.0.0.2</userinput></screen>
 
       <para>Configure the interface on <hostid>host2</hostid> by doing:</para>
 
       <screen>&prompt.root; <userinput>ifconfig plip0 10.0.0.2 10.0.0.1</userinput></screen>
 
 
       <para>You now should have a working connection.  Please read the
         manual pages &man.lp.4; and &man.lpt.4; for more details.</para>
 
       <para>You should also add both hosts to
 	<filename>/etc/hosts</filename>:</para>
 
       <programlisting>127.0.0.1               localhost.my.domain localhost
 10.0.0.1                host1.my.domain host1
 10.0.0.2                host2.my.domain</programlisting>
 
       <para>To confirm the connection works, go to each host and ping
 	the other.  For example, on <hostid>host1</hostid>:</para>
 
           <screen>&prompt.root; <userinput>ifconfig lp0</userinput>
 lp0: flags=8851&lt;UP,POINTOPOINT,RUNNING,SIMPLEX,MULTICAST&gt; mtu 1500
         inet 10.0.0.1 --&gt; 10.0.0.2 netmask 0xff000000
 &prompt.root; <userinput>netstat -r</userinput>
 Routing tables
 
 Internet:
 Destination        Gateway          Flags     Refs     Use      Netif Expire
 host2              host1              UH          0       0       lp0
 &prompt.root; <userinput>ping -c 4 host2</userinput>
 PING host2 (10.0.0.2): 56 data bytes
 64 bytes from 10.0.0.2: icmp_seq=0 ttl=255 time=2.774 ms
 64 bytes from 10.0.0.2: icmp_seq=1 ttl=255 time=2.530 ms
 64 bytes from 10.0.0.2: icmp_seq=2 ttl=255 time=2.556 ms
 64 bytes from 10.0.0.2: icmp_seq=3 ttl=255 time=2.714 ms
 
 --- host2 ping statistics ---
 4 packets transmitted, 4 packets received, 0% packet loss
 round-trip min/avg/max/stddev = 2.530/2.643/2.774/0.103 ms</screen>
 
     </sect2>
   </sect1>
 
   <sect1 id="network-ipv6">
     <sect1info>
       <authorgroup>
 	<author>
 	  <firstname>Aaron</firstname>
 	  <surname>Kaplan</surname>
 	  <contrib>Originally Written by </contrib>
 	</author>
       </authorgroup>
       <authorgroup>
 	<author>
 	  <firstname>Tom</firstname>
 	  <surname>Rhodes</surname>
 	  <contrib>Restructured and Added by </contrib>
 	</author>
       </authorgroup>
       <authorgroup>
    <author>
       <firstname>Brad</firstname>
       <surname>Davis</surname>
       <contrib>Extended by </contrib>
    </author>
       </authorgroup>
 
     </sect1info>
 
     <title>IPv6</title>
     <para>IPv6 (also know as IPng <quote>IP next generation</quote>) is
       the new version of the well known IP protocol (also know as
       <acronym>IPv4</acronym>).  Like the other current *BSD systems,
       FreeBSD includes the KAME IPv6 reference implementation.
       So your FreeBSD system comes with all you will need to experiment with IPv6.
       This section focuses on getting IPv6 configured and running.</para>
 
     <para>In the early 1990s, people became aware of the rapidly
       diminishing address space of IPv4.  Given the expansion rate of the
       Internet there were two major concerns:</para>
 
     <itemizedlist>
       <listitem>
 	<para>Running out of addresses.  Today this is not so much of a concern
 	  anymore since private address spaces
 	  (<hostid role="ipaddr">10.0.0.0/8</hostid>,
 	  <hostid role="ipaddr">192.168.0.0/24</hostid>,
 	  etc.) and Network Address Translation (<acronym>NAT</acronym>) are
 	  being employed.</para>
       </listitem>
 
       <listitem>
 	<para>Router table entries were getting too large.  This is
 	  still a concern today.</para>
       </listitem>
     </itemizedlist>
 
     <para>IPv6 deals with these and many other issues:</para>
 
     <itemizedlist>
       <listitem>
 	<para>128 bit address space.  In other words theoretically there are
 	  340,282,366,920,938,463,463,374,607,431,768,211,456 addresses
 	  available.  This means there are approximately
 	  6.67 * 10^27 IPv6 addresses per square meter on our planet.</para>
       </listitem>
 
       <listitem>
 	<para>Routers will only store network aggregation addresses in their routing
 	  tables thus reducing the average space of a routing table to 8192
 	  entries.</para>
       </listitem>
     </itemizedlist>
 
     <para>There are also lots of other useful features of IPv6 such as:</para>
 
     <itemizedlist>
       <listitem>
 	<para>Address autoconfiguration (<ulink
 	  url="http://www.ietf.org/rfc/rfc2462.txt">RFC2462</ulink>)</para>
       </listitem>
 
       <listitem>
 	<para>Anycast addresses (<quote>one-out-of many</quote>)</para>
       </listitem>
 
       <listitem>
 	<para>Mandatory multicast addresses</para>
       </listitem>
 
       <listitem>
 	<para>IPsec (IP security)</para>
       </listitem>
 
       <listitem>
 	<para>Simplified header structure</para>
       </listitem>
 
       <listitem>
 	<para>Mobile <acronym>IP</acronym></para>
       </listitem>
 
       <listitem>
 	<para>IPv6-to-IPv4 transition mechanisms</para>
       </listitem>
     </itemizedlist>
 
 
     <para>For more information see:</para>
 
     <itemizedlist>
       <listitem>
 	<para>IPv6 overview at <ulink url="http://playground.sun.com/pub/ipng/html/ipng-main.html">playground.sun.com</ulink></para>
       </listitem>
 
       <listitem>
 	<para><ulink url="http://www.kame.net">KAME.net</ulink></para>
       </listitem>
 
       <listitem>
 	<para><ulink url="http://www.6bone.net">6bone.net</ulink></para>
       </listitem>
     </itemizedlist>
 
     <sect2>
       <title>Background on IPv6 Addresses</title>
       <para>There are different types of IPv6 addresses: Unicast, Anycast and
 	Multicast.</para>
 
       <para>Unicast addresses are the well known addresses.  A packet sent
 	to a unicast address arrives exactly at the interface belonging to
 	the address.</para>
 
       <para>Anycast addresses are syntactically indistinguishable from unicast
 	addresses but they address a group of interfaces.  The packet destined for
 	an anycast address will arrive at the nearest (in router metric)
 	interface.  Anycast addresses may only be used by routers.</para>
 
       <para>Multicast addresses identify a group of interfaces.  A packet destined
 	for a multicast address will arrive at all interfaces belonging to the
 	multicast group.</para>
 
 	<note><para>The IPv4 broadcast address (usually <hostid role="ipaddr">xxx.xxx.xxx.255</hostid>) is expressed
 	  by multicast addresses in IPv6.</para></note>
 
       <table frame="none">
 	<title>Reserved IPv6 addresses</title>
 
 	<tgroup cols="4">
 	  <thead>
 	    <row>
 	      <entry>IPv6 address</entry>
 	      <entry>Prefixlength (Bits)</entry>
 	      <entry>Description</entry>
 	      <entry>Notes</entry>
 	    </row>
 	  </thead>
 
 	  <tbody>
 	    <row>
 	      <entry><hostid role="ip6addr">::</hostid></entry>
 	      <entry>128 bits</entry>
 	      <entry>unspecified</entry>
 	      <entry>cf. <hostid role="ipaddr">0.0.0.0</hostid> in
 		IPv4</entry>
 	    </row>
 
 	    <row>
 	      <entry><hostid role="ip6addr">::1</hostid></entry>
 	      <entry>128 bits</entry>
 	      <entry>loopback address</entry>
 	      <entry>cf. <hostid role="ipaddr">127.0.0.1</hostid> in
 		IPv4</entry>
 	    </row>
 
 	    <row>
 	      <entry><hostid
 		role="ip6addr">::00:xx:xx:xx:xx</hostid></entry>
 	      <entry>96 bits</entry>
 	      <entry>embedded IPv4</entry>
 	      <entry>The lower 32 bits are the IPv4 address.  Also
 		called <quote>IPv4 compatible IPv6
 		address</quote></entry>
 	    </row>
 
 	    <row>
 	      <entry><hostid
 		role="ip6addr">::ff:xx:xx:xx:xx</hostid></entry>
 	      <entry>96 bits</entry>
 	      <entry>IPv4 mapped IPv6 address</entry>
 	      <entry>The lower 32 bits are the IPv4 address.
 		For hosts which do not support IPv6.</entry>
 	    </row>
 
 	    <row>
 	      <entry><hostid role="ip6addr">fe80::</hostid> - <hostid
 		role="ip6addr">feb::</hostid></entry>
 	      <entry>10 bits</entry>
 	      <entry>link-local</entry>
 	      <entry>cf. loopback address in IPv4</entry>
 	    </row>
 
 	    <row>
 	      <entry><hostid role="ip6addr">fec0::</hostid> - <hostid
 		role="ip6addr">fef::</hostid></entry>
 	      <entry>10 bits</entry>
 	      <entry>site-local</entry>
 	      <entry>&nbsp;</entry>
 	    </row>
 
 	    <row>
 	      <entry><hostid role="ip6addr">ff::</hostid></entry>
 	      <entry>8 bits</entry>
 	      <entry>multicast</entry>
 	      <entry>&nbsp;</entry>
 	    </row>
 
 	    <row>
 	      <entry><hostid role="ip6addr">001</hostid> (base
 		2)</entry>
 	      <entry>3 bits</entry>
 	      <entry>global unicast</entry>
 	      <entry>All global unicast addresses are assigned from
 		this pool.  The first 3 bits are
 		<quote>001</quote>.</entry>
 	    </row>
 	  </tbody>
 	</tgroup>
       </table>
     </sect2>
 
     <sect2>
       <title>Reading IPv6 Addresses</title>
       <para>The canonical form is represented as: <hostid role="ip6addr">x:x:x:x:x:x:x:x</hostid>, each
 	<quote>x</quote> being a 16 Bit hex value.  For example
 	<hostid role="ip6addr">FEBC:A574:382B:23C1:AA49:4592:4EFE:9982</hostid></para>
 
       <para>Often an address will have long substrings of all zeros
 	therefore one such substring per address can be abbreviated by <quote>::</quote>.
 	Also up to three leading <quote>0</quote>s per hexquad can be omitted.
 	For example <hostid role="ip6addr">fe80::1</hostid>
 	corresponds to the canonical form
 	<hostid role="ip6addr">fe80:0000:0000:0000:0000:0000:0000:0001</hostid>.</para>
 
       <para>A third form is to write the last 32 Bit part in the
 	well known (decimal) IPv4 style with dots <quote>.</quote>
 	as separators.  For example
 	<hostid role="ip6addr">2002::10.0.0.1</hostid>
 	corresponds to the (hexadecimal) canonical representation
 	<hostid role="ip6addr">2002:0000:0000:0000:0000:0000:0a00:0001</hostid>
 	which in turn is equivalent to
 	writing <hostid role="ip6addr">2002::a00:1</hostid>.</para>
 
       <para>By now the reader should be able to understand the following:</para>
 
       <screen>&prompt.root; <userinput>ifconfig</userinput></screen>
 
       <programlisting>rl0: flags=8943&lt;UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST&gt; mtu 1500
          inet 10.0.0.10 netmask 0xffffff00 broadcast 10.0.0.255
          inet6 fe80::200:21ff:fe03:8e1%rl0 prefixlen 64 scopeid 0x1
          ether 00:00:21:03:08:e1
          media: Ethernet autoselect (100baseTX )
          status: active</programlisting>
 
       <para><hostid role="ip6addr">fe80::200:21ff:fe03:8e1%rl0</hostid>
 	is an auto configured link-local address.  It is generated from the MAC
 	address as part of the auto configuration.</para>
 
       <para>For further information on the structure of IPv6 addresses
 	see <ulink
 	url="http://www.ietf.org/rfc/rfc3513.txt">RFC3513</ulink>.</para>
     </sect2>
 
     <sect2>
       <title>Getting Connected</title>
 
       <para>Currently there are four ways to connect to other IPv6 hosts and networks:</para>
 
       <itemizedlist>
 	<listitem>
 	  <para>Join the experimental 6bone</para>
 	</listitem>
 
 	<listitem>
 	  <para>Getting an IPv6 network from your upstream provider.  Talk to your
 	    Internet provider for instructions.</para>
 	</listitem>
 
 	<listitem>
 	  <para>Tunnel via 6-to-4 (<ulink
 	    url="http://www.ietf.org/rfc/rfc3068.txt">RFC3068</ulink>)</para>
 	</listitem>
 
 	<listitem>
 	  <para>Use the <filename role="package">net/freenet6</filename> port if you are on a dial-up connection.</para>
 	</listitem>
       </itemizedlist>
 
       <para>Here we will talk on how to connect to the 6bone since it currently seems
 	to be the most popular way.</para>
 
       <para>First take a look at the <ulink url="http://www.6bone.net/">6bone</ulink> site and find a 6bone connection nearest to
 	you.  Write to the responsible person and with a little bit of luck you
 	will be given instructions on how to set up your connection.  Usually this
 	involves setting up a GRE (gif) tunnel.</para>
 
       <para>Here is a typical example on setting up a &man.gif.4; tunnel:</para>
 
       <screen>&prompt.root; <userinput>ifconfig gif0 create</userinput>
 &prompt.root; <userinput>ifconfig gif0</userinput>
 gif0: flags=8010&lt;POINTOPOINT,MULTICAST&gt; mtu 1280
 &prompt.root; <userinput>ifconfig gif0 tunnel <replaceable>MY_IPv4_ADDR</replaceable>  <replaceable>HIS_IPv4_ADDR</replaceable></userinput>
 &prompt.root; <userinput>ifconfig gif0 inet6 alias <replaceable>MY_ASSIGNED_IPv6_TUNNEL_ENDPOINT_ADDR</replaceable></userinput></screen>
 
       <para>Replace the capitalized words by the information you received from the
 	upstream 6bone node.</para>
 
       <para>This establishes the tunnel.  Check if the tunnel is working by &man.ping6.8;
 	'ing <hostid role="ip6addr">ff02::1%gif0</hostid>.  You should receive two ping replies.</para>
 
 	<note><para>In case you are intrigued by the address <hostid role="ip6addr">ff02:1%gif0</hostid>, this is a
 	  multicast address.  <literal>%gif0</literal> states that the multicast address at network
 	  interface <devicename>gif0</devicename> is to be used.  Since we <command>ping</command> a multicast address the
 	  other endpoint of the tunnel should reply as well.</para></note>
 
       <para>By now setting up a route to your 6bone uplink should be rather
 	straightforward:</para>
 
       <screen>&prompt.root; <userinput>route add -inet6 default -interface gif0</userinput>
 &prompt.root; <userinput>ping6 -n <replaceable>MY_UPLINK</replaceable></userinput></screen>
 
       <screen>&prompt.root; <userinput>traceroute6 www.jp.FreeBSD.org</userinput>
 (3ffe:505:2008:1:2a0:24ff:fe57:e561) from 3ffe:8060:100::40:2, 30 hops max, 12 byte packets
      1  atnet-meta6  14.147 ms  15.499 ms  24.319 ms
      2  6bone-gw2-ATNET-NT.ipv6.tilab.com  103.408 ms  95.072 ms *
      3  3ffe:1831:0:ffff::4  138.645 ms  134.437 ms  144.257 ms
      4  3ffe:1810:0:6:290:27ff:fe79:7677  282.975 ms  278.666 ms  292.811 ms
      5  3ffe:1800:0:ff00::4  400.131 ms  396.324 ms  394.769 ms
      6  3ffe:1800:0:3:290:27ff:fe14:cdee  394.712 ms  397.19 ms  394.102 ms</screen>
 
       <para>This output will differ from machine to machine.  By now you should be
 	able to reach the IPv6 site <ulink url="http://www.kame.net">www.kame.net</ulink>
 	and see the dancing tortoise &mdash; that is if you have a IPv6 enabled browser such as
 	<filename role="package">www/mozilla</filename>, <application>Konqueror</application>,
 	which is part of <filename role="package">x11/kdebase3</filename>,
 	or <filename role="package">www/epiphany</filename>.</para>
 
     </sect2>
 
     <sect2>
       <title>DNS in the IPv6 World</title>
 
       <para>There used to be two types of DNS records for IPv6.  The IETF
 	has declared A6 records obsolete.  AAAA records are the standard
 	now.</para>
 
       <para>Using AAAA records is straightforward.  Assign your hostname to the new
 	IPv6 address you just received by adding:</para>
 
       <programlisting>MYHOSTNAME           AAAA    MYIPv6ADDR</programlisting>
 
       <para>To your primary zone DNS file.  In case you do not serve your own
 	<acronym>DNS</acronym> zones ask your <acronym>DNS</acronym> provider.
 	Current versions of <application>bind</application> (version 8.3 and 9)
 	and <filename role="package">dns/djbdns</filename> (with the IPv6 patch)
 	support AAAA records.</para>
     </sect2>
 
     <sect2>
       <title>Applying the needed changes to <filename>/etc/rc.conf</filename></title>
 
       <sect3>
 	<title>IPv6 Client Settings</title>
 
 	<para>These settings will help you configure a machine that will be on
 	  your LAN and act as a client, not a router.  To have &man.rtsol.8;
 	  autoconfigure your interface on boot all you need to add is:</para>
 
 	<programlisting>ipv6_enable="YES"</programlisting>
 
 	<para>To statically assign an IP address such as <hostid role="ip6addr">
 	  2001:471:1f11:251:290:27ff:fee0:2093</hostid>, to your
 	  <devicename>fxp0</devicename> interface, add:</para>
 
 	<programlisting>ipv6_ifconfig_fxp0="2001:471:1f11:251:290:27ff:fee0:2093"</programlisting>
 
 	<para>To assign a default router of
 	  <hostid role="ip6addr">2001:471:1f11:251::1</hostid>
 	  add the following to <filename>/etc/rc.conf</filename>:</para>
 
 	<programlisting>ipv6_defaultrouter="2001:471:1f11:251::1"</programlisting>
 
       </sect3>
 
       <sect3>
 	<title>IPv6 Router/Gateway Settings</title>
 
 	<para>This will help you take the directions that your tunnel provider,
 	  such as the <ulink url="http://www.6bone.net/">6bone</ulink>, has
 	  given you and convert it into settings that will persist through reboots.
 	  To restore your tunnel on startup use something like the following in
 	  <filename>/etc/rc.conf</filename>:</para>
 
 	<para>List the Generic Tunneling interfaces that will be configured, for
 	  example <devicename>gif0</devicename>:</para>
 
 	<programlisting>gif_interfaces="gif0"</programlisting>
 
 	<para>To configure the interface with a local endpoint of
 	  <replaceable>MY_IPv4_ADDR</replaceable> to a remote endpoint of
 	  <replaceable>REMOTE_IPv4_ADDR</replaceable>:</para>
 
 	<programlisting>gifconfig_gif0="<replaceable>MY_IPv4_ADDR REMOTE_IPv4_ADDR</replaceable>"</programlisting>
 
 	<para>To apply the IPv6 address you have been assigned for use as your
 	  IPv6 tunnel endpoint, add:</para>
 
 	<programlisting>ipv6_ifconfig_gif0="<replaceable>MY_ASSIGNED_IPv6_TUNNEL_ENDPOINT_ADDR</replaceable>"</programlisting>
 
 	<para>Then all you have to do is set the default route for IPv6.  This is
 	  the other side of the IPv6 tunnel:</para>
 
 	<programlisting>ipv6_defaultrouter="<replaceable>MY_IPv6_REMOTE_TUNNEL_ENDPOINT_ADDR</replaceable>"</programlisting>
 
       </sect3>
     </sect2>
 
     <sect2>
       <title>Router Advertisement and Host Auto Configuration</title>
 
       <para>This section will help you setup &man.rtadvd.8; to advertise the
 	IPv6 default route.</para>
 
       <para>To enable &man.rtadvd.8; you will need the following in your
 	<filename>/etc/rc.conf</filename>:</para>
 
       <programlisting>rtadvd_enable="YES"</programlisting>
 
       <para>It is important that you specify the interface on which to do
 	IPv6 router solicitation.  For example to tell &man.rtadvd.8; to use
 	<devicename>fxp0</devicename>:</para>
 
       <programlisting>rtadvd_interfaces="fxp0"</programlisting>
 
       <para>Now we must create the configuration file,
 	<filename>/etc/rtadvd.conf</filename>.  Here is an example:</para>
 
       <programlisting>fxp0:\
 	:addrs#1:addr="2001:471:1f11:246::":prefixlen#64:tc=ether:</programlisting>
 
       <para>Replace <devicename>fxp0</devicename> with the interface you
 	are going to be using.</para>
 
       <para>Next, replace <hostid role="ip6addr">2001:471:1f11:246::</hostid>
 	with the prefix of your allocation.</para>
 
       <para>If you are dedicated a <hostid role="netmask">/64</hostid> subnet
 	you will not need to change anything else.  Otherwise, you will need to
 	change the <literal>prefixlen#</literal> to the correct value.</para>
 
    </sect2>
   </sect1>
 
   <sect1 id="network-atm">
     <sect1info>
       <authorgroup>
 	<author>
 	  <firstname>Harti</firstname>
 	  <surname>Brandt</surname>
 	  <contrib>Contributed by </contrib>
 	</author>
       </authorgroup>
     </sect1info>
 
     <title>Asynchronous Transfer Mode (ATM) on &os;&nbsp;5.X</title>
 
     <sect2>
       <title>Configuring classical IP over ATM (PVCs)</title>
 
       <para>Classical IP over ATM (<acronym>CLIP</acronym>) is the
 	simplest method to use Asynchronous Transfer Mode (ATM)
 	with IP.  It can be used with
 	switched connections (SVCs) and with permanent connections
 	(PVCs).  This section describes how to set up a network based
 	on PVCs.</para>
 
       <sect3>
 	<title>Fully meshed configurations</title>
 
 	<para>The first method to set up a <acronym>CLIP</acronym> with
 	  PVCs is to connect each machine to each other machine in the
 	  network via a dedicated PVC.  While this is simple to
 	  configure it tends to become impractical for a larger number
 	  of machines.  The example supposes that we have four
 	  machines in the network, each connected to the <acronym role="Asynchronous Transfer Mode">ATM</acronym> network
 	  with an <acronym role="Asynchronous Transfer Mode">ATM</acronym> adapter card.  The first step is the planning of
 	  the IP addresses and the <acronym role="Asynchronous
 	  Transfer Mode">ATM</acronym> connections between the
 	  machines.  We use the following:</para>
 
-	<informaltable frame="none">
+	<informaltable frame="none" pgwide="1">
 	  <tgroup cols="2">
 	    <colspec colwidth="1*">
 	    <colspec colwidth="1*">
 	    <thead>
 	      <row>
 		<entry>Host</entry>
 		<entry>IP Address</entry>
 	      </row>
 	    </thead>
 
 	    <tbody>
 	      <row>
 		<entry><hostid>hostA</hostid></entry>
 		<entry><hostid role="ipaddr">192.168.173.1</hostid></entry>
 	      </row>
 
 	      <row>
 		<entry><hostid>hostB</hostid></entry>
 		<entry><hostid role="ipaddr">192.168.173.2</hostid></entry>
 	      </row>
 
 	      <row>
 		<entry><hostid>hostC</hostid></entry>
 		<entry><hostid role="ipaddr">192.168.173.3</hostid></entry>
 	      </row>
 
 	      <row>
 		<entry><hostid>hostD</hostid></entry>
 		<entry><hostid role="ipaddr">192.168.173.4</hostid></entry>
 	      </row>
 	    </tbody>
 	  </tgroup>
 	</informaltable>
 
 	<para>To build a fully meshed net we need one ATM connection
 	  between each pair of machines:</para>
 
-	<informaltable frame="none">
+	<informaltable frame="none" pgwide="1">
 	  <tgroup cols="2">
 	    <colspec colwidth="1*">
 	    <colspec colwidth="1*">
 	    <thead>
 	      <row>
 		<entry>Machines</entry>
 		<entry>VPI.VCI couple</entry>
 	      </row>
 	    </thead>
 
 	    <tbody>
 	      <row>
 		<entry><hostid>hostA</hostid> - <hostid>hostB</hostid></entry>
 		<entry>0.100</entry>
 	      </row>
 
 	      <row>
 		<entry><hostid>hostA</hostid> - <hostid>hostC</hostid></entry>
 		<entry>0.101</entry>
 	      </row>
 
 	      <row>
 		<entry><hostid>hostA</hostid> - <hostid>hostD</hostid></entry>
 		<entry>0.102</entry>
 	      </row>
 
 	      <row>
 		<entry><hostid>hostB</hostid> - <hostid>hostC</hostid></entry>
 		<entry>0.103</entry>
 	      </row>
 
 	      <row>
 		<entry><hostid>hostB</hostid> - <hostid>hostD</hostid></entry>
 		<entry>0.104</entry>
 	      </row>
 
 	      <row>
 		<entry><hostid>hostC</hostid> - <hostid>hostD</hostid></entry>
 		<entry>0.105</entry>
 	      </row>
 	    </tbody>
 	  </tgroup>
 	</informaltable>
 
 	<para>The VPI and VCI values at each end of the connection may
 	  of course differ, but for simplicity we assume that they are
 	  the same.  Next we need to configure the ATM interfaces on
 	  each host:</para>
 
 	<screen>hostA&prompt.root; <userinput>ifconfig hatm0 192.168.173.1 up</userinput>
 hostB&prompt.root; <userinput>ifconfig hatm0 192.168.173.2 up</userinput>
 hostC&prompt.root; <userinput>ifconfig hatm0 192.168.173.3 up</userinput>
 hostD&prompt.root; <userinput>ifconfig hatm0 192.168.173.4 up</userinput></screen>
 
 	<para>assuming that the ATM interface is
 	  <devicename>hatm0</devicename> on all hosts.  Now the PVCs
 	  need to be configured on <hostid>hostA</hostid> (we assume that
 	  they are already configured on the ATM switches, you need to
 	  consult the manual for the switch on how to do this).</para>
 
 	<screen>hostA&prompt.root; <userinput>atmconfig natm add 192.168.173.2 hatm0 0 100 llc/snap ubr</userinput>
 hostA&prompt.root; <userinput>atmconfig natm add 192.168.173.3 hatm0 0 101 llc/snap ubr</userinput>
 hostA&prompt.root; <userinput>atmconfig natm add 192.168.173.4 hatm0 0 102 llc/snap ubr</userinput>
 
 hostB&prompt.root; <userinput>atmconfig natm add 192.168.173.1 hatm0 0 100 llc/snap ubr</userinput>
 hostB&prompt.root; <userinput>atmconfig natm add 192.168.173.3 hatm0 0 103 llc/snap ubr</userinput>
 hostB&prompt.root; <userinput>atmconfig natm add 192.168.173.4 hatm0 0 104 llc/snap ubr</userinput>
 
 hostC&prompt.root; <userinput>atmconfig natm add 192.168.173.1 hatm0 0 101 llc/snap ubr</userinput>
 hostC&prompt.root; <userinput>atmconfig natm add 192.168.173.2 hatm0 0 103 llc/snap ubr</userinput>
 hostC&prompt.root; <userinput>atmconfig natm add 192.168.173.4 hatm0 0 105 llc/snap ubr</userinput>
 
 hostD&prompt.root; <userinput>atmconfig natm add 192.168.173.1 hatm0 0 102 llc/snap ubr</userinput>
 hostD&prompt.root; <userinput>atmconfig natm add 192.168.173.2 hatm0 0 104 llc/snap ubr</userinput>
 hostD&prompt.root; <userinput>atmconfig natm add 192.168.173.3 hatm0 0 105 llc/snap ubr</userinput></screen>
 
 	<para>Of course other traffic contracts than UBR can be used
 	  given the ATM adapter supports those.  In this case the name
 	  of the traffic contract is followed by the parameters of the
 	  traffic.  Help for the &man.atmconfig.8; tool can be
 	  obtained with:</para>
 
 	<screen>&prompt.root; <userinput>atmconfig help natm add</userinput></screen>
 
 	<para>or in the &man.atmconfig.8; manual page.</para>
 
 	<para>The same configuration can also be done via
 	  <filename>/etc/rc.conf</filename>.
 	  For <hostid>hostA</hostid> this would look like:</para>
 
 <programlisting>network_interfaces="lo0 hatm0"
 ifconfig_hatm0="inet 192.168.173.1 up"
 natm_static_routes="hostB hostC hostD"
 route_hostB="192.168.173.2 hatm0 0 100 llc/snap ubr"
 route_hostC="192.168.173.3 hatm0 0 101 llc/snap ubr"
 route_hostD="192.168.173.4 hatm0 0 102 llc/snap ubr"</programlisting>
 
 	<para>The current state of all <acronym>CLIP</acronym> routes
 	  can be obtained with:</para>
 
 	<screen>hostA&prompt.root; <userinput>atmconfig natm show</userinput></screen>
       </sect3>
     </sect2>
   </sect1>
 </chapter>
 
 <!--
      Local Variables:
      mode: sgml
      sgml-declaration: "../chapter.decl"
      sgml-indent-data: t
      sgml-omittag: nil
      sgml-always-quote-attributes: t
      sgml-parent-document: ("../book.sgml" "part" "chapter")
      End:
 -->
 <!--  LocalWords:  config mnt www -->
diff --git a/en_US.ISO8859-1/books/handbook/basics/chapter.sgml b/en_US.ISO8859-1/books/handbook/basics/chapter.sgml
index 52cdc23704..abb231652d 100644
--- a/en_US.ISO8859-1/books/handbook/basics/chapter.sgml
+++ b/en_US.ISO8859-1/books/handbook/basics/chapter.sgml
@@ -1,2504 +1,2504 @@
 <!--
      The FreeBSD Documentation Project
 
      $FreeBSD$
 -->
 
 <chapter id="basics">
   <chapterinfo>
     <authorgroup>
       <author>
         <firstname>Chris</firstname>
 	<surname>Shumway</surname>
 	<contrib>Rewritten by </contrib>
       </author>
     </authorgroup>
     <!-- 10 Mar 2000 -->
   </chapterinfo>
 
   <title>UNIX Basics</title>
   
   <sect1 id="basics-synopsis">
     <title>Synopsis</title>
     <indexterm><primary>basics</primary></indexterm>
 
 
    <para>The following chapter will cover the basic commands and
      functionality of the FreeBSD operating system.  Much of this
      material is relevant for any &unix; like operating system.  Feel
      free to skim over this chapter if you are familiar with the
      material.  If you are new to FreeBSD, then you will definitely
      want to read through this chapter carefully.</para>
 
     <para>After reading this chapter, you will know:</para>
 
     <itemizedlist>
       <listitem>
         <para>How to use the <quote>virtual consoles</quote> of
 	  FreeBSD.</para>
       </listitem>
       <listitem>
 	<para>How &unix; file permissions work.</para>
       </listitem>
       <listitem>
 	<para>The default &os; file system layout.</para>
       </listitem>
       <listitem>
 	<para>The &os; disk organization.</para>
       </listitem>
       <listitem>
 	<para>How to mount and unmount file systems.</para>
       </listitem>
       <listitem>
 	<para>What processes, daemons, and signals are.</para>
       </listitem>
       <listitem>
 	<para>What a shell is, and how to change your default login
 	environment.</para>
       </listitem>
       <listitem>
 	<para>How to use basic text editors.</para>
       </listitem>
       <listitem>
 	<para>What devices and device nodes are.</para>
       </listitem>
       <listitem>
 	<para>What binary format is used under &os;.</para>
       </listitem>
       <listitem>
 	<para>How to read manual pages for more information.</para>
       </listitem>
     </itemizedlist>
 
   </sect1>
 
   <sect1 id="consoles">
     <title>Virtual Consoles and Terminals</title>
     <indexterm><primary>virtual consoles</primary></indexterm>
     <indexterm><primary>terminals</primary></indexterm>
 
     <para>FreeBSD can be used in various ways.  One of them is typing commands
       to a text terminal.  A lot of the flexibility and power of a &unix;
       operating system is readily available at your hands when using FreeBSD
       this way.  This section describes what <quote>terminals</quote> and
       <quote>consoles</quote> are, and how you can use them in FreeBSD.</para>
 
     <sect2 id="consoles-intro">
       <title>The Console</title>
       <indexterm><primary>console</primary></indexterm>
 
       <para>If you have not configured FreeBSD to automatically start a
 	graphical environment during startup, the system will present you with
 	a login prompt after it boots, right after the startup scripts finish
 	running.  You will see something similar to:</para>
 
       <screen>Additional ABI support:.
 Local package initialization:.
 Additional TCP options:.
 
 Fri Sep 20 13:01:06 EEST 2002
 
 FreeBSD/i386 (pc3.example.org) (ttyv0)
 
 login:</screen>
 
       <para>The messages might be a bit different on your system, but you will
 	see something similar.  The last two lines are what we are interested
 	in right now.  The second last line reads:</para>
 
       <programlisting>FreeBSD/i386 (pc3.example.org) (ttyv0)</programlisting>
 
       <para>This line contains some bits of information about the system you
         have just booted.  You are looking at a <quote>FreeBSD</quote>
 	console, running on an Intel or compatible processor of the x86
 	architecture<footnote>
 	  <para>This is what <literal>i386</literal> means.  Note that even if
 	    you are not running FreeBSD on an Intel 386 CPU, this is going to
 	    be <literal>i386</literal>.  It is not the type of your processor,
 	    but the processor <quote>architecture</quote> that is shown
 	    here.</para>
 	</footnote>.  The name of this machine (every &unix; machine has a
 	name) is <hostid>pc3.example.org</hostid>, and you are now looking
 	at its system console&mdash;the <devicename>ttyv0</devicename>
 	terminal.</para>
 
       <para>Finally, the last line is always:</para>
 
       <programlisting>login:</programlisting>
 
       <para>This is the part where you are supposed to type in your
 	<quote>username</quote> to log into FreeBSD.  The next section
 	describes how you can do this.</para>
     </sect2>
 
     <sect2 id="consoles-login">
       <title>Logging into FreeBSD</title>
 
       <para>FreeBSD is a multiuser, multiprocessing system.  This is
 	the formal description that is usually given to a system that can be
 	used by many different people, who simultaneously run a lot of
 	programs on a single machine.</para>
 
       <para>Every multiuser system needs some way to distinguish one
 	<quote>user</quote> from the rest.  In FreeBSD (and all the
 	&unix; like operating systems), this is accomplished by requiring that
 	every user must <quote>log into</quote> the system before being able
 	to run programs.  Every user has a unique name (the
 	<quote>username</quote>) and a personal, secret key (the
 	<quote>password</quote>).  FreeBSD will ask for these two before
 	allowing a user to run any programs.</para>
 
       <indexterm><primary>startup scripts</primary></indexterm>
       <para>Right after FreeBSD boots and finishes running its startup
 	scripts<footnote>
 	  <para>Startup scripts are programs that are run automatically by
 	    FreeBSD when booting.  Their main function is to set things up for
 	    everything else to run, and start any services that you have
 	    configured to run in the background doing useful things.</para>
 	</footnote>, it will present you with a prompt and ask for a valid
 	username:</para>
 
       <screen>login:</screen>
 
       <para>For the sake of this example, let us assume that your username is
 	<username>john</username>.  Type <literal>john</literal> at this prompt and press
 	<keycap>Enter</keycap>.  You should then be presented with a prompt to
 	enter a <quote>password</quote>:</para>
 
       <screen>login: <userinput>john</userinput>
 Password:</screen>
 
       <para>Type in <username>john</username>'s password now, and press
 	<keycap>Enter</keycap>.  The password is <emphasis>not
 	echoed!</emphasis>  You need not worry about this right now.  Suffice
 	it to say that it is done for security reasons.</para>
 
       <para>If you have typed your password correctly, you should by now be
 	logged into FreeBSD and ready to try out all the available
 	commands.</para>
 
       <para>You should see the <acronym>MOTD</acronym> or message of
 	the day followed by a command prompt (a <literal>#</literal>,
 	<literal>$</literal>, or <literal>%</literal> character).  This
 	indicates you have successfully logged into FreeBSD.</para>
     </sect2>
 
     <sect2 id="consoles-virtual">
       <title>Multiple Consoles</title>
 
       <para>Running &unix; commands in one console is fine, but FreeBSD can
 	run many programs at once.  Having one console where commands can be
 	typed would be a bit of a waste when an operating system like FreeBSD
 	can run dozens of programs at the same time.  This is where
 	<quote>virtual consoles</quote> can be very helpful.</para>
 
       <para>FreeBSD can be configured to present you with many different
 	virtual consoles.  You can switch from one of them to any other
 	virtual console by pressing a couple of keys on your keyboard.  Each
 	console has its own different output channel, and FreeBSD takes care
 	of properly redirecting keyboard input and monitor output as you
 	switch from one virtual console to the next.</para>
 
       <para>Special key combinations have been reserved by FreeBSD for
 	switching consoles<footnote>
 	  <para>A fairly technical and accurate description of all the details
 	    of the FreeBSD console and keyboard drivers can be found in the
 	    manual pages of &man.syscons.4;, &man.atkbd.4;, &man.vidcontrol.1;
 	    and &man.kbdcontrol.1;.  We will not expand on the details here,
 	    but the interested reader can always consult the manual pages for
 	    a more detailed and thorough explanation of how things
 	    work.</para>
 	</footnote>.  You can use
 	<keycombo><keycap>Alt</keycap><keycap>F1</keycap></keycombo>,
 	<keycombo><keycap>Alt</keycap><keycap>F2</keycap></keycombo>, through
 	<keycombo><keycap>Alt</keycap><keycap>F8</keycap></keycombo> to switch
 	to a different virtual console in FreeBSD.</para>
 
       <para>As you are switching from one console to the next, FreeBSD takes
 	care of saving and restoring the screen output.  The result is an
 	<quote>illusion</quote> of having multiple <quote>virtual</quote>
 	screens and keyboards that you can use to type commands for
 	FreeBSD to run.  The programs that you launch on one virtual console
 	do not stop running when that console is not visible.  They continue
 	running when you have switched to a different virtual console.</para>
     </sect2>
 
     <sect2 id="consoles-ttys">
       <title>The <filename>/etc/ttys</filename> File</title>
 
       <para>The default configuration of FreeBSD will start up with eight
         virtual consoles.  This is not a hardwired setting though, and
         you can easily customize your installation to boot with more
         or fewer virtual consoles.  The number and settings of the
         virtual consoles are configured in the
         <filename>/etc/ttys</filename> file.</para>
 
       <para>You can use the <filename>/etc/ttys</filename> file to configure
 	the virtual consoles of FreeBSD.  Each uncommented line in this file
 	(lines that do not start with a <literal>#</literal> character) contains
 	settings for a single terminal or virtual console.  The default
 	version of this file that ships with FreeBSD configures nine virtual
 	consoles, and enables eight of them.  They are the lines that start with
 	<literal>ttyv</literal>:</para>
 
       <programlisting># name  getty                           type    status          comments
 #
 ttyv0   "/usr/libexec/getty Pc"         cons25  on  secure
 # Virtual terminals
 ttyv1   "/usr/libexec/getty Pc"         cons25  on  secure
 ttyv2   "/usr/libexec/getty Pc"         cons25  on  secure
 ttyv3   "/usr/libexec/getty Pc"         cons25  on  secure
 ttyv4   "/usr/libexec/getty Pc"         cons25  on  secure
 ttyv5   "/usr/libexec/getty Pc"         cons25  on  secure
 ttyv6   "/usr/libexec/getty Pc"         cons25  on  secure
 ttyv7   "/usr/libexec/getty Pc"         cons25  on  secure
 ttyv8   "/usr/X11R6/bin/xdm -nodaemon"  xterm   off secure</programlisting>
 
       <para>For a detailed description of every column in this file and all
 	the options you can use to set things up for the virtual consoles,
 	consult the &man.ttys.5; manual page.</para>
     </sect2>
 
     <sect2 id="consoles-singleuser">
       <title>Single User Mode Console</title>
 
       <para>A detailed description of what <quote>single user mode</quote> is
 	can be found in <xref linkend="boot-singleuser">.  It is worth noting
 	that there is only one console when you are running FreeBSD in single
 	user mode.  There are no virtual consoles available.  The settings of
 	the single user mode console can also be found in the
 	<filename>/etc/ttys</filename> file.  Look for the line that starts
 	with <literal>console</literal>:</para>
 
       <programlisting># name  getty                           type    status          comments
 #
 # If console is marked "insecure", then init will ask for the root password
 # when going to single-user mode.
 console none                            unknown off secure</programlisting>
 
       <note>
         <para>As the comments above the <literal>console</literal> line
 	  indicate, you can edit this line and change <literal>secure</literal> to
 	  <literal>insecure</literal>.  If you do that, when FreeBSD boots
 	  into single user mode, it will still ask for the
 	  <username>root</username> password.</para>
 
 	<para><emphasis>Be careful when changing this to
 	  <literal>insecure</literal></emphasis>.  If you ever forget
 	  the <username>root</username> password, booting into single user
 	  mode is a bit involved.  It is still possible, but it might be a bit
 	  hard for someone who is not very comfortable with the FreeBSD
 	  booting process and the programs involved.</para>
       </note>
     </sect2>
   </sect1>
 
   <sect1 id="permissions">
     <title>Permissions</title>
     <indexterm><primary>UNIX</primary></indexterm>
 
     <para>FreeBSD, being a direct descendant of BSD &unix;, is based on
       several key &unix; concepts.  The first and
       most pronounced is that FreeBSD is a multi-user operating system.
       The system can handle several users all working simultaneously on
       completely unrelated tasks.  The system is responsible for properly
       sharing and managing requests for hardware devices, peripherals,
       memory, and CPU time fairly to each user.</para>
 
     <para>Because the system is capable of supporting multiple users,
       everything the system manages has a set of permissions governing who
       can read, write, and execute the resource.  These permissions are
       stored as three octets broken into three pieces, one for the owner of
       the file, one for the group that the file belongs to, and one for
       everyone else.  This numerical representation works like
       this:</para>
 
     <indexterm><primary>permissions</primary></indexterm>
     <indexterm>
       <primary>file permissions</primary>
     </indexterm>
-    <informaltable frame="none">
+    <informaltable frame="none" pgwide="1">
       <tgroup cols="3">
 	<thead>
 	  <row>
 	    <entry>Value</entry>
 	    <entry>Permission</entry>
 	    <entry>Directory Listing</entry>
 	  </row>
 	</thead>
 
 	<tbody>
 	  <row>
 	    <entry>0</entry>
 	    <entry>No read, no write, no execute</entry>
 	    <entry><literal>---</literal></entry>
 	  </row>
 
 	  <row>
 	    <entry>1</entry>
 	    <entry>No read, no write, execute</entry>
 	    <entry><literal>--x</literal></entry>
 	  </row>
 
 	  <row>
 	    <entry>2</entry>
 	    <entry>No read, write, no execute</entry>
 	    <entry><literal>-w-</literal></entry>
 	  </row>
 
 	  <row>
 	    <entry>3</entry>
 	    <entry>No read, write, execute</entry>
 	    <entry><literal>-wx</literal></entry>
 	  </row>
 
 	  <row>
 	    <entry>4</entry>
 	    <entry>Read, no write, no execute</entry>
 	    <entry><literal>r--</literal></entry>
 	  </row>
 
 	  <row>
 	    <entry>5</entry>
 	    <entry>Read, no write, execute</entry>
 	    <entry><literal>r-x</literal></entry>
 	  </row>
 
 	  <row>
 	    <entry>6</entry>
 	    <entry>Read, write, no execute</entry>
 	    <entry><literal>rw-</literal></entry>
 	  </row>
 
 	  <row>
 	    <entry>7</entry>
 	    <entry>Read, write, execute</entry>
 	    <entry><literal>rwx</literal></entry>
 	  </row>
 	</tbody>
       </tgroup>
     </informaltable>
     <indexterm>
       <primary><command>ls</command></primary>
     </indexterm>
     <indexterm><primary>directories</primary></indexterm>
 
     <para>You can use the <option>-l</option> command line
       argument to &man.ls.1; to view a long directory listing that
       includes a column with information about a file's permissions
       for the owner, group, and everyone else.  For example, a
       <command>ls -l</command> in an arbitrary directory may show:</para>
 
     <screen>&prompt.user; <userinput>ls -l</userinput>
 total 530
 -rw-r--r--  1 root  wheel     512 Sep  5 12:31 myfile
 -rw-r--r--  1 root  wheel     512 Sep  5 12:31 otherfile
 -rw-r--r--  1 root  wheel    7680 Sep  5 12:31 email.txt
 ...</screen>
 
     <para>Here is how the first column of <command>ls -l</command> is
       broken up:</para>
 
     <screen>-rw-r--r--</screen>
 
     <para>The first (leftmost) character
       tells if this file is a regular file, a directory, a special
       character device, a socket, or any other special
       pseudo-file device.  In this case, the <literal>-</literal>
       indicates a regular file.  The next three characters,
       <literal>rw-</literal> in this example, give the permissions for the owner of the
       file.  The next three characters, <literal>r--</literal>, give the
       permissions for the group that the file belongs to.  The final three
       characters, <literal>r--</literal>, give the permissions for the
       rest of the world.  A dash means that the permission is turned off.
       In the case of this file, the permissions are set so the owner can
       read and write to the file, the group can read the file, and the
       rest of the world can only read the file.  According to the table
       above, the permissions for this file would be
       <literal>644</literal>, where each digit represents the three parts
       of the file's permission.</para>
 
     <para>This is all well and good, but how does the system control
       permissions on devices? FreeBSD actually treats most hardware
       devices as a file that programs can open, read, and write data to
       just like any other file.  These special device files are stored on
       the <filename>/dev</filename> directory.</para>
 
     <para>Directories are also treated as files.  They have read, write,
       and execute permissions.  The executable bit for a directory has a
       slightly different meaning than that of files.  When a directory is
       marked executable, it means it can be traversed into, that is, it is
       possible to <quote>cd</quote> (change directory) into it.  This also means that
       within the directory it is possible to access files whose names are
       known (subject, of course, to the permissions on the files
       themselves).</para>
 
     <para>In particular, in order to perform a directory listing,
       read permission must be set on the directory, whilst to delete a file
       that one knows the name of, it is necessary to have write
       <emphasis>and</emphasis> execute permissions to the directory
       containing the file.</para>
 
     <para>There are more permission bits, but they are primarily used in
       special circumstances such as setuid binaries and sticky
       directories.  If you want more information on file permissions and
       how to set them, be sure to look at the &man.chmod.1; manual
       page.</para>
 
     <sect2>
       <sect2info>
 	<authorgroup>
 	  <author>
 	    <firstname>Tom</firstname>
 	    <surname>Rhodes</surname>
 	    <contrib>Contributed by </contrib>
 	  </author>
 	</authorgroup>
       </sect2info>
 
       <title>Symbolic Permissions</title>
       <indexterm><primary>Permissions</primary><secondary>symbolic</secondary></indexterm>
 
       <para>Symbolic permissions, sometimes referred to as symbolic expressions,
 	use characters in place of octal values to assign permissions to files
 	or directories.  Symbolic expressions use the syntax of (who) (action)
 	(permissions), where the following values are available:</para>
 
-      <informaltable frame="none">
+      <informaltable frame="none" pgwide="1">
 	<tgroup cols="3">
 	  <thead>
 	    <row>
 	      <entry>Option</entry>
 	      <entry>Letter</entry>
 	      <entry>Represents</entry>
 	    </row>
 	  </thead>
 
 	<tbody>
 	  <row>
 	    <entry>(who)</entry>
 	    <entry>u</entry>
 	    <entry>User</entry>
 	  </row>
 
 	  <row>
 	    <entry>(who)</entry>
 	    <entry>g</entry>
 	    <entry>Group owner</entry>
 	  </row>
 
 	  <row>
 	    <entry>(who)</entry>
 	    <entry>o</entry>
 	    <entry>Other</entry>
 	  </row>
 
 	  <row>
 	    <entry>(who)</entry>
 	    <entry>a</entry>
 	    <entry>All (<quote>world</quote>)</entry>
 	  </row>
 
 	  <row>
 	    <entry>(action)</entry>
 	    <entry>+</entry>
 	    <entry>Adding permissions</entry>
 	  </row>
 
 	  <row>
 	    <entry>(action)</entry>
 	    <entry>-</entry>
 	    <entry>Removing permissions</entry>
 	  </row>
 
 	  <row>
 	    <entry>(action)</entry>
 	    <entry>=</entry>
 	    <entry>Explicitly set permissions</entry>
 	  </row>
 
 	  <row>
 	    <entry>(permissions)</entry>
 	    <entry>r</entry>
 	    <entry>Read</entry>
 	  </row>
 
 	  <row>
 	    <entry>(permissions)</entry>
 	    <entry>w</entry>
 	    <entry>Write</entry>
 	  </row>
 
 	  <row>
 	    <entry>(permissions)</entry>
 	    <entry>x</entry>
 	    <entry>Execute</entry>
 	  </row>
 
 	  <row>
 	    <entry>(permissions)</entry>
 	    <entry>t</entry>
 	    <entry>Sticky bit</entry>
 	  </row>
 
 	  <row>
 	    <entry>(permissions)</entry>
 	    <entry>s</entry>
 	    <entry>Set UID or GID</entry>
 	  </row>
 	</tbody>
       </tgroup>
     </informaltable>
 
     <para>These values are used with the &man.chmod.1; command
       just like before, but with letters.  For an example, you could use
       the following command to block other users from accessing
       <replaceable>FILE</replaceable>:</para>
 
     <screen>&prompt.user; <userinput>chmod go= FILE</userinput></screen>
 
     <para>A comma separated list can be provided when more than one set
       of changes to a file must be made.  For example the following command
       will remove the groups and <quote>world</quote> write permission
       on <replaceable>FILE</replaceable>, then it adds the execute
       permissions for everyone:</para>
 
     <screen>&prompt.user; <userinput>chmod go-w,a+x <replaceable>FILE</replaceable></userinput></screen>
 
 <!--
     <para>Most users will not notice this, but it should be pointed out
       that using the octal method will only set or assign permissions to
       a file; it does not add or delete them.</para>
 -->
     </sect2>
   </sect1>
   
   <sect1 id="dirstructure">
     <title>Directory Structure</title>
     <indexterm><primary>directory hierarchy</primary></indexterm>
 
     <para>The FreeBSD directory hierarchy is fundamental to obtaining
       an overall understanding of the system.  The most important
       concept to grasp is that of the root directory,
       <quote>/</quote>.  This directory is the first one mounted at
       boot time and it contains the base system necessary to prepare
       the operating system for multi-user operation.  The root
       directory also contains mount points for every other file system
       that you may want to mount.</para>
 
     <para>A mount point is a directory where additional file systems can
       be grafted onto the root file system.  Standard mount points include
       <filename>/usr</filename>, <filename>/var</filename>,
       <filename>/mnt</filename>, and <filename>/cdrom</filename>.  These
       directories are usually referenced to entries in the file
       <filename>/etc/fstab</filename>.  <filename>/etc/fstab</filename> is
       a table of various file systems and mount points for reference by the
       system.  Most of the file systems in <filename>/etc/fstab</filename>
       are mounted automatically at boot time from the script &man.rc.8;
       unless they contain the <option>noauto</option> option.  Consult the
       &man.fstab.5; manual page for more information on the format of the
       <filename>/etc/fstab</filename> file and the options it
       contains.</para>
 
     <para>A complete description of the file system hierarchy is
       available in &man.hier.7;.  For now, a brief overview of the
       most common directories will suffice.</para>
 
     <para>
-      <informaltable frame="none">
+      <informaltable frame="none" pgwide="1">
         <tgroup cols="2">
 	  <thead>
 	    <row>
 	      <entry>Directory</entry>
 	      <entry>Description</entry>
 	    </row>
 	  </thead>
 	  <tbody>
             <row>
 	      <entry><filename class="directory">/</filename></entry>
 	      <entry>Root directory of the file system.</entry>
             </row>
 	    
 	    <row>
 	      <entry><filename class="directory">/bin/</filename></entry>
 	      <entry>User utilities fundamental to both single-user
 	      and multi-user environments.</entry>
 	    </row>
 	    
 	    <row>
 	      <entry><filename class="directory">/boot/</filename></entry>
 	      <entry>Programs and configuration files used during
 	      operating system bootstrap.</entry>
 	    </row>
 	    
 	    <row>
 	      <entry><filename class="directory">/boot/defaults/</filename></entry>
 	      <entry>Default bootstrapping configuration files; see
 	      &man.loader.conf.5;.</entry>
 	    </row>
 	    
 	    <row>
 	      <entry><filename class="directory">/dev/</filename></entry>
 	      <entry>Device nodes; see &man.intro.4;.</entry>
 	    </row>
 	    
 	    <row>
 	      <entry><filename class="directory">/etc/</filename></entry>
 	      <entry>System configuration files and scripts.</entry>
 	    </row>
 	    
 	    <row>
 	      <entry><filename class="directory">/etc/defaults/</filename></entry>
 	      <entry>Default system configuration files; see &man.rc.8;.</entry>
 	    </row>
 	    
 	    <row>
 	      <entry><filename class="directory">/etc/mail/</filename></entry>
 	      <entry>Configuration files for mail transport agents such
 		as &man.sendmail.8;.</entry>
 	    </row>
 	    
 	    <row>
 	      <entry><filename class="directory">/etc/namedb/</filename></entry>
 	      <entry><command>named</command> configuration files; see
 	      &man.named.8;.</entry>
 	    </row>
 	    
 	    <row>
 	      <entry><filename class="directory">/etc/periodic/</filename></entry>
 	      <entry>Scripts that are run daily, weekly, and monthly,
 		via &man.cron.8;; see &man.periodic.8;.</entry>
 	    </row>
 	    
 	    <row>
 	      <entry><filename class="directory">/etc/ppp/</filename></entry>
 	      <entry><command>ppp</command> configuration files; see
 	      &man.ppp.8;.</entry>
 	    </row>
 	    
 	    <row>
 	      <entry><filename class="directory">/mnt/</filename></entry>
 	      <entry>Empty directory commonly used by system administrators as a 
 		temporary mount point.</entry>
 	    </row>
 	    
 	    <row>
 	      <entry><filename class="directory">/proc/</filename></entry>
 	      <entry>Process file system; see &man.procfs.5;,
 	      &man.mount.procfs.8;.</entry>
 	    </row>
 	    
 	    <row>
 	      <entry><filename class="directory">/root/</filename></entry>
 	      <entry>Home directory for the <username>root</username>
 	      account.</entry>
 	    </row>
 
 	    <row>
 	      <entry><filename class="directory">/sbin/</filename></entry>
 	      <entry>System programs and administration utilities fundamental to
 		both single-user and multi-user environments.</entry>
 	    </row>
 	    
 	    <row>
 	      <entry><filename class="directory">/stand/</filename></entry>
 	      <entry>Programs used in a standalone environment.</entry>
 	    </row>
 	    
 	    
 	    <row>
 	      <entry><filename class="directory">/tmp/</filename></entry>
 	      <entry>Temporary files, usually a &man.mfs.8;
 		memory-based file system (the contents of <filename
 		class="directory">/tmp</filename> are usually NOT
 		preserved across a system reboot).</entry>
 	    </row>
 	    
 	    
 	    <row>
 	      <entry><filename class="directory">/usr/</filename></entry>
 	      <entry>The majority of user utilities and applications.</entry>
 	    </row>
 	    
 	    <row>
 	      <entry><filename class="directory">/usr/bin/</filename></entry>
 	      <entry>Common utilities, programming tools, and applications.</entry>
 	    </row>
 	    
 	    <row>
 	      <entry><filename class="directory">/usr/include/</filename></entry>
 	      <entry>Standard C include files.</entry>
 	    </row>
 	    
 	    <row>
 	      <entry><filename class="directory">/usr/lib/</filename></entry>
 	      <entry>Archive libraries.</entry>
 	    </row>
 	    
 	    
 	    <row>
 	      <entry><filename class="directory">/usr/libdata/</filename></entry>
 	      <entry>Miscellaneous utility data files.</entry>
 	    </row>
 	    
 	    <row>
 	      <entry><filename class="directory">/usr/libexec/</filename></entry>
 	      <entry>System daemons & system utilities (executed by other
 		programs).</entry>
 	    </row>
 	    
 	    <row>
 	      <entry><filename
 	      class="directory">/usr/local/</filename></entry>
 
 	      <entry>Local executables, libraries, etc.  Also used as
 	        the default destination for the FreeBSD ports
 	        framework.  Within <filename>/usr/local</filename>,
 	        the general layout sketched out by &man.hier.7; for
 	        <filename>/usr</filename> should be used.  Exceptions
 	        are the man directory, which is directly under
 	        <filename>/usr/local</filename> rather than under
 	        <filename>/usr/local/share</filename>, and the ports
 	        documentation is in
 	        <filename>share/doc/<replaceable>port</replaceable></filename>.
 	      </entry>
 	    </row>
 	    
 	    <row>
 	      <entry><filename class="directory">/usr/obj/</filename></entry>
 	      <entry>Architecture-specific target tree produced by building
 		the <filename>/usr/src</filename> tree.</entry>
 	    </row>
 	    
 	    <row>
 	      <entry><filename class="directory">/usr/ports</filename></entry>
 	      <entry>The FreeBSD ports collection (optional).</entry>
 	    </row>
 	    
 	    <row>
 	      <entry><filename class="directory">/usr/sbin/</filename></entry>
 	      <entry>System daemons & system utilities (executed by users).</entry>
 	    </row>
 	    
 	    <row>
 	      <entry><filename class="directory">/usr/share/</filename></entry>
 	      <entry>Architecture-independent files.</entry>
 	    </row>
 	    
 	    <row>
 	      <entry><filename class="directory">/usr/src/</filename></entry>
 	      <entry>BSD and/or local source files.</entry>
 	    </row>
 	    
 	    <row>
 	      <entry><filename
 	      class="directory">/usr/X11R6/</filename></entry>
 	      <entry>X11R6 distribution executables, libraries, etc
 	      (optional).</entry>
 	    </row>
 	    
 	    <row>
 	      <entry><filename class="directory">/var/</filename></entry>
 	      <entry>Multi-purpose log, temporary, transient, and spool files.
 	      </entry>
 	    </row>
 	    
 	    
 	    <row>
 	      <entry><filename class="directory">/var/log/</filename></entry>
 	      <entry>Miscellaneous system log files.</entry>
 	    </row>
 	    
 	    <row>
 	      <entry><filename class="directory">/var/mail/</filename></entry>
 	      <entry>User mailbox files.</entry>
 	    </row>
 	    
 	    <row>
 	      <entry><filename class="directory">/var/spool/</filename></entry>
 	      <entry>Miscellaneous printer and mail system spooling directories.
 	      </entry>
 	    </row>
 	    
 	    <row>
 	      <entry><filename class="directory">/var/tmp/</filename></entry>
 	      <entry>Temporary files that are kept between system reboots.</entry>
 	    </row>
 	    
 	    <row>
 	      <entry><filename>/var/yp</filename></entry>
 	      <entry>NIS maps.</entry>
 	    </row>
 
 	  </tbody>
 	</tgroup>
       </informaltable>
     </para>
 
   </sect1>
 
   <sect1 id="disk-organization">
       <title>Disk Organization</title>
 
       <para>The smallest unit of organization that FreeBSD uses to find files
 	is the filename.  Filenames are case-sensitive, which means that
 	<filename>readme.txt</filename> and <filename>README.TXT</filename>
 	are two separate files.  FreeBSD does not use the extension
 	(<filename>.txt</filename>) of a file to determine whether the file is
 	program, or a document, or some other form of data.</para>
 
       <para>Files are stored in directories.  A directory may contain no
 	files, or it may contain many hundreds of files.  A directory can also
 	contain other directories, allowing you to build up a hierarchy of
 	directories within one another.  This makes it much easier to organize
 	your data.</para>
 
       <para>Files and directories are referenced by giving the file or
 	directory name, followed by a forward slash, <literal>/</literal>,
 	followed by any other directory names that are necessary.  If you have
 	directory <filename>foo</filename>, which contains directory
 	<filename>bar</filename>, which contains the file
 	<filename>readme.txt</filename>, then the full name, or
 	<firstterm>path</firstterm> to the file is
 	<filename>foo/bar/readme.txt</filename>.</para>
 
       <para>Directories and files are stored in a filesystem.  Each filesystem
 	contains exactly one directory at the very top level, called the
 	<firstterm>root directory</firstterm> for that filesystem.  This root
 	directory can then contain other directories.</para>
 
       <para>So far this is probably similar to any other operating system you
 	may have used.  There are a few differences; for example, &ms-dos; uses
 	<literal>\</literal> to separate file and directory names, while &macos;
 	uses <literal>:</literal>.</para>
 
       <para>FreeBSD does not use drive letters, or other drive names in the
 	path.  You would not write <filename>c:/foo/bar/readme.txt</filename>
 	on FreeBSD.</para>
 
       <para>Instead, one filesystem is designated the <firstterm>root
 	  filesystem</firstterm>.  The root filesystem's root directory is
 	referred to as <literal>/</literal>.  Every other filesystem is then
 	<firstterm>mounted</firstterm> under the root filesystem.  No matter
 	how many disks you have on your FreeBSD system, every directory
 	appears to be part of the same disk.</para>
 
       <para>Suppose you have three filesystems, called <literal>A</literal>,
 	<literal>B</literal>, and <literal>C</literal>.  Each filesystem has
 	one root directory, which contains two other directories, called
 	<literal>A1</literal>, <literal>A2</literal> (and likewise
 	<literal>B1</literal>, <literal>B2</literal> and
 	<literal>C1</literal>, <literal>C2</literal>).</para>
 
       <para>Call <literal>A</literal> the root filesystem.  If you used the
 	<command>ls</command> command to view the contents of this directory
 	you would see two subdirectories, <literal>A1</literal> and
 	<literal>A2</literal>.  The directory tree looks like this:</para>
 
       <mediaobject>
 	<imageobject>
 	  <imagedata fileref="install/example-dir1" format="EPS">
 	</imageobject>
 
 	<textobject>
 	  <literallayout class="monospaced"> /
  |
  +--- A1
  |
  `--- A2</literallayout>
 	</textobject>
       </mediaobject>
 
       <para>A filesystem must be mounted on to a directory in another
 	filesystem.  So now suppose that you mount filesystem
 	<literal>B</literal> on to the directory <literal>A1</literal>.  The
 	root directory of <literal>B</literal> replaces <literal>A1</literal>,
 	and the directories in <literal>B</literal> appear accordingly:</para>
 
       <mediaobject>
 	<imageobject>
 	  <imagedata fileref="install/example-dir2" format="EPS">
 	</imageobject>
 
 	<textobject>
 	  <literallayout class="monospaced"> /
  | 
  +--- A1
  |     |
  |     +--- B1
  |     |
  |     `--- B2
  |
  `--- A2</literallayout>
 	</textobject>
       </mediaobject>
 
       <para>Any files that are in the <literal>B1</literal> or
 	<literal>B2</literal> directories can be reached with the path
 	<filename>/A1/B1</filename> or <filename>/A1/B2</filename> as
 	necessary.  Any files that were in <filename>/A1</filename> have been
 	temporarily hidden.  They will reappear if <literal>B</literal> is
 	<firstterm>unmounted</firstterm> from A.</para>
 
       <para>If <literal>B</literal> had been mounted on <literal>A2</literal>
 	then the diagram would look like this:</para>
 
       <mediaobject>
 	<imageobject>
 	  <imagedata fileref="install/example-dir3" format="EPS">
 	</imageobject>
 
 	<textobject>
 	  <literallayout class="monospaced"> /
  |
  +--- A1
  |
  `--- A2
        |
        +--- B1
        |
        `--- B2</literallayout>
 	</textobject>
       </mediaobject>
 
       <para>and the paths would be <filename>/A2/B1</filename> and
 	<filename>/A2/B2</filename> respectively.</para>
 
       <para>Filesystems can be mounted on top of one another.  Continuing the
 	last example, the <literal>C</literal> filesystem could be mounted on
 	top of the <literal>B1</literal> directory in the <literal>B</literal>
 	filesystem, leading to this arrangement:</para>
 
       <mediaobject>
 	<imageobject>
 	  <imagedata fileref="install/example-dir4" format="EPS">
 	</imageobject>
 	
 	<textobject>
 	  <literallayout class="monospaced"> /
  |
  +--- A1
  |
  `--- A2
        |
        +--- B1
        |     |
        |     +--- C1
        |     |
        |     `--- C2
        |
        `--- B2</literallayout>
 	</textobject>
       </mediaobject>
 
       <para>Or <literal>C</literal> could be mounted directly on to the
 	<literal>A</literal> filesystem, under the <literal>A1</literal>
 	directory:</para>
 
       <mediaobject>
 	<imageobject>
 	  <imagedata fileref="install/example-dir5" format="EPS">
 	</imageobject>
 
 	<textobject>
 	  <literallayout class="monospaced"> /
  |
  +--- A1
  |     |
  |     +--- C1
  |     |
  |     `--- C2
  |
  `--- A2
        |
        +--- B1
        |
        `--- B2</literallayout>
 	</textobject>
       </mediaobject>
 
       <para>If you are familiar with &ms-dos;, this is similar, although not
 	identical, to the <command>join</command> command.</para>
 
       <para>This is not normally something you need to concern yourself with.
 	Typically you create filesystems when installing FreeBSD and decide
 	where to mount them, and then never change them unless you add a new
 	disk.</para>
 
       <para>It is entirely possible to have one large root filesystem, and not
 	need to create any others.  There are some drawbacks to this approach,
 	and one advantage.</para>
 
       <itemizedlist>
 	<title>Benefits of Multiple Filesystems</title>
       
 	<listitem>
 	  <para>Different filesystems can have different <firstterm>mount
 	    options</firstterm>.  For example, with careful planning, the
 	    root filesystem can be mounted read-only, making it impossible for
 	    you to inadvertently delete or edit a critical file.  Separating
 	    user-writable filesystems, such as <filename>/home</filename>,
 	    from other filesystems also allows them to be mounted
 	    <firstterm>nosuid</firstterm>; this option prevents the
 	    <firstterm>suid</firstterm>/<firstterm>guid</firstterm> bits on
 	    executables stored on the filesystem from taking effect, possibly
 	    improving security.</para>
 	</listitem>
 
 	<listitem>
 	  <para>FreeBSD automatically optimizes the layout of files on a
 	    filesystem, depending on how the filesystem is being used.  So a
 	    filesystem that contains many small files that are written
 	    frequently will have a different optimization to one that contains
 	    fewer, larger files.  By having one big filesystem this
 	    optimization breaks down.</para>
 	</listitem>
 	
 	<listitem>
 	  <para>FreeBSD's filesystems are very robust should you lose power.
 	    However, a power loss at a critical point could still damage the
 	    structure of the filesystem.  By splitting your data over multiple
 	    filesystems it is more likely that the system will still come up,
 	    making it easier for you to restore from backup as necessary.</para>
 	</listitem>
       </itemizedlist>
 
       <itemizedlist>
 	<title>Benefit of a Single Filesystem</title>
 
 	<listitem>
 	  <para>Filesystems are a fixed size.  If you create a filesystem when
 	    you install FreeBSD and give it a specific size, you may later
 	    discover that you need to make the partition bigger.  This is not
 	    easily accomplished without backing up, recreating the filesystem
 	    with the new size, and then restoring the backed up data.</para>
 
 	  <important>
 	    <para>FreeBSD&nbsp;4.4 and later versions feature the &man.growfs.8;
 	      command, which makes it possible to increase the size of 
 	      filesystem on the fly, removing this limitation.</para>
 	  </important>
 	</listitem>
       </itemizedlist>
     
       <para>Filesystems are contained in partitions.  This does not have the
 	same meaning as the common usage of the term partition (for example, &ms-dos;
 	partition), because of &os;'s &unix; heritage.  Each partition is
 	identified by a letter from <literal>a</literal> through to
 	<literal>h</literal>.  Each partition can contain only one filesystem,
 	which means that filesystems are often described by either their
 	typical mount point in the filesystem hierarchy, or the letter of the
 	partition they are contained in.</para>
 
       <para>FreeBSD also uses disk space for <firstterm>swap
 	  space</firstterm>.  Swap space provides FreeBSD with
 	<firstterm>virtual memory</firstterm>.  This allows your computer to
 	behave as though it has much more memory than it actually does.  When
 	FreeBSD runs out of memory it moves some of the data that is not
 	currently being used to the swap space, and moves it back in (moving
 	something else out) when it needs it.</para>
 
       <para>Some partitions have certain conventions associated with
 	them.</para>
 
       <informaltable frame="none" pgwide="1">
 	<tgroup cols="2">
 	  <colspec colwidth="1*">
 	  <colspec colwidth="5*">
 
 	  <thead>
 	    <row>
 	      <entry>Partition</entry>
 
 	      <entry>Convention</entry>
 	    </row>
 	  </thead>
 
 	  <tbody>
 	    <row>
 	      <entry><literal>a</literal></entry>
 
 	      <entry>Normally contains the root filesystem</entry>
 	    </row>
 
 	    <row>
 	      <entry><literal>b</literal></entry>
 
 	      <entry>Normally contains swap space</entry>
 	    </row>
 
 	    <row>
 	      <entry><literal>c</literal></entry>
 
 	      <entry>Normally the same size as the enclosing slice.  This
 		allows utilities that need to work on the entire slice (for
 		example, a bad block scanner) to work on the
 		<literal>c</literal> partition.  You would not normally create
 		a filesystem on this partition.</entry>
 	    </row>
 
 	    <row>
 	      <entry><literal>d</literal></entry>
 
 	      <entry>Partition <literal>d</literal> used to have a special
 		meaning associated with it, although that is now gone.  To
 		this day, some tools may operate oddly if told to work on
 		partition <literal>d</literal>, so
 		<application>sysinstall</application> will not normally create
 		partition <literal>d</literal>.</entry>
 	    </row>
 	  </tbody>
 	</tgroup>
       </informaltable>
 
       <para>Each partition-that-contains-a-filesystem is stored in what
 	FreeBSD calls a <firstterm>slice</firstterm>.  Slice is FreeBSD's term
 	for what the common call partitions, and again, this is because of
 	FreeBSD's &unix; background.  Slices are numbered, starting at 1,
 	through to 4.</para>
 
 	<indexterm><primary>slices</primary></indexterm>
 	<indexterm><primary>partitions</primary></indexterm>
 	<indexterm><primary>dangerously dedicated</primary></indexterm>
 
       <para>Slice numbers follow
 	the device name, prefixed with an <literal>s</literal>,
 	starting at 1.  So <quote>da0<emphasis>s1</emphasis></quote>
 	is the first slice on the first SCSI drive.  There can only be
 	four physical slices on a disk, but you can have logical
 	slices inside physical slices of the appropriate type.  These
 	extended slices are numbered starting at 5, so
 	<quote>ad0<emphasis>s5</emphasis></quote> is the first
 	extended slice on the first IDE disk.  These devices are used by file
 	systems that expect to occupy a slice.</para> 
 
       <para>Slices, <quote>dangerously dedicated</quote> physical
 	drives, and other drives contain
 	<firstterm>partitions</firstterm>, which are represented as
 	letters from <literal>a</literal> to <literal>h</literal>.
 	This letter is appended to the device name, so
 	<quote>da0<emphasis>a</emphasis></quote> is the a partition on
 	the first da drive, which is <quote>dangerously dedicated</quote>.
 	<quote>ad1s3<emphasis>e</emphasis></quote> is the fifth partition
 	in the third slice of the second IDE disk drive.</para>
 	
       <para>Finally, each disk on the system is identified.  A disk name
 	starts with a code that indicates the type of disk, and then a number,
 	indicating which disk it is.  Unlike slices, disk numbering starts at
 	0.  Common codes that you will see are listed in 
 	<xref linkend="basics-dev-codes">.</para>
 
       <para>When referring to a partition FreeBSD requires that you also name
 	the slice and disk that contains the partition, and when referring to
 	a slice you should also refer to the disk name.  Do this by listing
 	the disk name, <literal>s</literal>, the slice number, and then the
 	partition letter.  Examples are shown in 
 	<xref linkend="basics-disk-slice-part">.</para>
 
       <para><xref linkend="basics-concept-disk-model"> shows a conceptual
 	model of the disk layout that should help make things clearer.</para>
 
       <para>In order to install FreeBSD you must first configure the disk
 	slices, then create partitions within the slice you will use for
 	FreeBSD, and then create a filesystem (or swap space) in each
 	partition, and decide where that filesystem will be mounted.</para>
 
       <table frame="none" pgwide="1" id="basics-dev-codes">
 	<title>Disk Device Codes</title>
 
 	<tgroup cols="2">
           <colspec colwidth="1*">
           <colspec colwidth="5*">
 
 	  <thead>
 	    <row>
 	      <entry>Code</entry>
 	    
 	      <entry>Meaning</entry>
 	    </row>
 	  </thead>
 
 	  <tbody>
 	    <row>
 	      <entry><devicename>ad</devicename></entry>
 
 	      <entry>ATAPI (IDE) disk</entry>
 	    </row>
 
 	    <row>
 	      <entry><devicename>da</devicename></entry>
 	      
 	      <entry>SCSI direct access disk</entry>
 	    </row>
 	    
 	    <row>
 	      <entry><devicename>acd</devicename></entry>
 	      
 	      <entry>ATAPI (IDE) CDROM</entry>
 	    </row>
 	    
 	    <row>
 	      <entry><devicename>cd</devicename></entry>
 	      
 	      <entry>SCSI CDROM</entry>
 	    </row>
 	    
 	    <row>
 	      <entry><devicename>fd</devicename></entry>
 	      
 	      <entry>Floppy disk</entry>
 	    </row>
 	  </tbody>
 	</tgroup>
       </table>
       
       <example id="basics-disk-slice-part">
 	<title>Sample Disk, Slice, and Partition Names</title>
 	
 	<informaltable frame="none" pgwide="1">
 	  <tgroup cols="2">
             <colspec colwidth="1*">
             <colspec colwidth="5*">
 
 	    <thead>
 	      <row>
 		<entry>Name</entry>
 		
 		<entry>Meaning</entry>
 	      </row>
 	    </thead>
 	    
 	    <tbody>
 	      <row>
 		<entry><literal>ad0s1a</literal></entry>
 		
 		<entry>The first partition (<literal>a</literal>) on the first
 		  slice (<literal>s1</literal>) on the first IDE disk
 		  (<literal>ad0</literal>).</entry>
 	      </row>
 
 	      <row>
 		<entry><literal>da1s2e</literal></entry>
 		
 		<entry>The fifth partition (<literal>e</literal>) on the
 		  second slice (<literal>s2</literal>) on the second SCSI disk
 		  (<literal>da1</literal>).</entry>
 	      </row>
 	    </tbody>
 	  </tgroup>
 	</informaltable>
       </example>
 
       <example id="basics-concept-disk-model">
 	<title>Conceptual Model of a Disk</title>
 
 	<para>This diagram shows FreeBSD's view of the first IDE disk attached
 	  to the system.  Assume that the disk is 4&nbsp;GB in size, and contains
 	  two 2&nbsp;GB slices (&ms-dos; partitions).  The first slice contains a &ms-dos;
 	  disk, <devicename>C:</devicename>, and the second slice contains a
 	  FreeBSD installation.  This example FreeBSD installation has three
 	  partitions, and a swap partition.</para>
 
 	<para>The three partitions will each hold a filesystem.  Partition
 	  <literal>a</literal> will be used for the root filesystem,
 	  <literal>e</literal> for the <filename>/var</filename> directory
 	  hierarchy, and <literal>f</literal> for the
 	  <filename>/usr</filename> directory hierarchy.</para>
 
         <mediaobject>
           <imageobject>
             <imagedata fileref="install/disk-layout" format="EPS">
           </imageobject>
  
           <textobject>
 	    <literallayout class="monospaced">.-----------------.  --.
 |                 |    |
 |  DOS / Windows  |    |
 :                 :     >  First slice, ad0s1
 :                 :    |
 |                 |    |
 :=================:  ==:                               --.
 |                 |    |  Partition a, mounted as /      |
 |                 |     > referred to as ad0s2a          |
 |                 |    |                                 |
 :-----------------:  ==:                                 |
 |                 |    |  Partition b, used as swap      |
 |                 |     > referred to as ad0s2b          |
 |                 |    |                                 |
 :-----------------:  ==:                                 |  Partition c, no
 |                 |    |  Partition e, used as /var       > filesystem, all 
 |                 |     > referred to as ad0s2e          |  of FreeBSD slice,
 |                 |    |                                 |  ad0s2c
 :-----------------:  ==:                                 |
 |                 |    |                                 |
 :                 :    |  Partition f, used as /usr      |
 :                 :     > referred to as ad0s2f          |
 :                 :    |                                 |
 |                 |    |                                 |
 |                 |  --'                                 |
 `-----------------'                                    --'</literallayout>
           </textobject>
         </mediaobject>
       </example>
   </sect1>
 
 
 
   <sect1 id="mount-unmount">
     <title>Mounting and Unmounting File Systems</title>
 
     <para>The file system is best visualized as a tree,
       rooted, as it were, at <filename>/</filename>.
       <filename>/dev</filename>, <filename>/usr</filename>, and the
       other directories in the root directory are branches, which may
       have their own branches, such as
       <filename>/usr/local</filename>, and so on.</para>
 
     <indexterm><primary>root file system</primary></indexterm>
     <para>There are various reasons to house some of these
       directories on separate file systems.  <filename>/var</filename>
       contains the directories <filename>log/</filename>,
       <filename>spool/</filename>,
       and various types of temporary files, and
       as such, may get filled up.  Filling up the root file system
       is not a good idea, so splitting <filename>/var</filename> from
       <filename>/</filename> is often favorable.</para>
 
     <para>Another common reason to contain certain directory trees on
       other file systems is if they are to be housed on separate
       physical disks, or are separate virtual disks, such as <link
 	linkend="network-nfs">Network File System</link> mounts, or CDROM
       drives.</para>
 
     <sect2 id="disks-fstab">
       <title>The <filename>fstab</filename> File</title>
       <indexterm>
 	<primary>file systems</primary>
 	<secondary>mounted with fstab</secondary>
       </indexterm>
 
       <para>During the <link linkend="boot">boot process</link>,
 	file systems listed in <filename>/etc/fstab</filename> are
 	automatically mounted (unless they are listed with the
 	<option>noauto</option> option).</para>
 
       <para>The <filename>/etc/fstab</filename> file contains a list
 	of lines of the following format:</para>
 
       <programlisting><replaceable>device</replaceable>       <replaceable>/mount-point</replaceable> <replaceable>fstype</replaceable>     <replaceable>options</replaceable>      <replaceable>dumpfreq</replaceable>     <replaceable>passno</replaceable></programlisting>
 
       <variablelist>
 	<varlistentry>
 	  <term><literal>device</literal></term>
 	  <listitem>
 	    <para>A device name (which should exist), as explained in
 	      <xref linkend="disks-naming">.</para>
 	  </listitem>
 	</varlistentry>
 
 	<varlistentry>
 	  <term><literal>mount-point</literal></term>
             
 	  <listitem><para>A directory (which should exist), on which
 	      to mount the file system.</para>
 	  </listitem>
 	</varlistentry>
           
 	<varlistentry>
 	  <term><literal>fstype</literal></term>
             
 	  <listitem><para>The file system type to pass to
 		&man.mount.8;.  The default FreeBSD file system is
 	      <literal>ufs</literal>.</para>
 	  </listitem>
 	</varlistentry>
           
 	<varlistentry>
 	  <term><literal>options</literal></term>
             
 	  <listitem><para>Either <option>rw</option> for read-write
 	      file systems, or <option>ro</option> for read-only
 	      file systems, followed by any other options that may be
 	      needed.  A common option is <option>noauto</option> for
 	      file systems not normally mounted during the boot sequence.
 	      Other options are listed in the &man.mount.8; manual page.</para>
 	  </listitem>
 	</varlistentry>
           
 	<varlistentry>
 	  <term><literal>dumpfreq</literal></term>
           
          <listitem><para>This is used by &man.dump.8; to determine which
              file systems require dumping.  If the field is missing,
              a value of zero is assumed.</para>
          </listitem>
        </varlistentry>
 
        <varlistentry>
          <term><literal>passno</literal></term>
 
          <listitem>
            <para>This determines the order in which file systems should
            be checked.  File systems that should be skipped should have
            their <literal>passno</literal> set to zero.  The root
            file system (which needs to be checked before everything
            else) should have its <literal>passno</literal> set to
            one, and other file systems' <literal>passno</literal>
            should be set to values greater than one.  If more than one
            file systems have the same <literal>passno</literal> then
            &man.fsck.8; will attempt to check file systems in parallel
            if possible.</para>
          </listitem>
 	</varlistentry>
       </variablelist>
     </sect2>
 
     <sect2 id="disks-mount">
       <title>The <command>mount</command> Command</title>
       <indexterm>
 	<primary>file systems</primary>
 	<secondary>mounting</secondary>
       </indexterm>
         
       <para>The &man.mount.8; command is what is ultimately used to
 	mount file systems.</para>
         
       <para>In its most basic form, you use:</para>
 
       <informalexample>
 	<screen>&prompt.root; <userinput>mount <replaceable>device</replaceable> <replaceable>mountpoint</replaceable></userinput></screen>
       </informalexample>
 
       <para>There are plenty of options, as mentioned in the
 	  &man.mount.8; manual page, but the most common are:</para>
 
       <variablelist>
 	<title>Mount Options</title>
 
 	<varlistentry>
 	  <term><option>-a</option></term>
             
 	  <listitem>
 	    <para>Mount all the file systems listed in
 	      <filename>/etc/fstab</filename>. Except those
 	      marked as <quote>noauto</quote>, excluded by the
 	      <option>-t</option> flag, or those that are already
 	      mounted.</para>
 	  </listitem>
 	</varlistentry>
           
 	<varlistentry>
 	  <term><option>-d</option></term>
             
 	  <listitem>
 	    <para>Do everything except for the actual mount system call.
 	      This option is useful in conjunction with the
 	      <option>-v</option> flag to determine what
 	      &man.mount.8; is actually trying to do.</para>
 	  </listitem>
 	</varlistentry>
           
 	<varlistentry>
 	  <term><option>-f</option></term>
 
 	  <listitem>
 	    <para>Force the mount of an unclean file system
 	      (dangerous), or forces the revocation of write access
 	      when downgrading a file system's mount status from
 	      read-write to read-only.</para>
 	  </listitem>
 	</varlistentry>
           
 	<varlistentry>
           <term><option>-r</option></term>
             
 	  <listitem>
 	    <para>Mount the file system read-only.  This is identical
 	      to using the <option>rdonly</option> argument to the
 	      <option>-o</option> option.</para>
 	  </listitem>
 	</varlistentry>
           
 	<varlistentry>
 	  <term><option>-t</option>
 	    <replaceable>fstype</replaceable></term>
 
 	  <listitem>
 	    <para>Mount the given file system as the given file system
 	      type, or mount only file systems of the given type, if
 	      given the <option>-a</option> option.</para>
               
 	    <para><quote>ufs</quote> is the default file system
 	      type.</para>
 	  </listitem>
 	</varlistentry>
           
 	<varlistentry>
 	  <term><option>-u</option></term>
             
 	  <listitem>
 	    <para>Update mount options on the file system.</para>
 	  </listitem>
 	</varlistentry>
           
 	<varlistentry>
 	  <term><option>-v</option></term>
             
 	  <listitem>
 	    <para>Be verbose.</para>
 	  </listitem>
 	</varlistentry>
           
 	<varlistentry>
 	  <term><option>-w</option></term>
             
 	  <listitem>
 	    <para>Mount the file system read-write.</para>
 	  </listitem>
 	</varlistentry>
       </variablelist>
         
       <para>The <option>-o</option> option takes a comma-separated list of
 	the options, including the following:</para>
         
       <variablelist>
 	<varlistentry>
 	  <term>nodev</term>
             
 	  <listitem>
 	    <para>Do not interpret special devices on the
 	      file system.  This is a useful security option.</para>
 	  </listitem>
 	</varlistentry>
           
 	<varlistentry>
 	  <term>noexec</term>
             
 	  <listitem>
               <para>Do not allow execution of binaries on this
 	      file system.  This is also a useful security option.</para>
 	  </listitem>
 	</varlistentry>
           
 	<varlistentry>
 	  <term>nosuid</term>
             
 	  <listitem>
 	    <para>Do not interpret setuid or setgid flags on the
 	      file system.  This is also a useful security option.</para>
 	  </listitem>
 	</varlistentry>
       </variablelist>
     </sect2>
 
     <sect2 id="disks-umount">
       <title>The <command>umount</command> Command</title>
       <indexterm>
 	<primary>file systems</primary>
 	<secondary>unmounting</secondary>
       </indexterm>
         
       <para>The &man.umount.8; command takes, as a parameter, one of a
 	mountpoint, a device name, or the <option>-a</option> or
 	<option>-A</option> option.</para>
         
       <para>All forms take <option>-f</option> to force unmounting,
         and <option>-v</option> for verbosity.  Be warned that
         <option>-f</option> is not generally a good idea.  Forcibly
         unmounting file systems might crash the computer or damage data
         on the file system.</para>
         
       <para><option>-a</option> and <option>-A</option> are used to
 	unmount all mounted file systems, possibly modified by the
 	file system types listed after <option>-t</option>.
 	<option>-A</option>, however, does not attempt to unmount the
 	root file system.</para>
     </sect2>
   </sect1>
 
   <sect1 id="basics-processes">
     <title>Processes</title>
 
     <para>FreeBSD is a multi-tasking operating system.  This means that it
       seems as though more than one program is running at once.  Each program
       running at any one time is called a <firstterm>process</firstterm>.
       Every command you run will start at least one new process, and there are
       a number of system processes that run all the time, keeping the system
       functional.</para>
 
     <para>Each process is uniquely identified by a number called a
       <firstterm>process ID</firstterm>, or <firstterm>PID</firstterm>, and,
       like files, each process also has one owner and group.  The owner and
       group information is used to determine what files and devices the
       process can open, using the file permissions discussed earlier.  Most
       processes also have a parent process.  The parent process is the process
       that started them.  For example, if you are typing commands to the shell
       then the shell is a process, and any commands you run are also
       processes.  Each process you run in this way will have your shell as its
       parent process.  The exception to this is a special process called
       &man.init.8;.  <command>init</command> is always the first
       process, so its PID is always 1.  <command>init</command> is started
       automatically by the kernel when FreeBSD starts.</para>
 
     <para>Two commands are particularly useful to see the processes on the
       system, &man.ps.1; and &man.top.1;.  The <command>ps</command> command is used to
       show a static list of the currently running processes, and can show
       their PID, how much memory they are using, the command line they were
       started with, and so on.  The <command>top</command> command displays all the
       running processes, and updates the display every few seconds, so that
       you can interactively see what your computer is doing.</para>
 
     <para>By default, <command>ps</command> only shows you the commands that are running
       and are owned by you.  For example:</para>
 
     <screen>&prompt.user; <userinput>ps</userinput>
   PID  TT  STAT      TIME COMMAND
   298  p0  Ss     0:01.10 tcsh
  7078  p0  S      2:40.88 xemacs mdoc.xsl (xemacs-21.1.14)
 37393  p0  I      0:03.11 xemacs freebsd.dsl (xemacs-21.1.14)
 48630  p0  S      2:50.89 /usr/local/lib/netscape-linux/navigator-linux-4.77.bi
 48730  p0  IW     0:00.00 (dns helper) (navigator-linux-)
 72210  p0  R+     0:00.00 ps
   390  p1  Is     0:01.14 tcsh
  7059  p2  Is+    1:36.18 /usr/local/bin/mutt -y
  6688  p3  IWs    0:00.00 tcsh
 10735  p4  IWs    0:00.00 tcsh
 20256  p5  IWs    0:00.00 tcsh
   262  v0  IWs    0:00.00 -tcsh (tcsh)
   270  v0  IW+    0:00.00 /bin/sh /usr/X11R6/bin/startx -- -bpp 16
   280  v0  IW+    0:00.00 xinit /home/nik/.xinitrc -- -bpp 16
   284  v0  IW     0:00.00 /bin/sh /home/nik/.xinitrc
   285  v0  S      0:38.45 /usr/X11R6/bin/sawfish</screen>
 
     <para>As you can see in this example, the output from &man.ps.1; is
       organized into a number of columns.  <literal>PID</literal> is the
       process ID discussed earlier.  PIDs are assigned starting from 1, go up
       to 99999, and wrap around back to the beginning when you run out.
       The <literal>TT</literal> column shows the tty the program is running on, and can
       safely be ignored for the moment.  <literal>STAT</literal> shows the
       program's state, and again, can be safely ignored.
       <literal>TIME</literal> is the amount of time the program has been
       running on the CPU&mdash;this is usually not the elapsed time since
       you started the program, as most programs spend a lot of time waiting
       for things to happen before they need to spend time on the CPU.
       Finally, <literal>COMMAND</literal> is the command line that was used to
       run the program.</para>
 
     <para>&man.ps.1; supports a number of different options to change the
       information that is displayed.  One of the most useful sets is
       <literal>auxww</literal>.  <option>a</option> displays information
       about all the running processes, not just your own.  <option>u</option>
       displays the username of the process' owner, as well as memory usage.
       <option>x</option> displays information about daemon processes, and
       <option>ww</option> causes &man.ps.1; to display the full command line,
       rather than truncating it once it gets too long to fit on the
       screen.</para>
 
     <para>The output from &man.top.1; is similar.  A sample session looks like
       this:</para>
 
     <screen>&prompt.user; <userinput>top</userinput>
 last pid: 72257;  load averages:  0.13,  0.09,  0.03    up 0+13:38:33  22:39:10
 47 processes:  1 running, 46 sleeping
 CPU states: 12.6% user,  0.0% nice,  7.8% system,  0.0% interrupt, 79.7% idle
 Mem: 36M Active, 5256K Inact, 13M Wired, 6312K Cache, 15M Buf, 408K Free
 Swap: 256M Total, 38M Used, 217M Free, 15% Inuse
 
   PID USERNAME PRI NICE  SIZE    RES STATE    TIME   WCPU    CPU COMMAND
 72257 nik       28   0  1960K  1044K RUN      0:00 14.86%  1.42% top
  7078 nik        2   0 15280K 10960K select   2:54  0.88%  0.88% xemacs-21.1.14
   281 nik        2   0 18636K  7112K select   5:36  0.73%  0.73% XF86_SVGA
   296 nik        2   0  3240K  1644K select   0:12  0.05%  0.05% xterm
 48630 nik        2   0 29816K  9148K select   3:18  0.00%  0.00% navigator-linu
   175 root       2   0   924K   252K select   1:41  0.00%  0.00% syslogd
  7059 nik        2   0  7260K  4644K poll     1:38  0.00%  0.00% mutt
 ...</screen>
 
     <para>The output is split into two sections.  The header (the first five
       lines) shows the PID of the last process to run, the system load averages
       (which are a measure of how busy the system is), the system uptime (time
       since the last reboot) and the current time.  The other figures in the
       header relate to how many processes are running (47 in this case), how
       much memory and swap space has been taken up, and how much time the
       system is spending in different CPU states.</para>
 
     <para>Below that are a series of columns containing similar information
       to the output from &man.ps.1;.  As before you can see the PID, the
       username, the amount of CPU time taken, and the command that was run.
       &man.top.1; also defaults to showing you the amount of memory space
       taken by the process.  This is split into two columns, one for total
       size, and one for resident size&mdash;total size is how much memory the
       application has needed, and the resident size is how much it is actually
       using at the moment.  In this example you can see that <application>&netscape;</application> has
       required almost 30&nbsp;MB of RAM, but is currently only using 9&nbsp;MB.</para>
 
     <para>&man.top.1; automatically updates this display every two seconds;
       this can be changed with the <option>s</option> option.</para>
   </sect1>
 
   <sect1 id="basics-daemons">
     <title>Daemons, Signals, and Killing Processes</title>
 
     <para>When you run an editor it is easy to control the editor, tell it to
       load files, and so on.  You can do this because the editor provides
       facilities to do so, and because the editor is attached to a
       <firstterm>terminal</firstterm>.  Some programs are not designed to be
       run with continuous user input, and so they disconnect from the terminal
       at the first opportunity.  For example, a web server spends all day
       responding to web requests, it normally does not need any input from
       you.  Programs that transport email from site to site are another
       example of this class of application.</para>
 
     <para>We call these programs <firstterm>daemons</firstterm>.  Daemons were
       characters in Greek mythology; neither good or evil, they were little
       attendant spirits that, by and large, did useful things for mankind.
       Much like the web servers and mail servers of today do useful things.
       This is why the BSD mascot has, for a long time, been the cheerful
       looking daemon with sneakers and a pitchfork.</para>
 
     <para>There is a convention to name programs that normally run as daemons
       with a trailing <quote>d</quote>. <application>BIND</application> is the
       Berkeley Internet Name Daemon (and the actual program that executes is called
       <command>named</command>), the <application>Apache</application> web
       server program is called <command>httpd</command>, the line printer
       spooling daemon is <command>lpd</command> and so on.  This is a
       convention, not a hard and fast rule; for example, the main mail daemon
       for the <application>Sendmail</application> application is called
       <command>sendmail</command>, and not <command>maild</command>, as you
       might imagine.</para>
 
     <para>Sometimes you will need to communicate with a daemon process.  These
       communications are called <firstterm>signals</firstterm>, and you can
       communicate with a daemon (or with any other running process) by sending it a
       signal.  There are a number of different signals that you can
       send&mdash;some of them have a specific meaning, others are interpreted
       by the application, and the application's documentation will tell you
       how that application interprets signals.  You can only send a signal to
       a process that you own.  If you send a signal to someone else's
       process with &man.kill.1; or &man.kill.2; permission will be denied.
       The exception to this is the
       <username>root</username> user, who can send signals to everyone's
       processes.</para>
 
     <para>FreeBSD will also send applications signals in some cases.  If an
       application is badly written, and tries to access memory that it is not
       supposed to, FreeBSD sends the process the <firstterm>Segmentation
 	Violation</firstterm> signal (<literal>SIGSEGV</literal>).  If an
       application has used the &man.alarm.3; system call to be alerted after a
       period of time has elapsed then it will be sent the Alarm signal
       (<literal>SIGALRM</literal>), and so on.</para>
 
     <para>Two signals can be used to stop a process,
       <literal>SIGTERM</literal> and <literal>SIGKILL</literal>.
       <literal>SIGTERM</literal> is the polite way to kill a process; the
       process can <emphasis>catch</emphasis> the signal, realize that you want
       it to shut down, close any log files it may have open, and generally
       finish whatever it is doing at the time before shutting down.  In some
       cases a process may even ignore <literal>SIGTERM</literal> if it is in
       the middle of some task that can not be interrupted.</para>
 
     <para><literal>SIGKILL</literal> can not be ignored by a process.  This is
       the <quote>I do not care what you are doing, stop right now</quote>
       signal.  If you send <literal>SIGKILL</literal> to a process then
       FreeBSD will stop that process there and then<footnote>
 	<para>Not quite true&mdash;there are a few things that can not be
 	  interrupted.  For example, if the process is trying to read from a
 	  file that is on another computer on the network, and the other
 	  computer has gone away for some reason (been turned off, or the
 	  network has a fault), then the process is said to be
 	  <quote>uninterruptible</quote>.  Eventually the process will time
 	  out, typically after two minutes.  As soon as this time out occurs
 	  the process will be killed.</para>
       </footnote>.</para>
 
     <para>The other signals you might want to use are
       <literal>SIGHUP</literal>, <literal>SIGUSR1</literal>, and
       <literal>SIGUSR2</literal>.  These are general purpose signals, and
       different applications will do different things when they are
       sent.</para>
 
     <para>Suppose that you have changed your web server's configuration
       file&mdash;you would like to tell the web server to re-read its
       configuration.  You could stop and restart <command>httpd</command>, but
       this would result in a brief outage period on your web server, which may
       be undesirable.  Most daemons are written to respond to the
       <literal>SIGHUP</literal> signal by re-reading their configuration
       file.  So instead of killing and restarting <command>httpd</command> you
       would send it the <literal>SIGHUP</literal> signal.  Because there is no
       standard way to respond to these signals, different daemons will have
       different behavior, so be sure and read the documentation for the
       daemon in question.</para>
     
     <para>Signals are sent using the &man.kill.1; command, as this example
       shows.</para>
 
     <procedure>
       <title>Sending a Signal to a Process</title>
 
       <para>This example shows how to send a signal to &man.inetd.8;.  The
 	  <command>inetd</command> configuration file is
 	<filename>/etc/inetd.conf</filename>, and <command>inetd</command> will re-read
 	this configuration file when it is sent
 	<literal>SIGHUP</literal>.</para>
 
       <step>
 	<para>Find the process ID of the process you want to send the signal
 	  to.  Do this using &man.ps.1; and &man.grep.1;.  The &man.grep.1;
 	  command is used to search through output, looking for the string you
 	  specify.  This command is run as a normal user, and &man.inetd.8; is
 	  run as <username>root</username>, so the <option>ax</option> options
 	  must be given to &man.ps.1;.</para>
 
 	<screen>&prompt.user; <userinput>ps -ax | grep inetd</userinput>
   198  ??  IWs    0:00.00 inetd -wW</screen>
 
 	<para>So the &man.inetd.8; PID is 198.  In some cases the
 	  <literal>grep inetd</literal> command might also occur in this
 	  output.  This is because of the way &man.ps.1; has to find the list
 	  of running processes.</para>
       </step>
 
       <step>
 	<para>Use &man.kill.1; to send the signal.  Because &man.inetd.8; is
 	  being run by <username>root</username> you must use &man.su.1; to
 	  become <username>root</username> first.</para>
 
 	<screen>&prompt.user; <userinput>su</userinput>
 <prompt>Password:</prompt>
 &prompt.root; <userinput>/bin/kill -s HUP 198</userinput></screen>
 
 	<para>In common with most &unix; commands, &man.kill.1; will not print any
 	  output if it is successful.  If you send a signal to a
 	  process that you do not own then you will see <errorname>kill:
 	    <replaceable>PID</replaceable>: Operation not
 	    permitted</errorname>.  If you mistype the PID you will either
 	  send the signal to the wrong process, which could be bad, or, if
 	  you are lucky, you will have sent the signal to a PID that is not
 	  currently in use, and you will see <errorname>kill:
 	    <replaceable>PID</replaceable>: No such process</errorname>.</para>
 
 	<note>
 	  <title>Why Use <command>/bin/kill</command>?</title>
 
 	  <para>Many shells provide the <command>kill</command> command as a
 	    built in command; that is, the shell will send the signal
 	    directly, rather than running <filename>/bin/kill</filename>.
 	    This can be very useful, but different shells have a different
 	    syntax for specifying the name of the signal to send.  Rather than
 	    try to learn all of them, it can be simpler just to use the
 	    <command>/bin/kill <replaceable>...</replaceable></command>
 	    command directly.</para>
 	</note>
       </step>
     </procedure>
 
     <para>Sending other signals is very similar, just substitute
       <literal>TERM</literal> or <literal>KILL</literal> in the command line
       as necessary.</para>
 
     <important>
       <para>Killing random process on the system can be a bad idea.  In
 	particular, &man.init.8;, process ID 1, is very special.  Running
 	<command>/bin/kill -s KILL 1</command> is a quick way to shutdown your
 	system.  <emphasis>Always</emphasis> double check the arguments you
 	run &man.kill.1; with <emphasis>before</emphasis> you press
 	<keycap>Return</keycap>.</para>
     </important>
   </sect1>
 
   <sect1 id="shells">
     <title>Shells</title>
     <indexterm><primary>shells</primary></indexterm>
     <indexterm><primary>command line</primary></indexterm>
 
     <para>In FreeBSD, a lot of everyday work is done in a command line
       interface called a shell.  A shell's main job is to take commands
       from the input channel and execute them.  A lot of shells also have
       built in functions to help everyday tasks such as file management,
       file globbing, command line editing, command macros, and environment
       variables.  FreeBSD comes with a set of shells, such as 
       <command>sh</command>, the Bourne Shell, and <command>tcsh</command>, 
       the improved C-shell.  Many other shells are available
       from the FreeBSD Ports Collection, such as
       <command>zsh</command> and <command>bash</command>.</para>
 
     <para>Which shell do you use?  It is really a matter of taste.  If you
       are a C programmer you might feel more comfortable with a C-like shell
       such as <command>tcsh</command>.  If you have come from Linux or are new 
       to a &unix; command line interface you might try <command>bash</command>.  
       The point is that each
       shell has unique properties that may or may not work with your
       preferred working environment, and that you have a choice of what
       shell to use.</para>
 
     <para>One common feature in a shell is filename completion.  Given
       the typing of the first few letters of a command or filename, you
       can usually have the shell automatically complete the rest of the
       command or filename by hitting the <keycap>Tab</keycap> key on the keyboard.  Here is
       an example.  Suppose you have two files called
       <filename>foobar</filename> and <filename>foo.bar</filename>.  You
       want to delete <filename>foo.bar</filename>.  So what you would type
       on the keyboard is: <command>rm fo[<keycap>Tab</keycap>].[<keycap>Tab</keycap>]</command>.</para>
 
     <para>The shell would print out <command>rm
       foo[BEEP].bar</command>.</para>
 
     <para>The [BEEP] is the console bell, which is the shell telling me it
       was unable to totally complete the filename because there is more
       than one match.  Both <filename>foobar</filename> and
       <filename>foo.bar</filename> start with <literal>fo</literal>, but
       it was able to complete to <literal>foo</literal>.  If you type in
       <literal>.</literal>, then hit <keycap>Tab</keycap> again, the shell would be able to
       fill in the rest of the filename for you.</para>
     <indexterm><primary>environment variables</primary></indexterm>
 
     <para>Another feature of the shell is the use of environment variables.
       Environment variables are a variable key pair stored in the shell's
       environment space.  This space can be read by any program invoked by
       the shell, and thus contains a lot of program configuration.  Here
       is a list of common environment variables and what they mean:</para>
     <indexterm><primary>environment variables</primary></indexterm>
 
-    <informaltable frame="none">
+    <informaltable frame="none" pgwide="1">
       <tgroup cols="2">
 	<thead>
 	  <row>
 	    <entry>Variable</entry>
 	    <entry>Description</entry>
 	  </row>
 	</thead>
 
 	<tbody>
 	  <row>
 	    <entry><envar>USER</envar></entry>
 	    <entry>Current logged in user's name.</entry>
 	  </row>
 
 	  <row>
 	    <entry><envar>PATH</envar></entry>
 	    <entry>Colon separated list of directories to search for
 	      binaries.</entry>
 	  </row>
 
 	  <row>
 	    <entry><envar>DISPLAY</envar></entry>
 	    <entry>Network name of the X11 display to connect to, if
 	      available.</entry>
 	  </row>
 
 	  <row>
 	    <entry><envar>SHELL</envar></entry>
 	    <entry>The current shell.</entry>
 	  </row>
 
 	  <row>
 	    <entry><envar>TERM</envar></entry>
 	    <entry>The name of the user's terminal.  Used to determine the
 	      capabilities of the terminal.</entry>
 	  </row>
 
 	  <row>
 	    <entry><envar>TERMCAP</envar></entry>
 	    <entry>Database entry of the terminal escape codes to perform
 	      various terminal functions.</entry>
 	  </row>
 
 	  <row>
 	    <entry><envar>OSTYPE</envar></entry>
 	    <entry>Type of operating system.  e.g., FreeBSD.</entry>
 	  </row>
 
 	  <row>
 	    <entry><envar>MACHTYPE</envar></entry>
 	    <entry>The CPU architecture that the system is running
 	      on.</entry>
 	  </row>
 
 	  <row>
 	    <entry><envar>EDITOR</envar></entry>
 	    <entry>The user's preferred text editor.</entry>
 	  </row>
 
 	  <row>
 	    <entry><envar>PAGER</envar></entry>
 	    <entry>The user's preferred text pager.</entry>
 	  </row>
 
 	  <row>
 	    <entry><envar>MANPATH</envar></entry>
 	    <entry>Colon separated list of directories to search for
 	      manual pages.</entry>
 	  </row>
 	</tbody>
       </tgroup>
     </informaltable>
 
     <indexterm><primary>Bourne shells</primary></indexterm>
     <para>Setting an environment variable differs somewhat from
       shell to shell.  For example, in the C-Style shells such as
       <command>tcsh</command> and <command>csh</command>, you would use
       <command>setenv</command> to set environment variables.
       Under Bourne shells such as <command>sh</command> and
       <command>bash</command>, you would use
       <command>export</command> to set your current environment
       variables.  For example, to set or modify the
       <envar>EDITOR</envar> environment variable, under <command>csh</command> or 
       <command>tcsh</command> a
       command like this would set <envar>EDITOR</envar> to
       <filename>/usr/local/bin/emacs</filename>:</para>
 
     <screen>&prompt.user; <userinput>setenv EDITOR /usr/local/bin/emacs</userinput></screen>
 
     <para>Under Bourne shells:</para>
 
     <screen>&prompt.user; <userinput>export EDITOR="/usr/local/bin/emacs"</userinput></screen>
 
     <para>You can also make most shells expand the environment variable by
       placing a <literal>$</literal> character in front of it on the
       command line.  For example, <command>echo $TERM</command> would
       print out whatever <envar>$TERM</envar> is set to, because the shell
       expands <envar>$TERM</envar> and passes it on to <command>echo</command>.</para>
 
     <para>Shells treat a lot of special characters, called meta-characters
       as special representations of data.  The most common one is the
       <literal>*</literal> character, which represents any number of
       characters in a filename.  These special meta-characters can be used
       to do filename globbing.  For example, typing in
       <command>echo *</command> is almost the same as typing in
       <command>ls</command> because the shell takes all the files that
       match <literal>*</literal> and puts them on the command line for
       <command>echo</command> to see.</para>
 
     <para>To prevent the shell from interpreting these special characters,
       they can be escaped from the shell by putting a backslash
       (<literal>\</literal>) character in front of them.  <command>echo
       $TERM</command> prints whatever your terminal is set to.
       <command>echo \$TERM</command> prints <envar>$TERM</envar> as
       is.</para>
 
     <sect2 id="changing-shells">
       <title>Changing Your Shell</title>
 
       <para>The easiest way to change your shell is to use the
 	<command>chsh</command> command.  Running <command>chsh</command> will
 	place you into the editor that is in your <envar>EDITOR</envar>
 	environment variable; if it is not set, you will be placed in
 	<command>vi</command>.  Change the <quote>Shell:</quote> line
 	accordingly.</para>
 
       <para>You can also give <command>chsh</command> the
 	<option>-s</option> option; this will set your shell for you,
 	without requiring you to enter an editor.  
 	For example, if you wanted to
 	change your shell to <command>bash</command>, the following should do the
 	trick:</para>
 	
       <screen>&prompt.user; <userinput>chsh -s /usr/local/bin/bash</userinput></screen>
 
       <para>Running <command>chsh</command> with no parameters and editing
 	the shell from there would work also.</para>
 
       <note>
 	<para>The shell that you wish to use <emphasis>must</emphasis> be
 	  present in the <filename>/etc/shells</filename> file.  If you
 	  have installed a shell from the <link linkend="ports">ports
 	  collection</link>, then this should have been done for you
 	  already.  If you installed the shell by hand, you must do
 	  this.</para>
      
       <para>For example, if you installed <command>bash</command> by hand
 	and placed it into <filename>/usr/local/bin</filename>, you would
 	want to:</para>
 
       <screen>&prompt.root; <userinput>echo &quot;/usr/local/bin/bash&quot; &gt;&gt; /etc/shells</userinput></screen>
 
        <para>Then rerun <command>chsh</command>.</para>
      </note>
    </sect2>
   </sect1>
 
   <sect1 id="editors">
     <title>Text Editors</title>
     <indexterm><primary>text editors</primary></indexterm>
     <indexterm><primary>editors</primary></indexterm>
 
     <para>A lot of configuration in FreeBSD is done by editing text files.
       Because of this, it would be a good idea to become familiar
       with a text editor.  FreeBSD comes with a few as part of the base
       system, and many more are available in the ports collection.</para>
 
     <indexterm>
       <primary><command>ee</command></primary>
     </indexterm>
     <para>The easiest and simplest editor to learn is an editor called
       <application>ee</application>, which stands for easy editor.  To
       start <application>ee</application>, one would type at the command
       line <command>ee <replaceable>filename</replaceable></command> where
       <replaceable>filename</replaceable> is the name of the file to be edited.
       For example, to edit <filename>/etc/rc.conf</filename>, type in
       <command>ee /etc/rc.conf</command>.  Once inside of 
       <command>ee</command>, all of the
       commands for manipulating the editor's functions are listed at the
       top of the display. The caret <literal>^</literal> character represents
       the <keycap>Ctrl</keycap> key on the keyboard, so <literal>^e</literal> expands to the key combination
       <keycombo action="simul"><keycap>Ctrl</keycap><keycap>e</keycap></keycombo>.  To leave
       <application>ee</application>, hit the <keycap>Esc</keycap> key, then choose leave
       editor.  The editor will prompt you to save any changes if the file
       has been modified.</para>
 
     <indexterm>
       <primary><command>vi</command></primary>
     </indexterm>
     <indexterm>
       <primary>editors</primary>
       <secondary><command>vi</command></secondary>
     </indexterm>
     <indexterm>
       <primary><command>emacs</command></primary>
     </indexterm>
     <indexterm>
       <primary>editors</primary>
       <secondary><command>emacs</command></secondary>
     </indexterm>
     <para>FreeBSD also comes with more powerful text editors such as
       <application>vi</application> as part of the base system, while other editors, like
       <application>Emacs</application> and <application>vim</application>,
       are part of the FreeBSD Ports Collection (<filename role="package">editors/emacs</filename> and <filename role="package">editors/vim</filename>).  These editors offer much
       more functionality and power at the expense of being a little more
       complicated to learn.  However if you plan on doing a lot of text
       editing, learning a more powerful editor such as
       <application>vim</application> or <application>Emacs</application>
       will save you much more time in the long run.</para>
   </sect1>
 
   <sect1 id="basics-devices">
     <title>Devices and Device Nodes</title>
 
     <para>A device is a term used mostly for hardware-related
       activities in a system, including disks, printers, graphics
       cards, and keyboards.  When FreeBSD boots, the majority
       of what FreeBSD displays are devices being detected.
       You can look through the boot messages again by viewing
       <filename>/var/run/dmesg.boot</filename>.</para>
 
     <para>For example, <devicename>acd0</devicename> is the
       first IDE CDROM drive, while <devicename>kbd0</devicename>
       represents the keyboard.</para>
 
     <para>Most of these devices in a &unix; operating system must be
       accessed through special files called device nodes, which are
       located in the <filename>/dev</filename> directory.</para>
 
     <sect2>
       <title>Creating Device Nodes</title>
       <para>When adding a new device to your system, or compiling
 	in support for additional devices, you may need to create one or
 	more device nodes for the new devices.</para>
 
       <sect3>
 	<title>MAKEDEV Script</title>
 	<para>On systems without <literal>DEVFS</literal> (this concerns all FreeBSD versions before 5.0), device nodes are created
 	  using the &man.MAKEDEV.8; script as shown below:</para>
 
 	<screen>&prompt.root; <userinput>cd /dev</userinput>
 &prompt.root; <userinput>sh MAKEDEV ad1</userinput>
 	</screen>
 
 	<para>This example would make the proper device nodes
 	  for the second IDE drive when installed.</para>
       </sect3>
 
       <sect3>
 	<title><literal>DEVFS</literal> (DEVice File System)</title>
 
 	<para> The device file system, or <literal>DEVFS</literal>, provides access to
 	  kernel's device namespace in the global file system namespace.
 	  Instead of having to create and modify device nodes,
 	  <literal>DEVFS</literal> maintains this particular file system for you.</para>
 
 	<para>See the &man.devfs.5; manual page for more
 	  information.</para>
 
 	<para><literal>DEVFS</literal> is used by default in FreeBSD&nbsp;5.0 and above.</para>
       </sect3>
     </sect2>
   </sect1>
 
   <sect1 id="binary-formats">
     <title>Binary Formats</title>
 
     <para>To understand why &os; uses the &man.elf.5;
       format, you must first know a little about the three currently
       <quote>dominant</quote> executable formats for &unix;:</para>
 
     <itemizedlist>
       <listitem>
         <para>&man.a.out.5;</para>
 
         <para>The oldest and <quote>classic</quote> &unix; object
           format.  It uses a short and compact header with a magic
           number at the beginning that is often used to characterize
           the format (see &man.a.out.5; for more details).  It
           contains three loaded segments: .text, .data, and .bss plus
           a symbol table and a string table.</para>
       </listitem>
 
       <listitem>
         <para><acronym>COFF</acronym></para>
 
         <para>The SVR3 object format.  The header now comprises a
           section table, so you can have more than just .text, .data,
           and .bss sections.</para>
       </listitem>
 
       <listitem>
         <para>&man.elf.5;</para>
 
         <para>The successor to <acronym>COFF</acronym>, featuring
           multiple sections and 32-bit or 64-bit possible values.  One
           major drawback: <acronym>ELF</acronym> was also designed
           with the assumption that there would be only one ABI per
           system architecture.  That assumption is actually quite
           incorrect, and not even in the commercial SYSV world (which
           has at least three ABIs: SVR4, Solaris, SCO) does it hold
           true.</para>
 
         <para>FreeBSD tries to work around this problem somewhat by
           providing a utility for <emphasis>branding</emphasis> a
           known <acronym>ELF</acronym> executable with information
           about the ABI it is compliant with.  See the manual page for
           &man.brandelf.1; for more information.</para>
       </listitem>
     </itemizedlist>
 
     <para>FreeBSD comes from the <quote>classic</quote> camp and used
       the &man.a.out.5; format, a technology tried and proven through
       many generations of BSD releases, until the beginning of the 3.X
       branch. Though it was possible to build and run native
       <acronym>ELF</acronym> binaries (and kernels) on a FreeBSD
       system for some time before that, FreeBSD initially resisted the
       <quote>push</quote> to switch to <acronym>ELF</acronym> as the
       default format. Why?  Well, when the Linux camp made their
       painful transition to <acronym>ELF</acronym>, it was not so much
       to flee the <filename>a.out</filename> executable format as it
       was their inflexible jump-table based shared library mechanism,
       which made the construction of shared libraries very difficult
       for vendors and developers alike. Since the
       <acronym>ELF</acronym> tools available offered a solution to the
       shared library problem and were generally seen as <quote>the way
       forward</quote> anyway, the migration cost was accepted as
       necessary and the transition made.  FreeBSD's shared library
       mechanism is based more closely on Sun's
       &sunos; style shared library mechanism
       and, as such, is very easy to use.</para>
 
     <para>So, why are there so many different formats?</para>
 
     <para>Back in the dim, dark past, there was simple hardware.  This
       simple hardware supported a simple, small system. <filename>a.out</filename> was
       completely adequate for the job of representing binaries on this
       simple system (a PDP-11). As people ported &unix; from this simple
       system, they retained the <filename>a.out</filename> format because it was sufficient
       for the early ports of &unix; to architectures like the Motorola
       68k, VAXen, etc.</para>
 
     <para>Then some bright hardware engineer decided that if he could
       force software to do some sleazy tricks, then he would be able
       to shave a few gates off the design and allow his CPU core to
       run faster. While it was made to work with this new kind of
       hardware (known these days as <acronym>RISC</acronym>), <filename>a.out</filename>
       was ill-suited for this hardware, so many formats were developed
       to get to a better performance from this hardware than the
       limited, simple <filename>a.out</filename> format could
       offer. Things like <acronym>COFF</acronym>,
       <acronym>ECOFF</acronym>, and a few obscure others were invented
       and their limitations explored before things seemed to settle on
       <acronym>ELF</acronym>.</para>
 
     <para>In addition, program sizes were getting huge and disks (and
       physical memory) were still relatively small so the concept of a
       shared library was born. The VM system also became more
       sophisticated. While each one of these advancements was done
       using the <filename>a.out</filename> format, its usefulness was
       stretched more and more with each new feature.  In addition,
       people wanted to dynamically load things at run time, or to junk
       parts of their program after the init code had run to save in
       core memory and swap space. Languages became more sophisticated
       and people wanted code called before main automatically. Lots of
       hacks were done to the <filename>a.out</filename> format to
       allow all of these things to happen, and they basically worked
       for a time. In time, <filename>a.out</filename> was not up to
       handling all these problems without an ever increasing overhead
       in code and complexity. While <acronym>ELF</acronym> solved many
       of these problems, it would be painful to switch from the system
       that basically worked. So <acronym>ELF</acronym> had to wait
       until it was more painful to remain with
       <filename>a.out</filename> than it was to migrate to
       <acronym>ELF</acronym>.</para>
 
     <para>However, as time passed, the build tools that FreeBSD
       derived their build tools from (the assembler and loader
       especially) evolved in two parallel trees. The FreeBSD tree
       added shared libraries and fixed some bugs. The GNU folks that
       originally wrote these programs rewrote them and added simpler
       support for building cross compilers, plugging in different
       formats at will, and so on. Since many people wanted to build cross
       compilers targeting FreeBSD, they were out of luck since the
       older sources that FreeBSD had for <application>as</application> and <application>ld</application> were not up to the
       task. The new GNU tools chain (<application>binutils</application>) does support cross
       compiling, <acronym>ELF</acronym>, shared libraries, C++
       extensions, etc. In addition, many vendors are releasing
       <acronym>ELF</acronym> binaries, and it is a good thing for
       FreeBSD to run them.</para>
 
     <para><acronym>ELF</acronym> is more expressive than <filename>a.out</filename> and
       allows more extensibility in the base system. The
       <acronym>ELF</acronym> tools are better maintained, and offer
       cross compilation support, which is important to many people.
       <acronym>ELF</acronym> may be a little slower than <filename>a.out</filename>, but
       trying to measure it can be difficult. There are also numerous
       details that are different between the two in how they map
       pages, handle init code, etc. None of these are very important,
       but they are differences. In time support for
       <filename>a.out</filename> will be moved out of the <filename>GENERIC</filename>
       kernel, and eventually removed from the kernel once the need to
       run legacy <filename>a.out</filename> programs is past.</para>
   </sect1>
 
   <sect1 id="basics-more-information">
     <title>For More Information</title>
 
     <sect2 id="basics-man">
       <title>Manual Pages</title>
       <indexterm><primary>manual pages</primary></indexterm>
 
       <para>The most comprehensive documentation on FreeBSD is in the form
 	of manual pages. Nearly every program on the system comes with a
 	short reference manual explaining the basic operation and various
 	arguments. These manuals can be viewed with the <command>man</command> command.  Use
 	of the <command>man</command> command is simple:</para>
 
       <screen>&prompt.user; <userinput>man <replaceable>command</replaceable></userinput></screen>
 
       <para><literal>command</literal> is the name of the command you
         wish to learn about.  For example, to learn more about
 	<command>ls</command> command type:</para>
 
       <screen>&prompt.user; <userinput>man ls</userinput></screen>
 
       <para>The online manual is divided up into numbered sections:</para>
 
       <orderedlist>
 	<listitem>
 	  <para>User commands.</para>
 	</listitem>
 
 	<listitem>
 	  <para>System calls and error numbers.</para>
 	</listitem>
 
 	<listitem>
 	  <para>Functions in the C libraries.</para>
 	</listitem>
 
 	<listitem>
 	  <para>Device drivers.</para>
 	</listitem>
 
 	<listitem>
 	  <para>File formats.</para>
 	</listitem>
 
 	<listitem>
 	  <para>Games and other diversions.</para>
 	</listitem>
 
 	<listitem>
 	  <para>Miscellaneous information.</para>
 	</listitem>
 
 	<listitem>
 	  <para>System maintenance and operation commands.</para>
 	</listitem>
 
 	<listitem>
 	  <para>Kernel developers.</para>
 	</listitem>
       </orderedlist>
 
       <para>In some cases, the same topic may appear in more than one
 	section of the online manual.  For example, there is a
 	<command>chmod</command> user command and a
 	<function>chmod()</function> system call.  In this case, you can
 	tell the <command>man</command> command which one you want by specifying the
 	section:</para>
 
       <screen>&prompt.user; <userinput>man 1 chmod</userinput></screen>
 
       <para>This will display the manual page for the user command
         <command>chmod</command>. References to a particular section of
 	the online manual are traditionally placed in parenthesis in
 	written documentation, so &man.chmod.1; refers to the
 	<command>chmod</command> user command and &man.chmod.2; refers to
 	the system call.</para>
 
       <para>This is fine if you know the name of the command and simply
 	wish to know how to use it, but what if you cannot recall the
 	command name?  You can use <command>man</command> to search for keywords in the
 	command descriptions by using the <option>-k</option>
 	switch:</para>
 
       <screen>&prompt.user; <userinput>man -k mail</userinput></screen>
 
       <para>With this command you will be presented with a list of
         commands that have the keyword <quote>mail</quote> in their
 	descriptions.  This is actually functionally equivalent to using
 	the <command>apropos</command> command.</para>
 
       <para>So, you are looking at all those fancy commands in
 	<filename>/usr/bin</filename> but do not have the faintest idea
 	what most of them actually do?  Simply do:</para>
 
 	<screen>&prompt.user; <userinput>cd /usr/bin</userinput>
 &prompt.user; <userinput>man -f *</userinput></screen>
 
 	<para>or</para>
 
 	<screen>&prompt.user; <userinput>cd /usr/bin</userinput>
 &prompt.user; <userinput>whatis *</userinput></screen>
 
 	<para>which does the same thing.</para>
     </sect2>
 
     <sect2 id="basics-info">
       <title>GNU Info Files</title>
       <indexterm><primary>Free Software Foundation</primary></indexterm>
 
       <para>FreeBSD includes many applications and utilities produced by
 	the Free Software Foundation (FSF).  In addition to manual pages,
 	these programs come with more extensive hypertext documents called
 	<literal>info</literal> files which can be viewed with the
 	<command>info</command> command or, if you installed
 	<application>emacs</application>, the info mode of
 	<application>emacs</application>.</para>
 
       <para>To use the &man.info.1; command, simply type:</para>
 
       <screen>&prompt.user; <userinput>info</userinput></screen>
 
       <para>For a brief introduction, type <literal>h</literal>.  For a
 	quick command reference, type <literal>?</literal>.</para>
     </sect2>
   </sect1>
 </chapter>
 <!-- 
      Local Variables:
      mode: sgml
      sgml-declaration: "../chapter.decl"
      sgml-indent-data: t
      sgml-omittag: nil
      sgml-always-quote-attributes: t
      sgml-parent-document: ("../book.sgml" "part" "chapter")
      End:
 -->
 
diff --git a/en_US.ISO8859-1/books/handbook/config/chapter.sgml b/en_US.ISO8859-1/books/handbook/config/chapter.sgml
index 88bb051922..eb9786fdcd 100644
--- a/en_US.ISO8859-1/books/handbook/config/chapter.sgml
+++ b/en_US.ISO8859-1/books/handbook/config/chapter.sgml
@@ -1,2990 +1,2990 @@
 <!--
      The FreeBSD Documentation Project
 
      $FreeBSD$
 -->
 
 <chapter id="config-tuning">
   <chapterinfo>
     <authorgroup>
       <author>
         <firstname>Chern</firstname>
 	<surname>Lee</surname>
 	<contrib>Written by </contrib>
       </author>
     </authorgroup>
     <authorgroup>
       <author>
         <firstname>Mike</firstname>
 	<surname>Smith</surname>
 	<contrib>Based on a tutorial written by </contrib>
       </author>
     </authorgroup>
     <authorgroup>
       <author>
         <firstname>Matt</firstname>
 	<surname>Dillon</surname>
 	<contrib>Also based on tuning(7) written by </contrib>
       </author>
     </authorgroup>
   </chapterinfo>
 
   <title>Configuration and Tuning</title>
 
   <sect1 id="config-synopsis">
     <title>Synopsis</title>
 
     <indexterm><primary>system configuration</primary></indexterm>
     <indexterm><primary>system optimization</primary></indexterm>
 
     <para>One of the important aspects of &os; is system configuration.
       Correct system configuration will help prevent headaches during future upgrades.
       This chapter will explain much of the &os; configuration process,
       including some of the parameters which
       can be set to tune a &os; system.
       </para>
 
     <para>After reading this chapter, you will know:</para>
 
     <itemizedlist>
       <listitem>
 	<para>How to efficiently work with
 	  file systems and swap partitions.</para>
       </listitem>
       <listitem>
 	<para>The basics of <filename>rc.conf</filename> configuration and
 	  <filename>/usr/local/etc/rc.d</filename> startup systems.</para>
       </listitem>
       <listitem>
 	<para>How to configure and test a network card.</para>
       </listitem>
       <listitem>
 	<para>How to configure virtual hosts on your network devices.</para>
       </listitem>
       <listitem>
 	<para>How to use the various configuration files in
 	  <filename>/etc</filename>.</para>
       </listitem>
       <listitem>
         <para>How to tune &os; using <command>sysctl</command>
           variables.</para>
       </listitem>
       <listitem>
 	<para>How to tune disk performance and modify kernel
 	  limitations.</para>
       </listitem>
     </itemizedlist>
 
     <para>Before reading this chapter, you should:</para>
 
     <itemizedlist>
       <listitem>
 	<para>Understand &unix; and &os; basics (<xref
 	    linkend="basics">).</para>
       </listitem>
       <listitem>
 	<para>Be familiar with the basics of kernel configuration/compilation
 	  (<xref linkend="kernelconfig">).</para>
       </listitem>
     </itemizedlist>
   </sect1>
 
   <sect1 id="configtuning-initial">
     <title>Initial Configuration</title>
 
     <sect2>
       <title>Partition Layout</title>
 
       <indexterm><primary>partition layout</primary></indexterm>
       <indexterm>
         <primary><filename>/etc</filename></primary>
       </indexterm>
       <indexterm>
         <primary><filename>/var</filename></primary>
       </indexterm>
       <indexterm>
         <primary><filename>/usr</filename></primary>
       </indexterm>
 
       <sect3>
 	<title>Base Partitions</title>
 
 	<para>When laying out file systems with &man.disklabel.8;
 	  or &man.sysinstall.8;, remember that hard
 	  drives transfer data faster from the outer
 	  tracks to the inner.
 	  Thus smaller and heavier-accessed file systems
 	  should be closer to the outside of the drive, while
 	  larger partitions like <filename>/usr</filename> should be placed
 	  toward the inner.  It is a good idea to create
 	  partitions in a similar order to: root, swap,
 	  <filename>/var</filename>, <filename>/usr</filename>.</para>
 
 	<para>The size of <filename>/var</filename>
 	  reflects the intended machine usage.
 	  <filename>/var</filename> is used to hold
 	  mailboxes, log files, and printer spools.  Mailboxes and log
 	  files can grow to unexpected sizes depending
 	  on how many users exist and how long log
 	  files are kept.  Most users would never require a gigabyte,
 	  but remember that <filename>/var/tmp</filename>
 	  must be large enough to contain packages.
 	  </para>
 
 	<para>The <filename>/usr</filename> partition holds much
 	  of the files required to support the system, the &man.ports.7;
 	  collection (recommended) and the source code (optional).  Both
 	  of which are optional at install time.
 	  At least 2 gigabytes would be recommended for this partition.</para>
 
 	<para>When selecting partition sizes, keep the space
 	  requirements in mind.  Running out of space in
 	  one partition while barely using another can be a
 	  hassle.</para>
 
 	<note><para>Some users have found that &man.sysinstall.8;'s
 	    <literal>Auto-defaults</literal> partition sizer will
 	    sometimes select smaller than adequate <filename>/var</filename>
 	    and <filename>/</filename> partitions.  Partition wisely and
 	    generously.</para></note>
 
       </sect3>
 
       <sect3 id="swap-design">
 	<title>Swap Partition</title>
 
 	<indexterm><primary>swap sizing</primary></indexterm>
 	<indexterm><primary>swap partition</primary></indexterm>
 
 	<para>As a rule of thumb, the swap partition should be
 	  about double the size of system memory (RAM).  For example,
 	  if the machine has 128&nbsp;megabytes of memory,
 	  the swap file should be 256&nbsp;megabytes.  Systems with
 	  less memory may perform better with more swap.
 	  Less than 256&nbsp;megabytes of swap is not recommended and
 	  memory expansion should be considered.
 	  The kernel's VM paging algorithms are tuned to
 	  perform best when the swap partition is at least two times the
 	  size of main memory.  Configuring too little swap can lead to
 	  inefficiencies in the VM page scanning code and might create
 	  issues later if more memory is added.</para>
 
 	<para>On larger systems with multiple SCSI disks (or
 	  multiple IDE disks operating on different controllers), it is
 	  recommend that a swap is configured on each drive (up
 	  to four drives).  The swap partitions should be
 	  approximately the same size.  The kernel can handle arbitrary
 	  sizes but internal data structures scale to 4 times the
 	  largest swap partition.  Keeping the swap partitions near the
 	  same size will allow the kernel to optimally stripe swap space
 	  across disks.
 	  Large swap sizes are fine, even if swap is not
 	  used much.  It might be easier to recover
 	  from a runaway program before being forced to reboot.</para>
       </sect3>
 
       <sect3>
 	<title>Why Partition?</title>
 
 	<para>Several users think a single large partition will be fine,
 	  but there are several reasons why this is a bad idea.
 	  First, each partition has different operational
 	  characteristics and separating them allows the file system to
 	  tune accordingly.  For example, the root
 	  and <filename>/usr</filename> partitions are read-mostly, without
 	  much writing.  While a lot of reading and writing could
 	  occur in <filename>/var</filename> and
 	  <filename>/var/tmp</filename>.</para>
 
 	<para>By properly partitioning a system, fragmentation
 	  introduced in the smaller write heavy partitions
 	  will not bleed over into the mostly-read partitions.
 	  Keeping the write-loaded partitions closer to
 	  the disk's edge,
 	  will
 	  increase I/O performance in the partitions where it occurs
 	  the most.  Now while I/O
 	  performance in the larger partitions may be needed,
 	  shifting them more toward the edge of the disk will not
 	  lead to a significant performance improvement over moving
 	  <filename>/var</filename> to the edge.
 	  Finally, there are safety concerns.  A smaller, neater root
 	  partition which is mostly read-only has a greater
 	  chance of surviving a bad crash.</para>
       </sect3>
     </sect2>
 
   </sect1>
 
   <sect1 id="configtuning-core-configuration">
     <title>Core Configuration</title>
 
     <indexterm>
       <primary>rc files</primary>
       <secondary><filename>rc.conf</filename></secondary>
     </indexterm>
 
     <para>The principal location for system configuration information
       is within <filename>/etc/rc.conf</filename>.  This file
       contains a wide range of configuration information, principally
       used at system startup to configure the system.  Its name
       directly implies this; it is configuration information for the
       <filename>rc*</filename> files.</para>
 
     <para>An administrator should make entries in the
       <filename>rc.conf</filename> file to
       override the default settings from
       <filename>/etc/defaults/rc.conf</filename>.  The defaults file
       should not be copied verbatim to <filename>/etc</filename> - it
       contains default values, not examples.  All system-specific
       changes should be made in the <filename>rc.conf</filename>
       file itself.</para>
 
     <para>A number of strategies may be applied in clustered
       applications to separate site-wide configuration from
       system-specific configuration in order to keep administration
       overhead down.  The recommended approach is to place site-wide
       configuration into another file,
       such as <filename>/etc/rc.conf.site</filename>, and then include
       this file into <filename>/etc/rc.conf</filename>, which will
       contain only system-specific information.</para>
 
     <para>As <filename>rc.conf</filename> is read by &man.sh.1; it is
       trivial to achieve this.  For example:</para>
 
     <itemizedlist>
       <listitem><para>rc.conf:</para>
 <programlisting>	. rc.conf.site
 	hostname="node15.example.com"
 	network_interfaces="fxp0 lo0"
 	ifconfig_fxp0="inet 10.1.1.1"</programlisting></listitem>
       <listitem><para>rc.conf.site:</para>
 <programlisting>	defaultrouter="10.1.1.254"
 	saver="daemon"
 	blanktime="100"</programlisting></listitem>
     </itemizedlist>
 
     <para>The <filename>rc.conf.site</filename> file can then be
       distributed to every system using <command>rsync</command> or a
       similar program, while the <filename>rc.conf</filename> file
       remains unique.</para>
 
     <para>Upgrading the system using &man.sysinstall.8;
       or <command>make world</command> will not overwrite the
       <filename>rc.conf</filename>
       file, so system configuration information will not be lost.</para>
 
   </sect1>
 
   <sect1 id="configtuning-appconfig">
     <title>Application Configuration</title>
 
     <para>Typically, installed applications have their own
       configuration files, with their own syntax, etc.  It is
       important that these files be kept separate from the base
       system, so that they may be easily located and managed by the
       package management tools.</para>
 
     <indexterm><primary>/usr/local/etc</primary></indexterm>
 
     <para>Typically, these files are installed in
       <filename>/usr/local/etc</filename>.  In the case where an
       application has a large number of configuration files, a
       subdirectory will be created to hold them.</para>
 
     <para>Normally, when a port or package is installed, sample
       configuration files are also installed.  These are usually
       identified with a <filename>.default</filename> suffix.  If there
       are no existing
       configuration files for the application, they will be created by
       copying the <filename>.default</filename> files.</para>
 
     <para>For example, consider the contents of the directory
     <filename>/usr/local/etc/apache</filename>:</para>
 
 <literallayout class="monospaced">-rw-r--r--  1 root  wheel   2184 May 20  1998 access.conf
 -rw-r--r--  1 root  wheel   2184 May 20  1998 access.conf.default
 -rw-r--r--  1 root  wheel   9555 May 20  1998 httpd.conf
 -rw-r--r--  1 root  wheel   9555 May 20  1998 httpd.conf.default
 -rw-r--r--  1 root  wheel  12205 May 20  1998 magic
 -rw-r--r--  1 root  wheel  12205 May 20  1998 magic.default
 -rw-r--r--  1 root  wheel   2700 May 20  1998 mime.types
 -rw-r--r--  1 root  wheel   2700 May 20  1998 mime.types.default
 -rw-r--r--  1 root  wheel   7980 May 20  1998 srm.conf
 -rw-r--r--  1 root  wheel   7933 May 20  1998 srm.conf.default</literallayout>
 
     <para>The file sizes show that only the <filename>srm.conf</filename>
       file has been changed.  A later update of the <application>Apache</application> port would not
       overwrite this changed file.</para>
 
   </sect1>
 
   <sect1 id="configtuning-starting-services">
     <sect1info>
       <authorgroup>
         <author>
 	<firstname>Tom</firstname>
 	<surname>Rhodes</surname>
 	<contrib>Contributed by </contrib>
 	</author>
       </authorgroup>
     </sect1info>
 
     <title>Starting Services</title>
 
     <indexterm><primary>services</primary></indexterm>
 
     <para>Many users choose to install third party software on &os;
       from the ports collection.  In many of these situations it
       may be necessary to configure the software in a manner which
       will allow it to be started upon system initialization.  Services,
       such as <filename role="package">mail/postfix</filename> or
       <filename role="package">www/apache13</filename> are just two
       of the many software packages which may be started during system
       initialization.  This section explains the procedures available
       for starting third party software.</para>
 
     <para>In &os;, most included services, such as &man.cron.8;, are
       started through the system start up scripts.  These scripts may
       differ depending on &os; or vendor version; however, the most
       important aspect to consider is that their start up configuration
       can be handled through simple startup scripts.</para>
 
     <para>Before the advent of rcNG, applications would drop a
       simple start up script into the
       <filename class="directory">/usr/local/etc/rc.d</filename>
       directory which would be read by the system initialization
       scripts.  These scripts would then be executed during the latter
       stages of system start up.</para>
 
     <para>While many individuals have spent hours trying to merge the
       old configuration style into the new system, the fact remains
       that some third party utilities still require a script simply
       dropped into the aforementioned directory.  The subtle differences
       in the scripts depend whether or not rcNG is being used.  Prior
       to &os;&nbsp;5.1 the old configuration style is used and in
       almost all cases a new style script would do just fine.</para>
 
     <para>While every script must meet some minimal requirements, most
       of the time these requirements are &os; version
       agnostic.  Each script must have a <filename>.sh</filename>
       extension appended to the end and every script must be
       executable by the system.  The latter may be achieved by using
       the <command>chmod</command> command and setting the unique permissions
       of <literal>755</literal>.  There should also be, at minimal,
       an option to <literal>start</literal> the application and an
       option to <literal>stop</literal> the application.</para>
 
     <para>The simplest start up script would probably look a little
       bit like this one:</para>
 
     <programlisting>#!/bin/sh
 echo -n ' utility'
 
 case "$1" in
 start)
         /usr/local/bin/utility
         ;;
 stop)
         kill -9 `cat /var/run/utility.pid`
         ;;
 *)
         echo "Usage: `basename $0` {start|stop}" >&2
         exit 64
         ;;
 esac
 
 exit 0</programlisting>
 
     <para>This script provides for a <literal>stop</literal> and
       <literal>start</literal> option for
       the application hereto referred simply as
       <literal>utility</literal>.  This application
       could then have the following line placed in
       <filename>/etc/rc.conf</filename>:</para>
 
     <programlisting>utility_enable="YES"</programlisting>
 
     <para>Could be started manually with:</para>
 
     <screen>&prompt.root; <userinput><filename>/usr/local/etc/rc.d/utility.sh</filename> start</userinput></screen>
 
     <para>While not all third party software requires the line in
       <filename>rc.conf</filename>, almost every day a new port will
       be modified to accept this configuration.  Check the final output
       of the installation for more information on a specific
       application.  Some third party software will provide start up
       scripts which permit the application to be used with
       rcNG; although, this will be discussed in the next section.</para>
 
     <sect2>
       <title>Extended Application Configuration</title>
 
       <para>Now that &os; includes rcNG, configuration of application
 	start up has become more optimal; indeed, it has become a bit
 	more in depth.  Using the key words discussed in the
 	<link linkend="configtuning-rcNG">rcNG</link> section,
 	applications may now be set to start after certain other
 	services for example <acronym>DNS</acronym>; may permit extra
 	flags to be passed through <filename>rc.conf</filename> in
 	place of hard coded flags in the start up script, etc.  A
 	basic script may look similar to the following:</para>
 
       <programlisting>#!/bin/sh
 #
 # PROVIDE: utility
 # REQUIRE: DAEMON
 # BEFORE: LOGIN
 # KEYWORD: FreeBSD shutdown
 
 #
 # DO NOT CHANGE THESE DEFAULT VALUES HERE
 # SET THEM IN THE /etc/rc.conf FILE
 #
 utility_enable=${utility_enable-"NO"}
 utility_flags=${utility_flags-""}
 utility_pidfile=${utility_pidfile-"/var/run/utility.pid"}
 
 . /etc/rc.subr
 
 name="utility"
 rcvar=`set_rcvar`
 command="/usr/local/sbin/utility"
 
 load_rc_config $name
 
 pidfile="${utility_pidfile}"
 
 start_cmd="echo \"Starting ${name}.\"; /usr/bin/nice -5 ${command} ${utility_flags} ${command_args}"
 
 run_rc_command "$1"</programlisting>
 
       <para>This script will ensure that the provided
 	<application>utility</application> will be started before the
 	<literal>login</literal> service but after the
 	<literal>daemon</literal> service.  It also provides a method
 	for setting and tracking the <acronym>PID</acronym>, or process
 	<acronym>ID</acronym> file.</para>
 
       <para>This new method also allows for easier manipulation of the
 	command line arguments, inclusion of the default functions
 	provided in <filename>/etc/rc.subr</filename>, compatibility
 	with the &man.rcorder.8; utility and provide for easier
 	configuration via the <filename>rc.conf</filename> file.  In
 	essence, this script could even be placed in
 	<filename class="directory">/etc/rc.d</filename> directory.
 	Yet, that has the potential to upset the &man.mergemaster.8;
 	utility when used in conjunction with software upgrades.</para>
     </sect2>
 
     <sect2>
       <title>Using Services to Start Services</title>
 
       <para>Other services, such as <acronym>POP</acronym>3 server
 	daemons, <acronym>IMAP</acronym>, etc. could be started using
 	the &man.inetd.8;.  This involves installing the service
 	utility from the ports collection with a configuration line
 	appended to the <filename>/etc/inetd.conf</filename> file,
 	or uncommenting one of the current configuration lines.  Working
 	with <application>inetd</application> and its configuration is
 	described in depth in the
 	<link linkend="network-inetd">inetd</link> section.</para>
 
       <para>In some cases, it may be more plausible to use the
 	&man.cron.8; daemon to start system services.  This approach
 	has a number of advantages because <command>cron</command> runs
 	these processes as the <filename>crontab</filename>'s file
 	owner.  This allows regular users to start and maintain some
 	applications.</para>
 
       <para>The <command>cron</command> utility provides a unique
 	feature, <literal>@reboot</literal>, which may be used in place
 	of the time specification.  This will cause the job to be run
 	when &man.cron.8; is started, normally during system
 	initialization.</para>
 
     </sect2>
   </sect1>
 
   <sect1 id="configtuning-cron">
     <sect1info>
       <authorgroup>
         <author>
 	<firstname>Tom</firstname>
 	<surname>Rhodes</surname>
 	<contrib>Contributed by </contrib>
 	<!-- 20 May 2003 -->
 	</author>
       </authorgroup>
     </sect1info>
     <title>Configuring the <command>cron</command> Utility</title>
 
     <indexterm><primary>cron</primary>
       <secondary>configuration</secondary></indexterm>
 
     <para>One of the most useful utilities in &os; is &man.cron.8;.  The
       <command>cron</command> utility runs in the background and constantly
       checks the <filename>/etc/crontab</filename> file.  The <command>cron</command>
       utility also checks the <filename>/var/cron/tabs</filename> directory, in
       search of new <filename>crontab</filename> files.  These
       <filename>crontab</filename> files store information about specific
       functions which <command>cron</command> is supposed to perform at
       certain times.</para>
 
     <para>The <command>cron</command> utility uses two different
       types of configuration files, the system crontab and user crontabs. The
       only difference between these two formats is the sixth field.  In the
       system crontab, the sixth field is the name of a user for the command
       to run as. This gives the system crontab the ability to run commands
       as any user. In a user crontab, the sixth field is the command to run,
       and all commands run as the user who created the crontab; this is an
       important security feature.</para>
 
     <note>
       <para>User crontabs allow individual users to schedule tasks without the 
         need for <username>root</username> privileges. Commands in a user's crontab run with the 
         permissions of the user who owns the crontab.</para>
 
       <para>The <username>root</username> user can have a user crontab just like
         any other user. This one is different from
         <filename>/etc/crontab</filename> (the system crontab). Because of the
         system crontab, there is usually no need to create a user crontab
         for <username>root</username>.</para>
     </note>
 
     <para>Let us take a look at the <filename>/etc/crontab</filename> file
       (the system crontab):</para>
 
 
     <programlisting># /etc/crontab - root's crontab for &os;
 #
 # &dollar;&os;: src/etc/crontab,v 1.32 2002/11/22 16:13:39 tom Exp &dollar;
 # <co id="co-comments">
 #
 SHELL=/bin/sh
 PATH=/etc:/bin:/sbin:/usr/bin:/usr/sbin <co id="co-env">
 HOME=/var/log
 #
 #
 #minute	hour	mday	month	wday	who	command <co id="co-field-descr">
 #
 #
 */5	*	*	*	*	root	/usr/libexec/atrun <co id="co-main">
 </programlisting>
 
     <calloutlist>
       <callout arearefs="co-comments">
 	<para>Like most &os; configuration files, the <literal>#</literal>
 	  character represents a comment.  A comment can be placed in
 	  the file as a reminder of what and why a desired action is performed.
 	  Comments cannot be on the same line as a command or else they will
 	  be interpreted as part of the command; they must be on a new line.
 	  Blank lines are ignored.</para>
       </callout>
 
       <callout arearefs="co-env">
 	<para>First, the environment must be defined.  The equals
 	  (<literal>=</literal>) character is used to define any environment
 	  settings, as with this example where it is used for the <envar>SHELL</envar>,
 	  <envar>PATH</envar>, and <envar>HOME</envar> options.  If the shell line is
 	  omitted, <command>cron</command> will use the default, which is
 	  <command>sh</command>.  If the <envar>PATH</envar> variable is
 	  omitted, no default will be used and file locations will need to
 	  be absolute.  If <envar>HOME</envar> is omitted, <command>cron</command>
 	  will use the invoking users home directory.</para>
       </callout>
 
       <callout arearefs="co-field-descr">
 	<para>This line defines a total of seven fields.  Listed here are the
 	  values <literal>minute</literal>, <literal>hour</literal>,
 	  <literal>mday</literal>, <literal>month</literal>, <literal>wday</literal>,
 	  <literal>who</literal>, and <literal>command</literal>.  These
 	  are almost all self explanatory.  <literal>minute</literal> is the time in minutes the
 	  command will be run.  <literal>hour</literal> is similar to the <literal>minute</literal> option, just in
 	  hours.  <literal>mday</literal> stands for day of the month.  <literal>month</literal> is similar to <literal>hour</literal>
 	  and <literal>minute</literal>, as it designates the month.  The <literal>wday</literal> option stands for
 	  day of the week.  All these fields must be numeric values, and follow
 	  the twenty-four hour clock.  The <literal>who</literal> field is special,
 	  and only exists in the <filename>/etc/crontab</filename> file.
 	  This field specifies which user the command should be run as.
 	  When a user installs his or her <filename>crontab</filename> file, they
 	  will not have this option. Finally, the <literal>command</literal> option is listed.
 	  This is the last field, so naturally it should designate the command
 	  to be executed.</para>
       </callout>
 
       <callout arearefs="co-main">
 	<para>This last line will define the values discussed above.  Notice here
 	  we have a <literal>*/5</literal> listing, followed by several more
 	  <literal>*</literal> characters.  These <literal>*</literal> characters
 	  mean <quote>first-last</quote>, and can be interpreted as
 	  <emphasis>every</emphasis> time.  So, judging by this line,
 	  it is apparent that the <command>atrun</command> command is to be invoked by
 	  <username>root</username> every five minutes regardless of what
 	  day or month it is.  For more information on the <command>atrun</command> command,
 	  see the &man.atrun.8; manual page.</para>
 
 	<para>Commands can have any number of flags passed to them; however,
 	  commands which extend to multiple lines need to be broken with the backslash
 	  <quote>\</quote> continuation character.</para>
       </callout>
     </calloutlist>
 
     <para>This is the basic set up for every
       <filename>crontab</filename> file, although there is one thing
       different about this one.  Field number six, where we specified
       the username, only exists in the system
       <filename>/etc/crontab</filename> file.  This field should be
       omitted for individual user <filename>crontab</filename>
       files.</para>
 
 
     <sect2 id="configtuning-installcrontab">
       <title>Installing a Crontab</title>
 
       <important>
       <para>You must not use the procedure described here to
         edit/install the system crontab. Simply use your favorite
         editor: the <command>cron</command> utility will notice that the file
         has changed and immediately begin using the updated version. 
         See
         <ulink url="&url.books.faq;/admin.html#ROOT-NOT-FOUND-CRON-ERRORS">
         this FAQ entry </ulink> for more information.</para>
       </important>
 
       <para>To install a freshly written user
 	<filename>crontab</filename>, first use your favorite editor to create
 	a file in the proper format, and then use the
 	<command>crontab</command> utility.  The most common usage
 	is:</para>
 
       <screen>&prompt.user; <userinput>crontab crontab-file</userinput></screen>
       
       <para>In this example, <filename>crontab-file</filename> is the filename
     of a <filename>crontab</filename> that was previously created.</para>
 
       <para>There is also an option to list installed
 	<filename>crontab</filename> files: just pass the
 	<option>-l</option> option to <command>crontab</command> and look
 	over the output.</para>
 
       <para>For users who wish to begin their own crontab file from scratch,
 	without the use of a template, the <command>crontab -e</command>
 	option is available.  This will invoke the selected editor
 	with an empty file.  When the file is saved, it will be
 	automatically installed by the <command>crontab</command> command.
       </para>
       
       <para>If you later want to remove your user <filename>crontab</filename>
 	completely, use <command>crontab</command> with the <option>-r</option>
 	option.
       </para>
 
     </sect2>
   </sect1>
 
   <sect1 id="configtuning-rcNG">
     <sect1info>
       <authorgroup>
         <author>
 	 <firstname>Tom</firstname>
 	 <surname>Rhodes</surname>
 	 <contrib>Contributed by </contrib>
 	 <!-- 16 May 2003 -->
         </author>
       </authorgroup>
     </sect1info>
 
     <title>Using rc under FreeBSD 5.X</title>
 
     <indexterm><primary>rcNG</primary></indexterm>
 
     <para>&os; has recently integrated the NetBSD
       <filename>rc.d</filename> system for system initialization.
       Users should notice the files listed in the
       <filename>/etc/rc.d</filename> directory.  Many of these files
       are for basic services which can be controlled with the
       <option>start</option>, <option>stop</option>,
       and <option>restart</option> options.
       For instance, &man.sshd.8; can be restarted with the following
       command:</para>
 
     <screen>&prompt.root; <userinput>/etc/rc.d/sshd restart</userinput></screen>
 
     <para>This procedure is similar for other services.  Of course,
       services are usually started automatically as specified in
       &man.rc.conf.5;.  For example, enabling the Network Address
       Translation daemon at startup is as simple as adding the
       following line to <filename>/etc/rc.conf</filename>:</para>
 
     <programlisting>natd_enable="YES"</programlisting>
 
     <para>If a <option>natd_enable="NO"</option> line is already
        present, then simply change the <option>NO</option> to
        <option>YES</option>.  The rc scripts will automatically load
        any other dependent services during the next reboot, as
        described below.</para>
 
     <para>Since the <filename>rc.d</filename> system is primarily
       intended to start/stop services at system startup/shutdown time,
       the standard <option>start</option>,
       <option>stop</option> and <option>restart</option> options will only
       perform their action if the appropriate
       <filename>/etc/rc.conf</filename> variables are set.  For
       instance the above <command>sshd restart</command> command will
       only work if <varname>sshd_enable</varname> is set to
       <option>YES</option> in <filename>/etc/rc.conf</filename>.  To
       <option>start</option>, <option>stop</option> or
       <option>restart</option> a service regardless of the settings in
       <filename>/etc/rc.conf</filename>, the commands should be
       prefixed with <quote>force</quote>.  For instance to restart
       <command>sshd</command> regardless of the current
       <filename>/etc/rc.conf</filename> setting, execute the following
       command:</para>
 
     <screen>&prompt.root; <userinput>/etc/rc.d/sshd forcerestart</userinput></screen>
 
     <para>It is easy to check if a service is enabled in
       <filename>/etc/rc.conf</filename> by running the appropriate
       <filename>rc.d</filename> script with the option
       <option>rcvar</option>.  Thus, an administrator can check that
       <command>sshd</command> is in fact enabled in
       <filename>/etc/rc.conf</filename> by running:</para>
 
     <screen>&prompt.root; <userinput>/etc/rc.d/sshd rcvar</userinput>
 # sshd
 $sshd_enable=YES</screen>
 
     <note>
       <para>The second line (<literal># sshd</literal>) is the output
         from the <command>sshd</command> command, not a <username>root</username>
         console.</para>
     </note>
 
     <para>To determine if a service is running, a
       <option>status</option> option is available.  For instance to
       verify that <command>sshd</command> is actually started:</para>
 
     <screen>&prompt.root; <userinput>/etc/rc.d/sshd status</userinput>
 sshd is running as pid 433.</screen>
 
     <para>It is also possible to <option>reload</option> a service.
       This will attempt to send a signal to an individual service, forcing the
       service to reload its configuration files.  In most cases this
       means sending the service a <literal>SIGHUP</literal>
       signal.</para>
 
     <para>The <application>rcNG</application> structure is not only used for network services, it also
       contributes to most of the system initialization.  For
       instance, consider the <filename>bgfsck</filename> file.  When
       this script is executed, it will print out the following
       message:</para>
 
     <screen>Starting background file system checks in 60 seconds.</screen>
 
     <para>Therefore this file is used for background file system
       checks, which are done only during system initialization.</para>
 
     <para>Many system services depend on other services to function
       properly.  For example, NIS and other RPC-based services may
       fail to start until after the <command>rpcbind</command>
       (portmapper) service has started.  To resolve this issue,
       information about dependencies and other meta-data is included
       in the comments at the top of each startup script.  The
       &man.rcorder.8; program is then used to parse these comments
       during system initialization to determine the order in which
       system services should be invoked to satisfy the dependencies.
       The following words may be included at the top of each startup
       file:</para>
 
     <itemizedlist>
       <listitem>
 	<para><literal>PROVIDE</literal>: Specifies the services this file provides.</para>
       </listitem>
 
       <listitem>
 	<para><literal>REQUIRE</literal>: Lists services which are required for this
 	  service.  This file will run <emphasis>after</emphasis>
 	  the specified services.</para>
       </listitem>
 
       <listitem>
 	<para><literal>BEFORE</literal>: Lists services which depend on this service.
 	  This file will run <emphasis>before</emphasis>
 	  the specified services.</para>
       </listitem>
 
       <listitem>
 	<para>KEYWORD: &os; or NetBSD.  This is used for *BSD dependent features.</para>
       </listitem>
     </itemizedlist>
 
     <para>By using this method, an administrator can easily control system
       services without the hassle of <quote>runlevels</quote> like
       some other &unix; operating systems.</para>
 
     <para>Additional information about the &os; 5.X
       <filename>rc.d</filename> system can be found in the &man.rc.8;
       and &man.rc.subr.8; manual pages.</para>
   </sect1>
 
   <sect1 id="config-network-setup">
     <sect1info>
       <authorgroup>
         <author>
 	 <firstname>Marc</firstname>
 	 <surname>Fonvieille</surname>
 	 <contrib>Contributed by </contrib>
 	 <!-- 6 October 2002 -->
         </author>
       </authorgroup>
     </sect1info>
 
     <title>Setting Up Network Interface Cards</title>
 
     <indexterm><primary>network card configuration</primary></indexterm>
 
     <para>Nowadays we can not think about a computer without thinking
       about a network connection.  Adding and configuring a network
       card is a common task for any &os; administrator.</para>
 
     <sect2>
       <title>Locating the Correct Driver</title>
 
       <indexterm>
 	<primary>network card configuration</primary>
 	<secondary>locating the driver</secondary>
       </indexterm>
 
       <para>Before you begin, you should know the model of the card
 	you have, the chip it uses, and whether it is a PCI or ISA card.
 	&os; supports a wide variety of both PCI and ISA cards.
 	Check the Hardware Compatibility List for your release to see
 	if your card is supported.</para>
 
       <para>Once you are sure your card is supported, you need
 	to determine the proper driver for the card.  The file
 	<filename>/usr/src/sys/i386/conf/LINT</filename> will give you
 	the list of network interfaces drivers with some information
 	about the supported chipsets/cards.  If you have doubts about
 	which driver is the correct one, read the manual page of the
 	driver.  The manual page will give you more information about
 	the supported hardware and even the possible problems that
 	could occur.</para>
 
       <para>If you own a common card, most of the time you will not
 	have to look very hard for a driver.  Drivers for common
 	network cards are present in the <filename>GENERIC</filename>
 	kernel, so your card should show up during boot, like so:</para>
 
 <screen>dc0: &lt;82c169 PNIC 10/100BaseTX&gt; port 0xa000-0xa0ff mem 0xd3800000-0xd38
 000ff irq 15 at device 11.0 on pci0
 dc0: Ethernet address: 00:a0:cc:da:da:da
 miibus0: &lt;MII bus&gt; on dc0
 ukphy0: &lt;Generic IEEE 802.3u media interface&gt; on miibus0
 ukphy0:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
 dc1: &lt;82c169 PNIC 10/100BaseTX&gt; port 0x9800-0x98ff mem 0xd3000000-0xd30
 000ff irq 11 at device 12.0 on pci0
 dc1: Ethernet address: 00:a0:cc:da:da:db
 miibus1: &lt;MII bus&gt; on dc1
 ukphy1: &lt;Generic IEEE 802.3u media interface&gt; on miibus1
 ukphy1:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto</screen>
 
       <para>In this example, we see that two cards using the &man.dc.4;
 	driver are present on the system.</para>
 
       <para>To use your network card, you will need to load the proper
 	driver.  This may be accomplished in one of two ways.  The
 	easiest way is to simply load a kernel module for your network
 	card with &man.kldload.8;.  A module is not available for all
 	network card drivers (ISA cards and cards using the &man.ed.4;
 	driver, for example).  Alternatively, you may statically compile
 	the support for your card into your kernel.  Check
 	<filename>/usr/src/sys/i386/conf/LINT</filename> and the
 	manual page of the driver to know what to add in your kernel
 	configuration file.  For more information about recompiling your
 	kernel, please see <xref linkend="kernelconfig">.  If your card
 	was detected at boot by your kernel (<filename>GENERIC</filename>)
 	you do not have to build a new kernel.</para>
     </sect2>
 
     <sect2>
       <title>Configuring the Network Card</title>
 
       <indexterm>
 	<primary>network card configuration</primary>
 	<secondary>configuration</secondary>
       </indexterm>
 
       <para>Once the right driver is loaded for the network card, the
 	card needs to be configured.  As with many other things, the
 	network card may have been configured at installation time by
 	<application>sysinstall</application>.</para>
 
       <para>To display the configuration for the network interfaces on
 	your system, enter the following command:</para>
 
 <screen>&prompt.user; <userinput>ifconfig</userinput>
 dc0: flags=8843&lt;UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST&gt; mtu 1500
         inet 192.168.1.3 netmask 0xffffff00 broadcast 192.168.1.255
         ether 00:a0:cc:da:da:da
         media: Ethernet autoselect (100baseTX &lt;full-duplex&gt;)
         status: active
 dc1: flags=8843&lt;UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST&gt; mtu 1500
         inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255
         ether 00:a0:cc:da:da:db
         media: Ethernet 10baseT/UTP
         status: no carrier
 lp0: flags=8810&lt;POINTOPOINT,SIMPLEX,MULTICAST&gt; mtu 1500
 lo0: flags=8049&lt;UP,LOOPBACK,RUNNING,MULTICAST&gt; mtu 16384
         inet 127.0.0.1 netmask 0xff000000
 tun0: flags=8010&lt;POINTOPOINT,MULTICAST&gt; mtu 1500</screen>
 
       <note>
 	<para>Old versions of &os; may require the <option>-a</option>
 	  option following &man.ifconfig.8;, for more details about the
 	  correct syntax of &man.ifconfig.8;, please refer to the manual
 	  page.  Note also that entries concerning IPv6
 	  (<literal>inet6</literal> etc.) were omitted in this
 	  example.</para>
       </note>
 
       <para>In this example, the following devices were
 	displayed:</para>
 
       <itemizedlist>
 	<listitem>
 	  <para><devicename>dc0</devicename>: The first Ethernet
 	    interface</para>
 	</listitem>
 
 	<listitem>
 	  <para><devicename>dc1</devicename>: The second Ethernet
 	    interface</para>
 	</listitem>
 
 	<listitem>
 	  <para><devicename>lp0</devicename>: The parallel port
 	    interface</para>
 	</listitem>
 
 	<listitem>
 	  <para><devicename>lo0</devicename>: The loopback device</para>
 	</listitem>
 
 	<listitem>
 	  <para><devicename>tun0</devicename>: The tunnel device used by
 	    <application>ppp</application></para>
 	</listitem>
       </itemizedlist>
 
       <para>&os; uses the driver name followed by the order in
 	which one the card is detected at the kernel boot to name the
 	network card.  For example <devicename>sis2</devicename> would
 	be the third network card on the system using the &man.sis.4;
 	driver.</para>
 
       <para>In this example, the <devicename>dc0</devicename> device is
 	up and running.  The key indicators are:</para>
 
       <orderedlist>
 	<listitem>
 	  <para><literal>UP</literal> means that the card is configured
 	    and ready.</para>
 	</listitem>
 
 	<listitem>
 	  <para>The card has an Internet (<literal>inet</literal>)
 	    address (in this case
 	    <hostid role="ipaddr">192.168.1.3</hostid>).</para>
 	</listitem>
 
 	<listitem>
 	  <para>It has a valid subnet mask (<literal>netmask</literal>;
 	    <hostid role="netmask">0xffffff00</hostid> is the same as
 	    <hostid role="netmask">255.255.255.0</hostid>).</para>
 	</listitem>
 
 	<listitem>
 	  <para>It has a valid broadcast address (in this case,
 	    <hostid role="ipaddr">192.168.1.255</hostid>).</para>
 	</listitem>
 
 	<listitem>
 	  <para>The MAC address of the card (<literal>ether</literal>)
 	    is <hostid role="mac">00:a0:cc:da:da:da</hostid></para>
 	</listitem>
 
 	<listitem>
 	  <para>The physical media selection is on autoselection mode
 	    (<literal>media: Ethernet autoselect (100baseTX
 	    &lt;full-duplex&gt;)</literal>).  We see that
 	    <devicename>dc1</devicename> was configured to run with
 	    <literal>10baseT/UTP</literal> media.  For more
 	    information on available media types for a driver, please
 	    refer to its manual page.</para>
 	</listitem>
 
 	<listitem>
 	  <para>The status of the link (<literal>status</literal>)
 	    is <literal>active</literal>, i.e. the carrier is detected.
 	    For <devicename>dc1</devicename>, we see
 	    <literal>status: no carrier</literal>.  This is normal when
 	    an Ethernet cable is not plugged into the card.</para>
 	</listitem>
       </orderedlist>
 
       <para>If the &man.ifconfig.8; output had shown something similar
 	to:</para>
 
 <screen>dc0: flags=8843&lt;BROADCAST,SIMPLEX,MULTICAST&gt; mtu 1500
 	        ether 00:a0:cc:da:da:da</screen>
 
       <para>it would indicate the card has not been configured.</para>
 
       <para>To configure your card, you need <username>root</username>
 	privileges.  The network card configuration can be done from the
 	command line with &man.ifconfig.8; but you would have to do it
 	after each reboot of the system.  The file
 	<filename>/etc/rc.conf</filename> is where to add the network
 	card's configuration.</para>
 
       <para>Open <filename>/etc/rc.conf</filename> in your favorite
 	editor.  You need to add a line for each network card present on
 	the system, for example in our case, we added these lines:</para>
 
 <programlisting>ifconfig_dc0="inet 192.168.1.3 netmask 255.255.255.0"
 ifconfig_dc1="inet 10.0.0.1 netmask 255.255.255.0 media 10baseT/UTP"</programlisting>
 
       <para>You have to replace <devicename>dc0</devicename>,
 	<devicename>dc1</devicename>, and so on, with
 	the correct device for your cards, and the addresses with the
 	proper ones.  You should read the card driver and
 	&man.ifconfig.8; manual pages for more details about the allowed
 	options and also &man.rc.conf.5; manual page for more
 	information on the syntax of
 	<filename>/etc/rc.conf</filename>.</para>
 
       <para>If you configured the network during installation, some
 	lines about the network card(s) may be already present.  Double
 	check <filename>/etc/rc.conf</filename> before adding any
 	lines.</para>
 
       <para>You will also have to edit the file
 	<filename>/etc/hosts</filename> to add the names and the IP
 	addresses of various machines of the LAN, if they are not already
 	there.  For more information please refer to &man.hosts.5;
 	and to <filename>/usr/share/examples/etc/hosts</filename>.</para>
     </sect2>
 
     <sect2>
       <title>Testing and Troubleshooting</title>
 
       <para>Once you have made the necessary changes in
 	<filename>/etc/rc.conf</filename>, you should reboot your
 	system.  This will allow the change(s) to the interface(s) to
 	be applied, and verify that the system restarts without any
 	configuration errors.</para>
 
       <para>Once the system has been rebooted, you should test the
 	network interfaces.</para>
 
       <sect3>
 	<title>Testing the Ethernet Card</title>
 
 	<indexterm>
 	  <primary>network card configuration</primary>
 	  <secondary>testing the card</secondary>
 	</indexterm>
 
 	<para>To verify that an Ethernet card is configured correctly,
 	  you have to try two things.  First, ping the interface itself,
 	  and then ping another machine on the LAN.</para>
 
 	<para>First test the local interface:</para>
 
 <screen>&prompt.user; <userinput>ping -c5 192.168.1.3</userinput>
 PING 192.168.1.3 (192.168.1.3): 56 data bytes
 64 bytes from 192.168.1.3: icmp_seq=0 ttl=64 time=0.082 ms
 64 bytes from 192.168.1.3: icmp_seq=1 ttl=64 time=0.074 ms
 64 bytes from 192.168.1.3: icmp_seq=2 ttl=64 time=0.076 ms
 64 bytes from 192.168.1.3: icmp_seq=3 ttl=64 time=0.108 ms
 64 bytes from 192.168.1.3: icmp_seq=4 ttl=64 time=0.076 ms
 
 --- 192.168.1.3 ping statistics ---
 5 packets transmitted, 5 packets received, 0% packet loss
 round-trip min/avg/max/stddev = 0.074/0.083/0.108/0.013 ms</screen>
 
 	<para>Now we have to ping another machine on the LAN:</para>
 
 <screen>&prompt.user; <userinput>ping -c5 192.168.1.2</userinput>
 PING 192.168.1.2 (192.168.1.2): 56 data bytes
 64 bytes from 192.168.1.2: icmp_seq=0 ttl=64 time=0.726 ms
 64 bytes from 192.168.1.2: icmp_seq=1 ttl=64 time=0.766 ms
 64 bytes from 192.168.1.2: icmp_seq=2 ttl=64 time=0.700 ms
 64 bytes from 192.168.1.2: icmp_seq=3 ttl=64 time=0.747 ms
 64 bytes from 192.168.1.2: icmp_seq=4 ttl=64 time=0.704 ms
 
 --- 192.168.1.2 ping statistics ---
 5 packets transmitted, 5 packets received, 0% packet loss
 round-trip min/avg/max/stddev = 0.700/0.729/0.766/0.025 ms</screen>
 
 	<para>You could also use the machine name instead of
 	  <hostid role="ipaddr">192.168.1.2</hostid> if you have set up the
 	  <filename>/etc/hosts</filename> file.</para>
       </sect3>
 
       <sect3>
 	<title>Troubleshooting</title>
 
       <indexterm>
 	<primary>network card configuration</primary>
 	<secondary>troubleshooting</secondary>
       </indexterm>
 
       <para>Troubleshooting hardware and software configurations is always
 	a pain, and a pain which can be alleviated by checking the simple
 	things first.  Is your network cable plugged in?  Have you properly
 	configured the network services?  Did you configure the firewall
 	correctly?  Is the card you are using supported by &os;?  Always
 	check the hardware notes before sending off a bug report.  Update
 	your version of &os; to the latest STABLE version.  Check the
 	mailing list archives, or perhaps search the Internet.</para>
 
       <para>If the card works, yet performance is poor, it would be
 	worthwhile to read over the &man.tuning.7; manual page.  You
 	can also check the network configuration as incorrect network
 	settings can cause slow connections.</para>
 
       <para>Some users experience one or two <errorname>device
 	timeout</errorname> messages, which is normal for some cards.  If they
 	continue, or are bothersome, you may wish to be sure the
 	device is not conflicting with another device.  Double check
 	the cable connections.  Perhaps you may just need to get
 	another card.</para>
 
       <para>At times, users see a few <errorname>watchdog timeout</errorname>
 	errors.  The first thing to do here is to check your network
 	cable. Many cards require a PCI slot which supports Bus
 	Mastering. On some old motherboards, only one PCI slot allows
 	it (usually slot 0). Check the network card and the
 	motherboard documentation to determine if that may be the
 	problem.</para>
 
       <para><errorname>No route to host</errorname> messages occur if the
 	system is unable to route a packet to the destination host.
 	This can happen if no default route is specified, or if a
 	cable is unplugged.  Check the output of <command>netstat
 	-rn</command> and make sure there is a valid route to the host
 	you are trying to reach.  If there is not, read on to <xref
 	linkend="advanced-networking">.</para>
 
       <para><errorname>ping: sendto: Permission denied</errorname> error
 	messages are often caused by a misconfigured firewall.  If
 	<command>ipfw</command> is enabled in the kernel but no rules
 	have been defined, then the default policy is to deny all
 	traffic, even ping requests!  Read on to <xref
 	linkend="firewalls"> for more information.</para>
 
       <para>Sometimes performance of the card is poor, or below average.
 	In these cases it is best to set the media selection mode
 	from <literal>autoselect</literal> to the correct media selection.
 	While this usually works for most hardware, it may not resolve
 	this issue for everyone.  Again, check all the network settings,
 	and read over the &man.tuning.7; manual page.</para>
 
       </sect3>
     </sect2>
   </sect1>
 
   <sect1 id="configtuning-virtual-hosts">
     <title>Virtual Hosts</title>
 
     <indexterm><primary>virtual hosts</primary></indexterm>
     <indexterm><primary>IP aliases</primary></indexterm>
 
     <para>A very common use of &os; is virtual site hosting, where
       one server appears to the network as many servers.  This is
       achieved by assigning multiple network addresses to a single
       interface.</para>
 
     <para>A given network interface has one <quote>real</quote> address,
       and may have any number of <quote>alias</quote> addresses.
       These aliases are
       normally added by placing alias entries in
       <filename>/etc/rc.conf</filename>.</para>
 
     <para>An alias entry for the interface <devicename>fxp0</devicename>
       looks like:</para>
 
 <programlisting>ifconfig_fxp0_alias0="inet xxx.xxx.xxx.xxx netmask xxx.xxx.xxx.xxx"</programlisting>
 
     <para>Note that alias entries must start with <literal>alias0</literal> and proceed
       upwards in order, (for example, <literal>_alias1</literal>, <literal>_alias2</literal>, and so on).
       The configuration process will stop at the first missing number.
     </para>
 
     <para>The calculation of alias netmasks is important, but
       fortunately quite simple.  For a given interface, there must be
       one address which correctly represents the network's netmask.
       Any other addresses which fall within this network must have a
       netmask of all <literal>1</literal>s (expressed as either
       <hostid role="netmask">255.255.255.255</hostid> or <hostid role="netmask">0xffffffff</hostid>).
       </para>
 
     <para>For example, consider the case where the
       <devicename>fxp0</devicename> interface is
       connected to two networks, the <hostid role="ipaddr">10.1.1.0</hostid>
       network with a netmask of <hostid role="netmask">255.255.255.0</hostid>
       and the <hostid role="ipaddr">202.0.75.16</hostid> network with
       a netmask of <hostid role="netmask">255.255.255.240</hostid>.
       We want the system to appear at <hostid role="ipaddr">10.1.1.1</hostid>
       through <hostid role="ipaddr">10.1.1.5</hostid> and at
       <hostid role="ipaddr">202.0.75.17</hostid> through
       <hostid role="ipaddr">202.0.75.20</hostid>.  As noted above, only the
       first address in a given network range (in this case,
       <hostid role="ipaddr">10.0.1.1</hostid> and
       <hostid role="ipaddr">202.0.75.17</hostid>) should have a real
       netmask; all the rest (<hostid role="ipaddr">10.1.1.2</hostid>
       through <hostid role="ipaddr">10.1.1.5</hostid> and
       <hostid role="ipaddr">202.0.75.18</hostid> through
       <hostid role="ipaddr">202.0.75.20</hostid>) must be configured with a
       netmask of <hostid role="netmask">255.255.255.255</hostid>.</para>
 
     <para>The following entries configure the adapter correctly for
       this arrangement:</para>
 
 <programlisting> ifconfig_fxp0="inet 10.1.1.1 netmask 255.255.255.0"
  ifconfig_fxp0_alias0="inet 10.1.1.2 netmask 255.255.255.255"
  ifconfig_fxp0_alias1="inet 10.1.1.3 netmask 255.255.255.255"
  ifconfig_fxp0_alias2="inet 10.1.1.4 netmask 255.255.255.255"
  ifconfig_fxp0_alias3="inet 10.1.1.5 netmask 255.255.255.255"
  ifconfig_fxp0_alias4="inet 202.0.75.17 netmask 255.255.255.240"
  ifconfig_fxp0_alias5="inet 202.0.75.18 netmask 255.255.255.255"
  ifconfig_fxp0_alias6="inet 202.0.75.19 netmask 255.255.255.255"
  ifconfig_fxp0_alias7="inet 202.0.75.20 netmask 255.255.255.255"</programlisting>
 
   </sect1>
 
   <sect1 id="configtuning-configfiles">
     <title>Configuration Files</title>
 
     <sect2>
       <title><filename>/etc</filename> Layout</title>
       <para>There are a number of directories in which configuration
 	information is kept.  These include:</para>
 
-      <informaltable frame="none">
+      <informaltable frame="none" pgwide="1">
 	<tgroup cols="2">
 	  <colspec colwidth="1*">
 	  <colspec colwidth="2*">
 
 	  <tbody>
 	    <row>
 	      <entry><filename>/etc</filename></entry>
 	      <entry>Generic system configuration information; data here is
 		system-specific.</entry>
 	    </row>
 	    <row>
 	      <entry><filename>/etc/defaults</filename></entry>
 	      <entry>Default versions of system configuration files.</entry>
 	    </row>
 	    <row>
 	      <entry><filename>/etc/mail</filename></entry>
 	      <entry>Extra &man.sendmail.8; configuration, other
 		MTA configuration files.
 	      </entry>
 	    </row>
 	    <row>
 	      <entry><filename>/etc/ppp</filename></entry>
 	      <entry>Configuration for both user- and kernel-ppp programs.
 	      </entry>
 	    </row>
 	    <row>
 	      <entry><filename>/etc/namedb</filename></entry>
 	      <entry>Default location for &man.named.8; data.  Normally
 		<filename>named.conf</filename> and zone files are stored
                 here.</entry>
 	    </row>
 	    <row>
 	      <entry><filename>/usr/local/etc</filename></entry>
 	      <entry>Configuration files for installed applications.
 		May contain per-application subdirectories.</entry>
 	    </row>
 	    <row>
 	      <entry><filename>/usr/local/etc/rc.d</filename></entry>
 	      <entry>Start/stop scripts for installed applications.</entry>
 	    </row>
 	    <row>
 	      <entry><filename>/var/db</filename></entry>
 	      <entry>Automatically generated system-specific database files,
                  such as the package database, the locate database, and so
                  on</entry>
 	    </row>
 	  </tbody>
 	</tgroup>
       </informaltable>
     </sect2>
 
     <sect2>
       <title>Hostnames</title>
 
       <indexterm><primary>hostname</primary></indexterm>
       <indexterm><primary>DNS</primary></indexterm>
 
       <sect3>
 	<title><filename>/etc/resolv.conf</filename></title>
 
 	<indexterm>
 	  <primary><filename>resolv.conf</filename></primary>
 	</indexterm>
 
 	<para><filename>/etc/resolv.conf</filename> dictates how &os;'s
 	  resolver accesses the Internet Domain Name System (DNS).</para>
 
 	<para>The most common entries to <filename>resolv.conf</filename> are:
 	</para>
 
-	<informaltable frame="none">
+	<informaltable frame="none" pgwide="1">
 	  <tgroup cols="2">
 	  <colspec colwidth="1*">
 	  <colspec colwidth="2*">
 
 	    <tbody>
 	      <row>
 		<entry><literal>nameserver</literal></entry>
 		<entry>The IP address of a name server the resolver
 		  should query.  The servers are queried in the order
 		  listed with a maximum of three.</entry>
 	      </row>
 	      <row>
 		<entry><literal>search</literal></entry>
 		<entry>Search list for hostname lookup.  This is normally
 		  determined by the domain of the local hostname.</entry>
 	      </row>
 	      <row>
 		<entry><literal>domain</literal></entry>
 		<entry>The local domain name.</entry>
 	      </row>
 	    </tbody>
 	  </tgroup>
 	</informaltable>
 
 	<para>A typical <filename>resolv.conf</filename>:</para>
 
 	<programlisting>search example.com
 nameserver 147.11.1.11
 nameserver 147.11.100.30</programlisting>
 
 	<note><para>Only one of the <literal>search</literal> and
 	  <literal>domain</literal> options should be used.</para></note>
 
 	<para>If you are using DHCP, &man.dhclient.8; usually rewrites
 	  <filename>resolv.conf</filename> with information received from the
 	  DHCP server.</para>
       </sect3>
 
       <sect3>
 	<title><filename>/etc/hosts</filename></title>
 
 	<indexterm><primary>hosts</primary></indexterm>
 
 	<para><filename>/etc/hosts</filename> is a simple text
 	  database reminiscent of the old Internet.  It works in
 	  conjunction with DNS and NIS providing name to IP address
 	  mappings.  Local computers connected via a LAN can be placed
 	  in here for simplistic naming purposes instead of setting up
 	  a &man.named.8; server.  Additionally,
 	  <filename>/etc/hosts</filename> can be used to provide a
 	  local record of Internet names, reducing the need to query
 	  externally for commonly accessed names.</para>
 
 	<programlisting># &dollar;&os;&dollar;
 #
 # Host Database
 # This file should contain the addresses and aliases
 # for local hosts that share this file.
 # In the presence of the domain name service or NIS, this file may
 # not be consulted at all; see /etc/nsswitch.conf for the resolution order.
 #
 #
 ::1                     localhost localhost.my.domain myname.my.domain
 127.0.0.1               localhost localhost.my.domain myname.my.domain
 
 #
 # Imaginary network.
 #10.0.0.2               myname.my.domain myname
 #10.0.0.3               myfriend.my.domain myfriend
 #
 # According to RFC 1918, you can use the following IP networks for
 # private nets which will never be connected to the Internet:
 #
 #       10.0.0.0        -   10.255.255.255
 #       172.16.0.0      -   172.31.255.255
 #       192.168.0.0     -   192.168.255.255
 #
 # In case you want to be able to connect to the Internet, you need
 # real official assigned numbers.  PLEASE PLEASE PLEASE do not try
 # to invent your own network numbers but instead get one from your
 # network provider (if any) or from the Internet Registry (ftp to
 # rs.internic.net, directory `/templates').
 #</programlisting>
 
 	<para><filename>/etc/hosts</filename> takes on the simple format
 	  of:</para>
 
 	<programlisting>[Internet address] [official hostname] [alias1] [alias2] ...</programlisting>
 
 	<para>For example:</para>
 
 	<programlisting>10.0.0.1 myRealHostname.example.com myRealHostname foobar1 foobar2</programlisting>
 
 	<para>Consult &man.hosts.5; for more information.</para>
       </sect3>
     </sect2>
 
     <sect2>
       <title>Log File Configuration</title>
 
       <indexterm><primary>log files</primary></indexterm>
 
       <sect3>
 	<title><filename>syslog.conf</filename></title>
 
 	<indexterm><primary>syslog.conf</primary></indexterm>
 
 	<para><filename>syslog.conf</filename> is the configuration file
 	  for the &man.syslogd.8; program.  It indicates which types
 	  of <command>syslog</command> messages are logged to particular
 	  log files.</para>
 
 	<programlisting># &dollar;&os;&dollar;
 #
 #       Spaces ARE valid field separators in this file. However,
 #       other *nix-like systems still insist on using tabs as field
 #       separators. If you are sharing this file between systems, you
 #       may want to use only tabs as field separators here.
 #       Consult the syslog.conf(5) manual page.
 *.err;kern.debug;auth.notice;mail.crit          /dev/console
 *.notice;kern.debug;lpr.info;mail.crit;news.err /var/log/messages
 security.*                                      /var/log/security
 mail.info                                       /var/log/maillog
 lpr.info                                        /var/log/lpd-errs
 cron.*                                          /var/log/cron
 *.err                                           root
 *.notice;news.err                               root
 *.alert                                         root
 *.emerg                                         *
 # uncomment this to log all writes to /dev/console to /var/log/console.log
 #console.info                                   /var/log/console.log
 # uncomment this to enable logging of all log messages to /var/log/all.log
 #*.*                                            /var/log/all.log
 # uncomment this to enable logging to a remote log host named loghost
 #*.*                                            @loghost
 # uncomment these if you're running inn
 # news.crit                                     /var/log/news/news.crit
 # news.err                                      /var/log/news/news.err
 # news.notice                                   /var/log/news/news.notice
 !startslip
 *.*                                             /var/log/slip.log
 !ppp
 *.*                                             /var/log/ppp.log</programlisting>
 
 	<para>Consult the &man.syslog.conf.5; manual page for more
 	  information.</para>
       </sect3>
 
       <sect3>
 	<title><filename>newsyslog.conf</filename></title>
 
 	<indexterm><primary>newsyslog.conf</primary></indexterm>
 
 	<para><filename>newsyslog.conf</filename> is the configuration
 	  file for &man.newsyslog.8;, a program that is normally scheduled
 	  to run by &man.cron.8;.  &man.newsyslog.8; determines when log
 	  files require archiving or rearranging.
 	  <filename>logfile</filename> is moved to
 	  <filename>logfile.0</filename>, <filename>logfile.0</filename>
 	  is moved to <filename>logfile.1</filename>, and so on.
 	  Alternatively, the log files may be archived in &man.gzip.1; format
 	  causing them to be named: <filename>logfile.0.gz</filename>,
 	  <filename>logfile.1.gz</filename>, and so on.</para>
 
 	<para><filename>newsyslog.conf</filename> indicates which log
 	  files are to be managed, how many are to be kept, and when
 	  they are to be touched.  Log files can be rearranged and/or
 	  archived when they have either reached a certain size, or at a
 	  certain periodic time/date.</para>
 
 	<programlisting># configuration file for newsyslog
 # &dollar;&os;&dollar;
 #
 # filename          [owner:group]    mode count size when [ZB] [/pid_file] [sig_num]
 /var/log/cron                           600  3     100  *     Z
 /var/log/amd.log                        644  7     100  *     Z
 /var/log/kerberos.log                   644  7     100  *     Z
 /var/log/lpd-errs                       644  7     100  *     Z
 /var/log/maillog                        644  7     *    @T00  Z
 /var/log/sendmail.st                    644  10    *    168   B
 /var/log/messages                       644  5     100  *     Z
 /var/log/all.log                        600  7     *    @T00  Z
 /var/log/slip.log                       600  3     100  *     Z
 /var/log/ppp.log                        600  3     100  *     Z
 /var/log/security                       600  10    100  *     Z
 /var/log/wtmp                           644  3     *    @01T05 B
 /var/log/daily.log                      640  7     *    @T00  Z
 /var/log/weekly.log                     640  5     1    $W6D0 Z
 /var/log/monthly.log                    640  12    *    $M1D0 Z
 /var/log/console.log                    640  5     100  *     Z</programlisting>
 
 	<para>Consult the &man.newsyslog.8; manual page for more
 	  information.</para>
       </sect3>
     </sect2>
 
     <sect2 id="configtuning-sysctlconf">
       <title><filename>sysctl.conf</filename></title>
 
       <indexterm><primary>sysctl.conf</primary></indexterm>
       <indexterm><primary>sysctl</primary></indexterm>
 
       <para><filename>sysctl.conf</filename> looks much like
 	<filename>rc.conf</filename>.  Values are set in a
 	<literal>variable=value</literal>
 	form.  The specified values are set after the system goes into
 	multi-user mode.  Not all variables are settable in this mode.</para>
 
       <para>A sample <filename>sysctl.conf</filename> turning off logging
 	of fatal signal exits and letting Linux programs know they are really
 	running under &os;:</para>
 
       <programlisting>kern.logsigexit=0       # Do not log fatal signal exits (e.g. sig 11)
 compat.linux.osname=&os;
 compat.linux.osrelease=4.3-STABLE</programlisting>
     </sect2>
   </sect1>
 
   <sect1 id="configtuning-sysctl">
     <title>Tuning with sysctl</title>
 
     <indexterm><primary>sysctl</primary></indexterm>
     <indexterm>
       <primary>tuning</primary>
       <secondary>with sysctl</secondary>
     </indexterm>
 
     <para>&man.sysctl.8; is an interface that allows you to make changes
       to a running &os; system.  This includes many advanced
       options of the TCP/IP stack and virtual memory system that can
       dramatically improve performance for an experienced system
       administrator.  Over five hundred system variables can be read
       and set using &man.sysctl.8;.</para>
 
     <para>At its core, &man.sysctl.8; serves two functions: to read and
       to modify system settings.</para>
 
     <para>To view all readable variables:</para>
 
     <screen>&prompt.user; <userinput>sysctl -a</userinput></screen>
 
     <para>To read a particular variable, for example,
       <varname>kern.maxproc</varname>:</para>
 
     <screen>&prompt.user; <userinput>sysctl kern.maxproc</userinput>
 kern.maxproc: 1044</screen>
 
     <para>To set a particular variable, use the intuitive
       <replaceable>variable</replaceable>=<replaceable>value</replaceable>
       syntax:</para>
 
     <screen>&prompt.root; <userinput>sysctl kern.maxfiles=5000</userinput>
 kern.maxfiles: 2088 -> 5000</screen>
 
     <para>Settings of sysctl variables are usually either strings,
       numbers, or booleans (a  boolean being <literal>1</literal> for yes
       or a <literal>0</literal> for no).</para>
 
     <para>If you want to set automatically some variables each time
       the machine boots, add them to the
       <filename>/etc/sysctl.conf</filename> file.  For more information
       see the &man.sysctl.conf.5; manual page and the
       <xref linkend="configtuning-sysctlconf">.</para>
 
   <sect2 id="sysctl-readonly">
     <sect2info>
       <authorgroup>
         <author>
 	 <firstname>Tom</firstname>
 	 <surname>Rhodes</surname>
 	 <contrib>Contributed by </contrib>
 	 <!-- 31 January 2003 -->
         </author>
       </authorgroup>
     </sect2info>
     <title>&man.sysctl.8; Read-only</title>
 
     <para>In some cases it may be desirable to modify read-only &man.sysctl.8;
       values.  While this is not recommended, it is also sometimes unavoidable.</para>
 
     <para>For instance on some laptop models the &man.cardbus.4; device will
       not probe memory ranges, and fail with errors which look similar to:</para>
 
     <screen>cbb0: Could not map register memory
 device_probe_and_attach: cbb0 attach returned 12</screen>
 
     <para>Cases like the one above usually require the modification of some
       default &man.sysctl.8; settings which are set read only.  To overcome
       these situations a user can put &man.sysctl.8; <quote>OIDs</quote>
       in their local <filename>/boot/loader.conf</filename>.  Default
       settings are located in the <filename>/boot/defaults/loader.conf</filename>
       file.</para>
 
     <para>Fixing the problem mentioned above would require a user to set
       <option>hw.pci.allow_unsupported_io_range=1</option> in the aforementioned
       file.  Now &man.cardbus.4; will work properly.</para>
 
     </sect2>
   </sect1>
 
   <sect1 id="configtuning-disk">
     <title>Tuning Disks</title>
 
     <sect2>
       <title>Sysctl Variables</title>
 
       <sect3>
 	<title><varname>vfs.vmiodirenable</varname></title>
 
 	<indexterm>
 	  <primary><varname>vfs.vmiodirenable</varname></primary>
 	</indexterm>
 
 	<para>The <varname>vfs.vmiodirenable</varname> sysctl variable
 	  may be set to either 0 (off) or 1 (on); it is 1 by default.
 	  This variable controls how directories are cached by the
 	  system.  Most directories are small, using just a single
 	  fragment (typically 1&nbsp;K) in the file system and less
 	  (typically 512&nbsp;bytes) in the buffer cache.
 	  With this variable turned off (to 0), the buffer
 	  cache will only cache a fixed number of directories even if
 	  you have a huge amount of memory.  When turned on (to 1), this sysctl
 	  allows the buffer cache to use the VM Page Cache to cache the
 	  directories, making all the memory available for caching
 	  directories.  However,
 	  the minimum in-core memory used to cache a directory is the
 	  physical page size (typically 4&nbsp;K) rather than 512&nbsp;
 	  bytes.  We recommend keeping this option on if you are running
 	  any services which manipulate large numbers of files.  Such
 	  services can include web caches, large mail systems, and news
 	  systems.  Keeping this option on will generally not reduce
 	  performance even with the wasted memory but you should
 	  experiment to find out.</para>
       </sect3>
 
      <sect3>
  	<title><varname>vfs.write_behind</varname></title>
 
  	<indexterm>
  	  <primary><varname>vfs.write_behind</varname></primary>
  	</indexterm>
 
  	<para>The <varname>vfs.write_behind</varname> sysctl variable
  	  defaults to <literal>1</literal> (on).  This tells the file system
  	  to issue media writes as full clusters are collected, which
  	  typically occurs when writing large sequential files.  The idea
  	  is to avoid saturating the buffer cache with dirty buffers when
  	  it would not benefit I/O performance.  However, this may stall
  	  processes and under certain circumstances you may wish to turn it
  	  off.</para>
        </sect3>
 
        <sect3>
  	<title><varname>vfs.hirunningspace</varname></title>
 
  	<indexterm>
  	  <primary><varname>vfs.hirunningspace</varname></primary>
  	</indexterm>
 
  	<para>The <varname>vfs.hirunningspace</varname> sysctl variable
  	  determines how much outstanding write I/O may be queued to disk
  	  controllers system-wide at any given instance.  The default is
  	  usually sufficient but on machines with lots of disks you may
  	  want to bump it up to four or five <emphasis>megabytes</emphasis>.
  	  Note that setting too high a value (exceeding the buffer cache's
  	  write threshold) can lead to extremely bad clustering
  	  performance.  Do not set this value arbitrarily high!  Higher
  	  write values may add latency to reads occurring at the same time.
  	</para>
 
  	<para>There are various other buffer-cache and VM page cache
  	  related sysctls.  We do not recommend modifying these values.  As
  	  of &os;&nbsp;4.3, the VM system does an extremely good job of
  	  automatically tuning itself.</para>
        </sect3>
 
        <sect3>
  	<title><varname>vm.swap_idle_enabled</varname></title>
 
  	<indexterm>
  	  <primary><varname>vm.swap_idle_enabled</varname></primary>
  	</indexterm>
 
  	<para>The <varname>vm.swap_idle_enabled</varname> sysctl variable
  	  is useful in large multi-user systems where you have lots of
  	  users entering and leaving the system and lots of idle processes.
  	  Such systems tend to generate a great deal of continuous pressure
  	  on free memory reserves.  Turning this feature on and tweaking
  	  the swapout hysteresis (in idle seconds) via
  	  <varname>vm.swap_idle_threshold1</varname> and
  	  <varname>vm.swap_idle_threshold2</varname> allows you to depress
  	  the priority of memory pages associated with idle processes more
  	  quickly then the normal pageout algorithm.  This gives a helping
  	  hand to the pageout daemon.  Do not turn this option on unless
  	  you need it, because the tradeoff you are making is essentially
  	  pre-page memory sooner rather than later; thus eating more swap
  	  and disk bandwidth.  In a small system this option will have a
  	  determinable effect but in a large system that is already doing
  	  moderate paging this option allows the VM system to stage whole
  	  processes into and out of memory easily.</para>
        </sect3>
 
       <sect3>
 	<title><varname>hw.ata.wc</varname></title>
 
 	<indexterm>
 	  <primary><varname>hw.ata.wc</varname></primary>
 	</indexterm>
 
 	<para>&os;&nbsp;4.3 flirted with turning off IDE write caching.
 	  This reduced write bandwidth to IDE disks but was considered
 	  necessary due to serious data consistency issues introduced
 	  by hard drive vendors.  The problem is that IDE
 	  drives lie about when a write completes.  With IDE write
 	  caching turned on, IDE hard drives not only write data
 	  to disk out of order, but will sometimes delay writing some
 	  blocks indefinitely when under heavy disk loads.  A crash or
 	  power failure may cause serious file system corruption.
 	  &os;'s default was changed to be safe.  Unfortunately, the
 	  result was such a huge performance loss that we changed
 	  write caching back to on by default after the release.  You
 	  should check the default on your system by observing the
 	  <varname>hw.ata.wc</varname> sysctl variable.  If IDE write
 	  caching is turned off, you can turn it back on by setting
 	  the kernel variable back to 1.  This must be done from the
 	  boot loader at boot time.  Attempting to do it after the
 	  kernel boots will have no effect.</para>
 
 	<para>For more information, please see &man.ata.4;.</para>
       </sect3>
 
       <sect3>
 	<title><literal>SCSI_DELAY</literal>
 	(<varname>kern.cam.scsi_delay</varname>)</title>
 
 	<indexterm>
 	  <primary><literal>SCSI_DELAY</literal></primary>
 	  <secondary><varname>kern.cam.scsi_delay</varname></secondary>
 	</indexterm>
 
 	<para>The <literal>SCSI_DELAY</literal> kernel config may be used to
 	  reduce system boot times.  The defaults are fairly high and can be
 	  responsible for <literal>15</literal> seconds of delay in the
 	  boot process.  Reducing it to <literal>5</literal> seconds usually
 	  works (especially with modern drives).  Newer versions of &os;
 	  (5.0 and higher) should use the <varname>kern.cam.scsi_delay</varname>
 	  boot time tunable.  The tunable, and kernel config option accept
 	  values in terms of <emphasis>milliseconds</emphasis> and
 	  <emphasis>not</emphasis> <emphasis>seconds</emphasis>.</para>
       </sect3>
     </sect2>
 
     <sect2 id="soft-updates">
       <title>Soft Updates</title>
 
       <indexterm><primary>Soft Updates</primary></indexterm>
       <indexterm><primary>tunefs</primary></indexterm>
 
       <para>The &man.tunefs.8; program can be used to fine-tune a
 	file system.  This program has many different options, but for
 	now we are only concerned with toggling Soft Updates on and
 	off, which is done by:</para>
 
       <screen>&prompt.root; <userinput>tunefs -n enable /filesystem</userinput>
 &prompt.root; <userinput>tunefs -n disable /filesystem</userinput></screen>
 
       <para>A filesystem cannot be modified with &man.tunefs.8; while
 	it is mounted.  A good time to enable Soft Updates is before any
 	partitions have been mounted, in single-user mode.</para>
 
       <note><para>As of &os;&nbsp;4.5, it is possible to enable Soft Updates
 	at filesystem creation time, through use of the <literal>-U</literal>
 	option to &man.newfs.8;.</para></note>
 
       <para>Soft Updates drastically improves meta-data performance, mainly
         file creation and deletion, through the use of a memory cache.  We
         recommend to use Soft Updates on all of your file systems.  There
         are two downsides to Soft Updates that you should be aware of:  First,
         Soft Updates guarantees filesystem consistency in the case of a crash
         but could very easily be several seconds (even a minute!) behind
         updating the physical disk.  If your system crashes you may lose more
         work than otherwise.  Secondly, Soft Updates delays the freeing of
         filesystem blocks.  If you have a filesystem (such as the root
 	filesystem) which is almost full, performing a major update, such as
         <command>make installworld</command>, can cause the filesystem to run
 	out of space and the update to fail.</para>
 
       <sect3>
 	<title>More Details about Soft Updates</title>
 
 	<indexterm>
 	  <primary>Soft Updates</primary>
 	  <secondary>details</secondary>
 	</indexterm>
 
 	<para>There are two traditional approaches to writing a file
 	  systems meta-data back to disk.  (Meta-data updates are
 	  updates to non-content data like inodes or
 	  directories.)</para>
 
 	<para>Historically, the default behavior was to write out
 	  meta-data updates synchronously.  If a directory had been
 	  changed, the system waited until the change was actually
 	  written to disk.  The file data buffers (file contents) were
 	  passed through the buffer cache and backed up
 	  to disk later on asynchronously.  The advantage of this
 	  implementation is that it operates safely.  If there is
 	  a failure during an update, the meta-data are always in a
 	  consistent state.  A file is either created completely
 	  or not at all.  If the data blocks of a file did not find
 	  their way out of the buffer cache onto the disk by the time
 	  of the crash, &man.fsck.8; is able to recognize this and
 	  repair the filesystem by setting the file length to
 	  0.  Additionally, the implementation is clear and simple.
 	  The disadvantage is that meta-data changes are slow.  An
 	  <command>rm -r</command>, for instance, touches all the files
 	  in a directory sequentially, but each directory
 	  change (deletion of a file) will be written synchronously
 	  to the disk.  This includes updates to the directory itself,
 	  to the inode table, and possibly to indirect blocks
 	  allocated by the file.  Similar considerations apply for
 	  unrolling large hierarchies (<command>tar -x</command>).</para>
 
 	<para>The second case is asynchronous meta-data updates.  This
   	  is the default for Linux/ext2fs and
   	  <command>mount -o async</command> for *BSD ufs.  All
   	  meta-data updates are simply being passed through the buffer
   	  cache too, that is, they will be intermixed with the updates
   	  of the file content data.  The advantage of this
   	  implementation is there is no need to wait until each
   	  meta-data update has been written to disk, so all operations
   	  which cause huge amounts of meta-data updates work much
   	  faster than in the synchronous case.  Also, the
   	  implementation is still clear and simple, so there is a low
   	  risk for bugs creeping into the code.  The disadvantage is
   	  that there is no guarantee at all for a consistent state of
   	  the filesystem.  If there is a failure during an operation
   	  that updated large amounts of meta-data (like a power
   	  failure, or someone pressing the reset button),
 	  the filesystem
   	  will be left in an unpredictable state.  There is no opportunity
   	  to examine the state of the filesystem when the system
   	  comes up again; the data blocks of a file could already have
   	  been written to the disk while the updates of the inode
   	  table or the associated directory were not.  It is actually
   	  impossible to implement a <command>fsck</command> which is
   	  able to clean up the resulting chaos (because the necessary
   	  information is not available on the disk).  If the
 	  filesystem has been damaged beyond repair, the only choice
 	  is to use &man.newfs.8; on it and restore it from backup.
 	  </para>
 
 	<para>The usual solution for this problem was to implement
 	  <emphasis>dirty region logging</emphasis>, which is also
 	  referred to as <emphasis>journaling</emphasis>, although that
 	  term is not used consistently and is occasionally applied
 	  to other forms of transaction logging as well.  Meta-data
 	  updates are still written synchronously, but only into a
 	  small region of the disk.  Later on they will be moved
 	  to their proper location.  Because the logging
 	  area is a small, contiguous region on the disk, there
 	  are no long distances for the disk heads to move, even
 	  during heavy operations, so these operations are quicker
 	  than synchronous updates.
 	  Additionally the complexity of the implementation is fairly
 	  limited, so the risk of bugs being present is low.  A disadvantage
 	  is that all meta-data are written twice (once into the
 	  logging region and once to the proper location) so for
 	  normal work, a performance <quote>pessimization</quote>
 	  might result.  On the other hand, in case of a crash, all
 	  pending meta-data operations can be quickly either rolled-back
 	  or completed from the logging area after the system comes
 	  up again, resulting in a fast filesystem startup.</para>
 
 	<para>Kirk McKusick, the developer of Berkeley FFS,
 	   solved this problem with Soft Updates: all pending
 	   meta-data updates are kept in memory and written out to disk
 	   in a sorted sequence (<quote>ordered meta-data
 	   updates</quote>).  This has the effect that, in case of
 	   heavy meta-data operations, later updates to an item
 	   <quote>catch</quote> the earlier ones if the earlier ones are still in
 	   memory and have not already been written to disk.  So all
 	   operations on, say, a directory are generally performed in
 	   memory before the update is written to disk (the data
 	   blocks are sorted according to their position so
 	   that they will not be on the disk ahead of their meta-data).
 	   If the system crashes, this causes an implicit <quote>log
 	   rewind</quote>: all operations which did not find their way
 	   to the disk appear as if they had never happened.  A
 	   consistent filesystem state is maintained that appears to
 	   be the one of 30 to 60 seconds earlier.  The
 	   algorithm used guarantees that all resources in use
 	   are marked as such in their appropriate bitmaps: blocks and inodes.
 	   After a crash, the only resource allocation error
 	   that occurs is that resources are
 	   marked as <quote>used</quote> which are actually <quote>free</quote>.
 	   &man.fsck.8; recognizes this situation,
 	   and frees the resources that are no longer used.  It is safe to
 	   ignore the dirty state of the filesystem after a crash by
 	   forcibly mounting it with <command>mount -f</command>.  In
 	   order to free resources that may be unused, &man.fsck.8;
 	   needs to be run at a later time.  This is the idea behind
 	   the <emphasis>background fsck</emphasis>: at system startup
 	   time, only a <emphasis>snapshot</emphasis> of the
 	   filesystem is recorded.  The <command>fsck</command> can be
 	   run later on.  All file systems can then be mounted
 	   <quote>dirty</quote>, so the system startup proceeds in
 	   multiuser mode.  Then, background <command>fsck</command>s
 	   will be scheduled for all file systems where this is required, to free
 	   resources that may be unused.  (File systems that do not use
 	   Soft Updates still need the usual foreground
 	   <command>fsck</command> though.)</para>
 
 	 <para>The advantage is that meta-data operations are nearly as
 	   fast as asynchronous updates (i.e. faster than with
 	   <emphasis>logging</emphasis>, which has to write the
 	   meta-data twice).  The disadvantages are the complexity of
 	   the code (implying a higher risk for bugs in an area that
 	   is highly sensitive regarding loss of user data), and a
 	   higher memory consumption.  Additionally there are some
 	   idiosyncrasies one has to get used to.
 	   After a crash, the state of the filesystem appears to be
 	   somewhat <quote>older</quote>.  In situations where
 	   the standard synchronous approach would have caused some
 	   zero-length files to remain after the
 	   <command>fsck</command>, these files do not exist at all
 	   with a Soft Updates filesystem because neither the meta-data
 	   nor the file contents have ever been written to disk.
 	   Disk space is not released until the updates have been
 	   written to disk, which may take place some time after
 	   running <command>rm</command>.  This may cause problems
 	   when installing large amounts of data on a filesystem
 	   that does not have enough free space to hold all the files
 	   twice.</para>
       </sect3>
     </sect2>
   </sect1>
 
   <sect1 id="configtuning-kernel-limits">
     <title>Tuning Kernel Limits</title>
 
     <indexterm>
       <primary>tuning</primary>
       <secondary>kernel limits</secondary>
     </indexterm>
 
     <sect2 id="file-process-limits">
       <title>File/Process Limits</title>
 
       <sect3 id="kern-maxfiles">
 	<title><varname>kern.maxfiles</varname></title>
 
 	<indexterm>
 	  <primary><varname>kern.maxfiles</varname></primary>
 	</indexterm>
 
 	<para><varname>kern.maxfiles</varname> can be raised or
 	  lowered based upon your system requirements.  This variable
 	  indicates the maximum number of file descriptors on your
 	  system.  When the file descriptor table is full,
 	  <errorname>file: table is full</errorname> will show up repeatedly
 	  in the system message buffer, which can be viewed with the
 	  <command>dmesg</command> command.</para>
 
 	<para>Each open file, socket, or fifo uses one file
 	  descriptor.  A large-scale production server may easily
 	  require many thousands of file descriptors, depending on the
 	  kind and number of services running concurrently.</para>
 
 	<para><varname>kern.maxfile</varname>'s default value is
 	  dictated by the <option>MAXUSERS</option> option in your
           kernel configuration file.  <varname>kern.maxfiles</varname> grows
           proportionally to the value of <option>MAXUSERS</option>.  When
           compiling a custom kernel, it is a good idea to set this kernel
           configuration option according to the uses of your system.  From
           this number, the kernel is given most of its pre-defined limits.
           Even though a production machine may not actually have 256 users
           connected at once, the resources needed may be similar to a
           high-scale web server.</para>
 
 	<note><para>As of &os;&nbsp;4.5, setting <option>MAXUSERS</option> to
 	  <literal>0</literal> in your kernel configuration file will choose
 	  a reasonable default value based on the amount of RAM present in
 	  your system.</para></note>
 
       </sect3>
 
       <sect3>
 	<title><varname>kern.ipc.somaxconn</varname></title>
 
 	<indexterm>
 	  <primary><varname>kern.ipc.somaxconn</varname></primary>
 	</indexterm>
 
 	<para>The <varname>kern.ipc.somaxconn</varname> sysctl variable
 	  limits the size of the listen queue for accepting new TCP
 	  connections.  The default value of <literal>128</literal> is
 	  typically too low for robust handling of new connections in a
 	  heavily loaded web server environment.  For such environments, it
 	  is recommended to increase this value to <literal>1024</literal> or
 	  higher.  The service daemon may itself limit the listen queue size
 	  (e.g. &man.sendmail.8;, or <application>Apache</application>) but
 	  will often have a directive in its configuration file to adjust
 	  the queue size.  Large listen queues also do a better job of
 	  avoiding Denial of Service (<abbrev>DoS</abbrev>) attacks.</para>
       </sect3>
 
     </sect2>
     <sect2>
       <title>Network Limits</title>
 
       <para>The <literal>NMBCLUSTERS</literal> kernel configuration
 	option dictates the amount of network Mbufs available to the
 	system.  A heavily-trafficked server with a low number of Mbufs
 	will hinder &os;'s ability.  Each cluster represents
 	approximately 2&nbsp;K of memory, so a value of 1024 represents 2
 	megabytes of kernel memory reserved for network buffers.  A
 	simple calculation can be done to figure out how many are
 	needed.  If you have a web server which maxes out at 1000
 	simultaneous connections, and each connection eats a 16&nbsp;K receive
 	and 16&nbsp;K send buffer, you need approximately 32&nbsp;MB worth of
 	network buffers to cover the web server.  A good rule of thumb is
 	to multiply by 2, so 2x32&nbsp;MB&nbsp;/&nbsp;2&nbsp;KB&nbsp;=
 	64&nbsp;MB&nbsp;/&nbsp;2&nbsp;kB&nbsp;= 32768.  We recommend
 	values between 4096 and 32768 for machines with greater amounts
 	of memory.  Under no circumstances should you specify an
 	arbitrarily high value for this parameter as it could lead to a
 	boot time crash.  The <option>-m</option> option to
 	&man.netstat.1; may be used to observe network cluster
 	use.</para>
 
       <para><varname>kern.ipc.nmbclusters</varname> loader tunable should
         be used to tune this at boot time.  Only older versions of &os;
         will require you to use the <literal>NMBCLUSTERS</literal> kernel
         &man.config.8; option.</para>
 
       <para>For busy servers that make extensive use of the
 	&man.sendfile.2; system call, it may be necessary to increase
 	the number of &man.sendfile.2; buffers via the
 	<literal>NSFBUFS</literal> kernel configuration option or by
 	setting its value in <filename>/boot/loader.conf</filename>
 	(see &man.loader.8; for details).  A common indicator that
 	this parameter needs to be adjusted is when processes are seen
 	in the <literal>sfbufa</literal> state.  The sysctl
 	variable <varname>kern.ipc.nsfbufs</varname> is a read-only
 	glimpse at the kernel configured variable.  This parameter
 	nominally scales with <varname>kern.maxusers</varname>,
 	however it may be necessary to tune accordingly.</para>
 
       <important>
 	<para>Even though a socket has been marked as non-blocking,
 	  calling &man.sendfile.2; on the non-blocking socket may
 	  result in the &man.sendfile.2; call blocking until enough
 	  <literal>struct sf_buf</literal>'s are made
 	  available.</para>
       </important>
 
       <sect3>
 	<title><varname>net.inet.ip.portrange.*</varname></title>
 
 	<indexterm>
 	  <primary>net.inet.ip.portrange.*</primary>
 	</indexterm>
 
 	<para>The <varname>net.inet.ip.portrange.*</varname> sysctl
 	  variables control the port number ranges automatically bound to TCP
 	  and UDP sockets.  There are three ranges: a low range, a default
 	  range, and a high range.  Most network programs use the default
 	  range which is controlled by the
 	  <varname>net.inet.ip.portrange.first</varname> and
 	  <varname>net.inet.ip.portrange.last</varname>, which default to
 	  1024 and 5000, respectively.  Bound port ranges are used  for
 	  outgoing connections, and it is possible to run the system out of
 	  ports under certain circumstances.  This most commonly occurs
 	  when you are running a heavily loaded web proxy.  The port range
 	  is not an issue when running servers which handle mainly incoming
 	  connections, such as a normal web server, or has a limited number
 	  of outgoing connections, such as a mail relay.  For situations
 	  where you may run yourself out of ports, it is recommended to
 	  increase <varname>net.inet.ip.portrange.last</varname> modestly.
 	  A value of <literal>10000</literal>, <literal>20000</literal> or
 	  <literal>30000</literal> may be reasonable.  You should also
 	  consider firewall effects when changing the port range.  Some
 	  firewalls may block large ranges of ports (usually low-numbered
 	  ports) and expect systems to use higher ranges of ports for
 	  outgoing connections &mdash; for this reason it is recommended that
 	  <varname>net.inet.ip.portrange.first</varname> be lowered.</para>
       </sect3>
 
       <sect3>
 	<title>TCP Bandwidth Delay Product</title>
 
 	<indexterm>
 	  <primary>TCP Bandwidth Delay Product Limiting</primary>
 	  <secondary><varname>net.inet.tcp.inflight_enable</varname></secondary>
 	</indexterm>
 
 	<para>The TCP Bandwidth Delay Product Limiting is similar to
 	  TCP/Vegas in NetBSD.  It can be
 	  enabled by setting <varname>net.inet.tcp.inflight_enable</varname>
 	  sysctl variable to <literal>1</literal>.  The system will attempt
 	  to calculate the bandwidth delay product for each connection and
 	  limit the amount of data queued to the network to just the amount
 	  required to maintain optimum throughput.</para>
 
 	<para>This feature is useful if you are serving data over modems,
 	  Gigabit Ethernet, or even high speed WAN links (or any other link
 	  with a high bandwidth delay product), especially if you are also
 	  using window scaling or have configured a large send window.  If
 	  you enable this option, you should also be sure to set
 	  <varname>net.inet.tcp.inflight_debug</varname> to
 	  <literal>0</literal> (disable debugging), and for production use
 	  setting <varname>net.inet.tcp.inflight_min</varname> to at least
 	  <literal>6144</literal> may be beneficial.  However, note that
 	  setting high minimums may effectively disable bandwidth limiting
 	  depending on the link.  The limiting feature reduces the amount of
 	  data built up in intermediate route and switch packet queues as
 	  well as reduces the amount of data built up in the local host's
 	  interface queue.  With fewer packets queued up, interactive
 	  connections, especially over slow modems, will also be able to
 	  operate with lower <emphasis>Round Trip Times</emphasis>.  However,
 	  note that this feature only effects data transmission (uploading
 	  / server side).  It has no effect on data reception (downloading).
 	</para>
 
 	<para>Adjusting <varname>net.inet.tcp.inflight_stab</varname> is
 	  <emphasis>not</emphasis> recommended.  This parameter defaults to
 	  20, representing 2 maximal packets added to the bandwidth delay
 	  product window calculation.  The additional window is required to
 	  stabilize the algorithm and improve responsiveness to changing
 	  conditions, but it can also result in higher ping times over slow
 	  links (though still much lower than you would get without the
 	  inflight algorithm).  In such cases, you may wish to try reducing
 	  this parameter to 15, 10, or 5; and may also have to reduce
 	  <varname>net.inet.tcp.inflight_min</varname> (for example, to
 	  3500) to get the desired effect.  Reducing these parameters
 	  should be done as a last resort only.</para>
       </sect3>
     </sect2>
   </sect1>
 
   <sect1 id="adding-swap-space">
     <title>Adding Swap Space</title>
 
     <para>No matter how well you plan, sometimes a system does not run
       as you expect.  If you find you need more swap space, it is
       simple enough to add.  You have three ways to increase swap
       space: adding a new hard drive, enabling swap over NFS, and
       creating a swap file on an existing partition.</para>
 
     <sect2 id="new-drive-swap">
       <title>Swap on a New Hard Drive</title>
 
       <para>The best way to add swap, of course, is to use this as an
 	excuse to add another hard drive.  You can always use another
 	hard drive, after all.  If you can do this, go reread the
 	discussion of swap space
 	in <xref linkend="configtuning-initial">
 	of the Handbook for some suggestions on how to best
 	arrange your swap.</para>
     </sect2>
 
     <sect2 id="nfs-swap">
       <title>Swapping over NFS</title>
 
       <para>Swapping over NFS is only recommended if you do not have a
 	local hard disk to swap to.  Swapping over NFS is slow and
 	inefficient in versions of &os; prior to 4.X.  It is
 	reasonably fast and efficient in 4.0-RELEASE and newer.  Even
 	with newer versions of &os;, NFS swapping will be limited
 	by the available network bandwidth and puts an additional
 	burden on the NFS server.</para>
     </sect2>
 
     <sect2 id="create-swapfile">
       <title>Swapfiles</title>
 
       <para>You can create a file of a specified size to use as a swap
 	file.  In our example here we will use a 64MB file called
 	<filename>/usr/swap0</filename>.  You can use any name you
 	want, of course.</para>
 
       <example>
         <title>Creating a Swapfile on &os; 4.X</title>
 
       <orderedlist>
         <listitem>
           <para>Be certain that your kernel configuration includes
             the vnode driver.  It is <emphasis>not</emphasis> in recent versions of
             <filename>GENERIC</filename>.</para>
 
           <programlisting>pseudo-device   vn 1   #Vnode driver (turns a file into a device)</programlisting>
         </listitem>
 
 	<listitem>
 	  <para>Create a vn-device:</para>
 	  <screen>&prompt.root; <userinput>cd /dev</userinput>
 &prompt.root; <userinput>sh MAKEDEV vn0</userinput></screen>
 	</listitem>
 
 	<listitem>
 	  <para>Create a swapfile (<filename>/usr/swap0</filename>):</para>
 
 	  <screen>&prompt.root; <userinput>dd if=/dev/zero of=/usr/swap0 bs=1024k count=64</userinput></screen>
 	</listitem>
 
 	<listitem>
 	  <para>Set proper permissions on (<filename>/usr/swap0</filename>):</para>
 
 	  <screen>&prompt.root; <userinput>chmod 0600 /usr/swap0</userinput></screen>
 	</listitem>
 
 	<listitem>
 	  <para>Enable the swap file in <filename>/etc/rc.conf</filename>:</para>
 
 	  <programlisting>swapfile="/usr/swap0"   # Set to name of swapfile if aux swapfile desired.</programlisting>
 	</listitem>
 
 	<listitem>
 
           <para>Reboot the machine or to enable the swap file immediately,
             type:</para>
 
           <screen>&prompt.root; <userinput>vnconfig -e /dev/vn0b /usr/swap0 swap</userinput></screen>
         </listitem>
       </orderedlist>
 
       </example>
       <example>
 	<title>Creating a Swapfile on &os; 5.X</title>
 
       <orderedlist>
 	<listitem>
 	  <para>Be certain that your kernel configuration includes
 	    the memory disk driver (&man.md.4;).  It is default in
 	    <filename>GENERIC</filename> kernel.</para>
 
 	  <programlisting>device   md   # Memory "disks"</programlisting>
 	</listitem>
 
 	<listitem>
 	  <para>Create a swapfile (<filename>/usr/swap0</filename>):</para>
 
 	  <screen>&prompt.root; <userinput>dd if=/dev/zero of=/usr/swap0 bs=1024k count=64</userinput></screen>
 	</listitem>
 
 	<listitem>
 	  <para>Set proper permissions on (<filename>/usr/swap0</filename>):</para>
 
 	  <screen>&prompt.root; <userinput>chmod 0600 /usr/swap0</userinput></screen>
 	</listitem>
 
 	<listitem>
 	  <para>Enable the swap file in <filename>/etc/rc.conf</filename>:</para>
 
 	  <programlisting>swapfile="/usr/swap0"   # Set to name of swapfile if aux swapfile desired.</programlisting>
 	</listitem>
 
 	<listitem>
 
 	  <para>Reboot the machine or to enable the swap file immediately,
             type:</para>
 
 	  <screen>&prompt.root; <userinput>mdconfig -a -t vnode -f /usr/swap0 -u 0 && swapon /dev/md0</userinput></screen>
         </listitem>
       </orderedlist>
 
       </example>
     </sect2>
   </sect1>
 
   <sect1 id="acpi-overview">
     <sect1info>
       <authorgroup>
 	<author>
 	  <firstname>Hiten</firstname>
 	  <surname>Pandya</surname>
 	  <contrib>Written by </contrib>
 	</author>
 	<author>
 	  <firstname>Tom</firstname>
 	  <surname>Rhodes</surname>
 	</author>
       </authorgroup>
     </sect1info>
 
     <title>Power and Resource Management</title>
 
     <para>It is very important to utilize hardware resources in an
       efficient manner.  Before <acronym>ACPI</acronym> was introduced,
       it was very difficult and inflexible for operating systems to manage
       the power usage and thermal properties of a system.  The hardware was
       controlled by some sort of <acronym>BIOS</acronym> embedded
       interface, such as <emphasis>Plug and Play BIOS (PNPBIOS)</emphasis>, or
       <emphasis>Advanced Power Management (APM)</emphasis> and so on.
       Power and Resource Management is one of the key components of a modern
       operating system.  For example, you may want an operating system to
       monitor system limits (and possibly alert you) in case your system
       temperature increased unexpectedly.</para>
 
     <para>In this section of the &os; Handbook, we will provide
       comprehensive information about <acronym>ACPI</acronym>.  References
       will be provided for further reading at the end.  Please be aware
       that <acronym>ACPI</acronym> is available on &os;&nbsp;5.X and
       above systems as a default kernel module.  For &os;&nbsp;4.9,
       <acronym>ACPI</acronym> can be enabled by adding the line
       <literal>device acpica</literal> to a kernel configuration and
       rebuilding.</para>
 
     <sect2 id="acpi-intro">
       <title>What Is ACPI?</title>
 
       <para>Advanced Configuration and Power Interface
 	(<acronym>ACPI</acronym>) is a standard written by
 	an alliance of vendors to provide a standard interface for
 	hardware resources and power management (hence the name).
 	It is a key element in <emphasis>Operating System-directed
 	configuration and Power Management</emphasis>, i.e.: it provides
 	more control and flexibility to the operating system
 	(<acronym>OS</acronym>).
 	Modern systems <quote>stretched</quote> the limits of the
 	current Plug and Play interfaces (such as APM, which is used in
 	&os;&nbsp;4.X), prior to the introduction of
 	<acronym>ACPI</acronym>.  <acronym>ACPI</acronym> is the direct
 	successor to <acronym>APM</acronym>
 	(Advanced Power Management).</para>
     </sect2>
 
     <sect2 id="acpi-old-spec">
       <title>Shortcomings of Advanced Power Management (APM)</title>
 
       <para>The <emphasis>Advanced Power Management (APM)</emphasis>
       facility controls the power usage of a system based on its
       activity.  The APM BIOS is supplied by the (system) vendor and
       it is specific to the hardware platform.  An APM driver in the
       OS mediates access to the <emphasis>APM Software Interface</emphasis>,
       which allows management of power levels.</para>
 
       <para>There are four major problems in APM.  Firstly, power
       management is done by the (vendor-specific) BIOS, and the OS
       does not have any knowledge of it.  One example of this, is when
       the user sets idle-time values for a hard drive in the APM BIOS,
       that when exceeded, it (BIOS) would spin down the hard drive,
       without the consent of the OS.  Secondly, the APM logic is
       embedded in the BIOS, and it operates outside the scope of the
       OS.  This means users can only fix problems in their APM BIOS by
       flashing a new one into the ROM; which is a very dangerous
       procedure with the potential to leave the system in an
       unrecoverable state if it fails. Thirdly, APM is a vendor-specific
       technology, which means that there is a lot of parity
       (duplication of efforts) and bugs found in one vendor's BIOS,
       may not be solved in others.  Last but not the least, the APM
       BIOS did not have enough room to implement a sophisticated power
       policy, or one that can adapt very well to the purpose of the
       machine.</para>
 
       <para><emphasis>Plug and Play BIOS (PNPBIOS)</emphasis> was
       unreliable in many situations.  PNPBIOS is 16-bit technology,
       so the OS has to use 16-bit emulation in order to
       <quote>interface</quote> with PNPBIOS methods.</para>
 
       <para>The &os; <acronym>APM</acronym> driver is documented in
       the &man.apm.4; manual page.</para>
     </sect2>
 
     <sect2 id="acpi-config">
       <title>Configuring <acronym>ACPI</acronym></title>
 
       <para>The <filename>acpi.ko</filename> driver is loaded by default
 	at start up by the &man.loader.8; and should <emphasis>not</emphasis>
 	be compiled into the kernel.  The reasoning behind this is that modules
 	are easier to work with, say if switching to another <filename>acpi.ko</filename>
 	without doing a kernel rebuild.  This has the advantage of making testing easier.
 	Another reason is that starting <acronym>ACPI</acronym> after a system has been
 	brought up is not too useful, and in some cases can be fatal.  In doubt, just
 	disable <acronym>ACPI</acronym> all together. This driver should not and can not
 	be unloaded because the system bus uses it for various hardware interactions.
 	<acronym>ACPI</acronym> can be disabled with the &man.acpiconf.8; utility.
 	In fact most of the interaction with <acronym>ACPI</acronym> can be done via
 	&man.acpiconf.8;.  Basically this means, if anything about <acronym>ACPI</acronym>
 	is in the &man.dmesg.8; output, then most likely it is already running.</para>
 
       <note><para><acronym>ACPI</acronym> and <acronym>APM</acronym> cannot coexist and
 	should be used separately.  The last one to load will terminate if the driver
 	notices the other running.</para></note>
 
       <para>In the simplest form, <acronym>ACPI</acronym> can be used to put the
 	system into a sleep mode with &man.acpiconf.8;, the <option>-s</option>
 	flag, and a <literal>1-5</literal> option.  Most users will only need
 	<literal>1</literal>.  Option <literal>5</literal> will do a soft-off
 	which is the same action as:</para>
 
       <screen>&prompt.root; <userinput>halt -p</userinput></screen>
 
       <para>The other options are available.  Check out the &man.acpiconf.8;
 	manual page for more information.</para>
     </sect2>
   </sect1>
 
   <sect1 id="ACPI-debug">
     <sect1info>
       <authorgroup>
         <author>
           <firstname>Nate</firstname>
           <surname>Lawson</surname>
           <contrib>Written by </contrib>
         </author>
       </authorgroup>
       <authorgroup>
         <author>
           <firstname>Peter</firstname>
           <surname>Schultz</surname>
           <contrib>With contributions from </contrib>
         </author>
         <author>
           <firstname>Tom</firstname>
           <surname>Rhodes</surname>
         </author>
       </authorgroup>
     </sect1info>
 
     <title>Using and Debugging &os; <acronym>ACPI</acronym></title>
 
     <para><acronym>ACPI</acronym> is a fundamentally new way of
       discovering devices, managing power usage, and providing
       standardized access to various hardware previously managed
       by the <acronym>BIOS</acronym>.  Progress is being made toward
       <acronym>ACPI</acronym> working on all systems, but bugs in some
       motherboards' <firstterm><acronym>ACPI</acronym> Machine
       Language</firstterm> (<acronym>AML</acronym>) bytecode,
       incompleteness in &os;'s kernel subsystems, and bugs in the &intel;
       <acronym>ACPI-CA</acronym> interpreter continue to appear.</para>
 
     <para>This document is intended to help you assist the &os;
       <acronym>ACPI</acronym> maintainers in identifying the root cause
       of problems you observe and debugging and developing a solution.
       Thanks for reading this and we hope we can solve your system's
       problems.</para>
 
     <sect2 id="ACPI-submitdebug">
       <title>Submitting Debugging Information</title>
 
       <note>
 	<para>Before submitting a problem, be sure you are running the latest
 	  <acronym>BIOS</acronym> version and, if available, embedded
 	  controller firmware version.</para>
       </note>
 
       <para>For those of you that want to submit a problem right away,
 	please send the following information to
 	<ulink url="mailto:freebsd-acpi@FreeBSD.org">
 	freebsd-acpi@FreeBSD.org</ulink>:</para>
 
       <itemizedlist>
 	<listitem>
 	  <para>Description of the buggy behavior, including system type
 	    and model and anything that causes the bug to appear.  Also,
 	    please note as accurately as possible when the bug began
 	    occurring if it is new for you.</para>
 	</listitem>
 
 	<listitem>
 	  <para>The &man.dmesg.8; output after <command>boot
 	    -v</command>, including any error messages
 	    generated by you exercising the bug.</para>
 	</listitem>
 
 	<listitem>
 	  <para>The &man.dmesg.8; output from <command>boot
 	    -v</command> with <acronym>ACPI</acronym>
 	    disabled, if disabling it helps fix the problem.</para>
 	</listitem>
 
 	<listitem>
 	  <para>Output from <command>sysctl hw.acpi</command>.  This is also
 	    a good way of figuring out what features your system
 	    offers.</para>
 	</listitem>
 
 	<listitem>
 	  <para><acronym>URL</acronym> where your
 	    <firstterm><acronym>ACPI</acronym> Source Language</firstterm>
 	    (<acronym>ASL</acronym>)
 	    can be found.  Do <emphasis>not</emphasis> send the
 	    <acronym>ASL</acronym> directly to the list as it can be
 	    very large.  Generate a copy of your <acronym>ASL</acronym>
 	    by running this command:</para>
 
 	  <screen>&prompt.root; <userinput>acpidump -t -d &gt; <replaceable>name</replaceable>-<replaceable>system</replaceable>.asl</userinput></screen>
 
 	  <para>(Substitute your login name for
 	    <replaceable>name</replaceable> and manufacturer/model for
 	    <replaceable>system</replaceable>.  Example:
 	    <filename>njl-FooCo6000.asl</filename>)</para>
 	</listitem>
       </itemizedlist>
 
       <para>Most of the developers watch the &a.current;
         but please submit problems to &a.acpi.name; to be sure it is
 	seen.  Please be patient, all of us have full-time jobs
 	elsewhere.  If your bug is not immediately apparent, we will
 	probably ask you to submit a <acronym>PR</acronym> via
 	&man.send-pr.1;.  When entering a <acronym>PR</acronym>, please
 	include the same information as requested above.  This will help
 	us track the problem and resolve it.  Do not send a
 	<acronym>PR</acronym> without emailing &a.acpi.name; first as we use
 	<acronym>PR</acronym>s as reminders of existing problems, not a
 	reporting mechanism.  It is likely that your problem has been
 	reported by someone before.</para>
     </sect2>
 
     <sect2 id="ACPI-background">
       <title>Background</title>
 
       <para><acronym>ACPI</acronym> is present in all modern computers
 	that conform to the ia32 (x86), ia64 (Itanium), and amd64 (AMD)
 	architectures.  The full standard has many features including
 	<acronym>CPU</acronym> performance management, power planes
 	control, thermal zones, various battery systems, embedded
 	controllers, and bus enumeration.  Most systems implement less
 	than the full standard.  For instance, a desktop system usually
 	only implements the bus enumeration parts while a laptop might
 	have cooling and battery management support as well.  Laptops
 	also have suspend and resume, with their own associated
 	complexity.</para>
 
       <para>An <acronym>ACPI</acronym>-compliant system has various
 	components.  The <acronym>BIOS</acronym> and chipset vendors
 	provide various fixed tables (e.g., <acronym>FADT</acronym>)
 	in memory that specify things like the <acronym>APIC</acronym>
 	map (used for <acronym>SMP</acronym>), config registers, and
 	simple configuration values.  Additionally, a table of bytecode
 	(the <firstterm>Differentiated System Description Table</firstterm>
 	<acronym>DSDT</acronym>) is provided that specifies a
 	tree-like name space of devices and methods.</para>
 
       <para>The <acronym>ACPI</acronym> driver must parse the fixed
 	tables, implement an interpreter for the bytecode, and modify
 	device drivers and the kernel to accept information from the
 	<acronym>ACPI</acronym> subsystem.  For &os;, &intel; has
 	provided an interpreter (<acronym>ACPI-CA</acronym>) that is
 	shared with Linux and NetBSD.  The path to the
 	<acronym>ACPI-CA</acronym> source code is
 	<filename class="directory">src/sys/contrib/dev/acpica</filename>.
 	The glue code that allows <acronym>ACPI-CA</acronym> to work on
 	&os; is in
 	<filename>src/sys/dev/acpica/Osd</filename>.  Finally, drivers
 	that implement various <acronym>ACPI</acronym> devices are found
 	in
 	<filename class="directory">src/sys/dev/acpica</filename>.</para>
     </sect2>
 
     <sect2 id="ACPI-comprob">
       <title>Common Problems</title>
 
       <para>For <acronym>ACPI</acronym> to work correctly, all the parts
 	have to work correctly.  Here are some common problems, in order
 	of frequency of appearance, and some possible workarounds or
 	fixes.</para>
 
       <sect3>
 	<title>Suspend/Resume</title>
 
 	<para><acronym>ACPI</acronym> has three suspend to
 	  <acronym>RAM</acronym> (<acronym>STR</acronym>) states,
 	  <literal>S1</literal>-<literal>S3</literal>, and one suspend
 	  to disk state (<literal>STD</literal>), called
 	  <literal>S4</literal>.  <literal>S5</literal> is
 	  <quote>soft off</quote> and is the normal state your system
 	  is in when plugged in but not powered up.
 	  <literal>S4</literal> can actually be implemented two separate
 	  ways.  <literal>S4</literal><acronym>BIOS</acronym> is a
 	  <acronym>BIOS</acronym>-assisted suspend to disk.
 	  <literal>S4</literal><acronym>OS</acronym> is implemented
 	  entirely by the operating system.</para>
 
 	<para>Start by checking <command>sysctl hw.acpi</command>
 	  for the suspend-related items.  Here
 	  are the results for a Thinkpad:</para>
 
 	<screen>hw.acpi.supported_sleep_state: S3 S4 S5
 hw.acpi.s4bios: 0</screen>
 
 	<para>This means that we can use <command>acpiconf -s</command>
 	  to test <literal>S3</literal>,
 	  <literal>S4</literal><acronym>OS</acronym>, and
 	  <literal>S5</literal>.  If <option>s4bios</option> was one
 	  (<literal>1</literal>), we would have
 	  <literal>S4</literal><acronym>BIOS</acronym>
 	  support instead of <literal>S4</literal>
 	  <acronym>OS</acronym>.</para>
 
 	<para>When testing suspend/resume, start with
 	  <literal>S1</literal>, if supported.  This state is most
 	  likely to work since it does not require much driver support.
 	  No one has implemented <literal>S2</literal> but if you have
 	  it, it is similar to <literal>S1</literal>.  The next thing
 	  to try is <literal>S3</literal>.  This is the deepest
 	  <acronym>STR</acronym> state and requires a lot of driver
 	  support to properly reinitialize your hardware.  If you have
 	  problems resuming, feel free to email the &a.acpi.name; list but
 	  do not expect the problem to be resolved since there are a lot
 	  of drivers/hardware that need more testing and work.</para>
 
 	<para>To help isolate the problem, remove as many drivers from
 	  your kernel as possible.  If it works, you can narrow down
 	  which driver is the problem by loading drivers until it fails
 	  again.  Typically binary drivers like
 	  <filename>nvidia.ko</filename>, X11
 	  display drivers, and <acronym>USB</acronym> will have the most
 	  problems while Ethernet interfaces usually work fine.  If you
 	  can properly load/unload the drivers, you can automate this by
 	  putting the appropriate commands in
 	  <filename>/etc/rc.suspend</filename> and
 	  <filename>/etc/rc.resume</filename>.  There is a
 	  commented-out example for unloading and loading a driver.  Try
 	  setting <option>hw.acpi.reset_video</option> to zero (<literal>0</literal>) if
 	  your display is messed up after resume.  Try setting longer or
 	  shorter values for <option>hw.acpi.sleep_delay</option> to see
 	  if that helps.</para>
 
 	<para>Another thing to try is load a recent Linux distribution
 	  with <acronym>ACPI</acronym> support and test their
 	  suspend/resume support on the same hardware.  If it works
 	  on Linux, it is likely a &os; driver problem and narrowing down
 	  which driver causes the problems will help us fix the problem.
 	  Note that the <acronym>ACPI</acronym> maintainers do not
 	  usually maintain other drivers (e.g sound,
 	  <acronym>ATA</acronym>, etc.) so any work done on tracking
 	  down a driver problem should probably eventually be posted
 	  to the &a.current.name; list and mailed to the driver
 	  maintainer.  If you are feeling adventurous, go ahead and
 	  start putting some debugging &man.printf.3;s in a problematic
 	  driver to track down where in its resume function it
 	  hangs.</para>
 
 	<para>Finally, try disabling <acronym>ACPI</acronym> and
 	  enabling <acronym>APM</acronym> instead.  If suspend/resume
 	  works with <acronym>APM</acronym>, you may be better off
 	  sticking with <acronym>APM</acronym>, especially on older
 	  hardware (pre-2000).  It took vendors a while to get
 	  <acronym>ACPI</acronym> support correct and older hardware is
 	  more likely to have <acronym>BIOS</acronym> problems with
 	  <acronym>ACPI</acronym>.</para>
       </sect3>
 
       <sect3>
 	<title>System Hangs (temporary or permanent)</title>
 
 	<para>Most system hangs are a result of lost interrupts or an
 	  interrupt storm.  Chipsets have a lot of problems based on how
 	  the <acronym>BIOS</acronym> configures interrupts before boot,
 	  correctness of the <acronym>APIC</acronym>
 	  (<acronym>MADT</acronym>) table, and routing of the
 	  <firstterm>System Control Interrupt</firstterm>
 	  (<acronym>SCI</acronym>).</para>
 
 	<para>Interrupt storms can be distinguished from lost interrupts
 	  by checking the output of <command>vmstat -i</command>
 	  and looking at the line that has
 	  <literal>acpi0</literal>.  If the counter is increasing at more
 	  than a couple per second, you have an interrupt storm.  If the
 	  system appears hung, try breaking to <acronym>DDB</acronym>
 	  (<keycombo action="simul"><keycap>CTRL</keycap>
 	  <keycap>ALT</keycap><keycap>ESC</keycap></keycombo> on
 	  console) and type <literal>show interrupts</literal>.</para>
 
 	<para>Your best hope when dealing with interrupt problems is to
 	  try disabling <acronym>APIC</acronym> support with
 	  <literal>hint.apic.0.disabled="1"</literal> in
 	  <filename>loader.conf</filename>.</para>
       </sect3>
 
       <sect3>
 	<title>Panics</title>
 
 	<para>Panics are relatively rare for <acronym>ACPI</acronym> and
 	  are the top priority to be fixed.  The first step is to
 	  isolate the steps to reproduce the panic (if possible)
 	  and get a backtrace.  Follow the advice for enabling
 	  <literal>options DDB</literal> and setting up a serial console
 	  (see <xref linkend="serialconsole-ddb">)
 	  or setting up a &man.dump.8; partition.  You can get a
 	  backtrace in <acronym>DDB</acronym> with
 	  <literal>tr</literal>.  If you have to handwrite the
 	  backtrace, be sure to at least get the lowest five (5) and top
 	  five (5) lines in the trace.</para>
 
 	<para>Then, try to isolate the problem by booting with
 	  <acronym>ACPI</acronym> disabled.  If that works, you can
 	  isolate the <acronym>ACPI</acronym> subsystem by using various
 	  values of <option>debug.acpi.disable</option>.  See the
 	  &man.acpi.4; manual page for some examples.</para>
       </sect3>
 
       <sect3>
 	<title>System Powers Up After Suspend or Shutdown</title>
 	<para>First, try setting
 	  <literal>hw.acpi.disable_on_poweroff="0"</literal>
 	  in &man.loader.conf.5;.  This keeps <acronym>ACPI</acronym>
 	  from disabling various events during the shutdown process.
 	  Some systems need this value set to <literal>1</literal> (the
 	  default) for the same reason.  This usually fixes
 	  the problem of a system powering up spontaneously after a
 	  suspend or poweroff.</para>
       </sect3>
 
       <sect3>
 	<title>Other Problems</title>
 
 	<para>If you have other problems with <acronym>ACPI</acronym>
 	  (working with a docking station, devices not detected, etc.),
 	  please email a description to the mailing list as well;
 	  however, some of these issues may be related to unfinished
 	  parts of the <acronym>ACPI</acronym> subsystem so they might
 	  take a while to be implemented.  Please be patient and
 	  prepared to test patches we may send you.</para>
       </sect3>
     </sect2>
 
     <sect2 id="ACPI-aslanddump">
       <title><acronym>ASL</acronym>, <command>acpidump</command>, and
         <acronym>IASL</acronym></title>
 
       <para>The most common problem is the <acronym>BIOS</acronym>
 	vendors providing incorrect (or outright buggy!) bytecode.  This
 	is usually manifested by kernel console messages like
 	this:</para>
 
       <screen>ACPI-1287: *** Error: Method execution failed [\\_SB_.PCI0.LPC0.FIGD._STA] \\
 (Node 0xc3f6d160), AE_NOT_FOUND</screen>
 
       <para>Often, you can resolve these problems by updating your
 	<acronym>BIOS</acronym> to the latest revision.  Most console
 	messages are harmless but if you have other problems like
 	battery status not working, they're a good place to start
 	looking for problems in the <acronym>AML</acronym>.  The
 	bytecode, known as <acronym>AML</acronym>, is compiled from a
 	source language called <acronym>ASL</acronym>.  The
 	<acronym>AML</acronym> is found in the table known as the
 	<acronym>DSDT</acronym>.  To get a copy of your
 	<acronym>ASL</acronym>, use &man.acpidump.8;.  You should use
 	both the <option>-t</option> (show contents of the fixed tables)
 	and <option>-d</option> (disassemble <acronym>AML</acronym> to
 	<acronym>ASL</acronym>) options.  See the
 	<link linkend="ACPI-submitdebug">Submitting Debugging
 	Information</link> section for an example syntax.</para>
 
       <para>The simplest first check you can do is to recompile your
 	<acronym>ASL</acronym> to check for errors.  Warnings can
 	usually be ignored but errors are bugs that will usually prevent
 	<acronym>ACPI</acronym> from working correctly.  To recompile
 	your <acronym>ASL</acronym>, issue the following command:</para>
 
       <screen>&prompt.root; <userinput>iasl your.asl</userinput></screen>
     </sect2>
 
     <sect2 id="ACPI-fixasl">
       <title>Fixing Your <acronym>ASL</acronym></title>
 
       <para>In the long run, our goal is for almost everyone to have
 	<acronym>ACPI</acronym> work without any user intervention.  At
 	this point, however, we are still developing workarounds for
 	common mistakes made by the <acronym>BIOS</acronym> vendors.
 	The &microsoft; interpreter (<filename>acpi.sys</filename> and
 	<filename>acpiec.sys</filename>) does not strictly check for
 	adherence to the standard, and thus many <acronym>BIOS</acronym>
 	vendors who only test <acronym>ACPI</acronym> under &windows;
 	never fix their <acronym>ASL</acronym>.  We hope to continue to
 	identify and document exactly what non-standard behavior is
 	allowed by &microsoft;'s interpreter and replicate it so &os; can
 	work without forcing users to fix the <acronym>ASL</acronym>.
 	As a workaround and to help us identify behavior, you can fix
 	the <acronym>ASL</acronym> manually.  If this works for you,
 	please send a &man.diff.1; of the old and new
 	<acronym>ASL</acronym> so we can possibly work around the buggy
 	behavior in <acronym>ACPI-CA</acronym> and thus make your fix
 	unnecessary.</para>
 
       <para>Here is a list of common error messages, their cause, and
 	how to fix them:</para>
 
       <sect3>
 	<title>_OS dependencies</title>
 
 	<para>Some <acronym>AML</acronym> assumes the world consists of
 	  various &windows; versions.  You can tell &os; to claim it is
 	  any <acronym>OS</acronym> to see if this fixes problems you
 	  may have.  An easy way to override this is to set
 	  <literal>hw.acpi.osname="Windows 2001"</literal>
 	  in <filename>/boot/loader.conf</filename> or other similar
 	  strings you find in the <acronym>ASL</acronym>.</para>
       </sect3>
 
       <sect3>
 	<title>Missing Return statements</title>
 
 	<para>Some methods do not explicitly return a value as the
 	  standard requires.  While <acronym>ACPI-CA</acronym>
 	  does not handle this, &os; has a workaround that allows it to
 	  return the value implicitly.  You can also add explicit
 	  Return statements where required if you know what value should
 	  be returned.  To force <command>iasl</command> to compile the
 	  <acronym>ASL</acronym>, use the <option>-f</option>
 	  flag.</para>
       </sect3>
 
       <sect3>
 	<title>Overriding the Default <acronym>AML</acronym></title>
 
 	<para>After you customize <filename>your.asl</filename>, you
 	  will want to compile it, run:</para>
 
 	<screen>&prompt.root; <userinput>iasl your.asl</userinput></screen>
 
 	<para>You can add the <option>-f</option> flag to force creation
 	  of the <acronym>AML</acronym>, even if there are errors during
 	  compilation.  Remember that some errors (e.g., missing Return
 	  statements) are automatically worked around by the
 	  interpreter.</para>
 
 	<para><filename>DSDT.aml</filename> is the default output
 	  filename for <command>iasl</command>.  You can load this
 	  instead of your <acronym>BIOS</acronym>'s buggy copy (which
 	  is still present in flash memory) by editing
 	  <filename>/boot/loader.conf</filename> as
 	  follows:</para>
 
 	<programlisting>acpi_dsdt_load="YES"
 acpi_dsdt_name="/boot/DSDT.aml"</programlisting>
 
 	<para>Be sure to copy your <filename>DSDT.aml</filename> to the
 	  <filename class="directory">/boot</filename> directory.</para>
       </sect3>
     </sect2>
 
     <sect2 id="ACPI-debugoutput">
       <title>Getting Debugging Output From
 	<acronym>ACPI</acronym></title>
 
       <para>The <acronym>ACPI</acronym> driver has a very flexible
 	debugging facility.  It allows you to specify a set of subsystems
 	as well as the level of verbosity.  The subsystems you wish to
 	debug are specified as <quote>layers</quote> and are broken down
 	into <acronym>ACPI-CA</acronym> components (ACPI_ALL_COMPONENTS)
 	and <acronym>ACPI</acronym> hardware support (ACPI_ALL_DRIVERS).
 	The verbosity of debugging output is specified as the
 	<quote>level</quote> and ranges from ACPI_LV_ERROR (just report
 	errors) to ACPI_LV_VERBOSE (everything).  The
 	<quote>level</quote> is a bitmask so multiple options can be set
 	at once, separated by spaces.  In practice, you will want to use
 	a serial console to log the output if it is so long
 	it flushes the console message buffer.  A full list of the
 	individual layers and levels is found in the &man.acpi.4; manual
 	page.</para>
 
       <para>Debugging output is not enabled by default.  To enable it,
 	add <literal>options ACPI_DEBUG</literal> to your kernel configuration file
 	if <acronym>ACPI</acronym> is compiled into the kernel.  You can
 	add <literal>ACPI_DEBUG=1</literal> to your
 	<filename>/etc/make.conf</filename> to enable it globally.  If
 	it is a module, you can recompile just your
 	<filename>acpi.ko</filename> module as follows:</para>
 
       <screen>&prompt.root; <userinput>cd /sys/modules/acpi/acpi
 &amp;&amp; make clean &amp;&amp;
 make ACPI_DEBUG=1</userinput></screen>
 
       <para>Install <filename>acpi.ko</filename> in
 	<filename class="directory">/boot/kernel</filename> and add your
 	desired level and layer to <filename>loader.conf</filename>.
 	This example enables debug messages for all
 	<acronym>ACPI-CA</acronym> components and all
 	<acronym>ACPI</acronym> hardware drivers
 	(<acronym>CPU</acronym>, <acronym>LID</acronym>, etc.)  It will
 	only output error messages, the least verbose level.</para>
 
       <programlisting>debug.acpi.layer="ACPI_ALL_COMPONENTS ACPI_ALL_DRIVERS"
 debug.acpi.level="ACPI_LV_ERROR"</programlisting>
 
       <para>If the information you want is triggered by a specific event
 	(say, a suspend and then resume), you can leave out changes to
 	<filename>loader.conf</filename> and instead use
 	<command>sysctl</command> to specify the layer and level after
 	booting and preparing your system for the specific event.  The
 	<command>sysctl</command>s are named the same as the tunables
 	in <filename>loader.conf</filename>.</para>
     </sect2>
 
     <sect2 id="ACPI-References">
       <title>References</title>
 
       <para>More information about <acronym>ACPI</acronym> may be found
 	in the following locations:</para>
 
       <itemizedlist>
 	<listitem>
 	  <para>The &a.acpi;</para>
 	</listitem>
 
 	<listitem>
 	  <para>The <acronym>ACPI</acronym> Mailing List Archives
 	    <ulink url="http://lists.freebsd.org/pipermail/freebsd-acpi/"></ulink></para>
 	</listitem>
 
         <listitem>
           <para>The old <acronym>ACPI</acronym> Mailing List Archives
             <ulink url="http://home.jp.FreeBSD.org/mail-list/acpi-jp/"></ulink></para>
         </listitem>
 
 	<listitem>
 	  <para>The <acronym>ACPI</acronym> 2.0 Specification
 	    <ulink url="http://acpi.info/spec.htm"></ulink></para>
 	</listitem>
 
 	<listitem>
 	  <para>&os; Manual pages: &man.acpi.4;,
 	    &man.acpi.thermal.4;, &man.acpidump.8;, &man.iasl.8;,
 	    &man.acpidb.8;</para>
 	</listitem>
 
 	<listitem>
 	  <para><ulink
 	    url="http://www.cpqlinux.com/acpi-howto.html#fix_broken_dsdt">
 	    <acronym>DSDT</acronym> debugging resource</ulink>.
 	    (Uses Compaq as an example but generally useful.)</para>
 	</listitem>
       </itemizedlist>
     </sect2>
   </sect1>
 </chapter>
 
 <!--
      Local Variables:
      mode: sgml
      sgml-declaration: "../chapter.decl"
      sgml-indent-data: t
      sgml-omittag: nil
      sgml-always-quote-attributes: t
      sgml-parent-document: ("../book.sgml" "part" "chapter")
      End:
 -->
diff --git a/en_US.ISO8859-1/books/handbook/desktop/chapter.sgml b/en_US.ISO8859-1/books/handbook/desktop/chapter.sgml
index d5082265e2..99ad8259ce 100644
--- a/en_US.ISO8859-1/books/handbook/desktop/chapter.sgml
+++ b/en_US.ISO8859-1/books/handbook/desktop/chapter.sgml
@@ -1,1273 +1,1273 @@
 <!--
      The FreeBSD Documentation Project
      $FreeBSD$
 -->
 
 <chapter id="desktop">
   <chapterinfo>
     <authorgroup>
       <author>
         <firstname>Christophe</firstname>
         <surname>Juniet</surname>
         <contrib>Contributed by </contrib>
       </author>
     </authorgroup>
   </chapterinfo>
 
   <title>Desktop Applications</title>
 
   <sect1 id="desktop-synopsis">
     <title>Synopsis</title>
 
     <para>FreeBSD can run a wide variety of desktop applications, such
       as browsers and word processors.  Most of these are available as
       packages or can be automatically built from the ports
       collection.  Many new users expect to find these kinds of
       applications on their desktop.  This chapter will show you how
       to install some popular desktop applications effortlessly,
       either from their packages or from the ports collection.</para>
 
     <para>Note that when installing programs from the ports, they are
       compiled from source.  This can take a very long time, depending
       on what you are compiling and the processing power of your
       machine(s).  If building from source takes a prohibitively long
       amount of time for you, you can install most of the programs of
       the ports collection from pre-built packages.</para>
 
     <para>As FreeBSD features Linux binary compatibility, many
       applications originally developed for Linux are available for
       your desktop.  It is strongly recommended that you read
       <xref linkend="linuxemu"> before installing any of the Linux
       applications.  Many of the ports using the Linux binary
       compatibility start with <quote>linux-</quote>.  Remember this
       when you search for a particular port, for instance with
       &man.whereis.1;.  In the following text, it is assumed that you
       have enabled Linux binary compatibility before installing any of
       the Linux applications.</para>
 
     <para>Here are the categories covered by this chapter:</para>
 
     <itemizedlist>
       <listitem>
         <para>Browsers (such as <application>Mozilla</application>,
           <application>&netscape;</application>,
           <application>Opera</application>,
           <application>Firefox</application>,
 	  <application>Konqueror</application>)</para>
       </listitem>
 
       <listitem>
         <para>Productivity (such as
           <application>KOffice</application>,
           <application>AbiWord</application>,
           <application>The GIMP</application>,
           <application>OpenOffice.org</application>)</para>
       </listitem>
 
       <listitem>
         <para>Document Viewers (such as <application>&acrobat.reader;</application>,
           <application>gv</application>,
           <application>Xpdf</application>,
           <application>GQview</application>)</para>
       </listitem>
 
       <listitem>
         <para>Finance (such as
           <application>GnuCash</application>,
           <application>Gnumeric</application>,
           <application>Abacus</application>)</para>
       </listitem>
     </itemizedlist>
 
     <para>Before reading this chapter, you should:</para>
 
     <itemizedlist>
       <listitem>
         <para>Know how to install additional third-party software
           (<xref linkend="ports">).</para>
       </listitem>
 
       <listitem>
         <para>Know how to install additional Linux software
 	  (<xref linkend="linuxemu">).</para>
       </listitem>
     </itemizedlist>
 
     <para>For information on how to get a multimedia environment, read
       <xref linkend="multimedia">.  If you want to set up and use
       electronic mail, please refer to <xref linkend="mail">.</para>
   </sect1>
 
   <sect1 id="desktop-browsers">
     <title>Browsers</title>
 
     <para>FreeBSD does not come with a particular browser
       pre-installed.  Instead, the
       <ulink url="http://www.FreeBSD.org/ports/www.html">www</ulink>
       directory of the ports collection contains a lot of browsers
       ready to be installed.  If you do not have time to compile
       everything (this can take a very long time in some cases) many
       of them are available as packages.</para>
 
     <para><application>KDE</application> and
       <application>GNOME</application> already provide HTML browsers.
       Please refer to <xref linkend="x11-wm"> for more information on
       how to set up these complete desktops.</para>
 
     <para>If you are looking for light-weight browsers, you should
       investigate the ports collection for
       <filename role="package">www/dillo</filename>,
       <filename role="package">www/links</filename>, or
       <filename role="package">www/w3m</filename>.</para>
 
     <para>This section covers these applications:</para>
 
-    <informaltable frame="none">
+    <informaltable frame="none" pgwide="1">
       <tgroup cols="4">
         <thead>
           <row>
             <entry>Application Name</entry>
             <entry>Resources Needed</entry>
             <entry>Installation from Ports</entry>
             <entry>Major Dependencies</entry>
           </row>
         </thead>
 
         <tbody>
           <row>
             <entry><application>Mozilla</application></entry>
             <entry>heavy</entry>
             <entry>heavy</entry>
             <entry><application>Gtk+</application></entry>
           </row>
 
           <row>
             <entry><application>&netscape;</application></entry>
             <entry>heavy</entry>
             <entry>light</entry>
             <entry>Linux Binary Compatibility</entry>
           </row>
 
           <row>
             <entry><application>Opera</application></entry>
             <entry>light</entry>
             <entry>light</entry>
 	    <entry>FreeBSD and Linux versions available.  The Linux
 	      version depends on the Linux Binary Compatibility and
 	      <application>linux-openmotif</application>.</entry>
           </row>
 
           <row>
             <entry><application>Firefox</application></entry>
             <entry>medium</entry>
             <entry>heavy</entry>
             <entry><application>Gtk+</application></entry>
           </row>
           
 	  <row>
 	    <entry><application>Konqueror</application></entry>
 	    <entry>medium</entry>
 	    <entry>heavy</entry>
 	    <entry><application>KDE</application> Libraries</entry>
           </row>
         </tbody>
       </tgroup>
     </informaltable>
 
     <sect2>
       <title>Mozilla</title>
       <indexterm>
 	<primary><application>Mozilla</application></primary>
       </indexterm>
 
       <para><application>Mozilla</application> is perhaps the most
         suitable browser for your FreeBSD Desktop.  It is modern,
         stable, and fully ported to FreeBSD.  It features a very
         standards-compliant HTML display engine.  It provides a mail
         and news reader.  It even has a HTML composer if you plan to
         write some web pages yourself.  Users of
         <application>&netscape;</application> will recognize the
         similarities with <application>Communicator</application>
         suite, as both browsers shared the same basis.</para>
 
       <para>On slow machines, with a CPU speed less than 233MHz or
         with less than 64MB of RAM, <application>Mozilla</application>
         can be too resource-consuming to be fully usable.  You may
         want to look at the <application>Opera</application> browser
         instead, described a little later in this chapter.</para>
 
       <para>If you cannot or do not want to compile
         <application>Mozilla</application> for any reason, the FreeBSD
         GNOME team has already done this for you.  Just install the
         package from the network by:</para>
 
       <screen>&prompt.root; <userinput>pkg_add -r mozilla</userinput></screen>
 
       <para>If the package is not available, and you have enough time
         and disk space, you can get the source for
         <application>Mozilla</application>, compile it and install it
         on your system.  This is accomplished by:</para>
 
       <screen>&prompt.root; <userinput>cd /usr/ports/www/mozilla</userinput>
 &prompt.root; <userinput>make install clean</userinput></screen>
 
       <para>The <application>Mozilla</application> port ensures a
         correct initialization by running the chrome registry setup
         with <username>root</username> privileges.  However, if you
         want to fetch some add-ons like mouse gestures, you must run
         <application>Mozilla</application> as
         <username>root</username> to get them properly
         installed.</para>
 
       <para>Once you have completed the installation of
         <application>Mozilla</application>, you do not need to be
         <username>root</username> any longer.  You can start
         <application>Mozilla</application> as a browser by typing:</para>
 
       <screen>&prompt.user; <userinput>mozilla</userinput></screen>
 
       <para>You can start it directly as a mail and news reader as
         shown below:</para>
 
       <screen>&prompt.user; <userinput>mozilla -mail</userinput></screen>
     </sect2>
     
     <sect2 id="moz-java-flash">
       <sect2info>
 	<authorgroup>
 	  <author>
 	    <firstname>Tom</firstname>
 	    <surname>Rhodes</surname>
 	    <contrib>Contributed by </contrib>
 	  </author>
 	</authorgroup>
     </sect2info>
 
       <title>Mozilla, &java;, and &macromedia; &flash;</title>
       
       <para>Installing <application>Mozilla</application> is simple, but
 	unfortunately installing <application>Mozilla</application> with
 	support for add-ons like &java; and
 	&macromedia; &flash;
 	consumes both time and disk
 	space.</para>
 
       <para>The first thing is to download the files which will be used
 	with <application>Mozilla</application>.  Take your current web
 	browser up to
 	<ulink url="http://www.sun.com/software/java2/download.html"></ulink> and
 	create an account on their website.  Remember to save the username
 	and password from here as it may be needed in the future.  Download
 	a copy of the file <filename>j2sdk-1_3_1-src.tar.gz</filename> and place this in
 	<filename>/usr/ports/distfiles/</filename> as the port will not
 	fetch it automatically.  This is due to license restrictions.  While
 	we are here, download the <quote>java environment</quote> from
 	<ulink url="http://java.sun.com/webapps/download/Display?BundleId=7905"></ulink>.
 	The filename is <filename>j2sdk-1_3_1_08-linux-i586.bin</filename> and is large (about 25
 	megabytes!).  Like before, this file must be placed into
 	<filename>/usr/ports/distfiles/</filename>.  Finally download a copy
 	of the <quote>java patchkit</quote> from
 	<ulink url="http://www.eyesbeyond.com/freebsddom/java/"></ulink>
 	and place it
 	into <filename>/usr/ports/distfiles/</filename>.</para>
       
       <para>Install the <filename role="package">java/jdk13</filename> port
 	with the standard <command>make install clean</command> and
 	then install the <filename role="package">www/flashpluginwrapper</filename>
 	port.  This port requires
 	<filename role="package">emulators/linux_base</filename> which is a
 	large port.  True that other <application>&flash;</application> plugins exist, however they have
 	not worked for me.</para>
 
       <para>Install the <filename role="package">www/mozilla</filename> port,
 	if <application>Mozilla</application> is not already installed.</para>
 
       <para>Now copy the <application>&flash;</application> plug-in files with:</para>
     
       <screen>&prompt.root; <userinput>cp /usr/local/lib/flash/libflashplayer.so \
 	/usr/X11R6/lib/browser_plugins/libflashplayer_linux.so</userinput></screen>
 
       <screen>&prompt.root; <userinput>cp /usr/local/lib/flash/ShockwaveFlash.class \
 	/usr/X11R6/lib/browser_plugins/</userinput></screen>
 
     <para>Now add the following lines to the top of (but right under
       <literal>#!/bin/sh</literal>) <application>Mozilla</application> startup script:
       <filename>/usr/X11R6/bin/mozilla</filename>.</para>
 
 <programlisting>LD_PRELOAD=/usr/local/lib/libflashplayer.so.1
 export LD_PRELOAD</programlisting>
 
       <para>This will enable the <application>&flash;</application> plug-in.</para>
 
       <para>Now just start <application>Mozilla</application> with:</para>
 
       <screen>&prompt.user; <userinput>mozilla &amp;</userinput></screen>
 
       <para>And access the <guimenuitem>About Plug-ins</guimenuitem> option from the
 	<guimenu>Help</guimenu> menu.  A list should appear with all the currently
 	available plugins.  <application>&java;</application> and
 	<application>&shockwave; &flash;</application> should both be listed.</para>
     
     </sect2>
 
     <sect2>
       <title>&netscape;</title>
       <indexterm>
 	<primary><application>Netscape</application></primary>
       </indexterm>
 
       <para>The ports collection contains several versions of the
         &netscape; browser.  Since the native FreeBSD ones contain a
         serious security bug, installing them is strongly
         discouraged.  Instead, use a more recent Linux or DIGITAL UNIX
         version.</para>
 
       <para>The latest stable release of the &netscape; browser is
         <application>&netscape; 7</application>.  It can be installed
         from the ports collection:</para>
 
       <screen>&prompt.root; <userinput>cd /usr/ports/www/netscape7</userinput>
 &prompt.root; <userinput>make install clean</userinput></screen>
 
       <para>There are localized versions in the French, German, and
         Japanese categories.</para>
 
       <caution>
         <para><application>&netscape; 4.x</application> versions are not
           recommended because they are not compliant with today's
           standards.  However, <application>&netscape; 7.x</application>
           and newer versions are only available for the &i386;
           platform.</para>
       </caution>
     </sect2>
 
     <sect2>
       <title>Opera</title>
       <indexterm>
 	<primary><application>Opera</application></primary>
       </indexterm>
 
       <para><application>Opera</application> is a very fast,
         full-featured, and standards-compliant browser.  It comes in
         two favors: a <quote>native</quote> FreeBSD version and a
         version that runs under Linux emulation.
 	For each operating system, there is a no-cost version of the
         browser that displays advertising and an ad-free 
         version that can be purchased on the <ulink
         url="http://www.opera.com/">Opera web site</ulink>.</para>
 
       <para>To browse the Web with the FreeBSD version of <application>Opera</application>,
         install the package:</para>
 
       <screen>&prompt.root; <userinput>pkg_add -r opera</userinput></screen>
 
       <para>Some FTP sites do not have all the packages, but the same
         result can be obtained with the ports collection by
         typing:</para>
 
       <screen>&prompt.root; <userinput>cd /usr/ports/www/opera</userinput>
 &prompt.root; <userinput>make install clean</userinput></screen>
 
       <para>To install the Linux version of
 	<application>Opera</application>, substitute
 	<literal>linux-opera</literal> in place of
 	<literal>opera</literal> in the examples above.  The Linux
 	version is useful in situations requiring the use of plug-ins
 	that are only available for Linux, such as <application>Adobe
 	&acrobat.reader;</application>.  In all other respects, the
 	FreeBSD and Linux versions appear to be functionally
 	identical.</para>
 
     </sect2>
 
     <sect2>
       <title>Firefox</title>
       <indexterm>
 	<primary><application>Firefox</application></primary>
       </indexterm>
 
       <para><application>Firefox</application> is the next-generation
          browser based on the <application>Mozilla</application>
          codebase. <application>Mozilla</application> is a complete
          suite of applications, such as a browser, a mail client, a chat
          client and much more. <application>Firefox</application> is
          just a browser, which makes it smaller and faster.</para>
 
       <para>Install the package by typing:</para>
 
       <screen>&prompt.root; <userinput>pkg_add -r firefox</userinput></screen>
 
       <para>You can also use the ports collection if you
          prefer to compile from source code:</para>
 
       <screen>&prompt.root; <userinput>cd /usr/ports/www/firefox</userinput>
 &prompt.root; <userinput>make install clean</userinput></screen>
     </sect2>
     <sect2>
       <title>Konqueror</title>
       <indexterm>
         <primary><application>Konqueror</application></primary>
       </indexterm>
 
       <para><application>Konqueror</application> is part of
 	<application>KDE</application> but it can also be used outside
        	of <application>KDE</application> by installing
 	<filename role="package">x11/kdebase3</filename>.
 	<application>Konqueror</application> is much more than a browser,
 	it is also a file manager and a multimedia viewer.</para>
 
       <para><application>Konqueror</application> also comes with a set of plugins,
 	available in <filename role="package">misc/konq-plugins</filename>.</para>
 
       <para><application>Konqueror</application> also supports <application>&flash;</application> and a How To
 	is available at <ulink url="http://freebsd.kde.org/howto.php"></ulink>.</para>
     </sect2>
   </sect1>
 
   <sect1 id="desktop-productivity">
     <title>Productivity</title>
 
     <para>When it comes to productivity, new users often look for a
        good office suite or a friendly word processor.  While some
        <link linkend="x11-wm">desktop environments</link> like
        <application>KDE</application> already provide an office suite,
        there is no default application.  FreeBSD provides all that is
        needed, regardless of your desktop environment.</para>
 
     <para>This section covers these applications:</para>
 
-    <informaltable frame="none">
+    <informaltable frame="none" pgwide="1">
       <tgroup cols="4">
         <thead>
           <row>
             <entry>Application Name</entry>
             <entry>Resources Needed</entry>
             <entry>Installation from Ports</entry>
             <entry>Major Dependencies</entry>
           </row>
         </thead>
 
         <tbody>
           <row>
             <entry><application>KOffice</application></entry>
             <entry>light</entry>
             <entry>heavy</entry>
             <entry><application>KDE</application></entry>
           </row>
 
           <row>
             <entry><application>AbiWord</application></entry>
             <entry>light</entry>
             <entry>light</entry>
             <entry><application>Gtk+</application> or <application>GNOME</application></entry>
           </row>
 
           <row>
             <entry><application>The Gimp</application></entry>
             <entry>light</entry>
             <entry>heavy</entry>
             <entry><application>Gtk+</application></entry>
           </row>
 
           <row>
             <entry><application>OpenOffice.org</application></entry>
             <entry>heavy</entry>
             <entry>huge</entry>
             <entry><application>GCC 3.1</application>, <application>&jdk; 1.3</application>, <application>Mozilla</application></entry>
           </row>
         </tbody>
       </tgroup>
     </informaltable>
    
     <sect2>
       <title>KOffice</title>
       <indexterm>
 	<primary><application>KOffice</application></primary>
       </indexterm>
       <indexterm>
 	<primary>office suite</primary>
 	<secondary><application>KOffice</application></secondary>
       </indexterm>
 
       <para>The KDE community has provided its desktop environment
         with an office suite which can be used outside
         <application>KDE</application>.  It includes the four standard
         components that can be found in other office suites.
         <application>KWord</application> is the word processor,
         <application>KSpread</application> is the spreadsheet program,
         <application>KPresenter</application> manages slide
         presentations, and <application>Kontour</application> lets you
         draw graphical documents.</para>
 
       <para>Before installing the latest
         <application>KOffice</application>, make sure you have an
         up-to-date version of <application>KDE</application>.</para>
 
       <para>To install <application>KOffice</application> as a
         package, issue the following command:</para>
 
       <screen>&prompt.root; <userinput>pkg_add -r koffice</userinput></screen>
 
       <para>If the package is not available, you can use the ports
         collection.  For instance, to install
         <application>KOffice</application> for
         <application>KDE3</application>, do:</para>
 
       <screen>&prompt.root; <userinput>cd /usr/ports/editors/koffice-kde3</userinput>
 &prompt.root; <userinput>make install clean</userinput></screen>
     </sect2>
 
     <sect2>
       <title>AbiWord</title>
       <indexterm>
 	<primary><application>AbiWord</application></primary>
       </indexterm>
 
       <para><application>AbiWord</application> is a free word
         processing program similar in look and feel to <application>&microsoft; Word</application>.
         It is suitable for typing papers, letters, reports, memos, and
         so forth.  It is very fast, contains many features, and is
         very user-friendly.</para>
 
       <para><application>AbiWord</application> can import or export
         many file formats, including some proprietary ones like
         Microsoft <filename>.doc</filename>.</para>
 
       <para><application>AbiWord</application> is available as a
         package.  You can install it by:</para>
 
       <screen>&prompt.root; <userinput>pkg_add -r AbiWord2</userinput></screen>
 
       <para>If the package is not available, it can be compiled from
         the ports collection.  The ports collection should be more
         up to date.  It can be done as follows:</para>
 
       <screen>&prompt.root; <userinput>cd /usr/ports/editors/AbiWord2</userinput>
 &prompt.root; <userinput>make install clean</userinput></screen>
     </sect2>
 
     <sect2>
       <title>The GIMP</title>
       <indexterm>
 	<primary><application>The GIMP</application></primary>
       </indexterm>
 
       <para>For image authoring or picture retouching,
         <application>The GIMP</application> is a very sophisticated
         image manipulation program.  It can be used as a simple paint
         program or as a quality photo retouching suite.  It supports a
         large number of plug-ins and features a scripting interface.
         <application>The GIMP</application> can read and write a wide
         range of file formats.  It supports interfaces with scanners
         and tablets.</para>
 
       <para>You can install the package by issuing this
         command:</para>
 
       <screen>&prompt.root; <userinput>pkg_add -r gimp</userinput></screen>
 
       <para>If your FTP site does not have this package, you can use
         the ports collection.  The
         <ulink url="http://www.FreeBSD.org/ports/graphics.html">graphics</ulink>
         directory of the ports collection also contains
         <application>The Gimp Manual</application>.  Here is how to
         get them installed:</para>
 
       <screen>&prompt.root; <userinput>cd /usr/ports/graphics/gimp</userinput>
 &prompt.root; <userinput>make install clean</userinput>
 &prompt.root; <userinput>cd /usr/ports/graphics/gimp-manual-pdf</userinput>
 &prompt.root; <userinput>make install clean</userinput></screen>
 
       <note>
         <para>The
           <ulink url="http://www.FreeBSD.org/ports/graphics.html">graphics</ulink>
           directory of the ports collection holds the development
           version of <application>The GIMP</application> in
           <filename role="package">graphics/gimp-devel</filename>.
           An HTML version of
           <application>The Gimp Manual</application> is available from
           <filename role="package">graphics/gimp-manual-html</filename>.</para>
        </note>
     </sect2>
 
     <sect2>
       <title>OpenOffice.org</title>
       <indexterm>
 	<primary><application>OpenOffice.org</application></primary>
       </indexterm>
       <indexterm>
 	<primary>office suite</primary>
 	<secondary><application>OpenOffice.org</application></secondary>
       </indexterm>
 
       <para><application>OpenOffice.org</application> includes all of the
         mandatory applications in a complete office productivity
         suite: a word processor, a spreadsheet, a presentation manager,
         and a drawing program.  Its user interface is very similar
         to other office suites, and it can import and export in various
         popular file formats.  It is available in a number of
         different languages including interfaces, spell checkers, and
         dictionaries.</para>
 
       <para>The word processor of
         <application>OpenOffice.org</application> uses a native XML
         file format for increased portability and flexibility.  The
         spreadsheet program features a macro language and it can be
         interfaced with external databases.
         <application>OpenOffice.org</application> is already stable
         and runs natively on &windows;, &solaris;, Linux, FreeBSD,
         and &macos;&nbsp;X.  More
         information about <application>OpenOffice.org</application>
         can be found on the
 	<ulink url="http://www.openoffice.org/">OpenOffice web site</ulink>.
 	For FreeBSD specific information, and to directly
 	download packages use the <ulink
 	url="http://porting.openoffice.org/freebsd/">FreeBSD OpenOffice
 	Porting Team</ulink>'s web site.</para>
 
       <para>To install <application>OpenOffice.org</application>,
         do:</para>
 
       <screen>&prompt.root; <userinput>pkg_add -r openoffice</userinput></screen>
 
       <para>Once the package is installed, you must run the setup
         program and choose a <option>standard workstation installation</option>.
         Run this command as the user who will use
         <application>OpenOffice.org</application>:</para>
 
       <screen>&prompt.user; <userinput>openoffice-setup</userinput></screen>
 
       <para>If the <application>OpenOffice.org</application> packages
         are not available, you still have the option to compile the
         port.  However, you must bear in mind that it requires a lot of
         disk space and a fairly long time to compile.</para>
 
       <screen>&prompt.root; <userinput>cd /usr/ports/editors/openoffice-1.1</userinput>
 &prompt.root; <userinput>make install clean</userinput></screen>
 
       <para>Once this is done, run the setup as the user who will use
         <application>OpenOffice.org</application> and choose a
         <option>standard workstation installation</option> by:</para>
 
       <screen>&prompt.user; <userinput>cd /usr/ports/editors/openoffice-1.1</userinput>
 &prompt.user; <userinput>make install-user</userinput></screen>
 
       <para>If you want to use a localized version, here are the available
         ports:</para>
 
-      <informaltable frame="none">
+      <informaltable frame="none" pgwide="1">
         <tgroup cols="2">
           <colspec colwidth="1*">
           <colspec colwidth="2*">
           <thead>
             <row>
               <entry>Language</entry>
               <entry>Port</entry>
             </row>
           </thead>
 
           <tbody>
             <row>
               <entry>Catalan</entry>
               <entry><filename role="package">editors/openoffice-1.1-ca</filename></entry>
             </row>
 
             <row>
               <entry>Czech</entry>
               <entry><filename role="package">editors/openoffice-1.1-cs</filename></entry>
             </row>
 
             <row>
               <entry>Danish</entry>
               <entry><filename role="package">editors/openoffice-1.1-dk</filename></entry>
             </row>
 
             <row>
               <entry>Greek</entry>
               <entry><filename role="package">editors/openoffice-1.1-el</filename></entry>
             </row>
 
             <row>
               <entry>Spanish</entry>
               <entry><filename role="package">editors/openoffice-1.1-es</filename></entry>
             </row>
 
             <row>
               <entry>Estonian</entry>
               <entry><filename role="package">editors/openoffice-1.1-et</filename></entry>
             </row>
 
             <row>
               <entry>Finnish</entry>
               <entry><filename role="package">editors/openoffice-1.1-fi</filename></entry>
             </row>
 
             <row>
               <entry>Italian</entry>
               <entry><filename role="package">editors/openoffice-1.1-it</filename></entry>
             </row>
 
             <row>
               <entry>Dutch</entry>
               <entry><filename role="package">editors/openoffice-1.1-nl</filename></entry>
             </row>
 
             <row>
               <entry>Swedish</entry>
               <entry><filename role="package">editors/openoffice-1.1-se</filename></entry>
             </row>
 
             <row>
               <entry>Slovak</entry>
               <entry><filename role="package">editors/openoffice-1.1-sk</filename></entry>
             </row>
 
             <row>
               <entry>Slovenian</entry>
               <entry><filename role="package">editors/openoffice-1.1-sl_SI</filename></entry>
             </row>
 
             <row>
               <entry>Turkish</entry>
               <entry><filename role="package">editors/openoffice-1.1-tr</filename></entry>
             </row>
 
             <row>
               <entry>Arabic</entry>
               <entry><filename role="package">arabic/openoffice-1.1</filename></entry>
             </row>
 
             <row>
               <entry>Chinese (Simplified)</entry>
               <entry><filename role="package">chinese/openoffice-1.1-zh_CN</filename></entry>
             </row>
 
             <row>
               <entry>Chinese (Traditional)</entry>
               <entry><filename role="package">chinese/openoffice-1.1-zh_TW</filename></entry>
             </row>
 
             <row>
               <entry>French</entry>
               <entry><filename role="package">french/openoffice-1.1</filename></entry>
             </row>
 
             <row>
               <entry>German</entry>
               <entry><filename role="package">german/openoffice-1.1</filename></entry>
             </row>
 
             <row>
               <entry>Hungarian</entry>
               <entry><filename role="package">hungarian/openoffice-1.1</filename></entry>
             </row>
 
             <row>
               <entry>Japanese</entry>
               <entry><filename role="package">japanese/openoffice-1.1</filename></entry>
             </row>
 
             <row>
               <entry>Korean</entry>
               <entry><filename role="package">korean/openoffice-1.1</filename></entry>
             </row>
 	    
             <row>
               <entry>Polish</entry>
               <entry><filename role="package">polish/openoffice-1.1</filename></entry>
             </row>
 	    
             <row>
               <entry>Portuguese (Brazil)</entry>
               <entry><filename role="package">portuguese/openoffice-1.1-pt_BR</filename></entry>
             </row>
 
             <row>
               <entry>Portuguese</entry>
               <entry><filename role="package">portuguese/openoffice-1.1-pt_PT</filename></entry>
             </row>
 
             <row>
               <entry>Russian</entry>
               <entry><filename role="package">russian/openoffice-1.1</filename></entry>
             </row>
           </tbody>
         </tgroup>
       </informaltable>
     </sect2>
   </sect1>
 
   <sect1 id="desktop-viewers">
     <title>Document Viewers</title>
 
     <para>Some new document formats have recently gained popularity.
       The standard viewers they require may not be available in the
       base system.  We will see how to install them in this
       section.</para>
 
     <para>This section covers these applications:</para>
 
-    <informaltable frame="none">
+    <informaltable frame="none" pgwide="1">
       <tgroup cols="4">
         <thead>
           <row>
             <entry>Application Name</entry>
             <entry>Resources Needed</entry>
             <entry>Installation from Ports</entry>
             <entry>Major Dependencies</entry>
           </row>
         </thead>
 
         <tbody>
           <row>
             <entry><application>&acrobat.reader;</application></entry>
             <entry>light</entry>
             <entry>light</entry>
             <entry>Linux Binary Compatibility</entry>
           </row>
 
           <row>
             <entry><application>gv</application></entry>
             <entry>light</entry>
             <entry>light</entry>
             <entry><application>Xaw3d</application></entry>
           </row>
 
           <row>
             <entry><application>Xpdf</application></entry>
             <entry>light</entry>
             <entry>light</entry>
             <entry><application>FreeType</application></entry>
           </row>
 
           <row>
             <entry><application>GQview</application></entry>
             <entry>light</entry>
             <entry>light</entry>
             <entry><application>Gtk+</application> or <application>GNOME</application></entry>
           </row>
         </tbody>
       </tgroup>
     </informaltable>
 
     <sect2>
       <title>&acrobat.reader;</title>
       <indexterm>
 	<primary><application>Acrobat Reader</application></primary>
       </indexterm>
       <indexterm>
 	<primary>PDF</primary>
 	<secondary>viewing</secondary>
       </indexterm>
 
       <para>Many documents are now distributed as PDF files,
         which stands for <quote>Portable Document Format</quote>.  One
         of the recommended viewers for these types of files is
         <application>&acrobat.reader;</application>, released by Adobe
         for Linux.  As FreeBSD can run Linux binaries, it is also
         available for FreeBSD.</para>
 
       <para>To install the <application>&acrobat.reader; 5</application>
         package, do:</para>
 
       <screen>&prompt.root; <userinput>pkg_add -r acroread5</userinput></screen>
 
       <para>As usual, if the package is not available or you want the
         latest version, you can use the ports collection as
         well:</para>
 
       <screen>&prompt.root; <userinput>cd /usr/ports/print/acroread5</userinput>
 &prompt.root; <userinput>make install clean</userinput></screen>
 
       <note><para><application>&acrobat.reader;</application> is
         available in several different versions.  At this time of
         writing, there are:
         <filename role="package">print/acroread</filename> (version 3.0.2),
         <filename role="package">print/acroread4</filename> (version 4.0.5), and
         <filename role="package">print/acroread5</filename> (version 5.0.6).
         They may not all have been packaged for your version of
         FreeBSD.  The ports collection will always contain
         the latest versions.</para>
       </note>
     </sect2>
 
     <sect2>
       <title>gv</title>
       <indexterm>
 	<primary><application>gv</application></primary>
       </indexterm>
       <indexterm>
 	<primary>PDF</primary>
 	<secondary>viewing</secondary>
       </indexterm>
       <indexterm>
 	<primary>PostScript</primary>
 	<secondary>viewing</secondary>
       </indexterm>
 
       <para><application>gv</application> is a &postscript; and PDF
         viewer.  It is originally based on
         <application>ghostview</application> but it has a nicer look
         thanks to the <application>Xaw3d</application> library.  It is fast and its interface is
         clean.  <application>gv</application> has many features like
         orientation, paper size, scale, or antialias.  Almost any
         operation can be done either from the keyboard or the
         mouse.</para>
 
       <para>To install <application>gv</application> as a package,
         do:</para>
 
       <screen>&prompt.root; <userinput>pkg_add -r gv</userinput></screen>
 
       <para>If you cannot get the package, you can use the ports
         collection:</para>
 
       <screen>&prompt.root; <userinput>cd /usr/ports/print/gv</userinput>
 &prompt.root; <userinput>make install clean</userinput></screen>
     </sect2>
 
     <sect2>
       <title>Xpdf</title>
       <indexterm>
 	<primary><application>Xpdf</application></primary>
       </indexterm>
       <indexterm>
 	<primary>PDF</primary>
 	<secondary>viewing</secondary>
       </indexterm>
 
       <para>If you want a small FreeBSD PDF viewer,
         <application>Xpdf</application> is a light-weight and
         efficient viewer.  It requires very few resources and is
         very stable.  It uses the standard X fonts and does not
         require <application>&motif;</application> or any other X toolkit.</para>
 
       <para>To install the <application>Xpdf</application> package,
         issue this command:</para>
 
       <screen>&prompt.root; <userinput>pkg_add -r xpdf</userinput></screen>
 
       <para>If the package is not available or you prefer to use the
         ports collection, do:</para>
 
       <screen>&prompt.root; <userinput>cd /usr/ports/graphics/xpdf</userinput>
 &prompt.root; <userinput>make install clean</userinput></screen>
 
       <para>Once the installation is complete, you can launch
         <application>Xpdf</application> and use the right mouse button
         to activate the menu.</para>
     </sect2>
 
     <sect2>
       <title>GQview</title>
       <indexterm>
 	<primary><application>GQview</application></primary>
       </indexterm>
 
       <para><application>GQview</application> is an image manager.
         You can view a file with a single click, launch an external
         editor, get thumbnail previews, and much more.  It also
         features a slideshow mode and some basic file operations.  You
         can manage image collections and easily find duplicates.
         <application>GQview</application> can do full screen viewing
         and supports internationalization.</para>
 
       <para>If you want to install the
         <application>GQview</application> package, do:</para>
 
       <screen>&prompt.root; <userinput>pkg_add -r gqview</userinput></screen>
 
       <para>If the package is not available or you prefer to use the
         ports collection, do:</para>
 
       <screen>&prompt.root; <userinput>cd /usr/ports/graphics/gqview</userinput>
 &prompt.root; <userinput>make install clean</userinput></screen>
     </sect2>
   </sect1>
 
   <sect1 id="desktop-finance">
     <title>Finance</title>
 
     <para>If, for any reason, you would like to manage your personal
       finances on your FreeBSD Desktop, there are some powerful and
       easy to use applications ready to be installed.  Some of them
       are compatible with widespread file formats like those of
       <application><trademark class="registered">Quicken</trademark></application> or <application>Excel</application> documents.</para>
 
     <para>This section covers these applications:</para>
      
-    <informaltable frame="none">
+    <informaltable frame="none" pgwide="1">
       <tgroup cols="4">
         <thead>
           <row>
             <entry>Application Name</entry>
             <entry>Resources Needed</entry>
             <entry>Installation from Ports</entry>
             <entry>Major Dependencies</entry>
           </row>
         </thead>
 
         <tbody>
           <row>
             <entry><application>GnuCash</application></entry>
             <entry>light</entry>
             <entry>heavy</entry>
             <entry><application>GNOME</application></entry>
           </row>
 
           <row>
             <entry><application>Gnumeric</application></entry>
             <entry>light</entry>
             <entry>heavy</entry>
             <entry><application>GNOME</application></entry>
           </row>
 
           <row>
             <entry><application>Abacus</application></entry>
             <entry>light</entry>
             <entry>light</entry>
             <entry><application>Tcl/Tk</application></entry>
           </row>
         </tbody>
       </tgroup>
     </informaltable>
    
     <sect2>
       <title>GnuCash</title>
       <indexterm>
 	<primary><application>GnuCash</application></primary>
       </indexterm>
 
       <para><application>GnuCash</application> is part of the
         <application>GNOME</application> effort to provide
         user-friendly yet powerful applications to end-users.  With
         <application>GnuCash</application>, you can keep track of your
         income and expenses, your bank accounts, or your stocks.  It
         features an intuitive interface while remaining very
         professional.</para>
 
       <para><application>GnuCash</application> provides a smart
         register, a hierarchical system of accounts, many keyboard
         accelerators and auto-completion methods.  It can split a
         single transaction into several more detailed pieces.
         <application>GnuCash</application> can import and merge
         <application>Quicken</application> QIF files.  It also handles most international date
         and currency formats.</para>
 
       <para>To install <application>GnuCash</application> on your
         system, do:</para>
 
       <screen>&prompt.root; <userinput>pkg_add -r gnucash</userinput></screen>
 
       <para>If the package is not available, you can use the ports
         collection:</para>
 
       <screen>&prompt.root; <userinput>cd /usr/ports/finance/gnucash</userinput>
 &prompt.root; <userinput>make install clean</userinput></screen>
     </sect2>
 
     <sect2>
       <title>Gnumeric</title>
       <indexterm>
 	<primary><application>Gnumeric</application></primary>
       </indexterm>
       <indexterm>
 	<primary>spreadsheet</primary>
 	<secondary><application>Gnumeric</application></secondary>
       </indexterm>
 
       <para><application>Gnumeric</application> is a spreadsheet, part
         of the <application>GNOME</application> desktop environment.
         It features convenient automatic <quote>guessing</quote> of user
         input according to the cell format and an autofill system for
         many sequences.  It can import files in a number of popular
         formats like those of <application>Excel</application>, <application>Lotus 1-2-3</application>, or <application>Quattro Pro</application>.
         <application>Gnumeric</application> supports graphs through
         the <filename role="package">math/guppi</filename> graphing
         program.  It has a large number of built-in functions and
         allows all of the usual cell formats such as number, currency,
         date, time, and much more.</para>
 
       <para>To install <application>Gnumeric</application> as a
         package, type in:</para>
 
       <screen>&prompt.root; <userinput>pkg_add -r gnumeric</userinput></screen>
 
       <para>If the package is not available, you can use the ports
         collection by doing:</para>
 
       <screen>&prompt.root; <userinput>cd /usr/ports/math/gnumeric</userinput>
 &prompt.root; <userinput>make install clean</userinput></screen>
     </sect2>
 
     <sect2>
       <title>Abacus</title>
       <indexterm>
 	<primary><application>Abacus</application></primary>
       </indexterm>
       <indexterm>
 	<primary>spreadsheet</primary>
 	<secondary><application>Abacus</application></secondary>
       </indexterm>
 
       <para><application>Abacus</application> is a small and easy to
         use spreadsheet.  It includes many built-in functions useful
         in several domains such as statistics, finances, and
         mathematics.  It can import and export the <application>Excel</application> file format.
         <application>Abacus</application> can produce &postscript;
         output.</para>
 
       <para>To install <application>Abacus</application> from its
         package, do:</para>
 
       <screen>&prompt.root; <userinput>pkg_add -r abacus</userinput></screen>
 
       <para>If the package is not available, you can use the ports
         collection by doing:</para>
 
       <screen>&prompt.root; <userinput>cd /usr/ports/deskutils/abacus</userinput>
 &prompt.root; <userinput>make install clean</userinput></screen>
     </sect2>
   </sect1>
 
   <sect1 id="desktop-summary">
     <title>Summary</title>
 
     <para>While FreeBSD is popular among ISPs for its performance and
       stability, it is quite ready for day-to-day use as a desktop.
       With several thousand applications available as
       <ulink url="http://www.FreeBSD.org/where.html">packages</ulink> or
       <ulink url="http://www.FreeBSD.org/ports/index.html">ports</ulink>,
       you can build a perfect desktop that suits all your needs.</para>
 
     <para>Once you have achieved the installation of your desktop, you
       may want to go one step further with
       <filename role="package">misc/instant-workstation</filename>.
       This <quote>meta-port</quote> allows you to build a typical set
       of ports for a workstation.  You can customize it by editing
       <filename>/usr/ports/misc/instant-workstation/Makefile</filename>.
       Follow the syntax used for the default set to add or remove
       ports, and build it with the usual procedure.
       Eventually, you will be able to create a big package that
       corresponds to your very own desktop and install it to your
       other workstations!</para>
 
     <para>Here is a quick review of all the desktop applications
       covered in this chapter:</para>
 
-    <informaltable frame="none">
+    <informaltable frame="none" pgwide="1">
       <tgroup cols="3">
         <thead>
           <row>
             <entry>Application Name</entry>
 	    <entry>Package Name</entry>
 	    <entry>Ports Name</entry>
 	  </row>
 	</thead>
 
 	<tbody>
 	  <row>
             <entry><application>Mozilla</application></entry>
 	    <entry><literal>mozilla</literal></entry>
 	    <entry><filename role="package">www/mozilla</filename></entry>
 	  </row>
 
 	  <row>
             <entry><application>&netscape;</application></entry>
 	    <entry><literal>linux-netscape7</literal></entry>
 	    <entry><filename role="package">www/netscape7</filename></entry>
 	  </row>
 
 	  <row>
             <entry><application>Opera</application></entry>
 	    <entry><literal>opera</literal></entry>
 	    <entry><filename role="package">www/opera</filename></entry>
 	  </row>
 
 	  <row>
             <entry><application>Firefox</application></entry>
 	    <entry><literal>firefox</literal></entry>
 	    <entry><filename role="package">www/firefox</filename></entry>
 	  </row>
 
 	  <row>
             <entry><application>KOffice</application></entry>
 	    <entry><literal>koffice-kde3</literal></entry>
 	    <entry><filename role="package">editors/koffice-kde3</filename></entry>
 	  </row>
 
 	  <row>
             <entry><application>AbiWord</application></entry>
 	    <entry><literal>AbiWord-gnome</literal></entry>
 	    <entry><filename role="package">editors/AbiWord2</filename></entry>
 	  </row>
 
 	  <row>
             <entry><application>The GIMP</application></entry>
 	    <entry><literal>gimp</literal></entry>
 	    <entry><filename role="package">graphics/gimp</filename></entry>
 	  </row>
 
 	  <row>
             <entry><application>OpenOffice.org</application></entry>
 	    <entry><literal>openoffice</literal></entry>
 	    <entry><filename role="package">editors/openoffice-1.1</filename></entry>
 	  </row>
 
 	  <row>
             <entry><application>&acrobat.reader;</application></entry>
 	    <entry><literal>acroread5</literal></entry>
 	    <entry><filename role="package">print/acroread5</filename></entry>
 	  </row>
 
 	  <row>
             <entry><application>gv</application></entry>
 	    <entry><literal>gv</literal></entry>
 	    <entry><filename role="package">print/gv</filename></entry>
 	  </row>
 
 	  <row>
             <entry><application>Xpdf</application></entry>
 	    <entry><literal>xpdf</literal></entry>
 	    <entry><filename role="package">graphics/xpdf</filename></entry>
 	  </row>
 
 	  <row>
             <entry><application>GQview</application></entry>
 	    <entry><literal>gqview</literal></entry>
 	    <entry><filename role="package">graphics/gqview</filename></entry>
 	  </row>
 
 	  <row>
             <entry><application>GnuCash</application></entry>
 	    <entry><literal>gnucash</literal></entry>
 	    <entry><filename role="package">finance/gnucash</filename></entry>
 	  </row>
 
 	  <row>
             <entry><application>Gnumeric</application></entry>
 	    <entry><literal>gnumeric</literal></entry>
 	    <entry><filename role="package">math/gnumeric</filename></entry>
 	  </row>
 
 	  <row>
             <entry><application>Abacus</application></entry>
 	    <entry><literal>abacus</literal></entry>
 	    <entry><filename role="package">deskutils/abacus</filename></entry>
 	  </row>
         </tbody>
       </tgroup>
     </informaltable>
   </sect1>
 </chapter>
 
 <!--
      Local Variables:
      mode: sgml
      sgml-declaration: "../chapter.decl"
      sgml-indent-data: t
      sgml-omittag: nil
      sgml-always-quote-attributes: t
      sgml-parent-document: ("../book.sgml" "part" "chapter")
      End:
 -->
diff --git a/en_US.ISO8859-1/books/handbook/eresources/chapter.sgml b/en_US.ISO8859-1/books/handbook/eresources/chapter.sgml
index c9a5f3aeea..36b1b87563 100644
--- a/en_US.ISO8859-1/books/handbook/eresources/chapter.sgml
+++ b/en_US.ISO8859-1/books/handbook/eresources/chapter.sgml
@@ -1,1649 +1,1649 @@
 <!--
      The FreeBSD Documentation Project
 
      $FreeBSD$
 -->
 
 <appendix id="eresources">
   <title>Resources on the Internet</title>
 
   <para>The rapid pace of FreeBSD progress makes print media impractical as a
     means of following the latest developments.  Electronic resources are the
     best, if not often the only, way stay informed of the latest advances.
     Since FreeBSD is a volunteer effort, the user community itself also
     generally serves as a <quote>technical support department</quote> of sorts,
     with electronic mail and  USENET news being the most effective way of
     reaching that community.</para>
 
   <para>The most important points of contact with the FreeBSD user community
     are outlined below.  If you are aware of other resources not mentioned
     here, please send them to the &a.doc; so that they may also be
     included.</para>
 
   <sect1 id="eresources-mail">
     <title>Mailing Lists</title>
 
     <para>Though many of the FreeBSD development members read USENET, we
       cannot always guarantee that we will get to your questions in a timely
       fashion (or at all) if you post them only to one of the
       <literal>comp.unix.bsd.freebsd.*</literal> groups.  By addressing your
       questions to the appropriate mailing list you will reach both us and a
       concentrated FreeBSD audience, invariably assuring a better (or at least
       faster) response.</para>
 
     <para>The charters for the various lists are given at the bottom of this
       document.  <emphasis>Please read the charter before joining or sending
 	mail to any list</emphasis>.  Most of our list subscribers now receive
       many hundreds of FreeBSD related messages every day, and by setting down
       charters and rules for proper use we are striving to keep the
       signal-to-noise ratio of the lists high. To do less would see the
       mailing lists ultimately fail as an effective communications medium for
       the project.</para>
 
     <para>Archives are kept for all of the mailing lists and can be searched
       using the <ulink url="&url.base;/search/index.html">FreeBSD World
 	Wide Web server</ulink>.  The keyword searchable archive offers an
       excellent way of finding answers to frequently asked questions and
       should be consulted before posting a question.</para>
 
     <sect2 id="eresources-summary">
       <title>List Summary</title>
 
       <para><emphasis>General lists:</emphasis> The following are general
 	lists which anyone is free (and encouraged) to join:</para>
 
-      <informaltable frame="none">
+      <informaltable frame="none" pgwide="1">
 	<tgroup cols="2">
 	  <thead>
 	    <row>
 	      <entry>List</entry>
 	      <entry>Purpose</entry>
 	    </row>
 	  </thead>
 
 	  <tbody>
 	    <row>
 	      <entry>&a.cvsall.name;</entry>
 	      <entry>Changes made to the FreeBSD source tree</entry>
 	    </row>
 
 	    <row>
 	      <entry>&a.advocacy.name;</entry>
 	      <entry>FreeBSD Evangelism</entry>
 	    </row>
 
 	    <row>
 	      <entry>&a.announce.name;</entry>
 	      <entry>Important events and project milestones</entry>
 	    </row>
 
 	    <row>
 	      <entry>&a.arch.name;</entry>
 	      <entry>Architecture and design discussions</entry>
 	    </row>
 
 	    <row>
 	      <entry>&a.bugbusters.name;</entry>
 	      <entry>Discussions pertaining to the maintenance of the FreeBSD
 		problem report database and related tools</entry>
 	    </row>
 
     	    <row>
 	      <entry>&a.bugs.name;</entry>
 	      <entry>Bug reports</entry>
 	    </row>
 
 	    <row>
 	      <entry>&a.chat.name;</entry>
 	      <entry>Non-technical items related to the FreeBSD
 		community</entry>
 	    </row>
 
 	    <row>
 	      <entry>&a.config.name;</entry>
 	      <entry>Development of FreeBSD installation and configuration tools</entry>
 	    </row>
 
 	    <row>
 	      <entry>&a.current.name;</entry>
 	      <entry>Discussion concerning the use of
 		&os.current;</entry>
 	    </row>
 
 	    <row>
 	      <entry>&a.isp.name;</entry>
 	      <entry>Issues for Internet Service Providers using
 		FreeBSD</entry>
 	    </row>
 
 	    <row>
 	      <entry>&a.jobs.name;</entry>
 	      <entry>FreeBSD employment and consulting
 		opportunities</entry>
 	    </row>
 
 	    <row>
 	      <entry>&a.newbies.name;</entry>
 	      <entry>New FreeBSD users activities and discussions</entry>
 	    </row>
 
 	    <row>
 	      <entry>&a.policy.name;</entry>
 	      <entry>FreeBSD Core team policy decisions.  Low volume, and
 		read-only</entry>
 	    </row>
 
 	    <row>
 	      <entry>&a.questions.name;</entry>
 		  <entry>User questions and technical support</entry>
 	    </row>
 
 	    <row>
 	      <entry>&a.security-notifications.name;</entry>
 	      <entry>Security notifications</entry>
 	    </row>
 
 	    <row>
 	      <entry>&a.stable.name;</entry>
 	      <entry>Discussion concerning the use of
 		&os.stable;</entry>
 	    </row>
 
 	    <row>
 	      <entry>&a.test.name;</entry>
 	      <entry>Where to send your test messages instead of one of
 		the actual lists</entry>
 	    </row>
 	  </tbody>
 	</tgroup>
       </informaltable>
 
       <para><emphasis>Technical lists:</emphasis> The following lists are for
 	technical discussion.  You should read the charter for each list
 	carefully before joining or sending mail to one as there are firm
 	guidelines for their use and content.</para>
 
-      <informaltable frame="none">
+      <informaltable frame="none" pgwide="1">
 	<tgroup cols="2">
 	  <thead>
 	    <row>
 	      <entry>List</entry>
 	      <entry>Purpose</entry>
 	    </row>
 	  </thead>
 
 	  <tbody>
 	    <row>
 	      <entry>&a.acpi.name;</entry>
 	      <entry>ACPI and power management development</entry>
 	    </row>
 
 	    <row>
 	      <entry>&a.afs.name;</entry>
 	      <entry>Porting AFS to FreeBSD</entry>
 	    </row>
 
 	    <row>
 	      <entry>&a.aic7xxx.name;</entry>
 	      <entry>Developing drivers for the &adaptec; AIC 7xxx</entry>
 	    </row>
 
 	    <row>
 	      <entry>&a.alpha.name;</entry>
 	      <entry>Porting FreeBSD to the Alpha</entry>
 	    </row>
 
 	    <row>
 	      <entry>&a.amd64.name;</entry>
 	      <entry>Porting FreeBSD to AMD64 systems</entry>
 	    </row>
 
 	    <row>
 	      <entry>&a.apache.name;</entry>
 	      <entry>Discussion about <application>Apache</application> related ports</entry>
 	    </row>
 
 	    <row>
 	      <entry>&a.arm.name;</entry>
 	      <entry>Porting FreeBSD to &arm; processors</entry>
 	    </row>
 
 	    <row>
 	      <entry>&a.atm.name;</entry>
 	      <entry>Using ATM networking with FreeBSD</entry>
 	    </row>
 
 	    <row>
 	      <entry>&a.audit.name;</entry>
 	      <entry>Source code audit project</entry>
 	    </row>
 
 	    <row>
 	      <entry>&a.binup.name;</entry>
 	      <entry>Design and development of the binary update system</entry>
 	    </row>
 
 	    <row>
 	      <entry>&a.cluster.name;</entry>
 	      <entry>Using FreeBSD in a clustered environment</entry>
 	    </row>
 
 	    <row>
 	      <entry>&a.cvsweb.name;</entry>
 	      <entry>CVSweb maintenance</entry>
 	    </row>
 
 	    <row>
 	      <entry>&a.database.name;</entry>
 	      <entry>Discussing database use and development under
 		FreeBSD</entry>
 	    </row>
 
 	    <row>
 	      <entry>&a.doc.name;</entry>
 	      <entry>Creating FreeBSD related documents</entry>
 	    </row>
 
 	    <row>
 	      <entry>&a.emulation.name;</entry>
 	      <entry>Emulation of other systems such as
 		Linux/DOS/&windows;</entry>
 	    </row>
 
 	    <row>
 	      <entry>&a.firewire.name;</entry>
 	      <entry>FreeBSD &firewire; (iLink, IEEE 1394) technical
 		discussion</entry>
 	    </row>
 
 	    <row>
 	      <entry>&a.fs.name;</entry>
 	      <entry>File systems</entry>
 	    </row>
 
 	    <row>
 	      <entry>&a.geom.name;</entry>
 	      <entry>GEOM-specific discussions and implementations</entry>
 	    </row>
 
 	    <row>
 	      <entry>&a.gnome.name;</entry>
 	      <entry>Porting <application>GNOME</application> and <application>GNOME</application> applications</entry>
 	    </row>
 
 	    <row>
 	      <entry>&a.hackers.name;</entry>
 	      <entry>General technical discussion</entry>
 	    </row>
 
 	    <row>
 	      <entry>&a.hardware.name;</entry>
 	      <entry>General discussion of hardware for running
 		FreeBSD</entry>
 	    </row>
 
 	    <row>
 	      <entry>&a.i18n.name;</entry>
 	      <entry>FreeBSD Internationalization</entry>
 	    </row>
 
 	    <row>
 	      <entry>&a.ia32.name;</entry>
 	      <entry>FreeBSD on the IA-32 (&intel; x86) platform</entry>
 	    </row>
 
 	    <row>
 	      <entry>&a.ia64.name;</entry>
 	      <entry>Porting FreeBSD to Intel's upcoming IA64 systems</entry>
 	    </row>
 
 	    <row>
 	      <entry>&a.ipfw.name;</entry>
 	      <entry>Technical discussion concerning the redesign of the IP
 		firewall code</entry>
 	    </row>
 
 	    <row>
 	      <entry>&a.isdn.name;</entry>
 	      <entry>ISDN developers</entry>
 	    </row>
 
 	    <row>
 	      <entry>&a.java.name;</entry>
 	      <entry>&java; developers and people porting &jdk;s to
 		FreeBSD</entry>
 	    </row>
 
 	    <row>
 	      <entry>&a.kde.name;</entry>
 	      <entry>Porting <application>KDE</application> and <application>KDE</application> applications</entry>
 	    </row>
 
 	    <row>
 	      <entry>&a.lfs.name;</entry>
 	      <entry>Porting LFS to FreeBSD</entry>
 	    </row>
 
 	    <row>
 	      <entry>&a.libh.name;</entry>
 	      <entry>The second generation installation and package
 	         system</entry>
 	    </row>
 
 	    <row>
 	      <entry>&a.mips.name;</entry>
 	      <entry>Porting FreeBSD to &mips;</entry>
 	    </row>
 
 	    <row>
 	      <entry>&a.mobile.name;</entry>
 	      <entry>Discussions about mobile computing</entry>
 	    </row>
 
 	    <row>
 	      <entry>&a.mozilla.name;</entry>
 	      <entry>Porting <application>Mozilla</application> to FreeBSD</entry>
 	    </row>
 
 	    <row>
 	      <entry>&a.multimedia.name;</entry>
 	      <entry>Multimedia applications</entry>
 	    </row>
 
 	    <row>
 	      <entry>&a.newbus.name;</entry>
 	      <entry>Technical discussions about bus architecture</entry>
 	    </row>
 
 	    <row>
 	      <entry>&a.net.name;</entry>
 	      <entry>Networking discussion and TCP/IP source code</entry>
 	    </row>
 
 	    <row>
 	      <entry>&a.openoffice.name;</entry>
 	      <entry>Porting <application>OpenOffice.org</application> and
 		<application>&staroffice;</application> to FreeBSD</entry>
 	    </row>
 
 	    <row>
 	      <entry>&a.performance.name;</entry>
 	      <entry>Performance tuning questions for high
 		performance/load installations</entry>
 	    </row>
 
 	    <row>
 	      <entry>&a.perl.name;</entry>
 	      <entry>Maintenance of a number of
 		<application>perl</application>-related ports</entry>
 	    </row>
 
 	    <row>
 	      <entry>&a.pf.name;</entry>
 	      <entry>Discussion and questions about the packet filter
 		firewall system</entry>
 	    </row>
 
 	    <row>
 	      <entry>&a.platforms.name;</entry>
 	      <entry>Concerning ports to non-Intel architecture
 		platforms</entry>
 	    </row>
 
 	    <row>
 	      <entry>&a.ports.name;</entry>
 	      <entry>Discussion of the ports collection</entry>
 	    </row>
 
 	    <row>
 	      <entry>&a.ports-bugs.name;</entry>
 	      <entry>Discussion of the ports bugs/PRs</entry>
 	    </row>
 
 	    <row>
 	      <entry>&a.ppc.name;</entry>
 	      <entry>Porting FreeBSD to the &powerpc;</entry>
 	    </row>
 
 	    <row>
 	      <entry>&a.qa.name;</entry>
 	      <entry>Discussion of Quality Assurance, usually pending a release</entry>
 	    </row>
 
 	    <row>
 	      <entry>&a.realtime.name;</entry>
 	      <entry>Development of realtime extensions to FreeBSD</entry>
 	    </row>
 
 	    <row>
 	      <entry>&a.scsi.name;</entry>
 	      <entry>The SCSI subsystem</entry>
 	    </row>
 
 	    <row>
 	      <entry>&a.security.name;</entry>
 	      <entry>Security issues affecting FreeBSD</entry>
 	    </row>
 
 	    <row>
 	      <entry>&a.small.name;</entry>
 	      <entry>Using FreeBSD in embedded applications</entry>
 	    </row>
 
 	    <row>
 	      <entry>&a.smp.name;</entry>
 	      <entry>Design discussions for [A]Symmetric
 		MultiProcessing</entry>
 	    </row>
 
 	    <row>
 	      <entry>&a.sparc.name;</entry>
 	      <entry>Porting FreeBSD to &sparc; based systems</entry>
 	    </row>
 
 	    <row>
 	      <entry>&a.standards.name;</entry>
 	      <entry>FreeBSD's conformance to the C99 and the &posix;
 		standards</entry>
 	    </row>
 
 	    <row>
 	      <entry>&a.threads.name;</entry>
 	      <entry>Threading in FreeBSD</entry>
 	    </row>
 
 	    <row>
 	      <entry>&a.testing.name;</entry>
 	      <entry>FreeBSD Performance and Stability Tests</entry>
 	    </row>
 
 	    <row>
 	      <entry>&a.tokenring.name;</entry>
 	      <entry>Support Token Ring in FreeBSD</entry>
 	    </row>
 
 	    <row>
 	      <entry>&a.usb.name;</entry>
 	      <entry>Discussing &os; support for USB</entry>
 	    </row>
 
 	    <row>
 	      <entry>&a.vuxml.name;</entry>
 	      <entry>Discussion on VuXML infrastructure</entry>
 	    </row>
 
 	    <row>
 	      <entry>&a.x11.name;</entry>
 	      <entry>Maintenance and support of X11 on FreeBSD</entry>
 	    </row>
 	  </tbody>
 	</tgroup>
       </informaltable>
 
       <para><emphasis>Limited lists:</emphasis> The following lists are for
 	more specialized (and demanding) audiences and are probably not of
         interest to the general public.  It is also a good idea to establish a
         presence in the technical lists before joining one of these limited
         lists so that you will understand the communications etiquette involved.</para>
 
-      <informaltable frame="none">
+      <informaltable frame="none" pgwide="1">
 	<tgroup cols="2">
 	  <thead>
 	    <row>
 	      <entry>List</entry>
 	      <entry>Purpose</entry>
 	    </row>
 	  </thead>
 
 	  <tbody>
 	    <row>
 	      <entry>&a.hubs.name;</entry>
 	      <entry>People running mirror sites (infrastructural
 		support)</entry>
 	    </row>
 
 	    <row>
 	      <entry>&a.usergroups.name;</entry>
 	      <entry>User group coordination</entry>
 	    </row>
 
 	    <row>
 	      <entry>&a.vendors.name;</entry>
 	      <entry>Vendors pre-release coordination</entry>
 	    </row>
 
 	    <row>
 	      <entry>&a.www.name;</entry>
 	      <entry>Maintainers of <ulink url="&url.base;/index.html">www.FreeBSD.org</ulink></entry>
 	    </row>
 	  </tbody>
 	</tgroup>
       </informaltable>
 
       <para><emphasis>Digest lists:</emphasis> All of the above lists
 	are available in a digest format.  Once subscribed to a list,
 	you can change your digest options in your account options
 	section.</para>
 
       <para><emphasis>CVS lists:</emphasis> The following lists are for people
 	interested in seeing the log messages for changes to various areas of
 	the source tree.  They are <emphasis>Read-Only</emphasis> lists and
 	should not have mail sent to them.</para>
 
-      <informaltable frame="none">
+      <informaltable frame="none" pgwide="1">
 	<tgroup cols="3">
 	  <thead>
 	    <row>
 	      <entry>List</entry>
 	      <entry>Source area</entry>
 	      <entry>Area Description (source for)</entry>
 	    </row>
 	  </thead>
 
 	  <tbody>
 	    <row>
 	      <entry>&a.cvsall.name;</entry>
 	      <entry><filename>/usr/(CVSROOT|doc|ports|projects|src)</filename></entry>
 	      <entry>All changes to any place in the tree (superset of other cvs commit lists)</entry>
 	    </row>
 
 	    <row>
 	      <entry>&a.cvs-doc.name;</entry>
 	      <entry><filename>/usr/(doc|www)</filename></entry>
 	      <entry>All changes to the doc and www trees</entry>
 	    </row>
 
 	    <row>
 	      <entry>&a.cvs-ports.name;</entry>
 	      <entry><filename>/usr/ports</filename></entry>
 	      <entry>All changes to the ports tree</entry>
 	    </row>
 
 	    <row>
 	      <entry>&a.cvs-projects.name;</entry>
 	      <entry><filename>/usr/projects</filename></entry>
 	      <entry>All changes to the projects tree</entry>
 	    </row>
 
 	    <row>
 	      <entry>&a.cvs-src.name;</entry>
 	      <entry><filename>/usr/src</filename></entry>
 	      <entry>All changes to the src tree</entry>
 	    </row>
 	  </tbody>
 	</tgroup>
       </informaltable>
     </sect2>
 
     <sect2 id="eresources-subscribe">
       <title>How to Subscribe</title>
 
       <para>To subscribe to a list, click on the list name above or
         go to &a.mailman.lists.link;
         and click on the list that you are interested in.  The list
         page should contain all of the necessary subscription
         instructions.</para>
 
       <para>To actually post to a given list you simply send mail to
 	&lt;<replaceable>listname</replaceable>@FreeBSD.org&gt;.  It will then
 	be redistributed to mailing list members world-wide.</para>
 
       <para>To unsubscribe yourself from a list, click on the URL
 	found at the bottom of every email received from the list.  It
 	is also possible to send an email to
 	freebsd-[listname]-unsubscribe@FreeBSD.org to unsubscribe
 	yourself.</para>
 
       <para>Again, we would like to request that you keep discussion in the
 	technical mailing lists on a technical track. If you are only
 	interested in important announcements then it is suggested that
 	you join the &a.announce;, which is intended only for infrequent
 	traffic.</para>
     </sect2>
 
     <sect2 id="eresources-charters">
       <title>List Charters</title>
 
       <para><emphasis>All</emphasis> FreeBSD mailing lists have certain basic
 	rules which must be adhered to by anyone using them. Failure to comply
 	with these guidelines will result in two (2) written warnings from the
 	FreeBSD Postmaster <email>postmaster@FreeBSD.org</email>, after which,
 	on a third offense, the poster will removed from all FreeBSD mailing
 	lists and filtered from further posting to them. We regret that such
 	rules and measures are necessary at all, but today's Internet is a
 	pretty harsh environment, it would seem, and many fail to appreciate
 	just how fragile some of its mechanisms are.</para>
 
       <para>Rules of the road:</para>
 
       <itemizedlist>
 	<listitem>
 	  <para>The topic of any posting should adhere to the basic charter of
 	    the list it is posted to, e.g. if the list is about technical
 	    issues then your posting should contain technical discussion.
 	    Ongoing irrelevant chatter or flaming only detracts from the value
 	    of the mailing list for everyone on it and will not be tolerated.
 	    For free-form discussion on no particular topic, the &a.chat;
 	    is freely available and should be used instead.</para>
 	</listitem>
 
 	<listitem>
 	  <para>No posting should be made to more than 2 mailing lists, and
 	    only to 2 when a clear and obvious need to post to both lists
 	    exists.  For most lists, there is already a great deal of
 	    subscriber overlap and except for the most esoteric mixes (say
 	    <quote>-stable &amp; -scsi</quote>), there really is no reason to post to more
 	    than one list at a time.  If a message is sent to you in such a
 	    way that multiple mailing lists appear on the
 	    <literal>Cc</literal> line then the <literal>Cc</literal>
 	    line should also be trimmed before sending it out again.
 	    <emphasis>You are still responsible for your
 	      own cross-postings, no matter who the originator might have
 	      been.</emphasis></para>
 	</listitem>
 
 	<listitem>
 	  <para>Personal attacks and profanity (in the context of an argument)
 	    are not allowed, and that includes users and developers alike.
 	    Gross breaches of netiquette, like excerpting or reposting private
 	    mail when permission to do so was not and would not be
 	    forthcoming, are frowned upon but not specifically enforced.
 	    <emphasis>However</emphasis>, there are also very few cases where
 	    such content would fit within the charter of a list and it would
 	    therefore probably rate a warning (or ban) on that basis
 	    alone.</para>
 	</listitem>
 
 	<listitem>
 	  <para>Advertising of non-FreeBSD related products or services is
 	    strictly prohibited and will result in an immediate ban if it is
 	    clear that the offender is advertising by spam.</para>
 	</listitem>
       </itemizedlist>
 
       <para><emphasis>Individual list charters:</emphasis></para>
 
       <variablelist>
 
 	<varlistentry>
 	  <term>&a.acpi.name;</term>
 
 	  <listitem>
 	    <para><emphasis>ACPI and power management
 	       development</emphasis></para>
 	  </listitem>
 	</varlistentry>
 
 	<varlistentry>
 	  <term>&a.afs.name;</term>
 
 	  <listitem>
 	    <para><emphasis>Andrew File System</emphasis></para>
 
 	    <para>This list is for discussion on porting and using AFS from
 	      CMU/Transarc</para>
 	  </listitem>
 	</varlistentry>
 
 	<varlistentry>
 	  <term>&a.announce.name;</term>
 
 	  <listitem>
 	    <para><emphasis>Important events / milestones</emphasis></para>
 
 	    <para>This is the mailing list for people interested only in
 	      occasional announcements of significant FreeBSD events. This
 	      includes announcements about snapshots and other releases.  It
 	      contains announcements of new FreeBSD capabilities.  It may
 	      contain calls for volunteers etc. This is a low volume, strictly
 	      moderated mailing list.</para>
 	  </listitem>
 	</varlistentry>
 
 	<varlistentry>
 	  <term>&a.arch.name;</term>
 
 	  <listitem>
 	    <para><emphasis>Architecture and design
 		discussions</emphasis></para>
 
             <para>This list is for discussion of the FreeBSD
 	      architecture.  Messages will mostly be kept strictly
 	      technical in nature.  Examples of suitable topics
 	      are:</para>
 
 	    <itemizedlist>
 	      <listitem>
 		<para>How to re-vamp the build system to have several
 		  customized builds running at the same time.</para>
 	      </listitem>
 
 	      <listitem>
 		<para>What needs to be fixed with VFS to make Heidemann layers
 		  work.</para>
 		</listitem>
 
 	      <listitem>
 		<para>How do we change the device driver interface to be able
 		  to use the same drivers cleanly on many buses and
 		  architectures.</para>
 	      </listitem>
 
 	      <listitem>
 		<para>How to write a network driver.</para>
 	      </listitem>
 	    </itemizedlist>
 	  </listitem>
 	</varlistentry>
 
 	<varlistentry>
 	  <term>&a.audit.name;</term>
 
 	  <listitem>
 	    <para><emphasis>Source code audit project</emphasis></para>
 
 	    <para>This is the mailing list for the FreeBSD source code
 	      audit project.  Although this was originally intended for
 	      security-related changes, its charter has been expanded to
 	      review any code changes.</para>
 
 	    <para>This list is very heavy on patches, and is probably of no
 	      interest to the average FreeBSD user.  Security discussions
 	      not related to a particular code change are held on
 	      freebsd-security.  Conversely, all developers are encouraged
 	      to send their patches here for review, especially if they
 	      touch a part of the system where a bug may adversely affect
 	      the integrity of the system.</para>
 
 <!-- I can't actually find a charter for this, but there's this email: http://www.FreeBSD.org/cgi/getmsg.cgi?fetch=223347+225804+/usr/local/www/db/text/2000/cvs-all/20001210.cvs-all -->
 	  </listitem>
 	</varlistentry>
 
 	<varlistentry>
 	  <term>&a.binup.name;</term>
 
 	  <listitem>
 	    <para><emphasis>FreeBSD Binary Update Project</emphasis></para>
 
 	    <para>This list exists to provide discussion for the binary
 	      update system, or <application>binup</application>.
 	      Design issues, implementation details,
 	      patches, bug reports, status reports, feature requests, commit
 	      logs, and all other things related to
 	      <application>binup</application> are fair game.</para>
 	  </listitem>
 	</varlistentry>
 
 	<varlistentry>
 	  <term>&a.bugbusters.name;</term>
 
 	  <listitem>
 	    <para><emphasis>Coordination of the Problem Report handling effort</emphasis></para>
 
 	    <para>The purpose of this list is to serve as a coordination and
 	      discussion forum for the Bugmeister, his Bugbusters, and any other
 	      parties who have a genuine interest in the PR database.  This list
 	      is not for discussions about specific bugs, patches or PRs.</para>
 	  </listitem>
 	</varlistentry>
 
 	<varlistentry>
 	  <term>&a.bugs.name;</term>
 
 	  <listitem>
 	    <para><emphasis>Bug reports</emphasis></para>
 
 	    <para>This is the mailing list for reporting bugs in FreeBSD.
 	      Whenever possible, bugs should be submitted using the
 		&man.send-pr.1;
 	      command or the <ulink
 		url="&url.base;/send-pr.html">WEB
 		interface</ulink> to it.</para>
 	  </listitem>
 	</varlistentry>
 
 	<varlistentry>
 	  <term>&a.chat.name;</term>
 
 	  <listitem>
 	    <para><emphasis>Non technical items related to the FreeBSD
 		community</emphasis></para>
 
 	    <para>This list contains the overflow from the other lists about
 	      non-technical, social information.  It includes discussion about
 	      whether Jordan looks like a toon ferret or not, whether or not
 	      to type in capitals, who is drinking too much coffee, where the
 	      best beer is brewed, who is brewing beer in their basement, and
 	      so on.  Occasional announcements of important events (such as
 	      upcoming parties, weddings, births, new jobs, etc) can be made
 	      to the technical lists, but the follow ups should be directed to
 	      this -chat list.</para>
 	  </listitem>
 	</varlistentry>
 
 	<varlistentry>
 	  <term>&a.core.name;</term>
 
 	  <listitem>
 	    <para><emphasis>FreeBSD core team</emphasis></para>
 
 	    <para>This is an internal mailing list for use by the core
 	      members.  Messages can be sent to it when a serious
 	      FreeBSD-related matter requires arbitration or high-level
 	      scrutiny.</para>
 	  </listitem>
 	</varlistentry>
 
 	<varlistentry>
 	  <term>&a.current.name;</term>
 
 	  <listitem>
 	    <para><emphasis>Discussions about the use of
 		&os.current;</emphasis></para>
 
 	    <para>This is the mailing list for users of &os.current;.  It
 	      includes warnings about new features coming out in -CURRENT that
 	      will affect the users, and instructions on steps that must be
 	      taken to remain -CURRENT.  Anyone running <quote>CURRENT</quote>
 	      must subscribe to this list.  This is a technical mailing list
 	      for which strictly technical content is expected.</para>
 	  </listitem>
 	</varlistentry>
 
 	<varlistentry>
 	  <term>&a.cvsweb.name;</term>
 
 	  <listitem>
 	    <para><emphasis>FreeBSD CVSweb Project</emphasis></para>
 
 	    <para>Technical discussions about use, development and maintenance
 	      of FreeBSD-CVSweb.</para>
 	  </listitem>
 	</varlistentry>
 
 	<varlistentry>
 	  <term>&a.doc.name;</term>
 
 	  <listitem>
 	    <para><emphasis>Documentation project</emphasis></para>
 
 	    <para>This mailing list is for the discussion of issues and
 	      projects related to the creation of documentation for FreeBSD.
 	      The members of this mailing list are collectively referred to as
 	      <quote>The FreeBSD Documentation Project</quote>.  It is an open
 	      list; feel free to join and contribute!</para>
 	  </listitem>
 	</varlistentry>
 
 	<varlistentry>
 	  <term>&a.firewire.name;</term>
 
 	  <listitem>
 	    <para><emphasis>&firewire; (iLink, IEEE 1394)</emphasis></para>
 
 	    <para>This is a mailing list for discussion of the design
 	      and implementation of a &firewire; (aka IEEE 1394 aka
 	      iLink) subsystem for FreeBSD.  Relevant topics
 	      specifically include the standards, bus devices and
 	      their protocols, adapter boards/cards/chips sets, and
 	      the architecture and implementation of code for their
 	      proper support.</para>
 	  </listitem>
 	</varlistentry>
 
 	<varlistentry>
 	  <term>&a.fs.name;</term>
 
 	  <listitem>
 	    <para><emphasis>File systems</emphasis></para>
 
 	    <para>Discussions concerning FreeBSD file systems.  This is a
 	      technical mailing list for which strictly technical content is
 	      expected.</para>
 	  </listitem>
 	</varlistentry>
 
 	<varlistentry>
 	  <term>&a.geom.name;</term>
 
 	  <listitem>
 	    <para><emphasis>GEOM</emphasis></para>
 
 	    <para>Discussions specific to GEOM and related implementations.
 	      This is a technical mailing list for which strictly technical
 	      content is expected.</para>
 	  </listitem>
 	</varlistentry>
 
 	<varlistentry>
 	  <term>&a.gnome.name;</term>
 
 	  <listitem>
 	    <para><emphasis>GNOME</emphasis></para>
 
 	    <para>Discussions concerning The <application>GNOME</application> Desktop Environment for
               FreeBSD systems.  This is a technical mailing list for
 	      which strictly technical content is expected.</para>
 	  </listitem>
 	</varlistentry>
 
 	<varlistentry>
 	  <term>&a.ipfw.name;</term>
 
 	  <listitem>
 	    <para><emphasis>IP Firewall</emphasis></para>
 
 	    <para>This is the forum for technical discussions concerning the
 	      redesign of the IP firewall code in FreeBSD.  This is a
 	      technical mailing list for which strictly technical content is
 	      expected.</para>
 	  </listitem>
 	</varlistentry>
 
 	<varlistentry>
 	  <term>&a.ia64.name;</term>
 
 	  <listitem>
 	    <para><emphasis>Porting FreeBSD to IA64</emphasis></para>
 
 	    <para>This is a technical mailing list for individuals
             actively working on porting FreeBSD to the IA-64 platform
             from Intel, to bring up problems or discuss alternative
             solutions.  Individuals interested in following the
             technical discussion are also welcome.</para>
 	  </listitem>
 	</varlistentry>
 
 	<varlistentry>
 	  <term>&a.isdn.name;</term>
 
 	  <listitem>
 	    <para><emphasis>ISDN Communications</emphasis></para>
 
 	    <para>This is the mailing list for people discussing the
 	      development of ISDN support for FreeBSD.</para>
 	  </listitem>
 	</varlistentry>
 
 	<varlistentry>
 	  <term>&a.java.name;</term>
 
 	  <listitem>
 	    <para><emphasis>&java; Development</emphasis></para>
 
 	    <para>This is the mailing list for people discussing the
 	      development of significant &java; applications for FreeBSD and the
 	      porting and maintenance of &jdk;s.</para>
 	  </listitem>
 	</varlistentry>
 
 	<varlistentry id="eresources-charters-jobs">
 	  <term>&a.jobs.name;</term>
 
 	  <listitem>
 	    <para><emphasis>Jobs offered and sought</emphasis></para>
 
 	    <para>This is a forum for posting employment notices and
 	      resumes specifically related to &os;, e.g. if you're
 	      seeking &os;-related employment or have a job involving
 	      &os; to advertise then this is the right place.  This is
 	      <emphasis>not</emphasis> a mailing list for general
 	      employment issues since adequate forums for that
 	      already exist elsewhere.</para>
 
 	    <para>Note that this list, like other FreeBSD.org mailing
 	      lists, is distributed worldwide.  Thus, you need to be
 	      clear about location and the extent to which
 	      telecommuting or assistance with relocation is
 	      available.</para>
 
 	    <para>Email should use open formats only &mdash;
 	      preferably plain text, but basic Portable Document
 	      Format (<acronym>PDF</acronym>), HTML, and a few others
 	      are acceptable to many readers.  Closed formats such as
 	      &microsoft; Word (<filename>.doc</filename>) will be
 	      rejected by the mailing list server.</para>
 	  </listitem>
 	</varlistentry>
 
 	<varlistentry>
 	  <term>&a.kde.name;</term>
 
 	  <listitem>
 	    <para><emphasis>KDE</emphasis></para>
 
 	    <para>Discussions concerning <application>KDE</application> on
               FreeBSD systems.  This is a technical mailing list for
 	      which strictly technical content is expected.</para>
 	  </listitem>
 	</varlistentry>
 
 	<varlistentry>
 	  <term>&a.hackers.name;</term>
 
 	  <listitem>
 	    <para><emphasis>Technical discussions</emphasis></para>
 
 	    <para>This is a forum for technical discussions related to
 	      FreeBSD.  This is the primary technical mailing list.  It is for
 	      individuals actively working on FreeBSD, to bring up problems or
 	      discuss alternative solutions.  Individuals interested in
 	      following the technical discussion are also welcome.  This is a
 	      technical mailing list for which strictly technical content is
 	      expected.</para>
 	  </listitem>
 	</varlistentry>
 
 	<varlistentry>
 	  <term>&a.hardware.name;</term>
 
 	  <listitem>
 	    <para><emphasis>General discussion of FreeBSD
 		hardware</emphasis></para>
 
 	    <para>General discussion about the types of hardware that FreeBSD
 	      runs on, various problems and suggestions concerning what to buy
 	      or avoid.</para>
 	  </listitem>
 	</varlistentry>
 
 	<varlistentry>
 	  <term>&a.hubs.name;</term>
 
 	  <listitem>
 	    <para><emphasis>Mirror sites</emphasis></para>
 
 	    <para>Announcements and discussion for people who run FreeBSD
 	      mirror sites.</para>
 	  </listitem>
 	</varlistentry>
 
 	<varlistentry>
 	  <term>&a.isp.name;</term>
 
 	  <listitem>
 	    <para><emphasis>Issues for Internet Service
 		Providers</emphasis></para>
 
 	    <para>This mailing list is for discussing topics relevant to
 	      Internet Service Providers (ISPs) using FreeBSD.  This is a
 	      technical mailing list for which strictly technical content is
 	      expected.</para>
 	  </listitem>
 	</varlistentry>
 
 	<varlistentry>
 	  <term>&a.newbies.name;</term>
 
 	  <listitem>
 	    <para><emphasis>Newbies activities discussion</emphasis></para>
 
 	    <para>We cover any of the activities of newbies that are not
 	      already dealt with elsewhere, including: independent learning
 	      and problem solving techniques, finding and using resources and
 	      asking for help elsewhere, how to use mailing lists and which
 	      lists to use, general chat, making mistakes, boasting, sharing
 	      ideas, stories, moral (but not technical) support, and taking an
 	      active part in the FreeBSD community.  We take our problems and
 	      support questions to freebsd-questions, and use freebsd-newbies
 	      to meet others who are doing the same things that we do as
 	      newbies.</para>
 	  </listitem>
 	</varlistentry>
 
 	<varlistentry>
 	  <term>&a.openoffice.name;</term>
 
 	  <listitem>
 	    <para><emphasis>OpenOffice.org</emphasis></para>
 
 	    <para>Discussions concerning the porting and maintenance
 	      of <application>OpenOffice.org</application> and
 	      <application>&staroffice;</application>.</para>
 	   </listitem>
 	</varlistentry>
 
 	<varlistentry>
 	  <term>&a.performance.name;</term>
 
 	  <listitem>
 	    <para><emphasis>Discussions about tuning or speeding up FreeBSD</emphasis></para>
 
 	    <para>This mailing list exists to provide a place for
 	      hackers, administrators, and/or concerned parties to
 	      discuss performance related topics pertaining to
 	      FreeBSD.  Acceptable topics includes talking about
 	      FreeBSD installations that are either under high load,
 	      are experiencing performance problems, or are pushing
 	      the limits of FreeBSD.  Concerned parties that are
 	      willing to work toward improving the performance of
 	      FreeBSD are highly encouraged to subscribe to this list.
 	      This is a highly technical list ideally suited for
 	      experienced FreeBSD users, hackers, or administrators
 	      interested in keeping FreeBSD fast, robust, and
 	      scalable.  This list is not a question-and-answer list
 	      that replaces reading through documentation, but it is a
 	      place to make contributions or inquire about unanswered
 	      performance related topics.</para>
 
 	  </listitem>
 	</varlistentry>
 
 	<varlistentry>
 	  <term>&a.pf.name;</term>
 
 	  <listitem>
 	    <para><emphasis>Discussion and questions about the packet filter
 		firewall system</emphasis></para>
 
 	    <para>Discussion concerning the packet filter (pf) firewall
 	      system in terms of FreeBSD. Technical discussion and user
 	      questions are both welcome. This list is also a place to
 	      discuss the ALTQ QoS framework.</para>
 
 	  </listitem>
 	</varlistentry>
 
 	<varlistentry>
 	  <term>&a.platforms.name;</term>
 
 	  <listitem>
 	    <para><emphasis>Porting to Non Intel platforms</emphasis></para>
 
 	    <para>Cross-platform FreeBSD issues, general discussion and
 	      proposals for non Intel FreeBSD ports.  This is a technical
 	      mailing list for which strictly technical content is
 	      expected.</para>
 	  </listitem>
 	</varlistentry>
 
 	<varlistentry>
 	  <term>&a.policy.name;</term>
 
 	  <listitem>
 	    <para><emphasis>Core team policy decisions</emphasis></para>
 
 	    <para>This is a low volume, read-only mailing list for FreeBSD
 	      Core Team Policy decisions.</para>
 	  </listitem>
 	</varlistentry>
 
 	<varlistentry>
 	  <term>&a.ports.name;</term>
 
 	  <listitem>
 	    <para><emphasis>Discussion of
 		<quote>ports</quote></emphasis></para>
 
 	    <para>Discussions concerning FreeBSD's <quote>ports
 	      collection</quote> (<filename>/usr/ports</filename>), ports infrastructure, and
 	      general ports coordination efforts.  This is a technical mailing list
 	      for which strictly technical content is expected.</para>
 	  </listitem>
 	</varlistentry>
 
 	<varlistentry>
 	  <term>&a.ports-bugs.name;</term>
 
 	  <listitem>
 	    <para><emphasis>Discussion of
 		<quote>ports</quote> bugs</emphasis></para>
 
 	    <para>Discussions concerning problem reports for FreeBSD's <quote>ports
 	      collection</quote> (<filename>/usr/ports</filename>), proposed
 	      ports, or modifications to ports.  This is a technical mailing list
 	      for which strictly technical content is expected.</para>
 	  </listitem>
 	</varlistentry>
 
 	<varlistentry>
 	  <term>&a.questions.name;</term>
 
 	  <listitem>
 	    <para><emphasis>User questions</emphasis></para>
 
 	    <para>This is the mailing list for questions about FreeBSD.  You
 	      should not send <quote>how to</quote> questions to the technical
 	      lists unless you consider the question to be pretty
 	      technical.</para>
 	  </listitem>
 	</varlistentry>
 
 	<varlistentry>
 	  <term>&a.scsi.name;</term>
 
 	  <listitem>
 	    <para><emphasis>SCSI subsystem</emphasis></para>
 
 	    <para>This is the mailing list for people working on the SCSI
 	      subsystem for FreeBSD.  This is a technical mailing list for
 	      which strictly technical content is expected.</para>
 	  </listitem>
 	</varlistentry>
 
 	<varlistentry>
 	  <term>&a.security.name;</term>
 
 	  <listitem>
 	    <para><emphasis>Security issues</emphasis></para>
 
 	    <para>FreeBSD computer security issues (DES, Kerberos, known
 	      security holes and fixes, etc).  This is a technical mailing
 	      list for which strictly technical discussion is expected. Note
 	      that this is not a question-and-answer list, but that
 	      contributions (BOTH question AND answer) to the FAQ are
 	      welcome.</para>
 	  </listitem>
 	</varlistentry>
 
 	<varlistentry>
 	  <term>&a.security-notifications.name;</term>
 
 	  <listitem>
 	    <para><emphasis>Security Notifications</emphasis></para>
 
 	    <para>Notifications of FreeBSD security problems and
 	      fixes. This is not a discussion list.  The discussion
 	      list is FreeBSD-security.</para>
 	  </listitem>
 	</varlistentry>
 
 	<varlistentry>
 	  <term>&a.small.name;</term>
 
 	  <listitem>
 	    <para><emphasis>Using FreeBSD in embedded
 	      applications</emphasis></para>
 
 	    <para>This list discusses topics related to unusually small and
 	      embedded FreeBSD installations.  This is a technical mailing
 	      list for which strictly technical content is expected.</para>
 	  </listitem>
 	</varlistentry>
 
 	<varlistentry>
 	  <term>&a.stable.name;</term>
 
 	  <listitem>
 	    <para><emphasis>Discussions about the use of
 		&os.stable;</emphasis></para>
 
 	    <para>This is the mailing list for users of &os.stable;.  It
 	      includes warnings about new features coming out in -STABLE that
 	      will affect the users, and instructions on steps that must be
 	      taken to remain -STABLE.  Anyone running <quote>STABLE</quote>
 	      should subscribe to this list.  This is a technical mailing list
 	      for which strictly technical content is expected.</para>
 	  </listitem>
 	</varlistentry>
 
 	<varlistentry>
 	  <term>&a.standards.name;</term>
 
 	  <listitem>
 	    <para><emphasis>C99 &amp; POSIX Conformance</emphasis></para>
 
 	    <para>This is a forum for technical discussions related to
 	      FreeBSD Conformance to the C99 and the POSIX standards.</para>
 	  </listitem>
 	</varlistentry>
 
 	<varlistentry>
 	  <term>&a.usb.name;</term>
 
 	  <listitem>
 	    <para><emphasis>Discussing &os; support for
 	      USB</emphasis></para>
 
 	    <para>This is a mailing list for technical discussions
 	      related to &os; support for USB.</para>
 	  </listitem>
 	</varlistentry>
 
 	<varlistentry>
 	  <term>&a.usergroups.name;</term>
 
 	  <listitem>
 	    <para><emphasis>User Group Coordination List</emphasis></para>
 
 	    <para>This is the mailing list for the coordinators from each of
 	      the  local area Users Groups to discuss matters with each other
 	      and a  designated individual from the Core Team.  This mail list
 	      should be limited to meeting synopsis and coordination of
 	      projects that span User Groups.</para>
 	  </listitem>
 	</varlistentry>
 
 	<varlistentry>
 	  <term>&a.vendors.name;</term>
 
 	  <listitem>
 	    <para><emphasis>Vendors</emphasis></para>
 
 	    <para>Coordination discussions between The FreeBSD Project and
 	      Vendors of software and hardware for FreeBSD.</para>
 	  </listitem>
 	</varlistentry>
 
       </variablelist>
     </sect2>
     <sect2 id="eresources-mailfiltering">
       <title>Filtering on the Mailing Lists</title>
 
       <para>The &os; mailing lists are filtered in multiple ways to
         avoid the distribution of spam, viruses, and other unwanted emails.
         The filtering actions described in this section do not include all
         those used to protect the mailing lists.</para>
 
       <para>Only certain types of attachments are allowed on the
 	mailing lists.  All attachments with a MIME content type not
 	found in the list below will be stripped before an email is
 	distributed on the mailing lists.</para>
 
       <itemizedlist>
 	<listitem>
 	  <para>application/octet-stream</para>
 	</listitem>
 
 	<listitem>
 	  <para>application/pdf</para>
 	</listitem>
 
 	<listitem>
 	  <para>application/pgp-signature</para>
 	</listitem>
 
 	<listitem>
 	  <para>application/x-pkcs7-signature</para>
 	</listitem>
 
 	<listitem>
 	  <para>message/rfc822</para>
 	</listitem>
 
 	<listitem>
 	  <para>multipart/alternative</para>
 	</listitem>
 
 	<listitem>
 	  <para>multipart/related</para>
 	</listitem>
 
 	<listitem>
 	  <para>multipart/signed</para>
 	</listitem>
 
 	<listitem>
 	  <para>text/html</para>
 	</listitem>
 
 	<listitem>
 	  <para>text/plain</para>
 	</listitem>
 
 	<listitem>
 	  <para>text/x-diff</para>
 	</listitem>
 
 	<listitem>
 	  <para>text/x-patch</para>
 	</listitem>
       </itemizedlist>
 
       <note>
 	<para>Some of the mailing lists might allow attachments of
 	  other MIME content types, but the above list should be
 	  applicable for most of the mailing lists.</para>
       </note>
 
       <para>If an email contains both an HTML and a plain text version,
 	the HTML version will be removed.  If an email contains only an
 	HTML version, it will be converted to plain text.</para>
     </sect2>
   </sect1>
 
   <sect1 id="eresources-news">
     <title>Usenet Newsgroups</title>
 
     <para>In addition to two FreeBSD specific newsgroups, there are many
       others in which FreeBSD is discussed or are otherwise relevant to
       FreeBSD users.  <ulink
 	url="http://minnie.tuhs.org/BSD-info/bsdnews_search.html">Keyword
 	searchable archives</ulink> are available for some of these newsgroups
       from courtesy of Warren Toomey <email>wkt@cs.adfa.edu.au</email>.</para>
 
     <sect2>
       <title>BSD Specific Newsgroups</title>
 
       <itemizedlist>
 	<listitem>
 	  <para><ulink
 	      url="news:comp.unix.bsd.freebsd.announce">comp.unix.bsd.freebsd.announce</ulink></para>
 	</listitem>
 
 	<listitem>
 	  <para><ulink
 	      url="news:comp.unix.bsd.freebsd.misc">comp.unix.bsd.freebsd.misc</ulink></para>
 	</listitem>
 
 	<listitem>
 	  <para><ulink
 	      url="news:de.comp.os.unix.bsd">de.comp.os.unix.bsd</ulink> (German)</para>
 	</listitem>
 
 	<listitem>
 	  <para><ulink
 	    url="news:fr.comp.os.bsd">fr.comp.os.bsd</ulink> (French)</para>
 	</listitem>
 
 	<listitem>
 	  <para><ulink
 	    url="news:it.comp.os.freebsd">it.comp.os.freebsd</ulink> (Italian)</para>
 	</listitem>
       </itemizedlist>
     </sect2>
 
     <sect2>
       <title>Other &unix; Newsgroups of Interest</title>
 
       <itemizedlist>
 	<listitem>
 	  <para><ulink url="news:comp.unix">comp.unix</ulink></para>
 	</listitem>
 
 	<listitem>
 	  <para><ulink
 	      url="news:comp.unix.questions">comp.unix.questions</ulink></para>
 	</listitem>
 
 	<listitem>
 	  <para><ulink
 	      url="news:comp.unix.admin">comp.unix.admin</ulink></para>
 	</listitem>
 
 	<listitem>
 	  <para><ulink
 	      url="news:comp.unix.programmer">comp.unix.programmer</ulink></para>
 	</listitem>
 
 	<listitem>
 	  <para><ulink
 	      url="news:comp.unix.shell">comp.unix.shell</ulink></para>
 	</listitem>
 
 	<listitem>
 	  <para><ulink
 	      url="news:comp.unix.user-friendly">comp.unix.user-friendly</ulink></para>
 	</listitem>
 
 	<listitem>
 	  <para><ulink
 	      url="news:comp.security.unix">comp.security.unix</ulink></para>
 	</listitem>
 
 	<listitem>
 	  <para><ulink
 	      url="news:comp.sources.unix">comp.sources.unix</ulink></para>
 	</listitem>
 
 	<listitem>
 	  <para><ulink
 	      url="news:comp.unix.advocacy">comp.unix.advocacy</ulink></para>
 	</listitem>
 
 	<listitem>
 	  <para><ulink
 	      url="news:comp.unix.misc">comp.unix.misc</ulink></para>
 	</listitem>
 
 	<listitem>
 	  <para><ulink
 	      url="news:comp.bugs.4bsd">comp.bugs.4bsd</ulink></para>
 	</listitem>
 
 	<listitem>
 	  <para><ulink
 	      url="news:comp.bugs.4bsd.ucb-fixes">comp.bugs.4bsd.ucb-fixes</ulink></para>
 	</listitem>
 
 	<listitem>
 	  <para><ulink
 	      url="news:comp.unix.bsd">comp.unix.bsd</ulink></para>
 	</listitem>
       </itemizedlist>
     </sect2>
 
     <sect2>
       <title>X Window System</title>
 
       <itemizedlist>
 	<listitem>
 	  <para><ulink
 	      url="news:comp.windows.x.i386unix">comp.windows.x.i386unix</ulink></para>
 	</listitem>
 
 	<listitem>
 	  <para><ulink
 	      url="news:comp.windows.x">comp.windows.x</ulink></para>
 	</listitem>
 
 	<listitem>
 	  <para><ulink
 	      url="news:comp.windows.x.apps">comp.windows.x.apps</ulink></para>
 	</listitem>
 
 	<listitem>
 	  <para><ulink
 	      url="news:comp.windows.x.announce">comp.windows.x.announce</ulink></para>
 	</listitem>
 
 	<listitem>
 	  <para><ulink
 	      url="news:comp.windows.x.intrinsics">comp.windows.x.intrinsics</ulink></para>
 	</listitem>
 
 	<listitem>
 	  <para><ulink
 	      url="news:comp.windows.x.motif">comp.windows.x.motif</ulink></para>
 	</listitem>
 
 	<listitem>
 	  <para><ulink
 	      url="news:comp.windows.x.pex">comp.windows.x.pex</ulink></para>
 	</listitem>
 
 	<listitem>
 	  <para><ulink
 	      url="news:comp.emulators.ms-windows.wine">comp.emulators.ms-windows.wine</ulink></para>
 	</listitem>
       </itemizedlist>
     </sect2>
   </sect1>
 
   <sect1 id="eresources-web">
     <title>World Wide Web Servers</title>
 
     &chap.eresources.www.inc;
   </sect1>
 
   <sect1 id="eresources-email">
     <title>Email Addresses</title>
 
     <para>The following user groups provide FreeBSD related email addresses
       for their members.  The listed administrator reserves the right to
       revoke the address if it is abused in any way.</para>
 
-    <informaltable frame="none">
+    <informaltable frame="none" pgwide="1">
       <tgroup cols="4">
         <thead>
 	  <row>
 	    <entry>Domain</entry>
 	    <entry>Facilities</entry>
 	    <entry>User Group</entry>
 	    <entry>Administrator</entry>
           </row>
 	</thead>
 
 	<tbody>
 	  <row>
 	    <entry>ukug.uk.FreeBSD.org</entry>
 	    <entry>Forwarding only</entry>
 	    <entry><email>freebsd-users@uk.FreeBSD.org</email></entry>
 	    <entry>Lee Johnston
 	      <email>lee@uk.FreeBSD.org</email></entry>
 	  </row>
 	</tbody>
       </tgroup>
     </informaltable>
   </sect1>
 
   <sect1 id="eresources-shell">
     <title>Shell Accounts</title>
 
     <para>The following user groups provide shell accounts for people who are
       actively supporting the FreeBSD project.  The listed administrator
       reserves the right to cancel the account if it is abused in any
       way.</para>
 
-    <informaltable frame="none">
+    <informaltable frame="none" pgwide="1">
       <tgroup cols="4">
 	<thead>
 	  <row>
 	    <entry>Host</entry>
 	    <entry>Access</entry>
 	    <entry>Facilities</entry>
 	    <entry>Administrator</entry>
           </row>
 	</thead>
 
 	<tbody>
 	  <row>
 	    <entry>storm.uk.FreeBSD.org</entry>
 	    <entry>SSH only</entry>
 	    <entry>Read-only cvs, personal web space, email</entry>
 	    <entry>&a.brian;</entry>
           </row>
 
 	  <row>
 	    <entry>dogma.freebsd-uk.eu.org</entry>
 	    <entry>Telnet/FTP/SSH</entry>
 	    <entry>Email, Web space, Anonymous FTP</entry>
             <entry>Lee Johnston
 		<email>lee@uk.FreeBSD.org</email></entry>
 	  </row>
 	</tbody>
       </tgroup>
     </informaltable>
   </sect1>
 </appendix>
 
 <!--
      Local Variables:
      mode: sgml
      sgml-declaration: "../appendix.decl"
      sgml-indent-data: t
      sgml-omittag: nil
      sgml-always-quote-attributes: t
      sgml-parent-document: ("../book.sgml" "part" "appendix")
      End:
 -->
diff --git a/en_US.ISO8859-1/books/handbook/l10n/chapter.sgml b/en_US.ISO8859-1/books/handbook/l10n/chapter.sgml
index a0f41f69c4..c6ce089552 100644
--- a/en_US.ISO8859-1/books/handbook/l10n/chapter.sgml
+++ b/en_US.ISO8859-1/books/handbook/l10n/chapter.sgml
@@ -1,962 +1,962 @@
 <!--
      The FreeBSD Documentation Project
 
      $FreeBSD$
 -->
 
 <chapter id="l10n">
   <chapterinfo>
     <authorgroup>
       <author>
 	<firstname>Andrey A.</firstname>
 	<surname>Chernov</surname>
 	<contrib>Contributed by </contrib>
       </author>
     </authorgroup>
     <authorgroup>
       <author>
 	<firstname>Michael C.</firstname>
 	<surname>Wu</surname>
 	<contrib>Rewritten by </contrib>
       </author>
       <!-- 30 Nv 2000 -->
     </authorgroup>
   </chapterinfo>
 
   <title>Localization - I18N/L10N Usage and Setup</title>
 
   <sect1 id="l10n-synopsis">
     <title>Synopsis</title>
 
     <para>FreeBSD is a very distributed project with users and
       contributors located all over the world.  This chapter discusses
       the internationalization and localization features of FreeBSD
       that allow non-English speaking users to get real work done.
       There are many aspects of the i18n implementation in both the system
       and application levels, so where applicable we refer the reader
       to more specific sources of documentation.</para>
 
     <para>After reading this chapter, you will know:</para>
     <itemizedlist>
       <listitem><para>How different languages and locales are encoded
       on modern operating systems.</para></listitem>
       <listitem><para>How to set the locale for your login
       shell.</para></listitem>
       <listitem><para>How to configure your console for non-English
       languages.</para></listitem>
       <listitem><para>How to use X Window System effectively with different
       languages.</para></listitem>
       <listitem><para>Where to find more information about writing
       i18n-compliant applications.</para></listitem>
    </itemizedlist>
 
     <para>Before reading this chapter, you should:</para>
 
     <itemizedlist>
       <listitem><para>Know how to install additional third-party
         applications (<xref linkend="ports">).</para></listitem>
     </itemizedlist>
   </sect1>
 
   <sect1 id="l10n-basics">
     <title>The Basics</title>
 
     <sect2>
       <title>What Is I18N/L10N?</title>
     <indexterm><primary>internationalization</primary></indexterm> 
     <indexterm><primary>localization</primary></indexterm> 
 
       <para>Developers shortened internationalization into the term I18N,
 	counting the number of letters between the first and the last
 	letters of internationalization.  L10N uses the same naming
 	scheme, coming from <quote>localization</quote>.  Combined
 	together, I18N/L10N methods, protocols, and applications allow
 	users to use languages of their choice.</para>
 
       <para>I18N applications are programmed using I18N kits under
 	libraries.  It allows for developers to write a simple file and
 	translate displayed menus and texts to each language.  We strongly
 	encourage programmers to follow this convention.</para>
     </sect2>
 
     <sect2>
       <title>Why Should I Use I18N/L10N?</title>
 
       <para>I18N/L10N is used whenever you wish to either view, input, or
 	process data in non-English languages.</para>
     </sect2>
 
     <sect2>
       <title>What Languages Are Supported in the I18N Effort?</title>
 
       <para>I18N and L10N are not FreeBSD specific.  Currently, one can
 	choose from most of the major languages of the World, including
 	but not limited to:  Chinese, German, Japanese, Korean, French,
 	Russian, Vietnamese and others.</para>
     </sect2>
   </sect1>
 
   <sect1 id="using-localization">
     <title>Using Localization</title>
 
     <para>In all its splendor, I18N is not FreeBSD-specific and is a
       convention.  We encourage you to help FreeBSD in following this
       convention.</para>
     <indexterm><primary>locale</primary></indexterm>
 
     <para>Localization settings are based on three main terms:
       Language Code, Country Code, and Encoding.  Locale names are
       constructed from these parts as follows:</para>
 
     <programlisting><replaceable>LanguageCode</replaceable>_<replaceable>CountryCode</replaceable>.<replaceable>Encoding</replaceable></programlisting>
 
     <sect2>
       <title>Language and Country Codes</title>
       <indexterm><primary>language codes</primary></indexterm>
       <indexterm><primary>country codes</primary></indexterm>
 
       <para>In order to localize a FreeBSD system to a specific language
 	(or any other I18N-supporting &unix; like systems), the user needs to find out
 	the codes for the specify country and language (country
 	codes tell applications what variation of given
 	language to use).  In addition, web
 	browsers, SMTP/POP servers, web servers, etc. make decisions based on
 	them.  The following are examples of language/country codes:</para>
 
-      <informaltable frame="none">
+      <informaltable frame="none" pgwide="1">
 	<tgroup cols="2">
 	  <thead>
 	    <row>
 	      <entry>Language/Country Code</entry>
 	      <entry>Description</entry>
 	    </row>
 	  </thead>
 
 	  <tbody>
 	    <row>
 	      <entry>en_US</entry>
 	      <entry>English - United States</entry>
 	    </row>
 
 	    <row>
 	      <entry>ru_RU</entry>
 	      <entry>Russian for Russia</entry>
 	    </row>
 
 	    <row>
 	      <entry>zh_TW</entry>
 	      <entry>Traditional Chinese for Taiwan</entry>
 	    </row>
 	  </tbody>
 	</tgroup>
       </informaltable>
 
     </sect2>
 
     <sect2>
       <title>Encodings</title>
       <indexterm><primary>encodings</primary></indexterm>
       <indexterm><primary>ASCII</primary></indexterm>
 
       <para>Some languages use non-ASCII encodings that are 8-bit, wide
 	or multibyte characters, see &man.multibyte.3; for more
 	details. Older applications do not recognize them
 	and mistake them for control characters.  Newer applications
 	usually do recognize 8-bit characters.  Depending on the
 	implementation, users may be required to compile an application
 	with wide or multibyte characters support, or configure it correctly.
 	To be able to input and process wide or multibyte characters, the <ulink 
 	url="&url.base;/ports/index.html">FreeBSD Ports collection</ulink> has provided
 	each language with different programs.  Refer to the I18N
 	documentation in the respective FreeBSD Port.</para>
 
       <para>Specifically, the user needs to look at the application
 	documentation to decide on how to configure it correctly or to
 	pass correct values into the configure/Makefile/compiler.</para>
 
       <para>Some things to keep in mind are:</para>
 
       <itemizedlist>
 	<listitem>
 	  <para>Language specific single C chars character sets
 	  (see &man.multibyte.3;), e.g.
 	    ISO-8859-1, ISO-8859-15, KOI8-R, CP437.</para>
 	</listitem>
 
 	<listitem>
 	  <para>Wide or multibyte encodings, e.g. EUC, Big5.</para>
 	</listitem>
       </itemizedlist>
 
       <para>You can check the active list of character sets at the
 	<ulink
 	url="http://www.iana.org/assignments/character-sets">IANA Registry</ulink>.</para>
 
       <note>
       <para>FreeBSD versions 4.5 and up use X11-compatible locale
 	encodings instead.</para>
       </note>
 
     </sect2>
 
     <sect2>
       <title>I18N Applications</title>
 
       <para>In the FreeBSD Ports and Package system, I18N applications
 	have been named with <literal>I18N</literal> in their names for
 	easy identification.  However, they do not always support the
 	language needed.</para>
     </sect2>
 
     <sect2 id="setting-locale">
       <title>Setting Locale</title>
 
       <para>Usually it is sufficient to export the value of the locale name
         as <envar>LANG</envar> in the login shell.  This could be done in
 	the user's <filename>~/.login_conf</filename> file or in the
 	startup file of the user's shell (<filename>~/.profile</filename>,
 	<filename>~/.bashrc</filename>, <filename>~/.cshrc</filename>).
 	There is no need to set the locale subsets such as
 	<envar>LC_CTYPE</envar>, <envar>LC_CTIME</envar>.  Please
 	refer to language-specific FreeBSD documentation for more
 	information.</para>
 
       <para>You should set the following two environment variables in your configuration
 	files:</para>
 
       <itemizedlist>
         <indexterm><primary>POSIX</primary></indexterm>
         <listitem>
 	  <para><envar>LANG</envar> for &posix; &man.setlocale.3; family
 	    functions</para>
 	</listitem>
 
         <indexterm><primary>MIME</primary></indexterm>
 	<listitem>
 	  <para><envar>MM_CHARSET</envar> for applications' MIME character
 	    set</para>
 	</listitem>
       </itemizedlist>
 
       <para>This includes the user shell configuration, the specific application
         configuration, and the X11 configuration.</para>
 
       <sect3>
 	<title>Setting Locale Methods</title>
         <indexterm><primary>locale</primary></indexterm>
         <indexterm><primary>login class</primary></indexterm>
 
 	<para>There are two methods for setting locale, and both are
 	  described below.  The first (recommended one) is by assigning
 	  the environment variables in <link linkend="login-class">login
 	  class</link>, and the second is by adding the environment
 	  variable assignments to the system's shell <link
 	  linkend="startup-file">startup file</link>.</para>
 
 	<sect4 id="login-class">
 	  <title>Login Classes Method</title>
 
 	  <para>This method allows environment variables needed for locale
 	    name and MIME character sets to be assigned once for every
 	    possible shell instead of adding specific shell assignments to
 	    each shell's startup file.  <link linkend="usr-setup">User
 	    Level Setup</link> can be done by an user himself and <link
 	    linkend="adm-setup">Administrator Level Setup</link> require
 	    superuser privileges.</para>
 
 	  <sect5 id="usr-setup">
 	    <title>User Level Setup</title>
 
 	    <para>Here is a minimal example of a
 	      <filename>.login_conf</filename> file in user's home
 	      directory which has both variables set for Latin-1
 	      encoding:</para>
 
 	    <programlisting>me:\
 	:charset=ISO-8859-1:\
 	:lang=de_DE.ISO8859-1:</programlisting>
 
 	    <indexterm><primary>Traditional Chinese</primary><secondary>BIG-5 encoding</secondary></indexterm>
 	    <para>Here is an example of a 
 	       <filename>.login_conf</filename> that sets the variables
 	       for Traditional Chinese in BIG-5 encoding.  Notice the many
 	       more variables set because some software does not respect
 	       locale variables correctly for Chinese, Japanese, and Korean.</para>
 
 	    <programlisting>#Users who do not wish to use monetary units or time formats
 #of Taiwan can manually change each variable
 me:\
 	:lang=zh_TW.Big5:\
 	:lc_all=zh_TW.Big:\
 	:lc_collate=zh_TW.Big5:\ 
 	:lc_ctype=zh_TW.Big5:\
 	:lc_messages=zh_TW.Big5:\
 	:lc_monetary=zh_TW.Big5:\
 	:lc_numeric=zh_TW.Big5:\
 	:lc_time=zh_TW.Big5:\
 	:charset=big5:\
 	:xmodifiers="@im=xcin": #Setting the XIM Input Server</programlisting> 
 
 	    <para>See <link linkend="adm-setup">Administrator Level
 	      Setup</link> and &man.login.conf.5; for more details.</para>
 	  </sect5>
 
 	  <sect5 id="adm-setup">
 	    <title>Administrator Level Setup</title>
 
 	    <para>Verify that the user's login class in
 	      <filename>/etc/login.conf</filename> sets the correct
 	      language.  Make sure these settings
 	      appear in <filename>/etc/login.conf</filename>:</para>
 
 	    <programlisting><replaceable>language_name</replaceable>:<replaceable>accounts_title</replaceable>:\
 	:charset=<replaceable>MIME_charset</replaceable>:\
 	:lang=<replaceable>locale_name</replaceable>:\
 	:tc=default:</programlisting>
 
 	    <para>So sticking with our previous example using Latin-1, it
 	      would look like this:</para>
 
 	    <programlisting>german:German Users Accounts:\
 	:charset=ISO-8859-1:\
 	:lang=de_DE.ISO8859-1:\
 	:tc=default:</programlisting>
 
 	    <bridgehead renderas=sect4>Changing Login Classes with &man.vipw.8;</bridgehead>
 
 	    <indexterm>
         <primary><command>vipw</command></primary>
       </indexterm>
 	    <para>Use <command>vipw</command> to add new users, and make
 	      the entry look like this:</para>
 
 	    <programlisting>user:password:1111:11:<replaceable>language</replaceable>:0:0:User Name:/home/user:/bin/sh</programlisting>
 
 	    <bridgehead renderas=sect4>Changing Login Classes with &man.adduser.8;</bridgehead>
 
 	    <indexterm>
         <primary><command>adduser</command></primary>
       </indexterm>
 	    <indexterm><primary>login class</primary></indexterm>
 	    <para>Use <command>adduser</command> to add new users, and do
 	      the following:</para>
 
 	    <itemizedlist>
 	      <listitem>
 		<para>Set <literal>defaultclass =
 		  <replaceable>language</replaceable></literal> in
 		  <filename>/etc/adduser.conf</filename>.  Keep in mind
 		  you must enter a <literal>default</literal> class for
 		  all users of other languages in this case.</para>
 	      </listitem>
 
 	      <listitem>
 		<para>An alternative variant is answering the specified
 		  language each time that 
 <screen><prompt>Enter login class: default []: </prompt></screen>
 		  appears from &man.adduser.8;.</para>
 	      </listitem>
 
 	      <listitem>
 		<para>Another alternative is to use the following for each
 		  user of a different language that you wish to
 		  add:</para>
 
 		<screen>&prompt.root; <userinput>adduser -class <replaceable>language</replaceable></userinput></screen>
 	      </listitem>
 	    </itemizedlist>
 
 	    <bridgehead renderas=sect4>Changing Login Classes with &man.pw.8;</bridgehead>
 	    <indexterm>
         <primary><command>pw</command></primary>
       </indexterm>
 	    <para>If you use &man.pw.8; for adding new users, call it in
 	      this form:</para>
 
 	    <screen>&prompt.root; <userinput>pw useradd <replaceable>user_name</replaceable> -L <replaceable>language</replaceable></userinput></screen>
 	  </sect5>
 	</sect4>
 
 	<sect4 id="startup-file">
 	  <title>Shell Startup File Method</title>
 
 	  <note>
 	    <para>This method is not recommended because it requires a
 	      different setup for each possible shell program chosen.  Use
 	      the <link linkend="login-class">Login Class Method</link>
 	      instead.</para>
 	  </note>
 
 	  <indexterm><primary>MIME</primary></indexterm>
 	  <indexterm><primary>locale</primary></indexterm>
 	  <para>To add the locale name and MIME character set, just set
 	    the two environment variables shown below in the
 	    <filename>/etc/profile</filename> and/or
 	    <filename>/etc/csh.login</filename> shell startup files.  We
 	    will use the German language as an example below:</para>
 
 	  <para>In <filename>/etc/profile</filename>:</para>
 
 	  <programlisting><envar>LANG=de_DE.ISO8859-1; export LANG</envar>
 <envar>MM_CHARSET=ISO-8859-1; export MM_CHARSET</envar></programlisting>
 
 	  <para>Or in <filename>/etc/csh.login</filename>:</para>
 
 	  <programlisting><envar>setenv LANG de_DE.ISO8859-1</envar>
 <envar>setenv MM_CHARSET ISO-8859-1</envar></programlisting>
 
 	  <para>Alternatively, you can add the above instructions to
 	    <filename>/usr/share/skel/dot.profile</filename> (similar to
 	    what was used in <filename>/etc/profile</filename> above), or
 	    <filename>/usr/share/skel/dot.login</filename> (similar to
 	    what was used in <filename>/etc/csh.login</filename>
 	    above).</para>
 
 	  <para>For X11:</para>
 
 	  <para>In <filename>$HOME/.xinitrc</filename>:</para>
 
 	  <programlisting><envar>LANG=de_DE.ISO8859-1; export LANG</envar></programlisting>
 
 	  <para>Or:</para>
 
 	  <programlisting><envar>setenv LANG de_DE.ISO8859-1</envar></programlisting>
 
 	  <para>Depending on your shell (see above).</para>
 
 	</sect4>
       </sect3>
     </sect2>
 
     <sect2 id="setting-console">
       <title>Console Setup</title>
 
       <para>For all single C chars character sets, set the correct
 	console fonts in <filename>/etc/rc.conf</filename> for the
 	language in question with:</para>
 
       <programlisting>font8x16=<replaceable>font_name</replaceable>
 font8x14=<replaceable>font_name</replaceable>
 font8x8=<replaceable>font_name</replaceable></programlisting>
 
       <para>The <replaceable>font_name</replaceable> here is taken from
         the <filename>/usr/share/syscons/fonts</filename> directory,
 	without the <filename>.fnt</filename> suffix.</para>
 
       <indexterm>
         <primary><application>sysinstall</application></primary>
       </indexterm>
       <indexterm><primary>keymap</primary></indexterm>
       <indexterm><primary>screenmap</primary></indexterm>
       <para>Also be sure to set the correct keymap and screenmap for your
 	single C chars character set through
 	<filename>/stand/sysinstall</filename>.
 	Once inside <application>sysinstall</application>, choose <guimenuitem>Configure</guimenuitem>, then
 	<guimenuitem>Console</guimenuitem>.  Alternatively, you can add the
 	following to <filename>/etc/rc.conf</filename>:</para>
 
       <programlisting>scrnmap=<replaceable>screenmap_name</replaceable>
 keymap=<replaceable>keymap_name</replaceable>
 keychange="<replaceable>fkey_number sequence</replaceable>"</programlisting>
 	
       <para>The <replaceable>screenmap_name</replaceable> here is taken
         from the <filename>/usr/share/syscons/scrnmaps</filename>
 	directory, without the <filename>.scm</filename> suffix.  A
 	screenmap with a corresponding mapped font is usually needed as a
 	workaround for expanding bit 8 to bit 9 on a VGA adapter's font
 	character matrix in pseudographics area, i.e., to move letters out
 	of that area if screen font uses a bit 8 column.</para>
 
       <para>If you have the <application>moused</application> daemon
 	enabled by setting the following
 	in your <filename>/etc/rc.conf</filename>:</para>
 
 <programlisting>moused_enable="YES"</programlisting>
 
       <para>then examine the mouse cursor information in the next
 	paragraph.</para>
 
       <indexterm>
         <primary><application>moused</application></primary>
       </indexterm>
       <para>By default the mouse cursor of the &man.syscons.4; driver occupies the
 	0xd0-0xd3 range in the character set.  If your language uses this
 	range, you need to move the cursor's range outside of it.  To enable
 	the workaround for FreeBSD versions before 5.0, insert the following
 	line into your kernel configuration:</para>
 
       <programlisting>options		SC_MOUSE_CHAR=0x03</programlisting>
 
       <para>For FreeBSD versions 4.4 and up insert the following line
 	into <filename>/etc/rc.conf</filename>:</para>
 
       <programlisting>mousechar_start=3</programlisting>
 
       <para>The <replaceable>keymap_name</replaceable> here is taken from
         the <filename>/usr/share/syscons/keymaps</filename> directory,
 	without the <filename>.kbd</filename> suffix.  If you're
 	uncertain which keymap to use, you use can &man.kbdmap.1; to test
 	keymaps without rebooting.</para>
 
       <para>The <literal>keychange</literal> is usually needed to program
         function keys to match the selected terminal type because
 	function key sequences cannot be defined in the key map.</para>
 
       <para>Also be sure to set the correct console terminal type in
         <filename>/etc/ttys</filename> for all <literal>ttyv*</literal>
 	entries.  Current pre-defined correspondences are:</para>
 
-      <informaltable frame="none">
+      <informaltable frame="none" pgwide="1">
 	<tgroup cols="2">
 	  <thead>
 	    <row>
 	      <entry>Character Set</entry>
 	      <entry>Terminal Type</entry>
 	    </row>
 	  </thead>
 
 	  <tbody>
 	    <row>
 	      <entry>ISO-8859-1 or ISO-8859-15</entry>
 	      <entry><literal>cons25l1</literal></entry>
 	    </row>
 
 	    <row>
 	      <entry>ISO-8859-2</entry>
 	      <entry><literal>cons25l2</literal></entry>
 	    </row>
 
 	    <row>
 	      <entry>ISO-8859-7</entry>
 	      <entry><literal>cons25l7</literal></entry>
 	    </row>
 
 	    <row>
 	      <entry>KOI8-R</entry>
 	      <entry><literal>cons25r</literal></entry>
 	    </row>
 
 	    <row>
 	      <entry>KOI8-U</entry>
 	      <entry><literal>cons25u</literal></entry>
 	    </row>
 
 	    <row>
 	      <entry>CP437 (VGA default)</entry>
 	      <entry><literal>cons25</literal></entry>
 	    </row>
 
 	    <row>
 	      <entry>US-ASCII</entry>
 	      <entry><literal>cons25w</literal></entry>
 	    </row>
 	  </tbody>
 	</tgroup>
       </informaltable>
 
       <para>For wide or multibyte characters languages, use the correct
 	FreeBSD port in your
 	<filename>/usr/ports/<replaceable>language</replaceable></filename>
 	directory.  Some ports appear as console while the system sees it
 	as serial vtty's, hence you must reserve enough vtty's for both
 	X11 and the pseudo-serial console.  Here is a partial list of
 	applications for using other languages in console:</para>
 
-      <informaltable frame="none">
+      <informaltable frame="none" pgwide="1">
 	<tgroup cols="2">
 	  <thead>
 	    <row>
 	      <entry>Language</entry>
 	      <entry>Location</entry>
 	    </row>
 	  </thead>
 
 	  <tbody>
 	    <row>
 	      <entry>Traditional Chinese (BIG-5)</entry>
 	      <entry><filename role="package">chinese/big5con</filename></entry>
 	    </row>
 
 	    <row>
 	      <entry>Japanese</entry>
 	      <entry><filename role="package">japanese/kon2-16dot</filename> or
 	        <filename role="package">japanese/mule-freewnn</filename></entry>
 	    </row>
 
 	    <row>
 	      <entry>Korean</entry>
 	      <entry><filename role="package">korean/han</filename></entry>
 	    </row>
 	  </tbody>
 	</tgroup>
       </informaltable>
     </sect2>
 
     <sect2>
       <title>X11 Setup</title>
 
       <para>Although X11 is not part of the FreeBSD Project, we have
 	included some information here for FreeBSD users.  For more
 	details, refer to the <ulink url="http://www.xfree86.org/">&xfree86;
 	web site</ulink> or whichever X11 Server you use.</para>
 
       <para>In <filename>~/.Xresources</filename>, you can additionally
 	tune application specific I18N settings (e.g., fonts, menus,
 	etc.).</para>
 
       <sect3>
 	<title>Displaying Fonts</title>
 	<indexterm><primary>X11 True Type font server</primary></indexterm>
 	<para>Install <application>&xorg;</application> server
 	  (<filename role="package">x11-servers/xorg-server</filename>)
 	  or <application>&xfree86;</application> server
 	  (<filename role="package">x11-servers/XFree86-4-Server</filename>),
 	  then install the language &truetype; fonts.  Setting the correct
 	  locale should allow you to view your selected language in menus
 	  and such.</para>
       </sect3>
 
       <sect3>
 	<title>Inputting Non-English Characters</title>
 	<indexterm><primary>X11 Input Method (XIM)</primary></indexterm>
 	<para>The X11 Input Method (XIM) Protocol is a new standard for
 	  all X11 clients.  All X11 applications should be written as XIM
 	  clients that take input from XIM Input servers.  There are
 	  several XIM servers available for different languages.</para>
       </sect3>
     </sect2>
 
     <sect2>
       <title>Printer Setup</title>
 
       <para>Some single C chars character sets are usually hardware
 	coded into printers. Wide or multibyte
 	character sets require special setup and we recommend using
 	<application>apsfilter</application>.  You may also convert the
 	document to &postscript; or PDF formats using language specific
 	converters.</para>
     </sect2>
 
     <sect2>
       <title>Kernel and File Systems</title>
 
       <para>The FreeBSD fast filesystem (FFS) is 8-bit clean, so it can be used
 	with any single C chars character set (see &man.multibyte.3;),
 	but there is no character set
 	name stored in the filesystem; i.e., it is raw 8-bit and does not
 	know anything about encoding order.  Officially, FFS does not
 	support any form of wide or multibyte character sets yet.  However, some
 	wide or multibyte character sets have independent patches for FFS
 	enabling such support.  They are only temporary unportable
 	solutions or hacks and we have decided to not include them in the
 	source tree.  Refer to respective languages' web sites for more
 	informations and the patch files.</para>
 
       <indexterm><primary>DOS</primary></indexterm>
       <indexterm><primary>Unicode</primary></indexterm>
       <para>The FreeBSD &ms-dos; filesystem has the configurable ability to
 	convert between &ms-dos;, Unicode character sets and chosen
 	FreeBSD filesystem character sets.  See &man.mount.msdos.8; for
 	details.</para>
     </sect2>
   </sect1>
 
   <sect1 id="l10n-compiling">
     <title>Compiling I18N Programs</title>
 
     <para>Many FreeBSD Ports have been ported with I18N support.  Some
       of them are marked with -I18N in the port name.  These and many
       other programs have built in support for I18N and need no special
       consideration.</para>
 
     <indexterm>
       <primary><application>MySQL</application></primary>
     </indexterm>
     <para>However, some applications such as 
       <application>MySQL</application> need to be have the
       <filename>Makefile</filename> configured with the specific
       charset.  This is usually done in the
       <filename>Makefile</filename> or done by passing a value to
       <application>configure</application> in the source.</para>
   </sect1>
 
   <sect1 id="lang-setup">	
     <title>Localizing FreeBSD to Specific Languages</title>
 
     <sect2 id="ru-localize">
       <sect2info>
 	<authorgroup>
 	  <author>
 	    <firstname>Andrey A.</firstname>
 	    <surname>Chernov</surname>
 	    <contrib>Originally contributed by </contrib>
 	  </author>
 	</authorgroup>
       </sect2info>
       <title>Russian Language (KOI8-R Encoding)</title>
       <indexterm>
 	<primary>localization</primary>
 	<secondary>Russian</secondary>
       </indexterm>
 
       <para>For more information about KOI8-R encoding, see the <ulink
 	url="http://koi8.pp.ru/">KOI8-R References
 	(Russian Net Character Set)</ulink>.</para>
 
       <sect3>
 	<title>Locale Setup</title>
 
 	<para>Put the following lines into your
 	  <filename>~/.login_conf</filename> file:</para>
 
 	<programlisting>me:My Account:\
 	:charset=KOI8-R:\
 	:lang=ru_RU.KOI8-R:</programlisting>
 
 	<para>See earlier in this chapter for examples of setting up the
 	  <link linkend="setting-locale">locale</link>.</para>
       </sect3>
 
       <sect3>
 	<title>Console Setup</title>
 
 	<itemizedlist>
 	  <listitem>
 	    <para>For the FreeBSD versions before 5.0 add the following line
 	      to your kernel configuration file:</para>
 
 	    <programlisting>options		SC_MOUSE_CHAR=0x03</programlisting>
 
 	    <para>For FreeBSD versions 4.4 and up insert the following
 	      line into <filename>/etc/rc.conf</filename>:</para>
 
 	    <programlisting>mousechar_start=3</programlisting>
 	  </listitem>
 
 	  <listitem>
 	    <para>Use following settings in
 	      <filename>/etc/rc.conf</filename>:</para>
 
 	    <programlisting>keymap="ru.koi8-r"
 scrnmap="koi8-r2cp866"
 font8x16="cp866b-8x16"
 font8x14="cp866-8x14"
 font8x8="cp866-8x8"</programlisting>
 
 	  </listitem>
 
 	  <listitem>
 	    <para>For each <literal>ttyv*</literal> entry in
 	      <filename>/etc/ttys</filename>, use
 	      <literal>cons25r</literal> as the terminal type.</para>
 	  </listitem>
 	</itemizedlist>
 
 	<para>See earlier in this chapter for examples of setting up the
 	  <link linkend="setting-console">console</link>.</para>
       </sect3>
 
       <sect3>
 	<title>Printer Setup</title>
 	<indexterm><primary>printers</primary></indexterm>
 	<para>Since most printers with Russian characters come with
 	  hardware code page CP866, a special output filter is needed
 	  to convert from KOI8-R to CP866.  Such a filter is installed by
 	  default as <filename>/usr/libexec/lpr/ru/koi2alt</filename>.
 	  A Russian printer <filename>/etc/printcap</filename> entry
 	  should look like:</para>
 
 	<programlisting>lp|Russian local line printer:\
 	:sh:of=/usr/libexec/lpr/ru/koi2alt:\
 	:lp=/dev/lpt0:sd=/var/spool/output/lpd:lf=/var/log/lpd-errs:</programlisting>
 
 	<para>See &man.printcap.5; for a detailed description.</para>
       </sect3>
 
       <sect3>
 	<title>&ms-dos; FS and Russian Filenames</title>
 
 	<para>The following example &man.fstab.5; entry enables support
 	  for Russian filenames in mounted &ms-dos; filesystems:</para>
 
 	<programlisting>/dev/ad0s2      /dos/c  msdos   rw,-Wkoi2dos,-Lru_RU.KOI8-R 0 0</programlisting>
 
 	<para>The option <option>-L</option> selects the locale name
 	  used, and <option>-W</option> sets the character conversion
 	  table.  To use the <option>-W</option> option, be sure to
 	  mount <filename>/usr</filename> before the &ms-dos; partition
 	  because the conversion tables are located in
 	  <filename>/usr/libdata/msdosfs</filename>.  For more
 	  informations, see the &man.mount.msdos.8; manual
 	  page.</para>
       </sect3>
 
       <sect3>
 	<title>X11 Setup</title>
 
 	<orderedlist>
 	  <listitem>
 	    <para>Do <link linkend="setting-locale">non-X locale
 	      setup</link> first as described.</para>
 
 	    <note>
 	      <para><anchor id="russian-note">The Russian KOI8-R locale
 		may not work with old <application>&xfree86;</application> releases (lower than 3.3).
 		<application>&xfree86; 4.X</application> is now the default
 		version of the X Window System on FreeBSD.
 		This should not be an
 		issue unless you are using an old version of
 		FreeBSD.</para>
 	    </note>
 	  </listitem>
 
 	  <listitem>
 	    <para>Go to the
 	      <filename role="package">russian/X.language</filename> directory
 	      and issue the following command:</para>
 
 	    <screen>&prompt.root; <userinput>make install</userinput></screen>
       
 	    <para>The above port installs the latest version of the KOI8-R
 	      fonts.  <application>&xfree86; 3.3</application> already has some KOI8-R fonts, but these
 	      are scaled better.</para>
 
 	    <para>Check the <literal>"Files"</literal> section
 	      in your <filename>/etc/XF86Config</filename> file.
 	      The following
 	      lines must be added <emphasis>before</emphasis> any other
 	      <literal>FontPath</literal> entries:</para>
 
 	    <programlisting>FontPath   "/usr/X11R6/lib/X11/fonts/cyrillic/misc"
 FontPath   "/usr/X11R6/lib/X11/fonts/cyrillic/75dpi"
 FontPath   "/usr/X11R6/lib/X11/fonts/cyrillic/100dpi"</programlisting>
 
 	    <para>If you use a high resolution video mode, swap the 75 dpi
 	      and 100 dpi lines.</para>
 	  </listitem>
 
 	  <listitem>
 	    <para>To activate a Russian keyboard, add the following to the
 	      <literal>"Keyboard"</literal> section of your
 	      <filename>XF86Config</filename> file.</para>
 
 	    <para>For <application>&xfree86; 3.X</application>:</para>
 
 	    <programlisting>XkbLayout  "ru"
 XkbOptions "grp:caps_toggle"</programlisting>
 
 	    <para>For <application>&xfree86; 4.X</application>:</para>
 
 	    <programlisting>Option "XkbLayout"   "ru"
 Option "XkbOptions"  "grp:caps_toggle"</programlisting>
 
 	    <para>Also make sure that <literal>XkbDisable</literal> is
 	      turned off (commented out) there.</para>
 
 	    <para>The RUS/LAT switch will be <keycap>CapsLock</keycap>.
 	    The old <keycap>CapsLock</keycap> function is still
 	    available via <keycombo action="simul"><keycap>Shift</keycap><keycap>CapsLock</keycap></keycombo> (in LAT mode
 	      only).</para>
 
 	    <para>If you have <quote>&windows;</quote> keys on your keyboard,
 	      and notice that some non-alphabetical keys are mapped
 	      incorrectly in RUS mode, add the following line in your
 	      <filename>XF86Config</filename> file.</para>
 
 	    <para>For <application>&xfree86; 3.X</application>:</para>
 
 	<programlisting>XkbVariant "winkeys"</programlisting>
 
 	    <para>For <application>&xfree86; 4.X</application>:</para>
 
 	<programlisting>Option "XkbVariant" "winkeys"</programlisting>
 
 	    <note>
 	      <para>The Russian XKB keyboard may not work with old <application>&xfree86;</application>
 		versions, see the <link linkend="russian-note">above
 		note</link> for more information.  The Russian XKB
 		keyboard may also not work with non-localized
 		applications as well.  Minimally localized applications
 		should call a <function>XtSetLanguageProc (NULL, NULL,
 		NULL);</function> function early in the program.
 		See <ulink
 		url="http://koi8.pp.ru/xwin.html">
 		KOI8-R for X Window</ulink> for more instructions on
 		localizing X11 applications.</para>
 	    </note>
 	  </listitem>
 	</orderedlist>
       </sect3>
     </sect2>
 
     <sect2>
       <title>Traditional Chinese Localization for Taiwan</title>
       <indexterm>
 	<primary>localization</primary>
 	<secondary>Traditional Chinese</secondary>
       </indexterm>
       <para>The FreeBSD-Taiwan Project has an Chinese HOWTO for
 	FreeBSD at <ulink url="http://netlab.cse.yzu.edu.tw/~statue/freebsd/zh-tut/"></ulink>
 	using many Chinese ports.
 	Current editor for the <literal>FreeBSD Chinese HOWTO</literal> is
         Shen Chuan-Hsing <email>statue@freebsd.sinica.edu.tw</email>.
       </para>
 
       <para>Chuan-Hsing Shen <email>statue@freebsd.sinica.edu.tw</email> has
 	created the <ulink url="http://netlab.cse.yzu.edu.tw/~statue/cfc/">
 	Chinese FreeBSD Collection (CFC)</ulink> using FreeBSD-Taiwan's
 	<literal>zh-L10N-tut</literal>.  The packages and the script files
 	are available at <ulink url="ftp://freebsd.csie.nctu.edu.tw/pub/taiwan/CFC/"></ulink>.</para>
     </sect2>
 
     <sect2>
       <title>German Language Localization (for All ISO 8859-1
 	Languages)</title>
       <indexterm>
 	<primary>localization</primary>
 	<secondary>German</secondary>
       </indexterm>
 
       <para>Slaven Rezic <email>eserte@cs.tu-berlin.de</email> wrote a
 	tutorial how to use umlauts on a FreeBSD machine.  The tutorial
 	is written in German and available at
 	<ulink url="http://www.de.FreeBSD.org/de/umlaute/"></ulink>.</para>
     </sect2>
 
     <sect2>
       <title>Japanese and Korean Language Localization</title>
       <indexterm>
 	<primary>localization</primary>
 	<secondary>Japanese</secondary>
       </indexterm>
       <indexterm>
 	<primary>localization</primary>
 	<secondary>Korean</secondary>
       </indexterm>
       <para>For Japanese, refer to
         <ulink url="http://www.jp.FreeBSD.org/"></ulink>,
 	and for Korean, refer to
 	<ulink url="http://www.kr.FreeBSD.org/"></ulink>.</para>
     </sect2>
 
     <sect2>
       <title>Non-English FreeBSD Documentation</title>
 
       <para>Some FreeBSD contributors have translated parts of FreeBSD to
 	other languages.  They are available through links on the <ulink
 	url="&url.base;/index.html">main site</ulink> or in
 	<filename>/usr/share/doc</filename>.</para>
     </sect2>
   </sect1>
 </chapter>
 
 <!--
      Local Variables:
      mode: sgml
      sgml-declaration: "../chapter.decl"
      sgml-indent-data: t
      sgml-omittag: nil
      sgml-always-quote-attributes: t
      sgml-parent-document: ("../book.sgml" "part" "chapter")
      End:
 -->
diff --git a/en_US.ISO8859-1/books/handbook/linuxemu/chapter.sgml b/en_US.ISO8859-1/books/handbook/linuxemu/chapter.sgml
index d940f062f8..f66db4ec57 100644
--- a/en_US.ISO8859-1/books/handbook/linuxemu/chapter.sgml
+++ b/en_US.ISO8859-1/books/handbook/linuxemu/chapter.sgml
@@ -1,3349 +1,3349 @@
 <!--
      The FreeBSD Documentation Project
 
      $FreeBSD$
 -->
 
 <chapter id="linuxemu">
   <chapterinfo>
     <authorgroup>
       <author>
 	<firstname>Jim</firstname>
 	<surname>Mock</surname>
 	<contrib>Restructured and parts updated by </contrib>
       </author>
       <!-- 22 Mar 2000 -->
     </authorgroup>
     <authorgroup>
       <author>
 	<firstname>Brian N.</firstname>
 	<surname>Handy</surname>
 	<contrib>Originally contributed by </contrib>
       </author>
       <author>
 	<firstname>Rich</firstname>
 	<surname>Murphey</surname>
       </author>
     </authorgroup>
   </chapterinfo>
 
   <title>Linux Binary Compatibility</title>
 
   <sect1 id="linuxemu-synopsis">
     <title>Synopsis</title>
     <indexterm><primary>Linux binary compatibility</primary></indexterm>
     <indexterm>
       <primary>binary compatibility</primary>
       <secondary>Linux</secondary>
     </indexterm>
 
     <para>FreeBSD provides binary compatibility with several other
       &unix; like operating systems, including Linux.  At this point,
       you may be asking yourself why exactly, does
       FreeBSD need to be able to run Linux binaries?  The answer to that
       question is quite simple.  Many companies and developers develop
       only for Linux, since it is the latest <quote>hot thing</quote> in
       the computing world.  That leaves the rest of us FreeBSD users
       bugging these same companies and developers to put out native
       FreeBSD versions of their applications.  The problem is, that most
       of these companies do not really realize how many people would use
       their product if there were FreeBSD versions too, and most continue
       to only develop for Linux.  So what is a FreeBSD user to do?  This
       is where the Linux binary compatibility of FreeBSD comes into
       play.</para>
 
     <para>In a nutshell, the compatibility allows FreeBSD users to run
       about 90% of all Linux applications without modification.  This
       includes applications such as <application>&staroffice;</application>,
       the Linux version of <application>&netscape;</application>,
       <application>&adobe;&nbsp;&acrobat;</application>,
       <application><trademark class="registered">RealPlayer</trademark></application>
       5 and 7, <application><trademark>VMware</trademark></application>,
       <application>&oracle;</application>,
       <application><trademark class="registered">WordPerfect</trademark></application>, <application>Doom</application>,
       <application>Quake</application>, and more.  It is also reported
       that in some situations, Linux binaries perform better on FreeBSD
       than they do under Linux.</para>
     <indexterm>
       <primary>Linux</primary>
       <secondary><filename>/proc</filename> file system</secondary>
     </indexterm>
 
     <para>There are, however, some Linux-specific operating system
       features that are not supported under FreeBSD.  Linux binaries will
       not work on FreeBSD if they overly use the Linux
       <filename>/proc</filename> file system (which is different from
       FreeBSD's <filename>/proc</filename> file system), or &i386; specific
       calls, such as enabling virtual 8086 mode.</para>
 
     <para>After reading this chapter, you will know:</para>
     <itemizedlist>
       <listitem>
 	<para>How to enable Linux binary compatibility on your system.</para>
       </listitem>
 
       <listitem>
 	<para>How to install additional Linux shared
 	  libraries.</para>
 	</listitem>
 
       <listitem>
 	<para>How to install Linux applications on your FreeBSD system.</para>
       </listitem>
 
       <listitem>
 	<para>The implementation details of Linux compatibility in FreeBSD.</para>
       </listitem>
     </itemizedlist>
 
     <para>Before reading this chapter, you should:</para>
 
     <itemizedlist>
       <listitem>
 	<para>Know how to install additional third-party
         software (<xref linkend="ports">).</para>
       </listitem>
     </itemizedlist>
 
   </sect1>
 
   <sect1 id="linuxemu-lbc-install">
     <title>Installation</title>
 
     <indexterm><primary>KLD (kernel loadable object)</primary></indexterm>
 
     <para>Linux binary compatibility is not turned on by default.  The
       easiest way to enable this functionality is to load the
       <literal>linux</literal> KLD object (<quote>Kernel LoaDable
       object</quote>).  You can load this module by simply typing
       <command>linux</command> at the command prompt.</para>
 
     <para>If you would like Linux compatibility to always be enabled,
       then you should add the following line to
       <filename>/etc/rc.conf</filename>:</para>
 
     <programlisting>linux_enable="YES"</programlisting>
 
     <para>The &man.kldstat.8; command can be used to verify that the
       KLD is loaded:</para>
 
     <screen>&prompt.user; <userinput>kldstat</userinput>
 Id Refs Address    Size     Name
  1    2 0xc0100000 16bdb8   kernel
  7    1 0xc24db000 d000     linux.ko</screen>
     <indexterm>
       <primary>kernel options</primary>
       <secondary>LINUX</secondary>
     </indexterm>
 
     <para>If for some reason you do not want to or cannot load the KLD,
       then you may statically link Linux binary compatibility into the kernel
       by adding <literal>options COMPAT_LINUX</literal> to your kernel
       configuration file.  Then install your new kernel as described in
       <xref linkend="kernelconfig">.</para>
 
     <sect2>
       <title>Installing Linux Runtime Libraries</title>
       <indexterm>
 	<primary>Linux</primary>
 	<secondary>installing Linux libraries</secondary>
       </indexterm>
 
       <para>This can be done one of two ways, either by using the
 	<link linkend="linuxemu-libs-port">linux_base</link> port, or
 	by installing them <link
 	linkend="linuxemu-libs-manually">manually</link>.</para>
 
       <sect3 id="linuxemu-libs-port">
 	<title>Installing Using the linux_base Port</title>
 	<indexterm><primary>ports collection</primary></indexterm>
 
 	<para>This is by far the easiest method to use when installing the
 	  runtime libraries.  It is just like installing any other port
 	  from the <ulink type="html" url="file://localhost/usr/ports/">ports collection</ulink>.
 	  Simply do the following:</para>
 
 	<screen>&prompt.root; <userinput>cd /usr/ports/emulators/linux_base</userinput>
 &prompt.root; <userinput>make install distclean</userinput></screen>
 
 	<para>You should now have working Linux binary compatibility.
 	  Some programs may complain about incorrect minor versions of the
 	  system libraries.  In general, however, this does not seem to be
 	  a problem.</para>
 
 	<note><para>There may be multiple versions of the <filename
 	  role="package">emulators/linux_base</filename> port available,
 	  corresponding to different versions of various Linux distributions.
 	  You should install the port most closely resembling the
 	  requirements of the Linux applications you would like to
 	  install.</para></note>
 
       </sect3>
 
       <sect3 id="linuxemu-libs-manually">
 	<title>Installing Libraries Manually</title>
 
 	<para>If you do not have the <quote>ports</quote> collection
 	  installed, you can install the libraries by hand instead.  You
 	  will need the Linux shared libraries that the program depends on
 	  and the runtime linker.  Also, you will need to create a
 	  <quote>shadow root</quote> directory,
 	  <filename>/compat/linux</filename>, for Linux libraries on your
 	  FreeBSD system.  Any shared libraries opened by Linux programs
 	  run under FreeBSD will look in this tree first.  So, if a Linux
 	  program loads, for example, <filename>/lib/libc.so</filename>,
 	  FreeBSD will first try to open
 	  <filename>/compat/linux/lib/libc.so</filename>, and if that does
 	  not exist, it will then try <filename>/lib/libc.so</filename>.
 	  Shared libraries should be installed in the shadow tree
 	  <filename>/compat/linux/lib</filename> rather than the paths
 	  that the Linux <command>ld.so</command> reports.</para>
 
 	<para>Generally, you will need to look for the shared libraries
 	  that Linux binaries depend on only the first few times that you
 	  install a Linux program on your FreeBSD system.  After a while,
 	  you will have a sufficient set of Linux shared libraries on your
 	  system to be able to run newly imported Linux binaries without
 	  any extra work.</para>
       </sect3>
 
       <sect3>
 	<title>How to Install Additional Shared Libraries</title>
 	<indexterm><primary>shared libraries</primary></indexterm>
 
 	<para>What if you install the <filename>linux_base</filename> port
 	  and your application still complains about missing shared
 	  libraries?  How do you know which shared libraries Linux
 	  binaries need, and where to get them?  Basically, there are 2
 	  possibilities (when following these instructions you will need
 	  to be <username>root</username> on your FreeBSD system).</para>
 
 	<para>If you have access to a Linux system, see what shared
 	  libraries the application needs, and copy them to your FreeBSD
 	  system.  Look at the following example:</para>
 
 	<informalexample>
 	  <para>Let us assume you used FTP to get the Linux binary of
 	    <application>Doom</application>, and put it on a Linux system you have access to.  You
 	    then can check which shared libraries it needs by running
 	    <command>ldd linuxdoom</command>, like so:</para>
 
 	  <screen>&prompt.user; <userinput>ldd linuxdoom</userinput>
 libXt.so.3 (DLL Jump 3.1) =&gt; /usr/X11/lib/libXt.so.3.1.0
 libX11.so.3 (DLL Jump 3.1) =&gt; /usr/X11/lib/libX11.so.3.1.0
 libc.so.4 (DLL Jump 4.5pl26) =&gt; /lib/libc.so.4.6.29</screen>
 
 	  <indexterm><primary>symbolic links</primary></indexterm>
 	  <para>You would need to get all the files from the last column,
 	    and put them under <filename>/compat/linux</filename>, with
 	    the names in the first column as symbolic links pointing to
 	    them.  This means you eventually have these files on your
 	    FreeBSD system:</para>
 
 	  <screen>/compat/linux/usr/X11/lib/libXt.so.3.1.0
 /compat/linux/usr/X11/lib/libXt.so.3 -&gt; libXt.so.3.1.0
 /compat/linux/usr/X11/lib/libX11.so.3.1.0
 /compat/linux/usr/X11/lib/libX11.so.3 -&gt; libX11.so.3.1.0
 /compat/linux/lib/libc.so.4.6.29
 /compat/linux/lib/libc.so.4 -&gt; libc.so.4.6.29</screen>
 
 	  <blockquote>
 	    <note>
 	      <para>Note that if you already have a Linux shared library
 		with a matching major revision number to the first column
 		of the <command>ldd</command> output, you will not need to
 		copy the file named in the last column to your system, the
 		one you already have should work.  It is advisable to copy
 		the shared library anyway if it is a newer version,
 		though.  You can remove the old one, as long as you make
 		the symbolic link point to the new one.  So, if you have
 		these libraries on your system:</para>
 
 	      <screen>/compat/linux/lib/libc.so.4.6.27
 /compat/linux/lib/libc.so.4 -&gt; libc.so.4.6.27</screen>
 
 	      <para>and you find a new binary that claims to require a
 		later version according to the output of
 		<command>ldd</command>:</para>
 
 	      <screen>libc.so.4 (DLL Jump 4.5pl26) -&gt; libc.so.4.6.29</screen>
 
 	      <para>If it is only one or two versions out of date in the
 		in the trailing digit then do not worry about copying
 		<filename>/lib/libc.so.4.6.29</filename> too, because the
 		program should work fine with the slightly older version.
 		However, if you like, you can decide to replace the
 		<filename>libc.so</filename> anyway, and that should leave
 		you with:</para>
 
 	      <screen>/compat/linux/lib/libc.so.4.6.29
 /compat/linux/lib/libc.so.4 -&gt; libc.so.4.6.29</screen>
 	    </note>
 	  </blockquote>
 
 	  <blockquote>
 	    <note>
 	      <para>The symbolic link mechanism is
 		<emphasis>only</emphasis> needed for Linux binaries.  The
 		FreeBSD runtime linker takes care of looking for matching
 		major revision numbers itself and you do not need to worry
 		about it.</para>
 	    </note>
 	  </blockquote>
 	</informalexample>
       </sect3>
     </sect2>
 
     <sect2>
       <title>Installing Linux ELF Binaries</title>
       <indexterm>
 	<primary>Linux</primary>
 	<secondary>ELF binaries</secondary>
       </indexterm>
 
       <para>ELF binaries sometimes require an extra step of
 	<quote>branding</quote>.  If you attempt to run an unbranded ELF
 	binary, you will get an error message like the following:</para>
 
       <screen>&prompt.user; <userinput>./my-linux-elf-binary</userinput>
 ELF binary type not known
 Abort</screen>
 
       <para>To help the FreeBSD kernel distinguish between a FreeBSD ELF
 	binary from a Linux binary, use the &man.brandelf.1;
 	utility.</para>
 
       <screen>&prompt.user; <userinput>brandelf -t Linux my-linux-elf-binary</userinput></screen>
 
       <indexterm><primary>GNU toolchain</primary></indexterm>
       <para>The GNU toolchain now places the appropriate branding
 	information into ELF binaries automatically, so this step
 	should become increasingly unnecessary in the future.</para>
     </sect2>
 
     <sect2>
       <title>Configuring the Hostname Resolver</title>
 
       <para>If DNS does not work or you get this message:</para>
 
       <screen>resolv+: "bind" is an invalid keyword resolv+:
 "hosts" is an invalid keyword</screen>
 
       <para>You will need to configure a
 	<filename>/compat/linux/etc/host.conf</filename> file
 	containing:</para>
 
       <programlisting>order hosts, bind
 multi on</programlisting>
 
       <para>The order here specifies that <filename>/etc/hosts</filename>
 	is searched first and DNS is searched second.  When
 	<filename>/compat/linux/etc/host.conf</filename> is not
 	installed, Linux applications find FreeBSD's
 	<filename>/etc/host.conf</filename> and complain about the
 	incompatible FreeBSD syntax.  You should remove
 	<literal>bind</literal> if you have not configured a name server
 	using the <filename>/etc/resolv.conf</filename> file.</para>
     </sect2>
   </sect1>
 
   <sect1 id="linuxemu-mathematica">
     <sect1info>
       <authorgroup>
 	<author>
 	  <firstname>Murray</firstname>
 	  <surname>Stokely</surname>
 	  <contrib>Updated for Mathematica 4.X by </contrib>
 	</author>
       </authorgroup>
       <authorgroup>
 	<author>
 	  <firstname>Bojan</firstname>
 	  <surname>Bistrovic</surname>
 	  <contrib>Merged with work by </contrib>
 	</author>
       </authorgroup>
     </sect1info>
     <title>Installing &mathematica;</title>
 
     <indexterm>
       <primary>applications</primary>
       <secondary><application>Mathematica</application></secondary>
     </indexterm>
 
     <para>This document describes the process of installing the Linux
       version of <application>&mathematica; 4.X</application> onto
       a FreeBSD system.</para>
 
     <para>The Linux version of <application>&mathematica;</application>
       runs perfectly under FreeBSD
       however the binaries shipped by Wolfram need to be branded so that
       FreeBSD knows to use the Linux ABI to execute them.</para>
 
     <para>The Linux version of <application>&mathematica;</application>
       or <application>&mathematica; for Students</application> can
       be ordered directly from Wolfram at
       <ulink url="http://www.wolfram.com/"></ulink>.</para>
 
     <sect2>
       <title>Branding the Linux Binaries</title>
 
       <para>The Linux binaries are located in the <filename>Unix</filename>
 	directory of the <application>&mathematica;</application> CDROM
 	distributed by Wolfram.  You
 	need to copy this directory tree to your local hard drive so that
 	you can brand the Linux binaries with &man.brandelf.1; before
 	running the installer:</para>
 
       <screen>&prompt.root; <userinput>mount /cdrom</userinput>
 &prompt.root; <userinput>cp -rp /cdrom/Unix/ /localdir/</userinput>
 &prompt.root; <userinput>brandelf -t Linux /localdir/Files/SystemFiles/Kernel/Binaries/Linux/*</userinput>
 &prompt.root; <userinput>brandelf -t Linux /localdir/Files/SystemFiles/FrontEnd/Binaries/Linux/*</userinput>
 &prompt.root; <userinput>brandelf -t Linux /localdir/Files/SystemFiles/Installation/Binaries/Linux/*</userinput>
 &prompt.root; <userinput>brandelf -t Linux /localdir/Files/SystemFiles/Graphics/Binaries/Linux/*</userinput>
 &prompt.root; <userinput>brandelf -t Linux /localdir/Files/SystemFiles/Converters/Binaries/Linux/*</userinput>
 &prompt.root; <userinput>brandelf -t Linux /localdir/Files/SystemFiles/LicenseManager/Binaries/Linux/mathlm</userinput>
 &prompt.root; <userinput>cd /localdir/Installers/Linux/</userinput>
 &prompt.root; <userinput>./MathInstaller</userinput></screen>
 
       <para>Alternatively, you can simply set the default ELF brand
 	to Linux for all unbranded binaries with the command:</para>
       <screen>&prompt.root; <userinput>sysctl kern.fallback_elf_brand=3</userinput></screen>
       <para>This will make FreeBSD assume that unbranded ELF binaries
 	use the Linux ABI and so you should be able to run the
 	installer straight from the CDROM.</para>
     </sect2>
 
     <sect2>
       <title>Obtaining Your &mathematica; Password</title>
 
       <para>Before you can run <application>&mathematica;</application>
 	you will have to obtain a
 	password from Wolfram that corresponds to your <quote>machine
 	ID</quote>.</para>
       <indexterm>
 	<primary>Ethernet</primary>
 	<secondary>MAC address</secondary>
       </indexterm>
 
       <para>Once you have installed the Linux compatibility runtime
 	libraries and unpacked <application>&mathematica;</application>
 	you can obtain the
 	<quote>machine ID</quote> by running the program
 	<command>mathinfo</command> in the installation directory.  This
 	machine ID is based solely on the MAC address of your first
 	Ethernet card.</para>
 
       <screen>&prompt.root; <userinput>cd /localdir/Files/SystemFiles/Installation/Binaries/Linux</userinput>
 &prompt.root; <userinput>mathinfo</userinput>
 disco.example.com 7115-70839-20412</screen>
 
       <para>When you register with Wolfram, either by email, phone or fax,
 	you will give them the <quote>machine ID</quote> and they will
 	respond with a corresponding password consisting of groups of
 	numbers.  You can then enter this information when you attempt to
 	run <application>&mathematica;</application> for the first time
 	exactly as you would for any other
 	<application>&mathematica;</application> platform.</para>
     </sect2>
 
     <sect2>
       <title>Running the &mathematica; Frontend over a Network</title>
 
       <para><application>&mathematica;</application> uses some special
 	fonts to display characters not
 	present in any of the standard font sets (integrals, sums, Greek
 	letters, etc.).  The X protocol requires these fonts to be install
 	<emphasis>locally</emphasis>.  This means you will have to copy
 	these fonts from the CDROM or from a host with
 	<application>&mathematica;</application>
 	installed to your local machine.  These fonts are normally stored
 	in <filename>/cdrom/Unix/Files/SystemFiles/Fonts</filename> on the
 	CDROM, or
 	<filename>/usr/local/mathematica/SystemFiles/Fonts</filename> on
 	your hard drive.  The actual fonts are in the subdirectories
 	<filename>Type1</filename> and <filename>X</filename>.  There are
 	several ways to use them, as described below.</para>
 
       <para>The first way is to copy them into one of the existing font
 	directories in <filename>/usr/X11R6/lib/X11/fonts</filename>.
 	This will require editing the <filename>fonts.dir</filename> file,
 	adding the font names to it, and changing the number of fonts on
 	the first line.  Alternatively, you should also just be able to
 	run &man.mkfontdir.1; in the directory you have copied
 	them to.</para>
 
       <para>The second way to do this is to copy the directories to
 	<filename>/usr/X11R6/lib/X11/fonts</filename>:</para>
 
       <screen>&prompt.root; <userinput>cd /usr/X11R6/lib/X11/fonts</userinput>
 &prompt.root; <userinput>mkdir X</userinput>
 &prompt.root; <userinput>mkdir MathType1</userinput>
 &prompt.root; <userinput>cd /cdrom/Unix/Files/SystemFiles/Fonts</userinput>
 &prompt.root; <userinput>cp X/* /usr/X11R6/lib/X11/fonts/X</userinput>
 &prompt.root; <userinput>cp Type1/* /usr/X11R6/lib/X11/fonts/MathType1</userinput>
 &prompt.root; <userinput>cd /usr/X11R6/lib/X11/fonts/X</userinput>
 &prompt.root; <userinput>mkfontdir</userinput>
 &prompt.root; <userinput>cd ../MathType1</userinput>
 &prompt.root; <userinput>mkfontdir</userinput></screen>
 
       <para>Now add the new font directories to your font path:</para>
 
       <screen>&prompt.root; <userinput>xset fp+ /usr/X11R6/lib/X11/fonts/X</userinput>
 &prompt.root; <userinput>xset fp+ /usr/X11R6/lib/X11/fonts/MathType1</userinput>
 &prompt.root; <userinput>xset fp rehash</userinput></screen>
 
       <para>If you are using the <application>&xfree86;</application> server, you can have these font
 	directories loaded automatically by adding them to your
 	<filename>XF86Config</filename> file.</para>
       <indexterm><primary>fonts</primary></indexterm>
 
       <para>If you <emphasis>do not</emphasis> already have a directory
 	called <filename>/usr/X11R6/lib/X11/fonts/Type1</filename>, you
 	can change the name of the <filename>MathType1</filename>
 	directory in the example above to
 	<filename>Type1</filename>.</para>
     </sect2>
   </sect1>
 
   <sect1 id="linuxemu-maple">
     <sect1info>
       <authorgroup>
 	<author>
 	  <firstname>Aaron</firstname>
 	  <surname>Kaplan</surname>
 <!--	  <address><email>aaron@lo-res.org</email></address>-->
 	  <contrib>Contributed by </contrib>
 	</author>
       </authorgroup>
       <authorgroup>
 	<author>
 	  <firstname>Robert</firstname>
 	  <surname>Getschmann</surname>
 <!--	  <address><email>rob@getschmann.org</email></address>-->
 	  <contrib>Thanks to </contrib>
 	</author>
       </authorgroup>
     </sect1info>
     <title>Installing &maple;</title>
 
     <indexterm>
       <primary>applications</primary>
       <secondary><application>Maple</application></secondary>
     </indexterm>
 
     <para><application>&maple;</application> is a commercial mathematics program similar to
       <application>&mathematica;</application>.  You must purchase this software from <ulink
       url="http://www.maplesoft.com/"></ulink> and then register there
       for a license file.  To install this software on FreeBSD, please
       follow these simple steps.</para>
 
       <procedure>
 	<step><para>Execute the <filename>INSTALL</filename> shell
 	  script from the product distribution.  Choose the
 	  <quote>RedHat</quote> option when prompted by the
 	  installation program.  A typical installation directory
 	  might be <filename
 	  class="directory">/usr/local/maple</filename>.</para></step>
 
         <step><para>If you have not done so, order a license for <application>&maple;</application>
 	  from Maple Waterloo Software (<ulink url="http://register.maplesoft.com/"></ulink>)
 	  and copy it to
 	  <filename>/usr/local/maple/license/license.dat</filename>.</para></step>
 
         <step><para>Install the <application>FLEXlm</application>
 	  license manager by running the
 	  <filename>INSTALL_LIC</filename> install shell script that
 	  comes with <application>&maple;</application>.  Specify the
 	  primary hostname for your machine for the license
 	  server.</para></step>
 
         <step><para>Patch the
           <filename>/usr/local/maple/bin/maple.system.type</filename>
           file with the following:</para>
 <programlisting>   ----- snip ------------------
 *** maple.system.type.orig      Sun Jul  8 16:35:33 2001
 --- maple.system.type   Sun Jul  8 16:35:51 2001
 ***************
 *** 72,77 ****
 --- 72,78 ----
           # the IBM RS/6000 AIX case
           MAPLE_BIN="bin.IBM_RISC_UNIX"
           ;;
 +     "FreeBSD"|\
       "Linux")
           # the Linux/x86 case
         # We have two Linux implementations, one for Red Hat and
    ----- snip end of patch -----</programlisting>
 
 	<para>Please note that after the <literal>"FreeBSD"|\</literal> no other
 	  whitespace should be present.</para>
 
 	<para>This patch instructs <application>&maple;</application> to
 	  recognize <quote>FreeBSD</quote> as a type of Linux system.
 	  The <filename>bin/maple</filename> shell script calls the
 	  <filename>bin/maple.system.type</filename> shell script
 	  which in turn calls <command>uname -a</command> to find out the operating
 	  system name. Depending on the OS name it will find out which
 	  binaries to use.</para></step>
 
       <step><para>Start the license server.</para>
 
 	<para>The following script, installed as
 	  <filename>/usr/local/etc/rc.d/lmgrd.sh</filename> is a
 	  convenient way to start up <command>lmgrd</command>:</para>
 
 	<programlisting>   ----- snip ------------
 
 #! /bin/sh
 PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/X11R6/bin
 PATH=${PATH}:/usr/local/maple/bin:/usr/local/maple/FLEXlm/UNIX/LINUX
 export PATH
 
 LICENSE_FILE=/usr/local/maple/license/license.dat
 LOG=/var/log/lmgrd.log
 
 case "$1" in
 start)
 	lmgrd -c ${LICENSE_FILE} 2>> ${LOG} 1>&2
 	echo -n " lmgrd"
 	;;
 stop)
 	lmgrd -c ${LICENSE_FILE} -x lmdown 2>> ${LOG} 1>&2
 	;;
 *)
 	echo "Usage: `basename $0` {start|stop}" 1>&2
 	exit 64
 	;;
 esac
 
 exit 0
    ----- snip ------------</programlisting></step>
 
 
       <step><para>Test-start <application>&maple;</application>:</para>
 	<screen>&prompt.user; <userinput>cd /usr/local/maple/bin</userinput>
 &prompt.user; <userinput>./xmaple</userinput></screen>
 
 	<para>You should be up and running. Make sure to write
 	  Maplesoft to let them know you would like a native FreeBSD
 	  version!</para></step>
     </procedure>
 
     <sect2>
       <title>Common Pitfalls</title>
 
       <itemizedlist>
 	<listitem><para>The <application>FLEXlm</application> license manager can be a difficult
 	  tool to work with.  Additional documentation on the subject
 	  can be found at <ulink
 	  url="http://www.globetrotter.com/"></ulink>.</para></listitem>
 
 	<listitem><para><command>lmgrd</command> is known to be very picky
 	  about the license file and to core dump if there are any
 	  problems.  A correct license file should look like this:</para>
 
 <programlisting># =======================================================
 # License File for UNIX Installations ("Pointer File")
 # =======================================================
 SERVER chillig ANY
 #USE_SERVER
 VENDOR maplelmg
 
 FEATURE Maple maplelmg 2000.0831 permanent 1 XXXXXXXXXXXX \
          PLATFORMS=i86_r ISSUER="Waterloo Maple Inc." \
          ISSUED=11-may-2000 NOTICE=" Technische Universitat Wien" \
          SN=XXXXXXXXX</programlisting>
 
 	  <note><para>Serial number and key 'X''ed out. <hostid>chillig</hostid> is a
 	    hostname.</para></note>
 
   	  <para>Editing the license file works as long as you do not
  	    touch the <quote>FEATURE</quote> line (which is protected by the
  	    license key).</para></listitem>
       </itemizedlist>
     </sect2>
   </sect1>
 
   <sect1 id="linuxemu-matlab">
     <sect1info>
       <authorgroup>
 	<author>
 	  <firstname>Dan</firstname>
 	  <surname>Pelleg</surname>
 	  <contrib>Contributed by </contrib>
 	</author>
 	<!-- daniel+handbook@pelleg.org -->
       </authorgroup>
     </sect1info>
     <title>Installing &matlab;</title>
 
     <indexterm>
       <primary>applications</primary>
       <secondary><application>MATLAB</application></secondary>
     </indexterm>
 
     <para>This document describes the process of installing the Linux
       version of <application>&matlab; version 6.5</application> onto
       a &os; system.  It works quite well, with the exception of the
       <application>&java.virtual.machine;</application> (see
       <xref linkend="matlab-jre">).</para>
 
     <para>The Linux version of <application>&matlab;</application> can be
       ordered directly from The MathWorks at <ulink
       url="http://www.mathworks.com"></ulink>.  Make sure you also get
       the license file or instructions how to create it.  While you
       are there, let them know you would like a native &os;
       version of their software.</para>
 
     <sect2>
       <title>Installing &matlab;</title>
 
       <para>To install <application>&matlab;</application>, do the 
 	following:</para>
 
       <procedure>
 	<step>
 	  <para>Insert the installation CD and mount it.
 	    Become <username>root</username>, as recommended by the
 	    installation script.  To start the installation script
 	    type:</para>
 
 	  <screen>&prompt.root; <userinput>/compat/linux/bin/sh /cdrom/install</userinput></screen>
 
 	  <tip>
 	    <para>The installer is graphical.  If you get errors about
 	      not being able to open a display, type
 	      <command>setenv HOME ~<replaceable>USER</replaceable></command>,
 	      where <replaceable>USER</replaceable> is the user you did a
 	      &man.su.1; as.</para>
 	  </tip>
 	</step>
 
 	<step>
 	  <para>
 	    When asked for the <application>&matlab;</application> root
 	    directory, type:
 	    <userinput>/compat/linux/usr/local/matlab</userinput>.</para>
 
 	  <tip>
 	    <para>For easier typing on the rest of the installation
 	      process, type this at your shell prompt:
 	      <command>set MATLAB=/compat/linux/usr/local/matlab</command></para>
 	  </tip>
 	</step>
 
 	<step>
 	  <para>Edit the license file as instructed when
 	    obtaining the <application>&matlab;</application> license.</para>
 
 	  <tip>
 	    <para>You can prepare this file in advance using your
 	      favorite editor, and copy it to
 	      <filename>$MATLAB/license.dat</filename> before the
 	      installer asks you to edit it.</para>
 	  </tip>
 	</step>
 
 	<step>
 	  <para>Complete the installation process.</para>
 	</step>
       </procedure>
 
       <para>At this point your <application>&matlab;</application>
 	installation is complete.  The following steps apply
 	<quote>glue</quote> to connect it to your &os; system.</para>
     </sect2>
 
     <sect2>
       <title>License Manager Startup</title>
       <procedure>
 	<step>
 	  <para>Create symlinks for the license manager scripts:</para>
 
 	  <screen>&prompt.root; <userinput>ln -s $MATLAB/etc/lmboot /usr/local/etc/lmboot_TMW</userinput>
 &prompt.root; <userinput>ln -s $MATLAB/etc/lmdown /usr/local/etc/lmdown_TMW</userinput></screen>
 	</step>
 	
 	<step>
 	  <para>Create a startup file at
 	    <filename>/usr/local/etc/rc.d/flexlm.sh</filename>.  The
 	    example below is a modified version of the distributed
 	    <filename>$MATLAB/etc/rc.lm.glnx86</filename>.  The changes
 	    are file locations, and startup of the license manager
 	    under Linux emulation.</para>
 
 	  <programlisting>#!/bin/sh
 case "$1" in
   start)
         if [ -f /usr/local/etc/lmboot_TMW ]; then
               /compat/linux/bin/sh /usr/local/etc/lmboot_TMW -u <replaceable>username</replaceable> &amp;&amp; echo 'MATLAB_lmgrd'
         fi
         ;;
   stop)
 	if [ -f /usr/local/etc/lmdown_TMW ]; then
             /compat/linux/bin/sh /usr/local/etc/lmdown_TMW  &gt; /dev/null 2&gt;&amp;1
 	fi
         ;;
   *)
 	echo "Usage: $0 {start|stop}"
 	exit 1
 	;;
 esac
 
 exit 0</programlisting>
 
 	  <important>
 	    <para>The file must be made executable:</para>
 
 	    <screen>&prompt.root; <userinput>chmod +x /usr/local/etc/rc.d/flexlm.sh</userinput></screen>
 
 	    <para>You must also replace
 	      <replaceable>username</replaceable> above with the name
 	      of a valid user on your system (and not
 	      <username>root</username>).</para>
 	  </important>
 	</step>
 
 	<step>
 	  <para>Start the license manager with the command:</para>
 
 	  <screen>&prompt.root; <userinput>/usr/local/etc/rc.d/flexlm.sh start</userinput></screen>
 	</step>
       </procedure>
     </sect2>
 
     <sect2 id="matlab-jre">
       <title>Linking the &java; Runtime Environment</title>
 
       <para>Change the <application>&java;</application> Runtime
 	Environment (JRE) link to one working under &os;:</para>
 
       <screen>&prompt.root; <userinput>cd $MATLAB/sys/java/jre/glnx86/</userinput>
 &prompt.root; <userinput>unlink jre; ln -s ./jre1.1.8 ./jre</userinput></screen>
     </sect2>
 
     <sect2>
       <title>Creating a &matlab; Startup Script</title>
 
       <procedure>
 	<step>
 	  <para>Place the following startup script in
 	    <filename>/usr/local/bin/matlab</filename>:
 	  </para>
 
 	  <programlisting>#!/bin/sh
 /compat/linux/bin/sh /compat/linux/usr/local/matlab/bin/matlab "$@"</programlisting>
 	</step>
 
 	<step>
 	  <para>Then type the command
 	    <command>chmod +x /usr/local/bin/matlab</command>.</para>
 	</step>
       </procedure>
 
       <tip>
 	<para>Depending on your version of
 	  <filename role="package">emulators/linux_base</filename>, you
 	  may run into errors when running this script.  To avoid that,
 	  edit the file
 	  <filename>/compat/linux/usr/local/matlab/bin/matlab</filename>,
 	  and change the line that says:</para>
 
 	<programlisting>if [ `expr "$lscmd" : '.*-&gt;.*'` -ne 0 ]; then</programlisting>
 
 	<para>(in version 13.0.1 it is on line 410) to this
 	  line:</para>
 
 	<programlisting>if test -L $newbase; then</programlisting>
       </tip>
     </sect2>
 
     <sect2>
       <title>Creating a &matlab; Shutdown Script</title>
 
       <para>The following is needed to solve a problem with &matlab;
 	not exiting correctly.</para>
 
       <procedure>
 	<step>
 	  <para>Create a file
 	    <filename>$MATLAB/toolbox/local/finish.m</filename>, and
 	    in it put the single line:</para>
 
 	  <programlisting>! $MATLAB/bin/finish.sh</programlisting>
 
 	  <note><para>The <literal>$MATLAB</literal> is
 	    literal.</para></note>
 
 	  <tip>
 	    <para>In the same directory, you will find the files
 	      <filename>finishsav.m</filename> and
 	      <filename>finishdlg.m</filename>, which let you save
 	      your workspace before quitting.  If you use either of
 	      them, insert the line above immediately after the
 	      <literal>save</literal> command.</para></tip>
 	</step>
 
 	<step>
 	  <para>Create a file
 	    <filename>$MATLAB/bin/finish.sh</filename>, which will
 	    contain the following:</para>
 
 	  <programlisting>#!/usr/compat/linux/bin/sh
 (sleep 5; killall -1 matlab_helper) &
 exit 0</programlisting>
 	</step>
 
 	<step>
 	  <para>Make the file executable:</para>
 
 	  <screen>&prompt.root; <userinput>chmod +x $MATLAB/bin/finish.sh</userinput></screen>
 	</step>
       </procedure>
     </sect2>
 
     <sect2 id="matlab-using">
       <title>Using &matlab;</title>
 
       <para>At this point you are ready to type
 	<command>matlab</command> and start using it.</para>
     </sect2>
   </sect1>
 
   <sect1 id="linuxemu-oracle">
     <sect1info>
       <authorgroup>
 	<author>
 	  <firstname>Marcel</firstname>
 	  <surname>Moolenaar</surname>
 	  <contrib>Contributed by </contrib>
 	</author>
 	<!-- marcel@cup.hp.com -->
       </authorgroup>
     </sect1info>
     <title>Installing &oracle;</title>
 
     <indexterm>
       <primary>applications</primary>
       <secondary><application>Oracle</application></secondary>
     </indexterm>
 
     <sect2>
       <title>Preface</title>
       <para>This document describes the process of installing <application>&oracle; 8.0.5</application> and
 	<application>&oracle; 8.0.5.1 Enterprise Edition</application> for Linux onto a FreeBSD
 	machine.</para>
     </sect2>
 
     <sect2>
       <title>Installing the Linux Environment</title>
 
       <para>Make sure you have both <filename role='package'>emulators/linux_base</filename> and
 	<filename role='package'>devel/linux_devtools</filename> from the ports collection
 	installed.  If you run into difficulties with these ports,
 	you may have to use
 	the packages or older versions available in the ports collection.</para>
 
       <para>If you want to run the intelligent agent, you will
 	also need to install the Red Hat Tcl package:
 	<filename>tcl-8.0.3-20.i386.rpm</filename>.  The general command
 	for installing packages with the official <application>RPM</application> port (<filename role='package'>archivers/rpm</filename>) is:</para>
 
       <screen>&prompt.root; <userinput>rpm -i --ignoreos --root /compat/linux --dbpath /var/lib/rpm <replaceable>package</replaceable></userinput></screen>
 
       <para>Installation of the <replaceable>package</replaceable> should not generate any errors.</para>
     </sect2>
 
     <sect2>
       <title>Creating the &oracle; Environment</title>
 
       <para>Before you can install <application>&oracle;</application>, you need to set up a proper
 	environment.  This document only describes what to do
 	<emphasis>specially</emphasis> to run <application>&oracle;</application> for Linux on FreeBSD, not
 	what has been described in the <application>&oracle;</application> installation guide.</para>
 
       <sect3 id="linuxemu-kernel-tuning">
         <title>Kernel Tuning</title>
 	<indexterm><primary>kernel tuning</primary></indexterm>
 
 	<para>As described in the <application>&oracle;</application> installation guide, you need to set
 	  the maximum size of shared memory.  Do not use
 	  <literal>SHMMAX</literal> under FreeBSD. <literal>SHMMAX</literal>
 	  is merely calculated out of <literal>SHMMAXPGS</literal> and
 	  <literal>PGSIZE</literal>.  Therefore define
 	  <literal>SHMMAXPGS</literal>.  All other options can be used as
 	  described in the guide.  For example:</para>
 
 	<programlisting>options SHMMAXPGS=10000
 options SHMMNI=100
 options SHMSEG=10
 options SEMMNS=200
 options SEMMNI=70
 options SEMMSL=61</programlisting>
 
 	<para>Set these options to suit your intended use of <application>&oracle;</application>.</para>
 
 	<para>Also, make sure you have the following options in your kernel
 	  configuration file:</para>
 
 <programlisting>options SYSVSHM #SysV shared memory
 options SYSVSEM #SysV semaphores
 options SYSVMSG #SysV interprocess communication</programlisting>
       </sect3>
 
       <sect3 id="linuxemu-oracle-account">
 
         <title>&oracle; Account</title>
 
 	<para>Create an <username>oracle</username> account just as you would create any other
 	  account. The  <username>oracle</username> account is special only that you need to give
 	  it a Linux shell.  Add <literal>/compat/linux/bin/bash</literal> to
 	  <filename>/etc/shells</filename> and set the shell for the <username>oracle</username>
 	  account to <filename>/compat/linux/bin/bash</filename>.</para>
       </sect3>
 
       <sect3 id="linuxemu-environment">
         <title>Environment</title>
 
 	<para>Besides the normal <application>&oracle;</application> variables, such as
 	  <envar>ORACLE_HOME</envar> and <envar>ORACLE_SID</envar> you must
 	  set the following environment variables:</para>
 
-	<informaltable frame="none">
+	<informaltable frame="none" pgwide="1">
 	  <tgroup cols="2">
           <colspec colwidth="1*">
           <colspec colwidth="2*">
 	    <thead>
 	      <row>
 		<entry>Variable</entry>
 
 		<entry>Value</entry>
 	      </row>
 	    </thead>
 	    <tbody>
 	      <row>
 		<entry><envar>LD_LIBRARY_PATH</envar></entry>
 
 		<entry><literal>$ORACLE_HOME/lib</literal></entry>
 	      </row>
 
 	      <row>
 		<entry><envar>CLASSPATH</envar></entry>
 
 		<entry><literal>$ORACLE_HOME/jdbc/lib/classes111.zip</literal></entry>
 	      </row>
 
 	      <row>
 		<entry><envar>PATH</envar></entry>
 
 		<entry><literal>/compat/linux/bin
 /compat/linux/sbin
 /compat/linux/usr/bin
 /compat/linux/usr/sbin
 /bin
 /sbin
 /usr/bin
 /usr/sbin
 /usr/local/bin
 $ORACLE_HOME/bin</literal></entry>
 	      </row>
 	    </tbody>
 	  </tgroup>
 	</informaltable>
 
         <para>It is advised to set all the environment variables in
 	  <filename>.profile</filename>.  A complete example is:</para>
 
 <programlisting>ORACLE_BASE=/oracle; export ORACLE_BASE
 ORACLE_HOME=/oracle; export ORACLE_HOME
 LD_LIBRARY_PATH=$ORACLE_HOME/lib
 export LD_LIBRARY_PATH
 ORACLE_SID=ORCL; export ORACLE_SID
 ORACLE_TERM=386x; export ORACLE_TERM
 CLASSPATH=$ORACLE_HOME/jdbc/lib/classes111.zip
 export CLASSPATH
 PATH=/compat/linux/bin:/compat/linux/sbin:/compat/linux/usr/bin
 PATH=$PATH:/compat/linux/usr/sbin:/bin:/sbin:/usr/bin:/usr/sbin
 PATH=$PATH:/usr/local/bin:$ORACLE_HOME/bin
 export PATH</programlisting>
       </sect3>
     </sect2>
 
     <sect2>
       <title>Installing &oracle;</title>
 
       <para>Due to a slight inconsistency in the Linux emulator, you need to
 	create a directory named <filename>.oracle</filename> in
 	<filename>/var/tmp</filename> before you start the installer.  Either
 	make it world writable or let it be owned by the <username>oracle</username> user.  You
 	should be able to install <application>&oracle;</application> without any problems.  If you have
 	problems, check your <application>&oracle;</application> distribution and/or configuration first!
 	After you have installed <application>&oracle;</application>, apply the patches described in the
 	next two subsections.</para>
 
       <para>A frequent problem is that the TCP protocol adapter is not
 	installed right. As a consequence, you cannot start any TCP listeners.
 	The following actions help solve this problem:</para>
 
       <screen>&prompt.root; <userinput>cd $ORACLE_HOME/network/lib</userinput>
 &prompt.root; <userinput>make -f ins_network.mk ntcontab.o</userinput>
 &prompt.root; <userinput>cd $ORACLE_HOME/lib</userinput>
 &prompt.root; <userinput>ar r libnetwork.a ntcontab.o</userinput>
 &prompt.root; <userinput>cd $ORACLE_HOME/network/lib</userinput>
 &prompt.root; <userinput>make -f ins_network.mk install</userinput></screen>
 
       <para>Do not forget to run <filename>root.sh</filename> again!</para>
 
     <sect3 id="linuxemu-patch-root">
       <title>Patching root.sh</title>
 
 	<para>When installing <application>&oracle;</application>, some actions, which need to be performed
 	  as <username>root</username>, are recorded in a shell script called
 	  <filename>root.sh</filename>.  This script is
 	  written in the <filename>orainst</filename> directory.  Apply the
 	  following patch to <filename>root.sh</filename>, to have it use to proper location of
 	  <command>chown</command> or alternatively run the script under a
 	  Linux native shell.</para>
 
 	<programlisting>*** orainst/root.sh.orig Tue Oct 6 21:57:33 1998
 --- orainst/root.sh Mon Dec 28 15:58:53 1998
 ***************
 *** 31,37 ****
 # This is the default value for CHOWN
 # It will redefined later in this script for those ports
 # which have it conditionally defined in ss_install.h
 ! CHOWN=/bin/chown
 #
 # Define variables to be used in this script
 --- 31,37 ----
 # This is the default value for CHOWN
 # It will redefined later in this script for those ports
 # which have it conditionally defined in ss_install.h
 ! CHOWN=/usr/sbin/chown
 #
 # Define variables to be used in this script</programlisting>
 
 	<para>When you do not install <application>&oracle;</application> from CD, you can patch the source
 	  for <filename>root.sh</filename>.  It is called
 	  <filename>rthd.sh</filename> and is located in the
 	  <filename>orainst</filename> directory in the source tree.</para>
       </sect3>
 
       <sect3 id="linuxemu-patch-tcl">
 	<title>Patching genclntsh</title>
 
 	<para>The script <command>genclntsh</command> is used to create
 	  a single shared client
 	  library.  It is used when building the demos.  Apply the following
 	  patch to comment out the definition of <envar>PATH</envar>:</para>
 
 	<programlisting>*** bin/genclntsh.orig Wed Sep 30 07:37:19 1998
 --- bin/genclntsh Tue Dec 22 15:36:49 1998
 ***************
 *** 32,38 ****
 #
 # Explicit path to ensure that we're using the correct commands
 #PATH=/usr/bin:/usr/ccs/bin export PATH
 ! PATH=/usr/local/bin:/bin:/usr/bin:/usr/X11R6/bin export PATH
 #
 # each product MUST provide a $PRODUCT/admin/shrept.lst
 --- 32,38 ----
 #
 # Explicit path to ensure that we're using the correct commands
 #PATH=/usr/bin:/usr/ccs/bin export PATH
 ! #PATH=/usr/local/bin:/bin:/usr/bin:/usr/X11R6/bin export PATH
 #
 # each product MUST provide a $PRODUCT/admin/shrept.lst</programlisting>
       </sect3>
     </sect2>
 
     <sect2>
       <title>Running &oracle;</title>
 
       <para>When you have followed the instructions, you should be able to run
 	<application>&oracle;</application> as if it was run on Linux
 	itself.</para>
     </sect2>
   </sect1>
 
   <sect1 id="sapr3">
     <sect1info>
       <authorgroup>
 	<author>
 	  <firstname>Holger</firstname>
 	  <surname>Kipp</surname>
 	  <contrib>Contributed by </contrib>
 	</author>
       </authorgroup>
       <!-- holger.kipp@alogis.com -->
       <authorgroup>
 	<author>
 	  <firstname>Valentino</firstname>
 	  <surname>Vaschetto</surname>
 	  <contrib>Original version converted to SGML by </contrib>
 	</author>
       </authorgroup>
     </sect1info>
 
     <title>Installing &sap.r3;</title>
 
     <indexterm>
       <primary>applications</primary>
       <secondary><application>SAP R/3</application></secondary>
     </indexterm>
 
     <para>Installations of <application>&sap;</application> Systems using FreeBSD will not be
       supported by the &sap; support team &mdash; they only offer support
       for certified platforms.</para>
 
     <sect2 id="preface">
       <title>Preface</title>
 
       <para>This document describes a possible way of installing a
 	<application>&sap.r3; System</application>
 	with <application>&oracle; Database</application>
 	for Linux onto a FreeBSD machine, including the installation
 	of FreeBSD and <application>&oracle;</application>. Two different
 	configurations will be described:</para>
 
       <itemizedlist>
 	<listitem>
 	  <para><application>&sap.r3; 4.6B (IDES)</application> with
 	  <application>&oracle; 8.0.5</application> on FreeBSD 4.3-STABLE</para>
 	</listitem>
 
 	<listitem>
 	  <para><application>&sap.r3; 4.6C</application> with
 	  <application>&oracle; 8.1.7</application> on FreeBSD 4.5-STABLE</para>
 	</listitem>
       </itemizedlist>
 
       <para>Even though this document tries to describe all important
         steps in a greater detail, it is not intended as a replacement
         for the <application>&oracle;</application> and
 	<application>&sap.r3;</application> installation guides.</para>
 
       <para>Please see the documentation that comes with the
 	<application>&sap.r3;</application>
 	Linux edition for <application>&sap;</application> and
 	<application>&oracle;</application> specific questions, as well
 	as resources from <application>&oracle;</application> and
 	<application>&sap; OSS</application>.</para>
     </sect2>
 
     <sect2 id="software">
       <title>Software</title>
 
       <para>The following CD-ROMs have been used for <application>&sap;</application> installations:</para>
 
       <sect3 id="software-46b">
 	<title>&sap.r3; 4.6B, &oracle; 8.0.5</title>
 
-      <informaltable frame="none">
+      <informaltable frame="none" pgwide="1">
 	<tgroup cols=3>
 	  <thead>
 	    <row>
 	      <entry>Name</entry> <entry>Number</entry> <entry>Description</entry>
 	    </row>
 	  </thead>
 	  <tbody>
 	    <row>
 	      <entry>KERNEL</entry> <entry>51009113</entry> <entry>SAP Kernel Oracle /
 		Installation / AIX, Linux, Solaris</entry>
 	    </row>
 
 	    <row>
 	      <entry>RDBMS</entry> <entry>51007558</entry> <entry>Oracle / RDBMS 8.0.5.X /
 		Linux</entry>
 	    </row>
 
 	    <row>
 	      <entry>EXPORT1</entry> <entry>51010208</entry> <entry>IDES / DB-Export /
 		Disc 1 of 6</entry>
 	    </row>
 
 	    <row>
 	      <entry>EXPORT2</entry> <entry>51010209</entry> <entry>IDES / DB-Export /
 		Disc 2 of 6</entry>
 	    </row>
 
 	    <row>
 	      <entry>EXPORT3</entry> <entry>51010210</entry> <entry>IDES / DB-Export /
 		Disc 3 of 6</entry>
 	    </row>
    
 	    <row>
 	      <entry>EXPORT4</entry> <entry>51010211</entry> <entry>IDES / DB-Export /
 		Disc 4 of 6</entry>
 	    </row>
 
 	    <row>
 	      <entry>EXPORT5</entry> <entry>51010212</entry> <entry>IDES / DB-Export /
 		Disc 5 of 6</entry>
 	    </row>
 
 	    <row>
 	      <entry>EXPORT6</entry> <entry>51010213</entry> <entry>IDES / DB-Export /
 		Disc 6 of 6</entry>
 	    </row>
 	  </tbody>
 	</tgroup>
       </informaltable>
 
       <para>Additionally, we used the <application>&oracle; 8
 	Server</application> (Pre-production version 8.0.5 for Linux,
 	Kernel Version 2.0.33) CD which is not really necessary, and
 	FreeBSD 4.3-STABLE (it was only a few days past 4.3
 	RELEASE).</para>
 
       </sect3>
       <sect3 id="software-46c">
 	<title>&sap.r3; 4.6C SR2, &oracle; 8.1.7</title>
 
-	<informaltable frame="none">
+	<informaltable frame="none" pgwide="1">
 	  <tgroup cols=3>
 	    <thead>
 	      <row>
 		<entry>Name</entry> <entry>Number</entry> <entry>Description</entry>
 	      </row>
 	    </thead>
 
 	    <tbody>
 	      <row>
 		<entry>KERNEL</entry> <entry>51014004</entry> <entry>SAP Kernel Oracle /
 		  SAP Kernel Version 4.6D / DEC, Linux</entry>
 	      </row>
 
 	      <row>
 		<entry>RDBMS</entry> <entry>51012930</entry> <entry>Oracle 8.1.7/ RDBMS /
 		  Linux</entry>
 	      </row>
 
 	      <row>
 		<entry>EXPORT1</entry> <entry>51013953</entry> <entry>Release 4.6C SR2 / Export
 		  / Disc 1 of 4</entry>
 	      </row>
 
 	      <row>
 		<entry>EXPORT1</entry> <entry>51013953</entry> <entry>Release 4.6C SR2 / Export
 		  / Disc 2 of 4</entry>
 	      </row>
 
 	      <row>
 		<entry>EXPORT1</entry> <entry>51013953</entry> <entry>Release 4.6C SR2 / Export
 		  / Disc 3 of 4</entry>
 	      </row>
 
 	      <row>
 		<entry>EXPORT1</entry> <entry>51013953</entry> <entry>Release 4.6C SR2 / Export
 		  / Disc 4 of 4</entry>
 	      </row>
 
 	      <row>
 		<entry>LANG1</entry> <entry>51013954</entry> <entry>Release 4.6C SR2 /
 		  Language / DE, EN, FR / Disc 1 of 3</entry>
 	      </row>
 	    </tbody>
 	  </tgroup>
 	</informaltable>
 
         <para>Depending on the languages you would like to install, additional
 	  language CDs might be necessary. Here we are just using DE and EN, so
 	  the first language CD is the only one needed. As a little note, the
 	  numbers for all four EXPORT CDs are identical. All three language CDs
 	  also have the same number (this is different from the 4.6B IDES
 	  release CD numbering). At the time of writing this installation is
 	  running on FreeBSD 4.5-STABLE (20.03.2002).</para>
       </sect3>
     </sect2>
 
     <sect2 id="sap-notes">
       <title>&sap; Notes</title>
 
       <para>The following notes should be read before installing
 	<application>&sap.r3;</application> and proved to be useful
 	during installation:</para>
 
       <sect3 id="sap-notes-46b">
 	<title>&sap.r3; 4.6B, &oracle; 8.0.5</title>
 
-	<informaltable frame="none">
+	<informaltable frame="none" pgwide="1">
 	  <tgroup cols="2">
 	    <thead>
 	      <row>
 		<entry>Number</entry>
 		<entry>Title</entry>
 	      </row>
 	    </thead>
 	    <tbody>
 
 	      <row>
 		<entry>0171356</entry> <entry>SAP Software on Linux: Essential
 		  Comments</entry>
 	      </row>
 
 	      <row>
 		<entry>0201147</entry> <entry>INST: 4.6C R/3 Inst. on UNIX -
 		  Oracle</entry>
 	      </row>
 
 	      <row>
 		<entry>0373203</entry> <entry>Update / Migration Oracle 8.0.5 --&gt;
 		  8.0.6/8.1.6 LINUX</entry>
 	      </row>
 
 	      <row>
 		<entry>0072984</entry> <entry>Release of Digital UNIX 4.0B for
 		  Oracle</entry>
 	      </row>
 
 	      <row>
 		<entry>0130581</entry> <entry>R3SETUP step DIPGNTAB terminates</entry>
 	      </row>
 
 	      <row>
 		<entry>0144978</entry> <entry>Your system has not been installed
 		  correctly</entry>
 	      </row>
 
 	      <row>
 		<entry>0162266</entry> <entry>Questions and tips for R3SETUP on Windows
 		  NT / W2K</entry>
 	      </row>
 	    </tbody>
 	  </tgroup>
 	</informaltable>
       </sect3>
 
       <sect3 id="sap-notes-46c">
 	<title>&sap.r3; 4.6C, &oracle; 8.1.7</title>
 
-	<informaltable frame="none">
+	<informaltable frame="none" pgwide="1">
 	  <tgroup cols="2">
 	    <thead>
 	      <row>
 		<entry>Number</entry>
 		<entry>Title</entry>
 	      </row>
 	    </thead>
 	    <tbody>
 	      <row>
 		<entry>0015023</entry> <entry>Initializing table TCPDB (RSXP0004)
 		  (EBCDIC)</entry>
 	      </row>
 
 	      <row>
 		<entry>0045619</entry> <entry>R/3 with several languages or
 		  typefaces</entry>
 	      </row>
 
 	      <row>
 		<entry>0171356</entry> <entry>SAP Software on Linux: Essential
 		  Comments</entry>
 	      </row>
 
 	      <row>
 		<entry>0195603</entry> <entry>RedHat 6.1 Enterprise version:
 		  Known problems</entry>
 	      </row>
 
 	      <row>
 		<entry>0212876</entry> <entry>The new archiving tool SAPCAR</entry>
 	      </row>
 
 	      <row>
 		<entry>0300900</entry> <entry>Linux: Released DELL Hardware</entry>
 	      </row>
 
 	      <row>
 		<entry>0377187</entry> <entry>RedHat 6.2: important remarks</entry>
 	      </row>
 
 	      <row>
 		<entry>0387074</entry> <entry>INST: R/3 4.6C SR2 Installation on
 		  UNIX</entry>
 	      </row>
 
 	      <row>
 		<entry>0387077</entry> <entry>INST: R/3 4.6C SR2 Inst. on UNIX -
 		  Oracle</entry>
 	      </row>
 
 	      <row>
 		<entry>0387078</entry> <entry>SAP Software on UNIX: OS Dependencies
 		  4.6C SR2</entry>
 	      </row>
 	    </tbody>
 	  </tgroup>
 	</informaltable>
       </sect3>
     </sect2>
 
     <sect2 id="hardware-requirements">
       <title>Hardware Requirements</title>
 
       <para>The following equipment is sufficient for the installation
 	of a <application>&sap.r3; System</application>. For production
 	use, a more exact sizing is of course needed:</para>
 
-      <informaltable frame="none">
+      <informaltable frame="none" pgwide="1">
 	<tgroup cols="3">
 	  <thead>
 	    <row>
 	      <entry>Component</entry>
 	      <entry>4.6B</entry>
 	      <entry>4.6C</entry>
 	    </row>
 	  </thead>
 	  <tbody>
 	    <row>
 	      <entry>Processor</entry>
 	      <entry>2 x 800MHz &pentium; III</entry>
 	      <entry>2 x 800MHz &pentium; III</entry>
 	    </row>
 
 	    <row>
 	      <entry>Memory</entry>
 	      <entry>1GB ECC</entry>
 	      <entry>2GB ECC</entry>
 	    </row>
 
 	    <row>
 	      <entry>Hard Disk Space</entry>
 	      <entry>50-60GB (IDES)</entry>
 	      <entry>50-60GB (IDES)</entry>
 	    </row>
 	  </tbody>
 	</tgroup>
       </informaltable>
 
       <para>For use in production, &xeon; Processors with large cache,
 	high-speed disk access (SCSI, RAID hardware controller), USV
 	and ECC-RAM is recommended.  The large amount of hard disk
 	space is due to the preconfigured IDES System, which creates
 	27&nbsp;GB of database files during installation. This space is
 	also sufficient for initial production systems and application
 	data.</para>
 
       <sect3 id="hardware-46b">
 	<title>&sap.r3; 4.6B, &oracle; 8.0.5</title>
 
       <para>The following off-the-shelf hardware was used: a dual processor
 	board with 2 800&nbsp;MHz &pentium;&nbsp;III processors, &adaptec; 29160 Ultra160
 	SCSI adapter (for accessing a 40/80&nbsp;GB DLT tape drive and CDROM),
 	&mylex; &acceleraid; (2 channels, firmware 6.00-1-00 with 32&nbsp;MB RAM).
 	To the &mylex; RAID controller are attached two 17&nbsp;GB hard disks
 	(mirrored) and four 36&nbsp;GB hard disks (RAID level 5).</para>
       </sect3>
 
       <sect3 id="hardware-46c">
 	<title>&sap.r3; 4.6C, &oracle; 8.1.7</title>
 
       <para>For this installation a &dell; &poweredge; 2500 was used: a
 	dual processor board with two 1000&nbsp;MHz &pentium;&nbsp;III processors
 	(256&nbsp;kB Cache), 2&nbsp;GB PC133 ECC SDRAM, PERC/3 DC PCI RAID Controller
 	with 128&nbsp;MB, and an EIDE DVD-ROM drive. To the RAID controller are
 	attached two 18&nbsp;GB hard disks (mirrored) and four 36&nbsp;GB hard disks
 	(RAID level 5).</para>
       </sect3>
     </sect2>
 
     <sect2 id="installation">
       <title>Installation of FreeBSD</title>
 
       <para>First you have to install FreeBSD. There are several ways to do
 	this (FreeBSD&nbsp;4.3 was installed via FTP, FreeBSD&nbsp;4.5 directly from
 	the RELEASE CD) for more informations read the <xref
 	linkend="install-diff-media">.</para>
 
       <sect3 id="disk-layout">
 	<title>Disk Layout</title>
 
 	<para>To keep it simple, the same disk layout both for the
 	  <application>&sap.r3; 46B</application> and <application>&sap.r3; 46C
 	  SR2</application> installation was used. Only the device names
 	  changed, as the installations were on different hardware (<filename>/dev/da</filename>
 	  and <filename>/dev/amr</filename> respectively, so if using an AMI &megaraid;, one will see
 	  <filename>/dev/amr0s1a</filename> instead of <filename>/dev/da0s1a</filename>):</para>
 
-	<informaltable frame="none">
+	<informaltable frame="none" pgwide="1">
 	  <tgroup cols="4">
 	    <thead>
 	      <row>
 		<entry>File system</entry>
 		<entry>Size (1k-blocks)</entry>
 		<entry>Size (GB)</entry>
 		<entry>Mounted on</entry>
 	      </row>
 	    </thead>
 	    <tbody>
 	      <row>
 		<entry><filename>/dev/da0s1a</filename></entry>
 		<entry>1.016.303</entry>
 		<entry>1</entry>
 		<entry><filename>/</filename></entry>
 	      </row>
 
 	      <row>
 		<entry><filename>/dev/da0s1b</filename></entry>
 		<entry> </entry>
 		<entry>6</entry>
 		<entry>swap</entry>
 	      </row>
 
 	      <row>
 		<entry><filename>/dev/da0s1e</filename></entry>
 		<entry>2.032.623</entry>
 		<entry>2</entry>
 		<entry><filename>/var</filename></entry>
 	      </row>
 
 	      <row>
 		<entry><filename>/dev/da0s1f</filename></entry>
 		<entry>8.205.339</entry>
 		<entry>8</entry>
 		<entry><filename>/usr</filename></entry>
 	      </row>
 
 	      <row>
 		<entry><filename>/dev/da1s1e</filename></entry>
 		<entry>45.734.361</entry>
 		<entry>45</entry>
 		<entry><filename>/compat/linux/oracle</filename></entry>
 	      </row>
 
 	      <row>
 		<entry><filename>/dev/da1s1f</filename></entry>
 		<entry>2.032.623</entry>
 		<entry>2</entry>
 		<entry><filename>/compat/linux/sapmnt</filename></entry>
 	      </row>
 
 	      <row>
 		<entry><filename>/dev/da1s1g</filename></entry>
 		<entry>2.032.623</entry>
 		<entry>2</entry>
 		<entry><filename>/compat/linux/usr/sap</filename></entry>
 	      </row>
 	    </tbody>
 	  </tgroup>
 	</informaltable>
 
 	<para>Configure and initialize the two logical drives
 	  with the &mylex; or PERC/3 RAID software beforehand.
 	  The software can be started during the
 	  <acronym>BIOS</acronym> boot phase.</para>
 
 	<para> Please note that this disk layout differs slightly from
 	  the &sap; recommendations, as &sap; suggests mounting the
 	  <application>&oracle;</application> subdirectories (and some others) separately &mdash; we
 	  decided to just create them as real subdirectories for
 	  simplicity.</para>
       </sect3>
 
       <sect3 id="makeworldandnewkernel">
 	<title><command>make world</command> and a New Kernel</title>
 
 	<para>Download the latest -STABLE sources. Rebuild world and your
 	  custom kernel after configuring your kernel configuration file.
 	  Here you should also include the
 	  <link linkend="kerneltuning">kernel parameters</link>
 	  which are required for both <application>&sap.r3;</application>
 	  and <application>&oracle;</application>.</para>
       </sect3>
     </sect2>
 
     <sect2 id="installingthelinuxenviornment">
       <title>Installing the Linux Environment</title>
 
       <sect3 id="installinglinuxbase-system">
 	<title>Installing the Linux Base System</title>
 
 	<para>First the <link linkend="linuxemu-libs-port">linux_base</link>
 	  port needs to be installed (as <username>root</username>):</para>
 
 	<screen>&prompt.root; <userinput>cd /usr/ports/emulators/linux_base</userinput>
 &prompt.root; <userinput>make install distclean</userinput></screen>
 
       </sect3>
 
 
       <sect3 id="installinglinuxdevelopment">
 	<title>Installing Linux Development Environment</title>
 
 	<para>The Linux development environment is needed, if you want to install
 	  <application>&oracle;</application> on FreeBSD according to the
 	  <xref linkend="linuxemu-oracle">:</para>
 
 	<screen>&prompt.root; <userinput>cd /usr/ports/devel/linux_devtools</userinput>
 &prompt.root; <userinput>make install distclean</userinput></screen>
 
 	<para>The Linux development environment has only been installed for the <application>&sap.r3;
 	  46B IDES</application> installation. It is not needed, if
 	  the <application>&oracle; DB</application> is not relinked on the
 	  FreeBSD system. This is the case if you are using the
 	  <application>&oracle;</application> tarball from a Linux system.</para>
 
       </sect3>
 
 
       <sect3 id="installingnecessaryrpms">
 	<title>Installing the Necessary RPMs</title>
 	<indexterm><primary>RPMs</primary></indexterm>
 
 	<para>To start the <command>R3SETUP</command> program, PAM support is needed.
 	  During the first <application>&sap;</application> Installation on FreeBSD 4.3-STABLE we
 	  tried to install PAM with all the required packages and
 	  finally forced the installation of the PAM package, which
 	  worked. For <application>&sap.r3; 4.6C SR2</application> we
 	  directly forced the installation of the PAM RPM, which also
 	  works, so it seems the dependent packages are not needed:</para>
 
 
 <screen>&prompt.root; <userinput>rpm -i --ignoreos --nodeps --root /compat/linux --dbpath /var/lib/rpm \
 pam-0.68-7.i386.rpm</userinput></screen>
 
 	<para>For <application>&oracle; 8.0.5</application> to run the
 	  intelligent agent, we also had to install the RedHat Tcl package
 	  <filename>tcl-8.0.5-30.i386.rpm</filename> (otherwise the
 	  relinking during <application>&oracle;</application> installation
 	  will not work).  There are some other issues regarding
 	  relinking of <application>&oracle;</application>, but that is
 	  a <application>&oracle;</application> Linux issue, not FreeBSD specific.</para>
 
       </sect3>
 
       <sect3 id="linuxprocandfallbackelfbrand">
 	<title>Some Additional Hints</title>
 
 	<para>It might also be a good idea to add <literal>linprocfs</literal>
 	  to <filename>/etc/fstab</filename>, for more informations, see the &man.linprocfs.5; manual page.
 	  Another parameter to set is <literal>kern.fallback_elf_brand=3</literal>
 	  which is done in the file <filename>/etc/sysctl.conf</filename>.</para>
       </sect3>
     </sect2>
 
     <sect2 id="creatingsapr3env">
       <title>Creating the &sap.r3; Environment</title>
 
       <sect3 id="filesystemsandmountpoints">
 	<title>Creating the Necessary File Systems and Mountpoints</title>
 
 	<para>For a simple installation, it is sufficient to create the
           following file systems:</para>
 
-	<informaltable frame="none">
+	<informaltable frame="none" pgwide="1">
 	  <tgroup cols="2">
 	    <thead>
 	      <row>
 		<entry>mount point</entry>
 		<entry>size in GB</entry>
 	      </row>
 	    </thead>
 	    <tbody>
 	      <row>
 		<entry><filename>/compat/linux/oracle</filename></entry>
 		<entry>45 GB</entry>
 	      </row>
 
 	      <row>
 		<entry><filename>/compat/linux/sapmnt</filename></entry>
 		<entry>2 GB</entry>
 	      </row>
 
 	      <row>
 		<entry><filename>/compat/linux/usr/sap</filename></entry>
 		<entry>2 GB</entry>
 	      </row>
 	    </tbody>
 	  </tgroup>
 	</informaltable>
 
 	<para>It is also necessary to created some links. Otherwise
 	  the <application>&sap;</application> Installer will complain, as it is checking the
 	  created links:</para>
 
 	<screen>&prompt.root; <userinput>ln -s /compat/linux/oracle /oracle</userinput>
 &prompt.root; <userinput>ln -s /compat/linux/sapmnt /sapmnt</userinput>
 &prompt.root; <userinput>ln -s /compat/linux/usr/sap /usr/sap</userinput></screen>
 
 	<para>Possible error message during installation (here with
 	  System <emphasis>PRD</emphasis> and the
 	  <application>&sap.r3; 4.6C SR2</application>
 	  installation):</para>
 
 	<screen>INFO 2002-03-19 16:45:36 R3LINKS_IND_IND SyLinkCreate:200
     Checking existence of symbolic link /usr/sap/PRD/SYS/exe/dbg to
     /sapmnt/PRD/exe. Creating if it does not exist...
 
 WARNING 2002-03-19 16:45:36 R3LINKS_IND_IND SyLinkCreate:400
     Link /usr/sap/PRD/SYS/exe/dbg exists but it points to file
     /compat/linux/sapmnt/PRD/exe instead of /sapmnt/PRD/exe. The
     program cannot go on as long as this link exists at this
     location. Move the link to another location.
 
 ERROR 2002-03-19 16:45:36 R3LINKS_IND_IND Ins_SetupLinks:0
     can not setup link '/usr/sap/PRD/SYS/exe/dbg' with content
     '/sapmnt/PRD/exe'</screen>
       </sect3>
 
       <sect3 id="creatingusersanddirectories">
 	<title>Creating Users and Directories</title>
 
 	<para><application>&sap.r3;</application> needs two users and
 	  three groups. The user names depend on the
 	  <application>&sap;</application> system ID (SID) which consists
 	  of three letters. Some of these SIDs are reserved
 	  by <application>&sap;</application> (for example
 	  <literal>SAP</literal> and <literal>NIX</literal>. For a
 	  complete list please see the <application>&sap;</application> documentation).  For the IDES
 	  installation we used <literal>IDS</literal>, for the
 	  4.6C SR2 installation <literal>PRD</literal>, as that system
 	  is intended for production use.  We have
 	  therefore the following groups (group IDs might differ, these
 	  are just the values we used with our installation):</para>
 
-        <informaltable frame="none">
+        <informaltable frame="none" pgwide="1">
           <tgroup cols="3">
           <thead>
           <row>
             <entry>group ID</entry>
             <entry>group name</entry>
             <entry>description</entry>
           </row>
           </thead>
           <tbody>
           <row>
             <entry>100</entry>
             <entry>dba</entry>
             <entry>Data Base Administrator</entry>
           </row>
           <row>
             <entry>101</entry>
             <entry>sapsys</entry>
             <entry>&sap; System</entry>
           </row>
           <row>
             <entry>102</entry>
             <entry>oper</entry>
             <entry>Data Base Operator</entry>
           </row>
           </tbody>
           </tgroup>
         </informaltable>
 
         <para>For a default <application>&oracle;</application> installation, only group
           <groupname>dba</groupname> is used. As
           <groupname>oper</groupname> group, one also uses group
           <groupname>dba</groupname> (see <application>&oracle;</application> and
           <application>&sap;</application> documentation for further information).</para>
 
         <para>We also need the following users:</para>
 
-        <informaltable frame="none">
+        <informaltable frame="none" pgwide="1">
           <tgroup cols="6">
           <thead>
           <row>
             <entry>user ID</entry>
             <entry>user name</entry>
             <entry>generic name</entry>
             <entry>group</entry>
             <entry>additional groups</entry>
             <entry>description</entry>
           </row>
           </thead>
           <tbody>
           <row>
             <entry>1000</entry>
             <entry>idsadm/prdadm</entry>
             <entry><replaceable>sid</replaceable>adm</entry>
             <entry>sapsys</entry>
             <entry>oper</entry>
             <entry>&sap; Administrator</entry>
           </row>
           <row>
             <entry>1002</entry>
             <entry>oraids/oraprd</entry>
             <entry>ora<replaceable>sid</replaceable></entry>
             <entry>dba</entry>
             <entry>oper</entry>
             <entry>&oracle; Administrator</entry>
           </row>
           </tbody>
           </tgroup>
         </informaltable>
 
         <para>Adding the users with &man.adduser.8;
           requires the following (please note shell and home
           directory) entries for <quote>&sap; Administrator</quote>:</para>
 
         <programlisting>Name: <replaceable>sid</replaceable>adm
 Password: ******
 Fullname: SAP Administrator <replaceable>SID</replaceable>
 Uid: 1000
 Gid: 101 (sapsys)
 Class:
 Groups: sapsys dba
 HOME: /home/<replaceable>sid</replaceable>adm
 Shell: bash  (/compat/linux/bin/bash)</programlisting>
 
         <para>and for <quote>&oracle; Administrator</quote>:</para>
 
         <programlisting>Name: ora<replaceable>sid</replaceable> 
 Password: ****** 
 Fullname: Oracle Administrator <replaceable>SID</replaceable>
 Uid: 1002 
 Gid: 100 (dba) 
 Class: 
 Groups: dba 
 HOME: /oracle/<replaceable>sid</replaceable> 
 Shell: bash  (/compat/linux/bin/bash)</programlisting>
 
         <para>This should also include group
           <groupname>oper</groupname> in case you are using both
           groups <groupname>dba</groupname> and
           <groupname>oper</groupname>.</para>
 
       </sect3>
 
       <sect3 id="creatingdirectories">
         <title>Creating Directories</title>
 
         <para>These directories are usually created as separate
           file systems.  This depends entirely on your requirements.  We
           choose to create them as simple directories, as they are all
           located on the same RAID 5 anyway:</para>
 
         <para>First we will set owners and rights of some directories (as
           user <username>root</username>):</para>
 
         <screen>&prompt.root; <userinput>chmod 775 /oracle</userinput>
 &prompt.root; <userinput>chmod 777 /sapmnt</userinput>
 &prompt.root; <userinput>chown root:dba /oracle</userinput>
 &prompt.root; <userinput>chown <replaceable>sid</replaceable>adm:sapsys /compat/linux/usr/sap</userinput>
 &prompt.root; <userinput>chmod 775 /compat/linux/usr/sap</userinput></screen>
 
         <para>Second we will create directories as user 
 	  <username>ora<replaceable>sid</replaceable></username>. These
           will all be subdirectories of 
 	  <filename>/oracle/<replaceable>SID</replaceable></filename>:</para>
 
         <screen>&prompt.root; <userinput>su - ora<replaceable>sid</replaceable></userinput>
 &prompt.root; <userinput>cd /oracle/<replaceable>SID</replaceable></userinput>
 &prompt.root; <userinput>mkdir mirrlogA mirrlogB origlogA origlogB</userinput>
 &prompt.root; <userinput>mkdir sapdata1 sapdata2 sapdata3 sapdata4 sapdata5 sapdata6</userinput>
 &prompt.root; <userinput>mkdir saparch sapreorg</userinput>
 &prompt.root; <userinput>exit</userinput></screen>
 
 	<para>For the <application>&oracle; 8.1.7</application> installation
 	  some additional directories are needed:</para>
 
 	<screen>&prompt.root; <userinput>su - ora<replaceable>sid</replaceable></userinput>
 &prompt.root; <userinput>cd /oracle</userinput>
 &prompt.root; <userinput>mkdir 805_32</userinput>
 &prompt.root; <userinput>mkdir client stage</userinput>
 &prompt.root; <userinput>mkdir client/80x_32</userinput>
 &prompt.root; <userinput>mkdir stage/817_32</userinput>
 &prompt.root; <userinput>cd /oracle/<replaceable>SID</replaceable></userinput>
 &prompt.root; <userinput>mkdir 817_32</userinput></screen>
 
 	<note><para>The directory <filename>client/80x_32</filename> is used
 	  with exactly this name. Do not replace the <emphasis>x</emphasis>
 	  with some number or anything.</para></note>
 
         <para>In the third step we create directories as user 
 	  <username><replaceable>sid</replaceable>adm</username>:</para>
 
         <screen>&prompt.root; <userinput>su - <replaceable>sid</replaceable>adm</userinput>
 &prompt.root; <userinput>cd /usr/sap</userinput>
 &prompt.root; <userinput>mkdir <replaceable>SID</replaceable></userinput>
 &prompt.root; <userinput>mkdir trans</userinput>
 &prompt.root; <userinput>exit</userinput></screen>
       </sect3>
 
       <sect3 id="entriesinslashetcslashservices">
         <title>Entries in <filename>/etc/services</filename></title>
 
         <para><application>&sap.r3;</application> requires some entries in file
           <filename>/etc/services</filename>, which will not be set
           correctly during installation under FreeBSD.  Please add the
           following entries (you need at least those entries
           corresponding to the instance number &mdash; in this case,
           <literal>00</literal>.  It will do no harm adding all
           entries from <literal>00</literal> to
           <literal>99</literal> for <literal>dp</literal>,
           <literal>gw</literal>, <literal>sp</literal> and
           <literal>ms</literal>). If you are going to use a <application>SAProuter</application>
 	  or need to access <application>&sap;</application> OSS, you also need <literal>99</literal>,
 	  as port 3299 is usually used for the <application>SAProuter</application> process on the
 	  target system:</para>
 
         <programlisting>
 sapdp00    3200/tcp # SAP Dispatcher.      3200 + Instance-Number
 sapgw00  3300/tcp # SAP Gateway.         3300 + Instance-Number
 sapsp00  3400/tcp #                      3400 + Instance-Number
 sapms00  3500/tcp #                      3500 + Instance-Number
 sapms<replaceable>SID</replaceable> 3600/tcp # SAP Message Server.  3600 + Instance-Number
 sapgw00s   4800/tcp # SAP Secure Gateway   4800 + Instance-Number</programlisting>
       </sect3>
 
       <sect3 id="necessarylocales">
         <title>Necessary Locales</title>
 	<indexterm><primary>locale</primary></indexterm>
 
         <para><application>&sap;</application> requires at least two locales that are not part of
           the default RedHat installation. &sap; offers the required
           RPMs as download from their FTP server (which is only
           accessible if you are a customer with OSS access).  See note
           0171356 for a list of RPMs you need.</para>
 
         <para>It is also possible to just create appropriate links
           (for example from <emphasis>de_DE</emphasis> and
           <emphasis>en_US</emphasis> ), but we would not recommend this
           for a production system (so far it worked with the IDES
           system without any problems, though).  The following locales
           are needed:</para>
 
         <programlisting>de_DE.ISO-8859-1
 en_US.ISO-8859-1</programlisting>
 
 	<para>Create the links like this:</para>
 
 	<screen>&prompt.root; <userinput>cd /compat/linux/usr/share/locale</userinput>
 &prompt.root; <userinput>ln -s de_DE de_DE.ISO-8859-1</userinput>
 &prompt.root; <userinput>ln -s en_US en_US.ISO-8859-1</userinput></screen>
 
         <para>If they are not present, there will be some problems
           during the installation.  If these are then subsequently
           ignored (by setting the <literal>STATUS</literal> of the offending steps to
           <literal>OK</literal> in file <filename>CENTRDB.R3S</filename>), it will be impossible to log onto
           the <application>&sap;</application> system without some additional effort.</para>
       </sect3>
 
       <sect3 id="kerneltuning">
         <title>Kernel Tuning</title>
 	<indexterm><primary>kernel tuning</primary></indexterm>
 
         <para><application>&sap.r3;</application> systems need a lot of resources.  We therefore
         added the following parameters to the kernel configuration file:</para>
 
         <programlisting># Set these for memory pigs (SAP and Oracle):
 options MAXDSIZ="(1024*1024*1024)"
 options DFLDSIZ="(1024*1024*1024)"
 # System V options needed.
 options SYSVSHM #SYSV-style shared memory
 options SHMMAXPGS=262144 #max amount of shared mem. pages
 #options SHMMAXPGS=393216 #use this for the 46C inst.parameters
 options SHMMNI=256 #max number of shared memory ident if.
 options SHMSEG=100 #max shared mem.segs per process
 options SYSVMSG #SYSV-style message queues 
 options MSGSEG=32767 #max num. of mes.segments in system 
 options MSGSSZ=32 #size of msg-seg. MUST be power of 2
 options MSGMNB=65535 #max char. per message queue
 options MSGTQL=2046 #max amount of msgs in system
 options SYSVSEM #SYSV-style semaphores 
 options SEMMNU=256 #number of semaphore UNDO structures
 options SEMMNS=1024 #number of semaphores in system
 options SEMMNI=520 #number of semaphore identifiers
 options SEMUME=100       #number of UNDO keys</programlisting>
 
         <para>The minimum values are specified in the documentation that
           comes from &sap;.  As there is no description for Linux, see the
           HP-UX section (32-bit) for further information. As the system
 	  for the 4.6C SR2 installation has more main memory, the shared
 	  segments can be larger both for <application>&sap;</application>
 	  and <application>&oracle;</application>, therefore choose a larger
 	  number of shared memory pages.</para>
 
 	<note><para>With the default installation of FreeBSD&nbsp;4.5 on &i386;,
 	  leave <literal>MAXDSIZ</literal> and <literal>DFLDSIZ</literal> at 1&nbsp;GB maximum. Otherwise, strange 
 	  errors like <errorname>ORA-27102: out of memory</errorname> and 
           <errorname>Linux Error: 12: Cannot allocate memory</errorname>
           might happen.</para></note>
       </sect3>
     </sect2>
 
     <sect2 id="installingsapr3">
       <title>Installing &sap.r3;</title>
 
       <sect3 id="preparingsapcdroms">
         <title>Preparing &sap; CDROMs</title>
 
         <para>There are many CDROMs to mount and unmount during the
           installation.  Assuming you have enough CDROM drives, you
           can just mount them all.  We decided to copy the CDROMs
           contents to corresponding directories:</para>
 
 	<programlisting>/oracle/<replaceable>SID</replaceable>/sapreorg/<replaceable>cd-name</replaceable></programlisting>
 
         <para>where <replaceable>cd-name</replaceable> was one of <filename>KERNEL</filename>, 
 	  <filename>RDBMS</filename>, <filename>EXPORT1</filename>,
 	  <filename>EXPORT2</filename>, <filename>EXPORT3</filename>,
 	  <filename>EXPORT4</filename>, <filename>EXPORT5</filename> and 
 	  <filename>EXPORT6</filename> for the 4.6B/IDES installation, and
 	  <filename>KERNEL</filename>, <filename>RDBMS</filename>,
 	  <filename>DISK1</filename>, <filename>DISK2</filename>,
 	  <filename>DISK3</filename>, <filename>DISK4</filename> and
 	  <filename>LANG</filename> for the 4.6C SR2 installation. All the
 	  filenames on the mounted CDs should be in capital letters,
 	  otherwise use the <option>-g</option> option for mounting. So use the following
 	  commands:</para>
 
         <screen>&prompt.root; <userinput>mount_cd9660 -g /dev/cd0a /mnt</userinput>
 &prompt.root; <userinput>cp -R /mnt/* /oracle/<replaceable>SID</replaceable>/sapreorg/<replaceable>cd-name</replaceable></userinput>
 &prompt.root; <userinput>umount /mnt</userinput></screen>
       </sect3>
 
       <sect3 id="runningtheinstall-script">
         <title>Running the Installation Script</title>
 
 	<para>First you have to prepare an <filename class="directory">install</filename> directory:</para>
 
 	<screen>&prompt.root; <userinput>cd /oracle/<replaceable>SID</replaceable>/sapreorg</userinput>
 &prompt.root; <userinput>mkdir install</userinput>
 &prompt.root; <userinput>cd install</userinput></screen>
 
         <para>Then the installation script is started, which will copy nearly
           all the relevant files into the <filename class="directory">install</filename> directory:</para>
 
 	<screen>&prompt.root; <userinput>/oracle/<replaceable>SID</replaceable>/sapreorg/KERNEL/UNIX/INSTTOOL.SH</userinput></screen>
 
 	<para>The IDES installation (4.6B) comes with a fully customized
 	  &sap.r3; demonstration system, so there are six instead of just three
           EXPORT CDs.  At this point the installation template
 	  <filename>CENTRDB.R3S</filename> is for installing a standard
 	  central instance (<application>&r3;</application> and database), not the IDES central
 	  instance, so one needs to copy the corresponding <filename>CENTRDB.R3S</filename>
 	  from the <filename class="directory">EXPORT1</filename> directory, otherwise <command>R3SETUP</command> will only ask
 	  for three EXPORT CDs.</para>
 
 	<para>The newer <application>&sap; 4.6C SR2</application> release
 	  comes with four EXPORT CDs. The parameter file that controls
 	  the installation steps is <filename>CENTRAL.R3S</filename>.
 	  Contrary to earlier releases there are no separate installation
 	  templates for a central instance with or without database.
 	  <application>&sap;</application> is using a separate template for database installation. To restart
 	  the installation later it is however sufficient to restart with
 	  the original file.</para>
 
 	<para>During and after installation, <application>&sap;</application> requires
 	  <command>hostname</command> to return the computer name
 	  only, not the fully qualified domain name. So either
 	  set the hostname accordingly, or set an alias with
 	  <command>alias hostname='hostname -s'</command> for
 	  both <username>ora<replaceable>sid</replaceable></username> and 
 	  <username><replaceable>sid</replaceable>adm</username> (and for
 	  <username>root</username> at least during installation
 	  steps performed as <username>root</username>). It is also 
 	  possible to adjust the installed <filename>.profile</filename> and <filename>.login</filename> files of
 	  both users that are installed during 
 	  <application>&sap;</application> installation.</para>
       </sect3>
 
       <sect3 id="startr3setup-46B">
         <title>Start <command>R3SETUP</command> 4.6B</title>
 
         <para>Make sure <envar>LD_LIBRARY_PATH</envar> is set correctly:</para>
 
         <screen>&prompt.root; <userinput>export LD_LIBRARY_PATH=/oracle/IDS/lib:/sapmnt/IDS/exe:/oracle/805_32/lib</userinput></screen>
 
         <para>Start <command>R3SETUP</command> as <username>root</username> from 
 	  installation directory:</para>
 
         <screen>&prompt.root; <userinput>cd /oracle/IDS/sapreorg/install</userinput>
 &prompt.root; <userinput>./R3SETUP -f CENTRDB.R3S</userinput></screen>
 
         <para>The script then asks some questions (defaults in brackets,
         followed by actual input):</para>
 
-        <informaltable frame="none">
+        <informaltable frame="none" pgwide="1">
           <tgroup cols="3">
           <thead>
           <row>
             <entry>Question</entry>
             <entry>Default</entry>
             <entry>Input</entry>
           </row>
           </thead>
           <tbody>
           <row>
             <entry>Enter SAP System ID</entry>
             <entry>[C11]</entry>
             <entry>IDS<keycap>Enter</keycap></entry>
           </row>
           <row>
             <entry>Enter SAP Instance Number</entry>
             <entry>[00]</entry>
             <entry><keycap>Enter</keycap></entry>
           </row>
           <row>
             <entry>Enter SAPMOUNT Directory</entry>
             <entry>[/sapmnt]</entry>
             <entry><keycap>Enter</keycap></entry>
           </row>
           <row>
             <entry>Enter name of SAP central host</entry>
             <entry>[troubadix.domain.de]</entry>
             <entry><keycap>Enter</keycap></entry>
           </row>
           <row>
             <entry>Enter name of SAP db host</entry>
             <entry>[troubadix]</entry>
             <entry><keycap>Enter</keycap></entry>
           </row>
           <row>
             <entry>Select character set</entry>
             <entry>[1] (WE8DEC)</entry>
             <entry><keycap>Enter</keycap></entry>
           </row>
           <row>
             <entry>Enter Oracle server version (1) Oracle 8.0.5, (2) Oracle 8.0.6, (3) Oracle 8.1.5, (4) Oracle 8.1.6</entry>
             <entry> </entry>
             <entry>1<keycap>Enter</keycap></entry>
           </row>
           <row>
             <entry>Extract Oracle Client archive</entry>
             <entry>[1] (Yes, extract)</entry>
             <entry><keycap>Enter</keycap></entry>
           </row>
           <row>
             <entry>Enter path to KERNEL CD</entry>
             <entry>[/sapcd]</entry>
             <entry>/oracle/IDS/sapreorg/KERNEL</entry>
           </row>
           <row>
             <entry>Enter path to RDBMS CD</entry>
             <entry>[/sapcd]</entry>
             <entry>/oracle/IDS/sapreorg/RDBMS</entry>
           </row>
           <row>
             <entry>Enter path to EXPORT1 CD</entry>
             <entry>[/sapcd]</entry>
             <entry>/oracle/IDS/sapreorg/EXPORT1</entry>
           </row>
           <row>
             <entry>Directory to copy EXPORT1 CD</entry>
             <entry>[/oracle/IDS/sapreorg/CD4_DIR]</entry>
             <entry><keycap>Enter</keycap></entry>
           </row>
           <row>
             <entry>Enter path to EXPORT2 CD</entry>
             <entry>[/sapcd]</entry>
             <entry>/oracle/IDS/sapreorg/EXPORT2</entry>
           </row>
           <row>
             <entry>Directory to copy EXPORT2 CD</entry>
             <entry>[/oracle/IDS/sapreorg/CD5_DIR]</entry>
             <entry><keycap>Enter</keycap></entry>
           </row>
           <row>
             <entry>Enter path to EXPORT3 CD</entry>
             <entry>[/sapcd]</entry>
             <entry>/oracle/IDS/sapreorg/EXPORT3</entry>
           </row>
           <row>
             <entry>Directory to copy EXPORT3 CD</entry>
             <entry>[/oracle/IDS/sapreorg/CD6_DIR]</entry>
             <entry><keycap>Enter</keycap></entry>
           </row>
           <row>
             <entry>Enter path to EXPORT4 CD</entry>
             <entry>[/sapcd]</entry>
             <entry>/oracle/IDS/sapreorg/EXPORT4</entry>
           </row>
           <row>
             <entry>Directory to copy EXPORT4 CD</entry>
             <entry>[/oracle/IDS/sapreorg/CD7_DIR]</entry>
             <entry><keycap>Enter</keycap></entry>
           </row>
           <row>
             <entry>Enter path to EXPORT5 CD</entry>
             <entry>[/sapcd]</entry>
             <entry>/oracle/IDS/sapreorg/EXPORT5</entry>
           </row>
           <row>
             <entry>Directory to copy EXPORT5 CD</entry>
             <entry>[/oracle/IDS/sapreorg/CD8_DIR]</entry>
             <entry><keycap>Enter</keycap></entry>
           </row>
           <row>
             <entry>Enter path to EXPORT6 CD</entry>
             <entry>[/sapcd]</entry>
             <entry>/oracle/IDS/sapreorg/EXPORT6</entry>
           </row>
           <row>
             <entry>Directory to copy EXPORT6 CD</entry>
             <entry>[/oracle/IDS/sapreorg/CD9_DIR]</entry>
             <entry><keycap>Enter</keycap></entry>
           </row>
           <row>
             <entry>Enter amount of RAM for SAP + DB</entry>
             <entry> </entry>
             <entry>850<keycap>Enter</keycap> (in Megabytes)</entry>
           </row>
           <row>
             <entry>Service Entry Message Server</entry>
             <entry>[3600]</entry>
             <entry><keycap>Enter</keycap></entry>
           </row>
           <row>
             <entry>Enter Group-ID of sapsys</entry>
             <entry>[101]</entry>
             <entry><keycap>Enter</keycap></entry>
           </row>
           <row>
             <entry>Enter Group-ID of oper</entry>
             <entry>[102]</entry>
             <entry><keycap>Enter</keycap></entry>
           </row>
           <row>
             <entry>Enter Group-ID of dba</entry>
             <entry>[100]</entry>
             <entry><keycap>Enter</keycap></entry>
           </row>
           <row>
             <entry>Enter User-ID of <replaceable>sid</replaceable>adm</entry>
             <entry>[1000]</entry>
             <entry><keycap>Enter</keycap></entry>
           </row>
           <row>
             <entry>Enter User-ID of ora<replaceable>sid</replaceable></entry>
             <entry>[1002]</entry>
             <entry><keycap>Enter</keycap></entry>
           </row>
           <row>
             <entry>Number of parallel procs</entry>
             <entry>[2]</entry>
             <entry><keycap>Enter</keycap></entry>
           </row>
           </tbody>
           </tgroup>
         </informaltable>
       
         <para>If you had not copied the CDs to the different locations,
           then the <application>&sap;</application> installer cannot find the CD needed (identified
           by the <filename>LABEL.ASC</filename> file on the CD) and would
           then ask you to insert and mount the CD and confirm or enter
           the mount path.</para>
    
         <para>The <filename>CENTRDB.R3S</filename> might not be
           error free. In our case, it requested EXPORT4 CD again but
           indicated the correct key (6_LOCATION, then 7_LOCATION
           etc.), so one can just continue with entering the correct
           values.</para>
 
         <para>Apart from some problems mentioned below, everything
           should go straight through up to the point where the &oracle;
           database software needs to be installed.</para>
       </sect3>
 
       <sect3 id="startr3setup-46C">
 	<title>Start <command>R3SETUP</command> 4.6C SR2</title>
 
 	<para>Make sure <envar>LD_LIBRARY_PATH</envar> is set correctly. This is a
 	  different value from the 4.6B installation with
 	  <application>&oracle; 8.0.5</application>:</para>
 
 	<screen>&prompt.root; <userinput>export LD_LIBRARY_PATH=/sapmnt/PRD/exe:/oracle/PRD/817_32/lib</userinput></screen>
 
 	<para>Start <command>R3SETUP</command> as user <username>root</username> from installation directory:</para>
 
 	<screen>&prompt.root; <userinput>cd /oracle/PRD/sapreorg/install</userinput>
 &prompt.root; <userinput>./R3SETUP -f CENTRAL.R3S</userinput></screen>
 
 	<para>The script then asks some questions (defaults in brackets,
 	  followed by actual input):</para>
 
-	<informaltable frame="none">
+	<informaltable frame="none" pgwide="1">
 	  <tgroup cols="3">
 	  <thead>
 	  <row>
 	    <entry>Question</entry>
 	    <entry>Default</entry>
 	    <entry>Input</entry>
 	  </row>
 	  </thead>
 	  <tbody>
 	  <row>
 	    <entry>Enter SAP System ID</entry>
 	    <entry>[C11]</entry>
 	    <entry>PRD<keycap>Enter</keycap></entry>
 	  </row>
 	  <row>
 	    <entry>Enter SAP Instance Number</entry>
 	    <entry>[00]</entry>
 	    <entry><keycap>Enter</keycap></entry>
 	  </row>
 	  <row>
 	    <entry>Enter SAPMOUNT Directory</entry>
 	    <entry>[/sapmnt]</entry>
 	    <entry><keycap>Enter</keycap></entry>
 	  </row>
 	  <row>
 	    <entry>Enter name of SAP central host</entry>
 	    <entry>[majestix]</entry>
 	    <entry><keycap>Enter</keycap></entry>
 	  </row>
 	  <row>
 	    <entry>Enter Database System ID</entry>
 	    <entry>[PRD]</entry>
 	    <entry>PRD<keycap>Enter</keycap></entry>
 	  </row>
 	  <row>
 	    <entry>Enter name of SAP db host</entry>
 	    <entry>[majestix]</entry>
 	    <entry><keycap>Enter</keycap></entry>
 	  </row>
 	  <row>
 	    <entry>Select character set</entry>
 	    <entry>[1] (WE8DEC)</entry>
 	    <entry><keycap>Enter</keycap></entry>
 	  </row>
 	  <row>
 	    <entry>Enter Oracle server version (2) Oracle 8.1.7</entry>
 	    <entry> </entry>
 	    <entry>2<keycap>Enter</keycap></entry>
 	  </row>
 	  <row>
 	    <entry>Extract Oracle Client archive</entry>
 	    <entry>[1] (Yes, extract)</entry>
 	    <entry><keycap>Enter</keycap></entry>
 	  </row>
 	  <row>
 	    <entry>Enter path to KERNEL CD</entry>
 	    <entry>[/sapcd]</entry>
 	    <entry>/oracle/PRD/sapreorg/KERNEL</entry>
 	  </row>
 	  <row>
 	    <entry>Enter amount of RAM for SAP + DB</entry>
 	    <entry>2044</entry>
 	    <entry>1800<keycap>Enter</keycap> (in Megabytes)</entry>
 	  </row>
 	  <row>
 	    <entry>Service Entry Message Server</entry>
 	    <entry>[3600]</entry>
 	    <entry><keycap>Enter</keycap></entry>
 	  </row>
 	  <row>
 	    <entry>Enter Group-ID of sapsys</entry>
 	    <entry>[100]</entry>
 	    <entry><keycap>Enter</keycap></entry>
 	  </row>
 	  <row>
             <entry>Enter Group-ID of oper</entry>
             <entry>[101]</entry>
             <entry><keycap>Enter</keycap></entry>
           </row>
           <row>
             <entry>Enter Group-ID of dba</entry>
             <entry>[102]</entry>
             <entry><keycap>Enter</keycap></entry>
           </row>
           <row>
             <entry>Enter User-ID of <username>oraprd</username></entry>
             <entry>[1002]</entry>
             <entry><keycap>Enter</keycap></entry>
           </row>
           <row>
             <entry>Enter User-ID of <username>prdadm</username></entry>
             <entry>[1000]</entry>
             <entry><keycap>Enter</keycap></entry>
           </row>
           <row>
             <entry>LDAP support</entry>
             <entry> </entry>
             <entry>3<keycap>Enter</keycap> (no support)</entry>
           </row>
           <row>
             <entry>Installation step completed</entry>
             <entry>[1] (continue)</entry>
             <entry><keycap>Enter</keycap></entry>
           </row>
           <row>
             <entry>Choose installation service</entry>
             <entry>[1] (DB inst,file)</entry>
             <entry><keycap>Enter</keycap></entry>
           </row>
           </tbody>
           </tgroup>
         </informaltable>
       
         <para>So far, creation of users gives an error during
 	  installation in phases OSUSERDBSID_IND_ORA (for creating
 	  user <username>ora<replaceable>sid</replaceable></username>) and 
 	  OSUSERSIDADM_IND_ORA (creating user 
 	  <username><replaceable>sid</replaceable>adm</username>).</para>
    
         <para>Apart from some problems mentioned below, everything
           should go straight through up to the point where the &oracle;
           database software needs to be installed.</para>
       </sect3>
     </sect2>
 
     <sect2 id="installingoracle805">
       <title>Installing &oracle; 8.0.5</title>
 
       <para>Please see the corresponding &sap; Notes and &oracle; <filename>Readme</filename>s
         regarding Linux and <application>&oracle; DB</application> for possible problems. Most if
         not all problems stem from incompatible libraries.</para>
 
       <para>For more information on installing <application>&oracle;</application>, refer to <link
 	  linkend="linuxemu-oracle">the Installing &oracle;
 	  chapter.</link></para>
 
 
       <sect3 id="installingtheoracle805withorainst">
         <title>Installing the &oracle; 8.0.5 with <command>orainst</command></title>
 
         <para>If <application>&oracle; 8.0.5</application> is to be
           used, some additional libraries are needed for successfully
           relinking, as <application>&oracle; 8.0.5</application> was linked with an old glibc
           (RedHat 6.0), but RedHat 6.1 already uses a new glibc. So
           you have to install the following additional packages to
           ensure that linking will work:</para>
 
         <para><filename>compat-libs-5.2-2.i386.rpm</filename></para>
         <para><filename>compat-glibc-5.2-2.0.7.2.i386.rpm</filename></para>
         <para><filename>compat-egcs-5.2-1.0.3a.1.i386.rpm</filename></para>
         <para><filename>compat-egcs-c++-5.2-1.0.3a.1.i386.rpm</filename></para>
         <para><filename>compat-binutils-5.2-2.9.1.0.23.1.i386.rpm</filename></para>
 
         <para>See the corresponding &sap; Notes or &oracle; <filename>Readme</filename>s for
           further information.  If this is no option (at the time of
           installation we did not have enough time to check this), one
           could use the original binaries, or use the relinked
           binaries from an original RedHat system.</para>
 
         <para>For compiling the intelligent agent, the RedHat Tcl
           package must be installed.  If you cannot get
           <filename>tcl-8.0.3-20.i386.rpm</filename>, a newer one like
           <filename>tcl-8.0.5-30.i386.rpm</filename> for RedHat 6.1
           should also do.</para>
 
         <para>Apart from relinking, the installation is
           straightforward:</para>
 
         <screen>&prompt.root; <userinput>su - oraids</userinput>
 &prompt.root; <userinput>export TERM=xterm</userinput>
 &prompt.root; <userinput>export ORACLE_TERM=xterm</userinput>
 &prompt.root; <userinput>export ORACLE_HOME=/oracle/IDS</userinput>
 &prompt.root; <userinput>cd $ORACLE_HOME/orainst_sap</userinput>
 &prompt.root; <userinput>./orainst</userinput></screen>
 
         <para>Confirm all screens with <keycap>Enter</keycap> until the software is
           installed, except that one has to deselect the
           <emphasis>&oracle; On-Line Text Viewer</emphasis>, as this is
           not currently available for Linux. <application>&oracle;</application> then wants to
           relink with <command>i386-glibc20-linux-gcc</command>
           instead of the available <command>gcc</command>,
           <command>egcs</command> or <command>i386-redhat-linux-gcc
           </command>.</para>
 
         <para>Due to time constrains we decided to use the binaries
           from an <application>&oracle; 8.0.5 PreProduction</application>
 	  release, after the first
           attempt at getting the version from the RDBMS CD working,
           failed, and finding and accessing the correct RPMs was a
           nightmare at that time.</para>
 
       </sect3>
 
       <sect3 id="installingtheoracle805preproduction">
         <title>Installing the &oracle; 8.0.5 Pre-production Release for
           Linux (Kernel 2.0.33)</title>
 
         <para>This installation is quite easy. Mount the CD, start the
           installer.  It will then ask for the location of the &oracle;
           home directory, and copy all binaries there. We did not
           delete the remains of our previous RDBMS installation tries,
           though.</para>
 
         <para>Afterwards, <application>&oracle;</application> Database could be started with no
           problems.</para>
       </sect3>
     </sect2>
 
     <sect2 id="installingoracle817">
       <title>Installing the &oracle; 8.1.7 Linux Tarball</title>
       <para>Take the tarball <filename>oracle81732.tgz</filename> you
 	produced from the installation directory on a Linux system
 	and untar it to <filename>/oracle/<replaceable>SID</replaceable>/817_32/</filename>.</para>
     </sect2>
 
     <sect2 id="continuewithsapr4installation">
       <title>Continue with &sap.r3; Installation</title>
 
       <para>First check the environment settings of users 
 	<username>idsamd</username>
         (<replaceable>sid</replaceable>adm) and 
 	<username>oraids</username> (ora<replaceable>sid</replaceable>). They should now
         both have the files <filename>.profile</filename>,
         <filename>.login</filename> and <filename>.cshrc</filename>
         which are all using <command>hostname</command>. In case the
         system's hostname is the fully qualified name, you need to
         change <command>hostname</command> to <command>hostname
         -s</command> within all three files.</para>
 
       <sect3 id="databaseload">
         <title>Database Load</title>
 
         <para>Afterwards, <command>R3SETUP</command> can either be restarted or continued
           (depending on whether exit was chosen or not). <command>R3SETUP</command> then
 	  creates the tablespaces and loads the data (for 46B IDES, from 
 	  EXPORT1 to EXPORT6, for 46C from DISK1 to DISK4) with <command>R3load</command>
 	  into the database.</para>
 
         <para>When the database load is finished (might take a few
           hours), some passwords are requested. For test
           installations, one can use the well known default passwords
           (use different ones if security is an issue!):</para>
 
-        <informaltable frame="none">
+        <informaltable frame="none" pgwide="1">
           <tgroup cols="2">
           <thead>
           <row>
             <entry>Question</entry>
             <entry>Input</entry>
           </row>
           </thead>
           <tbody>
           <row>
             <entry>Enter Password for sapr3</entry>
             <entry>sap<keycap>Enter</keycap></entry>
           </row>
           <row>
             <entry>Confirum Password for sapr3</entry>
             <entry>sap<keycap>Enter</keycap></entry>
           </row>
           <row>
             <entry>Enter Password for sys</entry>
             <entry>change_on_install<keycap>Enter</keycap></entry>
           </row>
           <row>
             <entry>Confirm Password for sys</entry>
             <entry>change_on_install<keycap>Enter</keycap></entry>
           </row>
           <row>
             <entry>Enter Password for system</entry>
             <entry>manager<keycap>Enter</keycap></entry>
           </row>
           <row>
             <entry>Confirm Password for system</entry>
             <entry>manager<keycap>Enter</keycap></entry>
           </row>
           </tbody>
           </tgroup>
         </informaltable>
 
         <para>At this point We had a few problems with 
 	  <command>dipgntab</command> during the 4.6B
 	  installation.</para>
       </sect3>
 
       <sect3 id="listener">
         <title>Listener</title>
 
         <para>Start the <application>&oracle;</application> Listener as user 
 	  <username>ora<replaceable>sid</replaceable></username> as follows:</para>
 
         <screen>&prompt.user; <userinput>umask 0; lsnrctl start</userinput></screen>
 
         <para>Otherwise you might get the error <errorcode>ORA-12546</errorcode> as the sockets will not
         have the correct permissions. See &sap; Note 072984.</para>
       </sect3>
 
       <sect3 id="mnlstables">
 	<title>Updating MNLS Tables</title>
 	<para>If you plan to import non-Latin-1 languages into the <application>&sap;</application> system,
 	  you have to update the Multi National Language Support tables.
 	  This is described in the &sap; OSS Notes 15023 and 45619. Otherwise,
 	  you can skip this question during <application>&sap;</application> installation.</para>
 	<note><para>If you do not need MNLS, it is still necessary to check
 	  the table TCPDB and initializing it if this has not been done. See
 	  &sap; note 0015023 and 0045619 for further information.</para></note>
       </sect3>
     </sect2>
 
     <sect2 id="postinstallationsteps">
       <title>Post-installation Steps</title>
 
       <sect3 id="requestsapr3licensekey">
         <title>Request &sap.r3; License Key</title>
 
         <para>You have to request your <application>&sap.r3;</application> License Key. This is needed,
 	  as the temporary license that was installed during installation
 	  is only valid for four weeks. First get the hardware key.  Log 
 	  on as user <username>idsadm</username> and call 
 	  <command>saplicense</command>:</para>
 
         <screen>&prompt.root; <userinput>/sapmnt/IDS/exe/saplicense -get</userinput></screen>
 
 	<para>Calling <command>saplicense</command> without parameters gives 
 	  a list of options.  Upon receiving the license key, it can be 
 	  installed using:</para>
 
         <screen>&prompt.root; <userinput>/sapmnt/IDS/exe/saplicense -install</userinput></screen>
 
         <para>You are then required to enter the following values:</para>
 
         <programlisting>SAP SYSTEM ID   = <replaceable>SID, 3 chars</replaceable>
 CUSTOMER KEY    = <replaceable>hardware key, 11 chars</replaceable>
 INSTALLATION NO = <replaceable>installation, 10 digits</replaceable>
 EXPIRATION DATE = <replaceable>yyyymmdd, usually "99991231"</replaceable>
 LICENSE KEY     = <replaceable>license key, 24 chars</replaceable></programlisting>
       </sect3>
 
       <sect3 id="creatingusers">
         <title>Creating Users</title>
 
         <para>Create a user within client 000 (for some tasks required
         to be done within client 000, but with a user different from
         users <username>sap*</username> and
         <username>ddic</username>). As a user name, We usually choose
         <username>wartung</username> (or
         <username>service</username> in English).  Profiles
         required are <literal>sap_new</literal> and
         <literal>sap_all</literal>. For additional safety the
         passwords of default users within all clients should be
         changed (this includes users <username>sap*</username> and
         <username>ddic</username>).</para>
       </sect3>
 
       <sect3 id="configtranssysprofileopermodesetc">
         <title>Configure Transport System, Profile, Operation Modes, Etc.</title>
 
         <para>Within client 000, user different from <username>ddic</username>
 	  and <username>sap*</username>, do at least the following:</para>
 
-        <informaltable frame="none">
+        <informaltable frame="none" pgwide="1">
           <tgroup cols="2">
           <thead>
           <row>
             <entry>Task</entry>
             <entry>Transaction</entry>
           </row>
           </thead>
           <tbody>
           <row>
             <entry>Configure Transport System, e.g. as <emphasis>Stand-Alone
             Transport Domain Entity</emphasis></entry>
 	    <entry>STMS</entry>
           </row>
           <row>
             <entry>Create / Edit Profile for System</entry>
             <entry>RZ10</entry>
           </row>
           <row>
             <entry>Maintain Operation Modes and Instances</entry>
             <entry>RZ04</entry>
           </row>
           </tbody>
           </tgroup>
         </informaltable>
 
         <para>These and all the other post-installation steps are
           thoroughly described in <application>&sap;</application> installation guides.</para>
       </sect3>
 
       <sect3 id="editintsidsap">
         <title>Edit <filename>init<replaceable>sid</replaceable>.sap</filename> (<filename>initIDS.sap</filename>)</title>
 
 	<para>The file <filename>/oracle/IDS/dbs/initIDS.sap</filename>
 	  contains the <application>&sap;</application> backup profile.  Here the size of the tape to 
 	  be used, type of compression and so on need to be defined. To 
           get this running with <command>sapdba</command> /
 	  <command>brbackup</command>, we changed the following values:</para>
 
         <programlisting>compress = hardware
 archive_function = copy_delete_save
 cpio_flags = "-ov --format=newc --block-size=128 --quiet"
 cpio_in_flags = "-iuv --block-size=128 --quiet"
 tape_size = 38000M
 tape_address = /dev/nsa0
 tape_address_rew = /dev/sa0</programlisting>
 
         <para>Explanations:</para>
 
         <para><varname>compress</varname>: The tape we use is a HP DLT1
         which does hardware compression.</para>
 
         <para><varname>archive_function</varname>: This defines the
         default behavior for saving &oracle; archive logs: new logfiles
         are saved to tape, already saved logfiles are saved again and
         are then deleted.  This prevents lots of trouble if you need to
         recover the database, and one of the archive-tapes has gone
         bad.</para>
 
         <para><varname>cpio_flags</varname>: Default is to use <option>-B</option> which
         sets block size to 5120&nbsp;Bytes. For DLT Tapes, HP recommends at
         least 32&nbsp;K block size, so we used <option>--block-size=128</option> for
         64&nbsp;K. <option>--format=newc</option> is needed because we have inode numbers greater than
         65535. The last option <option>--quiet</option> is needed as otherwise 
 	<command>brbackup</command>
         complains as soon as <command>cpio</command> outputs the 
 	numbers of blocks saved.</para>
 
         <para><varname>cpio_in_flags</varname>: Flags needed for
         loading data back from tape. Format is recognized
         automatically.</para>
 
         <para><varname>tape_size</varname>: This usually gives the raw
         storage capability of the tape. For security reason (we use
         hardware compression), the value is slightly lower than the
         actual value.</para>
 
         <para><varname>tape_address</varname>: The non-rewindable
         device to be used with <command>cpio</command>.</para>
 
         <para><varname>tape_address_rew</varname>: The rewindable device to be
         used with <command>cpio</command>.</para>
       </sect3>
 
       <sect3>
 	<title>Configuration Issues after Installation</title>
 
 	<para>The following <application>&sap;</application> parameters should be tuned after
 	  installation (examples for IDES 46B, 1&nbsp;GB memory):</para>
 
-	<informaltable frame="none">
+	<informaltable frame="none" pgwide="1">
 	  <tgroup cols="2">
 	    <thead>
 	      <row>
 		<entry>Name</entry>
 		<entry>Value</entry>
 	      </row>
 	    </thead>
 	    <tbody>
 	      <row>
 		<entry>ztta/roll_extension</entry>
 		<entry>250000000</entry>
 	      </row>
 	      <row>
 		<entry>abap/heap_area_dia</entry>
                 <entry>300000000</entry>
 	      </row>
 	      <row>
 		<entry>abap/heap_area_nondia</entry>
 		<entry>400000000</entry>
 	      </row>
 	      <row>
 		<entry>em/initial_size_MB</entry>
 		<entry>256</entry>
 	      </row>
 	      <row>
 		<entry>em/blocksize_kB</entry>
 		<entry>1024</entry>
 	      </row>
 	      <row>
 		<entry>ipc/shm_psize_40</entry>
 		<entry>70000000</entry>
 	      </row>
 	    </tbody>
 	  </tgroup>
 	</informaltable>
 
 	<para>&sap; Note 0013026:</para>
 
-	<informaltable frame="none">
+	<informaltable frame="none" pgwide="1">
 	  <tgroup cols="2">
 	    <thead>
 	      <row>
 		<entry>Name</entry>
 		<entry>Value</entry>
 	      </row>
 	    </thead>
 	    <tbody>
 	      <row>
 		<entry>ztta/dynpro_area</entry>
 		<entry>2500000</entry>
 	      </row>
 	    </tbody>
 	  </tgroup>
 	</informaltable>
 
 	<para>&sap; Note 0157246:</para>
 
-	<informaltable frame="none">
+	<informaltable frame="none" pgwide="1">
 	  <tgroup cols="2">
 	    <thead>
 	      <row>
 		<entry>Name</entry>
 		<entry>Value</entry>
 	      </row>
 	    </thead>
 	    <tbody>
 	      <row>
 		<entry>rdisp/ROLL_MAXFS</entry>
 		<entry>16000</entry>
 	      </row>
 	      <row>
 		<entry>rdisp/PG_MAXFS</entry>
 		<entry>30000</entry>
 	      </row>
 	    </tbody>
 	  </tgroup>
 	</informaltable>
 
 	<note>
 	  <para>With the above parameters, on a system with 1&nbsp;gigabyte
 	    of memory, one may find memory consumption similar to:</para>
 
 	  <programlisting>Mem: 547M Active, 305M Inact, 109M Wired, 40M Cache, 112M Buf, 3492K Free</programlisting>
 	</note>
       </sect3>
     </sect2>
 
     <sect2 id="problemsduringinstallation">
       <title>Problems during Installation</title>
 
       <sect3 id="restartr3setup">
 	<title>Restart <command>R3SETUP</command> after Fixing a Problem</title>
 
 	<para><command>R3SETUP</command> stops if it encounters an error. If you have
 	  looked at the corresponding logfiles and fixed the error,
 	  you have to start <command>R3SETUP</command> again, usually selecting REPEAT
 	  as option for the last step <command>R3SETUP</command> complained about.</para>
 
 	<para>To restart <command>R3SETUP</command>, just start it with the corresponding
 	  <filename>R3S</filename> file:</para>
 
 	  <screen>&prompt.root; <userinput>./R3SETUP -f CENTRDB.R3S</userinput></screen>
 
 	  <para>for 4.6B, or with</para>
 
 	  <screen>&prompt.root; <userinput>./R3SETUP -f CENTRAL.R3S</userinput></screen>
 
 	  <para>for 4.6C, no matter whether the error occurred
 	  with <filename>CENTRAL.R3S</filename> or
 	  <filename>DATABASE.R3S</filename>.</para>
 
 	<note><para>At some stages, <command>R3SETUP</command> assumes that both database
 	    and <application>&sap;</application> processes are up and running (as those were steps it
 	    already completed). Should errors occur and for example the 
 	    database could not be started, you have to start both database 
 	    and <application>&sap;</application> by hand after you fixed the errors and before starting 
 	    <command>R3SETUP</command> again.</para>
 	  <para>Do not forget to also start the <application>&oracle;</application> listener again (as 
 	    <username>ora<replaceable>sid</replaceable></username> with
 	    <command>umask 0; lsnrctl start</command>) if it was also
 	    stopped (for example due to a necessary reboot of the 
 	    system).</para>
 	</note>
       </sect3>
 
       <sect3 id="indoraduringduringr3setup">
         <title>OSUSERSIDADM_IND_ORA during <command>R3SETUP</command></title>
 
         <para>If <command>R3SETUP</command> complains at this stage, edit the
 	  template file <command>R3SETUP</command> used at that time
           (<filename>CENTRDB.R3S</filename> (4.6B) or either
 	  <filename>CENTRAL.R3S</filename> or
 	  <filename>DATABASE.R3S</filename> (4.6C)).
 	  Locate <literal>[OSUSERSIDADM_IND_ORA]</literal> or search for the
 	  only <literal>STATUS=ERROR</literal> entry
 	  and edit the following values:</para>
 
         <programlisting>HOME=/home/<replaceable>sid</replaceable>adm (was empty)
 STATUS=OK (had status ERROR)
         </programlisting>
 
         <para>Then you can restart <command>R3SETUP</command> again.</para>
       </sect3>
 
       <sect3 id="indoraduringr3setup">
         <title>OSUSERDBSID_IND_ORA during <command>R3SETUP</command></title>
 
         <para>Possibly <command>R3SETUP</command> also complains at this stage. The error
 	  here is similar to the one in phase OSUSERSIDADM_IND_ORA. 
 	  Just edit
 	  the template file <command>R3SETUP</command> used at that time
           (<filename>CENTRDB.R3S</filename> (4.6B) or either
 	  <filename>CENTRAL.R3S</filename> or
 	  <filename>DATABASE.R3S</filename> (4.6C)).
 	  Locate <literal>[OSUSERDBSID_IND_ORA]</literal> or search for the
 	  only <literal>STATUS=ERROR</literal> entry
 	  and edit the following value in that section:</para>
 
         <programlisting>STATUS=OK</programlisting>
 
         <para>Then restart <command>R3SETUP</command>.</para>
       </sect3>
 
       <sect3 id="oraviewvrffilenotfound">
         <title><errorname>oraview.vrf FILE NOT FOUND</errorname> during &oracle; Installation</title>
 
         <para>You have not deselected <emphasis>&oracle; On-Line Text Viewer</emphasis>
           before starting the installation. This is marked for installation even
           though this option is currently not available for Linux. Deselect this
           product inside the <application>&oracle;</application> installation menu and restart installation.</para>
       </sect3>
 
       <sect3 id="textenvincalid">
         <title><errorname>TEXTENV_INVALID</errorname> during <command>R3SETUP</command>, RFC or SAPgui Start</title>
 
         <para>If this error is encountered, the correct locale is
 	  missing.  &sap; Note 0171356 lists the necessary RPMs that need
 	  be installed (e.g. <filename>saplocales-1.0-3</filename>,
 	  <filename>saposcheck-1.0-1</filename> for RedHat 6.1). In case
 	  you ignored all the related errors and set the corresponding
 	  <literal>STATUS</literal> from <literal>ERROR</literal> to <literal>OK</literal> (in <filename>CENTRDB.R3S</filename>) every time <command>R3SETUP</command>
 	  complained and just restarted <command>R3SETUP</command>, the <application>&sap;</application> system will not
 	  be properly configured and you will then not be able to
 	  connect to the system with a
 	  <application>SAPgui</application>, even though the system
 	  can be started. Trying to connect with the old Linux
 	  <application>SAPgui</application> gave the following
 	  messages:</para>
 
         <programlisting>Sat May 5 14:23:14 2001
 *** ERROR => no valid userarea given [trgmsgo. 0401]
 Sat May 5 14:23:22 2001
 *** ERROR => ERROR NR 24 occured [trgmsgi. 0410]
 *** ERROR => Error when generating text environment. [trgmsgi. 0435]
 *** ERROR => function failed [trgmsgi. 0447]
 *** ERROR => no socket operation allowed [trxio.c 3363]
 Speicherzugriffsfehler</programlisting>
 
         <para>This behavior is due to <application>&sap.r3;</application> being unable to correctly
 	  assign a locale and also not being properly configured itself
 	  (missing entries in some database tables). To be able to connect
 	  to <application>&sap;</application>, add the following entries to file 
 	  <filename>DEFAULT.PFL</filename> (see Note 0043288):</para>
 
 	<programlisting>abap/set_etct_env_at_new_mode = 0
 install/collate/active = 0
 rscp/TCP0B = TCP0B</programlisting>
 
         <para>Restart the <application>&sap;</application> system. Now you can connect to the
           system, even though country-specific language settings might
           not work as expected.  After correcting country settings
           (and providing the correct locales), these entries can be
           removed from <filename>DEFAULT.PFL</filename> and the <application>&sap;</application>
 	  system can be restarted.</para>
 
       </sect3>
 
       <sect3 id="ora-00001">
 	<title><errorcode>ORA-00001</errorcode></title>
 	<para>This error only happened with 
 	  <application>&oracle; 8.1.7</application> on FreeBSD&nbsp;4.5.
 	  The reason was that the <application>&oracle;</application> database could not initialize itself
 	  properly and crashed, leaving semaphores and shared memory on the
 	  system. The next try to start the database then returned
 	  <errorcode>ORA-00001</errorcode>.</para>
 
 	<para>Find them with <command>ipcs -a</command> and remove them
 	  with <command>ipcrm</command>.</para>
       </sect3>
 
       <sect3 id="ora-00445pmon">
 	<title><errorcode>ORA-00445</errorcode> (Background Process PMON Did Not Start)</title>
 	<para>This error happened with <application>&oracle; 8.1.7</application>.
 	  This error is reported if the database is started with
 	  the usual <command>startsap</command> script (for example
 	  <command>startsap_majestix_00</command>) as user 
 	  <username>prdadm</username>.</para>
 
 	<para>A possible workaround is to start the database as user 
 	  <username>oraprd</username> instead
 	  with <command>svrmgrl</command>:</para>
 
 	<screen>&prompt.user; <userinput>svrmgrl</userinput>
 SVRMGR&gt; <userinput>connect internal;</userinput>
 SVRMGR&gt; <userinput>startup</userinput>;
 SVRMGR&gt; <userinput>exit</userinput></screen>
 
       </sect3>
 
       <sect3 id="ora-12546">
         <title><errorcode>ORA-12546</errorcode> (Start Listener with Correct Permissions)</title>
 
         <para>Start the <application>&oracle;</application> listener as user
           <username>oraids</username> with the following commands:</para>
 
         <screen>&prompt.root; <userinput>umask 0; lsnrctl start</userinput></screen>
 
         <para>Otherwise you might get <errorcode>ORA-12546</errorcode> as the sockets will not
           have the correct permissions. See &sap; Note 0072984.</para>
       </sect3>
 
       <sect3 id="ora-27102">
 	<title><errorcode>ORA-27102</errorcode> (Out of Memory)</title>
 
 	<para>This error happened whilst trying to use values for
 	  <literal>MAXDSIZ</literal> and <literal>DFLDSIZ</literal>
 	  greater than 1&nbsp;GB (1024x1024x1024). Additionally, we got 
 	  <errorname>Linux Error 12: Cannot allocate memory</errorname>.</para>
       </sect3>
 
       <sect3 id="dipgntabindind">
         <title>[DIPGNTAB_IND_IND] during <command>R3SETUP</command></title>
 
         <para>In general, see &sap; Note 0130581 (<command>R3SETUP</command> step 
 	  <literal>DIPGNTAB</literal> terminates).  During the
 	  IDES-specific installation, for some reasons the installation
 	  process was not using the proper <application>&sap;</application> system name <quote>IDS</quote>, but
 	  the empty string <literal>""</literal> instead. This lead to some minor problems
 	  with accessing directories, as the paths are generated
 	  dynamically using <replaceable>SID</replaceable> (in this case IDS).  So instead
 	  of accessing:</para>
 
         <programlisting>/usr/sap/IDS/SYS/...
 /usr/sap/IDS/DVMGS00</programlisting>
 
         <para>the following paths were used:</para>
 
         <programlisting>/usr/sap//SYS/...
 /usr/sap/D00</programlisting>
 
         <para>To continue with the installation, we created a link and an
           additional directory:</para>
 
         <screen>&prompt.root; <userinput>pwd</userinput>
 /compat/linux/usr/sap
 &prompt.root; <userinput>ls -l</userinput>
 total 4
 drwxr-xr-x 3  idsadm sapsys 512 May 5 11:20 D00
 drwxr-x--x 5  idsadm sapsys 512 May 5 11:35 IDS
 lrwxr-xr-x 1  root   sapsys 7 May 5 11:35 SYS -> IDS/SYS
 drwxrwxr-x 2  idsadm sapsys 512 May 5 13:00 tmp
 drwxrwxr-x 11 idsadm sapsys 512 May 4 14:20 trans</screen>
    
         <para>We also found &sap; Notes (0029227 and 0008401) describing
         this behavior. We did not encounter any of these problems with
 	the <application>&sap; 4.6C</application> installation.</para>
       </sect3>
 
       <sect3 id="rfcrswboiniindind">
         <title>[RFCRSWBOINI_IND_IND] during <command>R3SETUP</command></title>
 
 	<para>During installation of <application>&sap; 4.6C</application>,
           this error was just the result of another error happening
 	  earlier during installation. In this case, you have to look
 	  through the corresponding logfiles and correct the real
 	  problem.</para>
 
         <para>If after looking through the logfiles this error is
 	  indeed the correct one (check the &sap; Notes), you can set 
 	  <literal>STATUS</literal> of the offending step from <literal>ERROR</literal> to <literal>OK</literal> (file
 	  <filename>CENTRDB.R3S</filename>) and restart <command>R3SETUP</command>. After
 	  installation, you have to execute the report
 	  <literal>RSWBOINS</literal> from transaction SE38. See &sap;
 	  Note 0162266 for additional information about phase
 	  <literal>RFCRSWBOINI</literal> and
 	  <literal>RFCRADDBDIF</literal>.</para>
       </sect3>
 
       <sect3 id="rfcraddbdifindind">
         <title>[RFCRADDBDIF_IND_IND] during <command>R3SETUP</command></title>
 	<para>Here the same restrictions apply: make sure by looking
 	  through the logfiles, that this error is not caused by some
 	  previous problems.</para>
 
         <para>If you can confirm that &sap; Note 0162266 applies, just 
 	  set <literal>STATUS</literal> of the offending step from <literal>ERROR</literal> to <literal>OK</literal> (file
 	  <filename>CENTRDB.R3S</filename>) and restart <command>R3SETUP</command>. After
 	  installation, you have to execute the report
 	  <literal>RADDBDIF</literal> from transaction SE38.</para>
       </sect3>
 
       <sect3 id="sigactionsig31">
         <title><errorcode>sigaction sig31: File size limit exceeded</errorcode></title>
 
 	<para>This error occurred during start of <application>&sap;</application> processes
 	  <emphasis>disp+work</emphasis>. If starting <application>&sap;</application> with the
 	  <command>startsap</command> script, subprocesses are then started which
 	  detach and do the dirty work of starting all other <application>&sap;</application>
           processes. As a result, the script itself will not notice
 	  if something goes wrong.</para>
 
 	<para>To check whether the <application>&sap;</application> processes did start properly,
 	  have a look at the process status with 
 	  <command>ps ax | grep <replaceable>SID</replaceable></command>, which will give
 	  you a list of all <application>&oracle;</application> and <application>&sap;</application> processes. If it looks like
 	  some processes are missing or if you cannot connect to the <application>&sap;</application> system,
 	  look at the corresponding logfiles which can be found
 	  at <filename>/usr/sap/<replaceable>SID</replaceable>/DVEBMGS<replaceable>nr</replaceable>/work/</filename>.
 	  The files to look at are <filename>dev_ms</filename> and 
 	  <filename>dev_disp</filename>.</para>
 
 	<para>Signal 31 happens here if the amount of shared memory used by
 	  <application>&oracle;</application> and <application>&sap;</application> exceed the one defined within the kernel configuration
 	  file and could be resolved by using a larger value:</para>
 
         <programlisting># larger value for 46C production systems:
 options SHMMAXPGS=393216
 # smaller value sufficient for 46B:
 #options SHMMAXPGS=262144</programlisting>
 	  
       </sect3>
 
       <sect3 id="saposcolfails">
         <title>Start of <command>saposcol</command> Failed</title>
 	<para>There are some problems with the program <command>saposcol</command> (version 4.6D).
 	  The <application>&sap;</application> system is using <command>saposcol</command> to collect data about the 
 	  system performance. This program is not needed to use the <application>&sap;</application> system,
 	  so this problem can be considered a minor one. The older versions
 	  (4.6B) does work, but does not collect all the data (many calls will
 	  just return 0, for example for CPU usage).</para>
       </sect3>
     </sect2>
   </sect1>
 
   <sect1 id="linuxemu-advanced">
     <title>Advanced Topics</title>
 
     <para>If you are curious as to how the Linux binary compatibility
       works, this is the section you want to read.  Most of what follows
       is based heavily on an email written to &a.chat; by Terry Lambert
       <email>tlambert@primenet.com</email> (Message ID:
       <literal>&lt;199906020108.SAA07001@usr09.primenet.com&gt;</literal>).</para>
 
     <sect2>
       <title>How Does It Work?</title>
       <indexterm><primary>execution class loader</primary></indexterm>
 
       <para>FreeBSD has an abstraction called an <quote>execution class
 	loader</quote>.  This is a wedge into the &man.execve.2; system
 	call.</para>
 
       <para>What happens is that FreeBSD has a list of loaders, instead of
 	a single loader with a fallback to the <literal>#!</literal>
 	loader for running any shell interpreters or shell scripts.</para>
 
       <para>Historically, the only loader on the &unix; platform examined
 	the magic number (generally the first 4 or 8 bytes of the file) to
 	see if it was a binary known to the system, and if so, invoked the
 	binary loader.</para>
 
       <para>If it was not the binary type for the system, the
 	&man.execve.2; call returned a failure, and the shell attempted to
 	start executing it as shell commands.</para>
 
       <para>The assumption was a default of <quote>whatever the current
 	shell is</quote>.</para>
 
       <para>Later, a hack was made for &man.sh.1; to examine the first two
 	characters, and if they were <literal>:\n</literal>, then it
 	invoked the &man.csh.1; shell instead (we believe SCO first made
 	this hack).</para>
 
       <para>What FreeBSD does now is go through a list of loaders, with a
 	generic <literal>#!</literal> loader that knows about interpreters
 	as the characters which follow to the next whitespace next to
 	last, followed by a fallback to
 	<filename>/bin/sh</filename>.</para>
       <indexterm><primary>ELF</primary></indexterm>
 
       <para>For the Linux ABI support, FreeBSD sees the magic number as an
 	ELF binary (it makes no distinction between FreeBSD, &solaris;,
 	Linux, or any other OS which has an ELF image type, at this
 	point).</para>
       <indexterm><primary>Solaris</primary></indexterm>
 
       <para>The ELF loader looks for a specialized
 	<emphasis>brand</emphasis>, which is a comment section in the ELF
 	image, and which is not present on SVR4/&solaris; ELF
 	binaries.</para>
 
       <para>For Linux binaries to function, they must be
 	<emphasis>branded</emphasis> as type <literal>Linux</literal>
 	from &man.brandelf.1;:</para>
 
       <screen>&prompt.root; <userinput>brandelf -t Linux file</userinput></screen>
 
       <para>When this is done, the ELF loader will see the
 	<literal>Linux</literal> brand on the file.</para>
       <indexterm>
         <primary>ELF</primary>
 	<secondary>branding</secondary>
       </indexterm>
 
       <para>When the ELF loader sees the <literal>Linux</literal> brand,
 	the loader replaces a pointer in the <literal>proc</literal>
 	structure.  All system calls are indexed through this pointer (in
 	a traditional &unix; system, this would be the
 	<literal>sysent[]</literal> structure array, containing the system
 	calls).  In addition, the process is flagged for special handling of
 	the trap vector for the signal trampoline code, and several other
 	(minor) fix-ups that are handled by the Linux kernel
 	module.</para>
 
       <para>The Linux system call vector contains, among other things, a
 	list of <literal>sysent[]</literal> entries whose addresses reside
 	in the kernel module.</para>
 
       <para>When a system call is called by the Linux binary, the trap
 	code dereferences the system call function pointer off the
 	<literal>proc</literal> structure, and gets the Linux, not the
 	FreeBSD, system call entry points.</para>
 
       <para>In addition, the Linux mode dynamically
 	<emphasis>reroots</emphasis> lookups; this is, in effect, what the
 	<option>union</option> option to file system mounts
 	(<emphasis>not</emphasis> the <literal>unionfs</literal> file system type!) does.  First, an attempt
 	is made to lookup the file in the
 	<filename>/compat/linux/<replaceable>original-path</replaceable></filename>
 	directory, <emphasis>then</emphasis> only if that fails, the
 	lookup is done in the
 	<filename>/<replaceable>original-path</replaceable></filename>
 	directory.  This makes sure that binaries that require other
 	binaries can run (e.g., the Linux toolchain can all run under
 	Linux ABI support).  It also means that the Linux binaries can
 	load and execute FreeBSD binaries, if there are no corresponding
 	Linux binaries present, and that you could place a &man.uname.1;
 	command in the <filename>/compat/linux</filename> directory tree
 	to ensure that the Linux binaries could not tell they were not
 	running on Linux.</para>
 
       <para>In effect, there is a Linux kernel in the FreeBSD kernel; the
 	various underlying functions that implement all of the services
 	provided by the kernel are identical to both the FreeBSD system
 	call table entries, and the Linux system call table entries: file
 	system operations, virtual memory operations, signal delivery,
 	System V IPC, etc&hellip;  The only difference is that FreeBSD
 	binaries get the FreeBSD <emphasis>glue</emphasis> functions, and
 	Linux binaries get the Linux <emphasis>glue</emphasis> functions
 	(most older OS's only had their own <emphasis>glue</emphasis>
 	functions: addresses of functions in a static global
 	<literal>sysent[]</literal> structure array, instead of addresses
 	of functions dereferenced off a dynamically initialized pointer in
 	the <literal>proc</literal> structure of the process making the
 	call).</para>
 
       <para>Which one is the native FreeBSD ABI?  It does not matter.
 	Basically the only difference is that (currently; this could
 	easily be changed in a future release, and probably will be after
 	this) the FreeBSD <emphasis>glue</emphasis> functions are
 	statically linked into the kernel, and the Linux <emphasis>glue</emphasis> functions
 	can be statically linked, or they can be accessed via a kernel
 	module.</para>
 
       <para>Yeah, but is this really emulation?  No.  It is an ABI
 	implementation, not an emulation.  There is no emulator (or
 	simulator, to cut off the next question) involved.</para>
 
       <para>So why is it sometimes called <quote>Linux emulation</quote>?
 	To make it hard to sell FreeBSD!  Really, it
 	is because the historical implementation was done at a time when
 	there was really no word other than that to describe what was
 	going on; saying that FreeBSD ran Linux binaries was not true, if
 	you did not compile the code in or load a module, and there needed
 	to be a word to describe what was being loaded&mdash;hence
 	<quote>the Linux emulator</quote>.</para>
     </sect2>
   </sect1>
 </chapter>
 
 <!-- 
      Local Variables:
      mode: sgml
      sgml-declaration: "../chapter.decl"
      sgml-indent-data: t
      sgml-omittag: nil
      sgml-always-quote-attributes: t
      sgml-parent-document: ("../book.sgml" "part" "chapter")
      End:
 -->
 
diff --git a/en_US.ISO8859-1/books/handbook/mail/chapter.sgml b/en_US.ISO8859-1/books/handbook/mail/chapter.sgml
index d23caf576f..9bcfd58b57 100644
--- a/en_US.ISO8859-1/books/handbook/mail/chapter.sgml
+++ b/en_US.ISO8859-1/books/handbook/mail/chapter.sgml
@@ -1,2295 +1,2295 @@
 <!--
      The FreeBSD Documentation Project
 
      $FreeBSD$
 -->
 
 <chapter id="mail">
   <chapterinfo>
     <authorgroup>
       <author>
 	<firstname>Bill</firstname>
 	<surname>Lloyd</surname>
 	<contrib>Original work by </contrib>
       </author>
     </authorgroup>
     <authorgroup>
       <author>
 	<firstname>Jim</firstname>
 	<surname>Mock</surname>
 	<contrib>Rewritten by </contrib>
 	<!-- 2 Dec 1999 -->
       </author>
     </authorgroup>
   </chapterinfo>
 
   <title>Electronic Mail</title>
 
   <sect1 id="mail-synopsis">
     <title>Synopsis</title>
     <indexterm><primary>email</primary></indexterm>
     <indexterm><primary>electronic mail</primary></indexterm>
 
     <para><quote>Electronic Mail</quote>, better known as email, is one of the
       most widely used forms of communication today.  This chapter provides
       a basic introduction to running a mail server on &os;, as well as an
       introduction to sending and receiving email using &os;; however,
       it is not a complete reference and in fact many important
       considerations are omitted.  For more complete coverage of the
       subject, the reader is referred to the many excellent books listed
       in <xref linkend="bibliography">.</para>
 
     <para>After reading this chapter, you will know:</para>
 
     <itemizedlist>
       <listitem>
 	<para>What software components are involved in sending and receiving
 	  electronic mail.</para>
       </listitem>
 
       <listitem>
 	<para>Where basic <application>sendmail</application> configuration
 	  files are located in FreeBSD.</para>
       </listitem>
 
       <listitem>
         <para>The difference between remote and
 	  local mailboxes.</para>
       </listitem>
 
       <listitem>
 	<para>How to block spammers from illegally using your mail server as a
 	  relay.</para>
       </listitem>
 
       <listitem>
 	<para>How to install and configure an alternate Mail Transfer Agent on
 	  your system, replacing <application>sendmail</application>.</para>
       </listitem>
 
       <listitem>
 	<para>How to troubleshoot common mail server problems.</para>
       </listitem>
 
       <listitem>
 	<para>How to use SMTP with UUCP.</para>
       </listitem>
 
       <listitem>
 	<para>How to set up the system to send mail only.</para>
       </listitem>
 
       <listitem>
 	<para>How to use mail with a dialup connection.</para>
       </listitem>
 
       <listitem>
         <para>How to configure SMTP Authentication for added security.</para>
       </listitem>
 
       <listitem>
         <para>How to install and use a Mail User Agent, such as
 	  <application>mutt</application> to send and receive email.</para>
       </listitem>
 
       <listitem>
 
         <para>How to download your mail from a remote <acronym>POP</acronym>
 	  or <acronym>IMAP</acronym> server.</para>
       </listitem>
 
       <listitem>
         <para>How to automatically apply filters and rules to incoming
 	  email.</para>
       </listitem>
     </itemizedlist>
 
     <para>Before reading this chapter, you should:</para>
 
     <itemizedlist>
       <listitem>
 	<para>Properly set up your network connection
 	  (<xref linkend="advanced-networking">).</para>
       </listitem>
 
       <listitem>
 	<para>Properly set up the DNS information for your mail host
 	  (<xref linkend="network-servers">).</para>
       </listitem>
 
       <listitem>
 	<para>Know how to install additional third-party software
 	  (<xref linkend="ports">).</para></listitem>
     </itemizedlist>
   </sect1>
 
   <sect1 id="mail-using">
     <title>Using Electronic Mail</title>
     <indexterm><primary>POP</primary></indexterm>
     <indexterm><primary>IMAP</primary></indexterm>
     <indexterm><primary>DNS</primary></indexterm>
 
     <para>There are five major parts involved in an email exchange.  They
       are: <link linkend="mail-mua">the user program</link>, <link
       linkend="mail-mta">the server daemon</link>, <link
       linkend="mail-dns">DNS</link>, <link linkend="mail-receive">a
       remote or local mailbox</link>, and of course, <link linkend="mail-host">the
       mailhost itself</link>.</para>
 
     <sect2 id="mail-mua">
       <title>The User Program</title>
 
       <para>This includes command line programs such as
 	<application>mutt</application>,
 	<application>pine</application>, <application>elm</application>,
 	and <command>mail</command>, and <acronym>GUI</acronym> programs such as
 	<application>balsa</application>,
 	<application>xfmail</application> to name a few, and something
 	more <quote>sophisticated</quote> like a WWW browser.  These
 	programs simply pass off the email transactions to the local
 	<link linkend="mail-host"><quote>mailhost</quote></link>, either
 	by calling one of the <link linkend="mail-mta">server
 	daemons</link> available, or delivering it over <acronym>TCP</acronym>.</para>
 	</sect2>
 
     <sect2 id="mail-mta">
       <title>Mailhost Server Daemon</title>
       <indexterm>
         <primary>mail server daemons</primary>
         <secondary><application>sendmail</application></secondary>
       </indexterm>
       <indexterm>
         <primary>mail server daemons</primary>
         <secondary><application>postfix</application></secondary>
       </indexterm>
       <indexterm>
         <primary>mail server daemons</primary>
         <secondary><application>qmail</application></secondary>
       </indexterm>
       <indexterm>
         <primary>mail server daemons</primary>
         <secondary><application>exim</application></secondary>
       </indexterm>
 
       <para>&os; ships with <application>sendmail</application> by
 	default, but also support numerous other mail server daemons,
 	just some of which include:</para>
 
       <itemizedlist>
 	<listitem>
 	  <para><application>exim</application>;</para>
 	</listitem>
 
 	<listitem>
 	  <para><application>postfix</application>;</para>
 	</listitem>
 
 	<listitem>
 	  <para><application>qmail</application>.</para>
 	</listitem>
       </itemizedlist>
 
       <para>The server daemon usually has two functions&mdash;it is responsible
 	for receiving incoming mail as well as delivering outgoing mail.  It is
 	<emphasis>not</emphasis> responsible for the collection of mail using protocols
 	such as <acronym>POP</acronym> or <acronym>IMAP</acronym> to
 	read your email, nor does it allow connecting to local
 	<filename>mbox</filename> or Maildir mailboxes.  You may require
 	an additional <link linkend="mail-receive">daemon</link> for
 	that.</para>
 
       <warning>
 	<para>Older versions of <application>sendmail</application>
 	  have some serious security issues which may result in an
 	  attacker gaining local and/or remote access to your machine.
 	  Make sure that you are running a current version to avoid
 	  these problems.  Optionally, install an alternative
 	  <acronym>MTA</acronym> from the <link linkend="ports">&os;
 	  Ports Collection</link>.</para>
       </warning>
     </sect2>
 
     <sect2 id="mail-dns">
       <title>Email and DNS</title>
 
       <para>The Domain Name System (DNS) and its daemon
         <command>named</command> play a large role in the delivery of
 	email.  In order to deliver mail from your site to another, the
 	server daemon will look up the remote site in the DNS to determine the
 	host that will receive mail for the destination.  This process
 	also occurs when mail is sent from a remote host to your mail
 	server.</para>
 
       <indexterm>
 	<primary>MX record</primary>
       </indexterm>
 
       <para><acronym>DNS</acronym> is responsible for mapping
 	hostnames to IP addresses, as well as for storing information
 	specific to mail delivery, known as MX records.  The MX (Mail
 	eXchanger) record specifies which host, or hosts, will receive
 	mail for a particular domain.  If you do not have an MX record
 	for your hostname or domain, the mail will be delivered
 	directly to your host provided you have an A record pointing
 	your hostname to your IP address.</para>
 
       <para>You may view the MX records for any domain by using the
 	&man.host.1; command, as seen in the example below:</para>
 
       <screen>&prompt.user; <userinput>host -t mx FreeBSD.org</userinput>
 FreeBSD.org mail is handled (pri=10) by mx1.FreeBSD.org</screen>
     </sect2>
 
     <sect2 id="mail-receive">
       <title>Receiving Mail</title>
       <indexterm>
         <primary>email</primary>
         <secondary>receiving</secondary>
       </indexterm>
 
       <para>Receiving mail for your domain is done by the mail host.  It
 	will collect all mail sent to your domain and store it
 	either in <filename>mbox</filename> (the default method for storing mail) or Maildir format, depending
 	on your configuration.
 	Once mail has been stored, it may either be read locally using
 	applications such as &man.mail.1; or
 	<application>mutt</application>, or remotely accessed and
 	collected using protocols such as 
 	<acronym>POP</acronym> or <acronym>IMAP</acronym>.
 	This means that should you only
 	wish to read mail locally, you are not required to install a
 	<acronym>POP</acronym> or <acronym>IMAP</acronym> server.</para>
 
       <sect3 id="pop-and-imap">
         <title>Accessing remote mailboxes using <acronym>POP</acronym> and <acronym>IMAP</acronym></title>
 
         <indexterm><primary>POP</primary></indexterm>
         <indexterm><primary>IMAP</primary></indexterm>
 	<para>In order to access mailboxes remotely, you are required to
 	  have access to a <acronym>POP</acronym> or <acronym>IMAP</acronym>
 	  server.  These protocols allow users to connect to their mailboxes from
 	  remote locations with ease.  Though both
 	  <acronym>POP</acronym> and <acronym>IMAP</acronym> allow users
 	  to remotely access mailboxes, <acronym>IMAP</acronym> offers
 	  many advantages, some of which are:</para>
 
         <itemizedlist>
           <listitem>
 	    <para><acronym>IMAP</acronym> can store messages on a remote
 	      server as well as fetch them.</para>
           </listitem>
 
           <listitem>
 	    <para><acronym>IMAP</acronym> supports concurrent updates.</para>
           </listitem>
 
           <listitem>
 	    <para><acronym>IMAP</acronym> can be extremely useful over
 	      low-speed links as it allows users to fetch the structure
 	      of messages without downloading them; it can also
 	      perform tasks such as searching on the server in
 	      order to minimize data transfer between clients and
 	      servers.</para>
           </listitem>
 
         </itemizedlist>
 
         <para>In order to install a <acronym>POP</acronym> or
 	  <acronym>IMAP</acronym> server, the following steps should be
 	  performed:</para>
 
         <procedure>
 	  <step>
 	    <para>Choose an <acronym>IMAP</acronym> or
 	      <acronym>POP</acronym> server that best suits your needs.
 	      The following <acronym>POP</acronym> and
 	      <acronym>IMAP</acronym> servers are well known and serve
 	      as some good examples:</para>
 
 	      <itemizedlist>
 	        <listitem>
 		  <para><application>qpopper</application>;</para>
 	        </listitem>
 
 	        <listitem>
 		  <para><application>teapop</application>;</para>
 	        </listitem>
 
 	        <listitem>
 		  <para><application>imap-uw</application>;</para>
 	        </listitem>
 
 	        <listitem>
 		  <para><application>courier-imap</application>;</para>
 	        </listitem>
 	      </itemizedlist>
 
 	  </step>
 
           <step>
 	    <para>Install the <acronym>POP</acronym> or
 	      <acronym>IMAP</acronym> daemon of your choosing from the
 	      ports
 	      collection.</para>
 	  </step>
 
 	  <step>
 	    <para>Where required, modify <filename>/etc/inetd.conf</filename>
 	      to load the <acronym>POP</acronym> or
 	      <acronym>IMAP</acronym> server.</para>
 	  </step>
         </procedure>
 
 	<warning>
 	  <para>It should be noted that both <acronym>POP</acronym> and
 	    <acronym>IMAP</acronym> transmit information, including
 	    username and password credentials in clear-text.  This means
 	    that if you wish to secure the transmission of information
 	    across these protocols, you should consider tunneling
 	    sessions over &man.ssh.1;.  Tunneling sessions is
 	    described in <xref linkend="security-ssh-tunneling">.</para>
         </warning>
       </sect3>
 
       <sect3 id="local">
         <title>Accessing local mailboxes</title>
 
 	<para>Mailboxes may be accessed locally by directly utilizing
 	  <acronym>MUA</acronym>s on the server on which the mailbox
 	  resides.  This can be done using applications such as
 	  <application>mutt</application> or &man.mail.1;.
 	</para>
       </sect3>
     </sect2>
 
     <sect2 id="mail-host">
       <title>The Mail Host</title>
       <indexterm><primary>mail host</primary></indexterm>
 
       <para>The mail host is the name given to a server that is
         responsible for delivering and receiving mail for your host, and
 	possibly your network.</para>
     </sect2>
   </sect1>
 
   <sect1 id="sendmail">
     <sect1info>
       <authorgroup>
         <author>
           <firstname>Christopher</firstname>
           <surname>Shumway</surname>
           <contrib>Contributed by </contrib>
         </author>
       </authorgroup>
     </sect1info>
     <title><application>sendmail</application> Configuration</title>
 
     <indexterm>
       <primary><application>sendmail</application></primary>
     </indexterm>
 
     <para>&man.sendmail.8; is the default Mail Transfer Agent (MTA) in
       FreeBSD.  <application>sendmail</application>'s job is to accept
       mail from Mail User Agents (<acronym>MUA</acronym>) and deliver it
       to the appropriate mailer as defined by its configuration file.
       <application>sendmail</application> can also accept network
       connections and deliver mail to local mailboxes or deliver it to
       another program.</para>
 
     <para><application>sendmail</application> uses the following
       configuration files:</para>
 
     <indexterm>
       <primary><filename>/etc/mail/access</filename></primary>
     </indexterm>
     <indexterm>
       <primary><filename>/etc/mail/aliases</filename></primary>
     </indexterm>
     <indexterm>
       <primary><filename>/etc/mail/local-host-names</filename></primary>
     </indexterm>
     <indexterm>
       <primary><filename>/etc/mail/mailer.conf</filename></primary>
     </indexterm>
     <indexterm>
       <primary><filename>/etc/mail/mailertable</filename></primary>
     </indexterm>
     <indexterm>
       <primary><filename>/etc/mail/sendmail.cf</filename></primary>
     </indexterm>
     <indexterm>
       <primary><filename>/etc/mail/virtusertable</filename></primary>
     </indexterm>
-    <informaltable frame="none">
+    <informaltable frame="none" pgwide="1">
       <tgroup cols="2">
 	<thead>
 	  <row>
 	    <entry>Filename</entry>
 	    <entry>Function</entry>
 	  </row>
 	</thead>
 	<tbody>
 	  <row>
 	    <entry>
 	      <filename>/etc/mail/access</filename>
 	    </entry>
 	    <entry><application>sendmail</application> access database
  	      file</entry>
 	  </row>
 	  <row>
 	    <entry>
 	      <filename>/etc/mail/aliases</filename>
 	    </entry>
 	    <entry>Mailbox aliases</entry>
 	  </row>
 	  <row>
 	    <entry>
 	      <filename>/etc/mail/local-host-names</filename>
 	    </entry>
 	    <entry>Lists of hosts <application>sendmail</application>
 	    accepts mail for</entry>
     </row>
 	  <row>
 	    <entry>
 	      <filename>/etc/mail/mailer.conf</filename>
 	    </entry>
 	    <entry>Mailer program configuration</entry>
 	  </row>
 	  <row>
 	    <entry>
 	      <filename>/etc/mail/mailertable</filename>
 	    </entry>
 	    <entry>Mailer delivery table</entry>
 	  </row>
 	  <row>
 	    <entry>
 	      <filename>/etc/mail/sendmail.cf</filename>
 	    </entry>
 	    <entry><application>sendmail</application> master
 	    configuration file</entry>
 	  </row>
 	  <row>
 	    <entry>
 	      <filename>/etc/mail/virtusertable</filename>
 	    </entry>
 	    <entry>Virtual users and domain tables</entry>
 	  </row>
 	</tbody>
       </tgroup>
     </informaltable>
 
   <sect2>
     <title><filename>/etc/mail/access</filename></title>
 
     <para>The access database defines what host(s) or IP addresses
       have access to the local mail server and what kind of access
       they have.  Hosts can be listed as <option>OK</option>,
       <option>REJECT</option>, <option>RELAY</option> or simply passed
       to <application>sendmail</application>'s error handling routine with a given mailer error.
       Hosts that are listed as <option>OK</option>, which is the
       default, are allowed to send mail to this host as long as the
       mail's final destination is the local machine.  Hosts that are
       listed as <option>REJECT</option> are rejected for all mail
       connections.  Hosts that have the <option>RELAY</option> option
       for their hostname are allowed to send mail for any destination
       through this mail server.</para>
 
       <example>
 	<title>Configuring the <application>sendmail</application>
   	  Access Database</title>
 
     <programlisting>cyberspammer.com                550 We don't accept mail from spammers
 FREE.STEALTH.MAILER@            550 We don't accept mail from spammers
 another.source.of.spam          REJECT
 okay.cyberspammer.com           OK
 128.32                          RELAY</programlisting>
       </example>
 
    <para>In this example we have five entries.  Mail senders that
      match the left hand side of the table are affected by the action
      on the right side of the table.  The first two examples give an
      error code to <application>sendmail</application>'s error
      handling routine.  The message is printed to the remote host when
      a mail matches the left hand side of the table.  The next entry
      rejects mail from a specific host on the Internet,
      <hostid>another.source.of.spam</hostid>.  The next entry accepts
      mail connections from a host
      <hostid role="fqdn">okay.cyberspammer.com</hostid>, which is more exact than
      the <hostid role="domainname">cyberspammer.com</hostid> line above.  More specific
      matches override less exact matches.  The last entry allows
      relaying of electronic mail from hosts with an IP address that
      begins with <hostid>128.32</hostid>.  These hosts would be able
      to send mail through this mail server that are destined for other
      mail servers.</para>
 
    <para>When this file is updated, you need to run
      <command>make</command> in <filename>/etc/mail/</filename> to
      update the database.</para>
 
    </sect2>
    <sect2>
     <title><filename>/etc/mail/aliases</filename></title>
 
     <para>The aliases database contains a list of virtual mailboxes
       that are expanded to other user(s), files, programs or other
       aliases.  Here are a few examples that can be used in
       <filename>/etc/mail/aliases</filename>:</para>
 
       <example>
 	<title>Mail Aliases</title>
     <programlisting>root: localuser
 ftp-bugs: joe,eric,paul
 bit.bucket:  /dev/null
 procmail: "|/usr/local/bin/procmail"</programlisting>
       </example>
 
       <para>The file format is simple; the mailbox name on the left
 	side of	the colon is expanded to the target(s) on the right.
 	The
 	first example simply expands the mailbox <username>root</username>
 	to the mailbox <username>localuser</username>, which is then
 	looked up again in the aliases database.  If no match is found,
 	then the message is delivered to the local user
 	<username>localuser</username>.  The next example shows a mail
 	list.  Mail to the mailbox <username>ftp-bugs</username> is
 	expanded to the three local mailboxes <username>joe</username>,
 	<username>eric</username>, and <username>paul</username>.  Note
 	that a remote mailbox could be specified as <literal>user@example.com</literal>.  The
 	next example shows writing mail to a file, in this case
 	<filename>/dev/null</filename>.  The last example shows sending
 	mail to a program, in this case the mail message is written to the
 	standard input of <filename>/usr/local/bin/procmail</filename>
 	through a &unix; pipe.</para>
 
    <para>When this file is updated, you need to run
    <command>make</command> in <filename>/etc/mail/</filename> to
    update the database.</para>
   </sect2>
   <sect2>
     <title><filename>/etc/mail/local-host-names</filename></title>
 
     <para>This is a list of hostnames &man.sendmail.8; is to accept as
       the local host name.  Place any domains or hosts that
       <application>sendmail</application> is to be receiving mail for.
       For example, if this mail server was to accept mail for the
       domain <hostid role="domainname">example.com</hostid> and the host
       <hostid role="fqdn">mail.example.com</hostid>, its
       <filename>local-host-names</filename> might look something like
       this:</para>
 
     <programlisting>example.com
 mail.example.com</programlisting>
 
     <para>When this file is updated, &man.sendmail.8; needs to be
     restarted to read the changes.</para>
 
   </sect2>
 
   <sect2>
     <title><filename>/etc/mail/sendmail.cf</filename></title>
 
     <para><application>sendmail</application>'s master configuration
       file, <filename>sendmail.cf</filename> controls the overall
       behavior of <application>sendmail</application>, including everything
       from rewriting e-mail addresses to printing rejection messages to
       remote mail servers.  Naturally, with such a diverse role, this
       configuration file is quite complex and its details are a bit
       out of the scope of this section.  Fortunately, this file rarely
       needs to be changed for standard mail servers.</para>
 
     <para>The master <application>sendmail</application> configuration
       file can be built from &man.m4.1; macros that define the features
       and behavior of <application>sendmail</application>.  Please see
       <filename>/usr/src/contrib/sendmail/cf/README</filename> for
       some of the details.</para>
 
     <para>When changes to this file are made,
       <application>sendmail</application> needs to be restarted for
       the changes to take effect.</para>
 
   </sect2>
   <sect2>
     <title><filename>/etc/mail/virtusertable</filename></title>
 
     <para>The <filename>virtusertable</filename> maps mail addresses for
       virtual domains and
       mailboxes to real mailboxes.  These mailboxes can be local,
       remote, aliases defined in
       <filename>/etc/mail/aliases</filename> or files.</para>
 
     <example>
 	<title>Example Virtual Domain Mail Map</title>
 
     <programlisting>root@example.com                root
 postmaster@example.com          postmaster@noc.example.net
 @example.com                    joe</programlisting>
       </example>
 
     <para>In the above example, we have a mapping for a domain
       <hostid role="domainname">example.com</hostid>.  This file is processed in a
       first match order down the file.  The first item maps
       <literal>root@example.com</literal> to the local mailbox <username>root</username>.  The next entry maps
       <literal>postmaster@example.com</literal> to the mailbox <username>postmaster</username> on the host
       <hostid role="fqdn">noc.example.net</hostid>.  Finally, if nothing from <hostid role="domainname">example.com</hostid> has
       matched so far, it will match the last mapping, which matches
       every other mail message addressed to someone at
       <hostid role="domainname">example.com</hostid>.
       This will be mapped to the local mailbox <username>joe</username>.</para>
 
   </sect2>
   </sect1>
 
   <sect1 id="mail-changingmta">
     <sect1info>
       <authorgroup>
         <author>
           <firstname>Andrew</firstname>
           <surname>Boothman</surname>
           <contrib>Written by </contrib>
         </author>
       </authorgroup>
       <authorgroup>
         <author>
           <firstname>Gregory</firstname>
           <surname>Neil Shapiro</surname>
           <contrib>Information taken from e-mails written by </contrib>
         </author>
       </authorgroup>
     </sect1info>
     <title>Changing Your Mail Transfer Agent</title>
     <indexterm>
       <primary>email</primary>
       <secondary>change mta</secondary>
     </indexterm>
 
     <para>As already mentioned, FreeBSD comes with
       <application>sendmail</application> already installed as your
       MTA (Mail Transfer Agent).  Therefore by default it is
       in charge of your outgoing and incoming mail.</para>
 
     <para>However, for a variety of reasons, some system
       administrators want to change their system's MTA.  These
       reasons range from simply wanting to try out another MTA to
       needing a specific feature or package which relies on another
       mailer.  Fortunately, whatever the reason, FreeBSD makes it
       easy to make the change.</para>
 
     <sect2>
       <title>Install a New MTA</title>
 
       <para>You have a wide choice of MTAs available.  A good
 	starting point is the
 	<link linkend="ports">FreeBSD Ports Collection</link> where
 	you will be able to find many.  Of course you are free to use
 	any MTA you want from any location, as long as you can make
 	it run under FreeBSD.</para>
 
       <para>Start by installing your new MTA.  Once it is installed
 	it gives you a chance to decide if it really fulfills your
 	needs, and also gives you the opportunity to configure your
 	new software before getting it to take over from
 	<application>sendmail</application>.  When doing this, you
 	should be sure that installing the new software will not attempt
 	to overwrite system binaries such as
 	<filename>/usr/bin/sendmail</filename>.  Otherwise, your new
 	mail software has essentially been put into service before
 	you have configured it.</para>
 
       <para>Please refer to your chosen MTA's documentation for
 	information on how to configure the software you have
 	chosen.</para>
     </sect2>
 
     <sect2>
       <title>Disable <application>sendmail</application></title>
 
       <para>The procedure used to start
 	<application>sendmail</application> changed significantly
 	between 4.5-RELEASE and 4.6-RELEASE.  Therefore, the procedure
 	used to disable it is subtly different.</para>
 
       <sect3>
 	<title>FreeBSD 4.5-STABLE before 2002/4/4 and Earlier
 	  (Including 4.5-RELEASE and Earlier)</title>
 
 	<para>Enter:</para>
 
 	  <programlisting>sendmail_enable="NO"</programlisting>
 
 	  <para>into <filename>/etc/rc.conf</filename>.  This will disable
 	  <application>sendmail</application>'s incoming mail service,
 	  but if <filename>/etc/mail/mailer.conf</filename> (see below)
 	  is not changed, <application>sendmail</application> will
 	  still be used to send e-mail.</para>
       </sect3>
 
       <sect3>
 	<title>FreeBSD 4.5-STABLE after 2002/4/4
 	  (Including 4.6-RELEASE and Later)</title>
 
 	<para>In order to completely disable
 	  <application>sendmail</application> you must use</para>
 
 	  <programlisting>sendmail_enable="NONE"</programlisting>
 
 	  <para>in <filename>/etc/rc.conf.</filename></para>
 
 	<warning>
 	  <para>If you disable <application>sendmail</application>'s
 	    outgoing mail service in this way, it is important that you
 	    replace it with a fully working alternative mail delivery
 	    system.  If you choose not to, system functions such as
 	    &man.periodic.8; will be unable to deliver their results by
 	    e-mail as they would normally expect to.  Many parts of your
 	    system may expect to have a functional
 	    <application>sendmail</application>-compatible system.  If
 	    applications continue to use
 	    <application>sendmail</application>'s binaries to try to send
 	    e-mail after you have disabled them, mail could go into an
 	    inactive <application>sendmail</application> queue, and never be delivered.</para>
 	</warning>
 
 	<para>If you only want to disable
 	  <application>sendmail</application>'s incoming mail service,
 	  you should set</para>
 
 	  <programlisting>sendmail_enable="NO"</programlisting>
 
 	<para>in <filename>/etc/rc.conf</filename>.  More information on
 	  <application>sendmail</application>'s startup options is
 	  available from the &man.rc.sendmail.8; manual page.</para>
       </sect3>
     </sect2>
 
     <sect2>
       <title>Running Your New MTA on Boot</title>
 
       <para>You may have a choice of two methods for running your
 	new MTA on boot, again depending on what version of FreeBSD
 	you are running.</para>
 
       <sect3>
 	<title>FreeBSD 4.5-STABLE before 2002/4/11
 	  (Including 4.5-RELEASE and Earlier)</title>
 
 	<para>Add a script to
 	  <filename>/usr/local/etc/rc.d/</filename> that
 	  ends in <filename>.sh</filename> and is executable by
 	  <username>root</username>.  The script should accept <literal>start</literal> and
 	  <literal>stop</literal> parameters.  At startup time the
 	  system scripts will execute the command</para>
 
 	<programlisting>/usr/local/etc/rc.d/supermailer.sh start</programlisting>
 
 	<para>which you can also use to manually start the server.  At
 	  shutdown time, the system scripts will use the
 	  <literal>stop</literal> option, running the command</para>
 
 	<programlisting>/usr/local/etc/rc.d/supermailer.sh stop</programlisting>
 
 	<para>which you can also use to manually stop the server
 	  while the system is running.</para>
 
       </sect3>
 
       <sect3>
 	<title>FreeBSD 4.5-STABLE after 2002/4/11
 	  (Including 4.6-RELEASE and Later)</title>
 
 	<para>With later versions of FreeBSD, you can use the
 	  above method or you can set</para>
 
 	<programlisting>mta_start_script="filename"</programlisting>
 
 	<para>in <filename>/etc/rc.conf</filename>, where
 	  <replaceable>filename</replaceable> is the name of some
 	  script that you want executed at boot to start your
 	  MTA.</para>
       </sect3>
 
     </sect2>
 
     <sect2>
       <title>Replacing <application>sendmail</application> as
        the System's Default Mailer</title>
 
       <para>The program <application>sendmail</application> is so ubiquitous
 	as standard software on &unix; systems that some software
 	just assumes it is already installed and configured.
 	For this reason, many alternative MTA's provide their own compatible
 	implementations of the <application>sendmail</application>
 	command-line interface; this facilitates using them as
 	<quote>drop-in</quote> replacements for <application>sendmail</application>.</para>
 
       <para>Therefore, if you are using an alternative mailer,
 	you will need to make sure that software trying to execute
 	standard <application>sendmail</application> binaries such as
 	<filename>/usr/bin/sendmail</filename> actually executes
 	your chosen mailer instead.  Fortunately, FreeBSD provides
 	a system called &man.mailwrapper.8; that does this job for
 	you.</para>
 
       <para>When <application>sendmail</application> is operating as installed, you will
 	find something like the following
 	in <filename>/etc/mail/mailer.conf</filename>:</para>
 
 <programlisting>sendmail	 /usr/libexec/sendmail/sendmail
 send-mail	/usr/libexec/sendmail/sendmail
 mailq		/usr/libexec/sendmail/sendmail
 newaliases	/usr/libexec/sendmail/sendmail
 hoststat	/usr/libexec/sendmail/sendmail
 purgestat	/usr/libexec/sendmail/sendmail</programlisting>
 
       <para>This means that when any of these common commands
 	(such as <filename>sendmail</filename> itself) are run,
 	the system actually invokes a copy of mailwrapper named <filename>sendmail</filename>, which
 	checks <filename>mailer.conf</filename> and
 	executes <filename>/usr/libexec/sendmail/sendmail</filename>
 	instead.  This system makes it easy to change what binaries
 	are actually executed when these default <filename>sendmail</filename> functions
 	are invoked.</para>
 
       <para>Therefore if you wanted
 	<filename>/usr/local/supermailer/bin/sendmail-compat</filename>
 	to be run instead of <application>sendmail</application>, you could change
 	<filename>/etc/mail/mailer.conf</filename> to read:</para>
 
 <programlisting>sendmail	 /usr/local/supermailer/bin/sendmail-compat
 send-mail	/usr/local/supermailer/bin/sendmail-compat
 mailq		/usr/local/supermailer/bin/mailq-compat
 newaliases	/usr/local/supermailer/bin/newaliases-compat
 hoststat	/usr/local/supermailer/bin/hoststat-compat
 purgestat	/usr/local/supermailer/bin/purgestat-compat</programlisting>
 
 	</sect2>
 
 	<sect2>
 	  <title>Finishing</title>
 
 	<para>Once you have everything configured the way you want it, you should
 	  either kill the <application>sendmail</application> processes that
 	  you no longer need and start the processes belonging to your new
 	  software, or simply reboot.  Rebooting will also
 	  give you the opportunity to ensure that you have correctly
 	  configured your system to start your new MTA automatically on boot.</para>
 
       </sect2>
     </sect1>
 
   <sect1 id="mail-trouble">
     <title>Troubleshooting</title>
     <indexterm>
       <primary>email</primary>
       <secondary>troubleshooting</secondary>
     </indexterm>
 
     <qandaset>
       <qandaentry>
         <question>
 	<para>Why do I have to use the FQDN for hosts on my site?</para>
 	</question>
 
 	<answer>
 	<para>You will probably find that the host is actually in a
 	  different domain; for example, if you are in
 	  <hostid role="fqdn">foo.bar.edu</hostid> and you wish to reach
 	  a host called <hostid>mumble</hostid> in the <hostid
 	  role="domainname">bar.edu</hostid> domain, you will have to
 	  refer to it by the fully-qualified domain name, <hostid
 	  role="fqdn">mumble.bar.edu</hostid>, instead of just
 	  <hostid>mumble</hostid>.</para>
 
 	<indexterm><primary>BIND</primary></indexterm>
 	<para>Traditionally, this was allowed by BSD BIND resolvers.
 	  However the current version of <application>BIND</application>
 	  that ships with FreeBSD no longer provides default abbreviations
 	  for non-fully qualified domain names other than the domain you
 	  are in. So an unqualified host <hostid>mumble</hostid> must
 	  either be found as <hostid
 	  role="fqdn">mumble.foo.bar.edu</hostid>, or it will be searched
 	  for in the root domain.</para>
 
         <para>This is different from the previous behavior, where the
 	  search continued across <hostid
 	  role="domainname">mumble.bar.edu</hostid>, and <hostid
 	  role="domainname">mumble.edu</hostid>. Have a look at RFC 1535
 	  for why this was considered bad practice, or even a security
 	  hole.</para>
 
         <para>As a good workaround, you can place the line:
 
           <programlisting>search foo.bar.edu bar.edu</programlisting>
 
           instead of the previous:
 
           <programlisting>domain foo.bar.edu</programlisting>
 
           into your <filename>/etc/resolv.conf</filename>.  However, make
 	  sure that the search order does not go beyond the
 	  <quote>boundary between local and public administration</quote>,
 	  as RFC 1535 calls it.</para>
 	</answer>
       </qandaentry>
 
       <indexterm>
 	<primary>MX record</primary>
       </indexterm>
 
       <qandaentry>
 	<question>
 	<para><application>sendmail</application> says <errorname>mail
 	  loops back to myself</errorname></para>
 	</question>
 
 	<answer>
 	<para>This is answered in the
 	<application>sendmail</application> FAQ as follows:</para>
 
         <programlisting>I'm getting these error messages:
 
 553 MX list for domain.net points back to relay.domain.net
 554 &lt;user@domain.net&gt;... Local configuration error
 
 How can I solve this problem?
 
 You have asked mail to the domain (e.g., domain.net) to be
 forwarded to a specific host (in this case, relay.domain.net)
 by using an MX record, but the relay machine does not recognize
 itself as domain.net. Add domain.net to /etc/mail/local-host-names
 [known as /etc/sendmail.cw prior to version 8.10]
 (if you are using FEATURE(use_cw_file)) or add <quote>Cw domain.net</quote>
 to /etc/mail/sendmail.cf.</programlisting>
 
         <para>The <application>sendmail</application> FAQ can be found at
 	  <ulink url="http://www.sendmail.org/faq/"></ulink> and is
 	  recommended reading if you want to do any
 	  <quote>tweaking</quote> of your mail setup.</para>
 	</answer>
       </qandaentry>
 
       <indexterm><primary>PPP</primary></indexterm>
       <qandaentry>
         <question>
 	<para>How can I run a mail server on a dial-up PPP host?</para>
 	</question>
 
 	<answer>
 	<para>You want to connect a FreeBSD box on a LAN to the
 	  Internet.  The FreeBSD box will be a mail gateway for the LAN.
 	  The PPP connection is non-dedicated.</para>
 
 	<indexterm><primary>UUCP</primary></indexterm>
 	<indexterm>
 	  <primary>MX record</primary>
 	</indexterm>
 
 	<para>There are at least two ways to do this.  One way is to use
 	  UUCP.</para>
 
 	<para>Another way is to get a full-time Internet server to provide secondary MX
 	  services for your domain.  For example, if your company's domain is
 	  <hostid role="domainname">example.com</hostid> and your Internet service provider has
 	  set <hostid role="domainname">example.net</hostid> up to provide secondary MX services
 	  to your domain:</para>
 
 	<programlisting>example.com.          MX        10      example.com.
                       MX        20      example.net.</programlisting>
 
 	<para>Only one host should be specified as the final recipient
 	  (add <literal>Cw example.com</literal> in
 	  <filename>/etc/mail/sendmail.cf</filename> on <hostid role="domainname">example.com</hostid>).</para>
 
 	<para>When the sending <command>sendmail</command> is trying to
 	  deliver the mail it will try to connect to you (<hostid role="domainname">example.com</hostid>) over the modem
 	  link.  It will most likely time out because you are not online.
 	  The program <application>sendmail</application> will automatically deliver it to the
 	  secondary MX site, i.e. your Internet provider (<hostid role="domainname">example.net</hostid>).  The secondary MX
 	  site will then periodically try to connect to
 	  your host and deliver the mail to the primary MX host (<hostid role="domainname">example.com</hostid>).</para>
 
 	<para>You might want to use something like this as a login
 	  script:</para>
 
 	<programlisting>#!/bin/sh
 # Put me in /usr/local/bin/pppmyisp
 ( sleep 60 ; /usr/sbin/sendmail -q ) &amp;
 /usr/sbin/ppp -direct pppmyisp</programlisting>
 
 	<para>If you are going to create a separate login script for a
 	  user you could use <command>sendmail -qRexample.com</command>
 	  instead in the script above. This will force all mail in your
 	  queue for <hostid role="domainname">example.com</hostid> to be processed immediately.</para>
 
 	<para>A further refinement of the situation is as follows:</para>
 
 	<para>Message stolen from the &a.isp;.</para>
 
 	<programlisting>&gt; we provide the secondary MX for a customer. The customer connects to
 &gt; our services several times a day automatically to get the mails to
 &gt; his primary MX (We do not call his site when a mail for his domains
 &gt; arrived). Our sendmail sends the mailqueue every 30 minutes. At the
 &gt; moment he has to stay 30 minutes online to be sure that all mail is
 &gt; gone to the primary MX.
 &gt;
 &gt; Is there a command that would initiate sendmail to send all the mails
 &gt; now? The user has not root-privileges on our machine of course.
 
 In the <quote>privacy flags</quote> section of sendmail.cf, there is a
 definition Opgoaway,restrictqrun
 
 Remove restrictqrun to allow non-root users to start the queue processing.
 You might also like to rearrange the MXs. We are the 1st MX for our
 customers like this, and we have defined:
 
 # If we are the best MX for a host, try directly instead of generating
 # local config error.
 OwTrue
 
 That way a remote site will deliver straight to you, without trying
 the customer connection.  You then send to your customer.  Only works for
 <quote>hosts</quote>, so you need to get your customer to name their mail
 machine <quote>customer.com</quote> as well as
 <quote>hostname.customer.com</quote> in the DNS.  Just put an A record in
 the DNS for <quote>customer.com</quote>.</programlisting>
         </answer>
       </qandaentry>
 
       <qandaentry>
         <question>
 	  <para>Why do I keep getting <errorname>Relaying
 	    Denied</errorname> errors when sending mail from other
 	    hosts?</para>
 	</question>
 
 	<answer>
 	  <para>In default FreeBSD installations,
  	    <application>sendmail</application> is configured to only
  	    send mail from the host it is running on.  For example, if
 	    a <acronym>POP</acronym> server is available, then users
 	    will be able to check mail from school, work, or other
 	    remote locations but they still will not be able to send
 	    outgoing emails from outside locations.  Typically, a few
 	    moments after the attempt, an email will be sent from
 	    <application>MAILER-DAEMON</application> with a
 	    <errorname>5.7 Relaying Denied</errorname> error
 	    message.</para>
 
 	  <para>There are several ways to get around this.  The most
  	    straightforward solution is to put your ISP's address in
  	    a relay-domains file at
  	    <filename>/etc/mail/relay-domains</filename>.  A quick way
  	    to do this would be:</para>
 
 	  <screen>&prompt.root; <userinput>echo "your.isp.example.com" &gt; /etc/mail/relay-domains</userinput></screen>
 
 	  <para>After creating or editing this file you must restart
   	    <application>sendmail</application>.  This works great if
   	    you are a server administrator and do not wish to send mail
   	    locally, or would like to use a point and click
   	    client/system on another machine or even another ISP.  It
   	    is also very useful if you only have one or two email
   	    accounts set up.  If there is a large number of addresses
   	    to add, you can simply open this file in your favorite
   	    text editor and then add the domains, one per line:</para>
 
 	  <programlisting>your.isp.example.com
 other.isp.example.net
 users-isp.example.org
 www.example.org</programlisting>
 
 	  <para>Now any mail sent through your system, by any host in
 	    this list (provided the user has an account on your
 	    system), will succeed.  This is a very nice way to allow
 	    users to send mail from your system remotely without
 	    allowing people to send SPAM through your system.</para>
 
 	</answer>
       </qandaentry>
     </qandaset>
   </sect1>
 
   <sect1 id="mail-advanced">
     <title>Advanced Topics</title>
 
     <para>The following section covers more involved topics such as mail
       configuration and setting up mail for your entire domain.</para>
 
     <sect2 id="mail-config">
       <title>Basic Configuration</title>
       <indexterm>
         <primary>email</primary>
         <secondary>configuration</secondary>
       </indexterm>
 
       <para>Out of the box, you should be able to send email to external
         hosts as long as you have set up
 	<filename>/etc/resolv.conf</filename> or are running your own
 	name server.  If you would like to have mail for your host
 	delivered to the MTA (e.g., <application>sendmail</application>) on your own FreeBSD host, there are two methods:</para>
 
       <itemizedlist>
         <listitem>
           <para>Run your own name server and have your own domain.  For
 	    example, <hostid
 	    role="domainname">FreeBSD.org</hostid></para>
         </listitem>
 
         <listitem>
           <para>Get mail delivered directly to your host.  This is done by
 	    delivering mail directly to the current DNS name for your
 	    machine.  For example, <hostid
 	    role="fqdn">example.FreeBSD.org</hostid>.</para>
         </listitem>
       </itemizedlist>
 
       <indexterm><primary>SMTP</primary></indexterm>
       <para>Regardless of which of the above you choose, in order to have
         mail delivered directly to your host, it must have a permanent
         static IP address (not a dynamic address, as with most PPP dial-up configurations).  If you are behind a
         firewall, it must pass SMTP traffic on to you.  If you want to
         receive mail directly at your host, you need to be sure of either of two
         things:</para>
 
       <itemizedlist>
         <indexterm><primary>MX record</primary></indexterm>
         <listitem>
           <para>Make sure that the (lowest-numbered) MX record in your DNS points to your
 	    host's IP address.</para>
         </listitem>
 
         <listitem>
           <para>Make sure there is no MX entry in your DNS for your
 	    host.</para>
         </listitem>
       </itemizedlist>
 
       <para>Either of the above will allow you to receive mail directly at
         your host.</para>
 
       <para>Try this:</para>
 
       <screen>&prompt.root; <userinput>hostname</userinput>
 example.FreeBSD.org
 &prompt.root; <userinput>host example.FreeBSD.org</userinput>
 example.FreeBSD.org has address 204.216.27.XX</screen>
 
       <para>If that is what you see, mail directly to
         <email>yourlogin@example.FreeBSD.org</email> should work without
         problems (assuming <application>sendmail</application> is
         running correctly on <hostid role="fqdn">example.FreeBSD.org</hostid>).</para>
 
       <para>If instead you see something like this:</para>
 
       <screen>&prompt.root; <userinput>host example.FreeBSD.org</userinput>
 example.FreeBSD.org has address 204.216.27.XX
 example.FreeBSD.org mail is handled (pri=10) by hub.FreeBSD.org</screen>
 
       <para>All mail sent to your host (<hostid
         role="fqdn">example.FreeBSD.org</hostid>) will end up being
 	collected on <hostid>hub</hostid> under the same username instead
 	of being sent directly to your host.</para>
 
       <para>The above information is handled by your DNS server.  The DNS
         record that carries mail routing information is the
         <emphasis>M</emphasis>ail e<emphasis>X</emphasis>change entry.  If
         no MX record exists, mail will be delivered directly to the host by
         way of its IP address.</para>
 
       <para>The MX entry for <hostid
         role="fqdn">freefall.FreeBSD.org</hostid> at one time looked like
         this:</para>
 
       <programlisting>freefall		MX	30	mail.crl.net
 freefall		MX	40	agora.rdrop.com
 freefall		MX	10	freefall.FreeBSD.org
 freefall		MX	20	who.cdrom.com</programlisting>
 
       <para>As you can see, <hostid>freefall</hostid> had many MX entries.
         The lowest MX number is the host that receives mail directly if
         available; if it is not accessible for some reason, the others
         (sometimes called <quote>backup MXes</quote>) accept messages
         temporarily, and pass it along when a lower-numbered host becomes
         available, eventually to the lowest-numbered host.</para>
 
       <para>Alternate MX sites should have separate Internet connections
         from your own in order to be most useful.  Your ISP or another
         friendly site should have no problem providing this service for
         you.</para>
     </sect2>
 
     <sect2 id="mail-domain">
       <title>Mail for Your Domain</title>
 
       <para>In order to set up a <quote>mailhost</quote> (a.k.a. mail
         server) you need to have any mail sent to various workstations
 	directed to it.  Basically, you want to <quote>claim</quote> any
 	mail for any hostname in your domain (in this case <hostid
 	role="fqdn">*.FreeBSD.org</hostid>) and divert it to your mail
 	server so your users can receive their mail on
 	the master mail server.</para>
 
       <indexterm><primary>DNS</primary></indexterm>
       <para>To make life easiest, a user account with the same
         <emphasis>username</emphasis> should exist on both machines.  Use
 	&man.adduser.8; to do this.</para>
 
       <para>The mailhost you will be using must be the designated mail
         exchanger for each workstation on the network.  This is done in
 	your DNS configuration like so:</para>
 
       <programlisting>example.FreeBSD.org	A	204.216.27.XX		; Workstation
 			MX	10 hub.FreeBSD.org	; Mailhost</programlisting>
 
       <para>This will redirect mail for the workstation to the mailhost no
         matter where the A record points.  The mail is sent to the MX
 	host.</para>
 
       <para>You cannot do this yourself unless you are running a DNS
         server.  If you are not, or cannot run your own DNS server, talk
 	to your ISP or whoever provides your DNS.</para>
 
       <para>If you are doing virtual email hosting, the following
         information will come in handy.  For this example, we
 	will assume you have a customer with his own domain, in this
 	case <hostid role="domainname">customer1.org</hostid>, and you want
 	all the mail for <hostid role="domainname">customer1.org</hostid>
 	sent to your mailhost, <hostid
 	role="fqdn">mail.myhost.com</hostid>.  The entry in your DNS
 	should look like this:</para>
 
       <programlisting>customer1.org		MX	10	mail.myhost.com</programlisting>
 
       <para>You do <emphasis>not</emphasis> need an A record for <hostid role="domainname">customer1.org</hostid> if you only
         want to handle email for that domain.</para>
 
       <note>
 	<para>Be aware that pinging <hostid
 	  role="domainname">customer1.org</hostid> will not work unless
 	  an A record exists for it.</para>
       </note>
 
       <para>The last thing that you must do is tell
         <application>sendmail</application> on your mailhost what domains
 	and/or hostnames it should be accepting mail for.  There are a few
 	different ways this can be done.  Either of the following will
 	work:</para>
 
       <itemizedlist>
         <listitem>
 	  <para>Add the hosts to your
 	  <filename>/etc/mail/local-host-names</filename> file if you are using the
 	  <literal>FEATURE(use_cw_file)</literal>.  If you are using
 	  a version of <application>sendmail</application> earlier than 8.10, the file is
 	  <filename>/etc/sendmail.cw</filename>.</para>
 	</listitem>
 
 	<listitem>
 	  <para>Add a <literal>Cwyour.host.com</literal> line to your
 	    <filename>/etc/sendmail.cf</filename> or
 	    <filename>/etc/mail/sendmail.cf</filename> if you are using
 	    <application>sendmail</application> 8.10 or higher.</para>
 	</listitem>
       </itemizedlist>
     </sect2>
   </sect1>
 
   <sect1 id="SMTP-UUCP">
   <title>SMTP with UUCP</title>
 
     <para>The <application>sendmail</application> configuration that ships with FreeBSD is
       designed for sites that connect directly to the Internet.  Sites
       that wish to exchange their mail via UUCP must install another
       <application>sendmail</application> configuration file.</para>
 
     <para>Tweaking <filename>/etc/mail/sendmail.cf</filename> manually
       is an advanced topic. <application>sendmail</application> version 8 generates config files
       via &man.m4.1; preprocessing, where the actual configuration
       occurs on a higher abstraction level. The &man.m4.1;
       configuration files can be found under
       <filename>/usr/src/usr.sbin/sendmail/cf</filename>.</para>
 
     <para>If you did not install your system with full sources, the
       <application>sendmail</application> configuration set has been broken out into a separate source
       distribution tarball. Assuming you have your FreeBSD source code
       CDROM mounted, do:</para>
 
     <screen>&prompt.root; <userinput>cd /cdrom/src</userinput>
 &prompt.root; <userinput>cat scontrib.?? | tar xzf - -C /usr/src/contrib/sendmail</userinput></screen>
 
     <para>This extracts to only a few hundred kilobytes.  The file
       <filename>README</filename> in the <filename>cf</filename>
       directory can serve as a basic introduction to &man.m4.1;
       configuration.</para>
 
     <para>The best way to support UUCP delivery is to use the
       <literal>mailertable</literal> feature.  This creates a database
       that <application>sendmail</application> can use to make routing decisions.</para>
 
     <para>First, you have to create your <filename>.mc</filename>
       file.  The directory
       <filename>/usr/src/usr.sbin/sendmail/cf/cf</filename> contains a
       few examples.  Assuming you have named your file
       <filename>foo.mc</filename>, all you need to do in order to
       convert it into a valid <filename>sendmail.cf</filename>
       is:</para>
 
     <screen>&prompt.root; <userinput>cd /usr/src/usr.sbin/sendmail/cf/cf</userinput>
 &prompt.root; <userinput>make foo.cf</userinput>
 &prompt.root; <userinput>cp foo.cf /etc/mail/sendmail.cf</userinput></screen>
 
     <para>A typical <filename>.mc</filename> file might look
         like:</para>
 
     <programlisting>VERSIONID(`<replaceable>Your version number</replaceable>') OSTYPE(bsd4.4)
 
 FEATURE(accept_unresolvable_domains)
 FEATURE(nocanonify)
 FEATURE(mailertable, `hash -o /etc/mail/mailertable')
 
 define(`UUCP_RELAY', <replaceable>your.uucp.relay</replaceable>)
 define(`UUCP_MAX_SIZE', 200000)
 define(`confDONT_PROBE_INTERFACES')
 
 MAILER(local)
 MAILER(smtp)
 MAILER(uucp)
 
 Cw    <replaceable>your.alias.host.name</replaceable>
 Cw    <replaceable>youruucpnodename.UUCP</replaceable></programlisting>
 
     <para>The lines containing
       <literal>accept_unresolvable_domains</literal>,
       <literal>nocanonify</literal>, and
       <literal>confDONT_PROBE_INTERFACES</literal> features will
       prevent any usage of the DNS during mail delivery.  The
       <literal>UUCP_RELAY</literal> clause is needed to support UUCP
       delivery.  Simply put an Internet hostname there that is able to
       handle .UUCP pseudo-domain addresses; most likely, you will
       enter the mail relay of your ISP there.</para>
 
     <para>Once you have this, you need an
       <filename>/etc/mail/mailertable</filename> file.  If you have
       only one link to the outside that is used for all your mails,
       the following file will suffice:</para>
 
     <programlisting>#
 # makemap hash /etc/mail/mailertable.db &lt; /etc/mail/mailertable
 .                             uucp-dom:<replaceable>your.uucp.relay</replaceable></programlisting>
 
     <para>A more complex example might look like this:</para>
 
     <programlisting>#
 # makemap hash /etc/mail/mailertable.db &lt; /etc/mail/mailertable
 #
 horus.interface-business.de   uucp-dom:horus
 .interface-business.de        uucp-dom:if-bus
 interface-business.de         uucp-dom:if-bus
 .heep.sax.de                  smtp8:%1
 horus.UUCP                    uucp-dom:horus
 if-bus.UUCP                   uucp-dom:if-bus
 .                             uucp-dom:</programlisting>
 
 
     <para>The first three lines handle special cases where
       domain-addressed mail should not be sent out to the default
       route, but instead to some UUCP neighbor in order to
       <quote>shortcut</quote> the delivery path. The next line handles
       mail to the local Ethernet domain that can be delivered using
       SMTP. Finally, the UUCP neighbors are mentioned in the .UUCP
       pseudo-domain notation, to allow for a
       <literal><replaceable>uucp-neighbor
       </replaceable>!<replaceable>recipient</replaceable></literal>
       override of the default rules. The last line is always a single
       dot, matching everything else, with UUCP delivery to a UUCP
       neighbor that serves as your universal mail gateway to the
       world. All of the node names behind the
       <literal>uucp-dom:</literal> keyword must be valid UUCP
       neighbors, as you can verify using the command
       <literal>uuname</literal>.</para>
 
     <para>As a reminder that this file needs to be converted into a
       DBM database file before use.  The command line to accomplish
       this is best placed as a comment at the top of the <filename>mailertable</filename> file.
       You always have to execute this command each time you change
       your <filename>mailertable</filename> file.</para>
 
     <para>Final hint: if you are uncertain whether some particular
       mail routing would work, remember the <option>-bt</option>
       option to <application>sendmail</application>. It starts <application>sendmail</application> in <emphasis>address test
       mode</emphasis>; simply enter <literal>3,0</literal>, followed
       by the address you wish to test for the mail routing.  The last
       line tells you the used internal mail agent, the destination
       host this agent will be called with, and the (possibly
       translated) address. Leave this mode by typing <keycombo
       action="simul"><keycap>Ctrl</keycap><keycap>D</keycap></keycombo>.</para>
 
     <screen>&prompt.user; <userinput>sendmail -bt</userinput>
 ADDRESS TEST MODE (ruleset 3 NOT automatically invoked)
 Enter &lt;ruleset&gt; &lt;address&gt;
 <prompt>&gt;</prompt> <userinput>3,0 foo@example.com</userinput>
 canonify           input: foo @ example . com
 ...
 parse            returns: $# uucp-dom $@ <replaceable>your.uucp.relay</replaceable> $: foo &lt; @ example . com . &gt;
 <prompt>&gt;</prompt> <userinput>^D</userinput></screen>
   </sect1>
 
   <sect1 id="outgoing-only">
     <sect1info>
       <authorgroup>
         <author>
           <firstname>Bill</firstname>
           <surname>Moran</surname>
           <contrib>Contributed by </contrib>
         </author>
       </authorgroup>
     </sect1info>
 
     <title>Setting Up to Send Only</title>
 
     <para>There are many instances where you may only want to send
       mail through a relay.  Some examples are:</para>
 
     <itemizedlist>
       <listitem>
 	<para>Your computer is a desktop machine, but you want
 	  to use programs such as &man.send-pr.1;.  To do so, you should use
 	  your ISP's mail relay.</para>
       </listitem>
 
       <listitem>
 	<para>The computer is a server that does not handle mail
 	  locally, but needs to pass off all mail to a relay for
 	  processing.</para>
       </listitem>
     </itemizedlist>
 
     <para>Just about any <acronym>MTA</acronym> is capable of filling
       this particular niche.  Unfortunately, it can be very difficult
       to properly configure a full-featured <acronym>MTA</acronym>
       just to handle offloading mail.  Programs such as
       <application>sendmail</application> and
       <application>postfix</application> are largely overkill for
       this use.</para>
 
     <para>Additionally, if you are using a typical Internet access
       service, your agreement may forbid you from running a
       <quote>mail server</quote>.</para>
 
     <para>The easiest way to fulfill those needs is to install the
       <filename role="package">mail/ssmtp</filename> port.  Execute
       the following commands as <username>root</username>:</para>
 
     <screen>&prompt.root; <userinput>cd /usr/ports/mail/ssmtp</userinput>
 &prompt.root; <userinput>make install replace clean</userinput></screen>
 
     <para>Once installed,
       <filename role="package">mail/ssmtp</filename> can be configured
       with a four-line file located at
       <filename>/usr/local/etc/ssmtp/ssmtp.conf</filename>:</para>
 
     <programlisting>root=yourrealemail@example.com
 mailhub=mail.example.com
 rewriteDomain=example.com
 hostname=_HOSTNAME_</programlisting>
 
     <para>Make sure you use your real email address for
       <username>root</username>.  Enter your ISP's outgoing mail relay
       in place of <hostid role="fqdn">mail.example.com</hostid> (some ISPs call
       this the <quote>outgoing mail server</quote> or
       <quote>SMTP server</quote>).</para>
 
     <para>Make sure you disable <application>sendmail</application> by
       setting <literal>sendmail_enable="NONE"</literal>
       in <filename>/etc/rc.conf</filename>.</para>
 
     <para><filename role="package">mail/ssmtp</filename> has some
       other options available.  See the example configuration file in
       <filename>/usr/local/etc/ssmtp</filename> or the manual page of
       <application>ssmtp</application> for some examples and more
       information.</para>
 
     <para>Setting up <application>ssmtp</application> in this manner
       will allow any software on your computer that needs to send
       mail to function properly, while not violating your ISP's usage
       policy or allowing your computer to be hijacked for spamming.</para>
   </sect1>
 
   <sect1 id="SMTP-dialup">
     <title>Using Mail with a Dialup Connection</title>
 
     <para>If you have a static IP address, you should not need to
       adjust anything from the defaults.  Set your host name to your
       assigned Internet name and <application>sendmail</application> will do the rest.</para>
 
     <para>If you have a dynamically assigned IP number and use a
       dialup PPP connection to the Internet, you will probably have a
       mailbox on your ISPs mail server. Let's assume your ISP's domain
       is <hostid role="domainname">example.net</hostid>, and that your
       user name is <username>user</username>, you have called your
       machine <hostid role="fqdn">bsd.home</hostid>, and your ISP has
       told you that you may use <hostid
       role="fqdn">relay.example.net</hostid> as a mail relay.</para>
 
     <para>In order to retrieve mail from your mailbox, you must
       install a retrieval agent.  The
       <application>fetchmail</application> utility is a good choice as
       it supports many different protocols.  This program is available
       as a package or from the ports collection (<filename
       role="package">mail/fetchmail</filename>).  Usually, your <acronym>ISP</acronym> will
       provide <acronym>POP</acronym>. If you are using user <acronym>PPP</acronym>, you can
       automatically fetch your mail when an Internet connection is
       established with the following entry in
       <filename>/etc/ppp/ppp.linkup</filename>:</para>
 
     <programlisting>MYADDR:
 !bg su user -c fetchmail</programlisting>
 
     <para>If you are using <application>sendmail</application> (as
       shown below) to deliver mail to non-local accounts, you probably
       want to have <application>sendmail</application> process your
       mailqueue as soon as your Internet connection is established.
       To do this, put this command after the
       <command>fetchmail</command> command in
       <filename>/etc/ppp/ppp.linkup</filename>:</para>
 
     <programlisting>  !bg su user -c "sendmail -q"</programlisting>
 
     <para>Assume that you have an account for
       <username>user</username> on <hostid
       role="fqdn">bsd.home</hostid>. In the home directory of
       <username>user</username> on <hostid
       role="fqdn">bsd.home</hostid>, create a
       <filename>.fetchmailrc</filename> file:</para>
 
     <programlisting>poll example.net protocol pop3 fetchall pass MySecret</programlisting>
 
     <para>This file should not be readable by anyone except
       <username>user</username> as it contains the password
       <literal>MySecret</literal>.</para>
 
     <para>In order to send mail with the correct
       <literal>from:</literal> header, you must tell
       <application>sendmail</application> to use
       <literal>user@example.net</literal> rather than
       <literal>user@bsd.home</literal>. You may also wish to tell
       <application>sendmail</application> to send all mail via <hostid
       role="fqdn">relay.example.net</hostid>, allowing quicker mail
       transmission.</para>
 
     <para>The following <filename>.mc</filename> file should
       suffice:</para>
 
     <programlisting>VERSIONID(`bsd.home.mc version 1.0')
 OSTYPE(bsd4.4)dnl
 FEATURE(nouucp)dnl
 MAILER(local)dnl
 MAILER(smtp)dnl
 Cwlocalhost
 Cwbsd.home
 MASQUERADE_AS(`example.net')dnl
 FEATURE(allmasquerade)dnl
 FEATURE(masquerade_envelope)dnl
 FEATURE(nocanonify)dnl
 FEATURE(nodns)dnl
 define(`SMART_HOST', `relay.example.net')
 Dmbsd.home
 define(`confDOMAIN_NAME',`bsd.home')dnl
 define(`confDELIVERY_MODE',`deferred')dnl</programlisting>
 
     <para>Refer to the previous section for details of how to turn
       this <filename>.mc</filename> file into a
       <filename>sendmail.cf</filename> file.  Also, do not forget to
       restart <application>sendmail</application> after updating
       <filename>sendmail.cf</filename>.</para>
   </sect1>
 
   <sect1 id="SMTP-Auth">
     <sect1info>
     <authorgroup>
       <author>
         <firstname>James</firstname>
         <surname>Gorham</surname>
         <contrib>Written by </contrib>
       </author>
     </authorgroup>
     </sect1info>
 
     <title>SMTP Authentication</title>
 
     <para>Having <acronym>SMTP</acronym> Authentication in place on
       your mail server has a number of benefits.
       <acronym>SMTP</acronym> Authentication can add another layer
       of security to <application>sendmail</application>, and has the benefit of giving mobile
       users who switch hosts the ability to use the same mail server
       without the need to reconfigure their mail client settings
       each time.</para>
 
     <procedure>
       <step>
 	<para>Install <filename role="package">security/cyrus-sasl</filename>
 	  from the ports. You can find this port in
 	  <filename role="package">security/cyrus-sasl</filename>.
 	  <filename role="package">security/cyrus-sasl</filename> has
 	  a number of compile time options to choose from and, for
 	  the method we will be using here, make sure to select the
 	  <option>pwcheck</option> option.</para>
       </step>
 
 
       <step>
 	<para>After installing <filename role="package">security/cyrus-sasl</filename>,
 	  edit <filename>/usr/local/lib/sasl/Sendmail.conf</filename>
 	  (or create it if it does not exist) and add the following
 	  line:</para>
 
 	<programlisting>pwcheck_method: passwd</programlisting>
 
 	<para>This method will enable <application>sendmail</application>
 	  to authenticate against your FreeBSD <filename>passwd</filename>
 	  database.  This saves the trouble of creating a new set of usernames
 	  and passwords for each user that needs to use
 	  <acronym>SMTP</acronym> authentication, and keeps the login
 	  and mail password the same.</para>
       </step>
 
       <step>
 	<para>Now edit <filename>/etc/make.conf</filename> and add the
 	  following lines:</para>
 
 	<programlisting>SENDMAIL_CFLAGS=-I/usr/local/include/sasl1 -DSASL
 SENDMAIL_LDFLAGS=-L/usr/local/lib
 SENDMAIL_LDADD=-lsasl</programlisting>
 
 	<para>These lines will give <application>sendmail</application>
 	the proper configuration options for linking
 	to <filename role="package">cyrus-sasl</filename> at compile time.
 	Make sure that <filename role="package">cyrus-sasl</filename>
 	has been installed before recompiling
 	<application>sendmail</application>.</para>
       </step>
 
       <step>
 	<para>Recompile <application>sendmail</application> by executing the following commands:</para>
 
 	<screen>&prompt.root; <userinput>cd /usr/src/usr.sbin/sendmail</userinput>
 &prompt.root; <userinput>make cleandir</userinput>
 &prompt.root; <userinput>make obj</userinput>
 &prompt.root; <userinput>make</userinput>
 &prompt.root; <userinput>make install</userinput></screen>
 
 	<para>The compile of <application>sendmail</application> should not have any problems
 	  if <filename>/usr/src</filename> has not been changed extensively
 	  and the shared libraries it needs are available.</para>
       </step>
 
       <step>
 	<para>After <application>sendmail</application> has been compiled
 	  and reinstalled, edit your <filename>/etc/mail/freebsd.mc</filename>
 	  file (or whichever file you use as your <filename>.mc</filename> file. Many administrators
 	  choose to use the output from &man.hostname.1; as the <filename>.mc</filename> file for
 	  uniqueness).  Add these lines to it:</para>
 
 	<programlisting>dnl set SASL options
 TRUST_AUTH_MECH(`GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl
 define(`confAUTH_MECHANISMS', `GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl
 define(`confDEF_AUTH_INFO', `/etc/mail/auth-info')dnl</programlisting>
 
 	<para>These options configure the different methods available to
 	<application>sendmail</application> for authenticating users.
 	If you would like to use a method other than
 	<application>pwcheck</application>, please see the
 	included documentation.</para>
       </step>
 
       <step>
 	<para>Finally, run &man.make.1; while in <filename>/etc/mail</filename>.
 	  That will run your new <filename>.mc</filename> file and create a <filename>.cf</filename> file named
 	  <filename>freebsd.cf</filename> (or whatever name you have used
 	  for your <filename>.mc</filename> file).  Then use the
 	  command <command>make install restart</command>, which will
 	  copy the file to <filename>sendmail.cf</filename>, and will
 	  properly restart <application>sendmail</application>.
 	  For more information about this process, you should refer
 	  to <filename>/etc/mail/Makefile</filename>.</para>
       </step>
     </procedure>
 
     <para>If all has gone correctly, you should be able to enter your login
       information into the mail client and send a test message.
       For further investigation, set the <option>LogLevel</option> of
       <application>sendmail</application> to 13 and watch
       <filename>/var/log/maillog</filename> for any errors.</para>
 
     <para>You may wish to add the following lines to <filename>/etc/rc.conf</filename>
       so this service will be available after every system boot:</para>
 
     <programlisting>sasl_pwcheck_enable="YES"
 sasl_pwcheck_program="/usr/local/sbin/pwcheck"</programlisting>
 
     <para>This will ensure the initialization of <acronym>SMTP_AUTH</acronym> upon system
       boot.</para>
 
     <para>For more information, please see the <application>sendmail</application>
       page regarding
       <ulink url="http://www.sendmail.org/~ca/email/auth.html">
       <acronym>SMTP</acronym> authentication</ulink>.</para>
 
   </sect1>
 
   <sect1 id="mail-agents">
     <sect1info>
       <authorgroup>
 	<author>
 	  <firstname>Marc</firstname>
 	  <surname>Silver</surname>
 	  <contrib>Contributed by </contrib>
 	</author>
       </authorgroup>
     </sect1info>
     <title>Mail User Agents</title>
 
     <indexterm>
       <primary>Mail User Agents</primary>
     </indexterm>
 
     <para>A Mail User Agent (<acronym>MUA</acronym>) is an application
       that is used to send and receive email.  Furthermore, as email
       <quote>evolves</quote> and becomes more complex,
       <acronym>MUA</acronym>'s are becoming increasingly powerful in the
       way they interact with email; this gives users increased
       functionality and flexibility.  &os; contains support for
       numerous mail user agents, all of which can be easily installed
       using the <link linkend="ports">FreeBSD Ports Collection</link>.
       Users may choose between graphical email clients such as
       <application>evolution</application> or
       <application>balsa</application>, console based clients such as
       <application>mutt</application>, <application>pine</application>
       or <command>mail</command>, or the web interfaces used by some
       large organizations.</para>
 
     <sect2 id="mail-command">
       <title>mail</title>
 
       <para>&man.mail.1; is the default Mail User Agent
 	(<acronym>MUA</acronym>) in &os;.  It is a
 	console based <acronym>MUA</acronym> that offers all the basic
 	functionality required to send and receive text-based email,
 	though it is limited in interaction abilities with attachments
 	and can only support local mailboxes.</para>
 
       <para>Although <command>mail</command> does not natively support
 	interaction with <acronym>POP</acronym> or
 	<acronym>IMAP</acronym> servers, these mailboxes may be
 	downloaded to a local <filename>mbox</filename> file using an
 	application such as <application>fetchmail</application>, which
 	will be discussed later in this chapter (<xref
 	linkend="mail-fetchmail">).</para>
 
       <para>In order to send and receive email, simply invoke the
 	<command>mail</command> command as per the following
 	example:</para>
 
       <screen>&prompt.user; <userinput>mail</userinput></screen>
 
       <para>The contents of the user mailbox in
 	<filename class="directory">/var/mail</filename> are
 	automatically read by the <command>mail</command> utility.
 	Should the mailbox be empty, the utility exits with a
 	message indicating that no mails could be found.  Once the
 	mailbox has been read, the application interface is started, and
 	a list of messages will be displayed.  Messages are automatically
 	numbered, as can be seen in the following example:</para>
 
       <screen>Mail version 8.1 6/6/93.  Type ? for help.
 "/var/mail/marcs": 3 messages 3 new
 >N  1 root@localhost        Mon Mar  8 14:05  14/510   "test"
  N  2 root@localhost        Mon Mar  8 14:05  14/509   "user account"
  N  3 root@localhost        Mon Mar  8 14:05  14/509   "sample"</screen>
 
       <para>Messages can now be read by using the <keycap>t</keycap>
 	<command>mail</command> command, suffixed by the message number
 	that should be displayed.  In this example, we will read the
 	first email:</para>
 
       <screen>& <userinput>t 1</userinput>
 Message 1:
 From root@localhost  Mon Mar  8 14:05:52 2004
 X-Original-To: marcs@localhost
 Delivered-To: marcs@localhost
 To: marcs@localhost
 Subject: test
 Date: Mon,  8 Mar 2004 14:05:52 +0200 (SAST)
 From: root@localhost (Charlie Root)
 
 This is a test message, please reply if you receive it.</screen>
 
       <para>As can be seen in the example above, the <keycap>t</keycap>
 	key will cause the message to be displayed with full headers.
 	To display the list of messages again, the <keycap>h</keycap>
 	key should be used.</para>
 
       <para>If the email requires a response, you may use
 	<command>mail</command> to reply, by using either the
 	<keycap>R</keycap> or <keycap>r</keycap> <command>mail</command>
 	keys.  The <keycap>R</keycap> key instructs
 	<command>mail</command> to reply only to the sender of the
 	email, while <keycap>r</keycap> replies not only to the sender,
 	but also to other recipients of the message.  You may also
 	suffix these commands with the mail number which you would like
 	make a reply to.  Once this has been done, the response should
 	be entered, and the end of the message should be marked by a
 	single <keycap>.</keycap> on a new line.  An example can be seen
 	below:</para>
 
       <screen>& <userinput>R 1</userinput>
 To: root@localhost
 Subject: Re: test
 
 <userinput>Thank you, I did get your email.
 .</userinput>
 EOT</screen>
 
       <para>In order to send new email, the <keycap>m</keycap>
 	key should be used, followed by the
 	recipient email address.  Multiple recipients may also be
 	specified by separating each address with the <keycap>,</keycap>
 	delimiter.  The subject of the message may then be entered,
 	followed by the message contents.  The end of the message should
 	be specified by putting a single <keycap>.</keycap> on a new
 	line.</para>
 
       <screen>& <userinput>mail root@localhost</userinput>
 Subject: <userinput>I mastered mail
 
 Now I can send and receive email using mail ... :)
 .</userinput>
 EOT</screen>
 
       <para>While inside the <command>mail</command> utility, the
 	<keycap>?</keycap> command may be used to display help at any
 	time, the &man.mail.1; manual page should also be consulted for
 	more help with <command>mail</command>.</para>
 
       <note>
         <para>As previously mentioned, the &man.mail.1; command was not
 	  originally designed to handle attachments, and thus deals with
 	  them very poorly.  Newer <acronym>MUA</acronym>s such as
 	  <application>mutt</application> handle attachments in a much
 	  more intelligent way.  But should you still wish to use the
 	  <command>mail</command> command, the <filename
 	  role="package">converters/mpack</filename> port may be of
 	  considerable use.</para>
       </note>
     </sect2>
 
     <sect2 id="mutt-command">
       <title>mutt</title>
 
       <para><application>mutt</application> is a small yet very
 	 powerful Mail User Agent, with excellent features,
 	 just some of which include:</para>
 
       <itemizedlist>
         <listitem>
 	  <para>The ability to thread messages;</para>
         </listitem>
 
         <listitem>
 	  <para>PGP support for digital signing and encryption of
 	    email;</para>
         </listitem>
 
         <listitem>
 	  <para>MIME Support;</para>
         </listitem>
 
         <listitem>
 	  <para>Maildir Support;</para>
         </listitem>
 
         <listitem>
 	  <para>Highly customizable.</para>
         </listitem>
       </itemizedlist>
 
       <para>All of these features help to make
 	<application>mutt</application> one of the most advanced mail
 	user agents available.  See <ulink
 	url="http://www.mutt.org"></ulink> for more
 	information on <application>mutt</application>.</para>
 
       <para>The stable version of <application>mutt</application> may be
 	installed using the <filename
 	role="package">mail/mutt</filename> port, while the current
 	development version may be installed via the <filename
 	role="package">mail/mutt-devel</filename> port.  After the port
 	has been installed, <application>mutt</application> can be
 	started by issuing the following command:</para>
 
       <screen>&prompt.user; <userinput>mutt</userinput></screen>
 
       <para><application>mutt</application> will automatically read the
 	contents of the user mailbox in <filename
 	class="directory">/var/mail</filename> and display the contents
 	if applicable.  If no mails are found in the user mailbox, then
 	<application>mutt</application> will wait for commands from the
 	user.  The example below shows <application>mutt</application>
 	displaying a list of messages:</para>
 
       <mediaobject>
 	<imageobject>
 	  <imagedata fileref="mail/mutt1" format="PNG">
 	</imageobject>
       </mediaobject>
 
       <para>In order to read an email, simply select it using the cursor
 	keys, and press the <keycap>Enter</keycap> key.  An example of
 	<application>mutt</application> displaying email can be seen
 	below:</para>
 
       <mediaobject>
 	<imageobject>
 	  <imagedata fileref="mail/mutt2" format="PNG">
 	</imageobject>
       </mediaobject>
 
       <para>As with the &man.mail.1; command,
 	<application>mutt</application> allows users to reply only to
 	the sender of the message as well as to all recipients.  To
 	reply only to the sender of the email, use the
 	<keycap>r</keycap> keyboard shortcut.  To send a group reply,
 	which will be sent to the original sender as well as all the
 	message recipients, use the <keycap>g</keycap> shortcut.</para>
 
       <note>
 	<para><application>mutt</application> makes use of the
 	  &man.vi.1; command as an editor for creating and replying to
 	  emails.  This may be customized by the user by creating or
 	  editing their own <filename>.muttrc</filename> file in their home directory and setting the
 	  <literal>editor</literal> variable.</para>
       </note>
 
       <para>In order to compose a new mail message, press
 	<keycap>m</keycap>.  After a valid subject has been given,
 	<application>mutt</application> will start &man.vi.1; and the
 	mail can be written.  Once the contents of the mail are
 	complete, save and quit from <command>vi</command> and
 	<application>mutt</application> will resume, displaying a
 	summary screen of the mail that is to be delivered.  In order to
 	send the mail, press <keycap>y</keycap>.  An example of the
 	summary screen can be seen below:</para>
 
       <mediaobject>
 	<imageobject>
 	  <imagedata fileref="mail/mutt3" format="PNG">
 	</imageobject>
       </mediaobject>
 
       <para><application>mutt</application> also contains extensive
 	help, which can be accessed from most of the menus by pressing
 	the <keycap>?</keycap> key.  The top line also displays the
 	keyboard shortcuts where appropriate.</para>
     </sect2>
 
     <sect2 id="pine-command">
       <title>pine</title>
 
       <para><application>pine</application> is aimed at a beginner
 	user, but also includes some advanced features.</para>
 
       <warning>
 	<para>The <application>pine</application> software has had several remote vulnerabilities
 	  discovered in the past, which allowed remote attackers to
 	  execute arbitrary code as users on the local system, by the
 	  action of sending a specially-prepared email. All such
 	  <emphasis>known</emphasis> problems have been fixed, but the
 	  <application>pine</application> code is written in a very insecure style and the &os;
 	  Security Officer believes there are likely to be other
 	  undiscovered vulnerabilities. You install
 	  <application>pine</application> at your own risk.</para>
       </warning>
 
       <para>The current version of <application>pine</application> may
 	be installed using the <filename
 	role="package">mail/pine4</filename> port.  Once the port has
 	installed, <application>pine</application> can be started by
 	issuing the following command:</para>
 
       <screen>&prompt.user; <userinput>pine</userinput></screen>
 
       <para>The first time that <application>pine</application> is run
 	it displays a greeting page with a brief introduction, as well
 	as a request from the <application>pine</application>
 	development team to send an anonymous email message allowing
 	them to judge how many users are using their client.  To send
 	this anonymous message, press <keycap>Enter</keycap>, or
 	alternatively press <keycap>E</keycap> to exit the greeting
 	without sending an anonymous message.  An example of the
 	greeting page can be seen below:</para>
 
       <mediaobject>
 	<imageobject>
 	  <imagedata fileref="mail/pine1" format="PNG">
 	</imageobject>
       </mediaobject>
 
       <para>Users are then presented with the main menu, which can be
 	easily navigated using the cursor keys.  This main menu provides
 	shortcuts for the composing new mails, browsing of mail directories,
 	and even the administration of address book entries.  Below the
 	main menu, relevant keyboard shortcuts to perform functions
 	specific to the task at hand are shown.</para>
 
       <para>The default directory opened by <application>pine</application>
 	is the <filename class="directory">inbox</filename>.  To view the message index, press
 	<keycap>I</keycap>, or select the <guimenuitem>MESSAGE INDEX</guimenuitem>
 	option as seen below:</para>
 
       <mediaobject>
 	<imageobject>
 	  <imagedata fileref="mail/pine2" format="PNG">
 	</imageobject>
       </mediaobject>
 
       <para>The message index shows messages in the current directory,
 	and can be navigated by using the cursor keys.  Highlighted
 	messages can be read by pressing the
 	<keycap>Enter</keycap> key.</para>
 
       <mediaobject>
 	<imageobject>
 	  <imagedata fileref="mail/pine3" format="PNG">
 	</imageobject>
       </mediaobject>
 
       <para>In the screenshot below, a sample message is displayed by
 	<application>pine</application>.  Keyboard shortcuts are
 	displayed as a reference at the bottom of the screen.  An
 	example of one of these shortcuts is the <keycap>r</keycap> key,
 	which tells the <acronym>MUA</acronym> to reply to the current
 	message being displayed.</para>
 
       <mediaobject>
 	<imageobject>
 	  <imagedata fileref="mail/pine4" format="PNG">
 	</imageobject>
       </mediaobject>
 
       <para>Replying to an email in <application>pine</application> is
 	done using the <application>pico</application> editor, which is
 	installed by default with <application>pine</application>.
 	The <application>pico</application> utility makes it easy to
 	navigate around the message and is slightly more forgiving on
 	novice users than &man.vi.1; or &man.mail.1;.  Once the reply
 	is complete, the message can be sent by pressing
 	<keycombo action="simul"><keycap>Ctrl</keycap><keycap>X</keycap>
 	</keycombo>. The <application>pine</application> application
 	will ask for confirmation.</para>
 
       <mediaobject>
 	<imageobject>
 	  <imagedata fileref="mail/pine5" format="PNG">
 	</imageobject>
       </mediaobject>
 
       <para>The <application>pine</application> application can be
 	customized using the <guimenuitem>SETUP</guimenuitem> option from the main
 	menu.  Consult <ulink url="http://www.washington.edu/pine/"></ulink>
 	for more information.</para>
 
     </sect2>
   </sect1>
 
   <sect1 id="mail-fetchmail">
     <sect1info>
       <authorgroup>
 	<author>
 	  <firstname>Marc</firstname>
 	  <surname>Silver</surname>
 	  <contrib>Contributed by </contrib>
 	</author>
       </authorgroup>
     </sect1info>
     <title>Using fetchmail</title>
 
     <indexterm>
       <primary>Using fetchmail</primary>
     </indexterm>
 
     <para><application>fetchmail</application> is a full-featured
       <acronym>IMAP</acronym> and <acronym>POP</acronym> client which
       allows users to automatically download mail from remote
       <acronym>IMAP</acronym> and <acronym>POP</acronym> servers and
       save it into local mailboxes; there it can be accessed more easily.
       <application>fetchmail</application> can be installed using the
       <filename role="package">mail/fetchmail</filename> port, and
       offers various features, some of which include:</para>
 
     <itemizedlist>
       <listitem>
 	<para>Support of <acronym>POP3</acronym>,
 	  <acronym>APOP</acronym>, <acronym>KPOP</acronym>,
 	  <acronym>IMAP</acronym>, <acronym>ETRN</acronym> and
 	  <acronym>ODMR</acronym> protocols.</para>
       </listitem>
 
       <listitem>
 	<para>Ability to forward mail using <acronym>SMTP</acronym>, which
 	  allows filtering, forwarding, and aliasing to function
 	  normally.</para>
       </listitem>
 
       <listitem>
 	<para>May be run in daemon mode to check periodically for new
 	  messages.</para>
       </listitem>
 
       <listitem>
 	<para>Can retrieve multiple mailboxes and forward them based
 	  on configuration, to different local users.</para>
       </listitem>
     </itemizedlist>
 
     <para>While it is outside the scope of this document to explain
       all of <application>fetchmail</application>'s features, some
       basic features will be explained.  The
       <application>fetchmail</application> utility requires a
       configuration file known as <filename>.fetchmailrc</filename>,
       in order to run correctly.  This file includes server information
       as well as login credentials.  Due to the sensitive nature of the
       contents of this file, it is advisable to make it readable only by the owner,
       with the following command:</para>
 
     <screen>&prompt.user; <userinput>chmod 600 .fetchmailrc</userinput></screen>
 
     <para>The following <filename>.fetchmailrc</filename> serves as an
       example for downloading a single user mailbox using
       <acronym>POP</acronym>.  It tells
       <application>fetchmail</application> to connect to <hostid
       role="fqdn">example.com</hostid> using a username of
       <username>joesoap</username> and a password of
       <literal>XXX</literal>.  This example assumes that the user
       <username>joesoap</username> is also a user on the local
       system.</para>
 
     <programlisting>poll example.com protocol pop3 username "joesoap" password "XXX"</programlisting>
 
     <para>The next example connects to multiple <acronym>POP</acronym>
       and <acronym>IMAP</acronym> servers and redirects to different
       local usernames where applicable:</para>
 
     <programlisting>poll example.com proto pop3:
 user "joesoap", with password "XXX", is "jsoap" here;
 user "andrea", with password "XXXX";
 poll example2.net proto imap:
 user "john", with password "XXXXX", is "myth" here;</programlisting>
 
     <para>The <application>fetchmail</application> utility can be run in daemon
       mode by running it with the <option>-d</option> flag, followed
       by the interval (in seconds) that
       <application>fetchmail</application> should poll servers listed
       in the <filename>.fetchmailrc</filename> file.  The following
       example would cause <application>fetchmail</application> to poll
       every 60 seconds:</para>
 
     <screen>&prompt.user; <userinput>fetchmail -d 60</userinput></screen>
 
     <para>More information on <application>fetchmail</application> can
       be found at <ulink
       url="http://www.catb.org/~esr/fetchmail/"></ulink>.</para>
   </sect1>
 
   <sect1 id="mail-procmail">
     <sect1info>
       <authorgroup>
 	<author>
 	  <firstname>Marc</firstname>
 	  <surname>Silver</surname>
 	  <contrib>Contributed by </contrib>
 	</author>
       </authorgroup>
     </sect1info>
     <title>Using procmail</title>
 
     <indexterm>
       <primary>Using procmail</primary>
     </indexterm>
 
     <para>The <application>procmail</application> utility is an
       incredibly powerful application used to filter incoming mail.
       It allows users to define <quote>rules</quote> which can be
       matched to incoming mails to perform specific functions or to
       reroute mail to alternative mailboxes and/or email addresses.
       <application>procmail</application> can be installed using the
       <filename role="package">mail/procmail</filename> port.  Once
       installed, it can be directly integrated into most
       <acronym>MTA</acronym>s; consult your <acronym>MTA</acronym>
       documentation for more information.  Alternatively,
       <application>procmail</application> can be integrated by adding
       the following line to a <filename>.forward</filename> in the home
       directory of the user utilizing
       <application>procmail</application> features:</para>
 
     <programlisting>"|exec /usr/local/bin/procmail || exit 75"</programlisting>
 
     <para>The following section will display some basic
       <application>procmail</application> rules, as well as brief
       descriptions on what they do.  These rules, and others must be
       inserted into a <filename>.procmailrc</filename> file, which
       must reside in the user's home directory.</para>
 
     <para>The majority of these rules can also be found in the
       &man.procmailex.5; manual page.</para>
 
     <para>Forward all mail from <literal>user@example.com</literal> to an
       external address of <literal>goodmail@example2.com</literal>:</para>
 
     <programlisting>:0
 * ^From.*user@example.com
 ! goodmail@example2.com</programlisting>
 
     <para>Forward all mails shorter than 1000 bytes to an external
       address of <literal>goodmail@example2.com</literal>:</para>
 
     <programlisting>:0
 * < 1000
 ! goodmail@example2.com</programlisting>
 
     <para>Send all mail sent to <literal>alternate@example.com</literal>
       into a mailbox called <filename>alternate</filename>:</para>
 
     <programlisting>:0
 * ^TOalternate@example.com
 alternate</programlisting>
 
     <para>Send all mail with a subject of <quote>Spam</quote> to
       <filename>/dev/null</filename>:</para>
 
     <programlisting>:0
 ^Subject:.*Spam
 /dev/null</programlisting>
 
     <para>A useful recipe that parses incoming <hostid role="domainname">&os;.org</hostid> mailing lists
       and places each list in its own mailbox:</para>
 
     <programlisting>:0
 * ^Sender:.owner-freebsd-\/[^@]+@FreeBSD.ORG
 {
 	LISTNAME=${MATCH}
 	:0
 	* LISTNAME??^\/[^@]+
 	FreeBSD-${MATCH}
 }</programlisting>
   </sect1>
 </chapter>
 
 <!--
      Local Variables:
      mode: sgml
      sgml-declaration: "../chapter.decl"
      sgml-indent-data: t
      sgml-omittag: nil
      sgml-always-quote-attributes: t
      sgml-parent-document: ("../book.sgml" "part" "chapter")
      End:
 -->
diff --git a/en_US.ISO8859-1/books/handbook/multimedia/chapter.sgml b/en_US.ISO8859-1/books/handbook/multimedia/chapter.sgml
index b9bb250f56..e3d2e05253 100644
--- a/en_US.ISO8859-1/books/handbook/multimedia/chapter.sgml
+++ b/en_US.ISO8859-1/books/handbook/multimedia/chapter.sgml
@@ -1,1858 +1,1858 @@
 <!--
      The FreeBSD Documentation Project
 
      $FreeBSD$
 -->
 
 <chapter id="multimedia">
  <chapterinfo>
   <authorgroup>
    <author>
     <firstname>Ross</firstname>
     <surname>Lippert</surname>
     <contrib>Edited by </contrib>
    </author>
   </authorgroup>
  </chapterinfo>
 
  <title>Multimedia</title>
   <sect1 id="multimedia-synopsis">
   <title>Synopsis</title>
 
     <para>FreeBSD supports a wide variety of sound cards, allowing you
       to enjoy high fidelity output from your computer.  This includes
       the ability to record and playback audio in the MPEG Audio Layer
       3 (MP3), WAV, and Ogg Vorbis formats as well as many other
       formats.  The FreeBSD Ports Collection also contains
       applications allowing you to edit your recorded audio, add sound
       effects, and control attached MIDI devices.</para>
 
     <para>With some willingness to experiment, FreeBSD can support
       playback of video files and DVD's.  The number of applications
       to encode, convert, and playback various video media is more
       limited than the number of sound applications.  For example as
       of this writing, there is no good re-encoding application in the
       FreeBSD Ports Collection, which could be use to convert
       between formats, as there is with <filename
       role="package">audio/sox</filename>.  However, the software
       landscape in this area is changing rapidly.</para>
 
     <para>This chapter will describe the necessary steps to configure
       your sound card.  The configuration and installation of X11
       (<xref linkend="x11">) has already taken care of the
       hardware issues for your video card, though there may be some
       tweaks to apply for better playback.</para>
 
     <para>After reading this chapter, you will know:</para>
 
     <itemizedlist>
       <listitem>
         <para>How to configure your system so that your sound card is
           recognized.</para>
       </listitem>
 
       <listitem>
         <para>Methods to test that your card is working using
           sample applications.</para>
       </listitem>
 
       <listitem>
         <para>How to troubleshoot your sound setup.</para>
       </listitem>
 
       <listitem>
         <para>How to playback and encode MP3s and other audio.</para>
       </listitem>
 
       <listitem>
         <para>How video is supported by the X server.</para>
       </listitem>
 
       <listitem>
         <para>Some video player/encoder ports which give good results.</para>
       </listitem>
 
       <listitem>
         <para>How to playback DVD's, <filename>.mpg</filename> and <filename>.avi</filename> files.</para>
       </listitem>
 
       <listitem>
         <para>How to rip CD and DVD information into files.</para>
       </listitem>
 
       <listitem>
 	<para>How to configure a TV card.</para>
       </listitem>
 
       <listitem>
 	<para>How to configure an image scanner.</para>
       </listitem>
     </itemizedlist>
 
     <para>Before reading this chapter, you should:</para>
 
     <itemizedlist>
       <listitem><para>Know how to configure and install a new kernel (<xref
         linkend="kernelconfig">).</para></listitem>
     </itemizedlist>
 
     <warning>
       <para>Trying to mount audio CDs
         with the &man.mount.8; command will
         result in an error, at least, and a <emphasis>kernel
         panic</emphasis>, at worst.  These media have specialized
         encodings which differ from the usual ISO-filesystem.</para>
     </warning>
 
   </sect1>
 
   <sect1 id="sound-setup">
     <sect1info>
       <authorgroup>
         <author>
 	 <firstname>Moses</firstname>
 	 <surname>Moore</surname>
 	 <contrib>Contributed by </contrib>
 	 <!-- 20 November 2000 -->
         </author>
       </authorgroup>
       <authorgroup>
         <author>
 	 <firstname>Marc</firstname>
 	 <surname>Fonvieille</surname>
 	 <contrib>Enhanced for &os;&nbsp;5.X by </contrib>
 	 <!-- 13 September 2004 -->
         </author>
       </authorgroup>
     </sect1info>
 
     <title>Setting Up the Sound Card</title>
     
   <sect2 id="sound-device">
     <title>Configuring the System</title>
 
     <indexterm><primary>PCI</primary></indexterm>
     <indexterm><primary>ISA</primary></indexterm>
     <indexterm><primary>sound cards</primary></indexterm>
     <para>Before you begin, you should know the model of the card you
       have, the chip it uses, and whether it is a PCI or ISA card.
       FreeBSD supports a wide variety of both PCI and ISA cards.
       Check the supported audio devices list of the <ulink
       url="&rel.current.hardware;">Hardware Notes</ulink> to see if
       your card is supported.  This document will also mention which
       driver supports your card.</para>
 
     <indexterm>
       <primary>kernel</primary>
       <secondary>configuration</secondary>
     </indexterm>
 
     <para>To use your sound device, you will need to load the proper
       device driver.  This may be accomplished in one of two ways.
       The easiest way is to simply load a kernel module for your sound
       card with &man.kldload.8; which can either be done from the
       command line:</para>
 
     <screen>&prompt.root; <userinput>kldload snd_emu10k1</userinput></screen>
 
     <para>or by adding the appropriate line to the file
       <filename>/boot/loader.conf</filename> like this:</para>
 
     <programlisting>snd_emu10k1_load="YES"</programlisting>
 
     <para>These examples are for a Creative &soundblaster; Live! sound
       card.  Other available loadable sound modules are listed in
       <filename>/boot/defaults/loader.conf</filename>.
       If you are not sure which driver to use, you may try to load
       the <filename>snd_driver</filename> module:</para>
 
     <screen>&prompt.root; <userinput>kldload snd_driver</userinput></screen>
 
     <para>This is a metadriver loading the most common device drivers
       at once.  This speeds up the search for the correct driver.  It
       is also possible to load all sound drivers via the
       <filename>/boot/loader.conf</filename> facility.</para>
 
     <note>
       <para>Under &os;&nbsp;4.X, to load all sound drivers, you have
 	to load the <filename>snd</filename> module instead of
 	<filename>snd_driver</filename>.</para>
     </note>
 
     <para>A second method is to statically
       compile in support for your sound card in your kernel.  The
       section below provides the information you need to add support
       for your hardware in this manner.  For more information about
       recompiling your kernel, please see <xref
       linkend="kernelconfig">.</para>
 
     <sect3>
       <title>Configuring a Custom Kernel with Sound Support</title>
 
       <para>The first thing to do is adding the generic audio driver
 	&man.sound.4; to the kernel, for that you will need to
 	add the following line to the kernel configuration file:</para>
 
       <programlisting>device sound</programlisting>
 
       <para>Under &os;&nbsp;4.X, you would use the following
 	line:</para>
 
       <programlisting>device pcm</programlisting>
 
       <para>Then we have to add the support for our sound card.
 	Therefore, we need to know which driver supports the card.
 	Check the supported audio devices list of the <ulink
 	url="&rel.current.hardware;">Hardware Notes</ulink>, to
 	determine the correct driver for your sound card.  For
 	example, a Creative &soundblaster; Live! sound card is
 	supported by the &man.snd.emu10k1.4; driver.  To add the support
 	for this card, use the following:</para>
 
       <programlisting>device "snd_emu10k1"</programlisting>
 
       <para>Be sure to read the manual page of the driver for the
 	syntax to use.  Information regarding the syntax of sound
 	drivers in the kernel configuration can also be found in the
 	<filename>/usr/src/sys/conf/NOTES</filename> file
 	(<filename>/usr/src/sys/i386/conf/LINT</filename> for
 	&os;&nbsp;4.X).</para>
 
       <para>Non-PnP ISA cards may require you to provide the kernel
 	with information on the sound card settings (IRQ, I/O port,
 	etc).  This is done via the
 	<filename>/boot/device.hints</filename> file.  At system boot,
 	the &man.loader.8; will read this file and pass the settings
 	to the kernel.  For example, an old
 	Creative &soundblaster; 16 ISA non-PnP card will use the
 	&man.snd.sbc.4; driver, with the following line added to
 	the kernel configuration file:</para>
 
       <programlisting>device sbc</programlisting>
 
       <para>as well as the following in
 	<filename>/boot/device.hints</filename>:</para>
 
       <programlisting>hint.sbc.0.at="isa"
 hint.sbc.0.port="0x220"
 hint.sbc.0.irq="5"
 hint.sbc.0.drq="1"
 hint.sbc.0.flags="0x15"</programlisting>
 
       <para>In this case, the card uses the <literal>0x220</literal>
 	I/O port and the IRQ <literal>5</literal>.</para>
 
       <para>The syntax used in the
 	<filename>/boot/device.hints</filename> file is covered in the
 	sound driver manual page.  On &os;&nbsp;4.X, these settings
 	are directly written in the kernel configuration file.  In the
 	case of our ISA card, we would only use this line:</para>
 
       <programlisting>device sbc0 at isa? port 0x220 irq 5 drq 1 flags 0x15</programlisting>
 
       <para>The settings shown above are the defaults.  In some
 	cases, you may need to change the IRQ or the other settings to
 	match your card.  See the &man.snd.sbc.4; manual page for more
 	information.</para>
 
       <note>
 	<para>Under &os;&nbsp;4.X, some systems with built-in
 	  motherboard sound devices may require the following option in
 	  the kernel configuration:</para>
 
 	<programlisting>options PNPBIOS</programlisting>
       </note>
     </sect3>
   </sect2>
 
   <sect2 id="sound-testing">
     <title>Testing the Sound Card</title>
 
     <para>After rebooting with the modified kernel, or after loading
       the required module, the sound card should appear in your system
       message buffer (&man.dmesg.8;) as something like:</para>
 
     <screen>pcm0: &lt;Intel ICH3 (82801CA)&gt; port 0xdc80-0xdcbf,0xd800-0xd8ff irq 5 at device 31.5 on pci0
 pcm0: [GIANT-LOCKED]
 pcm0: &lt;Cirrus Logic CS4205 AC97 Codec&gt;</screen>
 
     <para>The status of the sound card may be checked via the
       <filename>/dev/sndstat</filename> file:</para>
 
     <screen>&prompt.root; <userinput>cat /dev/sndstat</userinput>
 FreeBSD Audio Driver (newpcm)
 Installed devices:
 pcm0: &lt;Intel ICH3 (82801CA)&gt; at io 0xd800, 0xdc80 irq 5 bufsz 16384
 kld snd_ich (1p/2r/0v channels duplex default)</screen>
 
     <para>The output from your system may vary.  If no
       <devicename>pcm</devicename> devices show up, go back and review
       what was done earlier.  Go through your kernel
       configuration file again and make sure the correct
       device is chosen.  Common problems are listed in <xref
       linkend="troubleshooting">.</para>
 
     <para>If all goes well, you should now have a functioning sound
       card.  If your CD-ROM or DVD-ROM drive is properly coupled to
       your sound card, you can put a CD in the drive and play it
       with &man.cdcontrol.1;:</para>
 
       <screen>&prompt.user; <userinput>cdcontrol -f /dev/acd0 play 1</userinput></screen>
 
     <para>Various applications, such as <filename
       role="package">audio/workman</filename> can provide a friendlier
       interface.  You may want to install an application such as
       <filename role="package">audio/mpg123</filename> to listen to
       MP3 audio files.  A quick way to test the card is sending data
       to the <filename>/dev/dsp</filename>, like this:</para>
 
     <screen>&prompt.user; <userinput>cat <replaceable>filename</replaceable> &gt; /dev/dsp</userinput></screen>
 
     <para>where <replaceable>filename</replaceable> can be any file.
       This command line should produce some noise, confirming the
       sound card is actually working.</para>
 
     <note>
       <para>&os;&nbsp;4.X users need to create the sound card device
 	nodes before being able to use it.  If the card showed up in
 	message buffer as <devicename>pcm0</devicename>, you will have
 	to run the following as <username>root</username>:</para>
 
       <screen>&prompt.root; <userinput>cd /dev</userinput>
 &prompt.root; <userinput>sh MAKEDEV snd0</userinput></screen>
 
       <para>If the card detection returned <devicename>pcm1</devicename>,
 	follow the same steps as shown above, replacing
 	<devicename>snd0</devicename> with
 	<devicename>snd1</devicename>.</para>
 
       <para><command>MAKEDEV</command> will create a group of device
 	nodes that will be used by the different sound related
 	applications.</para>
     </note>
 
     <para>Sound card mixer levels can be changed via the &man.mixer.8;
       command.  More details can be found in the &man.mixer.8; manual
       page.</para>
 
     <sect3 id="troubleshooting">
       <title>Common Problems</title>
 
       <indexterm><primary>device nodes</primary></indexterm>
       <indexterm><primary>I/O port</primary></indexterm>
       <indexterm><primary>IRQ</primary></indexterm>
       <indexterm><primary>DSP</primary></indexterm>
 
-      <informaltable frame="none">
-        <tgroup cols="2">
+      <informaltable frame="none" pgwide="1">
+         <tgroup cols="2">
   	  <thead>
 	    <row>
 	     <entry>Error</entry>
 	      <entry>Solution</entry>
 	    </row>
           </thead>
 
 	  <tbody>
 	    <row>
 	      <entry><errorname>unsupported subdevice XX</errorname></entry>
 	      <entry><para>One or more of the device nodes was not created
 	        correctly.  Repeat the steps above.</para></entry>
             </row>
 
             <row>
               <entry><errorname>sb_dspwr(XX) timed out</errorname></entry>
               <entry><para>The I/O port is not set correctly.</para></entry>
             </row>
 
             <row>
               <entry><errorname>bad irq XX</errorname></entry>
 	      <entry><para>The IRQ is set incorrectly.  Make sure that
   	        the set IRQ and the sound IRQ are the same.</para></entry>
             </row>
 
             <row>
               <entry><errorname>xxx: gus pcm not attached, out of memory</errorname></entry>
               <entry><para>There is not enough available memory to use
                 the device.</para></entry>
             </row>
 
             <row>
               <entry><errorname>xxx: can't open /dev/dsp!</errorname></entry>
               <entry><para>Check with <command>fstat | grep dsp</command>
                 if another application is holding the device open.
                 Noteworthy troublemakers are <application>esound</application> and <application>KDE</application>'s sound
                 support.</para></entry>
             </row>
           </tbody>
         </tgroup>
       </informaltable>
     </sect3>
   </sect2>
 
   <sect2>
     <sect2info>
      <authorgroup>
       <author>
        <firstname>Munish</firstname>
        <surname>Chopra</surname>
        <contrib>Contributed by </contrib>
       </author>
      </authorgroup>
     </sect2info>
     <title>Utilizing Multiple Sound Sources</title>
 
     <para>It is often desirable to have multiple sources of sound that
       are able to play simultaneously, such as when
       <application>esound</application> or
       <application>artsd</application> do not support sharing of the
       sound device with a certain application.</para>
 
     <para>FreeBSD lets you do this through <emphasis>Virtual Sound
       Channels</emphasis>, which can be set with the &man.sysctl.8;
       facility.  Virtual channels allow you to multiplex your sound
       card's playback channels by mixing sound in the kernel.</para>
 
     <para>To set the number of virtual channels, there are two sysctl
       knobs which, if you are the <username>root</username> user, can
       be set like this:</para>
     <screen>&prompt.root; <userinput>sysctl hw.snd.pcm0.vchans=4</userinput>
 &prompt.root; <userinput>sysctl hw.snd.maxautovchans=4</userinput></screen>
 
     <para>The above example allocates four virtual channels, which is a
       practical number for everyday use.  <varname>hw.snd.pcm0.vchans</varname>
       is the number of virtual channels <devicename>pcm0</devicename> has, and is configurable
       once a device has been attached.
       <literal>hw.snd.maxautovchans</literal> is the number of virtual channels
       a new audio device is given when it is attached using
       &man.kldload.8;.  Since the <devicename>pcm</devicename> module
       can be loaded independently of the hardware drivers,
       <varname>hw.snd.maxautovchans</varname> can store how many
       virtual channels any devices which are attached later will be
       given.</para>
 
     <para>If you are not using &man.devfs.5;, you will have to point
       your applications at <filename>/dev/dsp0</filename>.<replaceable>x</replaceable>, where
       <replaceable>x</replaceable> is 0 to 3 if <varname>hw.snd.pcm.0.vchans</varname> is set
       to 4 as in the above example.  On a system using &man.devfs.5;, the above will automatically be
       allocated transparently to the user.</para>
    </sect2>
 
   <sect2>
     <sect2info>
       <authorgroup>
 	<author>
 	  <firstname>Josef</firstname>
 	  <surname>El-Rayes</surname>
 	  <contrib>Contributed by </contrib>
 	</author>
       </authorgroup>
     </sect2info>
 
     <title>Setting Default Values for Mixer Channels</title>
 
     <para>The default values for the different mixer channels are
       hardcoded in the sourcecode of the &man.pcm.4; driver.  There are
       a lot of different applications and daemons that allow
       you to set values for the mixer they remember and set
       each time they are started, but this is not a clean
       solution, we want to have default values at the driver
       level.  This is accomplished by defining the appropriate
       values in <filename>/boot/device.hints</filename>. E.g.:</para>
 <programlisting>hint.pcm.0.vol="100"</programlisting>
 
     <para>This will set the volume channel to a default value of
       100, as soon as the &man.pcm.4; module gets loaded.</para>
 
     <note><para>Only &os; 5.3 and above support this.</para></note>
   </sect2>
 </sect1>
 
   <sect1 id="sound-mp3">
     <sect1info>
       <authorgroup>
 	<author>
 	  <firstname>Chern</firstname>
 	  <surname>Lee</surname>
 	  <contrib>Contributed by </contrib>
 	</author>
       </authorgroup>
       <!-- 11 Sept 2001 -->
     </sect1info>
 
     <title>MP3 Audio</title>
 
     <para>MP3 (MPEG Layer 3 Audio) accomplishes near CD-quality sound,
       leaving no reason to let your FreeBSD workstation fall short of
       its offerings.</para>
 
     <sect2 id="mp3-players">
       <title>MP3 Players</title>
 
       <para>By far, the most popular <application>&xfree86;</application> MP3 player is
 	<application>XMMS</application> (X Multimedia System).  
 	<application>Winamp</application>
 	skins can be used with <application>XMMS</application> since the
 	GUI is almost identical to that of Nullsoft's 
 	<application>Winamp</application>.
 	<application>XMMS</application> also has native plug-in
 	support.</para>
 
       <para><application>XMMS</application> can be installed from the
 	<filename role="package">multimedia/xmms</filename> port or package.</para>
 
       <para><application>XMMS'</application> interface is intuitive,
 	with a playlist, graphic equalizer, and more.  Those familiar
 	with <application>Winamp</application> will find
 	<application>XMMS</application> simple to use.</para>
 
       <para>The <filename role="package">audio/mpg123</filename> port is an alternative,
 	command-line MP3 player.</para>
 
       <para><application>mpg123</application> can be run by specifying
 	the sound device and the MP3 file on the command line, as
 	shown below:</para>
 
       <screen>&prompt.root; <userinput>mpg123 -a <replaceable>/dev/dsp1.0</replaceable> Foobar-GreatestHits.mp3</userinput>
 High Performance MPEG 1.0/2.0/2.5 Audio Player for Layer 1, 2 and 3.
 Version 0.59r (1999/Jun/15). Written and copyrights by Michael Hipp.
 Uses code from various people. See 'README' for more!
 THIS SOFTWARE COMES WITH ABSOLUTELY NO WARRANTY! USE AT YOUR OWN RISK!
 
 
 
 
 
 Playing MPEG stream from Foobar-GreatestHits.mp3 ...
 MPEG 1.0 layer III, 128 kbit/s, 44100 Hz joint-stereo
 </screen>
 
       <para><literal>/dev/dsp1.0</literal> should be replaced with the
 	<devicename>dsp</devicename> device entry on your system.</para>
 
     </sect2>
 
     <sect2 id="rip-cd">
       <title>Ripping CD Audio Tracks</title>
 
       <para>Before encoding a CD or CD track to MP3, the audio data on
 	the CD must be ripped onto the hard drive.  This is done by
 	copying the raw CDDA (CD Digital Audio) data to WAV
 	files.</para>
 
       <para>The <command>cdda2wav</command> tool, which is a part of
 	the <filename role="package">sysutils/cdrtools</filename>
 	suite, is used for ripping audio information from CDs and the
 	information associated with them.</para>
 
       <para>With the audio CD in the drive, the following command can
 	be issued (as <username>root</username>) to rip an entire CD
 	into individual (per track) WAV files:</para>
 
       <screen>&prompt.root; <userinput>cdda2wav -D <replaceable>0,1,0</replaceable> -B</userinput></screen>
 
       <para><application>cdda2wav</application> will support
 	ATAPI (IDE) CDROM drives.  To rip from an IDE drive, specify
 	the device name in place of the SCSI unit numbers.  For
 	example, to rip track 7 from an IDE drive:</para>
 
       <screen>&prompt.root; <userinput>cdda2wav -D <replaceable>/dev/acd0a</replaceable> -t 7</userinput></screen>
 
       <para>The <option>-D <replaceable>0,1,0</replaceable></option>
 	indicates the SCSI device <devicename>0,1,0</devicename>,
 	which corresponds to the output of <command>cdrecord
 	-scanbus</command>.</para>
 
       <para>To rip individual tracks, make use of the
 	<option>-t</option> option as shown:</para>
 
       <screen>&prompt.root; <userinput>cdda2wav -D <replaceable>0,1,0</replaceable> -t 7</userinput></screen>
 
       <para>This example rips track seven of the audio CDROM.  To rip
 	a range of tracks, for example, track one to seven, specify a
 	range:</para>
 
       <screen>&prompt.root; <userinput>cdda2wav -D <replaceable>0,1,0</replaceable> -t 1+7</userinput></screen>
 
       <para>The utility &man.dd.1; can also be used to extract audio tracks
 	on ATAPI drives, read <xref linkend="duplicating-audiocds">
 	for more information on that possibility.</para>
 
     </sect2>
 
     <sect2 id="mp3-encoding">
       <title>Encoding MP3s</title>
 
       <para>Nowadays, the mp3 encoder of choice is
 	<application>lame</application>.
 	<application>Lame</application> can be found at
 	<filename role="package">audio/lame</filename> in the ports tree.</para>
 
       <para>Using the ripped WAV files, the following command will
 	convert <filename>audio01.wav</filename> to
 	<filename>audio01.mp3</filename>:</para>
 
       <screen>&prompt.root; <userinput>lame -h -b <replaceable>128</replaceable> \
 --tt "<replaceable>Foo Song Title</replaceable>" \
 --ta "<replaceable>FooBar Artist</replaceable>" \
 --tl "<replaceable>FooBar Album</replaceable>" \
 --ty "<replaceable>2001</replaceable>" \
 --tc "<replaceable>Ripped and encoded by Foo</replaceable>" \
 --tg "<replaceable>Genre</replaceable>" \
 <replaceable>audio01.wav audio01.mp3</replaceable></userinput></screen>
 
       <para>128&nbsp;kbits seems to be the standard MP3 bitrate in use.
 	Many enjoy the higher quality 160, or 192.  The higher the
 	bitrate, the more disk space the resulting MP3 will
 	consume--but the quality will be higher.  The
 	<option>-h</option> option turns on the <quote>higher quality
 	but a little slower</quote> mode.  The options beginning with
 	<option>--t</option> indicate ID3 tags, which usually contain
 	song information, to be embedded within the MP3 file.
 	Additional encoding options can be found by consulting the
 	lame man page.</para>
     </sect2>
 
     <sect2 id="mp3-decoding">
       <title>Decoding MP3s</title>
 
       <para>In order to burn an audio CD from MP3s, they must be
 	converted to a non-compressed WAV format.  Both
 	<application>XMMS</application> and
 	<application>mpg123</application> support the output of MP3 to
 	an uncompressed file format.</para>
 
       <para>Writing to Disk in <application>XMMS</application>:</para>
 
       <procedure>
 	<step>
 	  <para>Launch <application>XMMS</application>.</para>
 	</step>
 
 	<step>
 	  <para>Right-click on the window to bring up the
 	    <application>XMMS</application> menu.</para>
 	</step>
 
 	<step>
 	  <para>Select <literal>Preference</literal> under
 	    <literal>Options</literal>.</para>
 	</step>
 
 	<step>
 	  <para>Change the Output Plugin to <quote>Disk Writer
 	      Plugin</quote>.</para>
 	</step>
 
 	<step>
 	  <para>Press <literal>Configure</literal>.</para>
 	</step>
 
 	<step>
 	  <para>Enter (or choose browse) a directory to write the
 	    uncompressed files to.</para>
 	</step>
 
 	<step>
 	  <para>Load the MP3 file into <application>XMMS</application>
 	    as usual, with volume at 100% and EQ settings turned
 	    off.</para>
 	</step>
 
 	<step>
 	  <para>Press <literal>Play</literal> &mdash;
 	    <application>XMMS</application> will appear as if it is
 	    playing the MP3, but no music will be heard.  It is
 	    actually playing the MP3 to a file.</para>
 	</step>
 
 	<step>
 	  <para>Be sure to set the default Output Plugin back to what
 	    it was before in order to listen to MP3s again.</para>
 	</step>
       </procedure>
 
       <para>Writing to stdout in <application>mpg123</application>:</para>
 
       <procedure>
 	<step>
 	  <para>Run <command>mpg123 -s <replaceable>audio01.mp3</replaceable>
 	    &gt; audio01.pcm</command></para>
 	</step>
       </procedure>
 
       <para><application>XMMS</application> writes a file in the WAV
 	format, while <application>mpg123</application> converts the
 	MP3 into raw PCM audio data.  Both of these formats can be
 	used with <application>cdrecord</application> to create audio CDs.
 	You have to use raw PCM with &man.burncd.8;.
 	If you use WAV files, you will notice a small tick sound at the
 	beginning of each track, this sound is the header of the WAV
 	file.  You can simply remove the header of a WAV file with the
 	utility <application>SoX</application> (it can be installed from
 	the <filename role="package">audio/sox</filename> port or
 	package):</para>
 
       <screen>&prompt.user; <userinput>sox -t wav -r 44100 -s -w -c 2 <replaceable>track.wav track.raw</replaceable></userinput></screen>
 
       <para>Read <xref linkend="creating-cds"> for more information on using a
 	  CD burner in FreeBSD.</para>
     </sect2>
  </sect1>
 
  <sect1 id="video-playback">
   <sect1info>
     <authorgroup>
       <author>
         <firstname>Ross</firstname>
 	<surname>Lippert</surname>
 	<contrib>Contributed by </contrib>
       </author>
     </authorgroup>
     <!-- 5 June 2002 -->
   </sect1info>
 
   <title>Video Playback</title>
 
     <para>Video playback is a very new and rapidly developing application
       area.  Be patient.  Not everything is going to work as smoothly as
       it did with sound.</para>
 
     <para>Before you begin, you should know the model of the video
       card you have and the chip it uses.  While <application>&xorg;</application> and <application>&xfree86;</application> support a
       wide variety of video cards, fewer give good playback
       performance.  To obtain a list of extensions supported by the
       X server using your card use the command &man.xdpyinfo.1; while
       X11 is running.</para>
 
     <para>It is a good idea to have a short MPEG file which can be
       treated as a test file for evaluating various players and
       options.  Since some DVD players will look for DVD media in
       <filename>/dev/dvd</filename> by default, or have this device
       name hardcoded in them, you might find it useful to make
       symbolic links to the proper devices:</para>
 
       <screen>&prompt.root; <userinput>ln -sf /dev/acd0c /dev/dvd</userinput>
 &prompt.root; <userinput>ln -sf /dev/racd0c /dev/rdvd</userinput></screen>
 
     <para>On FreeBSD&nbsp;5.X, which uses &man.devfs.5; there
         is a slightly different set of recommended links:</para>
 
       <screen>&prompt.root; <userinput>ln -sf /dev/acd0 /dev/dvd</userinput>
 &prompt.root; <userinput>ln -sf /dev/acd0 /dev/rdvd</userinput></screen>
 
     <para>Note that due to the nature of &man.devfs.5;,
       manually created links like these will not persist if you reboot
       your system.  In order to create the symbolic links
       automatically whenever you boot your system, add the following
       lines to <filename>/etc/devfs.conf</filename>:</para>
 
     <programlisting>link acd0 dvd
 link acd0 rdvd</programlisting>
 
     <para>Additionally, DVD decryption, which requires invoking
       special DVD-ROM functions, requires write permission on the DVD
       devices.</para>
 
     <indexterm>
       <primary>kernel options</primary>
       <secondary>options CPU_ENABLE_SSE</secondary>
     </indexterm>
     <indexterm>
       <primary>kernel options</primary>
       <secondary>options USER_LDT</secondary>
     </indexterm>
 
     <para>Some of the ports discussed rely on the following kernel
       options to build correctly.  Before attempting to build, add
       these options to the kernel configuration file, build a new kernel, and reboot:</para>
 
       <programlisting>option CPU_ENABLE_SSE
 option USER_LDT</programlisting>
 
     <note>
       <para><literal>option USER_LDT</literal> does not exist on
 	&os;&nbsp;5.X.</para>
     </note>
 
     <para>To enhance the shared memory X11 interface, it is
       recommended that the values of some &man.sysctl.8; variables
       should be increased:</para>
 
       <programlisting>kern.ipc.shmmax=67108864
 kern.ipc.shmall=32768</programlisting>
 
   <sect2 id="video-interface">
     <title>Determining Video Capabilities</title>
 
     <indexterm><primary>XVideo</primary></indexterm>
     <indexterm><primary>SDL</primary></indexterm>
     <indexterm><primary>DGA</primary></indexterm>
 
     <para>There are several possible ways to display video under X11.
       What will really work is largely hardware dependent.  Each
       method described below will have varying quality across
       different hardware.  Secondly, the rendering of video in X11 is
       a topic receiving a lot of attention lately, and with each
       version of <application>&xorg;</application>, or of <application>&xfree86;</application>, there may be significant improvement.</para>
 
     <para>A list of common video interfaces:</para>
 
     <orderedlist>
     <listitem>
       <para>X11: normal X11 output using shared memory.</para>
     </listitem>
     <listitem>
       <para>XVideo: an extension to the X11
       interface which supports video in any X11 drawable.</para>
     </listitem>
     <listitem>
       <para>SDL: the Simple Directmedia Layer.</para>
     </listitem>
     <listitem>
       <para>DGA: the Direct Graphics Access.</para>
     </listitem>
     <listitem>
       <para>SVGAlib: low level console graphics layer.</para>
     </listitem>
     </orderedlist>
 
     <sect3 id="video-interface-xvideo">
     <title>XVideo</title>
 
       <para><application>&xorg;</application> and <application>&xfree86; 4.X</application> have an extension called
         <emphasis>XVideo</emphasis> (aka Xvideo, aka Xv, aka xv) which
         allows video to be directly displayed in drawable objects
         through a special acceleration.  This extension provides very
         good quality playback even on low-end machines.</para>
 
       <para>To check whether the extension is running,
       use <command>xvinfo</command>:</para>
 
         <screen>&prompt.user; <userinput>xvinfo</userinput></screen>
 
       <para>XVideo is supported for your card if the result looks like:</para>
 <screen>X-Video Extension version 2.2
 screen #0
   Adaptor #0: "Savage Streams Engine"
     number of ports: 1
     port base: 43
     operations supported: PutImage 
     supported visuals:
       depth 16, visualID 0x22
       depth 16, visualID 0x23
     number of attributes: 5
       "XV_COLORKEY" (range 0 to 16777215)
               client settable attribute
               client gettable attribute (current value is 2110)
       "XV_BRIGHTNESS" (range -128 to 127)
               client settable attribute
               client gettable attribute (current value is 0)
       "XV_CONTRAST" (range 0 to 255)
               client settable attribute
               client gettable attribute (current value is 128)
       "XV_SATURATION" (range 0 to 255)
               client settable attribute
               client gettable attribute (current value is 128)
       "XV_HUE" (range -180 to 180)
               client settable attribute
               client gettable attribute (current value is 0)
     maximum XvImage size: 1024 x 1024
     Number of image formats: 7
       id: 0x32595559 (YUY2)
         guid: 59555932-0000-0010-8000-00aa00389b71
         bits per pixel: 16
         number of planes: 1
         type: YUV (packed)
       id: 0x32315659 (YV12)
         guid: 59563132-0000-0010-8000-00aa00389b71
         bits per pixel: 12
         number of planes: 3
         type: YUV (planar)
       id: 0x30323449 (I420)
         guid: 49343230-0000-0010-8000-00aa00389b71
         bits per pixel: 12
         number of planes: 3
         type: YUV (planar)
       id: 0x36315652 (RV16)
         guid: 52563135-0000-0000-0000-000000000000
         bits per pixel: 16
         number of planes: 1
         type: RGB (packed)
         depth: 0
         red, green, blue masks: 0x1f, 0x3e0, 0x7c00
       id: 0x35315652 (RV15)
         guid: 52563136-0000-0000-0000-000000000000
         bits per pixel: 16
         number of planes: 1
         type: RGB (packed)
         depth: 0
         red, green, blue masks: 0x1f, 0x7e0, 0xf800
       id: 0x31313259 (Y211)
         guid: 59323131-0000-0010-8000-00aa00389b71
         bits per pixel: 6
         number of planes: 3
         type: YUV (packed)
       id: 0x0
         guid: 00000000-0000-0000-0000-000000000000
         bits per pixel: 0
         number of planes: 0
         type: RGB (packed)
         depth: 1
         red, green, blue masks: 0x0, 0x0, 0x0</screen>
 
     <para>Also note that the formats listed (YUV2, YUV12, etc) are not
      present with every implementation of XVideo and their absence may
      hinder some players.</para>
 
     <para>If the result looks like:</para>
 <screen>X-Video Extension version 2.2
 screen #0
 no adaptors present</screen>
 
     <para>Then XVideo is probably not supported for your card.</para>
 
     <para>If XVideo is not supported for your card, this only means
       that it will be more difficult for your display to meet the
       computational demands of rendering video.  Depending on your
       video card and processor, though, you might still be able to
       have a satisfying experience.  You should probably read about
       ways of improving performance in the advanced reading <xref
       linkend="video-further-reading">.</para>
 
     </sect3>
 
     <sect3 id="video-interface-SDL">
     <title>Simple Directmedia Layer</title>
 
     <para>The Simple Directmedia Layer, SDL, was intended to be a
       porting layer between &microsoft.windows;, BeOS, and &unix;,
       allowing cross-platform applications to be developed which made
       efficient use of sound and graphics.  The SDL layer provides a
       low-level abstraction to the hardware which can sometimes be
       more efficient than the X11 interface.</para>
 
     <para>The SDL can be found at <filename role="package">devel/sdl12</filename>.</para>
 
     </sect3>
 
     <sect3 id="video-interface-DGA">
     <title>Direct Graphics Access</title>
 
     <para>Direct Graphics Access is an <application>&xfree86;</application> extension which allows
       a program to bypass the X server and directly alter the
       framebuffer.  Because it relies on a low level memory mapping to
       effect this sharing, programs using it must be run as
       <username>root</username>.</para>
 
     <para>The DGA extension can be tested and benchmarked by
       &man.dga.1;.  When <command>dga</command> is running, it
       changes the colors of the display whenever a key is pressed.  To
       quit, use <keycap>q</keycap>.</para>
 
     </sect3>
 
   </sect2>
 
   <sect2 id="video-ports">
     <title>Ports and Packages Dealing with Video</title>
 
     <indexterm><primary>video ports</primary></indexterm>
     <indexterm><primary>video packages</primary></indexterm>
 
     <para>This section discusses the software available from the
       FreeBSD Ports Collection which can be used for video playback.
       Video playback is a very active area of software development,
       and the capabilities of various applications are bound to
       diverge somewhat from the descriptions given here.</para>
 
     <para>Firstly, it is important to know that many of the video
       applications which run on FreeBSD were developed as Linux
       applications.  Many of these applications are still
       beta-quality.  Some of the problems that you may encounter with
       video packages on FreeBSD include:</para>
 
       <orderedlist>
 
       <listitem>
         <para>An application cannot playback a file which another
           application produced.</para>
       </listitem> 
 
       <listitem>
         <para>An application cannot playback a file which the
           application itself produced.</para>
       </listitem>
 
       <listitem>
         <para>The same application on two different machines,
           rebuilt on each machine for that machine, plays back the same
           file differently.</para>
       </listitem>
 
       <listitem>
         <para>A seemingly trivial filter like rescaling of the image
           size results in very bad artifacts from a buggy rescaling
           routine.</para>
       </listitem>
 
       <listitem>
         <para>An application frequently dumps core.</para>
       </listitem>
 
       <listitem>
         <para>Documentation is not installed with the port and can be
           found either on the web or under the port's <filename class='directory'>work</filename>
           directory.</para>
       </listitem>
 
       </orderedlist>
 
     <para>Many of these applications may also exhibit
       <quote>Linux-isms</quote>.  That is, there may be
       issues resulting from the way some standard libraries are
       implemented in the Linux distributions, or some features of the
       Linux kernel which have been assumed by the authors of the
       applications.  These issues are not always noticed and worked around
       by the port maintainers, which can lead to problems like
       these:</para>
        
       <orderedlist>
 
       <listitem>
         <para>The use of <filename>/proc/cpuinfo</filename> to detect
           processor characteristics.</para>
       </listitem>
 
       <listitem>
         <para>A misuse of threads which causes a program to hang upon
           completion instead of truly terminating.</para>
       </listitem>
 
       <listitem>
         <para>Software not yet in the FreeBSD Ports Collection
 	  which is commonly used in conjunction with the application.</para>
       </listitem>
 
       </orderedlist>
 
       <para>So far, these application developers have been cooperative with
         port maintainers to minimize the work-arounds needed for
         port-ing.</para>
 
     <sect3 id="video-mplayer">
       <title>MPlayer</title>
 
       <para><application>MPlayer</application> is a recently developed and rapidly developing
         video player.  The goals of the <application>MPlayer</application> team are speed and
         flexibility on Linux and other Unices.  The project was
         started when the team founder got fed up with bad playback
         performance on then available players.  Some would say that
         the graphical interface has been sacrificed for a streamlined
         design.  However, once
         you get used to the command line options and the key-stroke
         controls, it works very well.</para>
 
       <sect4 id="video-mplayer-building">
         <title>Building MPlayer</title>
         <indexterm><primary>MPlayer</primary>
 	           <secondary>making</secondary></indexterm>
 
 	<para><application>MPlayer</application> resides in <filename
 	  role="package">multimedia/mplayer</filename>.
 	  <application>MPlayer</application> performs a variety of
 	  hardware checks during the build process, resulting in a
 	  binary which will not be portable from one system to
 	  another.  Therefore, it is important to build it from
 	  ports and not to use a binary package.  Additionally, a
 	  number of options can be specified in the <command>make</command>
 	  command line, as described in the <filename>Makefile</filename> and at the start of the build:</para>
 
 	<screen>&prompt.root; <userinput>cd /usr/ports/multimedia/mplayer</userinput>
 &prompt.root; <userinput>make</userinput>
 N - O - T - E
 
 Take a careful look into the Makefile in order
 to learn how to tune mplayer towards you personal preferences!
 For example,
 make WITH_GTK1
 builds MPlayer with GTK1-GUI support.
 If you want to use the GUI, you can either install
 /usr/ports/multimedia/mplayer-skins
 or download official skin collections from
 http://www.mplayerhq.hu/homepage/dload.html
 </screen>
 
 	<para>The default port options should be sufficient for most
 	  users.  However, if you need the XviD codec, you have to
 	  specify the <makevar>WITH_XVID</makevar> option in the
 	  command line.  The default DVD device can also be defined
 	  with the <makevar>WITH_DVD_DEVICE</makevar> option, by
 	  default <filename>/dev/acd0</filename> will be used.</para>
 
         <para>As of this writing, the <application>MPlayer</application> port will build its HTML
           documentation and two executables,
           <command>mplayer</command>, and
           <command>mencoder</command>, which is a tool for
           re-encoding video.</para>
 
         <para>The HTML documentation for <application>MPlayer</application> is very informative.
           If the reader finds the information on video hardware and
           interfaces in this chapter lacking, the <application>MPlayer</application> documentation
           is a very thorough supplement.  You should definitely take
           the time to read the <application>MPlayer</application>
           documentation if you are looking for information about video
           support in &unix;.</para>
 
       </sect4>
 
       <sect4 id="video-mplayer-using">
         <title>Using MPlayer</title>
         <indexterm><primary>MPlayer</primary>
 	           <secondary>use</secondary></indexterm>
 
         <para>Any user of <application>MPlayer</application> must set up a
           <filename>.mplayer</filename> subdirectory of her
           home directory.  To create this necessary subdirectory,
 	  you can type the following:</para>
 
 <screen>&prompt.user; <userinput>cd /usr/ports/multimedia/mplayer</userinput>
 &prompt.user; <userinput>make install-user</userinput></screen>
 
 	<para>The command options for <command>mplayer</command> are
 	  listed in the manual page.  For even more detail there is HTML
 	  documentation.  In this section, we will describe only a few
 	  common uses.</para>
 
 	<para>To play a file, such as
 	  <filename><replaceable>testfile.avi</replaceable></filename>,
 	  through one of the various video interfaces set the
 	  <option>-vo</option> option:</para>
 
 	  <screen>&prompt.user; <userinput>mplayer -vo xv testfile.avi</userinput></screen>
 	  <screen>&prompt.user; <userinput>mplayer -vo sdl testfile.avi</userinput></screen>
 	  <screen>&prompt.user; <userinput>mplayer -vo x11 testfile.avi</userinput></screen>
 	  <screen>&prompt.root; <userinput>mplayer -vo dga testfile.avi</userinput></screen>
 	  <screen>&prompt.root; <userinput>mplayer -vo 'sdl:dga' testfile.avi</userinput></screen>
 
 	<para>It is worth trying all of these options, as their relative
 	  performance depends on many factors and will vary significantly
 	  with hardware.</para>
 
 	<para>To play from a DVD, replace the
 	 <filename>testfile.avi</filename> with <option>dvd://<replaceable>N</replaceable> -dvd-device
 	 <replaceable>DEVICE</replaceable></option> where <replaceable>N</replaceable> is
 	 the title number to play and
 	 <filename><replaceable>DEVICE</replaceable></filename> is the
 	 device node for the DVD-ROM.  For example, to play title 3
 	 from <filename>/dev/dvd</filename>:</para>
 
 	<screen>&prompt.root; <userinput>mplayer -vo xv dvd://3 -dvd-device /dev/dvd</userinput></screen>
 
 	<note>
 	  <para>The default DVD device can be defined during the build
 	    of the <application>MPlayer</application> port via the
 	    <makevar>WITH_DVD_DEVICE</makevar> option.  By default,
 	    this device is <filename>/dev/acd0</filename>.  More
 	    details can be found in the port
 	    <filename>Makefile</filename>.</para>
 	</note>
 
 	<para>To stop, pause, advance and so on, consult the
 	  keybindings, which are output by running <command>mplayer
 	  -h</command> or read the manual page.</para>
 
         <para>Additional important options for playback are:
           <option>-fs -zoom</option> which engages the fullscreen mode
           and <option>-framedrop</option> which helps performance.</para>
 
 	<para>In order for the mplayer command line to not become too
 	  large, the user can create a file
 	  <filename>.mplayer/config</filename> and set default options
 	  there:</para>
 <programlisting>vo=xv
 fs=yes
 zoom=yes</programlisting>
 
 	<para>Finally, <command>mplayer</command> can be used to rip a
 	  DVD title into a <filename>.vob</filename> file.  To dump
 	  out the second title from a DVD, type this:</para>
 
 	  <screen>&prompt.root; <userinput>mplayer -dumpstream -dumpfile out.vob dvd://2 -dvd-device /dev/dvd</userinput></screen>
 
         <para>The output file, <filename>out.vob</filename>, will be
 	  MPEG and can be manipulated by the other packages described
 	  in this section.</para>
 
       </sect4>
       <sect4 id="video-mencoder">
         <title>mencoder</title>
         <indexterm>
 	  <primary>mencoder</primary>
 	</indexterm>
 
 	<para>Before using
          <command>mencoder</command> it is a good idea to
 	 familiarize yourself with the options from the HTML
 	 documentation.  There is a manual page, but it is not very
 	 useful without the HTML documentation.  There are innumerable ways to
 	 improve quality, lower bitrate, and change formats, and some
 	 of these tricks may make the difference between good
 	 or bad performance.  Here are a couple of examples to get
 	 you going.  First a simple copy:</para>
 
 	 <screen>&prompt.user; <userinput>mencoder input.avi -oac copy -ovc copy -o output.avi</userinput></screen>
 
          <para>Improper combinations of command line options can yield
 	 output files that are
 	 unplayable even by <command>mplayer</command>.  Thus, if you
 	 just want to rip to a file, stick to the <option>-dumpfile</option>
 	 in <command>mplayer</command>.</para>
 
 	 <para>To convert <filename>input.avi</filename> to the MPEG4
 	 codec with MPEG3 audio encoding (<filename role="package">audio/lame</filename> is required):</para>
 
 	 <screen>&prompt.user; <userinput>mencoder input.avi -oac mp3lame -lameopts br=192 \
 	 -ovc lavc -lavcopts vcodec=mpeg4:vhq -o output.avi</userinput></screen>
 
 	 <para>This has produced output playable by <command>mplayer</command>
 	 and <command>xine</command>.</para>
 
 	 <para><filename>input.avi</filename> can be replaced with
 	   <option>dvd://1 -dvd-device /dev/dvd</option> and run as
 	   <username>root</username> to re-encode a DVD title
 	   directly.  Since you are likely to be dissatisfied with
 	   your results the first time around, it is recommended you
 	   dump the title to a file and work on the file.</para>
       </sect4>
 
     </sect3>
 
     <sect3 id="video-xine">
     <title>The xine Video Player</title>
 
     <para>The <application>xine</application> video player is a project of wide scope aiming not only at being an
      all in one video solution, but also in producing a reusable base
      library and a modular executable which can be extended with
      plugins.  It comes both as a package and as a port, <filename
      role="package">multimedia/xine</filename>.</para>
 
     <para>The <application>xine</application> player
      is still very rough around the edges, but it is clearly off to a
      good start.  In practice, <application>xine</application> requires either a fast CPU with a
      fast video card, or support for the XVideo extension.  The GUI is
      usable, but a bit clumsy.</para>
 
     <para>As of this writing, there is no input module shipped with
      <application>xine</application> which will play CSS encoded DVD's.  There are third party
      builds which do have modules for this built in them, but none
      of these are in the FreeBSD Ports Collection.</para>
 
     <para>Compared to <application>MPlayer</application>, <application>xine</application> does more for the user, but at the
       same time, takes some of the more fine-grained control away from
       the user.  The <application>xine</application> video player
       performs best on XVideo interfaces.</para>
      
     <para>By default, <application>xine</application> player will
     start up in a graphical user interface.  The menus can then be
     used to open a specific file:</para>
 
       <screen>&prompt.user; <userinput>xine</userinput></screen>
 
     <para>Alternatively, it may be invoked to play a file immediately
       without the GUI with the command:</para>
 
       <screen>&prompt.user; <userinput>xine -g -p mymovie.avi</userinput></screen>
 
     </sect3>
 
     <sect3 id="video-ports-transcode">
     <title>The transcode Utilities</title>
 
     <para>The software <application>transcode</application> is not a player, but a suite of tools for
       re-encoding <filename>.avi</filename> and <filename>.mpg</filename> files.  With <application>transcode</application>, one has the
       ability to merge video files, repair broken files, using command
       line tools with <filename>stdin/stdout</filename> stream
       interfaces.</para>
 
     <para>Like <application>MPlayer</application>, <application>transcode</application> is very experimental software which
       must be build from the port <filename
       role="package">multimedia/transcode</filename>.  Using a great
       many options to the <command>make</command> command.  We
       recommend:</para>
 
       <screen>&prompt.root; <userinput>make WITH_LIBMPEG2=yes</userinput></screen>
 
     <para>If you plan to install <filename
       role="package">multimedia/avifile</filename>, then add the
       <literal>WITH_AVIFILE</literal> option to your
       <command>make</command> command line, as shown here:</para>
 
       <screen>&prompt.root; <userinput>make WITH_AVIFILE=yes WITH_LIBMPEG2=yes</userinput></screen>
 
     <para>Here are two examples of using <command>transcode</command>
       for video conversion which produce rescaled output.  The first
       encodes the output to an openDIVX AVI file, while the second
       encodes to the much more portable MPEG format.</para>
 
       <screen>&prompt.user; <userinput>transcode -i input.vob -x vob -V -Z 320x240 \
 -y opendivx -N 0x55 -o output.avi</userinput></screen>
 
       <screen>&prompt.user; <userinput>transcode -i input.vob -x vob -V -Z 320x240 \
 -y mpeg -N 0x55 -o output.tmp</userinput>
 &prompt.user; <userinput>tcmplex -o output.mpg -i output.tmp.m1v -p output.tmp.mpa -m 1</userinput></screen>
 
     <para>There is a manual page for <command>transcode</command>, but
       there is little documentation for the various <command>tc*</command> utilities (such as
       <command>tcmplex</command>) which are also installed.
       However, the <option>-h</option> command line option can
       always be given to get curt usage instructions for a
       command.</para>
 
     <para>In comparison, <command>transcode</command> runs
       significantly slower than <command>mencoder</command>, but it
       has a better chance of producing a more widely playable file.
       MPEGs created by <command>transcode</command> have been known to
       play on
       <application>&windows.media; Player</application> and Apple's <application>&quicktime;</application>, for example.</para>
 
     </sect3>
 
   </sect2>
 
   <sect2 id="video-further-reading">
     <title>Further Reading</title>
 
     <para>The various video software packages for FreeBSD are
       developing rapidly.  It is quite possible that in the near
       future many of the problems discussed here will have been
       resolved.  In the mean time, those who
      want to get the very most out of FreeBSD's A/V capabilities will
      have to cobble together knowledge from several FAQs and tutorials
      and use a few different applications.  This section exists to
       give the reader pointers to such additional information.</para>
 
     <para>The 
       <ulink url="http://www.mplayerhq.hu/DOCS/">MPlayer documentation</ulink>
       is very technically informative.
       These documents should probably be consulted by anyone wishing
       to obtain a high level of expertise with &unix; video.  The
       <application>MPlayer</application> mailing list is hostile to anyone who has not bothered
       to read the documentation, so if you plan on making bug reports
       to them, RTFM.</para>
 
     <para>The
       <ulink url="http://dvd.sourceforge.net/xine-howto/en_GB/html/howto.html">      xine HOWTO</ulink>
       contains a chapter on performance improvement
       which is general to all players.</para>
 
     <para>Finally, there are some other promising applications which
     the reader may try:</para>
 
     <itemizedlist>
 
        <listitem>
          <para><ulink
 	   url="http://avifile.sourceforge.net/">Avifile</ulink> which
 	   is also a port <filename
 	   role='package'>multimedia/avifile</filename>.</para>
        </listitem>
 
        <listitem>
          <para><ulink
 	   url="http://www.dtek.chalmers.se/groups/dvd/">Ogle</ulink>
 	   which is also a port <filename
 	   role='package'>multimedia/ogle</filename>.</para>
        </listitem>
 
        <listitem>
          <para><ulink url="http://xtheater.sourceforge.net/">Xtheater</ulink></para>
        </listitem>
 
 	<listitem>
          <para><filename
            role="package">multimedia/dvdauthor</filename>, an open
            source package for authoring DVD content.</para>
         </listitem>
 
     </itemizedlist>
 
   </sect2>
  </sect1>
 
   <sect1 id="tvcard">
     <sect1info>
       <authorgroup>
 	<author>
 	  <firstname>Josef</firstname>
 	  <surname>El-Rayes</surname>
 	  <contrib>Original contribution by </contrib>
 	</author>
       </authorgroup>
       <authorgroup>
 	<author>
 	  <firstname>Marc</firstname>
 	  <surname>Fonvieille</surname>
 	  <contrib>Enhanced and adapted by </contrib>
 	  <!-- 02 January 2004 -->
 	</author>
       </authorgroup>
     </sect1info>
 
     <title>Setting Up TV Cards</title>
     <indexterm>
       <primary>TV cards</primary>
     </indexterm>
 
     <sect2>
       <title>Introduction</title>
 
       <para>TV cards allow you to watch broadcast or cable TV on your
 	computer.  Most of them accept composite video via an RCA or
 	S-video input and some of these cards come with a FM
 	radio tuner.</para>
 
       <para>&os; provides support for PCI-based TV cards using a
 	Brooktree Bt848/849/878/879 or a Conexant CN-878/Fusion 878a
 	Video Capture Chip with the &man.bktr.4; driver.  You must
 	also ensure the board comes with a supported tuner, consult
 	the &man.bktr.4; manual page for a list of supported
 	tuners.</para>
     </sect2>
 
     <sect2>
       <title>Adding the Driver</title>
 
       <para>To use your card, you will need to load the &man.bktr.4;
 	driver, this can be done by adding the following line to the
 	<filename>/boot/loader.conf</filename> file like this:</para>
 
       <programlisting>bktr_load="YES"</programlisting>
 
       <para>Alternatively, you may statically compile the support for
 	the TV card in your kernel, in that case add the following
 	lines to your kernel configuration:</para>
 	
       <programlisting>device	 bktr
 device	iicbus
 device	iicbb
 device	smbus</programlisting>
 
       <para>These additional device drivers are necessary because of the
 	card components being interconnected via an I2C bus.  Then build
 	and install a new kernel.</para>
 
       <para>Once the support was added to your system, you have to
 	reboot your machine.  During the boot process, your TV card
 	should show up, like this:</para>
 
       <programlisting>bktr0: &lt;BrookTree 848A&gt; mem 0xd7000000-0xd7000fff irq 10 at device 10.0 on pci0
 iicbb0: &lt;I2C bit-banging driver&gt; on bti2c0
 iicbus0: &lt;Philips I2C bus&gt; on iicbb0 master-only
 iicbus1: &lt;Philips I2C bus&gt; on iicbb0 master-only
 smbus0: &lt;System Management Bus&gt; on bti2c0
 bktr0: Pinnacle/Miro TV, Philips SECAM tuner.</programlisting>
 
       <para>Of course these messages can differ according to your
 	hardware.  However you should check if the tuner is correctly
 	detected; it is still possible to override some of the
 	detected parameters with &man.sysctl.8; MIBs and kernel
 	configuration file options.  For example, if you want to force
 	the tuner to a Philips SECAM tuner, you should add the
 	following line to your kernel configuration file:</para>
 
       <programlisting>options OVERRIDE_TUNER=6</programlisting>
 
       <para>or you can directly use &man.sysctl.8;:</para>
 
       <screen>&prompt.root; <userinput>sysctl hw.bt848.tuner=6</userinput></screen>
 
       <para>See the &man.bktr.4; manual page and the
 	<filename>/usr/src/sys/conf/NOTES</filename> file for more
 	details on the available options. (If you are under
 	&os;&nbsp;4.X, <filename>/usr/src/sys/conf/NOTES</filename> is
 	replaced with
 	<filename>/usr/src/sys/i386/conf/LINT</filename>.)</para>
     </sect2>
 
     <sect2>
       <title>Useful Applications</title>
 
       <para>To use your TV card you need to install one of the
 	following applications:</para>
 
       <itemizedlist>
 	<listitem>
 	  <para><filename role="package">multimedia/fxtv</filename>
 	    provides TV-in-a-window and image/audio/video capture
 	    capabilities.</para>
 	</listitem>
 	<listitem>
 	  <para><filename role="package">multimedia/xawtv</filename>
 	    is also a TV application, with the same features as
 	    <application>fxtv</application>.</para>
 	</listitem>
 	<listitem>
 	  <para><filename role="package">misc/alevt</filename> decodes
 	    and displays Videotext/Teletext.</para>
 	</listitem>
 	<listitem>
 	  <para><filename role="package">audio/xmradio</filename>, an
 	    application to use the FM radio tuner coming with some
 	    TV cards.</para>
 	</listitem>
 	<listitem>
 	  <para><filename role="package">audio/wmtune</filename>, a handy
 	    desktop application for radio tuners.</para>
 	</listitem>
       </itemizedlist>
 
       <para>More applications are available in the &os; Ports
 	Collection.</para>
     </sect2>
 
     <sect2>
       <title>Troubleshooting</title>
 
       <para>If you encounter any problem with your TV card, you should
 	check at first if the video capture chip and the tuner are
 	really supported by the &man.bktr.4; driver and if you used the right
 	configuration options.  For more support and various questions
 	about your TV card you may want to contact and use the
 	archives of the &a.multimedia.name; mailing list.</para>
     </sect2>
   </sect1>
 
   <sect1 id="scanners">
     <sect1info>
       <authorgroup>
 	<author>
 	  <firstname>Marc</firstname>
 	  <surname>Fonvieille</surname>
 	  <contrib>Written by </contrib>
 	  <!-- 04 August 2004 -->
 	</author>
       </authorgroup>
     </sect1info>
 
     <title>Image Scanners</title>
     <indexterm>
       <primary>image scanners</primary>
     </indexterm>
 
     <sect2>
       <title>Introduction</title>
 
       <para>&os;, like any modern operating system, allows the use of
 	image scanners.  Standardized access to scanners is provided
 	by the <application>SANE</application> (Scanner Access Now
 	Easy) <acronym role="Application Programming
 	Interface">API</acronym> available through the &os; Ports
 	Collection.  <application>SANE</application> will also use
 	some &os; devices drivers to access to the scanner
 	hardware.</para>
 
       <para>&os; supports both SCSI and USB scanners.  Be sure your
 	scanner is supported by <application>SANE</application> prior
 	to performing any configuration.
 	<application>SANE</application> has a <ulink
 	url="http://sane-project.org/sane-supported-devices.html">supported
 	devices</ulink> list that can provide you with information
 	about the support for a scanner and its status.  The
 	&man.uscanner.4; manual page also provides a list of supported
 	USB scanners.</para>
     </sect2>
 
     <sect2>
       <title>Kernel Configuration</title>
 
       <para>As mentioned above both SCSI and USB interfaces are
 	supported.  According to your scanner interface, different
 	device drivers are required.</para>
 
       <sect3 id="scanners-kernel-usb">
 	<title>USB Interface</title>
 
 	<para>The <filename>GENERIC</filename> kernel by default
 	  includes the device drivers needed to support USB scanners.
 	  Should you decide to use a custom kernel, be sure that the
 	  following lines are present in your kernel configuration
 	  file:</para>
 
 	<programlisting>device usb
 device uhci
 device ohci
 device uscanner</programlisting>
 
 	<para>Depending upon the USB chipset on your motherboard, you
 	  will only need either <literal>device uhci</literal> or
 	  <literal>device ohci</literal>, however having both in the
 	  kernel configuration file is harmless.</para>
 
 	<para>If you do not want to rebuild your kernel and your
 	  kernel is not the <filename>GENERIC</filename> one, you can
 	  directly load the &man.uscanner.4; device driver module with
 	  the &man.kldload.8; command:</para>
 
 	<screen>&prompt.root; <userinput>kldload uscanner</userinput></screen>
 
 	<para>To load this module at each system startup, add the
 	  following line to
 	  <filename>/boot/loader.conf</filename>:</para>
 
 	<programlisting>uscanner_load="YES"</programlisting>
 
 	<para>After rebooting with the correct kernel, or after
 	  loading the required module, plug in your USB scanner.  The
 	  scanner should appear in your system message buffer
 	  (&man.dmesg.8;) as something like:</para>
 
 	<screen>uscanner0: EPSON EPSON Scanner, rev 1.10/3.02, addr 2</screen>
 
 	<para>This shows that our scanner is using the
 	  <filename>/dev/uscanner0</filename> device node.</para>
 
 	<note>
 	  <para>On &os;&nbsp;4.X, the USB daemon (&man.usbd.8;) must
 	    be running to be able to see some USB devices.  To enable
 	    this, add <literal>usbd_enable="YES"</literal> to your
 	    <filename>/etc/rc.conf</filename> file and reboot the
 	    machine.</para>
 	  </note>
       </sect3>
 
       <sect3>
 	<title>SCSI Interface</title>
 
 	<para>If your scanner comes with a SCSI interface, it is
 	  important to know which SCSI controller board you will use.
 	  According to the SCSI chipset used, you will have to tune
 	  your kernel configuration file.  The
 	  <filename>GENERIC</filename> kernel supports the most common
 	  SCSI controllers.  Be sure to read the
 	  <filename>NOTES</filename> file (<filename>LINT</filename>
 	  under &os;&nbsp;4.X) and add the correct line to your kernel
 	  configuration file.  In addition to the SCSI adapter driver,
 	  you need to have the following lines in your kernel
 	  configuration file:</para>
 
 	<programlisting>device scbus
 device pass</programlisting>
 
 	<para>Once your kernel has been properly compiled, you should
 	  be able to see the devices in your system message buffer,
 	  when booting:</para>
 
 	<screen>pass2 at aic0 bus 0 target 2 lun 0
 pass2: &lt;AGFA SNAPSCAN 600 1.10&gt; Fixed Scanner SCSI-2 device
 pass2: 3.300MB/s transfers</screen>
 
 	<para>If your scanner was not powered-on at system boot, it is
 	  still possible to manually force the detection by performing
 	  a SCSI bus scan with the &man.camcontrol.8; command:</para>
 
 	<screen>&prompt.root; <userinput>camcontrol rescan all</userinput>
 Re-scan of bus 0 was successful
 Re-scan of bus 1 was successful
 Re-scan of bus 2 was successful
 Re-scan of bus 3 was successful</screen>
 
 	<para>Then the scanner will appear in the SCSI devices
 	  list:</para>
 
 	<screen>&prompt.root; <userinput>camcontrol devlist</userinput>
 &lt;IBM DDRS-34560 S97B&gt;              at scbus0 target 5 lun 0 (pass0,da0)
 &lt;IBM DDRS-34560 S97B&gt;              at scbus0 target 6 lun 0 (pass1,da1)
 &lt;AGFA SNAPSCAN 600 1.10&gt;           at scbus1 target 2 lun 0 (pass3)
 &lt;PHILIPS CDD3610 CD-R/RW 1.00&gt;     at scbus2 target 0 lun 0 (pass2,cd0)</screen>
 
 	<para>More details about SCSI devices, are available in the
 	  &man.scsi.4; and &man.camcontrol.8; manual pages.</para>
       </sect3>
     </sect2>
 
     <sect2>
       <title>SANE Configuration</title>
 
       <para>The <application>SANE</application> system has been
 	splitted in two parts: the backends (<filename
 	role="package">graphics/sane-backends</filename>) and the
 	frontends (<filename
 	role="package">graphics/sane-frontends</filename>).  The
 	backends part provides access to the scanner itself.  The
 	<application>SANE</application>'s <ulink
 	url="http://sane-project.org/sane-supported-devices.html">supported
 	devices</ulink> list specifies which backend will support your
 	image scanner.  It is mandatory to determine the correct
 	backend for your scanner if you want to be able to use your
 	device.  The frontends part provides the graphical scanning
 	interface (<application>xscanimage</application>).</para>
 
       <para>The first thing to do is install the <filename
 	role="package">graphics/sane-backends</filename> port or
 	package.  Then, use the <command>sane-find-scanner</command>
 	command to check the scanner detection by the
 	<application>SANE</application> system:</para>
 
       <screen>&prompt.root; <userinput>sane-find-scanner -q</userinput>
 found SCSI scanner "AGFA SNAPSCAN 600 1.10" at /dev/pass3</screen>
 
       <para>The output will show the interface type of the scanner and
 	the device node used to attach the scanner to the system.  The
 	vendor and the product model may not appear, it is not
 	important.</para>
 
       <note>
 	<para>Some USB scanners require you to load a firmware, this
 	  is explained in the backend manual page.  You should also read
 	  &man.sane-find-scanner.1; and &man.sane.7; manual
 	  pages.</para>
       </note>
 
       <para>Now we have to check if the scanner will be identified by
 	a scanning frontend.  By default, the
 	<application>SANE</application> backends comes with a command
 	line tool called &man.scanimage.1;.  This command allows you
 	to list the devices and to perform an image acquisition from
 	the command line.  The <option>-L</option> option is used to
 	list the scanner device:</para>
 
       <screen>&prompt.root; <userinput>scanimage -L</userinput>
 device `snapscan:/dev/pass3' is a AGFA SNAPSCAN 600 flatbed scanner</screen>
 
       <para>No output or a message saying that no scanners were
 	identified indicates that &man.scanimage.1; is unable to
 	identify the scanner.  If this happens, you will need to edit
 	the backend configuration file and define the scanner device
 	used.  The <filename
 	class="directory">/usr/local/etc/sane.d/</filename> directory
 	contains all backends configuration files.  This
 	identification problem does appear with certain USB
 	scanners.</para>
 
       <para>For example, with the USB scanner used in the <xref
 	linkend="scanners-kernel-usb">,
 	<command>sane-find-scanner</command> gives us the following
 	information:</para>
 
       <screen>&prompt.root; <userinput>sane-find-scanner -q</userinput>
 found USB scanner (UNKNOWN vendor and product) at device /dev/uscanner0</screen>
       <para>The scanner is correctly detected, it uses the USB
 	interface and is attached to the
 	<filename>/dev/uscanner0</filename> device node.  We can now
 	check if the scanner is correctly identified:</para>
 
       <screen>&prompt.root; <userinput>scanimage -L</userinput>
 
 No scanners were identified. If you were expecting something different,
 check that the scanner is plugged in, turned on and detected by the
 sane-find-scanner tool (if appropriate). Please read the documentation
 which came with this software (README, FAQ, manpages).</screen>
 
       <para>Since the scanner is not identified, we will need to edit
 	the <filename>/usr/local/etc/sane.d/epson.conf</filename>
 	file.  The scanner model used was the &epson.perfection; 1650,
 	so we know the scanner will use the <literal>epson</literal>
 	backend.  Be sure to read the help comments in the backends
 	configuration files.  Line changes are quite simple: comment
 	out all lines that have the wrong interface for your scanner
 	(in our case, we will comment out all lines starting with the
 	word <literal>scsi</literal> as our scanner uses the USB
 	interface), then add at the end of the file a line specifying
 	the interface and the device node used.  In this case, we add
 	the following line:</para>
 
       <programlisting>usb /dev/uscanner0</programlisting>
 
       <para>Please be sure to read the comments provided in the
 	backend configuration file as well as the backend manual page
 	for more details and correct syntax to use.  We can now verify
 	if the scanner is identified:</para>
 
       <screen>&prompt.root; <userinput>scanimage -L</userinput>
 device `epson:/dev/uscanner0' is a Epson GT-8200 flatbed scanner</screen>
 
       <para>Our USB scanner has been identified.  It is not important
 	if the brand and the model do not match.  The key item to be
 	concerned with is the
 	<literal>`epson:/dev/uscanner0'</literal> field, which give us
 	the right backend name and the right device node.</para>
 
       <para>Once the <command>scanimage -L</command> command is able
 	to see the scanner, the configuration is complete.  The device
 	is now ready to scan.</para>
 
       <para>While &man.scanimage.1; does allow us to perform an
 	image acquisition from the command line, it is preferable to
 	use a graphical user interface to perform image scanning.
 	<application>SANE</application> offers a simple but efficient
 	graphical interface: <application>xscanimage</application>
 	(<filename
 	role="package">graphics/sane-frontends</filename>).</para>
 
       <para><application>Xsane</application> (<filename
 	role="package">graphics/xsane</filename>) is another popular
 	graphical scanning frontend.  This frontend offers advanced
 	features such as various scanning mode (photocopy, fax, etc.),
 	color correction, batch scans, etc.  Both of these applications
 	are useable as a <application>GIMP</application>
 	plugin.</para>
     </sect2>
 
     <sect2>
       <title>Allowing Scanner Access to Other Users</title>
 
       <para>All previous operations have been done with
 	<username>root</username> privileges.  You may however, need
 	other users to have access
 	to the scanner.  The user will need read and write
 	permissions to the device node used by the scanner.  As an
 	example, our USB scanner uses the device node
 	<filename>/dev/uscanner0</filename> which is owned by the
 	<groupname>operator</groupname> group.  Adding the user
 	<username>joe</username> to the
 	<groupname>operator</groupname> group will allow him to use
 	the scanner:</para>
 
       <screen>&prompt.root; <userinput>pw groupmod operator -m <replaceable>joe</replaceable></userinput></screen>
 
       <para>For more details read the &man.pw.8; manual page.  You
 	also have to set the correct write permissions (0660 or 0664)
 	on the <filename>/dev/uscanner0</filename> device node, by
 	default the <groupname>operator</groupname> group can only
 	read the device node.  This is done by adding the following
 	lines to the <filename>/etc/devfs.rules</filename> file:</para>
 
       <programlisting>[system=5]
 add path uscanner0 mode 660</programlisting>
 
       <para>Then add the following to
 	<filename>/etc/rc.conf</filename> and reboot the
 	machine:</para>
 
       <programlisting>devfs_system_ruleset="system"</programlisting>
 
       <para>More information regarding these lines can be found in the
 	&man.devfs.8; manual page.  Under &os;&nbsp;4.X, the
 	<groupname>operator</groupname> group has, by default, read
 	and write permissions to
 	<filename>/dev/uscanner0</filename>.</para>
 
       <note>
 	<para>Of course, for security reasons, you should think twice
 	  before adding a user to any group, especially the
 	  <groupname>operator</groupname> group.</para>
       </note>
     </sect2>
   </sect1>
 </chapter>
 
 <!--
      Local Variables:
      mode: sgml
      sgml-declaration: "../chapter.decl"
      sgml-indent-data: t
      sgml-omittag: nil
      sgml-always-quote-attributes: t
      sgml-parent-document: ("../book.sgml" "part" "chapter")
      End:
 -->
diff --git a/en_US.ISO8859-1/books/handbook/network-servers/chapter.sgml b/en_US.ISO8859-1/books/handbook/network-servers/chapter.sgml
index e007df6db7..24e7979f11 100644
--- a/en_US.ISO8859-1/books/handbook/network-servers/chapter.sgml
+++ b/en_US.ISO8859-1/books/handbook/network-servers/chapter.sgml
@@ -1,5100 +1,5100 @@
 <!--
      The FreeBSD Documentation Project
 
      $FreeBSD$
 -->
 
 <chapter id="network-servers">
   <chapterinfo>
     <authorgroup>
       <author>
         <firstname>Murray</firstname>
 	<surname>Stokely</surname>
 	<contrib>Reorganized by </contrib>
       </author>
     </authorgroup>
     <!-- 23 July 2004 -->
   </chapterinfo>
 
   <title>Network Servers</title>
 
   <sect1 id="network-servers-synopsis">
     <title>Synopsis</title>
 
     <para>This chapter will cover some of the more frequently used
       network services on &unix; systems.  We will cover how to
       install, configure, test, and maintain many different types of
       network services.  Example configuration files are included
       throughout this chapter for you to benefit from.</para>
 
     <para>After reading this chapter, you will know:</para>
 
     <itemizedlist>
 
       <listitem>
 	<para>How to manage the <application>inetd</application>
 	  daemon.</para>
       </listitem>
 
       <listitem>
 	<para>How to set up a network filesystem.</para>
       </listitem>
 
       <listitem>
 	<para>How to set up a network information server for sharing
 	  user accounts.</para>
       </listitem>
 
       <listitem>
 	<para>How to set up automatic network settings using DHCP.</para>
       </listitem>
 
       <listitem>
 	<para>How to set up a domain name server.</para>
       </listitem>
 
       <listitem>
 	<para>How to set up the <application>Apache</application> HTTP Server.</para>
       </listitem>
 
       <listitem>
 	<para>How to set up a File Transfer Protocol (FTP) Server.</para>
       </listitem>
 
       <listitem>
 	<para>How to set up a file and print server for &windows;
 	  clients using <application>Samba</application>.</para>
       </listitem>
 
       <listitem>
 	<para>How to synchronize the time and date, and set up a
 	  time server, with the NTP protocol.</para>
       </listitem>
 
     </itemizedlist>
 
     <para>Before reading this chapter, you should:</para>
 
     <itemizedlist>
       <listitem>
 	<para>Understand the basics of the
 	  <filename>/etc/rc</filename> scripts.</para>
       </listitem>
 
       <listitem>
 	<para>Be familiar with basic network terminology.</para>
       </listitem>
 
       <listitem>
       <para>Know how to install additional third-party
         software (<xref linkend="ports">).</para>
       </listitem>
 
     </itemizedlist>
   </sect1>
 
   <sect1 id="network-inetd">
     <sect1info>
       <authorgroup>
         <author>
           <firstname>Chern</firstname>
           <surname>Lee</surname>
           <contrib>Contributed by </contrib>
         </author>
       </authorgroup>
     </sect1info>
 
     <title>The <application>inetd</application> <quote>Super-Server</quote></title>
 
     <sect2 id="network-inetd-overview">
       <title>Overview</title>
 
       <para>&man.inetd.8; is referred to as the <quote>Internet
 	Super-Server</quote> because it manages connections for
 	several services.  When a
 	connection is received by <application>inetd</application>, it
 	determines which program the connection is destined for, spawns
 	the particular process and delegates the socket to it (the program
 	is invoked with the service socket as its standard input, output
 	and error descriptors).  Running
 	one instance of <application>inetd</application> reduces the
 	overall system load as compared to running each daemon
 	individually in stand-alone mode.</para>
 
       <para>Primarily, <application>inetd</application> is used to
 	spawn other daemons, but several trivial protocols are handled
 	directly, such as <application>chargen</application>,
 	<application>auth</application>, and
 	<application>daytime</application>.</para>
 
       <para>This section will cover the basics in configuring
 	<application>inetd</application> through its command-line
 	options and its configuration file,
 	<filename>/etc/inetd.conf</filename>.</para>
     </sect2>
 
     <sect2 id="network-inetd-settings">
       <title>Settings</title>
 
       <para><application>inetd</application> is initialized through
 	the <filename>/etc/rc.conf</filename> system.  The
 	<literal>inetd_enable</literal> option is set to
 	<literal>NO</literal> by default, but is often times turned on
 	by <application>sysinstall</application> with the medium
 	security profile.  Placing:
 	<programlisting>inetd_enable="YES"</programlisting> or
 	<programlisting>inetd_enable="NO"</programlisting> into
 	<filename>/etc/rc.conf</filename> can enable or disable
 	<application>inetd</application> starting at boot time.</para>
 
       <para>Additionally, different command-line options can be passed
 	to <application>inetd</application> via the
 	<literal>inetd_flags</literal> option.</para>
     </sect2>
 
     <sect2 id="network-inetd-cmdline">
       <title>Command-Line Options</title>
 
       <para><application>inetd</application> synopsis:</para>
 
       <para><option>     inetd [-d] [-l] [-w] [-W] [-c maximum] [-C rate] [-a address | hostname]
            [-p filename] [-R rate] [configuration file]</option></para>
 
       <variablelist>
 	<varlistentry>
 	  <term>-d</term>
 
 	  <listitem>
 	    <para>Turn on debugging.</para>
 	  </listitem>
 	</varlistentry>
 
 	<varlistentry>
 	  <term>-l</term>
 
 	  <listitem>
 	    <para>Turn on logging of successful connections.</para>
 	  </listitem>
 	</varlistentry>
 
 	<varlistentry>
 	  <term>-w</term>
 
 	  <listitem>
 	    <para>Turn on TCP Wrapping for external services (on by
 	      default).</para>
 	  </listitem>
 	</varlistentry>
 
 	<varlistentry>
 	  <term>-W</term>
 
 	  <listitem>
 	    <para>Turn on TCP Wrapping for internal services which are
 	      built into <application>inetd</application> (on by
 	      default).</para>
 	  </listitem>
 	</varlistentry>
 
 	<varlistentry>
 	  <term>-c maximum</term>
 
 	  <listitem>
 	    <para>Specify the default maximum number of simultaneous
 	      invocations of each service; the default is unlimited.
 	      May be overridden on a per-service basis with the
 	      <option>max-child</option> parameter.</para>
 	  </listitem>
 	</varlistentry>
 
 	<varlistentry>
 	  <term>-C rate</term>
 
 	  <listitem>
 	    <para>Specify the default maximum number of times a
 	      service can be invoked from a single IP address in one
 	      minute; the default is unlimited.  May be overridden on a
 	      per-service basis with the
 	      <option>max-connections-per-ip-per-minute</option>
 	      parameter.</para>
 	  </listitem>
 	</varlistentry>
 
 	<varlistentry>
 	  <term>-R rate</term>
 
 	  <listitem>
 	    <para>Specify the maximum number of times a service can be
 	      invoked in one minute; the default is 256.  A rate of 0
 	      allows an unlimited number of invocations.</para>
 	  </listitem>
 	</varlistentry>
 
 	<varlistentry>
 	  <term>-a</term>
 
 	  <listitem>
 	    <para>Specify one specific IP address to bind to.
 	      Alternatively, a hostname can be specified, in which case
 	      the IPv4 or IPv6 address which corresponds to that
 	      hostname is used.  Usually a hostname is specified when
 	      <application>inetd</application> is run inside a
 	      &man.jail.8;, in which case the hostname corresponds to
 	      the &man.jail.8; environment.</para>
 
 	    <para>When hostname specification is used and both IPv4
 	      and IPv6 bindings are desired, one entry with the
 	      appropriate protocol type for each binding is required
 	      for each service in
 	      <filename>/etc/inetd.conf</filename>.  For example, a
 	      TCP-based service would need two entries, one using
 	      <literal>tcp4</literal> for the protocol and the other
 	      using <literal>tcp6</literal>.</para>
 	  </listitem>
 	</varlistentry>
 
 	<varlistentry>
 	  <term>-p</term>
 
 	  <listitem>
 	    <para>Specify an alternate file in which to store the
 	      process ID.</para>
 	  </listitem>
 	</varlistentry>
       </variablelist>
 
       <para>These options can be passed to
 	<application>inetd</application> using the
 	<literal>inetd_flags</literal> option in
 	<filename>/etc/rc.conf</filename>.  By default,
 	<literal>inetd_flags</literal> is set to
 	<literal>-wW</literal>, which turns on TCP wrapping for
 	<application>inetd</application>'s internal and external
 	services.  For novice users, these parameters usually do not
 	need to be modified or even entered in
 	<filename>/etc/rc.conf</filename>.</para>
 
       <note>
 	<para>An external service is a daemon outside of
 	  <application>inetd</application>, which is invoked when a
 	  connection is received for it.  On the other hand, an
 	  internal service is one that
 	  <application>inetd</application> has the facility of
 	  offering within itself.</para>
       </note>
 
     </sect2>
 
     <sect2 id="network-inetd-conf">
       <title><filename>inetd.conf</filename></title>
 
       <para>Configuration of <application>inetd</application> is
 	controlled through the <filename>/etc/inetd.conf</filename>
 	file.</para>
 
       <para>When a modification is made to
 	<filename>/etc/inetd.conf</filename>,
 	<application>inetd</application> can be forced to re-read its
 	configuration file by sending a HangUP signal to the
 	<application>inetd</application> process as shown:</para>
 
       <example id="network-inetd-hangup">
 	<title>Sending <application>inetd</application> a HangUP Signal</title>
 
 	<screen>&prompt.root; <userinput>kill -HUP `cat /var/run/inetd.pid`</userinput></screen>
       </example>
 
       <para>Each line of the configuration file specifies an
 	individual daemon.  Comments in the file are preceded by a
 	<quote>#</quote>.  The format of
 	<filename>/etc/inetd.conf</filename> is as follows:</para>
 
       <programlisting>service-name
 socket-type
 protocol
 {wait|nowait}[/max-child[/max-connections-per-ip-per-minute]]
 user[:group][/login-class]
 server-program
 server-program-arguments</programlisting>
 
       <para>An example entry for the <application>ftpd</application> daemon
 	using IPv4:</para>
 
       <programlisting>ftp     stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l</programlisting>
 
       <variablelist>
 	<varlistentry>
 	  <term>service-name</term>
 
 	  <listitem>
 	    <para>This is the service name of the particular daemon.
 	      It must correspond to a service listed in
 	      <filename>/etc/services</filename>.  This determines
 	      which port <application>inetd</application> must listen
 	      to.  If a new service is being created, it must be
 	      placed in <filename>/etc/services</filename>
 	      first.</para>
 	  </listitem>
 	</varlistentry>
 
 	<varlistentry>
 	  <term>socket-type</term>
 
 	  <listitem>
 	    <para>Either <literal>stream</literal>,
 	      <literal>dgram</literal>, <literal>raw</literal>, or
 	      <literal>seqpacket</literal>.  <literal>stream</literal>
 	      must be used for connection-based, TCP daemons, while
 	      <literal>dgram</literal> is used for daemons utilizing
 	      the <acronym>UDP</acronym> transport protocol.</para>
 	  </listitem>
 	</varlistentry>
 
 	<varlistentry>
 	  <term>protocol</term>
 
 	  <listitem>
 	    <para>One of the following:</para>
 
-	    <informaltable frame="none">
+	    <informaltable frame="none" pgwide="1">
 	      <tgroup cols="2">
 		<thead>
 		  <row>
 		    <entry>Protocol</entry>
 		    <entry>Explanation</entry>
 		  </row>
 		</thead>
 		<tbody>
 		  <row>
 		    <entry>tcp, tcp4</entry>
 		    <entry>TCP IPv4</entry>
 		  </row>
 		  <row>
 		    <entry>udp, udp4</entry>
 		    <entry>UDP IPv4</entry>
 		  </row>
 		  <row>
 		    <entry>tcp6</entry>
 		    <entry>TCP IPv6</entry>
 		  </row>
 		  <row>
 		    <entry>udp6</entry>
 		    <entry>UDP IPv6</entry>
 		  </row>
 		  <row>
 		    <entry>tcp46</entry>
 		    <entry>Both TCP IPv4 and v6</entry>
 		  </row>
 		  <row>
 		    <entry>udp46</entry>
 		    <entry>Both UDP IPv4 and v6</entry>
 		  </row>
 		</tbody>
 	      </tgroup>
 	    </informaltable>
 	  </listitem>
 	</varlistentry>
 
 	<varlistentry>
 	  <term>{wait|nowait}[/max-child[/max-connections-per-ip-per-minute]]</term>
 
 	  <listitem>
 	    <para><option>wait|nowait</option> indicates whether the
 	      daemon invoked from <application>inetd</application> is
 	      able to handle its own socket or not.
 	      <option>dgram</option> socket types must use the
 	      <option>wait</option> option, while stream socket
 	      daemons, which are usually multi-threaded, should use
 	      <option>nowait</option>.  <option>wait</option> usually
 	      hands off multiple sockets to a single daemon, while
 	      <option>nowait</option> spawns a child daemon for each
 	      new socket.</para>
 
 	    <para>The maximum number of child daemons
 	      <application>inetd</application> may spawn can be set
 	      using the <option>max-child</option> option.  If a limit
 	      of ten instances of a particular daemon is needed, a
 	      <literal>/10</literal> would be placed after
 	      <option>nowait</option>.</para>
 
 	    <para>In addition to <option>max-child</option>, another
 	      option limiting the maximum connections from a single
 	      place to a particular daemon can be enabled.
 	      <option>max-connections-per-ip-per-minute</option> does
 	      just this.  A value of ten here would limit any particular
 	      IP address connecting to a particular service to ten
 	      attempts per minute.  This is useful to prevent
 	      intentional or unintentional resource consumption and
 	      Denial of Service (DoS) attacks to a machine.</para>
 
 	    <para>In this field, <option>wait</option> or
 	      <option>nowait</option> is mandatory.
 	      <option>max-child</option> and
 	      <option>max-connections-per-ip-per-minute</option> are
 	      optional.</para>
 
 	    <para>A stream-type multi-threaded daemon without any
 	      <option>max-child</option> or
 	      <option>max-connections-per-ip-per-minute</option> limits
 	      would simply be: <literal>nowait</literal>.</para>
 
 	    <para>The same daemon with a maximum limit of ten daemons
 	      would read: <literal>nowait/10</literal>.</para>
 
 	    <para>Additionally, the same setup with a limit of twenty
 	      connections per IP address per minute and a maximum
 	      total limit of ten child daemons would read:
 	      <literal>nowait/10/20</literal>.</para>
 
 	    <para>These options are all utilized by the default
 	      settings of the <application>fingerd</application> daemon,
 	      as seen here:</para>
 
 	    <programlisting>finger stream  tcp     nowait/3/10 nobody /usr/libexec/fingerd fingerd -s</programlisting>
 	  </listitem>
 	</varlistentry>
 
 	<varlistentry>
 	  <term>user</term>
 
 	  <listitem>
 	    <para>This is the username that the particular daemon
 	      should run as.  Most commonly, daemons run as the
 	      <username>root</username> user.  For security purposes, it is
 	      common to find some servers running as the
 	      <username>daemon</username> user, or the least privileged
 	      <username>nobody</username> user.</para>
 	  </listitem>
 	</varlistentry>
 
 	<varlistentry>
 	  <term>server-program</term>
 
 	  <listitem>
 	    <para>The full path of the daemon to be executed when a
 	      connection is received.  If the daemon is a service
 	      provided by <application>inetd</application> internally,
 	      then <option>internal</option> should be
 	      used.</para>
 	  </listitem>
 	</varlistentry>
 
 	<varlistentry>
 	  <term>server-program-arguments</term>
 
 	  <listitem>
 	    <para>This works in conjunction with
 	      <option>server-program</option> by specifying the
 	      arguments, starting with <literal>argv[0]</literal>,
 	      passed to the daemon on invocation.  If
 	      <command>mydaemon -d</command> is the command line,
 	      <literal>mydaemon -d</literal> would be the value of
 	      <option>server-program-arguments</option>.  Again, if
 	      the daemon is an internal service, use
 	      <option>internal</option> here.</para>
 	  </listitem>
 	</varlistentry>
       </variablelist>
     </sect2>
 
     <sect2 id="network-inetd-security">
       <title>Security</title>
 
       <para>Depending on the security profile chosen at install, many
 	of <application>inetd</application>'s daemons may be enabled
 	by default.  If there is no apparent need for a particular
 	daemon, disable it!  Place a <quote>#</quote> in front of the
 	daemon in question in <filename>/etc/inetd.conf</filename>,
 	and then send a <link linkend="network-inetd-hangup">hangup
 	signal to inetd</link>.  Some daemons, such as
 	<application>fingerd</application>, may not be desired at all
 	because they provide an attacker with too much
 	information.</para>
 
       <para>Some daemons are not security-conscious and have long, or
 	non-existent timeouts for connection attempts.  This allows an
 	attacker to slowly send connections to a particular daemon,
 	thus saturating available resources.  It may be a good idea to
 	place <option>max-connections-per-ip-per-minute</option> and
 	<option>max-child</option> limitations on certain
 	daemons.</para>
 
       <para>By default, TCP wrapping is turned on.  Consult the
 	&man.hosts.access.5; manual page for more information on placing
 	TCP restrictions on various <application>inetd</application>
 	invoked daemons.</para>
     </sect2>
 
     <sect2 id="network-inetd-misc">
       <title>Miscellaneous</title>
 
       <para><application>daytime</application>,
 	<application>time</application>,
 	<application>echo</application>,
 	<application>discard</application>,
 	<application>chargen</application>, and
 	<application>auth</application> are all internally provided
 	services of <application>inetd</application>.</para>
 
       <para>The <application>auth</application> service provides
 	identity (<application>ident</application>,
 	<application>identd</application>) network services, and is
 	configurable to a certain degree.</para>
 
       <para>Consult the &man.inetd.8; manual page for more in-depth
 	information.</para>
     </sect2>
   </sect1>
 
   <sect1 id="network-nfs">
     <sect1info>
       <authorgroup>
         <author>
           <firstname>Tom</firstname>
           <surname>Rhodes</surname>
           <contrib>Reorganized and enhanced by </contrib>
         </author>
       </authorgroup>
       <authorgroup>
         <author>
           <firstname>Bill</firstname>
       	  <surname>Swingle</surname>
 	  <contrib>Written by </contrib>
         </author>
       </authorgroup>
     </sect1info>
     <title>Network File System (NFS)</title>
 
     <indexterm><primary>NFS</primary></indexterm>
     <para>Among the many different filesystems that FreeBSD supports
       is the Network File System, also known as <acronym role="Network
       File System">NFS</acronym>.  <acronym role="Network File
       System">NFS</acronym> allows a system to share directories and
       files with others over a network.  By using <acronym
       role="Network File System">NFS</acronym>, users and programs can
       access files on remote systems almost as if they were local
       files.</para>
 
     <para>Some of the most notable benefits that
       <acronym>NFS</acronym> can provide are:</para>
 
     <itemizedlist>
       <listitem>
 	<para>Local workstations use less disk space because commonly
 	  used data can be stored on a single machine and still remain
 	  accessible to others over the network.</para>
       </listitem>
 
       <listitem>
 	<para>There is no need for users to have separate home
 	  directories on every network machine.  Home directories
 	  could be set up on the <acronym>NFS</acronym> server and
 	  made available throughout the network.</para>
       </listitem>
 
       <listitem>
 	<para>Storage devices such as floppy disks, CDROM drives, and
 	  &iomegazip; drives can be used by other machines on the network.
 	  This may reduce the number of removable media drives
 	  throughout the network.</para>
       </listitem>
     </itemizedlist>
 
     <sect2>
       <title>How <acronym>NFS</acronym> Works</title>
 
       <para><acronym>NFS</acronym> consists of at least two main
         parts: a server and one or more clients.  The client remotely
         accesses the data that is stored on the server machine.  In
         order for this to function properly a few processes have to be
         configured and running.</para>
 
       <note><para>In &os; 5.X, the <application>portmap</application>
 	utility has been replaced with the
 	<application>rpcbind</application> utility.  Thus, in &os; 5.X
 	the user is required to replace every instance of
 	<application>portmap</application> with
 	<application>rpcbind</application> in the forthcoming
 	examples.</para></note>
 
       <para>The server has to be running the following daemons:</para>
       <indexterm>
         <primary>NFS</primary>
         <secondary>server</secondary>
       </indexterm>
       <indexterm>
         <primary>file server</primary>
         <secondary>unix clients</secondary>
       </indexterm>
 
       <indexterm>
         <primary><application>portmap</application></primary>
       </indexterm>
       <indexterm>
         <primary><application>mountd</application></primary>
       </indexterm>
       <indexterm>
         <primary><application>nfsd</application></primary>
       </indexterm>
 
       <informaltable frame="none" pgwide="1">
 	<tgroup cols="2">
 	  <colspec colwidth="1*">
 	  <colspec colwidth="3*">
 
 	  <thead>
 	    <row>
 	      <entry>Daemon</entry>
 	      <entry>Description</entry>
 	    </row>
 	  </thead>
 	  <tbody>
 	    <row>
 	      <entry><application>nfsd</application></entry>
 	      <entry>The <acronym>NFS</acronym> daemon which services
 	      requests from the <acronym>NFS</acronym>
 	      clients.</entry>
 	    </row>
 	    <row>
 	      <entry><application>mountd</application></entry>
 	      <entry>The <acronym>NFS</acronym> mount daemon which carries out
 		the requests that &man.nfsd.8; passes on to it.</entry>
 	    </row>
 	    <row>
 	      <entry><application>portmap</application></entry>
 	      <entry> The portmapper daemon allows
 	      <acronym>NFS</acronym> clients to discover which port
 	      the <acronym>NFS</acronym> server is using.</entry>
 	    </row>
 	  </tbody>
 	</tgroup>
       </informaltable>
 
       <para>The client can also run a daemon, known as
         <application>nfsiod</application>.  The
         <application>nfsiod</application> daemon services the requests
         from the <acronym>NFS</acronym> server.  This is optional, and
         improves performance, but is not required for normal and
         correct operation.  See the &man.nfsiod.8; manual page for
         more information.
       </para>
     </sect2>
 
     <sect2 id="network-configuring-nfs">
       <title>Configuring <acronym>NFS</acronym></title>
       <indexterm>
         <primary>NFS</primary>
         <secondary>configuration</secondary>
       </indexterm>
 
       <para><acronym>NFS</acronym> configuration is a relatively
         straightforward process.  The processes that need to be
         running can all start at boot time with a few modifications to
         your <filename>/etc/rc.conf</filename> file.</para>
 
       <para>On the <acronym>NFS</acronym> server, make sure that the
         following options are configured in the
         <filename>/etc/rc.conf</filename> file:</para>
 
       <programlisting>portmap_enable="YES"
 nfs_server_enable="YES"
 mountd_flags="-r"</programlisting>
 
       <para><application>mountd</application> runs automatically
         whenever the <acronym>NFS</acronym> server is enabled.</para>
 
       <para>On the client, make sure this option is present in
         <filename>/etc/rc.conf</filename>:</para>
 
       <programlisting>nfs_client_enable="YES"</programlisting>
 
       <para>The <filename>/etc/exports</filename> file specifies which
         filesystems <acronym>NFS</acronym> should export (sometimes
         referred to as <quote>share</quote>).  Each line in
         <filename>/etc/exports</filename> specifies a filesystem to be
         exported and which machines have access to that filesystem.
         Along with what machines have access to that filesystem,
         access options may also be specified.  There are many such
         options that can be used in this file but only a few will be
         mentioned here.  You can easily discover other options by
         reading over the &man.exports.5; manual page.</para>
 
       <para>Here are a few example <filename>/etc/exports</filename>
 	entries:</para>
 
       <indexterm>
         <primary>NFS</primary>
         <secondary>export examples</secondary>
       </indexterm>
 
       <para>The following examples give an idea of how to export
         filesystems, although the settings may be different depending
         on your environment and network configuration.  For instance,
         to export the <filename>/cdrom</filename> directory to three
         example machines that have the same domain name as the server
         (hence the lack of a domain name for each) or have entries in
         your <filename>/etc/hosts</filename> file.  The
         <option>-ro</option> flag makes the exported filesystem
         read-only.  With this flag, the remote system will not be able
         to write any changes to the exported filesystem.</para>
 
       <programlisting>/cdrom -ro host1 host2 host3</programlisting>
 
       <para>The following line exports <filename>/home</filename> to
 	three hosts by IP address.  This is a useful setup if you have
 	a private network without a <acronym>DNS</acronym> server
 	configured.  Optionally the <filename>/etc/hosts</filename>
 	file could be configured for internal hostnames; please review
 	&man.hosts.5; for more information.  The
 	<option>-alldirs</option> flag allows the subdirectories to be
 	mount points.  In other words, it will not mount the
 	subdirectories but permit the client to mount only the
 	directories that are required or needed.</para>
 
       <programlisting>/home  -alldirs  10.0.0.2 10.0.0.3 10.0.0.4</programlisting>
 
       <para>The following line exports <filename>/a</filename> so that
 	two clients from different domains may access the filesystem.
 	The <option>-maproot=root</option> flag allows the
 	<username>root</username> user on the remote system to write
 	data on the exported filesystem as <username>root</username>.
 	If the <literal>-maproot=root</literal> flag is not specified,
 	then even if a user has <username>root</username> access on
 	the remote system, he will not be able to modify files on
 	the exported filesystem.</para>
 
       <programlisting>/a  -maproot=root  host.example.com box.example.org</programlisting>
 
       <para>In order for a client to access an exported filesystem,
 	the client must have permission to do so.  Make sure the
 	client is listed in your <filename>/etc/exports</filename>
 	file.</para>
 
       <para>In <filename>/etc/exports</filename>, each line represents
 	the export information for one filesystem to one host.  A
 	remote host can only be specified once per filesystem, and may
 	only have one default entry.  For example, assume that
 	<filename>/usr</filename> is a single filesystem.  The
 	following <filename>/etc/exports</filename> would be
 	invalid:</para>
 
       <programlisting># Invalid when /usr is one file system
 /usr/src   client
 /usr/ports client</programlisting>
 
       <para>One filesystem, <filename>/usr</filename>, has two lines
 	specifying exports to the same host, <hostid>client</hostid>.
         The correct format for this situation is:</para>
 
       <programlisting>/usr/src /usr/ports  client</programlisting>
 
       <para>The properties of one filesystem exported to a given host
 	must all occur on one line.  Lines without a client specified
 	are treated as a single host.  This limits how you can export
 	filesystems, but for most people this is not an issue.</para>
 
       <para>The following is an example of a valid export list, where
 	<filename>/usr</filename> and <filename>/exports</filename>
 	are local filesystems:</para>
 
       <programlisting># Export src and ports to client01 and client02, but only
 # client01 has root privileges on it
 /usr/src /usr/ports -maproot=root    client01
 /usr/src /usr/ports               client02
 # The client machines have root and can mount anywhere
 # on /exports. Anyone in the world can mount /exports/obj read-only
 /exports -alldirs -maproot=root      client01 client02
 /exports/obj -ro</programlisting>
 
       <para>You must restart
         <application>mountd</application> whenever you modify
         <filename>/etc/exports</filename> so the changes can take effect.
         This can be accomplished by sending the HUP signal
         to the <command>mountd</command> process:</para>
 
       <screen>&prompt.root; <userinput>kill -HUP `cat /var/run/mountd.pid`</userinput></screen>
 
       <para>Alternatively, a reboot will make FreeBSD set everything
         up properly.  A reboot is not necessary though.
         Executing the following commands as <username>root</username>
         should start everything up.</para>
 
       <para>On the <acronym>NFS</acronym> server:</para>
 
       <screen>&prompt.root; <userinput>portmap</userinput>
 &prompt.root; <userinput>nfsd -u -t -n 4</userinput>
 &prompt.root; <userinput>mountd -r</userinput></screen>
 
       <para>On the <acronym>NFS</acronym> client:</para>
 
       <screen>&prompt.root; <userinput>nfsiod -n 4</userinput></screen>
 
       <para>Now everything should be ready to actually mount a remote file
 	system.  In these examples the
 	server's name will be <hostid>server</hostid> and the client's
 	name will be <hostid>client</hostid>.  If you only want to
 	temporarily mount a remote filesystem or would rather test the
 	configuration, just execute a command like this as <username>root</username> on the
         client:</para>
       <indexterm>
         <primary>NFS</primary>
         <secondary>mounting</secondary>
       </indexterm>
       <screen>&prompt.root; <userinput>mount server:/home /mnt</userinput></screen>
 
       <para>This will mount the <filename>/home</filename> directory
 	on the server at <filename>/mnt</filename> on the client.  If
 	everything is set up correctly you should be able to enter
 	<filename>/mnt</filename> on the client and see all the files
         that are on the server.</para>
 
       <para>If you want to automatically mount a remote filesystem
 	each time the computer boots, add the filesystem to the
 	<filename>/etc/fstab</filename> file.  Here is an example:</para>
 
       <programlisting>server:/home	/mnt	nfs	rw	0	0</programlisting>
 
       <para>The &man.fstab.5; manual page lists all the available
         options.</para>
     </sect2>
 
     <sect2>
       <title>Practical Uses</title>
 
       <para><acronym>NFS</acronym> has many practical uses.  Some of
         the more common ones are listed below:</para>
 
       <indexterm>
         <primary>NFS</primary>
         <secondary>uses</secondary>
       </indexterm>
       <itemizedlist>
         <listitem>
 	  <para>Set several machines to share a CDROM or other media
 	    among them.  This is cheaper and often a more convenient
 	    method to install software on multiple machines.</para>
 	</listitem>
 
 	<listitem>
 	  <para>On large networks, it might be more convenient to
 	    configure a central <acronym>NFS</acronym> server in which
 	    to store all the user home directories.  These home
 	    directories can then be exported to the network so that
 	    users would always have the same home directory,
 	    regardless of which workstation they log in to.</para>
 	</listitem>
 
 	<listitem>
 	  <para>Several machines could have a common
             <filename>/usr/ports/distfiles</filename> directory.  That
             way, when you need to install a port on several machines,
             you can quickly access the source without downloading it
             on each machine.</para>
 	</listitem>
       </itemizedlist>
     </sect2>
 
     <sect2 id="network-amd">
       <sect2info>
 	<authorgroup>
 	  <author>
 	    <firstname>Wylie</firstname>
 	    <surname>Stilwell</surname>
 	    <contrib>Contributed by </contrib>
 	  </author>
 	</authorgroup>
 	<authorgroup>
 	  <author>
 	    <firstname>Chern</firstname>
 	    <surname>Lee</surname>
 	    <contrib>Rewritten by </contrib>
 	  </author>
 	</authorgroup>
       </sect2info>
       <title>Automatic Mounts with <application>amd</application></title>
 
       <indexterm><primary>amd</primary></indexterm>
       <indexterm><primary>automatic mounter daemon</primary></indexterm>
 
       <para>&man.amd.8; (the automatic mounter daemon)
 	automatically mounts a
 	remote filesystem whenever a file or directory within that
 	filesystem is accessed.  Filesystems that are inactive for a
 	period of time will also be automatically unmounted by
 	<application>amd</application>.  Using
 	<application>amd</application> provides a simple alternative
 	to permanent mounts, as permanent mounts are usually listed in
         <filename>/etc/fstab</filename>.</para>
 
       <para><application>amd</application> operates by attaching
 	itself as an NFS server to the <filename>/host</filename> and
 	<filename>/net</filename> directories.  When a file is accessed
 	within one of these directories, <application>amd</application>
 	looks up the corresponding remote mount and automatically mounts
 	it.  <filename>/net</filename> is used to mount an exported
 	filesystem from an IP address, while <filename>/host</filename>
 	is used to mount an export from a remote hostname.</para>
 
       <para>An access to a file within
 	<filename>/host/foobar/usr</filename> would tell
 	<application>amd</application> to attempt to mount the
 	<filename>/usr</filename> export on the host
 	<hostid>foobar</hostid>.</para>
 
       <example>
 	<title>Mounting an Export with <application>amd</application></title>
 
 	<para>You can view the available mounts of a remote host with
 	  the <command>showmount</command> command.  For example, to
 	  view the mounts of a host named <hostid>foobar</hostid>, you
 	  can use:</para>
 
 	<screen>&prompt.user; <userinput>showmount -e foobar</userinput>
 Exports list on foobar:
 /usr                               10.10.10.0
 /a                                 10.10.10.0
 &prompt.user; <userinput>cd /host/foobar/usr</userinput></screen>
       </example>
 
       <para>As seen in the example, the <command>showmount</command> shows
 	<filename>/usr</filename> as an export.  When changing directories to
 	<filename>/host/foobar/usr</filename>, <application>amd</application>
 	attempts to resolve the hostname <hostid>foobar</hostid> and
 	automatically mount the desired export.</para>
 
       <para><application>amd</application> can be started by the
 	startup scripts by placing the following lines in
 	<filename>/etc/rc.conf</filename>:</para>
 
       <programlisting>amd_enable="YES"</programlisting>
 
       <para>Additionally, custom flags can be passed to
       <application>amd</application> from the
       <varname>amd_flags</varname> option.  By default,
       <varname>amd_flags</varname> is set to:</para>
 
       <programlisting>amd_flags="-a /.amd_mnt -l syslog /host /etc/amd.map /net /etc/amd.map"</programlisting>
 
       <para>The <filename>/etc/amd.map</filename> file defines the
 	default options that exports are mounted with.  The
 	<filename>/etc/amd.conf</filename> file defines some of the more
 	advanced features of <application>amd</application>.</para>
 
       <para>Consult the &man.amd.8; and &man.amd.conf.5; manual pages for more
 	information.</para>
     </sect2>
 
     <sect2 id="network-nfs-integration">
       <sect2info>
         <authorgroup>
           <author>
             <firstname>John</firstname>
             <surname>Lind</surname>
             <contrib>Contributed by </contrib>
           </author>
         </authorgroup>
       </sect2info>
       <title>Problems Integrating with Other Systems</title>
 
       <para>Certain Ethernet adapters for ISA PC systems have limitations
 	which can lead to serious network problems, particularly with NFS.
 	This difficulty is not specific to FreeBSD, but FreeBSD systems
 	are affected by it.</para>
 
       <para>The problem nearly always occurs when (FreeBSD) PC systems are
 	networked with high-performance workstations, such as those made
 	by Silicon Graphics, Inc., and Sun Microsystems, Inc.  The NFS
 	mount will work fine, and some operations may succeed, but
 	suddenly the server will seem to become unresponsive to the
 	client, even though requests to and from other systems continue to
 	be processed.  This happens to the client system, whether the
 	client is the FreeBSD system or the workstation.  On many systems,
 	there is no way to shut down the client gracefully once this
 	problem has manifested itself.  The only solution is often to
 	reset the client, because the NFS situation cannot be
 	resolved.</para>
 
       <para>Though the <quote>correct</quote> solution is to get a
 	higher performance and capacity Ethernet adapter for the
 	FreeBSD system, there is a simple workaround that will allow
 	satisfactory operation.  If the FreeBSD system is the
 	<emphasis>server</emphasis>, include the option
 	<option>-w=1024</option> on the mount from the client.  If the
 	FreeBSD system is the <emphasis>client</emphasis>, then mount
 	the NFS filesystem with the option <option>-r=1024</option>.
 	These options may be specified using the fourth field of the
 	<filename>fstab</filename> entry on the client for automatic
 	mounts, or by using the <option>-o</option> parameter of the
 	&man.mount.8; command for manual mounts.</para>
 
       <para>It should be noted that there is a different problem,
 	sometimes mistaken for this one, when the NFS servers and
 	clients are on different networks.  If that is the case, make
 	<emphasis>certain</emphasis> that your routers are routing the
 	necessary <acronym>UDP</acronym> information, or you will not get anywhere, no
 	matter what else you are doing.</para>
 
       <para>In the following examples, <hostid>fastws</hostid> is the host
 	(interface) name of a high-performance workstation, and
 	<hostid>freebox</hostid> is the host (interface) name of a FreeBSD
 	system with a lower-performance Ethernet adapter.  Also,
 	<filename>/sharedfs</filename> will be the exported NFS
 	filesystem (see &man.exports.5;), and
 	<filename>/project</filename> will be the mount point on the
 	client for the exported filesystem.  In all cases, note that
 	additional options, such as <option>hard</option> or
 	<option>soft</option> and <option>bg</option> may be desirable in
 	your application.</para>
 
       <para>Examples for the FreeBSD system (<hostid>freebox</hostid>)
 	as the client in <filename>/etc/fstab</filename> on
 	<hostid>freebox</hostid>:</para>
 
       <programlisting>fastws:/sharedfs /project nfs rw,-r=1024 0 0</programlisting>
 
       <para>As a manual mount command on <hostid>freebox</hostid>:</para>
 
       <screen>&prompt.root; <userinput>mount -t nfs -o -r=1024 fastws:/sharedfs /project</userinput></screen>
 
       <para>Examples for the FreeBSD system as the server in
 	<filename>/etc/fstab</filename> on
 	<hostid>fastws</hostid>:</para>
 
       <programlisting>freebox:/sharedfs /project nfs rw,-w=1024 0 0</programlisting>
 
       <para>As a manual mount command on <hostid>fastws</hostid>:</para>
 
       <screen>&prompt.root; <userinput>mount -t nfs -o -w=1024 freebox:/sharedfs /project</userinput></screen>
 
       <para>Nearly any 16-bit Ethernet adapter will allow operation
 	without the above restrictions on the read or write size.</para>
 
       <para>For anyone who cares, here is what happens when the
 	failure occurs, which also explains why it is unrecoverable.
 	NFS typically works with a <quote>block</quote> size of
 	8&nbsp;K (though it may do fragments of smaller sizes).  Since
 	the maximum Ethernet packet is around 1500&nbsp;bytes, the NFS
 	<quote>block</quote> gets split into multiple Ethernet
 	packets, even though it is still a single unit to the
 	upper-level code, and must be received, assembled, and
 	<emphasis>acknowledged</emphasis> as a unit.  The
 	high-performance workstations can pump out the packets which
 	comprise the NFS unit one right after the other, just as close
 	together as the standard allows.  On the smaller, lower
 	capacity cards, the later packets overrun the earlier packets
 	of the same unit before they can be transferred to the host
 	and the unit as a whole cannot be reconstructed or
 	acknowledged.  As a result, the workstation will time out and
 	try again, but it will try again with the entire 8&nbsp;K
 	unit, and the process will be repeated, ad infinitum.</para>
 
       <para>By keeping the unit size below the Ethernet packet size
 	limitation, we ensure that any complete Ethernet packet
 	received can be acknowledged individually, avoiding the
 	deadlock situation.</para>
 
       <para>Overruns may still occur when a high-performance
 	workstations is slamming data out to a PC system, but with the
 	better cards, such overruns are not guaranteed on NFS
 	<quote>units</quote>.  When an overrun occurs, the units
 	affected will be retransmitted, and there will be a fair
 	chance that they will be received, assembled, and
 	acknowledged.</para>
     </sect2>
   </sect1>
 
   <sect1 id="network-nis">
     <sect1info>
       <authorgroup>
         <author>
           <firstname>Bill</firstname>
       	  <surname>Swingle</surname>
 	  <contrib>Written by </contrib>
          </author>
       </authorgroup>
       <authorgroup>
 	<author>
 	  <firstname>Eric</firstname>
 	  <surname>Ogren</surname>
 	  <contrib>Enhanced by </contrib>
 	</author>
 	<author>
 	  <firstname>Udo</firstname>
 	  <surname>Erdelhoff</surname>
 	</author>
       </authorgroup>
     </sect1info>
     <title>Network Information System (NIS/YP)</title>
 
     <sect2>
       <title>What Is It?</title>
       <indexterm><primary>NIS</primary></indexterm>
       <indexterm><primary>Solaris</primary></indexterm>
       <indexterm><primary>HP-UX</primary></indexterm>
       <indexterm><primary>AIX</primary></indexterm>
       <indexterm><primary>Linux</primary></indexterm>
       <indexterm><primary>NetBSD</primary></indexterm>
       <indexterm><primary>OpenBSD</primary></indexterm>
 
       <para><acronym role="Network Information System">NIS</acronym>,
         which stands for Network Information Services, was developed
         by Sun Microsystems to centralize administration of &unix;
         (originally &sunos;) systems.  It has now essentially become
         an industry standard; all major &unix; like systems
         (&solaris;, HP-UX, &aix;, Linux, NetBSD, OpenBSD, FreeBSD,
         etc) support <acronym role="Network Information
         System">NIS</acronym>.</para>
 
       <indexterm><primary>yellow pages</primary><see>NIS</see></indexterm>
 
       <para><acronym role="Network Information System">NIS</acronym>
 	was formerly known as Yellow Pages, but because of trademark
 	issues, Sun changed the name.  The old term (and yp) is still
 	often seen and used.</para>
 
       <indexterm>
         <primary>NIS</primary>
         <secondary>domains</secondary>
       </indexterm>
 
       <para>It is a RPC-based client/server system that allows a group
 	of machines within an NIS domain to share a common set of
 	configuration files.  This permits a system administrator to
 	set up NIS client systems with only minimal configuration data
 	and add, remove or modify configuration data from a single
 	location.</para>
 
       <indexterm><primary>Windows NT</primary></indexterm>
 
       <para>It is similar to the &windowsnt; domain system; although
         the internal implementation of the two are not at all similar,
         the basic functionality can be compared.</para>
     </sect2>
 
     <sect2>
       <title>Terms/Processes You Should Know</title>
 
       <para>There are several terms and several important user
         processes that you will come across when attempting to
         implement NIS on FreeBSD, whether you are trying to create an
         NIS server or act as an NIS client:</para>
 
       <indexterm>
 	<primary><application>portmap</application></primary>
       </indexterm>
 
       <informaltable frame="none" pgwide="1">
 	<tgroup cols="2">
 	<colspec colwidth="1*">
 	<colspec colwidth="3*">
 
 	  <thead>
 	    <row>
 	      <entry>Term</entry>
 	      <entry>Description</entry>
 	    </row>
 	  </thead>
 	  <tbody>
 	    <row>
 	      <entry>NIS domainname</entry>
 
 	      <entry>An NIS master server and all of its clients
 		(including its slave servers) have a NIS domainname.
 		Similar to an &windowsnt; domain name, the NIS
 		domainname does not have anything to do with
 		<acronym>DNS</acronym>.</entry>
 	    </row>
 	    <row>
 	      <entry><application>portmap</application></entry>
 
 	      <entry>Must be running in order to enable
 		<acronym>RPC</acronym> (Remote Procedure Call, a
 		network protocol used by NIS).  If
 		<application>portmap</application> is not running, it
 		will be impossible to run an NIS server, or to act as
 		an NIS client.</entry>
 	    </row>
 	    <row>
 	      <entry><application>ypbind</application></entry>
 
 	      <entry><quote>Binds</quote> an NIS client to its NIS
 		server.  It will take the NIS domainname from the
 		system, and using <acronym>RPC</acronym>, connect to
 		the server.  <application>ypbind</application> is the
 		core of client-server communication in an NIS
 		environment; if <application>ypbind</application> dies
 		on a client machine, it will not be able to access the
 		NIS server.</entry>
 	    </row>
 	    <row>
 	      <entry><application>ypserv</application></entry>
 	      <entry>Should only be running on NIS servers; this is
 		the NIS server process itself.  If &man.ypserv.8;
 		dies, then the server will no longer be able to
 		respond to NIS requests (hopefully, there is a slave
 		server to take over for it).  There are some
 		implementations of NIS (but not the FreeBSD one), that
 		do not try to reconnect to another server if the
 		server it used before dies.  Often, the only thing
 		that helps in this case is to restart the server
 		process (or even the whole server) or the
 		<application>ypbind</application> process on the
 		client.
 	      </entry>
 	    </row>
 	    <row>
 	      <entry><application>rpc.yppasswdd</application></entry>
 	      <entry>Another process that should only be running on
 		NIS master servers; this is a daemon that will allow NIS
 		clients to change their NIS passwords.  If this daemon
 		is not running, users will have to login to the NIS
 		master server and change their passwords there.</entry>
 	    </row>
 	  </tbody>
 	</tgroup>
       </informaltable>
       <!-- XXX Missing: rpc.ypxfrd (not important, though) May only run
       on the master -->
 
     </sect2>
 
     <sect2>
       <title>How Does It Work?</title>
 
       <para>There are three types of hosts in an NIS environment:
 	master servers, slave servers, and clients.  Servers act as a
 	central repository for host configuration information.  Master
 	servers hold the authoritative copy of this information, while
 	slave servers mirror this information for redundancy.  Clients
 	rely on the servers to provide this information to
 	them.</para>
 
       <para>Information in many files can be shared in this manner.
 	The <filename>master.passwd</filename>,
 	<filename>group</filename>, and <filename>hosts</filename>
 	files are commonly shared via NIS.  Whenever a process on a
 	client needs information that would normally be found in these
 	files locally, it makes a query to the NIS server that it is
 	bound to instead.</para>
 
       <sect3>
         <title>Machine Types</title>
 
         <itemizedlist>
 	  <indexterm>
 	    <primary>NIS</primary>
 	    <secondary>master server</secondary>
 	  </indexterm>
           <listitem>
             <para>A <emphasis>NIS master server</emphasis>.  This
               server, analogous to a &windowsnt; primary domain
               controller, maintains the files used by all of the NIS
               clients.  The <filename>passwd</filename>,
               <filename>group</filename>, and other various files used
               by the NIS clients live on the master server.</para>
 
             <note><para>It is possible for one machine to be an NIS
               master server for more than one NIS domain.  However,
               this will not be covered in this introduction, which
               assumes a relatively small-scale NIS
               environment.</para></note>
           </listitem>
 	  <indexterm>
 	    <primary>NIS</primary>
 	    <secondary>slave server</secondary>
 	  </indexterm>
           <listitem>
             <para><emphasis>NIS slave servers</emphasis>.  Similar to
               the &windowsnt; backup domain controllers, NIS slave
               servers maintain copies of the NIS master's data files.
               NIS slave servers provide the redundancy, which is
               needed in important environments.  They also help to
               balance the load of the master server: NIS Clients
               always attach to the NIS server whose response they get
               first, and this includes slave-server-replies.</para>
           </listitem>
 	  <indexterm>
 	    <primary>NIS</primary>
 	    <secondary>client</secondary>
 	  </indexterm>
           <listitem>
             <para><emphasis>NIS clients</emphasis>.  NIS clients, like
               most &windowsnt; workstations, authenticate against the
               NIS server (or the &windowsnt; domain controller in the
               &windowsnt; workstations case) to log on.</para>
           </listitem>
         </itemizedlist>
       </sect3>
     </sect2>
 
     <sect2>
       <title>Using NIS/YP</title>
 
       <para>This section will deal with setting up a sample NIS
         environment.</para>
 
       <note><para>This section assumes that you are running
         FreeBSD&nbsp;3.3 or later.  The instructions given here will
         <emphasis>probably</emphasis> work for any version of FreeBSD
         greater than 3.0, but there are no guarantees that this is
         true.</para></note>
 
 
       <sect3>
         <title>Planning</title>
 
         <para>Let us assume that you are the administrator of a small
           university lab.  This lab, which consists of 15 FreeBSD
           machines, currently has no centralized point of
           administration; each machine has its own
           <filename>/etc/passwd</filename> and
           <filename>/etc/master.passwd</filename>.  These files are
           kept in sync with each other only through manual
           intervention; currently, when you add a user to the lab, you
           must run <command>adduser</command> on all 15 machines.
           Clearly, this has to change, so you have decided to convert
           the lab to use NIS, using two of the machines as
           servers.</para>
 
         <para>Therefore, the configuration of the lab now looks something
           like:</para>
 
-        <informaltable frame="none">
+        <informaltable frame="none" pgwide="1">
           <tgroup cols="3">
             <thead>
               <row>
                 <entry>Machine name</entry>
                 <entry>IP address</entry>
                 <entry>Machine role</entry>
               </row>
             </thead>
             <tbody>
               <row>
                 <entry><hostid>ellington</hostid></entry>
                 <entry><hostid role="ipaddr">10.0.0.2</hostid></entry>
                 <entry>NIS master</entry>
               </row>
               <row>
                 <entry><hostid>coltrane</hostid></entry>
                 <entry><hostid role="ipaddr">10.0.0.3</hostid></entry>
                 <entry>NIS slave</entry>
               </row>
               <row>
                 <entry><hostid>basie</hostid></entry>
                 <entry><hostid role="ipaddr">10.0.0.4</hostid></entry>
                 <entry>Faculty workstation</entry>
               </row>
               <row>
                 <entry><hostid>bird</hostid></entry>
                 <entry><hostid role="ipaddr">10.0.0.5</hostid></entry>
                 <entry>Client machine</entry>
               </row>
               <row>
                 <entry><hostid>cli[1-11]</hostid></entry>
                 <entry><hostid role="ipaddr">10.0.0.[6-17]</hostid></entry>
                 <entry>Other client machines</entry>
               </row>
             </tbody>
           </tgroup>
         </informaltable>
 
         <para>If you are setting up a NIS scheme for the first time, it
 	  is a good idea to think through how you want to go about it.  No
 	  matter what the size of your network, there are a few decisions
 	  that need to be made.</para>
 
         <sect4>
           <title>Choosing a NIS Domain Name</title>
 
 	  <indexterm>
 	    <primary>NIS</primary>
 	    <secondary>domainname</secondary>
 	  </indexterm>
           <para>This might not be the <quote>domainname</quote> that
 	    you are used to.  It is more accurately called the
 	    <quote>NIS domainname</quote>.  When a client broadcasts
 	    its requests for info, it includes the name of the NIS
 	    domain that it is part of.  This is how multiple servers
 	    on one network can tell which server should answer which
 	    request.  Think of the NIS domainname as the name for a
 	    group of hosts that are related in some way.</para>
 
 	  <para>Some organizations choose to use their Internet
 	    domainname for their NIS domainname.  This is not
 	    recommended as it can cause confusion when trying to debug
 	    network problems.  The NIS domainname should be unique
 	    within your network and it is helpful if it describes the
 	    group of machines it represents.  For example, the Art
 	    department at Acme Inc. might be in the
 	    <quote>acme-art</quote> NIS domain.  For this example,
 	    assume you have chosen the name
 	    <literal>test-domain</literal>.</para>
 
 	  <indexterm><primary>SunOS</primary></indexterm>
           <para>However, some operating systems (notably &sunos;) use
           their NIS domain name as their Internet domain name.  If one
           or more machines on your network have this restriction, you
           <emphasis>must</emphasis> use the Internet domain name as
           your NIS domain name.</para>
         </sect4>
 
         <sect4>
           <title>Physical Server Requirements</title>
 
 	  <para>There are several things to keep in mind when choosing
 	    a machine to use as a NIS server.  One of the unfortunate
 	    things about NIS is the level of dependency the clients
 	    have on the server.  If a client cannot contact the server
 	    for its NIS domain, very often the machine becomes
 	    unusable.  The lack of user and group information causes
 	    most systems to temporarily freeze up.  With this in mind
 	    you should make sure to choose a machine that will not be
 	    prone to being rebooted regularly, or one that might be
 	    used for development.  The NIS server should ideally be a
 	    stand alone machine whose sole purpose in life is to be an
 	    NIS server.  If you have a network that is not very
 	    heavily used, it is acceptable to put the NIS server on a
 	    machine running other services, just keep in mind that if
 	    the NIS server becomes unavailable, it will affect
 	    <emphasis>all</emphasis> of your NIS clients
 	    adversely.</para>
         </sect4>
       </sect3>
 
       <sect3>
         <title>NIS Servers</title>
 
 	<para> The canonical copies of all NIS information are stored
 	  on a single machine called the NIS master server.  The
 	  databases used to store the information are called NIS maps.
 	  In FreeBSD, these maps are stored in
 	  <filename>/var/yp/[domainname]</filename> where
 	  <filename>[domainname]</filename> is the name of the NIS
 	  domain being served.  A single NIS server can support
 	  several domains at once, therefore it is possible to have
 	  several such directories, one for each supported domain.
 	  Each domain will have its own independent set of
 	  maps.</para>
 
 	<para>NIS master and slave servers handle all NIS requests
 	  with the <command>ypserv</command> daemon.
 	  <command>ypserv</command> is responsible for receiving
 	  incoming requests from NIS clients, translating the
 	  requested domain and map name to a path to the corresponding
 	  database file and transmitting data from the database back
 	  to the client.</para>
 
         <sect4>
 	  <title>Setting Up a NIS Master Server</title>
 	  <indexterm>
 	    <primary>NIS</primary>
 	    <secondary>server configuration</secondary>
 	  </indexterm>
 	  <para>Setting up a master NIS server can be relatively
 	    straight forward, depending on your needs.  FreeBSD comes
 	    with support for NIS out-of-the-box.  All you need is to
 	    add the following lines to
 	    <filename>/etc/rc.conf</filename>, and FreeBSD will do the
 	    rest for you.</para>
 
           <procedure>
             <step>
               <para><programlisting>nisdomainname="test-domain"</programlisting>
                 This line will set the NIS domainname to
                 <literal>test-domain</literal>
                 upon network setup (e.g. after reboot).</para>
             </step>
             <step>
               <para><programlisting>nis_server_enable="YES"</programlisting>
                 This will tell FreeBSD to start up the NIS server processes
                 when the networking is next brought up.</para>
             </step>
             <step>
               <para><programlisting>nis_yppasswdd_enable="YES"</programlisting>
                 This will enable the <command>rpc.yppasswdd</command>
                 daemon which, as mentioned above, will allow users to
                 change their NIS password from a client machine.</para>
             </step>
           </procedure>
 
           <note>
             <para>Depending on your NIS setup, you may need to add
               further entries.  See the <link
               linkend="network-nis-server-is-client">section about NIS
               servers that are also NIS clients</link>, below, for
               details.</para>
           </note>
 
           <para>Now, all you have to do is to run the command
             <command>/etc/netstart</command> as superuser.  It will
             set up everything for you, using the values you defined in
             <filename>/etc/rc.conf</filename>.</para>
         </sect4>
 
         <sect4>
           <title>Initializing the NIS Maps</title>
           <indexterm>
             <primary>NIS</primary>
             <secondary>maps</secondary>
           </indexterm>
           <para>The <emphasis>NIS maps</emphasis> are database files,
             that are kept in the <filename>/var/yp</filename>
             directory.  They are generated from configuration files in
             the <filename>/etc</filename> directory of the NIS master,
             with one exception: the
             <filename>/etc/master.passwd</filename> file.  This is for
             a good reason, you do not want to propagate passwords to
             your <username>root</username> and other administrative
             accounts to all the servers in the NIS domain.  Therefore,
             before we initialize the NIS maps, you should:</para>
 
           <screen>&prompt.root; <userinput>cp /etc/master.passwd /var/yp/master.passwd</userinput>
 &prompt.root; <userinput>cd /var/yp</userinput>
 &prompt.root; <userinput>vi master.passwd</userinput></screen>
 
           <para>You should remove all entries regarding system
             accounts (<username>bin</username>,
             <username>tty</username>, <username>kmem</username>,
             <username>games</username>, etc), as well as any accounts
             that you do not want to be propagated to the NIS clients
             (for example <username>root</username> and any other UID 0
             (superuser) accounts).</para>
 
           <note><para>Make sure the
             <filename>/var/yp/master.passwd</filename> is neither group
             nor world readable (mode 600)!  Use the
             <command>chmod</command> command, if appropriate.</para></note>
 
 	  <indexterm><primary>Tru64 UNIX</primary></indexterm>
 
           <para>When you have finished, it is time to initialize the
             NIS maps!  FreeBSD includes a script named
             <command>ypinit</command> to do this for you (see its
             manual page for more information).  Note that this script
             is available on most &unix; Operating Systems, but not on
             all.  On Digital UNIX/Compaq Tru64 UNIX it is called
             <command>ypsetup</command>.  Because we are generating
             maps for an NIS master, we are going to pass the
             <option>-m</option> option to <command>ypinit</command>.
             To generate the NIS maps, assuming you already performed
             the steps above, run:</para>
 
           <screen>ellington&prompt.root; <userinput>ypinit -m test-domain</userinput>
 Server Type: MASTER Domain: test-domain
 Creating an YP server will require that you answer a few questions.
 Questions will all be asked at the beginning of the procedure.
 Do you want this procedure to quit on non-fatal errors? [y/n: n] <userinput>n</userinput>
 Ok, please remember to go back and redo manually whatever fails.
 If you don't, something might not work.
 At this point, we have to construct a list of this domains YP servers.
 rod.darktech.org is already known as master server.
 Please continue to add any slave servers, one per line. When you are
 done with the list, type a &lt;control D&gt;.
 master server   :  ellington
 next host to add:  <userinput>coltrane</userinput>
 next host to add:  <userinput>^D</userinput>
 The current list of NIS servers looks like this:
 ellington
 coltrane
 Is this correct?  [y/n: y] <userinput>y</userinput>
 
 [..output from map generation..]
 
 NIS Map update completed.
 ellington has been setup as an YP master server without any errors.</screen>
 
           <para><command>ypinit</command> should have created
             <filename>/var/yp/Makefile</filename> from
             <filename>/var/yp/Makefile.dist</filename>.
             When created, this file assumes that you are operating
             in a single server NIS environment with only FreeBSD
             machines.  Since <literal>test-domain</literal> has
             a slave server as well, you must edit
             <filename>/var/yp/Makefile</filename>:</para>
 
           <screen>ellington&prompt.root; <userinput>vi /var/yp/Makefile</userinput></screen>
 
 	  <para>You should comment out the line that says</para>
 
 	  <programlisting>NOPUSH = "True"</programlisting>
 
 	  <para>(if it is not commented out already).</para>
         </sect4>
 
         <sect4>
 	  <title>Setting up a NIS Slave Server</title>
 	  <indexterm>
 	    <primary>NIS</primary>
 	    <secondary>slave server</secondary>
 	  </indexterm>
 	  <para>Setting up an NIS slave server is even more simple than
 	    setting up the master.  Log on to the slave server and edit the
             file <filename>/etc/rc.conf</filename> as you did before.
             The only difference is that we now must use the
             <option>-s</option> option when running <command>ypinit</command>.
             The <option>-s</option> option requires the name of the NIS
             master be passed to it as well, so our command line looks
             like:</para>
 
   <screen>coltrane&prompt.root; <userinput>ypinit -s ellington test-domain</userinput>
 
 Server Type: SLAVE Domain: test-domain Master: ellington
 
 Creating an YP server will require that you answer a few questions.
 Questions will all be asked at the beginning of the procedure.
 
 Do you want this procedure to quit on non-fatal errors? [y/n: n]  <userinput>n</userinput>
 
 Ok, please remember to go back and redo manually whatever fails.
 If you don't, something might not work.
 There will be no further questions. The remainder of the procedure
 should take a few minutes, to copy the databases from ellington.
 Transferring netgroup...
 ypxfr: Exiting: Map successfully transferred
 Transferring netgroup.byuser...
 ypxfr: Exiting: Map successfully transferred
 Transferring netgroup.byhost...
 ypxfr: Exiting: Map successfully transferred
 Transferring master.passwd.byuid...
 ypxfr: Exiting: Map successfully transferred
 Transferring passwd.byuid...
 ypxfr: Exiting: Map successfully transferred
 Transferring passwd.byname...
 ypxfr: Exiting: Map successfully transferred
 Transferring group.bygid...
 ypxfr: Exiting: Map successfully transferred
 Transferring group.byname...
 ypxfr: Exiting: Map successfully transferred
 Transferring services.byname...
 ypxfr: Exiting: Map successfully transferred
 Transferring rpc.bynumber...
 ypxfr: Exiting: Map successfully transferred
 Transferring rpc.byname...
 ypxfr: Exiting: Map successfully transferred
 Transferring protocols.byname...
 ypxfr: Exiting: Map successfully transferred
 Transferring master.passwd.byname...
 ypxfr: Exiting: Map successfully transferred
 Transferring networks.byname...
 ypxfr: Exiting: Map successfully transferred
 Transferring networks.byaddr...
 ypxfr: Exiting: Map successfully transferred
 Transferring netid.byname...
 ypxfr: Exiting: Map successfully transferred
 Transferring hosts.byaddr...
 ypxfr: Exiting: Map successfully transferred
 Transferring protocols.bynumber...
 ypxfr: Exiting: Map successfully transferred
 Transferring ypservers...
 ypxfr: Exiting: Map successfully transferred
 Transferring hosts.byname...
 ypxfr: Exiting: Map successfully transferred
 
 coltrane has been setup as an YP slave server without any errors.
 Don't forget to update map ypservers on ellington.</screen>
 
 	  <para>You should now have a directory called
 	    <filename>/var/yp/test-domain</filename>.  Copies of the NIS
 	    master server's maps should be in this directory.  You will
 	    need to make sure that these stay updated.  The following
 	    <filename>/etc/crontab</filename> entries on your slave
 	    servers should do the job:</para>
 
 	  <programlisting>20      *       *       *       *       root   /usr/libexec/ypxfr passwd.byname
 21      *       *       *       *       root   /usr/libexec/ypxfr passwd.byuid</programlisting>
 
 	  <para>These two lines force the slave to sync its maps with
 	    the maps on the master server.  Although these entries are
 	    not mandatory, since the master server attempts to ensure
 	    any changes to its NIS maps are communicated to its slaves
 	    and because password information is vital to systems
 	    depending on the server, it is a good idea to force the
 	    updates.  This is more important on busy networks where map
 	    updates might not always complete.</para>
 
           <para>Now, run the command <command>/etc/netstart</command> on the
             slave server as well, which again starts the NIS server.</para>
 	</sect4>
       </sect3>
 
       <sect3>
         <title>NIS Clients</title>
 
 	<para> An NIS client establishes what is called a binding to a
 	  particular NIS server using the
 	  <command>ypbind</command> daemon.
 	  <command>ypbind</command> checks the system's default
 	  domain (as set by the <command>domainname</command> command),
 	  and begins broadcasting RPC requests on the local network.
 	  These requests specify the name of the domain for which
 	  <command>ypbind</command> is attempting to establish a binding.
 	  If a server that has been configured to serve the requested
 	  domain receives one of the broadcasts, it will respond to
 	  <command>ypbind</command>,  which will record the server's
 	  address.  If there are several servers available (a master and
 	  several slaves, for example), <command>ypbind</command> will
 	  use the address of the first one to respond.  From that point
 	  on, the client system will direct all of its NIS requests to
 	  that server.  <command>ypbind</command> will
 	  occasionally <quote>ping</quote> the server to make sure it is
 	  still up and running.  If it fails to receive a reply to one of
 	  its pings within a reasonable amount of time,
 	  <command>ypbind</command> will mark the domain as unbound and
 	  begin broadcasting again in the hopes of locating another
 	  server.</para>
 
 	<sect4>
 	  <title>Setting Up a NIS Client</title>
 	  <indexterm>
 	    <primary>NIS</primary>
 	    <secondary>client configuration</secondary>
 	  </indexterm>
 	  <para>Setting up a FreeBSD machine to be a NIS client is fairly
 	    straightforward.</para>
 
 	  <procedure>
 	    <step>
 	      <para>Edit the file <filename>/etc/rc.conf</filename> and
                 add the following lines in order to set the NIS domainname
                 and start <command>ypbind</command> upon network
                 startup:</para>
 
 	      <programlisting>nisdomainname="test-domain"
 nis_client_enable="YES"</programlisting>
 	    </step>
 
 	    <step>
 	      <para>To import all possible password entries from the NIS
 		server, remove all user accounts from your
 		<filename>/etc/master.passwd</filename> file and use
 		<command>vipw</command> to add the following line to
                 the end of the file:</para>
 
 	      <programlisting>+:::::::::</programlisting>
 
 	      <note>
 		<para>This line will afford anyone with a valid account in
 		  the NIS server's password maps an account.  There are
 		  many ways to configure your NIS client by changing this
 		  line.  See the <link linkend="network-netgroups">netgroups
 		  section</link> below for more information.
                   For more detailed reading see O'Reilly's book on
 		  <literal>Managing NFS and NIS</literal>.</para>
 	      </note>
 
               <note>
                 <para>You should keep at least one local account (i.e.
                   not imported via NIS) in your
                   <filename>/etc/master.passwd</filename> and this
                   account should also be a member of the group
                   <groupname>wheel</groupname>.  If there is something
                   wrong with NIS, this account can be used to log in
                   remotely, become <username>root</username>, and fix things.</para>
               </note>
             </step>
 
 	    <step>
 	      <para>To import all possible group entries from the NIS
 		server, add this line to your
 		<filename>/etc/group</filename> file:</para>
 
 	      <programlisting>+:*::</programlisting>
 	    </step>
 	  </procedure>
 
 	  <para>After completing these steps, you should be able to run
 	    <command>ypcat passwd</command> and see the NIS server's
 	    passwd map.</para>
 	</sect4>
       </sect3>
     </sect2>
 
     <sect2>
       <title>NIS Security</title>
 
       <para>In general, any remote user can issue an RPC to
 	&man.ypserv.8; and retrieve the contents of your NIS maps,
 	provided the remote user knows your domainname.  To prevent
 	such unauthorized transactions, &man.ypserv.8; supports a
 	feature called <quote>securenets</quote> which can be used to
 	restrict access to a given set of hosts.  At startup,
 	&man.ypserv.8; will attempt to load the securenets information
 	from a file called
 	<filename>/var/yp/securenets</filename>.</para>
 
       <note>
 	<para>This path varies depending on the path specified with the
 	  <option>-p</option> option.  This file contains entries that
 	  consist of a network specification and a network mask separated
 	  by white space.  Lines starting with <quote>#</quote> are
 	  considered to be comments.  A sample securenets file might look
 	  like this:</para>
       </note>
 
       <programlisting># allow connections from local host -- mandatory
 127.0.0.1     255.255.255.255
 # allow connections from any host
 # on the 192.168.128.0 network
 192.168.128.0 255.255.255.0
 # allow connections from any host
 # between 10.0.0.0 to 10.0.15.255
 # this includes the machines in the testlab
 10.0.0.0      255.255.240.0</programlisting>
 
       <para>If &man.ypserv.8; receives a request from an address that
 	matches one of these rules, it will process the request
 	normally.  If the address fails to match a rule, the request
 	will be ignored and a warning message will be logged.  If the
 	<filename>/var/yp/securenets</filename> file does not exist,
 	<command>ypserv</command> will allow connections from any
 	host.</para>
 
       <para>The <command>ypserv</command> program also has support for
 	Wietse Venema's <application>tcpwrapper</application> package.
 	This allows the administrator to use the
 	<application>tcpwrapper</application> configuration files for
 	access control instead of
 	<filename>/var/yp/securenets</filename>.</para>
 
       <note>
         <para>While both of these access control mechanisms provide some
           security, they, like the privileged port test, are
           vulnerable to <quote>IP spoofing</quote> attacks.  All
           NIS-related traffic should be blocked at your firewall.</para>
 
         <para>Servers using <filename>/var/yp/securenets</filename>
           may fail to serve legitimate NIS clients with archaic TCP/IP
           implementations.  Some of these implementations set all
           host bits to zero when doing broadcasts and/or fail to
           observe the subnet mask when calculating the broadcast
           address.  While some of these problems can be fixed by
           changing the client configuration, other problems may force
           the retirement of the client systems in question or the
           abandonment of <filename>/var/yp/securenets</filename>.</para>
 
         <para>Using <filename>/var/yp/securenets</filename> on a
           server with such an archaic implementation of TCP/IP is a
           really bad idea and will lead to loss of NIS functionality
           for large parts of your network.</para>
 
 	<indexterm><primary>tcpwrapper</primary></indexterm>
         <para>The use of the <application>tcpwrapper</application>
           package increases the latency of your NIS server.  The
           additional delay may be long enough to cause timeouts in
           client programs, especially in busy networks or with slow
           NIS servers.  If one or more of your client systems
           suffers from these symptoms, you should convert the client
           systems in question into NIS slave servers and force them
           to bind to themselves.</para>
       </note>
     </sect2>
 
     <sect2>
       <title>Barring Some Users from Logging On</title>
 
       <para>In our lab, there is a machine <hostid>basie</hostid> that
         is supposed to be a faculty only workstation.  We do not want
         to take this machine out of the NIS domain, yet the
         <filename>passwd</filename> file on the master NIS server
         contains accounts for both faculty and students.  What can we
         do?</para>
 
       <para>There is a way to bar specific users from logging on to a
         machine, even if they are present in the NIS database.  To do
         this, all you must do is add
         <literal>-<replaceable>username</replaceable></literal> to the
         end of the <filename>/etc/master.passwd</filename> file on the
         client machine, where <replaceable>username</replaceable> is
         the username of the user you wish to bar from logging in.
         This should preferably be done using <command>vipw</command>,
         since <command>vipw</command> will sanity check your changes
         to <filename>/etc/master.passwd</filename>, as well as
         automatically rebuild the password database when you finish
         editing.  For example, if we wanted to bar user
         <username>bill</username> from logging on to
         <hostid>basie</hostid> we would:</para>
 
         <screen>basie&prompt.root; <userinput>vipw</userinput>
 <userinput>[add -bill to the end, exit]</userinput>
 vipw: rebuilding the database...
 vipw: done
 
 basie&prompt.root; <userinput>cat /etc/master.passwd</userinput>
 
 root:[password]:0:0::0:0:The super-user:/root:/bin/csh
 toor:[password]:0:0::0:0:The other super-user:/root:/bin/sh
 daemon:*:1:1::0:0:Owner of many system processes:/root:/sbin/nologin
 operator:*:2:5::0:0:System &:/:/sbin/nologin
 bin:*:3:7::0:0:Binaries Commands and Source,,,:/:/sbin/nologin
 tty:*:4:65533::0:0:Tty Sandbox:/:/sbin/nologin
 kmem:*:5:65533::0:0:KMem Sandbox:/:/sbin/nologin
 games:*:7:13::0:0:Games pseudo-user:/usr/games:/sbin/nologin
 news:*:8:8::0:0:News Subsystem:/:/sbin/nologin
 man:*:9:9::0:0:Mister Man Pages:/usr/share/man:/sbin/nologin
 bind:*:53:53::0:0:Bind Sandbox:/:/sbin/nologin
 uucp:*:66:66::0:0:UUCP pseudo-user:/var/spool/uucppublic:/usr/libexec/uucp/uucico
 xten:*:67:67::0:0:X-10 daemon:/usr/local/xten:/sbin/nologin
 pop:*:68:6::0:0:Post Office Owner:/nonexistent:/sbin/nologin
 nobody:*:65534:65534::0:0:Unprivileged user:/nonexistent:/sbin/nologin
 +:::::::::
 -bill
 
 basie&prompt.root;</screen>
     </sect2>
 
     <sect2 id="network-netgroups">
       <sect2info>
         <authorgroup>
           <author>
             <firstname>Udo</firstname>
             <surname>Erdelhoff</surname>
             <contrib>Contributed by </contrib>
           </author>
         </authorgroup>
       </sect2info>
 
       <title>Using Netgroups</title>
       <indexterm><primary>netgroups</primary></indexterm>
 
       <para>The method shown in the previous section works reasonably
         well if you need special rules for a very small number of
         users and/or machines.  On larger networks, you
         <emphasis>will</emphasis> forget to bar some users from logging
         onto sensitive machines, or you may even have to modify each
         machine separately, thus losing the main benefit of NIS:
         <emphasis>centralized</emphasis> administration.</para>
 
       <para>The NIS developers' solution for this problem is called
         <emphasis>netgroups</emphasis>.  Their purpose and semantics
         can be compared to the normal groups used by &unix; file
         systems.  The main differences are the lack of a numeric ID
         and the ability to define a netgroup by including both user
         accounts and other netgroups.</para>
 
       <para>Netgroups were developed to handle large, complex networks
         with hundreds of users and machines.  On one hand, this is
         a Good Thing if you are forced to deal with such a situation.
         On the other hand, this complexity makes it almost impossible to
         explain netgroups with really simple examples.  The example
         used in the remainder of this section demonstrates this
         problem.</para>
 
       <para>Let us assume that your successful introduction of NIS in
         your laboratory caught your superiors' interest.  Your next
         job is to extend your NIS domain to cover some of the other
         machines on campus.  The two tables contain the names of the
         new users and new machines as well as brief descriptions of
         them.</para>
 
-      <informaltable frame="none">
+      <informaltable frame="none" pgwide="1">
         <tgroup cols="2">
           <thead>
             <row>
               <entry>User Name(s)</entry>
               <entry>Description</entry>
             </row>
           </thead>
 
           <tbody>
             <row>
               <entry><username>alpha</username>, <username>beta</username></entry>
               <entry>Normal employees of the IT department</entry>
             </row>
 
             <row>
               <entry><username>charlie</username>, <username>delta</username></entry>
               <entry>The new apprentices of the IT department</entry>
             </row>
 
             <row>
               <entry><username>echo</username>, <username>foxtrott</username>, <username>golf</username>, ...</entry>
               <entry>Ordinary employees</entry>
             </row>
 
             <row>
               <entry><username>able</username>, <username>baker</username>, ...</entry>
               <entry>The current interns</entry>
             </row>
           </tbody>
         </tgroup>
       </informaltable>
 
-      <informaltable frame="none">
+      <informaltable frame="none" pgwide="1">
         <tgroup cols="2">
           <thead>
             <row>
               <entry>Machine Name(s)</entry>
               <entry>Description</entry>
             </row>
           </thead>
 
           <tbody>
             <row>
               <!--  Names taken from "Good Omens" by Neil Gaiman and Terry
                     Pratchett.  Many thanks for a brilliant book.  -->
 
               <entry><hostid>war</hostid>, <hostid>death</hostid>,
               <hostid>famine</hostid>,
               <hostid>pollution</hostid></entry>
               <entry>Your most important servers.  Only the IT
                 employees are allowed to log onto these
                 machines.</entry>
             </row>
             <row>
               <!-- gluttony was omitted because it was too fat -->
 
               <entry><hostid>pride</hostid>, <hostid>greed</hostid>,
               <hostid>envy</hostid>, <hostid>wrath</hostid>,
               <hostid>lust</hostid>, <hostid>sloth</hostid></entry>
               <entry>Less important servers.  All members of the IT
               department are allowed to login onto these
               machines.</entry>
             </row>
 
             <row>
               <entry><hostid>one</hostid>, <hostid>two</hostid>,
                 <hostid>three</hostid>, <hostid>four</hostid>,
                 ...</entry>
 
               <entry>Ordinary workstations.  Only the
                 <emphasis>real</emphasis> employees are allowed to use
                 these machines.</entry>
             </row>
 
             <row>
               <entry><hostid>trashcan</hostid></entry>
               <entry>A very old machine without any critical data.
                 Even the intern is allowed to use this box.</entry>
             </row>
           </tbody>
         </tgroup>
       </informaltable>
 
       <para>If you tried to implement these restrictions by separately
         blocking each user, you would have to add one
         <literal>-<replaceable>user</replaceable></literal> line to
         each system's <filename>passwd</filename> for each user who is
         not allowed to login onto that system.  If you forget just one
         entry, you could be in trouble.  It may be feasible to do this
         correctly during the initial setup, however you
         <emphasis>will</emphasis> eventually forget to add the lines
         for new users during day-to-day operations.  After all, Murphy
         was an optimist.</para>
 
       <para>Handling this situation with netgroups offers several
         advantages.  Each user need not be handled separately; you
         assign a user to one or more netgroups and allow or forbid
         logins for all members of the netgroup.  If you add a new
         machine, you will only have to define login restrictions for
         netgroups.  If a new user is added, you will only have to add
         the user to one or more netgroups.  Those changes are
         independent of each other: no more <quote>for each combination
         of user and machine do...</quote> If your NIS setup is planned
         carefully, you will only have to modify exactly one central
         configuration file to grant or deny access to machines.</para>
 
       <para>The first step is the initialization of the NIS map
         netgroup.  FreeBSD's &man.ypinit.8; does not create this map by
         default, but its NIS implementation will support it once it has
         been created.  To create an empty map, simply type</para>
 
       <screen>ellington&prompt.root; <userinput>vi /var/yp/netgroup</userinput></screen>
 
       <para>and start adding content.  For our example, we need at
          least four netgroups: IT employees, IT apprentices, normal
          employees and interns.</para>
 
       <programlisting>IT_EMP  (,alpha,test-domain)    (,beta,test-domain)
 IT_APP  (,charlie,test-domain)  (,delta,test-domain)
 USERS   (,echo,test-domain)     (,foxtrott,test-domain) \
         (,golf,test-domain)
 INTERNS (,able,test-domain)     (,baker,test-domain)</programlisting>
 
       <para><literal>IT_EMP</literal>, <literal>IT_APP</literal> etc.
         are the names of the netgroups.  Each bracketed group adds
         one or more user accounts to it.  The three fields inside a
         group are:</para>
 
       <orderedlist>
         <listitem>
           <para>The name of the host(s) where the following items are
             valid.  If you do not specify a hostname, the entry is
             valid on all hosts.  If you do specify a hostname, you
             will enter a realm of darkness, horror and utter confusion.</para>
         </listitem>
 
         <listitem>
           <para>The name of the account that belongs to this
             netgroup.</para>
         </listitem>
 
         <listitem>
           <para>The NIS domain for the account.  You can import
             accounts from other NIS domains into your netgroup if you
             are one of the unlucky fellows with more than one NIS
             domain.</para>
         </listitem>
       </orderedlist>
 
       <para>Each of these fields can contain wildcards.  See
         &man.netgroup.5; for details.</para>
 
       <note>
         <indexterm><primary>netgroups</primary></indexterm>
         <para>Netgroup names longer than 8 characters should not be
           used, especially if you have machines running other
           operating systems within your NIS domain.  The names are
           case sensitive; using capital letters for your netgroup
           names is an easy way to distinguish between user, machine
           and netgroup names.</para>
 
         <para>Some NIS clients (other than FreeBSD) cannot handle
           netgroups with a large number of entries.  For example, some
           older versions of &sunos; start to cause trouble if a netgroup
           contains more than 15 <emphasis>entries</emphasis>.  You can
           circumvent this limit by creating several sub-netgroups with
           15 users or less and a real netgroup that consists of the
           sub-netgroups:</para>
 
         <programlisting>BIGGRP1  (,joe1,domain)  (,joe2,domain)  (,joe3,domain) [...]
 BIGGRP2  (,joe16,domain)  (,joe17,domain) [...]
 BIGGRP3  (,joe31,domain)  (,joe32,domain)
 BIGGROUP  BIGGRP1 BIGGRP2 BIGGRP3</programlisting>
 
         <para>You can repeat this process if you need more than 225
           users within a single netgroup.</para>
       </note>
 
       <para>Activating and distributing your new NIS map is
         easy:</para>
 
       <screen>ellington&prompt.root; <userinput>cd /var/yp</userinput>
 ellington&prompt.root; <userinput>make</userinput></screen>
 
       <para>This will generate the three NIS maps
         <filename>netgroup</filename>,
         <filename>netgroup.byhost</filename> and
         <filename>netgroup.byuser</filename>.  Use &man.ypcat.1; to
         check if your new NIS maps are available:</para>
 
       <screen>ellington&prompt.user; <userinput>ypcat -k netgroup</userinput>
 ellington&prompt.user; <userinput>ypcat -k netgroup.byhost</userinput>
 ellington&prompt.user; <userinput>ypcat -k netgroup.byuser</userinput></screen>
 
       <para>The output of the first command should resemble the
         contents of <filename>/var/yp/netgroup</filename>.  The second
         command will not produce output if you have not specified
         host-specific netgroups.  The third command can be used to
         get the list of netgroups for a user.</para>
 
       <para>The client setup is quite simple.  To configure the server
         <hostid>war</hostid>, you only have to start
         &man.vipw.8; and replace the line</para>
 
       <programlisting>+:::::::::</programlisting>
 
       <para>with</para>
 
       <programlisting>+@IT_EMP:::::::::</programlisting>
 
       <para>Now, only the data for the users defined in the netgroup
         <literal>IT_EMP</literal> is imported into
         <hostid>war</hostid>'s password database and only
         these users are allowed to login.</para>
 
       <para>Unfortunately, this limitation also applies to the
 	<literal>~</literal> function of the shell and all routines
 	converting between user names and numerical user IDs.  In
 	other words, <command>cd
 	~<replaceable>user</replaceable></command> will not work,
 	<command>ls -l</command> will show the numerical ID instead of
 	the username and <command>find . -user joe -print</command>
 	will fail with <errorname>No such user</errorname>.  To fix
 	this, you will have to import all user entries
 	<emphasis>without allowing them to login onto your
 	servers</emphasis>.</para>
 
       <para>This can be achieved by adding another line to
         <filename>/etc/master.passwd</filename>.  This line should
         contain:</para>
 
       <para><literal>+:::::::::/sbin/nologin</literal>, meaning
         <quote>Import all entries but replace the shell with
         <filename>/sbin/nologin</filename> in the imported
         entries</quote>.  You can replace any field in the
         <literal>passwd</literal> entry by placing a default value in
         your <filename>/etc/master.passwd</filename>.</para>
 
       <!-- Been there, done that, got the scars to prove it - ue -->
       <warning>
         <para>Make sure that the line
         <literal>+:::::::::/sbin/nologin</literal> is placed after
         <literal>+@IT_EMP:::::::::</literal>.  Otherwise, all user
         accounts imported from NIS will have <filename>/sbin/nologin</filename> as their
         login shell.</para>
       </warning>
 
       <para>After this change, you will only have to change one NIS
         map if a new employee joins the IT department.  You could use
         a similar approach for the less important servers by replacing
         the old <literal>+:::::::::</literal> in their local version
         of <filename>/etc/master.passwd</filename> with something like
         this:</para>
 
       <programlisting>+@IT_EMP:::::::::
 +@IT_APP:::::::::
 +:::::::::/sbin/nologin</programlisting>
 
       <para>The corresponding lines for the normal workstations
         could be:</para>
 
       <programlisting>+@IT_EMP:::::::::
 +@USERS:::::::::
 +:::::::::/sbin/nologin</programlisting>
 
       <para>And everything would be fine until there is a policy
         change a few weeks later: The IT department starts hiring
         interns.  The IT interns are allowed to use the normal
         workstations and the less important servers; and the IT
         apprentices are allowed to login onto the main servers.  You
         add a new netgroup <literal>IT_INTERN</literal>, add the new
         IT interns to this netgroup and start to change the
         configuration on each and every machine...  As the old saying
         goes: <quote>Errors in centralized planning lead to global
         mess</quote>.</para>
 
       <para>NIS' ability to create netgroups from other netgroups can
         be used to prevent situations like these.  One possibility
         is the creation of role-based netgroups.  For example, you
         could create a netgroup called
         <literal>BIGSRV</literal> to define the login
         restrictions for the important servers, another netgroup
         called <literal>SMALLSRV</literal> for the less
         important servers and a third netgroup called
         <literal>USERBOX</literal> for the normal
         workstations.  Each of these netgroups contains the netgroups
         that are allowed to login onto these machines.  The new
         entries for your NIS map netgroup should look like this:</para>
 
       <programlisting>BIGSRV    IT_EMP  IT_APP
 SMALLSRV  IT_EMP  IT_APP  ITINTERN
 USERBOX   IT_EMP  ITINTERN USERS</programlisting>
 
       <para>This method of defining login restrictions works
         reasonably well if you can define groups of machines with
         identical restrictions.  Unfortunately, this is the exception
         and not the rule.  Most of the time, you will need the ability
         to define login restrictions on a per-machine basis.</para>
 
       <para>Machine-specific netgroup definitions are the other
         possibility to deal with the policy change outlined above.  In
         this scenario, the <filename>/etc/master.passwd</filename> of
         each box contains two lines starting with <quote>+</quote>.
         The first of them adds a netgroup with the accounts allowed to
         login onto this machine, the second one adds all other
         accounts with <filename>/sbin/nologin</filename> as shell.  It
         is a good idea to use the <quote>ALL-CAPS</quote> version of
         the machine name as the name of the netgroup.  In other words,
         the lines should look like this:</para>
 
       <programlisting>+@<replaceable>BOXNAME</replaceable>:::::::::
 +:::::::::/sbin/nologin</programlisting>
 
       <para>Once you have completed this task for all your machines,
         you will not have to modify the local versions of
         <filename>/etc/master.passwd</filename> ever again.  All
         further changes can be handled by modifying the NIS map.  Here
         is an example of a possible netgroup map for this
         scenario with some additional goodies:</para>
 
       <programlisting># Define groups of users first
 IT_EMP    (,alpha,test-domain)    (,beta,test-domain)
 IT_APP    (,charlie,test-domain)  (,delta,test-domain)
 DEPT1     (,echo,test-domain)     (,foxtrott,test-domain)
 DEPT2     (,golf,test-domain)     (,hotel,test-domain)
 DEPT3     (,india,test-domain)    (,juliet,test-domain)
 ITINTERN  (,kilo,test-domain)     (,lima,test-domain)
 D_INTERNS (,able,test-domain)     (,baker,test-domain)
 #
 # Now, define some groups based on roles
 USERS     DEPT1   DEPT2     DEPT3
 BIGSRV    IT_EMP  IT_APP
 SMALLSRV  IT_EMP  IT_APP    ITINTERN
 USERBOX   IT_EMP  ITINTERN  USERS
 #
 # And a groups for a special tasks
 # Allow echo and golf to access our anti-virus-machine
 SECURITY  IT_EMP  (,echo,test-domain)  (,golf,test-domain)
 #
 # machine-based netgroups
 # Our main servers
 WAR       BIGSRV
 FAMINE    BIGSRV
 # User india needs access to this server
 POLLUTION  BIGSRV  (,india,test-domain)
 #
 # This one is really important and needs more access restrictions
 DEATH     IT_EMP
 #
 # The anti-virus-machine mentioned above
 ONE       SECURITY
 #
 # Restrict a machine to a single user
 TWO       (,hotel,test-domain)
 # [...more groups to follow]</programlisting>
 
       <para>If you are using some kind of database to manage your user
         accounts, you should be able to create the first part of the
         map with your database's report tools.  This way, new users
         will automatically have access to the boxes.</para>
 
       <para>One last word of caution: It may not always be advisable
         to use machine-based netgroups.  If you are deploying a couple of
         dozen or even hundreds of identical machines for student labs,
         you should use role-based netgroups instead of machine-based
         netgroups to keep the size of the NIS map within reasonable
         limits.</para>
     </sect2>
 
     <sect2>
       <title>Important Things to Remember</title>
 
       <para>There are still a couple of things that you will need to do
         differently now that you are in an NIS environment.</para>
 
       <itemizedlist>
         <listitem>
           <para>Every time you wish to add a user to the lab, you
             must add it to the master NIS server <emphasis>only</emphasis>,
             and <emphasis>you must remember to rebuild the NIS
             maps</emphasis>.  If you forget to do this, the new user will
             not be able to login anywhere except on the NIS master.
             For example, if we needed to add a new user
             <username>jsmith</username> to the lab, we would:</para>
 
           <screen>&prompt.root; <userinput>pw useradd jsmith</userinput>
 &prompt.root; <userinput>cd /var/yp</userinput>
 &prompt.root; <userinput>make test-domain</userinput></screen>
 
           <para>You could also run <command>adduser jsmith</command> instead
             of <command>pw useradd jsmith</command>.</para>
         </listitem>
         <listitem>
           <para><emphasis>Keep the administration accounts out of the
             NIS maps</emphasis>.  You do not want to be propagating
             administrative accounts and passwords to machines that
             will have users that should not have access to those
             accounts.</para>
         </listitem>
         <listitem>
           <para><emphasis>Keep the NIS master and slave secure, and
             minimize their downtime</emphasis>.  If somebody either
             hacks or simply turns off these machines, they have
             effectively rendered many people without the ability to
             login to the lab.</para>
 
           <para>This is the chief weakness of any centralized administration
             system.  If you do
             not protect your NIS servers, you will have a lot of angry
             users!</para>
         </listitem>
       </itemizedlist>
     </sect2>
 
     <sect2>
       <title>NIS v1 Compatibility</title>
 
       <para> FreeBSD's <application>ypserv</application> has some
 	support for serving NIS v1 clients.  FreeBSD's NIS
 	implementation only uses the NIS v2 protocol, however other
 	implementations include support for the v1 protocol for
 	backwards compatibility with older systems.  The
 	<application>ypbind</application> daemons supplied with these
 	systems will try to establish a binding to an NIS v1 server
 	even though they may never actually need it (and they may
 	persist in broadcasting in search of one even after they
 	receive a response from a v2 server).  Note that while support
 	for normal client calls is provided, this version of
 	<application>ypserv</application> does not handle v1 map
 	transfer requests; consequently, it cannot be used as a master
 	or slave in conjunction with older NIS servers that only
 	support the v1 protocol.  Fortunately, there probably are not
 	any such servers still in use today.</para>
     </sect2>
 
     <sect2 id="network-nis-server-is-client">
       <title>NIS Servers That Are Also NIS Clients</title>
 
       <para> Care must be taken when running
 	<application>ypserv</application> in a multi-server domain
 	where the server machines are also NIS clients.  It is
 	generally a good idea to force the servers to bind to
 	themselves rather than allowing them to broadcast bind
 	requests and possibly become bound to each other.  Strange
 	failure modes can result if one server goes down and others
 	are dependent upon it.  Eventually all the clients will time
 	out and attempt to bind to other servers, but the delay
 	involved can be considerable and the failure mode is still
 	present since the servers might bind to each other all over
 	again.</para>
 
       <para>You can force a host to bind to a particular server by running
 	<command>ypbind</command> with the <option>-S</option>
 	flag.  If you do not want to do this manually each time you
         reboot your NIS server, you can add the following lines to
         your <filename>/etc/rc.conf</filename>:</para>
 
       <programlisting>nis_client_enable="YES"	# run client stuff as well
 nis_client_flags="-S <replaceable>NIS domain</replaceable>,<replaceable>server</replaceable>"</programlisting>
 
       <para>See &man.ypbind.8; for further information.</para>
     </sect2>
 
     <sect2>
       <title>Password Formats</title>
       <indexterm>
         <primary>NIS</primary>
 	<secondary>password formats</secondary>
       </indexterm>
       <para>One of the most common issues that people run into when trying
 	to implement NIS is password format compatibility.  If your NIS
 	server is using DES encrypted passwords, it will only support
 	clients that are also using DES.  For example, if you have
 	&solaris; NIS clients in your network, then you will almost certainly
 	need to use DES encrypted passwords.</para>
 
       <para>To check which format your servers
 	and clients are using, look at <filename>/etc/login.conf</filename>.
 	If the host is configured to use DES encrypted passwords, then the
 	<literal>default</literal> class will contain an entry like this:</para>
 
       <programlisting>default:\
 	:passwd_format=des:\
 	:copyright=/etc/COPYRIGHT:\
 	[Further entries elided]</programlisting>
 
       <para>Other possible values for the <literal>passwd_format</literal>
 	capability include <literal>blf</literal> and <literal>md5</literal>
 	(for Blowfish and MD5 encrypted passwords, respectively).</para>
 
       <para>If you have made changes to
 	<filename>/etc/login.conf</filename>, you will also need to
 	rebuild the login capability database, which is achieved by
 	running the following command as
 	<username>root</username>:</para>
 
       <screen>&prompt.root; <userinput>cap_mkdb /etc/login.conf</userinput></screen>
 
       <note><para>The format of passwords already in
 	<filename>/etc/master.passwd</filename> will not be updated
 	until a user changes his password for the first time
 	<emphasis>after</emphasis> the login capability database is
 	rebuilt.</para></note>
 
       <para>Next, in order to ensure that passwords are encrypted with
 	the format that you have chosen, you should also check that
 	the <literal>crypt_default</literal> in
 	<filename>/etc/auth.conf</filename> gives precedence to your
 	chosen password format.  To do this, place the format that you
 	have chosen first in the list.  For example, when using DES
 	encrypted passwords, the entry would be:</para>
 
       <programlisting>crypt_default	=	des blf md5</programlisting>
 
       <para>Having followed the above steps on each of the &os; based
 	NIS servers and clients, you can be sure that they all agree
 	on which password format is used within your network.  If you
 	have trouble authenticating on an NIS client, this is a pretty
 	good place to start looking for possible problems.  Remember:
 	if you want to deploy an NIS server for a heterogenous
 	network, you will probably have to use DES on all systems
 	because it is the lowest common standard.</para>
     </sect2>
   </sect1>
 
   <sect1 id="network-dhcp">
     <sect1info>
       <authorgroup>
         <author>
           <firstname>Greg</firstname>
       	  <surname>Sutter</surname>
 	  <contrib>Written by </contrib>
         </author>
       </authorgroup>
     </sect1info>
     <title>Automatic Network Configuration (DHCP)</title>
 
     <sect2>
       <title>What Is DHCP?</title>
       <indexterm>
         <primary>Dynamic Host Configuration Protocol</primary>
         <see>DHCP</see>
       </indexterm>
       <indexterm>
         <primary>Internet Software Consortium (ISC)</primary>
       </indexterm>
 
       <para>DHCP, the Dynamic Host Configuration Protocol, describes
         the means by which a system can connect to a network and obtain the
         necessary information for communication upon that network.  FreeBSD
         uses the ISC (Internet Software Consortium) DHCP implementation, so
         all implementation-specific information here is for use with the ISC
         distribution.</para>
     </sect2>
 
     <sect2>
       <title>What This Section Covers</title>
 
       <para>This section describes both the client-side and
         server-side components of the ISC DHCP system.  The
         client-side program, <command>dhclient</command>, comes
         integrated within FreeBSD, and the server-side portion is
         available from the <filename
         role="package">net/isc-dhcp3-server</filename> port.  The
         &man.dhclient.8;, &man.dhcp-options.5;, and
         &man.dhclient.conf.5; manual pages, in addition to the
         references below, are useful resources.</para>
     </sect2>
 
     <sect2>
       <title>How It Works</title>
       <indexterm><primary>UDP</primary></indexterm>
       <para>When <command>dhclient</command>, the DHCP client, is
 	executed on the client machine, it begins broadcasting
 	requests for configuration information.  By default, these
 	requests are on UDP port 68.  The server replies on UDP 67,
 	giving the client an IP address and other relevant network
 	information such as netmask, router, and DNS servers.  All of
 	this information comes in the form of a DHCP
 	<quote>lease</quote> and is only valid for a certain time
 	(configured by the DHCP server maintainer).  In this manner,
 	stale IP addresses for clients no longer connected to the
 	network can be automatically reclaimed.</para>
 
       <para>DHCP clients can obtain a great deal of information from
         the server.  An exhaustive list may be found in
         &man.dhcp-options.5;.</para>
     </sect2>
 
     <sect2>
       <title>FreeBSD Integration</title>
 
       <para>FreeBSD fully integrates the ISC DHCP client,
         <command>dhclient</command>.  DHCP client support is provided
         within both the installer and the base system, obviating the need
         for detailed knowledge of network configurations on any network
         that runs a DHCP server.  <command>dhclient</command> has been
         included in all FreeBSD distributions since 3.2.</para>
         <indexterm>
           <primary><application>sysinstall</application></primary>
         </indexterm>
 
         <para>DHCP is supported by
           <application>sysinstall</application>.  When configuring a
           network interface within
           <application>sysinstall</application>, the first question
           asked is: <quote>Do you want to try DHCP configuration of
           this interface?</quote>. Answering affirmatively will
           execute <command>dhclient</command>, and if successful, will
           fill in the network configuration information
           automatically.</para>
 
         <para>There are two things you must do to have your system use
 	  DHCP upon startup:</para>
         <indexterm>
           <primary>DHCP</primary>
           <secondary>requirements</secondary>
         </indexterm>
 	<itemizedlist>
 	  <listitem>
             <para>Make sure that the <devicename>bpf</devicename>
 	      device is compiled into your kernel.  To do this, add
 	      <literal>device bpf</literal> (<literal>pseudo-device
 	      bpf</literal> under &os;&nbsp;4.X) to your kernel
 	      configuration file, and rebuild the kernel.  For more
 	      information about building kernels, see <xref
 	      linkend="kernelconfig">.</para> <para>The
 	      <devicename>bpf</devicename> device is already part of
 	      the <filename>GENERIC</filename> kernel that is supplied
 	      with FreeBSD, so if you do not have a custom kernel, you
 	      should not need to create one in order to get DHCP
 	      working.</para>
 	    <note>
 	      <para>For those who are particularly security conscious,
 	        you should be warned that <devicename>bpf</devicename>
 		is also the device that allows packet sniffers to work
 		correctly (although they still have to be run as
 		<username>root</username>).  <devicename>bpf</devicename>
 		<emphasis>is</emphasis> required to use DHCP, but if
 		you are very sensitive about security, you probably
 		should not add <devicename>bpf</devicename> to your
 		kernel in the expectation that at some point in the
 		future you will be using DHCP.</para>
 	    </note>
 	  </listitem>
           <listitem>
             <para>Edit your <filename>/etc/rc.conf</filename> to
 	      include the following:</para>
 
             <programlisting>ifconfig_fxp0="DHCP"</programlisting>
 
             <note>
               <para>Be sure to replace <literal>fxp0</literal> with the
                 designation for the interface that you wish to dynamically
                  configure, as described in
 		 <xref linkend="config-network-setup">.</para>
             </note>
 
             <para>If you are using a different location for
               <command>dhclient</command>, or if you wish to pass additional
               flags to <command>dhclient</command>, also include the
               following (editing as necessary):</para>
 
             <programlisting>dhcp_program="/sbin/dhclient"
 dhcp_flags=""</programlisting>
           </listitem>
         </itemizedlist>
 
         <indexterm>
           <primary>DHCP</primary>
           <secondary>server</secondary>
         </indexterm>
         <para>The DHCP server, <application>dhcpd</application>, is included
           as part of the <filename
           role="package">net/isc-dhcp3-server</filename> port in the ports
           collection.  This port contains the ISC DHCP server and
           documentation.</para>
     </sect2>
 
     <sect2>
       <title>Files</title>
       <indexterm>
         <primary>DHCP</primary>
         <secondary>configuration files</secondary>
       </indexterm>
       <itemizedlist>
         <listitem><para><filename>/etc/dhclient.conf</filename></para>
           <para><command>dhclient</command> requires a configuration file,
             <filename>/etc/dhclient.conf</filename>.  Typically the file
             contains only comments, the defaults being reasonably sane.  This
             configuration file is described by the &man.dhclient.conf.5;
             manual page.</para>
         </listitem>
 
         <listitem><para><filename>/sbin/dhclient</filename></para>
           <para><command>dhclient</command> is statically linked and
             resides in <filename>/sbin</filename>.  The &man.dhclient.8;
             manual page gives more information about
             <command>dhclient</command>.</para>
         </listitem>
 
         <listitem><para><filename>/sbin/dhclient-script</filename></para>
           <para><command>dhclient-script</command> is the FreeBSD-specific
             DHCP client configuration script.  It is described in
             &man.dhclient-script.8;, but should not need any user
             modification to function properly.</para>
         </listitem>
 
         <listitem><para><filename>/var/db/dhclient.leases</filename></para>
           <para>The DHCP client keeps a database of valid leases in this
             file, which is written as a log.  &man.dhclient.leases.5;
             gives a slightly longer description.</para>
         </listitem>
       </itemizedlist>
     </sect2>
 
     <sect2>
       <title>Further Reading</title>
 
       <para>The DHCP protocol is fully described in
         <ulink url="http://www.freesoft.org/CIE/RFC/2131/">RFC 2131</ulink>.
         An informational resource has also been set up at
         <ulink url="http://www.dhcp.org/"></ulink>.</para>
     </sect2>
 
     <sect2 id="network-dhcp-server">
 	<title>Installing and Configuring a DHCP Server</title>
 
 	<sect3>
 	  <title>What This Section Covers</title>
 
 	  <para>This section provides information on how to configure
 	    a FreeBSD system to act as a DHCP server using the ISC
 	    (Internet Software Consortium) implementation of the DHCP
 	    suite.</para>
 
 	  <para>The server portion of the suite is not provided as part of
 	    FreeBSD, and so you will need to install the
 	    <filename role="package">net/isc-dhcp3-server</filename>
 	    port to provide this service.  See <xref linkend="ports"> for
 	    more information on using the ports collection.</para>
 	</sect3>
 
 	<sect3>
 	  <title>DHCP Server Installation</title>
 	  <indexterm>
 	    <primary>DHCP</primary>
 	    <secondary>installation</secondary>
 	  </indexterm>
 	  <para>In order to configure your FreeBSD system as a DHCP
 	    server, you will need to ensure that the &man.bpf.4;
 	    device is compiled into your kernel.  To do this, add
 	    <literal>device bpf</literal> (<literal>pseudo-device
 	    bpf</literal> under &os;&nbsp;4.X) to your kernel
 	    configuration file, and rebuild the kernel.  For more
 	    information about building kernels, see <xref
 	    linkend="kernelconfig">.</para>
 
 	  <para>The <devicename>bpf</devicename> device is already
 	    part of the <filename>GENERIC</filename> kernel that is
 	    supplied with FreeBSD, so you do not need to create a custom
 	    kernel in order to get DHCP working.</para>
 
 	    <note>
 	      <para>Those who are particularly security conscious
 	        should note that <devicename>bpf</devicename>
 		is also the device that allows packet sniffers to work
 		correctly (although such programs still need privileged
 		access).  <devicename>bpf</devicename>
 		<emphasis>is</emphasis> required to use DHCP, but if
 		you are very sensitive about security, you probably
 		should not include <devicename>bpf</devicename> in your
 		kernel purely because you expect to use DHCP at some
 		point in the future.</para>
 	    </note>
 
 	  <para>The next thing that you will need to do is edit the sample
 	    <filename>dhcpd.conf</filename> which was installed by the
 	    <filename role="package">net/isc-dhcp3-server</filename> port.
 	    By default, this will be
 	    <filename>/usr/local/etc/dhcpd.conf.sample</filename>, and you
 	    should copy this to
 	    <filename>/usr/local/etc/dhcpd.conf</filename> before proceeding
 	    to make changes.</para>
 	</sect3>
 
 	<sect3>
 	  <title>Configuring the DHCP Server</title>
 	  <indexterm>
 	    <primary>DHCP</primary>
 	    <secondary>dhcpd.conf</secondary>
 	  </indexterm>
 	  <para><filename>dhcpd.conf</filename> is
 	    comprised of declarations regarding subnets and hosts, and is
 	    perhaps most easily explained using an example :</para>
 
 	  <programlisting>option domain-name "example.com";<co id="domain-name">
 option domain-name-servers 192.168.4.100;<co id="domain-name-servers">
 option subnet-mask 255.255.255.0;<co id="subnet-mask">
 
 default-lease-time 3600;<co id="default-lease-time">
 max-lease-time 86400;<co id="max-lease-time">
 ddns-update-style none;<co id="ddns-update-style">
 
 subnet 192.168.4.0 netmask 255.255.255.0 {
   range 192.168.4.129 192.168.4.254;<co id="range">
   option routers 192.168.4.1;<co id="routers">
 }
 
 host mailhost {
   hardware ethernet 02:03:04:05:06:07;<co id="hardware">
   fixed-address mailhost.example.com;<co id="fixed-address">
 }</programlisting>
 
 	  <calloutlist>
 	    <callout arearefs="domain-name">
 	      <para>This option specifies the domain that will be provided
 		to clients as the default search domain.  See
 		&man.resolv.conf.5; for more information on what this
 		means.</para>
 	    </callout>
 
 	    <callout arearefs="domain-name-servers">
 	      <para>This option specifies a comma separated list of DNS
 		servers that the client should use.</para>
 	    </callout>
 
 	    <callout arearefs="subnet-mask">
 	      <para>The netmask that will be provided to clients.</para>
 	    </callout>
 
 	    <callout arearefs="default-lease-time">
 	      <para>A client may request a specific length of time that a
 		lease will be valid.  Otherwise the server will assign
 		a lease with this expiry value (in seconds).</para>
 	    </callout>
 
 	    <callout arearefs="max-lease-time">
 	      <para>This is the maximum length of time that the server will
 		lease for.  Should a client request a longer lease, a lease
 		will be issued, although it will only be valid for
 		<literal>max-lease-time</literal> seconds.</para>
 	    </callout>
 
 	    <callout arearefs="ddns-update-style">
 	      <para>This option specifies whether the DHCP server should
 		attempt to update DNS when a lease is accepted or released.
 		In the ISC implementation, this option is
 		<emphasis>required</emphasis>.</para>
 	    </callout>
 
 	    <callout arearefs="range">
 	      <para>This denotes which IP addresses should be used in
 		the pool reserved for allocating to clients.  IP
 		addresses between, and including, the ones stated are
 		handed out to clients.</para>
 	    </callout>
 
 	    <callout arearefs="routers">
 	      <para>Declares the default gateway that will be provided to
 		clients.</para>
 	    </callout>
 
 	    <callout arearefs="hardware">
 	      <para>The hardware MAC address of a host (so that the DHCP server
 		can recognize a host when it makes a request).</para>
 	    </callout>
 
 	    <callout arearefs="fixed-address">
 	      <para>Specifies that the host should always be given the
 		same IP address.  Note that using a hostname is
 		correct here, since the DHCP server will resolve the
 		hostname itself before returning the lease
 		information.</para>
 	    </callout>
 	  </calloutlist>
 
 	  <para>Once you have finished writing your
 	    <filename>dhcpd.conf</filename>, you can proceed to start the
 	    server by issuing the following command:</para>
 
 	  <screen>&prompt.root; <userinput>/usr/local/etc/rc.d/isc-dhcpd.sh start</userinput></screen>
 
 	  <para>Should you need to make changes to the configuration of your
 	    server in the future, it is important to note that sending a
 	    <literal>SIGHUP</literal> signal to
 	    <application>dhcpd</application> does <emphasis>not</emphasis>
 	    result in the configuration being reloaded, as it does with most
 	    daemons.  You will need to send a <literal>SIGTERM</literal>
 	    signal to stop the process, and then restart it using the command
 	    above.</para>
 	</sect3>
 
 	<sect3>
 	  <title>Files</title>
 	  <indexterm>
 	    <primary>DHCP</primary>
 	    <secondary>configuration files</secondary>
 	  </indexterm>
 	  <itemizedlist>
 	    <listitem><para><filename>/usr/local/sbin/dhcpd</filename></para>
 	      <para><application>dhcpd</application> is statically linked and
 		resides in <filename>/usr/local/sbin</filename>.  The
 		&man.dhcpd.8; manual page installed with the
 		port gives more information about
 		<application>dhcpd</application>.</para>
 	    </listitem>
 
 	    <listitem><para><filename>/usr/local/etc/dhcpd.conf</filename></para>
 	      <para><application>dhcpd</application> requires a configuration
 		file, <filename>/usr/local/etc/dhcpd.conf</filename> before it
 		will start providing service to clients.  This file needs to
 		contain all the information that should be provided to clients
 		that are being serviced, along with information regarding the
 		operation of the server.  This configuration file is described
 		by the &man.dhcpd.conf.5; manual page installed
 		by the port.</para>
 	    </listitem>
 
 	    <listitem><para><filename>/var/db/dhcpd.leases</filename></para>
 	      <para>The DHCP server keeps a database of leases it has issued
 		in this file, which is written as a log.  The manual page
 		&man.dhcpd.leases.5;, installed by the port
 		gives a slightly longer description.</para>
 	    </listitem>
 
 	    <listitem><para><filename>/usr/local/sbin/dhcrelay</filename></para>
 	      <para><application>dhcrelay</application> is used in advanced
 		environments where one DHCP server forwards a request from a
 		client to another DHCP server on a separate network.  If you
 		require this functionality, then install the <filename
 		role="package">net/isc-dhcp3-relay</filename> port.  The
 		&man.dhcrelay.8; manual page provided with the
 		port contains more detail.</para>
 	    </listitem>
 	  </itemizedlist>
 	</sect3>
 
       </sect2>
 
   </sect1>
 
   <sect1 id="network-dns">
     <sect1info>
       <authorgroup>
         <author>
           <firstname>Chern</firstname>
           <surname>Lee</surname>
           <contrib>Contributed by </contrib>
         </author>
       </authorgroup>
     </sect1info>
     <title>Domain Name System (DNS)</title>
 
     <sect2>
       <title>Overview</title>
       <indexterm><primary>BIND</primary></indexterm>
 
       <para>FreeBSD utilizes, by default, a version of BIND (Berkeley
         Internet Name Domain), which is the most common implementation
         of the DNS protocol.  DNS is the protocol through which names
         are mapped to IP addresses, and vice versa.  For example, a
         query for <hostid role="fqdn">www.FreeBSD.org</hostid> will
         receive a reply with the IP address of The FreeBSD Project's
         web server, whereas, a query for <hostid
         role="fqdn">ftp.FreeBSD.org</hostid> will return the IP
         address of the corresponding FTP machine.  Likewise, the
         opposite can happen.  A query for an IP address can resolve
         its hostname.  It is not necessary to run a name server to
         perform DNS lookups on a system.
       </para>
 
       <indexterm><primary>DNS</primary></indexterm>
       <para>DNS is coordinated across the Internet through a somewhat
         complex system of authoritative root name servers, and other
         smaller-scale name servers who host and cache individual domain
         information.
       </para>
 
       <para>
         This document refers to BIND 8.x, as it is the stable version
 	used in FreeBSD.  BIND 9.x in FreeBSD can be installed through
 	the <filename role="package">net/bind9</filename> port.
       </para>
 
       <para>
         RFC1034 and RFC1035 dictate the DNS protocol.
       </para>
 
       <para>
         Currently, BIND is maintained by the
         Internet Software Consortium <ulink url="http://www.isc.org/"></ulink>.
       </para>
     </sect2>
 
     <sect2>
       <title>Terminology</title>
 
       <para>To understand this document, some terms related to DNS must be
 	understood.</para>
 
       <indexterm><primary>resolver</primary></indexterm>
       <indexterm><primary>reverse DNS</primary></indexterm>
       <indexterm><primary>root zone</primary></indexterm>
       <informaltable frame="none" pgwide="1">
 	<tgroup cols="2">
 	  <colspec colwidth="1*">
 	  <colspec colwidth="3*">
 
 	  <thead>
 	    <row>
 	      <entry>Term</entry>
 	      <entry>Definition</entry>
 	    </row>
 	  </thead>
 
 	  <tbody>
 	    <row>
 	      <entry>Forward DNS</entry>
 	      <entry>Mapping of hostnames to IP addresses</entry>
 	    </row>
 
 	    <row>
 	      <entry>Origin</entry>
 	      <entry>Refers to the domain covered in a particular zone
 		file</entry>
 	    </row>
 
 	    <row>
 	      <entry><application>named</application>, BIND, name server</entry>
 	      <entry>Common names for the BIND name server package within
 		FreeBSD</entry>
 	    </row>
 
 	    <row>
 	      <entry>Resolver</entry>
 	      <entry>A system process through which a
 		machine queries a name server for zone information</entry>
 	    </row>
 
 	    <row>
 	      <entry>Reverse DNS</entry>
 	      <entry>The opposite of forward DNS; mapping of IP addresses to
 		hostnames</entry>
 	    </row>
 
 	    <row>
 	      <entry>Root zone</entry>
 
 	      <entry>The beginning of the Internet zone hierarchy.
 		All zones fall under the root zone, similar to how
 		all files in a file system fall under the root directory.</entry>
 	    </row>
 
 	    <row>
 	      <entry>Zone</entry>
 	      <entry>An individual domain, subdomain, or portion of the DNS administered by
 		the same authority</entry>
 	    </row>
 	  </tbody>
 	</tgroup>
       </informaltable>
 
       <indexterm>
 	<primary>zones</primary>
 	<secondary>examples</secondary>
       </indexterm>
 
       <para>Examples of zones:
       </para>
       <itemizedlist>
         <listitem>
           <para><hostid>.</hostid> is the root zone</para>
         </listitem>
         <listitem>
           <para><hostid>org.</hostid> is a zone under the root zone</para>
         </listitem>
         <listitem>
           <para><hostid role="domainname">example.org</hostid> is a
           zone under the <hostid>org.</hostid> zone</para>
         </listitem>
         <listitem>
           <para><hostid role="domainname">foo.example.org.</hostid> is
             a subdomain, a zone under the <hostid
             role="domainname">example.org.</hostid> zone</para>
         </listitem>
         <listitem>
           <para>
             <hostid>1.2.3.in-addr.arpa</hostid> is a zone referencing
 	    all IP addresses which fall under the <hostid
 	    role="ipaddr">3.2.1.*</hostid> IP space.
           </para>
         </listitem>
       </itemizedlist>
 
       <para>As one can see, the more specific part of a hostname
         appears to its left.  For example, <hostid
         role="domainname">example.org.</hostid> is more specific than
         <hostid>org.</hostid>, as <hostid>org.</hostid> is more
         specific than the root zone.  The layout of each part of a
         hostname is much like a filesystem: the
         <filename>/dev</filename> directory falls within the root, and
         so on.</para>
 
 
     </sect2>
 
     <sect2>
       <title>Reasons to Run a Name Server</title>
 
       <para>Name servers usually come in two forms: an authoritative
 	name server, and a caching name server.</para>
 
       <para>An authoritative name server is needed when:</para>
 
       <itemizedlist>
 	<listitem>
 	  <para>one wants to serve DNS information to the
 	    world, replying authoritatively to queries.</para>
 	</listitem>
 	<listitem>
 	  <para>a domain, such as <hostid role="domainname">example.org</hostid>, is
 	    registered and IP addresses need to be assigned to hostnames
 	    under it.</para>
 	</listitem>
 	<listitem>
 	  <para>an IP address block requires reverse DNS entries (IP to
 	    hostname).</para>
 	</listitem>
 	<listitem>
 	  <para>a backup name server, called a slave, must reply to queries
 	    when the primary is down or inaccessible.</para>
 	  </listitem>
       </itemizedlist>
 
       <para>A caching name server is needed when:</para>
 
       <itemizedlist>
 	<listitem>
 	  <para>a local DNS server may cache and respond more quickly
 	    than querying an outside name server.</para>
 	</listitem>
 	<listitem>
 	  <para>a reduction in overall network traffic is desired (DNS
 	    traffic has been measured to account for 5% or more of total
 	    Internet traffic).</para>
 	</listitem>
       </itemizedlist>
 
       <para>When one queries for <hostid
 	role="fqdn">www.FreeBSD.org</hostid>, the resolver usually
 	queries the uplink ISP's name server, and retrieves the reply.
 	With a local, caching DNS server, the query only has to be
 	made once to the outside world by the caching DNS server.
 	Every additional query will not have to look to the outside of
 	the local network, since the information is cached
 	locally.</para>
 
     </sect2>
 
     <sect2>
       <title>How It Works</title>
       <para>In FreeBSD, the BIND daemon is called
 	<application>named</application> for obvious reasons.</para>
 
-      <informaltable frame="none">
+      <informaltable frame="none" pgwide="1">
 	<tgroup cols="2">
 	  <thead>
 	    <row>
 	      <entry>File</entry>
 	      <entry>Description</entry>
 	    </row>
 	  </thead>
 
 	  <tbody>
 	    <row>
 	      <entry><application>named</application></entry>
 	      <entry>the BIND daemon</entry>
 	    </row>
 
 	    <row>
 	      <entry><command>ndc</command></entry>
 	      <entry>name daemon control program</entry>
 	    </row>
 
 	    <row>
 	      <entry><filename>/etc/namedb</filename></entry>
 	      <entry>directory where BIND zone information resides</entry>
 	    </row>
 
 	    <row>
 	      <entry><filename>/etc/namedb/named.conf</filename></entry>
 	      <entry>daemon configuration file</entry>
 	    </row>
 	  </tbody>
 	</tgroup>
       </informaltable>
 
       <para>
         Zone files are usually contained within the
         <filename>/etc/namedb</filename>
         directory, and contain the DNS zone information
 	served by the name server.
       </para>
     </sect2>
 
     <sect2>
       <title>Starting BIND</title>
       <indexterm>
         <primary>BIND</primary>
 	<secondary>starting</secondary>
       </indexterm>
       <para>
         Since BIND is installed by default, configuring it all is
         relatively simple.
       </para>
       <para>
         To ensure the <application>named</application> daemon is
          started at boot, put the following line in
          <filename>/etc/rc.conf</filename>:
       </para>
       <programlisting>named_enable="YES"</programlisting>
       <para>To start the daemon manually (after configuring it):</para>
       <screen>&prompt.root; <userinput>ndc start</userinput></screen>
     </sect2>
 
     <sect2>
       <title>Configuration Files</title>
       <indexterm>
         <primary>BIND</primary>
 	<secondary>configuration files</secondary>
       </indexterm>
       <sect3>
         <title>Using <command>make-localhost</command></title>
         <para>Be sure to:
         </para>
         <screen>&prompt.root; <userinput>cd /etc/namedb</userinput>
 &prompt.root; <userinput>sh make-localhost</userinput></screen>
         <para>to properly create the local reverse DNS zone file in
           <filename>/etc/namedb/localhost.rev</filename>.
         </para>
       </sect3>
 
       <sect3>
         <title><filename>/etc/namedb/named.conf</filename></title>
 
         <programlisting>// &dollar;FreeBSD$
 //
 // Refer to the named(8) manual page for details.  If you are ever going
 // to setup a primary server, make sure you've understood the hairy
 // details of how DNS is working.  Even with simple mistakes, you can
 // break connectivity for affected parties, or cause huge amount of
 // useless Internet traffic.
 
 options {
         directory "/etc/namedb";
 
 // In addition to the "forwarders" clause, you can force your name
 // server to never initiate queries of its own, but always ask its
 // forwarders only, by enabling the following line:
 //
 //      forward only;
 
 // If you've got a DNS server around at your upstream provider, enter
 // its IP address here, and enable the line below.  This will make you
 // benefit from its cache, thus reduce overall DNS traffic in the
 Internet.
 /*
         forwarders {
                 127.0.0.1;
         };
 */</programlisting>
 
         <para>
 	  Just as the comment says, to benefit from an uplink's cache,
           <literal>forwarders</literal> can be enabled here.  Under normal
           circumstances, a name server will recursively query the Internet
           looking at certain name servers until it finds the answer it is
           looking for.  Having this enabled will have it query the uplink's
           name server (or name server provided) first, taking advantage of
           its cache.  If the uplink name server in question is a heavily
           trafficked, fast name server, enabling this may be worthwhile.
         </para>
 
 	<warning><para><hostid role="ipaddr">127.0.0.1</hostid>
             will <emphasis>not</emphasis> work here.
             Change this IP address to a name server at your uplink.</para>
         </warning>
 
         <programlisting>        /*
          * If there is a firewall between you and name servers you want
          * to talk to, you might need to uncomment the query-source
          * directive below.  Previous versions of BIND always asked
          * questions using port 53, but BIND 8.1 uses an unprivileged
          * port by default.
          */
         // query-source address * port 53;
 
         /*
          * If running in a sandbox, you may have to specify a different
          * location for the dumpfile.
          */
         // dump-file "s/named_dump.db";
 };
 
 // Note: the following will be supported in a future release.
 /*
 host { any; } {
         topology {
                 127.0.0.0/8;
         };
 };
 */
 
 // Setting up secondaries is way easier and the rough picture for this
 // is explained below.
 //
 // If you enable a local name server, don't forget to enter 127.0.0.1
 // into your /etc/resolv.conf so this server will be queried first.
 // Also, make sure to enable it in /etc/rc.conf.
 
 zone "." {
         type hint;
         file "named.root";
 };
 
 zone "0.0.127.IN-ADDR.ARPA" {
         type master;
         file "localhost.rev";
 };
 
 zone
 "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.INT" {
         type master;
         file "localhost.rev";
 };
 
 // NB: Do not use the IP addresses below, they are faked, and only
 // serve demonstration/documentation purposes!
 //
 // Example secondary config entries.  It can be convenient to become
 // a secondary at least for the zone where your own domain is in.  Ask
 // your network administrator for the IP address of the responsible
 // primary.
 //
 // Never forget to include the reverse lookup (IN-ADDR.ARPA) zone!
 // (This is the first bytes of the respective IP address, in reverse
 // order, with ".IN-ADDR.ARPA" appended.)
 //
 // Before starting to setup a primary zone, better make sure you fully
 // understand how DNS and BIND works, however.  There are sometimes
 // unobvious pitfalls.  Setting up a secondary is comparably simpler.
 //
 // NB: Don't blindly enable the examples below. :-)  Use actual names
 // and addresses instead.
 //
 // NOTE!!! FreeBSD runs BIND in a sandbox (see named_flags in rc.conf).
 // The directory containing the secondary zones must be write accessible
 // to BIND.  The following sequence is suggested:
 //
 //      mkdir /etc/namedb/s
 //      chown bind:bind /etc/namedb/s
 //      chmod 750 /etc/namedb/s</programlisting>
 
 	<para>For more information on running BIND in a sandbox, see
 	  <link linkend="network-named-sandbox">Running named in a sandbox</link>.
 	</para>
 
 	<programlisting>/*
 zone "example.com" {
         type slave;
         file "s/example.com.bak";
         masters {
                 192.168.1.1;
         };
 };
 
 zone "0.168.192.in-addr.arpa" {
         type slave;
         file "s/0.168.192.in-addr.arpa.bak";
         masters {
                 192.168.1.1;
         };
 };
 */</programlisting>
         <para>In <filename>named.conf</filename>, these are examples of slave
 	  entries for a forward and reverse zone.</para>
 
         <para>For each new zone served, a new zone entry must be added to
 	  <filename>named.conf</filename>.</para>
 
         <para>For example, the simplest zone entry for
 	  <hostid role="domainname">example.org</hostid> can look like:</para>
 
         <programlisting>zone "example.org" {
 	type master;
 	file "example.org";
 };</programlisting>
 
 	<para>The zone is a master, as indicated by the <option>type</option>
 	  statement, holding its zone information in
 	  <filename>/etc/namedb/example.org</filename> indicated by
 	  the <option>file</option> statement.</para>
 
         <programlisting>zone "example.org" {
 	type slave;
 	file "example.org";
 };</programlisting>
 
         <para>In the slave case, the zone information is transferred from
 	  the master name server for the particular zone, and saved in the
 	  file specified.  If and when the master server dies or is
 	  unreachable, the slave name server will have the transferred
 	  zone information and will be able to serve it.</para>
       </sect3>
 
       <sect3>
         <title>Zone Files</title>
         <para>
           An example master zone file for <hostid
 	  role="domainname">example.org</hostid> (existing within
 	  <filename>/etc/namedb/example.org</filename>) is as follows:
         </para>
 
         <programlisting>$TTL 3600
 
 example.org. IN SOA ns1.example.org. admin.example.org. (
                         5               ; Serial
                         10800           ; Refresh
                         3600            ; Retry
                         604800          ; Expire
                         86400 )         ; Minimum TTL
 
 ; DNS Servers
 @       IN NS           ns1.example.org.
 @       IN NS           ns2.example.org.
 
 ; Machine Names
 localhost       IN A    127.0.0.1
 ns1             IN A    3.2.1.2
 ns2             IN A    3.2.1.3
 mail            IN A    3.2.1.10
 @               IN A    3.2.1.30
 
 ; Aliases
 www             IN CNAME        @
 
 ; MX Record
 @               IN MX   10      mail.example.org.</programlisting>
 
         <para>
           Note that every hostname ending in a <quote>.</quote> is an
           exact hostname, whereas everything without a trailing
           <quote>.</quote> is referenced to the origin.  For example,
           <literal>www</literal> is translated into
           <literal>www.<replaceable>origin</replaceable></literal>.
           In our fictitious zone file, our origin is
           <hostid>example.org.</hostid>, so <literal>www</literal>
           would translate to <hostid>www.example.org.</hostid>
         </para>
 
         <para>
           The format of a zone file follows:
         </para>
         <programlisting>recordname      IN recordtype   value</programlisting>
 
 	<indexterm>
 	  <primary>DNS</primary>
 	  <secondary>records</secondary>
 	</indexterm>
         <para>
           The most commonly used DNS records:
         </para>
 
 	<variablelist>
 	  <varlistentry>
 	    <term>SOA</term>
 
 	    <listitem><para>start of zone authority</para></listitem>
 	  </varlistentry>
 
 	  <varlistentry>
 	    <term>NS</term>
 
 	    <listitem><para>an authoritative name server</para></listitem>
 	  </varlistentry>
 
 	  <varlistentry>
 	    <term>A</term>
 
 	    <listitem><para>a host address</para></listitem>
 	  </varlistentry>
 
 	  <varlistentry>
 	    <term>CNAME</term>
 
 	    <listitem><para>the canonical name for an alias</para></listitem>
 	  </varlistentry>
 
 	  <varlistentry>
 	    <term>MX</term>
 
 	    <listitem><para>mail exchanger</para></listitem>
 	  </varlistentry>
 
 	  <varlistentry>
 	    <term>PTR</term>
 
 	    <listitem><para>a domain name pointer (used in reverse DNS)
 	      </para></listitem>
 	  </varlistentry>
 	</variablelist>
 
         <programlisting>
 example.org. IN SOA ns1.example.org. admin.example.org. (
                         5               ; Serial
                         10800           ; Refresh after 3 hours
                         3600            ; Retry after 1 hour
                         604800          ; Expire after 1 week
                         86400 )         ; Minimum TTL of 1 day</programlisting>
 
 
 
 	<variablelist>
 	  <varlistentry>
 	    <term><hostid role="domainname">example.org.</hostid></term>
 
 	    <listitem><para>the domain name, also the origin for this
 		zone file.</para></listitem>
 	  </varlistentry>
 
 	  <varlistentry>
 	    <term><hostid role="fqdn">ns1.example.org.</hostid></term>
 
 	    <listitem><para>the primary/authoritative name server for this
 		zone.</para></listitem>
 	  </varlistentry>
 
 	  <varlistentry>
 	    <term><literal>admin.example.org.</literal></term>
 
 	    <listitem><para>the responsible person for this zone,
 		email address with <quote>@</quote>
           replaced.  (<email>admin@example.org</email> becomes
 		<literal>admin.example.org</literal>)</para>
 	    </listitem>
 	  </varlistentry>
 
 	  <varlistentry>
 	    <term><literal>5</literal></term>
 
 	      <listitem><para>the serial number of the file.  This
 		  must be incremented each time the zone file is
 		  modified.  Nowadays, many admins prefer a
 		  <literal>yyyymmddrr</literal> format for the serial
 		  number.  <literal>2001041002</literal> would mean
 		  last modified 04/10/2001, the latter
 		  <literal>02</literal> being the second time the zone
 		  file has been modified this day.  The serial number
 		  is important as it alerts slave name servers for a
 		  zone when it is updated.</para>
 	      </listitem>
 	  </varlistentry>
 	</variablelist>
 
         <programlisting>
 @       IN NS           ns1.example.org.</programlisting>
 
         <para>
           This is an NS entry.  Every name server that is going to reply
           authoritatively for the zone must have one of these entries.
 	  The <literal>@</literal> as seen here could have been
 	  <hostid role="domainname">example.org.</hostid>
 	  The <literal>@</literal> translates to the origin.
         </para>
 
         <programlisting>
 localhost       IN A    127.0.0.1
 ns1             IN A    3.2.1.2
 ns2             IN A    3.2.1.3
 mail            IN A    3.2.1.10
 @               IN A    3.2.1.30</programlisting>
 
         <para>
           The A record indicates machine names.  As seen above,
           <hostid role="fqdn">ns1.example.org</hostid> would resolve
           to <hostid role="ipaddr">3.2.1.2</hostid>.  Again, the
           origin symbol, <literal>@</literal>, is used here, thus
           meaning <hostid role="domainname">example.org</hostid> would
           resolve to <hostid role="ipaddr">3.2.1.30</hostid>.
         </para>
 
         <programlisting>
 www             IN CNAME        @</programlisting>
 
         <para>
           The canonical name record is usually used for giving aliases
           to a machine.  In the example, <hostid>www</hostid> is
           aliased to the machine addressed to the origin, or
           <hostid role="domainname">example.org</hostid>
           (<hostid role="ipaddr">3.2.1.30</hostid>).
           CNAMEs can be used to provide alias
           hostnames, or round robin one hostname among multiple
           machines.
         </para>
 
 	<indexterm>
 	  <primary>MX record</primary>
 	</indexterm>
 
         <programlisting>
 @               IN MX   10      mail.example.org.</programlisting>
 
         <para>
           The MX record indicates which mail
           servers are responsible for handling incoming mail for the
           zone.  <hostid role="fqdn">mail.example.org</hostid> is the
           hostname of the mail server, and 10 being the priority of
           that mail server.
         </para>
 
         <para>
           One can have several mail servers, with priorities of 3, 2,
           1.  A mail server attempting to deliver to <hostid
           role="domainname">example.org</hostid> would first try the
           highest priority MX, then the second highest, etc, until the
           mail can be properly delivered.
         </para>
 
         <para>
           For in-addr.arpa zone files (reverse DNS), the same format is
           used, except with PTR entries instead of
 	  A or CNAME.
         </para>
 
         <programlisting>$TTL 3600
 
 1.2.3.in-addr.arpa. IN SOA ns1.example.org. admin.example.org. (
                         5               ; Serial
                         10800           ; Refresh
                         3600            ; Retry
                         604800          ; Expire
                         3600 )          ; Minimum
 
 @       IN NS   ns1.example.org.
 @       IN NS   ns2.example.org.
 
 2       IN PTR  ns1.example.org.
 3       IN PTR  ns2.example.org.
 10      IN PTR  mail.example.org.
 30      IN PTR  example.org.</programlisting>
 
         <para>This file gives the proper IP address to hostname
           mappings of our above fictitious domain.</para>
       </sect3>
     </sect2>
 
     <sect2>
       <title>Caching Name Server</title>
       <indexterm>
         <primary>BIND</primary>
         <secondary>caching name server</secondary>
       </indexterm>
 
       <para>A caching name server is a name server that is not
         authoritative for any zones.  It simply asks queries of its
         own, and remembers them for later use.  To set one up, just
         configure the name server as usual, omitting any inclusions of
         zones.</para>
     </sect2>
 
     <sect2 id="network-named-sandbox">
       <title>Running <application>named</application> in a Sandbox</title>
       <indexterm>
         <primary>BIND</primary>
         <secondary>running in a sandbox</secondary>
       </indexterm>
 
       <indexterm>
         <primary><command>chroot</command></primary>
       </indexterm>
       <para>For added security you may want to run &man.named.8; as an
 	unprivileged user, and configure it to &man.chroot.8; into a
 	sandbox directory.  This makes everything outside of the
 	sandbox inaccessible to the <application>named</application>
 	daemon.  Should <application>named</application> be
 	compromised, this will help to reduce the damage that can be
 	caused.  By default, FreeBSD has a user and a group called
 	<groupname>bind</groupname>, intended for this use.</para>
 
       <note><para>Various people would recommend that instead of configuring
 	<application>named</application> to <command>chroot</command>, you
 	should run <application>named</application> inside a &man.jail.8;.
 	This section does not attempt to cover this situation.</para>
       </note>
 
       <para>Since <application>named</application> will not be able to
 	access anything outside of the sandbox (such as shared
 	libraries, log sockets, and so on), there are a number of steps
 	that need to be followed in order to allow
 	<application>named</application> to function correctly.  In the
 	following checklist, it is assumed that the path to the sandbox
 	is <filename>/etc/namedb</filename> and that you have made no
 	prior modifications to the contents of this directory.  Perform
 	the following steps as <username>root</username>:</para>
 
       <itemizedlist>
 	<listitem>
 	  <para>Create all directories that <application>named</application>
 	    expects to see:</para>
 
 	  <screen>&prompt.root; <userinput>cd /etc/namedb</userinput>
 &prompt.root; <userinput>mkdir -p bin dev etc var/tmp var/run master slave</userinput>
 &prompt.root; <userinput>chown bind:bind slave var/*</userinput><co id="chown-slave"></screen>
 
 
 
 	  <calloutlist>
 	    <callout arearefs="chown-slave">
 	      <para><application>named</application> only needs write access to
 		these directories, so that is all we give it.</para>
 	    </callout>
 	  </calloutlist>
 	</listitem>
 
 	<listitem>
 	  <para>Rearrange and create basic zone and configuration files:</para>
 	  <screen>&prompt.root; <userinput>cp /etc/localtime etc</userinput><co id="localtime">
 &prompt.root; <userinput>mv named.conf etc && ln -sf etc/named.conf</userinput>
 &prompt.root; <userinput>mv named.root master</userinput>
 <!-- I don't like this next bit -->
 &prompt.root; <userinput>sh make-localhost && mv localhost.rev localhost-v6.rev master</userinput>
 &prompt.root; <userinput>cat > master/named.localhost
 $ORIGIN localhost.
 $TTL 6h
 @	IN	SOA	localhost. postmaster.localhost. (
 			1	; serial
 			3600	; refresh
 			1800	; retry
 			604800	; expiration
 			3600 )	; minimum
 	IN	NS	localhost.
 	IN	A		127.0.0.1
 ^D</userinput></screen>
 
 	  <calloutlist>
 	    <callout arearefs="localtime">
 	      <para>This allows <application>named</application> to log the
 		correct time to &man.syslogd.8;.</para>
 	    </callout>
 	  </calloutlist>
 	</listitem>
 
 	<listitem>
 
         <indexterm><primary>syslog</primary></indexterm>
         <indexterm><primary>logs</primary>
 	  <secondary>DNS</secondary></indexterm>
 
 	  <para>If you are running a version of &os; prior to 4.9-RELEASE, build a statically linked copy of
 	    <application>named-xfer</application>, and copy it into the sandbox:</para>
 
 	      <screen>&prompt.root; <userinput>cd /usr/src/lib/libisc</userinput>
 &prompt.root; <userinput>make cleandir && make cleandir && make depend && make all</userinput>
 &prompt.root; <userinput>cd /usr/src/lib/libbind</userinput>
 &prompt.root; <userinput>make cleandir && make cleandir && make depend && make all</userinput>
 &prompt.root; <userinput>cd /usr/src/libexec/named-xfer</userinput>
 &prompt.root; <userinput>make cleandir && make cleandir && make depend && make NOSHARED=yes all</userinput>
 &prompt.root; <userinput>cp named-xfer /etc/namedb/bin && chmod 555 /etc/namedb/bin/named-xfer</userinput><co id="clean-cruft"></screen>
 
 	  <para>After your statically linked
 	    <command>named-xfer</command> is installed some cleaning up
 	    is required, to avoid leaving stale copies of libraries or
 	    programs in your source tree:</para>
 
 	  <screen>&prompt.root; <userinput>cd /usr/src/lib/libisc</userinput>
 &prompt.root; <userinput>make cleandir</userinput>
 &prompt.root; <userinput>cd /usr/src/lib/libbind</userinput>
 &prompt.root; <userinput>make cleandir</userinput>
 &prompt.root; <userinput>cd /usr/src/libexec/named-xfer</userinput>
 &prompt.root; <userinput>make cleandir</userinput></screen>
 
 	  <calloutlist>
 	    <callout arearefs="clean-cruft">
 	      <para>This step has been reported to fail occasionally.  If this
 		happens to you, then issue the command:</para>
 
 	      <screen>&prompt.root; <userinput>cd /usr/src && make cleandir && make cleandir</userinput></screen>
 
 	      <para>and delete your <filename>/usr/obj</filename> tree:</para>
 
 	      <screen>&prompt.root; <userinput>rm -fr /usr/obj && mkdir /usr/obj</userinput></screen>
 
 		<para>This will clean out any <quote>cruft</quote> from your
 		  source tree, and retrying the steps above should then work.</para>
 	    </callout>
 	  </calloutlist>
 
 	  <para>If you are running &os; version 4.9-RELEASE or later,
 	    then the copy of <command>named-xfer</command> in
 	    <filename>/usr/libexec</filename> is statically linked by
 	    default, and you can simply use &man.cp.1; to copy it into
 	    your sandbox.</para>
 	</listitem>
 
 	<listitem>
 	  <para>Make a <filename>dev/null</filename> that
 	    <application>named</application> can see and write to:</para>
 
 	  <screen>&prompt.root; <userinput>cd /etc/namedb/dev && mknod null c 2 2</userinput>
 &prompt.root; <userinput>chmod 666 null</userinput></screen>
 	</listitem>
 
 	<listitem>
 	  <para>Symlink <filename> /var/run/ndc</filename> to
 	    <filename>/etc/namedb/var/run/ndc</filename>:</para>
 
 	  <screen>&prompt.root; <userinput>ln -sf /etc/namedb/var/run/ndc /var/run/ndc</userinput></screen>
 
 	  <note>
 	    <para>This simply avoids having to specify the
 	      <option>-c</option> option to &man.ndc.8; every time you
 	      run it.  Since the contents of
 	      <filename>/var/run</filename> are deleted on boot, if
 	      this is something that you find useful you may wish to
 	      add this command to <username>root</username>'s
 	      <filename>crontab</filename>, making use of the
 	      <option>@reboot</option> option.  See &man.crontab.5;
 	      for more information regarding this.</para>
 	  </note>
 
 	</listitem>
 
 	<listitem>
 
         <indexterm><primary>syslog</primary></indexterm>
         <indexterm><primary>logs</primary>
 	  <secondary>named</secondary></indexterm>
 
 	  <para>Configure &man.syslogd.8; to create an extra
 	    <devicename>log</devicename> socket that
 	    <application>named</application> can write to.  To do this,
 	    add <literal>-l /etc/namedb/dev/log</literal> to the
 	    <varname>syslogd_flags</varname> variable in
 	    <filename>/etc/rc.conf</filename>.</para>
 	</listitem>
 
 	<listitem>
 
           <indexterm><primary><command>chroot</command></primary></indexterm>
 
 	  <para>Arrange to have <application>named</application> start
 	    and <command>chroot</command> itself to the sandbox by
 	    adding the following to
 	    <filename>/etc/rc.conf</filename>:</para>
 
 	  <programlisting>named_enable="YES"
 named_flags="-u bind -g bind -t /etc/namedb /etc/named.conf"</programlisting>
 
 	  <note>
 	    <para>Note that the configuration file
 	    <replaceable>/etc/named.conf</replaceable> is denoted by a full
 	    pathname <emphasis>relative to the sandbox</emphasis>, i.e. in
 	    the line above, the file referred to is actually
 	    <filename>/etc/namedb/etc/named.conf</filename>.</para>
 	  </note>
 	</listitem>
       </itemizedlist>
 
       <para>The next step is to edit
 	<filename>/etc/namedb/etc/named.conf</filename> so that
 	<application>named</application> knows which zones to load and
 	where to find them on the disk.  There follows a commented
 	example (anything not specifically commented here is no
 	different from the setup for a DNS server not running in a
 	sandbox):</para>
 
 	<programlisting>options {
         directory "/";<co id="directory">
         named-xfer "/bin/named-xfer";<co id="named-xfer">
         version "";		// Don't reveal BIND version
         query-source address * port 53;
 };
 // ndc control socket
 controls {
         unix "/var/run/ndc" perm 0600 owner 0 group 0;
 };
 // Zones follow:
 zone "localhost" IN {
         type master;
         file "master/named.localhost";<co id="master">
         allow-transfer { localhost; };
         notify no;
 };
 zone "0.0.127.in-addr.arpa" IN {
         type master;
         file "master/localhost.rev";
         allow-transfer { localhost; };
         notify no;
 };
 zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.int" {
 	type master;
 	file "master/localhost-v6.rev";
 	allow-transfer { localhost; };
 	notify no;
 };
 zone "." IN {
         type hint;
         file "master/named.root";
 };
 zone "private.example.net" in {
         type master;
         file "master/private.example.net.db";
 	allow-transfer { 192.168.10.0/24; };
 };
 zone "10.168.192.in-addr.arpa" in {
         type slave;
         masters { 192.168.10.2; };
         file "slave/192.168.10.db";<co id="slave">
 };</programlisting>
 
       <calloutlist>
 	<callout arearefs="directory">
 	  <para>The
 	    <literal>directory</literal> statement is specified as
 	    <filename>/</filename>, since all files that
 	    <application>named</application> needs are within this
 	    directory (recall that this is equivalent to a
 	    <quote>normal</quote> user's
 	    <filename>/etc/namedb</filename>).</para>
 	</callout>
 
 	<callout arearefs="named-xfer">
 	  <para>Specifies the full path
 	    to the <command>named-xfer</command> binary (from
 	    <application>named</application>'s frame of reference).  This
 	    is necessary since <application>named</application> is
 	    compiled to look for <command>named-xfer</command> in
 	    <filename>/usr/libexec</filename> by default.</para>
 	</callout>
 	<callout arearefs="master"><para>Specifies the filename (relative
 	  to the <literal>directory</literal> statement above) where
 	  <application>named</application> can find the zone file for this
 	  zone.</para>
 	</callout>
 	<callout arearefs="slave"><para>Specifies the filename
 	    (relative to the <literal>directory</literal> statement above)
 	    where <application>named</application> should write a copy of
 	    the zone file for this zone after successfully transferring it
 	    from the master server.  This is why we needed to change the
 	    ownership of the directory <filename>slave</filename> to
 	    <groupname>bind</groupname> in the setup stages above.</para>
 	</callout>
       </calloutlist>
 
       <para>After completing the steps above, either reboot your
 	server or restart &man.syslogd.8; and start &man.named.8;, making
 	sure to use the new options specified in
 	<varname>syslogd_flags</varname> and
 	<varname>named_flags</varname>.  You should now be running a
 	sandboxed copy of <application>named</application>!</para>
 
     </sect2>
 
     <sect2>
       <title>Security</title>
 
       <para>Although BIND is the most common implementation of DNS,
         there is always the issue of security.  Possible and
         exploitable security holes are sometimes found.
       </para>
 
       <para>
         It is a good idea to read <ulink
         url="http://www.cert.org/">CERT</ulink>'s security advisories and
 	to subscribe to the &a.security-notifications;
         to stay up to date with the current Internet and FreeBSD security
         issues.
       </para>
 
       <tip><para>If a problem arises, keeping sources up to date and
         having a fresh build of <application>named</application> would
         not hurt.</para></tip>
     </sect2>
 
     <sect2>
       <title>Further Reading</title>
 
       <para>BIND/<application>named</application> manual pages:
       &man.ndc.8; &man.named.8; &man.named.conf.5;</para>
 
       <itemizedlist>
 	<listitem>
 	  <para><ulink
 	      url="http://www.isc.org/products/BIND/">Official ISC BIND
 	      Page</ulink></para>
 	</listitem>
 
 	<listitem>
 	  <para><ulink
 	  url="http://www.nominum.com/getOpenSourceResource.php?id=6">
 	  BIND FAQ</ulink></para>
 	</listitem>
 
 	<listitem>
 	  <para><ulink url="http://www.oreilly.com/catalog/dns4/">O'Reilly
          DNS and BIND 4th Edition</ulink></para>
 	</listitem>
 
 	<listitem>
 	  <para><ulink
 	      url="ftp://ftp.isi.edu/in-notes/rfc1034.txt">RFC1034
 	      - Domain Names - Concepts and Facilities</ulink></para>
 	</listitem>
 
 	<listitem>
 	  <para><ulink
 	      url="ftp://ftp.isi.edu/in-notes/rfc1035.txt">RFC1035
 	      - Domain Names - Implementation and Specification</ulink></para>
 	</listitem>
       </itemizedlist>
     </sect2>
   </sect1>
 
   <sect1 id="network-bind9">
     <sect1info>
       <authorgroup>
 	<author>
 	  <firstname>Tom</firstname>
 	  <surname>Rhodes</surname>
 	  <contrib>Written by </contrib>
 	</author>
       </authorgroup>
     </sect1info>
     <title><acronym>BIND</acronym>9 and &os;</title>
 
 <!-- This section is here to get users up with BIND9 configurations!  It
   does not cover the terminology, theoretical discussion (why run a name
   server) or the further reading which is still in the previous section.
   I did things this way to avoid repetition of content and obviously we
   cannot just remove the previous section since other supported releases
   use it.  When the previous section is removed then those comments
   should be moved here.  // Tom Rhodes -->
 
     <indexterm><primary>bind9</primary>
       <secondary>setting up</secondary></indexterm>
 
     <para>The release of &os;&nbsp;5.3 brought the
       <acronym>BIND</acronym>9 <acronym>DNS</acronym> server software
       into the distribution.  New security features, a new file system
       layout and automated &man.chroot.8; configuration came with the
       import.  This section has been written in two parts, the first
       will discuss new features and their configuration; the latter
       will cover upgrades to aid in move to &os;&nbsp;5.3.  From this
       moment on, the server will be referred to simply as
       &man.named.8; in place of <acronym>BIND</acronym>.  This section
       skips over the terminology described in the previous section as
       well as some of the theoretical discussions; thus, it is
       recommended that the previous section be consulted before reading
       any further here.</para>
 
     <para>Configuration files for <command>named</command> currently
       reside in
       <filename class="directory">/var/named/etc/namedb/</filename> and
       will need modification before use.  This is where most of the
       configuration will be performed.</para>
 
     <sect2>
       <title>Configuration of a Master Zone</title>
 
       <para>To configure a master zone visit
 	<filename class="directory">/var/named/etc/namedb/</filename>
 	and run the following command:</para>
 
       <screen>&prompt.root; <userinput>sh make-localhost</userinput></screen>
 
       <para>If all went well a new file should exist in the
 	<filename class="directory">master</filename> directory.  The
 	filenames should be <filename>localhost.rev</filename> for
 	the local domain name and <filename>localhost-v6.rev</filename>
 	for <acronym>IPv6</acronym> configurations.  As the default
 	configuration file, configuration for its use will already
 	be present in the <filename>named.conf</filename> file.</para>
     </sect2>
 
     <sect2>
       <title>Configuration of a Slave Zone</title>
 
       <para>Configuration for extra domains or sub domains may be
 	done properly by setting them as a slave zone.  In most cases,
 	the <filename>master/localhost.rev</filename> could just be
 	copied over into the <filename class="directory">slave</filename>
 	directory and modified.  Once completed, the files need
 	to be properly added in <filename>named.conf</filename> such
 	as in the following configuration for
 	<hostid role="fqdn">example.com</hostid>:</para>
 
       <programlisting>zone "example.com" {
         type slave;
         file "slave/example.com";
         masters {
                 10.0.0.1;
         };
 };
 
 zone "0.168.192.in-addr.arpa" {
         type slave;
         file "slave/0.168.192.in-addr.arpa";
         masters {
                 10.0.0.1;
         };
 };</programlisting>
 
       <para>Note well that in this example, the master
 	<acronym>IP</acronym> address is the primary domain server
 	from which the zones are transferred; it does not necessary serve
 	as <acronym>DNS</acronym> server itself.</para>
     </sect2>
 
     <sect2>
       <title>System Initialization Configuration</title>
 
       <para>In order for the <command>named</command> daemon to start
 	when the system is booted, the following option must be present
 	in the <filename>rc.conf</filename> file:</para>
 
       <programlisting>named_enable="YES"</programlisting>
 
       <para>While other options exist, this is the bare minimal
 	requirement.  Consult the &man.rc.conf.5; manual page for
 	a list of the other options.  If nothing is entered in the
 	<filename>rc.conf</filename> file then <command>named</command>
 	may be started on the command line by invoking:</para>
 
       <screen>&prompt.root; <userinput>/etc/rc.d/named start</userinput></screen>
     </sect2>
 
     <sect2>
       <title><acronym>BIND</acronym>9 Security</title>
 
       <para>While &os automatically drops <command>named</command>
 	into a &man.chroot.8; environment; there are several other
 	security mechanisms in place which could help to lure off
 	possible <acronym>DNS</acronym> service attacks.</para>
 
       <sect3>
 	<title>Query Access Control Lists</title>
 
 	<para>A query access control list can be used to restrict
 	  queries against the zones.  The configuration works by
 	  defining the network inside of the <literal>acl</literal>
 	  token and then listing <acronym>IP</acronym> addresses in
 	  the zone configuration.  To permit domains to query the
 	  example host, just define it like this:</para>
 
 	<programlisting>acl "example.com" {
         192.168.0.0/24;
 };
 
 zone "example.com" {
         type slave;
         file "slave/example.com";
         masters {
                 10.0.0.1;
         };
 	allow-query { example.com; };
 };
 
 zone "0.168.192.in-addr.arpa" {
         type slave;
         file "slave/0.168.192.in-addr.arpa";
         masters {
                 10.0.0.1;
         };
 	allow-query { example.com; };
 };</programlisting>
       </sect3>
 
       <sect3>
 	<title>Restrict Version</title>
 
 	<para>Permitting version lookups on the <acronym>DNS</acronym>
 	  server could be opening the doors for an attacker.  A
 	  malicious user may use this information to hunt up known
 	  exploits or bugs to utilize against the host.  A false version
 	  string can be placed the <literal>options</literal> section of
 	  <filename>named.conf</filename>:</para>
 
 	<programlisting>options {
         directory       "/etc/namedb";
         pid-file        "/var/run/named/pid";
         dump-file       "/var/dump/named_dump.db";
         statistics-file "/var/stats/named.stats";
 	version		"None of your business";</programlisting>
       </sect3>
 <!-- Here is where I stopped for now
       <sect3>
         <title>Authentication</title>
 
 	<para> ... </para>
 
 -->
     </sect2>
   </sect1>
 
 
   <sect1 id="network-apache">
     <sect1info>
       <authorgroup>
 	<author>
 	  <firstname>Murray</firstname>
 	  <surname>Stokely</surname>
 	  <contrib>Contributed by </contrib>
 	</author>
       </authorgroup>
     </sect1info>
     <title>Apache HTTP Server</title>
 
     <indexterm><primary>web server</primary>
       <secondary>setting up</secondary></indexterm>
     <indexterm><primary>Apache</primary></indexterm>
 
     <sect2>
       <title>Overview</title>
 
       <para>&os; is used to run some of the busiest web sites in the
         world.  The majority of web servers on the Internet are using
         the <application>Apache HTTP Server</application>.
         <application>Apache</application> software packages should be
         included on your FreeBSD installation media.  If you did not
         install <application>Apache</application> when you first
         installed FreeBSD, then you can install it from the <filename
         role="package">www/apache13</filename> or <filename
         role="package">www/apache2</filename> port.</para>
 
       <para>Once <application>Apache</application> has been installed
         successfully, it must be configured.</para>
 
       <note><para>This section covers version 1.3.X of the
         <application>Apache HTTP Server</application> as that is the
         most widely used version for &os;.  <application>Apache&nbsp;2.X</application> introduces many
         new technologies but they are not discussed here.  For more
         information about <application>Apache&nbsp;2.X</application>, please see <ulink
         url="http://httpd.apache.org/"></ulink>.</para></note>
 
     </sect2>
 
     <sect2>
       <title>Configuration</title>
 
       <indexterm><primary>Apache</primary>
 	<secondary>configuration file</secondary></indexterm>
 
       <para>The main <application>Apache HTTP Server</application> configuration file is
 	installed as
 	<filename>/usr/local/etc/apache/httpd.conf</filename> on &os;.
 	This file is a typical &unix; text configuration file with
 	comment lines beginning with the <literal>#</literal>
 	character.  A comprehensive description of all possible
 	configuration options is outside the scope of this book, so
 	only the most frequently modified directives will be described
 	here.</para>
 
       <variablelist>
 	<varlistentry>
 	  <term><literal>ServerRoot "/usr/local"</literal></term>
 
 	  <listitem>
 	    <para>This specifies the default directory hierarchy for
 	    the <application>Apache</application> installation.  Binaries are stored in the
 	    <filename class="directory">bin</filename> and 
 	    <filename class="directory">sbin</filename> subdirectories
 	    of the server root, and configuration files are stored in
 	    <filename class="directory">etc/apache</filename>.</para>
 	  </listitem>
 	</varlistentry>
 
 	<varlistentry>
 	  <term><literal>ServerAdmin you@your.address</literal></term>
 
 	  <listitem>
 	    <para>The address to which problems with the server should
 	      be emailed.  This address appears on some
 	      server-generated pages, such as error documents.</para>
 	  </listitem>
 	</varlistentry>
 
 	<varlistentry>
 	  <term><literal>ServerName www.example.com</literal></term>
 
 	  <listitem>
 	    <para><literal>ServerName</literal> allows you to set a host name which is
 	      sent back to clients for your server if it is different
 	      to the one that the host is configured with (i.e., use <hostid>www</hostid>
 	      instead of the host's real name).</para>
 	  </listitem>
 	</varlistentry>
 
 	<varlistentry>
 	  <term><literal>DocumentRoot "/usr/local/www/data"</literal></term>
 
 	  <listitem>
 	    <para><literal>DocumentRoot</literal>: The directory out of which you will
 	      serve your documents. By default, all requests are taken
 	      from this directory, but symbolic links and aliases may
 	      be used to point to other locations.</para>
 	  </listitem>
 	</varlistentry>
       </variablelist>
 
       <para>It is always a good idea to make backup copies of your
 	<application>Apache</application> configuration file before making changes.  Once you are
 	satisfied with your initial configuration you are ready to
 	start running <application>Apache</application>.</para>
 
 <!-- sect3 for performance tuning directives?  maxservers minservers -->
 <!-- etc..?? -->
 
 <!-- Advanced configuration section.
 
 Performance tuning directives.
 
 Log file format -->
 
     </sect2>
 
     <sect2>
       <title>Running <application>Apache</application></title>
 
       <indexterm><primary>Apache</primary>
 	<secondary>starting or stopping</secondary></indexterm>
 
       <para><application>Apache</application> does not run from the
         <application>inetd</application> super server as many other
         network servers do.  It is configured to run standalone for
         better performance for incoming HTTP requests from client web
         browsers.  A shell script wrapper is included to make
         starting, stopping, and restarting the server as simple as
         possible.  To start up <application>Apache</application> for
         the first time, just run:</para>
 
       <screen>&prompt.root; <userinput>/usr/local/sbin/apachectl start</userinput></screen>
 
       <para>You can stop the server at any time by typing :</para>
 
       <screen>&prompt.root; <userinput>/usr/local/sbin/apachectl stop</userinput></screen>
 
       <para>After making changes to the configuration file for any
       reason, you will need to restart the server:</para>
 
       <screen>&prompt.root; <userinput>/usr/local/sbin/apachectl restart</userinput></screen>
 
       <para>To launch <application>Apache</application> at system
         startup, add the following line to
         <filename>/etc/rc.conf</filename>:</para>
 
       <programlisting>apache_enable="YES"</programlisting>
 
       <para>If you would like to supply additional command line
 	options for the <application>Apache</application>
 	<command>httpd</command> program started at system boot, you
 	may specify them with an additional line in
 	<filename>rc.conf</filename>:</para>
 
       <programlisting>apache_flags=""</programlisting>
 
       <para>Now that the web server is running, you can view your web
         site by pointing a web browser to
         <literal>http://localhost/</literal>.  The default web page
         that is displayed is
         <filename>/usr/local/www/data/index.html</filename>.</para>
 
     </sect2>
 
     <sect2>
       <title>Virtual Hosting</title>
 
       <para><application>Apache</application> supports two different
 	types of Virtual Hosting. The first method is Name-based
 	Virtual Hosting. Name-based virtual hosting uses the clients
 	HTTP/1.1 headers to figure out the hostname. This allows many
 	different domains to share the same IP address.</para>
 
       <para>To setup <application>Apache</application> to use
         Name-based Virtual Hosting add an entry like the following to
         your <filename>httpd.conf</filename>:</para>
 
       <programlisting>NameVirtualHost *</programlisting>
 
       <para>If your webserver was named <hostid role="fqdn">www.domain.tld</hostid> and
         you wanted to setup a virtual domain for
         <hostid role="fqdn">www.someotherdomain.tld</hostid> then you would add
         the following entries to
         <filename>httpd.conf</filename>:</para>
 
       <screen>&lt;VirtualHost *&gt;
 ServerName www.domain.tld
 DocumentRoot /www/domain.tld
 &lt;VirtualHost&gt;
 
 &lt;VirtualHost *&gt;
 ServerName www.someotherdomain.tld
 DocumentRoot /www/someotherdomain.tld
 &lt;/VirtualHost&gt;</screen>
 
       <para>Replace the addresses with the addresses you want to use
         and the path to the documents with what you are using.</para>
 
       <para>For more information about setting up virtual hosts,
         please consult the official <application>Apache</application>
         documentation at: <ulink
         url="http://httpd.apache.org/docs/vhosts/"></ulink></para>
 
     </sect2>
 
     <sect2>
       <title>Apache Modules</title>
 
       <indexterm><primary>Apache</primary>
 	<secondary>modules</secondary></indexterm>
 
       <para>There are many different <application>Apache</application> modules available to add
         functionality to the basic server.  The FreeBSD Ports
         Collection provides an easy way to install
         <application>Apache</application> together with some of the
         more popular add-on modules.</para>
 
       <sect3>
         <title>mod_ssl</title>
 
 	<indexterm><primary>web server</primary>
           <secondary>secure</secondary></indexterm>
 	<indexterm><primary>SSL</primary></indexterm>
 	<indexterm><primary>cryptography</primary></indexterm>
 
         <para>The <application>mod_ssl</application> module uses the OpenSSL library to provide
           strong cryptography via the Secure Sockets Layer (SSL v2/v3)
           and Transport Layer Security (TLS v1) protocols.  This
           module provides everything necessary to request a signed
           certificate from a trusted certificate signing authority so
           that you can run a secure web server on &os;.</para>
 
 	<para>If you have not yet installed
 	  <application>Apache</application>, then a version of <application>Apache</application>
 	  1.3.X that includes <application>mod_ssl</application> may be installed with the <filename
 	  role="package">www/apache13-modssl</filename> port.  SSL
 	  support is also available for Apache 2.X in the
 	  <filename role="package">www/apache2</filename> port,
 	  where it is enabled by default.</para>
 
 <!-- XXX add more information about configuring mod_ssl here. -->
 <!-- Generating keys, getting the key signed, setting up your secure -->
 <!-- web server! -->
       </sect3>
 
       <sect3>
         <title>mod_perl</title>
 
 	<indexterm><primary>Perl</primary></indexterm>
 
         <para>The <application>Apache</application>/Perl integration project brings together the
 	  full power of the Perl programming language and the <application>Apache
 	  HTTP Server</application>.  With the <application>mod_perl</application> module it is possible to
 	  write <application>Apache</application> modules entirely in Perl.  In addition, the
 	  persistent interpreter embedded in the server avoids the
 	  overhead of starting an external interpreter and the penalty
 	  of Perl start-up time.</para>
 
 	<para>If you have not yet installed
 	  <application>Apache</application>, then a version of <application>Apache</application>
 	  that includes <application>mod_perl</application> may be installed with the <filename
 	  role="package">www/apache13-modperl</filename> port.</para>
       </sect3>
 
       <sect3>
         <title>PHP</title>
 
 	<indexterm><primary>PHP</primary></indexterm>
 
         <para>PHP, which stands for <quote>PHP: Hypertext
 	  Preprocessor</quote> is a widely-used Open Source
 	  general-purpose scripting language that is especially suited
 	  for Web development and can be embedded into HTML.  Its
 	  syntax draws upon C, &java;, and Perl, and is easy to learn.
 	  The main goal of the language is to allow web developers to
 	  write dynamically generated webpages quickly, but you can do
 	  much more with PHP.</para>
 
 	<para>PHP may be installed from the <filename
 	  role="package">lang/php5</filename> port.</para>
       </sect3>
     </sect2>
   </sect1>
 
   <sect1 id="network-ftp">
     <sect1info>
       <authorgroup>
 	<author>
 	  <firstname>Murray</firstname>
 	  <surname>Stokely</surname>
 	  <contrib>Contributed by </contrib>
 	</author>
       </authorgroup>
     </sect1info>
     <title>File Transfer Protocol (FTP)</title>
 
     <indexterm><primary>FTP server</primary></indexterm>
 
     <sect2>
       <title>Overview</title>
 
       <para>The File Transfer Protocol (FTP) provides users with a
 	simple way to transfer files to and from an <acronym
 	role="File Transfer Protocol">FTP</acronym> server.  &os;
 	includes <acronym role="File Transfer Protocol">FTP</acronym>
 	server software, <application>ftpd</application>, in the base
 	system.  This makes setting up and administering an <acronym
 	role="File Transfer Protocol">FTP</acronym> server on FreeBSD
 	very straightforward.</para>
     </sect2>
 
     <sect2>
       <title>Configuration</title>
 
       <para>The most important configuration step is deciding which
 	accounts will be allowed access to the FTP server.  A normal
 	FreeBSD system has a number of system accounts used for
 	various daemons, but unknown users should not be allowed to
 	log in with these accounts.  The
 	<filename>/etc/ftpusers</filename> file is a list of users
 	disallowed any FTP access.  By default, it includes the
 	aforementioned system accounts, but it is possible to add
 	specific users here that should not be allowed access to
 	FTP.</para>
 
       <para>You may want to restrict the access of some users without
 	preventing them completely from using FTP.  This can be
 	accomplished with the <filename>/etc/ftpchroot</filename>
 	file.  This file lists users and groups subject to FTP access
 	restrictions.  The &man.ftpchroot.5; manual page has all of
 	the details so it will not be described in detail here.</para>
 
       <para>If you would like to enable anonymous FTP access to your
 	server, then you must create a user named
 	<username>ftp</username> on your &os; system.  Users will then
 	be able to log on to your FTP server with a username of
 	<username>ftp</username> or <username>anonymous</username> and
 	with any password (by convention an email address for the user
 	should be used as the password).  The FTP server will call
 	&man.chroot.2; when an anonymous user logs in, to restrict
 	access to only the home directory of the
 	<username>ftp</username> user.</para>
 
       <para>There are two text files that specify welcome messages to
 	be displayed to FTP clients.  The contents of the file
 	<filename>/etc/ftpwelcome</filename> will be displayed to
 	users before they reach the login prompt.  After a successful
 	login, the contents of the file
 	<filename>/etc/ftpmotd</filename> will be displayed.  Note
 	that the path to this file is relative to the login environment, so the
 	file <filename>~ftp/etc/ftpmotd</filename> would be displayed
 	for anonymous users.</para>
 
       <para>Once the FTP server has been configured properly, it must
         be enabled in <filename>/etc/inetd.conf</filename>.  All that
         is required here is to remove the comment symbol
         <quote>#</quote> from in front of the existing
         <application>ftpd</application> line :</para>
 
       <programlisting>ftp	stream	tcp	nowait	root	/usr/libexec/ftpd	ftpd -l</programlisting>
 
       <para>As explained in <xref linkend="network-inetd-hangup">, a
         HangUP Signal must be sent to <application>inetd</application>
         after this configuration file is changed.</para>
 
       <para>You can now log on to your FTP server by typing:</para>
 
       <screen>&prompt.user; <userinput>ftp localhost</userinput></screen>
 
     </sect2>
 
     <sect2>
       <title>Maintaining</title>
 
       <indexterm><primary>syslog</primary></indexterm>
       <indexterm><primary>logs</primary>
 	<secondary>FTP</secondary></indexterm>
 
       <para>The <application>ftpd</application> daemon uses
         &man.syslog.3; to log messages.  By default, the system log
         daemon will put messages related to FTP in the
         <filename>/var/log/xferlog</filename> file.  The location of
         the FTP log can be modified by changing the following line in
         <filename>/etc/syslog.conf</filename>:</para>
 
       <programlisting>ftp.info      /var/log/xferlog</programlisting>
 
       <para>Be aware of the potential problems involved with running
         an anonymous FTP server.  In particular, you should think
         twice about allowing anonymous users to upload files.  You may
         find that your FTP site becomes a forum for the trade of
         unlicensed commercial software or worse.  If you do need to
         allow anonymous FTP uploads, then you should set up the
         permissions so that these files can not be read by other
         anonymous users until they have been reviewed.</para>
 
     </sect2>
   </sect1>
 
   <sect1 id="network-samba">
     <sect1info>
       <authorgroup>
 	<author>
 	  <firstname>Murray</firstname>
 	  <surname>Stokely</surname>
 	  <contrib>Contributed by </contrib>
 	</author>
       </authorgroup>
     </sect1info>
     <title>File and Print Services for &microsoft.windows; clients (Samba)</title>
 
     <indexterm><primary>Samba server</primary></indexterm>
     <indexterm><primary>Microsoft Windows</primary></indexterm>
     <indexterm>
       <primary>file server</primary>
       <secondary>Windows clients</secondary>
     </indexterm>
     <indexterm>
       <primary>print server</primary>
       <secondary>Windows clients</secondary>
     </indexterm>
 
     <sect2>
       <title>Overview</title>
 
       <para><application>Samba</application> is a popular open source
         software package that provides file and print services for
         &microsoft.windows; clients.  Such clients can connect to and
         use FreeBSD filespace as if it was a local disk drive, or
         FreeBSD printers as if they were local printers.</para>
 
       <para><application>Samba</application> software packages should
         be included on your FreeBSD installation media.  If you did
         not install <application>Samba</application> when you first
         installed FreeBSD, then you can install it from the <filename
         role="package">net/samba3</filename> port or package.</para>
 
 <!-- mention LDAP, Active Directory, WinBIND, ACL, Quotas, PAM, .. -->
 
     </sect2>
 
     <sect2>
       <title>Configuration</title>
 
       <para>A default <application>Samba</application> configuration
         file is installed as
         <filename>/usr/local/etc/smb.conf.default</filename>.  This
         file must be copied to
         <filename>/usr/local/etc/smb.conf</filename> and customized
         before <application>Samba</application> can be used.</para>
 
       <para>The <filename>smb.conf</filename> file contains runtime
         configuration information for
         <application>Samba</application>, such as definitions of the
         printers and <quote>filesystem shares</quote> that you would
         like to share with &windows; clients.  The
         <application>Samba</application> package includes a web based
         tool called <application>swat</application> which provides a
         simple way of configuring the <filename>smb.conf</filename>
         file.</para>
 
       <sect3>
 	<title>Using the Samba Web Administration Tool (SWAT)</title>
 
 	<para>The Samba Web Administration Tool (SWAT) runs as a
 	  daemon from <application>inetd</application>.  Therefore, the
 	  following line in <filename>/etc/inetd.conf</filename>
 	  should be uncommented before <application>swat</application> can be
 	  used to configure <application>Samba</application>:</para>
 
 	<programlisting>swat   stream  tcp     nowait/400      root    /usr/local/sbin/swat</programlisting>
         <para>As explained in <xref linkend="network-inetd-hangup">, a
           HangUP Signal must be sent to
           <application>inetd</application> after this configuration
           file is changed.</para>
 
 	<para>Once <application>swat</application> has been enabled in
 	  <filename>inetd.conf</filename>, you can use a browser to
 	  connect to <ulink url="http://localhost:901"></ulink>.  You will
 	  first have to log on with the system <username>root</username> account.</para>
 
 <!-- XXX screenshots go here, loader is creating them -->
 
 	<para>Once you have successfully logged on to the main
 	  <application>Samba</application> configuration page, you can
 	  browse the system documentation, or begin by clicking on the
 	  <guimenu>Globals</guimenu> tab.  The <guimenu>Globals</guimenu> section corresponds to the
 	  variables that are set in the <literal>[global]</literal>
 	  section of
 	  <filename>/usr/local/etc/smb.conf</filename>.</para>
       </sect3>
 
       <sect3>
 	<title>Global Settings</title>
 
 	<para>Whether you are using <application>swat</application> or
 	  editing <filename>/usr/local/etc/smb.conf</filename>
 	  directly, the first directives you are likely to encounter
 	  when configuring <application>Samba</application>
 	  are:</para>
 
         <variablelist>
 	  <varlistentry>
 	    <term><literal>workgroup</literal></term>
 
 	    <listitem>
 	      <para>NT Domain-Name or Workgroup-Name for the computers
 	        that will be accessing this server.</para>
 	    </listitem>
 	  </varlistentry>
 
 	  <varlistentry>
 	    <term><literal>netbios name</literal></term>
 	    <indexterm><primary>NetBIOS</primary></indexterm>
 
 	    <listitem>
 	      <para>This sets the NetBIOS name by which a <application>Samba</application> server
 		is known. By default it is the same as the first
 		component of the host's DNS name.</para>
 	    </listitem>
 	  </varlistentry>
 
 	  <varlistentry>
 	    <term><literal>server string</literal></term>
 
 	    <listitem>
 	      <para>This sets the string that will be displayed with
 		the <command>net view</command> command and some other
 		networking tools that seek to display descriptive text
 		about the server.</para>
 	    </listitem>
 	  </varlistentry>
         </variablelist>
       </sect3>
 
       <sect3>
 	<title>Security Settings</title>
 
 	<para>Two of the most important settings in
 	  <filename>/usr/local/etc/smb.conf</filename> are the
 	  security model chosen, and the backend password format for
 	  client users.  The following directives control these
 	  options:</para>
 
         <variablelist>
 	  <varlistentry>
 	    <term><literal>security</literal></term>
 
 	    <listitem>
 	      <para>The two most common options here are
 	        <literal>security = share</literal> and <literal>security
 	        = user</literal>.  If your clients use usernames that
 	        are the same as their usernames on your &os; machine
 	        then you will want to use user level security.  This
 	        is the default security policy and it requires clients
 	        to first log on before they can access shared
 	        resources.</para>
 
 	      <para>In share level security, client do not need to log
 	        onto the server with a valid username and password
 	        before attempting to connect to a shared resource.
 	        This was the default security model for older versions
 	        of <application>Samba</application>.</para>
 	    </listitem>
 	  </varlistentry>
 
 	  <varlistentry>
 	    <term><literal>passdb backend</literal></term>
 
 	    <indexterm><primary>NIS+</primary></indexterm>
 	    <indexterm><primary>LDAP</primary></indexterm>
 	    <indexterm><primary>SQL database</primary></indexterm>
 
 	    <listitem>
 	      <para><application>Samba</application> has several
 	        different backend authentication models.  You can
 	        authenticate clients with LDAP, NIS+, a SQL database,
 	        or a modified password file.  The default
 	        authentication method is <literal>smbpasswd</literal>,
 	        and that is all that will be covered here.</para>
 	    </listitem>
 	  </varlistentry>
 	</variablelist>
 
 	<para>Assuming that the default <literal>smbpasswd</literal>
 	  backend is used, the
 	  <filename>/usr/local/private/smbpasswd</filename> file must
 	  be created to allow <application>Samba</application> to
 	  authenticate clients.  If you would like to give all of
 	  your &unix; user accounts access from &windows; clients, use the
 	  following command:</para>
 
 	<screen>&prompt.root; <userinput>grep -v "^#" /etc/passwd | make_smbpasswd &gt; /usr/local/private/smbpasswd</userinput>
 &prompt.root; <userinput>chmod 600 /usr/local/private/smbpasswd</userinput></screen>
 
 	<para>Please see the <application>Samba</application>
 	  documentation for additional information about configuration
 	  options.  With the basics outlined here, you should have
 	  everything you need to start running
 	  <application>Samba</application>.</para>
       </sect3>
 
     </sect2>
     <sect2>
       <title>Starting <application>Samba</application></title>
 
       <para>To enable <application>Samba</application> when your
         system boots, add the following line to
         <filename>/etc/rc.conf</filename>:</para>
 
       <programlisting>samba_enable="YES"</programlisting>
 
       <para>You can then start <application>Samba</application> at any
         time by typing:</para>
 
       <screen>&prompt.root; <userinput>/usr/local/etc/rc.d/samba.sh start</userinput>
 Starting SAMBA: removing stale tdbs :
 Starting nmbd.
 Starting smbd.</screen>
 
       <para><application>Samba</application> actually consists of
         three separate daemons.  You should see that both the
         <application>nmbd</application> and <application>smbd</application> daemons
         are started by the <filename>samba.sh</filename> script.  If
         you enabled winbind name resolution services in
         <filename>smb.conf</filename>, then you will also see that
         the <application>winbindd</application> daemon is started.</para>
 
       <para>You can stop <application>Samba</application> at any time
         by typing :</para>
 
       <screen>&prompt.root; <userinput>/usr/local/etc/rc.d/samba.sh stop</userinput></screen>
 
       <para><application>Samba</application> is a complex software
         suite with functionality that allows broad integration with
         &microsoft.windows; networks.  For more information about
         functionality beyond the basic installation described here,
         please see <ulink url="http://www.samba.org"></ulink>.</para>
     </sect2>
 
   </sect1>
 
   <sect1 id="network-ntp">
     <sect1info>
       <authorgroup>
 	<author>
 	  <firstname>Tom</firstname>
 	  <surname>Hukins</surname>
 	  <contrib>Contributed by </contrib>
 	</author>
       </authorgroup>
     </sect1info>
     <title>Clock Synchronization with NTP</title>
 
     <indexterm><primary>NTP</primary></indexterm>
 
     <sect2>
       <title>Overview</title>
 
       <para>Over time, a computer's clock is prone to drift.  The
 	Network Time Protocol (NTP) is one way to ensure your clock stays
 	accurate.</para>
 
       <para>Many Internet services rely on, or greatly benefit from,
 	computers' clocks being accurate.  For example, a web server
 	may receive requests to send a file if it has been modified since a
 	certain time.  In a local area network environment, it is
 	essential that computers sharing files from the same file
 	server have synchronized clocks so that file timestamps stay
 	consistent.  Services such as &man.cron.8; also rely on
 	an accurate system clock to run commands at the specified
 	times.</para>
 
       <indexterm>
 	<primary>NTP</primary>
 	<secondary>ntpd</secondary>
       </indexterm>
       <para>FreeBSD ships with the &man.ntpd.8; <acronym role="Network
 	Time Protocol">NTP</acronym> server which can be used to query
 	other <acronym role="Network Time Protocol">NTP</acronym>
 	servers to set the clock on your machine or provide time
 	services to others.</para>
     </sect2>
 
     <sect2>
       <title>Choosing Appropriate NTP Servers</title>
 
       <indexterm>
 	<primary>NTP</primary>
 	<secondary>choosing servers</secondary>
       </indexterm>
 
       <para>In order to synchronize your clock, you will need to find
 	one or more <acronym role="Network Time
 	Protocol">NTP</acronym> servers to use.  Your network
 	administrator or ISP may have set up an NTP server for this
 	purpose&mdash;check their documentation to see if this is the
 	case.  There is an <ulink
 	url="http://ntp.isc.org/bin/view/Servers/WebHome">online
 	list of publicly accessible NTP servers</ulink> which you can
 	use to find an NTP server near to you.  Make sure you are
 	aware of the policy for any servers you choose, and ask for
 	permission if required.</para>
 
       <para>Choosing several unconnected NTP servers is a good idea in
 	case one of the servers you are using becomes unreachable or
 	its clock is unreliable.  &man.ntpd.8; uses the responses it
 	receives from other servers intelligently&mdash;it will favor
 	unreliable servers less than reliable ones.</para>
     </sect2>
 
     <sect2>
       <title>Configuring Your Machine</title>
 
       <indexterm>
 	<primary>NTP</primary>
 	<secondary>configuration</secondary>
       </indexterm>
 
       <sect3>
 	<title>Basic Configuration</title>
 	<indexterm><primary>ntpdate</primary></indexterm>
 
 	<para>If you only wish to synchronize your clock when the
 	  machine boots up, you can use &man.ntpdate.8;.  This may be
 	  appropriate for some desktop machines which are frequently
 	  rebooted and only require infrequent synchronization, but
 	  most machines should run &man.ntpd.8;.</para>
 
 	<para>Using &man.ntpdate.8; at boot time is also a good idea
 	  for machines that run &man.ntpd.8;.  The &man.ntpd.8;
 	  program changes the clock gradually, whereas &man.ntpdate.8;
 	  sets the clock, no matter how great the difference between a
 	  machine's current clock setting and the correct time.</para>
 
 	<para>To enable &man.ntpdate.8; at boot time, add
 	  <literal>ntpdate_enable="YES"</literal> to
 	  <filename>/etc/rc.conf</filename>.  You will also need to
 	  specify all servers you wish to synchronize with and any
 	  flags to be passed to &man.ntpdate.8; in
 	  <varname>ntpdate_flags</varname>.</para>
       </sect3>
 
       <sect3>
 	<indexterm>
 	  <primary>NTP</primary>
 	  <secondary>ntp.conf</secondary>
 	</indexterm>
 
 	<title>General Configuration</title>
 
 	<para>NTP is configured by the
 	  <filename>/etc/ntp.conf</filename> file in the format
 	  described in &man.ntp.conf.5;.  Here is a simple
 	  example:</para>
 
 	<programlisting>server ntplocal.example.com prefer
 server timeserver.example.org
 server ntp2a.example.net
 
 driftfile /var/db/ntp.drift</programlisting>
 
 	<para>The <literal>server</literal> option specifies which
 	  servers are to be used, with one server listed on each line.
 	  If a server is specified with the <literal>prefer</literal>
 	  argument, as with <hostid
 	  role="fqdn">ntplocal.example.com</hostid>, that server is
 	  preferred over other servers.  A response from a preferred
 	  server will be discarded if it differs significantly from
 	  other servers' responses, otherwise it will be used without
 	  any consideration to other responses.  The
 	  <literal>prefer</literal> argument is normally used for NTP
 	  servers that are known to be highly accurate, such as those
 	  with special time monitoring hardware.</para>
 
 	<para>The <literal>driftfile</literal> option specifies which
 	  file is used to store the system clock's frequency offset.
 	  The &man.ntpd.8; program uses this to automatically
 	  compensate for the clock's natural drift, allowing it to
 	  maintain a reasonably correct setting even if it is cut off
 	  from all external time sources for a period of time.</para>
 
 	<para>The <literal>driftfile</literal> option specifies which
 	  file is used to store information about previous responses
 	  from the NTP servers you are using.  This file contains
 	  internal information for NTP.  It should not be modified by
 	  any other process.</para>
       </sect3>
 
       <sect3>
 	<title>Controlling Access to Your Server</title>
 
 	<para>By default, your NTP server will be accessible to all
 	  hosts on the Internet.  The <literal>restrict</literal>
 	  option in <filename>/etc/ntp.conf</filename> allows you to
 	  control which machines can access your server.</para>
 
 	<para>If you want to deny all machines from accessing your NTP
 	  server, add the following line to
 	  <filename>/etc/ntp.conf</filename>:</para>
 
         <programlisting>restrict default ignore</programlisting>
 
         <para>If you only want to allow machines within your own
 	  network to synchronize their clocks with your server, but
 	  ensure they are not allowed to configure the server or used
 	  as peers to synchronize against, add</para>
 
         <programlisting>restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap</programlisting>
 
 	<para>instead, where <hostid role="ipaddr">192.168.1.0</hostid> is
 	  an IP address on your network and <hostid
 	  role="netmask">255.255.255.0</hostid> is your network's
 	  netmask.</para>
 
 	<para><filename>/etc/ntp.conf</filename> can contain multiple
 	  <literal>restrict</literal> options.  For more details, see
 	  the <literal>Access Control Support</literal> subsection of
 	  &man.ntp.conf.5;.</para>
       </sect3>
     </sect2>
 
     <sect2>
       <title>Running the NTP Server</title>
 
       <para>To ensure the NTP server is started at boot time, add the
 	line <literal>xntpd_enable="YES"</literal> to
 	<filename>/etc/rc.conf</filename>.  If you wish to pass
 	additional flags to &man.ntpd.8;, edit the
 	<varname>xntpd_flags</varname> parameter in
 	<filename>/etc/rc.conf</filename>.</para>
 
       <para>To start the server without rebooting your machine, run
 	<command>ntpd</command> being sure to specify any additional
 	parameters from <varname>xntpd_flags</varname> in
 	<filename>/etc/rc.conf</filename>.  For example:</para>
 
       <screen>&prompt.root; <userinput>ntpd -p /var/run/ntpd.pid</userinput></screen>
 
       <note>
 	<para>Under &os;&nbsp;5.X, various options in
 	  <filename>/etc/rc.conf</filename> have been renamed.  Thus,
 	  you have to replace every instance of <literal>xntpd</literal>
 	  with <literal>ntpd</literal> in the options above.</para></note>
     </sect2>
 
     <sect2>
       <title>Using ntpd with a Temporary Internet
 	Connection</title>
 
       <para>The &man.ntpd.8; program does not need a permanent
 	connection to the Internet to function properly.  However, if
 	you have a temporary connection that is configured to dial out
 	on demand, it is a good idea to prevent NTP traffic from
 	triggering a dial out or keeping the connection alive.  If you
 	are using user PPP, you can use <literal>filter</literal>
 	directives in <filename>/etc/ppp/ppp.conf</filename>.  For
 	example:</para>
 
       <programlisting> set filter dial 0 deny udp src eq 123
  # Prevent NTP traffic from initiating dial out
  set filter dial 1 permit 0 0
  set filter alive 0 deny udp src eq 123
  # Prevent incoming NTP traffic from keeping the connection open
  set filter alive 1 deny udp dst eq 123
  # Prevent outgoing NTP traffic from keeping the connection open
  set filter alive 2 permit 0/0 0/0</programlisting>
 
       <para>For more details see the <literal>PACKET
 	FILTERING</literal> section in &man.ppp.8; and the examples in
 	<filename>/usr/share/examples/ppp/</filename>.</para>
 
       <note>
 	<para>Some Internet access providers block low-numbered ports,
 	  preventing NTP from functioning since replies never
 	  reach your machine.</para>
       </note>
     </sect2>
 
     <sect2>
       <title>Further Information</title>
 
       <para>Documentation for the NTP server can be found in
 	<filename>/usr/share/doc/ntp/</filename> in HTML
 	format.</para>
     </sect2>
   </sect1>
 
 </chapter>
 
 <!--
      Local Variables:
      mode: sgml
      sgml-declaration: "../chapter.decl"
      sgml-indent-data: t
      sgml-omittag: nil
      sgml-always-quote-attributes: t
      sgml-parent-document: ("../book.sgml" "part" "chapter")
      End:
 -->
 <!--  LocalWords:  config mnt www -->
diff --git a/en_US.ISO8859-1/books/handbook/ports/chapter.sgml b/en_US.ISO8859-1/books/handbook/ports/chapter.sgml
index 3b4ed08b19..d681942e68 100644
--- a/en_US.ISO8859-1/books/handbook/ports/chapter.sgml
+++ b/en_US.ISO8859-1/books/handbook/ports/chapter.sgml
@@ -1,1312 +1,1312 @@
 <!--
      The FreeBSD Documentation Project
 
      $FreeBSD$
 -->
 
 <chapter id="ports">
   <title>Installing Applications: Packages and Ports</title>
 
   <sect1 id="ports-synopsis">
     <title>Synopsis</title>
 
     <indexterm><primary>ports</primary></indexterm>
     <indexterm><primary>packages</primary></indexterm>
     <para>FreeBSD is bundled with a rich collection of system tools as
       part of the base system.  However, there is only so much one can
       do before needing to install an additional third-party
       application to get real work done.  FreeBSD provides two
       complementary technologies for installing third party software
       on your system: the FreeBSD Ports Collection, and binary
       software packages.  Either system may be used to install the
       newest version of your favorite applications from local media or
       straight off the network.</para>
 
     <para>After reading this chapter, you will know:</para>
 
     <itemizedlist>
       <listitem>
 	<para>How to install third-party binary software packages.</para>
       </listitem>
       <listitem>
 	<para>How to build third-party software from the ports
 	collection.</para>
       </listitem>
       <listitem>
 	<para>How to remove previously installed packages or ports.</para>
       </listitem>
       <listitem>
 	<para>How to override the default values that the ports
 	  collection uses.</para>
       </listitem>
       <listitem>
 	<para>How to find the appropriate software package.</para>
       </listitem>
       <listitem>
 	<para>How to upgrade your ports.</para>
       </listitem>
     </itemizedlist>
   </sect1>
 
   <sect1 id="ports-overview">
     <title>Overview of Software Installation</title>
 
     <para>If you have used a &unix; system before you will know that
       the typical procedure for installing third party software goes
       something like this:</para>
 
     <procedure>
       <step>
 	<para>Download the software, which might be distributed in
 	  source code format, or as a binary.</para>
       </step>
 
       <step>
 	<para>Unpack the software from its distribution format
 	  (typically a tarball compressed with &man.compress.1;,
 	  &man.gzip.1;, or &man.bzip2.1;).</para>
       </step>
 
       <step>
 	<para>Locate the documentation (perhaps an
 	  <filename>INSTALL</filename> or <filename>README</filename>
 	  file, or some files in a <filename>doc/</filename>
 	  subdirectory) and read up on how to install the
 	  software.</para>
       </step>
 
       <step>
 	<para>If the software was distributed in source format,
 	  compile it.  This may involve editing a
 	  <filename>Makefile</filename>, or running a
 	  <command>configure</command> script, and other work.</para>
       </step>
 
       <step>
 	<para>Test and install the software.</para>
       </step>
     </procedure>
 
     <para>And that is only if everything goes well.  If you are
       installing a software package that was not deliberately ported
       to FreeBSD you may even have to go in and edit the code to make
       it work properly.</para>
 
     <para>Should you want to, you can continue to install software the
       <quote>traditional</quote> way with FreeBSD.  However, FreeBSD
       provides two technologies which can save you a lot of effort:
       packages and ports.  At the time of writing, over &os.numports;
       third party applications have been made available in this
       way.</para>
 
     <para>For any given application, the FreeBSD package for that
       application is a single file which you must download.  The
       package contains pre-compiled copies of all the commands for the
       application, as well as any configuration files or
       documentation.  A downloaded package file can be manipulated
       with FreeBSD package management commands, such as
       &man.pkg.add.1;, &man.pkg.delete.1;, &man.pkg.info.1;, and so
       on.  Installing a new application can be carried out with a
       single command.</para>
 
     <para>A FreeBSD port for an application is a collection of files
       designed to automate the process of compiling an application
       from source code.</para>
 
     <para>Remember that there are a number of steps you would normally
       carry out if you compiled a program yourself (downloading,
       unpacking, patching, compiling, installing).  The files that
       make up a port contain all the necessary information to allow
       the system to do this for you.  You run a handful of simple
       commands and the source code for the application is
       automatically downloaded, extracted, patched, compiled, and
       installed for you.</para>
 
     <para>In fact, the ports system can also be used to generate packages
       which can later be manipulated with <command>pkg_add</command>
       and the other package management commands that will be introduced
       shortly.</para>
 
     <para>Both packages and ports understand
       <emphasis>dependencies</emphasis>.  Suppose you want to install
       an application that depends on a specific library being
       installed.  Both the application and the library have been made
       available as FreeBSD ports and packages.  If you use the
       <command>pkg_add</command> command or the ports system to add
       the application, both will notice that the library has not been
       installed, and automatically install the library first.</para>
 
     <para>Given that the two technologies are quite similar, you might
       be wondering why FreeBSD bothers with both.  Packages and ports
       both have their own strengths, and which one you use will depend
       on your own preference.</para>
 
     <itemizedlist>
       <title>Package Benefits</title>
       
       <listitem>
 	<para>A compressed package tarball is typically smaller than
 	  the compressed tarball containing the source code for the
 	  application.</para>
       </listitem>
 
       <listitem>
 	<para>Packages do not require any additional compilation.  For
 	  large applications, such as
 	  <application>Mozilla</application>,
 	  <application>KDE</application>, or
 	  <application>GNOME</application> this can be important,
 	  particularly if you are on a slow system.</para>
       </listitem>
 
       <listitem>
 	<para>Packages do not require any understanding of the process
 	  involved in compiling software on FreeBSD.</para>
       </listitem>
     </itemizedlist>
 
     <itemizedlist>
       <title>Ports Benefits</title>
       
       <listitem>
 	<para>Packages are normally compiled with conservative options,
 	  because they have to run on the maximum number of systems.  By
 	  installing from the port, you can tweak the compilation options to
 	  (for example) generate code that is specific to a Pentium
 	  IV or Athlon processor.</para>
       </listitem>
 
       <listitem>
 	<para>Some applications have compile time options relating to
 	  what they can and cannot do.  For example,
 	  <application>Apache</application> can be configured with a
 	  wide variety of different built-in options.  By building
 	  from the port you do not have to accept the default options,
 	  and can set them yourself.</para>
 
 	<para>In some cases, multiple packages will exist for the same
 	  application to specify certain settings.  For example,
 	  <application>Ghostscript</application> is available as a
 	  <filename>ghostscript</filename> package and a
 	  <filename>ghostscript-nox11</filename> package, depending on
 	  whether or not you have installed an X11 server.  This sort
 	  of rough tweaking is possible with packages, but rapidly
 	  becomes impossible if an application has more than one or
 	  two different compile time options.</para>
       </listitem>
 
       <listitem>
 	<para>The licensing conditions of some software distributions forbid
 	  binary distribution.  They must be distributed as source
 	  code.</para>
       </listitem>
 
       <listitem>
 	<para>Some people do not trust binary distributions.  At least
 	  with source code, you can (in theory) read through it and
 	  look for potential problems yourself.</para>
       </listitem>
 
       <listitem>
 	<para>If you have local patches, you will need the source in order to
 	  apply them.</para>
       </listitem>
 
       <listitem>
 	<para>Some people like having code around, so they can read it
 	  if they get bored, hack it, borrow from it (license
 	  permitting, of course), and so on.</para>
       </listitem>
     </itemizedlist>
 
     <para>To keep track of updated ports, subscribe to the
       &a.ports; and the &a.ports-bugs;.</para>
 
     <warning>
       <para>Before installing any application, you should check <ulink
 	url="http://vuxml.freebsd.org/"></ulink> for security issues
 	related to your application.</para>
 
       <para>You can also install <filename
 	role="package">security/portaudit</filename> which will
 	automatically check all installed applications for known
 	vulnerabilities; a check will be also performed before any port
 	build.  Meanwhile, you can use the command <command>portaudit
 	-F -a</command> after you have installed some
 	packages.</para>
     </warning>
 
     <para>The remainder of this chapter will explain how to use
       packages and ports to install and manage third party software on
       FreeBSD.</para>
   </sect1>
 
   <sect1 id="ports-finding-applications">
     <title>Finding Your Application</title>
 
     <para>Before you can install any applications you need to know what you
       want, and what the application is called.</para>
 
     <para>FreeBSD's list of available applications is growing all the
       time.  Fortunately, there are a number of ways to find what you
       want:</para>
 
     <itemizedlist>
       <listitem>
 	<para>The FreeBSD web site maintains an up-to-date searchable
 	  list of all the available applications, at <ulink
 	  url="&url.base;/ports/index.html">http://www.FreeBSD.org/ports/</ulink>.
 	  The ports are divided into categories, and you may either
 	  search for an application by name (if you know it), or see
 	  all the applications available in a category.</para>
       </listitem>
 
       <indexterm><primary>FreshPorts</primary></indexterm>
 
       <listitem>
 	<para>Dan Langille maintains FreshPorts, at <ulink
 	  url="http://www.FreshPorts.org/"></ulink>.  FreshPorts
 	  tracks changes to the applications in the ports tree as they
 	  happen, allows you to <quote>watch</quote> one or more
 	  ports, and can send you email when they are updated.</para>
       </listitem>
 
       <indexterm><primary>FreshMeat</primary></indexterm>
 
       <listitem>
 	<para>If you do not know the name of the application you want,
 	  try using a site like FreshMeat (<ulink
 	  url="http://www.freshmeat.net/"></ulink>) to find an
 	  application, then check back at the FreeBSD site to see if
 	  the application has been ported yet.</para>
       </listitem>
 
       <listitem>
 	<para>If you know the exact name of the port, but just need to
         find out which category it is in, you can use the
         &man.whereis.1; command.
 	Simply type <command>whereis
         <replaceable>file</replaceable></command>, where
         <replaceable>file</replaceable> is the program you want to
         install.  If it is found on your system, you will be told
         where it is, as follows:</para>
 
       <screen>&prompt.root; <userinput>whereis lsof</userinput>
 lsof: /usr/ports/sysutils/lsof</screen>
 
       <para>This tells us that <command>lsof</command> (a system
 	utility) can be found in the
 	<filename>/usr/ports/sysutils/lsof</filename>
 	directory.</para></listitem>
 
       <listitem>
 	<para>Yet another way to find a particular port is by using the
         ports collection's built-in search mechanism.  To use the
         search feature, you will need to be in the
         <filename>/usr/ports</filename> directory.  Once in that
         directory, run <command>make search
         name=<replaceable>program-name</replaceable></command> where
         <replaceable>program-name</replaceable> is the name of the
         program you want to find.  For example, if you were looking
         for <command>lsof</command>:</para>
 
       <screen>&prompt.root; <userinput>cd /usr/ports</userinput>
 &prompt.root; <userinput>make search name=lsof</userinput>
 Port:   lsof-4.56.4
 Path:   /usr/ports/sysutils/lsof
 Info:   Lists information about open files (similar to fstat(1))
 Maint:  obrien@FreeBSD.org
 Index:  sysutils
 B-deps: 
 R-deps: </screen>
 
       <para>The part of the output you want to pay particular
         attention to is the <quote>Path:</quote> line, since that
         tells you where to find the port.  The other information
         provided is not needed in order to install the port, so it
         will not be covered here.</para>
 
       <para>For more in-depth searching you can also use <command>make
        search key=<replaceable>string</replaceable></command> where
        <replaceable>string</replaceable> is some text to search for.
        This searches port names, comments, descriptions and
        dependencies and can be used to find ports which relate to a
        particular subject if you don't know the name of the program
        you are looking for.</para>
 
       <para>In both of these cases, the search string is case-insensitive.
        Searching for <quote>LSOF</quote> will yield the same results as 
        searching for <quote>lsof</quote>.</para>
       </listitem>
 
     </itemizedlist>
   </sect1>
 
   <sect1 id="packages-using">
     <sect1info>    
       <authorgroup>
         <author>
           <firstname>Chern</firstname>
 	  <surname>Lee</surname>
 	  <contrib>Contributed by </contrib>
         </author>
       </authorgroup>
     <!-- 30 Mar 2001 -->
     </sect1info>
 
     <title>Using the Packages System</title>
 
     <sect2>
       <title>Installing a Package</title>
       <indexterm>
         <primary>packages</primary>
         <secondary>installing</secondary>
       </indexterm>
     
       <indexterm>
         <primary><command>pkg_add</command></primary>
       </indexterm>
       <para>You can use the &man.pkg.add.1; utility to install a
 	FreeBSD software package from a local file or from a server on
 	the network.</para>
 
       <example>
         <title>Downloading a Package Manually and Installing It Locally</title>
 
         <screen>&prompt.root; <userinput>ftp -a <replaceable>ftp2.FreeBSD.org</replaceable></userinput>
 Connected to ftp2.FreeBSD.org.
 220 ftp2.FreeBSD.org FTP server (Version 6.00LS) ready.
 331 Guest login ok, send your email address as password.
 230-
 230-     This machine is in Vienna, VA, USA, hosted by Verio.
 230-         Questions? E-mail freebsd@vienna.verio.net.
 230-
 230-
 230 Guest login ok, access restrictions apply.
 Remote system type is UNIX.
 Using binary mode to transfer files.
 <prompt>ftp></prompt> <userinput>cd /pub/FreeBSD/ports/packages/sysutils/</userinput>
 250 CWD command successful.
 <prompt>ftp></prompt> <userinput>get lsof-4.56.4.tgz</userinput>
 local: lsof-4.56.4.tgz remote: lsof-4.56.4.tgz
 200 PORT command successful.
 150 Opening BINARY mode data connection for 'lsof-4.56.4.tgz' (92375 bytes).
 100% |**************************************************| 92375       00:00 ETA
 226 Transfer complete.
 92375 bytes received in 5.60 seconds (16.11 KB/s)
 <prompt>ftp></prompt> <userinput>exit</userinput>
 &prompt.root; <userinput>pkg_add <replaceable>lsof-4.56.4.tgz</replaceable></userinput></screen>
       </example>
 
       <para>If you do not have a source of local packages (such as a
         FreeBSD CD-ROM set) then it will probably be easier to use the
         <option>-r</option> option to &man.pkg.add.1;.  This will
         cause the utility to automatically determine the correct
         object format and release and then fetch and install the
         package from an FTP site.
       </para>
 
       <indexterm>
         <primary><command>pkg_add</command></primary></indexterm>
       <screen>&prompt.root; <userinput>pkg_add -r <replaceable>lsof</replaceable></userinput></screen>
 
       <para>The example above would download the correct package and
 	add it without any further user intervention.
 	If you want to specify an alternative &os; Packages Mirror,
 	instead of the main distribution site, you have to set
 	<envar>PACKAGESITE</envar> accordingly, to
 	override the default settings.  &man.pkg.add.1;
 	uses &man.fetch.3; to download the files, which honors various
 	environment variables, including
 	<envar>FTP_PASSIVE_MODE</envar>, <envar>FTP_PROXY</envar>, and
 	<envar>FTP_PASSWORD</envar>.  You may need to set one or more
 	of these if you are behind a firewall, or need to use an
 	FTP/HTTP proxy.  See &man.fetch.3; for the complete list.
 	Note that in the example above
 	<literal>lsof</literal> is used instead of
 	<literal>lsof-4.56.4</literal>.  When the remote fetching
 	feature is used, the version number of the package must be
 	removed.  &man.pkg.add.1; will automatically fetch the latest
 	version of the application.</para>
 
       <note>
 	<para>&man.pkg.add.1; will download the latest version of
 	  your application if you are using &os.current; or
 	  &os.stable;.  If you run a -RELEASE version, it will grab
 	  the version of the package that was built with your
 	  release.  It is possible to change this behavior by
 	  overriding the <envar>PACKAGESITE</envar> environment
 	  variable.</para>
       </note>
 
       <para>Package files are distributed in <filename>.tgz</filename>
           and <filename>.tbz</filename> formats.  You can find them at <ulink
           url="ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/packages/"></ulink>,
           or on the FreeBSD CD-ROM distribution.  Every CD on the
           FreeBSD 4-CD set (and the PowerPak, etc.) contains packages
           in the <filename>/packages</filename> directory.  The layout
           of the packages is similar to that of the
           <filename>/usr/ports</filename> tree.  Each category has its
           own directory, and every package can be found within the
           <filename>All</filename> directory.
       </para>
 
       <para>The directory structure of the package system matches the
         ports layout; they work with each other to form the entire
         package/port system.
       </para>
 
     </sect2>
 
     <sect2>
       <title>Managing Packages</title>
 
       <indexterm>
         <primary>packages</primary>
         <secondary>managing</secondary>
       </indexterm>
       <para>&man.pkg.info.1; is a utility that lists and describes 
         the various packages installed.
       </para>
 
       <indexterm>
         <primary><command>pkg_info</command></primary>
       </indexterm>
       <screen>&prompt.root; <userinput>pkg_info</userinput>
 cvsup-16.1          A general network file distribution system optimized for CV
 docbook-1.2         Meta-port for the different versions of the DocBook DTD
 ...</screen>
       <para>&man.pkg.version.1; is a utility that summarizes the
         versions of all installed packages.  It compares the package 
         version to the current version found in the ports tree.
       </para> 
       <indexterm>
         <primary><command>pkg_version</command></primary>
       </indexterm>
         <screen>&prompt.root; <userinput>pkg_version</userinput>
 cvsup                       =
 docbook                     =
 ...</screen>
 
       <para>The symbols in the second column indicate the relative age
         of the installed version and the version available in the
         local ports tree.</para>
 
-      <informaltable frame="none">
+      <informaltable frame="none" pgwide="1">
         <tgroup cols="2">
 	  <thead>
             <row>
               <entry>Symbol</entry>
               <entry>Meaning</entry>
             </row>
           </thead>
 
  	  <tbody>
   	    <row>
 	    <entry>=</entry> <entry>The version of the
 	    installed package matches the one found in the
 	    local ports tree.</entry>
   	    </row>
  
         <row><entry>&lt;</entry>
 	<entry>The installed version is older than the one available
 	in the ports tree.</entry>
 	</row>
 
         <row><entry>&gt;</entry><entry>The installed version is newer
           than the one found in the local ports tree. (The local ports
           tree is probably out of date.)</entry></row>
 
         <row><entry>?</entry><entry>The installed package cannot be
 	  found in the ports index.  (This can happen, for instance, if an
 	  installed port is removed from the ports collection or
 	  renamed.)</entry></row>
 
         <row><entry>*</entry><entry>There are multiple versions of the
         package.</entry></row>
 
 	</tbody>
 	</tgroup>
     </informaltable>
     </sect2>
 
     <sect2>
       <title>Deleting a Package</title>
       <indexterm>
         <primary><command>pkg_delete</command></primary>
       </indexterm>
       <indexterm>
         <primary>packages</primary>
         <secondary>deleting</secondary>
       </indexterm>
       <para>To remove a previously installed software package, use the
 	&man.pkg.delete.1; utility.
       </para>
 
       <screen>&prompt.root; <userinput>pkg_delete <replaceable>xchat-1.7.1</replaceable></userinput></screen>
     </sect2>
 
     <sect2>
       <title>Miscellaneous</title>
       <para>All package information is stored within the 
         <filename>/var/db/pkg</filename> directory.  The installed
 	file list and descriptions of each package can be found within 
         files in this directory.
       </para>
     </sect2>
   </sect1>
   
   <sect1 id="ports-using">
     <title>Using the Ports Collection</title>
 
     <para>The following sections provide basic instructions on using the
       ports collection to install or remove programs from your
       system.</para>
 
     <sect2 id="ports-tree">
       <title>Obtaining the Ports Collection</title>
 
       <para>Before you can install ports, you must first obtain the
 	ports collection&mdash;which is essentially a set of
 	<filename>Makefiles</filename>, patches, and description files
 	placed in <filename>/usr/ports</filename>.
       </para>
 
       <para>When installing your FreeBSD system,
 	<application>sysinstall</application> asked if you would like
 	to install the ports collection.  If you chose no, you can
 	follow these instructions to obtain the ports
 	collection:</para>
 
       <procedure>
 	<title>Sysinstall Method</title>
 
 	<para>This method involves using
 	  <application>sysinstall</application> again to manually
 	  install the ports collection.</para>
 
 	<step>
 	  <para>As <username>root</username>, run
 	    <command>/stand/sysinstall</command> as shown
 	    below:</para>
 
 	  <screen>&prompt.root; <userinput>/stand/sysinstall</userinput></screen>
 	</step>
 
 	<step>
 	  <para>Scroll down and select <guimenuitem>Configure</guimenuitem>,
 	    press <keycap>Enter</keycap>.</para>
 	</step>
 
 	<step>
 	  <para>Scroll down and select
 	    <guimenuitem>Distributions</guimenuitem>, press
 	    <keycap>Enter</keycap>.</para>
 	</step>
 
 	<step>
 	  <para>Scroll down to <guimenuitem>ports</guimenuitem>, press
 	    <keycap>Space</keycap>.</para>
 	</step>
 
 	<step>
 	  <para>Scroll up to <guimenuitem>Exit</guimenuitem>, press
 	    <keycap>Enter</keycap>.</para>
 	</step>
 
 	<step>
 	  <para>Select your desired installation media, such as CDROM,
 	    FTP, and so on.</para>
 	</step>
 
 	<step>
 	  <para>Scroll up to <guimenuitem>Exit</guimenuitem> and press
 	    <keycap>Enter</keycap>.</para>
 	</step>
 
 	<step>
 	  <para>Press <keycap>X</keycap> to exit
 	    <application>sysinstall</application>.</para>
 	</step>
       </procedure>
 
       <para>The alternative method to obtain and keep your ports
 	collection up to date is by using
 	<application>CVSup</application>.  Look at the ports
 	<application>CVSup</application> file,
 	<filename>/usr/share/examples/cvsup/ports-supfile</filename>.
 	See <link linkend="cvsup">Using CVSup</link> (<xref
 	  linkend="cvsup">) for more information on using
 	<application>CVSup</application> and this file.</para>
 
       <procedure>
 	<title>CVSup Method</title>
 
 	<para>This is a quick method for getting the ports collection
 	  using <application>CVSup</application>.  If you want to keep
 	  your ports tree up to date, or learn more about
 	  <application>CVSup</application>, read the previously
 	  mentioned sections.</para>
 
 	<step>
 	  <para>Install the <filename
 	      role="package">net/cvsup</filename> port.  See <link
 	      linkend="cvsup-install">CVSup Installation</link> (<xref
 	      linkend="cvsup-install">) for more details.</para>
 	</step>
 
 	<step>
 	  <para>As <username>root</username>, copy
 	    <filename>/usr/share/examples/cvsup/ports-supfile</filename>
 	    to a new location, such as <filename>/root</filename> or your
 	      home directory.</para>
 	</step>
 
 	<step>
 	  <para>Edit <filename>ports-supfile</filename>.</para>
 	</step>
 
 	<step>
 	  <para>Change
 	    <replaceable>CHANGE_THIS.FreeBSD.org</replaceable> to a
 	    <application>CVSup</application> server near you.  See
 	    <link linkend="cvsup-mirrors">CVSup Mirrors</link> (<xref
 	    linkend="cvsup-mirrors">) for a complete listing of mirror
 	    sites.</para>
 	</step>
 
 	<step>
 	  <para>Run <command>cvsup</command>:</para>
 
 	  <screen>&prompt.root; <userinput>cvsup -g -L 2 <replaceable>/root/ports-supfile</replaceable></userinput></screen>
 	</step>
 
 	<step>
 	  <para>Running this command later will download and apply all
 	    the recent changes to your ports collection, except
 	    actually rebuilding the ports for your own system.</para>
 	</step>
       </procedure>
     </sect2>
 
     <sect2 id="ports-skeleton">
       <title>Installing Ports</title>
 
       <indexterm>
         <primary>ports</primary>
         <secondary>installing</secondary>
       </indexterm>
       <para>The first thing that should be explained when it comes to
         the ports collection is what is actually meant by a
         <quote>skeleton</quote>.  In a nutshell, a port skeleton is a
         minimal set of files that tell your FreeBSD system how to
         cleanly compile and install a program.  Each port skeleton
         includes:</para>
 
       <itemizedlist>
 	<listitem>
 	  <para>A <filename>Makefile</filename>.  The
 	    <filename>Makefile</filename> contains various statements
 	    that specify how the application should be compiled and
 	    where it should be installed on your system.</para>
 	</listitem>
 
 	<listitem>
 	  <para>A <filename>distinfo</filename> file.  This file
 	    contains information about the files that must be
 	    downloaded to build the port and their checksums, to
 	    verify that files have not been corrupted during the
 	    download using &man.md5.1;.</para>
 	</listitem>
 	
 	<listitem>
 	  <para>A <filename>files</filename> directory.  This
 	    directory contains patches to make the program compile and
 	    install on your FreeBSD system.  Patches are basically
 	    small files that specify changes to particular files.
 	    They are in plain text format, and basically say
 	    <quote>Remove line 10</quote> or <quote>Change line 26 to
 	    this ...</quote>.  Patches are also known as
 	    <quote>diffs</quote> because they are generated by the
 	    &man.diff.1; program.</para>
 
 	  <para>This directory may also contain other files used to build
 	    the port.</para>
 	</listitem>
 
 	<listitem>
 	  <para>A <filename>pkg-descr</filename> file.  This is a more
 	    detailed, often multiple-line, description of the program.</para>
 	</listitem>
 	
 	<listitem>
 	  <para>A <filename>pkg-plist</filename> file.  This is a list
 	    of all the files that will be installed by the port.  It
 	    also tells the ports system what files to remove upon
 	    deinstallation.</para>
 	</listitem>
       </itemizedlist>
 
       <para>Some ports have other files, such as
         <filename>pkg-message</filename>.  The ports system uses these
         files to handle special situations.  If you want more details
         on these files, and on ports in general, check out the <ulink
         url="&url.books.porters-handbook;/index.html">FreeBSD Porter's
         Handbook</ulink>.</para>
 
       <para>The port includes instructions on how to build source
         code, but does not include the actual source code.  You can
         get the source code from a CD-ROM or from the Internet.
         Source code is distributed in whatever manner the software
         author desires.  Frequently this is a tarred and gzipped file,
         but it might be compressed with some other tool or even
         uncompressed.  The program source code, whatever form it comes
         in, is called a <quote>distfile</quote>.  The two methods for
         installing a &os; port are described below.</para>
 
       <note>
         <para>You must be logged in as <username>root</username> to
           install ports.</para>
       </note>
 
       <warning>
 	<para>Before installing any port, you should be sure to have
 	  an up-to-date ports collection and you should check <ulink
 	  url="http://vuxml.freebsd.org/"></ulink> for security issues
 	  related to your port.</para>
 
 	<para>A security vulnerabilities check can be automatically
 	  done by <application>portaudit</application> before any new
 	  application installation.  This tool can be found in the
 	  ports collection (<filename
 	  role="package">security/portaudit</filename>).  Consider
 	  running <command>portaudit -F</command> before installing a
 	  new port, to fetch the current vulnerabilities database.  A
 	  security audit and an update of the database will be
 	  performed during the daily security system check.  For more
 	  informations read the &man.portaudit.1; and &man.periodic.8;
 	  manual pages.</para>
       </warning>
 
       <sect3 id="ports-cd">
         <title>Installing Ports from a CD-ROM</title>
 
         <indexterm>
           <primary>ports</primary>
           <secondary>installing from CD-ROM</secondary>
         </indexterm>
         <para>The FreeBSD Project's official CD-ROM images no longer
 	  include distfiles.  They take up a lot of room that is
 	  better used for precompiled packages.  CD-ROM products such as
 	  the FreeBSD PowerPak do include distfiles, and you can
 	  order these sets from a vendor such as the <ulink
 	  url="http://www.freebsdmall.com/">FreeBSD Mall</ulink>.
 	  This section assumes you have such a FreeBSD CD-ROM
 	  set.</para>
 
         <para>Place your FreeBSD CD-ROM in the drive.  Mount it on
 	  <filename>/cdrom</filename>.  (If you use a different mount
 	  point, the install will not work.)  To begin, change to the
 	  directory for the port you want to install:</para>
 
         <screen>&prompt.root; <userinput>cd /usr/ports/sysutils/lsof</userinput></screen>
 
         <para>Once inside the <filename>lsof</filename> directory, you
 	  will see the port skeleton.  The next step is to compile, or
 	  <quote>build</quote>, the port.  This is done by simply
 	  typing <command>make</command> at the prompt.  Once you have
 	  done so, you should see something like this:</para>
 
         <screen>&prompt.root; <userinput>make</userinput>
 &gt;&gt; lsof_4.57D.freebsd.tar.gz doesn't seem to exist in /usr/ports/distfiles/.
 &gt;&gt; Attempting to fetch from file:/cdrom/ports/distfiles/.
 ===&gt;  Extracting for lsof-4.57
 ...
 [extraction output snipped]
 ...
 &gt;&gt; Checksum OK for lsof_4.57D.freebsd.tar.gz.
 ===&gt;  Patching for lsof-4.57
 ===&gt;  Applying FreeBSD patches for lsof-4.57
 ===&gt;  Configuring for lsof-4.57
 ...
 [configure output snipped]
 ...
 ===&gt;  Building for lsof-4.57
 ...
 [compilation output snipped]
 ...
 &prompt.root;</screen>
 
         <para>Notice that once the compile is complete you are
 	  returned to your prompt.  The next step is to install the
 	  port.  In order to install it, you simply need to tack one word
 	  onto the <command>make</command> command, and that word is
 	  <command>install</command>:</para>
 
         <screen>&prompt.root; <userinput>make install</userinput>
 ===&gt;  Installing for lsof-4.57
 ...
 [installation output snipped]
 ...
 ===&gt;   Generating temporary packing list
 ===&gt;   Compressing manual pages for lsof-4.57
 ===&gt;   Registering installation for lsof-4.57
 ===&gt;  SECURITY NOTE: 
       This port has installed the following binaries which execute with
       increased privileges.
 &prompt.root;</screen>
 
         <para>Once you are returned to your prompt, you should be able to
           run the application you just installed.  Since 
 	  <command>lsof</command> is a
 	  program that runs with increased privileges, a security
 	  warning is shown.  During the building and installation of
 	  ports, you should take heed of any other warnings that
 	  may appear.</para>
 
         <note>
           <para>You can save an extra step by just running <command>make
             install</command> instead of <command>make</command> and
 	    <command>make install</command> as two separate steps.</para>
 	</note>
 
 	<note>
 	  <para>Some shells keep a cache of the commands that are
 	    available in the directories listed in the
 	    <envar>PATH</envar> environment variable, to speed up
 	    lookup operations for the executable file of these
 	    commands.  If you are using one of these shells, you might
 	    have to use the <command>rehash</command> command after
 	    installing a port, before the newly installed commands can
 	    be used.  This is true for both shells that are part of
 	    the base-system (such as <command>tcsh</command>) and
 	    shells that are available as ports (for instance,
 	    <filename role="package">shells/zsh</filename>).</para>
 	</note>
 
         <note>
           <para>Please be aware that the licenses of a few ports do
             not allow for inclusion on the CD-ROM.  This could be
             because a registration form needs to be filled out before
             downloading or redistribution is not allowed, or for
             another reason.  If you wish to install a port not
             included on the CD-ROM, you will need to be online in
             order to do so (see the <link linkend="ports-inet">next
             section</link>).</para>
 	</note>
       </sect3>
 
       <sect3 id="ports-inet">
       <title>Installing Ports from the Internet</title>
 
         <para>As with the last section, this section makes an
           assumption that you have a working Internet connection.  If
           you do not, you will need to perform the <link
           linkend="ports-cd">CD-ROM installation</link>, or put a copy
           of the distfile into
           <filename>/usr/ports/distfiles</filename> manually.</para>
 
         <para>Installing a port from the Internet is done exactly the
 	  same way as it would be if you were installing from a
 	  CD-ROM.  The only difference between the two is that the
 	  distfile is downloaded from the Internet instead of read
 	  from the CD-ROM.</para>
 
         <para>The steps involved are identical:</para>
 
         <screen>&prompt.root; <userinput>make install</userinput>
 &gt;&gt; lsof_4.57D.freebsd.tar.gz doesn't seem to exist in /usr/ports/distfiles/.
 &gt;&gt; Attempting to fetch from ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/distfiles/.
 Receiving lsof_4.57D.freebsd.tar.gz (439860 bytes): 100%
 439860 bytes transferred in 18.0 seconds (23.90 kBps)
 ===&gt;  Extracting for lsof-4.57
 ...
 [extraction output snipped]
 ...
 &gt;&gt; Checksum OK for lsof_4.57D.freebsd.tar.gz.
 ===&gt;  Patching for lsof-4.57
 ===&gt;  Applying FreeBSD patches for lsof-4.57
 ===&gt;  Configuring for lsof-4.57
 ...
 [configure output snipped]
 ...
 ===&gt;  Building for lsof-4.57
 ...
 [compilation output snipped]
 ...
 ===&gt;  Installing for lsof-4.57
 ...
 [installation output snipped]
 ...
 ===&gt;   Generating temporary packing list
 ===&gt;   Compressing manual pages for lsof-4.57
 ===&gt;   Registering installation for lsof-4.57
 ===&gt;  SECURITY NOTE: 
       This port has installed the following binaries which execute with
       increased privileges.
 &prompt.root;</screen>
 
         <para>As you can see, the only difference is the line that tells
 	  you where the system is fetching the port distfile from.</para>
 
 	<para>The ports system uses &man.fetch.1; to download the
 	  files, which honors various environment variables, including
 	  <envar>FTP_PASSIVE_MODE</envar>, <envar>FTP_PROXY</envar>,
 	  and <envar>FTP_PASSWORD</envar>.  You may need to set one or
 	  more of these if you are behind a firewall, or need to use
 	  an FTP/HTTP proxy.  See &man.fetch.3; for the complete
 	  list.</para>
 
 	<para>For users which cannot be connected all the time, the
 	  <command>make <maketarget>fetch</maketarget></command> option is
 	  provided.  Just run this command at the top level directory
 	  (<filename>/usr/ports</filename>) and the required files
 	  will be downloaded for you.  This command will also work in
 	  the lower level categories, for example:
 	  <filename>/usr/ports/net</filename>.
 	  Note that if a port depends on libraries or other ports this will
 	  <emphasis>not</emphasis> fetch the distfiles of those ports too.
 	  Replace <maketarget>fetch</maketarget> with
 	  <maketarget>fetch-recursive</maketarget>
 	  if you want to fetch all the dependencies of a port too.</para>
 
 	<note><para>You can build all the ports in a category or as a
 	  whole by running <command>make</command> in the top level
 	  directory, just like the aforementioned <command>make
 	  <makevar>fetch</makevar></command> method.  This is
 	  dangerous, however, as some ports cannot co-exist.  In other
 	  cases, some ports can install two different files with the
 	  same filename.</para></note>
 
 	<para>In some rare cases, users may need to acquire the
 	  tarballs from a site other than the
 	  <makevar>MASTER_SITES</makevar> (the location where files
 	  are downloaded from).  You can override the
 	  <makevar>MASTER_SITES</makevar> option with the following
 	  command:</para>
 
 	<screen>&prompt.root; <userinput>cd /usr/ports/<replaceable>directory</replaceable></userinput>
 &prompt.root; <userinput>make MASTER_SITE_OVERRIDE= \
 ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/distfiles/ fetch</userinput></screen>
 
 	<para>In this example we change the
 	  <makevar>MASTER_SITES</makevar> option to <hostid
 	  role="fqdn">ftp.FreeBSD.org/pub/FreeBSD/ports/distfiles/</hostid>.</para>
 
 	<note><para>Some ports allow (or even require) you to provide
 	  build options which can enable/disable parts of the
 	  application which are unneeded, certain security options,
 	  and other customizations.  A few which come to mind are
 	  <filename role="package">www/mozilla</filename>, <filename
 	  role="package">security/gpgme</filename>, and <filename
 	  role="package">mail/sylpheed-claws</filename>.  A message
 	  will be displayed when options such as these are
 	  available.</para></note>
       </sect3>
 
       <sect3>
         <title>Overriding the Default Ports Directories</title>
 
 	<para>Sometimes it is useful (or mandatory) to use a different
 	  distfiles and ports directory.  The
 	  <makevar>PORTSDIR</makevar> and <makevar>PREFIX</makevar>
 	  variables can override the default directories.  For
 	  example:</para>
 
 	<screen>&prompt.root; <userinput>make PORTSDIR=/usr/home/example/ports install</userinput></screen>
 
 	<para>will compile the port in
 	    <filename>/usr/home/example/ports</filename> and install
 	    everything under <filename>/usr/local</filename>.</para>
 
 	<screen>&prompt.root; <userinput>make PREFIX=/usr/home/example/local install</userinput></screen>
 
 	<para>will compile it in <filename>/usr/ports</filename> and
 	  install it in
 	  <filename>/usr/home/example/local</filename>.</para>
 
 	<para>And of course,</para>
 
 	<screen>&prompt.root; <userinput>make PORTSDIR=../ports PREFIX=../local install</userinput></screen>
 
 	<para>will combine the two (it is too long to completely write
 	  on this page, but it should give you the general
 	  idea).</para>
 
 	<para>Alternatively, these variables can also be set as part
 	  of your environment.  Read the manual page for your shell
 	  for instructions on doing so.</para>
       </sect3>
 
       <sect3>
 	<title>Dealing with <command>imake</command></title>
 
 	<para>Some ports that use <command>imake</command> (a part of
 	  the X Window System) do not work well with
 	  <makevar>PREFIX</makevar>, and will insist on installing
 	  under <filename>/usr/X11R6</filename>.  Similarly, some Perl
 	  ports ignore <makevar>PREFIX</makevar> and install in the
 	  Perl tree.  Making these ports respect
 	  <makevar>PREFIX</makevar> is a difficult or impossible
 	  job.</para>
 
       </sect3>
     </sect2>
 
     <sect2 id="ports-removing">
       <title>Removing Installed Ports</title>
 
       <indexterm>
         <primary>ports</primary>
         <secondary>removing</secondary>
       </indexterm>
       <para>Now that you know how to install ports, you are probably
         wondering how to remove them, just in case you install one and
 	later on decide that you installed the wrong port.  
         We will remove our previous example (which was 
 	<command>lsof</command> for
         those of you not paying attention).  As with installing ports,
 	the first thing you must do is change to the port directory,
 	<filename>/usr/ports/sysutils/lsof</filename>.  After you change
 	directories, you are ready to uninstall <command>lsof</command>.
 	This is done with
 	the <command>make deinstall</command> command:</para>
 
       <screen>&prompt.root; <userinput>cd /usr/ports/sysutils/lsof</userinput>
 &prompt.root; <userinput>make deinstall</userinput>
 ===&gt;  Deinstalling for lsof-4.57</screen>
 
       <para>That was easy enough.  You have removed
 	<command>lsof</command>
         from your system.  If you would like to reinstall it, you can do
 	so by running <command>make reinstall</command> from the
         <filename>/usr/ports/sysutils/lsof</filename> directory.</para>
 
       <para>The <command>make deinstall</command> and <command>make
         reinstall</command> sequence does not work once you have run
         <command>make clean</command>.  If you want to deinstall a
         port after cleaning, use &man.pkg.delete.1; as
         discussed in the <link linkend="packages-using">Packages
         section of the Handbook</link>.</para>
     </sect2>
 
     <sect2 id="ports-disk-space">
       <title>Ports and Disk Space</title>
 
       <indexterm>
         <primary>ports</primary>
         <secondary>disk-space</secondary>
       </indexterm>
       <para>Using the ports collection can defiantly eat up your disk
 	space.  For this reason you should always remember to clean up
 	the work directories using the <command>make
 	<makevar>clean</makevar></command> option.  This will remove
 	the <filename>work</filename> directory after a port has been
 	built, and installed.  You can also remove the tar files from
 	the <filename>distfiles</filename> directory, and remove the
 	installed ports when their use has delimited.</para>
 
       <para>Some users choose to limit the port categories by placing an entry
 	in the <filename>refuse</filename> file.  This way when they run the
 	<application>CVSup</application> application, it will not download the
 	files in that category.  More information regarding the
 	<filename>refuse</filename> file can be found in <xref
 	linkend="cvsup-refuse-file">.</para>
     </sect2>
 
     <sect2 id="ports-upgrading">
       <title>Upgrading Ports</title>
 
       <indexterm>
 	<primary>portupgrade</primary>
       </indexterm>
       <indexterm>
 	<primary>ports</primary>
 	<secondary>upgrading</secondary>
       </indexterm>
       <note>
 	<para>Once you updated your ports collection, before
 	  attempting a port upgrade, you should check the
 	  <filename>/usr/ports/UPDATING</filename> file.  This file
 	  describes various issues and additional steps users may
 	  encounter and need to perform when updating a port.</para>
       </note>
 
       <para>Keeping your ports up to date can be a tedious job.  For
 	instance, to upgrade a port you would go to the ports
 	directory, build the port, deinstall the old port, install the
 	new port, and then clean up after the build.  Imagine doing
 	that for five ports, tedious right?  This was a large problem
 	for system administrators to deal with, and now we have
 	utilities which do this for us.  For instance the <filename
 	role="package">sysutils/portupgrade</filename> utility will do
 	everything for you!  Just install it like you would any other
 	port, using the <command>make <makevar>install
 	clean</makevar></command> command.</para>
 
       <para>Now create a database with the <command>pkgdb -F</command>
 	command.  This will read the list of installed ports and
 	create a database file in the <filename>/var/db/pkg</filename>
 	directory.  Now when you run <command>portupgrade
 	-a</command>, it will read this and the ports
 	<filename>INDEX</filename> file.  Finally,
 	<application>portupgrade</application> will begin to download, build,
 	backup, install, and clean the ports which have been updated.
 	<application>portupgrade</application> comes with a lot of options
 	for different use cases, the most important ones will be presented
 	below.</para>
 
       <para>If you want to upgrade only a certain application, not the
 	complete database, use <command>portupgrade
 	<replaceable>pkgname</replaceable></command>, 
 	include the flags <option>-r</option> if
 	<application>portupgrade</application> should act on all
 	those packages depending on the given package as well, and
 	<option>-R</option> to act on all packages required by
 	the given packages.
 	To use packages instead of ports for installation, provide
 	<option>-P</option> and to just fetch distfiles without
 	building or installing anything, use <option>-F</option>.
 	For further information see &man.portupgrade.1;.</para>
 
       <note>
 	<para>It is important to regularly update the package database using
 	  <command>pkgdb -F</command> to fix inconsistencies, especially when 
 	  <application>portupgrade</application> asks you to.  Do not abort
 	  <application>portupgrade</application> while it is updating the
 	  package database, this will leave you an inconsistent
 	  database.</para>
       </note>
 
       <para>Other utilities exist which will do this, check out the
 	<filename>ports/sysutils</filename> directory and see what you
 	come up with.</para>
     </sect2>
   </sect1>
 
   <sect1 id="ports-nextsteps">
     <title>Post-installation Activities</title>
 
     <para>After installing a new application you will normally want to
       read any documentation it may have included, edit any
       configuration files that are required, ensure that the
       application starts at boot time (if it is a daemon), and so
       on.</para>
 
     <para>The exact steps you need to take to configure each
       application will obviously be different.  However, if you have
       just installed a new application and are wondering <quote>What
       now?</quote> these tips might help:</para>
 
     <itemizedlist>
       <listitem>
 	<para>Use &man.pkg.info.1; to find out which files were installed,
 	  and where.  For example, if you have just
 	  installed FooPackage version 1.0.0, then this command</para>
 
 	<screen>&prompt.root; <userinput>pkg_info -L foopackage-1.0.0 | less</userinput></screen>
 
 	<para>will show all the files installed by the package.  Pay
 	  special attention to files in <filename>man/</filename>
 	  directories, which will be manual pages,
 	  <filename>etc/</filename> directories, which will be
 	  configuration files, and <filename>doc/</filename>, which
 	  will be more comprehensive documentation.</para>
 
 	<para>If you are not sure which version of the application was
 	  just installed, a command like this</para>
 
 	<screen>&prompt.root; <userinput>pkg_info | grep -i <replaceable>foopackage</replaceable></userinput></screen>
 
 	<para>will find all the installed packages that have
 	  <replaceable>foopackage</replaceable> in the package name.
 	  Replace <replaceable>foopackage</replaceable> in your
 	  command line as necessary.</para>
       </listitem>
 
       <listitem>
 	<para>Once you have identified where the application's manual
 	  pages have been installed, review them using &man.man.1;.
 	  Similarly, look over the sample configuration files, and any
 	  additional documentation that may have been provided.</para>
       </listitem>
 
       <listitem>
 	<para>If the application has a web site, check it for
 	  additional documentation, frequently asked questions, and so
 	  forth.  If you are not sure of the web site address it may
 	  be listed in the output from</para>
 
 	<screen>&prompt.root; <userinput>pkg_info <replaceable>foopackage-1.0.0</replaceable></userinput></screen>
 	
 	<para>A <literal>WWW:</literal> line, if present, should provide a URL
 	  for the application's web site.</para>
       </listitem>
 
       <listitem>
 	<para>Ports that should start at boot (such as Internet
 	  servers) will usually install a sample script in
 	  <filename>/usr/local/etc/rc.d</filename>.  You should
 	  review this script for correctness and edit or rename it if
 	  needed.  See <link
 	  linkend="configtuning-starting-services">Starting
 	  Services</link> for more information.</para>
       </listitem>
     </itemizedlist>
   </sect1>
 
   <sect1 id="ports-broken">
     <title>Dealing with Broken Ports</title>
 
       <para>If you come across a port that does not work for you,
         there are a few things you can do, including:</para>
 
       <orderedlist>
         <listitem>
 	  <para>Fix it!  The <ulink
 	    url="&url.books.porters-handbook;/index.html">Porter's
 	    Handbook</ulink> includes detailed information on the
 	    <quote>Ports</quote> infrastructure so that you can fix the occasional
 	    broken port or even submit your own!</para>
 	</listitem>
 
 	<listitem>
 	  <para>Gripe&mdash;<emphasis>by email only</emphasis>!  Send
 	    email to the maintainer of the port first.  Type
 	    <command>make maintainer</command> or read the
 	    <filename>Makefile</filename> to find the maintainer's
 	    email address.  Remember to include the name and version
 	    of the port (send the <literal>&dollar;FreeBSD:</literal>
 	    line from the <filename>Makefile</filename>) and the
 	    output leading up to the error when you email the
 	    maintainer.  If you do not get a response from the
 	    maintainer, you can use &man.send-pr.1; to submit a bug
 	    report.</para>
 	</listitem>
 
 	<listitem>
 	  <para>Grab the package from an FTP site near you.  The
 	    <quote>master</quote> package collection is on <hostid
 	    role="fqdn">ftp.FreeBSD.org</hostid> in the <ulink
 	    url="ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/packages/">packages
 	    directory</ulink>, but be sure to check your local mirror
 	    <emphasis>first</emphasis>!  These are more likely to work
 	    than trying to compile from source and are a lot faster as
 	    well.  Use the &man.pkg.add.1; program to install the
 	    package on your system.</para>
 	</listitem>
       </orderedlist>
   </sect1>
 
 </chapter>
 
 <!--
      Local Variables:
      mode: sgml
      sgml-declaration: "../chapter.decl"
      sgml-indent-data: t
      sgml-omittag: nil
      sgml-always-quote-attributes: t
      sgml-parent-document: ("../book.sgml" "part" "chapter")
      End:
 -->
diff --git a/en_US.ISO8859-1/books/handbook/printing/chapter.sgml b/en_US.ISO8859-1/books/handbook/printing/chapter.sgml
index cfc1f2272b..72b03657bf 100644
--- a/en_US.ISO8859-1/books/handbook/printing/chapter.sgml
+++ b/en_US.ISO8859-1/books/handbook/printing/chapter.sgml
@@ -1,4949 +1,4949 @@
 <!--
      The FreeBSD Documentation Project
 
      $FreeBSD$
 -->
 
 <chapter id="printing">
   <chapterinfo>
     <authorgroup>
       <author>
 	<firstname>Sean</firstname>
 	<surname>Kelly</surname>
 	<contrib>Contributed by </contrib>
       </author>
       <!-- 30 Sept 1995 -->
     </authorgroup>
     <authorgroup>
       <author>
 	<firstname>Jim</firstname>
 	<surname>Mock</surname>
 	<contrib>Restructured and updated by </contrib>
 	<!-- Mar 2000 -->
       </author>
     </authorgroup>
   </chapterinfo>
 
   <title>Printing</title>
 
   <sect1 id="printing-synopsis">
     <title>Synopsis</title>
     <indexterm><primary>LPD spooling system</primary></indexterm>
     <indexterm><primary>printing</primary></indexterm>
 
     <para>FreeBSD can be used to print to a wide variety of printers, from the
       oldest impact printer to the latest laser printers, and everything in
       between, allowing you to produce high quality printed output from the
       applications you run.</para>
 
     <para>FreeBSD can also be configured to act as a print server on a
       network; in this capacity FreeBSD can receive print jobs from a variety
       of other computers, including other FreeBSD computers, &windows; and &macos;
       hosts.  FreeBSD will ensure that one job at a time is printed, and can
       keep statistics on which users and machines are doing the most printing,
       produce <quote>banner</quote> pages showing who's printout is who's, and
       more.</para>
 
     <para>After reading this chapter, you will know:</para>
 
     <itemizedlist>
       <listitem>
 	<para>How to configure the FreeBSD print spooler.</para>
       </listitem>
 
       <listitem>
 	<para>How to install print filters, to handle special print jobs
 	  differently, including converting incoming documents to print
 	  formats that your printers understand.</para>
       </listitem>
 
       <listitem>
 	<para>How to enable header, or banner pages on your printout.</para>
       </listitem>
 
       <listitem>
 	<para>How to print to printers connected to other computers.</para>
       </listitem>
 
       <listitem>
 	<para>How to print to printers connected directly to the
 	  network.</para>
       </listitem>
 
       <listitem>
 	<para>How to control printer restrictions, including limiting the size
 	  of print jobs, and preventing certain users from printing.</para>
       </listitem>
 
       <listitem>
 	<para>How to keep printer statistics, and account for printer
 	  usage.</para>
       </listitem>
 
       <listitem>
 	<para>How to troubleshoot printing problems.</para>
       </listitem>
     </itemizedlist>
 
     <para>Before reading this chapter, you should:</para>
 
     <itemizedlist>
       <listitem>
 	<para>Know how to configure and install a new kernel 
 	  (<xref linkend="kernelconfig">).</para>
       </listitem>
     </itemizedlist>
   </sect1>
 
   <sect1 id="printing-intro-spooler">
     <title>Introduction</title>
 
     <para>In order to use printers with FreeBSD, you will need to set
       them up to work with the Berkeley line printer spooling system,
       also known as the <application>LPD</application> spooling system.
       It is the standard printer control system in FreeBSD.  This
       chapter introduces the <application>LPD</application> spooling
       system, often simply called <application>LPD</application>, and
       will guide you through its configuration.</para>
 
     <para>If you are already familiar with 
       <application>LPD</application> or another printer spooling
       system, you may wish to skip to section <link
       linkend="printing-intro-setup">Setting up the spooling
       system</link>.</para>
 
     <para><application>LPD</application> controls everything about a 
       host's printers.  It is responsible for a number of things:</para>
 
     <itemizedlist>
       <listitem>
 	<para>It controls access to attached printers and printers
 	  attached to other hosts on the network.</para>
       </listitem>
 
       <indexterm><primary>print jobs</primary></indexterm>
       <listitem>
 	<para>It enables users to submit files to be printed; these
 	  submissions are known as <emphasis>jobs</emphasis>.</para>
       </listitem>
 
       <listitem>
 	<para>It prevents multiple users from accessing a printer at the
 	  same time by maintaining a <emphasis>queue</emphasis> for each
 	  printer.</para>
       </listitem>
 
       <listitem>
 	<para>It can print <emphasis>header pages</emphasis> (also known
 	  as <emphasis>banner</emphasis> or <emphasis>burst</emphasis>
 	  pages) so users can easily find jobs they have printed in a
 	  stack of printouts.</para>
       </listitem>
 
       <listitem>
 	<para>It takes care of communications parameters for printers
 	  connected on serial ports.</para>
       </listitem>
 
       <listitem>
 	<para>It can send jobs over the network to a 
 	  <application>LPD</application> spooler on another host.</para>
       </listitem>
 
       <listitem>
 	<para>It can run special filters to format jobs to be printed for
 	  various printer languages or printer capabilities.</para>
       </listitem>
 
       <listitem>
 	<para>It can account for printer usage.</para>
       </listitem>
     </itemizedlist>
 
     <para>Through a configuration file
       (<filename>/etc/printcap</filename>), and by providing the special
       filter programs, you can enable the <application>LPD</application>
       system to do all or some
       subset of the above for a great variety of printer hardware.</para>
 
     <sect2 id="printing-intro-why">
       <title>Why You Should Use the Spooler</title>
 
       <para>If you are the sole user of your system, you may be wondering
         why you should bother with the spooler when you do not need access
 	control, header pages, or printer accounting.  While it is
 	possible to enable direct access to a printer, you should use the
 	spooler anyway since:</para>
 
       <itemizedlist>
 	<listitem>
 	  <para><application>LPD</application> prints jobs in the background;
 	    you do not have to wait
 	    for data to be copied to the printer.</para>
 	</listitem>
 
 	<indexterm><primary>&tex;</primary></indexterm>
 	<listitem>
 	  <para><application>LPD</application> can conveniently run a job 
 	    to be printed through
 	    filters to add date/time headers or convert a special file
 	    format (such as a &tex; DVI file) into a format the printer will
 	    understand.  You will not have to do these steps
 	    manually.</para>
 	</listitem>
 
 	<listitem>
 	  <para>Many free and commercial programs that provide a print
 	    feature usually expect to talk to the spooler on your system.
 	    By setting up the spooling system, you will more easily
 	    support other software you may later add or already
 	    have.</para>
 	</listitem>
       </itemizedlist>
     </sect2>
   </sect1>
 
   <sect1 id="printing-intro-setup">
     <title>Basic Setup</title>
 
     <para>To use printers with the <application>LPD</application> spooling
       system, you will need to
       set up both your printer hardware and the 
       <application>LPD</application> software.  This
       document describes two levels of setup:</para>
 
     <itemizedlist>
       <listitem>
 	<para>See section <link linkend="printing-simple">Simple Printer
 	  Setup</link> to learn how to connect a printer, tell 
 	  <application>LPD</application> how to
 	  communicate with it, and print plain text files to the
 	  printer.</para>
       </listitem>
 
       <listitem>
 	<para>See section <link linkend="printing-advanced">Advanced
 	  Printer Setup</link> to find out how to print a variety of
 	  special file formats, to print header pages, to print across a
 	  network, to control access to printers, and to do printer
 	  accounting.</para>
       </listitem>
     </itemizedlist>
 
     <sect2 id="printing-simple">
       <title>Simple Printer Setup</title>
 
       <para>This section tells how to configure printer hardware and the
 	<application>LPD</application> software to use the printer.  
 	It teaches the basics:</para>
 
       <itemizedlist>
 	<listitem>
 	  <para>Section <link linkend="printing-hardware">Hardware
 	    Setup</link> gives some hints on connecting the printer to a
 	    port on your computer.</para>
 	</listitem>
 
 	<listitem>
 	  <para>Section <link linkend="printing-software">Software
 	    Setup</link> shows how to set up the 
 	    <application>LPD</application> spooler configuration
 	    file (<filename>/etc/printcap</filename>).</para>
 	</listitem>
       </itemizedlist>
 
       <para>If you are setting up a printer that uses a network protocol
 	to accept data to print instead of a serial or parallel interface,
 	see <link linkend="printing-advanced-network-net-if">Printers With
 	Networked Data Stream Interfaces</link>.</para>
 
       <para>Although this section is called <quote>Simple Printer
 	Setup</quote>, it is actually fairly complex.  Getting the printer
 	to work with your computer and the <application>LPD</application>
 	spooler is the hardest
 	part.  The advanced options like header pages and accounting are
 	fairly easy once you get the printer working.</para>
 
       <sect3 id="printing-hardware">
 	<title>Hardware Setup</title>
 
 	<para>This section tells about the various ways you can connect a
 	  printer to your PC.  It talks about the kinds of ports and
 	  cables, and also the kernel configuration you may need to enable
 	  FreeBSD to speak to the printer.</para>
 
 	<para>If you have already connected your printer and have
 	  successfully printed with it under another operating system, you
 	  can probably skip to section <link
 	  linkend="printing-software">Software Setup</link>.</para>
 
 	<sect4 id="printing-ports">
 	  <title>Ports and Cables</title>
 
 	  <para>Printers sold for use on PC's today generally come
 	    with one or more of the following three interfaces:</para>
 
 	  <itemizedlist>
 	    <indexterm>
         <primary>printers</primary>
         <secondary>serial</secondary>
       </indexterm>
 	    <listitem>
 	      <para><emphasis>Serial</emphasis> interfaces, also known
 		as RS232C or RS232D, or COM ports, use a serial port
 		on your computer to send data to the printer.  Serial
 		interfaces are common in the computer industry and cables
 		are readily available and also easy to construct.  Serial
 		interfaces sometimes need special cables and might require
 		you to configure somewhat complex communications
 		options.  Most PC serial ports have a maximum
 	        transmission rate of 115200&nbsp;bps, which makes printing
 	        large graphic print jobs with them impractical.</para>
 	    </listitem>
 
 	    <indexterm>
         <primary>printers</primary>
         <secondary>parallel</secondary>
       </indexterm>
 	    <listitem>
 	      <para><emphasis>Parallel</emphasis> interfaces use a
 		parallel port on your computer to send data to the
 		printer.  Parallel interfaces are common in the PC market
 		and are faster than RS232 serial.
 		Cables are readily available but more difficult to
 		construct by hand.  There are usually no communications
 		options with parallel interfaces, making their
 		configuration exceedingly simple.</para>
 
 	      <indexterm>
 	        <primary>centronics</primary>
 		<see>parallel printers</see>
 	      </indexterm>
 	      <para>Parallel interfaces are sometimes known as
 		<quote>Centronics</quote> interfaces, named after the
 		connector type on the printer.</para>
 	    </listitem>
 
 	    <indexterm>
         <primary>printers</primary>
         <secondary>USB</secondary>
 	</indexterm>
 	    <listitem>
 	      <para>USB interfaces, named for the Universal Serial
 	        Bus, can run at even faster speeds than parallel or
 	        RS232 serial interfaces.  Cables are simple and cheap.
 	        USB is superior to RS232 Serial and to Parallel for
 	        printing, but it is not as well supported under &unix;
 	        systems.  A way to avoid this problem is to purchase a
 	        printer that has both a USB interface and a Parallel
 	        interface, as many printers do.</para>
 	    </listitem>
 	  </itemizedlist>
 
 	  <para>In general, Parallel interfaces usually offer just
 	    one-way communication (computer to printer) while serial
 	    and USB gives you two-way. Newer parallel ports (EPP and
 	    ECP) and printers
 	    can communicate in both directions under FreeBSD when a
 	    IEEE1284 compliant cable is used.</para>
 
 	  <indexterm><primary>PostScript</primary></indexterm>
 
 	  <para>Two-way communication to the printer over a parallel
 	    port is generally done in one of two ways.  The first method
 	    uses a custom built printer driver for FreeBSD that speaks
 	    the proprietary language used by the printer.  This is
 	    common with inkjet printers and can be used for reporting
 	    ink levels and other status information.  The second
 	    method is used when the printer supports
 	    &postscript;.</para>
 
 	  <para>&postscript; jobs are
 	    actually programs sent to the printer; they need not produce
 	    paper at all and may return results directly to the computer.
 	    &postscript; also uses two-way communication to tell the
 	    computer about problems, such as errors in the &postscript;
 	    program or paper jams.  Your users may be appreciative of such
 	    information.  Furthermore, the best way to do effective
 	    accounting with a &postscript; printer requires two-way
 	    communication: you ask the printer for its page count (how
 	    many pages it has printed in its lifetime), then send the
 	    user's job, then ask again for its page count.  Subtract the
 	    two values and you know how much paper to charge the
 	    user.</para>
 	</sect4>
 	  
 	<sect4 id="printing-parallel">
 	  <title>Parallel Ports</title>
 
 	  <para>To hook up a printer using a parallel interface, connect
 	    the Centronics cable between the printer and the computer.
 	    The instructions that came with the printer, the computer, or
 	    both should give you complete guidance.</para>
 
 	  <para>Remember which parallel port you used on the computer.
 	    The first parallel port is <filename>/dev/ppc0</filename> to
 	    FreeBSD; the second is <filename>/dev/ppc1</filename>, and so
 	    on.  The printer device name uses the same scheme:
 	    <filename>/dev/lpt0</filename> for the printer on the first
 	    parallel ports etc.</para>
 	</sect4>
 
 	<sect4 id="printing-serial">
 	  <title>Serial Ports</title>
 
 	  <para>To hook up a printer using a serial interface, connect the
 	    proper serial cable between the printer and the computer.  The
 	    instructions that came with the printer, the computer, or both
 	    should give you complete guidance.</para>
 
 	  <para>If you are unsure what the <quote>proper serial
 	    cable</quote> is, you may wish to try one of the following
 	    alternatives:</para>
 
 	  <itemizedlist>
 	    <listitem>
 	      <para>A <emphasis>modem</emphasis> cable connects each pin
 		of the connector on one end of the cable straight through
 		to its corresponding pin of the connector on the other
 		end.  This type of cable is also known as a
 		<quote>DTE-to-DCE</quote> cable.</para>
 	    </listitem>
 
 	    <indexterm><primary>null-modem cable</primary></indexterm>
 	    <listitem>
 	      <para>A <emphasis>null-modem</emphasis> cable connects some
 		pins straight through, swaps others (send data to receive
 		data, for example), and shorts some internally in each
 		connector hood.  This type of cable is also known as a
 		<quote>DTE-to-DTE</quote> cable.</para>
 	    </listitem>
 
 	    <listitem>
 	      <para>A <emphasis>serial printer</emphasis> cable, required
 		for some unusual printers, is like the null-modem cable,
 		but sends some signals to their counterparts instead of
 		being internally shorted.</para>
 	    </listitem>
 	  </itemizedlist>
 
 	  <indexterm><primary>baud rate</primary></indexterm>
 	  <indexterm><primary>parity</primary></indexterm>
 	  <indexterm><primary>flow control protocol</primary></indexterm>
 	  <para>You should also set up the communications parameters for
 	    the printer, usually through front-panel controls or DIP
 	    switches on the printer.  Choose the highest
 	    <literal>bps</literal> (bits per second, sometimes
 	    <emphasis>baud rate</emphasis>) rate that both your computer
 	    and the printer can support.  Choose 7 or 8 data bits; none,
 	    even, or odd parity; and 1 or 2 stop bits.  Also choose a flow
 	    control protocol:  either none, or XON/XOFF (also known as
 	    <quote>in-band</quote> or <quote>software</quote>) flow control.
 	    Remember these settings for the software configuration that
 	    follows.</para>
 	</sect4>
       </sect3>
 
       <sect3 id="printing-software">
 	<title>Software Setup</title>
 
 	<para>This section describes the software setup necessary to print
 	  with the <application>LPD</application> spooling system in FreeBSD.
 	</para>
 
 	<para>Here is an outline of the steps involved:</para>
 
 	<procedure>
 	  <step>
 	    <para>Configure your kernel, if necessary, for the port you
 	      are using for the printer; section <link
 	      linkend="printing-kernel">Kernel Configuration</link> tells
 	      you what you need to do.</para>
 	  </step>
 
 	  <step>
 	    <para>Set the communications mode for the parallel port, if
 	      you are using a parallel port; section <link
 	      linkend="printing-parallel-port-mode">Setting the
 	      Communication Mode for the Parallel Port</link> gives
 	      details.</para>
 	  </step>
 
 	  <step>
 	    <para>Test if the operating system can send data to the printer.
 	      Section <link linkend="printing-testing">Checking Printer
 	      Communications</link> gives some suggestions on how to do
 	      this.</para>
 	  </step>
 
 	  <step>
 	    <para>Set up <application>LPD</application> for the printer by 
 	      modifying the file
 	      <filename>/etc/printcap</filename>.  You will find out how
 	      to do this later in this chapter.</para>
 	  </step>
 	</procedure>
 
 	<sect4 id="printing-kernel">
 	  <title>Kernel Configuration</title>
 
 	  <para>The operating system kernel is compiled to work with a
 	    specific set of devices.  The serial or parallel interface for
 	    your printer is a part of that set.  Therefore, it might be
 	    necessary to add support for an additional serial or parallel
 	    port if your kernel is not already configured for one.</para>
 
 	  <para>To find out if the kernel you are currently using supports
 	    a serial interface, type:</para>
 
 	  <screen>&prompt.root; <userinput>grep sio<replaceable>N</replaceable> /var/run/dmesg.boot</userinput></screen>
 
 	  <para>Where <replaceable>N</replaceable> is the number of the
 	    serial port, starting from zero.  If you see output similar to
 	    the following:</para>
 
 	  <screen>sio2 at port 0x3e8-0x3ef irq 5 on isa
 sio2: type 16550A</screen>
 
 	  <para>then the kernel supports the port.</para>
 
 	  <para>To find out if the kernel supports a parallel interface,
 	    type:</para>
 
 	  <screen>&prompt.root; <userinput>grep ppc<replaceable>N</replaceable> /var/run/dmesg.boot</userinput></screen>
 
 	  <para>Where <replaceable>N</replaceable> is the number of the
 	    parallel port, starting from zero.  If you see output similar
 	    to the following:</para>
 	    
 	    <screen>ppc0: &lt;Parallel port&gt; at port 0x378-0x37f irq 7 on isa0
 ppc0: SMC-like chipset (ECP/EPP/PS2/NIBBLE) in COMPATIBLE mode
 ppc0: FIFO with 16/16/8 bytes threshold</screen>
 	    
 	    <para>then the kernel supports the port.</para>
 
 	  <para>You might have to reconfigure your kernel in order for the
 	    operating system to recognize and use the parallel or serial
 	    port you are using for the printer.</para>
 
 	  <para>To add support for a serial port, see the section on
 	    kernel configuration.  To add support for a parallel port, see
 	    that section <emphasis>and</emphasis> the section that
 	    follows.</para>
 	</sect4>
       </sect3>
 
       <sect3 id="printing-dev-ports">
 	<title>Adding <filename>/dev</filename> Entries for the
 	  Ports</title>
 
 	<note><para>FreeBSD&nbsp;5.0 includes the <literal>devfs</literal>
 	  filesystem which automatically creates device nodes as
 	  needed.  If you are running a version of FreeBSD with
 	  <literal>devfs</literal> enabled then you can safely skip
 	  this section.</para></note>
 
 	<para>Even though the kernel may support communication along a
 	  serial or parallel port, you will still need a software
 	  interface through which programs running on the system can
 	  send and receive data.  That is what entries in the
 	  <filename>/dev</filename> directory are for.</para>
 
 	<para><emphasis>To add a <filename>/dev</filename> entry for a
 	  port:</emphasis></para>
 
 	<procedure>
 	  <step>
 	    <para>Become <username>root</username> with the &man.su.1; command.
 	       Enter the <username>root</username> password when prompted.</para>
 	  </step>
 
 	  <step>
 	    <para>Change to the <filename>/dev</filename>
 	      directory:</para>
 
 	    <screen>&prompt.root; <userinput>cd /dev</userinput></screen>
 	  </step>
 
 	  <step>
 	    <para>Type:</para>
 
 	    <screen>&prompt.root; <userinput>./MAKEDEV <replaceable>port</replaceable></userinput></screen>
 
 	    <para>Where <replaceable>port</replaceable> is the device
 	      entry for the port you want to make.  Use
 	      <literal>lpt0</literal> for the printer on the first parallel port,
 	      <literal>lpt1</literal> for the printer on the second port, and so on; use
 	      <literal>ttyd0</literal> for the first serial port,
 	      <literal>ttyd1</literal> for the second, and so on.</para>
 	  </step>
 
 	  <step>
 	    <para>Type:</para>
 
 	    <screen>&prompt.root; <userinput>ls -l <replaceable>port</replaceable></userinput></screen>
 
 	    <para>to make sure the device entry got created.</para>
 	  </step>
 	</procedure>
 
 	<sect4 id="printing-parallel-port-mode">
 	  <title>Setting the Communication Mode for the Parallel
 	    Port</title>
 
 	  <para>When you are using the parallel interface, you can choose
 	    whether FreeBSD should use interrupt-driven or polled
 	    communication with the printer.  The generic printer
 	    device driver (&man.lpt.4;) on FreeBSD&nbsp;4.X and 5.X
 	    uses the &man.ppbus.4; system, which controls the port
 	    chipset with the &man.ppc.4; driver.</para>
 
 	  <itemizedlist>
 	    <listitem>
 	      <para>The <emphasis>interrupt-driven</emphasis> method is
 		the default with the GENERIC kernel.  With this method,
 		the operating system uses an IRQ line to determine when
 		the printer is ready for data.</para>
 	    </listitem>
 
 	    <listitem>
 	      <para>The <emphasis>polled</emphasis> method directs the
 		operating system to repeatedly ask the printer if it is
 		ready for more data.  When it responds ready, the kernel
 		sends more data.</para>
 	    </listitem>
 	  </itemizedlist>
 
 	  <para>The interrupt-driven method is usually somewhat faster
 	    but uses up a precious IRQ line.  Some newer HP printers
 	    are claimed not to work correctly in interrupt mode,
 	    apparently due to some (not yet exactly understood) timing
 	    problem.  These printers need polled mode.  You should use
 	    whichever one works.  Some printers will work in both
 	    modes, but are painfully slow in interrupt mode.</para>
 
 	  <para>You can set the communications mode in two ways: by
 	    configuring the kernel or by using the &man.lptcontrol.8;
 	    program.</para>
 
 	  <para><emphasis>To set the communications mode by configuring
 	    the kernel:</emphasis></para>
 
 	  <procedure>
 	    <step>
 	      <para>Edit your kernel configuration file.  Look for
 		an <literal>ppc0</literal> entry.  If you are setting up
 		the second parallel port, use <literal>ppc1</literal>
 		instead.  Use <literal>ppc2</literal> for the third port,
 		and so on.</para>
 
 	      <itemizedlist>
 		<listitem>
 		  <para>If you want interrupt-driven mode, for FreeBSD&nbsp;4.X add the
 		    <literal>irq</literal> specifier:</para>
 
 		  <programlisting>device ppc0 at isa? irq <replaceable>N</replaceable></programlisting>
 
 		  <para>Where <replaceable>N</replaceable> is the IRQ
 		    number for your computer's parallel port.</para>
 
 		  <para>For FreeBSD&nbsp;5.X, edit the following line:</para>
 
 		  <programlisting>hint.ppc.0.irq="<replaceable>N</replaceable>"</programlisting>
 
 		  <para>in the <filename>/boot/device.hints</filename> file
 		    and replace <replaceable>N</replaceable> with the right
 		    IRQ number.  The kernel configuration file must
 		    also contain the &man.ppc.4; driver:</para>
 
 		  <screen>device ppc</screen>
 
 		</listitem>
 
 		<listitem>
 		  <para>If you want polled mode, do not add the
 		    <literal>irq</literal> specifier:</para>
 
 		  <para>For FreeBSD&nbsp;4.X, use the following line in
 		    your kernel configuration file:</para>
 
 		  <programlisting>device ppc0 at isa?</programlisting>
 
 		  <para>For FreeBSD&nbsp;5.X, simply remove in your
 		    <filename>/boot/device.hints</filename> file, the
 		    following line:</para>
 
 		  <programlisting>hint.ppc.0.irq="<replaceable>N</replaceable>"</programlisting>
 
 		  <para>In some cases, this is not enough to put the
 		    port in polled mode under FreeBSD&nbsp;5.X.  Most of
 		    time it comes from &man.acpi.4; driver, this latter
 		    is able to probe and attach devices, and therefore,
 		    control the access mode to the printer port.  You
 		    should check your &man.acpi.4; configuration to
 		    correct this problem.</para>
 		</listitem>
 	      </itemizedlist>
 	    </step>
 
 	    <step>
 	      <para>Save the file.  Then configure, build, and install the
 		kernel, then reboot.  See <link
 		linkend="kernelconfig">kernel configuration</link> for
 		more details.</para>
 	    </step>
 	  </procedure>
 
 	  <para><emphasis>To set the communications mode with</emphasis>
 	    &man.lptcontrol.8;:</para>
 
 	  <procedure>
 	    <step>
 	      <para>Type:</para>
 
 	      <screen>&prompt.root; <userinput>lptcontrol -i -d /dev/lpt<replaceable>N</replaceable></userinput></screen>
 
 	      <para>to set interrupt-driven mode for
 		<literal>lpt<replaceable>N</replaceable></literal>.</para>
 	    </step>
 
 	    <step>
 	      <para>Type:</para>
 
 	      <screen>&prompt.root; <userinput>lptcontrol -p -d /dev/lpt<replaceable>N</replaceable></userinput></screen>
 
 	      <para>to set polled-mode for
 		<literal>lpt<replaceable>N</replaceable></literal>.</para>
 	    </step>
 	  </procedure>
 
 	  <para>You could put these commands in your
 	    <filename>/etc/rc.local</filename> file to set the mode each
 	    time your system boots.  See &man.lptcontrol.8; for more
 	    information.</para>
 	</sect4>
 
 	<sect4 id="printing-testing">
 	  <title>Checking Printer Communications</title>
 
 	  <para>Before proceeding to configure the spooling system, you
 	    should make sure the operating system can successfully send
 	    data to your printer.  It is a lot easier to debug printer
 	    communication and the spooling system separately.</para>
 
 	  <para>To test the printer, we will send some text to it.  For
 	    printers that can immediately print characters sent to them,
 	    the program  &man.lptest.1; is perfect: it generates all 96
 	    printable ASCII characters in 96 lines.</para>
 
 	  <indexterm><primary>PostScript</primary></indexterm>
 	  <para>For a &postscript; (or other language-based) printer, we
 	    will need a more sophisticated test.  A small &postscript;
 	    program, such as the following, will suffice:</para>
 
 	  <programlisting>%!PS
 100 100 moveto 300 300 lineto stroke
 310 310 moveto /Helvetica findfont 12 scalefont setfont
 (Is this thing working?) show
 showpage</programlisting>
 
 	  <para>The above &postscript; code can be placed into a file and
 	    used as shown in the examples appearing in the following
 	    sections.</para>
 
 	  <indexterm><primary>PCL</primary></indexterm>
 	  <note>
 	    <para>When this document refers to a printer language, it is
 	      assuming a language like &postscript;, and not Hewlett
 	      Packard's PCL.  Although PCL has great functionality, you
 	      can intermingle plain text with its escape sequences.
 	      &postscript; cannot directly print plain text, and that is the
 	      kind of printer language for which we must make special
 	      accommodations.</para>
 	  </note>
 
 	  <sect5 id="printing-checking-parallel">
 	    <title>Checking a Parallel Printer</title>
 
 	    <indexterm>
         <primary>printers</primary>
         <secondary>parallel</secondary>
       </indexterm>
 	    <para>This section tells you how to check if FreeBSD can
 	      communicate with a printer connected to a parallel
 	      port.</para>
 
 	    <para><emphasis>To test a printer on a parallel
 	      port:</emphasis></para>
 
 	    <procedure>
 	      <step>
 		<para>Become <username>root</username> with  &man.su.1;.</para>
 	      </step>
 
 	      <step>
 		<para>Send data to the printer.</para>
 
 		<itemizedlist>
 		  <listitem>
 		    <para>If the printer can print plain text, then use
 		      &man.lptest.1;.  Type:</para>
 
 		    <screen>&prompt.root; <userinput>lptest &gt; /dev/lpt<replaceable>N</replaceable></userinput></screen>
 
 		    <para>Where <replaceable>N</replaceable> is the number
 		      of the parallel port, starting from zero.</para>
 		  </listitem>
 
 		  <listitem>
 		    <para>If the printer understands &postscript; or other
 		      printer language, then send a small program to the
 		      printer.  Type:</para>
 
 		    <screen>&prompt.root; <userinput>cat &gt; /dev/lpt<replaceable>N</replaceable></userinput></screen>
 
 		    <para>Then, line by line, type the program
 		      <emphasis>carefully</emphasis> as you cannot edit a
 		      line once you have pressed <literal>RETURN</literal>
 		      or <literal>ENTER</literal>.  When you have finished
 		      entering the program, press
 		      <literal>CONTROL+D</literal>, or whatever your end
 		      of file key is.</para>
 
 		    <para>Alternatively, you can put the program in a file
 		      and type:</para>
 
 		    <screen>&prompt.root; <userinput>cat <replaceable>file</replaceable> &gt; /dev/lpt<replaceable>N</replaceable></userinput></screen>
 
 		    <para>Where <replaceable>file</replaceable> is the
 		      name of the file containing the program you want to
 		      send to the printer.</para>
 		  </listitem>
 		</itemizedlist>
 	      </step>
 	    </procedure>
 
 	    <para>You should see something print.  Do not worry if the
 	      text does not look right; we will fix such things
 	      later.</para>
 	  </sect5>
 
 	  <sect5 id="printing-checking-serial">
 	    <title>Checking a Serial Printer</title>
 
 	    <indexterm>
         <primary>printers</primary>
         <secondary>serial</secondary>
       </indexterm>
 	    <para>This section tells you how to check if FreeBSD can
 	      communicate with a printer on a serial port.</para>
 
 	    <para><emphasis>To test a printer on a serial
 	      port:</emphasis></para>
 
 	    <procedure>
 	      <step>
 		<para>Become <username>root</username> with &man.su.1;.</para>
 	      </step>
 
 	      <step>
 		<para>Edit the file <filename>/etc/remote</filename>.  Add
 		  the following entry:</para>
 
 		<programlisting>printer:dv=/dev/<replaceable>port</replaceable>:br#<replaceable>bps-rate</replaceable>:pa=<replaceable>parity</replaceable></programlisting>
 
 		<indexterm><primary>bits-per-second</primary></indexterm>
 		<indexterm><primary>serial port</primary></indexterm>
 		<indexterm><primary>parity</primary></indexterm>
 		<para>Where <replaceable>port</replaceable> is the device
 		  entry for the serial port (<literal>ttyd0</literal>,
 		  <literal>ttyd1</literal>, etc.),
 		  <replaceable>bps-rate</replaceable> is the
 		  bits-per-second rate at which the printer communicates,
 		  and <replaceable>parity</replaceable> is the parity
 		  required by the printer (either <literal>even</literal>,
 		  <literal>odd</literal>, <literal>none</literal>, or
 		  <literal>zero</literal>).</para>
 
 		<para>Here is a sample entry for a printer connected via
 		  a serial line to the third serial port at 19200&nbsp;bps with
 		  no parity:</para>
 
 		<programlisting>printer:dv=/dev/ttyd2:br#19200:pa=none</programlisting>
 	      </step>
 
 	      <step>
 		<para>Connect to the printer with &man.tip.1;.
 		  Type:</para>
 
 		<screen>&prompt.root; <userinput>tip printer</userinput></screen>
 
 		<para>If this step does not work, edit the file
 		  <filename>/etc/remote</filename> again and try using
 		  <filename>/dev/cuaa<replaceable>N</replaceable></filename>
 		  instead of
 		  <filename>/dev/ttyd<replaceable>N</replaceable></filename>.</para>
 	      </step>
 
 	      <step>
 		<para>Send data to the printer.</para>
 
 		<itemizedlist>
 		  <listitem>
 		    <para>If the printer can print plain text, then use
 		      &man.lptest.1;.  Type:</para>
 
 		    <screen>&prompt.user; <userinput>$lptest</userinput></screen>
 		  </listitem>
 
 		  <listitem>
 		    <para>If the printer understands &postscript; or other
 		      printer language, then send a small program to the
 		      printer.  Type the program, line by line,
 		      <emphasis>very carefully</emphasis> as backspacing
 		      or other editing keys may be significant to the
 		      printer.  You may also need to type a special
 		      end-of-file key for the printer so it knows it
 		      received the whole program.  For &postscript;
 		      printers, press <literal>CONTROL+D</literal>.</para>
 
 		    <para>Alternatively, you can put the program in a file
 		      and type:</para>
 
 		    <screen>&prompt.user; <userinput>&gt;<replaceable>file</replaceable></userinput></screen>
 
 		    <para>Where <replaceable>file</replaceable> is the
 		      name of the file containing the program.  After
 		      &man.tip.1; sends the file, press any required
 		      end-of-file key.</para>
 		  </listitem>
 		</itemizedlist>
 	      </step>
 	    </procedure>
 
 	    <para>You should see something print.  Do not worry if the
 	      text does not look right; we will fix that later.</para>
 	  </sect5>
 	</sect4>
       </sect3>
 
       <sect3 id="printing-printcap">
 	<title>Enabling the Spooler: the <filename>/etc/printcap</filename>
 	  File</title>
 
 	<para>At this point, your printer should be hooked up, your kernel
 	  configured to communicate with it (if necessary), and you have
 	  been able to send some simple data to the printer.  Now, we are
 	  ready to configure <application>LPD</application> to control access
 	  to your printer.</para>
 
 	<para>You configure <application>LPD</application> by editing the file
 	  <filename>/etc/printcap</filename>.  The 
 	  <application>LPD</application> spooling system
 	  reads this file each time the spooler is used, so updates to the
 	  file take immediate effect.</para>
 
 	<indexterm>
     <primary>printers</primary>
     <secondary>capabilities</secondary>
   </indexterm>
 	<para>The format of the &man.printcap.5; file is straightforward.
 	  Use your favorite text editor to make changes to
 	  <filename>/etc/printcap</filename>.  The format is identical to
 	  other capability files like
 	  <filename>/usr/share/misc/termcap</filename> and
 	  <filename>/etc/remote</filename>.  For complete information
 	  about the format, see the &man.cgetent.3;.</para>
 
 	<para>The simple spooler configuration consists of the following
 	  steps:</para>
 
 	<procedure>
 	  <step>
 	    <para>Pick a name (and a few convenient aliases) for the
 	      printer, and put them in the
 	      <filename>/etc/printcap</filename> file; see the 
 	      <link linkend="printing-naming">Naming the Printer</link>
 	      section for more information on naming.</para>
 	  </step>
 
 	  <indexterm><primary>header pages</primary></indexterm>
 	  <step>
 	    <para>Turn off header pages (which are on by default) by
 	      inserting the <literal>sh</literal> capability; see the
 	      <link linkend="printing-no-header-pages">Suppressing Header
 	      Pages</link> section for more information.</para>
 	  </step>
 
 	  <step>
 	    <para>Make a spooling directory, and specify its location with
 	      the <literal>sd</literal> capability; see the <link
 	      linkend="printing-spooldir">Making the Spooling
 	      Directory</link> section for more information.</para>
 	  </step>
 
 	  <step>
 	    <para>Set the <filename>/dev</filename> entry to use for the
 	      printer, and note it in <filename>/etc/printcap</filename>
 	      with the <literal>lp</literal> capability; see the <link
 	      linkend="printing-device">Identifying the Printer
 	      Device</link> for more information.  Also, if the printer is
 	      on a serial port, set up the communication parameters with
 	      the <literal>ms#</literal> capability which is discussed in the <link
 	      linkend="printing-commparam">Configuring Spooler
 	      Communications Parameters</link> section.</para>
 	  </step>
 
 	  <step>
 	    <para>Install a plain text input filter; see the <link
 	    linkend="printing-textfilter">Installing the Text
 	    Filter</link> section for details.</para>
 	  </step>
 
 	  <step>
 	    <para>Test the setup by printing something with the
 	      &man.lpr.1; command.  More details are available in the
 	      <link linkend="printing-trying">Trying It Out</link> and
 	      <link
 	      linkend="printing-troubleshooting">Troubleshooting</link>
 	      sections.</para>
 	  </step>
 	</procedure>
 
 	<note>
 	  <para>Language-based printers, such as &postscript; printers,
 	    cannot directly print plain text.  The simple setup outlined
 	    above and described in the following sections assumes that if
 	    you are installing such a printer you will print only files
 	    that the printer can understand.</para>
 	</note>
 
 	<para>Users often expect that they can print plain text to any of
 	  the printers installed on your system.  Programs that interface
 	  to <application>LPD</application> to do their printing usually
 	  make the same assumption.
 	  If you are installing such a printer and want to be able to
 	  print jobs in the printer language <emphasis>and</emphasis>
 	  print plain text jobs, you are strongly urged to add an
 	  additional step to the simple setup outlined above: install an
 	  automatic plain-text-to-&postscript; (or other printer language)
 	  conversion program.  The section entitled <link
 	  linkend="printing-advanced-if-conversion">Accommodating Plain
 	  Text Jobs on &postscript; Printers</link> tells how to do
 	  this.</para>
 
 	<sect4 id="printing-naming">
 	  <title>Naming the Printer</title>
 
 	  <para>The first (easy) step is to pick a name for your printer
 	    It really does not matter whether you choose functional or
 	    whimsical names since you can also provide a number of aliases
 	    for the printer.</para>
 
 	  <para>At least one of the printers specified in the
 	    <filename>/etc/printcap</filename> should have the alias
 	    <literal>lp</literal>.  This is the default printer's name.
 	    If users do not have the <envar>PRINTER</envar> environment
 	    variable nor specify a printer name on the command line of any
 	    of the <application>LPD</application> commands, 
 	    then <literal>lp</literal> will be the
 	    default printer they get to use.</para>
 
 	  <para>Also, it is common practice to make the last alias for a
 	    printer be a full description of the printer, including make
 	    and model.</para>
 
 	  <para>Once you have picked a name and some common aliases, put
 	    them in the <filename>/etc/printcap</filename> file.  The name
 	    of the printer should start in the leftmost column.  Separate
 	    each alias with a vertical bar and put a colon after the last
 	    alias.</para>
 
 	  <para>In the following example, we start with a skeletal
 	    <filename>/etc/printcap</filename> that defines two printers
 	    (a Diablo 630 line printer and a Panasonic KX-P4455 &postscript;
 	    laser printer):</para>
 
 	  <programlisting>#
 #  /etc/printcap for host rose
 #
 rattan|line|diablo|lp|Diablo 630 Line Printer:
 
 bamboo|ps|PS|S|panasonic|Panasonic KX-P4455 PostScript v51.4:</programlisting>
 
 	  <para>In this example, the first printer is named
 	    <literal>rattan</literal> and has as aliases
 	    <literal>line</literal>, <literal>diablo</literal>,
 	    <literal>lp</literal>, and <literal>Diablo 630 Line
 	    Printer</literal>.  Since it has the alias
 	    <literal>lp</literal>, it is also the default printer.  The
 	    second is named <literal>bamboo</literal>, and has as aliases
 	    <literal>ps</literal>, <literal>PS</literal>,
 	    <literal>S</literal>, <literal>panasonic</literal>, and
 	    <literal>Panasonic KX-P4455 PostScript v51.4</literal>.</para>
 	</sect4>
 
 	<sect4 id="printing-no-header-pages">
 	  <title>Suppressing Header Pages</title>
 	  <indexterm>
       <primary>printing</primary>
       <secondary>header pages</secondary>
     </indexterm>
 
 	  <para>The <application>LPD</application> spooling system will 
 	    by default print a
 	    <emphasis>header page</emphasis> for each job.  The header
 	    page contains the user name who requested the job, the host
 	    from which the job came, and the name of the job, in nice
 	    large letters.  Unfortunately, all this extra text gets in the
 	    way of debugging the simple printer setup, so we will suppress
 	    header pages.</para>
 
 	  <para>To suppress header pages, add the <literal>sh</literal>
 	    capability to the entry for the printer in
 	    <filename>/etc/printcap</filename>.  Here is an example
 	    <filename>/etc/printcap</filename> with <literal>sh</literal>
 	    added:</para>
 
 	  <programlisting>#
 #  /etc/printcap for host rose - no header pages anywhere
 #
 rattan|line|diablo|lp|Diablo 630 Line Printer:\
         :sh:
 
 bamboo|ps|PS|S|panasonic|Panasonic KX-P4455 PostScript v51.4:\
         :sh:</programlisting>
 
 	  <para>Note how we used the correct format: the first line starts
 	    in the leftmost column, and subsequent lines are indented with
 	    a single TAB.  Every line in an entry except the last ends in
 	    a backslash character.</para>
 	</sect4>
 
 	<sect4 id="printing-spooldir">
 	  <title>Making the Spooling Directory</title>
 	  <indexterm><primary>printer spool</primary></indexterm>
 	  <indexterm><primary>print jobs</primary></indexterm>
 
 	  <para>The next step in the simple spooler setup is to make a
 	    <emphasis>spooling directory</emphasis>, a directory where
 	    print jobs reside until they are printed, and where a number
 	    of other spooler support files live.</para>
 
 	  <para>Because of the variable nature of spooling directories, it
 	    is customary to put these directories under
 	    <filename>/var/spool</filename>.  It is not necessary to
 	    backup the contents of spooling directories, either.
 	    Recreating them is as simple as running &man.mkdir.1;.</para>
 
 	  <para>It is also customary to make the directory with a name
 	    that is identical to the name of the printer, as shown
 	    below:</para>
 
 	  <screen>&prompt.root; <userinput>mkdir /var/spool/<replaceable>printer-name</replaceable></userinput></screen>
 
 	  <para>However, if you have a lot of printers on your network,
 	    you might want to put the spooling directories under a single
 	    directory that you reserve just for printing with 
 	    <application>LPD</application>.  We
 	    will do this for our two example printers
 	    <literal>rattan</literal> and
 	    <literal>bamboo</literal>:</para>
 
 	  <screen>&prompt.root; <userinput>mkdir /var/spool/lpd</userinput>
 &prompt.root; <userinput>mkdir /var/spool/lpd/rattan</userinput>
 &prompt.root; <userinput>mkdir /var/spool/lpd/bamboo</userinput></screen>
 
 	  <note>
 	    <para>If you are concerned about the privacy of jobs that
 	      users print, you might want to protect the spooling
 	      directory so it is not publicly accessible.  Spooling
 	      directories should be owned and be readable, writable, and
 	      searchable by user daemon and group daemon, and no one else.
 	      We will do this for our example printers:</para>
 
 	    <screen>&prompt.root; <userinput>chown daemon:daemon /var/spool/lpd/rattan</userinput>
 &prompt.root; <userinput>chown daemon:daemon /var/spool/lpd/bamboo</userinput>
 &prompt.root; <userinput>chmod 770 /var/spool/lpd/rattan</userinput>
 &prompt.root; <userinput>chmod 770 /var/spool/lpd/bamboo</userinput></screen>
 	  </note>
 
 	  <para>Finally, you need to tell <application>LPD</application>
 	    about these directories
 	    using the <filename>/etc/printcap</filename> file.  You
 	    specify the pathname of the spooling directory with the
 	    <literal>sd</literal> capability:</para>
 
 	  <programlisting>#
 #  /etc/printcap for host rose - added spooling directories
 #
 rattan|line|diablo|lp|Diablo 630 Line Printer:\
         :sh:sd=/var/spool/lpd/rattan:
 
 bamboo|ps|PS|S|panasonic|Panasonic KX-P4455 PostScript v51.4:\
         :sh:sd=/var/spool/lpd/bamboo:</programlisting>
 
 	  <para>Note that the name of the printer starts in the first
 	    column but all other entries describing the printer should be
 	    indented with a tab and each line escaped with a
 	    backslash.</para>
 
 	  <para>If you do not specify a spooling directory with
 	    <literal>sd</literal>, the spooling system will use
 	    <filename>/var/spool/lpd</filename> as a default.</para>
 	</sect4>
 
 	<sect4 id="printing-device">
 	  <title>Identifying the Printer Device</title>
 
 	  <para>In the <link linkend="printing-dev-ports">Adding
 	    <filename>/dev</filename> Entries for the Ports</link>
 	    section, we identified which entry in the
 	    <filename>/dev</filename> directory FreeBSD will use to
 	    communicate with the printer.  Now, we tell 
 	    <application>LPD</application> that
 	    information.  When the spooling system has a job to print, it
 	    will open the specified device on behalf of the filter program
 	    (which is responsible for passing data to the printer).</para>
 
 	  <para>List the <filename>/dev</filename> entry pathname in the
 	    <filename>/etc/printcap</filename> file using the
 	    <literal>lp</literal> capability.</para>
 
 	  <para>In our running example, let us assume that
 	    <literal>rattan</literal> is on the first parallel port, and
 	    <literal>bamboo</literal> is on a sixth serial port; here are
 	    the additions to <filename>/etc/printcap</filename>:</para>
 
 	  <programlisting>#
 #  /etc/printcap for host rose - identified what devices to use
 #
 rattan|line|diablo|lp|Diablo 630 Line Printer:\
         :sh:sd=/var/spool/lpd/rattan:\
         :lp=/dev/lpt0:
 
 bamboo|ps|PS|S|panasonic|Panasonic KX-P4455 PostScript v51.4:\
         :sh:sd=/var/spool/lpd/bamboo:\
         :lp=/dev/ttyd5:</programlisting>
 
 	  <para>If you do not specify the <literal>lp</literal> capability
 	    for a printer in your <filename>/etc/printcap</filename> file,
 	    <application>LPD</application> uses <filename>/dev/lp</filename>
 	    as a default.
 	    <filename>/dev/lp</filename> currently does not exist in
 	    FreeBSD.</para>
 
 	  <para>If the printer you are installing is connected to a
 	    parallel port, skip to the section entitled, <link
 	    linkend="printing-textfilter">Installing the Text
 	    Filter</link>.  Otherwise, be sure to follow the instructions
 	    in the next section.</para>
 	</sect4>
 
 	<sect4 id="printing-commparam">
 	  <title>Configuring Spooler Communication Parameters</title>
 	  <indexterm>
       <primary>printers</primary>
       <secondary>serial</secondary>
     </indexterm>
 
 	  <para>For printers on serial ports, <application>LPD</application>
 	    can set up the bps rate,
 	    parity, and other serial communication parameters on behalf of
 	    the filter program that sends data to the printer.  This is
 	    advantageous since:</para>
 
 	  <itemizedlist>
 	    <listitem>
 	      <para>It lets you try different communication parameters by
 		simply editing the <filename>/etc/printcap</filename>
 		file; you do not have to recompile the filter
 		program.</para>
 	    </listitem>
 
 	    <listitem>
 	      <para>It enables the spooling system to use the same filter
 		program for multiple printers which may have different
 		serial communication settings.</para>
 	    </listitem>
 	  </itemizedlist>
 
 	  <para>The following <filename>/etc/printcap</filename>
 	    capabilities control serial communication parameters of the
 	    device listed in the <literal>lp</literal> capability:</para>
 
 	  <variablelist>
 	    <varlistentry>
 	      <term><literal>br#<replaceable>bps-rate</replaceable></literal></term>
 
 	      <listitem>
 		<para>Sets the communications speed of the device to
 		  <replaceable>bps-rate</replaceable>, where
 		  <replaceable>bps-rate</replaceable> can be 50, 75, 110,
 		  134, 150, 200, 300, 600, 1200, 1800, 2400, 4800, 9600,
 		  19200, 38400, 57600, or 115200 bits-per-second.</para>
 	      </listitem>
 	    </varlistentry>
 
 	    <varlistentry>
 	      <term><literal>ms#<replaceable>stty-mode</replaceable></literal></term>
 
 	      <listitem>
 		<para>Sets the options for the terminal device after
 		  opening the device.  &man.stty.1; explains the
 		  available options.</para>
 	      </listitem>
 	    </varlistentry>
 	  </variablelist>
 
 	  <para>When <application>LPD</application> opens the device
 	    specified by the <literal>lp</literal> capability, it sets
 	    the characteristics of the device to those specified with
 	    the <literal>ms#</literal> capability.  Of particular
 	    interest will be the <literal>parenb</literal>,
 	    <literal>parodd</literal>, <literal>cs5</literal>,
 	    <literal>cs6</literal>, <literal>cs7</literal>,
 	    <literal>cs8</literal>, <literal>cstopb</literal>,
 	    <literal>crtscts</literal>, and <literal>ixon</literal>
 	    modes, which are explained in the &man.stty.1;
 	    manual page.</para>
 
 	  <para>Let us add to our example printer on the sixth serial
 	    port.  We will set the bps rate to 38400.  For the mode,
 	    we will set no parity with <literal>-parenb</literal>,
 	    8-bit characters with <literal>cs8</literal>,
 	    no modem control with <literal>clocal</literal> and
 	    hardware flow control with <literal>crtscts</literal>:</para>
 
 	  <programlisting>bamboo|ps|PS|S|panasonic|Panasonic KX-P4455 PostScript v51.4:\
         :sh:sd=/var/spool/lpd/bamboo:\
         :lp=/dev/ttyd5:ms#-parenb cs8 clocal crtscts:</programlisting>
 	</sect4>
 
 	<sect4 id="printing-textfilter">
 	  <title>Installing the Text Filter</title>
 	  <indexterm>
 	    <primary>printing</primary>
 	    <secondary>filters</secondary>
 	  </indexterm>
 
 	  <para>We are now ready to tell <application>LPD</application>
 	    what text filter to use to
 	    send jobs to the printer.  A <emphasis>text filter</emphasis>,
 	    also known as an <emphasis>input filter</emphasis>, is a
 	    program that <application>LPD</application> runs when it 
 	    has a job to print.  When <application>LPD</application>
 	    runs the text filter for a printer, it sets the filter's
 	    standard input to the job to print, and its standard output to
 	    the printer device specified with the <literal>lp</literal>
 	    capability.  The filter is expected to read the job from
 	    standard input, perform any necessary translation for the
 	    printer, and write the results to standard output, which will
 	    get printed.  For more information on the text filter, see
 	    the <link linkend="printing-advanced-filters">Filters</link>
 	    section.</para>
 
 	  <para>For our simple printer setup, the text filter can be a
 	    small shell script that just executes
 	    <command>/bin/cat</command> to send the job to the printer.
 	    FreeBSD comes with another filter called
 	    <filename>lpf</filename> that handles backspacing and
 	    underlining for printers that might not deal with such
 	    character streams well.  And, of course, you can use any other
 	    filter program you want.  The filter <command>lpf</command> is
 	    described in detail in section entitled <link
 	    linkend="printing-advanced-lpf">lpf: a Text
 	    Filter</link>.</para>
 
 	  <para>First, let us make the shell script
 	    <filename>/usr/local/libexec/if-simple</filename> be a simple
 	    text filter.  Put the following text into that file with your
 	    favorite text editor:</para>
 
 	  <programlisting>#!/bin/sh
 #
 # if-simple - Simple text input filter for lpd
 # Installed in /usr/local/libexec/if-simple
 #
 # Simply copies stdin to stdout.  Ignores all filter arguments.
 
 /bin/cat &amp;&amp; exit 0
 exit 2</programlisting>
 
 	  <para>Make the file executable:</para>
 
 	  <screen>&prompt.root; <userinput>chmod 555 /usr/local/libexec/if-simple</userinput></screen>
 
 	  <para>And then tell LPD to use it by specifying it with the
 	    <literal>if</literal> capability in
 	    <filename>/etc/printcap</filename>.  We will add it to the two
 	    printers we have so far in the example
 	    <filename>/etc/printcap</filename>:</para>
 
 	  <programlisting>#
 #  /etc/printcap for host rose - added text filter
 #
 rattan|line|diablo|lp|Diablo 630 Line Printer:\
         :sh:sd=/var/spool/lpd/rattan:\ :lp=/dev/lpt0:\
         :if=/usr/local/libexec/if-simple:
 
 bamboo|ps|PS|S|panasonic|Panasonic KX-P4455 PostScript v51.4:\
         :sh:sd=/var/spool/lpd/bamboo:\
         :lp=/dev/ttyd5:ms#-parenb cs8 clocal crtscts:\
         :if=/usr/local/libexec/if-simple:</programlisting>
 
 	  <note>
 	    <para>A copy of the <filename>if-simple</filename> script
 	      can be found in the <filename
 	      class="directory">/usr/share/examples/printing</filename>
 	      directory.</para>
 	  </note>
 	</sect4>
 
 	<sect4>
 	  <title>Turn on <application>LPD</application></title>
 
 	  <para>&man.lpd.8; is run from <filename>/etc/rc</filename>,
 	    controlled by the <literal>lpd_enable</literal> variable.  This
 	    variable defaults to <literal>NO</literal>.  If you have not done
 	    so already, add the line:</para>
 
 	  <programlisting>lpd_enable="YES"</programlisting>
 
 	  <para>to <filename>/etc/rc.conf</filename>, and then either restart
 	    your machine, or just run &man.lpd.8;.</para>
 
 	  <screen>&prompt.root; <userinput>lpd</userinput></screen>
 	</sect4>
 	
 	<sect4 id="printing-trying">
 	  <title>Trying It Out</title>
 
 	  <para>You have reached the end of the simple 
 	    <application>LPD</application> setup.
 	    Unfortunately, congratulations are not quite yet in order,
 	    since we still have to test the setup and correct any
 	    problems.  To test the setup, try printing something.  To
 	    print with the <application>LPD</application> system, you 
 	    use the command &man.lpr.1;,
 	    which submits a job for printing.</para>
 
 	  <para>You can combine &man.lpr.1; with the &man.lptest.1;
 	    program, introduced in section <link
 	    linkend="printing-testing">Checking Printer
 	    Communications</link> to generate some test text.</para>
 
 	  <para><emphasis>To test the simple <application>LPD</application>
 	      setup:</emphasis></para>
 
 	  <para>Type:</para>
 
 	  <screen>&prompt.root; <userinput>lptest 20 5 | lpr -P<replaceable>printer-name</replaceable></userinput></screen>
 	  
 	  <para>Where <replaceable>printer-name</replaceable> is a the
 	    name of a printer (or an alias) specified in
 	    <filename>/etc/printcap</filename>.  To test the default
 	    printer, type &man.lpr.1; without any <option>-P</option>
 	    argument.  Again, if you are testing a printer that expects
 	    &postscript;, send a &postscript; program in that language instead
 	    of using &man.lptest.1;.  You can do so by putting the program
 	    in a file and typing <command>lpr 
 	    <replaceable>file</replaceable></command>.</para>
 
 	  <para>For a &postscript; printer, you should get the results of
 	    the program.  If you are using &man.lptest.1;, then your
 	    results should look like the following:</para>
 
 	  <programlisting>!"#$%&amp;'()*+,-./01234
 "#$%&amp;'()*+,-./012345
 #$%&amp;'()*+,-./0123456
 $%&amp;'()*+,-./01234567
 %&amp;'()*+,-./012345678</programlisting>
 
 	  <para>To further test the printer, try downloading larger
 	    programs (for language-based printers) or running
 	    &man.lptest.1; with different arguments.  For example,
 	    <command>lptest 80 60</command> will produce 60 lines of 80
 	    characters each.</para>
 
 	  <para>If the printer did not work, see the <link
 	    linkend="printing-troubleshooting">Troubleshooting</link>
 	    section.</para>
 	</sect4>
       </sect3>
     </sect2>
   </sect1>
   
   <sect1 id="printing-advanced">
     <title>Advanced Printer Setup</title>
     
     <para>This section describes filters for printing specially formatted
       files, header pages, printing across networks, and restricting and
       accounting for printer usage.</para>
 
     <sect2 id="printing-advanced-filter-intro">
       <title>Filters</title>
       <indexterm>
 	<primary>printing</primary>
 	<secondary>filters</secondary>
       </indexterm>
       
       <para>Although <application>LPD</application> handles network protocols,
 	queuing, access control,
         and other aspects of printing, most of the <emphasis>real</emphasis>
         work happens in the <emphasis>filters</emphasis>.  Filters are
         programs that communicate with the printer and handle its device
         dependencies and special requirements.  In the simple printer setup,
         we installed a plain text filter&mdash;an extremely simple one that
         should work with most printers (section <link
           linkend="printing-textfilter">Installing the Text
           Filter</link>).</para>
           
       <para>However, in order to take advantage of format conversion, printer
         accounting, specific printer quirks, and so on, you should understand
         how filters work.  It will ultimately be the filter's responsibility
         to handle these aspects.  And the bad news is that most of the time
         <emphasis>you</emphasis> have to provide filters yourself.  The good
         news is that many are generally available; when they are not, they are
         usually easy to write.</para>
           
       <para>Also, FreeBSD comes with one,
         <filename>/usr/libexec/lpr/lpf</filename>, that works with many
         printers that can print plain text.  (It handles backspacing and tabs
         in the file, and does accounting, but that is about all it does.)
         There are also several filters and filter components in the FreeBSD
         Ports Collection.</para>
           
       <para>Here is what you will find in this section:</para>
       
       <itemizedlist>
         <listitem>
           <para>Section <link linkend="printing-advanced-filters">How Filters
               Work</link>, tries to give an overview of a filter's role in the
             printing process.  You should read this section to get an
             understanding of what is happening <quote>under the hood</quote>
             when <application>LPD</application> uses filters.  This knowledge
 	    could help you anticipate
             and debug problems you might encounter as you install more and
             more filters on each of your printers.</para>
         </listitem>
               
         <listitem>
           <para><application>LPD</application> expects every printer to be 
 	    able to print plain text by
             default.  This presents a problem for &postscript; (or other
             language-based printers) which cannot directly print plain text.
             Section <link
               linkend="printing-advanced-if-conversion">Accommodating
               Plain Text Jobs on &postscript; Printers</link> tells you what you
             should do to overcome this problem.  You should read this
             section if you have a &postscript; printer.</para>
         </listitem>
 
         <listitem>
           <para>&postscript; is a popular output format for many programs.
             Some people even write &postscript; code directly.  Unfortunately,
             &postscript; printers are expensive.  Section <link
               linkend="printing-advanced-ps">Simulating &postscript; on
               Non &postscript; Printers</link> tells how you can further modify
             a printer's text filter to accept and print &postscript; data on a
             <emphasis>non &postscript;</emphasis> printer.  You should read
             this section if you do not have a &postscript; printer.</para>
         </listitem>
               
         <listitem>
           <para>Section <link
               linkend="printing-advanced-convfilters">Conversion
               Filters</link> tells about a way you can automate the conversion
             of specific file formats, such as graphic or typesetting data,
             into formats your printer can understand.  After reading this
             section, you should be able to set up your printers such that
             users can type <command>lpr -t</command> to print troff data, or
             <command>lpr -d</command> to print &tex; DVI data, or <command>lpr
               -v</command> to print raster image data, and so forth.  I
             recommend reading this section.</para>
         </listitem>
               
         <listitem>
           <para>Section <link linkend="printing-advanced-of">Output
               Filters</link> tells all about a not often used feature of 
 	    <application>LPD</application>:
             output filters.  Unless you are printing header pages (see <link
               linkend="printing-advanced-header-pages">Header Pages</link>),
             you can probably skip that section altogether.</para>
         </listitem>
 
         <listitem>
           <para>Section <link linkend="printing-advanced-lpf">lpf: a Text
               Filter</link> describes <command>lpf</command>, a fairly
             complete if simple text filter for line printers (and laser
             printers that act like line printers) that comes with FreeBSD.  If
             you need a quick way to get printer accounting working for plain
             text, or if you have a printer which emits smoke when it sees
             backspace characters, you should definitely consider
             <command>lpf</command>.</para>
         </listitem>
       </itemizedlist>
       
       <note>
 	<para>A copy of the various scripts described below can be
 	  found in the <filename
 	  class="directory">/usr/share/examples/printing</filename>
 	  directory.</para>
       </note>
 
       <sect3 id="printing-advanced-filters">
         <title>How Filters Work</title>
 
         <para>As mentioned before, a filter is an executable program started
           by <application>LPD</application> to handle the device-dependent part of
 	  communicating with the printer.</para>
             
         <para>When <application>LPD</application> wants to print a file in a 
 	  job, it starts a filter
           program.  It sets the filter's standard input to the file to print,
           its standard output to the printer, and its standard error to the
           error logging file (specified in the <literal>lf</literal>
           capability in <filename>/etc/printcap</filename>, or
           <filename>/dev/console</filename> by default).</para>
             
         <indexterm>
           <primary><command>troff</command></primary>
         </indexterm>
         <para>Which filter <application>LPD</application> starts and the 
 	  filter's arguments depend on
           what is listed in the <filename>/etc/printcap</filename> file and
           what arguments the user specified for the job on the      
             &man.lpr.1; command line.  For example, if the user typed
           <command>lpr -t</command>, <application>LPD</application> would
 	  start the troff filter, listed
           in the <literal>tf</literal> capability for the destination printer.
           If the user wanted to print plain text, it would start the
           <literal>if</literal> filter (this is mostly true: see <link
             linkend="printing-advanced-of">Output Filters</link> for
           details).</para>
 
         <para>There are three kinds of filters you can specify in
           <filename>/etc/printcap</filename>:</para>
 
         <itemizedlist>
           <listitem>
             <para>The <emphasis>text filter</emphasis>, confusingly called the
               <emphasis>input filter</emphasis> in 
 	      <application>LPD</application> documentation, handles
               regular text printing.  Think of it as the default filter.  
 	      <application>LPD</application>
               expects every printer to be able to print plain text by default,
               and it is the text filter's job to make sure backspaces, tabs,
               or other special characters do not confuse the printer.  If you
               are in an environment where you have to account for printer
               usage, the text filter must also account for pages printed,
               usually by counting the number of lines printed and comparing
               that to the number of lines per page the printer supports.  The
               text filter is started with the following argument list:
 
               <cmdsynopsis>
                 <command>filter-name</command>
                 <arg>-c</arg>
                 <arg choice="plain">-w<replaceable>width</replaceable></arg>
                 <arg choice="plain">-l<replaceable>length</replaceable></arg>
                 <arg choice="plain">-i<replaceable>indent</replaceable></arg>
                 <arg choice="plain">-n <replaceable>login</replaceable></arg>
                 <arg choice="plain">-h <replaceable>host</replaceable></arg>
                 <arg choice="plain"><replaceable>acct-file</replaceable></arg>
               </cmdsynopsis>
 
               where
               
               <variablelist>
                 <varlistentry>
                   <term><option>-c</option></term>
 
                   <listitem>
                     <para>appears if the job is submitted with <command>lpr
                         -l</command></para>
                   </listitem>
                 </varlistentry>
                 
                 <varlistentry>
                   <term><replaceable>width</replaceable></term>
                   
                   <listitem>
                     <para>is the value from the <literal>pw</literal> (page
                       width) capability specified in
                       <filename>/etc/printcap</filename>, default 132</para>
                   </listitem>
                 </varlistentry>
                 
                 <varlistentry>
                   <term><replaceable>length</replaceable></term>
                   
                   <listitem>
                     <para>is the value from the <literal>pl</literal> (page
                       length) capability, default 66</para>
                   </listitem>
                 </varlistentry>
                 
                 <varlistentry>
                   <term><replaceable>indent</replaceable></term>
                   
                   <listitem>
                     <para>is the amount of the indentation from <command>lpr
                         -i</command>, default 0</para>
                   </listitem>
                 </varlistentry>
                 
                 <varlistentry>
                   <term><replaceable>login</replaceable></term>
                   
                   <listitem>
                     <para>is the account name of the user printing the
                       file</para>
                   </listitem>
                 </varlistentry>
                 
                 <varlistentry>
                   <term><replaceable>host</replaceable></term>
                   
                   <listitem>
                     <para>is the host name from which the job was
                       submitted</para>
                   </listitem>
                 </varlistentry>
                 
                 <varlistentry>
                   <term><replaceable>acct-file</replaceable></term>
                   
                   <listitem>
                     <para>is the name of the accounting file from the
                       <literal>af</literal> capability.</para>
                   </listitem>
                 </varlistentry>
               </variablelist>
             </para>
           </listitem>
 
 	  <indexterm>
       <primary>printing</primary>
       <secondary>filters</secondary>
     </indexterm>          
           <listitem>
             <para>A <emphasis>conversion filter</emphasis> converts a specific
               file format into one the printer can render onto paper.  For
               example, ditroff typesetting data cannot be directly printed,
               but you can install a conversion filter for ditroff files to
               convert the ditroff data into a form the printer can digest and
               print.  Section <link
                 linkend="printing-advanced-convfilters">Conversion
                 Filters</link> tells all about them. Conversion filters also
               need to do accounting, if you need printer accounting.
               Conversion filters are started with the following arguments:
 
               <cmdsynopsis>
                 <command>filter-name</command>
                 <arg
                   choice="plain">-x<replaceable>pixel-width</replaceable></arg>
                 <arg choice="plain">-y<replaceable>pixel-height</replaceable></arg>
                 <arg choice="plain">-n <replaceable>login</replaceable></arg>
                 <arg choice="plain">-h <replaceable>host</replaceable></arg>
                 <arg choice="plain"><replaceable>acct-file</replaceable></arg>
               </cmdsynopsis>
 
               where <replaceable>pixel-width</replaceable> is the value
               from the <literal>px</literal> capability (default 0) and
               <replaceable>pixel-height</replaceable> is the value from the
               <literal>py</literal> capability (default 0).</para>
           </listitem>
           
           <listitem>
             <para>The <emphasis>output filter</emphasis> is used only if there
               is no text filter, or if header pages are enabled. In my
               experience, output filters are rarely used.  Section <link
                 linkend="printing-advanced-of">Output Filters</link> describe
               them.  There are only two arguments to an output filter:
 
               <cmdsynopsis>
                 <command>filter-name</command>
                 <arg choice="plain">-w<replaceable>width</replaceable></arg>
                 <arg choice="plain">-l<replaceable>length</replaceable></arg>
               </cmdsynopsis>
 
               which are identical to the text filters <option>-w</option> and
               <option>-l</option> arguments.</para>
           </listitem>
         </itemizedlist>
 
         <para>Filters should also <emphasis>exit</emphasis> with the
           following exit status:</para>
             
         <variablelist>
           <varlistentry>
             <term>exit 0</term>
 
             <listitem>
               <para>If the filter printed the file successfully.</para>
             </listitem>
           </varlistentry>
           
           <varlistentry>
             <term>exit 1</term>
             
             <listitem>
               <para>If the filter failed to print the file but wants 
 		<application>LPD</application> to
                 try to print the file again.  <application>LPD</application>
 		will restart a filter if it exits with this status.</para>
             </listitem>
           </varlistentry>
           
           <varlistentry>
             <term>exit 2</term>
             
             <listitem>
               <para>If the filter failed to print the file and does not want
                 <application>LPD</application> to try again.  
 		<application>LPD</application> will throw out the file.</para>
             </listitem>
           </varlistentry>
         </variablelist>
 
         <para>The text filter that comes with the FreeBSD release,
           <filename>/usr/libexec/lpr/lpf</filename>, takes advantage of the
           page width and length arguments to determine when to send a form
           feed and how to account for printer usage.  It uses the login, host,
           and accounting file arguments to make the accounting entries.</para>
 
         <para>If you are shopping for filters, see if they are LPD-compatible.
           If they are, they must support the argument lists described above.
           If you plan on writing filters for general use, then have them
           support the same argument lists and exit codes.</para>
       </sect3>
       
       <sect3 id="printing-advanced-if-conversion">
         <title>Accommodating Plain Text Jobs on &postscript; Printers</title>
         <indexterm><primary>print jobs</primary></indexterm>
 
         <para>If you are the only user of your computer and &postscript; (or
           other language-based) printer, and you promise to never send plain
           text to your printer and to never use features of various programs
           that will want to send plain text to your printer, then you do not
           need to worry about this section at all.</para>
             
         <para>But, if you would like to send both &postscript; and plain text
           jobs to the printer, then you are urged to augment your printer
           setup.  To do so, we have the text filter detect if the arriving job
           is plain text or &postscript;.  All &postscript; jobs must start with
           <literal>%!</literal> (for other printer languages, see your printer
           documentation).  If those are the first two characters in the job,
           we have &postscript;, and can pass the rest of the job directly.  If
           those are not the first two characters in the file, then the filter
           will convert the text into &postscript; and print the result.</para>
             
         <para>How do we do this?</para>
 
         <indexterm>
           <primary>printers</primary>
           <secondary>serial</secondary>
         </indexterm>
         <para>If you have got a serial printer, a great way to do it is to
           install <command>lprps</command>.  <command>lprps</command> is a
           &postscript; printer filter which performs two-way communication with
           the printer.  It updates the printer's status file with verbose
           information from the printer, so users and administrators can see
           exactly what the state of the printer is (such as <errorname>toner
             low</errorname> or <errorname>paper jam</errorname>).  But more
           importantly, it includes a program called <command>psif</command>
           which detects whether the incoming job is plain text and calls
           <command>textps</command> (another program that comes with
           <command>lprps</command>) to convert it to &postscript;.  It then uses
           <command>lprps</command> to send the job to the printer.</para>
             
         <para><command>lprps</command> is part of the FreeBSD Ports Collection
           (see <link linkend="ports">The Ports Collection</link>).  You can
           fetch, build and install it yourself, of course.  After installing
           <command>lprps</command>, just specify the pathname to the
           <command>psif</command> program that is part of
           <command>lprps</command>.  If you installed <command>lprps</command>
           from the ports collection, use the following in the serial
           &postscript; printer's entry in
           <filename>/etc/printcap</filename>:</para>
               
         <programlisting>:if=/usr/local/libexec/psif:</programlisting>
 
         <para>You should also specify the <literal>rw</literal> capability;
           that tells <application>LPD</application> to open the printer in 
 	  read-write mode.</para>
             
         <para>If you have a parallel &postscript; printer (and therefore cannot
           use two-way communication with the printer, which
           <command>lprps</command> needs), you can use the following shell
           script as the text filter:</para>
 
         <programlisting>#!/bin/sh
 #
 #  psif - Print PostScript or plain text on a PostScript printer
 #  Script version; NOT the version that comes with lprps
 #  Installed in /usr/local/libexec/psif
 #
 
 IFS="" read -r first_line
 first_two_chars=`expr "$first_line" : '\(..\)'`
 
 if [ "$first_two_chars" = "%!" ]; then
     #
     #  PostScript job, print it.
     #
     echo "$first_line" &amp;&amp; cat &amp;&amp; printf "\004" &amp;&amp; exit 0
     exit 2
 else
     #
     #  Plain text, convert it, then print it.
     #
     ( echo "$first_line"; cat ) | /usr/local/bin/textps &amp;&amp; printf "\004" &amp;&amp; exit 0
     exit 2
 fi</programlisting>
             
         <para>In the above script, <command>textps</command> is a program we
           installed separately to convert plain text to &postscript;.  You can
           use any text-to-&postscript; program you wish.  The FreeBSD Ports
           Collection (see <link linkend="ports">The Ports Collection</link>)
           includes a full featured text-to-&postscript; program called
           <literal>a2ps</literal> that you might want to investigate.</para>
       </sect3>
           
       <sect3 id="printing-advanced-ps">
         <title>Simulating &postscript; on Non &postscript; Printers</title>
         <indexterm>
           <primary>PostScript</primary>
           <secondary>emulating</secondary>
         </indexterm>
         <indexterm>
           <primary>Ghostscript</primary></indexterm>
         <para>&postscript; is the <emphasis>de facto</emphasis> standard for
           high quality typesetting and printing.  &postscript; is, however, an
           <emphasis>expensive</emphasis> standard. Thankfully, Aladdin
           Enterprises has a free &postscript; work-alike called
           <application>Ghostscript</application> that runs with FreeBSD.
           Ghostscript can read most &postscript; files and can render their
           pages onto a variety of devices, including many brands of
           non-PostScript printers.  By installing Ghostscript and using a
           special text filter for your printer, you can make your
           non &postscript; printer act like a real &postscript; printer.</para>
             
         <para>Ghostscript is in the FreeBSD Ports Collection, if you
           would like to install it from there.  You can fetch, build, and
           install it quite easily yourself, as well.</para>
             
         <para>To simulate &postscript;, we have the text filter detect if it is
           printing a &postscript; file.  If it is not, then the filter will pass
           the file directly to the printer; otherwise, it will use Ghostscript
           to first convert the file into a format the printer will
           understand.</para>
             
         <para>Here is an example: the following script is a text filter
           for Hewlett Packard DeskJet 500 printers.  For other printers,
           substitute the <option>-sDEVICE</option> argument to the
           <command>gs</command> (Ghostscript) command.  (Type <command>gs
             -h</command> to get a list of devices the current installation of
           Ghostscript supports.)</para>
 
         <programlisting>#!/bin/sh
 #
 #  ifhp - Print Ghostscript-simulated PostScript on a DeskJet 500
 #  Installed in /usr/local/libexec/ifhp
 
 #
 #  Treat LF as CR+LF (to avoid the "staircase effect" on HP/PCL
 #  printers):
 #
 printf "\033&amp;k2G" || exit 2
 
 #
 #  Read first two characters of the file
 #
 IFS="" read -r first_line
 first_two_chars=`expr "$first_line" : '\(..\)'`
 
 if [ "$first_two_chars" = "%!" ]; then
     #
     #  It is PostScript; use Ghostscript to scan-convert and print it.
     #
     /usr/local/bin/gs -dSAFER -dNOPAUSE -q -sDEVICE=djet500 \
       -sOutputFile=- - &amp;&amp; exit 0
 else
     #
     #  Plain text or HP/PCL, so just print it directly; print a form feed
     #  at the end to eject the last page.
     #
     echo "$first_line" &amp;&amp; cat &amp;&amp; printf "\033&amp;l0H" &amp;&amp; 
 exit 0
 fi
 
 exit 2</programlisting>
 
         <para>Finally, you need to notify <application>LPD</application> of 
 	  the filter via the <literal>if</literal> capability:</para>
             
         <programlisting>:if=/usr/local/libexec/ifhp:</programlisting>
 
         <para>That is it.  You can type <command>lpr plain.text</command> and
           <filename>lpr whatever.ps</filename> and both should print
           successfully.</para>
       </sect3>
       
       <sect3 id="printing-advanced-convfilters">
         <title>Conversion Filters</title>
 
         <para>After completing the simple setup described in <link
             linkend="printing-simple">Simple Printer Setup</link>, the first
           thing you will probably want to do is install conversion filters for
           your favorite file formats (besides plain ASCII text).</para>
             
         <sect4>
           <title>Why Install Conversion Filters?</title>
           <indexterm>
             <primary>&tex;</primary>
             <secondary>printing dvi files</secondary>
           </indexterm>
           
           <para>Conversion filters make printing various kinds of files easy.
             As an example, suppose we do a lot of work with the &tex;
             typesetting system, and we have a &postscript; printer.  Every time
             we generate a DVI file from &tex;, we cannot print it directly until
             we convert the DVI file into &postscript;.  The command sequence
             goes like this:</para>
                 
           <screen>&prompt.user; <userinput>dvips seaweed-analysis.dvi</userinput>
 &prompt.user; <userinput>lpr seaweed-analysis.ps</userinput></screen>
                 
           <para>By installing a conversion filter for DVI files, we can skip
             the hand conversion step each time by having 
 	    <application>LPD</application> do it for us.
             Now, each time we get a DVI file, we are just one step away from
             printing it:</para>
               
           <screen>&prompt.user; <userinput>lpr -d seaweed-analysis.dvi</userinput></screen>
                 
           <para>We got <application>LPD</application> to do the DVI file 
 	    conversion for us by specifying
             the <option>-d</option> option.  Section <link
               linkend="printing-lpr-options-format">Formatting and Conversion
               Options</link> lists the conversion options.</para>
               
           <para>For each of the conversion options you want a printer to
             support, install a <emphasis>conversion filter</emphasis> and
             specify its pathname in <filename>/etc/printcap</filename>.  A
             conversion filter is like the text filter for the simple printer
             setup (see section <link linkend="printing-textfilter">Installing
               the Text Filter</link>) except that instead of printing plain
             text, the filter converts the file into a format the printer can
             understand.</para>
         </sect4>
 
         <sect4>
           <title>Which Conversion Filters Should I Install?</title>
           
           <para>You should install the conversion filters you expect to use.
             If you print a lot of DVI data, then a DVI conversion filter is in
             order.  If you have got plenty of troff to print out, then you
             probably want a troff filter.</para>
               
           <para>The following table summarizes the filters that 
 	    <application>LPD</application> works
             with, their capability entries for the
             <filename>/etc/printcap</filename> file, and how to invoke them
             with the <command>lpr</command> command:</para>
 
-          <informaltable frame="none">
+          <informaltable frame="none" pgwide="1">
             <tgroup cols="3">
               <thead>
                 <row>
                   <entry>File type</entry>
                   <entry><filename>/etc/printcap</filename> capability</entry>
                   <entry><command>lpr</command> option</entry>
                 </row>
               </thead>
               
               <tbody>
                 <row>
                   <entry>cifplot</entry>
                   <entry><literal>cf</literal></entry>
                   <entry><option>-c</option></entry>
                 </row>
                 
                 <row>
                   <entry>DVI</entry>
                   <entry><literal>df</literal></entry>
                   <entry><option>-d</option></entry>
                 </row>
                 
                 <row>
                   <entry>plot</entry>
                   <entry><literal>gf</literal></entry>
                   <entry><option>-g</option></entry>
                 </row>
                 
                 <row>
                   <entry>ditroff</entry>
                   <entry><literal>nf</literal></entry>
                   <entry><option>-n</option></entry>
                 </row>
                 
                 <row>
                   <entry>FORTRAN text</entry>
                   <entry><literal>rf</literal></entry>
                   <entry><option>-f</option></entry>
                 </row>
                 
                 <row>
                   <entry>troff</entry>
                   <entry><literal>tf</literal></entry>
                   <entry><option>-f</option></entry>
                 </row>
                 
                 <row>
                   <entry>raster</entry>
                   <entry><literal>vf</literal></entry>
                   <entry><option>-v</option></entry>
                 </row>
                 
                 <row>
                   <entry>plain text</entry>
                   <entry><literal>if</literal></entry>
                   <entry>none, <option>-p</option>, or
                     <option>-l</option></entry>
                 </row>
               </tbody>
             </tgroup>
           </informaltable>
           
           <para>In our example, using <command>lpr -d</command> means the
             printer needs a <literal>df</literal> capability in its entry in
             <filename>/etc/printcap</filename>.</para>
               
           <indexterm><primary>FORTRAN</primary></indexterm>
           <para>Despite what others might contend, formats like FORTRAN text
             and plot are probably obsolete.  At your site, you can give new
             meanings to these or any of the formatting options just by
             installing custom filters.  For example, suppose you would like to
             directly print Printerleaf files (files from the Interleaf desktop
             publishing program), but will never print plot files.  You could
             install a Printerleaf conversion filter under the
             <literal>gf</literal> capability and then educate your users that
             <command>lpr -g</command> mean <quote>print Printerleaf
             files.</quote></para>
         </sect4>
 
         <sect4>
           <title>Installing Conversion Filters</title>
           
           <para>Since conversion filters are programs you install outside of
             the base FreeBSD installation, they should probably go under
             <filename>/usr/local</filename>.  The directory
             <filename>/usr/local/libexec</filename> is a popular location,
             since they are specialized programs that only 
 	    <application>LPD</application> will run;
             regular users should not ever need to run them.</para>
               
           <para>To enable a conversion filter, specify its pathname under the
             appropriate capability for the destination printer in
             <filename>/etc/printcap</filename>.</para>
               
           <para>In our example, we will add the DVI conversion filter to the
             entry for the printer named <literal>bamboo</literal>.  Here is
             the example <filename>/etc/printcap</filename> file again, with
             the new <literal>df</literal> capability for the printer
             <literal>bamboo</literal>.</para>
 
           <programlisting>#
 #  /etc/printcap for host rose - added df filter for bamboo
 #
 rattan|line|diablo|lp|Diablo 630 Line Printer:\
         :sh:sd=/var/spool/lpd/rattan:\
         :lp=/dev/lpt0:\
         :if=/usr/local/libexec/if-simple:
 
 bamboo|ps|PS|S|panasonic|Panasonic KX-P4455 PostScript v51.4:\
         :sh:sd=/var/spool/lpd/bamboo:\
         :lp=/dev/ttyd5:ms#-parenb cs8 clocal crtscts:rw:\
         :if=/usr/local/libexec/psif:\
         :df=/usr/local/libexec/psdf:</programlisting>
 
           <para>The DVI filter is a shell script named
             <filename>/usr/local/libexec/psdf</filename>.  Here is that
             script:</para>
 
           <programlisting>#!/bin/sh
 #
 #  psdf - DVI to PostScript printer filter
 #  Installed in /usr/local/libexec/psdf
 #
 # Invoked by lpd when user runs lpr -d
 #
 exec /usr/local/bin/dvips -f | /usr/local/libexec/lprps "$@"</programlisting>
 
           <para>This script runs <command>dvips</command> in filter mode (the
             <option>-f</option> argument) on standard input, which is the job
             to print.  It then starts the &postscript; printer filter
             <command>lprps</command> (see section <link
               linkend="printing-advanced-if-conversion">Accommodating Plain
               Text Jobs on &postscript; Printers</link>) with the arguments 
 	    <application>LPD</application>
             passed to this script. <command>lprps</command> will use those
             arguments to account for the pages printed.</para>
         </sect4>
             
         <sect4>
           <title>More Conversion Filter Examples</title>
               
           <para>Since there is no fixed set of steps to install conversion
             filters, let me instead provide more examples.  Use these as
             guidance to making your own filters.  Use them directly, if
             appropriate.</para>
               
           <para>This example script is a raster (well, GIF file, actually)
             conversion filter for a Hewlett Packard LaserJet III-Si
             printer:</para>
 
           <programlisting>#!/bin/sh
 #
 #  hpvf - Convert GIF files into HP/PCL, then print
 #  Installed in /usr/local/libexec/hpvf
                   
 PATH=/usr/X11R6/bin:$PATH; export PATH
 giftopnm | ppmtopgm | pgmtopbm | pbmtolj -resolution 300 \
     &amp;&amp; exit 0 \
     || exit 2</programlisting>
 
           <para>It works by converting the GIF file into a portable anymap,
             converting that into a portable graymap, converting that into a
             portable bitmap, and converting that into LaserJet/PCL-compatible
             data.</para>
               
           <para>Here is the <filename>/etc/printcap</filename> file with an
             entry for a printer using the above filter:</para>
 
           <programlisting>#
 #  /etc/printcap for host orchid
 #
 teak|hp|laserjet|Hewlett Packard LaserJet 3Si:\
         :lp=/dev/lpt0:sh:sd=/var/spool/lpd/teak:mx#0:\
         :if=/usr/local/libexec/hpif:\
         :vf=/usr/local/libexec/hpvf:</programlisting>
               
           <para>The following script is a conversion filter for troff data
             from the groff typesetting system for the &postscript; printer named
             <literal>bamboo</literal>:</para>
 
           <programlisting>#!/bin/sh
 #
 #  pstf - Convert groff's troff data into PS, then print.
 #  Installed in /usr/local/libexec/pstf
 #
 exec grops | /usr/local/libexec/lprps "$@"</programlisting>
               
           <para>The above script makes use of <command>lprps</command> again
             to handle the communication with the printer.  If the printer were
             on a parallel port, we would use this script instead:</para>
 
           <programlisting>#!/bin/sh
 #
 #  pstf - Convert groff's troff data into PS, then print.
 #  Installed in /usr/local/libexec/pstf
 #
 exec grops</programlisting>
           
           <para>That is it.  Here is the entry we need to add to
             <filename>/etc/printcap</filename> to enable the filter:</para>
                 
           <programlisting>:tf=/usr/local/libexec/pstf:</programlisting>
               
           <para>Here is an example that might make old hands at FORTRAN blush.
             It is a FORTRAN-text filter for any printer that can directly
             print plain text.  We will install it for the printer
             <literal>teak</literal>:</para>
 
           <programlisting>#!/bin/sh
 #
 # hprf - FORTRAN text filter for LaserJet 3si:
 # Installed in /usr/local/libexec/hprf
 #
 
 printf "\033&amp;k2G" &amp;&amp; fpr &amp;&amp; printf "\033&amp;l0H" &amp;&amp;
  exit 0
 exit 2</programlisting>
               
           <para>And we will add this line to the
             <filename>/etc/printcap</filename> for the printer
             <literal>teak</literal> to enable this filter:</para>
               
           <programlisting>:rf=/usr/local/libexec/hprf:</programlisting>
               
           <para>Here is one final, somewhat complex example.  We will add a
             DVI filter to the LaserJet printer <literal>teak</literal>
             introduced earlier.  First, the easy part: updating
             <filename>/etc/printcap</filename> with the location of the DVI
             filter:</para>
               
           <programlisting>:df=/usr/local/libexec/hpdf:</programlisting>
               
           <para>Now, for the hard part: making the filter.  For that, we need
             a DVI-to-LaserJet/PCL conversion program.  The FreeBSD Ports
             Collection (see <link linkend="ports">The Ports Collection</link>)
             has one: <command>dvi2xx</command> is the name of the package.
             Installing this package gives us the program we need,
             <command>dvilj2p</command>, which converts DVI into LaserJet IIp,
             LaserJet III, and LaserJet 2000 compatible codes.</para>
               
           <para><command>dvilj2p</command> makes the filter
             <command>hpdf</command> quite complex since
             <command>dvilj2p</command> cannot read from standard input.  It
             wants to work with a filename. What is worse, the filename has to
             end in <filename>.dvi</filename> so using
             <filename>/dev/fd/0</filename> for standard input is problematic.
             We can get around that problem by linking (symbolically) a
             temporary file name (one that ends in <filename>.dvi</filename>)
             to <filename>/dev/fd/0</filename>, thereby forcing
             <command>dvilj2p</command> to read from standard input.</para>
               
           <para>The only other fly in the ointment is the fact that we cannot
             use <filename>/tmp</filename> for the temporary link. Symbolic
             links are owned by user and group <username>bin</username>.  The
             filter runs as user <username>daemon</username>.  And the
             <filename>/tmp</filename> directory has the sticky bit set. The
             filter can create the link, but it will not be able clean up when
             done and remove it since the link will belong to a different
             user.</para>
               
           <para>Instead, the filter will make the symbolic link in the current
             working directory, which is the spooling directory (specified by
             the <literal>sd</literal> capability in
             <filename>/etc/printcap</filename>).  This is a perfect place for
             filters to do their work, especially since there is (sometimes)
             more free disk space in the spooling directory than under
             <filename>/tmp</filename>.</para>
               
           <para>Here, finally, is the filter:</para>
 
           <programlisting>#!/bin/sh
 #
 #  hpdf - Print DVI data on HP/PCL printer
 #  Installed in /usr/local/libexec/hpdf
 
 PATH=/usr/local/bin:$PATH; export PATH
 
 #
 #  Define a function to clean up our temporary files.  These exist
 #  in the current directory, which will be the spooling directory
 #  for the printer.
 #
 cleanup() {
    rm -f hpdf$$.dvi
 }
 
 #
 #  Define a function to handle fatal errors: print the given message
 #  and exit 2.  Exiting with 2 tells LPD to do not try to reprint the
 #  job.
 #
 fatal() {
     echo "$@" 1&gt;&amp;2
     cleanup
     exit 2
 }
 
 #
 #  If user removes the job, LPD will send SIGINT, so trap SIGINT
 #  (and a few other signals) to clean up after ourselves.
 #
 trap cleanup 1 2 15 
 
 #
 #  Make sure we are not colliding with any existing files.
 #
 cleanup
 
 #
 #  Link the DVI input file to standard input (the file to print).
 #
 ln -s /dev/fd/0 hpdf$$.dvi || fatal "Cannot symlink /dev/fd/0"
 
 #
 #  Make LF = CR+LF
 #
 printf "\033&amp;k2G" || fatal "Cannot initialize printer"
 
 # 
 #  Convert and print.  Return value from dvilj2p does not seem to be
 #  reliable, so we ignore it.
 #
 dvilj2p -M1 -q -e- dfhp$$.dvi
 
 #
 #  Clean up and exit
 #
 cleanup
 exit 0</programlisting>
         </sect4>
 
         <sect4 id="printing-advanced-autoconv">
           <title>Automated Conversion: an Alternative to Conversion
             Filters</title>
               
           <para>All these conversion filters accomplish a lot for your
             printing environment, but at the cost forcing the user to specify
             (on the &man.lpr.1; command line) which one to use.
             If your users are not particularly computer literate, having to
             specify a filter option will become annoying.  What is worse,
             though, is that an incorrectly specified filter option may run a
             filter on the wrong type of file and cause your printer to spew
             out hundreds of sheets of paper.</para>
               
           <para>Rather than install conversion filters at all, you might want
             to try having the text filter (since it is the default filter)
             detect the type of file it has been asked to print and then
             automatically run the right conversion filter.  Tools such as
             <command>file</command> can be of help here.  Of course, it will
             be hard to determine the differences between
             <emphasis>some</emphasis> file types&mdash;and, of course, you can
             still provide conversion filters just for them.</para>
               
           <indexterm><primary>apsfilter</primary></indexterm>
           <indexterm>
             <primary>printing</primary>
             <secondary>filters</secondary>
             <tertiary>apsfilter</tertiary>
           </indexterm>
           <para>The FreeBSD Ports Collection has a text filter that performs
             automatic conversion called <command>apsfilter</command>.  It can
             detect plain text, &postscript;, and DVI files, run the proper
             conversions, and print.</para>
         </sect4>
       </sect3>
       
       <sect3 id="printing-advanced-of">
         <title>Output Filters</title>
 
         <para>The <application>LPD</application> spooling system supports one 
 	  other type of filter that
           we have not yet explored: an output filter.  An output filter is
           intended for printing plain text only, like the text filter, but
           with many simplifications.  If you are using an output filter but no
           text filter, then:</para>
 
         <itemizedlist>
           <listitem>
             <para><application>LPD</application> starts an output filter once
 	      for the entire job instead
               of once for each file in the job.</para>
           </listitem>
           
           <listitem>
             <para><application>LPD</application> does not make any provision
 	      to identify the start or the
               end of files within the job for the output filter.</para>
           </listitem>
           
           <listitem>
             <para><application>LPD</application> does not pass the user's 
 	      login or host to the filter, so
               it is not intended to do accounting.  In fact, it gets only two
               arguments:</para>
                     
             <cmdsynopsis>
               <command>filter-name</command>
               <arg choice="plain">-w<replaceable>width</replaceable></arg>
               <arg choice="plain">-l<replaceable>length</replaceable></arg>
             </cmdsynopsis>
             
             <para>Where <replaceable>width</replaceable> is from the
               <literal>pw</literal> capability and
               <replaceable>length</replaceable> is from the
               <literal>pl</literal> capability for the printer in
               question.</para>
           </listitem>
         </itemizedlist>
 
         <para>Do not be seduced by an output filter's simplicity.  If you
           would like each file in a job to start on a different page an output
           filter <emphasis>will not work</emphasis>.  Use a text filter (also
           known as an input filter); see section <link
             linkend="printing-textfilter">Installing the Text Filter</link>.
           Furthermore, an output filter is actually <emphasis>more
             complex</emphasis> in that it has to examine the byte stream being
           sent to it for special flag characters and must send signals to
           itself on behalf of <application>LPD</application>.</para>
             
         <para>However, an output filter is <emphasis>necessary</emphasis> if
           you want header pages and need to send escape sequences or other
           initialization strings to be able to print the header page.  (But it
           is also <emphasis>futile</emphasis> if you want to charge header
           pages to the requesting user's account, since 
 	  <application>LPD</application> does not give any
           user or host information to the output filter.)</para>
             
         <para>On a single printer, <application>LPD</application>
 	  allows both an output filter and text or other filters.  In
 	  such cases, <application>LPD</application> will start the
 	  output filter
           to print the header page (see section <link
             linkend="printing-advanced-header-pages">Header Pages</link>)
           only.  <application>LPD</application> then expects the
 	  output filter to <emphasis>stop
             itself</emphasis> by sending two bytes to the filter: ASCII 031
           followed by ASCII 001.  When an output filter sees these two bytes
           (031, 001), it should stop by sending <literal>SIGSTOP</literal>
 	  to itself.  When 
 	  <application>LPD</application>'s
           done running other filters, it will restart the output filter by
           sending <literal>SIGCONT</literal> to it.</para>
             
         <para>If there is an output filter but <emphasis>no</emphasis> text
           filter and <application>LPD</application> is working on a plain
 	  text job, <application>LPD</application> uses the output
           filter to do the job.  As stated before, the output filter will
           print each file of the job in sequence with no intervening form
           feeds or other paper advancement, and this is probably
           <emphasis>not</emphasis> what you want.  In almost all cases, you
           need a text filter.</para>
             
         <para>The program <command>lpf</command>, which we introduced earlier
           as a text filter, can also run as an output filter.  If you need a
           quick-and-dirty output filter but do not want to write the byte
           detection and signal sending code, try <command>lpf</command>.  You
           can also wrap <command>lpf</command> in a shell script to handle any
           initialization codes the printer might require.</para>
       </sect3>
       
       <sect3 id="printing-advanced-lpf">
         <title><command>lpf</command>: a Text Filter</title>
 
         <para>The program <filename>/usr/libexec/lpr/lpf</filename> that comes
           with FreeBSD binary distribution is a text filter (input filter)
           that can indent output (job submitted with <command>lpr
             -i</command>), allow literal characters to pass (job submitted
           with <command>lpr -l</command>), adjust the printing position for
           backspaces and tabs in the job, and account for pages printed.  It
           can also act like an output filter.</para>
             
         <para><command>lpf</command> is suitable for many printing
           environments.  And although it has no capability to send
           initialization sequences to a printer, it is easy to write a shell
           script to do the needed initialization and then execute
           <command>lpf</command>.</para>
             
         <indexterm><primary>page accounting</primary></indexterm>
         <indexterm>
           <primary>accounting</primary>
           <secondary>printer</secondary>
         </indexterm>
         <para>In order for <command>lpf</command> to do page accounting
           correctly, it needs correct values filled in for the
           <literal>pw</literal> and <literal>pl</literal> capabilities in the
           <filename>/etc/printcap</filename> file.  It uses these values to
           determine how much text can fit on a page and how many pages were in
           a user's job.  For more information on printer accounting, see <link
             linkend="printing-advanced-acct">Accounting for Printer
             Usage</link>.</para>
       </sect3>
     </sect2>
     
     <sect2 id="printing-advanced-header-pages">
       <title>Header Pages</title>
       
       <para>If you have <emphasis>lots</emphasis> of users, all of them using
         various printers, then you probably want to consider <emphasis>header
           pages</emphasis> as a necessary evil.</para>
           
       <indexterm>
         <primary>banner pages</primary>
 	<see>header pages</see>
       </indexterm>
       <indexterm><primary>header pages</primary></indexterm>
       <para>Header pages, also known as <emphasis>banner</emphasis> or
         <emphasis>burst pages</emphasis> identify to whom jobs belong after
         they are printed.  They are usually printed in large, bold letters,
         perhaps with decorative borders, so that in a stack of printouts they
         stand out from the real documents that comprise users' jobs.  They
         enable users to locate their jobs quickly.  The obvious drawback to a
         header page is that it is yet one more sheet that has to be printed
         for every job, their ephemeral usefulness lasting not more than a few
         minutes, ultimately finding themselves in a recycling bin or rubbish
         heap.  (Note that header pages go with each job, not each file in a
         job, so the paper waste might not be that bad.)</para>
           
       <para>The <application>LPD</application> system can provide header
 	pages automatically for your
         printouts <emphasis>if</emphasis> your printer can directly print
        plain text.  If you have a &postscript; printer, you will need an
         external program to generate the header page; see <link
           linkend="printing-advanced-header-pages-ps">Header Pages on
           &postscript; Printers</link>.</para>
       
           <sect3 id="printing-advanced-header-pages-enabling">
         <title>Enabling Header Pages</title>
 
         <para>In the <link linkend="printing-simple">Simple Printer
             Setup</link> section, we turned off header pages by specifying
           <literal>sh</literal> (meaning <quote>suppress header</quote>) in the
           <filename>/etc/printcap</filename> file.  To enable header pages for
           a printer, just remove the <literal>sh</literal> capability.</para>
 
         <para>Sounds too easy, right?</para>
 
         <para>You are right.  You <emphasis>might</emphasis> have to provide
           an output filter to send initialization strings to the printer.
           Here is an example output filter for Hewlett Packard PCL-compatible
           printers:</para>
 
         <programlisting>#!/bin/sh
 #
 #  hpof - Output filter for Hewlett Packard PCL-compatible printers
 #  Installed in /usr/local/libexec/hpof
 
 printf "\033&amp;k2G" || exit 2
 exec /usr/libexec/lpr/lpf</programlisting>
             
         <para>Specify the path to the output filter in the
           <literal>of</literal> capability.  See the <link
             linkend="printing-advanced-of">Output Filters</link> section for more
           information.</para>
             
         <para>Here is an example <filename>/etc/printcap</filename> file for
           the printer <literal>teak</literal> that we introduced earlier; we
           enabled header pages and added the above output filter:</para>
 
         <programlisting>#
 #  /etc/printcap for host orchid
 #
 teak|hp|laserjet|Hewlett Packard LaserJet 3Si:\
         :lp=/dev/lpt0:sd=/var/spool/lpd/teak:mx#0:\
         :if=/usr/local/libexec/hpif:\
         :vf=/usr/local/libexec/hpvf:\
         :of=/usr/local/libexec/hpof:</programlisting>
             
         <para>Now, when users print jobs to <literal>teak</literal>, they get
           a header page with each job.  If users want to spend time searching
           for their printouts, they can suppress header pages by submitting
           the job with <command>lpr -h</command>; see the <link
             linkend="printing-lpr-options-misc">Header Page Options</link> section for
           more &man.lpr.1; options.</para>
 
         <note>
           <para><application>LPD</application> prints a form feed character
 	    after the header page. If
             your printer uses a different character or sequence of characters
             to eject a page, specify them with the <literal>ff</literal>
             capability in <filename>/etc/printcap</filename>.</para>
         </note>
       </sect3>
       
       <sect3 id="printing-advanced-header-pages-controlling">
         <title>Controlling Header Pages</title>
 
         <para>By enabling header pages, <application>LPD</application> will
 	  produce a <emphasis>long
             header</emphasis>, a full page of large letters identifying the
           user, host, and job.  Here is an example (kelly printed the job
           named outline from host <hostid>rose</hostid>):</para>
             
         <programlisting>      k                   ll       ll
       k                    l        l
       k                    l        l
       k   k     eeee       l        l     y    y
       k  k     e    e      l        l     y    y
       k k      eeeeee      l        l     y    y
       kk k     e           l        l     y    y
       k   k    e    e      l        l     y   yy
       k    k    eeee      lll      lll     yyy y
                                                y
                                           y    y
                                            yyyy
 
 
                                    ll
                           t         l        i
                           t         l
        oooo    u    u   ttttt       l       ii     n nnn     eeee
       o    o   u    u     t         l        i     nn   n   e    e
       o    o   u    u     t         l        i     n    n   eeeeee
       o    o   u    u     t         l        i     n    n   e
       o    o   u   uu     t  t      l        i     n    n   e    e
        oooo     uuu u      tt      lll      iii    n    n    eeee
 
 
 
 
 
 
 
 
 
       r rrr     oooo     ssss     eeee
       rr   r   o    o   s    s   e    e
       r        o    o    ss      eeeeee
       r        o    o      ss    e
       r        o    o   s    s   e    e
       r         oooo     ssss     eeee
 
 
 
 
 
 
 
                                               Job:  outline
                                               Date: Sun Sep 17 11:04:58 1995</programlisting>
 
         <para><application>LPD</application> appends a form feed after this
 	  text so the job starts on a
           new page (unless you have <literal>sf</literal> (suppress form
           feeds) in the destination printer's entry in
           <filename>/etc/printcap</filename>).</para>
             
         <para>If you prefer, <application>LPD</application> can make a 
 	  <emphasis>short header</emphasis>;
           specify <literal>sb</literal> (short banner) in the
           <filename>/etc/printcap</filename> file. The header page will look
           like this:</para>
             
         <programlisting>rose:kelly  Job: outline  Date: Sun Sep 17 11:07:51 1995</programlisting>
 
         <para>Also by default, <application>LPD</application> prints the
 	  header page first, then the job.
           To reverse that, specify <literal>hl</literal> (header last) in
           <filename>/etc/printcap</filename>.</para>
       </sect3>
       
       <sect3 id="printing-advanced-header-pages-accounting">
         <title>Accounting for Header Pages</title>
 
         <para>Using <application>LPD</application>'s built-in header pages
 	  enforces a particular paradigm
           when it comes to printer accounting: header pages must be
           <emphasis>free of charge</emphasis>.</para>
             
         <para>Why?</para>
 
         <para>Because the output filter is the only external program that will
           have control when the header page is printed that could do
           accounting, and it is not provided with any <emphasis>user or
             host</emphasis> information or an accounting file, so it has no
           idea whom to charge for printer use.  It is also not enough to just
           <quote>add one page</quote> to the text filter or any of the
           conversion filters (which do have user and host information) since
           users can suppress header pages with <command>lpr -h</command>.
           They could still be charged for header pages they did not print.
           Basically, <command>lpr -h</command> will be the preferred option of
           environmentally-minded users, but you cannot offer any incentive to
           use it.</para>
             
         <para>It is <emphasis>still not enough</emphasis> to have each of the
           filters generate their own header pages (thereby being able to
           charge for them).  If users wanted the option of suppressing the
           header pages with <command>lpr -h</command>, they will still get
           them and be charged for them since <application>LPD</application>
 	  does not pass any knowledge
           of the <option>-h</option> option to any of the filters.</para>
 
         <para>So, what are your options?</para>
 
         <para>You can:</para>
 
         <itemizedlist>
           <listitem>
             <para>Accept <application>LPD</application>'s paradigm and make
 	      header pages free.</para>
           </listitem>
           
           <listitem>
             <para>Install an alternative to <application>LPD</application>,
 	      such as 
 		<application>LPRng</application>. Section
               <link linkend="printing-lpd-alternatives">Alternatives to the
                 Standard Spooler</link> tells more about other spooling
               software you can substitute for <application>LPD</application>.
 	    </para>
           </listitem>
           
           <listitem>
             <para>Write a <emphasis>smart</emphasis> output filter. Normally,
               an output filter is not meant to do anything more than
               initialize a printer or do some simple character conversion.  It
               is suited for header pages and plain text jobs (when there is no
               text (input) filter).  But, if there is a text filter for the
               plain text jobs, then <application>LPD</application> will start
 	      the output filter only for
               the header pages.  And the output filter can parse the header
               page text that <application>LPD</application> generates to
 	      determine what user and host to
               charge for the header page.  The only other problem with this
               method is that the output filter still does not know what
               accounting file to use (it is not passed the name of the file
               from the <literal>af</literal> capability), but if you have a
               well-known accounting file, you can hard-code that into the
               output filter.  To facilitate the parsing step, use the
               <literal>sh</literal> (short header) capability in
               <filename>/etc/printcap</filename>.  Then again, all that might
               be too much trouble, and users will certainly appreciate the
               more generous system administrator who makes header pages
               free.</para>
           </listitem>
         </itemizedlist>
       </sect3>
       
       <sect3 id="printing-advanced-header-pages-ps">
         <title>Header Pages on &postscript; Printers</title>
 
         <para>As described above, <application>LPD</application> can generate
 	  a plain text header page
           suitable for many printers.  Of course, &postscript; cannot directly
           print plain text, so the header page feature of 
 	  <application>LPD</application> is
           useless&mdash;or mostly so.</para>
             
         <para>One obvious way to get header pages is to have every conversion
           filter and the text filter generate the header page. The filters
           should use the user and host arguments to generate a suitable
           header page.  The drawback of this method is that users will always
           get a header page, even if they submit jobs with <command>lpr
             -h</command>.</para>
             
         <para>Let us explore this method.  The following script takes three
           arguments (user login name, host name, and job name) and makes a
           simple &postscript; header page:</para>
 
         <programlisting>#!/bin/sh
 #
 #  make-ps-header - make a PostScript header page on stdout
 #  Installed in /usr/local/libexec/make-ps-header
 #
 
 #
 #  These are PostScript units (72 to the inch).  Modify for A4 or
 #  whatever size paper you are using:
 #
 page_width=612
 page_height=792
 border=72
 
 #
 #  Check arguments
 #
 if [ $# -ne 3 ]; then
     echo "Usage: `basename $0` &lt;user&gt; &lt;host&gt; &lt;job&gt;" 1&gt;&amp;2
     exit 1
 fi
 
 #
 #  Save these, mostly for readability in the PostScript, below.
 #
 user=$1
 host=$2
 job=$3
 date=`date`
 
 #
 #  Send the PostScript code to stdout.
 #
 exec cat &lt;&lt;EOF
 %!PS
 
 %
 %  Make sure we do not interfere with user's job that will follow
 %
 save
 
 %
 %  Make a thick, unpleasant border around the edge of the paper.
 %
 $border $border moveto
 $page_width $border 2 mul sub 0 rlineto
 0 $page_height $border 2 mul sub rlineto
 currentscreen 3 -1 roll pop 100 3 1 roll setscreen
 $border 2 mul $page_width sub 0 rlineto closepath
 0.8 setgray 10 setlinewidth stroke 0 setgray
 
 %
 %  Display user's login name, nice and large and prominent
 %
 /Helvetica-Bold findfont 64 scalefont setfont
 $page_width ($user) stringwidth pop sub 2 div $page_height 200 sub moveto
 ($user) show
 
 %
 %  Now show the boring particulars
 %
 /Helvetica findfont 14 scalefont setfont
 /y 200 def
 [ (Job:) (Host:) (Date:) ] {
 200 y moveto show /y y 18 sub def }
 forall
 
 /Helvetica-Bold findfont 14 scalefont setfont
 /y 200 def
 [ ($job) ($host) ($date) ] {
         270 y moveto show /y y 18 sub def
 } forall
 
 %
 % That is it
 %
 restore
 showpage
 EOF</programlisting>
 
         <para>Now, each of the conversion filters and the text filter can call
           this script to first generate the header page, and then print the
           user's job.  Here is the DVI conversion filter from earlier in this
           document, modified to make a header page:</para>
 
         <programlisting>#!/bin/sh
 #
 #  psdf - DVI to PostScript printer filter
 #  Installed in /usr/local/libexec/psdf
 #
 #  Invoked by lpd when user runs lpr -d
 #
                 
 orig_args="$@"
 
 fail() {
     echo "$@" 1&gt;&amp;2
     exit 2
 }
 
 while getopts "x:y:n:h:" option; do
     case $option in
         x|y)  ;; # Ignore
         n)    login=$OPTARG ;;
         h)    host=$OPTARG ;;
         *)    echo "LPD started `basename $0` wrong." 1&gt;&amp;2
               exit 2
               ;;
     esac
 done
 
 [ "$login" ] || fail "No login name"
 [ "$host" ] || fail "No host name"
 
 ( /usr/local/libexec/make-ps-header $login $host "DVI File"
   /usr/local/bin/dvips -f ) | eval /usr/local/libexec/lprps $orig_args</programlisting>
 
         <para>Notice how the filter has to parse the argument list in order to
           determine the user and host name.  The parsing for the other
           conversion filters is identical.  The text filter takes a slightly
           different set of arguments, though (see section <link
             linkend="printing-advanced-filters">How      Filters
             Work</link>).</para>
             
         <para>As we have mentioned before, the above scheme, though fairly
           simple, disables the <quote>suppress header page</quote> option (the
           <option>-h</option> option) to <command>lpr</command>.  If users
           wanted to save a tree (or a few pennies, if you charge for header
           pages), they would not be able to do so, since every filter's going
           to print a header page with every job.</para>
             
         <para>To allow users to shut off header pages on a per-job basis, you
           will need to use the trick introduced in section <link
             linkend="printing-advanced-header-pages-accounting">Accounting for
             Header Pages</link>: write an output filter that parses the
           LPD-generated header page and produces a &postscript; version.  If the
           user submits the job with <command>lpr -h</command>, then 
 	  <application>LPD</application> will
           not generate a header page, and neither will your output filter.
           Otherwise, your output filter will read the text from 
 	  <application>LPD</application> and send
           the appropriate header page &postscript; code to the printer.</para>
             
         <para>If you have a &postscript; printer on a serial line, you can make
           use of <command>lprps</command>, which comes with an output filter,
           <command>psof</command>, which does the above.  Note that
           <command>psof</command> does not charge for header pages.</para>
       </sect3>
     </sect2>
     
     <sect2 id="printing-advanced-network-printers">
       <title>Networked Printing</title>
       
       <indexterm>
         <primary>printers</primary>
         <secondary>network</secondary>
       </indexterm>
       <indexterm><primary>network printing</primary></indexterm>
       <para>FreeBSD supports networked printing: sending jobs to remote
         printers.  Networked printing generally refers to two different
         things:</para>
       
       <itemizedlist>
         <listitem>
           <para>Accessing a printer attached to a remote host.  You install a
             printer that has a conventional serial or parallel interface on
             one host.  Then, you set up <application>LPD</application> to 
 	    enable access to the printer
             from other hosts on the network. Section <link
               linkend="printing-advanced-network-rm">Printers Installed on
               Remote Hosts</link> tells how to do this.</para>
         </listitem>
 
         <listitem>
           <para>Accessing a printer attached directly to a network.  The
             printer has a network interface in addition (or in place of) a
             more conventional serial or parallel interface.  Such a printer
             might work as follows:</para>
           
           <itemizedlist>
             <listitem>
               <para>It might understand the <application>LPD</application>
 		protocol and can even queue
                 jobs from remote hosts.  In this case, it acts just like a
                 regular host running <application>LPD</application>.  Follow 
 		the same procedure in
                 section <link linkend="printing-advanced-network-rm">Printers
                   Installed on Remote Hosts</link> to set up such a
                 printer.</para>
             </listitem>
             
             <listitem>
               <para>It might support a data stream network connection. In this
                 case, you <quote>attach</quote> the printer to one host on the
                 network by making that host responsible for spooling jobs and
                 sending them to the printer. Section <link
                   linkend="printing-advanced-network-net-if">Printers with
                   Networked Data Stream Interfaces</link> gives some
                 suggestions on installing such printers.</para>
             </listitem>
           </itemizedlist>
         </listitem>
       </itemizedlist>
           
       <sect3 id="printing-advanced-network-rm">
         <title>Printers Installed on Remote Hosts</title>
 
         <para>The <application>LPD</application> spooling system has built-in
 	  support for sending jobs to
           other hosts also running <application>LPD</application> (or are 
 	  compatible with <application>LPD</application>).  This
           feature enables you to install a printer on one host and make it
           accessible from other hosts.  It also works with printers that have
           network interfaces that understand the 
 	  <application>LPD</application> protocol.</para>
             
         <para>To enable this kind of remote printing, first install a printer
           on one host, the <emphasis>printer host</emphasis>, using the simple
           printer setup described in the <link linkend="printing-simple">Simple
             Printer Setup</link> section.  Do any advanced setup in <link
             linkend="printing-advanced">Advanced Printer Setup</link> that you
           need.  Make sure to test the printer and see if it works with the
           features of <application>LPD</application> you have enabled.  
 	  Also ensure that the
           <emphasis>local host</emphasis> has authorization to use the 
 	  <application>LPD</application>
           service in the <emphasis>remote host</emphasis> (see <link
             linkend="printing-advanced-restricting-remote">Restricting Jobs
             from Remote Printers</link>).</para>
             
         <indexterm>
           <primary>printers</primary>
           <secondary>network</secondary>
         </indexterm>
         <indexterm><primary>network printing</primary></indexterm>
         <para>If you are using a printer with a network interface that is
           compatible with <application>LPD</application>, then the 
 	  <emphasis>printer host</emphasis> in
           the discussion below is the printer itself, and the
           <emphasis>printer name</emphasis> is the name you configured for the
           printer.  See the documentation that accompanied your printer and/or
           printer-network interface.</para>
 
         <tip>
           <para>If you are using a Hewlett Packard Laserjet then the printer
             name <literal>text</literal> will automatically perform the LF to
             CRLF conversion for you, so you will not require the
             <filename>hpif</filename> script.</para>
         </tip>
             
         <para>Then, on the other hosts you want to have access to the printer,
           make an entry in their <filename>/etc/printcap</filename> files with
           the following:</para>
 
         <orderedlist>
           <listitem>
             <para>Name the entry anything you want.  For simplicity, though,
               you probably want to use the same name and aliases as on the
               printer host.</para>
           </listitem>
           
           <listitem>
             <para>Leave the <literal>lp</literal> capability blank, explicitly
               (<literal>:lp=:</literal>).</para>
           </listitem>
           
           <listitem>
             <para>Make a spooling directory and specify its location in the
               <literal>sd</literal> capability.  <application>LPD</application>
 	      will store jobs here
               before they get sent to the printer host.</para>
           </listitem>
           
           <listitem>
             <para>Place the name of the printer host in the
               <literal>rm</literal> capability.</para>
           </listitem>
           
           <listitem>
             <para>Place the printer name on the <emphasis>printer
                 host</emphasis> in the <literal>rp</literal>
               capability.</para>
           </listitem>
         </orderedlist>
 
         <para>That is it.  You do not need to list conversion filters, page
           dimensions, or anything else in the
           <filename>/etc/printcap</filename> file.</para>
 
         <para>Here is an example.  The host <hostid>rose</hostid> has two
           printers, <literal>bamboo</literal> and <literal>rattan</literal>.
           We will enable users on the host <hostid>orchid</hostid> to print
           to those printers.
           Here is the <filename>/etc/printcap</filename> file for
           <hostid>orchid</hostid> (back from section <link
             linkend="printing-advanced-header-pages-enabling">Enabling Header
             Pages</link>).  It already had the entry for the printer
           <literal>teak</literal>; we have added entries for the two printers
           on the host <hostid>rose</hostid>:</para>
 
         <programlisting>#
 #  /etc/printcap for host orchid - added (remote) printers on rose
 #
 
 #
 #  teak is local; it is connected directly to orchid:
 #
 teak|hp|laserjet|Hewlett Packard LaserJet 3Si:\
         :lp=/dev/lpt0:sd=/var/spool/lpd/teak:mx#0:\
         :if=/usr/local/libexec/ifhp:\
         :vf=/usr/local/libexec/vfhp:\
         :of=/usr/local/libexec/ofhp:
 
 #
 #  rattan is connected to rose; send jobs for rattan to rose:
 #
 rattan|line|diablo|lp|Diablo 630 Line Printer:\
         :lp=:rm=rose:rp=rattan:sd=/var/spool/lpd/rattan:
 
 #
 #  bamboo is connected to rose as well:
 #
 bamboo|ps|PS|S|panasonic|Panasonic KX-P4455 PostScript v51.4:\
         :lp=:rm=rose:rp=bamboo:sd=/var/spool/lpd/bamboo:</programlisting>
 
         <para>Then, we just need to make spooling directories on
           <hostid>orchid</hostid>:</para>
               
         <screen>&prompt.root; <userinput>mkdir -p /var/spool/lpd/rattan /var/spool/lpd/bamboo</userinput>
 &prompt.root; <userinput>chmod 770 /var/spool/lpd/rattan /var/spool/lpd/bamboo</userinput>
 &prompt.root; <userinput>chown daemon:daemon /var/spool/lpd/rattan /var/spool/lpd/bamboo</userinput></screen>
               
         <para>Now, users on <hostid>orchid</hostid> can print to
           <literal>rattan</literal> and <literal>bamboo</literal>.  If, for
           example, a user on <hostid>orchid</hostid> typed
               
           <screen>&prompt.user; <userinput>lpr -P bamboo -d sushi-review.dvi</userinput></screen>
 
           the <application>LPD</application> system on <hostid>orchid</hostid>
 	  would copy the job to the spooling
           directory <filename>/var/spool/lpd/bamboo</filename> and note that it was a
           DVI job.  As soon as the host <hostid>rose</hostid> has room in its
           <literal>bamboo</literal> spooling directory, the two 
 	  <application>LPDs</application> would transfer the
           file to <hostid>rose</hostid>.  The file would wait in <hostid>rose</hostid>'s
           queue until it was finally printed.  It would be converted from DVI to
           &postscript; (since <literal>bamboo</literal> is a &postscript; printer) on
           <hostid>rose</hostid>.</para>
       </sect3>
       
       <sect3 id="printing-advanced-network-net-if">
         <title>Printers with Networked Data Stream Interfaces</title>
 
         <para>Often, when you buy a network interface card for a printer, you
           can get two versions: one which emulates a spooler (the more
           expensive version), or one which just lets you send data to it as if
           you were using a serial or parallel port (the cheaper version).
           This section tells how to use the cheaper version. For the more
           expensive one, see the previous section <link
             linkend="printing-advanced-network-rm">Printers Installed on
             Remote Hosts</link>.</para>
             
         <para>The format of the <filename>/etc/printcap</filename> file lets
           you specify what serial or parallel interface to use, and (if you
           are using a serial interface), what baud rate, whether to use flow
           control, delays for tabs, conversion of newlines, and more.  But
           there is no way to specify a connection to a printer that is
           listening on a TCP/IP or other network port.</para>
             
         <para>To send data to a networked printer, you need to develop a
           communications program that can be called by the text and conversion
           filters.  Here is one such example: the script
           <command>netprint</command> takes all data on standard input and
           sends it to a network-attached printer.  We specify the hostname of
           the printer as the first argument and the port number to which to
           connect as the second argument to <command>netprint</command>.  Note
           that this supports one-way communication only (FreeBSD to printer);
           many network printers support two-way communication, and you might
           want to take advantage of that (to get printer status, perform
           accounting, etc.).</para>
 
         <programlisting>#!/usr/bin/perl
 #
 #  netprint - Text filter for printer attached to network
 #  Installed in /usr/local/libexec/netprint
 #
 $#ARGV eq 1 || die "Usage: $0 &lt;printer-hostname&gt; &lt;port-number&gt;";
 
 $printer_host = $ARGV[0];
 $printer_port = $ARGV[1];
 
 require 'sys/socket.ph';
 
 ($ignore, $ignore, $protocol) = getprotobyname('tcp');
 ($ignore, $ignore, $ignore, $ignore, $address)
     = gethostbyname($printer_host);
 
 $sockaddr = pack('S n a4 x8', &amp;AF_INET, $printer_port, $address);
 
 socket(PRINTER, &amp;PF_INET, &amp;SOCK_STREAM, $protocol)
     || die "Can't create TCP/IP stream socket: $!";
 connect(PRINTER, $sockaddr) || die "Can't contact $printer_host: $!";
 while (&lt;STDIN&gt;) { print PRINTER; }
 exit 0;</programlisting>
             
         <para>We can then use this script in various filters.  Suppose we had
           a Diablo 750-N line printer connected to the network.  The printer
           accepts data to print on port number 5100.  The host name of the
           printer is scrivener.  Here is the text filter for the
           printer:</para>
 
         <programlisting>#!/bin/sh
 #
 #  diablo-if-net - Text filter for Diablo printer `scrivener' listening
 #  on port 5100.   Installed in /usr/local/libexec/diablo-if-net
 #
 exec /usr/libexec/lpr/lpf "$@" | /usr/local/libexec/netprint scrivener 5100</programlisting>
       </sect3>
     </sect2>
     
     <sect2 id="printing-advanced-restricting">
       <title>Restricting Printer Usage</title>
       
       <indexterm>
         <primary>printers</primary>
         <secondary>restricting access to</secondary>
       </indexterm>
       <para>This section gives information on restricting printer usage. The
         <application>LPD</application> system lets you control who can access
 	a printer, both locally or
         remotely, whether they can print multiple copies, how large their jobs
         can be, and how large the printer queues can get.</para>
       
       <sect3 id="printing-advanced-restricting-copies">
         <title>Restricting Multiple Copies</title>
 
         <para>The <application>LPD</application> system makes it easy for
 	  users to print multiple copies
           of a file.  Users can print jobs with <command>lpr -#5</command>
           (for example) and get five copies of each file in the job.  Whether
           this is a good thing is up to you.</para>
             
         <para>If you feel multiple copies cause unnecessary wear and tear on
           your printers, you can disable the <option>-#</option> option to
             &man.lpr.1; by adding the <literal>sc</literal> capability to the
           <filename>/etc/printcap</filename> file.  When users submit jobs
           with the <option>-#</option> option, they will see:</para>
               
         <screen>lpr: multiple copies are not allowed</screen>
 
 
         <para>Note that if you have set up access to a printer remotely (see
           section <link linkend="printing-advanced-network-rm">Printers
             Installed on Remote Hosts</link>), you need the
           <literal>sc</literal> capability on the remote
           <filename>/etc/printcap</filename> files as well, or else users will
           still be able to submit multiple-copy jobs by using another
           host.</para>
 
         <para>Here is an example.  This is the
           <filename>/etc/printcap</filename> file for the host
           <hostid>rose</hostid>.  The printer <literal>rattan</literal> is
           quite hearty, so we will allow multiple copies, but the laser
           printer <literal>bamboo</literal> is a bit more delicate, so we will
           disable multiple copies by adding the <literal>sc</literal>
           capability:</para>
 
         <programlisting>#
 #  /etc/printcap for host rose - restrict multiple copies on bamboo
 #
 rattan|line|diablo|lp|Diablo 630 Line Printer:\
         :sh:sd=/var/spool/lpd/rattan:\
         :lp=/dev/lpt0:\
         :if=/usr/local/libexec/if-simple:
 
 bamboo|ps|PS|S|panasonic|Panasonic KX-P4455 PostScript v51.4:\
         :sh:sd=/var/spool/lpd/bamboo:sc:\
         :lp=/dev/ttyd5:ms#-parenb cs8 clocal crtscts:rw:\
         :if=/usr/local/libexec/psif:\
         :df=/usr/local/libexec/psdf:</programlisting>
             
         <para>Now, we also need to add the <literal>sc</literal> capability on
           the host <hostid>orchid</hostid>'s
           <filename>/etc/printcap</filename> (and while we are at it, let us
           disable multiple copies for the printer
           <literal>teak</literal>):</para>
 
         <programlisting>#
 #  /etc/printcap for host orchid - no multiple copies for local
 #  printer teak or remote printer bamboo
 teak|hp|laserjet|Hewlett Packard LaserJet 3Si:\
         :lp=/dev/lpt0:sd=/var/spool/lpd/teak:mx#0:sc:\
         :if=/usr/local/libexec/ifhp:\
         :vf=/usr/local/libexec/vfhp:\
         :of=/usr/local/libexec/ofhp:
 
 rattan|line|diablo|lp|Diablo 630 Line Printer:\
         :lp=:rm=rose:rp=rattan:sd=/var/spool/lpd/rattan:
 
 bamboo|ps|PS|S|panasonic|Panasonic KX-P4455 PostScript v51.4:\
         :lp=:rm=rose:rp=bamboo:sd=/var/spool/lpd/bamboo:sc:</programlisting>
             
         <para>By using the <literal>sc</literal> capability, we prevent the
           use of <command>lpr -#</command>, but that still does not prevent
           users from running &man.lpr.1;
           multiple times, or from submitting the same file multiple times in
           one job like this:</para>
               
         <screen>&prompt.user; <userinput>lpr forsale.sign forsale.sign forsale.sign forsale.sign forsale.sign</userinput></screen>
               
         <para>There are many ways to prevent this abuse (including ignoring
           it) which you are free to explore.</para>
       </sect3>
       
       <sect3 id="printing-advanced-restricting-access">
         <title>Restricting Access to Printers</title>
 
         <para>You can control who can print to what printers by using the &unix;
           group mechanism and the <literal>rg</literal> capability in
           <filename>/etc/printcap</filename>.  Just place the users you want
           to have access to a printer in a certain group, and then name that
           group in the <literal>rg</literal> capability.</para>
             
         <para>Users outside the group (including <username>root</username>)
 	  will be greeted with
           
           <errorname>lpr: Not a member of the restricted group</errorname>
           
           if they try to print to the controlled printer.</para>
 
         <para>As with the <literal>sc</literal> (suppress multiple copies)
           capability, you need to specify <literal>rg</literal> on remote
           hosts that also have access to your printers, if you feel it is
           appropriate (see section <link
             linkend="printing-advanced-network-rm">Printers Installed on
             Remote Hosts</link>).</para>
             
         <para>For example, we will let anyone access the printer
           <literal>rattan</literal>, but only those in group
           <literal>artists</literal> can use <literal>bamboo</literal>.  Here
           is the familiar <filename>/etc/printcap</filename> for host
           <hostid>rose</hostid>:</para>
 
         <programlisting>#
 #  /etc/printcap for host rose - restricted group for bamboo
 #
 rattan|line|diablo|lp|Diablo 630 Line Printer:\
         :sh:sd=/var/spool/lpd/rattan:\
         :lp=/dev/lpt0:\
         :if=/usr/local/libexec/if-simple:
 
 bamboo|ps|PS|S|panasonic|Panasonic KX-P4455 PostScript v51.4:\
         :sh:sd=/var/spool/lpd/bamboo:sc:rg=artists:\
         :lp=/dev/ttyd5:ms#-parenb cs8 clocal crtscts:rw:\
         :if=/usr/local/libexec/psif:\
         :df=/usr/local/libexec/psdf:</programlisting>
 
         <para>Let us leave the other example
           <filename>/etc/printcap</filename> file (for the host
           <hostid>orchid</hostid>) alone.  Of course, anyone on
           <hostid>orchid</hostid> can print to <literal>bamboo</literal>.  It
           might be the case that we only allow certain logins on
           <hostid>orchid</hostid> anyway, and want them to have access to the
           printer.  Or not.</para>
 
         <note>
           <para>There can be only one restricted group per printer.</para>
         </note>
       </sect3>
       
       <sect3 id="printing-advanced-restricting-sizes">
         <title>Controlling Sizes of Jobs Submitted</title>
 
         <indexterm><primary>print jobs</primary></indexterm>
         <para>If you have many users accessing the printers, you probably need
           to put an upper limit on the sizes of the files users can submit to
           print.  After all, there is only so much free space on the
           filesystem that houses the spooling directories, and you also need
           to make sure there is room for the jobs of other users.</para>
             
         <indexterm>
           <primary>print jobs</primary>
           <secondary>controlling</secondary>
         </indexterm>
         <para><application>LPD</application> enables you to limit the maximum
 	  byte size a file in a job
           can be with the <literal>mx</literal> capability. The units are in
           <literal>BUFSIZ</literal> blocks, which are 1024 bytes.  If you put
 	  a zero for this
           capability, there will be no limit on file size; however, if no
           <literal>mx</literal> capability is specified, then a default limit
           of 1000 blocks will be used.</para>
 
         <note>
           <para>The limit applies to <emphasis>files</emphasis> in a job, and
             <emphasis>not</emphasis> the total job size.</para>
         </note>
 
         <para><application>LPD</application> will not refuse a file that is
 	  larger than the limit you
           place on a printer.  Instead, it will queue as much of the file up
           to the limit, which will then get printed.  The rest will be
           discarded.  Whether this is correct behavior is up for
           debate.</para>
             
         <para>Let us add limits to our example printers
           <literal>rattan</literal> and <literal>bamboo</literal>.  Since
           those artists' &postscript; files tend to be large, we will limit them
           to five megabytes. We will put no limit on the plain text line
           printer:</para>
 
         <programlisting>#
 #  /etc/printcap for host rose
 #
 
 #
 #  No limit on job size:
 #
 rattan|line|diablo|lp|Diablo 630 Line Printer:\
         :sh:mx#0:sd=/var/spool/lpd/rattan:\
         :lp=/dev/lpt0:\
         :if=/usr/local/libexec/if-simple:
 
 #
 #  Limit of five megabytes:
 #
 bamboo|ps|PS|S|panasonic|Panasonic KX-P4455 PostScript v51.4:\
         :sh:sd=/var/spool/lpd/bamboo:sc:rg=artists:mx#5000:\
         :lp=/dev/ttyd5:ms#-parenb cs8 clocal crtscts:rw:\
         :if=/usr/local/libexec/psif:\
         :df=/usr/local/libexec/psdf:</programlisting>
 
         <para>Again, the limits apply to the local users only.  If you have
           set up access to your printers remotely, remote users will not get
           those limits.  You will need to specify the <literal>mx</literal>
           capability in the remote <filename>/etc/printcap</filename> files as
           well.  See section <link
             linkend="printing-advanced-network-rm">Printers Installed      on
             Remote Hosts</link> for more information on remote
           printing.</para>
             
         <para>There is another specialized way to limit job sizes from remote
           printers; see section <link
             linkend="printing-advanced-restricting-remote">Restricting Jobs
             from Remote Printers</link>.</para>
       </sect3>
       
       <sect3 id="printing-advanced-restricting-remote">
         <title>Restricting Jobs from Remote Printers</title>
 
         <para>The <application>LPD</application> spooling system provides 
 	  several ways to restrict print
           jobs submitted from remote hosts:</para>
             
         <variablelist>
           <varlistentry>
             <term>Host restrictions</term>
 
             <listitem>
               <para>You can control from which remote hosts a local 
 		<application>LPD</application> accepts requests with the files
                 <filename>/etc/hosts.equiv</filename> and
                 <filename>/etc/hosts.lpd</filename>.
 		<application>LPD</application> checks to see if an
                 incoming request is from a host listed in either one of these
                 files.  If not, <application>LPD</application> refuses the
 		request.</para>
                     
               <para>The format of these files is simple: one host name per
                 line.  Note that the file
                 <filename>/etc/hosts.equiv</filename> is also used by the
                   &man.ruserok.3; protocol, and affects programs like
                   &man.rsh.1; and &man.rcp.1;, so be careful.</para>
               
               <para>For example, here is the
                 <filename>/etc/hosts.lpd</filename> file on the host
                 <hostid>rose</hostid>:</para>
 
               <programlisting>orchid
 violet
 madrigal.fishbaum.de</programlisting>
 
               <para>This means <hostid>rose</hostid> will accept requests from
                 the hosts <hostid>orchid</hostid>, <hostid>violet</hostid>,
                 and <hostid role="fqdn">madrigal.fishbaum.de</hostid>. If any
                 other host tries to access <hostid>rose</hostid>'s
                 <application>LPD</application>, the job will be refused.</para>
             </listitem>
           </varlistentry>
           
           <varlistentry>
             <term>Size restrictions</term>
             
             <listitem>
               <para>You can control how much free space there needs to remain
                 on the filesystem where a spooling directory resides.  Make a
                 file called <filename>minfree</filename> in the spooling
                 directory for the local printer.  Insert in that file a number
                 representing how many disk blocks (512 bytes) of free space
                 there has to be for a remote job to be accepted.</para>
                     
               <para>This lets you insure that remote users will not fill your
                 filesystem.  You can also use it to give a certain priority to
                 local users: they will be able to queue jobs long after the
                 free disk space has fallen below the amount specified in the
                 <filename>minfree</filename> file.</para>
                     
               <para>For example, let us add a <filename>minfree</filename>
                 file for the printer <literal>bamboo</literal>.  We examine
                 <filename>/etc/printcap</filename> to find the spooling
                 directory for this printer; here is <literal>bamboo</literal>'s
                 entry:</para>
                   
               <programlisting>bamboo|ps|PS|S|panasonic|Panasonic KX-P4455 PostScript v51.4:\
         :sh:sd=/var/spool/lpd/bamboo:sc:rg=artists:mx#5000:\
         :lp=/dev/ttyd5:ms#-parenb cs8 clocal crtscts:rw:mx#5000:\
         :if=/usr/local/libexec/psif:\
         :df=/usr/local/libexec/psdf:</programlisting>
 
               <para>The spooling directory is given in the <literal>sd</literal>
                 capability.  We will make three megabytes (which is 6144 disk blocks)
                 the amount of free disk space that must exist on the filesystem for
                 <application>LPD</application> to accept remote jobs:</para>
                   
               <screen>&prompt.root; <userinput>echo 6144 &gt; /var/spool/lpd/bamboo/minfree
               </userinput></screen>
             </listitem>
           </varlistentry>
           
           <varlistentry>
             <term>User restrictions</term>
             
             <listitem>
               <para>You can control which remote users can print to local
                 printers by specifying the <literal>rs</literal> capability in
                 <filename>/etc/printcap</filename>.  When
                 <literal>rs</literal> appears in the entry for a
                 locally-attached printer, <application>LPD</application> will
 		accept jobs from remote
                 hosts <emphasis>if</emphasis> the user submitting the job also
                 has an account of the same login name on the local host.
                 Otherwise, <application>LPD</application> refuses the job.</para>
                     
               <para>This capability is particularly useful in an environment
                 where there are (for example) different departments sharing a
                 network, and some users transcend departmental boundaries.  By
                 giving them accounts on your systems, they can use your
                 printers from their own departmental systems.  If you would
                 rather allow them to use <emphasis>only</emphasis> your
                 printers and not your computer resources, you can give them
                 <quote>token</quote> accounts, with no home directory and a
                 useless shell like <filename>/usr/bin/false</filename>.</para>
             </listitem>
           </varlistentry>
         </variablelist>
       </sect3>
     </sect2>
     
     <sect2 id="printing-advanced-acct">
       <title>Accounting for Printer Usage</title>
           
       <indexterm>
         <primary>accounting</primary>
         <secondary>printer</secondary>
       </indexterm>
       <para>So, you need to charge for printouts.  And why not? Paper and ink
         cost money.  And then there are maintenance costs&mdash;printers are
         loaded with moving parts and tend to break down.  You have examined
         your printers, usage patterns, and maintenance fees and have come up
         with a per-page (or per-foot, per-meter, or per-whatever) cost.  Now,
         how do you actually start accounting for printouts?</para>
           
       <para>Well, the bad news is the <application>LPD</application> spooling
 	system does not provide
         much help in this department.  Accounting is highly dependent on the
         kind of printer in use, the formats being printed, and
         <emphasis>your</emphasis> requirements in charging for printer
         usage.</para>
       
       <para>To implement accounting, you have to modify a printer's text
         filter (to charge for plain text jobs) and the conversion filters (to
         charge for other file formats), to count pages or query the printer
         for pages printed.  You cannot get away with using the simple output
         filter, since it cannot do accounting.  See section <link
           linkend="printing-advanced-filter-intro">Filters</link>.</para>
           
       <para>Generally, there are two ways to do accounting:</para>
       
       <itemizedlist>
         <listitem>
           <para><emphasis>Periodic accounting</emphasis> is the more common
             way, possibly because it is easier.  Whenever someone prints a
             job, the filter logs the user, host, and number of pages to an
             accounting file.  Every month, semester, year, or whatever time
             period you prefer, you collect the accounting files for the
             various printers, tally up the pages printed by users, and charge
             for usage.  Then you truncate all the logging files, starting with
             a clean slate for the next period.</para>
         </listitem>
               
         <listitem>
           <para><emphasis>Timely accounting</emphasis> is less common,
             probably because it is more difficult.  This method has the
             filters charge users for printouts as soon as they use the
             printers.  Like disk quotas, the accounting is immediate. You can
             prevent users from printing when their account goes in the red,
             and might provide a way for users to check and adjust their
             <quote>print quotas.</quote> But this method requires some database
             code to track users and their quotas.</para>
         </listitem>
       </itemizedlist>
       
       <para>The <application>LPD</application> spooling system supports both 
 	methods easily: since you
         have to provide the filters (well, most of the time), you also have to
         provide the accounting code.  But there is a bright side: you have
         enormous flexibility in your accounting methods.  For example, you
         choose whether to use periodic or timely accounting. You choose what
         information to log: user names, host names, job types, pages printed,
         square footage of paper used, how long the job took to print, and so
         forth.  And you do so by modifying the filters to save this
         information.</para>
           
       <sect3>
         <title>Quick and Dirty Printer Accounting</title>
 
         <para>FreeBSD comes with two programs that can get you set up with
           simple periodic accounting right away.  They are the text filter
           <command>lpf</command>, described in section <link
             linkend="printing-advanced-lpf">lpf: a Text Filter</link>, and
             &man.pac.8;, a program to gather and total
           entries from printer accounting files.</para>
 
         <para>As mentioned in the section on filters (<link
             linkend="printing-advanced-filters">Filters</link>), 
 	  <application>LPD</application> starts
           the text and the conversion filters with the name of the accounting
           file to use on the filter command line.  The filters can use this
           argument to know where to write an accounting file entry.  The name
           of this file comes from the <literal>af</literal> capability in
           <filename>/etc/printcap</filename>, and if not specified as an
           absolute path, is relative to the spooling directory.</para>
 
         <para><application>LPD</application> starts <command>lpf</command>
 	  with page width and length
           arguments (from the <literal>pw</literal> and <literal>pl</literal>
           capabilities).  <command>lpf</command> uses these arguments to
           determine how much paper will be used.  After sending the file to
           the printer, it then writes an accounting entry in the accounting
           file.  The entries look like this:</para>
 
         <programlisting>2.00 rose:andy
 3.00 rose:kelly
 3.00 orchid:mary
 5.00 orchid:mary
 2.00 orchid:zhang</programlisting>
             
         <para>You should use a separate accounting file for each printer, as
           <command>lpf</command> has no file locking logic built into it, and
           two <command>lpf</command>s might corrupt each other's entries if
           they were to write to the same file at the same time.  An easy way
           to insure a separate accounting file for each printer is to use
           <literal>af=acct</literal> in <filename>/etc/printcap</filename>.
           Then, each accounting file will be in the spooling directory for a
           printer, in a file named <filename>acct</filename>.</para>
             
         <para>When you are ready to charge users for printouts, run the
             &man.pac.8; program.  Just change to the spooling directory for
           the printer you want to collect on and type <literal>pac</literal>.
           You will get a dollar-centric summary like the following:</para>
             
         <screen>  Login               pages/feet   runs    price
 orchid:kelly                5.00    1   $  0.10
 orchid:mary                31.00    3   $  0.62
 orchid:zhang                9.00    1   $  0.18
 rose:andy                   2.00    1   $  0.04
 rose:kelly                177.00  104   $  3.54
 rose:mary                  87.00   32   $  1.74
 rose:root                  26.00   12   $  0.52
 
 total                     337.00  154   $  6.74</screen>
               
         <para>These are the arguments &man.pac.8; expects:</para>
 
         <variablelist>
           <varlistentry>
             <term><option>-P<replaceable>printer</replaceable></option></term>
 
             <listitem>
               <para>Which <replaceable>printer</replaceable> to summarize.
                 This option works only if there is an absolute path in the
                 <literal>af</literal> capability in
                 <filename>/etc/printcap</filename>.</para>
             </listitem>
           </varlistentry>
           
           <varlistentry>
             <term><option>-c</option></term>
             
             <listitem>
               <para>Sort the output by cost instead of alphabetically by user
                 name.</para>
             </listitem>
           </varlistentry>
           
           <varlistentry>
             <term><option>-m</option></term>
             
             <listitem>
               <para>Ignore host name in the accounting files.  With this
                 option, user <username>smith</username> on host
                 <hostid>alpha</hostid> is the same user
                 <username>smith</username> on host <hostid>gamma</hostid>.
                 Without, they are different users.</para>
             </listitem>
           </varlistentry>
           
           <varlistentry>
             <term><option>-p<replaceable>price</replaceable></option></term>
             
             <listitem>
               <para>Compute charges with <replaceable>price</replaceable>
                 dollars per page or per foot instead of the price from the
                 <literal>pc</literal> capability in
                 <filename>/etc/printcap</filename>, or two cents (the
                 default).  You can specify <replaceable>price</replaceable> as
                 a floating point number.</para>
             </listitem>
           </varlistentry>
           
           <varlistentry>
             <term><option>-r</option></term>
             
             <listitem>
               <para>Reverse the sort order.</para>
             </listitem>
           </varlistentry>
           
           <varlistentry>
             <term><option>-s</option></term>
             
             <listitem>
               <para>Make an accounting summary file and truncate the
                 accounting file.</para>
             </listitem>
           </varlistentry>
           
           <varlistentry>
             <term><replaceable>name</replaceable>
               <replaceable>&hellip;</replaceable></term>
             
             <listitem>
               <para>Print accounting information for the given user
                 <replaceable>names</replaceable> only.</para>
             </listitem>
           </varlistentry>
         </variablelist>
 
         <para>In the default summary that &man.pac.8; produces, you see the
           number of pages printed by each user from various hosts.  If, at
           your site, host does not matter (because users can use any host),
           run <command>pac -m</command>, to produce the following
           summary:</para>
               
         <screen>  Login               pages/feet   runs    price
 andy                        2.00    1   $  0.04
 kelly                     182.00  105   $  3.64
 mary                      118.00   35   $  2.36
 root                       26.00   12   $  0.52
 zhang                       9.00    1   $  0.18
 
 total                     337.00  154   $  6.74</screen>
               
 
         <para>To compute the dollar amount due,
             &man.pac.8; uses the <literal>pc</literal> capability in the
           <filename>/etc/printcap</filename> file (default of 200, or 2 cents
           per page).  Specify, in hundredths of cents, the price per page or
           per foot you want to charge for printouts in this capability.  You
           can override this value when you run &man.pac.8; with the
           <option>-p</option> option.  The units for the <option>-p</option>
           option are in dollars, though, not hundredths of cents.  For
           example,
               
           <screen>&prompt.root; <userinput>pac -p1.50</userinput></screen>
               
           makes each page cost one dollar and fifty cents.  You can really
           rake in the profits by using this option.</para>
 
         <para>Finally, running <command>pac -s</command> will save the summary
           information in a summary accounting file, which is named the same as
           the printer's accounting file, but with <literal>_sum</literal>
           appended to the name.  It then truncates the accounting file.  When
           you run &man.pac.8; again, it rereads the
           summary file to get starting totals, then adds information from the
           regular accounting file.</para>
       </sect3>
       
       <sect3>
         <title>How Can You Count Pages Printed?</title>
 
         <para>In order to perform even remotely accurate accounting, you need
           to be able to determine how much paper a job uses.  This is the
           essential problem of printer accounting.</para>
             
         <para>For plain text jobs, the problem is not that hard to solve: you
           count how many lines are in a job and compare it to how many lines
           per page your printer supports.  Do not forget to take into account
           backspaces in the file which overprint lines, or long logical lines
           that wrap onto one or more additional physical lines.</para>
             
         <para>The text filter <command>lpf</command> (introduced in <link
             linkend="printing-advanced-lpf">lpf: a Text Filter</link>) takes
           into account these things when it does accounting.  If you are
           writing a text filter which needs to do accounting, you might want
           to examine <command>lpf</command>'s source code.</para>
             
         <para>How do you handle other file formats, though?</para>
 
         <para>Well, for DVI-to-LaserJet or DVI-to-&postscript; conversion, you
           can have your filter parse the diagnostic output of
           <command>dvilj</command> or <command>dvips</command> and look to see
           how many pages were converted.  You might be able to do similar
           things with other file formats and conversion programs.</para>
 
         <para>But these methods suffer from the fact that the printer may not
           actually print all those pages.  For example, it could jam, run out
           of toner, or explode&mdash;and the user would still get
           charged.</para>
             
         <para>So, what can you do?</para>
 
         <para>There is only one <emphasis>sure</emphasis> way to do
           <emphasis>accurate</emphasis> accounting.  Get a printer that can
           tell you how much paper it uses, and attach it via a serial line or
           a network connection.  Nearly all &postscript; printers support this
           notion.  Other makes and models do as well (networked Imagen laser
           printers, for example).  Modify the filters for these printers to
           get the page usage after they print each job and have them log
           accounting information based on that value
           <emphasis>only</emphasis>.  There is no line counting nor
           error-prone file examination required.</para>
             
         <para>Of course, you can always be generous and make all printouts
           free.</para>
       </sect3>
     </sect2>
   </sect1>
 
   <sect1 id="printing-using">
     <title>Using Printers</title>
     
     <indexterm>
       <primary>printers</primary>
       <secondary>usage</secondary>
    </indexterm>
     <para>This section tells you how to use printers you have set up with
       FreeBSD.  Here is an overview of the user-level commands:</para>
 
     <variablelist>
       <varlistentry>
 	<term>&man.lpr.1;</term>
 
 	<listitem>
 	  <para>Print jobs</para>
 	</listitem>
       </varlistentry>
       
       <varlistentry>
 	<term>&man.lpq.1;</term>
 
 	<listitem>
 	  <para>Check printer queues</para>
 	</listitem>
       </varlistentry>
       
       <varlistentry>
 	<term>&man.lprm.1;</term>
 
 	<listitem>
 	  <para>Remove jobs from a printer's queue</para>
 	</listitem>
       </varlistentry>
     </variablelist>
     
     <para>There is also an administrative command, &man.lpc.8;, described in
       the section <link linkend="printing-lpc">Administering the 
 	<application>LPD</application>
 	Spooler</link>, used to control printers and their queues.</para>
 
     <para>All three of the commands &man.lpr.1;, &man.lprm.1;, and &man.lpq.1;
       accept an option <option>-P
 	<replaceable>printer-name</replaceable></option> to specify on which
       printer/queue to operate, as listed in the
       <filename>/etc/printcap</filename> file.  This enables you to submit,
       remove, and check on jobs for various printers.  If you do not use the
       <option>-P</option> option, then these commands use the printer
       specified in the <envar>PRINTER</envar> environment variable.  Finally,
       if you do not have a <envar>PRINTER</envar> environment variable, these
       commands default to the printer named <literal>lp</literal>.</para>
 
     <para>Hereafter, the terminology <emphasis>default printer</emphasis>
       means the printer named in the <envar>PRINTER</envar> environment
       variable, or the printer named <literal>lp</literal> when there is no
       <envar>PRINTER</envar> environment variable.</para>
     
     <sect2 id="printing-lpr">
       <title>Printing Jobs</title>
       
       <para>To print files, type:</para>
       
       <screen>&prompt.user; <userinput>lpr <replaceable>filename</replaceable> <replaceable>...</replaceable></userinput></screen>
 	    
       <indexterm><primary>printing</primary></indexterm>
       <para>This prints each of the listed files to the default printer.  If
 	you list no files, &man.lpr.1; reads data to
 	print from standard input.  For example, this command prints some
 	important system files:</para>
 
       <screen>&prompt.user; <userinput>lpr /etc/host.conf /etc/hosts.equiv</userinput></screen>
 	    
       <para>To select a specific printer, type:</para>
 		    
       <screen>&prompt.user; <userinput>lpr -P <replaceable>printer-name</replaceable> <replaceable>filename</replaceable> <replaceable>...</replaceable></userinput></screen>
 
       <para>This example prints a long listing of the current directory to the
 	printer named <literal>rattan</literal>:</para>
 	    
       <screen>&prompt.user; <userinput>ls -l | lpr -P rattan</userinput></screen>
 	    
       <para>Because no files were listed for the
 	  &man.lpr.1; command, <command>lpr</command> read the data to print
 	from standard input, which was the output of the <command>ls
 	  -l</command> command.</para>
       
       <para>The &man.lpr.1; command can also accept a wide variety of options
 	to control formatting, apply file conversions, generate multiple
 	copies, and so forth. For more information, see the section <link
 	  linkend="printing-lpr-options">Printing Options</link>.</para>
     </sect2>
     
     <sect2 id="printing-lpq">
       <title>Checking Jobs</title>
       
       <indexterm><primary>print jobs</primary></indexterm>
       <para>When you print with &man.lpr.1;, the data you wish to print is put
 	together in a package called a <quote>print job</quote>, which is sent
 	to the <application>LPD</application> spooling system.  Each printer 
 	has a queue of jobs, and
 	your job waits in that queue along with other jobs from yourself and
 	from other users.  The printer prints those jobs in a first-come,
 	first-served order.</para>
 
       <para>To display the queue for the default printer, type &man.lpq.1;.
 	For a specific printer, use the <option>-P</option> option.  For
 	example, the command
 
 	<screen>&prompt.user; <userinput>lpq -P bamboo</userinput></screen>
 
 	shows the queue for the printer named <literal>bamboo</literal>.  Here
 	is an example of the output of the <command>lpq</command>
 	command:</para>
 	    
       <screen>bamboo is ready and printing
 Rank   Owner    Job  Files                              Total Size
 active kelly    9    /etc/host.conf, /etc/hosts.equiv   88 bytes
 2nd    kelly    10   (standard input)                   1635 bytes
 3rd    mary     11   ...                                78519 bytes</screen>
 	    
       <para>This shows three jobs in the queue for <literal>bamboo</literal>.
 	The first job, submitted by user kelly, got assigned <quote>job
 	number</quote> 9.  Every job for a printer gets a unique job number.
 	Most of the time you can ignore the job number, but you will need it
 	if you want to cancel the job; see section <link
 	  linkend="printing-lprm">Removing Jobs</link> for details.</para>
 	  
       <para>Job number nine consists of two files; multiple files given on the
 	  &man.lpr.1; command line are treated as part of a single job.  It
 	is the currently active job (note the word <literal>active</literal>
 	under the <quote>Rank</quote> column), which means the printer should
 	be currently printing that job.  The second job consists of data
 	passed as the standard input to the &man.lpr.1; command.  The third
 	  job came from user <username>mary</username>; it is a much larger
 	  job. The pathname of the file she is trying to print is too long to
 	  fit, so the &man.lpq.1; command just shows three dots.</para>
 
       <para>The very first line of the output from &man.lpq.1; is also useful:
 	it tells what the printer is currently doing (or at least what 
 	<application>LPD</application> thinks the printer is doing).</para>
 
       <para>The &man.lpq.1; command also support a <option>-l</option> option
 	to generate a detailed long listing.  Here is an example of
 	<command>lpq -l</command>:</para>
 	    
       <screen>waiting for bamboo to become ready (offline ?)
 kelly: 1st				 [job 009rose]
        /etc/host.conf                    73 bytes
        /etc/hosts.equiv                  15 bytes
 
 kelly: 2nd				 [job 010rose]
        (standard input)                  1635 bytes
 
 mary: 3rd                                [job 011rose]
       /home/orchid/mary/research/venus/alpha-regio/mapping 78519 bytes</screen>
     </sect2>
 
     <sect2 id="printing-lprm">
       <title>Removing Jobs</title>
       
       <para>If you change your mind about printing a job, you can remove the
 	job from the queue with the &man.lprm.1; command.  Often, you can
 	even use &man.lprm.1; to remove an active job, but some or all of the
 	job might still get printed.</para>
 	  
       <para>To remove a job from the default printer, first use
 	  &man.lpq.1; to find the job number.  Then type:</para>
 	  
       <screen>&prompt.user; <userinput>lprm <replaceable>job-number</replaceable></userinput></screen>
 	    
       <para>To remove the job from a specific printer, add the
 	<option>-P</option> option.  The following command removes job number
 	10 from the queue for the printer <literal>bamboo</literal>:</para>
 	    
       <screen>&prompt.user; <userinput>lprm -P bamboo 10</userinput></screen>
       
       <para>The &man.lprm.1; command has a few shortcuts:</para>
       
       <variablelist>
 	<varlistentry>
 	  <term>lprm -</term>
 
 	  <listitem>
 	    <para>Removes all jobs (for the default printer) belonging to
 	      you.</para>
 	  </listitem>
 	</varlistentry>
 
 	<varlistentry>
 	  <term>lprm <replaceable>user</replaceable></term>
 	  
 	  <listitem>
 	    <para>Removes all jobs (for the default printer) belonging to
 	      <replaceable>user</replaceable>.  The superuser can remove other
 	      users' jobs; you can remove only your own jobs.</para>
 	  </listitem>
 	</varlistentry>
 
 	<varlistentry>
 	  <term>lprm</term>
 	  
 	  <listitem>
 	    <para>With no job number, user name, or <option>-</option>
 	      appearing on the command line,
 		    &man.lprm.1; removes the currently active job on the
 	      default printer, if it belongs to you.  The superuser can remove
 	      any active job.</para>
 	  </listitem>
 	</varlistentry>
       </variablelist>
       
       <para>Just use the <option>-P</option> option with the above shortcuts
 	to operate on a specific printer instead of the default. For example,
 	the following command removes all jobs for the current user in the
 	queue for the printer named <literal>rattan</literal>:</para>
 	  
       <screen>&prompt.user; <userinput>lprm -P rattan -</userinput></screen>
 	  
       <note>
 	<para>If you are working in a networked environment, &man.lprm.1; will
 	  let you remove jobs only from the
 	  host from which the jobs were submitted, even if the same printer is
 	  available from other hosts. The following command sequence
 	  demonstrates this:</para>
 	      
 	<screen>&prompt.user; <userinput>lpr -P rattan myfile</userinput>
 &prompt.user; <userinput>rlogin orchid</userinput>
 &prompt.user; <userinput>lpq -P rattan</userinput>
 Rank   Owner	  Job  Files                          Total Size
 active seeyan	  12	...                           49123 bytes
 2nd    kelly      13   myfile                         12 bytes
 &prompt.user; <userinput>lprm -P rattan 13</userinput>
 rose: Permission denied
 &prompt.user; <userinput>logout</userinput>
 &prompt.user; <userinput>lprm -P rattan 13</userinput>
 dfA013rose dequeued
 cfA013rose dequeued
 	</screen>
       </note>
     </sect2>
     
     <sect2 id="printing-lpr-options">
       <title>Beyond Plain Text: Printing Options</title>
       
       <para>The &man.lpr.1; command supports a number of options that control
 	formatting text, converting graphic and other file formats, producing
 	multiple copies, handling of the job, and more.  This section
 	describes the options.</para>
 	  
       <sect3 id="printing-lpr-options-format">
 	<title>Formatting and Conversion Options</title>
 
 	<para>The following &man.lpr.1; options control formatting of the
 	  files in the job.  Use these options if the job does not contain
 	  plain text or if you want plain text formatted through the
 	    &man.pr.1; utility.</para>
 	    
         <indexterm><primary>&tex;</primary></indexterm>
 	<para>For example, the following command prints a DVI file (from the
 	  &tex; typesetting system) named <filename>fish-report.dvi</filename>
 	  to the printer named <literal>bamboo</literal>:</para>
 	      
 	<screen>&prompt.user; <userinput>lpr -P bamboo -d fish-report.dvi</userinput></screen>
 	      
 	<para>These options apply to every file in the job, so you cannot mix
 	  (say) DVI and ditroff files together in a job. Instead, submit the
 	  files as separate jobs, using a different conversion option for each
 	  job.</para>
 
 	<note>
 	  <para>All of these options except <option>-p</option> and
 	    <option>-T</option> require conversion filters installed for the
 	    destination printer.  For example, the <option>-d</option> option
 	    requires the DVI conversion filter.  Section <link
 	      linkend="printing-advanced-convfilters">Conversion
 	      Filters</link> gives details.</para>
 	</note>
 
 	<variablelist>
 	  <varlistentry>
 	    <term><option>-c</option></term>
 
 	    <listitem>
 	      <para>Print cifplot files.</para>
 	    </listitem>
 	  </varlistentry>
 	  
 	  <varlistentry>
 	    <term><option>-d</option></term>
 	    
 	    <listitem>
 	      <para>Print DVI files.</para>
 	    </listitem>
 	  </varlistentry>
 	  
 	  <varlistentry>
 	    <term><option>-f</option></term>
 	    
 	    <listitem>
 	      <para>Print FORTRAN text files.</para>
 	    </listitem>
 	  </varlistentry>
 	  
 	  <varlistentry>
 	    <term><option>-g</option></term>
 	    
 	    <listitem>
 	      <para>Print plot data.</para>
 	    </listitem>
 	  </varlistentry>
 	  
 	  <varlistentry>
 	    <term><option>-i <replaceable>number</replaceable></option></term>
 		  
 	    <listitem>
 	      <para>Indent the output by <replaceable>number</replaceable>
 		columns; if you omit <replaceable>number</replaceable>, indent
 		by 8 columns.  This option works only with certain conversion
 		filters.</para>
 
 	      <note>
 		<para>Do not put any space between the <option>-i</option> and
 		  the number.</para>
 	      </note>
 	    </listitem>
 	  </varlistentry>
 	  
 	  <varlistentry>
 	    <term><option>-l</option></term>
 	    
 	    <listitem>
 	      <para>Print literal text data, including control
 		characters.</para>
 	    </listitem>
 	  </varlistentry>
 	  
 	  <varlistentry>
 	    <term><option>-n</option></term>
 	    
 	    <listitem>
 	      <para>Print ditroff (device independent troff) data.</para>
 	    </listitem>
 	  </varlistentry>
 	  
 	  <varlistentry>
 	    <term>-p</term>
 	    
 	    <listitem>
 	      <para>Format plain text with &man.pr.1; before printing.  See
 		  &man.pr.1; for more information.</para>
 	    </listitem>
 	  </varlistentry>
 	  
 	  <varlistentry>
 	    <term><option>-T <replaceable>title</replaceable></option></term>
 	    
 	    <listitem>
 	      <para>Use <replaceable>title</replaceable> on the
 		  &man.pr.1; header instead of the file name.  This option has
 		effect only when used with the <option>-p</option>
 		option.</para>
 	    </listitem>
 	  </varlistentry>
 	  
 	  <varlistentry>
 	    <term><option>-t</option></term>
 	    
 	    <listitem>
 	      <para>Print troff data.</para>
 	    </listitem>
 	  </varlistentry>
 	  
 	  <varlistentry>
 	    <term><option>-v</option></term>
 	    
 	    <listitem>
 	      <para>Print raster data.</para>
 	    </listitem>
 	  </varlistentry>
 	</variablelist>
 		    
 	<para>Here is an example: this command prints a nicely formatted
 	  version of the &man.ls.1; manual page on the default printer:</para>
 	    
 	<screen>&prompt.user; <userinput>zcat /usr/share/man/man1/ls.1.gz | troff -t -man | lpr -t</userinput></screen>
 	      
 	<para>The &man.zcat.1; command uncompresses the source of the
 	  &man.ls.1; manual page and passes it to the &man.troff.1;
 	  command, which formats that source and makes GNU troff
 	  output and passes it to &man.lpr.1;, which submits the job
 	  to the <application>LPD</application> spooler.  Because we 
 	  used the <option>-t</option>
 	  option to &man.lpr.1;, the spooler will convert the GNU
 	  troff output into a format the default printer can
 	  understand when it prints the job.</para>
       </sect3>
       
       <sect3 id="printing-lpr-options-job-handling">
 	<title>Job Handling Options</title>
 
 	<para>The following options to &man.lpr.1; tell 
 	  <application>LPD</application> to handle the job
 	  specially:</para>
       
 	<variablelist>
 	  <varlistentry>
 	    <term>-# <replaceable>copies</replaceable></term>
 
 	    <listitem>
 	      <para>Produce a number of <replaceable>copies</replaceable> of
 		each file in the job instead of just one copy.  An
 		administrator may disable this option to reduce printer
 		wear-and-tear and encourage photocopier usage.  See section
 		<link
 		  linkend="printing-advanced-restricting-copies">Restricting
 		  Multiple Copies</link>.</para>
 
 	      <para>This example prints three copies of
 		<filename>parser.c</filename> followed by three copies of
 		<filename>parser.h</filename> to the default printer:</para>
 		      
 	      <screen>&prompt.user; <userinput>lpr -#3 parser.c parser.h</userinput></screen>
 	    </listitem>
 	  </varlistentry>
 	  
 	  <varlistentry>
 	    <term>-m</term>
 	    
 	    <listitem>
 	      <para>Send mail after completing the print job.  With this
 		option, the <application>LPD</application> system will send
 		mail to your account when it
 		finishes handling your job.  In its message, it will tell you
 		if the job completed successfully or if there was an error,
 		and (often) what the error was.</para>
 	    </listitem>
 	  </varlistentry>
 	  
 	  <varlistentry>
 	    <term>-s</term>
 	    
 	    <listitem>
 	      <para>Do not copy the files to the spooling directory, but make
 		symbolic links to them instead.</para>
 		    
 	      <para>If you are printing a large job, you probably want to use
 		this option.  It saves space in the spooling directory (your
 		job might overflow the free space on the filesystem where the
 		spooling directory resides).  It saves time as well since 
 		<application>LPD</application>
 		will not have to copy each and every byte of your job to the
 		spooling directory.</para>
 		    
 	      <para>There is a drawback, though: since 
 		<application>LPD</application> will refer to the
 		original files directly, you cannot modify or remove them
 		until they have been printed.</para>
 	      
 	      <note>
 		<para>If you are printing to a remote printer, 
 		  <application>LPD</application> will
 		  eventually have to copy files from the local host to the
 		  remote host, so the <option>-s</option> option will save
 		  space only on the local spooling directory, not the remote.
 		  It is still useful, though.</para>
 	      </note>
 	    </listitem>
 	  </varlistentry>
 	  
 	  <varlistentry>
 	    <term>-r</term>
 	    
 	    <listitem>
 	      <para>Remove the files in the job after copying them to the
 		spooling directory, or after printing them with the
 		<option>-s</option> option.  Be careful with this
 		option!</para>
 	    </listitem>
 	  </varlistentry>
 	</variablelist>
       </sect3>
 	  
       <sect3 id="printing-lpr-options-misc">
 	<title>Header Page Options</title>
 
 	<para>These options to &man.lpr.1; adjust the text that normally
 	  appears on a job's header page. If header pages are suppressed for
 	  the destination printer, these options have no effect.  See section
 	  <link linkend="printing-advanced-header-pages">Header Pages</link>
 	  for information about setting up header pages.</para>
 	    
 	<variablelist>
 	  <varlistentry>
 	    <term>-C <replaceable>text</replaceable></term>
 
 	    <listitem>
 	      <para>Replace the hostname on the header page with
 		<replaceable>text</replaceable>.  The hostname is normally the
 		name of the host from which the job was submitted.</para>
 	    </listitem>
 	  </varlistentry>
 	  
 	  <varlistentry>
 	    <term>-J <replaceable>text</replaceable></term>
 	    
 	    <listitem>
 	      <para>Replace the job name on the header page with
 		<replaceable>text</replaceable>.  The job name is normally the
 		name of the first file of the job, or
 		<filename>stdin</filename> if you are printing standard
 		input.</para>
 	    </listitem>
 	  </varlistentry>
 	  
 	  <varlistentry>
 	    <term>-h</term>
 	    
 	    <listitem>
 	      <para>Do not print any header page.</para>
 	      
 	      <note>
 		<para>At some sites, this option may have no effect due to the
 		  way header pages are generated.  See <link
 		    linkend="printing-advanced-header-pages">Header
 		    Pages</link> for details.</para>
 	      </note>
 	    </listitem>
 	  </varlistentry>
 	</variablelist>
       </sect3>
     </sect2>
     
     <sect2 id="printing-lpc">
       <title>Administering Printers</title>
       
       <para>As an administrator for your printers, you have had to install,
 	set up, and test them.  Using the &man.lpc.8; command, you
 	can interact with your printers in yet more ways. With &man.lpc.8;,
 	you can</para>
       
       <itemizedlist>
 	<listitem>
 	  <para>Start and stop the printers</para>
 	</listitem>
 
 	<listitem>
 	  <para>Enable and disable their queues</para>
 	</listitem>
 
 	<listitem>
 	  <para>Rearrange the order of the jobs in each queue.</para>
 	</listitem>
       </itemizedlist>
       
       <para>First, a note about terminology: if a printer is
 	<emphasis>stopped</emphasis>, it will not print anything in its queue.
 	Users can still submit jobs, which will wait in the queue until the
 	printer is <emphasis>started</emphasis> or the queue is
 	cleared.</para>
 	  
       <para>If a queue is <emphasis>disabled</emphasis>, no user (except
 	<username>root</username>) can submit jobs for the printer.  An
 	<emphasis>enabled</emphasis> queue allows jobs to be submitted.  A
 	printer can be <emphasis>started</emphasis> for a disabled queue, in
 	which case it will continue to print jobs in the queue until the queue
 	is empty.</para>
 	  
       <para>In general, you have to have <username>root</username> privileges
 	to use the &man.lpc.8; command.  Ordinary users can use the &man.lpc.8;
 	command to get printer status and to restart a hung printer only.</para>
 
       <para>Here is a summary of the &man.lpc.8; commands.  Most of the
 	commands take a <replaceable>printer-name</replaceable> argument to
 	tell on which printer to operate.  You can use <literal>all</literal>
 	for the <replaceable>printer-name</replaceable> to mean all printers
 	listed in <filename>/etc/printcap</filename>.</para>
       
       <variablelist>
 	<varlistentry>
 	  <term><command>abort
 	      <replaceable>printer-name</replaceable></command></term>
 
 	  <listitem>
 	    <para>Cancel the current job and stop the printer.  Users can
 	      still submit jobs if the queue is enabled.</para>
 	  </listitem>
 	</varlistentry>
 
 	<varlistentry>
 	  <term><command>clean
 	      <replaceable>printer-name</replaceable></command></term>
 	  
 	  <listitem>
 	    <para>Remove old files from the printer's spooling directory.
 	      Occasionally, the files that make up a job are not properly
 	      removed by <application>LPD</application>, particularly if 
 	      there have been errors during
 	      printing or a lot of administrative activity.  This command
 	      finds files that do not belong in the spooling directory and
 	      removes them.</para>
 	  </listitem>
 	</varlistentry>
 
 	<varlistentry>
 	  <term><command>disable
 	      <replaceable>printer-name</replaceable></command></term>
 	  
 	  <listitem>
 	    <para>Disable queuing of new jobs.  If the printer is running, it
 	      will continue to print any jobs remaining in the queue.  The
 	      superuser (<username>root</username>) can always submit jobs,
 	      even to a disabled queue.</para>
 		  
 	    <para>This command is useful while you are testing a new printer
 	      or filter installation: disable the queue and submit jobs as
 	      <username>root</username>.  Other users will not be able to submit
 	      jobs until you complete your testing and re-enable the queue with
 	      the <command>enable</command> command.</para>
 	  </listitem>
 	</varlistentry>
 
 	<varlistentry>
 	  <term><command>down <replaceable>printer-name</replaceable>
 	      <replaceable>message</replaceable></command></term>
 		
 	  <listitem>
 	    <para>Take a printer down.  Equivalent to
 	      <command>disable</command> followed by <command>stop</command>.
 	      The <replaceable>message</replaceable> appears as the printer's
 	      status whenever a user checks the printer's queue with
 		    &man.lpq.1; or status with <command>lpc
 		status</command>.</para>
 	  </listitem>
 	</varlistentry>
 
 	<varlistentry>
 	  <term><command>enable
 	      <replaceable>printer-name</replaceable></command></term>
 		
 	  <listitem>
 	    <para>Enable the queue for a printer.  Users can submit jobs but
 	      the printer will not print anything until it is started.</para>
 	  </listitem>
 	</varlistentry>
 
 	<varlistentry>
 	  <term><command>help
 	      <replaceable>command-name</replaceable></command></term>
 		
 	  <listitem>
 	    <para>Print help on the command
 	      <replaceable>command-name</replaceable>.  With no
 	      <replaceable>command-name</replaceable>, print a summary of the
 	      commands available.</para>
 	  </listitem>
 	</varlistentry>
 
 	<varlistentry>
 	  <term><command>restart
 	      <replaceable>printer-name</replaceable></command></term>
 	  
 	  <listitem>
 	    <para>Start the printer.  Ordinary users can use this command if
 	      some extraordinary circumstance hangs 
 	      <application>LPD</application>, but they cannot start
 	      a printer stopped with either the <command>stop</command> or
 	      <command>down</command> commands.  The
 	      <command>restart</command> command is equivalent to
 	      <command>abort</command> followed by
 	      <command>start</command>.</para>
 	  </listitem>
 	</varlistentry>
 
 	<varlistentry>
 	  <term><command>start
 	      <replaceable>printer-name</replaceable></command></term>
 		
 	  <listitem>
 	    <para>Start the printer.  The printer will print jobs in its
 	      queue.</para>
 	  </listitem>
 	</varlistentry>
 
 	<varlistentry>
 	  <term><command>stop
 	      <replaceable>printer-name</replaceable></command></term>
 	  
 	  <listitem>
 	    <para>Stop the printer.  The printer will finish the current job
 	      and will not print anything else in its queue.  Even though the
 	      printer is stopped, users can still submit jobs to an enabled
 	      queue.</para>
 	  </listitem>
 	</varlistentry>
 
 	<varlistentry>
 	  <term><command>topq <replaceable>printer-name</replaceable>
 	      <replaceable>job-or-username</replaceable></command></term>
 		
 	  <listitem>
 	    <para>Rearrange the queue for
 	      <replaceable>printer-name</replaceable> by placing the jobs with
 	      the listed <replaceable>job</replaceable> numbers or the jobs
 	      belonging to <replaceable>username</replaceable> at the top of
 	      the queue. For this command, you cannot use
 	      <literal>all</literal> as the
 	      <replaceable>printer-name</replaceable>.</para>
 	  </listitem>
 	</varlistentry>
 
 	<varlistentry>
 	  <term><command>up
 	      <replaceable>printer-name</replaceable></command></term>
 		
 	  <listitem>
 	    <para>Bring a printer up; the opposite of the
 	      <command>down</command> command.  Equivalent to
 	      <command>start</command> followed by
 	      <command>enable</command>.</para>
 	  </listitem>
 	</varlistentry>
       </variablelist>
       
       <para>&man.lpc.8; accepts the above commands on the command line.  If
 	you do not enter any commands, &man.lpc.8; enters an interactive mode,
 	where you can enter commands until you type <command>exit</command>,
 	<command>quit</command>, or end-of-file.</para>
     </sect2>
   </sect1>
   
   <sect1 id="printing-lpd-alternatives">
     <title>Alternatives to the Standard Spooler</title>
     
     <para>If you have been reading straight through this manual, by now you
       have learned just about everything there is to know about the 
       <application>LPD</application>
       spooling system that comes with FreeBSD.  You can probably appreciate
       many of its shortcomings, which naturally leads to the question:
       <quote>What other spooling systems are out there (and work with
       FreeBSD)?</quote></para>
 
     <variablelist>
       <varlistentry>
 	<term>LPRng</term>
 
  	<indexterm><primary>LPRng</primary></indexterm>	  
 	<listitem>
 	  <para><application>LPRng</application>, which purportedly means
 	    <quote>LPR: the Next
 	    Generation</quote> is a complete rewrite of PLP.  Patrick Powell
 	    and Justin Mason (the principal maintainer of PLP) collaborated to
 	    make <application>LPRng</application>.  The main site for 
 	    <application>LPRng</application> is <ulink
 	      url="http://www.lprng.org/"></ulink>.</para>
 	</listitem>
       </varlistentry>
       <varlistentry>
 	<term>CUPS</term>
 
  	<indexterm><primary>CUPS</primary></indexterm>	  
 	<listitem>
 	  <para><application>CUPS</application>, the Common UNIX Printing
 	    System, provides a portable printing layer for &unix;-based
 	    operating systems.  It has been developed by Easy Software
 	    Products to promote a standard printing solution for all &unix;
 	    vendors and users.</para>
 
 	  <para><application>CUPS</application> uses the Internet Printing
 	    Protocol (<acronym>IPP</acronym>) as the basis for managing
 	    print jobs and queues.  The Line Printer Daemon
 	    (<acronym>LPD</acronym>) Server Message Block
 	    (<acronym>SMB</acronym>), and AppSocket (a.k.a. JetDirect)
 	    protocols are also supported with reduced functionality.  CUPS
 	    adds network printer browsing and PostScript Printer Description
 	    (<acronym>PPD</acronym>) based printing options to support
 	    real-world printing under &unix;.</para>
 
 	  <para>The main site for <application>CUPS</application> is <ulink
 	    url="http://www.cups.org/"></ulink>.</para>
 	</listitem>
       </varlistentry>
     </variablelist>
   </sect1>
 
   <sect1 id="printing-troubleshooting">
     <title>Troubleshooting</title>
 
     <para>After performing the simple test with &man.lptest.1;, you might
       have gotten one of the following results instead of the correct
       printout:</para>
 
     <variablelist>
       <varlistentry>
 	<term>It worked, after awhile; or, it did not eject a full
 	  sheet.</term>
 
 	<listitem>
 	  <para>The printer printed the above, but it sat for awhile and
 	    did nothing.  In fact, you might have needed to press a
 	    PRINT REMAINING or FORM FEED button on the printer to get any
 	    results to appear.</para>
 
 	  <para>If this is the case, the printer was probably waiting to
 	    see if there was any more data for your job before it printed
 	    anything.  To fix this problem, you can have the text filter
 	    send a FORM FEED character (or whatever is necessary) to the
 	    printer.  This is usually sufficient to have the printer
 	    immediately print any text remaining in its internal buffer.
 	    It is also useful to make sure each print job ends on a full
 	    sheet, so the next job does not start somewhere on the middle
 	    of the last page of the previous job.</para>
 
 	  <para>The following replacement for the shell script
 	    <filename>/usr/local/libexec/if-simple</filename> prints a
 	    form feed after it sends the job to the printer:</para>
 
 	  <programlisting>#!/bin/sh
 #
 # if-simple - Simple text input filter for lpd
 # Installed in /usr/local/libexec/if-simple
 #
 # Simply copies stdin to stdout.  Ignores all filter arguments.
 # Writes a form feed character (\f) after printing job.
 
 /bin/cat &amp;&amp; printf "\f" &amp;&amp; exit 0
 exit 2</programlisting>
 	</listitem>
       </varlistentry>
 
       <varlistentry>
 	<term>It produced the <quote>staircase effect.</quote></term>
 
 	<listitem>
 	  <para>You got the following on paper:</para>
 
 	  <programlisting>!"#$%&amp;'()*+,-./01234
                 "#$%&amp;'()*+,-./012345
                                  #$%&amp;'()*+,-./0123456</programlisting>
 
 	  <indexterm><primary>MS-DOS</primary></indexterm>
  	  <indexterm><primary>OS/2</primary></indexterm>
  	  <indexterm><primary>ASCII</primary></indexterm>
 	  <para>You have become another victim of the <emphasis>staircase
 	    effect</emphasis>, caused by conflicting interpretations of
 	    what characters should indicate a new line.  &unix; style
 	    operating systems use a single character:  ASCII code 10, the
 	    line feed (LF). &ms-dos;, &os2;, and others uses a pair of
 	    characters, ASCII code 10 <emphasis>and</emphasis> ASCII code
 	    13 (the carriage return or CR).  Many printers use the &ms-dos;
 	    convention for representing new-lines.</para>
 
 	  <para>When you print with FreeBSD, your text used just the line
 	    feed character.  The printer, upon seeing a line feed
 	    character, advanced the paper one line, but maintained the
 	    same horizontal position on the page for the next character
 	    to print.  That is what the carriage return is for:  to move
 	    the location of the next character to print to the left edge
 	    of the paper.</para>
 
 	  <para>Here is what FreeBSD wants your printer to do:</para>
 
-	  <informaltable frame="none">
+	  <informaltable frame="none" pgwide="1">
 	    <tgroup cols="2">
 	      <tbody>
 		<row>
 		  <entry>Printer received CR</entry>
 		  <entry>Printer prints CR</entry>
 		</row>
 
 		<row>
 		  <entry>Printer received LF</entry>
 		  <entry>Printer prints CR + LF</entry>
 		</row>
 	      </tbody>
 	    </tgroup>
 	  </informaltable>
 
 	  <para>Here are some ways to achieve this:</para>
 
 	  <itemizedlist>
 	    <listitem>
 	      <para>Use the printer's configuration switches or control
 		panel to alter its interpretation of these characters.
 		Check your printer's manual to find out how to do
 		this.</para>
 
 	      <note>
 	        <para>If you boot your system into other operating systems
 		  besides FreeBSD, you may have to
 		  <emphasis>reconfigure</emphasis> the printer to use a an
 		  interpretation for CR and LF characters that those other
 		  operating systems use.  You might prefer one of the other
 		  solutions, below.</para>
 	      </note>
 	    </listitem>
 
 	    <listitem>
 	      <para>Have FreeBSD's serial line driver automatically
 		convert LF to CR+LF.  Of course, this works with printers
 		on serial ports <emphasis>only</emphasis>.  To enable this
 		feature, use the <literal>ms#</literal> capability and
 		set the <literal>onlcr</literal> mode
 		in the <filename>/etc/printcap</filename> file
 		for the printer.</para>
 	    </listitem>
 
 	    <listitem>
 	      <para>Send an <emphasis>escape code</emphasis> to the
 	        printer to have it temporarily treat LF characters
 		differently.  Consult your printer's manual for escape
 		codes that your printer might support.  When you find the
 		proper escape code, modify the text filter to send the
 		code first, then send the print job.</para>
 
 	      <indexterm><primary>PCL</primary></indexterm>
 	      <para>Here is an example text filter for printers that
 		understand the Hewlett-Packard PCL escape codes.  This
 		filter makes the printer treat LF characters as a LF and
 		CR; then it sends the job; then it sends a form feed to
 		eject the last page of the job.  It should work with
 		nearly all Hewlett Packard printers.</para>
 
 	      <programlisting>#!/bin/sh
 #
 # hpif - Simple text input filter for lpd for HP-PCL based printers
 # Installed in /usr/local/libexec/hpif
 #
 # Simply copies stdin to stdout.  Ignores all filter arguments.
 # Tells printer to treat LF as CR+LF.  Ejects the page when done.
 
 printf "\033&amp;k2G" &amp;&amp; cat &amp;&amp; printf "\033&amp;l0H" &amp;&amp; exit 0
 exit 2</programlisting>
 
 	      <para>Here is an example <filename>/etc/printcap</filename>
 		from a host called <hostid>orchid</hostid>.  It has a single printer
 		attached to its first parallel port, a Hewlett Packard
 		LaserJet 3Si named <literal>teak</literal>.  It is using the
 		above script as its text filter:</para>
 
 	      <programlisting>#
 #  /etc/printcap for host orchid
 #
 teak|hp|laserjet|Hewlett Packard LaserJet 3Si:\
         :lp=/dev/lpt0:sh:sd=/var/spool/lpd/teak:mx#0:\
         :if=/usr/local/libexec/hpif:</programlisting>
 	    </listitem>
           </itemizedlist>
 	</listitem>
       </varlistentry>
 
       <varlistentry>
 	<term>It overprinted each line.</term>
 
 	<listitem>
 	  <para>The printer never advanced a line.  All of the lines of
 	    text were printed on top of each other on one line.</para>
 
 	  <para>This problem is the <quote>opposite</quote> of the
 	    staircase effect, described above, and is much rarer.
 	    Somewhere, the LF characters that FreeBSD uses to end a line
 	    are being treated as CR characters to return the print
 	    location to the left edge of the paper, but not also down a
 	    line.</para>
 
 	  <para>Use the printer's configuration switches or control panel
 	    to enforce the following interpretation of LF and CR
 	    characters:</para>
 
-	  <informaltable frame="none">
+	  <informaltable frame="none" pgwide="1">
 	    <tgroup cols="2">
 	      <thead>
 		<row>
 		  <entry>Printer receives</entry>
 		  <entry>Printer prints</entry>
 		</row>
 	      </thead>
 
 	      <tbody>
 		<row>
 		  <entry>CR</entry>
 		  <entry>CR</entry>
 		</row>
 
 		<row>
 		  <entry>LF</entry>
 		  <entry>CR + LF</entry>
 		</row>
 	      </tbody>
 	    </tgroup>
 	  </informaltable>
 	</listitem>
       </varlistentry>
 
       <varlistentry>
 	<term>The printer lost characters.</term>
 
 	<listitem>
 	  <para>While printing, the printer did not print a few characters
 	    in each line.  The problem might have gotten worse as the
 	    printer ran, losing more and more characters.</para>
 
 	  <para>The problem is that the printer cannot keep up with the
 	    speed at which the computer sends data over a serial line
 	    (this problem should not occur with printers on parallel
 	    ports).  There are two ways to overcome the problem:</para>
 
 	  <itemizedlist>
 	    <listitem>
 	      <para>If the printer supports XON/XOFF flow control, have
 		FreeBSD use it by specifying the <literal>ixon</literal> mode
 		in the <literal>ms#</literal> capability.</para>
 	    </listitem>
 
 	    <listitem>
 	      <para>If the printer supports carrier flow control, specify
 		the <literal>crtscts</literal> mode in the 
 		<literal>ms#</literal> capability.
 		Make sure the cable connecting the printer to the computer
 		is correctly wired for carrier flow control.</para>
 	    </listitem>
 	  </itemizedlist>
 	</listitem>
       </varlistentry>
 
       <varlistentry>
 	<term>It printed garbage.</term>
 
 	<listitem>
 	  <para>The printer printed what appeared to be random garbage,
 	    but not the desired text.</para>
 
 	  <para>This is usually another symptom of incorrect
 	    communications parameters with a serial printer.  Double-check
 	    the bps rate in the <literal>br</literal> capability, and the
 	    parity setting in the
 	    <literal>ms#</literal> capability; make sure the printer is
 	    using the same settings as specified in the
 	    <filename>/etc/printcap</filename> file.</para>
 	</listitem>
       </varlistentry>
 
       <varlistentry>
 	<term>Nothing happened.</term>
 
 	<listitem>
 	  <para>If nothing happened, the problem is probably within
 	    FreeBSD and not the hardware.  Add the log file
 	    (<literal>lf</literal>) capability to the entry for the
 	    printer you are debugging in the
 	    <filename>/etc/printcap</filename> file.  For example, here is
 	    the entry for <literal>rattan</literal>, with the
 	    <literal>lf</literal> capability:</para>
 
 	  <programlisting>rattan|line|diablo|lp|Diablo 630 Line Printer:\
         :sh:sd=/var/spool/lpd/rattan:\
         :lp=/dev/lpt0:\
         :if=/usr/local/libexec/if-simple:\
         :lf=/var/log/rattan.log</programlisting>
 
 	  <para>Then, try printing again.  Check the log file (in our
 	    example, <filename>/var/log/rattan.log</filename>) to see any
 	    error messages that might appear.  Based on the messages you
 	    see, try to correct the problem.</para>
 
 	  <para>If you do not specify a <literal>lf</literal> capability,
 	    <application>LPD</application> uses 
 	    <filename>/dev/console</filename> as a default.</para>
 	</listitem>
       </varlistentry>
     </variablelist>
   </sect1>
 </chapter>
 
 <!-- 
      Local Variables:
      mode: sgml
      sgml-declaration: "../chapter.decl"
      sgml-indent-data: t
      sgml-omittag: nil
      sgml-always-quote-attributes: t
      sgml-parent-document: ("../book.sgml" "part" "chapter")
      End:
 -->
 
 
diff --git a/en_US.ISO8859-1/books/handbook/security/chapter.sgml b/en_US.ISO8859-1/books/handbook/security/chapter.sgml
index 95be50b109..2cf47cd045 100644
--- a/en_US.ISO8859-1/books/handbook/security/chapter.sgml
+++ b/en_US.ISO8859-1/books/handbook/security/chapter.sgml
@@ -1,7583 +1,7583 @@
 <!--
      The FreeBSD Documentation Project
 
      $FreeBSD$
 -->
 
 <chapter id="security">
   <chapterinfo>
     <authorgroup>
       <author>
 	<firstname>Matthew</firstname>
 	<surname>Dillon</surname>
 	<contrib>Much of this chapter has been taken from the
 	security(7) manual page by </contrib>
       </author>
     </authorgroup>
   </chapterinfo>
 
   <title>Security</title>
   <indexterm><primary>security</primary></indexterm>
 
   <sect1 id="security-synopsis">
     <title>Synopsis</title>
 
     <para>This chapter will provide a basic introduction to system security
       concepts, some general good rules of thumb, and some advanced topics
       under &os;.  A lot of the topics covered here can be applied
       to system and Internet security in general as well.  The Internet
       is no longer a <quote>friendly</quote> place in which everyone
       wants to be your kind neighbor.  Securing your system is imperative
       to protect your data, intellectual property, time, and much more
       from the hands of hackers and the like.</para>
 
     <para>&os; provides an array of utilities and mechanisms to ensure
       the integrity and security of your system and network.</para>
 
     <para>After reading this chapter, you will know:</para>
 
     <itemizedlist>
       <listitem>
 	<para>Basic system security concepts, in respect to &os;.</para>
       </listitem>
 
       <listitem>
 	<para>About the various crypt mechanisms available in &os;,
 	  such as <acronym>DES</acronym> and <acronym>MD5</acronym>.</para>
       </listitem>
 
       <listitem>
 	<para>How to set up one-time password authentication.</para>
       </listitem>
 
       <listitem>
 	<para>How to configure <acronym>TCP</acronym> Wrappers for use
 	  with <command>inetd</command>.</para>
       </listitem>
 
       <listitem>
 	<para>How to set up <application>KerberosIV</application> on &os;
 	  releases prior to 5.0.</para>
       </listitem>
 
       <listitem>
 	<para>How to set up <application>Kerberos5</application> on
 	  post &os; 5.0 releases.</para>
       </listitem>
 
       <listitem>
 	<para>How to create firewalls using <acronym>PF</acronym>,
 	  IPFILTER (IPF) or <acronym>IPFW</acronym>.</para>
       </listitem>
 
       <listitem>
 	<para>How to configure IPsec and create a <acronym>VPN</acronym> between
 	&os;/&windows; machines.</para>
       </listitem>
      
       <listitem>
 	<para>How to configure and use <application>OpenSSH</application>, &os;'s <acronym>SSH</acronym>
 	  implementation.</para>
       </listitem>
 
       <listitem>
 	<para>What file system <acronym>ACL</acronym>s are and how to use them.</para>
       </listitem>
 
       <listitem>
 	<para>How to utilize the &os; security advisories
 	  publications.</para>
       </listitem>
 
     </itemizedlist>
 
     <para>Before reading this chapter, you should:</para>
 
     <itemizedlist>
       <listitem>
 	<para>Understand basic &os; and Internet concepts.</para>
       </listitem>
     </itemizedlist>
 
   </sect1>
 
   <sect1 id="security-intro">
     <title>Introduction</title>
 
     <para>Security is a function that begins and ends with the system
       administrator.  While all BSD &unix; multi-user systems have some
       inherent security, the job of building and maintaining additional
       security mechanisms to keep those users <quote>honest</quote> is
       probably one of the single largest undertakings of the sysadmin.
       Machines are only as secure as you make them, and security concerns
       are ever competing with the human necessity for convenience.  &unix;
       systems, in general, are capable of running a huge number of
       simultaneous processes and many of these processes operate as
       servers &mdash; meaning that external entities can connect and talk
       to them.  As yesterday's mini-computers and mainframes become
       today's desktops, and as computers become networked and
       internetwork, security becomes an even bigger issue.</para>
 
     <para>Security is best implemented through a layered
       <quote>onion</quote> approach.  In a nutshell, what you want to do is
       to create as many layers of security as are convenient and then
       carefully monitor the system for intrusions.  You do not want to
       overbuild your security or you will interfere with the detection
       side, and detection is one of the single most important aspects of
       any security mechanism.  For example, it makes little sense to set
       the <literal>schg</literal> flags (see &man.chflags.1;) on every 
       system binary because
       while this may temporarily protect the binaries, it prevents an
       attacker who has broken in from making an easily detectable change
       that may result in your security mechanisms not detecting the attacker
       at all.</para>
 
     <para>System security also pertains to dealing with various forms of
       attack, including attacks that attempt to crash, or otherwise make a
       system unusable, but do not attempt to compromise the
       <username>root</username> account (<quote>break root</quote>).
       Security concerns
       can be split up into several categories:</para>
 
     <orderedlist>
       <listitem>
 	<para>Denial of service attacks.</para>
       </listitem>
 
       <listitem>
 	<para>User account compromises.</para>
       </listitem>
 
       <listitem>
 	<para>Root compromise through accessible servers.</para>
       </listitem>
 
       <listitem>
 	<para>Root compromise via user accounts.</para>
       </listitem>
 
       <listitem>
 	<para>Backdoor creation.</para>
       </listitem>
     </orderedlist>
 
     <indexterm>
       <primary>DoS attacks</primary>
       <see>Denial of Service (DoS)</see>
     </indexterm>
     <indexterm>
       <primary>security</primary>
       <secondary>DoS attacks</secondary>
       <see>Denial of Service (DoS)</see>
     </indexterm>
     <indexterm><primary>Denial of Service (DoS)</primary></indexterm>
 
     <para>A denial of service attack is an action that deprives the
       machine of needed resources.  Typically, DoS attacks are
       brute-force mechanisms that attempt to crash or otherwise make a
       machine unusable by overwhelming its servers or network stack.  Some
       DoS attacks try to take advantage of bugs in the networking
       stack to crash a machine with a single packet.  The latter can only
       be fixed by applying a bug fix to the kernel.  Attacks on servers
       can often be fixed by properly specifying options to limit the load
       the servers incur on the system under adverse conditions.
       Brute-force network attacks are harder to deal with.  A
       spoofed-packet attack, for example, is nearly impossible to stop,
       short of cutting your system off from the Internet.  It may not be
       able to take your machine down, but it can saturate your
       Internet connection.</para>
 
     <indexterm>
       <primary>security</primary>
       <secondary>account compromises</secondary>
     </indexterm>
 
     <para>A user account compromise is even more common than a DoS
       attack.  Many sysadmins still run standard 
       <application>telnetd</application>, <application>rlogind</application>,
       <application>rshd</application>,
       and <application>ftpd</application> servers on their machines.
       These servers, by default, do
       not operate over encrypted connections.  The result is that if you
       have any moderate-sized user base, one or more of your users logging
       into your system from a remote location (which is the most common
       and convenient way to login to a system) will have his or her
       password sniffed.  The attentive system admin will analyze his
       remote access logs looking for suspicious source addresses even for
       successful logins.</para>
 
     <para>One must always assume that once an attacker has access to a
       user account, the attacker can break <username>root</username>.
       However, the reality is that in a well secured and maintained system,
       access to a user account does not necessarily give the attacker
       access to <username>root</username>.  The distinction is important
       because without access to <username>root</username> the attacker
       cannot generally hide his tracks and may, at best, be able to do
       nothing more than mess with the user's files, or crash the machine.
       User account compromises are very common because users tend not to
       take the precautions that sysadmins take.</para>
 
     <indexterm>
       <primary>security</primary>
       <secondary>backdoors</secondary>
     </indexterm>
 
     <para>System administrators must keep in mind that there are
       potentially many ways to break <username>root</username> on a machine.
       The attacker may know the <username>root</username> password,
       the attacker may find a bug in a root-run server and be able
       to break <username>root</username> over a network
       connection to that server, or the attacker may know of a bug in
       a suid-root program that allows the attacker to break
       <username>root</username> once he has broken into a user's account.
       If an attacker has found a way to break <username>root</username>
       on a machine, the attacker may not have a need
       to install a backdoor.  Many of the <username>root</username> holes
       found and closed to date involve a considerable amount of work
       by the attacker to cleanup after himself, so most attackers install
       backdoors.  A backdoor provides the attacker with a way to easily
       regain <username>root</username> access to the system, but it
       also gives the smart system administrator a convenient way
       to detect the intrusion.
       Making it impossible for an attacker to install a backdoor may
       actually be detrimental to your security, because it will not
       close off the hole the attacker found to break in the first
       place.</para>
 
 
     <para>Security remedies should always be implemented with a
       multi-layered <quote>onion peel</quote> approach and can be
       categorized as follows:</para>
 
     <orderedlist>
       <listitem>
 	<para>Securing <username>root</username> and staff accounts.</para>
       </listitem>
 
       <listitem>
 	<para>Securing <username>root</username>&ndash;run servers
 	  and suid/sgid binaries.</para>
       </listitem>
 
       <listitem>
 	<para>Securing user accounts.</para>
       </listitem>
 
       <listitem>
 	<para>Securing the password file.</para>
       </listitem>
 
       <listitem>
 	<para>Securing the kernel core, raw devices, and
 	  file systems.</para>
       </listitem>
 
       <listitem>
 	<para>Quick detection of inappropriate changes made to the
 	  system.</para>
       </listitem>
 
       <listitem>
 	<para>Paranoia.</para>
       </listitem>
     </orderedlist>
 
     <para>The next section of this chapter will cover the above bullet
       items in greater depth.</para>
   </sect1>
 
   <sect1 id="securing-freebsd">
     <title>Securing &os;</title>
     <indexterm>
       <primary>security</primary>
       <secondary>securing &os;</secondary>
     </indexterm>
 
     <note>
       <title>Command vs. Protocol</title>
       <para>Throughout this document, we will use
        <application>bold</application> text to refer to an
        application, and a <command>monospaced</command> font to refer
        to specific commands.  Protocols will use a normal font.  This
        typographical distinction is useful for instances such as ssh,
        since it is
        a protocol as well as command.</para>
     </note>
 
     <para>The sections that follow will cover the methods of securing your
       &os; system that were mentioned in the <link
         linkend="security-intro">last section</link> of this chapter.</para>
 
     <sect2 id="securing-root-and-staff">
       <title>Securing the <username>root</username> Account and
 	Staff Accounts</title>
       <indexterm>
         <primary><command>su</command></primary>
       </indexterm>
 
       <para>First off, do not bother securing staff accounts if you have
 	not secured the <username>root</username> account.
 	Most systems have a password assigned to the <username>root</username>
 	account.  The first thing you do is assume
 	that the password is <emphasis>always</emphasis> compromised.
 	This does not mean that you should remove the password.  The
 	password is almost always necessary for console access to the
 	machine.  What it does mean is that you should not make it
 	possible to use the password outside of the console or possibly
 	even with the &man.su.1; command.  For example, make sure that
 	your ptys are specified as being insecure in the
 	<filename>/etc/ttys</filename> file so that direct
 	<username>root</username> logins
 	via <command>telnet</command> or <command>rlogin</command> are
 	disallowed.  If using other login services such as
         <application>sshd</application>, make sure that direct
 	<username>root</username> logins are disabled there as well.
 	You can do this by editing
         your <filename>/etc/ssh/sshd_config</filename> file, and making
         sure that <literal>PermitRootLogin</literal> is set to
         <literal>NO</literal>.  Consider every access method &mdash;
         services such as FTP often fall through the cracks.
 	Direct <username>root</username> logins should only be allowed
 	via the system console.</para>
       <indexterm>
         <primary><groupname>wheel</groupname></primary>
       </indexterm>
 
       <para>Of course, as a sysadmin you have to be able to get to
 	<username>root</username>, so we open up a few holes.
 	But we make sure these holes require additional password
 	verification to operate.  One way to make <username>root</username>
 	accessible is to add appropriate staff accounts to the
 	<groupname>wheel</groupname> group (in
 	<filename>/etc/group</filename>).  The staff members placed in the
 	<groupname>wheel</groupname> group are allowed to
 	<command>su</command> to <username>root</username>.
 	You should never give staff
 	members native <groupname>wheel</groupname> access by putting them in the
 	<groupname>wheel</groupname> group in their password entry.  Staff
 	accounts should be placed in a <groupname>staff</groupname> group, and
 	then added to the <groupname>wheel</groupname> group via the
 	<filename>/etc/group</filename> file.  Only those staff members
 	who actually need to have <username>root</username> access
 	should be placed in the
 	<groupname>wheel</groupname> group.  It is also possible, when using
 	an authentication method such as Kerberos, to use Kerberos'
 	<filename>.k5login</filename> file in the <username>root</username>
 	account to allow a &man.ksu.1; to <username>root</username>
 	without having to place anyone at all in the
 	<groupname>wheel</groupname> group.  This may be the better solution
 	since the <groupname>wheel</groupname> mechanism still allows an
 	intruder to break <username>root</username> if the intruder
 	has gotten hold of your
 	password file and can break into a staff account.  While having
 	the <groupname>wheel</groupname> mechanism is better than having
 	nothing at all, it is not necessarily the safest option.</para>
 
       <!-- XXX:
 	This will need updating depending on the outcome of PR bin/71147.
 	Personally I know what I'd like to see, which puts this in definite
 	need of a rewrite, but we'll have to wait and see.  ceri@
       -->
 
       <para>An indirect way to secure staff accounts, and ultimately
         <username>root</username> access is to use an alternative
 	login access method and
         do what is known as <quote>starring</quote> out the encrypted
         password for the staff accounts.  Using the &man.vipw.8;
         command, one can replace each instance of an encrypted password
         with a single <quote><literal>*</literal></quote> character.
 	This command will update the <filename>/etc/master.passwd</filename>
 	file and user/password database to disable password-authenticated
         logins.</para>
 
       <para>A staff account entry such as:</para>
 
       <programlisting>foobar:R9DT/Fa1/LV9U:1000:1000::0:0:Foo Bar:/home/foobar:/usr/local/bin/tcsh</programlisting>
 
       <para>Should be changed to this:</para>
 
       <programlisting>foobar:*:1000:1000::0:0:Foo Bar:/home/foobar:/usr/local/bin/tcsh</programlisting>
 
       <para>This change will prevent normal logins from occurring,
         since the encrypted password will never match
         <quote><literal>*</literal></quote>.  With this done,
 	staff members must use
         another mechanism to authenticate themselves such as
         &man.kerberos.1; or &man.ssh.1; using a public/private key
         pair.  When using something like Kerberos, one generally must
         secure the machines which run the Kerberos servers and your
         desktop workstation.  When using a public/private key pair
         with ssh, one must generally secure
         the machine used to login <emphasis>from</emphasis> (typically
         one's workstation).  An additional layer of protection can be
         added to the key pair by password protecting the key pair when
         creating it with &man.ssh-keygen.1;.  Being able to
         <quote>star</quote> out the passwords for staff accounts also
         guarantees that staff members can only login through secure
         access methods that you have set up.  This forces all staff
         members to use secure, encrypted connections for all of their
         sessions, which closes an important hole used by many
         intruders: sniffing the network from an unrelated,
         less secure machine.</para>
 
       <para>The more indirect security mechanisms also assume that you are
 	logging in from a more restrictive server to a less restrictive
 	server.  For example, if your main box is running all sorts of
 	servers, your workstation should not be running any.  In order for
 	your workstation to be reasonably secure you should run as few
 	servers as possible, up to and including no servers at all, and
 	you should run a password-protected screen blanker.  Of course,
 	given physical access to a workstation an attacker can break any
 	sort of security you put on it.  This is definitely a problem that
 	you should consider, but you should also consider the fact that the
 	vast majority of break-ins occur remotely, over a network, from
 	people who do not have physical access to your workstation or
 	servers.</para>
       <indexterm><primary>KerberosIV</primary></indexterm>
 
       <para>Using something like Kerberos also gives you the ability to
 	disable or change the password for a staff account in one place,
 	and have it immediately affect all the machines on which the staff
 	member may have an account.  If a staff member's account gets
 	compromised, the ability to instantly change his password on all
 	machines should not be underrated.  With discrete passwords,
 	changing a password on N machines can be a mess.  You can also
 	impose re-passwording restrictions with Kerberos:  not only can a
 	Kerberos ticket be made to timeout after a while, but the Kerberos
 	system can require that the user choose a new password after a
 	certain period of time (say, once a month).</para>
     </sect2>
 
     <sect2>
       <title>Securing Root-run Servers and SUID/SGID Binaries</title>
 
       <indexterm>
         <primary><command>ntalk</command></primary>
       </indexterm>
       <indexterm>
         <primary><command>comsat</command></primary>
       </indexterm>
       <indexterm>
         <primary><command>finger</command></primary>
       </indexterm>
       <indexterm>
         <primary>sandboxes</primary>
       </indexterm>
       <indexterm>
         <primary><application>sshd</application></primary>
       </indexterm>
       <indexterm>
         <primary><application>telnetd</application></primary>
       </indexterm>
       <indexterm>
         <primary><application>rshd</application></primary>
       </indexterm>
       <indexterm>
         <primary><application>rlogind</application></primary>
       </indexterm>
 
       <para>The prudent sysadmin only runs the servers he needs to, no
 	more, no less.  Be aware that third party servers are often the
 	most bug-prone.  For example, running an old version of
 	<application>imapd</application> or
 	<application>popper</application> is like giving a universal
 	<username>root</username> ticket out to the entire world.
 	Never run a server that you have not checked out carefully.
 	Many servers do not need to be run as <username>root</username>.
 	For example, the <application>ntalk</application>,
 	<application>comsat</application>, and
 	<application>finger</application> daemons can be run in special
 	user <firstterm>sandboxes</firstterm>.  A sandbox is not perfect,
 	unless you go through a large amount of trouble, but the onion
 	approach to security still stands: If someone is able to break
 	in through a server running in a sandbox, they still have to
 	break out of the sandbox.  The more layers the attacker must
 	break through, the lower the likelihood of his success.  Root
 	holes have historically been found in virtually every server
 	ever run as <username>root</username>, including basic system servers.
 	If you are running a machine through which people only login via
 	<application>sshd</application> and never login via
 	<application>telnetd</application> or
 	<application>rshd</application> or
 	<application>rlogind</application>, then turn off those
 	services!</para>
       
       <para>&os; now defaults to running
 	<application>ntalkd</application>,
 	<application>comsat</application>, and
 	<application>finger</application> in a sandbox.  Another program
 	which may be a candidate for running in a sandbox is &man.named.8;.
 	<filename>/etc/defaults/rc.conf</filename> includes the arguments
 	necessary to run <application>named</application> in a sandbox in a
 	commented-out form.  Depending on whether you are installing a new
 	system or upgrading an existing system, the special user accounts
 	used by these sandboxes may not be installed.  The prudent
 	sysadmin would research and implement sandboxes for servers
 	whenever possible.</para>
       <indexterm>
         <primary><application>sendmail</application></primary>
       </indexterm>
 
       <para>There are a number of other servers that typically do not run
 	in sandboxes: <application>sendmail</application>,
 	<application>popper</application>,
 	<application>imapd</application>, <application>ftpd</application>,
 	and others.  There are alternatives to some of these, but
 	installing them may require more work than you are willing to
 	perform (the convenience factor strikes again).  You may have to
 	run these servers as <username>root</username> and rely on other
 	mechanisms to detect break-ins that might occur through them.</para>
 
       <para>The other big potential <username>root</username> holes in a
 	system are the
 	suid-root and sgid binaries installed on the system.  Most of
 	these binaries, such as <application>rlogin</application>, reside
 	in <filename>/bin</filename>, <filename>/sbin</filename>,
 	<filename>/usr/bin</filename>, or <filename>/usr/sbin</filename>.
 	While nothing is 100% safe, the system-default suid and sgid
 	binaries can be considered reasonably safe.  Still,
 	<username>root</username> holes are occasionally found in these
 	binaries.  A <username>root</username> hole was found in
 	<literal>Xlib</literal> in 1998 that made
 	<application>xterm</application> (which is typically suid)
 	vulnerable.  It is better to be safe than sorry and the prudent
 	sysadmin will restrict suid binaries, that only staff should run,
 	to a special group that only staff can access, and get rid of
 	(<command>chmod 000</command>) any suid binaries that nobody uses.
 	A server with no display generally does not need an
 	<application>xterm</application> binary.  Sgid binaries can be
 	almost as dangerous.  If an intruder can break an sgid-kmem binary,
 	the intruder might be able to read <filename>/dev/kmem</filename>
 	and thus read the encrypted password file, potentially compromising
 	any passworded account.  Alternatively an intruder who breaks
 	group <literal>kmem</literal> can monitor keystrokes sent through
 	ptys, including Pt's used by users who login through secure
 	methods.  An intruder that breaks the <groupname>tty</groupname>
 	group can write to
 	almost any user's tty.  If a user is running a terminal program or
 	emulator with a keyboard-simulation feature, the intruder can
 	potentially generate a data stream that causes the user's terminal
 	to echo a command, which is then run as that user.</para>
     </sect2>
 
     <sect2 id="secure-users">
       <title>Securing User Accounts</title>
 
       <para>User accounts are usually the most difficult to secure.  While
 	you can impose Draconian access restrictions on your staff and
 	<quote>star</quote> out their passwords, you may not be able to
 	do so with any general user accounts you might have.  If you do
 	have sufficient control, then you may win out and be able to secure
 	the user accounts properly.  If not, you simply have to be more
 	vigilant in your monitoring of those accounts.  Use of
 	ssh and Kerberos for user accounts is
 	more problematic, due to the extra administration and technical
 	support required, but still a very good solution compared to a
 	crypted password file.</para>
     </sect2>
 
     <sect2>
       <title>Securing the Password File</title>
 
       <para>The only sure fire way is to <literal>*</literal> out as many
 	passwords as you can and use ssh or
 	Kerberos for access to those accounts.  Even though the encrypted
 	password file (<filename>/etc/spwd.db</filename>) can only be read
 	by <username>root</username>, it may be possible for an intruder
 	to obtain read access to that file even if the attacker cannot
 	obtain root-write access.</para>
 
       <para>Your security scripts should always check for and report
 	changes to the password file (see the <link
 	  linkend="security-integrity">Checking file integrity</link> section
 	below).</para>
     </sect2>
 
     <sect2>
       <title>Securing the Kernel Core, Raw Devices, and
 	File systems</title>
 
       <para>If an attacker breaks <username>root</username> he can do
         just about anything, but
 	there are certain conveniences.  For example, most modern kernels
 	have a packet sniffing device driver built in.  Under &os; it
 	is called the <devicename>bpf</devicename> device.  An intruder
 	will commonly attempt to run a packet sniffer on a compromised
 	machine.  You do not need to give the intruder the capability and
 	most systems do not have the need for the
 	<devicename>bpf</devicename> device compiled in.</para>
 
       <indexterm>
         <primary><command>sysctl</command></primary>
       </indexterm>
       <para>But even if you turn off the <devicename>bpf</devicename>
 	device, you still have
 	<filename>/dev/mem</filename> and 
 	<filename>/dev/kmem</filename>
 	to worry about.  For that matter, the intruder can still write to
 	raw disk devices.  Also, there is another kernel feature called
 	the module loader, &man.kldload.8;.  An enterprising intruder can
 	use a KLD module to install his own <devicename>bpf</devicename>
 	device, or other sniffing
 	device, on a running kernel.  To avoid these problems you have to
 	run the kernel at a higher secure level, at least securelevel 1.
 	The securelevel can be set with a <command>sysctl</command> on
 	the <varname>kern.securelevel</varname> variable.  Once you have
 	set the securelevel to 1, write access to raw devices will be
 	denied and special <command>chflags</command> flags,
 	such as <literal>schg</literal>,
 	will be enforced.  You must also ensure that the
 	<literal>schg</literal> flag is set on critical startup binaries,
 	directories, and script files &mdash; everything that gets run up
 	to the point where the securelevel is set.  This might be overdoing
 	it, and upgrading the system is much more difficult when you
 	operate at a higher secure level.  You may compromise and run the
 	system at a higher secure level but not set the
 	<literal>schg</literal> flag for every system file and directory
 	under the sun.  Another possibility is to simply mount
 	<filename>/</filename> and <filename>/usr</filename> read-only.
 	It should be noted that being too Draconian in what you attempt to
 	protect may prevent the all-important detection of an
 	intrusion.</para>
     </sect2>
 
     <sect2 id="security-integrity">
       <title>Checking File Integrity: Binaries, Configuration Files,
 	Etc.</title>
 
       <para>When it comes right down to it, you can only protect your core
 	system configuration and control files so much before the
 	convenience factor rears its ugly head.  For example, using
 	<command>chflags</command> to set the <literal>schg</literal> bit
 	on most of the files in <filename>/</filename> and
 	<filename>/usr</filename> is probably counterproductive, because
 	while it may protect the files, it also closes a detection window.
 	The last layer of your security onion is perhaps the most
 	important &mdash; detection.  The rest of your security is pretty
 	much useless (or, worse, presents you with a false sense of
 	safety) if you cannot detect potential incursions.  Half the job
 	of the onion is to slow down the attacker, rather than stop him, in
 	order to give the detection side of the equation a chance to catch
 	him in the act.</para>
 
       <para>The best way to detect an incursion is to look for modified,
 	missing, or unexpected files.  The best way to look for modified
 	files is from another (often centralized) limited-access system.
 	Writing your security scripts on the extra-secure limited-access
 	system makes them mostly invisible to potential attackers, and this
 	is important.  In order to take maximum advantage you generally
 	have to give the limited-access box significant access to the
 	other machines in the business, usually either by doing a
 	read-only NFS export of the other machines to the limited-access
 	box, or by setting up ssh key-pairs to
 	allow the limited-access box to ssh to
 	the other machines.  Except for its network traffic, NFS is the
 	least visible method &mdash; allowing you to monitor the
 	file systems on each client box virtually undetected.  If your
 	limited-access server is connected to the client boxes through a
 	switch, the NFS method is often the better choice.  If your
 	limited-access server is connected to the client boxes through a
 	hub, or through several layers of routing, the NFS method may be
 	too insecure (network-wise) and using
 	ssh may be the better choice even with
 	the audit-trail tracks that ssh
 	lays.</para>
 
       <para>Once you give a limited-access box, at least read access to the
 	client systems it is supposed to monitor, you must write scripts
 	to do the actual monitoring.  Given an NFS mount, you can write
 	scripts out of simple system utilities such as &man.find.1; and
 	&man.md5.1;.  It is best to physically md5 the client-box files
 	at least once a day, and to test control files such as those
 	found in <filename>/etc</filename> and
 	<filename>/usr/local/etc</filename> even more often.  When
 	mismatches are found, relative to the base md5 information the
 	limited-access machine knows is valid, it should scream at a
 	sysadmin to go check it out.  A good security script will also
 	check for inappropriate suid binaries and for new or deleted files
 	on system partitions such as <filename>/</filename> and
 	<filename>/usr</filename>.</para>
 
       <para>When using ssh rather than NFS,
 	writing the security script is much more difficult.   You
 	essentially have to <command>scp</command> the scripts to the client 
 	box in order to
 	run them, making them visible, and for safety you also need to
 	<command>scp</command> the binaries (such as find) that those
 	scripts use.  The <application>ssh</application> client on the
 	client box may already be compromised.  All in all, using
 	ssh may be necessary when running over
 	insecure links, but it is also a lot harder to deal with.</para>
 
       <para>A good security script will also check for changes to user and
 	staff members access configuration files:
 	<filename>.rhosts</filename>, <filename>.shosts</filename>,
 	<filename>.ssh/authorized_keys</filename> and so forth&hellip;
 	files that might fall outside the purview of the
 	<literal>MD5</literal> check.</para>
 
       <para>If you have a huge amount of user disk space, it may take too
 	long to run through every file on those partitions.  In this case,
 	setting mount flags to disallow suid binaries and devices on those
 	partitions is a good idea.  The <literal>nodev</literal> and
 	<literal>nosuid</literal> options (see &man.mount.8;) are what you
 	want to look into.  You should probably scan them anyway, at least
 	once a week, since the object of this layer is to detect a break-in
 	whether or not the break-in is effective.</para>
 
       <para>Process accounting (see &man.accton.8;) is a relatively
 	low-overhead feature of the operating system which might help
 	as a post-break-in evaluation mechanism.  It is especially
 	useful in tracking down how an intruder has actually broken into
 	a system, assuming the file is still intact after the break-in
 	occurs.</para>
 
       <para>Finally, security scripts should process the log files, and the
 	logs themselves should be generated in as secure a manner as
 	possible &mdash; remote syslog can be very useful.  An intruder
 	tries to cover his tracks, and log files are critical to the
 	sysadmin trying to track down the time and method of the initial
 	break-in.  One way to keep a permanent record of the log files is
 	to run the system console to a serial port and collect the
 	information on a continuing basis through a secure machine
 	monitoring the consoles.</para>
     </sect2>
 
     <sect2>
       <title>Paranoia</title>
 
       <para>A little paranoia never hurts.  As a rule, a sysadmin can add
 	any number of security features, as long as they do not affect
 	convenience, and can add security features that
 	<emphasis>do</emphasis> affect convenience with some added thought.
 	Even more importantly, a security administrator should mix it up a
 	bit &mdash; if you use recommendations such as those given by this
 	document verbatim, you give away your methodologies to the
 	prospective attacker who also has access to this document.</para>
     </sect2>
 
     <sect2>
       <title>Denial of Service Attacks</title>
       <indexterm><primary>Denial of Service (DoS)</primary></indexterm>
 
       <para>This section covers Denial of Service attacks.  A DoS attack
 	is typically a packet attack.  While there is not much you can do
 	about modern spoofed packet attacks that saturate your network,
 	you can generally limit the damage by ensuring that the attacks
 	cannot take down your servers.</para>
 
       <orderedlist>
 	<listitem>
 	  <para>Limiting server forks.</para>
 	</listitem>
 
 	<listitem>
 	  <para>Limiting springboard attacks (ICMP response attacks, ping
 	    broadcast, etc.).</para>
 	</listitem>
 
 	<listitem>
 	  <para>Kernel Route Cache.</para>
 	</listitem>
       </orderedlist>
 
       <para>A common DoS attack is against a forking server that attempts
 	to cause the server to eat processes, file descriptors, and memory,
 	until the machine dies.  <application>inetd</application>
 	(see &man.inetd.8;) has several
 	options to limit this sort of attack.  It should be noted that
 	while it is possible to prevent a machine from going down, it is
 	not generally possible to prevent a service from being disrupted
 	by the attack.  Read the <application>inetd</application> manual
 	page carefully and pay
 	specific attention to the <option>-c</option>, <option>-C</option>,
 	and <option>-R</option> options.  Note that spoofed-IP attacks
 	will circumvent the <option>-C</option> option to 
 	<application>inetd</application>, so
 	typically a combination of options must be used.  Some standalone
 	servers have self-fork-limitation parameters.</para>
 
       <para><application>Sendmail</application> has its
 	<option>-OMaxDaemonChildren</option> option, which tends to work
 	much better than trying to use sendmail's load limiting options
 	due to the load lag.  You should specify a
 	<literal>MaxDaemonChildren</literal> parameter, when you start
 	<application>sendmail</application>, high enough to handle your
 	expected load, but not so high that the computer cannot handle that
 	number of <application>sendmails</application> without falling on
 	its face.  It is also prudent to run sendmail in queued mode
 	(<option>-ODeliveryMode=queued</option>) and to run the daemon
 	(<command>sendmail -bd</command>) separate from the queue-runs
 	(<command>sendmail -q15m</command>).  If you still want real-time
 	delivery you can run the queue at a much lower interval, such as
 	<option>-q1m</option>, but be sure to specify a reasonable
 	<literal>MaxDaemonChildren</literal> option for
 	<emphasis>that</emphasis> sendmail to prevent cascade failures.</para>
 
       <para><application>Syslogd</application> can be attacked directly
 	and it is strongly recommended that you use the <option>-s</option>
 	option whenever possible, and the <option>-a</option> option
 	otherwise.</para>
 
       <para>You should also be fairly careful with connect-back services
 	such as <application>tcpwrapper</application>'s reverse-identd,
 	which can be attacked directly.  You generally do not want to use
 	the reverse-ident feature of
 	<application>tcpwrappers</application> for this reason.</para>
 
       <para>It is a very good idea to protect internal services from
 	external access by firewalling them off at your border routers.
 	The idea here is to prevent saturation attacks from outside your
 	LAN, not so much to protect internal services from network-based
 	<username>root</username> compromise.
 	Always configure an exclusive firewall, i.e.,
 	<quote>firewall everything <emphasis>except</emphasis> ports A, B,
 	C, D, and M-Z</quote>.  This way you can firewall off all of your
 	low ports except for certain specific services such as
 	<application>named</application> (if you are primary for a zone),
 	<application>ntalkd</application>,
 	<application>sendmail</application>, and other Internet-accessible
 	services.  If you try to configure the firewall the other way
 	&mdash; as an inclusive or permissive firewall, there is a good
 	chance that you will forget to <quote>close</quote> a couple of
 	services, or that you will add a new internal service and forget
 	to update the firewall.  You can still open up the high-numbered
 	port range on the firewall, to allow permissive-like operation,
 	without compromising your low ports.  Also take note that &os;
 	allows you to control the range of port numbers used for dynamic
 	binding, via the various <varname>net.inet.ip.portrange</varname>
 	<command>sysctl</command>'s (<command>sysctl -a | fgrep
 	portrange</command>), which can also ease the complexity of your
 	firewall's configuration.  For example, you might use a normal
 	first/last range of 4000 to 5000, and a hiport range of 49152 to
 	65535, then block off everything under 4000 in your firewall
 	(except for certain specific Internet-accessible ports, of
 	course).</para>
 
       <indexterm><primary>ICMP_BANDLIM</primary></indexterm>
 
       <para>Another common DoS attack is called a springboard attack
 	&mdash; to attack a server in a manner that causes the server to
 	generate responses which overloads the server, the local
 	network, or some other machine.  The most common attack of this
 	nature is the <emphasis>ICMP ping broadcast attack</emphasis>.
 	The attacker spoofs ping packets sent to your LAN's broadcast
 	address with the source IP address set to the actual machine they
 	wish to attack.  If your border routers are not configured to
 	stomp on ping's to broadcast addresses, your LAN winds up
 	generating sufficient responses to the spoofed source address to
 	saturate the victim, especially when the attacker uses the same
 	trick on several dozen broadcast addresses over several dozen
 	different networks at once.  Broadcast attacks of over a hundred
 	and twenty megabits have been measured.  A second common
 	springboard attack is against the ICMP error reporting system.
 	By constructing packets that generate ICMP error responses, an
 	attacker can saturate a server's incoming network and cause the
 	server to saturate its outgoing network with ICMP responses.  This
 	type of attack can also crash the server by running it out of
 	mbuf's, especially if the server cannot drain the ICMP responses
 	it generates fast enough.  The &os; kernel has a new kernel
 	compile option called <option>ICMP_BANDLIM</option>
 	which limits the effectiveness
 	of these sorts of attacks.  The last major class of springboard
 	attacks is related to certain internal 
 	<application>inetd</application> services such as the
 	udp echo service.  An attacker simply spoofs a UDP packet with the
 	source address being server A's echo port, and the destination
 	address being server B's echo port, where server A and B are both
 	on your LAN.  The two servers then bounce this one packet back and
 	forth between each other.  The attacker can overload both servers
 	and their LANs simply by injecting a few packets in this manner.
 	Similar problems exist with the internal 
 	<application>chargen</application> port.  A
 	competent sysadmin will turn off all of these inetd-internal test
 	services.</para>
 
       <para>Spoofed packet attacks may also be used to overload the kernel
 	route cache.  Refer to the <varname>net.inet.ip.rtexpire</varname>,
 	<varname>rtminexpire</varname>, and <varname>rtmaxcache</varname>
 	<command>sysctl</command> parameters.  A spoofed packet attack
 	that uses a random source IP will cause the kernel to generate a
 	temporary cached route in the route table, viewable with
 	<command>netstat -rna | fgrep W3</command>.  These routes
 	typically timeout in 1600 seconds or so.  If the kernel detects
 	that the cached route table has gotten too big it will dynamically
 	reduce the <varname>rtexpire</varname> but will never decrease it 
 	to less than <varname>rtminexpire</varname>.  There are two 
 	problems:</para>
 	
       <orderedlist>
 	<listitem>
 	  <para>The kernel does not react quickly enough when a lightly
 	    loaded server is suddenly attacked.</para>
 	</listitem>
 	
 	<listitem>
 	  <para>The <varname>rtminexpire</varname> is not low enough for
 	    the kernel to survive a sustained attack.</para>
 	</listitem>
       </orderedlist>
       
       <para>If your servers are connected to the Internet via a T3 or
         better, it may be prudent to manually override both
 	<varname>rtexpire</varname> and <varname>rtminexpire</varname>
 	via &man.sysctl.8;.  Never set either parameter to zero (unless
 	you want to crash the machine).  Setting both
 	parameters to 2 seconds should be sufficient to protect the route
 	table from attack.</para>
     </sect2>
 
     <sect2>
       <title>Access Issues with Kerberos and SSH</title>
       <indexterm><primary><command>ssh</command></primary></indexterm>
       <indexterm><primary>KerberosIV</primary></indexterm>
 
       <para>There are a few issues with both Kerberos and
 	ssh that need to be addressed if
 	you intend to use them.  Kerberos V is an excellent
 	authentication protocol, but there are bugs in the kerberized
 	<application>telnet</application> and
 	<application>rlogin</application> applications that make them
 	unsuitable for dealing with binary streams.  Also, by default
 	Kerberos does not encrypt a session unless you use the
 	<option>-x</option> option.  <application>ssh</application>
 	encrypts everything by default.</para>
 
       <para>ssh works quite well in every
 	respect except that it forwards encryption keys by default.  What
 	this means is that if you have a secure workstation holding keys
 	that give you access to the rest of the system, and you
 	ssh to an insecure machine, your keys
 	are usable.  The actual keys themselves are not exposed, but
 	ssh installs a forwarding port for the
 	duration of your login, and if an attacker has broken
 	<username>root</username> on the
 	insecure machine he can utilize that port to use your keys to gain
 	access to any other machine that your keys unlock.</para>
 
       <para>We recommend that you use ssh in
 	combination with Kerberos whenever possible for staff logins.
 	<application>ssh</application> can be compiled with Kerberos
 	support.  This reduces your reliance on potentially exposed
 	ssh keys while at the same time
 	protecting passwords via Kerberos.  ssh
 	keys should only be used for automated tasks from secure machines
 	(something that Kerberos is unsuited to do).  We also recommend that
 	you either turn off key-forwarding in the
 	ssh configuration, or that you make use
 	of the <literal>from=IP/DOMAIN</literal> option that
 	ssh allows in its
 	<filename>authorized_keys</filename> file to make the key only
 	usable to entities logging in from specific machines.</para>
     </sect2>
   </sect1>
 
   <sect1 id="crypt">
     <sect1info>
       <authorgroup>
 	<author>
 	  <firstname>Bill</firstname>
 	  <surname>Swingle</surname>
 	  <contrib>Parts rewritten and updated by </contrib>
 	</author>
       </authorgroup>
       <!-- 21 Mar 2000 -->
     </sect1info>
 
     <title>DES, MD5, and Crypt</title>
     <indexterm>
       <primary>security</primary>
       <secondary>crypt</secondary>
     </indexterm>
 
     <indexterm><primary>crypt</primary></indexterm>
     <indexterm><primary>DES</primary></indexterm>
     <indexterm><primary>MD5</primary></indexterm>
 
     <para>Every user on a &unix; system has a password associated with
       their account.  It seems obvious that these passwords need to be
       known only to the user and the actual operating system.  In
       order to keep these passwords secret, they are encrypted with
       what is known as a <quote>one-way hash</quote>, that is, they can
       only be easily encrypted but not decrypted.  In other words, what
       we told you a moment ago was obvious is not even true:  the
       operating system itself does not <emphasis>really</emphasis> know
       the password.  It only knows the <emphasis>encrypted</emphasis>
       form of the password.  The only way to get the
       <quote>plain-text</quote> password is by a brute force search of the
       space of possible passwords.</para>
 
     <para>Unfortunately the only secure way to encrypt passwords when
       &unix; came into being was based on DES, the Data Encryption
       Standard.  This was not such a problem for users resident in
       the US, but since the source code for DES could not be exported
       outside the US, &os; had to find a way to both comply with 
       US law and retain compatibility with all the other &unix;
       variants that still used DES.</para>
 
     <para>The solution was to divide up the encryption libraries 
       so that US users could install the DES libraries and use
       DES but international users still had an encryption method
       that could be exported abroad.  This is how &os; came to
       use MD5 as its default encryption method.  MD5 is believed to
       be more secure than DES, so installing DES is offered primarily
       for compatibility reasons.</para>
 
     <sect2>
       <title>Recognizing Your Crypt Mechanism</title>
 
       <para>Before &os;&nbsp;4.4 <filename>libcrypt.a</filename> was a
 	symbolic link pointing to the library which was used for
 	encryption. &os; 4.4 changed <filename>libcrypt.a</filename> to
 	provide a configurable password authentication hash library.
 	Currently the library supports DES, MD5 and Blowfish hash
 	functions.  By default &os; uses MD5 to encrypt
 	passwords.</para>
 
       <para>It is pretty easy to identify which encryption method 
 	&os; is set up to use.  Examining the encrypted passwords in
 	the <filename>/etc/master.passwd</filename> file is one way.
 	Passwords encrypted with the MD5 hash are longer than those
 	encrypted with the DES hash and also begin with the characters
 	<literal>&dollar;1&dollar;</literal>.  Passwords starting with
 	<literal>&dollar;2a&dollar;</literal> are encrypted with the
 	Blowfish hash function.  DES password strings do not
 	have any particular identifying characteristics, but they are
 	shorter than MD5 passwords, and are coded in a 64-character
 	alphabet which does not include the <literal>&dollar;</literal>
 	character, so a relatively short string which does not begin with
 	a dollar sign is very likely a DES password.</para>
 
       <para>The password format used for new passwords is controlled
 	by the <literal>passwd_format</literal> login capability in
 	<filename>/etc/login.conf</filename>, which takes values of
 	<literal>des</literal>, <literal>md5</literal> or
 	<literal>blf</literal>.  See the &man.login.conf.5; manual page
 	for more information about login capabilities.</para>
 
     </sect2>
   </sect1>
 
   <sect1 id="one-time-passwords">
     <title>One-time Passwords</title>
     <indexterm><primary>one-time passwords</primary></indexterm>
     <indexterm>
       <primary>security</primary>
       <secondary>one-time passwords</secondary>
     </indexterm>
 
     <para>S/Key is a one-time password scheme based on a one-way hash
       function.  &os; uses the MD4 hash for compatibility but other
       systems have used MD5 and DES-MAC.  S/Key has been part of the
       &os; base system since version 1.1.5 and is also used on a
       growing number of other operating systems.  S/Key is a registered
       trademark of Bell Communications Research, Inc.</para>
 
     <para>From version 5.0 of &os;, S/Key has been replaced with
       the functionally equivalent OPIE (One-time Passwords In
       Everything).  OPIE uses the MD5 hash by default.</para>
 
     <para>There are three different sorts of passwords which we will discuss
       below.  The first is your usual &unix; style or
       Kerberos password; we will call this a <quote>&unix; password</quote>.
       The second sort is the one-time password which is generated by the
       S/Key <command>key</command> program or the OPIE
       &man.opiekey.1; program and accepted by the
       <command>keyinit</command> or &man.opiepasswd.1; programs
       and the login prompt; we will
       call this a <quote>one-time password</quote>.  The final sort of
       password is the secret password which you give to the
       <command>key</command>/<command>opiekey</command> programs (and
       sometimes the
       <command>keyinit</command>/<command>opiepasswd</command> programs)
       which it uses to generate
       one-time passwords; we will call it a <quote>secret password</quote>
       or just unqualified <quote>password</quote>.</para>
 
     <para>The secret password does not have anything to do with your &unix;
       password; they can be the same but this is not recommended.  S/Key
       and OPIE secret passwords are not limited to 8 characters like old
       &unix; passwords<footnote><para>Under &os; the standard login
       password may be up to 128 characters in length.</para></footnote>,
       they can be as long as you like.  Passwords of six or
       seven word long phrases are fairly common.  For the most part, the
       S/Key or OPIE system operates completely independently of the &unix;
       password system.</para>
 
     <para>Besides the password, there are two other pieces of data that
       are important to S/Key and OPIE.  One is what is known as the
       <quote>seed</quote> or <quote>key</quote>, consisting of two letters
       and five digits.  The other is what is called the <quote>iteration
       count</quote>, a number between 1 and 100.  S/Key creates the
       one-time password by concatenating the seed and the secret password,
       then applying the MD4/MD5 hash as many times as specified by the
       iteration count and turning the result into six short English words.
       These six English words are your one-time password.  The
       authentication system (primarily PAM) keeps
       track of the last one-time password used, and the user is
       authenticated if the hash of the user-provided password is equal to
       the previous password.  Because a one-way hash is used it is
       impossible to generate future one-time passwords if a successfully
       used password is captured; the iteration count is decremented after
       each successful login to keep the user and the login program in
       sync.  When the iteration count gets down to 1, S/Key and OPIE must be
       reinitialized.</para>
 
     <para>There are three programs involved in each system
       which we will discuss below.  The <command>key</command> and
       <command>opiekey</command> programs accept an iteration
       count, a seed, and a secret password, and generate a one-time
       password or a consecutive list of one-time passwords.  The
       <command>keyinit</command> and <command>opiepasswd</command>
       programs are used to initialize S/Key and OPIE respectively,
       and to change passwords, iteration counts, or seeds; they
       take either a secret passphrase, or an iteration count,
       seed, and one-time password.  The <command>keyinfo</command>
       and <command>opieinfo</command> programs examine the
       relevant credentials files (<filename>/etc/skeykeys</filename> or
       <filename>/etc/opiekeys</filename>) and print out the invoking user's
       current iteration count and seed.</para>
 
     <para>There are four different sorts of operations we will cover.  The
       first is using <command>keyinit</command> or
       <command>opiepasswd</command> over a secure connection to set up
       one-time-passwords for the first time,  or to change your password
       or seed.  The second operation is using <command>keyinit</command>
       or <command>opiepasswd</command> over an insecure connection, in
       conjunction with <command>key</command> or <command>opiekey</command>
       over a secure connection,  to do the same.  The third is using
       <command>key</command>/<command>opiekey</command> to log in over
       an insecure connection.  The fourth is using <command>key</command>
       or <command>opiekey</command> to generate a number of keys which
       can be written down or printed out to carry with you when going to
       some location without secure connections to anywhere.</para>
 
     <sect2>
       <title>Secure Connection Initialization</title>
 
       <para>To initialize S/Key for the first time, change your password,
 	or change your seed while logged in over a secure connection
 	(e.g. on the console of a machine or via <application>ssh</application>), use the
 	<command>keyinit</command> command without any parameters while
 	logged in as yourself:</para>
 
       <screen>&prompt.user; <userinput>keyinit</userinput>
 Adding unfurl:
 Reminder - Only use this method if you are directly connected.
 If you are using telnet or rlogin exit with no password and use keyinit -s.
 Enter secret password: 
 Again secret password: 
 
 ID unfurl s/key is 99 to17757
 DEFY CLUB PRO NASH LACE SOFT</screen>
 
       <para>For OPIE, <command>opiepasswd</command> is used instead:</para>
 
       <screen>&prompt.user; <userinput>opiepasswd -c</userinput>
 [grimreaper] ~ $ opiepasswd -f -c
 Adding unfurl:
 Only use this method from the console; NEVER from remote. If you are using
 telnet, xterm, or a dial-in, type ^C now or exit with no password.
 Then run opiepasswd without the -c parameter.
 Using MD5 to compute responses.
 Enter new secret pass phrase:
 Again new secret pass phrase:
 ID unfurl OTP key is 499 to4268
 MOS MALL GOAT ARM AVID COED
 </screen>
 
       <para>At the <prompt>Enter new secret pass phrase:</prompt> or
         <prompt>Enter secret password:</prompt> prompts, you
 	should enter a password or phrase.  Remember, this is not the
 	password that you will use to login with, this is used to generate
 	your one-time login keys.  The <quote>ID</quote> line gives the
 	parameters of your particular instance: your login name, the
         iteration count, and seed.  When logging in the system
 	will remember these parameters and present them back to you so you
 	do not have to remember them.  The last line gives the particular
 	one-time password which corresponds to those parameters and your
 	secret password; if you were to re-login immediately, this
 	one-time password is the one you would use.</para>
     </sect2>
 
     <sect2>
       <title>Insecure Connection Initialization</title>
       
       <para>To initialize or change your secret password over an
 	insecure connection, you will need to already have a secure
 	connection to some place where you can run <command>key</command>
         or <command>opiekey</command>; this might be in the form of a
 	desk accessory on a &macintosh;, or a shell prompt on a machine you
 	trust.  You will also need to make up an iteration count (100 is
 	probably a good value), and you may make up your own seed or use a
 	randomly-generated one.  Over on the insecure connection (to the
 	machine you are initializing), use the <command>keyinit
 	-s</command> command:</para>
 
       <screen>&prompt.user; <userinput>keyinit -s</userinput>
 Updating unfurl:
 Old key: to17758
 Reminder you need the 6 English words from the key command.
 Enter sequence count from 1 to 9999: <userinput>100</userinput>
 Enter new key [default to17759]: 
 s/key 100 to 17759
 s/key access password:
 s/key access password:<userinput>CURE MIKE BANE HIM RACY GORE</userinput>
 </screen>
 
       <para>For OPIE, you need to use <command>opiepasswd</command>:</para>
 
       <screen>&prompt.user; <userinput>opiepasswd</userinput>
 
 Updating unfurl:
 You need the response from an OTP generator.
 Old secret pass phrase:
         otp-md5 498 to4268 ext
         Response: GAME GAG WELT OUT DOWN CHAT
 New secret pass phrase:
         otp-md5 499 to4269
         Response: LINE PAP MILK NELL BUOY TROY
 
 ID mark OTP key is 499 gr4269
 LINE PAP MILK NELL BUOY TROY
 </screen>
 
       <para>To accept the default seed (which the
 	<command>keyinit</command> program confusingly calls a
 	<literal>key</literal>), press <keycap>Return</keycap>.
 	Then before entering an
 	access password, move over to your secure connection or S/Key desk
 	accessory, and give it the same parameters:</para>
 
       <screen>&prompt.user; <userinput>key 100 to17759</userinput>
 Reminder - Do not use this program while logged in via telnet or rlogin.
 Enter secret password: <userinput>&lt;secret password&gt;</userinput>
 CURE MIKE BANE HIM RACY GORE</screen>
 
       <para>Or for OPIE:</para>
 
       <screen>&prompt.user; <userinput>opiekey 498 to4268</userinput>
 Using the MD5 algorithm to compute response.
 Reminder: Don't use opiekey from telnet or dial-in sessions.
 Enter secret pass phrase:
 GAME GAG WELT OUT DOWN CHAT
 </screen>
 
       <para>Now switch back over to the insecure connection, and copy the
 	one-time password generated over to the relevant program.</para>
     </sect2>
 
     <sect2>
       <title>Generating a Single One-time Password</title>
 
       <para>Once you have initialized S/Key or OPIE, when you login you will be 
 	presented with a prompt like this:</para>
 
 <screen>&prompt.user; <userinput>telnet example.com</userinput>
 Trying 10.0.0.1...
 Connected to example.com
 Escape character is '^]'.
 
 FreeBSD/i386 (example.com) (ttypa)
 
 login: <userinput>&lt;username&gt;</userinput>
 s/key 97 fw13894
 Password: </screen>
 
       <para>Or for OPIE:</para>
 
 <screen>&prompt.user; <userinput>telnet example.com</userinput>
 Trying 10.0.0.1...
 Connected to example.com
 Escape character is '^]'.
 
 FreeBSD/i386 (example.com) (ttypa)
 
 login: <userinput>&lt;username&gt;</userinput>
 otp-md5 498 gr4269 ext
 Password: </screen>
 
       <para>As a side note, the S/Key and OPIE prompts have a useful feature
 	(not shown here): if you press <keycap>Return</keycap>
 	at the password prompt, the
 	prompter will turn echo on, so you can see what you are
 	typing.  This can be extremely useful if you are attempting to
 	type in a password by hand, such as from a printout.</para>
 
       <indexterm><primary>MS-DOS</primary></indexterm>
       <indexterm><primary>Windows</primary></indexterm>
       <indexterm><primary>MacOS</primary></indexterm>
 
       <para>At this point you need to generate your one-time password to
 	answer this login prompt.  This must be done on a trusted system
 	that you can run <command>key</command> or
         <command>opiekey</command> on.  (There are versions of these for DOS,
 	&windows; and &macos; as well.) They need both the iteration count and
 	the seed as command line options.  You can cut-and-paste these
         right from the login prompt on the machine that you are logging
         in to.</para>
 
       <para>On the trusted system:</para>
 
       <screen>&prompt.user; <userinput>key 97 fw13894</userinput>
 Reminder - Do not use this program while logged in via telnet or rlogin.
 Enter secret password: 
 WELD LIP ACTS ENDS ME HAAG</screen>
 
       <para>For OPIE:</para>
 
       <screen>&prompt.user; <userinput>opiekey 498 to4268</userinput>
 Using the MD5 algorithm to compute response.
 Reminder: Don't use opiekey from telnet or dial-in sessions.
 Enter secret pass phrase:
 GAME GAG WELT OUT DOWN CHAT</screen>
 
       <para>Now that you have your one-time password you can continue
 	logging in:</para>
 
       <screen>login: <userinput>&lt;username&gt;</userinput>
 s/key 97 fw13894
 Password: <userinput>&lt;return to enable echo&gt;</userinput>
 s/key 97 fw13894
 Password [echo on]: WELD LIP ACTS ENDS ME HAAG
 Last login: Tue Mar 21 11:56:41 from 10.0.0.2 ... </screen>
 
     </sect2>
 
     <sect2>
       <title>Generating Multiple One-time Passwords</title>
 
       <para>Sometimes you have to go places where you do not have
 	access to a trusted machine or secure connection.  In this case,
 	it is possible to use the <command>key</command> and
 	<command>opiekey</command> commands to
 	generate a number of one-time passwords beforehand to be printed
 	out and taken with you.  For example:</para>
 
       <screen>&prompt.user; <userinput>key -n 5 30 zz99999</userinput>
 Reminder - Do not use this program while logged in via telnet or rlogin.
 Enter secret password: <userinput>&lt;secret password&gt;</userinput>
 26: SODA RUDE LEA LIND BUDD SILT 
 27: JILT SPY DUTY GLOW COWL ROT  
 28: THEM OW COLA RUNT BONG SCOT  
 29: COT MASH BARR BRIM NAN FLAG  
 30: CAN KNEE CAST NAME FOLK BILK</screen>
 
       <para>Or for OPIE:</para>
 
       <screen>&prompt.user; <userinput>opiekey -n 5 30 zz99999</userinput>
 Using the MD5 algorithm to compute response.
 Reminder: Don't use opiekey from telnet or dial-in sessions.
 Enter secret pass phrase: <userinput>&lt;secret password&gt;</userinput>
 26: JOAN BORE FOSS DES NAY QUIT
 27: LATE BIAS SLAY FOLK MUCH TRIG
 28: SALT TIN ANTI LOON NEAL USE
 29: RIO ODIN GO BYE FURY TIC
 30: GREW JIVE SAN GIRD BOIL PHI</screen>
 
       <para>The <option>-n 5</option> requests five keys in sequence, the
 	<option>30</option> specifies what the last iteration number
 	should be.  Note that these are printed out in
 	<emphasis>reverse</emphasis> order of eventual use.  If you are
 	really paranoid, you might want to write the results down by hand;
 	otherwise you can cut-and-paste into <command>lpr</command>.  Note
 	that each line shows both the iteration count and the one-time
 	password; you may still find it handy to scratch off passwords as
 	you use them.</para>
     </sect2>
 
     <sect2>
       <title>Restricting Use of &unix; Passwords</title>
 
       <para>S/Key can place restrictions on the use of &unix; passwords based
 	on the host name, user name, terminal port, or IP address of a
 	login session.  These restrictions can be found in the
 	configuration file <filename>/etc/skey.access</filename>.  The
 	&man.skey.access.5; manual page has more information on the complete
 	format of the file and also details some security cautions to be
 	aware of before depending on this file for security.</para>
 
       <para>If there is no <filename>/etc/skey.access</filename> file
 	(this is the default on &os; 4.X systems), then all users will
 	be allowed to use &unix; passwords.  If the file exists, however,
 	then all users will be required to use S/Key unless explicitly
 	permitted to do otherwise by configuration statements in the
 	<filename>skey.access</filename> file.  In all cases, &unix;
 	passwords are permitted on the console.</para>
 
       <para>Here is a sample <filename>skey.access</filename> configuration
 	file which illustrates the three most common sorts of configuration
 	statements:</para>
 
       <programlisting>permit internet 192.168.0.0 255.255.0.0
 permit user fnord
 permit port ttyd0</programlisting>
 
       <para>The first line (<literal>permit internet</literal>) allows
 	users whose IP source address (which is vulnerable to spoofing)
 	matches the specified value and mask, to use &unix; passwords.  This
 	should not be considered a security mechanism, but rather, a means
 	to remind authorized users that they are using an insecure network
 	and need to use S/Key for authentication.</para>
 
       <para>The second line (<literal>permit user</literal>) allows the
 	specified username, in this case <username>fnord</username>, to use
 	&unix; passwords at any time.  Generally speaking, this should only
 	be used for people who are either unable to use the
 	<command>key</command> program, like those with dumb terminals, or
 	those who are ineducable.</para>
 
       <para>The third line (<literal>permit port</literal>) allows all
 	users logging in on the specified terminal line to use &unix;
 	passwords; this would be used for dial-ups.</para>
 
       <para>OPIE can restrict the use of &unix; passwords based on the IP
 	address of a login session just like S/Key does.  The relevant file
 	is <filename>/etc/opieaccess</filename>, which is present by default
 	on &os; 5.0 and newer systems.  Please check &man.opieaccess.5;
 	for more information on this file and which security considerations
 	you should be aware of when using it.</para>
 	
       <para>Here is a sample <filename>opieaccess</filename> file:</para>
 
       <programlisting>permit 192.168.0.0 255.255.0.0</programlisting>
 
       <para>This line allows users whose IP source address (which is
 	vulnerable to spoofing) matches the specified value and mask,
 	to use &unix; passwords at any time.</para>
 	
       <para>If no rules in <filename>opieaccess</filename> are matched,
 	the default is to deny non-OPIE logins.</para>
 
     </sect2>
   </sect1>
 
   <sect1 id="tcpwrappers">
     <sect1info>
       <authorgroup>
 	<author>
 	  <firstname>Tom</firstname>
 	  <surname>Rhodes</surname>
 	  <contrib>Written by: </contrib>
 	</author>
       </authorgroup>
     </sect1info>
 
     <indexterm><primary>TCP Wrappers</primary></indexterm>
       
     <title>TCP Wrappers</title>
 
     <para>Anyone familiar with &man.inetd.8; has probably heard
       of <acronym>TCP</acronym> Wrappers at some point.  But few
       individuals seem to fully comprehend its usefulness in a
       network environment.  It seems that everyone wants to
       install a firewall to handle network connections.  While a
       firewall has a wide variety of uses, there are some things
       that a firewall not handle such as sending text back to the
       connection originator.  The <acronym>TCP</acronym> software
       does this and much more.  In the next few sections many of
       the <acronym>TCP</acronym> Wrappers features will be discussed,
       and, when applicable, example configuration lines will be
       provided.</para>
 
     <para>The <acronym>TCP</acronym> Wrappers software extends the
       abilities of <command>inetd</command> to provide support for
       every server daemon under its control.  Using this method it
       is possible to provide logging support, return messages to
       connections, permit a daemon to only accept internal connections,
       etc.  While some of these features can be provided by implementing
       a firewall, this will add not only an extra layer of protection
       but go beyond the amount of control a firewall can
       provide.</para>
 
     <para>The added functionality of <acronym>TCP</acronym> Wrappers
       should not be considered a replacement for a good firewall;
       however, but should used in conjunction with a firewall and
       other security configurations to add an extra layer of protection
       for the system.</para>
 
     <para>Since this is an extension to the configuration of
       <command>inetd</command>, the reader is expected have
       read the <link linkend="network-inetd">inetd configuration</link>
       section.</para>
 
     <note>
       <para>While programs run by &man.inetd.8; are not exactly
 	<quote>daemons</quote>, they have traditionally been called
 	daemons.  This is the term we will use in this section too.</para>
     </note>
 
     <sect2>
       <title>Initial Configuration</title>
 
       <para>The only requirement of using <acronym>TCP</acronym>
 	Wrappers in &os; is to ensure the <command>inetd</command>
 	server is started from <filename>rc.conf</filename> with the
 	<option>-Ww</option> option; this is the default setting.  Of
 	course,	proper configuration of
 	<filename>/etc/hosts.allow</filename> is also expected, but
 	&man.syslogd.8; will throw messages in the system logs in
 	these cases.</para>
 
       <note>
 	<para>Unlike other implementations of <acronym>TCP</acronym>
 	  Wrappers, the use of <filename>hosts.deny</filename> has
 	  been deprecated.  All configuration options should be placed
 	  in <filename>/etc/hosts.allow</filename>.</para>
       </note>
 
       <para>In the simplest configuration, daemon connection policies
 	are set to either be permitted or blocked depending on the
 	options in <filename>/etc/hosts.allow</filename>.  The default
 	configuration in &os; is to allow a connection to every daemon
 	started with <command>inetd</command>.  Changing this will be
 	discussed only after the basic configuration is covered.</para>
 
       <para>Basic configuration usually takes the form of
 	<literal>daemon : address : action</literal>.  Where
 	<literal>daemon</literal> is the daemon name which
 	<command>inetd</command> started.  The
 	<literal>address</literal> can be a valid hostname, an
 	<acronym>IP</acronym> address or an IPv6 address enclosed in
 	brackets ([&nbsp;]).  The action field can be either allow
 	or deny	to grant or deny access appropriately.  Keep in mind
 	that configuration works off a first rule match semantic,
 	meaning that the configuration file is scanned in ascending
 	order for a matching rule.  When a match is found the rule
 	is applied and the search process will halt.</para>
 
       <para>Several other options exist but they will be explained
 	in a later section.  A simple configuration line may easily be
 	constructed from that information alone.  For example, to
 	allow <acronym>POP</acronym>3 connections via the
 	<filename role="package">mail/qpopper</filename> daemon,
 	the following lines should be appended to
 	<filename>hosts.allow</filename>:</para>
 
       <programlisting># This line is required for POP3 connections:
 qpopper : ALL : allow</programlisting>
 
       <para>After adding this line, <command>inetd</command> will need
 	restarted.  This can be accomplished by use of the &man.kill.1;
 	command, or with the <parameter>restart</parameter> parameter
 	with <filename>/etc/rc.d/inetd</filename>.</para>
       </sect2>
 
       <sect2>
         <title>Advanced Configuration</title>
 
       <para><acronym>TCP</acronym> Wrappers has advanced
 	options too; they will allow for more control over the
 	way connections are handled.  In some cases it may be
 	a good idea to return a comment to certain hosts or
 	daemon connections.  In other cases, perhaps a log file
 	should be recorded or an email sent to the administrator.
 	Other situations may require the use of a service for local
 	connections only.  This	is all possible through the use of
 	configuration options known as <literal>wildcards</literal>,
 	expansion characters and external command execution.  The
 	next two sections are written to cover these situations.</para>
 	
       <sect3>
 	<title>External Commands</title>
 
 	<para>Suppose that a situation occurs where a connection
 	  should be denied yet a reason should be sent to the
 	  individual who attempted to establish that connection.  How
 	  could it be done?  That action can be made possible by
 	  using the <option>twist</option> option.  When a connection
 	  attempt is made, <option>twist</option> will be called to
 	  execute a shell command or script.  An example already exists
 	  in the <filename>hosts.allow</filename> file:</para>
 
 	<programlisting># The rest of the daemons are protected.
 ALL : ALL \
         : severity auth.info \
         : twist /bin/echo "You are not welcome to use %d from %h."</programlisting>
 
 	<para>This example shows that the message,
 	  <quote>You are not allowed to use <literal>daemon</literal>
 	  from <literal>hostname</literal>.</quote> will be returned
 	  for any daemon not previously configured in the access file.
 	  This is extremely useful for sending a reply back to the
 	  connection initiator right after the established connection
 	  is dropped.  Note that any message returned
 	  <emphasis>must</emphasis> be wrapped in quote
 	  <literal>"</literal> characters; there are no exceptions to
 	  this rule.</para>
 
 	<warning>
 	  <para>It may be possible to launch a denial of service attack
 	    on the server if an attacker, or group of attackers could
 	    flood these daemons with connection requests.</para>
 	</warning>
 
 	<para>Another possibility is to use the <option>spawn</option>
 	  option in these cases.  Like <option>twist</option>, the
 	  <option>spawn</option> implicitly denies the connection and
 	  may be used to run external shell commands or scripts.
 	  Unlike <option>twist</option>, <option>spawn</option> will
 	  not send a reply back to the individual who established the
 	  connection.  For an example, consider the following
 	  configuration line:</para>
 
 	<programlisting># We do not allow connections from example.com:
 ALL : .example.com \
 	: spawn (/bin/echo %a from %h attempted to access %d &gt;&gt; \
 	  /var/log/connections.log) \
 	: deny</programlisting>
 
 	<para>This will deny all connection attempts from the
 	  <hostid role="fqdn">*.example.com</hostid> domain;
 	  simultaneously logging the hostname, <acronym>IP</acronym>
 	  address and the daemon which they attempted to access in the
 	  <filename>/var/log/connections.log</filename> file.</para>
 
 	<para>Aside from the already explained substitution characters
 	  above, e.g. %a, a few others exist.  See the
 	  &man.hosts.access.5; manual page for the complete list.</para>
       </sect3>
 
       <sect3>
 	<title>Wildcard Options</title>
 
 	<para>Thus far the <literal>ALL</literal> example has been used
 	  continuously throughout the examples.  Other options exist
 	  which could extend the functionality a bit further.  For
 	  instance, <literal>ALL</literal> may be used to match every
 	  instance of either a daemon, domain or an
 	  <acronym>IP</acronym> address. Another wildcard available is
 	  <literal>PARANOID</literal> which may be used to match any
 	  host which provides an <acronym>IP</acronym> address that may
 	  be forged.  In other words, <literal>paranoid</literal> may
 	  be used to define an action to be taken whenever a connection
 	  is made from an <acronym>IP</acronym> address that differs
 	  from its hostname.  The following example may shed some more
 	  light on this discussion:</para>
 
 	<programlisting># Block possibly spoofed requests to sendmail:
 sendmail : PARANOID : deny</programlisting>
 
 	<para>In that example all connection requests to
 	  <command>sendmail</command> which have an
 	  <acronym>IP</acronym> address that varies from its hostname
 	  will be denied.</para>
 
 	<caution>
 	  <para>Using the <literal>PARANOID</literal> may severely
 	    cripple servers if the client or server has a broken
 	    <acronym>DNS</acronym> setup.  Administrator discretion
 	    is advised.</para>
 	</caution>
 
 	<para>To learn more about wildcards and their associated
 	  functionality, see the &man.hosts.access.5; manual
 	  page.</para>
 
 	<para>Before any of the specific configuration lines above will
 	  work, the first configuration line should be commented out
 	  in <filename>hosts.allow</filename>.  This was noted at the
 	  beginning of this section.</para>
       </sect3>
     </sect2>
   </sect1>
 
   <sect1 id="kerberosIV">
     <sect1info>
       <authorgroup>
 	<author>
 	  <firstname>Mark</firstname>
 	  <surname>Murray</surname>
 	  <contrib>Contributed by </contrib>
 	</author>
       </authorgroup>
       <authorgroup>
 	<author>
 	  <firstname>Mark</firstname>
 	  <surname>Dapoz</surname>
 	  <contrib>Based on a contribution by </contrib>
 	</author>
       </authorgroup>
     </sect1info>
 
     <title><application>KerberosIV</application></title>
 
     <para>Kerberos is a network add-on system/protocol that allows users to
       authenticate themselves through the services of a secure server.
       Services such as remote login, remote copy, secure inter-system file
       copying and other high-risk tasks are made considerably safer and more
       controllable.</para>
 
     <para>The following instructions can be used as a guide on how to set up
       Kerberos as distributed for &os;. However, you should refer to the
       relevant manual pages for a complete description.</para>
 
     <sect2>
       <title>Installing <application>KerberosIV</application></title>
 
       <indexterm><primary>MIT</primary></indexterm>
       <indexterm>
 	<primary>KerberosIV</primary>
 	<secondary>Installing</secondary>
       </indexterm>
       <para>Kerberos is an optional component of &os;.  The easiest
         way to install this software is by selecting the <literal>krb4</literal> or
         <literal>krb5</literal> distribution in <application>sysinstall</application>
         during the initial installation of &os;. This will install
         the <quote>eBones</quote> (KerberosIV) or <quote>Heimdal</quote> (Kerberos5)
         implementation of Kerberos.  These implementations are
         included because they are developed outside the USA/Canada and
         were thus available to system owners outside those countries
         during the era of restrictive export controls on cryptographic
         code from the USA.</para>
 
       <para>Alternatively, the MIT implementation of Kerberos is
         available from the ports collection as
         <filename role="package">security/krb5</filename>.</para>
     </sect2>
 
     <sect2>
       <title>Creating the Initial Database</title>
       
       <para>This is done on the Kerberos server only.  First make sure that
 	you do not have any old Kerberos databases around.  You should change
 	to the directory <filename>/etc/kerberosIV</filename> and check that
 	only the following files are present:</para>
 	  
       <screen>&prompt.root; <userinput>cd /etc/kerberosIV</userinput>
 &prompt.root; <userinput>ls</userinput>
 README		krb.conf        krb.realms</screen>
 	  
       <para>If any additional files (such as <filename>principal.*</filename>
 	or <filename>master_key</filename>) exist, then use the
 	<command>kdb_destroy</command> command to destroy the old Kerberos
 	database, or if Kerberos is not running, simply delete the extra
 	files.</para>
 	  
       <para>You should now edit the <filename>krb.conf</filename> and
 	<filename>krb.realms</filename> files to define your Kerberos realm.
 	In this case the realm will be <literal>EXAMPLE.COM</literal> and the
 	server is <hostid role="fqdn">grunt.example.com</hostid>.  We edit
 	or create the <filename>krb.conf</filename> file:</para>
 	  
       <screen>&prompt.root; <userinput>cat krb.conf</userinput>
 EXAMPLE.COM
 EXAMPLE.COM grunt.example.com admin server
 CS.BERKELEY.EDU okeeffe.berkeley.edu
 ATHENA.MIT.EDU kerberos.mit.edu
 ATHENA.MIT.EDU kerberos-1.mit.edu
 ATHENA.MIT.EDU kerberos-2.mit.edu
 ATHENA.MIT.EDU kerberos-3.mit.edu
 LCS.MIT.EDU kerberos.lcs.mit.edu
 TELECOM.MIT.EDU bitsy.mit.edu
 ARC.NASA.GOV trident.arc.nasa.gov</screen>
 	  
       <para>In this case, the other realms do not need to be there.  They are
 	here as an example of how a machine may be made aware of multiple
 	realms.  You may wish to not include them for simplicity.</para>
 	  
       <para>The first line names the realm in which this system works.  The
 	other lines contain realm/host entries.  The first item on a line is a
 	realm, and the second is a host in that realm that is acting as a
 	<quote>key distribution center</quote>.  The words <literal>admin
 	  server</literal> following a host's name means that host also
 	provides an administrative database server.  For further explanation
 	of these terms, please consult the Kerberos manual pages.</para>
 	  
       <para>Now we have to add <hostid role="fqdn">grunt.example.com</hostid>
 	to the <literal>EXAMPLE.COM</literal> realm and also add an entry to
 	put all hosts in the <hostid role="domainname">.example.com</hostid>
 	domain in the <literal>EXAMPLE.COM</literal> realm.  The
 	<filename>krb.realms</filename> file would be updated as
 	follows:</para>
 	  
       <screen>&prompt.root; <userinput>cat krb.realms</userinput>
 grunt.example.com EXAMPLE.COM
 .example.com EXAMPLE.COM
 .berkeley.edu CS.BERKELEY.EDU
 .MIT.EDU ATHENA.MIT.EDU
 .mit.edu ATHENA.MIT.EDU</screen>
 	  
       <para>Again, the other realms do not need to be there.  They are here as
 	an example of how a machine may be made aware of multiple realms.  You
 	may wish to remove them to simplify things.</para>
 	  
       <para>The first line puts the <emphasis>specific</emphasis> system into
 	the named realm.  The rest of the lines show how to default systems of
 	a particular subdomain to a named realm.</para>
 	  
       <para>Now we are ready to create the database.  This only needs to run
 	on the Kerberos server (or Key Distribution Center).  Issue the
 	<command>kdb_init</command> command to do this:</para>
 	  
       <screen>&prompt.root; <userinput>kdb_init</userinput>
 <prompt>Realm name [default  ATHENA.MIT.EDU ]:</prompt> <userinput>EXAMPLE.COM</userinput>
 You will be prompted for the database Master Password.
 It is important that you NOT FORGET this password.
 		
 <prompt>Enter Kerberos master key:</prompt> </screen>
 	  
       <para>Now we have to save the key so that servers on the local machine
 	can pick it up.  Use the <command>kstash</command> command to do
 	this:</para>
 	
       <screen>&prompt.root; <userinput>kstash</userinput>
 	      
 <prompt>Enter Kerberos master key:</prompt>
 
 Current Kerberos master key version is 1.
 
 Master key entered. BEWARE!</screen>
 	
       <para>This saves the encrypted master password in
 	<filename>/etc/kerberosIV/master_key</filename>.</para>
     </sect2>
     
     <sect2>
       <title>Making It All Run</title>
 	
       <indexterm>
 	<primary>KerberosIV</primary>
 	<secondary>Inital Startup</secondary>
       </indexterm>
 
       <para>Two principals need to be added to the database for
 	<emphasis>each</emphasis> system that will be secured with Kerberos.
 	Their names are <literal>kpasswd</literal> and <literal>rcmd</literal>.
 	These two principals are made for each system, with the instance being
 	the name of the individual system.</para>
 	  
       <para>These daemons, <application>kpasswd</application> and
 	<application>rcmd</application> allow other systems to change Kerberos
 	passwords and run commands like &man.rcp.1;,
 	&man.rlogin.1; and &man.rsh.1;.</para>
 	  
       <para>Now let us add these entries:</para>
 	    
       <screen>&prompt.root; <userinput>kdb_edit</userinput>
 Opening database...
 
 <prompt>Enter Kerberos master key:</prompt>
 
 Current Kerberos master key version is 1.
 
 Master key entered.  BEWARE!
 Previous or default values are in [brackets] ,
 enter return to leave the same, or new value.
 
 <prompt>Principal name:</prompt> <userinput>passwd</userinput>
 <prompt>Instance:</prompt> <userinput>grunt</userinput>
 
 &lt;Not found&gt;, <prompt>Create [y] ?</prompt> <userinput>y</userinput>
 
 Principal: passwd, Instance: grunt, kdc_key_ver: 1
 <prompt>New Password:</prompt>                    &lt;---- enter RANDOM here
 Verifying password
 
 <prompt>New Password:</prompt> &lt;---- enter RANDOM here
 
 <prompt>Random password [y] ?</prompt> <userinput>y</userinput>
 
 Principal's new key version = 1
 <prompt>Expiration date (enter yyyy-mm-dd) [ 2000-01-01 ] ?</prompt>
 <prompt>Max ticket lifetime (*5 minutes) [ 255 ] ?</prompt>
 <prompt>Attributes [ 0 ] ?</prompt>
 Edit O.K.
 <prompt>Principal name:</prompt> <userinput>rcmd</userinput>
 <prompt>Instance:</prompt> <userinput>grunt</userinput>
 
 &lt;Not found&gt;, <prompt>Create [y] ?</prompt>
 
 Principal: rcmd, Instance: grunt, kdc_key_ver: 1
 <prompt>New Password:</prompt>		&lt;---- enter RANDOM here
 Verifying password
 
 <prompt>New Password:</prompt>           &lt;---- enter RANDOM here
 
 <prompt>Random password [y] ?</prompt>
 
 Principal's new key version = 1
 <prompt>Expiration date (enter yyyy-mm-dd) [ 2000-01-01 ] ?</prompt>
 <prompt>Max ticket lifetime (*5 minutes) [ 255 ] ?</prompt>
 <prompt>Attributes [ 0 ] ?</prompt>
 Edit O.K.
 <prompt>Principal name:</prompt>         &lt;---- null entry here will cause an exit</screen>
     </sect2>
 
     <sect2>
       <title>Creating the Server File</title>
       
       <para>We now have to extract all the instances which define the
 	services on each machine.  For this we use the
 	<command>ext_srvtab</command> command.  This will create a file
 	which must be copied or moved <emphasis>by secure
 	  means</emphasis> to each Kerberos client's
 	<filename>/etc/kerberosIV</filename> directory.  This file must
 	be present on each server and client, and is crucial to the
 	operation of Kerberos.</para>
 	  
 	  
       <screen>&prompt.root; <userinput>ext_srvtab grunt</userinput>
 <prompt>Enter Kerberos master key:</prompt>
 		
 Current Kerberos master key version is 1.
 
 Master key entered. BEWARE!
 Generating 'grunt-new-srvtab'....</screen>
 	  
       <para>Now, this command only generates a temporary file which must be
 	renamed to <filename>srvtab</filename> so that all the servers can pick
 	it up.  Use the &man.mv.1; command to move it into place on
 	the original system:</para>
 	  
       <screen>&prompt.root; <userinput>mv grunt-new-srvtab srvtab</userinput></screen>
 	  
       <para>If the file is for a client system, and the network is not deemed
 	safe, then copy the
 	<filename><replaceable>client</replaceable>-new-srvtab</filename> to
 	removable media and transport it by secure physical means.  Be sure to
 	rename it to <filename>srvtab</filename> in the client's
 	<filename>/etc/kerberosIV</filename> directory, and make sure it is
 	mode 600:</para>
 	  
       <screen>&prompt.root; <userinput>mv grumble-new-srvtab srvtab</userinput>
 &prompt.root; <userinput>chmod 600 srvtab</userinput></screen>
     </sect2>
     
     <sect2>
       <title>Populating the Database</title>
       
       <para>We now have to add some user entries into the database.  First
 	let us create an entry for the user <username>jane</username>.  Use the
 	<command>kdb_edit</command> command to do this:</para>
 	  
       <screen>&prompt.root; <userinput>kdb_edit</userinput>
 Opening database...
 
 <prompt>Enter Kerberos master key:</prompt>
 
 Current Kerberos master key version is 1.
 
 Master key entered.  BEWARE!
 Previous or default values are in [brackets] ,
 enter return to leave the same, or new value.
 
 <prompt>Principal name:</prompt> <userinput>jane</userinput>
 <prompt>Instance:</prompt>
 
 &lt;Not found&gt;, <prompt>Create [y] ?</prompt> <userinput>y</userinput>
 
 Principal: jane, Instance: , kdc_key_ver: 1
 <prompt>New Password:</prompt>                &lt;---- enter a secure password here
 Verifying password
 
 <prompt>New Password:</prompt>                &lt;---- re-enter the password here
 Principal's new key version = 1
 <prompt>Expiration date (enter yyyy-mm-dd) [ 2000-01-01 ] ?</prompt>
 <prompt>Max ticket lifetime (*5 minutes) [ 255 ] ?</prompt>
 <prompt>Attributes [ 0 ] ?</prompt>
 Edit O.K.
 <prompt>Principal name:</prompt>		   &lt;---- null entry here will cause an exit</screen>
     </sect2>
 
     <sect2>
       <title>Testing It All Out</title>
       
       <para>First we have to start the Kerberos daemons.  Note that if you
 	have correctly edited your <filename>/etc/rc.conf</filename> then this
 	will happen automatically when you reboot.  This is only necessary on
 	the Kerberos server.  Kerberos clients will automatically get what
 	they need from the <filename>/etc/kerberosIV</filename>
 	directory.</para>
 	  
       <screen>&prompt.root; <userinput>kerberos &amp;</userinput>
 Kerberos server starting
 Sleep forever on error
 Log file is /var/log/kerberos.log
 Current Kerberos master key version is 1.
 
 Master key entered. BEWARE!
 
 Current Kerberos master key version is 1
 Local realm: EXAMPLE.COM
 &prompt.root; <userinput>kadmind -n &amp;</userinput>
 KADM Server KADM0.0A initializing
 Please do not use 'kill -9' to kill this job, use a
 regular kill instead
 
 Current Kerberos master key version is 1.
 
 Master key entered.  BEWARE!</screen>
 	  
       <para>Now we can try using the <command>kinit</command> command to get a
 	ticket for the ID <username>jane</username> that we created
 	above:</para>
 	  
       <screen>&prompt.user; <userinput>kinit jane</userinput>
 MIT Project Athena (grunt.example.com)
 Kerberos Initialization for "jane"
 <prompt>Password:</prompt> </screen>
 	  
       <para>Try listing the tokens using <command>klist</command> to see if we
 	really have them:</para>
 	  
       <screen>&prompt.user; <userinput>klist</userinput>
 Ticket file:    /tmp/tkt245
 Principal:      jane@EXAMPLE.COM
 
   Issued           Expires          Principal
 Apr 30 11:23:22  Apr 30 19:23:22  krbtgt.EXAMPLE.COM@EXAMPLE.COM</screen>
 	  
       <para>Now try changing the password using &man.passwd.1; to
 	check if the <application>kpasswd</application> daemon can get 
 	authorization to the Kerberos database:</para>
 	  
       <screen>&prompt.user; <userinput>passwd</userinput>
 realm EXAMPLE.COM
 <prompt>Old password for jane:</prompt>
 <prompt>New Password for jane:</prompt>
 Verifying password
 <prompt>New Password for jane:</prompt>
 Password changed.</screen>
     </sect2>
 
     <sect2>
       <title>Adding <command>su</command> Privileges</title>
       
       <para>Kerberos allows us to give <emphasis>each</emphasis> user
 	who needs <username>root</username> privileges their own
 	<emphasis>separate</emphasis> &man.su.1; password.
 	We could now add an ID which is authorized to
 	&man.su.1; to <username>root</username>.  This is
 	controlled by having an instance of <username>root</username>
 	associated with a principal.  Using <command>kdb_edit</command>
 	we can create the entry <literal>jane.root</literal> in the
 	Kerberos database:</para>
 	  
       <screen>&prompt.root; <userinput>kdb_edit</userinput>
 Opening database...
 
 <prompt>Enter Kerberos master key:</prompt>
 
 Current Kerberos master key version is 1.
 
 Master key entered.  BEWARE!
 Previous or default values are in [brackets] ,
 enter return to leave the same, or new value.
 
 <prompt>Principal name:</prompt> <userinput>jane</userinput>
 <prompt>Instance:</prompt> <userinput>root</userinput>
 
 &lt;Not found&gt;, Create [y] ? y
 
 Principal: jane, Instance: root, kdc_key_ver: 1
 <prompt>New Password:</prompt>                    &lt;---- enter a SECURE password here
 Verifying password
 
 <prompt>New Password:</prompt>    	 	 &lt;---- re-enter the password here
 
 Principal's new key version = 1
 <prompt>Expiration date (enter yyyy-mm-dd) [ 2000-01-01 ] ?</prompt>
 <prompt>Max ticket lifetime (*5 minutes) [ 255 ] ?</prompt> <userinput>12</userinput> &lt;--- Keep this short!
 <prompt>Attributes [ 0 ] ?</prompt>
 Edit O.K.
 <prompt>Principal name:</prompt>		         &lt;---- null entry here will cause an exit</screen>
 	  
       <para>Now try getting tokens for it to make sure it works:</para>
       
       <screen>&prompt.root; <userinput>kinit jane.root</userinput>
 MIT Project Athena (grunt.example.com)
 Kerberos Initialization for "jane.root"
 <prompt>Password:</prompt></screen>
 	  
       <para>Now we need to add the user to <username>root</username>'s
 	  <filename>.klogin</filename> file:</para>
 	  
       <screen>&prompt.root; <userinput>cat /root/.klogin</userinput>
 jane.root@EXAMPLE.COM</screen>
 	  
       <para>Now try doing the &man.su.1;:</para>
 	  
       <screen>&prompt.user; <userinput>su</userinput>
 <prompt>Password:</prompt></screen>
 	  
       <para>and take a look at what tokens we have:</para>
 	  
       <screen>&prompt.root; <userinput>klist</userinput>
 Ticket file:	/tmp/tkt_root_245
 Principal:      jane.root@EXAMPLE.COM
 
   Issued           Expires          Principal
 May  2 20:43:12  May  3 04:43:12  krbtgt.EXAMPLE.COM@EXAMPLE.COM</screen>
     </sect2>
 
     <sect2>
       <title>Using Other Commands</title>
       
       <para>In an earlier example, we created a principal called
 	<literal>jane</literal> with an instance <literal>root</literal>.
 	This was based on a user with the same name as the principal, and this
 	is a Kerberos default; that a
 	<literal>&lt;principal&gt;.&lt;instance&gt;</literal> of the form
 	<literal>&lt;username&gt;.</literal><username>root</username> will allow
 	that <literal>&lt;username&gt;</literal> to &man.su.1; to
 	<username>root</username> if the necessary entries are in the
 	<filename>.klogin</filename> file in <username>root</username>'s
 	home directory:</para>
 	  
       <screen>&prompt.root; <userinput>cat /root/.klogin</userinput>
 jane.root@EXAMPLE.COM</screen>
       
       <para>Likewise, if a user has in their own home directory lines of the
 	form:</para>
       
       <screen>&prompt.user; <userinput>cat ~/.klogin</userinput>
 jane@EXAMPLE.COM
 jack@EXAMPLE.COM</screen>
 	  
       <para>This allows anyone in the <literal>EXAMPLE.COM</literal> realm
 	who has authenticated themselves as <username>jane</username> or
 	<username>jack</username> (via <command>kinit</command>, see above)
 	to access to <username>jane</username>'s
 	account or files on this system (<hostid>grunt</hostid>) via
 	&man.rlogin.1;, &man.rsh.1; or
 	&man.rcp.1;.</para>
 	  
       <para>For example, <username>jane</username> now logs into another system using
 	Kerberos:</para>
 	  
 	    <screen>&prompt.user; <userinput>kinit</userinput>
 MIT Project Athena (grunt.example.com)
 <prompt>Password:</prompt>
 &prompt.user; <userinput>rlogin grunt</userinput>
 Last login: Mon May  1 21:14:47 from grumble
 Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
         The Regents of the University of California.   All rights reserved.
 
 FreeBSD BUILT-19950429 (GR386) #0: Sat Apr 29 17:50:09 SAT 1995</screen>
 	  
       <para>Or <username>jack</username> logs into <username>jane</username>'s account on the same machine
 	(<username>jane</username> having
 	set up the <filename>.klogin</filename> file as above, and the person
 	in charge of Kerberos having set up principal
 	<emphasis>jack</emphasis> with a null instance):</para>
 	  
       <screen>&prompt.user; <userinput>kinit</userinput>
 &prompt.user; <userinput>rlogin grunt -l jane</userinput>
 MIT Project Athena (grunt.example.com)
 <prompt>Password:</prompt>
 Last login: Mon May  1 21:16:55 from grumble
 Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
         The Regents of the University of California.   All rights reserved.
 FreeBSD BUILT-19950429 (GR386) #0: Sat Apr 29 17:50:09 SAT 1995</screen>
     </sect2>
   </sect1>
 
   <sect1 id="kerberos5">
     <sect1info>
       <authorgroup>
 	<author>
 	  <firstname>Tillman</firstname>
 	  <surname>Hodgson</surname>
 	  <contrib>Contributed by </contrib>
 	</author>
       </authorgroup>
       <authorgroup>
 	<author>
 	  <firstname>Mark</firstname>
 	  <surname>Murray</surname>
 	  <contrib>Based on a contribution by </contrib>
 	</author>
       </authorgroup>
     </sect1info>
 
     <title><application>Kerberos5</application></title>
 
     <para>Every &os; release beyond &os;-5.1 includes support
       only for <application>Kerberos5</application>.  Hence
       <application>Kerberos5</application> is the only version
       included, and its configuration is similar in many aspects
       to that of <application>KerberosIV</application>.  The following
       information only applies to
       <application>Kerberos5</application> in post &os;-5.0
       releases.  Users who wish to use the
       <application>KerberosIV</application> package may install the
       <filename role="package">security/krb4</filename> port.</para>
 
     <para><application>Kerberos</application> is a network add-on
       system/protocol that allows users to authenticate themselves
       through the services of a secure server.  Services such as remote
       login, remote copy, secure inter-system file copying and other
       high-risk tasks are made considerably safer and more
       controllable.</para>
 
     <para><application>Kerberos</application> can be described as an
       identity-verifying proxy system.  It can also be described as a
       trusted third-party authentication system.
       <application>Kerberos</application> provides only one
       function &mdash; the secure authentication of users on the network.
       It does not provide authorization functions (what users are
       allowed to do) or auditing functions (what those users did).
       After a client and server have used
       <application>Kerberos</application> to prove their identity, they
       can also encrypt all of their communications to assure privacy
       and data integrity as they go about their business.</para>
 
     <para>Therefore it is highly recommended that
       <application>Kerberos</application> be used with other security
       methods which provide authorization and audit services.</para>
 
     <para>The following instructions can be used as a guide on how to set
       up <application>Kerberos</application> as distributed for &os;.
       However, you should refer to the relevant manual pages for a complete
       description.</para>
 
     <para>For purposes of demonstrating a <application>Kerberos</application>
       installation, the various name spaces will be handled as follows:</para>
 
     <itemizedlist>
       <listitem>
 	<para>The <acronym>DNS</acronym> domain (<quote>zone</quote>)
 	  will be example.org.</para>
       </listitem>
 
       <listitem>
 	<para>The <application>Kerberos</application> realm will be
 	  EXAMPLE.ORG.</para>
       </listitem>
     </itemizedlist>
 
     <note>
       <para>Please use real domain names when setting up
 	<application>Kerberos</application> even if you intend to run
 	it internally.  This avoids <acronym>DNS</acronym> problems
 	and assures inter-operation with other
 	<application>Kerberos</application> realms.</para>
     </note>
 
     <sect2>
       <title>History</title>
       <indexterm>
 	<primary>Kerberos5</primary>
 	<secondary>History</secondary>
       </indexterm>
 
       <para><application>Kerberos</application> was created by
 	<acronym>MIT</acronym> as a solution to network security problems.
 	The <application>Kerberos</application> protocol uses strong
 	cryptography so that a client can prove its identity to a server
 	(and vice versa) across an insecure network connection.</para>
 
       <para><application>Kerberos</application> is both the name of a
 	network authentication protocol and an adjective to describe
 	programs that implement the program
 	(<application>Kerberos</application> telnet, for example).  The
 	current version of the protocol is version 5, described in
 	<acronym>RFC</acronym>&nbsp;1510.</para>
 
       <para>Several free implementations of this protocol are available,
 	covering a wide range of operating systems.  The Massachusetts
 	Institute of Technology (<acronym>MIT</acronym>), where
 	<application>Kerberos</application> was originally developed,
 	continues to develop their <application>Kerberos</application>
 	package.  It is commonly used in the <acronym>US</acronym>
 	as a cryptography product, as such it
 	has historically been affected by <acronym>US</acronym> export
 	regulations.  The <acronym>MIT</acronym>
 	<application>Kerberos</application> is available as a port
 	(<filename role="package">security/krb5</filename>).  Heimdal
 	<application>Kerberos</application> is another version 5
 	implementation, and was explicitly developed outside of the
 	<acronym>US</acronym> to avoid export
 	regulations (and is thus often included in non-commercial &unix;
 	variants).  The Heimdal <application>Kerberos</application>
 	distribution is available as a port
 	(<filename role="package">security/heimdal</filename>), and a
 	minimal installation of it is included in the base &os;
 	install.</para>
 
     <para>In order to reach the widest audience, these instructions assume
 	the use of the Heimdal distribution included in &os;.</para>
 
     </sect2>
 
     <sect2>
       <title>Setting up a Heimdal <acronym>KDC</acronym></title>
       <indexterm>
 	<primary>Kerberos5</primary>
 	<secondary>Key Distribution Center Configuration</secondary>
       </indexterm>
 
       <para>The Key Distribution Center (<acronym>KDC</acronym>) is the
 	centralized authentication service that
 	<application>Kerberos</application> provides &mdash; it is the
 	computer that issues <application>Kerberos</application> tickets.
 	The <acronym>KDC</acronym> is considered <quote>trusted</quote> by
 	all other computers in the <application>Kerberos</application>
 	realm, and thus has heightened security concerns.</para>
 
     <para>Note that while running the <application>Kerberos</application>
 	server requires very few computing resources, a dedicated machine
 	acting only as a <acronym>KDC</acronym> is recommended for security
 	reasons.</para>
 
     <para>To begin setting up a <acronym>KDC</acronym>, ensure that your
 	<filename>/etc/rc.conf</filename> file contains the correct
 	settings to act as a <acronym>KDC</acronym> (you may need to adjust
 	paths to reflect your own system):</para>
 
     <programlisting>kerberos5_server_enable="YES"
 kadmind5_server_enable="YES"
 kerberos_stash="YES"</programlisting>
 
       <note>
 	<para>The <option>kerberos_stash</option> is only available in
 	  &os; 4.X.</para>
       </note>
 
       <para>Next we will set up your <application>Kerberos</application>
 	config file, <filename>/etc/krb5.conf</filename>:</para>
 
       <programlisting>[libdefaults]
     default_realm = EXAMPLE.ORG
 [realms]
     EXAMPLE.ORG = {
         kdc = kerberos.example.org
         admin_server = kerberos.example.org
     }
 [domain_realm]
     .example.org = EXAMPLE.ORG</programlisting>
 
       <para>Note that this <filename>/etc/krb5.conf</filename> file implies
 	that your <acronym>KDC</acronym> will have the fully-qualified
 	hostname of <hostid role="fqdn">kerberos.example.org</hostid>.
 	You will need to add a CNAME (alias) entry to your zone file to
 	accomplish this if your <acronym>KDC</acronym> has a different
 	hostname.</para>
 
       <note>
 	<para>For large networks with a properly configured
 	  <acronym>BIND</acronym> <acronym>DNS</acronym> server, the
 	  above example could be trimmed to:</para>
 
 	<programlisting>[libdefaults]
       default_realm = EXAMPLE.ORG</programlisting>
 
 	<para>With the following lines being appended to the
 	  <hostid role="fqdn">example.org</hostid> zonefile:</para>
 
 	<programlisting>_kerberos._udp      IN  SRV     01 00 88 kerberos.example.org.
 _kerberos._tcp      IN  SRV     01 00 88 kerberos.example.org.
 _kpasswd._udp       IN  SRV     01 00 464 kerberos.example.org.
 _kerberos-adm._tcp  IN  SRV     01 00 749 kerberos.example.org.
 _kerberos           IN  TXT     EXAMPLE.ORG.</programlisting></note>
 
       <note>
         <para>For clients to be able to find the
           <application>Kerberos</application> services, you
           <emphasis>must</emphasis> have either a fully configured
           <filename>/etc/krb5.conf</filename> or a miminally configured
           <filename>/etc/krb5.conf</filename> <emphasis>and</emphasis> a
           properly configured DNS server.</para>
       </note>
 
       <para>Next we will create the <application>Kerberos</application>
 	database.  This database contains the keys of all principals encrypted
 	with a master password.  You are not
 	required to remember this password, it will be stored in a file
 	(<filename>/var/heimdal/m-key</filename>).  To create the master
 	key, run <command>kstash</command> and enter a password.</para>
 
       <para>Once the master key has been created, you can initialize the
 	database using the <command>kadmin</command> program with the
 	<literal>-l</literal> option (standing for <quote>local</quote>).
 	This option instructs <command>kadmin</command> to modify the
 	database files directly rather than going through the
 	<command>kadmind</command> network service.  This handles the
 	chicken-and-egg problem of trying to connect to the database
 	before it is created.  Once you have the <command>kadmin</command>
 	prompt, use the <command>init</command> command to create your
 	realms initial database.</para>
 
       <para>Lastly, while still in <command>kadmin</command>, create your
 	first principal using the <command>add</command> command.  Stick
 	to the defaults options for the principal for now, you can always
 	change them later with the <command>modify</command> command.
 	Note that you can use the <literal>?</literal> command at any
 	prompt to see the available options.</para>
 
       <para>A sample database creation session is shown below:</para>
 
       <screen>&prompt.root; <userinput>kstash</userinput>
 Master key: <userinput>xxxxxxxx</userinput>
 Verifying password - Master key: <userinput>xxxxxxxx</userinput>
 
 &prompt.root; <userinput>kadmin -l</userinput>
 kadmin> <userinput>init EXAMPLE.ORG</userinput>
 Realm max ticket life [unlimited]:
 kadmin> <userinput>add tillman</userinput>
 Max ticket life [unlimited]:
 Max renewable life [unlimited]:
 Attributes []:
 Password: <userinput>xxxxxxxx</userinput>
 Verifying password - Password: <userinput>xxxxxxxx</userinput></screen>
 
       <para>Now it is time to start up the <acronym>KDC</acronym> services.
 	Run <command>/etc/rc.d/kerberos start</command> and
 	<command>/etc/rc.d/kadmind start</command> to bring up the
 	services.  Note that you won't have any kerberized daemons running
 	at this point but you should be able to confirm the that the
 	<acronym>KDC</acronym> is functioning by obtaining and listing a
 	ticket for the principal (user) that you just created from the
 	command-line of the <acronym>KDC</acronym> itself:</para>
 
       <screen>&prompt.user; <userinput>k5init <replaceable>tillman</replaceable></userinput>
 tillman@EXAMPLE.ORG's Password:
 
 &prompt.user; <userinput>k5list</userinput>
 Credentials cache: FILE:<filename>/tmp/krb5cc_500</filename>
 	Principal: tillman@EXAMPLE.ORG
 
   Issued           Expires          Principal
 Aug 27 15:37:58  Aug 28 01:37:58  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG</screen>
 
       </sect2>
 
       <sect2>
 	<title><application>Kerberos</application> enabling a server with
 	  Heimdal services</title>
 
         <indexterm>
 	  <primary>Kerberos5</primary>
 	  <secondary>Enabling Services</secondary>
         </indexterm>
 
 	<para>First, we need a copy of the <application>Kerberos</application>
 	  configuration file, <filename>/etc/krb5.conf</filename>.  To do
 	  so, simply copy it over to the client computer from the
 	  <acronym>KDC</acronym> in a secure fashion (using network utilities,
 	  such as &man.scp.1;, or physically via a
 	  floppy disk).</para>
 
 	<para>Next you need a <filename>/etc/krb5.keytab</filename> file.
 	  This is the major difference between a server providing
 	  <application>Kerberos</application> enabled daemons and a
 	  workstation &mdash; the server must have a
 	  <filename>keytab</filename> file.  This file
 	  contains the servers host key, which allows it and the
 	  <acronym>KDC</acronym> to verify each others identity.  It
 	  must be transmitted to the server in a secure fashion, as the
 	  security of the server can be broken if the key is made public.
 	  This explicitly means that transferring it via a clear text
 	  channel, such as <acronym>FTP</acronym>, is a very bad idea.</para>
 
 	<para>Typically, you transfer to the <filename>keytab</filename>
 	  to the server using the <command>kadmin</command> program.
 	  This is handy because you also need to create the host principal
 	  (the <acronym>KDC</acronym> end of the
 	  <filename>krb5.keytab</filename>) using
 	  <command>kadmin</command>.</para>
 
 	<para>Note that you must have already obtained a ticket and that this
 	  ticket must be allowed to use the <command>kadmin</command>
 	  interface in the <filename>kadmind.acl</filename>.  See the section
 	  titled <quote>Remote administration</quote> in the Heimdal info
 	  pages (<command>info heimdal</command>) for details on designing
 	  access control lists.  If you do not want to enable remote
 	  <command>kadmin</command> access, you can simply securely connect
 	  to the <acronym>KDC</acronym> (via local console,
 	  &man.ssh.1; or <application>Kerberos</application>
 	  &man.telnet.1;) and perform administration locally
 	  using <command>kadmin -l</command>.</para>
 
 	<para>After installing the <filename>/etc/krb5.conf</filename> file,
 	  you can use <command>kadmin</command> from the
 	  <application>Kerberos</application> server.  The
 	  <command>add --random-key</command> command will let you add the
 	  servers host principal, and the <command>ext</command> command
 	  will allow you to extract the servers host principal to its own
 	  keytab.  For example:</para>
 
 	<screen>&prompt.root; <userinput>kadmin</userinput>
 kadmin><userinput> add --random-key host/myserver.example.org</userinput>
 Max ticket life [unlimited]:
 Max renewable life [unlimited]:
 Attributes []:
 kadmin><userinput> ext host/myserver.example.org</userinput>
 kadmin><userinput> exit</userinput></screen>
 
 	<para>Note that the <command>ext</command> command (short for
 	  <quote>extract</quote>) stores the extracted key in
 	  <filename>/etc/krb5.keytab</filename> by default.</para>
 
 	<para>If you do not have <command>kadmind</command> running on the
 	  <acronym>KDC</acronym> (possibly for security reasons) and thus
 	  do not have access to <command>kadmin</command> remotely, you
 	  can add the host principal
 	  (<username>host/myserver.EXAMPLE.ORG</username>) directly on the
 	  <acronym>KDC</acronym> and then extract it to a temporary file
 	  (to avoid over-writing the <filename>/etc/krb5.keytab</filename>
 	  on the <acronym>KDC</acronym>) using something like this:</para>
 
 	<screen>&prompt.root; <userinput>kadmin</userinput>
 kadmin><userinput> ext --keytab=/tmp/example.keytab host/myserver.example.org</userinput>
 kadmin><userinput> exit</userinput></screen>
 
 	<para>You can then securely copy the keytab to the server
 	  computer (using <command>scp</command> or a floppy, for
 	  example).  Be sure to specify a non-default keytab name
 	  to avoid over-writing the keytab on the
 	  <acronym>KDC</acronym>.</para>
 
 	<para>At this point your server can communicate with the
 	  <acronym>KDC</acronym> (due to its <filename>krb5.conf</filename>
 	  file) and it can prove its own identity (due to the
 	  <filename>krb5.keytab</filename> file).  It is now ready for
 	  you to enable some <application>Kerberos</application> services.
 	  For this example we will enable the <command>telnet</command>
 	  service by putting a line like this into your
 	  <filename>/etc/inetd.conf</filename> and then restarting the
 	  &man.inetd.8; service with
 	  <command>/etc/rc.d/inetd restart</command>:</para>
 
 	<programlisting>telnet    stream  tcp     nowait  root    /usr/libexec/telnetd  telnetd -a user</programlisting>
 
 	<para>The critical bit is that the <command>-a</command>
 	  (for authentication) type is set to user.  Consult the
 	  &man.telnetd.8; manual page for more details.</para>
 
       </sect2>
 
       <sect2>
 	<title><application>Kerberos</application> enabling a client with Heimdal</title>
 
 	<indexterm>
 	  <primary>Kerberos5</primary>
 	  <secondary>Client Configuration</secondary>
 	</indexterm>
 
 	<para>Setting up a client computer is almost trivially easy.  As
 	  far as <application>Kerberos</application> configuration goes,
 	  you only need the <application>Kerberos</application>
 	  configuration file, located at <filename>/etc/krb5.conf</filename>.
 	  Simply securely copy it over to the client computer from the
 	  <acronym>KDC</acronym>.</para>
 
 	<para>Test your client computer by attempting to use
 	  <command>kinit</command>, <command>klist</command>, and
 	  <command>kdestroy</command> from the client to obtain, show, and
 	  then delete a ticket for the principal you created above.  You
 	  should also be able to use <application>Kerberos</application>
 	  applications to connect to <application>Kerberos</application>
 	  enabled servers, though if that does not work and obtaining a
 	  ticket does the problem is likely with the server and not with
 	  the client or the <acronym>KDC</acronym>.</para>
 
 	<para>When testing an application like <command>telnet</command>,
 	  try using a packet sniffer (such as &man.tcpdump.1;)
 	  to confirm that your password is not sent in the clear.  Try
 	  using <command>telnet</command> with the <literal>-x</literal>
 	  option, which encrypts the entire data stream (similar to
 	  <command>ssh</command>).</para>
 
 	<para>The core <application>Kerberos</application> client applications
 	  (traditionally named <command>kinit</command>,
 	  <command>klist</command>, <command>kdestroy</command>, and
 	  <command>kpasswd</command>) are installed in
 	  the base &os; install. Note that &os; versions prior to 5.0
 	  renamed them to <command>k5init</command>,
 	  <command>k5list</command>, <command>k5destroy</command>,
 	  <command>k5passwd</command>, and <command>k5stash</command>
 	  (though it is typically only used once).</para>
 
 	<para>Various non-core <application>Kerberos</application> client
 	  applications are also installed by default.  This is where the
 	  <quote>minimal</quote> nature of the base Heimdal installation is
 	  felt: <command>telnet</command> is the only
 	  <application>Kerberos</application> enabled service.</para>
 
 	<para>The Heimdal port adds some of the missing client applications:
 	  <application>Kerberos</application> enabled versions of
 	  <command>ftp</command>, <command>rsh</command>,
 	  <command>rcp</command>, <command>rlogin</command>, and a few
 	  other less common programs. The <acronym>MIT</acronym> port also
 	  contains a full suite of <application>Kerberos</application>
 	  client applications.</para>
 
       </sect2>
 
       <sect2>
 	<title>User configuration files: <filename>.k5login</filename> and <filename>.k5users</filename></title>
 
 	<indexterm>
 	  <primary>Kerberos5</primary>
 	  <secondary>User Configuration Files</secondary>
 	</indexterm>
 
 	<para>Users within a realm typically have their
 	  <application>Kerberos</application> principal (such as
 	  <username>tillman@EXAMPLE.ORG</username>) mapped to a local
 	  user account (such as a local account named
 	  <username>tillman</username>).  Client applications such as
 	  <command>telnet</command> usually do not require a user name
 	  or a principal.</para>
 
 	<para>Occasionally, however, you want to grant access to a local
 	  user account to someone who does not have a matching
 	  <application>Kerberos</application> principal.  For example,
 	  <username>tillman@EXAMPLE.ORG</username> may need access to the
 	  local user account <username>webdevelopers</username>.  Other
 	  principals may also need access to that local account.</para>
 
 	<para>The <filename>.k5login</filename> and
 	  <filename>.k5users</filename> files, placed in a users home
 	  directory, can be used similar to a powerful combination of
 	  <filename>.hosts</filename> and <filename>.rhosts</filename>,
 	  solving this problem. For example, if a
 	  <filename>.k5login</filename> with the following
 	  contents:</para>
 
 	<screen>tillman@example.org
 jdoe@example.org</screen>
 
 	<para>Were to be placed into the home directory of the local user
 	  <username>webdevelopers</username> then both principals listed
 	  would have access to that account without requiring a shared
 	  password.</para>
 
 	<para>Reading the manual pages for these commands is recommended.
 	  Note that the <command>ksu</command> manual page covers
 	  <filename>.k5users</filename>.</para>
 
       </sect2>
 
       <sect2>
 	<title><application>Kerberos</application> Tips, Tricks, and Troubleshooting</title>
 
 	<indexterm>
 	  <primary>Kerberos5</primary>
 	  <secondary>Troubleshooting</secondary>
 	</indexterm>
 
 	<itemizedlist>
 	  <listitem>
 	    <para>When using either the Heimdal or <acronym>MIT</acronym>
 	      <application>Kerberos</application> ports ensure that your
 	      <envar>PATH</envar> environment variable lists the
 	      <application>Kerberos</application> versions of the client
 	      applications before the system versions.</para>
 	  </listitem>
 
 	  <listitem>
 	    <para>Do all the computers in your realm have synchronized
 	      time settings?  If not, authentication may fail.
 	      <xref linkend="network-ntp"> describes how to synchronize
 	      clocks using <acronym>NTP</acronym>.</para>
 	  </listitem>
 
 	  <listitem>
 	    <para><acronym>MIT</acronym> and Heimdal inter-operate nicely.
 	      Except for <command>kadmin</command>, the protocol for
 	      which is not standardized.</para>
 	  </listitem>
 
 	  <listitem>
 	    <para>If you change your hostname, you also need to change your
 	      <username>host/</username> principal and update your keytab.
 	      This also applies to special keytab entries like the
 	      <username>www/</username> principal used for Apache's
 	      <filename role="package">www/mod_auth_kerb</filename>.</para>
 	  </listitem>
 
 	  <listitem>
 	    <para>All hosts in your realm must be resolvable (both forwards
 	      and reverse) in <acronym>DNS</acronym> (or
 	      <filename>/etc/hosts</filename> as a minimum).  CNAMEs
 	      will work, but the A and PTR records must be correct and in
 	      place. The error message isn't very intuitive:
 	      <errorname>Kerberos5 refuses authentication because Read req
 	      failed: Key table entry not found</errorname>.</para>
 	  </listitem>
 
 	  <listitem>
 	    <para>Some operating systems that may being acting as clients
 	      to your <acronym>KDC</acronym> do not set the permissions
 	      for <command>ksu</command> to be setuid
 	      <username>root</username>.  This means that
 	      <command>ksu</command> does not work, which is a good
 	      security idea but annoying. This is not a
 	      <acronym>KDC</acronym> error.</para>
 	  </listitem>
 
 	  <listitem>
 	    <para>With <acronym>MIT</acronym>
 	      <application>Kerberos</application>, if you want to allow a
 	      principal to have a ticket life longer than the default ten
 	      hours, you must use <command>modify_principal</command> in
 	      <command>kadmin</command> to change the maxlife of both the
 	      principal in question and the <username>krbtgt</username>
 	      principal.  Then the principal can use the
 	      <literal>-l</literal> option with <command>kinit</command>
 	      to request a ticket with a longer lifetime.</para>
 	  </listitem>
 
 	  <listitem>
 	    <note><para>If you run a packet sniffer on your
 	      <acronym>KDC</acronym> to add in troubleshooting and then
 	      run <command>kinit</command> from a workstation, you will
 	      notice that your <acronym>TGT</acronym> is sent
 	      immediately upon running <command>kinit</command> &mdash;
 	      even before you type your password!  The explanation is
 	      that the <application>Kerberos</application> server freely
 	      transmits a <acronym>TGT</acronym> (Ticket Granting
 	      Ticket) to any unauthorized request;  however, every
 	      <acronym>TGT</acronym> is encrypted in a key derived from
 	      the user's password.  Therefore, when a user types their
 	      password it is not being sent to the <acronym>KDC</acronym>,
 	      it is being used to decrypt the <acronym>TGT</acronym> that
 	      <command>kinit</command> already obtained. If the decryption
 	      process results in a valid ticket with a valid time stamp,
 	      the user has valid <application>Kerberos</application>
 	      credentials.  These credentials include a session key for
 	      establishing secure communications with the
 	      <application>Kerberos</application> server in the future, as
 	      well as the actual ticket-granting ticket, which is actually
 	      encrypted with the <application>Kerberos</application>
 	      server's own key.  This second layer of encryption is
 	      unknown to the user, but it is what allows the
 	      <application>Kerberos</application> server to verify
 	      the authenticity of each <acronym>TGT</acronym>.</para></note>
 	  </listitem>
 
 	  <listitem>
 	    <para>If you want to use long ticket lifetimes (a week, for
 	      example) and you are using <application>OpenSSH</application>
 	      to connect to the machine where your ticket is stored, make
 	      sure that <application>Kerberos</application>
 	      <option>TicketCleanup</option> is set to <literal>no</literal>
 	      in your <filename>sshd_config</filename> or else your tickets
 	      will be deleted when you log out.</para>
 	  </listitem>
 
 	  <listitem>
 	    <para>Remember that host principals can have a longer ticket
 	      lifetime as well.  If your user principal has a lifetime of a
 	      week but the host you are connecting to has a lifetime of nine
 	      hours, you will have an expired host principal in your cache
 	      and the ticket cache will not work as expected.</para>
 	  </listitem>
 
 	  <listitem>
 	    <para>When setting up a <filename>krb5.dict</filename> file to
 	    prevent specific bad passwords from being used (the manual page
 	    for <command>kadmind</command> covers this briefly), remember
 	    that it only applies to principals that have a password policy
 	    assigned to them.  The <filename>krb5.dict</filename> files
 	    format is simple: one string per line.  Creating a symbolic
 	    link to <filename>/usr/share/dict/words</filename> might be
 	    useful.</para>
 	  </listitem>
         </itemizedlist>
 
       </sect2>
 
       <sect2>
 	<title>Differences with the <acronym>MIT</acronym> port</title>
 
 	<para>The major difference between the <acronym>MIT</acronym>
 	  and Heimdal installs relates to the <command>kadmin</command>
 	  program which has a different (but equivalent) set of commands
 	  and uses a different protocol.  This has a large implications
 	  if your <acronym>KDC</acronym> is <acronym>MIT</acronym> as you
 	  will not be able to use the Heimdal <command>kadmin</command>
 	  program to administer your <acronym>KDC</acronym> remotely
 	  (or vice versa, for that matter).</para>
 
 	<para>The client applications may also take slightly different
 	  command line options to accomplish the same tasks.  Following
 	  the instructions on the <acronym>MIT</acronym>
 	  <application>Kerberos</application> web site
 	  (<ulink url="http://web.mit.edu/Kerberos/www/"></ulink>)
 	  is recommended. Be careful of path issues: the
 	  <acronym>MIT</acronym> port installs into
 	  <filename>/usr/local/</filename> by default, and the
 	  <quote>normal</quote> system applications may be run instead
 	  of <acronym>MIT</acronym> if your <envar>PATH</envar>
 	  environment variable lists the system directories first.</para>
 
 	<note><para>With the <acronym>MIT</acronym>
 	  <filename role="package">security/krb5</filename> port
 	  that is provided by &os;, be sure to read the
 	  <filename>/usr/local/share/doc/krb5/README.FreeBSD</filename>
 	  file installed by the port if you want to understand why logins
 	  via <command>telnetd</command> and <command>klogind</command>
 	  behave somewhat oddly.  Most importantly, correcting the
 	  <quote>incorrect permissions on cache file</quote> behavior
 	  requires that the <command>login.krb5</command> binary be used
 	  for authentication so that it can properly change ownership for
 	  the forwarded credentials.</para></note>
 
       </sect2>
 
       <sect2>
 	<title>Mitigating limitations found in <application>Kerberos</application></title>
 
 	<indexterm>
 	  <primary>Kerberos5</primary>
 	  <secondary>Limitations and Shortcomings</secondary>
 	</indexterm>
 
 	<sect3>
 	 <title><application>Kerberos</application> is an all-or-nothing approach</title>
 
 	  <para>Every service enabled on the network must be modified to
 	    work with <application>Kerberos</application> (or be otherwise
 	    secured against network attacks) or else the users credentials
 	    could be stolen and re-used.  An example of this would be
 	    <application>Kerberos</application> enabling all remote shells
 	    (via <command>rsh</command> and <command>telnet</command>, for
 	    example) but not converting the <acronym>POP3</acronym> mail
 	    server which sends passwords in plain text.</para>
 
 	</sect3>
 
 	<sect3>
 	  <title><application>Kerberos</application> is intended for single-user workstations</title>
 
 	  <para>In a multi-user environment,
 	    <application>Kerberos</application> is less secure.
 	    This is because it stores the tickets in the
 	    <filename>/tmp</filename> directory, which is readable by all
 	    users.  If a user is sharing a computer with several other
 	    people simultaneously (i.e. multi-user), it is possible that
 	    the user's tickets can be stolen (copied) by another
 	    user.</para>
 
 	  <para>This can be overcome with the <literal>-c</literal>
 	    filename command-line option or (preferably) the
 	    <envar>KRB5CCNAME</envar> environment variable, but this
 	    is rarely done. In principal, storing the ticket in the users
 	    home directory and using simple file permissions can mitigate
 	    this problem.</para>
 
 	</sect3>
 
 	<sect3>
 	  <title>The KDC is a single point of failure</title>
 
 	  <para>By design, the <acronym>KDC</acronym> must be as secure as
 	    the master password database is contained on it.  The
 	    <acronym>KDC</acronym> should have absolutely no other
 	    services running on it and should be physically secured.  The
 	    danger is high because <application>Kerberos</application>
 	    stores all passwords encrypted with the same key (the
 	    <quote>master</quote> key), which in turn is stored as a file
 	    on the <acronym>KDC</acronym>.</para>
 
 	  <para>As a side note, a compromised master key is not quite as
 	    bad as one might normally fear.  The master key is only used
 	    to encrypt the <application>Kerberos</application> database
 	    and as a seed for the random number generator.  As long as
 	    access to your <acronym>KDC</acronym> is secure, an attacker
 	    cannot do much with the master key.</para>
 
 	  <para>Additionally, if the <acronym>KDC</acronym> is unavailable
 	    (perhaps due to a denial of service attack or network problems)
 	    the network services are unusable as authentication can not be
 	    performed, a recipe for a denial-of-service attack.  This can
 	    alleviated with multiple <acronym>KDC</acronym>s (a single
 	    master and one or more slaves) and with careful implementation
 	    of secondary or fall-back authentication
 	    (<acronym>PAM</acronym> is excellent for this).</para>
 
 	</sect3>
 
 	<sect3>
 	  <title><application>Kerberos</application> Shortcomings</title>
 
 	  <para><application>Kerberos</application> allows users, hosts
 	    and services to authenticate between themselves.  It does not
 	    have a mechanism to authenticate the <acronym>KDC</acronym>
 	    to the users, hosts or services.  This means that a trojanned
 	    <command>kinit</command> (for example) could record all user
 	    names and passwords.  Something like
 	    <filename role="package">security/tripwire</filename> or
 	    other file system integrity checking tools can alleviate
 	    this.</para>
 
 	</sect3>
       </sect2>
 
       <sect2>
 	<title>Resources and further information</title>
 
 	<indexterm>
 	  <primary>Kerberos5</primary>
 	  <secondary>External Resources</secondary>
 	</indexterm>
 
 	<itemizedlist>
 	  <listitem>
 	  <para><ulink
 	    url="http://www.faqs.org/faqs/Kerberos-faq/general/preamble.html">
 	    The <application>Kerberos</application> FAQ</ulink></para>
 	</listitem>
 
 	<listitem>
 	  <para><ulink url="http://web.mit.edu/Kerberos/www/dialogue.html">Designing
 	    an Authentication System: a Dialog in Four Scenes</ulink></para>
 	</listitem>
 
 	<listitem>
 	  <para><ulink url="http://www.ietf.org/rfc/rfc1510.txt?number=1510">RFC 1510,
 	    The <application>Kerberos</application> Network Authentication Service
 	    (V5)</ulink></para>
 	</listitem>
 
 	<listitem>
 	  <para><ulink url="http://web.mit.edu/Kerberos/www/"><acronym>MIT</acronym>
 	    <application>Kerberos</application> home page</ulink></para>
 	</listitem>
 
 	<listitem>
 	<para><ulink url="http://www.pdc.kth.se/heimdal/">Heimdal
 	  <application>Kerberos</application> home page</ulink></para>
 	</listitem>
 
 	</itemizedlist>
     </sect2>
   </sect1>
 
   <sect1 id="firewalls">
     <sect1info>
       <authorgroup>
 	<author>
 	  <firstname>Joseph J.</firstname>
           <surname>Barbish</surname>
 	  <contrib>Contributed by </contrib>
 	</author>
       </authorgroup>
       <authorgroup>
         <author>
           <firstname>Brad</firstname>
           <surname>Davis</surname>
 	  <contrib>Converted to SGML and updated by </contrib>
         </author>
       </authorgroup>
     </sect1info>
     <title>Firewalls</title>
 
     <indexterm><primary>firewall</primary></indexterm>
     <indexterm>
       <primary>security</primary>
      <secondary>firewalls</secondary>
    </indexterm>
     <sect2>
       <title>Introduction</title>
       <para>All software-based firewalls provide some way to filter
         incoming and outgoing traffic that flows through your system.
         The firewall uses one or more sets of <quote>rules</quote> to
         inspect the network packets as they come in or go out of your
         network connections and either allows the traffic through or
         blocks it. The rules of the firewall can inspect one or more
         characteristics of the packets, including but not limited to
         the protocol type, the source or destination host address and
         the source or destination port.</para>
 
       <para>Firewalls greatly enhance the security of your network,
         your applications and services. They can be used to do one of
         more of the following things:</para>
 
       <itemizedlist>
         <listitem>
           <para>To protect and insulate the applications, services and
             machines of your internal network from unwanted traffic
             coming in from the public Internet.</para>
         </listitem>
 
         <listitem>
           <para>To limit or disable access from hosts of the internal
             network to services of the public Internet.</para>
         </listitem>
 
         <listitem>
           <para>To support network address translation (<acronym>NAT</acronym>), which
             allows your internal network to use private <acronym>IP</acronym> addresses
             and share a single connection to the public Internet
             (either with a single <acronym>IP</acronym> address or by a shared pool of
             automatically assigned public addresses).</para>
         </listitem>
       </itemizedlist>
     </sect2>
 
     <sect2>
       <title>Firewall Rule Set Types</title>
       <para>Constructing a software application firewall rule set may
         seem to be trivial, but most people get it wrong. The most
         common mistake is to create an <quote>exclusive</quote> firewall rather
         than an <quote>inclusive</quote> firewall.</para>
 
       <para>An exclusive firewall allows all services through except
         for those matching a set of rules that block certain
         services.</para>
 
       <para>An inclusive firewall does the reverse. It only allows
         services matching the rules through and blocks everything else.
         This way you can control what services can originate behind the
         firewall destined for the public Internet and also control which
         services originating from the public Internet may access your
         network. Inclusive firewalls are much, much safer than exclusive
         firewalls.</para>
 
       <para>When you use your browser to access a web site there are
         many internal functions that happen before your screen fills
         with the data from the target web site. Your browser does not
         receive one large file containing all the data and display
         format instructions at one time. Each internal function accesses
         the public Internet in multiple send/receive cycles of packets
         of information. When all the packets containing the data finally
         arrive, the data contained in the packets is combined together
         to fill your screen. Each service (<acronym>DNS</acronym>, <acronym>HTTP</acronym>, etc) has its own
         port number. The port number 80 is for <acronym>HTTP</acronym> services. So you
         can code your firewall to only allow web page session start
         requests originating from your <acronym>LAN</acronym> to pass through the firewall
         out to the public Internet.</para>
 
       <para>Security can be tightened further by telling the firewall to
         monitor the send/receive cycles of all the packets making up
         that session until the session completes. These are called
         stateful capabilities and provides the maximum level of
         protection.</para>
 
       <para>A firewall rule set that does not implement stateful
         capabilities on all the services being authorized is an insecure
         firewall that is still open to many of the most common methods
         of attack.</para>
      </sect2>
 
      <sect2>
       <title>Firewall Software Applications</title>
       <para>&os; has two different firewall software products built
         into the base system. They are IPFILTER (i.e. also known as IPF)
         and IPFIREWALL (i.e. also known as IPFW). IPFIREWALL has the
         built in DUMMYNET traffic shaper facilities for controlling
         bandwidth usage. IPFILTER does not have a built in traffic
         shaper facility for controlling bandwidth usage, but the ALTQ
         port application can be used to accomplish the same function.
         The DUMMYNET feature and <acronym>ALTQ</acronym> is generally useful only to large
         ISPs or commercial users. Both IPF and IPFW use rules to control
         the access of packets to and from your system, although they go
         about it different ways and have different rule syntaxes.</para>
 
       <para>The IPFW sample rule set (found in
         <filename>/etc/rc.firewall</filename>) delivered in the basic
         install is outdated, complicated and does not use stateful
         rules on the interface facing the public Internet. It
         exclusively uses legacy stateless rules which only have the
         ability to open or close the service ports. The IPFW example
         stateful rules sets presented here supercede the
         <filename>/etc/rc.firewall</filename> file distributed with the
         system.</para>
 
       <para>Stateful rules have technically advanced interrogation
         abilities capable of defending against the flood of different
         methods currently employed by attackers.</para>
 
       <para>Both of these firewall software solutions IPF and IPFW still
         maintain their legacy heritage of their original rule processing
         order and reliance on non-stateful rules. These outdated
         concepts are not covered here, only the new, modern stateful
         rule construct and rule processing order is presented.</para>
 
       <para>You should read about both of them and make your own
         decision on which one best fits your needs.</para>
 
       <para>The author prefers IPFILTER because its stateful rules are
         much less complicated to use in a <acronym>NAT</acronym> environment and it has a
         built in ftp proxy that simplifies the rules to allow secure
         outbound FTP usage. If is also more appropriate to the knowledge
         level of the inexperienced firewall user.</para>
 
       <para>Since all firewalls are based on interrogating the values
         of selected packet control fields, the creator of the firewall
         rules must have an understanding of how <acronym>TCP</acronym>/IP works, what the
         different values in the packet control fields are and how these
         values are used in a normal session conversation. For a good
         explanation go to:
         <ulink url="http://www.ipprimer.com/overview.cfm"></ulink>.</para>
    </sect2>
 
    <sect2>
       <title>The Packet Filter Firewall</title>
 
       <para>As of July 2003 the OpenBSD firewall software application
         known as <acronym>PF</acronym> was ported to &os;&nbsp;5.3.
         <acronym>PF</acronym> is a complete, fully featured firewall
         that contains <acronym>ALTQ</acronym>
         for bandwidth usage management in a way similar to the dummynet
         provides in <acronym>IPFW</acronym>.
         The OpenBSD project does an outstanding job of maintaining the
         PF users' guide that it will not be made part of this handbook
         firewall section as that would just be duplicated effort.</para>
 
       <para>For older 5.X version of &os; you can find
         <acronym>PF</acronym> in the &os; ports collection here:
         <filename role="package">security/pf</filename>.</para>
 
       <para>More info can be found at the PF for &os; web site:
         <ulink url="http://pf4freebsd.love2party.net/"></ulink>.</para>
 
       <para>The OpenBSD PF user's guide is here:
         <ulink url="http://www.openbsd.org/faq/pf/"></ulink>.
         </para>
 
       <warning>
           <para>PF in &os; 5.X is at the level of OpenBSD version 3.5. The
             port from the &os; ports collection at the level of OpenBSD
             version 3.4. Keep that in mind when browsing the user's
             guide.</para>
         </warning>
 
     <sect3>
       <title>Enabling PF</title>
       <para>PF is included in the basic &os; install for versions newer than
         5.3 as a separate run time loadable module. PF will dynamically load
 	        its kernel loadable module when the rc.conf statement
         <literal>pf_enable="YES"</literal> is used. The
         loadable module was created with &man.pflog.4; logging
         enabled.</para>
     </sect3>
 
     <sect3>
       <title>Kernel options</title>
       <para>It is not a mandatory requirement that you enable PF by
         compiling the following options into the &os; kernel. It is only
         presented here as background information. Compiling PF into the
         kernel causes the loadable module to never be used.</para>
 
       <para>Sample kernel config PF option statements are in the
         <filename>/usr/src/sys/conf/NOTES</filename> kernel source and are
         reproduced here:</para>
 
       <programlisting>device pf
 device pflog
 device pfsync</programlisting>
 
       <para><literal>device pf</literal> tells the compile to include
         Packet Filter as part of its core kernel.</para>
 
       <para><literal>device pflog</literal> enables the optional
         &man.pflog.4; pseudo network device which can be used to log traffic
         to a &man.bpf.4; descriptor. The &man.pflogd.8; daemon can be used to
         store the logging information to disk.</para>
 
       <para><literal>device pfsync</literal> enables the optional
         &man.pfsync.4; pseudo network device that is used to monitor
         <quote>state changes</quote>. As this is not part of the loadable
         module one has to build a custom kernel to use it.</para>
 
       <para>These settings will take affect only after you have built and
                 installed a kernel with them set.</para>
     </sect3>
 
     <sect3>
       <title>Available rc.conf Options</title>
 
       <para>You need the following statements in <filename>/etc/rc.conf
         </filename> to activate PF at boot time:</para>
 
       <programlisting>pf_enable="YES"                 # Enable PF (load module if required)
 pf_rules="/etc/pf.conf"         # rules definition file for pf
 pf_flags=""                     # additional flags for pfctl startup
 pflog_enable="YES"              # start pflogd(8)
 pflog_logfile="/var/log/pflog"  # where pflogd should store the logfile
 pflog_flags=""                  # additional flags for pflogd startup</programlisting>
 
       <para>If you have a LAN behind this firewall and have to forward
         packets for the computers in the LAN or want to do NAT you have to
         enable the following option as well:</para>
 
       <programlisting>gateway_enable="YES"            # Enable as Lan gateway</programlisting>
 
     </sect3>
    </sect2>
 
    <sect2>
       <title>The IPFILTER (IPF) Firewall</title>
       <para>The author of IPFILTER is Darren Reed. IPFILTER is not
         operating system dependent. IPFILTER is a open source
         application and has been ported to &os;, NetBSD, OpenBSD,
         SunOS, HP/UX, and Solaris operating systems. IPFILTER is
         actively being supported and maintained, with updated versions
         being released regularly.</para>
 
       <para>IPFILTER is based on a kernel-side firewall and <acronym>NAT</acronym>
         mechanism that can be controlled and monitored by userland
         interface programs. The firewall rules can be set or deleted
         with the &man.ipf.8; utility. The <acronym>NAT</acronym> rules can be set or
         deleted with the &man.ipnat.1; utility. The &man.ipfstat.8;
         utility can print run-time statistics for the kernel parts of
         IPFILTER.  The &man.ipmon.8; program can log IPFILTER actions
         to the system log files.</para>
 
       <para>IPF was originally written using a rule processing logic
         of <quote>the last matching rule wins</quote> and used only
         stateless type of rules. Over time IPF has been enhanced to
         include a <quote>quick</quote> option and a stateful
         <quote>keep state</quote> option which drastically modernized
         the rules processing logic. IPF's official documentation covers
         the legacy rule coding parameters and the legacy rule file
         processing logic. the modernized functions are only included as
         additional options, completely understating their benefits in
         producing a far superior secure firewall.</para>
 
       <para>The instructions contained in this section are based on
         using rules that contain the <quote>quick</quote> option and
         the stateful <quote>keep state</quote> option. This is the
         basic framework for coding an inclusive firewall rule set.
         </para>
 
       <para>An inclusive firewall only allows packets matching the
         rules to pass through. This way you can control what services
         can originate behind the firewall destine for the public
         Internet and also control the services which can originate from
         the public Internet accessing your private network. Everything
         else is blocked and logged by default design. Inclusive
         firewalls are much, much more secure than exclusive firewall
         rule sets and is the only rule set type covered here in.</para>
 
       <para>For detailed explanation of the legacy rules processing
         method see:
         <ulink url="http://www.obfuscation.org/ipf/ipf-howto.html#TOC_1"></ulink>
         and
         <ulink url="http://coombs.anu.edu.au/~avalon/ip-filter.html"></ulink>
         .</para>
 
       <para>The IPF FAQ is at
         <ulink url="http://www.phildev.net/ipf/index.html"></ulink>.
         </para>
 
     <sect3>
       <title>Enabling IPF</title>
       <para>IPF is included in the basic &os; install as a separate
         run time loadable module. IPF will dynamically load its kernel
         loadable module when the rc.conf statement <literal>
         ipfilter_enable="YES"</literal> is used. The loadable
         module was created with logging enabled and the <literal>default
         pass all</literal> options. You do not need to compile IPF into
         the &os; kernel just to change the default to <literal>block all
         </literal>, you can do that by just coding a block all rule at
         the end of your rule set.</para>
     </sect3>
 
     <sect3>
       <title>Kernel options</title>
       <para>It is not a mandatory requirement that you enable IPF by
         compiling the following options into the &os; kernel. It is
         only presented here as background information. Compiling IPF
         into the kernel causes the loadable module to never be used.
         </para>
 
       <para>Sample kernel config IPF option statements are in the
         <filename>/usr/src/sys/i386/conf/LINT</filename> kernel source
         and are reproduced here.</para>
 
       <programlisting>options IPFILTER
 options IPFILTER_LOG
 options IPFILTER_DEFAULT_BLOCK</programlisting>
 
       <para><literal>options IPFILTER</literal> tells the compile
         to include IPFILTER as part of its core kernel.</para>
 
       <para><literal>options IPFILTER_LOG</literal> enables the
         option to have IPF log traffic by writing to the ipl packet
         logging pseudo&mdash;device for every rule that has the <literal>log
         </literal> keyword.</para>
 
       <para><literal>options IPFILTER_DEFAULT_BLOCK</literal>
         changes the default behavior so any packet not matching a
         firewall <literal>pass</literal> rule gets blocked.</para>
 
       <para>These settings will take affect only after you have built
         and installed a kernel with them set.</para>
     </sect3>
 
     <sect3>
       <title>Available rc.conf Options</title>
       <para>You need the following statements in <filename>/etc/rc.conf
         </filename> to activate IPF at boot time:</para>
 
       <programlisting>ipfilter_enable="YES"             # Start ipf firewall
 ipfilter_rules="/etc/ipf.rules"   # loads rules definition text file
 ipmon_enable="YES"                # Start IP monitor log
 ipmon_flags="-Ds"                # D = start as daemon
                                   # s = log to syslog
                                   # v = log tcp window, ack, seq
                                   # n = map IP & port to names</programlisting>
       <para>If you have a LAN behind this firewall that uses the
         reserved private IP address ranges, then you need to add the
   following to enable <acronym>NAT</acronym> function.</para>
 
       <programlisting>gateway_enable="YES"              # Enable as Lan gateway
 ipnat_enable="YES"                # Start ipnat function
 ipnat_rules="/etc/ipnat.rules"    # rules definition file for ipnat</programlisting>
 
      </sect3>
 
      <sect3>
      <title>IPF</title>
      <para>The ipf command is used to load your rules file. Normally
        you create a file containing your custom rules and use this
        command to replace in mass the currently running firewall
        internal rules.</para>
 
      <programlisting><command>ipf -Fa -f /etc/ipf.rules</command></programlisting>
 
      <para>-Fa means flush all internal rules tables.</para>
      <para>-f means this is the file to read for the rules to load.</para>
 
      <para>This gives you the ability to make changes to their custom
        rules file, run the above IPF command thus updating the running
        firewall with a fresh copy of all the rules without having to
        reboot the system. This method is very convenient for testing new
        rules as the procedure can be executed as many times as needed.
        </para>
 
      <para>See the &man.ipf.8; manual page for details on the other flags
        available with this command.</para>
 
      <para>The &man.ipf.8; command expects the rules file to be a
        standard text file. It will not accept a rules file written as a
        script with symbolic substitution.</para>
 
      <para>There is a way to build IPF rules that utilities the power of
        script symbolic substitution. See the Building Rule Script
        section.</para>
 
      </sect3>
 
      <sect3>
        <title>IPFSTAT</title>
        <para>The default behavior of &man.ipfstat.8; is to retrieve and
          display the totals of the accumulated statistics gathered as a
          result of applying the user coded rules against packets going
          in and out of the firewall since it was last started, or since
          the last time the accumulators were reset to zero by
          <command>ipf -Z</command> command.</para>
 
       <para>See the &man.ipfstat.8; manual page for details.</para>
 
       <para>The default &man.ipfstat.8; command output will look
         something like this:</para>
 
       <screen>input packets: blocked 99286 passed 1255609 nomatch 14686 counted 0
  output packets: blocked 4200 passed 1284345 nomatch 14687 counted 0
  input packets logged: blocked 99286 passed 0
  output packets logged: blocked 0 passed 0
  packets logged: input 0 output 0
  log failures: input 3898 output 0
  fragment state(in): kept 0 lost 0
  fragment state(out): kept 0 lost 0
  packet state(in): kept 169364 lost 0
  packet state(out): kept 431395 lost 0
  ICMP replies: 0 <acronym>TCP</acronym> RSTs sent: 0
  Result cache hits(in): 1215208 (out): 1098963
  IN Pullups succeeded: 2 failed: 0
  OUT Pullups succeeded: 0 failed: 0
  Fastroute successes: 0 failures: 0
  <acronym>TCP</acronym> cksum fails(in): 0 (out): 0
  Packet log flags set: (0)</screen>
 
       <para>When supplied with either -i for inbound or -o for outbound,
         it will retrieve and display the appropriate list of filter
         rules currently installed and in use by the kernel.</para>
 
       <para><command>ipfstat -in</command> displays the inbound internal
         rules table with rule number.</para>
 
       <para><command>ipfstat -on</command> displays the outbound
         internal rules table with the rule number.<para>
 
       <para>The output will look something like this:</para>
 
       <screen>@1 pass out on xl0 from any to any
 @2 block out on dc0 from any to any
 @3 pass out quick on dc0 proto tcp/udp from any to any keep state</screen>
 
       <para><command>ipfstat -ih</command> displays the inbound internal
         rules table prefixed each rule with count of how many times the
         rule was matched.</para>
 
       <para><command>ipfstat -oh</command> displays the outbound
         internal rules table prefixed each rule with count of how many
         times the rule was matched.</para>
 
       <para>The output will look something like this:</para>
 
       <screen>2451423 pass out on xl0 from any to any
 354727 block out on dc0 from any to any
 430918 pass out quick on dc0 proto tcp/udp from any to any keep state</screen>
 
       <para>One of the most important functions of the ipfstat command
         is the -t flag which activates the display state table in a way
         similar to the way &man.top.1; shows the &os; running process
         table. When your firewall is under attack this function gives
         you the ability to identify, drill down to, and see the
         attacking packets. The optional sub-flags give the ability to
         select destination or source IP, port, protocol, you want to
         monitor in real time. See the &man.ipfstat.8; manual page for
         details.<para>
 
      </sect3>
      <sect3>
 
        <title>IPMON</title>
        <para>In order for <command>ipmon</command> to properly work, the
          kernel option IPFILTER_LOG must be turned on. This command has
          2 different modes it can be used in. Native mode is the default
          mode when you type the command on the command line without the
          -D flag.</para>
 
        <para>Daemon mode is for when you want to have a continuous
          system log file available so you can review logging of past
          events. This is how &os; and IPFILTER are configured to work
          together. &os; has a built in facility to automatically
          rotate syslogs. That is why outputting the log information to
          syslogd is better than the default of outputting to a regular
          file. In <filename>rc.conf</filename> file you see the
          ipmon_flags statement uses the "-Ds" flags</para>
 
        <programlisting>ipmon_flags="-Ds" # D = start as daemon
                   # s = log to syslog
                   # v = log tcp window, ack, seq
                   # n = map IP & port to names</programlisting>
 
        <para>The benefits of logging are obvious. It provides the
          ability to review, after the fact, information like: what
          packets had been dropped, what addresses they came from and
          where they were going. These all give you a significant edge in
          tracking down attackers.</para>
 
        <para>Even with the logging facility enabled, IPF will not
          generate any rule logging on its own. The firewall
          administrator decides what rules in the rule set he wants to
          log and adds the log keyword to those rules. Normally only
          deny rules are logged.</para>
 
        <para>Its very customary to include a default deny everything
          rule with the log keyword included as your last rule in the
          rule set. This way you get to see all the packets that did not
          match any of the rules in the rule set.</para>
      </sect3>
 
      <sect3>
        <title>IPMON Logging</title>
 
        <para>Syslogd uses its own special method for segregation of log
          data. It uses special grouping called <quote>facility</quote>
          and <quote>level.</quote> IPMON in -Ds mode uses Local0 as the
          <quote>facility</quote> name. All IPMON logged data goes to
          Local0. The following levels can be used to further segregate
          the logged data if desired.</para>
 
        <screen>LOG_INFO - packets logged using the "log" keyword as the action rather than pass or block.
 LOG_NOTICE - packets logged which are also passed
 LOG_WARNING - packets logged which are also blocked
 LOG_ERR - packets which have been logged and which can be considered short</screen>
 
        <para>To setup IPFILTER to log all data to <filename>
          /var/log/ipfilter.log</filename>, you will need to create the
          file. The following command will do that:</para>
 
        <programlisting><command>touch /var/log/ipfilter.log</command></programlisting>
 
        <para>The syslog function is controlled by definition statements
          in the <filename>/etc/syslog.conf</filename> file. The <filename>syslog.conf</filename> file offers
          considerable flexibility in how syslog will deal with system
          messages issued by software applications like IPF.</para>
 
        <para>Add the following statement to <filename>/etc/syslog.conf
          </filename>:</para>
 
        <programlisting>Local0.* /var/log/ipfilter.log</programlisting>
 
        <para>The <literal>Local0.*</literal> means to write all the logged messages to the
          coded file location.</para>
 
        <para>To activate the changes to <filename>/etc/syslog.conf
          </filename> you can reboot or bump the syslog task into
          re-reading <filename>/etc/syslog.conf</filename> by <command>
          kill -HUP &lt;pid&gt;</command>. You get the pid (i.e. process
          number) by listing the tasks with the <command>ps -ax</command>
          command. Find syslog in the display and the pid is the number
          in the left column.</para>
 
        <para>Do not forget to change <filename>/etc/newsyslog.conf
          </filename> to rotate the new log you just created above.
          </para>
 
      </sect3>
 
      <sect3>
        <title>The Format of Logged Messages</title>
 
        <para>Messages generated by ipmon consist of data fields
          separated by white space. Fields common to all messages are:
          </para>
 
        <orderedlist>
          <listitem>
            <para>The date of packet receipt.</para>
          </listitem>
 
          <listitem>
            <para>The time of packet receipt. This is in the form
              HH:MM:SS.F, for hours, minutes, seconds, and fractions of a
              second (which can be several digits long).</para>
          </listitem>
 
          <listitem>
            <para>The name of the interface the packet was processed on,
              e.g. <devicename>dc0</devicename>.</para>
          </listitem>
 
          <listitem>
            <para>The group and rule number of the rule, e.g. <literal>@0:17</literal>.
              </para>
          </listitem>
        </orderedlist>
 
        <para>These can be viewed with ipfstat -in.<para>
 
        <orderedlist>
          <listitem>
            <para>The action: p for passed, b for blocked, S for a short
              packet, n did not match any rules, L for a log rule. The
              order of precedence in showing flags is: S, p, b, n, L. A
              capital P or B means that the packet has been logged due to
              a global logging setting, not a particular rule.</para>
          </listitem>
 
          <listitem>
            <para>The addresses. This is actually three fields: the
              source address and port (separated by a comma), the ->
              symbol, and the destination address and port.
              209.53.17.22,80 -> 198.73.220.17,1722.</para>
          </listitem>
 
          <listitem>
            <para>PR followed by the protocol name or number, e.g. PR
              tcp.</para>
          </listitem>
 
          <listitem>
            <para>len followed by the header length and total length of
              the packet, e.g. len 20 40.</para>
          </listitem>
        </orderedlist>
 
        <para>If the packet is a <acronym>TCP</acronym> packet, there will be an additional
          field starting with a hyphen followed by letters corresponding
          to any flags that were set. See the &man.ipmon.8; manual page
          for a list of letters and their flags.</para>
 
        <para>If the packet is an ICMP packet, there will be two fields
          at the end, the first always being <quote>ICMP</quote>, and
          the next being the ICMP message and sub-message type,
          separated by a slash, e.g. ICMP 3/3 for a port unreachable
          message.</para>
 
      </sect3>
 
      <sect3>
        <title>Building the Rule Script</title>
 
        <para>Some experienced IPF users create a file containing the
          rules and code them in a manner compatible with running them
          as a script with symbolic substitution. The major benefit of
          doing this is you only have to change the value associated
          with the symbolic name and when the script is run all the rules
          containing the symbolic name will have the value substituted in
          the rules. Being a script, you can use symbolic substitution to
          code frequent used values and substitute them in multiple
          rules. You will see this in the following example.</para>
 
        <para>The script syntax used here is compatible with the sh, csh,
          and tcsh shells.</para>
 
        <para>Symbolic substitution fields are prefixed with a dollar
          sign &dollar;.</para>
 
        <para>Symbolic fields do not have the &dollar; prefix</para>
 
        <para>The value to populate the Symbolic field must be enclosed
          with "double quotes".</para>
 
        <para>Start your rule file with something like this:</para>
 
 
 <programlisting>############# Start of IPF rules script ########################
 
 oif="dc0"            # name of the outbound interface
 odns="192.0.2.11"    # ISP's dns server IP address Symbolic&gt;
 myip="192.0.2.7"     # My Static IP address from ISP
 ks="keep state"
 fks="flags S keep state"
 
 # You can use this same to build the /etc/ipf.rules file
 #cat &gt;&gt; /etc/ipf.rules &lt;&lt; EOF
 
 # exec ipf command and read inline data, stop reading
 # when word EOF is found. There has to be one line
 # after the EOF line to work correctly.
 /sbin/ipf -Fa -f - &lt;&lt; EOF
 
 # Allow out access to my ISP's Domain name server.
 pass out quick on &dollar;oif proto tcp from any to &dollar;odns port = 53 &dollar;fks
 pass out quick on &dollar;oif proto udp from any to &dollar;odns port = 53 &dollar;ks
 
 # Allow out non-secure standard www function
 pass out quick on &dollar;oif proto tcp from &dollar;myip to any port = 80 &dollar;fks
 
 # Allow out secure www function https over TLS SSL
 pass out quick on &dollar;oif proto tcp from &dollar;myip to any port = 443 &dollar;fks
 EOF
 ################## End of IPF rules script ########################</programlisting>
 
        <para>That is all there is to it. The rules are not important in
          this example, how the Symbolic substitution field are populated
          and used are. If the above example was in /etc/ipf.rules.script
          file, you could reload these rules by entering on the command
          line.</para>
 
        <programlisting><command>sh /etc/ipf.rules.script</command>
          </programlisting>
 
        <para>There is one problem with using a rules file with embedded
          symbolics. IPF has no problem with it, but the rc startup
          scripts that read <filename>rc.conf</filename> will have
          problems.</para>
 
        <para>To get around this limitation with a rc scripts, remove
          the following line:</para>
 
        <programlisting><command>ipfilter_rules=</command>
          </programlisting>
 
        <para>Add a script like the following to your <filename>
          /usr/local/etc/rc.d/</filename> startup directory. The script
          should have a obvious name like <filename>loadipfrules.sh
          </filename>. The <filename>.sh</filename> extension is mandatory.
 
        <programlisting>#!/bin/sh
 sh /etc/ipf.rules.script</programlisting>
 
        <para>The permission on this script file must be read, write,
          exec for owner root.</para>
 
        <programlisting><command>chmod 700 /usr/local/etc/rc.d/ipf.loadrules.sh</command></programlisting>
 
        <para>Now when you system boots your IPF rules will be loaded
          using the script.</para>
 
      </sect3>
 
      <sect3>
        <title>IPF Rule Sets</title>
        <para>A rule set is a group of ipf rules coded to pass or block
          packets based on the values contained in the packet. The
          bi-directional exchange of packets between hosts comprises a
          session conversation. The firewall rule set processes the
          packet 2 times, once on its arrival from the public Internet
          host and again as it leaves for its return trip back to the
          public Internet host. Each tcp/ip service (i.e. telnet, www,
          mail, etc.) is predefined by its protocol, source and
          destination IP address, or the source and destination port
          number. This is the basic selection criteria used to create
          rules which will pass or block services.</para>
 
        <para>IPF was originally written using a rules processing logic
          of 'the last matching rule wins' and used only stateless
          rules. Over time IPF has been enhanced to include a 'quick'
          option and a stateful 'keep state' option which drastically
          modernized the rules processing logic.</para>
 
        <para>The instructions contained in this section is based on
          using rules that contain the 'quick' option. and the stateful
          'keep state' option. This is the basic framework for coding an
          inclusive firewall rule set.</para>
 
        <para>An inclusive firewall only allows services matching the
          rules through. This way you can control what services can
          originate behind the firewall destined for the public Internet
          and also control the services which can originate from the
          public Internet accessing your private network. Everything
          else is blocked and logged by default design. Inclusive
          firewalls are much, much securer than exclusive firewall rule
          sets and is the only rule set type covered herein.</para>
 
        <note>
          <para>Warning, when working with the firewall rules, always,
            always do it from the root console of the system running the
            firewall or you can end up locking your self out.</para>
        </note>
      </sect3>
 
      <sect3>
        <title>Rule Syntax</title>
        <para>The rule syntax presented here has been simplified to only
          address the modern stateful rule context and <quote>first matching
          rule wins</quote> logic. For the complete legacy rule syntax
          description see the &man.ipf.8; manual page.</para>
 
        <para><literal>#</literal> is used to mark the start of a comment and may appear at
          the end of a rule line or on its own lines. Blank lines are
          ignored.</para>
 
        <para>Rules contain keywords, These keywords have to be coded in
          a specific order from left to right on the line. Keywords are
          identified in bold type. Some keywords have sub-options which
          may be keywords them selves and also include more sub-options.
          Each of the headings in the below syntax has a bold section
          header which expands on the content.</para>
 
        <!-- This section is probably wrong.. See the OpenBSD flag -->
 
        <para><replaceable>ACTION IN-OUT OPTIONS SELECTION STATEFUL
          PROTO SRC_ADDR,DST_ADDR OBJECT PORT_NUM TCP_FLAG STATEFUL
          </replaceable></para>
 
        <para><replaceable>ACTION</replaceable> = block | pass</para>
 
        <para><replaceable>IN-OUT</replaceable> = in | out</para>
 
        <para><replaceable>OPTIONS</replaceable> = log | quick | on
          interface-name</para>
 
        <para><replaceable>SELECTION</replaceable> = proto value |
          source/destination IP | port = number | flags flag-value</para>
 
        <para><replaceable>PROTO</replaceable> = tcp/udp | udp | tcp |
          icmp</para>
 
        <para><replaceable>SRC_ADD,DST_ADDR</replaceable> = all | from
          object to object</para>
 
        <para><replaceable>OBJECT</replaceable> = IP address | any</para>
 
        <para><replaceable>PORT_NUM</replaceable> = port number</para>
 
        <para><replaceable>TCP_FLAG</replaceable> = S</para>
 
        <para><replaceable>STATEFUL</replaceable> = keep state</para>
 
          <sect4>
            <title>ACTION</title>
 
            <para>The action indicates what to do with the packet if it
              matches the rest of the filter rule. Each rule <emphasis>must</emphasis> have a
              action. The following actions are recognized:</para>
 
            <para>block indicates that the packet should be dropped if
              the selection parameters match the packet.</para>
 
            <para>pass indicates that the packet should exit the firewall
              if the selection parameters match the packet.</para>
          </sect4>
 
          <sect4>
            <title>IN-OUT</title>
            <para>This is a mandatory requirement that each filter rule
              explicitly state which side of the I/O it is to be used on.
              The next keyword must be either in or out and one or the
              other has to be coded or the rule will not pass syntax
              check.</para>
 
            <para>in means this rule is being applied against an inbound
              packet which has just been received on the interface
              facing the public Internet.</para>
 
            <para>out means this rule is being applied against an
              outbound packet destined for the interface facing the public
              Internet.</para>
          </sect4>
 
          <sect4>
            <title>OPTIONS</title>
            <note>
              <para>These options must be used in the order shown here.
                </para>
            </note>
 
            <para>log indicates that the packet header will be written to
              the ipl log (as described in the LOGGING section below) if
              the selection parameters match the packet.</para>
 
            <para>quick indicates that if the selection parameters match
              the packet, this rule will be the last rule checked,
              allowing a "short-circuit" path to avoid processing any
              following rules for this packet. This option is a mandatory
              requirement for the modernized rules processing logic.
              </para>
 
            <para>on indicates the interface name to be incorporated into
              the selection parameters. Interface names are as displayed
              by ifconfig. Using this option, the rule will only match if
              the packet is going through that interface in the specified
              direction (in/out). This option is a mandatory requirement
              for the modernized rules processing logic.</para>
 
            <para>When a packet is logged, the headers of the packet are
              written to the IPL packet logging pseudo-device.
              Immediately following the log keyword, the following
              qualifiers may be used (in this order):</para>
 
            <para>body indicates that the first 128 bytes of the packet
              contents will be logged after the headers.</para>
 
            <para>first If the 'log' keyword is being used in conjunction
              with a "keep state" option, it is recommended that this
              option is also applied so that only the triggering packet
              is logged and not every packet which there after matches
              the 'keep state' information.</para>
          </sect4>
 
          <sect4>
            <title>SELECTION</title>
            <para>The keywords described in this section are used to
              describe attributes of the packet to be interrogated when
              determining whether rules match or don't match. There is a
              keyword subject, and it has sub-option keywords, one of
              which has to be selected. The following general-purpose
              attributes are provided for matching, and must be used in
              this order:</para>
          </sect4>
 
          <sect4>
            <title>PROTO</title>
            <para>Proto is the subject keyword, it must be coded along
              with one of it.s corresponding keyword sub-option values.
              The value allows a specific protocol to be matched against.
              This option is a mandatory requirement for the modernized
              rules processing logic.</para>
 
            <para>tcp/udp | udp | tcp | icmp or any protocol names found
              in /etc/protocols are recognized and may be used. The
              special protocol keyword tcp/udp may be used to match
              either a <acronym>TCP</acronym> or a UDP packet, and has been added as a
              convenience to save duplication of otherwise identical
              rules.</para>
          </sect4>
 
          <sect4>
            <title>SRC_ADDR/DST_ADDR</title>
            <para>The 'all' keyword is essentially a synonym for "from
              any to any" with no other match parameters.</para>
 
            <para>from src to dst The from and to keywords are used to
              match against IP addresses. Rules must specify BOTH source
              and destination parameters. .any. is a special keyword that
              matches any IP address. As in 'from any to any' or 'from
              0.0.0.0/0 to any' or 'from any to 0.0.0.0/0' or 'from
              0.0.0.0 to any' or 'from any to 0.0.0.0'</para>
 
            <para>IP addresses may be specified as a dotted IP address
              numeric form/mask-length, or as single dotted IP address
              numeric form.</para>
 
            <para>There isn't a way to match ranges of IP addresses which
              do not express themselves easily as mask-length. See this
              link for help on writing mask-length:
              <ulink url="http://jodies.de/ipcalc"></ulink></para>
          </sect4>
 
          <sect4>
            <title>PORT</title>
            <para>If a port match is included, for either or both of
              source and destination, then it is only applied to <acronym>TCP</acronym> and
              UDP packets. When composing port comparisons, either the
              service name from /etc/services or an integer port number
              may be used. When the port appears as part of the from
              object, it matches the source port number, when it appears
              as part of the to object, it matches the destination port
              number. The use of the port option with the .to. object is
              a mandatory requirement for the modernized rules processing
              logic. As in 'from any to any port = 80'</para>
 
            <para>Port comparisons may be done in a number of forms, with
              a number of comparison operators, or port ranges may be
              specified.</para>
 
            <para>port "=" | "!=" | "&lt;" | "&gt;" | "&lt;=" | "&gt;=" | "eq" | "ne"
              | "lt" | "gt" | "le" | "ge".</para>
 
            <para>To specify port ranges, port "&lt;&gt;" | "&gt;&lt;"</para>
 
            <warning>
              <para>Following the source and destination matching
                parameters, the following two parameters are mandatory
                requirements for the modernized rules processing logic.
                </para>
            </warning>
          </sect4>
 
          <sect4>
            <title><acronym>TCP</acronym>_FLAG</title>
            <para>Flags are only effective for <acronym>TCP</acronym> filtering. The letters
               represents one of the possible flags that can be
               interrogated in the <acronym>TCP</acronym> packet header.</para>
 
            <para>The modernized rules processing logic uses the 'flags
              S' parameter to identify the tcp session start request.
              </para>
          </sect4>
 
          <sect4>
            <title>STATEFUL</title>
            <para>'keep state' indicates that on a pass rule, any packets
              that match the rules selection parameters is to activate
              the stateful filtering facility.</para>
 
            <note>
              <para>This option is a mandatory requirement for the
                modernized rules processing logic.</para>
            </note>
          </sect4>
         </sect3>
 
         <sect3>
         <title>Stateful Filtering</title>
         <para>Stateful filtering treats traffic as a bi-directional
           exchange of packets comprising a session conversation. When
           activated keep-state dynamically generates internal rules for
           each anticipated packet being exchanged during the
           bi-directional session conversation. It has the interrogation
           abilities to determine if the session conversation between the
           originating sender and the destination are following the valid
           procedure of bi-directional packet exchange. Any packets that
           do not properly fit the session conversation template are
           automatically rejected as impostors.</para>
 
         <para>Keep state will also allow ICMP packets related to a <acronym>TCP</acronym>
           or UDP session through. So if you get ICMP type 3 code 4 in
           response to some web surfing allowed out by a keep state rule,
           they will be automatically allowed in. Any packet that IPF can
           be certain is part of a active session, even if it is a
           different protocol, will be let in.</para>
 
         <para>What happens is:</para>
 
         <para>Packets destined to go out the interface connected to the
           public Internet are first checked against the dynamic state
           table, if the packet matches the next expected packet
           comprising in a active session conversation, then it exits
           the firewall and the state of the session conversation flow
           is updated in the dynamic state table, the remaining packets
           get checked against the outbound rule set.</para>
 
         <para>Packets coming in to the interface connected to the public
           Internet are first checked against the dynamic state table, if
           the packet matches the next expected packet comprising a
           active session conversation, then it exits the firewall and
           the state of the session conversation flow is updated in the
           dynamic state table, the remaining packets get checked against
           the inbound rule set.</para>
 
         <para>When the conversation completes it is removed from the
           dynamic state table.</para>
 
         <para>Stateful filtering allows you to focus on blocking/passing
           new sessions. If the new session is passed, all its subsequent
           packets will be allowed through automatically and any
           impostors automatically rejected. If a new session is blocked,
           none of its subsequent packets will be allowed through.
           Stateful filtering has technically advanced interrogation
           abilities capable of defending against the flood of different
           attack methods currently employed by attackers.</para>
       </sect3>
 
       <sect3>
         <title>Inclusive Rule set Example</title>
         <para>The following rule set is an example of how to code a very
           secure inclusive type of firewall. An inclusive firewall only
           allows services matching pass rules through and blocks all
           other by default. All firewalls have at the minimum two
           interfaces which have to have rules to allow the firewall to
           function.</para>
 
         <para>All Unix flavored systems including &os; are designed
           to use interface l0 and IP address 127.0.0.1 for internal
           communication with in the &os; operating system. The
           firewall rules must contain rules to allow free unmolested
           movement of these special internally used packets.</para>
 
         <para>The interface which faces the public Internet, is the one
           which you code your rules to authorize and control access out
           to the public Internet and access requests arriving from the
           public Internet. This can be your .user ppp. tun0 interface
           or your NIC card that is cabled to your DSL or cable modem.
           </para>
 
         <para>In cases where one or more than one NICs are cabled to
           Private LANs (local area networks) behind the firewall, those
           interfaces must have a rule coded to allow free unmolested
           movement of packets originating from those LAN interfaces.
           </para>
 
         <para>The rules should be first organized into three major
           sections, all the free unmolested interfaces, public interface
           outbound, and the public interface inbound.</para>
 
         <para>The order of the rules in each of the public interface
           sections should be in order of the most used rules being
           placed before less often used rules with the last rule in the
           section being a block log all packets on that interface and
           direction.</para>
 
         <para>The Outbound section in the following rule set only
           contains 'pass' rules which contain selection values that
           uniquely identify the service that is authorized for public
           Internet access. All the rules have the 'quick', 'on',
           'proto', 'port', and 'keep state' option coded. The 'proto
           tcp' rules have the 'flag' option included to identify the
           session start request as the triggering packet to activate the
           stateful facility.</para>
 
         <para>The Inbound section has all the blocking of undesirable
           packets first for two different reasons. First is these things
           being blocked may be part of an otherwise valid packet which
           may be allowed in by the later authorized service rules.
           Second reason is that by having a rule that explicitly blocks
           selected packets that I receive on an infrequent bases and
           don't want to see in the log, this keeps them from being
           caught by the last rule in the section which blocks and logs
           all packets which have fallen through the rules. The last rule
           in the section which blocks and logs all packets is how you
           create the legal evidence needed to prosecute the people who
           are attacking your system.</para>
 
         <para>Another thing you should take note of, is there is no
           response returned for any of the undesirable stuff, their
           packets just get dropped and vanish. This way the attackers
           has no knowledge if his packets have reached your system.
           The less the attackers can learn about your system the more
           secure it is. The inbound 'nmap OS fingerprint' attempts
           rule I log the first occurrence because this is something a
           attacker would do.</para>
 
         <para>Any time you see log messages on a rule with .log first.
           You should do an <command>ipfstat -hio</command> command to see the number of times
           the rule has been matched so you know if your are being
           flooded, i.e. under attack.</para>
 
         <para>When you log packets with port numbers you do not
           recognize, go to
           <ulink url="http://www.securitystats.com/tools/portsearch.php"></ulink>
           and do a port number lookup to find what the purpose of that
           port number is.</para>
 
         <para>Check out this link for port numbers used by Trojans
           <ulink url="http://www.simovits.com/trojans/trojans.html"></ulink>
           </para>
 
         <para>The following rule set is a complete very secure
           'inclusive' type of firewall rule set that I have used on my
           system. You can not go wrong using this rule set for your own.
           Just comment out any pass rules for services to don.t want to
           authorize.</para>
 
         <para>If you see messages in your log that you want to stop
           seeing just add a block rule in the inbound section.</para>
 
         <para>You have to change the <devicename>dc0</devicename> interface name in every rule
           to the interface name of the Nic card that connects your
           system to the public Internet. For user PPP it would be
           <devicename>tun0</devicename>.</para>
 
         <para>Add the following statements to <filename>/etc/ipf.rules</filename>:</para>
 
         <programlisting>#################################################################
 # No restrictions on Inside Lan Interface for private network
 # Not needed unless you have Lan
 #################################################################
 
 #pass out quick on xl0 all
 #pass in quick on xl0 all
 
 #################################################################
 # No restrictions on Loopback Interface
 #################################################################
 pass in quick on lo0 all
 pass out quick on lo0 all
 
 #################################################################
 # Interface facing Public Internet (Outbound Section)
 # Interrogate session start requests originating from behind the
 # firewall on the private network
 # or from this gateway server destine for the public Internet.
 #################################################################
 
 # Allow out access to my ISP's Domain name server.
 # xxx must be the IP address of your ISP.s DNS.
 # Dup these lines if your ISP has more than one DNS server
 # Get the IP addresses from /etc/resolv.conf file
 pass out quick on dc0 proto tcp from any to xxx port = 53 flags S keep state
 pass out quick on dc0 proto udp from any to xxx port = 53 keep state
 
 # Allow out access to my ISP's DHCP server for cable or DSL networks.
 # This rule is not needed for .user ppp. type connection to the
 # public Internet, so you can delete this whole group.
 # Use the following rule and check log for IP address.
 # Then put IP address in commented out rule & delete first rule
 pass out log quick on dc0 proto udp from any to any port = 67 keep state
 #pass out quick on dc0 proto udp from any to z.z.z.z port = 67 keep state
 
 
 # Allow out non-secure standard www function
 pass out quick on dc0 proto tcp from any to any port = 80 flags S keep state
 
 # Allow out secure www function https over TLS SSL
 pass out quick on dc0 proto tcp from any to any port = 443 flags S keep state
 
 # Allow out send & get email function
 pass out quick on dc0 proto tcp from any to any port = 110 flags S keep state
 pass out quick on dc0 proto tcp from any to any port = 25 flags S keep state
 
 # Allow out Time
 pass out quick on dc0 proto tcp from any to any port = 37 flags S keep state
 
 # Allow out nntp news
 pass out quick on dc0 proto tcp from any to any port = 119 flags S keep state
 
 # Allow out gateway & LAN users non-secure FTP ( both passive & active modes)
 # This function uses the IP<acronym>NAT</acronym> built in FTP proxy function coded in
 # the nat rules file to make this single rule function correctly.
 # If you want to use the pkg_add command to install application packages
 # on your gateway system you need this rule.
 pass out quick on dc0 proto tcp from any to any port = 21 flags S keep state
 
 # Allow out secure FTP, Telnet, and SCP
 # This function is using SSH (secure shell)
 pass out quick on dc0 proto tcp from any to any port = 22 flags S keep state
 
 # Allow out non-secure Telnet
 pass out quick on dc0 proto tcp from any to any port = 23 flags S keep state
 
 # Allow out FBSD CVSUP function
 pass out quick on dc0 proto tcp from any to any port = 5999 flags S keep state
 
 # Allow out ping to public Internet
 pass out quick on dc0 proto icmp from any to any icmp-type 8 keep state
 
 # Allow out whois for LAN PC to public Internet
 pass out quick on dc0 proto tcp from any to any port = 43 flags S keep state
 
 # Block and log only the first occurrence of everything
 # else that.s trying to get out.
 # This rule enforces the block all by default logic.
 block out log first quick on dc0 all
 
 #################################################################
 # Interface facing Public Internet (Inbound Section)
 # Interrogate packets originating from the public Internet
 # destine for this gateway server or the private network.
 #################################################################
 
 # Block all inbound traffic from non-routable or reserved address spaces
 block in quick on dc0 from 192.168.0.0/16 to any    #RFC 1918 private IP
 block in quick on dc0 from 172.16.0.0/12 to any     #RFC 1918 private IP
 block in quick on dc0 from 10.0.0.0/8 to any        #RFC 1918 private IP
 block in quick on dc0 from 127.0.0.0/8 to any       #loopback
 block in quick on dc0 from 0.0.0.0/8 to any         #loopback
 block in quick on dc0 from 169.254.0.0/16 to any    #DHCP auto-config
 block in quick on dc0 from 192.0.2.0/24 to any      #reserved for docs
 block in quick on dc0 from 204.152.64.0/23 to any   #Sun cluster interconnect
 block in quick on dc0 from 224.0.0.0/3 to any       #Class D & E multicast
 
 ##### Block a bunch of different nasty things. ############
 # That I don't want to see in the log
 
 # Block frags
 block in quick on dc0 all with frags
 
 # Block short tcp packets
 block in quick on dc0 proto tcp all with short
 
 # block source routed packets
 block in quick on dc0 all with opt lsrr
 block in quick on dc0 all with opt ssrr
 
 # Block nmap OS fingerprint attempts
 # Log first occurrence of these so I can get their IP address
 block in log first quick on dc0 proto tcp from any to any flags FUP
 
 # Block anything with special options
 block in quick on dc0 all with ipopts
 
 # Block public pings
 block in quick on dc0 proto icmp all icmp-type 8
 
 # Block ident
 block in quick on dc0 proto tcp from any to any port = 113
 
 # Block all Netbios service. 137=name, 138=datagram, 139=session
 # Netbios is MS/Windows sharing services.
 # Block MS/Windows hosts2 name server requests 81
 block in log first quick on dc0 proto tcp/udp from any to any port = 137
 block in log first quick on dc0 proto tcp/udp from any to any port = 138
 block in log first quick on dc0 proto tcp/udp from any to any port = 139
 block in log first quick on dc0 proto tcp/udp from any to any port = 81
 
 # Allow traffic in from ISP's DHCP server. This rule must contain
 # the IP address of your ISP.s DHCP server as it.s the only
 # authorized source to send this packet type. Only necessary for
 # cable or DSL configurations. This rule is not needed for
 # .user ppp. type connection to the public Internet.
 # This is the same IP address you captured and
 # used in the outbound section.
 pass in quick on dc0 proto udp from z.z.z.z to any port = 68 keep state
 
 # Allow in standard www function because I have apache server
 pass in quick on dc0 proto tcp from any to any port = 80 flags S keep state
 
 # Allow in non-secure Telnet session from public Internet
 # labeled non-secure because ID/PW passed over public Internet as clear text.
 # Delete this sample group if you do not have telnet server enabled.
 #pass in quick on dc0 proto tcp from any to any port = 23 flags S keep state
 
 # Allow in secure FTP, Telnet, and SCP from public Internet
 # This function is using SSH (secure shell)
 pass in quick on dc0 proto tcp from any to any port = 22 flags S keep state
 
 # Block and log only first occurrence of all remaining traffic
 # coming into the firewall. The logging of only the first
 # occurrence stops a .denial of service. attack targeted
 # at filling up your log file space.
 # This rule enforces the block all by default logic.
 block in log first quick on dc0 all
 ################### End of rules file #####################################
         </programlisting>
        </sect3>
 
        <sect3>
         <title><acronym>NAT</acronym></title>
         <para><acronym>NAT</acronym> stands for Network Address Translation. To those
           familiar with Linux, this concept is called IP Masquerading,
           <acronym>NAT</acronym> and IP Masquerading are the same thing. One of the many
           things the IPF <acronym>NAT</acronym> function enables, is the ability to have a
           private Local Area Network (LAN) behind the firewall sharing a
           single ISP assigned IP address to the public Internet.</para>
 
         <para>You ask why would someone want to do this. ISPs normally
           assign a dynamic IP address to their non-commercial users.
           Dynamic means the IP address can be different each time you
           dial in and logon to your ISP, or for cable and DSL modem
           users when you power off and then power on your modems you can
           get assigned a different IP address. This IP address is how
           you are known to the public Internet.</para>
 
         <para>Now lets say you have 5 PCs at home and each one needs
           Internet access. You would have to pay your ISP for an
           individual Internet account for each PC and have 5 phone
           lines.</para>
 
         <para>With <acronym>NAT</acronym> you only need a single account with your ISP,
           then cable your other 4 PC.s to a switch and the switch to
           the NIC in your &os; system which is going to service your
           LAN as a gateway. <acronym>NAT</acronym> will automatically translate the private
           LAN IP address for each separate PC on the LAN to the single
           public IP address as it exits the firewall bound for the
           public Internet. It also does the reverse translation for
           returning packets.</para>
 
         <para><acronym>NAT</acronym> is most often accomplished without the approval, or
           knowledge, of your ISP and in most cases is grounds for your
           ISP terminating your account if found out. Commercial users
           pay a lot more for their Internet connection and usually get
           assigned a block of static IP address which never change. The
           ISP also expects and consents to their Commercial customers
           using <acronym>NAT</acronym> for their internal private LANs.</para>
 
         <para>There is a special range of IP addresses reserved for
           <acronym>NAT</acronym>ed private LAN IP address. According to RFC 1918, you can
           use the following IP ranges for private nets which will never
           be routed directly to the public Internet.</para>
 
-        <informaltable frame="none">
+        <informaltable frame="none" pgwide="1">
           <tgroup cols="2">
             <colspec colwidth="1*">
             <colspec colwidth="1*">
             <colspec colwidth="1*">
             <tbody>
               <row>
            <entry>Start IP <hostid role="ipaddr">10.0.0.0</hostid>
              </entry>
            <entry>-</entry>
            <entry>Ending IP <hostid role="ipaddr">10.255.255.255
              </hostid></entry>
               </row>
 
               <row>
            <entry>Start IP <hostid role="ipaddr">172.16.0.0</hostid>
              </entry>
            <entry>-</entry>
            <entry>Ending IP <hostid role="ipaddr">172.31.255.255
              </hostid></entry>
               </row>
 
               <row>
            <entry>Start IP <hostid role="ipaddr">192.168.0.0</hostid>
              </entry>
            <entry>-</entry>
            <entry>Ending IP <hostid role="ipaddr">192.168.255.255
              </hostid></entry>
               </row>
             </tbody>
           </tgroup>
         </informaltable>
       </sect3>
 
       <sect3>
         <title>IP<acronym>NAT</acronym></title>
         <para><acronym>NAT</acronym> rules are loaded by using the ipnat command. Typically
           the <acronym>NAT</acronym> rules are stored in <filename>/etc/ipnat.rules
           </filename>. See &man.ipnat.1 for details.</para>
 
         <para>When changing the <acronym>NAT</acronym> rules after <acronym>NAT</acronym> has been started,
           Make your changes to the file containing the nat rules, then
           run ipnat command with the -CF flags to delete the internal
           in use <acronym>NAT</acronym> rules and flush the contents of the translation
           table of all active entries.</para>
 
         <para>To reload the <acronym>NAT</acronym> rules issue a command like this:</para>
 
         <programlisting>ipnat -CF -f /etc/ipnat.rules</programlisting>
 
         <para>To display some statistics about your <acronym>NAT</acronym>, use this
           command:</para>
 
         <programlisting>ipnat -s</programlisting>
 
         <para>To list the <acronym>NAT</acronym> table's current mappings, use this
           command:</para>
 
         <programlisting>ipnat -l</programlisting>
 
         <para>To turn verbose mode on, and display information relating
           to rule processing and active rules/table entries:</para>
 
         <programlisting>ipnat -v</programlisting>
       </sect3>
 
       <sect3>
         <title>IP<acronym>NAT</acronym> Rules</title>
         <para><acronym>NAT</acronym> rules are very flexible and can accomplish many
           different things to fit the needs of commercial and home
           users.</para>
 
         <para>The rule syntax presented here has been simplified to
           what is most commonly used in a non-commercial environment.
           For a complete rule syntax description see the &man.ipnat.5; manual page.</para>
 
         <para>The syntax for a <acronym>NAT</acronym> rule looks something like this:
           </para>
 
         <programlisting>map <replaceable>IF</replaceable> <replaceable>LAN_IP_RANGE</replaceable> -> <replaceable>PUBLIC_ADDRESS</replaceable></programlisting>
 
         <para>The keyword <literal>map</literal> starts the rule.</para>
 
         <para>Replace <replaceable>IF</replaceable> with the external
           interface.</para>
 
         <para>The <replaceable>LAN_IP_RANGE</replaceable> is what your
           internal clients use for IP Addressing, usually this is
           something like <hostid role="ipaddr">192.168.1.0/24</hostid>.
           </para>
 
         <para>The <replaceable>PUBLIC_ADDRESS</replaceable> can either
           be the external IP address or the special keyword `0.32',
           which means to use the IP address assigned to
           <replaceable>IF</replaceable>.</para>
       </sect3>
 
       <sect3>
         <title>How <acronym>NAT</acronym> works</title>
         <para>A packet arrives at the firewall from the LAN with a
           public destination. It passes through the outbound filter
           rules, <acronym>NAT</acronym> gets his turn at the packet and applies its rules
           top down, first matching rule wins. <acronym>NAT</acronym> tests each of its
           rules against the packets interface name and source IP
           address. When a packets interface name matches a <acronym>NAT</acronym> rule then
           the [source IP address, i.e. private Lan IP address] of the
           packet is checked to see if it falls within the IP address
           range specified to the left of the arrow symbol on the <acronym>NAT</acronym>
           rule. On a match the packet has its source IP address
           rewritten with the public IP address obtained by the `0.32'
           keyword. <acronym>NAT</acronym> posts a entry in its internal <acronym>NAT</acronym> table so when
           the packet returns from the public Internet it can be mapped
           back to its original private IP address and then passed to
           the filter rules for processing.</para>
 
       </sect3>
 
       <sect3>
         <title>Enabling IP<acronym>NAT</acronym></title>
         <para>To enable IP<acronym>NAT</acronym> add these statements to
           <filename>/etc/rc.conf</filename></para>
 
         <para>To enable your machine to route traffic between
           interfaces.</para>
 
         <programlisting>gateway_enable="YES"</programlisting>
 
         <para>To start IP<acronym>NAT</acronym> automatically each time:</para>
 
         <programlisting>ipnat_enable="YES"</programlisting>
 
         <para>To specify where to load the IP<acronym>NAT</acronym> rules from</para>
 
         <programlisting>ipnat_rules="/etc/ipnat.rules"</programlisting>
       </sect3>
 
       <sect3>
         <title><acronym>NAT</acronym> for a very large LAN</title>
         <para>For networks that have large numbers of PC's on the Lan or
           networks with more that a single LAN the process of funneling
           all those private IP address into a single public IP address
           becomes a resource problem that may cause problems with same
           port numbers being used many times across many <acronym>NAT</acronym>ed LAN PC's
           causing collisions. There are 2 ways to relieve this resource
           problem.</para>
 
         <sect4>
           <title>Assigning Ports to Use</title>
           <para>BLAH</para>
           <programlisting>map dc0 192.168.1.0/24 -> 0.32</programlisting>
 
           <para>In the above rule the packet's source port is unchanged
             as the packet passes through IP<acronym>NAT</acronym>. By adding the portmap
             keyword you can tell IP<acronym>NAT</acronym> to only use source ports in a
             range. For example the following rule will tell IP<acronym>NAT</acronym> to
             modify the source port to be within that range.
 
           <programlisting>map dc0 192.168.1.0/24 -> 0.32 portmap tcp/udp 20000:60000</programlisting>
 
           <para>Additionally we can make things even easier by using
             the `auto' keyword to tell IP<acronym>NAT</acronym> to determine by itself
             which ports are available to use:</para>
 
           <programlisting>map dc0 192.168.1.0/24 -> 0.32 portmap tcp/udp auto</programlisting>
         </sect4>
 
         <sect4>
           <title>Using a pool of public addresses</title>
           <para>In very large LANs there comes a point where there are
             just too many LAN addresses to fit into a single public
             address. By changing the following rule:</para>
 
           <programlisting>map dc0 192.168.1.0/24 -> 204.134.75.1</programlisting>
 
           <para>Currently this rule maps all connections through
             <hostid role="ipaddr">204.134.75.1</hostid>. This can be
             changed to specify a range:</para>
 
           <programlisting>map dc0 192.168.1.0/24 -> 204.134.75.1-10</programlisting>
 
           <para>Or a subnet using CIDR notation such as:</para>
 
           <programlisting>map dc0 192.168.1.0/24 -> 204.134.75.0/24</programlisting>
         </sect4>
       </sect3>
 
       <sect3>
         <title>Port Redirection</title>
         <para>An very common practice is to have a web server, email
           server, database server and DNS sever each segregated to a
           different PC on the LAN. In this case the traffic from these
           servers still have to be <acronym>NAT</acronym>ed, but there has to be some way
           to direct the inbound traffic to the correct LAN PC's. IP<acronym>NAT</acronym>
           has the redirection facilities of <acronym>NAT</acronym> to solve this problem.
           Lets say you have your web server on LAN address
           <hostid role="ipaddr">10.0.10.25</hostid> and your single
           public IP address is <hostid role="ipaddr">20.20.20.5</hostid>
           you would code the rule like this:</para>
 
           <programlisting>map dc0 20.20.20.5/32 port 80 -> 10.0.10.25 port 80</programlisting>
 
           <para>or</para>
 
           <programlisting>map dc0 0/32 port 80 -> 10.0.10.25 port 80</programlisting>
 
           <para>or for a LAN DNS Server on LAN address of
             <hostid role="ipaddr">10.0.10.33</hostid> that needs to
             receive public DNS requests</para>
 
           <programlisting>map dc0 20.20.20.5/32 port 53 -> 10.0.10.33 port 53 udp</programlisting>
       </sect3>
 
       <sect3>
         <title>FTP and <acronym>NAT</acronym></title>
         <para>FTP is a dinosaur left over from the time before the
           Internet as it is know today, when research universities were
           leased lined together and FTP was used to share files among
           research Scientists. This was a time when data security was
           not even an idea yet. Over the years the FTP protocol became
           buried into the backbone of the emerging Internet and its
           username and password being sent in clear text was never
           changed to address new security concerns. FTP has two flavors,
           it can run in active mode or passive mode. The difference is
           in how the data channel is acquired. Passive mode is more
           secure as the data channel is acquired be the ordinal ftp
           session requester. For a real good explanation of FTP and the
           different modes see
           <ulink url="http://www.slacksite.com/other/ftp.html"></ulink>
           </para>
 
         <sect4>
           <title>IP<acronym>NAT</acronym> Rules</title>
 
           <para>IP<acronym>NAT</acronym> has a special built in FTP proxy option which can be
             specified on the <acronym>NAT</acronym> map rule. It can monitor all outbound
             packet traffic for FTP active or passive start session
             requests and dynamically create temporary filter rules
             containing only the port number really in use for the data
             channel. This eliminates the security risk FTP normally
             exposes the firewall to from having large ranges of high order
             port numbers open.</para>
 
           <para>This rule will handle all the traffic for the internal
             LAN:</para>
 
           <programlisting>map dc0 10.0.10.0/29 -> 0/32 proxy port 21 ftp/tcp</programlisting>
 
           <para>This rule handles the FTP traffic from the gateway.</para>
 
           <programlisting>map dc0 0.0.0.0/0 -> 0/32 proxy port 21 ftp/tcp</programlisting>
 
           <para>This rule handles all non-FTP traffic from the internal
             LAN.</para>
 
           <programlisting>map dc0 10.0.10.0/29 -> 0/32</programlisting>
 
           <para>The FTP map rule goes before our regular map rule. All
             packets are tested against the first rule from the top.
             Matches on interface name, then private LAN source IP
             address, and then is it a FTP packet. If all that matches
             then the special FTP proxy creates temp filter rules to let
             the FTP session packets pass in and out, in addition to also
             <acronym>NAT</acronym>ing the FTP packets. All LAN packets that are not FTP do
             not match the first rule and fall through to the third rule
             and are tested, matching on interface and source IP, then
             are <acronym>NAT</acronym>ed.</para>
         </sect4>
         <sect4>
           <title>IP<acronym>NAT</acronym> FTP Filter Rules</title>
           <para>Only one filter rule is needed for FTP if the <acronym>NAT</acronym> FTP
             proxy is used.</para>
 
           <para>Without the FTP Proxy you will need the following three
             rules</para>
 
           <programlisting># Allow out LAN PC client FTP to public Internet
 # Active and passive modes
 pass out quick on rl0 proto tcp from any to any port = 21 flags S keep state
 
 # Allow out passive mode data channel high order port numbers
 pass out quick on rl0 proto tcp from any to any port > 1024 flags S keep state
 
 # Active mode let data channel in from FTP server
 pass in quick on rl0 proto tcp from any to any port = 20 flags S keep state</programlisting>
         </sect4>
         <sect4>
           <title>FTP <acronym>NAT</acronym> Proxy Bug</title>
           <para>As of &os; 4.9 which includes IPFILTER version 3.4.31
             the FTP proxy works as documented during the FTP session
             until the session is told to close. When the close happens
             packets returning from the remote FTP server are blocked and
             logged coming in on port 21. The <acronym>NAT</acronym> FTP/proxy appears to
             remove its temp rules prematurely, before receiving the
             response from the remote FTP server acknowledging the close.
             Posted problem report to ipf mailing list.</para>
 
           <para>Solution is to add filter rule like this one to get rid
             of these unwanted log messages or do nothing and ignore FTP
             inbound error messages in your log. Not like you do FTP
             session to the public Internet all the time, so this is not
             a big deal.</para>
 
           <programlisting>Block in quick on rl0 proto tcp from any to any port = 21</programlisting>
         </sect4>
       </sect3>
     </sect2>
 
     <sect2>
       <title>IPFW</title>
       <para>The IPFIREWALL (IPFW) is a &os; sponsored firewall
         software application authored and maintained by &os;
         volunteer staff members. It uses the legacy Stateless rules and
         a legacy rule coding technique to achieve what is referred to as
         Simple Stateful logic.</para>
 
       <para>The IPFW stateless rule syntax is empowered with technically
         sophisticated selection capabilities which far surpasses the
         knowledge level of the customary firewall installer. IPFW is
         targeted at the professional user or the advanced technical
         computer hobbyist who have advanced packet selection
         requirements. A high degree of detailed knowledge into how
         different protocols use and create their unique packet header
         information is necessary before the power of the IPFW rules can
         be unleashed. Providing that level of explanation is out of the
         scope of this section of the handbook.</para>
 
       <para>IPFW is composed of 7 components, the primary component is
         the kernel firewall filter rule processor and its integrated
         packet accounting facility, the logging facility, the 'divert'
         rule which triggers the <acronym>NAT</acronym> facility, and the advanced special
         purpose facilities, the dummynet traffic shaper facilities, the
         'fwd rule' forward facility, the bridge facility, and the
         ipstealth facility.</para>
 
       <sect3>
         <title>Enabling IPFW</title>
         <para>IPFW is included in the basic &os; install as a
           separate run time loadable module. IPFW will dynamically load
           the kernel module when the <filename>rc.conf</filename>
           statement <literal>firewall_enable="YES"</literal> is used. You do not need to
           compile IPFW into the &os; kernel unless you want <acronym>NAT</acronym>
           function enabled.</para>
 
         <para>After rebooting your system with <literal>firewall_enable="YES"</literal> in
           <filename>rc.conf</filename> the following white highlighted
           message is displayed on the screen as part of the boot
           process:</para>
 
         <screen>IP packet filtering initialized, divert disabled, rule-based forwarding
 enabled, default to deny, logging disabled</screen>
 
         <para>You can disregard this message as it is out dated and no
           longer is the true status of the IPFW loadable module. The
           loadable module really does have logging ability compiled in.
           </para>
 
         <para>To set the verbose logging limit, There is a knob you can
           set in <filename>/etc/sysctl.conf</filename> by adding this
           statement, logging will be enabled on future reboots.</para>
 
         <programlisting>net.inet.ip.fw.verbose_limit=5</programlisting>
       </sect3>
 
       <sect3>
         <title>Kernel Options</title>
         <para>It is not a mandatory requirement that you enable IPFW by
           compiling the following options into the &os; kernel unless
           you need <acronym>NAT</acronym> function. It is presented here as background
           information.</para>
 
         <programlisting>options    IPFIREWALL</programlisting>
 
         <para>This option enables IPFW as part of the kernel</para>
 
         <programlisting>options    IPFIREWALL_VERBOSE</programlisting>
 
         <para>Enables logging of packets that pass through IPFW and
           have the 'log' keyword specified in the rule set.</para>
 
         <programlisting>options    IPFIREWALL_VERBOSE_LIMIT=5</programlisting>
 
         <para>This specifies the default number of packets from a
           particular rule is to be logged. Without this option, each
           repeated occurrences of the same packet will be logged, and
           eventually consuming all the free disk space resulting in
           services being denied do to lack of resources. The 5 is the
           number of consecutive times to log evidence of this unique
           occurrence.</para>
 
         <programlisting>options    IPFIREWALL_DEFAULT_TO_ACCEPT</programlisting>
 
         <para>This option will allow everything to pass through the
           firewall by default. Which is a good idea when you are first
           setting up your firewall.</para>
 
         <programlisting>options    IPV6FIREWALL
 options    IPV6FIREWALL_VERBOSE
 options    IPV6FIREWALL_VERBOSE_LIMIT
 options    IPV6FIREWALL_DEFAULT_TO_ACCEPT</programlisting>
 
         <para>These options are exactly the same as the IPv4 options
           but they are for IPv6. If you don't use IPv6 you might want
           to use IPV6FIREWALL without any rules to block all IPv6</para>
 
         <programlisting>options    IPDIVERT</programlisting>
 
         <para>This enables the use of <acronym>NAT</acronym> functionality.</para>
 
         <note>
           <para>If you don't include IPFIREWALL_DEFAULT_TO_ACCEPT or set
            your rules to allow incoming packets you will block all
            packets going to and from this machine.</para>
         </note>
       </sect3>
 
       <sect3>
         <title><filename>/etc/rc.conf</filename> Options</title>
         <para>If you don't have IPFW compliled into your kernel you will
           need to load it with the following statement in your
           <filename>/etc/rc.conf</filename>:</para>
 
         <programlisting>firewall_enable="YES"</programlisting>
 
         <para>Set the script to run to activate your rules:</para>
 
         <programlisting>firewall_script="/etc/ipfw.rules"</programlisting>
 
         <para>Enable logging:</para>
 
         <programlisting>firewall_logging="YES"</programlisting>
       </sect3>
 
       <sect3>
         <title>The IPFW Command</title>
         <para>The ipfw command is the normal vehicle for making manual
           single rule additions or deletions to the firewall active
           internal rules while it is running. The problem with using this
           method is once your system is shutdown or halted all the rules
           you added or changed or deleted are lost. Writing all your
           rules in a file and using that file to load the rules at boot
           time, or to replace in mass the currently running firewall
           rules with changes you made to the files content is the
           recommended method used here.</para>
 
         <para>The IPFW command is still a very useful to display the
           running firewall rules to the console screen. The IPFW
           accounting facility dynamically creates a counter for each
           rule that counts each packet that matches the rule. During the
           process of testing a rule, listing the rule with its counter
           is the only way of determining if the rule is functioning.
           </para>
 
         <para>To list all the rules in sequence:</para>
 
         <programlisting><command>ipfw list</command></programlisting>
 
         <para>To list all the rules with a time stamp of when the last
           time the rule was matched:</para>
 
         <programlisting><command>ipfw -t list</command></programlisting>
 
         <para>To list the accounting information, packet count for
           matched rules along with the rules themselves. The first
           column is the rule number, followed by the number of outgoing
           matched packets, followed by the number of incoming matched
           packets, and then the rule itself.</para>
 
         <programlisting><command>ipfw -a list</command></programlisting>
 
         <para>List the dynamic rules in addition to the static rules:
           </para>
 
         <programlisting><command>ipfw -d list</command></programlisting>
 
         <para>Also show the expired dynamic rules:</para>
 
         <programlisting><command>ipfw -d -e list</command></programlisting>
 
         <para>Zero the counters:</para>
 
         <programlisting><command>ipfw zero</command></programlisting>
 
         <para>Zero the counters for just rule <replaceable>NUM
           </replaceable>:</para>
 
         <programlisting><command>ipfw zero NUM</command></programlisting>
       </sect3>
 
       <sect3>
         <title>IPFW Rule Sets</title>
         <para>A rule set is a group of ipfw rules coded to allow or deny
           packets based on the values contained in the packet. The
           bi-directional exchange of packets between hosts comprises a
           session conversation. The firewall rule set processes the
           packet 2 times, once on its arrival from the public Internet
           host and again as it leaves for its return trip back to the
           public Internet host. Each tcp/ip service (i.e. telnet, www,
           mail, etc.) is predefined by its protocol, and port number.
           This is the basic selection criteria used to create rules
           which will allow or deny services.</para>
 
         <para>When a packet enters the firewall it is compared against
           the first rule in the rule set and progress one rule at a
           time moving from top to bottom of the set in ascending rule
           number sequence order. When the packet matches a rule
           selection parameters, the rules action field value is executed
           and the search of the rule set terminates for that packet.
           This is referred to as the 'first match wins' search method.
           If the packet does not match any of the rules, it gets caught
           by the mandatory ipfw default rule, number 65535 which denies
           all packets and discards them without any reply back to the
           originating destination.</para>
 
         <para>The instructions contained here are based on using rules
           that contain the stateful 'keep state', 'limit', 'in'/'out',
           and via options. This is the basic framework for coding an
           inclusive type firewall rule set.</para>
 
         <para>An inclusive firewall only allows services matching the
           rules through. This way you can control what services can
           originate behind the firewall destine for the public Internet
           and also control the services which can originate from the
           public Internet accessing your private network. Everything
           else is denied by default design. Inclusive firewalls are
           much, much more secure than exclusive firewall rule sets and
           is the only rule set type covered here in.</para>
 
         <warning>
           <para>When working with the firewall rules be
             careful, you can end up locking your self out.</para>
         </warning>
 
         <sect4>
           <title>Rule Syntax</title>
           <para>The rule syntax presented here has been simplified to
             what is necessary to create a standard inclusive type
             firewall rule set. For a complete rule syntax description
             see the &man.ipfw.8; manual page.</para>
 
           <para>Rules contain keywords, These keywords have to be coded
             in a specific order from left to right on the line. Keywords
             are identified in bold type. Some keywords have sub-options
             which may be keywords them selves and also include more
             sub-options.</para>
 
           <para><literal>#</literal> is used to mark the start of a comment and may appear
             at the end of a rule line or on its own lines. Blank lines
             are ignored.</para>
 
           <para><replaceable>CMD RULE# ACTION LOGGING SELECTION STATEFUL
             </replaceable></para>
 
           <sect5>
             <title>CMD</title>
             <para>Each rule has to be prefixed with 'add' to add the
               rule to the internal table.</para>
           </sect5>
 
           <sect5>
             <title>RULE#</title>
             <para>Each rule has to have a rule number to go with it.
              </para>
           </sect5>
 
           <sect5>
             <title>ACTION</title>
             <para>A rule can be associated with one of the following
               actions, which will be executed when the packet matches
               the selection criterion of the rule.</para>
 
             <para><parameter>allow | accept | pass | permit</parameter>
               </para>
 
             <para>These all mean the same thing which is to allow
               packets that match the rule to exit the firewall rule
               processing. The search terminates at this rule.</para>
 
             <para><parameter>check-state</parameter></para>
 
             <para>Checks the packet against the dynamic rules table. If
               a match is found, execute the action associated with the
               rule which generated this dynamic rule, otherwise move to
               the next rule. The Check-state rule does not have
               selection criterion. If no check-state rule is present in
               the rule set, the dynamic rules table is checked at the
               first keep-state or limit rule.</para>
 
             <para><parameter>deny | drop</parameter></para>
 
             <para>Both words mean the same thing which is to discard
               packets that match this rule. The search terminates.
               </para>
           </sect5>
 
           <sect5>
             <title>Logging</title>
             <para><parameter>log</parameter> or <parameter>logamount
               </parameter></para>
 
             <para> When a packet matches a rule with the log keyword, a
                message will be logged to syslogd with a facility name of
                SECURITY. The logging only occurs if the number of
                packets logged so far for that particular rule does not
                exceed the logamount parameter. If no logamount is
                specified, the limit is taken from the sysctl variable
                net.inet.ip.fw.verbose_limit. In both cases, a value of
                zero removes the logging limit. Once the limit is
                reached, logging can be re-enabled by clearing the
                logging counter or the packet counter for that rule, see
                the ipfw reset log command. Note: logging is done after
                all other packet matching conditions have been
                successfully verified, and before performing the final
                action (accept, deny) on the packet. It is up to you to
                decide which rules you want to enable logging on.</para>
           </sect5>
 
           <sect5>
             <title>Selection</title>
             <para>The keywords described in this section are used to
               describe attributes of the packet to be interrogated when
               determining whether rules match or don't match the packet.
               The following general-purpose attributes are provided for
               matching, and must be used in this order:</para>
 
             <para><parameter>udp | tcp | icmp</parameter></para>
 
             <para>or any protocol names found in /etc/protocols are
               recognized and may be used. The value specified is
               protocol to be matched against. This is a mandatory
               requirement.</para>
 
             <para><parameter>from src to dst</parameter></para>
 
             <para>The from and to keywords are used to match against IP
               addresses. Rules must specify BOTH source and destination
               parameters. any is a special keyword that matches any IP
               address. me is a special keyword that matches any IP
               address configured on an interface in your &os; system to
               represent the PC the firewall is running on. (i.e. this
               box) As in from me to any or from any to me or from
               0.0.0.0/0 to any  or from any to 0.0.0.0/0 or from 0.0.0.0
               to any or from any to 0.0.0.0 or from me to 0.0.0.0. IP
               addresses are specified as a dotted IP address numeric
               form/mask-length, or as single dotted IP address numeric
               form. This is a mandatory requirement. See this link for
               help on writing mask-lengths. <ulink
               url="http://jodies.de/ipcalc"></ulink></para>
 
             <para><parameter>port number</parameter></para>
 
             <para>For protocols which support port numbers (such as <acronym>TCP</acronym>
               and UDP). It is mandatory that you code the port number of
               the service you want to match on. Service names (from
               <filename>/etc/services</filename>) may be used instead of
               numeric port values.</para>
 
             <para><parameter>in | out</parameter></para>
 
             <para>Matches incoming or outgoing packets, respectively. The in
               and out are keywords and it is mandatory that you code one
               or the other as part of your rule matching criterion.
               </para>
 
             <para><parameter>via IF</parameter></para>
 
             <para>Matches packets going through the interface specified
               by exact name. The via keyword causes the interface to
               always be checked as part of the match process.</para>
 
             <para><parameter>setup</parameter></para>
 
             <para>This is a mandatory keyword that identifies the
               session start request for <acronym>TCP</acronym> packets.</para>
 
             <para><parameter>keep-state</parameter></para>
 
             <para>This is a mandatory> keyword. Upon a match, the
               firewall will create a dynamic rule, whose default
               behavior is to match bidirectional traffic between source
               and destination IP/port using the same protocol.</para>
 
             <para><parameter>limit {src-addr | src-port | dst-addr |
               dst-port}</parameter></para>
 
             <para>The firewall will only allow <replaceable>N</replaceable> connections with the
               same set of parameters as specified in the rule. One or
               more of source and destination addresses and ports can be
               specified. The 'limit' and 'keep-state' can not be used on
               same rule. Limit provides the same stateful function as
               'keep-state' plus its own functions.</para>
           </sect5>
 
         </sect4>
 
         <sect4>
           <title>Stateful Rule Option</title>
           <para>Stateful filtering treats traffic as a bi-directional
             exchange of packets comprising a session conversation. It
             has the interrogation abilities to determine if the session
             conversation between the originating sender and the
             destination are following the valid procedure of
             bi-directional packet exchange. Any packets that do not
             properly fit the session conversation template are
             automatically rejected as impostors.</para>
 
           <para>'check-state' is used to identify where in the IPFW
             rules set the packet is to be tested against the dynamic
             rules facility. On a match the packet exits the firewall to
             continue on its way and a new rule is dynamic created for
             the next anticipated packet being exchanged during this
             bi-directional session conversation. On a no match the
             packet advances to the next rule in the rule set for
             testing.</para>
 
           <para>The dynamic rules facility is vulnerable to resource
             depletion from a SYN-flood attack which would open a huge
             number of dynamic rules. To counter this attack, &os;
             version 4.5 added another new option named limit. This
             option is used to limit the number of simultaneous session
             conversations by interrogating the rules source or
             destinations fields as directed by the limit option and
             using the packet's IP address found there, in a search of
             the open dynamic rules counting the number of times this
             rule and IP address combination occurred, if this count is
             greater that the value specified on the limit option, the
             packet is discarded.</para>
         </sect4>
 
         <sect4>
           <title>Logging Firewall Messages</title>
           <para>The benefits of logging are obvious, provides the
             ability to review after the fact the rules you activated
             logging on which provides information like, what packets had
             been dropped, what addresses they came from, where they were
             going, giving you a significant edge in tracking down
             attackers.</para>
 
           <para>Even with the logging facility enabled, IPFW will not
             generate any rule logging on it's own. The firewall
             administrator decides what rules in the rule set he wants to
             log and adds the log verb to those rules. Normally only deny
             rules are logged. Like the deny rule for incoming <acronym>ICMP</acronym>
             pings. It's very customary to duplicate the ipfw default
             deny everything rule with the log verb included as your
             last rule in the rule set. This way you get to see all the
             packets that did not match any of the rules in the rule set.</para>
 
           <para>Logging is a two edged sword, if you're not careful, you
             can lose yourself in the over abundance of log data and fill
             your disk up with growing log files. DoS attacks that fill
             up disk drives is one of the oldest attacks around. These
             log message are not only written to syslogd, but also are
             displayed on the root console screen and soon become very
             annoying.</para>
 
           <para>The <literal>IPFIREWALL_VERBOSE_LIMIT=5</literal> kernel option limits the
             number of consecutive messages sent to the system logger
             syslogd, concerning the packet matching of a given rule.
             When this option is enabled in the kernel, the number of
             consecutive messages concerning a particular rule is capped
             at the number specified. There is nothing to be gained from
             200 log messages saying the same identical thing. For
             instance, 5 consecutive messages concerning a particular
             rule would be logged to syslogd, the remainder identical
             consecutive messages would be counted and posted to the
             syslogd with a phrase like this:</para>
 
           <programlisting>last message repeated 45 times</programlisting>
 
           <para>All logged packets messages are written by default to
             <filename>/var/log/security</filename> file, which is
             defined in the <filename>/etc/syslog.conf</filename> file.
             </para>
         </sect4>
 
         <sect4>
           <title>Building Rule Script</title>
           <para>Most experienced IPFW users create a file containing the
             rules and code them in a manner compatible with running them
             as a script. The major benefit of doing this is the firewall
             rules can be refreshed in mass without the need of
             rebooting the system to activate the new rules. This method
             is very convenient in testing new rules as the procedure can
             be executed as many times as needed. Being a script, you can
             use symbolic substitution to code frequent used values and
             substitution them in multiple rules. You will see this in
             the following example.</para>
 
           <para>The script syntax used here is compatible with the 'sh',
             'csh', 'tcsh' shells. Symbolic substitution fields are
             prefixed with a dollar sign &dollar;. Symbolic fields do not have
             the &dollar; prefix. The value to populate the Symbolic field must
             be enclosed to "double quotes".</para>
 
           <para>Start your rules file like this:</para>
 
           <programlisting>############### start of example ipfw rules script #############
 #
 ipfw -q -f flush       # Delete all rules
 # Set defaults
 oif="tun0"             # out interface
 odns="192.0.2.11"      # ISP's dns server IP address
 cmd="ipfw -q add "     # build rule prefix
 ks="keep-state"        # just too lazy to key this each time
 &dollar;cmd 00500 check-state
 &dollar;cmd 00502 deny all from any to any frag
 &dollar;cmd 00501 deny tcp from any to any established
 &dollar;cmd 00600 allow tcp from any to any 80 out via &dollar;oif setup &dollar;ks
 &dollar;cmd 00610 allow tcp from any to &dollar;odns 53 out via &dollar;oif setup &dollar;ks
 &dollar;cmd 00611 allow udp from any to &dollar;odns 53 out via &dollar;oif &dollar;ks
 ################### End of example ipfw rules script ############</programlisting>
 
           <para>That is all there is to it. The rules are not important
             in this example, how the Symbolic substitution field are
             populated and used are.</para>
 
           <para>If the above example was in
             <filename>/etc/ipfw.rules</filename> file, you could reload
             these rules by entering on the command line.</para>
 
           <programlisting><command>sh /etc/ipfw.rules</command>
             </programlisting>
 
           <para>The <filename>/etc/ipfw.rules</filename> file could be
             located any where you want and the file could be named any
             thing you would like.</para>
 
           <para>The same thing could also be accomplished by running
             these commands by hand:</para>
 
           <programlisting>ipfw -q -f flush
 ipfw -q add check-state
 ipfw -q add deny all from any to any frag
 ipfw -q add deny tcp from any to any established
 ipfw -q add allow tcp from any to any 80 out via tun0 setup keep-state
 ipfw -q add allow tcp from any to 192.0.2.11 53 out via tun0 setup keep-state
 ipfw -q add 00611 allow udp from any to 192.0.2.11 53 out via tun0 keep-state</programlisting>
 
         </sect4>
         <sect4>
           <title>Stateful Ruleset</title>
           <para>The following non-<acronym>NAT</acronym>ed rule set is a example of how to
             code a very secure 'inclusive' type of firewall. An
             inclusive firewall only allows services matching pass rules
             through and blocks all other by default. All firewalls have
             at the minimum two interfaces which have to have rules to
             allow the firewall to function.</para>
 
           <para>All &unix; flavored operating systems, &os; included, are designed to
             use interface lo and IP address
             <hostid role="ipaddr">127.0.0.1</hostid> for internal
             communication with in &os;. The firewall rules must contain
             rules to allow free unmolested movement of these special
             internally used packets.</para>
 
           <para>The interface which faces the public Internet, is the
             one which you code your rules to authorize and control
             access out to the public Internet and access requests
             arriving from the public Internet. This can be your ppp tun0
             interface or your NIC that is connected to your DSL or cable
             modem.</para>
 
           <para>In cases where one or more than one NIC are connected to
             a private LANs behind the firewall, those interfaces must
             have rules coded to allow free unmolested movement of
             packets originating from those LAN interfaces.</para>
 
           <para>The rules should be first organized into three major
             sections, all the free unmolested interfaces, public
             interface outbound, and the public interface inbound.
             </para>
 
           <para>The order of the rules in each of the public interface
             sections should be in order of the most used rules being
             placed before less often used rules with the last rule in
             the section being a block log all packets on that interface
             and direction.</para>
 
           <para>The Outbound section in the following rule set only
             contains 'allow' rules which contain selection values that
             uniquely identify the service that is authorized for public
             Internet access. All the rules have the, proto, port,
             in/out, via and keep state option coded. The 'proto tcp'
             rules have the 'setup' option included to identify the start
             session request as the trigger packet to be posted to the
             keep state stateful table.</para>
 
           <para>The Inbound section has all the blocking of undesirable
             packets first for 2 different reasons. First is these things
             being blocked may be part of an otherwise valid packet which
             may be allowed in by the later authorized service rules.
             Second reason is that by having a rule that explicitly
             blocks selected packets that I receive on an infrequent
             bases and don't want to see in the log, this keeps them from
             being caught by the last rule in the section which blocks
             and logs all packets which have fallen through the rules.
             The last rule in the section which blocks and logs all
             packets is how you create the legal evidence needed to
             prosecute the people who are attacking your system.</para>
 
           <para>Another thing you should take note of, is there is no
             response returned for any of the undesirable stuff, their
             packets just get dropped and vanish. This way the attackers
             has no knowledge if his packets have reached your system.
             The less the attackers can learn about your system the more
             secure it is. When you log packets with port numbers you do
             not recognize, go to
             <ulink url="http://www.securitystats.com/tools/portsearch.php"></ulink>
             and do a port number lookup to find what the purpose of that
             port number is. Check out this link for port numbers used by
             Trojans:
             <ulink url="http://www.simovits.com/trojans/trojans.html"></ulink>
             .</para>
         </sect4>
         <sect4>
           <title>An Example Inclusive Ruleset</title>
           <para>The following non-<acronym>NAT</acronym>ed rule set is a complete inclusive
             type ruleset. You can not go wrong using this rule set for
             you own. Just comment out any pass rules for services to
             don't want. If you see messages in your log that you want to
             stop seeing just add a deny rule in the inbound section. You
             have to change the 'dc0' interface name in every rule to the
             interface name of the NIC that connects your system to the
             public Internet. For user ppp it would be 'tun0'.</para>
 
           <para>You will see a pattern in the usage of these rules.
             </para>
 
           <itemizedlist>
             <listitem>
               <para>All statements that are a request to start a session
                 to the public Internet use keep-state.</para>
             </listitem>
 
             <listitem>
               <para>All the authorized services that originate from the
                 public Internet have the limit option to stop flooding.
                 </para>
             </listitem>
 
             <listitem>
               <para>All rules use in or out to clarify direction.
                 </para>
             </listitem>
 
             <listitem>
               <para>All rules use via interface name to specify the
                 interface the packet is traveling over.</para>
             </listitem>
           </itemizedlist>
 
           <para>The following rules go into
             <filename>/etc/ipfw.rules</filename>.</para>
 
           <programlisting>################ Start of IPFW rules file ###############################
 # Flush out the list before we begin.
 ipfw -q -f flush
 
 # Set rules command prefix
 cmd="ipfw -q add"
 pif="dc0"     # public interface name of Nic card
                         # facing the public Internet
 
 #################################################################
 # No restrictions on Inside Lan Interface for private network
 # Not needed unless you have Lan.
 # Change xl0 to your Lan Nic card interface name
 #################################################################
 #&dollar;cmd 00005 allow all from any to any via xl0
 
 #################################################################
 # No restrictions on Loopback Interface
 #################################################################
 &dollar;cmd 00010 allow all from any to any via lo0
 
 #################################################################
 # Allow the packet through if it has previous been added to the
 # the "dynamic" rules table by a allow keep-state statement.
 #################################################################
 &dollar;cmd 00015 check-state
 
 #################################################################
 # Interface facing Public Internet (Outbound Section)
 # Interrogate session start requests originating from behind the
 # firewall on the private network or from this gateway server
 # destine for the public Internet.
 #################################################################
 
 # Allow out access to my ISP's Domain name server.
 # x.x.x.x must be the IP address of your ISP.s DNS
 # Dup these lines if your ISP has more than one DNS server
 # Get the IP addresses from /etc/resolv.conf file
 &dollar;cmd 00110 allow tcp from any to x.x.x.x 53 out via &dollar;pif setup keep-state
 &dollar;cmd 00111 allow udp from any to x.x.x.x 53 out via &dollar;pif keep-state
 
 # Allow out access to my ISP's DHCP server for cable/DSL configurations.
 # This rule is not needed for .user ppp. connection to the public Internet.
 # so you can delete this whole group.
 # Use the following rule and check log for IP address.
 # Then put IP address in commented out rule & delete first rule
 &dollar;cmd 00120 allow log udp from any to any 67 out via &dollar;pif keep-state
 #&dollar;cmd 00120 allow udp from any to x.x.x.x 67 out via &dollar;pif keep-state
 
 # Allow out non-secure standard www function
 &dollar;cmd 00200 allow tcp from any to any 80 out via &dollar;pif setup keep-state
 
 # Allow out secure www function https over TLS SSL
 &dollar;cmd 00220 allow tcp from any to any 443 out via &dollar;pif setup keep-state
 
 # Allow out send & get email function
 &dollar;cmd 00230 allow tcp from any to any 25 out via &dollar;pif setup keep-state
 &dollar;cmd 00231 allow tcp from any to any 110 out via &dollar;pif setup keep-state
 
 # Allow out FBSD (make install & CVSUP) functions
 # Basically give user root "GOD" privileges.
 &dollar;cmd 00240 allow tcp from me to any out via &dollar;pif setup keep-state uid root
 
 # Allow out ping
 &dollar;cmd 00250 allow icmp from any to any out via &dollar;pif keep-state
 
 # Allow out Time
 &dollar;cmd 00260 allow tcp from any to any 37 out via &dollar;pif setup keep-state
 
 # Allow out nntp news (i.e. news groups)
 &dollar;cmd 00270 allow tcp from any to any 119 out via &dollar;pif setup keep-state
 
 # Allow out secure FTP, Telnet, and SCP
 # This function is using SSH (secure shell)
 &dollar;cmd 00280 allow tcp from any to any 22 out via &dollar;pif setup keep-state
 
 # Allow out whois
 &dollar;cmd 00290 allow tcp from any to any 43 out via &dollar;pif setup keep-state
 
 # deny and log everything else that.s trying to get out.
 # This rule enforces the block all by default logic.
 &dollar;cmd 00299 deny log all from any to any out via &dollar;pif
 
 #################################################################
 # Interface facing Public Internet (Inbound Section)
 # Interrogate packets originating from the public Internet
 # destine for this gateway server or the private network.
 #################################################################
 
 # Deny all inbound traffic from non-routable reserved address spaces
 &dollar;cmd 00300 deny all from 192.168.0.0/16 to any in via &dollar;pif  #RFC 1918 private IP
 &dollar;cmd 00301 deny all from 172.16.0.0/12 to anyin via &dollar;pif     #RFC 1918 private IP
 &dollar;cmd 00302 deny all from 10.0.0.0/8 to anyin via &dollar;pif          #RFC 1918 private IP
 &dollar;cmd 00303 deny all from 127.0.0.0/8 to anyin via &dollar;pif        #loopback
 &dollar;cmd 00304 deny all from 0.0.0.0/8 to anyin via &dollar;pif            #loopback
 &dollar;cmd 00305 deny all from 169.254.0.0/16 to anyin via &dollar;pif   #DHCP auto-config
 &dollar;cmd 00306 deny all from 192.0.2.0/24 to anyin via &dollar;pif       #reserved for docs
 &dollar;cmd 00307 deny all from 204.152.64.0/23 to anyin via &dollar;pif  #Sun cluster interconnect
 &dollar;cmd 00308 deny all from 224.0.0.0/3 to anyin via &dollar;pif         #Class D & E multicast
 
 # Deny public pings
 &dollar;cmd 00310 deny icmp from any to anyin via &dollar;pif
 
 # Deny ident
 &dollar;cmd 00315 deny tcp from any to any 113in via &dollar;pif
 
 # Deny all Netbios service. 137=name, 138=datagram, 139=session
 # Netbios is MS/Windows sharing services.
 # Block MS/Windows hosts2 name server requests 81
 &dollar;cmd 00320 deny tcp from any to any 137in via &dollar;pif
 &dollar;cmd 00321 deny tcp from any to any 138in via &dollar;pif
 &dollar;cmd 00322 deny tcp from any to any 139in via &dollar;pif
 &dollar;cmd 00323 deny tcp from any to any 81 in via &dollar;pif
 
 # Deny any late arriving packets
 &dollar;cmd 00330 deny all from any to any frag in via &dollar;pif
 
 # Deny ACK packets that did not match the dynamic rule table
 &dollar;cmd 00332 deny tcp from any to any established in via &dollar;pif
 
 # Allow traffic in from ISP's DHCP server. This rule must contain
 # the IP address of your ISP.s DHCP server as it.s the only
 # authorized source to send this packet type.
 # Only necessary for cable or DSL configurations.
 # This rule is not needed for .user ppp. type connection to
 # the public Internet. This is the same IP address you captured
 # and used in the outbound section.
 #&dollar;cmd 00360 allow udp from any to x.x.x.x 67 in via &dollar;pif keep-state
 
 # Allow in standard www function because I have apache server
 &dollar;cmd 00400 allow tcp from any to me 80 in via &dollar;pif setup limit src-addr 2
 
 # Allow in secure FTP, Telnet, and SCP from public Internet
 &dollar;cmd 00410 allow tcp from any to me 22 in via &dollar;pif setup limit src-addr 2
 
 # Allow in non-secure Telnet session from public Internet
 # labeled non-secure because ID & PW are passed over public
 # Internet as clear text.
 # Delete this sample group if you do not have telnet server enabled.
 &dollar;cmd 00420 allow tcp from any to me 23 in via &dollar;pif setup limit src-addr 2
 
 # Reject & Log all incoming connections from the outside
 &dollar;cmd 00499 deny log all from any to any in via &dollar;pif
 
 # Everything else is denied by default
 # deny and log all packets that fell through to see what they are
 &dollar;cmd 00999 deny log all from any to any
 ################ End of IPFW rules file ###############################
           </programlisting>
         </sect4>
 
         <sect4>
           <title>An Example <acronym>NAT</acronym> and Stateful Ruleset</title>
           <para>There are some additional configuration statements that
             need to be enabled to activate the <acronym>NAT</acronym> function of IPFW. The
             kernel source needs 'option divert' statement added to the
             other IPFIREWALL statements compiled into a custom kernel.
             </para>
 
           <para>In addition to the normal IPFW options in
             <filename>/etc/rc.conf</filename>, the following are needed.
             </para>
 
           <programlisting>natd_enable="YES"                   # Enable <acronym>NAT</acronym>D function
 natd_interface="rl0"                # interface name of public Internet NIC
 natd_flags="-dynamic -m"            # -m = preserve port numbers if possible</programlisting>
 
           <para>Utilizing stateful rules with divert natd rule (Network
             Address Translation) greatly complicates the rule set coding
             logic. The positioning of the check-state, and 'divert natd'
             rules in the rule set becomes very critical. This is no
             longer a simple fall-through logic flow. A new action type
             is used, called 'skipto'. To use the skipto command it is
             mandatory that you number each rule so you know exactly
             where the skipto rule number is you are really jumping to.
             </para>
 
           <para>The following is an uncommented example of one coding
             method, selected here to explain the sequence of the packet
             flow through the rule sets.</para>
 
           <para>The processing flow starts with the first rule from the
             top of the rule file and progress one rule at a time deeper
             into the file until the end is reach or the packet being
             tested to the selection criteria matches and the packet is
             released out of the firewall. It's important to take notice
             of the location of rule numbers 100 101, 450, 500, and 510.
             These rules control the translation of the outbound and
             inbound packets so their entries in the keep-state dynamic
             table always register the private Lan IP address. Next
             notice that all the allow and deny rules specified the
             direction the packet is going (IE outbound or inbound) and
             the interface. Also notice that all the start outbound
             session requests all skipto rule 500 for the network address
             translation.</para>
 
           <para>Lets say a LAN user uses their web browser to get a web
             page. Web pages use port 80 to communicate over. So the
             packet enters the firewall, It does not match 100 because
             it is headed out not in. It passes rule 101 because this is
             the first packet so it has not been posted to the keep-state
             dynamic table yet. The packet finally comes to rule 125 a
             matches. It's outbound through the NIC facing the public
             Internet. The packet still has it's source IP address as a
             private Lan IP address. On the match to this rule, two
             action take place. The keep-state option will post this rule
             into the keep-state dynamic rules table and the specified
             action is executed. The action is part of the info posted to
             the dynamic table. In this case it's "skipto rule 500". Rule
             500 <acronym>NAT</acronym>s the packet IP address and out it goes. Remember
             this, this is very important. This packet makes it's way to
             the destination and returns and enters the top of the rule
             set. This time it does match rule 100 and has it destination
             IP address mapped back to it's corresponding Lan IP address.
             It then is processed by the check-state rule, it's found in
             the table as an existing session conversation and released
             to the LAN. It goes to the LAN PC that sent it and a new
             packet is sent requesting another segment of the data from
             the remote server. This time it gets checked by the
             check-state rule and it's outbound entry is found,  the
             associated action, 'skipto 500', is executed. the packet
             jumps to rule 500 gets <acronym>NAT</acronym>ed and released on it's way out.
             </para>
 
           <para>On the inbound side, everything coming in that is part
             of an existing session conversation is being automatically
             handled by the check-state rule and the properly placed
             divert natd rules. All we have to address is denying all the
             bad packets and only allowing in the authorized services.
             Lets say there is a apache server running on the firewall
             box and we want people on the public Internet to be able to
             access the local web site. The new inbound start request
             packet matches rule 100 and its IP address is mapped to LAN
             IP for the firewall box. The packet is them matched against
             all the nasty things we want to check for and finally
             matches against rule 425. On a match two things occur, the
             limit option is an extension to keep-state. The packet rule
             is posted to the keep-state dynamic table but this time any
             new session requests originating from that source IP address
             is limited to 2. This defends against DoS attacks of service
             running on the specified port number. The action is allow so
             the packet is released to the LAN. On return the check-state
             rule recognizes the packet as belonging to an existing
             session conversation sends it to rule 500 for <acronym>NAT</acronym>ing and
             released to outbound interface.</para>
 
           <para>Example Ruleset #1:</para>
 
           <programlisting>#!/bin/sh
 cmd="ipfw -q add"
 skip="skipto 500"
 pif=rl0
 ks="keep-state"
 good_tcpo="22,25,37,43,53,80,443,110,119"
 
 ipfw -q -f flush
 
 &dollar;cmd 002 allow all from any to any via xl0  # exclude Lan traffic
 &dollar;cmd 003 allow all from any to any via lo0  # exclude loopback traffic
 
 &dollar;cmd 100 divert natd ip from any to any in via &dollar;pif
 &dollar;cmd 101 check-state
 
 # Authorized outbound packets
 &dollar;cmd 120 &dollar;skip udp from any to xx.168.240.2 53 out via &dollar;pif &dollar;ks
 &dollar;cmd 121 &dollar;skip udp from any to xx.168.240.5 53 out via &dollar;pif &dollar;ks
 &dollar;cmd 125 &dollar;skip tcp from any to any &dollar;good_tcpo out via &dollar;pif setup &dollar;ks
 &dollar;cmd 130 &dollar;skip icmp from any to any  out via &dollar;pif &dollar;ks
 &dollar;cmd 135 &dollar;skip udp from any to any 123 out via &dollar;pif &dollar;ks
 
 
 # Deny all inbound traffic from non-routable reserved address spaces
 &dollar;cmd 300 deny all from 192.168.0.0/16  to any in via &dollar;pif  #RFC 1918 private IP
 &dollar;cmd 301 deny all from 172.16.0.0/12   to any in via &dollar;pif  #RFC 1918 private IP
 &dollar;cmd 302 deny all from 10.0.0.0/8      to any in via &dollar;pif  #RFC 1918 private IP
 &dollar;cmd 303 deny all from 127.0.0.0/8     to any in via &dollar;pif  #loopback
 &dollar;cmd 304 deny all from 0.0.0.0/8       to any in via &dollar;pif  #loopback
 &dollar;cmd 305 deny all from 169.254.0.0/16  to any in via &dollar;pif  #DHCP auto-config
 &dollar;cmd 306 deny all from 192.0.2.0/24    to any in via &dollar;pif  #reserved for docs
 &dollar;cmd 307 deny all from 204.152.64.0/23 to any in via &dollar;pif  #Sun cluster
 &dollar;cmd 308 deny all from 224.0.0.0/3     to any in via &dollar;pif  #Class D & E multicast
 
 # Authorized inbound packets
 &dollar;cmd 400 allow udp from xx.70.207.54 to any 68 in &dollar;ks
 &dollar;cmd 420 allow tcp from any to me 80 in via &dollar;pif setup limit src-addr 1
 
 
 &dollar;cmd 450 deny log ip from any to any
 
 # This is skipto location for outbound stateful rules
 &dollar;cmd 500 divert natd ip from any to any out via &dollar;pif
 &dollar;cmd 510 allow ip from any to any
 
 ######################## end of rules  ##################
             </programlisting>
           <para>The following is pretty much the same as above but, uses
             a self documenting coding style full of description comments
             to help the inexperienced IPFW rule writer to better
             understand what the rules are doing.</para>
 
           <para>Example Ruleset #2:</para>
 
           <programlisting>
 #!/bin/sh
 ################ Start of IPFW rules file ###############################
 # Flush out the list before we begin.
 ipfw -q -f flush
 
 # Set rules command prefix
 cmd="ipfw -q add"
 skip="skipto 800"
 pif="rl0"     # public interface name of Nic card
               # facing the public Internet
 
 #################################################################
 # No restrictions on Inside Lan Interface for private network
 # Change xl0 to your Lan Nic card interface name
 #################################################################
 &dollar;cmd 005 allow all from any to any via xl0
 
 #################################################################
 # No restrictions on Loopback Interface
 #################################################################
 &dollar;cmd 010 allow all from any to any via lo0
 
 #################################################################
 # check if packet is inbound and nat address if it is
 #################################################################
 &dollar;cmd 014 divert natd ip from any to any in via &dollar;pif
 
 #################################################################
 # Allow the packet through if it has previous been added to the
 # the "dynamic" rules table by a allow keep-state statement.
 #################################################################
 &dollar;cmd 015 check-state
 
 #################################################################
 # Interface facing Public Internet (Outbound Section)
 # Interrogate session start requests originating from behind the
 # firewall on the private network or from this gateway server
 # destine for the public Internet.
 #################################################################
 
 # Allow out access to my ISP's Domain name server.
 # x.x.x.x must be the IP address of your ISP's DNS
 # Dup these lines if your ISP has more than one DNS server
 # Get the IP addresses from /etc/resolv.conf file
 &dollar;cmd 020 &dollar;skip tcp from any to x.x.x.x 53 out via &dollar;pif setup keep-state
 
 
 # Allow out access to my ISP's DHCP server for cable/DSL configurations.
 &dollar;cmd 030 &dollar;skip udp from any to x.x.x.x 67 out via &dollar;pif keep-state
 
 # Allow out non-secure standard www function
 &dollar;cmd 040 &dollar;skip tcp from any to any 80 out via &dollar;pif setup keep-state
 
 # Allow out secure www function https over TLS SSL
 &dollar;cmd 050 &dollar;skip tcp from any to any 443 out via &dollar;pif setup keep-state
 
 # Allow out send & get email function
 &dollar;cmd 060 &dollar;skip tcp from any to any 25 out via &dollar;pif setup keep-state
 &dollar;cmd 061 &dollar;skip tcp from any to any 110 out via &dollar;pif setup keep-state
 
 # Allow out FreeBSD (make install & CVSUP) functions
 # Basically give user root "GOD" privileges.
 &dollar;cmd 070 &dollar;skip tcp from me to any out via &dollar;pif setup keep-state uid root
 
 # Allow out ping
 &dollar;cmd 080 &dollar;skip icmp from any to any out via &dollar;pif keep-state
 
 # Allow out Time
 &dollar;cmd 090 &dollar;skip tcp from any to any 37 out via &dollar;pif setup keep-state
 
 # Allow out nntp news (i.e. news groups)
 &dollar;cmd 100 &dollar;skip tcp from any to any 119 out via &dollar;pif setup keep-state
 
 # Allow out secure FTP, Telnet, and SCP
 # This function is using SSH (secure shell)
 &dollar;cmd 110 &dollar;skip tcp from any to any 22 out via &dollar;pif setup keep-state
 
 # Allow out whois
 &dollar;cmd 120 &dollar;skip tcp from any to any 43 out via &dollar;pif setup keep-state
 
 # Allow ntp time server
 &dollar;cmd 130 &dollar;skip udp from any to any 123 out via &dollar;pif keep-state
 
 #################################################################
 # Interface facing Public Internet (Inbound Section)
 # Interrogate packets originating from the public Internet
 # destine for this gateway server or the private network.
 #################################################################
 
 # Deny all inbound traffic from non-routable reserved address spaces
 &dollar;cmd 300 deny all from 192.168.0.0/16  to any in via &dollar;pif  #RFC 1918 private IP
 &dollar;cmd 301 deny all from 172.16.0.0/12   to any in via &dollar;pif  #RFC 1918 private IP
 &dollar;cmd 302 deny all from 10.0.0.0/8      to any in via &dollar;pif  #RFC 1918 private IP
 &dollar;cmd 303 deny all from 127.0.0.0/8     to any in via &dollar;pif  #loopback
 &dollar;cmd 304 deny all from 0.0.0.0/8       to any in via &dollar;pif  #loopback
 &dollar;cmd 305 deny all from 169.254.0.0/16  to any in via &dollar;pif  #DHCP auto-config
 &dollar;cmd 306 deny all from 192.0.2.0/24    to any in via &dollar;pif  #reserved for docs
 &dollar;cmd 307 deny all from 204.152.64.0/23 to any in via &dollar;pif  #Sun cluster
 &dollar;cmd 308 deny all from 224.0.0.0/3     to any in via &dollar;pif  #Class D & E multicast
 
 # Deny ident
 &dollar;cmd 315 deny tcp from any to any 113 in via &dollar;pif
 
 # Deny all Netbios service. 137=name, 138=datagram, 139=session
 # Netbios is MS/Windows sharing services.
 # Block MS/Windows hosts2 name server requests 81
 &dollar;cmd 320 deny tcp from any to any 137 in via &dollar;pif
 &dollar;cmd 321 deny tcp from any to any 138 in via &dollar;pif
 &dollar;cmd 322 deny tcp from any to any 139 in via &dollar;pif
 &dollar;cmd 323 deny tcp from any to any 81  in via &dollar;pif
 
 # Deny any late arriving packets
 &dollar;cmd 330 deny all from any to any frag in via &dollar;pif
 
 # Deny ACK packets that did not match the dynamic rule table
 &dollar;cmd 332 deny tcp from any to any established in via &dollar;pif
 
 # Allow traffic in from ISP's DHCP server. This rule must contain
 # the IP address of your ISP's DHCP server as it's the only
 # authorized source to send this packet type.
 # Only necessary for cable or DSL configurations.
 # This rule is not needed for 'user ppp' type connection to
 # the public Internet. This is the same IP address you captured
 # and used in the outbound section.
 &dollar;cmd 360 allow udp from x.x.x.x to any 68 in via &dollar;pif keep-state
 
 # Allow in standard www function because I have apache server
 &dollar;cmd 370 allow tcp from any to me 80 in via &dollar;pif setup limit src-addr 2
 
 # Allow in secure FTP, Telnet, and SCP from public Internet
 &dollar;cmd 380 allow tcp from any to me 22 in via &dollar;pif setup limit src-addr 2
 
 # Allow in non-secure Telnet session from public Internet
 # labeled non-secure because ID & PW are passed over public
 # Internet as clear text.
 # Delete this sample group if you do not have telnet server enabled.
 &dollar;cmd 390 allow tcp from any to me 23 in via &dollar;pif setup limit src-addr 2
 
 # Reject & Log all unauthorized incoming connections from the public Internet
 &dollar;cmd 400 deny log all from any to any in via &dollar;pif
 
 # Reject & Log all unauthorized out going connections to the public Internet
 &dollar;cmd 450 deny log all from any to any out via &dollar;pif
 
 # This is skipto location for outbound stateful rules
 &dollar;cmd 800 divert natd ip from any to any out via &dollar;pif
 &dollar;cmd 801 allow ip from any to any
 
 # Everything else is denied by default
 # deny and log all packets that fell through to see what they are
 &dollar;cmd 999 deny log all from any to any
 ################ End of IPFW rules file ###############################</programlisting>
 
         </sect4>
       </sect3>
     </sect2>
   </sect1>
 
   <sect1 id="openssl">
     <sect1info>
       <authorgroup>
 	<author>
 	  <firstname>Tom</firstname>
 	  <surname>Rhodes</surname>
 	  <contrib>Written by: </contrib>
 	</author>
       </authorgroup>
     </sect1info>
     <title>OpenSSL</title>
     <indexterm>
       <primary>security</primary>
       <secondary>OpenSSL</secondary>
     </indexterm>
 
     <para>One feature that many users overlook is the
       <application>OpenSSL</application> toolkit included
       in &os;.  <application>OpenSSL</application> provides an
       encryption transport layer on top of the normal communications
       layer; thus allowing it to be intertwined with many network
       applications and services.</para>
 
     <para>Some uses of <application>OpenSSL</application> may include
       encrypted authentication of mail clients, web based transactions
       such as credit card payments and more.  Many ports such as
       <filename role="package">www/apache13-ssl</filename>, and
       <filename role="package">mail/sylpheed-claws</filename>
       will offer compilation support for building with
       <application>OpenSSL</application>.</para>
 
     <note>
       <para>In most cases the ports collection will attempt to build
 	the <filename role="package">security/openssl</filename>
 	unless the <makevar>WITH_OPENSSL_BASE</makevar> make variable
 	is explicitly set to <quote>yes</quote>.</para>
     </note>
 
     <para>The version of <application>OpenSSL</application> included
       in &os; supports Secure Sockets Layer v2/v3 (SSLv2/SSLv3),
       Transport Layer Security v1 (TLSv1) network security protocols
       and can be used as a general cryptographic library for use
       with applications.</para>
 
     <note>
       <para>While <application>OpenSSL</application> supports the
 	<acronym>IDEA</acronym> algorithm, it is disabled by default
 	due to United States patents.  To use it, the license should
 	be reviewed and, if the restrictions are acceptable, the
 	<makevar>MAKE_IDEA</makevar> variable must be set in
 	<filename>make.conf</filename>.</para>
     </note>
 
     <para>Perhaps one of the most common uses of
       <application>OpenSSL</application> provide certificates for
       use with software applications.  These certificates ensure
       that the credentials of the company or individual is valid
       and are not fraudulent.  If the certificate in question has
       not been verified by one of the several Certificate Authorities,
       or <acronym>CA</acronym>s, a warning is usually produced.  A
       Certificate Authority is a company, such as VeriSign, who will
       sign certificates in order to validate credentials of individuals
       or companies.  This process has a cost associated with it and
       is definitely not a requirement for using certificates; however,
       it can put some of the more paranoid users at ease.</para>
 
     <sect2>
       <title>Generating Certificates</title>
 
       <indexterm>
 	<primary>OpenSSL</primary>
 	<secondary>certificate generation</secondary>
       </indexterm>
 
       <para>To generate a certificate, the following command is
 	available:</para>
 
       <screen>&prompt.root; <userinput>openssl req -new -nodes -out req.pem -keyout cert.pem</userinput>
 Generating a 1024 bit RSA private key
 ................++++++
 .......................................++++++
 writing new private key to 'cert.pem'
 -----
 You are about to be asked to enter information that will be incorporated
 into your certificate request.
 What you are about to enter is what is called a Distinguished Name or a DN.
 There are quite a few fields but you can leave some blank
 For some fields there will be a default value,
 If you enter '.', the field will be left blank.
 -----
 Country Name (2 letter code) [AU]:<userinput><replaceable>US</replaceable></userinput>
 State or Province Name (full name) [Some-State]:<userinput><replaceable>PA</replaceable></userinput>
 Locality Name (eg, city) []:<userinput><replaceable>Pittsburgh</replaceable></userinput>
 Organization Name (eg, company) [Internet Widgits Pty Ltd]:<userinput><replaceable>My Company</replaceable></userinput>
 Organizational Unit Name (eg, section) []:<userinput><replaceable>Systems Administrator</replaceable></userinput>
 Common Name (eg, YOUR name) []:<userinput><replaceable>localhost.example.org</replaceable></userinput>
 Email Address []:<userinput><replaceable>trhodes@FreeBSD.org</replaceable></userinput>
 
 Please enter the following 'extra' attributes
 to be sent with your certificate request
 A challenge password []:<userinput><replaceable>SOME PASSWORD</replaceable></userinput>
 An optional company name []:<userinput><replaceable>Another Name</replaceable></userinput></screen>
 
       <para>Notice the response directly after the
 	<quote>Common Name</quote> prompt shows a domain name.
 	This prompt requires a server name to be entered for
 	verification purposes; placing anything	but a domain name
 	would yield a useless certificate.  Other options for
 	instance expire time, alternate encryption algorithms, etc.
 	are available.  A complete list may be obtained by viewing
 	the &man.openssl.1; manual page.</para>
 
       <para>A file, <filename>cert.pem</filename> should now exist in
 	the directory which the aforementioned command was issued.  This
 	is the certificate which may be sent to any one of the many
 	<acronym>CA</acronym>s for signing.</para>
 
       <para>In cases where a signature from a <acronym>CA</acronym> is
 	not required, a self signed certificate can be created.  First,
 	generate the <acronym>CA</acronym> key:</para>
 
       <screen>&prompt.root; <userinput>openssl gendsa -des3 -out \
 <filename>myca.key</filename> 1024</userinput></screen>
 
       <para>Use this key to create the certificate:</para>
 
       <screen>&prompt.root; <userinput>openssl req -new -x509 -days 365 -key \
 <filename>myca.key</filename> -out <filename>new.crt</filename></userinput></screen>
 
       <para>Two new files should appear in the directory: a certificate
 	authority signature file, <filename>myca.key</filename> and the
 	certificate itself, <filename>new.crt</filename>.  These should
 	be placed in a directory, preferably under
 	<filename class="directory">/etc</filename>, which is readable
 	only by <username>root</username>.  Permissions of 0700 should be fine for this and
 	they can be set with the <command>chmod</command>
 	utility.</para>
     </sect2>
 
     <sect2>
       <title>Using Certificates, an Example</title>
 
       <para>So what can these files do?  A good use would be to
 	encrypt connections to the <application>Sendmail</application>
 	<acronym>MTA</acronym>.  This would dissolve the use of clear
 	text authentication for users who send mail via the local
 	<acronym>MTA</acronym>.</para>
 
       <note>
 	<para>This is not the best use in the world as some
 	  <acronym>MUA</acronym>s will present the user with an
 	  error if they have not installed the certificate locally.
 	  Refer to the documentation included with the software for
 	  more information on certificate installation.</para>
       </note>
 
       <para>The following lines should be placed inside the
 	local <filename>.mc</filename> file:</para>
 
       <programlisting>dnl SSL Options
 define(`confCACERT_PATH',`/etc/certs')dnl
 define(`confCACERT',`/etc/certs/new.crt')dnl
 define(`confSERVER_CERT',`/etc/certs/new.crt')dnl
 define(`confSERVER_KEY',`/etc/certs/myca.key')dnl
 define(`confTLS_SRV_OPTIONS', `V')dnl</programlisting>
 
       <para>Where <filename class="directory">/etc/certs/</filename>
 	is the directory to be used for storing the certificate
 	and key files locally.  The last few requirements are a rebuild
 	of the local <filename>.cf</filename> file.  This is easily
 	achieved by typing <command>make</command>
 	<parameter>install</parameter> within the
 	<filename class="directory">/etc/mail</filename>
 	directory.  Follow that up with <command>make</command>
 	<parameter>restart</parameter> which should start the
 	<application>Sendmail</application> daemon.</para>
 
       <para>If all went well there will be no error messages in the
 	<filename>/var/log/maillog</filename> file and
 	<application>Sendmail</application> will show up in the process
 	list.</para>
 
       <para>For a simple test, simply connect to the mail server
 	using the &man.telnet.1; utility:</para>
 
       <screen>&prompt.root; <userinput>telnet <replaceable>example.com</replaceable> 25</userinput>
 Trying 192.0.34.166...
 Connected to <hostid role="fqdn">example.com</hostid>.
 Escape character is '^]'.
 220 <hostid role="fqdn">example.com</hostid> ESMTP Sendmail 8.12.10/8.12.10; Tue, 31 Aug 2004 03:41:22 -0400 (EDT)
 <userinput>ehlo <replaceable>example.com</replaceable></userinput>
 250-example.com Hello example.com [192.0.34.166], pleased to meet you
 250-ENHANCEDSTATUSCODES
 250-PIPELINING
 250-8BITMIME
 250-SIZE
 250-DSN
 250-ETRN
 250-AUTH LOGIN PLAIN
 250-STARTTLS
 250-DELIVERBY
 250 HELP
 <userinput>quit</userinput>
 221 2.0.0 <hostid role="fqdn">example.com</hostid> closing connection
 Connection closed by foreign host.</screen>
 
       <para>If the <quote>STARTTLS</quote> line appears in the output
 	then everything is working correctly.</para>
     </sect2>
   </sect1>
 
   <sect1 id="ipsec">
     <sect1info>
       <authorgroup>
         <author>
   	  <firstname>Nik</firstname>
 	  <surname>Clayton</surname>
 	  <affiliation>
 	    <address><email>nik@FreeBSD.org</email></address>
           </affiliation>
           <contrib>Written by </contrib>
         </author>
       </authorgroup>
     </sect1info>
 
     <title>VPN over IPsec</title>
     <para>Creating a VPN between two networks, separated by the
       Internet, using FreeBSD gateways.</para>
  
     <sect2>
       <sect2info>
         <authorgroup>
           <author>
             <firstname>Hiten M.</firstname>
             <surname>Pandya</surname>
 	    <affiliation>
 	      <address><email>hmp@FreeBSD.org</email></address>
 	    </affiliation>
 	    <contrib>Written by </contrib>
 	  </author>
 	</authorgroup>
       </sect2info>
 
       <title>Understanding IPsec</title>
 
       <para>This section will guide you through the process of setting
 	up IPsec, and to use it in an environment which consists of
 	FreeBSD and <application>&microsoft.windows; 2000/XP</application>
 	machines, to make them communicate securely.  In order to set up
 	IPsec, it is necessary that you are familiar with the concepts
 	of building a custom kernel (see
 	<xref linkend="kernelconfig">).</para>
     
       <para><emphasis>IPsec</emphasis> is a protocol which sits on top
 	of the Internet Protocol (IP) layer.  It allows two or more
 	hosts to communicate in a secure manner (hence the name).  The
 	FreeBSD IPsec <quote>network stack</quote> is based on the
 	<ulink url="http://www.kame.net/">KAME</ulink> implementation,
 	which has support for both protocol families, IPv4 and
 	IPv6.</para>
 
       <note>
         <para>FreeBSD 5.X contains a <quote>hardware
         accelerated</quote> IPsec stack, known as <quote>Fast
         IPsec</quote>, that was obtained from OpenBSD.  It employs
         cryptographic hardware (whenever possible) via the
         &man.crypto.4; subsystem to optimize the performance of IPsec.
         This subsystem is new, and does not support all the features
         that are available in the KAME version of IPsec.  However, in
         order to enable hardware-accelerated IPsec, the following
         kernel option has to be added to your kernel configuration
         file:</para>
 
         <screen>
 options	  FAST_IPSEC  # new IPsec (cannot define w/ IPSEC)
         </screen>
 
         <para> Note, that it is not currently possible to use the
 	  <quote>Fast IPsec</quote> subsystem in lue with the KAME
 	  implementation of IPsec.  Consult the &man.fast.ipsec.4;
 	  manual page for more information.</para>
 
       </note>
   
       <para>IPsec consists of two sub-protocols:</para>
 
       <itemizedlist>
         <listitem>
           <para><emphasis>Encapsulated Security Payload
 	      (ESP)</emphasis>, protects the IP packet data from third
 	    party interference, by encrypting the contents using
 	    symmetric cryptography algorithms (like Blowfish,
 	    3DES).</para>
         </listitem>
         <listitem>
           <para><emphasis>Authentication Header (AH)</emphasis>,
 	    protects the IP packet header from third party interference
 	    and spoofing, by computing a cryptographic checksum and
 	    hashing the IP packet header fields with a secure hashing
 	    function.  This is then followed by an additional header
 	    that contains the hash, to allow the information in the
 	    packet to be authenticated.</para>
         </listitem>
       </itemizedlist>
       
       <para><acronym>ESP</acronym> and <acronym>AH</acronym> can
 	either be used together or separately, depending on the
 	environment.</para>
       
       <para>IPsec can either be used to directly encrypt the traffic
 	between two hosts (known as <emphasis>Transport
 	  Mode</emphasis>); or to build <quote>virtual tunnels</quote>
 	between two subnets, which could be used for secure
 	communication between two corporate networks (known as
 	<emphasis>Tunnel Mode</emphasis>).  The latter is more commonly
 	known as a <emphasis>Virtual Private Network (VPN)</emphasis>.
 	The &man.ipsec.4; manual page should be consulted for detailed
 	information on the IPsec subsystem in FreeBSD.</para>
       
       <para>To add IPsec support to your kernel, add the following
 	options to your kernel configuration file:</para>
       
       <screen>
 options   IPSEC        #IP security
 options   IPSEC_ESP    #IP security (crypto; define w/ IPSEC)
       </screen>
 
       <para>If IPsec debugging support is desired, the following
 	kernel option should also be added:</para>
 
       <screen>
 options   IPSEC_DEBUG  #debug for IP security
       </screen>
     </sect2>
 
     <sect2>
       <title>The Problem</title>
  
       <para>There is no standard for what constitutes a VPN.  VPNs can
 	be implemented using a number of different technologies, each of
 	which have their own strengths and weaknesses.  This section
 	presents a scenario, and the strategies used for implementing a
 	VPN for this scenario.</para>
     </sect2>
     
     <sect2> 
       <title>The Scenario: Two networks, connected to the Internet, to
         behave as one</title>
       
       <para>The premise is as follows:</para>
       
       <itemizedlist>
         <listitem>
           <para>You have at least two sites</para>
         </listitem>
         <listitem>
           <para>Both sites are using IP internally</para>
         </listitem>
         <listitem>
           <para>Both sites are connected to the Internet, through a
             gateway that is running FreeBSD.</para>
         </listitem>
         <listitem>
           <para>The gateway on each network has at least one public IP
             address.</para>
         </listitem>
         <listitem>
           <para>The internal addresses of the two networks can be
             public or private IP addresses, it doesn't matter.  You can
             be running NAT on the gateway machine if necessary.</para>
         </listitem>
         <listitem>
           <para>The internal IP addresses of the two networks
             <emphasis>do not collide</emphasis>.  While I expect it is
             theoretically possible to use a combination of VPN
             technology and NAT to get this to work, I expect it to be a
             configuration nightmare.</para>
         </listitem>
       </itemizedlist>
       
       <para>If you find that you are trying to connect two networks,
         both of which, internally, use the same private IP address range
         (e.g. both of them use <hostid
         role="ipaddr">192.168.1.x</hostid>), then one of the networks will
         have to be renumbered.</para>
  
       <para>The network topology might look something like this:</para>
  
       <mediaobject>
 	<imageobject>
 	  <imagedata fileref="security/ipsec-network" align="center">
 	</imageobject>
 
 	<textobject>
 <literallayout class="monospaced">Network #1            [ Internal Hosts ]    Private Net, 192.168.1.2-254
                       [   Win9x/NT/2K  ]
                       [      UNIX      ]
                                |
                                |
                         .---[fxp1]---.      Private IP, 192.168.1.1
                         |   FreeBSD  |
                         `---[fxp0]---'      Public IP, A.B.C.D
                                |
                                |
                       -=-=- Internet -=-=-
                                |
                                |
                         .---[fxp0]---.      Public IP, W.X.Y.Z
                         |   FreeBSD  |
                         `---[fxp1]---'      Private IP, 192.168.2.1
                                |
                                |
 Network #2            [ Internal Hosts ]
                       [   Win9x/NT/2K  ]    Private Net, 192.168.2.2-254
                       [      UNIX      ]</literallayout>
 	</textobject>
       </mediaobject>
  
       <para>Notice the two public IP addresses.  I'll use the letters to
         refer to them in the rest of this article.  Anywhere you see those
         letters in this article, replace them with your own public IP
         addresses.  Note also that internally, the two gateway
         machines have .1 IP addresses, and that the two networks have
         different private IP addresses (<hostid
         role="ipaddr">192.168.1.x</hostid> and <hostid
         role="ipaddr">192.168.2.x</hostid> respectively).  All the
         machines on the private networks have been configured to use the
         <hostid role="ipaddr">.1</hostid> machine as their default
         gateway.</para>
  
       <para>The intention is that, from a network point of view, each
         network should view the machines on the other network as though
         they were directly attached the same router -- albeit a slightly
         slow router with an occasional tendency to drop packets.</para>
  
       <para>This means that (for example), machine <hostid
         role="ipaddr">192.168.1.20</hostid> should be able to run</para>
  
       <programlisting>ping 192.168.2.34</programlisting>
  
       <para>and have it work, transparently.  &windows; machines should
         be able to see the machines on the other network, browse file
         shares, and so on, in exactly the same way that they can browse
         machines on the local network.</para>
  
       <para>And the whole thing has to be secure.  This means that
         traffic between the two networks has to be encrypted.</para>
  
       <para>Creating a VPN between these two networks is a multi-step
         process.  The stages are as follows:</para>
  
       <orderedlist>
         <listitem>
           <para>Create a <quote>virtual</quote> network link between the two
             networks, across the Internet.  Test it, using tools like
             &man.ping.8;, to make sure it works.</para>
         </listitem>
  
         <listitem>
           <para>Apply security policies to ensure that traffic between
             the two networks is transparently encrypted and decrypted as
             necessary.  Test this, using tools like &man.tcpdump.1;, to
             ensure that traffic is encrypted.</para>
         </listitem>
 
         <listitem>
           <para>Configure additional software on the FreeBSD gateways,
             to allow &windows; machines to see one another across the
             VPN.</para>
         </listitem>
       </orderedlist>
 
     <sect3>
       <title>Step 1: Creating and testing a <quote>virtual</quote>
         network link</title>
  
       <para>Suppose that you were logged in to the gateway machine on
         network #1 (with public IP address <hostid
         role="ipaddr">A.B.C.D</hostid>, private IP address <hostid
         role="ipaddr">192.168.1.1</hostid>), and you ran <command>ping
         192.168.2.1</command>, which is the private address of the machine
         with IP address <hostid role="ipaddr">W.X.Y.Z</hostid>.  What
         needs to happen in order for this to work?</para>
 
       <orderedlist>
         <listitem>
           <para>The gateway machine needs to know how to reach <hostid
             role="ipaddr">192.168.2.1</hostid>.  In other words, it needs
             to have a route to <hostid
             role="ipaddr">192.168.2.1</hostid>.</para>
         </listitem>
         <listitem>
           <para>Private IP addresses, such as those in the <hostid
             role="ipaddr">192.168.x</hostid> range are not supposed to
             appear on the Internet at large.  Instead, each packet you
             send to <hostid role="ipaddr">192.168.2.1</hostid> will need
             to be wrapped up inside another packet.  This packet will need
             to appear to be from <hostid role="ipaddr">A.B.C.D</hostid>,
             and it will have to be sent to <hostid
             role="ipaddr">W.X.Y.Z</hostid>.  This process is called
             <firstterm>encapsulation</firstterm>.</para>
         </listitem>
         <listitem>
           <para>Once this packet arrives at <hostid
             role="ipaddr">W.X.Y.Z</hostid> it will need to
             <quote>unencapsulated</quote>, and delivered to <hostid
             role="ipaddr">192.168.2.1</hostid>.</para>
 	</listitem>
       </orderedlist>
  
       <para>You can think of this as requiring a <quote>tunnel</quote>
         between the two networks.  The two <quote>tunnel mouths</quote> are the IP
         addresses <hostid role="ipaddr">A.B.C.D</hostid> and <hostid
         role="ipaddr">W.X.Y.Z</hostid>, and the tunnel must be told the
         addresses of the private IP addresses that will be allowed to pass
         through it.  The tunnel is used to transfer traffic with private
         IP addresses across the public Internet.</para>
  
       <para>This tunnel is created by using the generic interface, or
         <devicename>gif</devicename> devices on FreeBSD.  As you can
         imagine, the <devicename>gif</devicename> interface on each
         gateway host must be configured with four IP addresses; two for
         the public IP addresses, and two for the private IP
         addresses.</para>
  
       <para>Support for the gif device must be compiled in to the
         &os; kernel on both machines.  You can do this by adding the
         line:</para>
  
       <programlisting>pseudo-device gif</programlisting>
  
       <para>to the kernel configuration files on both machines, and
         then compile, install, and reboot as normal.</para>
  
       <para>Configuring the tunnel is a two step process.  First the
         tunnel must be told what the outside (or public) IP addresses
         are, using &man.gifconfig.8;.  Then the private IP addresses must be
         configured using &man.ifconfig.8;.</para>
 
       <note>
 	<para>In &os;&nbsp;5.X, the functionality provided by the
 	  &man.gifconfig.8; utility has been merged into 
 	  &man.ifconfig.8;.</para></note>
  
       <para>On the gateway machine on network #1 you would run the
         following two commands to configure the tunnel.</para>
  
       <programlisting>gifconfig gif0 A.B.C.D W.X.Y.Z
 ifconfig gif0 inet 192.168.1.1 192.168.2.1 netmask 0xffffffff
       </programlisting>
  
       <para>On the other gateway machine you run the same commands,
         but with the order of the IP addresses reversed.</para>
  
       <programlisting>gifconfig gif0 W.X.Y.Z A.B.C.D
 ifconfig gif0 inet 192.168.2.1 192.168.1.1 netmask 0xffffffff
       </programlisting>
  
       <para>You can then run:</para>
  
       <programlisting>gifconfig gif0</programlisting>
  
       <para>to see the configuration.  For example, on the network #1
         gateway, you would see this:</para>
  
       <screen>&prompt.root; <userinput>gifconfig gif0</userinput>
 gif0: flags=8011&lt;UP,POINTTOPOINT,MULTICAST&gt; mtu 1280
 inet 192.168.1.1 --&gt; 192.168.2.1 netmask 0xffffffff
 physical address inet A.B.C.D --&gt; W.X.Y.Z
       </screen>
  
       <para>As you can see, a tunnel has been created between the
         physical addresses <hostid role="ipaddr">A.B.C.D</hostid> and
         <hostid role="ipaddr">W.X.Y.Z</hostid>, and the traffic allowed
         through the tunnel is that between <hostid
         role="ipaddr">192.168.1.1</hostid> and <hostid
         role="ipaddr">192.168.2.1</hostid>.</para>
  
       <para>This will also have added an entry to the routing table
         on both machines, which you can examine with the command <command>netstat -rn</command>.
         This output is from the gateway host on network #1.</para>
  
       <screen>&prompt.root; <userinput>netstat -rn</userinput>
 Routing tables
  
 Internet:
 Destination      Gateway       Flags    Refs    Use    Netif  Expire
 ...
 192.168.2.1      192.168.1.1   UH        0        0    gif0
 ...
       </screen>
  
       <para>As the <quote>Flags</quote> value indicates, this is a
         host route, which means that each gateway knows how to reach the
         other gateway, but they do not know how to reach the rest of
         their respective networks.  That problem will be fixed
         shortly.</para>
  
       <para>It is likely that you are running a firewall on both
         machines.  This will need to be circumvented for your VPN
         traffic.  You might want to allow all traffic between both
         networks, or you might want to include firewall rules that
         protect both ends of the VPN from one another.</para>
  
       <para>It greatly simplifies testing if you configure the
         firewall to allow all traffic through the VPN.  You can always
         tighten things up later.  If you are using &man.ipfw.8; on the
         gateway machines then a command like</para>
 
       <programlisting>ipfw add 1 allow ip from any to any via gif0</programlisting>
  
       <para>will allow all traffic between the two end points of the
         VPN, without affecting your other firewall rules.  Obviously
         you will need to run this command on both gateway hosts.</para>
  
       <para>This is sufficient to allow each gateway machine to ping
         the other.  On <hostid role="ipaddr">192.168.1.1</hostid>, you
         should be able to run</para>
  
       <programlisting>ping 192.168.2.1</programlisting>
  
       <para>and get a response, and you should be able to do the same
         thing on the other gateway machine.</para>
  
       <para>However, you will not be able to reach internal machines
         on either network yet.  This is because of the routing --
         although the gateway machines know how to reach one another,
         they do not know how to reach the network behind each one.</para>
  
       <para>To solve this problem you must add a static route on each
         gateway machine.  The command to do this on the first gateway
         would be:</para>
  
       <programlisting>route add 192.168.2.0 192.168.2.1 netmask 0xffffff00
       </programlisting>
  
       <para>This says <quote>In order to reach the hosts on the
         network <hostid role="ipaddr">192.168.2.0</hostid>, send the
         packets to the host <hostid
         role="ipaddr">192.168.2.1</hostid></quote>.  You will need to
         run a similar command on the other gateway, but with the
         <hostid role="ipaddr">192.168.1.x</hostid> addresses
         instead.</para>
  
       <para>IP traffic from hosts on one network will now be able to
         reach hosts on the other network.</para>
  
       <para>That has now created two thirds of a VPN between the two
         networks, in as much as it is <quote>virtual</quote> and it is a
         <quote>network</quote>.  It is not private yet.  You can test
         this using &man.ping.8; and &man.tcpdump.1;.  Log in to the
         gateway host and run</para>
  
       <programlisting>tcpdump dst host 192.168.2.1</programlisting>
 
       <para>In another log in session on the same host run</para>
 
       <programlisting>ping 192.168.2.1</programlisting>
  
       <para>You will see output that looks something like this:</para>
  
       <programlisting>
 16:10:24.018080 192.168.1.1 &gt; 192.168.2.1: icmp: echo request
 16:10:24.018109 192.168.1.1 &gt; 192.168.2.1: icmp: echo reply
 16:10:25.018814 192.168.1.1 &gt; 192.168.2.1: icmp: echo request
 16:10:25.018847 192.168.1.1 &gt; 192.168.2.1: icmp: echo reply
 16:10:26.028896 192.168.1.1 &gt; 192.168.2.1: icmp: echo request
 16:10:26.029112 192.168.1.1 &gt; 192.168.2.1: icmp: echo reply
       </programlisting>
  
       <para>As you can see, the ICMP messages are going back and forth
         unencrypted.  If you had used the <option>-s</option> parameter to
         &man.tcpdump.1; to grab more bytes of data from the packets you
         would see more information.</para>
  
       <para>Obviously this is unacceptable.  The next section will
         discuss securing the link between the two networks so that it
         all traffic is automatically encrypted.</para>
  
       <itemizedlist>
         <title>Summary:</title>
         <listitem>
           <para>Configure both kernels with <quote>pseudo-device
           gif</quote>.</para>
         </listitem>
         <listitem>
           <para>Edit <filename>/etc/rc.conf</filename> on gateway host
             #1 and add the following lines (replacing IP addresses as
             necessary).</para>
           <programlisting>gifconfig_gif0="A.B.C.D W.X.Y.Z"
 ifconfig_gif0="inet 192.168.1.1 192.168.2.1 netmask 0xffffffff"
 static_routes="vpn"
 route_vpn="192.168.2.0 192.168.2.1 netmask 0xffffff00"
           </programlisting>
         </listitem>
 
         <listitem>
           <para>Edit your firewall script
           (<filename>/etc/rc.firewall</filename>, or similar) on both
           hosts, and add</para>
 
           <programlisting>ipfw add 1 allow ip from any to any via gif0</programlisting>
         </listitem>
         <listitem>
           <para>Make similar changes to
             <filename>/etc/rc.conf</filename> on gateway host #2,
             reversing the order of IP addresses.</para>
         </listitem>
       </itemizedlist>
     </sect3>
 
     <sect3>
       <title>Step 2: Securing the link</title>
  
       <para>To secure the link we will be using IPsec.  IPsec provides
         a mechanism for two hosts to agree on an encryption key, and to
         then use this key in order to encrypt data between the two
         hosts.</para>
  
       <para>The are two areas of configuration to be considered here.</para>
  
       <orderedlist>
         <listitem>
           <para>There must be a mechanism for two hosts to agree on the
             encryption mechanism to use.  Once two hosts have agreed on
             this mechanism there is said to be a <quote>security association</quote>
             between them.</para>
         </listitem>
         <listitem>
           <para>There must be a mechanism for specifying which traffic
             should be encrypted.  Obviously, you don't want to encrypt
             all your outgoing traffic -- you only want to encrypt the
             traffic that is part of the VPN.  The rules that you put in
             place to determine what traffic will be encrypted are called
             <quote>security policies</quote>.</para>
          </listitem>
        </orderedlist>
  
        <para>Security associations and security policies are both
          maintained by the kernel, and can be modified by userland
          programs.  However, before you can do this you must configure the
          kernel to support IPsec and the Encapsulated Security Payload
          (ESP) protocol.  This is done by configuring a kernel with:</para>
  
        <programlisting>options IPSEC
 options IPSEC_ESP
        </programlisting>
  
        <para>and recompiling, reinstalling, and rebooting.  As before
          you will need to do this to the kernels on both of the gateway
          hosts.</para>
  
        <para>You have two choices when it comes to setting up security
          associations.  You can configure them by hand between two hosts,
          which entails choosing the encryption algorithm, encryption keys,
          and so forth, or you can use daemons that implement the Internet
          Key Exchange protocol (IKE) to do this for you.</para>
  
        <para>I recommend the latter.  Apart from anything else, it is
          easier to set up.</para>
  
        <para>Editing and displaying security policies is carried out
          using &man.setkey.8;.  By analogy, <command>setkey</command> is
          to the kernel's security policy tables as &man.route.8; is to
          the kernel's routing tables.  <command>setkey</command> can
          also display the current security associations, and to continue
          the analogy further, is akin to <command>netstat -r</command>
          in that respect.</para>
  
        <para>There are a number of choices for daemons to manage
          security associations with FreeBSD.  This article will describe
          how to use one of these, racoon.  racoon is in the FreeBSD ports
          collection, in the security/ category, and is installed in the
          usual way.</para>
  
        <para>racoon must be run on both gateway hosts.  On each host it
          is configured with the IP address of the other end of the VPN,
          and a secret key (which you choose, and must be the same on both
          gateways).</para>
  
        <para>The two daemons then contact one another, confirm that they
          are who they say they are (by using the secret key that you
          configured).  The daemons then generate a new secret key, and use
          this to encrypt the traffic over the VPN.  They periodically
          change this secret, so that even if an attacker were to crack one
          of the keys (which is as theoretically close to unfeasible as it
          gets) it won't do them much good -- by the time they've cracked
          the key the two daemons have chosen another one.</para>
  
        <para>racoon's configuration is stored in
          <filename>${PREFIX}/etc/racoon</filename>.  You should find a
          configuration file there, which should not need to be changed
          too much.  The other component of racoon's configuration,
          which you will need to change, is the <quote>pre-shared
          key</quote>.</para>
  
        <para>The default racoon configuration expects to find this in
          the file <filename>${PREFIX}/etc/racoon/psk.txt</filename>.  It is important to note
          that the pre-shared key is <emphasis>not</emphasis> the key that will be used to
          encrypt your traffic across the VPN link, it is simply a token
          that allows the key management daemons to trust one another.</para>
 
        <para><filename>psk.txt</filename> contains a line for each
          remote site you are dealing with.  In this example, where there
          are two sites, each <filename>psk.txt</filename> file will contain one line (because
          each end of the VPN is only dealing with one other end).</para>
  
        <para>On gateway host #1 this line should look like this:</para>
  
        <programlisting>W.X.Y.Z            secret</programlisting>
  
        <para>That is, the <emphasis>public</emphasis> IP address of the remote end,
          whitespace, and a text string that provides the secret.
          Obviously, you shouldn't use <quote>secret</quote> as your key -- the normal
          rules for choosing a password apply.</para>
  
        <para>On gateway host #2 the line would look like this</para>
  
        <programlisting>A.B.C.D            secret</programlisting>
  
        <para>That is, the public IP address of the remote end, and the
          same secret key.  <filename>psk.txt</filename> must be mode
          <literal>0600</literal> (i.e., only read/write to
          <username>root</username>) before racoon will run.</para>
  
        <para>You must run racoon on both gateway machines.  You will
          also need to add some firewall rules to allow the IKE traffic,
          which is carried over UDP to the ISAKMP (Internet Security Association
          Key Management Protocol) port.  Again, this should be fairly early in
          your firewall ruleset.</para>
  
        <programlisting>ipfw add 1 allow udp from A.B.C.D to W.X.Y.Z isakmp
 ipfw add 1 allow udp from W.X.Y.Z to A.B.C.D isakmp
        </programlisting>
  
        <para>Once racoon is running you can try pinging one gateway host
          from the other.  The connection is still not encrypted, but
          racoon will then set up the security associations between the two
          hosts -- this might take a moment, and you may see this as a
          short delay before the ping commands start responding.</para>
  
        <para>Once the security association has been set up you can
          view it using &man.setkey.8;.  Run</para>
  
        <programlisting>setkey -D</programlisting>
  
        <para>on either host to view the security association information.</para>
  
        <para>That's one half of the problem.  They other half is setting
          your security policies.</para>
  
        <para>To create a sensible security policy, let's review what's
          been set up so far.  This discussions hold for both ends of the
          link.</para>
  
        <para>Each IP packet that you send out has a header that contains
          data about the packet.  The header includes the IP addresses of
          both the source and destination.  As we already know, private IP
          addresses, such as the <hostid role="ipaddr">192.168.x.y</hostid>
          range are not supposed to appear on the public Internet.
          Instead, they must first be encapsulated inside another packet.
          This packet must have the public source and destination IP
          addresses substituted for the private addresses.</para>
  
        <para>So if your outgoing packet started looking like this:</para>
  
 	<mediaobject>
 	  <imageobject>
 	    <imagedata fileref="security/ipsec-out-pkt" align="center">
 	  </imageobject>
 
 	  <textobject>
 	    <literallayout class="monospaced">
   .----------------------.
   | Src: 192.168.1.1     |
   | Dst: 192.168.2.1     |
   | &lt;other header info&gt;  |
   +----------------------+
   | &lt;packet data&gt;        |
   `----------------------'</literallayout>
 	  </textobject>
 	</mediaobject>
  
        <para>Then it will be encapsulated inside another packet, looking
          something like this:</para>
  
 	<mediaobject>
 	  <imageobject>
 	    <imagedata fileref="security/ipsec-encap-pkt" align="center">
 	  </imageobject>
 
 	  <textobject>
 	    <literallayout class="monospaced">
   .--------------------------.
   | Src: A.B.C.D             |
   | Dst: W.X.Y.Z             |
   | &lt;other header info&gt;      |
   +--------------------------+
   | .----------------------. |
   | | Src: 192.168.1.1     | |
   | | Dst: 192.168.2.1     | |
   | | &lt;other header info&gt;  | |
   | +----------------------+ |
   | | &lt;packet data&gt;        | |
   | `----------------------' |
   `--------------------------'</literallayout>
 	  </textobject>
 	</mediaobject>
  
        <para>This encapsulation is carried out by the
          <devicename>gif</devicename> device.  As
          you can see, the packet now has real IP addresses on the outside,
          and our original packet has been wrapped up as data inside the
          packet that will be put out on the Internet.</para>
  
        <para>Obviously, we want all traffic between the VPNs to be
          encrypted.  You might try putting this in to words, as:</para>
 
        <para><quote>If a packet leaves from <hostid
          role="ipaddr">A.B.C.D</hostid>, and it is destined for <hostid
          role="ipaddr">W.X.Y.Z</hostid>, then encrypt it, using the
          necessary security associations.</quote></para>
  
        <para><quote>If a packet arrives from <hostid
          role="ipaddr">W.X.Y.Z</hostid>, and it is destined for <hostid
          role="ipaddr">A.B.C.D</hostid>, then decrypt it, using the
          necessary security associations.</quote></para>
  
        <para>That's close, but not quite right.  If you did this, all
          traffic to and from <hostid role="ipaddr">W.X.Y.Z</hostid>, even
          traffic that was not part of the VPN, would be encrypted.  That's
          not quite what you want.  The correct policy is as follows</para>
  
        <para><quote>If a packet leaves from <hostid
          role="ipaddr">A.B.C.D</hostid>, and that packet is encapsulating
          another packet, and it is destined for <hostid
          role="ipaddr">W.X.Y.Z</hostid>, then encrypt it, using the
          necessary security associations.</quote></para>
  
        <para><quote>If a packet arrives from <hostid
          role="ipaddr">W.X.Y.Z</hostid>, and that packet is encapsulating
          another packet, and it is destined for <hostid
          role="ipaddr">A.B.C.D</hostid>, then decrypt it, using the
          necessary security associations.</quote></para>
  
        <para>A subtle change, but a necessary one.</para>
  
        <para>Security policies are also set using &man.setkey.8;.
          &man.setkey.8; features a configuration language for defining the
          policy.  You can either enter configuration instructions via
          stdin, or you can use the <option>-f</option> option to specify a
          filename that contains configuration instructions.</para>
  
        <para>The configuration on gateway host #1 (which has the public
          IP address <hostid role="ipaddr">A.B.C.D</hostid>) to force all
          outbound traffic to <hostid role="ipaddr">W.X.Y.Z</hostid> to be
          encrypted is:</para>
  
        <programlisting>
 spdadd A.B.C.D/32 W.X.Y.Z/32 ipencap -P out ipsec esp/tunnel/A.B.C.D-W.X.Y.Z/require;
        </programlisting>
  
        <para>Put these commands in a file (e.g.
        <filename>/etc/ipsec.conf</filename>) and then run</para>
 
        <screen>&prompt.root; <userinput>setkey -f /etc/ipsec.conf</userinput></screen>
  
        <para><option>spdadd</option> tells &man.setkey.8; that we want
          to add a rule to the secure policy database.  The rest of this
          line specifies which packets will match this policy.  <hostid
          role="ipaddr">A.B.C.D/32</hostid> and <hostid
          role="ipaddr">W.X.Y.Z/32</hostid> are the IP addresses and
          netmasks that identify the network or hosts that this policy will
          apply to.  In this case, we want it to apply to traffic between
          these two hosts.  <option>ipencap</option> tells the kernel that
          this policy should only apply to packets that encapsulate other
          packets.  <option>-P out</option> says that this policy applies
          to outgoing packets, and <option>ipsec</option> says that the
          packet will be secured.</para>
  
        <para>The second line specifies how this packet will be
          encrypted.  <option>esp</option> is the protocol that will be
          used, while <option>tunnel</option> indicates that the packet
          will be further encapsulated in an IPsec packet.  The repeated
          use of <hostid role="ipaddr">A.B.C.D</hostid> and <hostid
          role="ipaddr">W.X.Y.Z</hostid> is used to select the security
          association to use, and the final <option>require</option>
          mandates that packets must be encrypted if they match this
          rule.</para>
  
        <para>This rule only matches outgoing packets.  You will need a
          similar rule to match incoming packets.</para>
  
        <programlisting>spdadd W.X.Y.Z/32 A.B.C.D/32 ipencap -P in ipsec esp/tunnel/W.X.Y.Z-A.B.C.D/require;</programlisting>
  
        <para>Note the <option>in</option> instead of
          <option>out</option> in this case, and the necessary reversal of
          the IP addresses.</para>
  
        <para>The other gateway host (which has the public IP address
          <hostid role="ipaddr">W.X.Y.Z</hostid>) will need similar rules.</para>
  
        <programlisting>spdadd W.X.Y.Z/32 A.B.C.D/32 ipencap -P out ipsec esp/tunnel/W.X.Y.Z-A.B.C.D/require;
 spdadd A.B.C.D/32 W.X.Y.Z/32 ipencap -P in ipsec esp/tunnel/A.B.C.D-W.X.Y.Z/require;</programlisting>
  
        <para>Finally, you need to add firewall rules to allow ESP and
         IPENCAP packets back and forth.  These rules will need to be
         added to both hosts.</para>
  
        <programlisting>ipfw add 1 allow esp from A.B.C.D to W.X.Y.Z
 ipfw add 1 allow esp from W.X.Y.Z to A.B.C.D
 ipfw add 1 allow ipencap from A.B.C.D to W.X.Y.Z
 ipfw add 1 allow ipencap from W.X.Y.Z to A.B.C.D
        </programlisting>
  
        <para>Because the rules are symmetric you can use the same rules
          on each gateway host.</para>
  
        <para>Outgoing packets will now look something like this:</para>
  
 	<mediaobject>
 	  <imageobject>
 	    <imagedata fileref="security/ipsec-crypt-pkt" align="center">
 	  </imageobject>
 
 	  <textobject>
 	    <literallayout class="monospaced">
   .------------------------------.  --------------------------.
   | Src: A.B.C.D                 |                            |
   | Dst: W.X.Y.Z                 |                            |
   | &lt;other header info&gt;          |                            |  Encrypted
   +------------------------------+                            |  packet.
   | .--------------------------. |  -------------.            |  contents
   | | Src: A.B.C.D             | |               |            |  are
   | | Dst: W.X.Y.Z             | |               |            |  completely
   | | &lt;other header info&gt;      | |               |            |- secure
   | +--------------------------+ |               |  Encap'd   |  from third
   | | .----------------------. | |  -.           |  packet    |  party
   | | | Src: 192.168.1.1     | | |   |  Original |- with real |  snooping
   | | | Dst: 192.168.2.1     | | |   |  packet,  |  IP addr   |
   | | | &lt;other header info&gt;  | | |   |- private  |            |
   | | +----------------------+ | |   |  IP addr  |            |
   | | | &lt;packet data&gt;        | | |   |           |            |
   | | `----------------------' | |  -'           |            |
   | `--------------------------' |  -------------'            |
   `------------------------------'  --------------------------'
 	    </literallayout>
 	  </textobject>
 	</mediaobject>
 
        <para>When they are received by the far end of the VPN they will
          first be decrypted (using the security associations that have
          been negotiated by racoon).  Then they will enter the
          <devicename>gif</devicename> interface, which will unwrap
          the second layer, until you are left with the innermost
          packet, which can then travel in to the inner network.</para>
  
        <para>You can check the security using the same &man.ping.8; test from
          earlier.  First, log in to the
          <hostid role="ipaddr">A.B.C.D</hostid> gateway machine, and
          run:</para>
  
        <programlisting>tcpdump dst host 192.168.2.1</programlisting>
  
        <para>In another log in session on the same host run</para>
  
        <programlisting>ping 192.168.2.1</programlisting>
  
        <para>This time you should see output like the following:</para>
  
        <programlisting>XXX tcpdump output</programlisting>
  
        <para>Now, as you can see, &man.tcpdump.1; shows the ESP packets.  If
          you try to examine them with the <option>-s</option> option you will see
          (apparently) gibberish, because of the encryption.</para>
  
       <para>Congratulations.  You have just set up a VPN between two
         remote sites.</para>
  
       <itemizedlist>
         <title>Summary</title>
         <listitem>
           <para>Configure both kernels with:</para>
  
           <programlisting>options IPSEC
 options IPSEC_ESP
           </programlisting>
         </listitem>
         <listitem>
           <para>Install <filename
             role="package">security/racoon</filename>.  Edit
             <filename>${PREFIX}/etc/racoon/psk.txt</filename> on both
             gateway hosts, adding an entry for the remote host's IP
             address and a secret key that they both know.  Make sure
             this file is mode 0600.</para>
         </listitem>
         <listitem>
           <para>Add the following lines to
             <filename>/etc/rc.conf</filename> on each host:</para>
  
           <programlisting>ipsec_enable="YES"
 ipsec_file="/etc/ipsec.conf"
           </programlisting>
         </listitem>
         <listitem>
           <para>Create an <filename>/etc/ipsec.conf</filename> on each
             host that contains the necessary spdadd lines.  On gateway
             host #1 this would be:</para>
  
           <programlisting>
 spdadd A.B.C.D/32 W.X.Y.Z/32 ipencap -P out ipsec
   esp/tunnel/A.B.C.D-W.X.Y.Z/require;
 spdadd W.X.Y.Z/32 A.B.C.D/32 ipencap -P in ipsec
   esp/tunnel/W.X.Y.Z-A.B.C.D/require;
 </programlisting>
  
           <para>On gateway host #2 this would be:</para>
  
 <programlisting>
 spdadd W.X.Y.Z/32 A.B.C.D/32 ipencap -P out ipsec
   esp/tunnel/W.X.Y.Z-A.B.C.D/require;
 spdadd A.B.C.D/32 W.X.Y.Z/32 ipencap -P in ipsec
   esp/tunnel/A.B.C.D-W.X.Y.Z/require;
 </programlisting>
         </listitem>
         <listitem>
           <para>Add firewall rules to allow IKE, ESP, and IPENCAP
             traffic to both hosts:</para>
  
           <programlisting>
 ipfw add 1 allow udp from A.B.C.D to W.X.Y.Z isakmp
 ipfw add 1 allow udp from W.X.Y.Z to A.B.C.D isakmp
 ipfw add 1 allow esp from A.B.C.D to W.X.Y.Z
 ipfw add 1 allow esp from W.X.Y.Z to A.B.C.D
 ipfw add 1 allow ipencap from A.B.C.D to W.X.Y.Z
 ipfw add 1 allow ipencap from W.X.Y.Z to A.B.C.D
           </programlisting>
         </listitem>
       </itemizedlist>
 
       <para>The previous two steps should suffice to get the VPN up and
         running.  Machines on each network will be able to refer to one
         another using IP addresses, and all traffic across the link will
         be automatically and securely encrypted.</para>
     </sect3> 
     </sect2> 
   </sect1>
 
   <sect1 id="openssh">
     <sect1info>
       <authorgroup>
 	<author>
 	  <firstname>Chern</firstname>
 	  <surname>Lee</surname>
 	  <contrib>Contributed by </contrib>
 	</author>
 	<!-- 21 April 2001 -->
       </authorgroup>
     </sect1info>
 
     <title>OpenSSH</title>
     <indexterm><primary>OpenSSH</primary></indexterm>
     <indexterm>
       <primary>security</primary>
       <secondary>OpenSSH</secondary>
     </indexterm>
 
     <para><application>OpenSSH</application> is a set of network connectivity tools used to
       access remote machines securely.  It can be used as a direct
       replacement for <command>rlogin</command>,
       <command>rsh</command>, <command>rcp</command>, and
       <command>telnet</command>.  Additionally, any other TCP/IP
       connections can be tunneled/forwarded securely through SSH.
       <application>OpenSSH</application> encrypts all traffic to effectively eliminate eavesdropping,
       connection hijacking, and other network-level attacks.</para>
 
     <para><application>OpenSSH</application> is maintained by the OpenBSD project, and is based
       upon SSH v1.2.12 with all the recent bug fixes and updates.  It
       is compatible with both SSH protocols 1 and 2.  <application>OpenSSH</application> has been
       in the base system since FreeBSD&nbsp;4.0.</para>
 
     <sect2>
       <title>Advantages of Using OpenSSH</title>
   
       <para>Normally, when using &man.telnet.1; or &man.rlogin.1;,
         data is sent over the network in an clear, un-encrypted form.
         Network sniffers anywhere in between the client and server can
         steal your user/password information or data transferred in
         your session.  <application>OpenSSH</application> offers a variety of authentication and
         encryption methods to prevent this from happening.</para>
     </sect2>
 
     <sect2>
       <title>Enabling sshd</title>
       <indexterm>
         <primary>OpenSSH</primary>
         <secondary>enabling</secondary>
       </indexterm>
 
       <para>Be sure to make the following addition to your 
         <filename>rc.conf</filename> file:</para>
       <screen>sshd_enable="YES"</screen>
       <para>This will load &man.sshd.8;, the daemon program for <application>OpenSSH</application>,
 	the next time your system initializes.  Alternatively, you can
 	simply run directly the <application>sshd</application> daemon by typing <command>sshd</command> on the command line.</para>
     </sect2>
 
     <sect2>
       <title>SSH Client</title>
       <indexterm>
         <primary>OpenSSH</primary>
         <secondary>client</secondary>
       </indexterm>
 
       <para>The &man.ssh.1; utility works similarly to 
         &man.rlogin.1;.</para>
 
       <screen>&prompt.root; <userinput>ssh <replaceable>user@example.com</replaceable></userinput>
 Host key not found from the list of known hosts.
 Are you sure you want to continue connecting (yes/no)? <userinput>yes</userinput>
 Host 'example.com' added to the list of known hosts.
 user@example.com's password: <userinput>*******</userinput></screen>
 
       <para>The login will continue just as it would have if a session was
         created using <command>rlogin</command> or
         <command>telnet</command>.  SSH utilizes a key fingerprint
         system for verifying the authenticity of the server when the 
         client connects.  The user is prompted to enter
 	<literal>yes</literal> only when
         connecting for the first time.  Future attempts to login are all
         verified against the saved fingerprint key.  The SSH client
         will alert you if the saved fingerprint differs from the
         received fingerprint on future login attempts.  The fingerprints
         are saved in <filename>~/.ssh/known_hosts</filename>, or
 	<filename>~/.ssh/known_hosts2</filename> for SSH v2
 	fingerprints.</para>
 
       <para>By default, <application>OpenSSH</application> servers are configured to accept both
 	SSH v1 and SSH v2 connections.  The client, however, can choose
 	between the two.  Version 2 is known to be more robust and
 	secure than its predecessor.</para>
 
       <para>The &man.ssh.1; command can be forced to use either protocol
 	by passing it the <option>-1</option> or <option>-2</option> argument
 	for v1 and v2, respectively.</para>
     </sect2>
     
     <sect2>
       <title>Secure Copy</title>
       <indexterm>
         <primary>OpenSSH</primary>
         <secondary>secure copy</secondary>
       </indexterm>
       <indexterm><primary><command>scp</command></primary></indexterm>
 
       <para>The &man.scp.1; command works similarly to
 	&man.rcp.1;; it copies a file to or from a remote machine,
 	except in a secure fashion.</para>
 
       <screen>&prompt.root; <userinput> scp <replaceable>user@example.com:/COPYRIGHT COPYRIGHT</replaceable></userinput>
 user@example.com's password: <userinput>*******</userinput>
 COPYRIGHT            100% |*****************************|  4735       
 00:00    
 &prompt.root;</screen>
       <para>Since the fingerprint was already saved for this host in the
         previous example, it is verified when using &man.scp.1;
         here.</para>
 
       <para>The arguments passed to &man.scp.1; are similar
 	to &man.cp.1;, with the file or files in the first
 	argument, and the destination in the second.  Since the file is
 	fetched over the network, through SSH, one or more of the file
 	arguments takes on the form
 	<option>user@host:&lt;path_to_remote_file&gt;</option>.</para>
 
     </sect2>
 
     <sect2>
       <title>Configuration</title>
       <indexterm>
         <primary>OpenSSH</primary>
         <secondary>configuration</secondary>
       </indexterm>
 
       <para>The system-wide configuration files for both the
         <application>OpenSSH</application> daemon and client reside
         within the <filename>/etc/ssh</filename> directory.</para>
 
       <para><filename>ssh_config</filename> configures the client 
         settings, while <filename>sshd_config</filename> configures the 
         daemon.</para>
 
       <para>Additionally, the <option>sshd_program</option>
 	(<filename>/usr/sbin/sshd</filename> by default), and
 	<option>sshd_flags</option> <filename>rc.conf</filename>
 	options can provide more levels of configuration.</para>
     </sect2>
 
     <sect2>
       <title>ssh-keygen</title>
 
       <para>Instead of using passwords, &man.ssh-keygen.1; can
         be used to generate RSA keys to authenticate a user:</para>
 
       <screen>&prompt.user; <userinput>ssh-keygen -t <replaceable>rsa1</replaceable></userinput>
 Initializing random number generator...
 Generating p:  .++ (distance 66)
 Generating q:  ..............................++ (distance 498)
 Computing the keys...
 Key generation complete.
 Enter file in which to save the key (/home/user/.ssh/identity):
 Enter passphrase:
 Enter the same passphrase again:
 Your identification has been saved in /home/user/.ssh/identity.
 ...</screen>
 
       <para>&man.ssh-keygen.1; will create a public and private
         key pair for use in authentication.  The private key is stored in
         <filename>~/.ssh/identity</filename>, whereas the public key is
         stored in <filename>~/.ssh/identity.pub</filename>.  The public
         key must be placed in <filename>~/.ssh/authorized_keys</filename>
         of the remote machine in order for the setup to work.</para>
 
       <para>This will allow connection to the remote machine based upon
         RSA authentication instead of passwords.</para>
 
       <note><para>The <option>-t rsa1</option> option will create RSA
 	keys for use by SSH protocol version 1.  If you want to use
 	RSA keys with the SSH protocol version 2, you have to use the
 	command <command>ssh-keygen -t rsa</command>.</para></note>
 
       <para>If a passphrase is used in &man.ssh-keygen.1;, the user
         will be prompted for a password each time in order to use the private
         key.</para>
 
       <para>A SSH protocol version 2 DSA key can be created for the same purpose by using
 	the <command>ssh-keygen -t dsa</command> command.
 	This will
 	create a public/private DSA key for use in SSH protocol version 2 sessions only.
 	The public key is stored in <filename>~/.ssh/id_dsa.pub</filename>,
 	while the private key is in <filename>~/.ssh/id_dsa</filename>.</para>
 
       <para>DSA public keys are also placed in
 	<filename>~/.ssh/authorized_keys</filename> on the remote
 	machine.</para>
 
       <para>&man.ssh-agent.1; and &man.ssh-add.1; are 
         utilities used in managing multiple passworded private keys.</para>
 
       <warning><para>The various options and files can be different
 	according to the <application>OpenSSH</application> version you have on your system, to
 	avoid problems you should consult the &man.ssh-keygen.1;
 	manual page.</para></warning>
     </sect2>
 
     <sect2 id="security-ssh-tunneling">
       <title>SSH Tunneling</title>
       <indexterm>
         <primary>OpenSSH</primary>
         <secondary>tunneling</secondary>
       </indexterm>
 
       <para><application>OpenSSH</application> has the ability to create a tunnel to encapsulate
         another protocol in an encrypted session.</para>
 
       <para>The following command tells &man.ssh.1; to create a tunnel 
          for <application>telnet</application>:</para>
 
        <screen>&prompt.user; <userinput>ssh -2 -N -f -L <replaceable>5023:localhost:23 user@foo.example.com</replaceable></userinput>
 &prompt.user;</screen>
 
       <para>The <command>ssh</command> command is used with the
 	following options:</para>
 
       <variablelist>
 	<varlistentry>
 	  <term><option>-2</option></term>
 	  
 	  <listitem>
 	    <para>Forces <command>ssh</command> to use version 2 of
 	      the protocol. (Do not use if you are working with older
 	      SSH servers)</para>
 	  </listitem>
 	</varlistentry>
 
 	<varlistentry>
 	  <term><option>-N</option></term>
 
 	  <listitem>
 	    <para>Indicates no command, or tunnel only.  If omitted,
 	      <command>ssh</command> would initiate a normal
 	      session.</para>
 	  </listitem>
 	</varlistentry>
 
 	<varlistentry>
 	  <term><option>-f</option></term>
 
 	  <listitem>
 	    <para>Forces <command>ssh</command> to run in the
 	      background.</para>
 	  </listitem>
 	</varlistentry>
 
 	<varlistentry>
 	  <term><option>-L</option></term>
 
 	  <listitem>
 	    <para>Indicates a local tunnel in
 	      <replaceable>localport:remotehost:remoteport</replaceable>
 	      fashion.</para>
 	  </listitem>
 	  </varlistentry>
 
 	<varlistentry>
 	  <term><option>user@foo.example.com</option></term>
 
 	  <listitem>
 	    <para>The remote SSH server.</para>
 	  </listitem>
 	</varlistentry>
       </variablelist>
 
 
       <para>An SSH tunnel works by creating a listen socket on
 	<hostid>localhost</hostid> on the specified port.
 	It then forwards any connection received
 	on the local host/port via the SSH connection to the specified
 	remote host and port.</para>
 
       <para>In the example, port <replaceable>5023</replaceable> on
 	<hostid>localhost</hostid> is being forwarded to port
 	<replaceable>23</replaceable> on <hostid>localhost</hostid>
 	of the remote machine.  Since <replaceable>23</replaceable> is <application>telnet</application>,
 	this would create a secure <application>telnet</application> session through an SSH tunnel.</para>
 
       <para>This can be used to wrap any number of insecure TCP
         protocols such as SMTP, POP3, FTP, etc.</para>
 
       <example>
 	<title>Using SSH to Create a Secure Tunnel for SMTP</title>
 
         <screen>&prompt.user; <userinput>ssh -2 -N -f -L <replaceable>5025:localhost:25 user@mailserver.example.com</replaceable></userinput>
 user@mailserver.example.com's password: <userinput>*****</userinput>
 &prompt.user; <userinput>telnet localhost 5025</userinput>
 Trying 127.0.0.1...
 Connected to localhost.
 Escape character is '^]'.
 220 mailserver.example.com ESMTP</screen>     
 
         <para>This can be used in conjunction with an
           &man.ssh-keygen.1; and additional user accounts to create a
           more seamless/hassle-free SSH tunneling environment.  Keys
           can be used in place of typing a password, and the tunnels
           can be run as a separate user.</para>
       </example>
 
       <sect3>
 	<title>Practical SSH Tunneling Examples</title>
 
 	<sect4>
 	  <title>Secure Access of a POP3 Server</title>
 
 	  <para>At work, there is an SSH server that accepts
 	    connections from the outside.  On the same office network
 	    resides a mail server running a POP3 server.  The network,
 	    or network path between your home and office may or may not
 	    be completely trustable.  Because of this, you need to check
 	    your e-mail in a secure manner.  The solution is to create
 	    an SSH connection to your office's SSH server, and tunnel
 	    through to the mail server.</para>
 
 	  <screen>&prompt.user; <userinput>ssh -2 -N -f -L <replaceable>2110:mail.example.com:110 user@ssh-server.example.com</replaceable></userinput>
 user@ssh-server.example.com's password: <userinput>******</userinput></screen>
 
 	  <para>When the tunnel is up and running, you can point your
 	    mail client to send POP3 requests to <hostid>localhost</hostid>
 	    port 2110.  A connection here will be forwarded securely across
 	    the tunnel to <hostid>mail.example.com</hostid>.</para>
 	</sect4>
 
 	<sect4>
 	  <title>Bypassing a Draconian Firewall</title>
 
 	  <para>Some network administrators impose extremely draconian
 	    firewall rules, filtering not only incoming connections,
 	    but outgoing connections.  You may be only given access
 	    to contact remote machines on ports 22 and 80 for SSH
 	    and web surfing.</para>
 
 	  <para>You may wish to access another (perhaps non-work
 	    related) service, such as an Ogg Vorbis server to stream
 	    music.  If this Ogg Vorbis server is streaming on some other
 	    port than 22 or 80, you will not be able to access it.</para>
 
 	  <para>The solution is to create an SSH connection to a machine
 	    outside of your network's firewall, and use it to tunnel to
 	    the Ogg Vorbis server.</para>
 
 	  <screen>&prompt.user; <userinput>ssh -2 -N -f -L <replaceable>8888:music.example.com:8000 user@unfirewalled-system.example.org</replaceable></userinput>
 user@unfirewalled-system.example.org's password: <userinput>*******</userinput></screen>
 
 	  <para>Your streaming client can now be pointed to
 	    <hostid>localhost</hostid> port 8888, which will be
 	    forwarded over to <hostid>music.example.com</hostid> port
 	    8000, successfully evading the firewall.</para>
         </sect4>
       </sect3>
     </sect2>
 
     <sect2>
       <title>Further Reading</title>
       <para><ulink url="http://www.openssh.com/">OpenSSH</ulink></para>
       <para>&man.ssh.1; &man.scp.1; &man.ssh-keygen.1; 
         &man.ssh-agent.1; &man.ssh-add.1;</para>
       <para>&man.sshd.8; &man.sftp-server.8;</para>
     </sect2>
   </sect1>
 
   <sect1 id="fs-acl">
     <sect1info>
       <authorgroup>
 	<author>
 	  <firstname>Tom</firstname>
 	  <surname>Rhodes</surname>
 	  <contrib>Contributed by </contrib>
 	</author>
       </authorgroup>
     </sect1info>
     <indexterm>
       <primary>ACL</primary>
     </indexterm>
     <title>File System Access Control Lists</title>
 
     <para>In conjunction with file system enhancements like snapshots, FreeBSD 5.0
       and later offers the security of File System Access Control Lists
       (<acronym>ACLs</acronym>).</para>
 
     <para>Access Control Lists extend the standard &unix;
       permission model in a highly compatible (&posix;.1e) way.  This feature
       permits an administrator to make use of and take advantage of a
       more sophisticated security model.</para>
 
     <para>To enable <acronym>ACL</acronym> support for <acronym>UFS</acronym>
       file systems, the following:</para>
 
     <programlisting>options UFS_ACL</programlisting>
 
     <para>must be compiled into the kernel.  If this option has
       not been compiled in, a warning message will be displayed
       when attempting to mount a file system supporting <acronym>ACLs</acronym>.
       This option is included in the <filename>GENERIC</filename> kernel.
       <acronym>ACLs</acronym> rely on extended attributes being enabled on
       the file system.  Extended attributes are natively supported in the next generation
       &unix; file system, <acronym>UFS2</acronym>.</para>
 
     <note><para>A higher level of administrative overhead is required to
       configure extended attributes on <acronym>UFS1</acronym> than on
       <acronym>UFS2</acronym>.  The performance of extended attributes
       on <acronym>UFS2</acronym> is also substantially higher.  As a
       result, <acronym>UFS2</acronym> is generally recommended in preference
       to <acronym>UFS1</acronym> for use with access control lists.</para></note>
 
     <para><acronym>ACLs</acronym> are enabled by the mount-time administrative
       flag, <option>acls</option>, which may be added to <filename>/etc/fstab</filename>.
       The mount-time flag can also be automatically set in a persistent manner using
       &man.tunefs.8; to modify a superblock <acronym>ACLs</acronym> flag in the
       file system header.  In general, it is preferred to use the superblock flag
       for several reasons:</para>
 
     <itemizedlist>
       <listitem>
 	<para>The mount-time <acronym>ACLs</acronym> flag cannot be changed by a
 	remount (&man.mount.8; <option>-u</option>), only by means of a complete
 	&man.umount.8; and fresh &man.mount.8;.  This means that
 	<acronym>ACLs</acronym> cannot be enabled on the root file system after boot.
 	It also means that you cannot change the disposition of a file system once
 	it is in use.</para>
       </listitem>
 
       <listitem>
 	<para>Setting the superblock flag will cause the file system to always be
 	mounted with <acronym>ACLs</acronym> enabled even if there is not an
 	<filename>fstab</filename> entry or if the devices re-order.  This prevents
 	accidental mounting of the file system without <acronym>ACLs</acronym>
 	enabled, which can result in <acronym>ACLs</acronym> being improperly enforced,
 	and hence security problems.</para>
       </listitem>
     </itemizedlist>
 
     <note><para>We may change the <acronym>ACLs</acronym> behavior to allow the flag to
       be enabled without a complete fresh &man.mount.8;, but we consider it desirable to
       discourage accidental mounting without <acronym>ACLs</acronym> enabled, because you
       can shoot your feet quite nastily if you enable <acronym>ACLs</acronym>, then disable
       them, then re-enable them without flushing the extended attributes.  In general, once
       you have enabled <acronym>ACLs</acronym> on a file system, they should not be disabled,
       as the resulting file protections may not be compatible with those intended by the
       users of the system, and re-enabling <acronym>ACLs</acronym> may re-attach the previous
       <acronym>ACLs</acronym> to files that have since had their permissions changed,
       resulting in other unpredictable behavior.</para></note>
       
     <para>File systems with <acronym>ACLs</acronym> enabled will show a <literal>+</literal>
       (plus) sign in their permission settings when viewed.  For example:</para>
 
     <programlisting>drwx------  2 robert  robert  512 Dec 27 11:54 private
 drwxrwx---+ 2 robert  robert  512 Dec 23 10:57 directory1
 drwxrwx---+ 2 robert  robert  512 Dec 22 10:20 directory2
 drwxrwx---+ 2 robert  robert  512 Dec 27 11:57 directory3
 drwxr-xr-x  2 robert  robert  512 Nov 10 11:54 public_html</programlisting>
 
     <para>Here we see that the <filename>directory1</filename>,
       <filename>directory2</filename>, and <filename>directory3</filename>
       directories are all taking advantage of <acronym>ACLs</acronym>.  The
       <filename>public_html</filename> directory is not.</para>
 
     <sect2>
       <title>Making Use of <acronym>ACL</acronym>s</title>
 
       <para>The file system <acronym>ACL</acronym>s can be viewed by the
 	&man.getfacl.1; utility.  For instance, to view the
 	<acronym>ACL</acronym> settings on the <filename>test</filename>
 	file, one would use the command:</para>
 
       <screen>&prompt.user; <userinput>getfacl <filename>test</filename></userinput>
 	#file:test
 	#owner:1001
 	#group:1001
 	user::rw-
 	group::r--
 	other::r--</screen>
 
       <para>To change the <acronym>ACL</acronym> settings on this file,
 	invoke the &man.setfacl.1; utility.  Observe:</para>
 
       <screen>&prompt.user; <userinput>setfacl -k <filename>test</filename></userinput></screen>
 
       <para>The <option>-k</option> flag will remove all of the
 	currently defined <acronym>ACL</acronym>s from a file or file
 	system.  The more preferable method would be to use
 	<option>-b</option> as it leaves the basic fields required for
 	<acronym>ACL</acronym>s to work.</para>
 
       <screen>&prompt.user; <userinput>setfacl -m u:trhodes:rwx,group:web:r--,o::--- <filename>test</filename></userinput></screen>
 
       <para>In the aforementioned command, the <option>-m</option>
 	option was used to modify the default <acronym>ACL</acronym>
 	entries.  Since there were no pre-defined entries, as they were
 	removed by the previous command, this will restore the default
 	options and assign the options listed.  Take care to notice that
 	if you add a user or group which does not exist on the system,
 	an <errorname>Invalid argument</errorname> error will be printed
 	to <devicename>stdout</devicename>.</para>
     </sect2>
   </sect1>
 
   <sect1 id="security-advisories">
     <sect1info>
       <authorgroup>
 	<author>
 	  <firstname>Tom</firstname>
 	  <surname>Rhodes</surname>
 	  <contrib>Contributed by </contrib>
 	</author>
       </authorgroup>
     </sect1info>
     <indexterm>
       <primary>FreeBSD Security Advisories</primary>
     </indexterm>
     <title>&os; Security Advisories</title>
 
     <para>Like many production quality operating systems, &os; publishes
       <quote>Security Advisories</quote>.  These advisories are usually
       mailed to the security lists and noted in the Errata only
       after the appropriate releases have been patched.  This section
       will work to explain what an advisory is, how to understand it,
       and what measures to take in order to patch a system.</para>
 
     <sect2>
       <title>What does an advisory look like?</title>
 
       <para>The &os; security advisories look similar to the one below,
 	taken from the &a.security-notifications.name; mailing list.</para>
 
       <programlisting>=============================================================================
 &os;-SA-XX:XX.UTIL                                     Security Advisory
                                                           The &os; Project
 
 Topic:          denial of service due to some problem<co id="co-topic">
 
 Category:       core<co id="co-category">
 Module:         sys<co id="co-module">
 Announced:      2003-09-23<co id="co-announce">
 Credits:        Person@EMAIL-ADDRESS<co id="co-credit">
 Affects:        All releases of &os;<co id="co-affects">
                 &os; 4-STABLE prior to the correction date
 Corrected:      2003-09-23 16:42:59 UTC (RELENG_4, 4.9-PRERELEASE)
                 2003-09-23 20:08:42 UTC (RELENG_5_1, 5.1-RELEASE-p6)
                 2003-09-23 20:07:06 UTC (RELENG_5_0, 5.0-RELEASE-p15)
                 2003-09-23 16:44:58 UTC (RELENG_4_8, 4.8-RELEASE-p8)
                 2003-09-23 16:47:34 UTC (RELENG_4_7, 4.7-RELEASE-p18)
                 2003-09-23 16:49:46 UTC (RELENG_4_6, 4.6-RELEASE-p21)
                 2003-09-23 16:51:24 UTC (RELENG_4_5, 4.5-RELEASE-p33)
                 2003-09-23 16:52:45 UTC (RELENG_4_4, 4.4-RELEASE-p43)
                 2003-09-23 16:54:39 UTC (RELENG_4_3, 4.3-RELEASE-p39)<co id="co-corrected">
 &os; only:   NO<co id="co-only">
 
 For general information regarding FreeBSD Security Advisories,
 including descriptions of the fields above, security branches, and the
 following sections, please visit
 http://www.FreeBSD.org/security/.
 
 I.   Background<co id="co-backround">
 
 
 II.  Problem Description<co id="co-descript">
 
 
 III. Impact<co id="co-impact">
 
 
 IV.  Workaround<co id="co-workaround">
 
 
 V.   Solution<co id="co-solution">
 
 
 VI.  Correction details<co id="co-details">
 
 
 VII. References<co id="co-ref"></programlisting>
 
 
       <calloutlist>
 	<callout arearefs="co-topic">
 	  <para>The <literal>Topic</literal> field indicates exactly what the problem is.
 	    It is basically an introduction to the current security
 	    advisory and notes the utility with the
 	    vulnerability.</para>
 	</callout>
 
 	<callout arearefs="co-category">
 	  <para>The <literal>Category</literal> refers to the affected part of the system
 	    which may be one of <literal>core</literal>, <literal>contrib</literal>, or <literal>ports</literal>.  The <literal>core</literal>
 	    category means that the vulnerability affects a core
 	    component of the &os; operating system.  The <literal>contrib</literal>
 	    category means that the vulnerability affects software
 	    contributed to the &os; Project, such as
 	    <application>sendmail</application>.  Finally the <literal>ports</literal>
 	    category indicates that the vulnerability affects add on
 	    software available as part of the ports collection.</para>
 	</callout>
 
 	<callout arearefs="co-module">
 	  <para>The <literal>Module</literal> field refers to the component location, for
 	    instance <literal>sys</literal>.  In this example, we see that the module,
 	    <literal>sys</literal>, is affected; therefore, this vulnerability
 	    affects a component used within the kernel.</para>
 	</callout>
 
 	<callout arearefs="co-announce">
 	  <para>The <literal>Announced</literal> field reflects the date said security
 	    advisory was published, or announced to the world.  This
 	    means that the security team has verified that the problem
 	    does exist and that a patch has been committed to the &os;
 	    source code repository.</para>
 	</callout>
 
 	<callout arearefs="co-credit">
 	  <para>The <literal>Credits</literal> field gives credit to the individual or
 	    organization who noticed the vulnerability and reported
 	    it.</para>
 	</callout>
 
 	<callout arearefs="co-affects">
 	  <para>The <literal>Affects</literal> field explains which releases of &os; are
 	    affected by this vulnerability.  For the kernel, a quick
 	    look over the output from <command>ident</command> on the
 	    affected files will help in determining the revision.
 	    For ports, the version number is listed after the port name
 	    in <filename>/var/db/pkg</filename>.  If the system does not
 	    sync with the &os; <acronym>CVS</acronym> repository and rebuild
 	    daily, chances are that it is affected.</para>
 	</callout>
 
 	<callout arearefs="co-corrected">
 	  <para>The <literal>Corrected</literal> field indicates the date, time, time
 	    offset, and release that was corrected.</para>
 	</callout>
 
 	<callout arearefs="co-only">
 	  <para>The <literal>&os; only</literal> field indicates whether this vulnerability
 	    affects just &os;, or if it affects other operating systems
 	    as well.</para>
 	</callout>
 
 	<callout arearefs="co-backround">
 	  <para>The <literal>Background</literal> field gives information on exactly what
 	    the affected utility is.  Most of the time this is why
 	    the utility exists in &os;, what it is used for, and a bit
 	    of information on how the utility came to be.</para>
 	</callout>
 
 	<callout arearefs="co-descript">
 	  <para>The <literal>Problem Description</literal> field explains the security hole
 	    in depth.  This can include information on flawed code, or
 	    even how the utility could be maliciously used to open
 	    a security hole.</para>
 	</callout>
 
 	<callout arearefs="co-impact">
 	  <para>The <literal>Impact</literal> field describes what type of impact the
 	    problem could have on a system.  For example, this could
 	    be anything from a denial of service attack, to extra
 	    privileges available to users, or even giving the attacker
 	    superuser access.</para>
 	</callout>
 
 	<callout arearefs="co-workaround">
 	  <para>The <literal>Workaround</literal> field offers a feasible workaround to
 	    system administrators who may be incapable of upgrading
 	    the system.  This may be due to time constraints, network
 	    availability, or a slew of other reasons.  Regardless,
 	    security should not be taken lightly, and an affected system
 	    should either be patched or the security hole workaround
 	    should be implemented.</para>
 	</callout>
 
 	<callout arearefs="co-solution">
 	  <para>The <literal>Solution</literal> field offers instructions on patching the
 	    affected system.  This is a step by step tested and verified
 	    method for getting a system patched and working
 	    securely.</para>
 	</callout>
 
 	<callout arearefs="co-details">
 	  <para>The <literal>Correction Details</literal> field displays the
 	    <acronym>CVS</acronym> branch or release name with the
 	    periods changed to underscore characters.  It also shows
 	    the revision number of the affected files within each
 	    branch.</para>
 	</callout>
 
 	<callout arearefs="co-ref">
 	  <para>The <literal>References</literal> field usually offers sources of other
 	    information.  This can included web <acronym>URL</acronym>s,
 	    books, mailing lists, and newsgroups.</para>
 	</callout>
       </calloutlist>
     </sect2>
   </sect1>
 </chapter>
 
 <!--
      Local Variables:
      mode: sgml
      sgml-declaration: "../chapter.decl"
      sgml-indent-data: t
      sgml-omittag: nil
      sgml-always-quote-attributes: t
      sgml-parent-document: ("../book.sgml" "part" "chapter")
      End:
 -->
 
diff --git a/en_US.ISO8859-1/books/handbook/serialcomms/chapter.sgml b/en_US.ISO8859-1/books/handbook/serialcomms/chapter.sgml
index 69f99ba140..cb2e14a788 100644
--- a/en_US.ISO8859-1/books/handbook/serialcomms/chapter.sgml
+++ b/en_US.ISO8859-1/books/handbook/serialcomms/chapter.sgml
@@ -1,2668 +1,2668 @@
 <!--
      The FreeBSD Documentation Project
 
      $FreeBSD$
 -->
 
 <chapter id="serialcomms">
   <title>Serial Communications</title>
   
   <sect1 id="serial-synopsis">
     <title>Synopsis</title>
 
     <indexterm><primary>serial communications</primary></indexterm>
     <para>&unix; has always had support for serial communications.  In fact,
       the very first &unix; machines relied on serial lines for user input
       and output.  Things have changed a lot from the days when the average
       <quote>terminal</quote> consisted of a 10-character-per-second serial
       printer and a keyboard.  This chapter will cover some of the ways in
       which FreeBSD uses serial communications.</para>
 
     <para>After reading this chapter, you will know:</para>
     <itemizedlist>
       <listitem><para>How to connect terminals to your FreeBSD
 	  system.</para></listitem>
       <listitem><para>How to use a modem to dial out to remote
 	  hosts.</para></listitem>
       <listitem><para>How to allow remote users to login to your
 	  system with a modem.</para></listitem>
       <listitem><para>How to boot your system from a serial
 	  console.</para></listitem>
     </itemizedlist>
 
     <para>Before reading this chapter, you should:</para>
     <itemizedlist>
       <listitem><para>Know how to configure and install a new kernel (<xref
         linkend="kernelconfig">).</para></listitem>
       <listitem><para>Understand &unix; permissions and processes (<xref linkend="basics">).</para></listitem>
       <listitem><para>Have access to the technical manual for the
         serial hardware (modem or multi-port card) that you would like
         to use with FreeBSD.</para></listitem>
     </itemizedlist>
   </sect1>
 
   <sect1 id="serial">
     <title>Introduction</title>
     
     <!-- XXX Write me! -->
 
     <sect2 id="serial-terminology">
       <title>Terminology</title>
 
       <variablelist>
         <indexterm><primary>bits-per-second</primary></indexterm>
 	<varlistentry>
 	  <term>bps</term>
 	  <listitem>
 	    <para>Bits per Second &mdash; the rate at which data is
 	      transmitted</para>
 	  </listitem>
 	</varlistentry>
 	  
 	<varlistentry>
 	  <term>DTE</term>
 	  <indexterm><primary>DTE</primary></indexterm>
 	  <listitem>
 	    <para>Data Terminal Equipment &mdash; for example, your
 	      computer</para>
 	  </listitem>
 	</varlistentry>
 	  
 	<varlistentry>
 	  <term>DCE</term>
 	  <indexterm><primary>DCE</primary></indexterm>
 	  <listitem>
 	    <para>Data Communications Equipment &mdash;  your modem</para>
 	  </listitem>
 	</varlistentry>
 	  
 	<varlistentry>
 	  <term>RS-232</term>
 	  <indexterm><primary>RS-232C cables</primary></indexterm>
 	  <listitem>
 	    <para>EIA standard for hardware serial communications</para>
 	  </listitem>
 	</varlistentry>
       </variablelist>
 
       <para>When talking about communications data rates, this section
 	does not use the term <quote>baud</quote>.  Baud refers to the
 	number of electrical state transitions that may be made in a
 	period of time, while <quote>bps</quote> (bits per second) is
 	the <emphasis>correct</emphasis> term to use (at least it does not
 	seem to bother the curmudgeons quite as much).</para>
     </sect2>
 
     <sect2 id="serial-cables-ports">
       <title>Cables and Ports</title>
       
       <para>To connect a modem or terminal to your FreeBSD system, you
 	will need a serial port on your computer and the proper cable to connect
 	to your serial device.  If you are already familiar with your
 	hardware and the cable it requires, you can safely skip this
 	section.</para>
 	  
       <sect3 id="term-cables">
 	<title>Cables</title>
 
 	<para>There are several different kinds of serial cables.  The
 	  two most common types for our purposes are null-modem cables
 	  and standard (<quote>straight</quote>) RS-232 cables.  The documentation
 	  for your hardware should describe the type of cable
 	  required.</para>
 	    
 	<sect4 id="term-cables-null">
 	  <title>Null-modem Cables</title>
 
 	  <indexterm>
 	    <primary>null-modem cable</primary>
 	  </indexterm>
 	  <para>A null-modem cable passes some signals, such as <quote>signal
 	    ground</quote>, straight through, but switches other signals.  For
 	    example, the <quote>send data</quote> pin on one end goes to the
 	    <quote>receive data</quote> pin on the other end.</para>
 	      
 	  <para>If you like making your own cables, you can construct
 	    a null-modem cable for use with
 	    terminals.  This table shows the RS-232C signal names and the pin
 	    numbers on a DB-25 connector.</para>
 
-	  <informaltable frame="none">
+	  <informaltable frame="none" pgwide="1">
 	    <tgroup cols="5">
 	      <thead>
 		<row>
 		  <entry>Signal</entry>
 		  <entry>Pin #</entry>
 		  <entry></entry>
 		  <entry>Pin #</entry>
 		  <entry>Signal</entry>
 		</row>
 	      </thead>
 	      
 	      <tbody>
 		<row>
 		  <entry>SG</entry>
 		  <entry>7</entry>
 		  <entry>connects to</entry>
 		  <entry>7</entry>
 		  <entry>SG</entry>
 		</row>
 		
 		<row>
 		  <entry>TD</entry>
 		  <entry>2</entry>
 		  <entry>connects to</entry>
 		  <entry>3</entry>
 		  <entry>RD</entry>
 		</row>
 		
 		<row>
 		  <entry>RD</entry>
 		  <entry>3</entry>
 		  <entry>connects to</entry>
 		  <entry>2</entry>
 		  <entry>TD</entry>
 		</row>
 		
 		<row>
 		  <entry>RTS</entry>
 		  <entry>4</entry>
 		  <entry>connects to</entry>
 		  <entry>5</entry>
 		  <entry>CTS</entry>
 		</row>
 		
 		<row>
 		  <entry>CTS</entry>
 		  <entry>5</entry>
 		  <entry>connects to</entry>
 		  <entry>4</entry>
 		  <entry>RTS</entry>
 		</row>
 		
 		<row>
 		  <entry>DTR</entry>
 		  <entry>20</entry>
 		  <entry>connects to</entry>
 		  <entry>6</entry>
 		  <entry>DSR</entry>
 		</row>
 		
 		<row>
 		  <entry>DCD</entry>
 		  <entry>8</entry>
 		  <entry></entry>
 		  <entry>6</entry>
 		  <entry>DSR</entry>
 		</row>
 		
 		<row>
 		  <entry>DSR</entry>
 		  <entry>6</entry>
 		  <entry>connects to</entry>
 		  <entry>20</entry>
 		  <entry>DTR</entry>
 		</row>
 	      </tbody>
 	    </tgroup>
 	  </informaltable>
 	  
 	  <note>
 	    <para>Connect <quote>Data Set Ready</quote> (DSR) and
 	      <quote>Data Carrier Detect</quote> (DCD) internally in the
 	      connector hood, and then to <quote>Data Terminal
 	        Ready</quote> (DTR) in the remote hood.</para>
 	  </note>
 	</sect4>
 
 	<sect4 id="term-cables-std">
 	  <title>Standard RS-232C Cables</title>
 	  <indexterm><primary>RS-232C cables</primary></indexterm>
 
 	  <para>A standard serial cable passes all the RS-232C signals
 	    straight-through.  That is, the <quote>send data</quote> pin on one
 	    end of the cable goes to the <quote>send data</quote> pin on the
 	    other end. This is the type of cable to use to connect a modem to your
 	    FreeBSD system, and is also appropriate for some
 	    terminals.</para>
 	</sect4>
       </sect3>
       
       <sect3 id="term-ports">
 	<title>Ports</title>
 
 	<para>Serial ports are the devices through which data is transferred
 	  between the FreeBSD host computer and the terminal. This section
 	  describes the kinds of ports that exist and how they are addressed
 	  in FreeBSD.</para>
 
 	<sect4 id="term-portkinds">
 	  <title>Kinds of Ports</title>
 	  
 	  <para>Several kinds of serial ports exist.  Before you purchase or
 	    construct a cable, you need to make sure it will fit the ports on
 	    your terminal and on the FreeBSD system.</para>
 	      
 	  <para>Most terminals will have DB25 ports.  Personal computers,
 	    including PCs running FreeBSD, will have DB25 or DB9 ports. If you
 	    have a multiport serial card for your PC, you may have RJ-12 or
 	    RJ-45 ports.</para>
 	      
 	  <para>See the documentation that accompanied the hardware for
 	    specifications on the kind of port in use.  A visual inspection of
 	    the port often works too.</para>
 	</sect4>
 
 	<sect4 id="term-portnames">
 	  <title>Port Names</title>
 	  
 	  <para>In FreeBSD, you access each serial port through an entry in
 	    the <filename>/dev</filename> directory.  There are two different
 	    kinds of entries:</para>
 	      
 	  <itemizedlist>
 	    <listitem>
 	      <para>Call-in ports are named
 		<filename>/dev/ttyd<replaceable>N</replaceable></filename>
 		where <replaceable>N</replaceable> is the port number,
 		starting from zero.  Generally, you use the call-in port for
 		terminals.  Call-in ports require that the serial line assert
 		the data carrier detect (DCD) signal to work correctly.</para>
 	    </listitem>
 	    
 	    <listitem>
 	      <para>Call-out ports are named
 		<filename>/dev/cuaa<replaceable>N</replaceable></filename>.
 		You usually do not use the call-out port for terminals, just
 		for modems.  You may use the call-out port if the serial cable
 		or the terminal does not support the carrier detect
 		signal.</para>
 	    </listitem>
 	  </itemizedlist>
 	  
 	  <para>If you have connected a terminal to the first serial port
 	    (<devicename>COM1</devicename> in &ms-dos;), then you will
 	    use <filename>/dev/ttyd0</filename> to refer to the terminal.  If
 	    the terminal is on the second serial port (also known as
 	    <devicename>COM2</devicename>), use
 	    <filename>/dev/ttyd1</filename>, and so forth.</para>
 
 	</sect4>
       </sect3>
     </sect2>
 
     <sect2>
       <title>Kernel Configuration</title>
       
       <para>FreeBSD supports four serial ports by default.  In the
 	&ms-dos; world, these are known as
 	<devicename>COM1</devicename>,
 	<devicename>COM2</devicename>,
 	<devicename>COM3</devicename>, and 
 	<devicename>COM4</devicename>.  FreeBSD currently supports
 	<quote>dumb</quote> multiport serial interface cards, such as
 	the BocaBoard 1008 and 2016, as well as more
 	intelligent multi-port cards such as those made by Digiboard
 	and Stallion Technologies.  However, the default kernel only looks
 	for the standard COM ports.</para>
 	  
       <para>To see if your kernel recognizes any of your serial ports, watch
 	for messages while the kernel is booting, or use the
 	<command>/sbin/dmesg</command> command to replay the kernel's boot
 	messages.  In particular, look for messages that start with the
 	characters <literal>sio</literal>.</para>
 
       <tip><para>To view just the messages that have the word
 	<literal>sio</literal>, use the command:</para>
 	  
       <screen>&prompt.root; <userinput>/sbin/dmesg | grep 'sio'</userinput></screen>
       </tip>
 	    
       <para>For example, on a system with four serial ports, these are the
 	serial-port specific kernel boot messages:</para>
       
       <screen>sio0 at 0x3f8-0x3ff irq 4 on isa
 sio0: type 16550A
 sio1 at 0x2f8-0x2ff irq 3 on isa
 sio1: type 16550A
 sio2 at 0x3e8-0x3ef irq 5 on isa
 sio2: type 16550A
 sio3 at 0x2e8-0x2ef irq 9 on isa
 sio3: type 16550A</screen>
 	  
       <para>If your kernel does not recognize all of your serial
 	ports, you will probably need to configure a custom FreeBSD
 	kernel for your system.  For detailed information on
 	configuring your kernel, please see <xref
 	linkend="kernelconfig">.</para>
 
       <para>The relevant device lines for your kernel configuration
 	file would look like this, for FreeBSD&nbsp;4.X:</para>
 	  
       <programlisting>device		sio0	at isa? port IO_COM1 irq 4
 device		sio1	at isa? port IO_COM2 irq 3
 device		sio2	at isa? port IO_COM3 irq 5
 device		sio3	at isa? port IO_COM4 irq 9</programlisting>
 	  
 
       <para>and like this, for FreeBSD&nbsp;5.X:</para>
 
       <programlisting>device		sio</programlisting>
 
       <para>You can comment-out or completely remove lines for devices
 	you do not have in the case of FreeBSD&nbsp;4.X; for
 	FreeBSD&nbsp;5.X you have to edit your
 	<filename>/boot/device.hints</filename> file to configure your
 	serial ports.  Please refer to the &man.sio.4; manual page for
 	more information on serial ports and multiport boards configuration.
 	Be careful if you are using a configuration
 	file that was previously used for a different version of
 	FreeBSD because the device flags and the syntax have changed between
 	versions.</para>
 
       <note>
 	<para><literal>port IO_COM1</literal> is a substitution for
 	  <literal>port 0x3f8</literal>, <literal>IO_COM2</literal> is
 	  <literal>0x2f8</literal>, <literal>IO_COM3</literal> is
 	  <literal>0x3e8</literal>, and <literal>IO_COM4</literal> is
 	  <literal>0x2e8</literal>, which are fairly common port addresses for
 	  their respective serial ports; interrupts 4, 3, 5, and 9 are fairly
 	  common interrupt request lines.  Also note that regular serial ports
 	  <emphasis>cannot</emphasis> share interrupts on ISA-bus PCs
 	  (multiport boards have on-board electronics that allow all the
 	  16550A's on the board to share one or two interrupt request
 	  lines).</para>
       </note>
 	  
     </sect2>
 
     <sect2>
       <title>Device Special Files</title>
       
       <para>Most devices in the kernel are accessed through <quote>device
 	special files</quote>, which are located in the
 	<filename>/dev</filename> directory.  The <devicename>sio</devicename>
 	devices are accessed through the
 	<filename>/dev/ttyd<replaceable>N</replaceable></filename> (dial-in)
 	and <filename>/dev/cuaa<replaceable>N</replaceable></filename>
 	(call-out) devices.  FreeBSD also provides initialization devices
 	(<filename>/dev/ttyid<replaceable>N</replaceable></filename> and
 	<filename>/dev/cuaia<replaceable>N</replaceable></filename>) and
 	locking devices
 	(<filename>/dev/ttyld<replaceable>N</replaceable></filename> and
 	<filename>/dev/cuala<replaceable>N</replaceable></filename>).  The
 	initialization devices are used to initialize communications port
 	parameters each time a port is opened, such as
 	<literal>crtscts</literal> for modems which use
 	<literal>RTS/CTS</literal> signaling for flow control.  The locking
 	devices are used to lock flags on ports to prevent users or programs
 	changing certain parameters; see the manual pages &man.termios.4;,
 	  &man.sio.4;, and &man.stty.1; for
 	information on the terminal settings, locking and initializing
 	devices, and setting terminal options, respectively.</para>
       
       <sect3>
 	<title>Making Device Special Files</title>
 
 	<note><para>FreeBSD&nbsp;5.0 includes the &man.devfs.5;
 	  filesystem which automatically creates device nodes as
 	  needed.  If you are running a version of FreeBSD with
 	  <literal>devfs</literal> enabled then you can safely skip
 	  this section.</para></note>
 
 	<para>A shell script called <command>MAKEDEV</command> in the
 	  <filename>/dev</filename> directory manages the device special
 	  files.  To use <command>MAKEDEV</command> to make dial-up device
 	  special files for <devicename>COM1</devicename> (port 0),
 	  <command>cd</command> to <filename>/dev</filename> and issue the
 	  command <command>MAKEDEV ttyd0</command>. Likewise, to make dial-up
 	  device special files for <devicename>COM2</devicename> (port 1),
 	  use <command>MAKEDEV ttyd1</command>.</para>
 	    
 	<para><command>MAKEDEV</command> not only creates the
 	  <filename>/dev/ttyd<replaceable>N</replaceable></filename> device
 	  special files, but also the
 	  <filename>/dev/cuaa<replaceable>N</replaceable></filename>,
 	  <filename>/dev/cuaia<replaceable>N</replaceable></filename>,
 	  <filename>/dev/cuala<replaceable>N</replaceable></filename>,
 	  <filename>/dev/ttyld<replaceable>N</replaceable></filename>,
 	  and
 	  <filename>/dev/ttyid<replaceable>N</replaceable></filename>
 	  nodes.</para>
 	    
 	<para>After making new device special files, be sure to check the
 	  permissions on the files (especially the
 	  <filename>/dev/cua*</filename> files) to make sure that only users
 	  who should have access to those device special files can read and
 	  write on them &mdash; you probably do not want to allow your average
 	  user to use your modems to dial-out.  The default permissions on the
 	  <filename>/dev/cua*</filename> files should be sufficient:</para>
 	    
 	<screen>crw-rw----    1 uucp     dialer    28, 129 Feb 15 14:38 /dev/cuaa1
 crw-rw----    1 uucp     dialer    28, 161 Feb 15 14:38 /dev/cuaia1
 crw-rw----    1 uucp     dialer    28, 193 Feb 15 14:38 /dev/cuala1</screen>
 	    
 	<para>These permissions allow the user <username>uucp</username> and
 	  users in the group <username>dialer</username> to use the call-out
 	  devices.</para>
       </sect3>
     </sect2>
 
 
     <sect2 id="serial-hw-config">
       <title>Serial Port Configuration</title>
 
     <indexterm><primary><devicename>ttyd</devicename></primary></indexterm>
     <indexterm><primary><devicename>cuaa</devicename></primary></indexterm>
 
     <para>The <devicename>ttyd<replaceable>N</replaceable></devicename> (or
       <devicename>cuaa<replaceable>N</replaceable></devicename>) device is the
       regular device you will want to open for your applications.  When a
       process opens the device, it will have a default set of terminal I/O
       settings.  You can see these settings with the command</para>
 
     <screen>&prompt.root; <userinput>stty -a -f /dev/ttyd1</userinput></screen>
 	  
     <para>When you change the settings to this device, the settings are in
       effect until the device is closed.  When it is reopened, it goes back to
       the default set.  To make changes to the default set, you can open and
       adjust the settings of the <quote>initial state</quote> device. For
       example, to turn on <option>CLOCAL</option> mode, 8 bit communication,
       and <option>XON/XOFF</option> flow control by default for 
       <devicename>ttyd5</devicename>, type:</para>
 
     <screen>&prompt.root; <userinput>stty -f /dev/ttyid5 clocal cs8 ixon ixoff</userinput></screen>
 	  
     <indexterm>
       <primary>rc files</primary>
       <secondary><filename>rc.serial</filename></secondary>
     </indexterm>
 
     <!-- XXX; /etc/rc.serial is gone in 5.1.
       How do you set default parameters for these devices in 5.X ? -->
 
     <para>System-wide initialization of the serial devices is
       controlled in <filename>/etc/rc.serial</filename>.  This file
       affects the default settings of serial devices.</para>
 
     <para>To prevent certain settings from being changed by an
       application, make adjustments to the <quote>lock state</quote>
       device.  For example, to lock the speed of
       <devicename>ttyd5</devicename> to 57600&nbsp;bps, type:</para>
 	  
     <screen>&prompt.root; <userinput>stty -f /dev/ttyld5 57600</userinput></screen>
 
     <para>Now, an application that opens
       <devicename>ttyd5</devicename> and tries to change the speed of
       the port will be stuck with 57600&nbsp;bps.</para>
 
     <indexterm>
       <primary><command>MAKEDEV</command></primary>
     </indexterm>
     <para>Naturally, you should make the initial state and lock state devices
       writable only by the <username>root</username> account.</para>
     </sect2>
   </sect1>
       
   <sect1 id="term">
     <sect1info>
       <authorgroup>
         <author>
 	  <firstname>Sean</firstname>
 	  <surname>Kelly</surname>
 	  <contrib>Contributed by </contrib>
 	</author>
 	<!-- 28 July 1996 -->
       </authorgroup>
     </sect1info>
     <title>Terminals</title>
     
     <indexterm><primary>terminals</primary></indexterm>
 
     <para>Terminals provide a convenient and low-cost way to access 
       your FreeBSD system when you are not at the computer's console or on
       a connected network.  This section describes how to use terminals with
       FreeBSD.</para>
 
     <sect2 id="term-uses">
       <title>Uses and Types of Terminals</title>
       
       <para>The original &unix; systems did not have consoles.  Instead, people
 	logged in and ran programs through terminals that were connected to
 	the computer's serial ports.  It is quite similar to using a modem and
 	terminal software to dial into a remote system to do text-only
 	work.</para>
 	  
       <para>Today's PCs have consoles capable of high quality graphics, but
 	the ability to establish a login session on a serial port still exists
 	in nearly every &unix; style operating system today; FreeBSD is no
 	exception.  By using a terminal attached to an unused serial port, you
 	can log in and run any text program that you would normally run on the
 	console or in an <command>xterm</command> window in the X Window
 	System.</para>
 	  
       <para>For the business user, you can attach many terminals to a FreeBSD
 	system and place them on your employees' desktops.  For a home user, a
 	spare computer such as an older IBM PC or a &macintosh; can be a
 	terminal wired into a more powerful computer running FreeBSD.  You can
 	turn what might otherwise be a single-user computer into a powerful
 	multiple user system.</para>
 	  
       <para>For FreeBSD, there are three kinds of terminals:</para>
 	  
       <itemizedlist>
 	<listitem>
 	  <para><link linkend="term-dumb">Dumb terminals</link></para>
 	</listitem>
 
 	<listitem>
 	  <para><link linkend="term-pcs">PCs acting as terminals</link></para>
 	</listitem>
 
 	<listitem>
 	  <para><link linkend="term-x">X terminals</link></para>
 	</listitem>
       </itemizedlist>
 	  
       <para>The remaining subsections describe each kind.</para>
 	  
       <sect3 id="term-dumb">
 	<title>Dumb Terminals</title>
 
 	<para>Dumb terminals are specialized pieces of hardware that let you
 	  connect to computers over serial lines.  They are called
 	  <quote>dumb</quote> because they have only enough computational power
 	  to display, send, and receive text.  You cannot run any programs on
 	  them.  It is the computer to which you connect them that has all the
 	  power to run text editors, compilers, email, games, and so
 	  forth.</para>
 	    
 	<para>There are hundreds of kinds of dumb terminals made by many
 	  manufacturers, including Digital Equipment Corporation's VT-100 and
 	  Wyse's WY-75.  Just about any kind will work with FreeBSD. Some
 	  high-end terminals can even display graphics, but only certain
 	  software packages can take advantage of these advanced
 	  features.</para>
 	    
 	<para>Dumb terminals are popular in work environments where workers do
 	  not need access to graphical applications such as those provided by
 	  the X Window System.</para>
       </sect3>
 	  
       <sect3 id="term-pcs">
 	<title>PCs Acting as Terminals</title>
 
 	<para>If a <link linkend="term-dumb">dumb terminal</link> has just
 	  enough ability to display, send, and receive text, then certainly
 	  any spare personal computer can be a dumb terminal. All you need is
 	  the proper cable and some <emphasis>terminal emulation</emphasis>
 	  software to run on the computer.</para>
 	    
 	<para>Such a configuration is popular in homes.  For example, if your
 	  spouse is busy working on your FreeBSD system's console, you can do
 	  some text-only work at the same time from a less powerful personal
 	  computer hooked up as a terminal to the FreeBSD system.</para>
       </sect3>
 	  
       <sect3 id="term-x">
 	<title>X Terminals</title>
 
 	<para>X terminals are the most sophisticated kind of terminal
 	  available.  Instead of connecting to a serial port, they usually
 	  connect to a network like Ethernet.  Instead of being relegated to
 	  text-only applications, they can display any X application.</para>
 	    
 	<para>We introduce X terminals just for the sake of completeness.
 	  However, this chapter does <emphasis>not</emphasis> cover setup,
 	  configuration, or use of X terminals.</para>
       </sect3>
     </sect2>
     
     <sect2 id="term-config">
       <title>Configuration</title>
       
       <para>This section describes what you need to configure on your FreeBSD
 	system to enable a login session on a terminal.  It assumes you have
 	already configured your kernel to support the serial port to which the
 	terminal is connected&mdash;and that you have connected it.</para>
 	  
       <para>Recall from <xref linkend="boot"> that the
 	<command>init</command> process is responsible for all process
 	control and initialization at system startup.  One of the
 	tasks performed by <command>init</command> is to read the
 	<filename>/etc/ttys</filename> file and start a
 	<command>getty</command> process on the available terminals.
 	The <command>getty</command> process is responsible for
 	reading a login name and starting the <command>login</command>
 	program.</para>
 	  
       <para>Thus, to configure terminals for your FreeBSD system the
 	following steps should be taken as <username>root</username>:</para>
 
       <procedure>
 	<step>
 	  <para>Add a line to <filename>/etc/ttys</filename> for the entry in
 	    the <filename>/dev</filename> directory for the serial port if it
 	    is not already there.</para>
 	</step>
 
 	<step>
 	  <para>Specify that <command>/usr/libexec/getty</command> be run on
 	    the port, and specify the appropriate
 	    <replaceable>getty</replaceable> type from the
 	    <filename>/etc/gettytab</filename> file.</para>
 	</step>
 
 	<step>
 	  <para>Specify the default terminal type.</para>
 	</step>
 
 	<step>
 	  <para>Set the port to <quote>on.</quote></para>
 	</step>
 	      
 	<step>
 	  <para>Specify whether the port should be
 	    <quote>secure.</quote></para>
 	</step>
 
 	<step>
 	  <para>Force <command>init</command> to reread the
 	    <filename>/etc/ttys</filename> file.</para>
 	</step>
       </procedure>
       
       <para>As an optional step, you may wish to create a custom
 	<replaceable>getty</replaceable> type for use in step 2 by making an
 	entry in <filename>/etc/gettytab</filename>.  This chapter does
 	not explain how to do so; you are encouraged to see the
 	  &man.gettytab.5; and the &man.getty.8; manual pages for more
 	information.</para>
       
       <sect3 id="term-etcttys">
 	<title>Adding an Entry to <filename>/etc/ttys</filename></title>
 
 	<para>The <filename>/etc/ttys</filename> file lists all of the ports
 	  on your FreeBSD system where you want to allow logins.  For example,
 	  the first virtual console <filename>ttyv0</filename> has an entry in
 	  this file.  You can log in on the console using this entry.  This
 	  file also contains entries for the other virtual consoles, serial ports,
 	  and pseudo-ttys.  For a hardwired terminal, just list the serial
 	  port's <filename>/dev</filename> entry without the
 	  <filename>/dev</filename> part (for example, 
 	  <filename>/dev/ttyv0</filename> would be listed as
 	  <devicename>ttyv0</devicename>).</para>
 
 	<para>A default FreeBSD install includes an
 	  <filename>/etc/ttys</filename> file with support for the first
 	  four serial ports: <filename>ttyd0</filename> through
 	  <filename>ttyd3</filename>.  If you are attaching a terminal
 	  to one of those ports, you do not need to add another entry.</para>
 
 	<example id="ex-etc-ttys">
 	  <title>Adding Terminal Entries to
 	    <filename>/etc/ttys</filename></title> 
 
 	  <para>Suppose we would like to connect two terminals to the
 	    system: a Wyse-50 and an old 286 IBM PC running
 	    <application>Procomm</application> terminal software
 	    emulating a VT-100 terminal.  We connect the Wyse to the
 	    second serial port and the 286 to the sixth serial port (a
 	    port on a multiport serial card).  The corresponding
 	    entries in the <filename>/etc/ttys</filename> file would
 	    look like this:</para>
 
 	  <programlisting>ttyd1<co 
 	      id="co-ttys-line1col1">  "/usr/libexec/getty std.38400"<co
 	      id="co-ttys-line1col2">  wy50<co
 	      id="co-ttys-line1col3">  on<co
 	      id="co-ttys-line1col4">  insecure<co
 	      id="co-ttys-line1col5">
 ttyd5   "/usr/libexec/getty std.19200"  vt100  on  insecure
 	  </programlisting>
       
 	  <calloutlist>
 	    <callout arearefs="co-ttys-line1col1">
 	      <para>The first field normally specifies the name of
 	      the terminal special file as it is found in
 	      <filename>/dev</filename>.</para>
 	    </callout>
 	    <callout arearefs="co-ttys-line1col2">
 
 	      <para>The second field is the command to execute for
 	        this line, which is usually &man.getty.8;.
 	        <command>getty</command> initializes and opens the
 	        line, sets the speed, prompts for a user name and then
 	        executes the &man.login.1; program.</para>
 
 	      <para>The <command>getty</command> program accepts one
 		(optional) parameter on its command line, the
 		<replaceable>getty</replaceable> type.  A
 		<replaceable>getty</replaceable> type configures
 		characteristics on the terminal line, like bps rate
 		and parity. The <command>getty</command> program reads
 		these characteristics from the file
 		<filename>/etc/gettytab</filename>.</para>
 
 	      <para>The file <filename>/etc/gettytab</filename>
 		contains lots of entries for terminal lines both old
 		and new.  In almost all cases, the entries that start
 		with the text <literal>std</literal> will work for
 		hardwired terminals. These entries ignore parity.
 		There is a <literal>std</literal> entry for each bps
 		rate from 110 to 115200.  Of course, you can add your
 		own entries to this file. The &man.gettytab.5; manual
 		page provides more information.</para>
 
 	      <para>When setting the <replaceable>getty</replaceable>
 		type in the <filename>/etc/ttys</filename> file, make
 		sure that the communications settings on the terminal
 		match.</para>
 	    
 	      <para>For our example, the Wyse-50 uses no parity and
 		connects at 38400&nbsp;bps.  The 286&nbsp;PC uses no parity and
 		connects at 19200&nbsp;bps.</para>
 
 	    </callout>
 
 	    <callout arearefs="co-ttys-line1col3">
 
 	      <para>The third field is the type of terminal usually
 		connected to that tty line.  For dial-up ports,
 		<literal>unknown</literal> or
 		<literal>dialup</literal> is typically used in this
 		field since users may dial up with practically any
 		type of terminal or software.  For hardwired
 		terminals, the terminal type does not change, so you
 		can put a real terminal type from the &man.termcap.5;
 		database file in this field.</para>
 
 	      <para>For our example, the Wyse-50 uses the real
 		terminal type while the 286 PC running
 		<application>Procomm</application> will be set to
 		emulate at VT-100. </para>
 
 	    </callout>
 
 	    <callout arearefs="co-ttys-line1col4">
 	      <para>The fourth field specifies if the port should be
 	        enabled.  Putting <literal>on</literal> here will have
 	        the <command>init</command> process start the program
 	        in the second field, <command>getty</command>.  If you
 	        put <literal>off</literal> in this field, there will
 	        be no <command>getty</command>, and hence no logins on
 	        the port.</para>
 	    </callout>
 
 	    <callout arearefs="co-ttys-line1col5">
 	      <para>The final field is used to specify whether the
 	        port is secure.  Marking a port as secure means that
 	        you trust it enough to allow the
 	        <username>root</username> account (or any account with
 	        a user ID of 0) to login from that port.  Insecure
 	        ports do not allow <username>root</username> logins.
 	        On an insecure port, users must login from
 	        unprivileged accounts and then use &man.su.1; or a
 	        similar mechanism to gain superuser privileges.</para>
 
 	      <para>It is highly recommended that you use
 		<quote>insecure</quote>
 	        even for terminals that are behind locked doors.  It
 	        is quite easy to login and use <command>su</command>
 	        if you need superuser privileges.</para>
 	    </callout>
 	  </calloutlist>
 	</example>
       </sect3>  
 
       <sect3 id="term-hup">
 	<title>Force <command>init</command> to Reread
 	  <filename>/etc/ttys</filename></title>
 
 	<para>After making the necessary changes to the
 	  <filename>/etc/ttys</filename> file you should send a SIGHUP
 	  (hangup) signal to the <command>init</command> process to
 	  force it to re-read its configuration file.  For example:</para>
 
 	<screen>&prompt.root; <userinput>kill -HUP 1</userinput></screen>
 
 	<note>
 	  <para><command>init</command> is always the first process run
 	    on a system, therefore it will always have PID 1.</para>
 	</note>
 
 	<para>If everything is set up correctly, all cables are in
 	  place, and the terminals are powered up, then a
 	  <command>getty</command> process should be running on each
 	  terminal and you should see login prompts on your terminals
 	  at this point.</para>
       </sect3>
     </sect2>
     
     <sect2 id="term-debug">
       <title>Troubleshooting Your Connection</title>
       
       <para>Even with the most meticulous attention to detail, something could
 	still go wrong while setting up a terminal.  Here is a list of
 	symptoms and some suggested fixes.</para>
       
       <sect3>
 	<title>No Login Prompt Appears</title>
 
 	<para>Make sure the terminal is plugged in and powered up. If it
 	  is a personal computer acting as a terminal, make sure it is
 	  running terminal emulation software on the correct serial
 	  port.</para>
 
 	<para>Make sure the cable is connected firmly to both the terminal
 	  and the FreeBSD computer.  Make sure it is the right kind of
 	  cable.</para>
 
 	<para>Make sure the terminal and FreeBSD agree on the bps rate and
 	  parity settings.  If you have a video display terminal, make
 	  sure the contrast and brightness controls are turned up.  If it
 	  is a printing terminal, make sure paper and ink are in good
 	  supply.</para>
 
 	<para>Make sure that a <command>getty</command> process is running
 	  and serving the terminal.  For example, to get a list of
 	  running <command>getty</command> processes with
 	  <command>ps</command>, type:</para>
 
         <screen>&prompt.root; <userinput>ps -axww|grep getty</userinput></screen>
 
 	<para>You should see an entry for the terminal.  For
 	  example, the following display shows that a
 	  <command>getty</command> is running on the second serial
 	  port <literal>ttyd1</literal> and is using the
 	  <literal>std.38400</literal> entry in
 	  <filename>/etc/gettytab</filename>:</para>
 
 	<screen>22189  d1  Is+    0:00.03 /usr/libexec/getty std.38400 ttyd1</screen>
 
 	<para>If no <command>getty</command> process is running, make sure
 	  you have enabled the port in <filename>/etc/ttys</filename>.
 	  Also remember to run <command>kill -HUP 1</command>
 	  after modifying the <filename>ttys</filename> file.</para>
 
 	<para>If the <command>getty</command> process is running
 	  but the terminal still does not display a login prompt,
 	  or if it displays a prompt but will not allow you to
 	  type, your terminal or cable may not support hardware
 	  handshaking. Try changing the entry in
 	  <filename>/etc/ttys</filename> from
 	  <literal>std.38400</literal> to
 	  <literal>3wire.38400</literal> remember to run
 	  <command>kill -HUP 1</command> after modifying
 	  <filename>/etc/ttys</filename>). The
 	  <literal>3wire</literal> entry is similar to
 	  <literal>std</literal>, but ignores hardware
 	  handshaking. You may need to reduce the baud rate or
 	  enable software flow control when using
 	  <literal>3wire</literal> to prevent buffer
 	  overflows.</para>
 
       </sect3>
 
       <sect3>
 	<title>If Garbage Appears Instead of a Login Prompt</title>
 
 	<para>Make sure the terminal and FreeBSD agree on the bps rate and
 	  parity settings.  Check the <command>getty</command> processes
 	  to make sure the
 	  correct <replaceable>getty</replaceable> type is in use.  If
 	  not, edit <filename>/etc/ttys</filename> and run <command>kill
 	  -HUP 1</command>.</para>
 
       </sect3>
 
       <sect3>
 	<title>Characters Appear Doubled; the Password Appears When Typed</title>
 
 	<para>Switch the terminal (or the terminal emulation software)
 	  from <quote>half duplex</quote> or <quote>local echo</quote> to
 	  <quote>full duplex.</quote></para>
 
       </sect3>
     </sect2>
   </sect1>
 
   <sect1 id="dialup">
     <sect1info>
       <authorgroup>
 	<author>
 	  <firstname>Guy</firstname>
 	  <surname>Helmer</surname>
 	  <contrib>Contributed by </contrib>
 	</author>
       </authorgroup>
       <authorgroup>
         <author>
 	  <firstname>Sean</firstname>
 	  <surname>Kelly</surname>
 	  <contrib>Additions by </contrib>
 	</author>
       </authorgroup>
     </sect1info>
     <title>Dial-in Service</title>
     <indexterm><primary>dial-in service</primary></indexterm>
 
     <para>Configuring your FreeBSD system for dial-in service is very
       similar to connecting terminals except that you are dealing with
       modems instead of terminals.</para>
 
       <sect2>
 	<title>External vs. Internal Modems</title>
 
 	<para>External modems seem to be more convenient for dial-up, because
 	  external modems often can be semi-permanently configured via
 	  parameters stored in non-volatile RAM and they usually provide
 	  lighted indicators that display the state of important RS-232
 	  signals.  Blinking lights impress visitors, but lights are also very
 	  useful to see whether a modem is operating properly.</para>
 	    
 	<para>Internal modems usually lack non-volatile RAM, so their
 	  configuration may be limited only to setting DIP switches.  If your
 	  internal modem has any signal indicator lights, it is probably
 	  difficult to view the lights when the system's cover is in
 	  place.</para>
       
       <sect3>
 	<title>Modems and Cables</title>
 	<indexterm><primary>modem</primary></indexterm>
 
 	<para>If you are using an external modem, then you will of
 	  course need the proper cable.  A standard RS-232C serial
 	  cable should suffice as long as all of the normal signals
 	  are wired:</para>
 
 	<itemizedlist>
 	  <listitem>
 	    <para>Transmitted Data (<acronym>TD</acronym>)</para>
 	  </listitem>
 	  
 	  <listitem>
 	    <para>Received Data (<acronym>RD</acronym>)</para>
 	  </listitem>
 	  
 	  <listitem>
 	    <para>Request to Send (<acronym>RTS</acronym>)</para>
 	  </listitem>
 	  
 	  <listitem>
 	    <para>Clear to Send (<acronym>CTS</acronym>)</para>
 	  </listitem>
 	  
 	  <listitem>
 	    <para>Data Set Ready (<acronym>DSR</acronym>)</para>
 	  </listitem>
 	  
 	  <listitem>
 	    <para>Data Terminal Ready (<acronym>DTR</acronym>)</para>
 	  </listitem>
 	  
 	  <listitem>
 	    <para>Carrier Detect (<acronym>CD</acronym>)</para>
 	  </listitem>
 	  
 	  <listitem>
 	    <para>Signal Ground (<acronym>SG</acronym>)</para>
 	  </listitem>
 	</itemizedlist>
 
 	<para>FreeBSD needs the <acronym>RTS</acronym> and
 	  <acronym>CTS</acronym> signals for flow-control at speeds above
 	  2400&nbsp;bps, the <acronym>CD</acronym> signal to detect when a call has
 	  been answered or the line has been hung up, and the
 	  <acronym>DTR</acronym> signal to reset the modem after a session is
 	  complete.  Some cables are wired without all of the needed signals,
 	  so if you have problems, such as a login session not going away when
 	  the line hangs up, you may have a problem with your cable.</para>
 	    
 	<para>Like other &unix; like operating systems, FreeBSD uses the
 	  hardware signals to find out when a call has been answered
 	  or a line has been hung up and to hangup and reset the modem
 	  after a call.  FreeBSD avoids sending commands to the modem
 	  or watching for status reports from the modem.  If you are
 	  familiar with connecting modems to PC-based bulletin board
 	  systems, this may seem awkward.</para>
       </sect3>
       </sect2>
       
       <sect2>
 	<title>Serial Interface Considerations</title>
 
 	<para>FreeBSD supports NS8250-, NS16450-, NS16550-, and NS16550A-based
 	  EIA RS-232C (CCITT V.24) communications interfaces.  The 8250 and
 	  16450 devices have single-character buffers.  The 16550 device
 	  provides a 16-character buffer, which allows for better system
 	  performance.  (Bugs in plain 16550's prevent the use of the
 	  16-character buffer, so use 16550A's if possible).  Because
 	  single-character-buffer devices require more work by the operating
 	  system than the 16-character-buffer devices, 16550A-based serial
 	  interface cards are much preferred. If the system has many active
 	  serial ports or will have a heavy load, 16550A-based cards are
 	  better for low-error-rate communications.</para>
       </sect2>
     
     <sect2>
       <title>Quick Overview</title>
 
       <indexterm><primary>getty</primary></indexterm>
       <para>As with terminals, <command>init</command> spawns a
 	<command>getty</command> process for each configured serial
 	port for dial-in connections.  For example, if a modem is
 	attached to <filename>/dev/ttyd0</filename>, the command
 	<command>ps ax</command> might show this:</para>
 	  
       <screen> 4850 ??  I      0:00.09 /usr/libexec/getty V19200 ttyd0</screen>
 	    
       <para>When a user dials the modem's line and the modems connect, the
 	<acronym>CD</acronym> (Carrier Detect) line is reported by the modem.
 	The kernel
 	notices that carrier has been detected and completes
 	<command>getty</command>'s open of the port.  <command>getty</command>
 	sends a <prompt>login:</prompt> prompt at the specified initial line
 	speed.  <command>getty</command> watches to see if legitimate
 	characters are received, and, in a typical configuration, if it finds
 	junk (probably due to the modem's connection speed being different
 	than <command>getty</command>'s speed), <command>getty</command> tries
 	adjusting the line speeds until it receives reasonable
 	characters.</para>
 	  
       <indexterm>
         <primary><command>/usr/bin/login</command></primary>
       </indexterm>
       <para>After the user enters his/her login name,
 	<command>getty</command> executes
 	<filename>/usr/bin/login</filename>, which completes the login
 	by asking for the user's password and then starting the user's
 	shell.</para>
     </sect2>
     
     
     <sect2>
       <title>Configuration Files</title>
       
       <para>There are three system configuration files in the
 	<filename>/etc</filename> directory that you will probably need to
 	edit to allow dial-up access to your FreeBSD system.  The first,
 	<filename>/etc/gettytab</filename>, contains configuration information
 	for the <filename>/usr/libexec/getty</filename> daemon.  Second,
 	<filename>/etc/ttys</filename> holds information that tells
 	<filename>/sbin/init</filename> what <filename>tty</filename> devices
 	should have <command>getty</command> processes running on them.
 	Lastly, you can place port initialization commands in the
 	<filename>/etc/rc.serial</filename> script.</para>
 	  
       <para>There are two schools of thought regarding dial-up modems on &unix;.
 	One group likes to configure their modems and systems so that no matter
 	at what speed a remote user dials in, the local computer-to-modem
 	RS-232 interface runs at a locked speed.  The benefit of this
 	configuration is that the remote user always sees a system login
 	prompt immediately.  The downside is that the system does not know
 	what a user's true data rate is, so full-screen programs like Emacs
 	will not adjust their screen-painting methods to make their response
 	better for slower connections.</para>
 	  
       <para>The other school configures their modems' RS-232 interface to vary
 	its speed based on the remote user's connection speed.  For example,
 	V.32bis (14.4&nbsp;Kbps) connections to the modem might make the modem run
 	its RS-232 interface at 19.2&nbsp;Kbps, while 2400&nbsp;bps connections make the
 	modem's RS-232 interface run at 2400&nbsp;bps. Because
 	<command>getty</command> does not understand any particular modem's
 	connection speed reporting, <command>getty</command> gives a
 	<prompt>login:</prompt> message at an initial speed and watches the
 	characters that come back in response.  If the user sees junk, it is
 	assumed that they know they should press the
 	<keycode>Enter</keycode> key until they see a recognizable
 	prompt.  If the data rates do not match, <command>getty</command> sees
 	anything the user types as <quote>junk</quote>, tries going to the next
 	speed and gives the <prompt>login:</prompt> prompt again.  This
 	procedure can continue ad nauseam, but normally only takes a keystroke
 	or two before the user sees a good prompt.  Obviously, this login
 	sequence does not look as clean as the former
 	<quote>locked-speed</quote> method, but a user on a low-speed
 	connection should receive better interactive response from full-screen
 	programs.</para>
 
       <para>This section will try to give balanced configuration information,
 	but is biased towards having the modem's data rate follow the
 	connection rate.</para>
 
       <sect3>
 	<title><filename>/etc/gettytab</filename></title>
 
   <indexterm>
     <primary><filename>/etc/gettytab</filename></primary>
   </indexterm>
 	<para><filename>/etc/gettytab</filename> is a &man.termcap.5;-style
 	  file of configuration information for &man.getty.8;.  Please see the
 	    &man.gettytab.5; manual page for complete information on the
 	  format of the file and the list of capabilities.</para>
 
 	<sect4>
 	  <title>Locked-speed Config</title>
 	  
 	  <para>If you are locking your modem's data communications rate at a
 	    particular speed, you probably will not need to make any changes
 	    to <filename>/etc/gettytab</filename>.</para>
 	</sect4>
 
 	<sect4>
 	  <title>Matching-speed Config</title>
 	  
 	  <para>You will need to set up an entry in
 	    <filename>/etc/gettytab</filename> to give
 	    <command>getty</command> information about the speeds you wish to
 	    use for your modem.  If you have a 2400&nbsp;bps modem, you can
 	    probably use the existing <literal>D2400</literal> entry.</para>
 	      
 	  <programlisting>#
 # Fast dialup terminals, 2400/1200/300 rotary (can start either way)
 #
 D2400|d2400|Fast-Dial-2400:\
         :nx=D1200:tc=2400-baud:
 3|D1200|Fast-Dial-1200:\
         :nx=D300:tc=1200-baud:
 5|D300|Fast-Dial-300:\
         :nx=D2400:tc=300-baud:</programlisting>
 	      
 	  <para>If you have a higher speed modem, you will probably need to
 	    add an entry in <filename>/etc/gettytab</filename>; here is an
 	    entry you could use for a 14.4&nbsp;Kbps modem with a top interface
 	    speed of 19.2&nbsp;Kbps:</para>
 	      
 	  <programlisting>#
 # Additions for a V.32bis Modem
 #
 um|V300|High Speed Modem at 300,8-bit:\
         :nx=V19200:tc=std.300:
 un|V1200|High Speed Modem at 1200,8-bit:\
         :nx=V300:tc=std.1200:
 uo|V2400|High Speed Modem at 2400,8-bit:\
         :nx=V1200:tc=std.2400:
 up|V9600|High Speed Modem at 9600,8-bit:\
         :nx=V2400:tc=std.9600:
 uq|V19200|High Speed Modem at 19200,8-bit:\
         :nx=V9600:tc=std.19200:</programlisting>
 	      
 	  <para>This will result in 8-bit, no parity connections.</para>
 	      
 	  <para>The example above starts the communications rate at 19.2&nbsp;Kbps
 	    (for a V.32bis connection), then cycles through 9600&nbsp;bps (for
 	    V.32), 2400&nbsp;bps, 1200&nbsp;bps, 300&nbsp;bps, and back to 19.2&nbsp;Kbps.
 	    Communications rate cycling is implemented with the
 	    <literal>nx=</literal> (<quote>next table</quote>) capability.
 	    Each of the lines uses a <literal>tc=</literal> (<quote>table
 	    continuation</quote>) entry to pick up the rest of the
 	    <quote>standard</quote> settings for a particular data rate.</para>
 	      
 	  <para>If you have a 28.8&nbsp;Kbps modem and/or you want to take
 	    advantage of compression on a 14.4&nbsp;Kbps modem, you need to use a
 	    higher communications rate than 19.2&nbsp;Kbps.  Here is an example of
 	    a <filename>gettytab</filename> entry starting a 57.6&nbsp;Kbps:</para>
 	      
 	  <programlisting>#
 # Additions for a V.32bis or V.34 Modem
 # Starting at 57.6 Kbps
 #
 vm|VH300|Very High Speed Modem at 300,8-bit:\
         :nx=VH57600:tc=std.300:
 vn|VH1200|Very High Speed Modem at 1200,8-bit:\
         :nx=VH300:tc=std.1200:
 vo|VH2400|Very High Speed Modem at 2400,8-bit:\
         :nx=VH1200:tc=std.2400:
 vp|VH9600|Very High Speed Modem at 9600,8-bit:\
         :nx=VH2400:tc=std.9600:
 vq|VH57600|Very High Speed Modem at 57600,8-bit:\
         :nx=VH9600:tc=std.57600:</programlisting>
 
 	  <para>If you have a slow CPU or a heavily loaded system and do
 	    not have 16550A-based serial ports, you may receive 
 	    <errorname>sio</errorname>
 	    <quote>silo</quote> errors at 57.6&nbsp;Kbps.</para>
 	</sect4>
       </sect3>
       
       <sect3 id="dialup-ttys">
 	<title><filename>/etc/ttys</filename></title>
 	<indexterm>
 	  <primary><filename>/etc/ttys</filename></primary>
 	</indexterm>
 
 	<para>Configuration of the <filename>/etc/ttys</filename> file
 	  was covered in <xref linkend="ex-etc-ttys">.
 	  Configuration for modems is similar but we must pass a
 	  different argument to <command>getty</command> and specify a
 	  different terminal type.  The general format for both
 	  locked-speed and matching-speed configurations is:</para>
 	    
 	<programlisting>ttyd0   "/usr/libexec/getty <replaceable>xxx</replaceable>"   dialup on</programlisting>
 	    
 	<para>The first item in the above line is the device special file for
 	  this entry &mdash; <literal>ttyd0</literal> means
 	  <filename>/dev/ttyd0</filename> is the file that this
 	  <command>getty</command> will be watching.  The second item,
 	  <literal>"/usr/libexec/getty
 	    <replaceable>xxx</replaceable>"</literal>
 	  (<replaceable>xxx</replaceable> will be replaced by the initial
 	  <filename>gettytab</filename> capability) is the process
 	  <command>init</command> will run on the device.  The third item,
 	  <literal>dialup</literal>, is the default terminal type.  The fourth
 	  parameter, <literal>on</literal>, indicates to
 	  <command>init</command> that the line is operational.  There can be
 	  a fifth parameter, <literal>secure</literal>, but it should only be
 	  used for terminals which are physically secure (such as the system
 	  console).</para>
 	    
 	<para>The default terminal type (<literal>dialup</literal> in the
 	  example above) may depend on local preferences.
 	  <literal>dialup</literal> is the traditional default terminal type
 	  on dial-up lines so that users may customize their login scripts to
 	  notice when the terminal is <literal>dialup</literal> and
 	  automatically adjust their terminal type.  However, the author finds
 	  it easier at his site to specify <literal>vt102</literal> as the
 	  default terminal type, since the users just use VT102 emulation on
 	  their remote systems.</para>
 	    
 	<para>After you have made changes to <filename>/etc/ttys</filename>,
 	  you may send the <command>init</command> process a
 	  <acronym>HUP</acronym> signal to re-read the file.  You can use the
 	  command
 
 	<screen>&prompt.root; <userinput>kill -HUP 1</userinput></screen>
 
 	  to send the signal.  If this is your first time setting up the
 	  system, you may want to wait until your modem(s) are properly
           configured and connected before signaling <command>init</command>.
 	  </para>
 
 	<sect4>
 	  <title>Locked-speed Config</title>
 	  
 	  <para>For a locked-speed configuration, your
 	    <filename>ttys</filename> entry needs to have a fixed-speed entry
 	    provided to <command>getty</command>.  For a modem whose port
 	    speed is locked at 19.2&nbsp;Kbps, the <filename>ttys</filename> entry
 	    might look like this:</para>
 	      
 	  <programlisting>ttyd0   "/usr/libexec/getty std.19200"   dialup on</programlisting>
 	      
 	  <para>If your modem is locked at a different data rate,
 	    substitute the appropriate value for
 	    <literal>std.<replaceable>speed</replaceable></literal>
 	    instead of <literal>std.19200</literal>.  Make sure that
 	    you use a valid type listed in
 	    <filename>/etc/gettytab</filename>.</para>
 	</sect4>
 
 	<sect4>
 	  <title>Matching-speed Config</title>
 	  
 	  <para>In a matching-speed configuration, your
 	    <filename>ttys</filename> entry needs to reference the appropriate
 	    beginning <quote>auto-baud</quote> (sic) entry in
 	    <filename>/etc/gettytab</filename>.  For example, if you added the
 	    above suggested entry for a matching-speed modem that starts at
 	    19.2&nbsp;Kbps (the <filename>gettytab</filename> entry containing the
 	    <literal>V19200</literal> starting point), your
 	    <filename>ttys</filename> entry might look like this:</para>
 	      
 	  <programlisting>ttyd0   "/usr/libexec/getty V19200"   dialup on</programlisting>
 	</sect4>
       </sect3>
 	  
       <sect3>
 	<title><filename>/etc/rc.serial</filename></title>
 	<indexterm>
 	  <primary>rc files</primary>
 	  <secondary><filename>rc.serial</filename></secondary>
 	</indexterm>
 
 	<para>High-speed modems, like V.32, V.32bis, and V.34 modems,
 	  need to use hardware (<filename>RTS/CTS</filename>) flow
 	  control. You can add <command>stty</command> commands to
 	  <filename>/etc/rc.serial</filename> to set the hardware flow
 	  control flag in the FreeBSD kernel for the modem
 	  ports.</para>
 	    
 	<para>For example to set the <literal>termios</literal> flag
 	  <varname>crtscts</varname> on serial port #1's
 	  (<devicename>COM2</devicename>) dial-in and dial-out initialization
 	  devices, the following lines could be added to
 	  <filename>/etc/rc.serial</filename>:</para>
 	<programlisting># Serial port initial configuration
 stty -f /dev/ttyid1 crtscts
 stty -f /dev/cuaia1 crtscts</programlisting>
 	    	    
       </sect3>
     </sect2>
     
     <sect2>
       <title>Modem Settings</title>
       
       <para>If you have a modem whose parameters may be permanently set in
 	non-volatile RAM, you will need to use a terminal program (such as
 	Telix under &ms-dos; or <command>tip</command> under FreeBSD) to set the
 	parameters.  Connect to the modem using the same communications speed
 	as the initial speed <command>getty</command> will use and configure
 	the modem's non-volatile RAM to match these requirements:</para>
 	  
       <itemizedlist>
 	<listitem>
 	  <para><acronym>CD</acronym> asserted when connected</para>
 	</listitem>
 
 	<listitem>
 	  <para><acronym>DTR</acronym> asserted for operation; dropping DTR
 	    hangs up line and resets modem</para>
 	</listitem>
 
 	<listitem>
 	  <para><acronym>CTS</acronym> transmitted data flow control</para>
 	</listitem>
 
 	<listitem>
 	  <para>Disable <acronym>XON/XOFF</acronym> flow control</para>
 	</listitem>
 
 	<listitem>
 	  <para><acronym>RTS</acronym> received data flow control</para>
 	</listitem>
 
 	<listitem>
 	  <para>Quiet mode (no result codes)</para>
 	</listitem>
 
 	<listitem>
 	  <para>No command echo</para>
 	</listitem>
       </itemizedlist>
       
       <para>Please read the documentation for your modem to find out what
 	commands and/or DIP switch settings you need to give it.</para>
       
       <para>For example, to set the above parameters on a &usrobotics;
 	&sportster; 14,400 external modem, one could give these commands to
 	the modem:</para>
       
       <programlisting>ATZ
 AT&amp;C1&amp;D2&amp;H1&amp;I0&amp;R2&amp;W</programlisting>
 	  
       <para>You might also want to take this opportunity to adjust other
 	settings in the modem, such as whether it will use V.42bis and/or MNP5
 	compression.</para>
 	  
       <para>The &usrobotics; &sportster; 14,400 external modem also has some DIP switches
 	that need to be set; for other modems, perhaps you can use these
 	settings as an example:</para>
       
       <itemizedlist>
 	<listitem>
 	  <para>Switch 1: UP &mdash; DTR Normal</para>
 	</listitem>
 
 	<listitem>
 	  <para>Switch 2: N/A (Verbal Result Codes/Numeric Result
 	    Codes)</para>
 	</listitem>
 
 	<listitem>
 	  <para>Switch 3: UP &mdash; Suppress Result Codes</para>
 	</listitem>
 
 	<listitem>
 	  <para>Switch 4: DOWN &mdash; No echo, offline commands</para>
 	</listitem>
 
 	<listitem>
 	  <para>Switch 5: UP &mdash; Auto Answer</para>
 	</listitem>
 
 	<listitem>
 	  <para>Switch 6: UP &mdash; Carrier Detect Normal</para>
 	</listitem>
 
 	<listitem>
 	  <para>Switch 7: UP &mdash; Load NVRAM Defaults</para>
 	</listitem>
 
 	<listitem>
 	  <para>Switch 8: N/A (Smart Mode/Dumb Mode)</para>
 	</listitem>
       </itemizedlist>
       
       <para>Result codes should be disabled/suppressed for dial-up modems to
 	avoid problems that can occur if <command>getty</command> mistakenly
 	gives a <prompt>login:</prompt> prompt to a modem that is in command
 	mode and the modem echoes the command or returns a result
 	code.  This sequence can result in a extended, silly conversation
  	between <command>getty</command> and the modem.</para>
 	  
       <sect3>
 	<title>Locked-speed Config</title>
 
 	<para>For a locked-speed configuration, you will need to configure the
 	  modem to maintain a constant modem-to-computer data rate independent
 	  of the communications rate.  On a &usrobotics; &sportster; 14,400 external
 	  modem, these commands will lock the modem-to-computer data rate at
 	  the speed used to issue the commands:</para>
 	    
 	<programlisting>ATZ
 AT&amp;B1&amp;W</programlisting>
       </sect3>
 	  
       <sect3>
 	<title>Matching-speed Config</title>
 
 	<para>For a variable-speed configuration, you will need to configure
 	  your modem to adjust its serial port data rate to match the incoming
 	  call rate.  On a &usrobotics; &sportster; 14,400 external modem, these commands
 	  will lock the modem's error-corrected data rate to the speed used to
 	  issue the commands, but allow the serial port rate to vary for
 	  non-error-corrected connections:</para>
 	    
 	<programlisting>ATZ
 AT&amp;B2&amp;W</programlisting>
       </sect3>
 	  
       <sect3>
 	<title>Checking the Modem's Configuration</title>
 
 	<para>Most high-speed modems provide commands to view the modem's
 	  current operating parameters in a somewhat human-readable fashion.
 	  On the &usrobotics; &sportster; 14,400 external modems, the command
 	  <command>ATI5</command> displays the settings that are stored in the
 	  non-volatile RAM.  To see the true operating parameters of the modem
 	  (as influenced by the modem's DIP switch settings), use the commands
 	  <command>ATZ</command> and then <command>ATI4</command>.</para>
 	    
 	<para>If you have a different brand of modem, check your modem's
 	  manual to see how to double-check your modem's configuration
 	  parameters.</para>
       </sect3>
     </sect2>
     
     <sect2>
       <title>Troubleshooting</title>
       
       <para>Here are a few steps you can follow to check out the dial-up modem
 	on your system.</para>
       
       <sect3>
 	<title>Checking Out the FreeBSD System</title>
 
 	<para>Hook up your modem to your FreeBSD system, boot the system, and,
 	  if your modem has status indication lights, watch to see whether the
 	  modem's <acronym>DTR</acronym> indicator lights when the
 	  <prompt>login:</prompt> prompt appears on the system's console
 	  &mdash; if it lights up, that should mean that FreeBSD has started a
 	  <command>getty</command> process on the appropriate communications
 	  port and is waiting for the modem to accept a call.</para>
 	    
 	<para>If the <acronym>DTR</acronym> indicator does not light, login to
 	  the FreeBSD system through the console and issue a <command>ps
 	    ax</command> to see if FreeBSD is trying to run a
 	  <command>getty</command> process on the correct port. You should see
 	  lines like these among the processes displayed:</para>
 
 	<screen>  114 ??  I      0:00.10 /usr/libexec/getty V19200 ttyd0
   115 ??  I      0:00.10 /usr/libexec/getty V19200 ttyd1</screen>
 	    
 	<para>If you see something different, like this:</para>
 	  
 	  <screen>  114 d0  I      0:00.10 /usr/libexec/getty V19200 ttyd0</screen>
 	    
 	<para>and the modem has not accepted a call yet, this means that
 	  <command>getty</command> has completed its open on the
 	  communications port.  This could indicate a problem with the cabling
 	  or a mis-configured modem, because <command>getty</command> should
 	  not be able to open the communications port until
 	  <acronym>CD</acronym> (carrier detect) has been asserted by the
 	  modem.</para>
 	    
 	<para>If you do not see any <command>getty</command> processes waiting
 	  to open the desired
 	  <filename>ttyd<replaceable>N</replaceable></filename> port,
 	  double-check your entries in <filename>/etc/ttys</filename> to see
 	  if there are any mistakes there.  Also, check the log file
 	  <filename>/var/log/messages</filename> to see if there are any log
 	  messages from <command>init</command> or <command>getty</command>
 	  regarding any problems.  If there are any messages, triple-check the
 	  configuration files <filename>/etc/ttys</filename> and
 	  <filename>/etc/gettytab</filename>, as well as the appropriate
 	  device special files <filename>/dev/ttydN</filename>, for any
 	  mistakes, missing entries, or missing device special files.</para>
       </sect3>
       
       <sect3>
 	<title>Try Dialing In</title>
 
 	<para>Try dialing into the system; be sure to use 8 bits, no parity,
 	  and 1
 	  stop bit on the remote system.  If you do not get a prompt right
 	  away, or get garbage, try pressing <keycode>Enter</keycode>
 	  about once per second.  If you still do not see a
 	  <prompt>login:</prompt> prompt after a while, try sending a
 	  <command>BREAK</command>. If you are using a high-speed modem to do
 	  the dialing, try dialing again after locking the dialing modem's
 	  interface speed (via <command>AT&amp;B1</command> on a &usrobotics;
 	  &sportster; modem, for example).</para>
 	    
 	<para>If you still cannot get a <prompt>login:</prompt> prompt, check
 	  <filename>/etc/gettytab</filename> again and double-check
 	  that</para>
 
 	<itemizedlist>
 	  <listitem>
 	    <para>The initial capability name specified in
 	      <filename>/etc/ttys</filename> for the line matches a name of a
 	      capability in <filename>/etc/gettytab</filename></para>
 		</listitem>
 		
 	  <listitem>
 	    <para>Each <literal>nx=</literal> entry matches another
 	      <filename>gettytab</filename> capability name</para>
 	  </listitem>
 	  
 	  <listitem>
 	    <para>Each <literal>tc=</literal> entry matches another
 	      <filename>gettytab</filename> capability name</para>
 	  </listitem>
 	</itemizedlist>
 
 	<para>If you dial but the modem on the FreeBSD system will not answer,
 	  make sure that the modem is configured to answer the phone when
 	  <acronym>DTR</acronym> is asserted.  If the modem seems to be
 	  configured correctly, verify that the <acronym>DTR</acronym> line is
 	  asserted by checking the modem's indicator lights (if it has
 	  any).</para>
 	    
 	<para>If you have gone over everything several times and it still does
 	  not work, take a break and come back to it later.  If it still does
 	  not work, perhaps you can send an electronic mail message to the
 	  &a.questions; describing your modem and your problem, and the good
 	  folks on the list will try to help.</para>
       </sect3>
     </sect2>
     
   </sect1>
   
   <sect1 id="dialout">
     <title>Dial-out Service</title>
     <indexterm><primary>dial-out service</primary></indexterm>
     
     <para>The following are tips for getting your host to be able to connect
       over the modem to another computer.  This is appropriate for
       establishing a terminal session with a remote host.</para>
     
     <para>This is useful to log onto a BBS.</para>
     
     <para>This kind of connection can be extremely helpful to get a file on
       the Internet if you have problems with PPP.  If you need to FTP
       something and PPP is broken, use the terminal session to FTP it. Then
       use zmodem to transfer it to your machine.</para>
 
     <sect2>
       <title>My Stock Hayes Modem Is Not Supported, What Can I Do?</title>
       
       <para>Actually, the manual page for <command>tip</command> is out of date.
 	There is a generic Hayes dialer already built in. Just use
 	<literal>at=hayes</literal> in your <filename>/etc/remote</filename>
 	file.</para>
 	  
       <para>The Hayes driver is not smart enough to recognize some of the
 	advanced features of newer modems&mdash;messages like
 	<literal>BUSY</literal>, <literal>NO DIALTONE</literal>, or
 	<literal>CONNECT 115200</literal> will just confuse it.  You should
 	turn those messages off when you use <command>tip</command> (using
 	<command>ATX0&amp;W</command>).</para>
 	  
       <para>Also, the dial timeout for <command>tip</command> is 60 seconds.
 	Your modem should use something less, or else tip will think there is
 	a communication problem.  Try <command>ATS7=45&amp;W</command>.</para>
 	 
       <note>
 	<para>As shipped, <command>tip</command> does not yet support
 	  Hayes modems fully.  The solution is to edit the file
 	  <filename>tipconf.h</filename> in the directory
 	  <filename>/usr/src/usr.bin/tip/tip</filename>. Obviously you need the
 	  source distribution to do this.</para>
 	  
 	<para>Edit the line <literal>#define HAYES 0</literal> to
 	  <literal>#define HAYES 1</literal>.  Then <command>make</command> and
 	  <command>make install</command>.  Everything works nicely after
 	  that.</para>
       </note>
     </sect2>
     
     <sect2 id="direct-at">
       <title>How Am I Expected to Enter These AT Commands?</title>
       
       <indexterm>
         <primary><filename>/etc/remote</filename></primary>
       </indexterm>
       <para>Make what is called a <quote>direct</quote> entry in your
 	<filename>/etc/remote</filename> file.  For example, if your modem is
 	hooked up to the first serial port, <filename>/dev/cuaa0</filename>,
 	then put in the following line:</para>
 
       <programlisting>cuaa0:dv=/dev/cuaa0:br#19200:pa=none</programlisting>
 
       <para>Use the highest bps rate your modem supports in the br capability.
 	Then, type <command>tip cuaa0</command> and you will be connected to
 	your modem.</para>
 	  
       <para>If there is no <filename>/dev/cuaa0</filename> on your system, do
 	this:</para>
 	    
       <screen>&prompt.root; <userinput>cd /dev</userinput>
 &prompt.root; <userinput>sh MAKEDEV cuaa0</userinput></screen>
 		  
       <para>Or use <command>cu</command> as <username>root</username> with the
 	following command:</para>
       
       <screen>&prompt.root; <userinput>cu -l<replaceable>line</replaceable> -s<replaceable>speed</replaceable></userinput></screen>
 	    
       <para><replaceable>line</replaceable> is the serial port
 	(e.g.<filename>/dev/cuaa0</filename>) and
 	<replaceable>speed</replaceable> is the speed
 	(e.g.<literal>57600</literal>).  When you are done entering the AT
 	commands hit <keycap>~.</keycap> to exit.</para>
     </sect2>
     
     <sect2>
       <title>The <literal>@</literal> Sign for the pn Capability Does Not
 	Work!</title>
       
       <para>The <literal>@</literal> sign in the phone number capability tells
 	tip to look in <filename>/etc/phones</filename> for a phone number.
 	But the <literal>@</literal> sign is also a special character in
 	capability files like <filename>/etc/remote</filename>.  Escape it
 	with a backslash:</para>
 
       <programlisting>pn=\@</programlisting>
     </sect2>
     
     <sect2>
       <title>How Can I Dial a Phone Number on the Command Line?</title>
       
       <para>Put what is called a <quote>generic</quote> entry in your
 	<filename>/etc/remote</filename> file.  For example:</para>
 
       <programlisting>tip115200|Dial any phone number at 115200 bps:\
         :dv=/dev/cuaa0:br#115200:at=hayes:pa=none:du:
 tip57600|Dial any phone number at 57600 bps:\
         :dv=/dev/cuaa0:br#57600:at=hayes:pa=none:du:</programlisting>
       
       <para>Then you can do things like:</para>
       
       <screen>&prompt.root; <userinput>tip -115200 5551234</userinput></screen>
 	    
       <para>If you prefer <command>cu</command> over <command>tip</command>,
 	use a generic <literal>cu</literal> entry:</para>
 
       <programlisting>cu115200|Use cu to dial any number at 115200bps:\
         :dv=/dev/cuaa1:br#57600:at=hayes:pa=none:du:</programlisting>
 
       <para>and type:</para>
 
       <screen>&prompt.root; <userinput>cu 5551234 -s 115200</userinput></screen>
     </sect2>
     
     <sect2>
       <title>Do I Have to Type in the bps Rate Every Time I Do That?</title>
 	  
       <para>Put in an entry for <literal>tip1200</literal> or
 	<literal>cu1200</literal>, but go ahead and use whatever bps rate is
 	appropriate with the br capability.  <command>tip</command> thinks a
 	good default is 1200&nbsp;bps which is why it looks for a
 	<literal>tip1200</literal> entry.  You do not have to use 1200&nbsp;bps,
 	though.</para>
     </sect2>
     
     <sect2>
       <title>I Access a Number of Hosts Through a Terminal Server</title>
       
       <para>Rather than waiting until you are connected and typing
 	<command>CONNECT &lt;host&gt;</command> each time, use tip's
 	<literal>cm</literal> capability.  For example, these entries in
 	<filename>/etc/remote</filename>:</para>
 
       <programlisting>pain|pain.deep13.com|Forrester's machine:\
         :cm=CONNECT pain\n:tc=deep13:
 muffin|muffin.deep13.com|Frank's machine:\
         :cm=CONNECT muffin\n:tc=deep13:
 deep13:Gizmonics Institute terminal server:\
         :dv=/dev/cuaa2:br#38400:at=hayes:du:pa=none:pn=5551234:</programlisting>
 	  
       <para>will let you type <command>tip pain</command> or <command>tip
 	  muffin</command> to connect to the hosts pain or muffin, and
 	<command>tip deep13</command> to get to the terminal server.</para>
     </sect2>
     
     <sect2>
       <title>Can Tip Try More Than One Line for Each Site?</title>
       
       <para>This is often a problem where a university has several modem lines
 	and several thousand students trying to use them.</para>
 	  
       <para>Make an entry for your university in
 	<filename>/etc/remote</filename> and use <literal>@</literal> for the
 	<literal>pn</literal> capability:</para>
 
       <programlisting>big-university:\
         :pn=\@:tc=dialout
 dialout:\
         :dv=/dev/cuaa3:br#9600:at=courier:du:pa=none:</programlisting>
 	  
       <para>Then, list the phone numbers for the university in
 	<filename>/etc/phones</filename>:</para>
 
       <programlisting>big-university 5551111
 big-university 5551112
 big-university 5551113
 big-university 5551114</programlisting>
 	  
       <para><command>tip</command> will try each one in the listed order, then
 	give up.  If you want to keep retrying, run <command>tip</command> in
 	a while loop.</para>
     </sect2>
     
     <sect2>
       <title>Why Do I Have to Hit 
         <keycombo action="simul">
           <keycap>Ctrl</keycap>  
           <keycap>P</keycap>
         </keycombo>
         Twice to Send
         <keycombo action="simul">
           <keycap>Ctrl</keycap>
           <keycap>P</keycap>
         </keycombo>
         Once?</title>
 	  
       <para><keycombo action="simul"><keycap>Ctrl</keycap><keycap>P</keycap></keycombo> is the default <quote>force</quote> character, used to tell
 	<command>tip</command> that the next character is literal data.  You
 	can set the force character to any other character with the
 	<command>~s</command> escape, which means <quote>set a
 	variable.</quote></para>
 	  
       <para>Type
 	<command>~sforce=<replaceable>single-char</replaceable></command>
 	followed by a newline.  <replaceable>single-char</replaceable> is any
 	single character. If you leave out
 	<replaceable>single-char</replaceable>, then the force character is
 	the nul character, which you can get by typing 
 	<keycombo action="simul">
 	  <keycap>Ctrl</keycap><keycap>2</keycap>
 	</keycombo>
 	or
 	<keycombo action="simul">
 	  <keycap>Ctrl</keycap><keycap>Space</keycap>
 	</keycombo>.
 	A pretty good value for <replaceable>single-char</replaceable> is
 	<keycombo action="simul">
 	  <keycap>Shift</keycap>
 	  <keycap>Ctrl</keycap>
 	  <keycap>6</keycap>
 	</keycombo>, which is only used on some terminal
 	servers.</para>
 	  
       <para>You can have the force character be whatever you want by
 	specifying the following in your <filename>&#36;HOME/.tiprc</filename>
 	file:</para>
 
       <programlisting>force=&lt;single-char&gt;</programlisting>
     </sect2>
     
     <sect2>
       <title>Suddenly Everything I Type Is in Upper Case??</title>
       
       <para>You must have pressed 
 	<keycombo action="simul">
 	  <keycap>Ctrl</keycap>
 	  <keycap>A</keycap>
 	</keycombo>, <command>tip</command>'s
 	<quote>raise character,</quote> specially designed for people with
 	broken caps-lock keys.  Use <command>~s</command> as above and set the
 	variable <literal>raisechar</literal> to something reasonable.  In
 	fact, you can set it to the same as the force character, if you never
 	expect to use either of these features.</para>
 	  
       <para>Here is a sample .tiprc file perfect for
         <application>Emacs</application> users who need to type
 	<keycombo action="simul">
 	  <keycap>Ctrl</keycap><keycap>2</keycap>
 	</keycombo>
 	and 
 	<keycombo action="simul">
 	  <keycap>Ctrl</keycap><keycap>A</keycap>
 	</keycombo>
 	a lot:</para>
 
       <programlisting>force=^^
 raisechar=^^</programlisting>
 
       <para>The ^^ is 
 	<keycombo action="simul">
 	  <keycap>Shift</keycap><keycap>Ctrl</keycap><keycap>6</keycap>
 	</keycombo>.</para>
 
     </sect2>
     
     <sect2>
       <title>How Can I Do File Transfers with <command>tip</command>?</title>
       
       <para>If you are talking to another &unix; system, you can send and
 	receive files with <command>~p</command> (put) and
 	<command>~t</command> (take).  These commands run
 	<command>cat</command> and <command>echo</command> on the remote
 	system to accept and send files.  The syntax is:</para>
 
       <cmdsynopsis>
 	<command>~p</command>
 	<arg choice="plain">local-file</arg>
 	<arg choice="opt">remote-file</arg>
       </cmdsynopsis>
       
       <cmdsynopsis>
 	<command>~t</command>
 	<arg choice="plain">remote-file</arg>
 	<arg choice="opt">local-file</arg>
       </cmdsynopsis>
       
       <para>There is no error checking, so you probably should use another
 	protocol, like zmodem.</para>
     </sect2>
     
     <sect2>
       <title>How Can I Run zmodem with <command>tip</command>?</title>
       
       <para>To receive files, start the sending program on the remote end.
 	Then, type <command>~C rz</command> to begin receiving them
 	locally.</para>
       
       <para>To send files, start the receiving program on the remote end.
 	Then, type <command>~C sz <replaceable>files</replaceable></command>
 	to send them to the remote system.</para>
     </sect2>
   </sect1>
 
   <sect1 id="serialconsole-setup">
     <sect1info>
       <authorgroup>
         <author>
 	  <firstname>Kazutaka</firstname>
 	  <surname>YOKOTA</surname>
 	  <contrib>Contributed by </contrib>
 	</author>
       </authorgroup>
       <authorgroup>
 	<author>
 	  <firstname>Bill</firstname>
 	  <surname>Paul</surname>
 	  <contrib>Based on a document by </contrib>
 	</author>
       </authorgroup>
     </sect1info>
     <title>Setting Up the Serial Console</title>
     <indexterm><primary>serial console</primary></indexterm>
     
     <sect2 id="serialconsole-intro">
       <title>Introduction</title>
       
       <para>FreeBSD has the ability to boot on a system with only
 	a dumb terminal on a serial port as a console.  Such a configuration
 	should be useful for two classes of people:  system administrators who
 	wish to install FreeBSD on machines that have no keyboard or monitor
 	attached, and developers who want to debug the kernel or device
 	drivers.</para>
   
       <para>As described in <xref linkend="boot">, FreeBSD employs a three stage
 	bootstrap.  The first two stages are in the boot block code which is
 	stored at the beginning of the FreeBSD slice on the boot disk.  The
 	boot block will then load and run the boot loader
 	(<filename>/boot/loader</filename>) as the third stage code.</para>
   
       <para>In order to set up the serial console you must configure the boot
 	block code, the boot loader code and the kernel.</para>
       
     </sect2>
     
     <sect2 id="serialconsole-howto-fast">
       <title>Serial Console Configuration, Terse Version</title>
   
       <para>This section assumes that you are using the default setup,
 	know how to connect serial ports and just want a fast overview
 	of a serial console.  If you encounter difficulty with these
 	steps, please see the more extensive explanation of all the
 	options and advanced settings in
 	<xref linkend="serialconsole-howto">.</para>
 
       <procedure>
 
 	<step>
 	  <para>Connect the serial port.  The serial console will be
 	    on <devicename>COM1</devicename>.</para>
 	</step>
 
 	<step>
 	  <para><command>echo -h &gt; /boot.config</command> to enable
 	    the serial console for the boot loader and kernel.</para>
 	</step>
 
 	<step>
 	  <para>Edit <filename>/etc/ttys</filename> and change
 	    <literal>off</literal> to <literal>on</literal> for the
 	    <literal>ttyd0</literal> entry.  This enables a login
 	    prompt on the serial console, which mirrors how video
 	    consoles are typically setup.</para>
 	</step>
 
 	<step>
 	  <para><command>shutdown -r now</command> will reboot the
 	    system with the serial console.</para>
 	</step>
 
       </procedure>
 
     </sect2>
 
     <sect2 id="serialconsole-howto">
       <title>Serial Console Configuration</title>
   
       <procedure>
 	<step>
 	  <para>Prepare a serial cable.</para>
 	  
 	  <indexterm><primary>null-modem cable</primary></indexterm>
 	  <para>You will need either a null-modem cable or a standard serial 
 	    cable and a null-modem adapter.  See <xref linkend="serial-cables-ports"> for
 	    a discussion on serial cables.</para>
 	</step>
 
 	<step>
 	  <para>Unplug your keyboard.</para>
 	  
 	  <para>Most PC systems probe for the keyboard during the Power-On
 	    Self-Test (POST) and will generate an error if the keyboard is not
 	    detected.  Some machines complain loudly about the lack of a
 	    keyboard and will not continue to boot until it is plugged
 	    in.</para>
     
 	  <para>If your computer complains about the error, but boots anyway,
 	    then you do not have to do anything special.  (Some machines with
 	    Phoenix BIOS installed merely say <errorname>Keyboard
 	      failed</errorname> and continue to boot normally.)</para>
 
 	  <para>If your computer refuses to boot without a keyboard attached
 	    then you will have to configure the BIOS so that it ignores this
 	    error (if it can).  Consult your motherboard's manual for details
 	    on how to do this.</para>
 	  
 	  <tip>
 	    <para>Setting the keyboard to <quote>Not installed</quote> in the
 	      BIOS setup does <emphasis>not</emphasis> mean that you will not
 	      be able to use your keyboard.  All this does is tell the BIOS
 	      not to probe for a keyboard at power-on, so it will not
 	      complain if the keyboard is not plugged in.  You can leave the
 	      keyboard plugged in even with this flag set to <quote>Not
 	      installed</quote> and the keyboard will still work.</para>
 	  </tip>
 	  
 	  <note>
 	    <para>If your system has a &ps2; mouse, chances are very good  that
 	      you may have to unplug your mouse as well as your keyboard.
 	      This is because &ps2; mice share some hardware with the keyboard
 	      and leaving the mouse plugged in can fool the keyboard probe
 	      into thinking the keyboard is still there.  It is said that a
 	      Gateway 2000 Pentium 90&nbsp;MHz system with an AMI BIOS that behaves
 	      this way.  In general, this is not a problem since the mouse is
 	      not much good without the keyboard anyway.</para>
 	  </note>
 	</step>
 
 	<step>
 	  <para>Plug a dumb terminal into <devicename>COM1</devicename>
 	    (<devicename>sio0</devicename>).</para>
 	  
 	  <para>If you do not have a dumb terminal, you can use an old PC/XT
 	    with a modem program, or the serial port on another &unix; box.  If
 	    you do not have a <devicename>COM1</devicename>
 	    (<devicename>sio0</devicename>), get one.  At this time, there is
 	    no way to select a port other than <devicename>COM1</devicename>
 	    for the boot blocks without recompiling the boot blocks.  If you
 	    are already using <devicename>COM1</devicename> for another
 	    device, you will have to temporarily remove that device and
 	    install a new boot block and kernel once you get FreeBSD up and
 	    running. (It is assumed that <devicename>COM1</devicename> will
 	    be available on a file/compute/terminal server anyway; if you
 	    really need <devicename>COM1</devicename> for something else
 	    (and you cannot switch that something else to
 	    <devicename>COM2</devicename> (<devicename>sio1</devicename>)),
 	    then you probably should not even be bothering with all this in
 	    the first place.)</para>
 	</step>
     
 	<step>
 	  <para>Make sure the configuration file of your kernel has
 	    appropriate flags set for <devicename>COM1</devicename>
 	    (<devicename>sio0</devicename>).</para>
 	  
 	  <para>Relevant flags are:</para>
 	  
 	  <variablelist>
 	    <varlistentry>
 	      <term><literal>0x10</literal></term>
 	      
 	      <listitem>
 		<para>Enables console support for this unit.  The other
 		  console flags are ignored unless this is set. Currently, at
 		  most one unit can have console support;  the first one (in
 		  config file order) with this flag set is preferred.  This
 		  option alone will not make the serial port the console.  Set
 		  the following flag or use the <option>-h</option> option
 		  described below, together with this flag.</para>
 	      </listitem>
 	    </varlistentry>
 	    
 	    <varlistentry>
 	      <term><literal>0x20</literal></term>
 	      
 	      <listitem>
 		<para>Forces this unit to be the console (unless there is
 		  another higher priority console), regardless of the
 		  <option>-h</option> option discussed below.  This flag
 		  replaces the <literal>COMCONSOLE</literal> option in FreeBSD
 		  versions 2.<replaceable>X</replaceable>.  The flag <literal>0x20</literal> must be used
 		  together with the <option>0x10</option> flag.</para>
 	      </listitem>
 	    </varlistentry>
 	    
 	    <varlistentry>
 	      <term><literal>0x40</literal></term>
 	      
 	      <listitem>
 		<para>Reserves this unit (in conjunction with
 		  <literal>0x10</literal>) and makes the unit
 		  unavailable for normal access.  You should not set
 		  this flag to the serial port unit which you want to
 		  use as the serial console.  The only use of this
 		  flag is to designate the unit for kernel remote
 		  debugging.  See <ulink
 		  url="&url.books.developers-handbook;/index.html">The
 		  Developer's Handbook</ulink> for more information on
 		  remote debugging.</para>
 		
 		<note>
 		  <para>In FreeBSD&nbsp;4.0 or later the semantics of the
 		    flag <literal>0x40</literal> are slightly different and
 		    there is another flag to specify a serial port for remote
 		    debugging.</para>
 		</note>
 	      </listitem>
 	    </varlistentry>
 	  </variablelist>
 	  
 	  <para>Example:</para>
 	  
 	  <programlisting>device sio0 at isa? port IO_COM1 flags 0x10 irq 4</programlisting>
       
 	  <para>See the &man.sio.4; manual page for more details.</para>
 	  
 	  <para>If the flags were not set, you need to run UserConfig (on a
 	    different console) or recompile the kernel.</para>
 	</step>
 
 	<step>
 	  <para>Create <filename>boot.config</filename> in the root directory
 	    of the <literal>a</literal> partition on the boot drive.</para>
 	  
 	  <para>This file will instruct the boot block code how you would like
 	    to boot the system.  In order to activate the serial console, you
 	    need one or more of the following options&mdash;if you want
 	    multiple options, include them all on the same line:</para>
 	  
 	  <variablelist>
 	    <varlistentry>
 	      <term><option>-h</option></term>
 	      
 	      <listitem>
 		<para>Toggles internal and serial consoles.  You can use this
 		  to switch console devices.  For instance, if you boot from
 		  the internal (video) console, you can use
 		  <option>-h</option> to direct the boot loader and the kernel
 		  to use the serial port as its console device. Alternatively,
 		  if you boot from the serial port, you can use the
 		  <option>-h</option> to tell the boot loader and the kernel
 		  to use the video display as the console instead.</para>
 	      </listitem>
 	    </varlistentry>
 	    
 	    <varlistentry>
 	      <term><option>-D</option></term>
 	      
 	      <listitem>
 		<para>Toggles single and dual console configurations.  In the
 		  single configuration the console will be either the internal
 		  console (video display) or the serial port, depending on the
 		  state of the <option>-h</option> option above.  In the dual
 		  console configuration, both the video display  and the
 		  serial port will become the console at the same time,
 		  regardless of the state of the <option>-h</option> option.
 		  However, note that the dual console configuration takes  effect
 		  only during the boot block is running.  Once the boot loader
 		  gets control, the console specified by the
 		  <option>-h</option> option becomes the only console.</para>
 	      </listitem>
 	    </varlistentry>
 	    
 	    <varlistentry>
 	      <term><option>-P</option></term>
 	      
 	      <listitem>
 		<para>Makes the boot block probe the keyboard.  If no keyboard
 		  is found, the <option>-D</option> and <option>-h</option>
 		  options are automatically set.</para>
 		
 		<note>
 		  <para>Due to space constraints in the current version of the
 		    boot blocks, the <option>-P</option> option is capable of
 		    detecting extended keyboards only.  Keyboards with less
 		    than 101 keys (and without F11 and F12  keys) may not be
 		    detected.  Keyboards on some laptop computers may not be
 		    properly found because of this limitation.  If this is
 		    the case with your system, you have to abandon using
 		    the <option>-P</option> option.  Unfortunately there is no
 		    workaround for this problem.</para>
 		</note>
 	      </listitem>
 	    </varlistentry>
 	  </variablelist>
       
 	  <para>Use either the <option>-P</option> option to select the
 	    console automatically, or the <option>-h</option> option to
 	    activate the serial console.</para>
       
 	  <para>You may include other options described in &man.boot.8; as
 	    well.</para>
       
 	  <para>The options, except for <option>-P</option>, will be passed to
 	    the boot loader (<filename>/boot/loader</filename>).  The boot
 	    loader will determine which of the internal video or the serial
 	    port should become the console by examining the state of the
 	    <option>-h</option> option alone.  This means that if you specify
 	    the <option>-D</option> option but not the <option>-h</option>
 	    option in <filename>/boot.config</filename>, you can use the
 	    serial port as the console only during the boot block;  the boot
 	    loader will use the internal video display as the console.</para>
 	</step>
 
 	<step>
 	  <para>Boot the machine.</para>
 	  
 	  <para>When you start your FreeBSD box, the boot blocks will echo the
 	    contents of <filename>/boot.config</filename> to the console.  For
 	    example:</para>
     
 	  <screen>/boot.config: -P
 Keyboard: no</screen>
     
 	  <para>The second line appears only if you put <option>-P</option> in
 	    <filename>/boot.config</filename> and indicates presence/absence
 	    of the keyboard.  These messages go to either serial or internal
 	    console, or both, depending on the option in
 	    <filename>/boot.config</filename>.</para>
     
-	  <informaltable frame="none">
+	  <informaltable frame="none" pgwide="1">
 	    <tgroup cols="2">
 	      <thead>
 		<row>
 		  <entry>Options</entry>
 		  <entry>Message goes to</entry>
 		</row>
 	      </thead>
 	      
 	      <tbody>
 		<row>
 		  <entry>none</entry>
 		  <entry>internal console</entry>
 		</row>
 		
 		<row>
 		  <entry><option>-h</option></entry>
 		  <entry>serial console</entry>
 		</row>
 		
 		<row>
 		  <entry><option>-D</option></entry>
 		  <entry>serial and internal consoles</entry>
 		</row>
 		
 		<row>
 		  <entry><option>-Dh</option></entry>
 		  <entry>serial and internal consoles</entry>
 		</row>
 		
 		<row>
 		  <entry><option>-P</option>, keyboard present</entry>
 		  <entry>internal console</entry>
 		</row>
 		
 		<row>
 		  <entry><option>-P</option>, keyboard absent</entry>
 		  <entry>serial console</entry>
 		</row>
 	      </tbody>
 	    </tgroup>
 	  </informaltable>
 	  
 	  <para>After the above messages, there will be a small pause before
 	    the boot blocks continue loading the boot loader and before any
 	    further messages printed to the console.  Under normal
 	    circumstances, you do not need to interrupt the boot blocks, but
 	    you may want to do so in order to make sure things are set up
 	    correctly.</para>
     
 	  <para>Hit any key, other than <keycode>Enter</keycode>, at the console to
 	    interrupt the boot process.  The boot blocks will then prompt you
 	    for further action.  You should now see something like:</para>
     
 	  <screen>>> FreeBSD/i386 BOOT
 Default: 0:ad(0,a)/boot/loader
 boot:</screen>
     
 	  <para>Verify the above message appears on either the serial or
 	    internal console or both, according to the options you put in
 	    <filename>/boot.config</filename>.  If the message appears in the
 	    correct console, hit <keycode>Enter</keycode> to continue the boot
 	    process.</para>
 	  
 	  <para>If you want the serial console but you do not see the prompt
 	    on the serial terminal, something is wrong with your settings.  In
 	    the meantime, you enter <option>-h</option> and hit Enter/Return
 	    (if possible) to tell the boot block (and then the boot loader and
 	    the kernel) to choose the serial port for the console. Once the
 	    system is up, go back and check what went wrong.</para>
 	</step>
       </procedure>
       
       <para>After the boot loader is loaded and you are in the third stage of
 	the boot process you can still switch between the internal console and
 	the serial console by setting appropriate environment variables in the
 	boot loader.  See <xref linkend="serialconsole-loader">.</para>
     </sect2>
   
   <sect2 id="serialconsole-summary">
     <title>Summary</title>
     
       <para>Here is the summary of various settings discussed in this section
 	and the console eventually selected.</para>
       
       <sect3>
 	<title>Case 1: You Set the Flags to 0x10 for 
 	  <devicename>sio0</devicename></title>
 
 	<programlisting>device sio0 at isa? port IO_COM1 flags 0x10 irq 4</programlisting>
 
-	<informaltable frame="none">
+	<informaltable frame="none" pgwide="1">
 	  <tgroup cols="4">
 	    <thead>
 	      <row>
 		<entry>Options in /boot.config</entry>
 		<entry>Console during boot blocks</entry>
 		<entry>Console during boot loader</entry>
 		<entry>Console in kernel</entry>
 	      </row>
 	    </thead>
 	    
 	    <tbody>
 	      <row>
 		<entry>nothing</entry>
 		<entry>internal</entry>
 		<entry>internal</entry>
 		<entry>internal</entry>
 	      </row>
 	      
 	      <row>
 		<entry><option>-h</option></entry>
 		<entry>serial</entry>
 		<entry>serial</entry>
 		<entry>serial</entry>
 	      </row>
 	      
 	      <row>
 		<entry><option>-D</option></entry>
 		<entry>serial and internal</entry>
 		<entry>internal</entry>
 		<entry>internal</entry>
 	      </row>
 	      
 	      <row>
 		<entry><option>-Dh</option></entry>
 		<entry>serial and internal</entry>
 		<entry>serial</entry>
 		<entry>serial</entry>
 	      </row>
 	      
 	      <row>
 		<entry><option>-P</option>, keyboard present</entry>
 		<entry>internal</entry>
 		<entry>internal</entry>
 		<entry>internal</entry>
 	      </row>
 	      
 	      <row>
 		<entry><option>-P</option>, keyboard absent</entry>
 		<entry>serial and internal</entry>
 		<entry>serial</entry>
 		<entry>serial</entry>
 	      </row>
 	    </tbody>
 	  </tgroup>
 	</informaltable>
       </sect3>
       
       <sect3>
 	<title>Case 2: You Set the Flags to 0x30 for sio0</title>
 
 	<programlisting>device sio0 at isa? port IO_COM1 flags 0x30 irq 4</programlisting>
   
-	<informaltable frame="none">
+	<informaltable frame="none" pgwide="1">
 	  <tgroup cols="4">
 	    <thead>
 	      <row>
 		<entry>Options in /boot.config</entry>
 		<entry>Console during boot blocks</entry>
 		<entry>Console during boot loader</entry>
 		<entry>Console in kernel</entry>
 	      </row>
 	    </thead>
 	    
 	    <tbody>
 	      <row>
 		<entry>nothing</entry>
 		<entry>internal</entry>
 		<entry>internal</entry>
 		<entry>serial</entry>
 	      </row>
 	      
 	      <row>
 		<entry><option>-h</option></entry>
 		<entry>serial</entry>
 		<entry>serial</entry>
 		<entry>serial</entry>
 	      </row>
 	      
 	      <row>
 		<entry><option>-D</option></entry>
 		<entry>serial and internal</entry>
 		<entry>internal</entry>
 		<entry>serial</entry>
 	      </row>
 	      
 	      <row>
 		<entry><option>-Dh</option></entry>
 		<entry>serial and internal</entry>
 		<entry>serial</entry>
 		<entry>serial</entry>
 	      </row>
 	      
 	      <row>
 		<entry><option>-P</option>, keyboard present</entry>
 		<entry>internal</entry>
 		<entry>internal</entry>
 		<entry>serial</entry>
 	      </row>
 	      
 	      <row>
 		<entry><option>-P</option>, keyboard absent</entry>
 		<entry>serial and internal</entry>
 		<entry>serial</entry>
 		<entry>serial</entry>
 	      </row>
 	    </tbody>
 	  </tgroup>
 	</informaltable>
       </sect3>
     </sect2>
     
     <sect2 id="serialconsole-tips">
       <title>Tips for the Serial Console</title>
   
       <sect3>
 	<title>Setting a Faster Serial Port Speed</title>
 
 	<para>By default, the serial port settings are: 9600 baud, 8
 	  bits, no parity, and 1 stop bit.  If you wish to change the speed, you
 	  need to recompile at least the boot blocks.  Add the following line
 	  to <filename>/etc/make.conf</filename> and compile new boot
 	  blocks:</para>
 
 	<programlisting>BOOT_COMCONSOLE_SPEED=19200</programlisting>
   
 	<para>See <xref linkend="serialconsole-com2"> for detailed
 	  instructions about building and installing new boot blocks.</para>
 
 	<para>If the serial console is configured in some other way than by
 	  booting with <option>-h</option>, or if the serial console used by
 	  the kernel is different from the one used by the boot blocks, then
 	  you must also add the following option to the kernel configuration
 	  file and compile a new kernel:</para>
   
 	<programlisting>options CONSPEED=19200</programlisting>
       </sect3>
       
       <sect3 id="serialconsole-com2">
 	<title>Using Serial Port Other Than <devicename>sio0</devicename> for
 	  the Console</title>
 
 	<para>Using a port other than <devicename>sio0</devicename> as the
 	  console requires some recompiling.  If you want to use another
 	  serial port for whatever reasons, recompile the boot blocks, the
 	  boot loader and the kernel as follows.</para>
   
 	<procedure>
 	  <step>
 	    <para>Get the kernel source. (See <xref linkend="cutting-edge">)</para>
 	  </step>
 	  
 	  <step>
 	    <para>Edit <filename>/etc/make.conf</filename> and set
 	      <literal>BOOT_COMCONSOLE_PORT</literal> to the address of the
 	      port you want to use (0x3F8, 0x2F8, 0x3E8 or 0x2E8).  Only
 	      <devicename>sio0</devicename> through
 	      <devicename>sio3</devicename> (<devicename>COM1</devicename>
 	      through <devicename>COM4</devicename>) can be used;  multiport
 	      serial cards will not work.  No interrupt setting is
 	      needed.</para>
 	  </step>
 	  
 	  <step>
 	    <para>Create a custom kernel configuration file and add
 	      appropriate flags for the serial port you want to use. For
 	      example, if you want to make <devicename>sio1</devicename>
 	      (<devicename>COM2</devicename>) the console:</para>
   
 	    <programlisting>device sio1 at isa? port IO_COM2 flags 0x10 irq 3</programlisting>
   
 	    <para>or</para>
 	    
 	    <programlisting>device sio1 at isa? port IO_COM2 flags 0x30 irq 3</programlisting>
   
 	    <para>The console flags for the other serial ports should not be
 	      set.</para>
 	  </step>
 	  
 	  <step>
 	    <para>Recompile and install the boot blocks and the boot loader:</para>
 	    
 	    <screen>&prompt.root; <userinput>cd /sys/boot</userinput>
 &prompt.root; <userinput>make clean</userinput>
 &prompt.root; <userinput>make</userinput>
 &prompt.root; <userinput>make install</userinput></screen>
 	  </step>
 	  
 	  <step>
 	    <para>Rebuild and install the kernel.</para>
 	  </step>
 	  
 	  <step>
 	    <para>Write the boot blocks to the boot disk with
 		&man.disklabel.8; and boot from the new kernel.</para>
 	  </step>
 	</procedure>
       </sect3>
       
       <sect3 id="serialconsole-ddb">
 	<title>Entering the DDB Debugger from the Serial Line</title>
 
 	<para>If you wish to drop into the kernel debugger from the serial
 	  console (useful for remote diagnostics, but also dangerous if you
 	  generate a spurious BREAK on the serial port!) then you should
 	  compile your kernel with the following options:</para>
   
 	<programlisting>options BREAK_TO_DEBUGGER
 options DDB</programlisting>
       </sect3>
       
       <sect3>
 	<title>Getting a Login Prompt on the Serial Console</title>
 
 	<para>While this is not required, you may wish to get a
 	  <emphasis>login</emphasis> prompt over the serial line, now that you
 	  can see boot messages and can enter the kernel debugging session
 	  through the serial console.  Here is how to do it.</para>
   
 	<para>Open the file <filename>/etc/ttys</filename> with an editor 
 	  and locate the lines:</para>
   
       <programlisting>ttyd0 "/usr/libexec/getty std.9600" unknown off secure
 ttyd1 "/usr/libexec/getty std.9600" unknown off secure
 ttyd2 "/usr/libexec/getty std.9600" unknown off secure
 ttyd3 "/usr/libexec/getty std.9600" unknown off secure</programlisting>
   
 	<para><literal>ttyd0</literal> through <literal>ttyd3</literal>
 	  corresponds to <devicename>COM1</devicename> through
 	  <devicename>COM4</devicename>.  Change <literal>off</literal> to
 	  <literal>on</literal> for the desired port.  If you have changed the
 	  speed of the serial port, you need to change
 	  <literal>std.9600</literal> to match the current setting, e.g.
 	  <literal>std.19200</literal>.</para>
   
 	<para>You may also want to change the terminal type from
 	  <literal>unknown</literal> to the actual type of your serial
 	  terminal.</para>
 
 	<para>After editing the file, you must <command>kill -HUP 1</command>
 	  to make this change take effect.</para>
       </sect3>
     </sect2>
   
     <sect2 id="serialconsole-loader">
       <title>Changing Console from the Boot Loader</title>
       
       <para>Previous sections described how to set up the serial console by
 	tweaking the boot block.  This section shows that you can specify the
 	console by entering some commands and environment variables in the
 	boot loader.  As the boot loader is invoked at the third stage of the
 	boot process, after the boot block, the settings in the boot loader
 	will override the settings in the boot block.</para>
       
       <sect3>
 	<title>Setting Up the Serial Console</title>
 
 	<para>You can easily specify the boot loader and the kernel to use the
 	  serial console by writing just one line in
 	  <filename>/boot/loader.rc</filename>:</para>
   
 	<programlisting>set console=comconsole</programlisting>
   
 	<para>This will take effect regardless of the settings in the boot
 	  block discussed in the previous section.</para>
   
 	<para>You had better put the above line as the first line of
 	  <filename>/boot/loader.rc</filename> so as to see boot messages  on
 	  the serial console as early as possible.</para>
   
 	<para>Likewise, you can specify the internal console as:</para>
 
 	<programlisting>set console=vidconsole</programlisting>
   
 	<para>If you do not set the boot loader environment variable
 	  <envar>console</envar>, the boot loader, and subsequently the
 	  kernel, will use whichever console indicated by the
 	  <option>-h</option> option in the  boot block.</para>
   
 	<para>In versions 3.2 or later, you may specify the console in
 	  <filename>/boot/loader.conf.local</filename> or
 	  <filename>/boot/loader.conf</filename>, rather than in
 	  <filename>/boot/loader.rc</filename>.  In this method your
 	  <filename>/boot/loader.rc</filename> should look like:</para>
   
 	<programlisting>include /boot/loader.4th
 start</programlisting>
   
 	<para>Then, create <filename>/boot/loader.conf.local</filename>  and
 	  put the following line there.</para>
   
 	<programlisting>console=comconsole</programlisting>
   
 	<para>or</para>
 
 	<programlisting>console=vidconsole</programlisting>
   
 	<para>See &man.loader.conf.5; for more information.</para>
 
 	<note>
 	  <para>At the moment, the boot loader has no option equivalent to the
 	    <option>-P</option> option in the boot block, and there is no
 	    provision to automatically select the internal console and the
 	    serial console based on the presence of the keyboard.</para>
 	</note>
       </sect3>
   
       <sect3>
 	<title>Using a Serial Port Other Than <devicename>sio0</devicename> for
 	  the Console</title>
 
 	<para>You need to recompile the boot loader to use a serial port other
 	  than <devicename>sio0</devicename> for the serial console. Follow the
 	  procedure described in <xref linkend="serialconsole-com2">.</para>
       </sect3>
     </sect2>
     
     <sect2 id="serialconsole-caveats">
       <title>Caveats</title>
       
       <para>The idea here is to allow people to set up dedicated servers  that
 	require no graphics hardware or attached keyboards.  Unfortunately,
 	while most systems will let you boot without a keyboard, there
 	are quite a few that will not let you boot without a graphics adapter.
 	Machines with AMI BIOSes can be configured to  boot with no graphics
 	adapter installed simply by changing the <quote>graphics adapter</quote> setting in
 	the CMOS configuration to <quote>Not installed.</quote></para>
   
       <para>However, many machines do not support this option and will refuse
 	to boot if you have no display hardware in the system.  With these
 	machines, you will have to leave some kind of graphics card plugged in,
 	(even if it is just a junky mono board) although you will not have to
 	attach a monitor. You might also try installing an AMI
 	BIOS.</para>
     </sect2>
   </sect1>
 </chapter>
 
 <!-- 
      Local Variables:
      mode: sgml
      sgml-declaration: "../chapter.decl"
      sgml-indent-data: t
      sgml-omittag: nil
      sgml-always-quote-attributes: t
      sgml-parent-document: ("../book.sgml" "part" "chapter")
      End:
 -->
 
diff --git a/en_US.ISO8859-1/books/handbook/users/chapter.sgml b/en_US.ISO8859-1/books/handbook/users/chapter.sgml
index 6cf0dbd325..dbbef62300 100644
--- a/en_US.ISO8859-1/books/handbook/users/chapter.sgml
+++ b/en_US.ISO8859-1/books/handbook/users/chapter.sgml
@@ -1,1129 +1,1129 @@
 <!--
      The FreeBSD Documentation Project
 
      $FreeBSD$
 -->
 
 <chapter id="users">
   <chapterinfo>
     <authorgroup>
       <author>
         <firstname>Neil</firstname>
 	<surname>Blakey-Milner</surname>
 	<contrib>Contributed by </contrib>
       </author>
     </authorgroup>
     <!-- Feb 2000 -->
   </chapterinfo>
 
   <title>Users and Basic Account Management</title>
   
   <sect1 id="users-synopsis">
     <title>Synopsis</title>
     
     <para>FreeBSD allows multiple users to use the computer at the same time.
       Obviously, only one of those users can be sitting in front of the screen and
       keyboard at any one time
       <footnote>
 	<para>Well, unless you hook up multiple terminals, but we will
 	save that for <xref linkend="serialcomms">.</para>
       </footnote>, but any number of users can log in through the
       network to get their work done.  To use the system every user must have
       an account.</para>
     
     <para>After reading this chapter, you will know:</para>
 
     <itemizedlist>
       <listitem>
 	<para>The differences between the various user accounts on a FreeBSD
 	  system.</para>
       </listitem>
 
       <listitem>
 	<para>How to add user accounts.</para>
       </listitem>
 
       <listitem>
 	<para>How to remove user accounts.</para>
       </listitem>
 
       <listitem>
 	<para>How to change account details, such as the user's full name, or
 	preferred shell.</para>
       </listitem>
 
       <listitem>
 	<para>How to set limits on a per-account basis, to control the
 	  resources such as memory and CPU time that accounts and groups of
 	  accounts are allowed to access.</para>
       </listitem>
 
       <listitem>
 	<para>How to use groups to make account management easier.</para>
       </listitem>
     </itemizedlist>
 
     <para>Before reading this chapter, you should:</para>
 
     <itemizedlist>
       <listitem>
 	<para>Understand the basics of &unix; and FreeBSD (<xref
 	    linkend="basics">).</para>
       </listitem>
     </itemizedlist>
   </sect1>
 
   <sect1 id="users-introduction">
     <title>Introduction</title>
 
     <para>All access to the system is achieved via accounts, and all
       processes are run by users, so user and account management are
       of integral importance on FreeBSD systems.</para>
 
     <para>Every account on a FreeBSD system has certain information associated
       with it to identify the account.</para>
 
     <variablelist>
       <varlistentry>
 	<term>User name</term>
 
 	<listitem>
 	  <para>The user name as it would be typed at the
 	    <prompt>login:</prompt> prompt.  User names must be unique across
 	    the computer; you may not have two users with the same
 	    user name.  There are a number of rules for creating valid user
 	    names, documented in &man.passwd.5;; you would typically use user
 	    names that consist of eight or fewer all lower case
 	    characters.</para>
 	</listitem>
       </varlistentry>
 
       <varlistentry>
 	<term>Password</term>
 
 	<listitem>
 	  <para>Each account has a password associated with it.  The password
 	    may be blank, in which case no password will be required to access
 	    the system.  This is normally a very bad idea; every account
 	    should have a password.</para>
 	</listitem>
       </varlistentry>
 
       <varlistentry>
 	<term>User ID (UID)</term>
 
 	<listitem>
 	  <para>The UID is a number, traditionally from 0 to 65535<footnote id="users-largeuidgid">
 	      <para>It is possible to use UID/GIDs as large as
 		4294967295, but such IDs can cause serious problems
 		with software that makes assumptions about the values
 		of IDs.</para>
 	    </footnote>, used to uniquely identify
 	    the user to the system.  Internally, FreeBSD uses the UID to
 	    identify users&mdash;any FreeBSD commands that allow you to
 	    specify a user name will convert it to the UID before working with
 	    it.  This means that you can have several accounts with different
 	    user names but the same UID.  As far as FreeBSD is concerned these
 	    accounts are one user.  It is unlikely you will ever need to do
 	    this.</para>
 	</listitem>
       </varlistentry>
 
       <varlistentry>
 	<term>Group ID (GID)</term>
 
 	<listitem>
 	  <para>The GID is a number, traditionally from 0 to 65535<footnoteref linkend="users-largeuidgid">, used to uniquely identify
 	    the primary group that the user belongs to.  Groups are a
 	    mechanism for controlling access to resources based on a user's
 	    GID rather than their UID.  This can significantly reduce the size
 	    of some configuration files.  A user may also be in more than one
 	    group.</para>
 	</listitem>
       </varlistentry>
 
       <varlistentry>
 	<term>Login class</term>
 
 	<listitem>
 	  <para>Login classes are an extension to the group mechanism that
 	    provide additional flexibility when tailoring the system to
 	    different users.</para>
 	</listitem>
       </varlistentry>
 
       <varlistentry>
 	<term>Password change time</term>
 
 	<listitem>
 	  <para>By default FreeBSD does not force users to change their
 	    passwords periodically.  You can enforce this on a per-user basis,
 	    forcing some or all of your users to change their passwords after
 	    a certain amount of time has elapsed.</para>
 	</listitem>
       </varlistentry>
 
       <varlistentry>
 	<term>Account expiry time</term>
 
 	<listitem>
 	  <para>By default FreeBSD does not expire accounts.  If you are
 	    creating accounts that you know have a limited lifespan, for
 	    example, in a school where you have accounts for the students,
 	    then you can specify when the account expires.  After the expiry
 	    time has elapsed the account cannot be used to log in to the
 	    system, although the account's directories and files will
 	    remain.</para>
 	</listitem>
       </varlistentry>
 
       <varlistentry>
 	<term>User's full name</term>
 
 	<listitem>
 	  <para>The user name uniquely identifies the account to FreeBSD, but
 	    does not necessarily reflect the user's real name.  This
 	    information can be associated with the account.</para>
 	</listitem>
       </varlistentry>
 
       <varlistentry>
 	<term>Home directory</term>
 
 	<listitem>
 	  <para>The home directory is the full path to a directory on the
 	    system in which the user will start when logging on to the
 	    system.  A common convention is to put all user home directories
 	    under
 	    <filename>/home/<replaceable>username</replaceable></filename>
 	    or <filename>/usr/home/<replaceable>username</replaceable></filename>.
 	    The user would store their personal files in their home directory,
 	    and any directories they may create in there.</para>
 	</listitem>
       </varlistentry>
 
       <varlistentry>
 	<term>User shell</term>
 
 	<listitem>
 	  <para>The shell provides the default environment users use to
 	    interact with the system.  There are many different kinds of
 	    shells, and experienced users will have their own preferences,
 	    which can be reflected in their account settings.</para>
 	</listitem>
       </varlistentry>
     </variablelist>
 
     <para>There are three main types of accounts: the <link
 	linkend="users-superuser">Superuser</link>, <link
 	linkend="users-system">system users</link>, and <link
 	linkend="users-user">user accounts</link>.  The Superuser
       account, usually called <username>root</username>, is used to
       manage the system with no limitations on privileges.  System
       users run services.  Finally, user accounts are used by real
       people, who log on, read mail, and so forth.</para>
   </sect1>
     
   <sect1 id="users-superuser">
     <title>The Superuser Account</title>
     
     <indexterm>
       <primary>accounts</primary>
       <secondary>superuser (root)</secondary>
     </indexterm>
     <para>The superuser account, usually called
       <username>root</username>, comes preconfigured to facilitate
       system administration, and should not be used for day-to-day
       tasks like sending and receiving mail, general exploration of
       the system, or programming.</para>
       
     <para>This is because the superuser, unlike normal user accounts,
       can operate without limits, and misuse of the superuser account
       may result in spectacular disasters.  User accounts are unable
       to destroy the system by mistake, so it is generally best to use
       normal user accounts whenever possible, unless you especially
       need the extra privilege.</para>
 
     <para>You should always double and triple-check commands you issue
       as the superuser, since an extra space or missing character can
       mean irreparable data loss.</para>
 
     <para>So, the first thing you should do after reading this
       chapter is to create an unprivileged user account for yourself
       for general usage if you have not already.  This applies equally
       whether you are running a multi-user or single-user machine.
       Later in this chapter, we discuss how to create additional
       accounts, and how to change between the normal user and
       superuser.</para>
   </sect1>
     
   <sect1 id="users-system">
     <title>System Accounts</title>
 
     <indexterm>
       <primary>accounts</primary>
       <secondary>system</secondary>
     </indexterm>
     <para>System users are those used to run services such as DNS,
       mail, web servers, and so forth.  The reason for this is
       security; if all services ran as the superuser, they could
       act without restriction.</para>
 
     <indexterm>
       <primary>accounts</primary>
       <secondary><username>daemon</username></secondary>
     </indexterm>
     <indexterm>
       <primary>accounts</primary>
       <secondary><username>operator</username></secondary>
     </indexterm>
     <para>Examples of system users are <username>daemon</username>,
       <username>operator</username>, <username>bind</username> (for
       the Domain Name Service), and <username>news</username>.  Often
       sysadmins create <username>httpd</username> to run web servers
       they install.</para>
 
     <indexterm>
       <primary>accounts</primary>
       <secondary><username>nobody</username></secondary>
     </indexterm>
     <para><username>nobody</username> is the generic unprivileged
       system user.  However, it is important to keep in mind that the
       more services that use <username>nobody</username>, the more
       files and processes that user will become associated with, and
       hence the more privileged that user becomes.</para>
   </sect1>
 
   <sect1 id="users-user">
     <title>User Accounts</title>
 
     <indexterm>
       <primary>accounts</primary>
       <secondary>user</secondary>
     </indexterm>
     <para>User accounts are the primary means of access for real
       people to the system, and these accounts insulate the user and
       the environment, preventing the users from damaging the system
       or other users, and allowing users to customize their
       environment without affecting others.</para>
 
     <para>Every person accessing your system should have a unique user
       account.  This allows you to find out who is doing what, prevent
       people from clobbering each others' settings or reading each
       others' mail, and so forth.</para>
 
     <para>Each user can set up their own environment to accommodate
       their use of the system, by using alternate shells, editors, key
       bindings, and language.</para>
   </sect1>
 
   <sect1 id="users-modifying">
     <title>Modifying Accounts</title>
 
     <indexterm>
       <primary>accounts</primary>
       <secondary>modifying</secondary>
     </indexterm>
 
     <para>There are a variety of different commands available in the
       &unix; environment to manipulate user accounts.  The most common
       commands are summarized below, followed by more detailed
       examples of their usage.</para>
 
-    <informaltable frame="none">
+    <informaltable frame="none" pgwide="1">
       <tgroup cols="2">
 	<colspec colwidth="1*">
 	<colspec colwidth="2*">
 
 	<thead>
 	  <row>
 	    <entry>Command</entry>
 	    <entry>Summary</entry>
 	  </row>
 	</thead>
 	<tbody>
 	  <row>
 	    <entry>&man.adduser.8;</entry>
 	    <entry>The recommended command-line application for adding
 	    new users.</entry>
 	  </row>
 	  <row>
 	    <entry>&man.rmuser.8;</entry>
 	    <entry>The recommended command-line application for
 	    removing users.</entry>
 	  </row>
 	  <row>
 	    <entry>&man.chpass.1;</entry>
 	    <entry>A flexible tool to change user database information.</entry>
 	  </row>
 	  <row>
 	    <entry>&man.passwd.1;</entry>
 	    <entry>The simple command-line tool to change user
 	    passwords.</entry>
 	  </row>
 	  <row>
 	    <entry>&man.pw.8;</entry>
 	    <entry>A powerful and flexible tool to modify all aspects
 	    of user accounts.</entry>
 	  </row>
 	</tbody>
       </tgroup>
     </informaltable>
 
     <sect2 id="users-adduser">
       <title><command>adduser</command></title>
 
       <indexterm>
         <primary>accounts</primary>
         <secondary>adding</secondary>
       </indexterm>
       <indexterm>
         <primary><command>adduser</command></primary>
       </indexterm>
       <indexterm>
         <primary><filename class="directory">/usr/share/skel</filename></primary>
       </indexterm>
       <indexterm><primary>skeleton directory</primary></indexterm>
       <para>&man.adduser.8; is a simple program for
 	adding new users.  It creates entries in the system
 	<filename>passwd</filename> and <filename>group</filename>
 	files.  It will also create a home directory for the new user,
 	copy in the default configuration files (<quote>dotfiles</quote>) from
 	<filename>/usr/share/skel</filename>, and can optionally mail
 	the new user a welcome message.</para>
 
       <para>In &os;&nbsp;5.0, &man.adduser.8; was rewritten from a
 	Perl script to a shell script that acts as wrapper around
 	&man.pw.8;, so its usage is slightly different on &os;&nbsp;4.X
 	and &os;&nbsp;5.X.</para>
 
       <para>To create the initial configuration file, use
 	<command>adduser -s -config_create</command>.
 	<footnote>
 	  <para>The <option>-s</option> makes &man.adduser.8;
 	    default to
 	    quiet.  We use <option>-v</option> later when we want to
 	    change defaults.</para>
 	</footnote>
 	Next, we configure &man.adduser.8;
 	defaults, and create our first user account, since using
 	<username>root</username> for normal usage is evil and
 	nasty.</para>
 
       <example>
 	<title>Configuring <command>adduser</command> and adding a
 	  user on &os;&nbsp;4.X</title>
 
 	<screen>&prompt.root; <userinput>adduser -v</userinput>
 Use option ``-silent'' if you don't want to see all warnings and questions.
 Check /etc/shells
 Check /etc/master.passwd
 Check /etc/group
 Enter your default shell: csh date no sh tcsh zsh [sh]: <userinput>zsh</userinput>
 Your default shell is: zsh -&gt; /usr/local/bin/zsh
 Enter your default HOME partition: [/home]:
 Copy dotfiles from: /usr/share/skel no [/usr/share/skel]: 
 Send message from file: /etc/adduser.message no 
 [/etc/adduser.message]: <userinput>no</userinput>
 Do not send message
 Use passwords (y/n) [y]: <userinput>y</userinput>
 
 Write your changes to /etc/adduser.conf? (y/n) [n]: <userinput>y</userinput>
 
 Ok, let's go.
 Don't worry about mistakes. I will give you the chance later to correct any input.
 Enter username [a-z0-9_-]: <userinput>jru</userinput>
 Enter full name []: <userinput>J. Random User</userinput>
 Enter shell csh date no sh tcsh zsh [zsh]: 
 Enter home directory (full path) [/home/jru]: 
 Uid [1001]: 
 Enter login class: default []: 
 Login group jru [jru]: 
 Login group is ``jru''. Invite jru into other groups: guest no 
 [no]: <userinput>wheel</userinput>
 Enter password []: 
 Enter password again []: 
 
 Name:	  jru
 Password: ****
 Fullname: J. Random User
 Uid:	  1001
 Gid:	  1001 (jru)
 Class:	  
 Groups:	  jru wheel
 HOME:     /home/jru
 Shell:	  /usr/local/bin/zsh
 OK? (y/n) [y]: <userinput>y</userinput>
 Added user ``jru''
 Copy files from /usr/share/skel to /home/jru
 Add another user? (y/n) [y]: <userinput>n</userinput>
 Goodbye!
 &prompt.root;</screen>
       </example>
 
       <para>In summary, we changed the default shell to
 	<application>zsh</application> (an additional shell found in
 	the Ports Collection), and turned off the sending of a welcome mail to
 	added users.  We then saved the configuration,
 	created an account for <username>jru</username>, and made
 	sure <username>jru</username> is in <username>wheel</username>
 	group (so that she may assume the role of
 	<username>root</username> with the &man.su.1;
 	command.)</para>
 
       <note>
 	<para>The password you type in is not echoed, nor are asterisks
 	  displayed.  Make sure that you do not mistype the password.
 	  </para>
       </note>
 
       <note>
 	<para>Just use &man.adduser.8; without arguments
 	  from now on, and you will not have to go through changing the
 	  defaults.  If the program asks you to change the defaults,
 	  exit the program, and try the <option>-s</option>
 	  option.</para>
       </note>
 
       <example>
 	<title>Adding a user on &os;&nbsp;5.X</title>
 
 	<screen>&prompt.root; <userinput>adduser</userinput>
 Username: <userinput>jru</userinput>
 Full name: <userinput>J. Random User</userinput>
 Uid (Leave empty for default):
 Login group [jru]:
 Login group is jru. Invite jru into other groups? []: <userinput>wheel</userinput>
 Login class [default]:
 Shell (sh csh tcsh zsh nologin) [sh]: <userinput>zsh</userinput>
 Home directory [/home/jru]:
 Use password-based authentication? [yes]:
 Use an empty password? (yes/no) [no]:
 Use a random password? (yes/no) [no]:
 Enter password:
 Enter password again:
 Lock out the account after creation? [no]:
 Username   : jru
 Password   : ****
 Full Name  : J. Random User
 Uid        : 1001
 Class      :
 Groups     : jru wheel
 Home       : /home/jru
 Shell      : /usr/local/bin/zsh
 Locked     : no
 OK? (yes/no): <userinput>yes</userinput>
 adduser: INFO: Successfully added (jru) to the user database.
 Add another user? (yes/no): <userinput>no</userinput>
 Goodbye!
 &prompt.root;</screen>
       </example>
     </sect2>
 
     <sect2 id="users-rmuser">
       <title><command>rmuser</command></title>
 
       <indexterm><primary><command>rmuser</command></primary></indexterm>
       <indexterm>
         <primary>accounts</primary>
         <secondary>removing</secondary>
       </indexterm>
 
       <para>You can use &man.rmuser.8; to
 	completely remove a user from the system.
 	&man.rmuser.8; performs the following
 	steps:</para>
 
       <procedure>
 	<step>
 	  <para>Removes the user's &man.crontab.1; entry (if
 	    any).</para>
 	</step>
 	<step>
 	  <para>Removes any &man.at.1; jobs belonging to the
 	    user.</para>
 	</step>
 	<step>
 	  <para>Kills all processes owned by the user.</para>
 	</step>
 	<step>
 	  <para>Removes the user from the system's local password
 	    file.</para>
 	</step>
 	<step>
 	  <para>Removes the user's home directory (if it is owned by
 	    the user).</para>
 	</step>
 	<step>
 	  <para>Removes the incoming mail files belonging to the user
 	    from <filename>/var/mail</filename>.</para>
 	</step>
 	<step>
 	  <para>Removes all files owned by the user from temporary
 	    file storage areas such as <filename>/tmp</filename>.</para>
 	</step>
 	<step>
 	  <para>Finally, removes the username from all groups to which
 	    it belongs in <filename>/etc/group</filename>.
 	    
 	    <note>
 	      <para>If a group becomes empty and the group name is the
 		same as the username, the group is removed; this
 		complements the per-user unique groups created by
 		&man.adduser.8;.</para>
 	    </note>
 	  </para>
 	</step>
       </procedure>
 
       <para>&man.rmuser.8; cannot be used to remove
 	superuser accounts, since that is almost always an indication
 	of massive destruction.</para>
 
       <para>By default, an interactive mode is used, which attempts to
 	make sure you know what you are doing.</para>
 
       <example>
 	<title><command>rmuser</command> Interactive Account Removal</title>
 
 	<screen>&prompt.root; <userinput>rmuser jru</userinput>
 Matching password entry:
 jru:*:1001:1001::0:0:J. Random User:/home/jru:/usr/local/bin/zsh
 Is this the entry you wish to remove? <userinput>y</userinput>
 Remove user's home directory (/home/jru)? <userinput>y</userinput>
 Updating password file, updating databases, done.
 Updating group file: trusted (removing group jru -- personal group is empty) done.
 Removing user's incoming mail file /var/mail/jru: done.
 Removing files belonging to jru from /tmp: done.
 Removing files belonging to jru from /var/tmp: done.
 Removing files belonging to jru from /var/tmp/vi.recover: done.
 &prompt.root;</screen>
       </example>
     </sect2>
 
     <sect2 id="users-chpass">
       <title><command>chpass</command></title>
 
       <indexterm><primary><command>chpass</command></primary></indexterm>
       <para>&man.chpass.1; changes user database
 	information such as passwords, shells, and personal
 	information.</para>
 
       <para>Only system administrators, as the superuser, may change
 	other users' information and passwords with 
 	&man.chpass.1;.</para>
 
       <para>When passed no options, aside from an optional username,
 	&man.chpass.1; displays an editor
 	containing user information.  When the user exists from the
 	editor, the user database is updated with the new
 	information.</para>
 
       <note>
 	<para>In &os;&nbsp;5.X, you will be asked for your password
 	 after exiting the editor if you are not the superuser.</para>
       </note>
 
       <example>
 	<title>Interactive <command>chpass</command> by Superuser</title>
 
 	<screen>#Changing user database information for jru.
 Login: jru
 Password: *
 Uid [#]: 1001
 Gid [# or name]: 1001
 Change [month day year]:
 Expire [month day year]:
 Class:
 Home directory: /home/jru
 Shell: /usr/local/bin/zsh
 Full Name: J. Random User
 Office Location:
 Office Phone:
 Home Phone:
 Other information:</screen>
       </example>
 
       <para>The normal user can change only a small subset of this
 	information, and only for themselves.</para>
 
       <example>
 	<title>Interactive <command>chpass</command> by Normal User</title>
 
 	<screen>#Changing user database information for jru.
 Shell: /usr/local/bin/zsh
 Full Name: J. Random User
 Office Location:
 Office Phone:
 Home Phone:
 Other information:</screen>
       </example>
 
       <note>
 	<para>&man.chfn.1; and &man.chsh.1; are
 	  just links to &man.chpass.1;, as 
 	  are &man.ypchpass.1;,
 	  &man.ypchfn.1;, and
 	  &man.ypchsh.1;.  NIS support is automatic, so
 	  specifying the <literal>yp</literal> before the command is
 	  not necessary.  If this is confusing to you, do not worry, NIS will
 	  be covered in <xref linkend="network-servers">.</para>
       </note>
     </sect2>
     <sect2 id="users-passwd">
       <title><command>passwd</command></title>
 
       <indexterm><primary><command>passwd</command></primary></indexterm>
       <indexterm>
         <primary>accounts</primary>
         <secondary>changing password</secondary>
       </indexterm>
       <para>&man.passwd.1; is the usual way to
 	change your own password as a user, or another user's password
 	as the superuser.</para>
 
       <note>
 	<para>To prevent accidental or unauthorized changes, the original
 	  password must be entered before a new password can be set.</para>
       </note>
 
       <example>
 	<title>Changing Your Password</title>
 
 	<screen>&prompt.user; <userinput>passwd</userinput>
 Changing local password for jru.
 Old password:
 New password:
 Retype new password:
 passwd: updating the database...
 passwd: done</screen>
       </example>
 
       <example>
 	<title>Changing Another User's Password as the Superuser</title>
 
         <screen>&prompt.root; <userinput>passwd jru</userinput>
 Changing local password for jru.
 New password:
 Retype new password:
 passwd: updating the database...
 passwd: done</screen>
       </example>
 
       <note>
 	<para>As with &man.chpass.1;,
 	  &man.yppasswd.1; is just a link to
 	  &man.passwd.1;, so NIS works with either
 	  command.</para>
       </note>
     </sect2>
 
 
     <sect2 id="users-pw">
       <title><command>pw</command></title>
       <indexterm><primary><command>pw</command></primary></indexterm>
 
       <para>&man.pw.8; is a command line utility to create, remove,
 	modify, and display users and groups.  It functions as a front
 	end to the system user and group files.  &man.pw.8;
 	has a very powerful set of command line options that make it
 	suitable for use in shell scripts, but new users may find it
 	more complicated than the other commands presented
 	here.</para>
     </sect2>
 
 
   </sect1>
 
   <sect1 id="users-limiting">
     <title>Limiting Users</title>
 
     <indexterm><primary>limiting users</primary></indexterm>
     <indexterm>
       <primary>accounts</primary>
       <secondary>limiting</secondary>
     </indexterm>
     <para>If you have users, the ability to limit their system use may
       have come to mind.  FreeBSD provides
       several ways an administrator can limit the amount of system
       resources an individual may use.  These limits are
       divided into two sections: disk quotas, and other resource
       limits.</para>
 
     <indexterm><primary>quotas</primary></indexterm>
     <indexterm>
       <primary>limiting users</primary>
       <secondary>quotas</secondary>
     </indexterm>
     <indexterm><primary>disk quotas</primary></indexterm>
     <para>Disk quotas limit disk usage to users, and
       they
       provide a way to quickly check that usage without
       calculating it every time.  Quotas are discussed in <xref
       linkend="quotas">.</para>
 
     <para>The other resource limits include ways to limit the amount of
       CPU, memory, and other resources a user may consume.  These are
       defined using login classes and are discussed here.</para>
 
     <indexterm>
       <primary><filename>/etc/login.conf</filename></primary>
     </indexterm>
     <para>Login classes are defined in
       <filename>/etc/login.conf</filename>.  The precise semantics are
       beyond the scope of this section, but are described in detail in the
       &man.login.conf.5; manual page.  It is sufficient to say that each
       user is assigned to a login class (<literal>default</literal> by
       default), and that each login class has a set of login capabilities
       associated with it.  A login capability is a
       <literal><replaceable>name</replaceable>=<replaceable>value</replaceable></literal>
       pair, where <replaceable>name</replaceable> is a well-known
       identifier and <replaceable>value</replaceable> is an arbitrary
       string processed accordingly depending on the name.  Setting up login
       classes and capabilities is rather straight-forward and is also
       described in &man.login.conf.5;.</para>
       
     <note>
       <para>The system does not read the configuration in
 	<filename>/etc/login.conf</filename> directly, but reads the database
 	file <filename>/etc/login.conf.db</filename>.
 	To generate <filename>/etc/login.conf.db</filename> from
 	<filename>/etc/login.conf</filename>, execute the following
 	command:</para>
 
       <screen>&prompt.root; <userinput>cap_mkdb /etc/login.conf</userinput></screen>
     </note>
 
     <para>Resource limits are different from plain vanilla login
       capabilities in two ways.  First, for every limit, there is a soft
       (current) and hard limit.  A soft limit may be adjusted by the user
       or application, but may be no higher than the hard limit.  The latter
       may be lowered by the user, but never raised.  Second, most resource
       limits apply per process to a specific user, not the user as a whole.
       Note, however, that these differences are mandated by the specific
       handling of the limits, not by the implementation of the login
       capability framework (i.e., they are not <emphasis>really</emphasis>
       a special case of login capabilities).</para>
 
     <para>And so, without further ado, below are the most commonly used
       resource limits (the rest, along with all the other login
       capabilities, may be found in &man.login.conf.5;).</para>
 
     <variablelist>
       <varlistentry>
         <term><literal>coredumpsize</literal></term>
 
 	<listitem>
     <indexterm><primary>coredumpsize</primary></indexterm>
     <indexterm>
       <primary>limiting users</primary>
       <secondary>coredumpsize</secondary>
     </indexterm>
 	  <para>The limit on the size of a core file generated by a program
 	  is, for obvious reasons, subordinate to other limits on disk
 	  usage (e.g., <literal>filesize</literal>, or disk quotas).
 	  Nevertheless, it is often used as a less-severe method of
 	  controlling disk space consumption: since users do not generate
 	  core files themselves, and often do not delete them, setting this
 	  may save them from running out of disk space should a large
 	  program (e.g., <application>emacs</application>) crash.</para>
 	</listitem>
       </varlistentry>
 
       <varlistentry>
         <term><literal>cputime</literal></term>
 
 	<listitem>
     <indexterm><primary>cputime</primary></indexterm>
     <indexterm>
       <primary>limiting users</primary>
       <secondary>cputime</secondary>
     </indexterm>
 	  <para>This is the maximum amount of CPU time a user's process may
 	    consume.  Offending processes will be killed by the kernel.
 
 	    <note>
 	      <para>This is a limit on CPU <emphasis>time</emphasis>
 	        consumed, not percentage of the CPU as displayed in some
 	        fields by &man.top.1; and &man.ps.1;.  A limit on the
 	        latter is, at the time of this writing, not possible, and
 	        would be rather useless: a compiler&mdash;probably a
 	        legitimate task&mdash;can easily use almost 100% of a CPU
 	        for some time.</para>
 	    </note>
 	  </para>
 	</listitem>
       </varlistentry>
 
       <varlistentry>
         <term><literal>filesize</literal></term>
 
 	<listitem>
     <indexterm><primary>filesize</primary></indexterm>
     <indexterm>
       <primary>limiting users</primary>
       <secondary>filesize</secondary>
     </indexterm>
 	  <para>This is the maximum size of a file the user may possess.
 	    Unlike <link linkend="quotas">disk quotas</link>, this limit is
 	    enforced on individual files, not the set of all files a user
 	    owns.</para>
 	</listitem>
       </varlistentry>
 
       <varlistentry>
         <term><literal>maxproc</literal></term>
 
 	<listitem>
     <indexterm><primary>maxproc</primary></indexterm>
         <indexterm>
       <primary>limiting users</primary>
       <secondary>maxproc</secondary>
     </indexterm>
 	  <para>This is the maximum number of processes a user may be
 	    running.  This includes foreground and background processes
 	    alike.  For obvious reasons, this may not be larger than the
 	    system limit specified by the <varname>kern.maxproc</varname>
 	    &man.sysctl.8;.  Also note that setting this 
 	    too small may hinder a
 	    user's productivity: it is often useful to be logged in
 	    multiple times or execute pipelines.  Some tasks, such as
 	    compiling a large program, also spawn multiple processes (e.g.,
 	    &man.make.1;, &man.cc.1;, and other intermediate
 	    preprocessors).</para>
 	</listitem>
       </varlistentry>
 
       <varlistentry>
         <term><literal>memorylocked</literal></term>
 
 	<listitem>
     <indexterm><primary>memorylocked</primary></indexterm>
     <indexterm>
       <primary>limiting users</primary>
       <secondary>memorylocked</secondary>
     </indexterm>
 	  <para>This is the maximum amount a memory a process may have
 	    requested to be locked into main memory (e.g., see
 	    &man.mlock.2;).  Some system-critical programs, such as
             &man.amd.8;, lock into main memory such that in the event
 	    of being swapped out, they do not contribute to
 	    a system's trashing in time of trouble.</para>
 	</listitem>
       </varlistentry>
 
       <varlistentry>
         <term><literal>memoryuse</literal></term>
 
 	<listitem>
     <indexterm><primary>memoryuse</primary></indexterm>
     <indexterm>
       <primary>limiting users</primary>
       <secondary>memoryuse</secondary>
     </indexterm>
 	  <para>This is the maximum amount of memory a process may consume
 	    at any given time.  It includes both core memory and swap
 	    usage.  This is not a catch-all limit for restricting memory
 	    consumption, but it is a good start.</para>
 	</listitem>
       </varlistentry>
 
       <varlistentry>
         <term><literal>openfiles</literal></term>
 
 	<listitem>
     <indexterm><primary>openfiles</primary></indexterm>
     <indexterm>
       <primary>limiting users</primary>
       <secondary>openfiles</secondary>
     </indexterm>
 	  <para>This is the maximum amount of files a process may have
 	    open.  In FreeBSD, files are also used to represent sockets and
 	    IPC channels; thus, be careful not to set this too low.  The
 	    system-wide limit for this is defined by the
 	    <varname>kern.maxfiles</varname> &man.sysctl.8;.</para>
 	</listitem>
       </varlistentry>
 
       <varlistentry>
         <term><literal>sbsize</literal></term>
 
 	<listitem>
     <indexterm><primary>sbsize</primary></indexterm>
     <indexterm>
       <primary>limiting users</primary>
       <secondary>sbsize</secondary>
     </indexterm>
 	  <para>This is the limit on the amount of network memory, and thus
 	    mbufs, a user may consume.  This originated as a response to an
 	    old DoS attack by creating a lot of sockets, but can be
 	    generally used to limit network communications.</para>
 	</listitem>
       </varlistentry>
 
       <varlistentry>
         <term><literal>stacksize</literal></term>
 
 	<listitem>
     <indexterm><primary>stacksize</primary></indexterm>
     <indexterm>
       <primary>limiting users</primary>
       <secondary>stacksize</secondary>
     </indexterm>
 	  <para>This is the maximum size a process' stack may grow to.
 	    This alone is not sufficient to limit the amount of memory a
 	    program may use; consequently, it should be used in conjunction
 	    with other limits.</para>
 	</listitem>
       </varlistentry>
     </variablelist>
 
     <para>There are a few other things to remember when setting resource
       limits.  Following are some general tips, suggestions, and
       miscellaneous comments.</para>
 
     <itemizedlist>
       <listitem>
         <para>Processes started at system startup by
           <filename>/etc/rc</filename> are assigned to the
           <literal>daemon</literal> login class.</para>
       </listitem>
 
       <listitem>
         <para>Although the <filename>/etc/login.conf</filename> that comes
           with the system is a good source of reasonable values for most
           limits, only you, the administrator, can know what is appropriate
           for your system.  Setting a limit too high may open your system
           up to abuse, while setting it too low may put a strain on
           productivity.</para>
       </listitem>
 
       <listitem>
         <para>Users of the X Window System (X11) should probably be granted
 	  more resources than other users.  X11 by itself takes a lot of
 	  resources, but it also encourages users to run more programs
 	  simultaneously.</para>
       </listitem>
 
       <listitem>
         <para>Remember that many limits apply to individual processes, not
           the user as a whole.  For example, setting 
 	  <varname>openfiles</varname> to 50 means
           that each process the user runs may open up to 50 files.  Thus,
           the gross amount of files a user may open is the value of
           <literal>openfiles</literal> multiplied by the value of
           <literal>maxproc</literal>.  This also applies to memory
           consumption.</para>
       </listitem>
     </itemizedlist>
 
     <para>For further information on resource limits and login classes and
       capabilities in general, please consult the relevant manual pages:
       &man.cap.mkdb.1;, &man.getrlimit.2;, &man.login.conf.5;.</para>
   </sect1>
 
   <sect1 id="users-personalizing">
     <title>Personalizing Users</title>
 
     <para>Localization is an environment set up by the system
       administrator or user to accommodate different languages,
       character sets, date and time standards, and so on.  This is
       discussed in the <link linkend="l10n">localization</link>
       chapter.</para>
   </sect1>
 
   <sect1 id="users-groups">
     <title>Groups</title>
 
     <indexterm><primary>groups</primary></indexterm>
     <indexterm>
       <primary><filename>/etc/groups</filename></primary>
     </indexterm>
     <indexterm>
       <primary>accounts</primary>
       <secondary>groups</secondary>
     </indexterm>
     <para>A group is simply a list of users.  Groups are identified by
       their group name and GID (Group ID).  In FreeBSD (and most other &unix; like
       systems), the two factors the kernel uses to decide whether a process
       is allowed to do something is its user ID and list of groups it
       belongs to.  Unlike a user ID, a process has a list of groups
       associated with it.  You may hear some things refer to the <quote>group ID</quote>
       of a user or process; most of the time, this just means the first
       group in the list.</para>
 
     <para>The group name to group ID map is in
       <filename>/etc/group</filename>.  This is a plain text file with four
       colon-delimited fields.  The first field is the group name, the
       second is the encrypted password, the third the group ID, and the
       fourth the comma-delimited list of members.  It can safely be edited
       by hand (assuming, of course, that you do not make any syntax
       errors!).  For a more complete description of the syntax, see the
       &man.group.5; manual page.</para>
 
     <para>If you do not want to edit <filename>/etc/group</filename>
       manually, you can use the &man.pw.8; command to add and edit groups.
       For example, to add a group called <groupname>teamtwo</groupname> and
       then confirm that it exists you can use:</para>
 
     <example>
       <title>Adding a Group Using &man.pw.8;</title>
 
       <screen>&prompt.root; <userinput>pw groupadd teamtwo</userinput>
 &prompt.root; <userinput>pw groupshow teamtwo</userinput>
 teamtwo:*:1100:</screen>
     </example>
 
     <para>The number <literal>1100</literal> above is the group ID of the
       group <groupname>teamtwo</groupname>.  Right now,
       <groupname>teamtwo</groupname> has no members, and is thus rather
       useless.  Let's change that by inviting <username>jru</username> to
       the <groupname>teamtwo</groupname> group.</para>
 
     <example>
       <title>Adding Somebody to a Group Using &man.pw.8;</title>
 
       <screen>&prompt.root; <userinput>pw groupmod teamtwo -M jru</userinput>
 &prompt.root; <userinput>pw groupshow teamtwo</userinput>
 teamtwo:*:1100:jru</screen>
     </example>
 
     <para>The argument to the <option>-M</option> option is a
       comma-delimited list of users who are members of the group.  From the
       preceding sections, we know that the password file also contains a
       group for each user.  The latter (the user) is automatically added to
       the group list by the system; the user will not show up as a member
       when using the <option>groupshow</option> command to &man.pw.8;,
       but will show up when the information is queried via &man.id.1; or
       similar tool.  In other words, &man.pw.8; only manipulates the
       <filename>/etc/group</filename> file; it will never attempt to read
       additionally data from <filename>/etc/passwd</filename>.</para>
 
     <example>
       <title>Using &man.id.1; to Determine Group Membership</title>
 
       <screen>&prompt.user; <userinput>id jru</userinput>
 uid=1001(jru) gid=1001(jru) groups=1001(jru), 1100(teamtwo)</screen>
     </example>
 
     <para>As you can see, <username>jru</username> is a member of the
       groups <groupname>jru</groupname> and
       <groupname>teamtwo</groupname>.</para>
 
     <para>For more information about &man.pw.8;, see its manual page, and
       for more information on the format of
       <filename>/etc/group</filename>, consult the &man.group.5; manual
       page.</para>
   </sect1>
 </chapter>
 
 <!-- 
      Local Variables:
      mode: sgml
      sgml-declaration: "../chapter.decl"
      sgml-indent-data: t
      sgml-omittag: nil
      sgml-always-quote-attributes: t
      sgml-parent-document: ("../book.sgml" "part" "chapter")
      End:
 -->
diff --git a/en_US.ISO8859-1/books/handbook/x11/chapter.sgml b/en_US.ISO8859-1/books/handbook/x11/chapter.sgml
index 997f341471..e657ae8d70 100644
--- a/en_US.ISO8859-1/books/handbook/x11/chapter.sgml
+++ b/en_US.ISO8859-1/books/handbook/x11/chapter.sgml
@@ -1,1801 +1,1801 @@
 <!--
      The FreeBSD Documentation Project
 
      $FreeBSD$
 -->
 
 <chapter id="x11">
   <chapterinfo>
     <authorgroup>
       <author>
 	<firstname>Ken</firstname>
 	<surname>Tom</surname>
 	<contrib>Updated for X.Org's X11 server by </contrib>
       </author>
       <author>
 	<firstname>Marc</firstname>
 	<surname>Fonvieille</surname>
       </author>
     </authorgroup>
   </chapterinfo>
 
   <title>The X Window System</title>
 
   <sect1 id="x11-synopsis">
     <title>Synopsis</title>
 
     <para>FreeBSD uses X11 to provide users with
       a powerful graphical user interface.  X11
       is an open-source implementation of the X Window System that
       includes both <application>&xorg;</application> and
       <application>&xfree86;</application>.  &os; versions up to and
       including &os;&nbsp;4.10-RELEASE and &os;&nbsp;5.2.1-RELEASE
       will find the default installation to be
       <application>&xfree86;</application>, the X11 server released by
       The &xfree86; Project, Inc.  As of &os;&nbsp;5.3-RELEASE, the
       default and official flavor of X11 was changed to
       <application>&xorg;</application>, the X11 server developed by
       the X.Org Foundation.</para>
 
     <para>This chapter will cover the installation and configuration
       of X11 with emphasis on
       <application>&xorg;</application>.</para>
 
     <para>For more information on the video hardware that X11
       supports, check either the <ulink
       url="http://www.x.org/">&xorg;</ulink> or <ulink
       url="http://www.XFree86.org/">&xfree86;</ulink> web
       sites.</para>
 
     <para>After reading this chapter, you will know:</para>
 
     <itemizedlist>
       <listitem>
         <para>The various components of the X Window System, and how they
           interoperate.</para>
       </listitem>
 
       <listitem>
 	<para>How to install and configure X11.</para>
       </listitem>
 
       <listitem>
         <para>How to install and use different window managers.</para>
       </listitem>
 
       <listitem>
 	<para>How to use &truetype; fonts in X11.</para>
       </listitem>
 
       <listitem>
         <para>How to set up your system for graphical logins
           (<application>XDM</application>).</para>
       </listitem>
     </itemizedlist>
 
     <para>Before reading this chapter, you should:</para>
 
     <itemizedlist>
       <listitem><para>Know how to install additional third-party
         software (<xref linkend="ports">).</para></listitem>
     </itemizedlist>
 
     <note>
       <para>This chapter covers the installation and the configuration
 	of both <application>&xorg;</application> and
 	<application>&xfree86;</application> X11 servers.  For the most
 	part, configuration files, commands and syntaxes are identical.
 	In the case where there are differences, both
 	<application>&xorg;</application> and
 	<application>&xfree86;</application> syntaxes will be
 	shown.</para>
     </note>
   </sect1>
 
   <sect1 id="x-understanding">
     <title>Understanding X</title>
 
     <para>Using X for the first time can be somewhat of a shock to someone
       familiar with other graphical environments, such as &microsoft.windows; or
       &macos;.</para>
 
     <para>While it is not necessary to understand all of the details of various
       X components and how they interact, some basic knowledge makes
       it possible to take advantage of X's strengths.</para>
 
     <sect2>
       <title>Why X?</title>
 
       <para>X is not the first window system written for &unix;, but it is the
         most popular of them.  X's original development team had worked on another
         window system prior to writing X.  That system's name was
         <quote>W</quote> (for <quote>Window</quote>).  X was just the next
         letter in the Roman alphabet.</para>
 
       <para>X can be called <quote>X</quote>, <quote>X Window System</quote>,
 	<quote>X11</quote>, and a number of other terms.  You may find
 	that using the term <quote>X Windows</quote> to describe X11
 	can be offensive to some people; for a bit more insight on
 	this, see &man.X.7;.</para>
     </sect2>
 
     <sect2>
       <title>The X Client/Server Model</title>
 
       <para>X was designed from the beginning to be network-centric, and
         adopts a <quote>client-server</quote> model.</para>
 
       <para>In the X model, the
         <quote>X server</quote> runs on the computer that has the keyboard,
         monitor, and mouse attached.  The server's responsibility includes tasks such as managing
         the display, handling input from the keyboard and mouse, and so on.
         Each X application (such as <application>XTerm</application>, or
         <application>&netscape;</application>) is a <quote>client</quote>.  A
         client sends messages to the server such as <quote>Please draw a
           window at these coordinates</quote>, and the server sends back
           messages such as <quote>The user just clicked on the OK
           button</quote>.</para>
 
       <para>In a home or small
         office environment, the X server and the X clients commonly run on
         the same computer.  However, it is perfectly possible to run the X
         server on a less powerful desktop computer, and run X applications
         (the clients) on, say, the powerful and expensive machine that serves
         the office.  In this scenario the communication between the X client
         and server takes place over the network.</para>
 
       <para>This confuses some people, because the X terminology is
         exactly backward to what they expect.  They expect the <quote>X
           server</quote> to be the big powerful machine down the hall, and
         the <quote>X client</quote> to be the machine on their desk.</para>
 
       <para>It is important to remember that the X server is the machine with the monitor and
         keyboard, and the X clients are the programs that display the
         windows.</para>
 
       <para>There is nothing in the protocol that forces the client and
         server machines to be running the same operating system, or even to
         be running on the same type of computer.  It is certainly possible to
         run an X server on &microsoft.windows; or Apple's &macos;, and there are
         various free and commercial applications available that do exactly
         that.</para>
 
       <para>Starting with &os;&nbsp;5.3-RELEASE, the X server that
 	installs with &os; is <application>&xorg;</application>,
         and is available for free, under a
         license very similar to the FreeBSD license.  Commercial X servers for
         FreeBSD are also available.</para>
     </sect2>
 
     <sect2>
       <title>The Window Manager</title>
 
       <para>The X design philosophy is much like the &unix; design philosophy,
         <quote>tools, not policy</quote>.  This means that X does not try to
         dictate how a task is to be accomplished.  Instead, tools are provided
         to the user, and it is the user's responsibility to decide how to use
         those tools.</para>
 
       <para>This philosophy extends to X not dictating what windows should
         look like on screen, how to move them around with the mouse, what
         keystrokes should be used to move between windows (i.e.,
         <keycombo action="simul">
           <keycap>Alt</keycap>
           <keycap>Tab</keycap>
         </keycombo>, in the case of &microsoft.windows;), what the title bars
         on each window should look like, whether or not they have close
         buttons on them, and so on.</para>
 
       <para>Instead, X delegates this responsibility to an application called
         a <quote>Window Manager</quote>.  There are dozens of window
         managers available for X: <application>AfterStep</application>,
         <application>Blackbox</application>, <application>ctwm</application>,
         <application>Enlightenment</application>,
         <application>fvwm</application>, <application>Sawfish</application>,
         <application>twm</application>,
         <application>Window Maker</application>, and more.  Each of these
         window managers provides a different look and feel; some of them
         support <quote>virtual desktops</quote>; some of them allow customized
         keystrokes to manage the desktop; some have a <quote>Start</quote>
         button or similar device; some are <quote>themeable</quote>, allowing
         a complete change of look-and-feel by applying a new theme.  These
         window managers, and many more, are available in the
         <filename>x11-wm</filename> category of the Ports Collection.</para>
 
       <para>In addition, the <application>KDE</application> and
 	<application>GNOME</application> desktop environments both have their
 	own window managers which integrate with the desktop.</para>
 
       <para>Each window manager also has a different configuration mechanism;
         some expect configuration file written by hand, others feature
         GUI tools for most of the configuration tasks; at least one
         (<application>Sawfish</application>) has a configuration file written
         in a dialect of the Lisp language.</para>
 
       <note>
         <title>Focus Policy</title>
 
         <para>Another feature the window manager is responsible for is the
           mouse <quote>focus policy</quote>.  Every windowing system
           needs some means of choosing a window to be actively receiving
           keystrokes, and should visibly indicate which window is active as
           well.</para>
 
         <para>A familiar focus policy is called <quote>click-to-focus</quote>.
           This is the model utilized by &microsoft.windows;, in which a window
           becomes active upon receiving a mouse click.</para>
 
         <para>X does not support any particular focus policy.  Instead, the
           window manager controls which window has the focus at any one time.
           Different window managers will support different focus methods.  All
           of them support click to focus, and the majority of them support
           several others.</para>
 
         <para>The most popular focus policies are:</para>
 
         <variablelist>
           <varlistentry>
             <term>focus-follows-mouse</term>
 
             <listitem>
               <para>The window that is under the mouse pointer is the
                 window that has the focus.  This may not necessarily be
                 the window that is on top of all the other windows.
                 The focus is changed by pointing at another window, there
                 is no need to click in it as well.</para>
             </listitem>
           </varlistentry>
 
           <varlistentry>
             <term>sloppy-focus</term>
 
             <listitem>
               <para>This policy is a small extension to focus-follows-mouse.
                 With focus-follows-mouse, if the mouse is moved over the
                 root window (or background) then no window has the focus,
                 and keystrokes are simply lost.  With sloppy-focus, focus is
                 only changed when the cursor enters a new window, and not
                 when exiting the current window.</para>
             </listitem>
           </varlistentry>
 
           <varlistentry>
             <term>click-to-focus</term>
 
             <listitem>
               <para>The active window is selected by mouse click.  The
                 window may then be <quote>raised</quote>, and appear in
                 front of all other windows.  All keystrokes will now be
                 directed to this window, even if the cursor is moved to
                 another window.</para>
             </listitem>
           </varlistentry>
         </variablelist>
 
         <para>Many window managers support other policies, as well as
           variations on these.  Be sure to consult the documentation for
           the window manager itself.</para>
       </note>
     </sect2>
 
     <sect2>
       <title>Widgets</title>
 
       <para>The X approach of providing tools and not policy extends to the
         widgets seen on screen in each application.</para>
 
       <para><quote>Widget</quote> is a term for all the items in the user
         interface that can be clicked or manipulated in some way; buttons,
         check boxes, radio buttons, icons, lists, and so on.  &microsoft.windows;
         calls these <quote>controls</quote>.</para>
 
       <para>&microsoft.windows; and Apple's &macos; both have a very rigid widget
         policy.  Application developers are supposed to ensure that their
         applications share a common look and feel.  With X, it was not
         considered sensible to mandate a particular graphical style, or set
         of widgets to adhere to.</para>
 
       <para>As a result, do not expect X applications to have a common
         look and feel.  There are several popular widget sets and
         variations, including the original Athena widget set from MIT,
         <application>&motif;</application> (on which the widget set in
         &microsoft.windows; was modeled, all bevelled edges and three shades of
         grey), <application>OpenLook</application>, and others.</para>
 
       <para>Most newer X applications today will use a modern-looking widget
         set, either Qt, used by <application>KDE</application>, or
         GTK+, used by the
         <application>GNOME</application>
         project.  In this respect, there is some convergence in
         look-and-feel of the &unix; desktop, which certainly makes things
         easier for the novice user.</para>
     </sect2>
   </sect1>
 
   <sect1 id="x-install">
     <title>Installing X11</title>
 
     <para><application>&xorg;</application> or
       <application>&xfree86;</application> may be installed on &os;.
       Beginning with &os;&nbsp;5.3-RELEASE,
       <application>&xorg;</application> is the default X11
       implementation for &os;.  <application>&xorg;</application> is
       the X11 server of the X11R6.7 distribution released by the X.Org
       Foundation.  X11R6.7 is based on the code of
       <application>&xfree86&nbsp;4.4RC2</application> and X11R6.6.
       The X.Org Foundation released X11R6.7 in April 2004.</para>
 
     <para>To build and install <application>&xorg;</application> from the
       ports collection:</para>
 
     <screen>&prompt.root; <userinput>cd /usr/ports/x11/xorg</userinput>
 &prompt.root; <userinput>make install clean</userinput></screen>
 
     <note>
       <para>To build <application>&xorg;</application> in its
 	entirety, be sure to have at least 4&nbsp;GB of free space
 	available.</para>
     </note>
 
     <para>To build and install <application>&xfree86;</application>
       from the ports collection:</para>
 
     <screen>&prompt.root; <userinput>cd /usr/ports/x11/XFree86-4</userinput>
 &prompt.root; <userinput>make install clean</userinput></screen>
 
     <para>Alternatively, X11
       can be installed directly from packages.
       Binary packages to use with &man.pkg.add.1; tool are also available for
       X11.  When the remote fetching
       feature of &man.pkg.add.1; is used, the version number of the
       package must be removed.  &man.pkg.add.1; will automatically fetch
       the latest version of the application.</para>
 
     <para>So to fetch and install the package of
       <application>&xorg;</application>, simply type:</para>
 
     <screen>&prompt.root; <userinput>pkg_add -r xorg</userinput></screen>
 
     <para>The <application>&xfree86;&nbsp;4.X</application> package can be
       installed by typing:</para>
 
     <screen>&prompt.root; <userinput>pkg-add -r XFree86</userinput></screen>
 
     <note><para>The examples above will install the complete
       X11 distribution including the
       servers, clients, fonts etc.  Separate packages and ports of X11
       are also
       available.</para></note>
 
     <para>The rest of this chapter will explain how to configure
       X11, and how to set up a productive desktop
       environment.</para>
 
     <sect2 id="x-to-xorg">
       <title>Moving from <application>&xfree86;</application> to
 	<application>&xorg;</application></title>
 
       <para>As with any port, you should check the
 	<filename>/usr/ports/UPDATING</filename> file for changes.
 	Included in this file are instructions for converting your
 	system from <application>&xfree86;</application> to
 	<application>&xorg;</application>.</para>
 
       <para>Use <application>CVSup</application> to update your ports
 	tree prior to attempting any conversion.  You will also need
 	to install <filename
 	role="package">sysutils/portupgrade</filename> prior to
 	converting your X11 installation.</para>
 
       <para>In your <filename>/etc/make.conf</filename> you will need
 	to add the variable <literal>X_WINDOW_SYSTEM=xorg</literal>.
 	This ensures that your system knows which X11 is being used.
 	The older <literal>XFREE86_VERSION</literal> variable has been
 	deprecated and has been replaced with the
 	<literal>X_WINDOW_SYSTEM</literal> variable.</para>
 
       <para>Then, use the following commands:</para>
 
       <screen>&prompt.root; <userinput>pkg_delete -f /var/db/pkg/imake-4* /var/db/pkg/XFree86-*</userinput>
 &prompt.root; <userinput>cd /usr/ports/x11/xorg</userinput>
 &prompt.root; <userinput>make install clean</userinput>
 &prompt.root; <userinput>pkgdb -F</userinput></screen>
 
       <para>The &man.pkgdb.1; command is part of the
 	<application>portupgrade</application> software and will
 	update various package dependencies.</para>
 
       <note>
 	<para>To build <application>&xorg;</application> in its
 	  entirety, be sure to have at least 4&nbsp;GB of free space
 	  available.</para>
       </note>
     </sect2>
   </sect1>
 
   <sect1 id="x-config">
     <sect1info>
       <authorgroup>
         <author>
           <firstname>Christopher</firstname>
           <surname>Shumway</surname>
           <contrib>Contributed by </contrib>
           <!-- July 2001 -->
         </author>
       </authorgroup>
     </sect1info>
     <title>X11 Configuration</title>
 
 
     <indexterm><primary>&xfree86;&nbsp;4.X</primary></indexterm>
     <indexterm><primary>&xfree86;</primary></indexterm>
     <indexterm><primary>&xorg;</primary></indexterm>
     <indexterm><primary>X11</primary></indexterm>
 
     <sect2>
       <title>Before Starting</title>
 
       <para>Before configuration of X11
         the following information about the target system is needed:</para>
 
       <itemizedlist>
         <listitem><para>Monitor specifications</para></listitem>
         <listitem><para>Video Adapter chipset</para></listitem>
         <listitem><para>Video Adapter memory</para></listitem>
       </itemizedlist>
 
       <indexterm><primary>horizontal scan rate</primary></indexterm>
       <indexterm><primary>vertical scan rate</primary></indexterm>
 
       <para>The specifications for the monitor are used by
         X11 to determine the resolution and
         refresh rate to run at.  These specifications can usually be
         obtained from the documentation that came with the monitor or from
         the manufacturer's website.  There are two ranges of numbers that
         are needed, the horizontal scan rate and the vertical synchronization
         rate.</para>
 
       <para>The video adapter's chipset defines what driver module
         X11 uses to talk to the graphics
         hardware.  With most chipsets, this can be automatically
         determined, but it is still useful to know in case the automatic
         detection does not work correctly.</para>
 
       <para>Video memory on the graphic adapter determines the
         resolution and color depth which the system can run at.  This is
         important to know so the user knows the limitations of the
         system.</para>
 
     </sect2>
 
     <sect2>
       <title>Configuring X11</title>
 
       <para>Configuration of X11 is
         a multi-step process.  The first step is to build an initial
         configuration file.
         As the super user, simply
         run:</para>
 
       <screen>&prompt.root; <userinput>Xorg -configure</userinput></screen>
 
       <para>In the case of <application>&xfree86;</application>
 	type:</para>
 
       <screen>&prompt.root; <userinput>XFree86 -configure</userinput></screen>
 
       <para>This will generate an
         X11 configuration skeleton file in the
         <filename>/root</filename> directory called
 	<filename>xorg.conf.new</filename> (whether you &man.su.1; or
 	do a direct login affects the inherited supervisor
 	<envar>$HOME</envar> directory variable).
 	For <application>&xfree86;</application>, this configuration
 	file is called  <filename>XF86Config.new</filename>.  The
         X11 program will attempt to probe
         the graphics hardware on the system and write a
         configuration file to load the proper drivers for the detected
         hardware on the target system.</para>
 
       <para>The next step is to test the existing
         configuration to verify that <application>&xorg;</application>
         can work with the graphics
         hardware on the target system.  To perform this task,
         type:</para>
 
       <screen>&prompt.root; <userinput>Xorg -config xorg.conf.new</userinput></screen>
 
       <para><application>&xfree86;</application> users will type:</para>
 
       <screen>&prompt.root; <userinput>XFree86 -xf86config XF86Config.new</userinput></screen>
 
       <para>If a black and grey grid and an X mouse cursor appear,
         the configuration was successful.  To exit the test, just press
         <keycombo action="simul">
           <keycap>Ctrl</keycap>
           <keycap>Alt</keycap>
           <keycap>Backspace</keycap>
         </keycombo> simultaneously.</para>
 
 	<note><para>If the mouse does not work, you will need to first
 	  configure it before proceeding.  See <xref linkend="mouse">
 	  in the &os; install chapter.</para></note>
 
       <indexterm><primary>X11 Tuning</primary></indexterm>
 
       <para>Next, tune the <filename>xorg.conf.new</filename> (or <filename>XF86Config.new</filename> if you are running <application>&xfree86;</application>)
         configuration file to taste.  Open the file in a text editor such
         as &man.emacs.1; or &man.ee.1;.  First, add the
         frequencies for the target system's monitor.  These are usually
         expressed as a horizontal and vertical synchronization rate.  These
         values are added to the <filename>xorg.conf.new</filename> file
         under the <literal>"Monitor"</literal> section:</para>
 
       <programlisting>Section "Monitor"
         Identifier   "Monitor0"
         VendorName   "Monitor Vendor"
         ModelName    "Monitor Model"
         HorizSync    30-107
         VertRefresh  48-120
 EndSection</programlisting>
 
       <para>The <literal>HorizSync</literal> and
         <literal>VertRefresh</literal> keywords may be missing in the
         configuration file.  If they are, they need to be added, with
         the correct horizontal synchronization rate placed after the
         <literal>HorizSync</literal> keyword and the vertical
         synchronization rate after the <literal>VertRefresh</literal>
         keyword.  In the example above the target monitor's rates were
         entered.</para>
 
       <para>X allows DPMS (Energy Star) features to be used with capable
         monitors. The &man.xset.1; program controls the time-outs and can force
         standby, suspend, or off modes.  If you wish to enable DPMS features
         for your monitor, you must add the following line to the monitor
         section:</para>
 
       <programlisting>
         Option       "DPMS"</programlisting>
 
       <indexterm>
         <primary><filename>xorg.conf</filename></primary>
       </indexterm>
       <indexterm>
         <primary><filename>XF86Config</filename></primary>
       </indexterm>
 
       <para>While the <filename>xorg.conf.new</filename> (or <filename>XF86Config.new</filename>)
         configuration file is still open in an editor, select
         the default resolution and color depth desired.  This is
         defined in the <literal>"Screen"</literal> section:</para>
 
       <programlisting>Section "Screen"
         Identifier "Screen0"
         Device     "Card0"
         Monitor    "Monitor0"
         DefaultDepth 24
         SubSection "Display"
                 Viewport  0 0
                 Depth     24
                 Modes     "1024x768"
         EndSubSection
 EndSection</programlisting>
 
       <para>The <literal>DefaultDepth</literal> keyword describes
         the color depth to run at by default.  This can be overridden
         with the <option>-depth</option> command line switch to
         &man.Xorg.1; (or &man.XFree86.1;).
         The <literal>Modes</literal> keyword
         describes the resolution to run at for the given color depth.
         Note that only VESA standard modes are supported as defined by
         the target system's graphics hardware.
         In the example above, the default color depth is twenty-four
         bits per pixel.  At this color depth, the accepted resolution is
         1024 by 768
         pixels.</para>
 
       <para>Finally, write the configuration file and test it using
         the test mode given above.</para>
 
       <note>
 	<para>One of the tools available to assist you during
 	  troubleshooting process are the X11 log files, which contain
 	  information on each device that the X11 server attaches to.
 	  <application>&xorg;</application> log file names are in the format
 	  of <filename>/var/log/Xorg.0.log</filename>
 	  (<application>&xfree86;</application> log file names follow the
 	  format of <filename>XFree86.0.log</filename>).  The exact name
 	  of the log can vary from <filename>Xorg.0.log</filename> to
 	  <filename>Xorg.8.log</filename> and so forth.</para>
       </note>
 
       <para>If all is well, the configuration
         file needs to be installed in a common location where
         &man.Xorg.1; (or &man.XFree86.1;)
         can find it.
 	This is typically <filename>/etc/X11/xorg.conf</filename> or
 	<filename>/usr/X11R6/etc/X11/xorg.conf</filename> (for
 	<application>&xfree86;</application> it is called
         <filename>/etc/X11/XF86Config</filename> or
         <filename>/usr/X11R6/etc/X11/XF86Config</filename>).</para>
 
       <screen>&prompt.root; <userinput>cp xorg.conf.new /etc/X11/xorg.conf</userinput></screen>
 
       <para>For <application>&xfree86;</application>:</para>
 
       <screen>&prompt.root; <userinput>cp XF86Config.new /etc/X11/XF86Config</userinput></screen>
 
       <para>The X11 configuration process is now
         complete.  In order to start
         <application>&xfree86;&nbsp;4.X</application> with &man.startx.1;,
         install the <filename role="package">x11/wrapper</filename> port.
 	<application>&xorg;</application> already includes the wrapper
 	code and does not require the installation of the wrapper port.
 	The X11 server may also be started with the use of
         &man.xdm.1;.</para>
 
       <note><para>There is also a graphical configuration tool,
 	&man.xorgcfg.1; (&man.xf86cfg.1; for <application>&xfree86;</application>), that comes with the
 	X11 distribution.  It
 	allows you to interactively define your configuration by choosing
 	the appropriate drivers and settings.  This program can be invoked from the console, by typing the command <command>xorgcfg -textmode</command>.  For more details,
 	refer to the &man.xorgcfg.1; and &man.xf86cfg.1; manual pages.</para>
 
       <para>Alternatively, there is also a tool called &man.xorgconfig.1;
 	(&man.xf86config.1; for <application>&xfree86;</application>),
 	this program is a console utility that is less user friendly,
 	but it may work in situations where the other tools do
 	not.</para></note>
 
     </sect2>
 
     <sect2>
       <title>Advanced Configuration Topics</title>
 
       <sect3>
         <title>Configuration with &intel; i810 Graphics Chipsets</title>
 
         <indexterm><primary>Intel i810 graphic chipset</primary></indexterm>
 
         <para>Configuration with &intel; i810 integrated chipsets
           requires the <devicename>agpgart</devicename>
           AGP programming interface for X11
           to drive the card.  The &man.agp.4; driver is in the
 	  <filename>GENERIC</filename> kernel since releases
 	  4.8-RELEASE and 5.0-RELEASE.  On prior releases, you will
 	  have to add the following line:</para>
 
 	<programlisting>device agp</programlisting>
 
 	<para>in your kernel configuration file and rebuild a new
 	  kernel.  Instead, you may want to load
 	  the <filename>agp.ko</filename> kernel module
           automatically with the &man.loader.8; at boot time.
           For that, simply add this line to
           <filename>/boot/loader.conf</filename>:</para>
 
         <programlisting>agp_load="YES"</programlisting>
 
         <para>Next, if you are running FreeBSD&nbsp;4.X or earlier, a
           device node needs to be created for the
           programming interface.  To create the AGP device node, run
           &man.MAKEDEV.8; in the <filename>/dev</filename>
           directory:</para>
 
         <screen>&prompt.root; <userinput>cd /dev</userinput>
 &prompt.root; <userinput>sh MAKEDEV agpgart</userinput></screen>
 
 	<note>
 	  <para>FreeBSD&nbsp;5.X or later will use &man.devfs.5; to allocate
 	    device nodes transparently, therefore the
 	    &man.MAKEDEV.8; step is not required.</para>
 	</note>
 
         <para>This will allow configuration of the hardware as any other
           graphics board.  Note on systems without the &man.agp.4;
 	  driver compiled in the kernel, trying to load the module
 	  with &man.kldload.8; will not work.  This driver has to be
 	  in the kernel at boot time through being compiled in or
 	  using <filename>/boot/loader.conf</filename>.</para>
 
 	<para>If you are using <application>&xfree86;&nbsp;4.1.0</application> (or
 	  later) and messages about unresolved symbols like
           <literal>fbPictureInit</literal> appear, try adding the
           following line after <literal>Driver "i810"</literal> in the
           X11 configuration file:</para>
         <programlisting>Option "NoDDC"</programlisting>
       </sect3>
     </sect2>
   </sect1>
 
   <sect1 id="x-fonts">
     <sect1info>
       <authorgroup>
         <author>
           <firstname>Murray</firstname>
           <surname>Stokely</surname>
           <contrib>Contributed by </contrib>
         </author>
       </authorgroup>
     </sect1info>
     <title>Using Fonts in X11</title>
 
     <sect2 id="type1">
     <title>Type1 Fonts</title>
     <para>The default fonts that ship with
       X11 are less than ideal for typical
     desktop publishing applications.  Large presentation fonts show up
     jagged and unprofessional looking, and small fonts in
     <application>&netscape;</application> are almost completely unintelligible.
     However, there are several free, high quality Type1 (&postscript;) fonts
     available which can be readily used
     with X11.  For instance, the URW font collection
     (<filename role="package">x11-fonts/urwfonts</filename>) includes
     high quality versions of standard type1 fonts (<trademark class="registered">Times Roman</trademark>,
     <trademark class="registered">Helvetica</trademark>, <trademark class="registered">Palatino</trademark> and others).  The Freefonts collection
     (<filename role="package">x11-fonts/freefonts</filename>) includes
     many more fonts, but most of them are intended for use in
     graphics software such as the <application>Gimp</application>, and are not
     complete enough to serve as screen fonts.  In addition,
     X11 can be configured to use
     &truetype; fonts with a minimum of effort.  For more details on
     this, see the &man.X.7; manual page or the
     <link linkend="truetype">section on &truetype; fonts</link>.</para>
 
     <para>To install the above Type1 font collections from the ports
         collection, run the following commands:</para>
 
     <screen>&prompt.root; <userinput>cd /usr/ports/x11-fonts/urwfonts</userinput>
 &prompt.root; <userinput>make install clean</userinput></screen>
 
     <para>And likewise with the freefont or other collections.  To have the X
       server detect these fonts, add an appropriate line to the
       X server configuration file in <filename>/etc/X11/</filename>
       (<filename>xorg.conf</filename> for
       <application>&xorg;</application> and
       <filename>XF86Config</filename> for
       <application>&xfree86;</application>), which reads:</para>
 
       <programlisting>FontPath "/usr/X11R6/lib/X11/fonts/URW/"</programlisting>
 
       <para>Alternatively, at the command line in the X session
         run:</para>
 
       <screen>&prompt.user; <userinput>xset fp+ /usr/X11R6/lib/X11/fonts/URW</userinput>
 &prompt.user; <userinput>xset fp rehash</userinput></screen>
 
       <para>This will work but will be lost when the X session is closed,
     unless it is added to the startup file (<filename>~/.xinitrc</filename>
     for a normal <command>startx</command> session,
     or <filename>~/.xsession</filename> when logging in through a
     graphical login manager like <application>XDM</application>).
     A third way is to use the new
     <filename>/usr/X11R6/etc/fonts/local.conf</filename> file: see the
     section on <link linkend="antialias">anti-aliasing</link>.
     </para>
     </sect2>
 
     <sect2 id="truetype">
     <title>&truetype; Fonts</title>
 
     <indexterm><primary>TrueType Fonts</primary></indexterm>
     <indexterm><primary>fonts</primary>
       <secondary>TrueType</secondary>
     </indexterm>
 
     <para>Both <application>&xfree86;&nbsp;4.X</application> and <application>&xorg;</application> have built in support
     for rendering &truetype; fonts.  There are two different modules
     that can enable this functionality.  The freetype module is used
     in this example because it is more consistent with the other font
     rendering back-ends.  To enable the freetype module just add the
     following line to the <literal>"Module"</literal> section of the
     <filename>/etc/X11/xorg.conf</filename> or
     <filename>/etc/X11/XF86Config</filename> file.</para>
 
     <programlisting>Load  "freetype"</programlisting>
 
     <para>For <application>&xfree86;&nbsp;3.3.X</application>, a separate
       &truetype; font server is needed.
       <application>Xfstt</application> is commonly used for
       this purpose.  To install <application>Xfstt</application>,
       simply install the port
       <filename role="package">x11-servers/Xfstt</filename>.</para>
 
     <para>Now make a directory for the &truetype; fonts (for example,
       <filename>/usr/X11R6/lib/X11/fonts/TrueType</filename>)
       and copy all of the &truetype; fonts into this directory.  Keep in
       mind that &truetype; fonts cannot be directly taken from a
       &macintosh;; they must be in &unix;/&ms-dos;/&windows; format for use by
       X11.  Once the files have been
       copied into this directory, use
       <application>ttmkfdir</application> to create a
       <filename>fonts.dir</filename> file, so that the X font renderer
       knows that these new files have been installed.
       <command>ttmkfdir</command> is available from the FreeBSD
       Ports Collection as
       <filename role="package">x11-fonts/ttmkfdir</filename>.</para>
 
     <screen>&prompt.root; <userinput>cd /usr/X11R6/lib/X11/fonts/TrueType</userinput>
 &prompt.root; <userinput>ttmkfdir &gt; fonts.dir</userinput></screen>
 
     <para>Now add the &truetype; directory to the font
       path.  This is just the same as described above for <link
       linkend="type1">Type1</link> fonts, that is, use</para>
 
     <screen>&prompt.user; <userinput>xset fp+ /usr/X11R6/lib/X11/fonts/TrueType</userinput>
 &prompt.user; <userinput>xset fp rehash</userinput></screen>
 
     <para>or add a <literal>FontPath</literal> line to the
        <filename>xorg.conf</filename> (or <filename>XF86Config</filename>) file.</para>
 
       <para>That's it.  Now <application>&netscape;</application>,
         <application>Gimp</application>,
         <application>&staroffice;</application>, and all of the other X
         applications should now recognize the installed &truetype;
         fonts.  Extremely small fonts (as with text in a high resolution
         display on a web page) and extremely large fonts (within
         <application>&staroffice;</application>) will look much better
         now.</para>
     </sect2>
 
     <sect2 id="antialias">
     <sect2info>
       <authorgroup>
         <author>
           <firstname>Joe Marcus</firstname>
           <surname>Clarke</surname>
           <contrib>Updated by </contrib>
           <!-- May 2003 -->
         </author>
       </authorgroup>
     </sect2info>
     <title>Anti-Aliased Fonts</title>
 
     <indexterm><primary>anti-aliased fonts</primary></indexterm>
     <indexterm><primary>fonts</primary>
       <secondary>anti-aliased</secondary></indexterm>
 
     <para>Anti-aliasing has been available in X11 since
       <application>&xfree86;</application> 4.0.2.  However, font
       configuration was cumbersome before the introduction of
       <application>&xfree86;</application> 4.3.0.
       Beginning with
       <application>&xfree86;</application> 4.3.0, all fonts in X11
       that are found
       in <filename>/usr/X11R6/lib/X11/fonts/</filename> and
       <filename>~/.fonts/</filename> are automatically 
       made available for anti-aliasing to Xft-aware applications.  Not
       all applications are Xft-aware, but many have received Xft support.
       Examples of Xft-aware applications include Qt 2.3 and higher (the 
       toolkit for the <application>KDE</application> desktop), 
       GTK+ 2.0 and higher (the toolkit for the 
       <application>GNOME</application> desktop), and 
       <application>Mozilla</application> 1.2 and higher.
     </para>
 
     <para>In order to control which fonts are anti-aliased, or to
       configure anti-aliasing properties, create (or edit, if it
       already exists) the file
       <filename>/usr/X11R6/etc/fonts/local.conf</filename>.  Several
       advanced features of the Xft font system can be tuned using
       this file; this section describes only some simple
       possibilities.  For more details, please see
       &man.fonts-conf.5;.</para>
 
     <indexterm><primary>XML</primary></indexterm>
 
     <para>This file must be in XML format.  Pay careful attention to
       case, and make sure all tags are properly closed.  The file
       begins with the usual XML header followed by a DOCTYPE
       definition, and then the <literal>&lt;fontconfig&gt;</literal> tag:</para>
 
     <programlisting>
       &lt;?xml version="1.0"?&gt;
       &lt;!DOCTYPE fontconfig SYSTEM "fonts.dtd"&gt;
       &lt;fontconfig&gt;
     </programlisting>
 
     <para>As previously stated, all fonts in
       <filename>/usr/X11R6/lib/X11/fonts/</filename> as well as
       <filename>~/.fonts/</filename> are already made available to
       Xft-aware applications.  If you wish to add another directory
       outside of these two directory trees, add a line similar to the
       following to
       <filename>/usr/X11R6/etc/fonts/local.conf</filename>:</para>
 
     <programlisting>&lt;dir&gt;/path/to/my/fonts&lt;/dir&gt;</programlisting>
 
     <para>After adding new fonts, and especially new font directories,
       you should run the following command to rebuild the font
       caches:</para>
 
     <screen>&prompt.root; <userinput>fc-cache -f</userinput></screen>
 
     <para>Anti-aliasing makes borders slightly fuzzy, which makes very
       small text more readable and removes <quote>staircases</quote> from
       large text, but can cause eyestrain if applied to normal text.  To
       exclude font sizes smaller than 14 point from anti-aliasing, include
       these lines:</para>
 
       <programlisting>        &lt;match target="font"&gt;
             &lt;test name="size" compare="less"&gt;
                 &lt;double&gt;14&lt;/double&gt;
             &lt;/test&gt;
             &lt;edit name="antialias" mode="assign"&gt;
                 &lt;bool&gt;false&lt;/bool&gt;
             &lt;/edit&gt;
         &lt;/match&gt;
         &lt;match target="font"&gt;
             &lt;test name="pixelsize" compare="less" qual="any"&gt;
                 &lt;double&gt;14&lt;/double&gt;
             &lt;/test&gt;
             &lt;edit mode="assign" name="antialias"&gt;
                 &lt;bool&gt;false&lt;/bool&gt;
             &lt;/edit&gt;
         &lt;/match&gt;</programlisting>
 
     <indexterm><primary>fonts</primary>
       <secondary>spacing</secondary></indexterm>
 
     <para>Spacing for some monospaced fonts may also be inappropriate
       with anti-aliasing.  This seems to be an issue with
       <application>KDE</application>, in particular.  One possible fix for
       this is to force the spacing for such fonts to be 100.  Add the
       following lines:</para>
 
      <programlisting>       &lt;match target="pattern" name="family"&gt;
            &lt;test qual="any" name="family"&gt;
                &lt;string&gt;fixed&lt;/string&gt;
            &lt;/test&gt;
            &lt;edit name="family" mode="assign"&gt;
                &lt;string&gt;mono&lt;/string&gt;
            &lt;/edit&gt;
         &lt;/match&gt;
         &lt;match target="pattern" name="family"&gt;
             &lt;test qual="any" name="family"&gt;
                 &lt;string&gt;console&lt;/string&gt;
             &lt;/test&gt;
             &lt;edit name="family" mode="assign"&gt;
                 &lt;string&gt;mono&lt;/string&gt;
             &lt;/edit&gt;
         &lt;/match&gt;</programlisting>
 
       <para>(this aliases the other common names for fixed fonts as
         <literal>"mono"</literal>), and then add:</para>
 
       <programlisting>         &lt;match target="pattern" name="family"&gt;
              &lt;test qual="any" name="family"&gt;
                  &lt;string&gt;mono&lt;/string&gt;
              &lt;/test&gt;
              &lt;edit name="spacing" mode="assign"&gt;
                  &lt;int&gt;100&lt;/int&gt;
              &lt;/edit&gt;
          &lt;/match&gt;      </programlisting>
 
       <para>Certain fonts, such as Helvetica, may have a problem when
 	anti-aliased.  Usually this manifests itself as a font that
 	seems cut in half vertically.  At worst, it may cause
 	applications such as <application>Mozilla</application> to
 	crash.  To avoid this, consider adding the following to
 	<filename>local.conf</filename>:</para>
 
       <programlisting>         &lt;match target="pattern" name="family"&gt;
              &lt;test qual="any" name="family"&gt;
                  &lt;string&gt;Helvetica&lt;/string&gt;
              &lt;/test&gt;
              &lt;edit name="family" mode="assign"&gt;
                  &lt;string&gt;sans-serif&lt;/string&gt;
              &lt;/edit&gt;
          &lt;/match&gt;        </programlisting>
 
       <para>Once you have finished editing
         <filename>local.conf</filename> make sure you end the file
         with the <literal>&lt;/fontconfig&gt;</literal> tag.  Not doing this will cause
         your changes to be ignored.</para>
 
        <para>The default font set that comes with 
 	 X11 is not very
          desirable when it comes to anti-aliasing.  A much better
 	 set of default fonts can be found in the 
 	 <filename role="package">x11-fonts/bitstream-vera</filename>
 	 port.  This port will install a
 	 <filename>/usr/X11R6/etc/fonts/local.conf</filename> file
 	 if one does not exist already.  If the file does exist,
 	 the port will create a <filename>/usr/X11R6/etc/fonts/local.conf-vera
 	 </filename> file.  Merge the contents of this file into
 	 <filename>/usr/X11R6/etc/fonts/local.conf</filename>, and the 
 	 Bitstream fonts will automatically replace the default 
 	 X11 Serif, Sans Serif, and Monospaced
 	 fonts.</para>
 
        <para>Finally, users can add their own settings via their personal 
         <filename>.fonts.conf</filename> files.  To do this, each user should 
 	simply create a <filename>~/.fonts.conf</filename>.  This file must 
 	also be in XML format.</para>
 
        <indexterm><primary>LCD screen</primary></indexterm>
        <indexterm><primary>Fonts</primary>
          <secondary>LCD screen</secondary></indexterm>
 
        <para>One last point: with an LCD screen, sub-pixel sampling may be
         desired.  This basically treats the (horizontally separated)
         red, green and blue components separately to improve the horizontal
         resolution; the results can be dramatic.  To enable this, add the
         line somewhere in the <filename>local.conf</filename> file:</para>
 
        <programlisting>
          &lt;match target="font"&gt;
              &lt;test qual="all" name="rgba"&gt;
                  &lt;const&gt;unknown&lt;/const&gt;
              &lt;/test&gt;
              &lt;edit name="rgba" mode="assign"&gt;
                  &lt;const&gt;rgb&lt;/const&gt;
              &lt;/edit&gt;
          &lt;/match&gt;
        </programlisting>
 
        <note><para>Depending on the sort of display,
 	 <literal>rgb</literal> may need to be changed to <literal>bgr</literal>,
 	 <literal>vrgb</literal> or <literal>vbgr</literal>: experiment and
 	 see which works best.</para></note>
 
        <indexterm><primary>Mozilla</primary></indexterm>
        <indexterm><primary>web browsers</primary>
          <secondary>Mozilla</secondary>
          <see>Mozilla</see></indexterm>
 
        <para>Anti-aliasing should be enabled the next time the X
          server is started.  However, programs must know how to take
          advantage of it.  At present, the Qt toolkit does,
          so the entire <application>KDE</application> environment can
          use anti-aliased fonts (see <xref
          linkend="x11-wm-kde-antialias"> on
          <application>KDE</application> for details).  GTK+ and 
          <application>GNOME</application> can also be made to use 
          anti-aliasing via the <quote>Font</quote> capplet (see <xref
          linkend="x11-wm-gnome-antialias"> for details).  By default,
          <application>Mozilla</application> 1.2 and greater will 
          automatically use anti-aliasing. To disable this, rebuild 
          <application>Mozilla</application> with the
          <makevar>-DWITHOUT_XFT</makevar> flag.</para>
     </sect2>
   </sect1>
 
   <sect1 id="x-xdm">
     <sect1info>
       <authorgroup>
         <author>
           <firstname>Seth</firstname>
           <surname>Kingsley</surname>
           <contrib>Contributed by </contrib>
         </author>
       </authorgroup>
     </sect1info>
     <title>The X Display Manager</title>
     <sect2>
       <title>Overview</title>
 
       <indexterm><primary>X Display Manager</primary></indexterm>
       <para>The X Display Manager (<application>XDM</application>) is
         an optional part of the X Window System that is used for login
         session management.  This is useful for several types of
         situations, including minimal <quote>X Terminals</quote>,
         desktops, and large network display
         servers.  Since the X Window System is network and protocol
         independent, there are a wide variety of possible configurations
         for running X clients and servers on different machines
         connected by a network.  <application>XDM</application> provides
         a graphical interface for choosing which display server to
         connect to, and entering authorization information such as a
         login and password combination.</para>
 
       <para>Think of <application>XDM</application> as
         providing the same functionality to the user as the
         &man.getty.8; utility (see <xref linkend="term-config"> for
           details).  That is, it performs system logins to the display
           being connected to and then runs a session manager on behalf of
           the user (usually an X window
           manager).  <application>XDM</application> then waits for this
           program to exit, signaling that the user is done and should be
           logged out of the display.  At this point,
           <application>XDM</application> can display the login and display
           chooser screens for the next user to login.</para>
     </sect2>
 
     <sect2>
       <title>Using XDM</title>
 
       <para>The <application>XDM</application> daemon program is
         located in <filename>/usr/X11R6/bin/xdm</filename>.  This program
         can be run at any time as <username>root</username> and it will
         start managing the X display on the local machine.  If
         <application>XDM</application> is to be run every
         time the machine boots up, a convenient way to do this is by
         adding an entry to <filename>/etc/ttys</filename>.  For more
         information about the format and usage of this file, see <xref
         linkend="term-etcttys">.  There is a line in the default
         <filename>/etc/ttys</filename> file for running the
         <application>XDM</application> daemon on a virtual terminal:</para>
 
       <screen>ttyv8   "/usr/X11R6/bin/xdm -nodaemon"  xterm   off secure</screen>
 
       <para>By default this entry is disabled; in order to enable it
         change field 5 from <literal>off</literal> to
         <literal>on</literal> and restart &man.init.8; using the
         directions in <xref linkend="term-hup">.  The first field, the
         name of the terminal this program will manage, is
         <literal>ttyv8</literal>.  This means that
         <application>XDM</application> will start running on the 9th
         virtual terminal.</para>
     </sect2>
 
     <sect2>
       <title>Configuring XDM</title>
 
       <para>The <application>XDM</application> configuration directory
         is located in <filename>/usr/X11R6/lib/X11/xdm</filename>.  In
         this directory there are several files used to change the
         behavior and appearance of
         <application>XDM</application>.  Typically these files will
         be found:</para>
 
-        <informaltable frame="none">
+        <informaltable frame="none" pgwide="1">
           <tgroup cols="2">
             <thead>
               <row>
                 <entry>File</entry>
                 <entry>Description</entry>
               </row>
             </thead>
 
             <tbody>
               <row>
                 <entry><filename>Xaccess</filename></entry>
                 <entry>Client authorization ruleset.</entry>
               </row>
 
               <row>
                 <entry><filename>Xresources</filename></entry>
                 <entry>Default X resource values.</entry>
               </row>
 
               <row>
                 <entry><filename>Xservers</filename></entry>
                 <entry>List of remote and local displays to manage.</entry>
               </row>
 
               <row>
                 <entry><filename>Xsession</filename></entry>
                 <entry>Default session script for logins.</entry>
               </row>
 
               <row>
                 <entry><filename>Xsetup_</filename>*</entry>
                 <entry>Script to launch applications before the login
                   interface.</entry>
               </row>
 
               <row>
                 <entry><filename>xdm-config</filename></entry>
                 <entry>Global configuration for all displays running on
                   this machine.</entry>
               </row>
 
               <row>
                 <entry><filename>xdm-errors</filename></entry>
                 <entry>Errors generated by the server program.</entry>
               </row>
 
               <row>
                 <entry><filename>xdm-pid</filename></entry>
                 <entry>The process ID of the currently running XDM.</entry>
               </row>
             </tbody>
           </tgroup>
         </informaltable>
 
       <para>Also in this directory are a few scripts and programs used
         to set up the desktop when <application>XDM</application> is
         running.  The purpose of each of these files will be briefly
         described.  The exact syntax and usage of all of these files is
         described in &man.xdm.1;.</para>
 
       <para>The default configuration is a simple rectangular login
         window with the hostname of the machine displayed at the top in
         a large font and <quote>Login:</quote> and
         <quote>Password:</quote> prompts below.  This is a good starting
         point for changing the look and feel of
         <application>XDM</application> screens.</para>
 
       <sect3>
         <title>Xaccess</title>
 
         <para>The protocol for connecting to
           <application>XDM</application> controlled displays is called
           the X Display Manager Connection Protocol (XDMCP).  This file
           is a ruleset for controlling XDMCP connections from remote
           machines.  By default, it allows any client to connect, but
           that does not matter unless the <filename>xdm-config</filename>
           is changed to listen for remote connections.</para>
       </sect3>
 
       <sect3>
         <title>Xresources</title>
         <para>This is an application-defaults file for the display
           chooser and the login screens.  This is where the appearance
           of the login program can be modified.  The format is identical
           to the app-defaults file described in the
 	  X11 documentation.</para>
       </sect3>
 
       <sect3>
         <title>Xservers</title>
         <para>This is a list of the remote displays the chooser should
           provide as choices.</para>
       </sect3>
 
       <sect3>
         <title>Xsession</title>
         <para>This is the default session script for
           <application>XDM</application> to run after a user has logged
           in.  Normally each user will have a customized session script
           in <filename>~/.xsession</filename> that overrides this
           script.</para>
       </sect3>
 
       <sect3>
         <title>Xsetup_*</title>
         <para>These will be run automatically before displaying the
           chooser or login interfaces.  There is a script for each
           display being used, named <filename>Xsetup_</filename> followed
           by the local display number (for instance
           <filename>Xsetup_0</filename>).  Typically these scripts will
           run one or two programs in the background such as
           <command>xconsole</command>.</para>
       </sect3>
 
       <sect3>
         <title>xdm-config</title>
         <para>This contains settings in the form of app-defaults
           that are applicable to every display that this installation
           manages.</para>
       </sect3>
 
       <sect3>
         <title>xdm-errors</title>
         <para>This contains the output of the X servers that
           <application>XDM</application> is trying to run.  If a display
           that <application>XDM</application> is trying to start hangs
           for some reason, this is a good place to look for error
           messages.  These messages are also written to the user's
           <filename>~/.xsession-errors</filename> file on a per-session
           basis.</para>
       </sect3>
     </sect2>
 
     <sect2>
       <title>Running a Network Display Server</title>
 
       <para>In order for other clients to connect to the display
         server, edit the access control rules, and enable the connection
         listener.  By default these are set to conservative values.
         To make <application>XDM</application> listen for connections,
         first comment out a line in the <filename>xdm-config</filename>
         file:</para>
 
       <screen>! SECURITY: do not listen for XDMCP or Chooser requests
 ! Comment out this line if you want to manage X terminals with xdm
 DisplayManager.requestPort:     0</screen>
 
       <para>and then restart <application>XDM</application>.  Remember that
         comments in app-defaults files begin with a <quote>!</quote>
         character, not the usual <quote>#</quote>.  More strict
         access controls may be desired.  Look at the example
         entries in <filename>Xaccess</filename>, and refer to the
         &man.xdm.1; manual page.</para>
     </sect2>
 
      <sect2>
         <title>Replacements for XDM</title>
 
         <para>Several replacements for the default
           <application>XDM</application> program exist.  One of them,
           <application>kdm</application> (bundled with
           <application>KDE</application>) is described later in this
           chapter.  The <application>kdm</application> display manager offers many visual
           improvements and cosmetic frills, as well as the
           functionality to allow users to choose their window manager
           of choice at login time.</para>
      </sect2>
   </sect1>
 
   <sect1 id="x11-wm">
     <sect1info>
       <authorgroup>
         <author>
           <firstname>Valentino</firstname>
           <surname>Vaschetto</surname>
           <contrib>Contributed by </contrib>
         </author>
         <!-- June 2001 -->
       </authorgroup>
     </sect1info>
 
     <title>Desktop Environments</title>
 
     <para>This section describes the different desktop environments
       available for X on FreeBSD.  A <quote>desktop environment</quote>
       can mean anything ranging from a simple window manager to a
       complete suite of desktop applications, such as
       <application>KDE</application> or <application>GNOME</application>.
     </para>
 
     <sect2 id="x11-wm-gnome">
       <title>GNOME</title>
 
       <sect3 id="x11-wm-gnome-about">
         <title>About GNOME</title>
 
         <indexterm><primary>GNOME</primary></indexterm>
         <para><application>GNOME</application> is a user-friendly
           desktop environment that enables users to easily use and
           configure their computers.  <application>GNOME</application>
           includes a panel (for starting applications and displaying
           status), a desktop (where data and applications can be
           placed), a set of standard desktop tools and applications, and
           a set of conventions that make it easy for applications to
           cooperate and be consistent with each other.  Users of other
           operating systems or environments should feel right at home
           using the powerful graphics-driven environment that
           <application>GNOME</application> provides.  More
 	  information regarding <application>GNOME</application> on
 	  FreeBSD can be found on the <ulink
 	  url="http://www.FreeBSD.org/gnome">FreeBSD GNOME
 	  Project</ulink>'s web site.</para>
       </sect3>
 
       <sect3 id="x11-wm-gnome-install">
         <title>Installing GNOME</title>
 
         <para>The easiest way to install
           <application>GNOME</application> is through the
           <quote>Desktop Configuration</quote> menu during the FreeBSD
 	  installation process as described in <xref
 	  linkend="default-desktop"> of Chapter&nbsp;2.  It can also
           be easily installed from a package or the ports
           collection:</para>
 
         <para>To install the <application>GNOME</application> package
           from the network, simply type:</para>
 
         <screen>&prompt.root; <userinput>pkg_add -r gnome2</userinput></screen>
 
         <para>To build <application>GNOME</application> from source, use
           the ports tree:</para>
 
         <screen>&prompt.root; <userinput>cd /usr/ports/x11/gnome2</userinput>
 &prompt.root; <userinput>make install clean</userinput></screen>
 
         <para>Once <application>GNOME</application> is installed,
           the X server must be told to start
           <application>GNOME</application> instead of a default window
           manager.  If a custom <filename>.xinitrc</filename> is already in
           place, simply replace the line that starts the current window
           manager with one that starts
           <application>/usr/X11R6/bin/gnome-session</application> instead.
           If nothing special has been done to configuration file,
           then it is enough to simply type:</para>
 
         <screen>&prompt.user; <userinput>echo "/usr/X11R6/bin/gnome-session" &gt; ~/.xinitrc</userinput></screen>
 
         <para>Next, type <command>startx</command>, and the
           <application>GNOME</application> desktop environment will be
           started.</para>
 
         <note><para>If a display manager, like
           <application>XDM</application>, is being used, this will not work.
           Instead, create an executable <filename>.xsession</filename>
           file with the same command in it.  To do this, edit the file
           and replace the existing window manager command with
           <application>/usr/X11R6/bin/gnome-session</application>:
           </para></note>
 
         <screen>&prompt.user; <userinput>echo "#!/bin/sh" > ~/.xsession</userinput>
 &prompt.user; <userinput>echo "/usr/X11R6/bin/gnome-session" >> ~/.xsession</userinput>
 &prompt.user; <userinput>chmod +x ~/.xsession</userinput></screen>
 
         <para>Another option is to configure the display manager to
           allow choosing the window manager at login time; the section on
           <link linkend="x11-wm-kde-details">KDE details</link>
           explains how to do this for <application>kdm</application>, the
           display manager of <application>KDE</application>.</para>
       </sect3>
 
       <sect3 id="x11-wm-gnome-antialias">
         <title>Anti-aliased Fonts with GNOME</title>
 
         <indexterm><primary>GNOME</primary>
           <secondary>anti-aliased fonts</secondary></indexterm>
 	<para>X11
 	  supports anti-aliasing via its <quote>RENDER</quote> extension.
 	  GTK+ 2.0 and greater (the toolkit used by
 	  <application>GNOME</application>) can make use of this
 	  functionality.  Configuring anti-aliasing is described in
 	  <xref linkend="antialias">.  So, with up-to-date software,
 	  anti-aliasing is possible within the
 	  <application>GNOME</application> desktop.  Just go to
 	  <menuchoice>
 	    <guimenu>Applications</guimenu>
 	    <guisubmenu>Desktop Preferences</guisubmenu>
 	    <guimenuitem>Font</guimenuitem></menuchoice>, and select either
 	  <guibutton>Best shapes</guibutton>, 
 	  <guibutton>Best contrast</guibutton>, or
 	  <guibutton>Subpixel smoothing (LCDs)</guibutton>.  For a
 	  GTK+ application that is not part of the 
 	  <application>GNOME</application> desktop, set the
 	  environment variable <varname>GDK_USE_XFT</varname> to
 	  <literal>1</literal> before launching the program.</para>
       </sect3>
     </sect2>
 
     <sect2 id="x11-wm-kde">
       <title>KDE</title>
 
       <indexterm><primary>KDE</primary></indexterm>
       <sect3 id="x11-wm-kde-about">
         <title>About KDE</title>
 
         <para><application>KDE</application> is an easy to use
           contemporary desktop environment.  Some of the things that
           <application>KDE</application> brings to the user are:</para>
 
         <itemizedlist>
           <listitem>
 	    <para>A beautiful contemporary desktop</para>
 	  </listitem>
 
           <listitem>
 	    <para>A desktop exhibiting complete network transparency</para>
 	  </listitem>
 
           <listitem>
 	    <para>An integrated help system allowing for convenient,
 	      consistent access to help on the use of the
 	      <application>KDE</application> desktop and its
 	      applications</para>
 	  </listitem>
 
           <listitem>
 	    <para>Consistent look and feel of all
               <application>KDE</application> applications</para>
 	  </listitem>
 
           <listitem>
 	    <para>Standardized menu and toolbars, keybindings, color-schemes,
 	      etc.</para>
 	  </listitem>
 
           <listitem>
 	    <para>Internationalization: <application>KDE</application>
               is available in more than 40 languages</para>
 	  </listitem>
 
           <listitem>
 	    <para>Centralized consisted dialog driven desktop
 	      configuration</para>
 	  </listitem>
 
           <listitem>
 	    <para>A great number of useful
               <application>KDE</application> applications</para>
 	  </listitem>
         </itemizedlist>
 
         <para><application>KDE</application> has an office application
           suite based on <application>KDE</application>'s
           <quote>KParts</quote> technology consisting
           of a spread-sheet, a presentation application, an organizer, a
           news client and more.  <application>KDE</application> also
           comes with a web browser called
           <application>Konqueror</application>, which represents
           a solid competitor to other existing web browsers on &unix;
           systems.  More information on <application>KDE</application>
           can be found on the <ulink url="http://www.kde.org/">KDE
           website</ulink>.  For FreeBSD specific informations and
 	  resources on <application>KDE</application>, consult
 	  the <ulink url="http://freebsd.kde.org/">FreeBSD-KDE
 	  team</ulink>'s website.</para>
       </sect3>
 
       <sect3 id="x11-wm-kde-install">
         <title>Installing KDE</title>
 
         <para>Just as with <application>GNOME</application> or any
           other desktop environment, the easiest way to install
           <application>KDE</application> is through the <quote>Desktop
           Configuration</quote> menu during the FreeBSD installation
 	  process as described in <xref linkend="default-desktop"> of Chapter
 	  2.  Once again, the software can be easily installed from a package
 	  or from the ports collection:</para>
 
         <para>To install the <application>KDE</application> package
           from the network, simply type:</para>
 
         <screen>&prompt.root; <userinput>pkg_add -r kde</userinput></screen>
 
 	<para>&man.pkg.add.1; will automatically fetch the latest version
 	  of the application.</para>
 
         <para>To build <application>KDE</application> from source,
           use the ports tree:</para>
 
         <screen>&prompt.root; <userinput>cd /usr/ports/x11/kde3</userinput>
 &prompt.root; <userinput>make install clean</userinput></screen>
 
         <para>After <application>KDE</application> has been installed,
           the X server must be told to launch this application
           instead of the default window manager.  This is accomplished
           by editing the <filename>.xinitrc</filename> file:</para>
 
         <screen>&prompt.user; <userinput>echo "exec startkde" &gt; ~/.xinitrc</userinput></screen>
 
 	<para>Now, whenever the X Window System is invoked with
 	  <command>startx</command>,
           <application>KDE</application> will be the desktop.</para>
 
         <para>If a display manager such as
           <application>XDM</application> is being used, the
           configuration is slightly different.  Edit the
           <filename>.xsession</filename> file instead.  Instructions
           for <application>kdm</application> are described later in
           this chapter.</para>
       </sect3>
     </sect2>
 
     <sect2 id="x11-wm-kde-details">
         <title>More Details on KDE</title>
 
         <para>Now that <application>KDE</application> is installed on
           the system, most things can be discovered through the
           help pages, or just by pointing and clicking at various menus.
           &windows; or &mac; users will feel quite at home.</para>
 
         <para>The best reference for <application>KDE</application> is
           the on-line documentation.  <application>KDE</application>
           comes with its own web browser,
           <application>Konqueror</application>, dozens of useful
           applications, and extensive documentation.  The remainder of
           this section discusses the technical items that are
           difficult to learn by random exploration.</para>
 
       <sect3 id="x11-wm-kde-kdm">
         <title>The KDE Display Manager</title>
 
         <indexterm><primary>KDE</primary>
           <secondary>display manager</secondary></indexterm>
         <para>An administrator of a multi-user system may wish to have
           a graphical login screen to welcome users.
           <link linkend="x-xdm">XDM</link> can be
           used, as described earlier.  However,
           <application>KDE</application> includes an
           alternative, <application>kdm</application>, which is designed
           to look more attractive and include more login-time options.
           In particular, users can easily choose (via a menu) which
           desktop environment (<application>KDE</application>,
           <application>GNOME</application>, or something else) to run
           after logging on.</para>
 
         <para>To begin with, run the <application>KDE</application>
           control panel, <command>kcontrol</command>, as
           <username>root</username>.  It is generally considered
           unsafe to run the entire X environment as
           <username>root</username>.  Instead, run the window manager
           as a normal user, open a terminal window (such as
           <filename>xterm</filename> or <application>KDE</application>'s
           <filename>konsole</filename>), become <username>root</username>
           with <userinput>su</userinput> (the user must be in the
           <groupname>wheel</groupname>
           group in <filename>/etc/group</filename> for this), and then
           type <userinput>kcontrol</userinput>.</para>
 
 	<para>Click on the icon on the left marked
 	  <guibutton>System</guibutton>, then on <guibutton>Login
 	  manager</guibutton>.  On the right there are
           various configurable options, which the
           <application>KDE</application> manual will explain in greater
           detail.  Click on <guibutton>sessions</guibutton> on the right.
           Click <guibutton>New type</guibutton> to add various window
           managers and desktop environments.  These are just labels,
           so they can say <application>KDE</application> and
           <application>GNOME</application> rather than
           <application>startkde</application> or
           <application>gnome-session</application>.
           Include a label <literal>failsafe</literal>.</para>
 
         <para>Play with the other menus as well, they are mainly
           cosmetic and self-explanatory.  When you are done, click on
           <guibutton>Apply</guibutton> at the bottom, and quit the
           control center.</para>
 
         <para>To make sure <application>kdm</application> understands
           what the labels (<application>KDE</application>,
           <application>GNOME</application> etc) mean, edit the files used
           by <link linkend="x-xdm">XDM</link>.
           <note><para>In <application>KDE 2.2</application> this has
             changed: <application>kdm</application> now uses its own
             configuration files.  Please see the <application>KDE
             2.2</application> documentation for details.</para>
           </note>
           In a terminal window, as <username>root</username>,
           edit the file
           <filename>/usr/X11R6/lib/X11/xdm/Xsession</filename>.  There is
           a section in the middle like this:</para>
 
 	<screen>case $# in
 1)
         case $1 in
         failsafe)
                 exec xterm -geometry 80x24-0-0
                 ;;
         esac
 esac</screen>
 
         <para>A few lines need to be added to this section.
           Assuming the labels from used were <quote>KDE</quote> and
           <quote>GNOME</quote>,
           use the following:</para>
 
 	<screen>case $# in
 1)
         case $1 in
         kde)
                 exec /usr/local/bin/startkde
                 ;;
         GNOME)
                 exec /usr/X11R6/bin/gnome-session
                 ;;
         failsafe)
                 exec xterm -geometry 80x24-0-0
                 ;;
         esac
 esac</screen>
 
         <para>For the <application>KDE</application>
           login-time desktop background to be honored,
           the following line needs to be added to
           <filename>/usr/X11R6/lib/X11/xdm/Xsetup_0</filename>:</para>
 
         <screen>/usr/local/bin/kdmdesktop</screen>
 
         <para>Now, make sure <application>kdm</application> is listed in
           <filename>/etc/ttys</filename> to be started at the next bootup.
           To do this, simply follow the instructions from the previous
           section on <link linkend="x-xdm">XDM</link> and replace
           references to the <command>/usr/X11R6/bin/xdm</command>
           program with <command>/usr/local/bin/kdm</command>.</para>
       </sect3>
 
       <sect3 id="x11-wm-kde-antialias">
         <title>Anti-aliased Fonts</title>
 
         <indexterm><primary>KDE</primary>
           <secondary>anti-aliased fonts</secondary></indexterm>
         <para>X11
 	  supports anti-aliasing via
 	  its <quote>RENDER</quote> extension, and starting with version 2.3,
 	  Qt (the toolkit used by <application>KDE</application>) supports
 	  this extension.  Configuring this is described in <xref
           linkend="antialias"> on antialiasing X11 fonts.  So, with
           up-to-date software, anti-aliasing is possible on a
           <application>KDE</application> desktop.  Just go to the KDE
 	  menu, go to
 	  <menuchoice>
 	    <guimenu>Preferences</guimenu>
 	    <guisubmenu>Look and Feel</guisubmenu>
 	    <guimenuitem>Fonts</guimenuitem></menuchoice>, and click on the check box
           <guibutton>Use Anti-Aliasing for Fonts and Icons</guibutton>.
           For a Qt application which is not part of
 	  <application>KDE</application>, the environment variable
 	  <varname>QT_XFT</varname> needs to be set to <literal>true</literal>
 	  before starting the program.</para>
 
        </sect3>
      </sect2>
 
      <sect2 id="x11-wm-xfce">
          <title>XFce</title>
        <sect3 id="x11-wm-xfce-about">
          <title>About XFce</title>
 
         <para><application>XFce</application> is a desktop environment
           based on the GTK+
           toolkit used by <application>GNOME</application>, but is much
           more lightweight and meant for those who want a simple,
           efficient desktop which is nevertheless easy to use and
           configure.  Visually, it looks very much like
           <application>CDE</application>, found on commercial &unix;
           systems.  Some of <application>XFce</application>'s features
           are:</para>
 
          <itemizedlist>
            <listitem>
 	     <para>A simple, easy-to-handle desktop</para>
            </listitem>
 
            <listitem>
 	     <para>Fully configurable via mouse, with drag and
                drop, etc </para>
            </listitem>
 
            <listitem>
 	     <para>Main panel similar to <application>CDE</application>, with
 	       menus, applets and applications launchers</para>
            </listitem>
 
            <listitem>
 	     <para>Integrated window manager, file manager, sound manager,
 	       <application>GNOME</application> compliance module, and other
 	       things</para>
            </listitem>
 
            <listitem>
 	     <para>Themeable (since it uses GTK+)</para>
            </listitem>
 
            <listitem>
 	     <para>Fast, light and efficient: ideal for older/slower machines
 	       or machines with memory limitations</para>
            </listitem>
          </itemizedlist>
 
          <para>More information on <application>XFce</application>
           can be found on the <ulink url="http://www.xfce.org/">XFce
             website</ulink>.</para>
        </sect3>
 
        <sect3 id="x11-wm-xfce-install">
          <title>Installing XFce</title>
 
         <para>A binary package for <application>XFce</application>
           exists (at the time of writing).  To install, simply type:</para>
 
         <screen>&prompt.root; <userinput>pkg_add -r xfce4</userinput></screen>
 
         <para>Alternatively, to build from source, use the ports
           collection:</para>
 
         <screen>&prompt.root; <userinput>cd /usr/ports/x11-wm/xfce4</userinput>
 &prompt.root; <userinput>make install clean</userinput></screen>
 
         <para>Now, tell the X server to launch
          <application>XFce</application> the next time X is started.
          Simply type this:</para>
 
         <screen>&prompt.user; <userinput>echo "/usr/X11R6/bin/startxfce4" &gt; ~/.xinitrc</userinput></screen>
 
         <para>The next time X is started,
           <application>XFce</application> will be the desktop.
           As before, if a display manager like
           <application>XDM</application> is being used, create an
           <filename>.xsession</filename>, as described in the
           section on <link linkend="x11-wm-gnome">GNOME</link>, but
           with the <filename>/usr/X11R6/bin/startxfce4</filename>
           command; or, configure the display manager to allow
           choosing a desktop at login time, as explained in
           the section on <link linkend="x11-wm-kde-kdm">kdm</link>.</para>
       </sect3>
     </sect2>
   </sect1>
 
 </chapter>
 
 <!--
      Local Variables:
      mode: sgml
      sgml-declaration: "../chapter.decl"
      sgml-indent-data: t
      sgml-omittag: nil
      sgml-always-quote-attributes: t
      sgml-parent-document: ("../book.sgml" "part" "chapter")
      End:
 -->
diff --git a/en_US.ISO8859-1/books/porters-handbook/book.sgml b/en_US.ISO8859-1/books/porters-handbook/book.sgml
index 4c4e27cd39..82608ef582 100644
--- a/en_US.ISO8859-1/books/porters-handbook/book.sgml
+++ b/en_US.ISO8859-1/books/porters-handbook/book.sgml
@@ -1,8404 +1,8404 @@
 <!--
      The FreeBSD Documentation Project
 
      $FreeBSD$
 -->
 
 <!DOCTYPE BOOK PUBLIC "-//FreeBSD//DTD DocBook V4.1-Based Extension//EN" [
 <!ENTITY % books.ent PUBLIC "-//FreeBSD//ENTITIES DocBook FreeBSD Books Entity Set//EN">
 %books.ent;
 ]>
 
 <book>
   <bookinfo>
     <title>FreeBSD Porter's Handbook</title>
 
     <authorgroup>
       <corpauthor>The FreeBSD Documentation Project</corpauthor>
     </authorgroup>
 
     <pubdate>April 2000</pubdate>
 
     <copyright>
       <year>2000</year>
       <year>2001</year>
       <year>2002</year>
       <year>2003</year>
       <year>2004</year>
       <holder role="mailto:doc@FreeBSD.org">The FreeBSD Documentation
 	Project</holder>
     </copyright>
 
     &bookinfo.trademarks;
 
     &bookinfo.legalnotice;
   </bookinfo>
 
     <chapter id="why-port">
       <title>Introduction</title>
 
       <para>The FreeBSD ports collection is the way almost everyone
 	installs applications ("ports") on FreeBSD.  Like everything
 	else about FreeBSD, it is primarily a volunteer effort.
 	It is important to keep this in mind when reading this
 	document.</para>
 
       <para>In FreeBSD, anyone may submit a new port, or volunteer
 	to maintain an existing port if it is unmaintained&mdash;you
 	do not need any special commit privileges to do so.</para>
 
     </chapter>
 
     <chapter id="own-port">
       <title>Making a port yourself</title>
 
       <para>So, you are interested in making your own port or
 	upgrading an existing one?  Great!</para>
 
       <para>What follows are some guidelines for creating a new port for
 	FreeBSD.  If you want to upgrade an existing port, you should
 	read this and then read <xref linkend="port-upgrading">.</para>
 
       <para>When this document is not sufficiently detailed, you should
 	refer to <filename>/usr/ports/Mk/bsd.port.mk</filename>, which
 	all port Makefiles include.  Even if you do not hack Makefiles
 	daily, it is well commented, and you will still gain much
 	knowledge from it.  Additionally, you may send specific questions
 	to the &a.ports;.</para>
 
       <note>
 	<para>Only a fraction of the variables
 	  (<makevar><replaceable>VAR</replaceable></makevar>) that can be
 	  overridden are mentioned in this document.  Most (if not all)
 	  are documented at the start of <filename>/usr/ports/Mk/bsd.port.mk</filename>;
 	  the others probably ought to be.
 	  Note that this file uses a non-standard tab setting:
 	  <application>Emacs</application> and
 	  <application>Vim</application> should recognize the setting on
 	  loading the file.  Both &man.vi.1; and
 	  &man.ex.1; can be set to use the correct value by
 	  typing <command>:set tabstop=4</command> once the file has been
 	  loaded.</para>
       </note>
     </chapter>
 
     <chapter id="quick-porting">
       <title>Quick Porting</title>
 
       <para>This section tells you how to do a quick port.  In many cases, it
 	is not sufficient, so you will have to read further on into
 	the document.</para>
 
       <para>First, get the original tarball and put it into
 	<makevar>DISTDIR</makevar>, which defaults to
 	<filename>/usr/ports/distfiles</filename>.</para>
 
       <note>
 	<para>The following assumes that the software compiled out-of-the-box,
 	  i.e., there was absolutely no change required for the port to work
 	  on your FreeBSD box.  If you needed to change something, you will
 	  have to refer to the next section too.</para>
       </note>
 
       <sect1 id="porting-makefile">
 	<title>Writing the <filename>Makefile</filename></title>
 
 	<para>The minimal <filename>Makefile</filename> would look something
 	  like this:</para>
 
 	<programlisting># New ports collection makefile for:   oneko
 # Date created:        5 December 1994
 # Whom:                asami
 #
 # &dollar;FreeBSD&dollar;
 #
 
 PORTNAME=      oneko
 PORTVERSION=   1.1b
 CATEGORIES=    games
 MASTER_SITES=  ftp://ftp.cs.columbia.edu/archives/X11R5/contrib/
 
 MAINTAINER=    asami@FreeBSD.org
 COMMENT=       A cat chasing a mouse all over the screen
 
 MAN1=          oneko.1
 MANCOMPRESSED= yes
 USE_IMAKE=     yes
 
 .include &lt;bsd.port.mk&gt;</programlisting>
 
 	<para>See if you can figure it out.  Do not worry about the contents
 	  of the <literal>&dollar;FreeBSD&dollar;</literal> line, it will be
 	  filled in automatically by CVS when the port is imported to our main
 	  ports tree.  You can find a more detailed example in the <link
 	    linkend="porting-samplem">sample Makefile</link> section.</para>
       </sect1>
 
       <sect1 id="porting-desc">
 	<title>Writing the description files</title>
 
 	<para>There are two description files that are required for
 	  any port, whether they actually package or not. They are
 	  <filename>pkg-descr</filename> and
 	  <filename>pkg-plist</filename>.  Their
 	  <filename>pkg-</filename> prefix distinguishes them from
 	  other files.</para>
 
 	<sect2>
 	  <title><filename>pkg-descr</filename></title>
 
 	  <para>This is a longer description of the port.  One to a few
 	    paragraphs concisely explaining what the port does is
 	    sufficient.</para>
 
 	  <note>
 	    <para>This is <emphasis>not</emphasis> a manual or an in-depth
 	      description on how to use or compile the port! <emphasis>Please
 	      be careful if you are copying from the
 	      <filename>README</filename> or manpage</emphasis>; too often
 	      they are not a concise description of the port or are in an
 	      awkward format (e.g., manpages have justified spacing).  If the
 	      ported software has an official WWW homepage, you should list it
 	      here.  Prefix <emphasis>one</emphasis> of the websites with
 	      <literal>WWW:</literal> so that automated tools will work
 	      correctly.</para>
 	  </note>
 
 	  <para>It is recommended that you sign your name at the end of this
 	    file, as in:</para>
 
 	  <programlisting>This is a port of oneko, in which a cat chases a poor mouse all over
 the screen.
  :
 (etc.)
 
 WWW: http://www.oneko.org/
 
 - Satoshi
 asami@cs.berkeley.edu</programlisting>
 	</sect2>
 
 	<sect2>
 	  <title><filename>pkg-plist</filename></title>
 
 	  <para>This file lists all the files installed by the port.  It is
 	    also called the <quote>packing list</quote> because the package is
 	    generated by packing the files listed here.  The pathnames are
 	    relative to the installation prefix (usually
 	    <filename>/usr/local</filename> or
 	    <filename>/usr/X11R6</filename>).  If you are using the
 	    <makevar>MAN<replaceable>n</replaceable></makevar> variables (as
 	    you should be), do not list any manpages here.</para>
 
 	  <para>Here is a small example:</para>
 
 	  <programlisting>bin/oneko
 lib/X11/app-defaults/Oneko
 lib/X11/oneko/cat1.xpm
 lib/X11/oneko/cat2.xpm
 lib/X11/oneko/mouse.xpm
 @dirrm lib/X11/oneko</programlisting>
 
 	  <para>Refer to the &man.pkg.create.1; manual page for details on the
 	    packing list.</para>
 
 	  <note>
 	    <para>You should list all the files, but not the name directories,
 	      in the list.  Also, if the port creates directories for itself
 	      during installation, make sure to add <literal>@dirrm</literal>
 	      lines as necessary to remove them when the port is
 	      deleted.</para>
 
 	    <para>It is recommended that you keep all the filenames in this
 	      file sorted alphabetically.  It will make verifying the changes
 	      when you upgrade the port much easier.</para>
 
 	    <para>Creating a packing list manually can be a very tedious
 	      task.  If the port installs a large numbers of files, <link
 		linkend="porting-autoplist">creating the packing list
 		automatically</link> might save time.</para>
 	  </note>
 
 	  <para>There is only one case when <filename>pkg-plist</filename>
 	    can be omitted from a port.  If the port installs just a handful
 	    of files, and perhaps directories, the files and directories may
 	    be listed in the variables <makevar>PLIST_FILES</makevar> and
 	    <makevar>PLIST_DIRS</makevar>, respectively, within the port's
 	    <filename>Makefile</filename>.  For instance, we could get along
 	    without <filename>pkg-plist</filename> in the above
 	    <filename>oneko</filename> port by adding the
 	    following lines to the <filename>Makefile</filename>:</para>
 
 	  <programlisting>PLIST_FILES=    bin/oneko \
                 lib/X11/app-defaults/Oneko \
                 lib/X11/oneko/cat1.xpm \
                 lib/X11/oneko/cat2.xpm \
                 lib/X11/oneko/mouse.xpm
 PLIST_DIRS=     lib/X11/oneko</programlisting>
 
 	  <para>Of course, <makevar>PLIST_DIRS</makevar> should be left
 	    unset if a port installs no directories of its own.</para>
 
 	  <para>The price for this way of listing port's files and
 	    directories is that you cannot use command sequences
 	    described in &man.pkg.create.1;.  Therefore, it is suitable
 	    only for simple ports and makes them even simpler.  At the
 	    same time, it has the advantage of reducing the number of files
 	    in the ports collection.  Please consider using this technique
 	    before you resort to <filename>pkg-plist</filename>.</para>
 
 	  <para>Later we will see how <filename>pkg-plist</filename>
 	    and <makevar>PLIST_FILES</makevar> can be used to fulfil
 	    <link linkend="porting-plist">more sophisticated
 	    tasks</link>.</para>
 	</sect2>
       </sect1>
 
       <sect1 id="porting-checksum">
 	<title>Creating the checksum file</title>
 
 	<para>Just type <command>make makesum</command>. The ports make rules
 	  will automatically generate the file
 	  <filename>distinfo</filename>.</para>
       </sect1>
 
       <sect1 id="porting-testing">
 	<title>Testing the port</title>
 
 	<para>You should make sure that the port rules do exactly what you
 	  want them to do, including packaging up the port.  These are the
 	  important points you need to verify.</para>
 
 	<itemizedlist>
 	  <listitem>
 	    <para><filename>pkg-plist</filename> does not contain anything not
 	      installed by your port</para>
 	  </listitem>
 
 	  <listitem>
 	    <para><filename>pkg-plist</filename> contains everything that is
 	      installed by your port</para>
 	  </listitem>
 
 	  <listitem>
 	    <para>Your port can be installed multiple times using the
 	      <maketarget>reinstall</maketarget> target</para>
 	  </listitem>
 
 	  <listitem>
 	    <para>Your port <link linkend="porting-cleaning">cleans up</link>
 	      after itself upon deinstall</para>
 	  </listitem>
 	</itemizedlist>
 
 	<procedure>
 	  <title>Recommended test ordering</title>
 
 	  <step>
 	    <para><command>make install</command></para>
 	  </step>
 
 	  <step>
 	    <para><command>make package</command></para>
 	  </step>
 
 	  <step>
 	    <para><command>make deinstall</command></para>
 	  </step>
 
 	  <step>
 	    <para><command>pkg_add <replaceable>package-name</replaceable>
 	      </command></para>
 	  </step>
 
 	  <step>
 	    <para><command>make deinstall</command></para>
 	  </step>
 
 	  <step>
 	    <para><command>make reinstall</command></para>
 	  </step>
 
 	  <step>
 	    <para><command>make package</command></para>
 	  </step>
 	</procedure>
 
 	<para>Make sure that there are not any warnings issued in any of the
 	  <maketarget>package</maketarget> and
 	  <maketarget>deinstall</maketarget> stages.  After step 3, check to
 	  see if all the new directories are correctly deleted.  Also, try
 	  using the software after step 4, to ensure that it works correctly
 	  when installed from a package.</para>
       </sect1>
 
       <sect1 id="porting-portlint">
 	<title>Checking your port with <command>portlint</command></title>
 
 	<para>Please use <command>portlint</command> to see if your port
 	  conforms to our guidelines.  The <command>portlint</command> program
 	  is part of the ports collection.  In particular, you may want to
 	  check if the <link linkend="porting-samplem">Makefile</link> is in
 	  the right shape and the <link
 	    linkend="porting-pkgname">package</link> is named
 	  appropriately.</para>
       </sect1>
 
       <sect1 id="porting-submitting">
 	<title>Submitting the port</title>
 
 	<para>First, make sure you have read the <link
 	    linkend="porting-dads">DOs and DON'Ts</link> section.</para>
 
 	<para>Now that you are happy with your port, the only thing remaining
 	  is to put it in the main FreeBSD ports tree and make everybody else
 	  happy about it too.  We do not need your <filename>work</filename>
 	  directory or the <filename>pkgname.tgz</filename> package, so delete
 	  them now.  Next, simply include the output of <command>shar `find
 	    port_dir`</command> in a bug report and send it with the
 	    &man.send-pr.1; program (see <ulink url="&url.articles.contributing;/contrib-how.html#CONTRIB-GENERAL">Bug
 	    Reports and General Commentary</ulink> for more information about
 	    &man.send-pr.1;).  If the uncompressed port is larger than 20KB,
 	  you should compress it into a tarfile and use &man.uuencode.1;
 	  before including it in the bug report (uuencoded tarfiles are
 	  acceptable even if the bug report is smaller than 20KB but are not
 	  preferred).  Be sure to classify the bug report as category
 	  <literal>ports</literal> and class
 	  <literal>change-request</literal>  (Do not mark the report
 	  <literal>confidential</literal>!).
 	  Also add a short description of the program you ported
 	  to the <quote>Description</quote> field of the PR and
 	  the shar or uuencoded tarfile to the
 	  <quote>Fix</quote> field.</para>
 
 	<note>
 	  <para>You can make our work a lot easier, if you use a good
 	    description in the synopsis of the problem report.
 	    We prefer something like
 	    <quote>New port: &lt;category&gt;/&lt;portname&gt;
 	    &lt;short description of the port&gt;</quote> for new ports and
 	    <quote>Update port: &lt;category&gt;/&lt;portname&gt;
 	    &lt;short description of the update&gt;</quote> for port updates.
 	    If you stick to this scheme, the chance that someone will take a
 	    look at your PR soon is much better.</para>
 	</note>
 
 	<para>One more time, <emphasis>do not include the original source
 	    distfile, the <filename>work</filename> directory, or the package
 	    you built with <command>make package</command></emphasis>.</para>
 
 	<para>After you have submitted your port, please be patient.
 	  Sometimes it can take a few months before a port is included
 	  in FreeBSD, although it might only take a few days.  You can
 	  view the list of <ulink
 	  url="http://www.FreeBSD.org/cgi/query-pr-summary.cgi?category=ports">ports
 	  waiting to be committed to FreeBSD</ulink>.</para>
 
 	<para>Once we have looked at your port, we will get back to you if necessary, and put
 	  it in the tree.  Your name will also appear in the list of
 	  <ulink url="&url.articles.contributors;/contrib-additional.html">Additional FreeBSD Contributors</ulink>
 	  and other files. Isn't that great?!? <!-- smiley
 	  -->:-)</para>
       </sect1>
     </chapter>
 
     <chapter id="slow">
       <title>Slow Porting</title>
 
       <para>Ok, so it was not that simple, and the port required some
 	modifications to get it to work.  In this section, we will explain,
 	step by step, how to modify it to get it to work with the ports
 	paradigm.</para>
 
       <sect1 id="slow-work">
 	<title>How things work</title>
 
 	<para>First, this is the sequence of events which occurs when the user
 	  first types <command>make</command> in your port's directory.
 	  You may find that having <filename>bsd.port.mk</filename> in another
 	  window while you read this really helps to understand it.</para>
 
 	<para>But do not worry if you do not really understand what
 	  <filename>bsd.port.mk</filename> is doing, not many people do...
 	  <!-- smiley --><emphasis>:-&gt;</emphasis></para>
 
 	<procedure>
 
 	  <step>
 	    <para>The <maketarget>fetch</maketarget> target is run.  The
 	      <maketarget>fetch</maketarget> target is responsible for making
 	      sure that the tarball exists locally in
 	      <makevar>DISTDIR</makevar>. If <maketarget>fetch</maketarget>
 	      cannot find the required files in <makevar>DISTDIR</makevar> it
 	      will look up the URL <makevar>MASTER_SITES</makevar>, which is
 	      set in the Makefile, as well as our main FTP site at <ulink
 		url="ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/distfiles/"></ulink>,
 	      where we put sanctioned distfiles as backup.  It will then
 	      attempt to fetch the named distribution file with
 	      <makevar>FETCH</makevar>, assuming that the requesting site has
 	      direct access to the Internet.  If that succeeds, it will save
 	      the file in <makevar>DISTDIR</makevar> for future use and
 	      proceed.</para>
 	  </step>
 
 	  <step>
 	    <para>The <maketarget>extract</maketarget> target is run.  It
 	      looks for your port's distribution file (typically a gzip'd
 	      tarball) in <makevar>DISTDIR</makevar> and unpacks it into a
 	      temporary subdirectory specified by <makevar>WRKDIR</makevar>
 	      (defaults to <filename>work</filename>).</para>
 	  </step>
 
 	  <step>
 	    <para>The <maketarget>patch</maketarget> target is run.  First,
 	      any patches defined in <makevar>PATCHFILES</makevar> are
 	      applied.  Second, if any patch files named
 	      <filename>patch-<replaceable>*</replaceable></filename> are found in
 	      <makevar>PATCHDIR</makevar> (defaults to the
 	      <filename>files</filename> subdirectory), they are applied at
 	      this time in alphabetical order.</para>
 	  </step>
 
 	  <step>
 	    <para>The <maketarget>configure</maketarget> target is run.  This
 	      can do any one of many different things.</para>
 
 	    <orderedlist>
 	      <listitem>
 		<para>If it exists, <filename>scripts/configure</filename> is
 		  run.</para>
 	      </listitem>
 
 	      <listitem>
 		<para>If <makevar>HAS_CONFIGURE</makevar> or
 		  <makevar>GNU_CONFIGURE</makevar> is set,
 		  <filename><makevar>WRKSRC</makevar>/configure</filename> is
 		  run.</para>
 	      </listitem>
 
 	      <listitem>
 		<para>If <makevar>USE_IMAKE</makevar> is set,
 		  <makevar>XMKMF</makevar> (default: <command>xmkmf
 		    -a</command>) is run.</para>
 	      </listitem>
 	    </orderedlist>
 	  </step>
 
 	  <step>
 	    <para>The <maketarget>build</maketarget> target is run.  This is
 	      responsible for descending into the port's private working
 	      directory (<makevar>WRKSRC</makevar>) and building it.  If
 	      <makevar>USE_GMAKE</makevar> is set, GNU <command>make</command>
 	      will be used, otherwise the system <command>make</command> will
 	      be used.</para>
 	  </step>
 	</procedure>
 
 	<para>The above are the default actions.  In addition, you can define
 	  targets
 	  <maketarget>pre-<replaceable>something</replaceable></maketarget> or
 	  <maketarget>post-<replaceable>something</replaceable></maketarget>,
 	  or put scripts with those names, in the <filename>scripts</filename>
 	  subdirectory, and they will be run before or after the default
 	  actions are done.</para>
 
 	<para>For example, if you have a <maketarget>post-extract</maketarget>
 	  target defined in your <filename>Makefile</filename>, and a file
 	  <filename>pre-build</filename> in the <filename>scripts</filename>
 	  subdirectory, the <maketarget>post-extract</maketarget> target will
 	  be called after the regular extraction actions, and the
 	  <filename>pre-build</filename> script will be executed before the
 	  default build rules are done.  It is recommended that you use
 	  <filename>Makefile</filename> targets if the actions are simple
 	  enough, because it will be easier for someone to figure out what
 	  kind of non-default action the port requires.</para>
 
 	<para>The default actions are done by the
 	  <filename>bsd.port.mk</filename> targets
 	  <maketarget>do-<replaceable>something</replaceable></maketarget>.
 	  For example, the commands to extract a port are in the target
 	  <maketarget>do-extract</maketarget>.  If you are not happy with the
 	  default target, you can fix it by redefining the
 	  <maketarget>do-<replaceable>something</replaceable></maketarget>
 	  target in your <filename>Makefile</filename>.</para>
 
 	<note>
 	  <para>The <quote>main</quote> targets (e.g.,
 	    <maketarget>extract</maketarget>,
 	    <maketarget>configure</maketarget>, etc.) do nothing more than
 	    make sure all  the stages up to that one are completed and call
 	    the real targets or scripts, and they are not intended to be
 	    changed.  If you want to fix the extraction, fix
 	    <maketarget>do-extract</maketarget>, but never ever change
 	    the way <maketarget>extract</maketarget> operates!</para>
 	</note>
 
 	<para>Now that you understand what goes on when the user types
 	  <command>make</command>, let us go through the recommended steps to
 	  create the perfect port.</para>
       </sect1>
 
       <sect1 id="slow-sources">
 	<title>Getting the original sources</title>
 
 	<para>Get the original sources (normally) as a compressed tarball
 	  (<filename><replaceable>foo</replaceable>.tar.gz</filename> or
 	  <filename><replaceable>foo</replaceable>.tar.Z</filename>) and copy
 	  it into <makevar>DISTDIR</makevar>.  Always use
 	  <emphasis>mainstream</emphasis> sources when and where you
 	  can.</para>
 
 	<para>You will need to set the variable <makevar>MASTER_SITES</makevar>
 	  to reflect where the original tarball resides.  You will find
 	  convenient shorthand definitions for most mainstream sites
 	  in <filename>bsd.sites.mk</filename>.  Please use these
 	  sites&mdash;and the associated definitions&mdash;if
 	  at all possible, to help avoid the problem of having the same
 	  information repeated over again many times in the source base.
 	  As these sites tend to change over time, this becomes a
 	  maintenance nightmare for everyone involved.</para>
 
 	<para>If you cannot find a FTP/HTTP site that is well-connected to the
 	  net, or can only find sites that have irritatingly non-standard
 	  formats, you might want to put a copy on a reliable FTP or HTTP
 	  server that you control (e.g., your home page).</para>
 
 	<para>If you cannot find somewhere convenient and reliable to put the
 	  distfile
 	  we can <quote>house</quote> it ourselves
 	  on <hostid>ftp.FreeBSD.org</hostid>; however, this is the
 	  least-preferred solution.
 	  The distfile must be placed into
 	  <filename>~/public_distfiles/</filename> of someone's
 	  <hostid>freefall</hostid> account.
 	  Ask the person who commits your port to do this.
 	  This person will also set <makevar>MASTER_SITES</makevar> to
 	  <makevar>MASTER_SITE_LOCAL</makevar> and
 	  <makevar>MASTER_SITE_SUBDIR</makevar> to their
 	  <hostid>freefall</hostid> username.</para>
 
 	<para>If your port's distfile changes all the time without any
 	  kind of version update by the author,
 	  consider putting the distfile on your home page and listing it as
 	  the first <makevar>MASTER_SITES</makevar>.  If you can, try
 	  to talk the port author out of doing this; it
 	  really does help to establish some kind of source code control.
 	  Hosting your own version will prevent users
 	  from getting <errorname>checksum mismatch</errorname> errors, and
 	  also reduce the workload of maintainers of our FTP site.  Also, if
 	  there is only one master site for the port, it is recommended that
 	  you house a backup at your site and list it as the second
 	  <makevar>MASTER_SITES</makevar>.</para>
 
 	<para>If your port requires some additional `patches' that are
 	  available on the Internet, fetch them too and put them in
 	  <makevar>DISTDIR</makevar>.  Do not worry if they come from a site
 	  other than where you got the main source tarball, we have a way to
 	  handle these situations (see the description of <link
 	    linkend="porting-patchfiles">PATCHFILES</link> below).</para>
       </sect1>
 
       <sect1 id="slow-modifying">
 	<title>Modifying the port</title>
 
 	<para>Unpack a copy of the tarball in a private directory and make
 	  whatever changes are necessary to get the port to compile properly
 	  under the current version of FreeBSD.  Keep <emphasis>careful
 	    track</emphasis> of everything you do, as you will be automating
 	  the process shortly.  Everything, including the deletion, addition,
 	  or modification of files should be doable using an automated script
 	  or patch file when your port is finished.</para>
 
 	<para>If your port requires significant user interaction/customization
 	  to compile or install, you should take a look at one of Larry Wall's
 	  classic <application>Configure</application> scripts and perhaps do
 	  something similar yourself.  The goal of the new ports collection is
 	  to make each port as <quote>plug-and-play</quote> as possible for the
 	  end-user while using a minimum of disk space.</para>
 
 	<note>
 	  <para>Unless explicitly stated, patch files, scripts, and other
 	    files you have created and contributed to the FreeBSD ports
 	    collection are assumed to be covered by the standard BSD copyright
 	    conditions.</para>
 	</note>
       </sect1>
 
       <sect1 id="slow-patch">
 	<title>Patching</title>
 
 	<para>In the preparation of the port, files that have been added or
 	  changed can be picked up with a recursive &man.diff.1;
 	  for later feeding to &man.patch.1;.  Each set of patches you
 	  wish to apply should be collected into a file named
 	  <filename>patch-<replaceable>*</replaceable></filename> where
 	  <replaceable>*</replaceable> denotes the sequence in which the
 	  patches will be applied &mdash; these are done in
 	  <emphasis>alphabetical order</emphasis>, thus <literal>aa</literal>
 	  first, <literal>ab</literal> second and so on.  If you wish,
 	  you can use names that indicate the pathnames of the files that
 	  are patched, such as <filename>patch-Imakefile</filename> or
 	  <filename>patch-src-config.h</filename>.  These files should
 	  be stored in <makevar>PATCHDIR</makevar>, from where they will be
 	  automatically applied.  All patches should be relative to
 	  <makevar>WRKSRC</makevar> (generally the directory your port's
 	  tarball unpacks itself into, that being where the build is done).
 	  To make fixes and upgrades easier, you should avoid having more than
 	  one patch fix the same file (e.g., <filename>patch-aa</filename> and
 	  <filename>patch-ab</filename> both changing
 	  <filename><makevar>WRKSRC</makevar>/foobar.c</filename>).</para>
 
 	<para>Do not put RCS strings in patches.  CVS will mangle them when we
 	  put the files into the ports tree, and when we check them out again,
 	  they will come out different and the patch will fail.  RCS strings
 	  are surrounded by dollar (<literal>&dollar;</literal>) signs, and
 	  typically start with <literal>&dollar;Id</literal> or
 	  <literal>&dollar;RCS</literal>.</para>
 
 	<para>Using the recurse (<option>-r</option>) option to
 	  &man.diff.1; to generate patches is fine, but please take
 	  a look at the resulting patches to make sure you do not have any
 	  unnecessary junk in there.  In particular, diffs between two backup
 	  files, <filename>Makefile</filename>s when the port uses
 	  <command>Imake</command> or GNU <command>configure</command>, etc.,
 	  are unnecessary and should be deleted.  If you had to edit
 	  <filename>configure.in</filename> and run
 	  <command>autoconf</command> to regenerate
 	  <command>configure</command>, do not take the diffs of
 	  <command>configure</command> (it often grows to a few thousand
 	  lines!); define <literal>USE_AUTOCONF_VER=213</literal> and take the
 	  diffs of <filename>configure.in</filename>.</para>
 
 	<para>Quite often, there is a situation when the software being
 	  ported, especially if it is primarily developed on &windows;, uses
 	  the CR/LF convention for most of its source files.  This may cause
 	  problems with further patching, compiler warnings, scripts
 	  execution (<command>/bin/sh^M</command> not found), etc.  To
 	  quickly convert those files from CR/LF to just LF, you can do
 	  something like this:</para>
 
 	<programlisting>USE_REINPLACE=	yes
 
 post-extract:
 	@${FIND} -E ${WRKDIR} -type f -iregex ".*\.(c|cpp|h|txt)" -print0 | \
 		${XARGS} -0 ${REINPLACE_CMD} -e 's/[[:cntrl:]]*$$//' '{}' \;</programlisting>
 
 	<para>Of course, if you need to process each and every file,
 	  <option>-iregex</option> above can be omitted.  Be aware that this
 	  piece of code will strip all trailing control characters from each
 	  line of processed file (except <literal>\n</literal>).</para>
 
 	<para>Also, if you had to delete a file, then you can do it in the
 	  <maketarget>post-extract</maketarget> target rather than as part of
 	  the patch.  Once you are happy with the resulting diff, please split
 	  it up into one source file per patch file.</para>
       </sect1>
 
       <sect1 id="slow-configure">
 	<title>Configuring</title>
 
 	<para>Include any additional customization commands in your
 	  <filename>configure</filename> script and save it in the
 	  <filename>scripts</filename> subdirectory.  As mentioned above, you
 	  can also do this with <filename>Makefile</filename> targets and/or
 	  scripts with the name <filename>pre-configure</filename> or
 	  <filename>post-configure</filename>.</para>
       </sect1>
 
       <sect1 id="slow-user-input">
 	<title>Handling user input</title>
 
 	<para>If your port requires user input to build, configure, or install,
 	  you must set <makevar>IS_INTERACTIVE</makevar> in your <filename>Makefile</filename>.  This
 	  will allow <quote>overnight builds</quote> to skip your port if the
 	  user sets the variable <envar>BATCH</envar> in his environment (and
 	  if the user sets the variable <envar>INTERACTIVE</envar>, then
 	  <emphasis>only</emphasis> those ports requiring interaction are
 	  built).  This will save a lot of wasted time on the set of
 	  machines that continually build ports (see below).</para>
 
 	<para>It is also recommended that if there are reasonable default
 	  answers to the questions, you check the
 	  <makevar>PACKAGE_BUILDING</makevar> variable and turn off the
 	  interactive script when it is set.  This will allow us to build the
 	  packages for CDROMs and FTP.</para>
       </sect1>
     </chapter>
 
     <chapter id="makefile">
       <title>Configuring the Makefile</title>
 
       <para>Configuring the <filename>Makefile</filename> is pretty simple, and again we suggest
 	that you look at existing examples before starting. Also, there is a
 	<link linkend="porting-samplem">sample Makefile</link> in this
 	handbook, so take a look and please follow the ordering of variables
 	and sections in that template to make your port easier for others to
 	read.</para>
 
       <para>Now, consider the following problems in sequence as you design
 	your new <filename>Makefile</filename>:</para>
 
       <sect1 id="makefile-source">
 	<title>The original source</title>
 
 	<para>Does it live in <makevar>DISTDIR</makevar> as a standard
 	  gzip'd tarball named something like
 	  <filename>foozolix-1.2.tar.gz</filename>? If so, you can go on
 	  to the next step.  If not, you should look at overriding any of
 	  the <makevar>DISTNAME</makevar>, <makevar>EXTRACT_CMD</makevar>,
 	  <makevar>EXTRACT_BEFORE_ARGS</makevar>,
 	  <makevar>EXTRACT_AFTER_ARGS</makevar>,
 	  <makevar>EXTRACT_SUFX</makevar>, or <makevar>DISTFILES</makevar>
 	  variables, depending on how alien a format your port's
 	  distribution file is.  (The most common case is
 	  <literal>EXTRACT_SUFX=.tar.Z</literal>, when the tarball is
 	  condensed by regular <command>compress</command>, not
 	  <command>gzip</command>.)</para>
 
 	<para>In the worst case, you can simply create your own
 	  <maketarget>do-extract</maketarget> target to override the
 	  default, though this should be rarely, if ever,
 	  necessary.</para>
       </sect1>
 
     <sect1 id="makefile-naming">
       <title>Naming</title>
 
       <para>The first part of the port's <filename>Makefile</filename> names
 	the port, describes its version number, and lists it in the correct
 	category.</para>
 
       <sect2>
 	<title><makevar>PORTNAME</makevar> and <makevar>PORTVERSION</makevar></title>
 
 	<para>You should set <makevar>PORTNAME</makevar> to the
 	  base name of your port, and <makevar>PORTVERSION</makevar>
 	  to the version number of the port.</para>
       </sect2>
 
       <sect2 id="makefile-naming-revepoch">
 	<title><makevar>PORTREVISION</makevar> and
 	  <makevar>PORTEPOCH</makevar></title>
 
 	<sect3>
 	  <title><makevar>PORTREVISION</makevar></title>
 
 	  <para>The <makevar>PORTREVISION</makevar> variable is a
 	    monotonically increasing value which is reset to 0 with
 	    every increase of <makevar>PORTVERSION</makevar> (i.e.
 	    every time a new official vendor release is made), and
 	    appended to the package name if non-zero.
 	    Changes to <makevar>PORTREVISION</makevar> are
 	    used by automated tools (e.g.  &man.pkg.version.1;)
 	    to highlight the fact that a new package is
 	    available.</para>
 
 	  <para><makevar>PORTREVISION</makevar> should be increased
 	    each time a change is made to the port which significantly
 	    affects the content or structure of the derived
 	    package.</para>
 
 	  <para>Examples of when <makevar>PORTREVISION</makevar>
 	    should be bumped:</para>
 
 	  <itemizedlist>
 	    <listitem>
 	      <para>Addition of patches to correct security
 		vulnerabilities, bugs, or to add new functionality to
 		the port.</para>
 	    </listitem>
 
 	    <listitem>
 	      <para>Changes to the port <filename>Makefile</filename> to enable or disable
 		compile-time options in the package.</para>
 	    </listitem>
 
 	    <listitem>
 	      <para>Changes in the packing list or the install-time
 		behavior of the package (e.g. change to a script
 		which generates initial data for the package, like ssh
 		host keys).</para>
 	    </listitem>
 
 	    <listitem>
 	      <para>Version bump of a port's shared library dependency
 		(in this case, someone trying to install the old
 		package after installing a newer version of the
 		dependency will fail since it will look for the old
 		libfoo.x instead of libfoo.(x+1)).</para>
 	    </listitem>
 
 	    <listitem>
 	      <para>Silent changes to the port distfile which have
 		significant functional differences, i.e. changes to
 		the distfile requiring a correction to
 		<filename>distinfo</filename> with no corresponding change to
 		<makevar>PORTVERSION</makevar>, where a <command>diff
 		-ru</command> of the old and new versions shows
 		non-trivial changes to the code.</para>
 	    </listitem>
 	  </itemizedlist>
 
 	  <para>Examples of changes which do not require a
 	    <makevar>PORTREVISION</makevar> bump:</para>
 
 	  <itemizedlist>
 	    <listitem>
 	      <para>Style changes to the port skeleton with no
 		functional change to what appears in the resulting
 		package.</para>
 	    </listitem>
 
 	    <listitem>
 	      <para>Changes to <makevar>MASTER_SITES</makevar> or
 		other functional changes to the port which do not
 		affect the resulting package.</para>
 	    </listitem>
 
 	    <listitem>
 	      <para>Trivial patches to the distfile such as correction
 		of typos, which are not important enough that users of
 		the package should go to the trouble of
 		upgrading.</para>
 	    </listitem>
 
 	    <listitem>
 	      <para>Build fixes which cause a package to become
 		compilable where it was previously failing (as long as
 		the changes do not introduce any functional change on
 		any other platforms on which the port did previously
 		build). Since <makevar>PORTREVISION</makevar> reflects
 		the content of the package, if the package was not
 		previously buildable then there is no need to increase
 		<makevar>PORTREVISION</makevar> to mark a
 		change.</para>
 	    </listitem>
 	  </itemizedlist>
 
 	  <para>A rule of thumb is to ask yourself whether a change
 	    committed to a port is something which everyone
 	    would benefit from having (either because of an
 	    enhancement, fix, or by virtue that the new package will
 	    actually work at all), and weigh that against that fact
 	    that it will cause everyone who regularly updates their
 	    ports tree to be compelled to update. If yes, the
 	    <makevar>PORTREVISION</makevar> should be bumped.</para>
 	</sect3>
 
 	<sect3>
 	  <title><makevar>PORTEPOCH</makevar></title>
 
 	  <para>From time to time a software vendor or FreeBSD porter
 	    will do something silly and release a version of their
 	    software which is actually numerically less than the
 	    previous version. An example of this is a port which goes
 	    from foo-20000801 to foo-1.0 (the former will be
 	    incorrectly treated as a newer version since 20000801 is a
 	    numerically greater value than 1).</para>
 
 	  <para>In situations such as this, the
 	    <makevar>PORTEPOCH</makevar> version should be increased.
 	    If <makevar>PORTEPOCH</makevar> is nonzero it is appended
 	    to the package name as described in section 0 above.
 	    <makevar>PORTEPOCH</makevar> must never be decreased or reset
 	    to zero, because that would cause comparison to a package
 	    from an earlier epoch to fail (i.e. the package would not
 	    be detected as out of date): the new version number (e.g.
 	    <literal>1.0,1</literal> in the above example) is still
 	    numerically less than the previous version (20000801), but
 	    the <literal>,1</literal> suffix is treated specially by
 	    automated tools and found to be greater than the implied
 	    suffix <literal>,0</literal> on the earlier package.</para>
 
 	  <para>Dropping or resetting <makevar>PORTEPOCH</makevar>
 	    incorrectly leads
 	    to no end of grief; if you do not understand the above discussion,
 	    please keep after it until you do, or ask questions on
 	    the mailing lists.</para>
 
 	  <para>It is expected that <makevar>PORTEPOCH</makevar> will
 	    not be used for the majority of ports, and that sensible
 	    use of <makevar>PORTVERSION</makevar> can often pre-empt
 	    it becoming necessary if a future release of the software
 	    should change the version structure. However, care is
 	    needed by FreeBSD porters when a vendor release is made
 	    without an official version number &mdash; such as a code
 	    <quote>snapshot</quote> release.  The temptation is to label the
 	    release with the release date, which will cause problems
 	    as in the example above when a new <quote>official</quote> release is
 	    made.</para>
 
 	  <para>For example, if a snapshot release is made on the date
 	    20000917, and the previous version of the software was
 	    version 1.2, the snapshot release should be given a
 	    <makevar>PORTVERSION</makevar> of 1.2.20000917 or similar,
 	    not 20000917, so that the succeeding release, say 1.3, is
 	    still a numerically greater value.</para>
 	</sect3>
 
 	<sect3>
 	  <title>Example of <makevar>PORTREVISION</makevar> and
 	    <makevar>PORTEPOCH</makevar> usage</title>
 
 	  <para>The <literal>gtkmumble</literal> port, version
 	    <literal>0.10</literal>, is committed to the ports
 	    collection:</para>
 
 	  <programlisting>PORTNAME=       gtkmumble
 PORTVERSION=    0.10</programlisting>
 
 	  <para><makevar>PKGNAME</makevar> becomes
 	    <literal>gtkmumble-0.10</literal>.</para>
 
 	  <para>A security hole is discovered which requires a local
 	    FreeBSD patch. <makevar>PORTREVISION</makevar> is bumped
 	    accordingly.</para>
 
 	  <programlisting>PORTNAME=       gtkmumble
 PORTVERSION=    0.10
 PORTREVISION=   1</programlisting>
 
 	  <para><makevar>PKGNAME</makevar> becomes
 	    <literal>gtkmumble-0.10_1</literal></para>
 
 	  <para>A new version is released by the vendor, numbered <literal>0.2</literal>
 	    (it turns out the author actually intended
 	    <literal>0.10</literal> to actually mean
 	    <literal>0.1.0</literal>, not <quote>what comes after
 	      0.9</quote> - oops, too late now). Since the new minor
 	    version <literal>2</literal> is numerically less than the
 	    previous version <literal>10</literal>, the
 	    <makevar>PORTEPOCH</makevar> must be bumped to manually
 	    force the new package to be detected as <quote>newer</quote>. Since it
 	    is a new vendor release of the code,
 	    <makevar>PORTREVISION</makevar> is reset to 0 (or removed
 	    from the <filename>Makefile</filename>).</para>
 
 	  <programlisting>PORTNAME=       gtkmumble
 PORTVERSION=    0.2
 PORTEPOCH=      1</programlisting>
 
 	  <para><makevar>PKGNAME</makevar> becomes
 	    <literal>gtkmumble-0.2,1</literal></para>
 
 	  <para>The next release is 0.3. Since
 	    <makevar>PORTEPOCH</makevar> never decreases, the version
 	    variables are now:</para>
 
 	  <programlisting>PORTNAME=       gtkmumble
 PORTVERSION=    0.3
 PORTEPOCH=      1</programlisting>
 
 	  <para><makevar>PKGNAME</makevar> becomes
 	    <literal>gtkmumble-0.3,1</literal></para>
 
 	  <note>
 	    <para>If <makevar>PORTEPOCH</makevar> were reset
 	      to <literal>0</literal> with this upgrade, someone who had
 	      installed the <literal>gtkmumble-0.10_1</literal> package would not detect
 	      the <literal>gtkmumble-0.3</literal> package as newer, since
 	      <literal>3</literal> is still numerically less than
 	      <literal>10</literal>.  Remember, this is the whole point of
 	      <makevar>PORTEPOCH</makevar> in the first place.</para>
 	  </note>
 	</sect3>
       </sect2>
 
       <sect2>
 	<title><makevar>PKGNAMEPREFIX</makevar> and <makevar>PKGNAMESUFFIX</makevar></title>
 
 	<para>Two optional variables, <makevar>PKGNAMEPREFIX</makevar> and
 	  <makevar>PKGNAMESUFFIX</makevar>, are combined with
 	  <makevar>PORTNAME</makevar> and
 	  <makevar>PORTVERSION</makevar> to
 	  form <makevar>PKGNAME</makevar> as
 	  <literal>${PKGNAMEPREFIX}${PORTNAME}${PKGNAMESUFFIX}-${PORTVERSION}</literal>.
 	  Make sure this conforms to our <link
 	  linkend="porting-pkgname">guidelines for a good package
 	  name</link>.  In particular, you are <emphasis>not</emphasis> allowed to use a
 	  hyphen (<literal>-</literal>) in
 	  <makevar>PORTVERSION</makevar>.  Also, if the package name
 	  has the <replaceable>language-</replaceable> or the
 	  <replaceable>-compiled.specifics</replaceable> part (see below), use
 	  <makevar>PKGNAMEPREFIX</makevar> and
 	  <makevar>PKGNAMESUFFIX</makevar>, respectively.  Do not make
 	  them part of <makevar>PORTNAME</makevar>.</para>
       </sect2>
 
     <sect2 id="porting-pkgname">
       <title>Package Naming Conventions</title>
 
       <para>The following are the conventions you should follow in naming your
 	packages.  This is to have our package directory easy to scan, as
 	there are already thousands of packages and users are going to
 	turn away if they hurt their eyes!</para>
 
       <para>The package name should look like
 	<filename><replaceable><optional>language<optional>_region</optional></optional>-name<optional><optional>-</optional>compiled.specifics</optional>-version.numbers</replaceable></filename>.</para>
 
       <para>The package name is defined as
 	<literal>${PKGNAMEPREFIX}${PORTNAME}${PKGNAMESUFFIX}-${PORTVERSION}</literal>.
 	Make sure to set the variables to conform to that format.</para>
 
       <orderedlist>
 	<listitem>
 	  <para>FreeBSD strives to support the native language of its users.
 	    The <replaceable>language-</replaceable> part should be a two
 	    letter abbreviation of the natural language defined by ISO-639 if
 	    the port is specific to a certain language.  Examples are
 	    <literal>ja</literal> for Japanese, <literal>ru</literal> for
 	    Russian, <literal>vi</literal> for Vietnamese,
 	    <literal>zh</literal> for Chinese, <literal>ko</literal> for
 	    Korean and <literal>de</literal> for German.</para>
 
 	  <para>If the port is specific to a certain region within the
 	    language area, add the two letter country code as well.
 	    Examples are <literal>en_US</literal> for US English and
 	    <literal>fr_CH</literal> for Swiss French.</para>
 
 	  <para>The <replaceable>language-</replaceable> part should
 	    be set in the <makevar>PKGNAMEPREFIX</makevar> variable.</para>
 	</listitem>
 
 	<listitem>
 	  <para>The first letter of <filename>name</filename> part
 	    should be lowercase.  (The rest of the name can contain
 	    capital letters, so use your own discretion when you are
 	    converting a software name that has some capital letters in it.)
 	    There is a tradition of naming <literal>perl 5</literal> modules by
 	    prepending <literal>p5-</literal> and converting the double-colon
 	    separator to a hyphen; for example, the
 	    <literal>Data::Dumper</literal> module becomes
 	    <literal>p5-Data-Dumper</literal>.  If the software in question
 	    has numbers, hyphens, or underscores in its name, you may include
 	    them as well (like <literal>kinput2</literal>).</para>
 	</listitem>
 
 	<listitem>
 	  <para>If the port can be built with different <link
 	      linkend="porting-masterdir">hardcoded defaults</link> (usually
 	    part of the directory name in a family of ports), the
 	    <replaceable>-compiled.specifics</replaceable> part should state
 	    the compiled-in defaults (the hyphen is optional).  Examples are
 	    papersize and font units.</para>
 
 	  <para>The <replaceable>-compiled.specifics</replaceable> part
 	    should be set in the <makevar>PKGNAMESUFFIX</makevar>
 	    variable.</para>
 	</listitem>
 
 	<listitem>
 	  <para>The version string should follow a dash
 	    (<literal>-</literal>) and be a period-separated list of
 	    integers and single lowercase alphabetics.  In particular,
 	    it is not permissible to have another dash inside the
 	    version string.  The only exception is the string
 	    <literal>pl</literal> (meaning <quote>patchlevel</quote>), which can be
 	    used <emphasis>only</emphasis> when there are no major and
 	    minor version numbers in the software.  If the software
 	    version has strings like <quote>alpha</quote>, <quote>beta</quote>, <quote>rc</quote>, or <quote>pre</quote>, take
 	    the first letter and put it immediately after a period.
 	    If the version string continues after those names, the
 	    numbers should follow the single alphabet without an extra
 	    period between them.</para>
 
 	  <para>The idea is to make it easier to sort ports by looking
 	    at the version string.  In particular, make sure version
 	    number components are always delimited by a period, and
 	    if the date is part of the string, use the
 	    <literal><replaceable>yyyy</replaceable>.<replaceable>mm</replaceable>.<replaceable>dd</replaceable></literal>
 	    format, not
 	    <literal><replaceable>dd</replaceable>.<replaceable>mm</replaceable>.<replaceable>yyyy</replaceable></literal>
 	    or the non-Y2K compliant
 	    <literal><replaceable>yy</replaceable>.<replaceable>mm</replaceable>.<replaceable>dd</replaceable></literal>
 	    format.</para>
 	</listitem>
       </orderedlist>
 
       <para>Here are some (real) examples on how to convert the name
 	as called by the software authors to a suitable package
 	name:</para>
 
-      <informaltable frame="none">
+      <informaltable frame="none" pgwide="1">
 	<tgroup cols="6">
 	  <thead>
 	    <row>
 	      <entry>Distribution Name</entry>
 	      <entry><makevar>PKGNAMEPREFIX</makevar></entry>
 	      <entry><makevar>PORTNAME</makevar></entry>
 	      <entry><makevar>PKGNAMESUFFIX</makevar></entry>
 	      <entry><makevar>PORTVERSION</makevar></entry>
 	      <entry>Reason</entry>
 	    </row>
 	  </thead>
 
 	  <tbody>
 	    <row>
 	      <entry>mule-2.2.2</entry>
 	      <entry>(empty)</entry>
 	      <entry>mule</entry>
 	      <entry>(empty)</entry>
 	      <entry>2.2.2</entry>
 	      <entry>No changes required</entry>
 	    </row>
 
 	    <row>
 	      <entry>XFree86-3.3.6</entry>
 	      <entry>(empty)</entry>
 	      <entry>XFree86</entry>
 	      <entry>(empty)</entry>
 	      <entry>3.3.6</entry>
 	      <entry>No changes required</entry>
 	    </row>
 
 	    <row>
 	      <entry>EmiClock-1.0.2</entry>
 	      <entry>(empty)</entry>
 	      <entry>emiclock</entry>
 	      <entry>(empty)</entry>
 	      <entry>1.0.2</entry>
 	      <entry>No uppercase names for single programs</entry>
 	    </row>
 
 	    <row>
 	      <entry>rdist-1.3alpha</entry>
 	      <entry>(empty)</entry>
 	      <entry>rdist</entry>
 	      <entry>(empty)</entry>
 	      <entry>1.3.a</entry>
 	      <entry>No strings like <literal>alpha</literal>
 		allowed</entry>
 	    </row>
 
 	    <row>
 	      <entry>es-0.9-beta1</entry>
 	      <entry>(empty)</entry>
 	      <entry>es</entry>
 	      <entry>(empty)</entry>
 	      <entry>0.9.b1</entry>
 	      <entry>No strings like <literal>beta</literal>
 		allowed</entry>
 	    </row>
 
 	    <row>
 	      <entry>mailman-2.0rc3</entry>
 	      <entry>(empty)</entry>
 	      <entry>mailman</entry>
 	      <entry>(empty)</entry>
 	      <entry>2.0.r3</entry>
 	      <entry>No strings like <literal>rc</literal>
 		allowed</entry>
 	    </row>
 
 	    <row>
 	      <entry>v3.3beta021.src</entry>
 	      <entry>(empty)</entry>
 	      <entry>tiff</entry>
 	      <entry>(empty)</entry>
 	      <entry>3.3</entry>
 	      <entry>What the heck was that anyway?</entry>
 	    </row>
 
 	    <row>
 	      <entry>tvtwm</entry>
 	      <entry>(empty)</entry>
 	      <entry>tvtwm</entry>
 	      <entry>(empty)</entry>
 	      <entry>pl11</entry>
 	      <entry>Version string always required</entry>
 	    </row>
 
 	    <row>
 	      <entry>piewm</entry>
 	      <entry>(empty)</entry>
 	      <entry>piewm</entry>
 	      <entry>(empty)</entry>
 	      <entry>1.0</entry>
 	      <entry>Version string always required</entry>
 	    </row>
 
 	    <row>
 	      <entry>xvgr-2.10pl1</entry>
 	      <entry>(empty)</entry>
 	      <entry>xvgr</entry>
 	      <entry>(empty)</entry>
 	      <entry>2.10.1</entry>
 	      <entry><literal>pl</literal> allowed only when no
 		major/minor version numbers</entry>
 	    </row>
 
 	    <row>
 	      <entry>gawk-2.15.6</entry>
 	      <entry>ja-</entry>
 	      <entry>gawk</entry>
 	      <entry>(empty)</entry>
 	      <entry>2.15.6</entry>
 	      <entry>Japanese language version</entry>
 	    </row>
 
 	    <row>
 	      <entry>psutils-1.13</entry>
 	      <entry>(empty)</entry>
 	      <entry>psutils</entry>
 	      <entry>-letter</entry>
 	      <entry>1.13</entry>
 	      <entry>Papersize hardcoded at package build time</entry>
 	    </row>
 
 	    <row>
 	      <entry>pkfonts</entry>
 	      <entry>(empty)</entry>
 	      <entry>pkfonts</entry>
 	      <entry>300</entry>
 	      <entry>1.0</entry>
 	      <entry>Package for 300dpi fonts</entry>
 	    </row>
 	  </tbody>
 	</tgroup>
       </informaltable>
 
       <para>If there is absolutely no trace of version information in the
 	original source and it is unlikely that the original author will ever
 	release another version, just set the version string to
 	<literal>1.0</literal> (like the <literal>piewm</literal> example above).  Otherwise, ask
 	the original author or use the date string
 	(<literal><replaceable>yyyy</replaceable>.<replaceable>mm</replaceable>.<replaceable>dd</replaceable></literal>)
 	as the version.</para>
     </sect2>
     </sect1>
 
     <sect1 id="makefile-categories">
       <title>Categorization</title>
 
       <sect2>
 	<title><makevar>CATEGORIES</makevar></title>
 
 	<para>When a package is created, it is put under
 	  <filename>/usr/ports/packages/All</filename> and links are made from
 	  one or more subdirectories of
 	  <filename>/usr/ports/packages</filename>.  The names of these
 	  subdirectories are specified by the variable
 	  <makevar>CATEGORIES</makevar>.  It is intended to make life easier
 	  for the user when he is wading through the pile of packages on the
 	  FTP site or the CDROM.  Please take a look at the <link
 	    linkend="porting-categories">current list of categories</link> and pick the ones
 	  that are suitable for your port.</para>
 
 	<para>This list also determines where in the ports tree the port is
 	  imported.  If you put more than one category here, it is assumed
 	  that the port files will be put in the subdirectory with the name in
 	  the first category.  See <link
 	    linkend="choosing-categories">below</link> for more
 	  discussion about how to pick the right categories.</para>
 
 	<para>If your port truly belongs to something that is different from
 	  all the existing ones, you can even create a new category name.  In
 	  that case, please send mail to the &a.ports; to propose a new
 	  category.  However, in general, until there are more than a
 	  handful of ports which could be reclassified into the category
 	  you propose, you will probably be turned down.</para>
 
 	<note><para>Occasionally someone proposes reorganizing the categories
 	  with either a 2-level structure, or some other kind of keyword
 	  structure.  To date, nothing has come of any of these proposals
 	  because, while they are very easy to make, the effort involved to
 	  retrofit the entire existing ports collection with any kind of
 	  reorganization is daunting to say the very least.  Please read
 	  the history of these proposals in the mailing list archives before
 	  you post this idea; furthermore, you should be prepared to be
 	  challenged to offer a working prototype.</para></note>
       </sect2>
 
       <sect2 id="porting-categories">
 	<title>Current list of categories</title>
 
 	<para>Here is the current list of port categories.  Those
 	  marked with an asterisk (<literal>*</literal>) are
 	  <emphasis>virtual</emphasis> categories&mdash;those that do not have
 	  a corresponding subdirectory in the ports tree.  They are only
 	  used as secondary categories, and only for search purposes.</para>
 
 	<note>
 	  <para>For non-virtual categories, you will find a one-line
 	    description in the <makevar>COMMENT</makevar> in that
 	    subdirectory's <filename>Makefile</filename>.</para>
 	</note>
 
-	<informaltable frame="none">
+	<informaltable frame="none" pgwide="1">
 	  <tgroup cols="3">
 	    <thead>
 	      <row>
 		<entry>Category</entry>
 		<entry>Description</entry>
 		<entry>Notes</entry>
 	      </row>
 	    </thead>
 
 	    <tbody>
 	      <row>
 		<entry><filename>accessibility</filename></entry>
 		<entry>Ports to help disabled users.</entry>
 		<entry></entry>
 	      </row>
 
 	      <row>
 		<entry><filename>afterstep*</filename></entry>
 		<entry>Ports to support the
 		  <ulink url="http://www.afterstep.org">AfterStep</ulink>
 		  window manager.</entry>
 		<entry></entry>
 	      </row>
 
 	      <row>
 		<entry><filename>arabic</filename></entry>
 		<entry>Arabic language support.</entry>
 		<entry></entry>
 	      </row>
 
 	      <row>
 		<entry><filename>archivers</filename></entry>
 		<entry>Archiving tools.</entry>
 		<entry></entry>
 	      </row>
 
 	      <row>
 		<entry><filename>astro</filename></entry>
 		<entry>Astronomical ports.</entry>
 		<entry></entry>
 	      </row>
 
 	      <row>
 		<entry><filename>audio</filename></entry>
 		<entry>Sound support.</entry>
 		<entry></entry>
 	      </row>
 
 	      <row>
 		<entry><filename>benchmarks</filename></entry>
 		<entry>Benchmarking utilities.</entry>
 		<entry></entry>
 	      </row>
 
 	      <row>
 		<entry><filename>biology</filename></entry>
 		<entry>Biology-related software.</entry>
 		<entry></entry>
 	      </row>
 
 	      <row>
 		<entry><filename>cad</filename></entry>
 		<entry>Computer aided design tools.</entry>
 		<entry></entry>
 	      </row>
 
 	      <row>
 		<entry><filename>chinese</filename></entry>
 		<entry>Chinese language support.</entry>
 		<entry></entry>
 	      </row>
 
 	      <row>
 		<entry><filename>comms</filename></entry>
 		<entry>Communication software.</entry>
 		<entry>Mostly software to talk to your serial port.</entry>
 	      </row>
 
 	      <row>
 		<entry><filename>converters</filename></entry>
 		<entry>Character code converters.</entry>
 		<entry></entry>
 	      </row>
 
 	      <row>
 		<entry><filename>databases</filename></entry>
 		<entry>Databases.</entry>
 		<entry></entry>
 	      </row>
 
 	      <row>
 		<entry><filename>deskutils</filename></entry>
 		<entry>Things that used to be on the desktop before
 		  computers were invented.</entry>
 		<entry></entry>
 	      </row>
 
 	      <row>
 		<entry><filename>devel</filename></entry>
 		<entry>Development utilities.</entry>
 		<entry>Do not put libraries here just because they are
 		  libraries&mdash;unless they truly do not belong anywhere
 		  else, they should not be in this category.</entry>
 	      </row>
 
 	      <row>
 		<entry><filename>dns</filename></entry>
 		<entry>DNS-related software.</entry>
 		<entry></entry>
 	      </row>
 
 	      <row>
 		<entry><filename>editors</filename></entry>
 		<entry>General editors.</entry>
 		<entry>Specialized editors go in the section for those
 		  tools (e.g., a mathematical-formula editor will go
 		  in <filename>math</filename>).</entry>
 	      </row>
 
 	      <row>
 		<entry><filename>elisp*</filename></entry>
 		<entry>Emacs-lisp ports.</entry>
 		<entry></entry>
 	      </row>
 
 	      <row>
 		<entry><filename>emulators</filename></entry>
 		<entry>Emulators for other operating systems.</entry>
 		<entry>Terminal emulators do <emphasis>not</emphasis> belong
 		  here&mdash;X-based ones should go to
 		  <filename>x11</filename> and text-based ones to either
 		  <filename>comms</filename> or <filename>misc</filename>,
 		  depending on the exact functionality.</entry>
 	      </row>
 
 	      <row>
 		<entry><filename>finance</filename></entry>
 		<entry>Monetary, financial and related applications.</entry>
 		<entry></entry>
 	      </row>
 
 	      <row>
 		<entry><filename>french</filename></entry>
 		<entry>French language support.</entry>
 		<entry></entry>
 	      </row>
 
 	      <row>
 		<entry><filename>ftp</filename></entry>
 		<entry>FTP client and server utilities.</entry>
 		<entry>If your port speaks both FTP and HTTP, put it in
 		  <filename>ftp</filename> with a secondary
 		  category of <filename>www</filename>.</entry>
 	      </row>
 
 	      <row>
 		<entry><filename>games</filename></entry>
 		<entry>Games.</entry>
 		<entry></entry>
 	      </row>
 
 	      <row>
 		<entry><filename>german</filename></entry>
 		<entry>German language support.</entry>
 		<entry></entry>
 	      </row>
 
 	      <row>
 		<entry><filename>gnome*</filename></entry>
 		<entry>Ports from the <ulink
 		  url="http://www.gnome.org">GNOME</ulink>
 		  Project.</entry>
 		<entry></entry>
 	      </row>
 
 	      <row>
 		<entry><filename>graphics</filename></entry>
 		<entry>Graphics utilities.</entry>
 		<entry></entry>
 	      </row>
 
 	      <row>
 		<entry><filename>haskell*</filename></entry>
 		<entry>Software related to the Haskell language.</entry>
 		<entry></entry>
 	      </row>
 
 	      <row>
 		<entry><filename>hebrew</filename></entry>
 		<entry>Hebrew language support.</entry>
 		<entry></entry>
 	      </row>
 
 	      <row>
 		<entry><filename>hungarian</filename></entry>
 		<entry>Hungarian language support.</entry>
 		<entry></entry>
 	      </row>
 
 	      <row>
 		<entry><filename>ipv6*</filename></entry>
 		<entry>IPv6 related software.</entry>
 		<entry></entry>
 	      </row>
 
 	      <row>
 		<entry><filename>irc</filename></entry>
 		<entry>Internet Relay Chat utilities.</entry>
 		<entry></entry>
 	      </row>
 
 	      <row>
 		<entry><filename>japanese</filename></entry>
 		<entry>Japanese language support.</entry>
 		<entry></entry>
 	      </row>
 
 	      <row>
 		<entry><filename>java</filename></entry>
 		<entry>Software related to the Java language.</entry>
 		<entry></entry>
 	      </row>
 
 	      <row>
 		<entry><filename>kde*</filename></entry>
 		<entry>Ports from the <ulink url="http://www.kde.org">K Desktop Environment (KDE)</ulink>
 		  Project.</entry>
 		<entry></entry>
 	      </row>
 
 	      <row>
 		<entry><filename>korean</filename></entry>
 		<entry>Korean language support.</entry>
 		<entry></entry>
 	      </row>
 
 	      <row>
 		<entry><filename>lang</filename></entry>
 		<entry>Programming languages.</entry>
 		<entry></entry>
 	      </row>
 
 	      <row>
 		<entry><filename>linux*</filename></entry>
 		<entry>Linux applications and support utilities.</entry>
 		<entry></entry>
 	      </row>
 
 	      <row>
 		<entry><filename>lisp*</filename></entry>
 		<entry>Software related to the Lisp language.</entry>
 		<entry></entry>
 	      </row>
 
 	      <row>
 		<entry><filename>mail</filename></entry>
 		<entry>Mail software.</entry>
 		<entry></entry>
 	      </row>
 
 	      <row>
 		<entry><filename>math</filename></entry>
 		<entry>Numerical computation software and other utilities
 		  for mathematics.</entry>
 		<entry></entry>
 	      </row>
 
 	      <row>
 		<entry><filename>mbone</filename></entry>
 		<entry>MBone applications.</entry>
 		<entry></entry>
 	      </row>
 
 	      <row>
 		<entry><filename>misc</filename></entry>
 		<entry>Miscellaneous utilities</entry>
 		<entry>Basically things that
 		  do not belong anywhere else.
 		  If at all possible, try to
 		  find a better category for your port than
 		  <literal>misc</literal>, as ports tend to get overlooked
 		  in here.</entry>
 	      </row>
 
 	      <row>
 		<entry><filename>multimedia</filename></entry>
 		<entry>Multimedia software.</entry>
 		<entry></entry>
 	      </row>
 
 	      <row>
 		<entry><filename>net</filename></entry>
 		<entry>Miscellaneous networking software.</entry>
 		<entry></entry>
 	      </row>
 
 	      <row>
 		<entry><filename>net-mgmt</filename></entry>
 		<entry>Networking management software.</entry>
 		<entry></entry>
 	      </row>
 
 	      <row>
 		<entry><filename>news</filename></entry>
 		<entry>USENET news software.</entry>
 		<entry></entry>
 	      </row>
 
 	      <row>
 		<entry><filename>offix*</filename></entry>
 		<entry>Ports from the <ulink url="http://leb.net/OffiX/">OffiX</ulink> suite.</entry>
 		<entry></entry>
 	      </row>
 
 	      <row>
 		<entry><filename>palm</filename></entry>
 		<entry>Software support for the <ulink url="http://www.palm.com/">Palm&trade;</ulink> series.</entry>
 		<entry></entry>
 	      </row>
 
 	      <row>
 		<entry><filename>parallel*</filename></entry>
 		<entry>Applications dealing with parallelism in computing.</entry>
 		<entry></entry>
 	      </row>
 
 	      <row>
 		<entry><filename>pear*</filename></entry>
 		<entry>Ports related to the Pear PHP framework.</entry>
 		<entry></entry>
 	      </row>
 
 	      <row>
 		<entry><filename>perl5*</filename></entry>
 		<entry>Ports that require <application>Perl</application> version 5 to run.</entry>
 		<entry></entry>
 	      </row>
 
 	      <row>
 		<entry><filename>picobsd</filename></entry>
 		<entry>Ports to support <ulink url="http://people.FreeBSD.org/~picobsd/">PicoBSD</ulink>.</entry>
 		<entry></entry>
 	      </row>
 
 	      <row>
 		<entry><filename>plan9*</filename></entry>
 		<entry>Various programs from <ulink url="http://www.cs.bell-labs.com/plan9dist/">Plan9</ulink>.</entry>
 		<entry></entry>
 	      </row>
 
 	      <row>
 		<entry><filename>polish</filename></entry>
 		<entry>Polish language support.</entry>
 		<entry></entry>
 	      </row>
 
 	      <row>
 		<entry><filename>portuguese</filename></entry>
 		<entry>Portuguese language support.</entry>
 		<entry></entry>
 	      </row>
 
 	      <row>
 		<entry><filename>print</filename></entry>
 		<entry>Printing software.</entry>
 		<entry>Desktop publishing tools
 		  (previewers, etc.) belong here too.</entry>
 	      </row>
 
 	      <row>
 		<entry><filename>python*</filename></entry>
 		<entry>Software related to the <ulink url="http://www.python.org/">Python</ulink> language.</entry>
 		<entry></entry>
 	      </row>
 
 	      <row>
 		<entry><filename>ruby*</filename></entry>
 		<entry>Software related to the <ulink url="http://www.ruby-lang.org/">Ruby</ulink> language.</entry>
 		<entry></entry>
 	      </row>
 
 	      <row>
 		<entry><filename>russian</filename></entry>
 		<entry>Russian language support.</entry>
 		<entry></entry>
 	      </row>
 
 	      <row>
 		<entry><filename>science</filename></entry>
 		<entry>Scientific ports that do not fit into other
 		  categories such as <filename>astro</filename>,
 		  <filename>biology</filename> and
 		  <filename>math</filename>.</entry>
 		<entry></entry>
 	      </row>
 
 	      <row>
 		<entry><filename>security</filename></entry>
 		<entry>Security utilities.</entry>
 		<entry></entry>
 	      </row>
 
 	      <row>
 		<entry><filename>shells</filename></entry>
 		<entry>Command line shells.</entry>
 		<entry></entry>
 	      </row>
 
 	      <row>
 		<entry><filename>sysutils</filename></entry>
 		<entry>System utilities.</entry>
 		<entry></entry>
 	      </row>
 
 	      <row>
 		<entry><filename>tcl76*</filename></entry>
 		<entry>Ports that use Tcl version 7.6 to run.</entry>
 		<entry></entry>
 	      </row>
 
 	      <row>
 		<entry><filename>tcl80*</filename></entry>
 		<entry>Ports that use Tcl version 8.0 to run.</entry>
 		<entry></entry>
 	      </row>
 
 	      <row>
 		<entry><filename>tcl81*</filename></entry>
 		<entry>Ports that use Tcl version 8.1 to run.</entry>
 		<entry></entry>
 	      </row>
 
 	      <row>
 		<entry><filename>tcl82*</filename></entry>
 		<entry>Ports that use Tcl version 8.2 to run.</entry>
 		<entry></entry>
 	      </row>
 
 	      <row>
 		<entry><filename>tcl83*</filename></entry>
 		<entry>Ports that use Tcl version 8.3 to run.</entry>
 		<entry></entry>
 	      </row>
 
 	      <row>
 		<entry><filename>textproc</filename></entry>
 		<entry>Text processing utilities.</entry>
 		<entry>It does not include
 		  desktop publishing tools, which go to <filename>print</filename>.</entry>
 	      </row>
 
 	      <row>
 		<entry><filename>tk42*</filename></entry>
 		<entry>Ports that use Tk version 4.2 to run.</entry>
 		<entry></entry>
 	      </row>
 
 	      <row>
 		<entry><filename>tk80*</filename></entry>
 		<entry>Ports that use Tk version 8.0 to run.</entry>
 		<entry></entry>
 	      </row>
 
 	      <row>
 		<entry><filename>tk81*</filename></entry>
 		<entry>Ports that use Tk version 8.1 to run.</entry>
 		<entry></entry>
 	      </row>
 
 	      <row>
 		<entry><filename>tk82*</filename></entry>
 		<entry>Ports that use Tk version 8.2 to run.</entry>
 		<entry></entry>
 	      </row>
 
 	      <row>
 		<entry><filename>tk83*</filename></entry>
 		<entry>Ports that use Tk version 8.3 to run.</entry>
 		<entry></entry>
 	      </row>
 
 	      <row>
 		<entry><filename>tkstep80*</filename></entry>
 		<entry>Ports that use TkSTEP version 8.0 to run.</entry>
 		<entry></entry>
 	      </row>
 
 	      <row>
 		<entry><filename>ukrainian</filename></entry>
 		<entry>Ukrainian language support.</entry>
 		<entry></entry>
 	      </row>
 
 	      <row>
 		<entry><filename>vietnamese</filename></entry>
 		<entry>Vietnamese language support.</entry>
 		<entry></entry>
 	      </row>
 
 	      <row>
 		<entry><filename>windowmaker*</filename></entry>
 		<entry>Ports to support the WindowMaker window
 		  manager.</entry>
 		<entry></entry>
 	      </row>
 
 	      <row>
 		<entry><filename>www</filename></entry>
 		<entry>Software related to the World Wide Web.</entry>
 		<entry>HTML language
 		  support belongs here too.</entry>
 	      </row>
 
 	      <row>
 		<entry><filename>x11</filename></entry>
 		<entry>The X Window System and friends.</entry>
 		<entry>This category is only
 		  for software that directly supports the window system.  Do not
 		  put regular X applications here; most of them should go
 		  into other <filename>x11-*</filename> categories (see below).
 		  If your port <emphasis>is</emphasis> an X
 		  application, define <makevar>USE_XLIB</makevar> (implied by
 		  <makevar>USE_IMAKE</makevar>) and put it in the appropriate
 		  category.</entry>
 	      </row>
 
 	      <row>
 		<entry><filename>x11-clocks</filename></entry>
 		<entry>X11 clocks.</entry>
 		<entry></entry>
 	      </row>
 
 	      <row>
 		<entry><filename>x11-fm</filename></entry>
 		<entry>X11 file managers.</entry>
 		<entry></entry>
 	      </row>
 
 	      <row>
 		<entry><filename>x11-fonts</filename></entry>
 		<entry>X11 fonts and font utilities.</entry>
 		<entry></entry>
 	      </row>
 
 	      <row>
 		<entry><filename>x11-servers</filename></entry>
 		<entry>X11 servers.</entry>
 		<entry></entry>
 	      </row>
 
 	      <row>
 		<entry><filename>x11-toolkits</filename></entry>
 		<entry>X11 toolkits.</entry>
 		<entry></entry>
 	      </row>
 
 	      <row>
 		<entry><filename>x11-wm</filename></entry>
 		<entry>X11 window managers.</entry>
 		<entry></entry>
 	      </row>
 
 	      <row>
 		<entry><filename>zope*</filename></entry>
 		<entry><ulink url="http://www.zope.org/">Zope</ulink> support.</entry>
 		<entry></entry>
 	      </row>
 	    </tbody>
 	  </tgroup>
 	</informaltable>
       </sect2>
 
       <sect2 id="choosing-categories">
 	<title>Choosing the right category</title>
 
 	<para>As many of the categories overlap, you often have to choose
 	  which of the categories should be the primary category of your port.
 	  There are several rules that govern this issue.  Here is the list of
 	  priorities, in decreasing order of precedence:</para>
 
 	<itemizedlist>
 	  <listitem>
 	    <para>The first category must be a physical category (see
 	      <link linkend="porting-categories">above</link>).  This is
 	      necessary to make the packaging work.  Virtual categories and
 	      physical categories may be intermixed after that.</para>
 	  </listitem>
 
 	  <listitem>
 	    <para>Language specific categories always come first.  For
 	      example, if your port installs Japanese X11 fonts, then your
 	      <makevar>CATEGORIES</makevar> line would read <filename>japanese
 		x11-fonts</filename>.</para>
 	  </listitem>
 
 	  <listitem>
 	    <para>Specific categories are listed before less-specific ones.  For
 	      instance, an HTML editor should be listed as <filename>www
 		editors</filename>, not the other way around.  Also, you should not
 	      list <filename>net</filename> when the port belongs to
 	      any of <filename>irc</filename>, <filename>mail</filename>,
 	      <filename>mbone</filename>, <filename>news</filename>,
 	      <filename>security</filename>, or <filename>www</filename>, as
 	      <filename>net</filename> is included implicitly.</para>
 	  </listitem>
 
 	  <listitem>
 	    <para><filename>x11</filename> is used as a secondary category only
 	      when the primary category is a natural language.  In particular,
 	      you should not put <filename>x11</filename> in the category line
 	      for X applications.</para>
 	  </listitem>
 
 	  <listitem>
 	    <para><application>Emacs</application> modes should be
 	      placed in the same ports category as the application
 	      supported by the mode, not in
 	      <filename>editors</filename>.  For example, an
 	      <application>Emacs</application> mode to edit source
 	      files of some programming language should go into
 	      <filename>lang</filename>.
 	      </para>
 	  </listitem>
 
 	  <listitem>
 	    <para><filename>misc</filename>
 		  should not appear with any other non-virtual category.
 		  If you have <literal>misc</literal> with something else in
 		  your <makevar>CATEGORIES</makevar> line, that means you can
 		  safely delete <literal>misc</literal> and just put the port
 		  in that other subdirectory!</para>
 	  </listitem>
 
 	  <listitem>
 	    <para>If your port truly does not belong anywhere else, put it in
 	      <filename>misc</filename>.</para>
 	  </listitem>
 	</itemizedlist>
 
 	<para>If you are not sure about the category, please put a comment to
 	  that effect in your &man.send-pr.1; submission so we can
 	  discuss it before we import it.  If you are a committer, send a note
 	  to the &a.ports; so we can discuss it first.  Too often, new ports are
 	  imported to the wrong category only to be moved right away.
 	  This causes unnecessary and undesirable bloat in the master
 	  source repository.</para>
       </sect2>
     </sect1>
 
     <sect1 id="makefile-distfiles">
       <title>The distribution files</title>
 
       <para>The second part of the <filename>Makefile</filename> describes the
 	files that must be downloaded in order to build the port, and where
 	they can be downloaded from.</para>
 
       <sect2>
 	<title><makevar>DISTNAME</makevar></title>
 
 	<para><makevar>DISTNAME</makevar> is the name of the port as
 	  called by the authors of the software.
 	  <makevar>DISTNAME</makevar> defaults to
 	  <literal>${PORTNAME}-${PORTVERSION}</literal>, so override it only if necessary.
 	  <makevar>DISTNAME</makevar> is only used in two places.
 	  First, the distribution file list
 	  (<makevar>DISTFILES</makevar>) defaults to
 	  <makevar>${DISTNAME}</makevar><makevar>${EXTRACT_SUFX}</makevar>.
 	  Second, the distribution file is expected to extract into a
 	  subdirectory named <makevar>WRKSRC</makevar>, which defaults
 	  to <filename>work/<makevar>${DISTNAME}</makevar></filename>.</para>
 
 	<note>
 	  <para><makevar>PKGNAMEPREFIX</makevar> and
 	    <makevar>PKGNAMESUFFIX</makevar> do not affect
 	    <makevar>DISTNAME</makevar>.  Also note that if
 	    <makevar>WRKSRC</makevar> is equal to
 	    <filename>work/<makevar>${PORTNAME}-${PORTVERSION}</makevar></filename>
 	    while the original source archive is named something other than
 	    <makevar>${PORTNAME}-${PORTVERSION}${EXTRACT_SUFX}</makevar>,
 	    you should probably leave <makevar>DISTNAME</makevar>
 	    alone&mdash; you are better off defining
 	    <makevar>DISTFILES</makevar> than having to set both
 	    <makevar>DISTNAME</makevar> and <makevar>WRKSRC</makevar>
 	    (and possibly <makevar>EXTRACT_SUFX</makevar>).</para>
 	</note>
       </sect2>
 
       <sect2>
 	<title><makevar>MASTER_SITES</makevar></title>
 
 	<para>Record the directory part of the FTP/HTTP-URL pointing at the
 	  original tarball in <makevar>MASTER_SITES</makevar>.  Do not forget
 	  the trailing slash (<filename>/</filename>)!</para>
 
 	<para>The <command>make</command> macros will try to use this
 	  specification for grabbing the distribution file with
 	  <makevar>FETCH</makevar> if they cannot find it already on the
 	  system.</para>
 
 	<para>It is recommended that you put multiple sites on this list,
 	  preferably from different continents.  This will safeguard against
 	  wide-area network problems.  We are even planning to add support
 	  for automatically determining the closest master site and fetching
 	  from there; having multiple sites will go a long way towards
 	  helping this effort.</para>
 
 	<para>If the original tarball is part of one of the popular
 	  archives such as X-contrib, GNU, or Perl CPAN, you may be able
 	  refer to those sites in an easy compact form using
 	  <makevar>MASTER_SITE_<replaceable>*</replaceable></makevar>
 	  (e.g., <makevar>MASTER_SITE_XCONTRIB</makevar> and
 	  <makevar>MASTER_SITE_PERL_GNU</makevar>).  Simply set
 	  <makevar>MASTER_SITES</makevar> to one of these variables and
 	  <makevar>MASTER_SITE_SUBDIR</makevar> to the path within the
 	  archive.  Here is an example:</para>
 
 	<programlisting>MASTER_SITES=         ${MASTER_SITE_XCONTRIB}
 MASTER_SITE_SUBDIR=   applications</programlisting>
 
 	<para>These variables are defined in
 	  <filename>/usr/ports/Mk/bsd.sites.mk</filename>.  There are
 	  new entries added all the time, so make sure to check the
 	  latest version of this file before submitting a port.</para>
 
 	<para>The user can also set the <makevar>MASTER_SITE_*</makevar>
 	  variables in <filename>/etc/make.conf</filename> to override our
 	  choices, and use their favorite mirrors of these popular archives
 	  instead.</para>
       </sect2>
 
       <sect2>
 	<title><makevar>EXTRACT_SUFX</makevar></title>
 
 	<para>If you have one distribution file, and it uses an odd suffix to
 	  indicate the compression mechanism, set
 	  <makevar>EXTRACT_SUFX</makevar>.</para>
 
 	<para>For example, if the distribution file was named
 	  <filename>foo.tgz</filename> instead of the more normal
 	  <filename>foo.tar.gz</filename>, you would write:</para>
 
 	<programlisting>DISTNAME=      foo
 EXTRACT_SUFX=  .tgz</programlisting>
 
 	<para>The <makevar>USE_BZIP2</makevar> and <makevar>USE_ZIP</makevar>
 	  variables automatically set <makevar>EXTRACT_SUFX</makevar> to
 	  <literal>.bz2</literal> or <literal>.zip</literal> as necessary.  If
 	  neither of these are set then <makevar>EXTRACT_SUFX</makevar>
 	  defaults to <literal>.tar.gz</literal>.</para>
 
 	<note>
 	  <para>You never need to set both <makevar>EXTRACT_SUFX</makevar> and
 	    <makevar>DISTFILES</makevar>.</para>
 	</note>
       </sect2>
 
       <sect2>
 	<title><makevar>DISTFILES</makevar></title>
 
 	<para>Sometimes the names of the files to be downloaded have no
 	  resemblance to the name of the port.  For example, it might be
 	  called <filename>source.tar.gz</filename> or similar.  In other
 	  cases the application's source code might be in several different
 	  archives, all of which must be downloaded.</para>
 
 	<para>If this is the case, set <makevar>DISTFILES</makevar> to be a
 	  space separated list of all the files that must be
 	  downloaded.</para>
 
 	<programlisting>DISTFILES=     source1.tar.gz source2.tar.gz</programlisting>
 
 	<para>If not explicitly set, <makevar>DISTFILES</makevar> defaults to
 	  <literal>${DISTNAME}${EXTRACT_SUFX}</literal>.</para>
       </sect2>
 
       <sect2>
 	<title><makevar>EXTRACT_ONLY</makevar></title>
 
 	<para>If only some of the <makevar>DISTFILES</makevar> must be
 	  extracted&mdash;for example, one of them is the source code, while
 	  another is an uncompressed document&mdash;list the filenames that
 	  must be extracted in <makevar>EXTRACT_ONLY</makevar>.</para>
 
 	<programlisting>DISTFILES=     source.tar.gz manual.html
 EXTRACT_ONLY=  source.tar.gz</programlisting>
 
 	<para>If <emphasis>none</emphasis> of the <makevar>DISTFILES</makevar>
 	  should be uncompressed then set <makevar>EXTRACT_ONLY</makevar> to
 	  the empty string.</para>
 
 	<programlisting>EXTRACT_ONLY=</programlisting>
       </sect2>
 
       <sect2 id="porting-patchfiles">
 	<title><makevar>PATCHFILES</makevar></title>
 
 	<para>If your port requires some additional patches that are available
 	  by FTP or HTTP, set <makevar>PATCHFILES</makevar> to the names of
 	  the files and <makevar>PATCH_SITES</makevar> to the URL of the
 	  directory that contains them (the format is the same as
 	  <makevar>MASTER_SITES</makevar>).</para>
 
 	<para>If the patch is not relative to the top of the source tree
 	  (i.e., <makevar>WRKSRC</makevar>) because it contains some extra
 	  pathnames, set <makevar>PATCH_DIST_STRIP</makevar> accordingly. For
 	  instance, if all the pathnames in the patch have an extra
 	  <literal>foozolix-1.0/</literal> in front of the filenames, then set
 	  <literal>PATCH_DIST_STRIP=-p1</literal>.</para>
 
 	<para>Do not worry if the patches are compressed; they will be
 	  decompressed automatically if the filenames end with
 	  <filename>.gz</filename> or <filename>.Z</filename>.</para>
 
 	<para>If the patch is distributed with some other files, such as
 	  documentation, in a gzip'd tarball, you cannot just use
 	  <makevar>PATCHFILES</makevar>.  If that is the case, add the name
 	  and the location of the patch tarball to
 	  <makevar>DISTFILES</makevar> and <makevar>MASTER_SITES</makevar>.
 	  Then, use the <makevar>EXTRA_PATCHES</makevar> variable to
 	  point to those files and <filename>bsd.port.mk</filename>
 	  will automatically apply them for you.  In particular, do
 	  <emphasis>not</emphasis> copy patch files into the
 	  <makevar>PATCHDIR</makevar> directory&mdash;that directory may
 	  not be writable.</para>
 
 	<note>
 	  <para>The tarball will have been extracted alongside the
 	    regular source by then, so there is no need to explicitly extract
 	    it if it is a regular gzip'd or compress'd tarball. If you do the
 	    latter, take extra care not to overwrite something that already
 	    exists in that directory.  Also, do not forget to add a command to
 	    remove the copied patch in the <maketarget>pre-clean</maketarget>
 	    target.</para>
 	</note>
       </sect2>
 
       <sect2 id="porting-master-sites-n">
 	<title>Multiple distribution files or patches from different
 	  sites and subdirectories
 	  (<literal>MASTER_SITES:n</literal>)</title>
 
 	<para>(Consider this to be a somewhat <quote>advanced topic</quote>;
 	  those new to this document may wish to skip this section at first).
 	  </para>
 
 	<para>This section has information on the fetching mechanism
 	  known as both <literal>MASTER_SITES:n</literal> and
 	  <literal>MASTER_SITES_NN</literal>.  We will refer to this
 	  mechanism as <literal>MASTER_SITES:n</literal>
 	  hereon.</para>
 
 	<para>A little background first.  OpenBSD has a neat feature
 	  inside both <makevar>DISTFILES</makevar> and
 	  <makevar>PATCHFILES</makevar> variables, both files and
 	  patches can be postfixed with <literal>:n</literal>
 	  identifiers where <literal>n</literal> both can be
 	  <literal>[0-9]</literal> and denote a group designation.
 	  For example:</para>
 
 	<programlisting>DISTFILES=      alpha:0 beta:1</programlisting>
 
 	<para>In OpenBSD, distribution file <filename>alpha</filename>
 	  will be associated with variable
 	  <makevar>MASTER_SITES0</makevar> instead of our common
 	  <makevar>MASTER_SITES</makevar> and
 	  <filename>beta</filename> with
 	  <makevar>MASTER_SITES1</makevar>.</para>
 
 	<para>This is a very interesting feature which can decrease
 	  that endless search for the correct download site.</para>
 
 	<para>Just picture 2 files in <makevar>DISTFILES</makevar> and
 	  20 sites in <makevar>MASTER_SITES</makevar>, the sites slow
 	  as hell where <filename>beta</filename> is carried by all
 	  sites in <makevar>MASTER_SITES</makevar>, and
 	  <filename>alpha</filename> can only be found in the 20th
 	  site.  It would be such a waste to check all of them if
 	  maintainer knew this beforehand, would it not?  Not a good
 	  start for that lovely weekend!</para>
 
 	<para>Now that you have the idea, just imagine more
 	  <makevar>DISTFILES</makevar> and more
 	  <makevar>MASTER_SITES</makevar>.  Surely our
 	  <quote>distfiles survey meister</quote> would appreciate the
 	  relief to network strain that this would bring.</para>
 
 	<para>In the next sections, information will follow on the
 	  FreeBSD implementation of this idea.	We improved a bit on
 	  OpenBSD's concept.</para>
 
 	<sect3>
 	  <title>Simplified information</title>
 
 	  <para>This section tells you how to quickly prepare fine
 	    grained fetching of multiple distribution files and
 	    patches from different sites and subdirectories.  We
 	    describe here a case of simplified
 	    <literal>MASTER_SITES:n</literal> usage.  This will be
 	    sufficient for most scenarios.  However, if you need
 	    further information, you will have to refer to the next
 	    section.</para>
 
 	  <para>Some applications consist of multiple distribution
 	    files that must be downloaded from a number of different
 	    sites.  For example,
 	    <application>Ghostscript</application> consists of the
 	    core of the program, and then a large number of driver
 	    files that are used depending on the user's printer.  Some
 	    of these driver files are supplied with the core, but many
 	    others must be downloaded from a variety of different
 	    sites.</para>
 
 	  <para>To support this, each entry in
 	    <makevar>DISTFILES</makevar> may be followed by a colon
 	    and a <quote>tag name</quote>.  Each site listed in
 	    <makevar>MASTER_SITES</makevar> is then followed by a
 	    colon, and the tag that indicates which distribution files
 	    should be downloaded from this site.</para>
 
 	  <para>For example, consider an application with the source
 	    split in two parts, <filename>source1.tar.gz</filename>
 	    and <filename>source2.tar.gz</filename>, which must be
 	    downloaded from two different sites.  The port's
 	    <filename>Makefile</filename> would include lines like
 	    <xref
 	      linkend="ports-master-sites-n-example-simple-use-one-file-per-site">.</para>
 
 	  <example
 	    id="ports-master-sites-n-example-simple-use-one-file-per-site">
 	    <title>Simplified use of <literal>MASTER_SITES:n</literal>
 	      with 1 file per site</title>
 
 	    <programlisting>MASTER_SITES=   ftp://ftp.example1.com/:source1 \
 		ftp://ftp.example2.com/:source2
 DISTFILES=      source1.tar.gz:source1 \
 		source2.tar.gz:source2</programlisting>
 	  </example>
 
 	  <para>Multiple distribution files can have the same tag.
 	    Continuing the previous example, suppose that there was a
 	    third distfile, <filename>source3.tar.gz</filename>, that
 	    should be downloaded from
 	    <hostid>ftp.example2.com</hostid>.	The
 	    <filename>Makefile</filename> would then be written like
 	    <xref
 	      linkend="ports-master-sites-n-example-simple-use-more-than-one-file-per-site">.</para>
 
 	  <example
 	    id="ports-master-sites-n-example-simple-use-more-than-one-file-per-site">
 	    <title>Simplified use of <literal>MASTER_SITES:n</literal>
 	      with more than 1 file per site</title>
 
 	    <programlisting>MASTER_SITES=   ftp://ftp.example1.com/:source1 \
 		ftp://ftp.example2.com/:source2
 DISTFILES=      source1.tar.gz:source1 \
 		source2.tar.gz:source2 \
 		source3.tar.gz:source2</programlisting>
 	  </example>
 	</sect3>
 
 	<sect3>
 	  <title>Detailed information</title>
 
 	  <para>Okay, so the previous section example did not reflect
 	    your needs?	 In this section we will explain in detail how
 	    the fine grained fetching mechanism
 	    <literal>MASTER_SITES:n</literal> works and how you can
 	    modify your ports to use it.</para>
 
 	  <orderedlist>
 	    <listitem>
 	      <para>Elements can be postfixed with
 		<literal>:<replaceable>n</replaceable></literal> where
 		<replaceable>n</replaceable> is
 		<literal>[^:,]+</literal>, i.e.,
 		<replaceable>n</replaceable> could conceptually be any
 		alphanumeric string but we will limit it to
 		<literal>[a-zA-Z_][0-9a-zA-Z_]+</literal> for
 		now.</para>
 
 	      <para>Moreover, string matching is case sensitive;
 		i.e., <literal>n</literal> is different from
 		<literal>N</literal>.</para>
 
 	      <para>However, the following words cannot be used for
 		postfixing purposes since they yield special meaning:
 		<literal>default</literal>, <literal>all</literal> and
 		<literal>ALL</literal> (they are used internally in
 		item <xref
 		  linkend="porting-master-sites-n-what-changes-in-port-targets">).
 		Furthermore, <literal>DEFAULT</literal> is a special
 		purpose word (check item <xref
 		  linkend="porting-master-sites-n-DEFAULT-group">).</para>
 	    </listitem>
 
 	    <listitem>
 	      <para>Elements postfixed with <literal>:n</literal>
 		belong to the group <literal>n</literal>,
 		<literal>:m</literal> belong to group
 		<literal>m</literal> and so forth.</para>
 	    </listitem>
 
 	    <listitem id="porting-master-sites-n-DEFAULT-group">
 	      <para>Elements without a postfix are groupless, i.e.,
 		they all belong to the special group
 		<literal>DEFAULT</literal>.  If you postfix any
 		elements with <literal>DEFAULT</literal>, you are just
 		being redundant unless you want to have an element
 		belonging to both <literal>DEFAULT</literal> and other
 		groups at the same time (check item <xref
 		  linkend="porting-master-sites-n-comma-operator">).</para>
 
 	      <para>The following examples are equivalent but the
 		first one is preferred:</para>
 
 	      <programlisting>MASTER_SITES=   alpha
 
 MASTER_SITES=   alpha:DEFAULT</programlisting>
 	    </listitem>
 
 	    <listitem>
 	      <para>Groups are not exclusive, an element may belong to
 		several different groups at the same time and a group
 		can either have either several different elements or
 		none at all.  Repeated elements within the same group
 		will be simply that, repeated elements.</para>
 	    </listitem>
 
 	    <listitem id="porting-master-sites-n-comma-operator">
 	      <para>When you want an element to belong to several
 		groups at the same time, you can use the comma
 		operator (<literal>,</literal>).</para>
 
 	      <para>Instead of repeating it several times, each time
 		with a different postfix, we can list several groups
 		at once in a single postfix.  For instance,
 		<literal>:m,n,o</literal> marks an element that
 		belongs to group <literal>m</literal>,
 		<literal>n</literal> and <literal>o</literal>.</para>
 
 	      <para>All the following examples are equivalent but the
 		last one is preferred:</para>
 
 	      <programlisting>MASTER_SITES=   alpha alpha:SOME_SITE
 
 MASTER_SITES=   alpha:DEFAULT alpha:SOME_SITE
 
 MASTER_SITES=   alpha:SOME_SITE,DEFAULT
 
 MASTER_SITES=   alpha:DEFAULT,SOME_SITE</programlisting>
 	    </listitem>
 
 	    <listitem>
 	      <para>All sites within a given group are sorted
 		according to <makevar>MASTER_SORT_AWK</makevar>.  All
 		groups within <makevar>MASTER_SITES</makevar> and
 		<makevar>PATCH_SITES</makevar> are sorted as
 		well.</para>
 	    </listitem>
 
 	    <listitem id="porting-master-sites-n-group-semantics">
 	      <para>Group semantics can be used in any of the
 		following variables <makevar>MASTER_SITES</makevar>,
 		<makevar>PATCH_SITES</makevar>,
 		<makevar>MASTER_SITE_SUBDIR</makevar>,
 		<makevar>PATCH_SITE_SUBDIR</makevar>,
 		<makevar>DISTFILES</makevar>, and
 		<makevar>PATCHFILES</makevar> according to the
 		following syntax:</para>
 
 	      <orderedlist>
 		<listitem>
 		  <para>All <makevar>MASTER_SITES</makevar>,
 		    <makevar>PATCH_SITES</makevar>,
 		    <makevar>MASTER_SITE_SUBDIR</makevar> and
 		    <makevar>PATCH_SITE_SUBDIR</makevar> elements must
 		    be terminated with the forward slash
 		    <literal>/</literal> character.  If any elements
 		    belong to any groups, the group postfix
 		    <literal>:<replaceable>n</replaceable></literal>
 		    must come right after the terminator
 		    <literal>/</literal>.  The
 		    <literal>MASTER_SITES:n</literal> mechanism relies
 		    on the existence of the terminator
 		    <literal>/</literal> to avoid confusing elements
 		    where a <literal>:n</literal> is a valid part of
 		    the element with occurrences where
 		    <literal>:n</literal> denotes group
 		    <literal>n</literal>.  For compatibility purposes,
 		    since the <literal>/</literal> terminator was not
 		    required before in both
 		    <makevar>MASTER_SITE_SUBDIR</makevar> and
 		    <makevar>PATCH_SITE_SUBDIR</makevar> elements, if
 		    the postfix immediate preceding character is not
 		    a <literal>/</literal> then <literal>:n</literal>
 		    will be considered a valid part of the element
 		    instead of a group postfix even if an element is
 		    postfixed with <literal>:n</literal>.  See both
 		    <xref
 		      linkend="ports-master-sites-n-example-detailed-use-master-site-subdir">
 		    and <xref
 		      linkend="ports-master-sites-n-example-detailed-use-complete-example-master-sites">.</para>
 
 		  <example id="ports-master-sites-n-example-detailed-use-master-site-subdir">
 		    <title>Detailed use of
 		      <literal>MASTER_SITES:n</literal> in
 		      <makevar>MASTER_SITE_SUBDIR</makevar></title>
 
 		    <programlisting>MASTER_SITE_SUBDIR=     old:n new/:NEW</programlisting>
 
 		    <itemizedlist>
 		      <listitem>
 			<para>Directories within group
 			  <literal>DEFAULT</literal> -> old:n</para>
 		      </listitem>
 
 		      <listitem>
 			<para>Directories within group
 			  <literal>NEW</literal> -> new</para>
 		      </listitem>
 		    </itemizedlist>
 		  </example>
 
 		  <example
 		    id="ports-master-sites-n-example-detailed-use-complete-example-master-sites">
 		      <title>Detailed use of
 			<literal>MASTER_SITES:n</literal> with comma
 			operator, multiple files, multiple sites and
 			multiple subdirectories</title>
 
 		    <programlisting>MASTER_SITES=   http://site1/%SUBDIR%/ http://site2/:DEFAULT \
 		http://site3/:group3 http://site4/:group4 \
 		http://site5/:group5 http://site6/:group6 \
 		http://site7/:DEFAULT,group6 \
 		http://site8/%SUBDIR%/:group6,group7 \
 		http://site9/:group8
 DISTFILES=      file1 file2:DEFAULT file3:group3 \
 		file4:group4,group5,group6 file5:grouping \
 		file6:group7
 MASTER_SITE_SUBDIR=     directory-trial:1 directory-n/:groupn \
 			directory-one/:group6,DEFAULT \
 			directory</programlisting>
 
 		    <para>The previous example results in the
 		      following fine grained fetching.	Sites are
 		      listed in the exact order they will be
 		      used.</para>
 
 		    <itemizedlist>
 		      <listitem>
 			<para><filename>file1</filename> will be
 			  fetched from</para>
 
 			<itemizedlist>
 			  <listitem>
 			    <para><makevar>MASTER_SITE_OVERRIDE</makevar></para>
 			  </listitem>
 
 			  <listitem>
 			    <para>http://site1/directory/</para>
 			  </listitem>
 
 			  <listitem>
 			    <para>http://site1/directory-one/</para>
 			  </listitem>
 
 			  <listitem>
 			    <para>http://site1/directory-trial:1/</para>
 			  </listitem>
 
 			  <listitem>
 			    <para>http://site2/</para>
 			  </listitem>
 
 			  <listitem>
 			    <para>http://site7/</para>
 			  </listitem>
 
 			  <listitem>
 			    <para><makevar>MASTER_SITE_BACKUP</makevar></para>
 			  </listitem>
 			</itemizedlist>
 		      </listitem>
 
 		      <listitem>
 			<para><filename>file2</filename> will be
 			  fetched exactly as
 			  <filename>file1</filename> since they
 			  both belong to the same group</para>
 
 			<itemizedlist>
 			  <listitem>
 			    <para><makevar>MASTER_SITE_OVERRIDE</makevar></para>
 			  </listitem>
 
 			  <listitem>
 			    <para>http://site1/directory/</para>
 			  </listitem>
 
 			  <listitem>
 			    <para>http://site1/directory-one/</para>
 			  </listitem>
 
 			  <listitem>
 			    <para>http://site1/directory-trial:1/</para>
 			  </listitem>
 
 			  <listitem>
 			    <para>http://site2/</para>
 			  </listitem>
 
 			  <listitem>
 			    <para>http://site7/</para>
 			  </listitem>
 
 			  <listitem>
 			    <para><makevar>MASTER_SITE_BACKUP</makevar></para>
 			  </listitem>
 			</itemizedlist>
 		      </listitem>
 
 		      <listitem>
 			<para><filename>file3</filename> will be
 			  fetched from</para>
 
 			<itemizedlist>
 			  <listitem>
 			    <para><makevar>MASTER_SITE_OVERRIDE</makevar></para>
 			  </listitem>
 
 			  <listitem>
 			    <para>http://site3/</para>
 			  </listitem>
 
 			  <listitem>
 			    <para><makevar>MASTER_SITE_BACKUP</makevar></para>
 			  </listitem>
 			</itemizedlist>
 		      </listitem>
 
 		      <listitem>
 			<para><filename>file4</filename> will be
 			  fetched from</para>
 
 			<itemizedlist>
 			  <listitem>
 			    <para><makevar>MASTER_SITE_OVERRIDE</makevar></para>
 			  </listitem>
 
 			  <listitem>
 			    <para>http://site4/</para>
 			  </listitem>
 
 			  <listitem>
 			    <para>http://site5/</para>
 			  </listitem>
 
 			  <listitem>
 			    <para>http://site6/</para>
 			  </listitem>
 
 			  <listitem>
 			    <para>http://site7/</para>
 			  </listitem>
 
 			  <listitem>
 			    <para>http://site8/directory-one/</para>
 			  </listitem>
 
 			  <listitem>
 			    <para><makevar>MASTER_SITE_BACKUP</makevar></para>
 			  </listitem>
 			</itemizedlist>
 		      </listitem>
 
 		      <listitem>
 			<para><filename>file5</filename> will be
 			  fetched from</para>
 
 			<itemizedlist>
 			  <listitem>
 			    <para><makevar>MASTER_SITE_OVERRIDE</makevar></para>
 			  </listitem>
 
 			  <listitem>
 			    <para><makevar>MASTER_SITE_BACKUP</makevar></para>
 			  </listitem>
 			</itemizedlist>
 		      </listitem>
 
 		      <listitem>
 			<para><filename>file6</filename> will be
 			  fetched from</para>
 
 			<itemizedlist>
 			  <listitem>
 			    <para><makevar>MASTER_SITE_OVERRIDE</makevar></para>
 			  </listitem>
 
 			  <listitem>
 			    <para>http://site8/directory-one/</para>
 			  </listitem>
 
 			  <listitem>
 			    <para><makevar>MASTER_SITE_BACKUP</makevar></para>
 			  </listitem>
 			</itemizedlist>
 		      </listitem>
 		    </itemizedlist>
 		  </example>
 		</listitem>
 	      </orderedlist>
 	    </listitem>
 
 	    <listitem>
 	      <para>How do I group one of the special variables from
 		<filename>bsd.sites.mk</filename>, e.g.,
 		<makevar>MASTER_SITE_SOURCEFORGE</makevar>?</para>
 
 	      <para>See <xref
 		  linkend="ports-master-sites-n-example-detailed-use-master-site-sourceforge">.</para>
 
 	      <example
 		id="ports-master-sites-n-example-detailed-use-master-site-sourceforge">
 		<title>Detailed use of
 		  <literal>MASTER_SITES:n</literal> with
 		  <makevar>MASTER_SITE_SOURCEFORGE</makevar></title>
 
 		<programlisting>MASTER_SITES=   http://site1/ ${MASTER_SITE_SOURCEFORGE:S/$/:sourceforge,TEST/}
 DISTFILES=      something.tar.gz:sourceforge</programlisting>
 	      </example>
 
 	      <para><filename>something.tar.gz</filename> will be
 		fetched from all sites within
 		<makevar>MASTER_SITE_SOURCEFORGE</makevar>.</para>
 	    </listitem>
 
 	    <listitem>
 	      <para>How do I use this with <makevar>PATCH*</makevar>
 		variables?</para>
 
 	      <para>All examples were done with
 		<makevar>MASTER*</makevar> variables but they work
 		exactly the same for <makevar>PATCH*</makevar> ones as
 		can be seen in <xref
 		  linkend="ports-master-sites-n-example-detailed-use-patch-sites">.</para>
 
 	      <example
 		id="ports-master-sites-n-example-detailed-use-patch-sites">
 		<title>Simplified use of
 		  <literal>MASTER_SITES:n</literal> with
 		  <makevar>PATCH_SITES</makevar>.</title>
 
 		<programlisting>PATCH_SITES=    http://site1/ http://site2/:test
 PATCHFILES=     patch1:test</programlisting>
 	      </example>
 	    </listitem>
 	  </orderedlist>
 	</sect3>
 
 	<sect3>
 	  <title>What does change for ports?  What does not?</title>
 
 	  <orderedlist numeration="lowerroman">
 	    <listitem>
 	      <para>All current ports remain the same.  The
 		<literal>MASTER_SITES:n</literal> feature code is only
 		activated if there are elements postfixed with
 		<literal>:<replaceable>n</replaceable></literal> like
 		elements according to the aforementioned syntax rules,
 		especially as shown in item <xref
 		  linkend="porting-master-sites-n-group-semantics">.</para>
 	    </listitem>
 
 	    <listitem id="porting-master-sites-n-what-changes-in-port-targets">
 	      <para>The port targets remain the same:
 		<maketarget>checksum</maketarget>,
 		<maketarget>makesum</maketarget>,
 		<maketarget>patch</maketarget>,
 		<maketarget>configure</maketarget>,
 		<maketarget>build</maketarget>, etc.  With the obvious
 		exceptions of <maketarget>do-fetch</maketarget>,
 		<maketarget>fetch-list</maketarget>,
 		<maketarget>master-sites</maketarget> and
 		<maketarget>patch-sites</maketarget>.</para>
 
 	      <itemizedlist>
 		<listitem>
 		  <para><maketarget>do-fetch</maketarget>: deploys the
 		    new grouping postfixed
 		    <makevar>DISTFILES</makevar> and
 		    <makevar>PATCHFILES</makevar> with their matching
 		    group elements within both
 		    <makevar>MASTER_SITES</makevar> and
 		    <makevar>PATCH_SITES</makevar> which use matching
 		    group elements within both
 		    <makevar>MASTER_SITE_SUBDIR</makevar> and
 		    <makevar>PATCH_SITE_SUBDIR</makevar>.  Check <xref
 		      linkend="ports-master-sites-n-example-detailed-use-complete-example-master-sites">.</para>
 		</listitem>
 
 		<listitem>
 		  <para><maketarget>fetch-list</maketarget>: works
 		    like old <maketarget>fetch-list</maketarget> with
 		    the exception that it groups just like
 		    <maketarget>do-fetch</maketarget>.</para>
 		</listitem>
 
 		<listitem>
 		  <para><maketarget>master-sites</maketarget> and
 		    <maketarget>patch-sites</maketarget>:
 		    (incompatible with older versions) only return the
 		    elements of group <literal>DEFAULT</literal>;  in
 		    fact, they execute targets
 		    <maketarget>master-sites-default</maketarget> and
 		    <maketarget>patch-sites-default</maketarget>
 		    respectively.</para>
 
 		  <para>Furthermore, using target either
 		    <maketarget>master-sites-all</maketarget> or
 		    <maketarget>patch-sites-all</maketarget> is
 		    preferred to directly checking either
 		    <maketarget>MASTER_SITES</maketarget> or
 		    <maketarget>PATCH_SITES</maketarget>.  Also,
 		    directly checking is not guaranteed to work in any
 		    future versions.  Check item <xref
 		      linkend="porting-master-sites-n-new-port-targets-master-sites-all">
 		    for more information on these new port
 		    targets.</para>
 		</listitem>
 
 	      </itemizedlist>
 	    </listitem>
 
 	    <listitem>
 	      <para>New port targets</para>
 
 	      <orderedlist>
 		<listitem>
 		  <para>There are
 		    <maketarget>master-sites-<replaceable>n</replaceable></maketarget>
 		    and
 		    <maketarget>patch-sites-<replaceable>n</replaceable></maketarget>
 		    targets which will list the elements of the
 		    respective group <replaceable>n</replaceable>
 		    within <makevar>MASTER_SITES</makevar> and
 		    <makevar>PATCH_SITES</makevar> respectively.  For
 		    instance, both
 		    <maketarget>master-sites-DEFAULT</maketarget> and
 		    <maketarget>patch-sites-DEFAULT</maketarget> will
 		    return the elements of group
 		    <literal>DEFAULT</literal>,
 		    <maketarget>master-sites-test</maketarget> and
 		    <maketarget>patch-sites-test</maketarget> of group
 		    <literal>test</literal>, and thereon.</para>
 		</listitem>
 
 		<listitem id="porting-master-sites-n-new-port-targets-master-sites-all">
 		  <para>There are new targets
 		    <maketarget>master-sites-all</maketarget> and
 		    <maketarget>patch-sites-all</maketarget> which do
 		    the work of the old
 		    <maketarget>master-sites</maketarget> and
 		    <maketarget>patch-sites</maketarget> ones.  They
 		    return the elements of all groups as if they all
 		    belonged to the same group with the caveat that it
 		    lists as many
 		    <makevar>MASTER_SITE_BACKUP</makevar> and
 		    <makevar>MASTER_SITE_OVERRIDE</makevar> as there
 		    are groups defined within either
 		    <makevar>DISTFILES</makevar> or
 		    <makevar>PATCHFILES</makevar>;  respectively for
 		    <maketarget>master-sites-all</maketarget> and
 		    <maketarget>patch-sites-all</maketarget>.</para>
 		</listitem>
 	      </orderedlist>
 	    </listitem>
 	  </orderedlist>
 	</sect3>
       </sect2>
 
       <sect2>
 	<title><makevar>DIST_SUBDIR</makevar></title>
 
 	<para>Do not let your port clutter
 	  <filename>/usr/ports/distfiles</filename>.  If your port requires a
 	  lot of files to be fetched, or contains a file that has a name that
 	  might conflict with other ports (e.g.,
 	  <filename>Makefile</filename>), set <makevar>DIST_SUBDIR</makevar>
 	  to the name of the port (<literal>${PORTNAME}</literal> or
 	  <literal>${PKGNAMEPREFIX}${PORTNAME}</literal>
 	  should work fine).  This will change
 	  <makevar>DISTDIR</makevar> from the default
 	  <filename>/usr/ports/distfiles</filename> to
 	  <filename>/usr/ports/distfiles/<makevar>DIST_SUBDIR</makevar></filename>,
 	  and in effect puts everything that is required for your port into
 	  that subdirectory.</para>
 
 	<para>It will also look at the subdirectory with the same name on the
 	  backup master site at <filename>ftp.FreeBSD.org</filename>.
 	  (Setting <makevar>DISTDIR</makevar> explicitly in your
 	  <makevar>Makefile</makevar> will not accomplish this, so please use
 	  <makevar>DIST_SUBDIR</makevar>.)</para>
 
 	<note>
 	  <para>This does not affect the <makevar>MASTER_SITES</makevar> you
 	    define in your <filename>Makefile</filename>.</para>
 	</note>
       </sect2>
     </sect1>
 
       <sect1 id="makefile-maintainer">
 	<title><makevar>MAINTAINER</makevar></title>
 
 	<para>Set your mail-address here.  Please.  <!-- smiley
 	  --><emphasis>:-)</emphasis></para>
 
 	<para>Note that only a single address without the comment part is
 	  allowed as a <makevar>MAINTAINER</makevar> value.
 	  The format used should be <literal>user@hostname.domain</literal>.
 	  Please do not include any descriptive text such as your real
 	  name in this entry&mdash;that merely confuses
 	  <filename>bsd.port.mk</filename>.  Instead, put that information
 	  into your <filename>pkg-descr</filename>.</para>
 
 	<para>For a detailed description of the responsibilities of maintainers,
 	  refer to the <ulink url="&url.books.developers-handbook;/policies.html#POLICIES-MAINTAINER">MAINTAINER on
 	    Makefiles</ulink> section.</para>
 
 	<para>If the maintainer of a port does not respond to an update
 	  request from a user after two weeks (excluding major public
 	  holidays), then that is considered a maintainer timeout, and the
 	  update may be made without explicit maintainer approval.  If the
 	  maintainer does not respond within three months, then that
 	  maintainer is considered absent without leave, and can be
 	  replaced as the maintainer of the particular port in question.
 	  Exceptions to this are anything maintained by the &a.portmgr;, or
 	  the &a.security-officer;.  No unauthorized commits may ever be
 	  made to ports maintained by those groups.</para>
 
 	<para>The &a.portmgr; reserves the right to revoke or override
 	  anyone's maintainership for any reason, and the &a.security-officer;
 	  reserves the right to revoke or override maintainership for security
 	  reasons.</para>
       </sect1>
 
       <sect1 id="makefile-comment">
 	<title><makevar>COMMENT</makevar></title>
 
 	<para>This is a one-line description of the port.
 	  <emphasis>Please</emphasis> do not include the package name (or
 	  version number of the software) in the comment.  The comment
 	  should begin with a capital and end without a period.  Here
 	  is an example:</para>
 
 	<programlisting>COMMENT=       A cat chasing a mouse all over the screen</programlisting>
 
 	<para>The COMMENT variable should immediately follow the MAINTAINER
 	  variable in the <filename>Makefile</filename>.</para>
 
 	<para>Please try to keep the COMMENT line less than 70
 	  characters, as it is displayed to users as a one-line
 	  summary of the port.</para>
       </sect1>
 
       <sect1 id="makefile-depend">
 	<title>Dependencies</title>
 
 	<para>Many ports depend on other ports.  There are seven variables that
 	  you can use to ensure that all the required bits will be on the
 	  user's machine.  There are also some pre-supported dependency
 	  variables for common cases, plus a few more to control the behavior
 	  of dependencies.</para>
 
 	<sect2>
 	  <title><makevar>LIB_DEPENDS</makevar></title>
 
 	  <para>This variable specifies the shared libraries this port depends
 	    on.  It is a list of
 	    <replaceable>lib</replaceable>:<replaceable>dir</replaceable><optional><replaceable>:target</replaceable></optional>
 	    tuples where <replaceable>lib</replaceable> is the name of the
 	    shared library, <replaceable>dir</replaceable> is the
 	    directory in which to find it in case it is not available, and
 	    <replaceable>target</replaceable> is the target to call in that
 	    directory.  For example, <programlisting> LIB_DEPENDS=
 	      jpeg.9:${PORTSDIR}/graphics/jpeg:install</programlisting>
 	    will check for a shared jpeg library with major version 9, and
 	    descend into the <filename>graphics/jpeg</filename> subdirectory
 	    of your ports tree to build and install it if it is not found.
 	    The <replaceable>target</replaceable> part can be omitted if it is
 	    equal to <makevar>DEPENDS_TARGET</makevar> (which defaults to
 	    <literal>install</literal>).</para>
 
 	  <note>
 	    <para>The <replaceable>lib</replaceable> part is an argument given
 	      to <command>ldconfig -r | grep -wF</command>.  There shall be no
 	      regular expressions in this variable.</para>
 	  </note>
 
 	  <para>The dependency is checked twice, once from within the
 	    <maketarget>extract</maketarget> target and then from within the
 	    <maketarget>install</maketarget> target.  Also, the name of the
 	    dependency is put into the package so that
 	    &man.pkg.add.1; will automatically install it if it is
 	    not on the user's system.</para>
 	</sect2>
 
 	<sect2>
 	  <title><makevar>RUN_DEPENDS</makevar></title>
 
 	  <para>This variable specifies executables or files this port depends
 	    on during run-time.  It is a list of
 	    <replaceable>path</replaceable>:<replaceable>dir</replaceable><optional><replaceable>:target</replaceable></optional>
 	    tuples where <replaceable>path</replaceable> is the name of the
 	    executable or file, <replaceable>dir</replaceable> is the
 	    directory in which to find it in case it is not available, and
 	    <replaceable>target</replaceable> is the target to call in that
 	    directory.  If <replaceable>path</replaceable> starts with a slash
 	    (<literal>/</literal>), it is treated as a file and its existence
 	    is  tested with <command>test -e</command>; otherwise, it is
 	    assumed to be an executable, and <command>which -s</command> is
 	    used to determine if the program exists in the user's search
 	    path.</para>
 
 	  <para>For example,</para>
 
 	    <programlisting>RUN_DEPENDS=   ${LOCALBASE}/etc/innd:${PORTSDIR}/news/inn \
 	       wish8.0:${PORTSDIR}/x11-toolkits/tk80</programlisting>
 
 	  <para>will check if the file or directory
 	    <filename>/usr/local/etc/innd</filename> exists, and build and
 	    install it from the <filename>news/inn</filename> subdirectory of
 	    the ports tree if it is not found.  It will also see if an
 	    executable called <command>wish8.0</command> is in your search
 	    path, and descend into the <filename>x11-toolkits/tk80</filename>
 	    subdirectory of your ports tree to build and install it if it is
 	    not found.</para>
 
 	  <note>
 	    <para>In this case, <command>innd</command> is actually an
 	      executable; if an executable is in a place that is not expected
 	      to be in a normal user's search path, you should use the full
 	      pathname.</para>
 	  </note>
 
 	  <para>The dependency is checked from within the
 	    <maketarget>install</maketarget> target.  Also, the name of the
 	    dependency is put into the  package so that
 	    &man.pkg.add.1; will automatically install it if it is
 	    not on the user's system.  The <replaceable>target</replaceable>
 	    part can be omitted if it is the same as
 	    <makevar>DEPENDS_TARGET</makevar>.</para>
 	</sect2>
 
 	<sect2>
 	  <title><makevar>BUILD_DEPENDS</makevar></title>
 
 	  <para>This variable specifies executables or files this port
 	    requires to build.  Like <makevar>RUN_DEPENDS</makevar>, it is a
 	    list of
 	    <replaceable>path</replaceable>:<replaceable>dir</replaceable><optional><replaceable>:target</replaceable></optional>
 	    tuples. For example, <programlisting> BUILD_DEPENDS=
 	      unzip:${PORTSDIR}/archivers/unzip</programlisting> will check
 	    for an executable called <command>unzip</command>, and descend
 	    into the <filename>archivers/unzip</filename> subdirectory of your
 	    ports tree to build and install it if it is not found.</para>
 
 	  <note>
 	    <para><quote>build</quote> here means everything from extraction to
 	      compilation.  The dependency is checked from within the
 	      <maketarget>extract</maketarget> target.  The
 	      <replaceable>target</replaceable> part can be omitted if it is
 	      the same as <makevar>DEPENDS_TARGET</makevar></para>
 	  </note>
 	</sect2>
 
 	<sect2>
 	  <title><makevar>FETCH_DEPENDS</makevar></title>
 
 	  <para>This variable specifies executables or files this port
 	    requires to fetch.  Like the previous two, it is a list of
 	    <replaceable>path</replaceable>:<replaceable>dir</replaceable><optional><replaceable>:target</replaceable></optional>
 	    tuples.  For example, <programlisting> FETCH_DEPENDS=
 	      ncftp2:${PORTSDIR}/net/ncftp2</programlisting> will check for an
 	    executable called <command>ncftp2</command>, and descend into the
 	    <filename>net/ncftp2</filename> subdirectory of your ports tree to
 	    build and install it if it is not found.</para>
 
 	  <para>The dependency is checked from within the
 	    <maketarget>fetch</maketarget> target.  The
 	    <replaceable>target</replaceable> part can be omitted if it is the
 	    same as <makevar>DEPENDS_TARGET</makevar>.</para>
 	</sect2>
 
 	<sect2>
 	  <title><makevar>EXTRACT_DEPENDS</makevar></title>
 
 	  <para>This variable specifies executables or files this port
 	    requires for extraction.  Like the previous, it is a list of
 	    <replaceable>path</replaceable>:<replaceable>dir</replaceable><optional><replaceable>:target</replaceable></optional>
 	    tuples.  For example, <programlisting>EXTRACT_DEPENDS=
 	      unzip:${PORTSDIR}/archivers/unzip</programlisting> will check
 	    for an executable called <command>unzip</command>, and descend
 	    into the <filename>archivers/unzip</filename> subdirectory of
 	    your ports tree to build and install it if it is not found.</para>
 
 	  <para>The dependency is checked from within the
 	    <maketarget>extract</maketarget> target.  The
 	    <replaceable>target</replaceable> part can be omitted if it is the
 	    same as <makevar>DEPENDS_TARGET</makevar>.</para>
 
 	  <note>
 	    <para>Use this variable only if the extraction does not already
 	      work (the default assumes <command>gzip</command>) and cannot
 	      be made to work using <makevar>USE_ZIP</makevar> or
 	      <makevar>USE_BZIP2</makevar> described in <xref
 		linkend="use-vars">.</para>
 	  </note>
 	</sect2>
 
 	<sect2>
 	  <title><makevar>PATCH_DEPENDS</makevar></title>
 
 	  <para>This variable specifies executables or files this port
 	    requires to patch.  Like the previous, it is a list of
 	    <replaceable>path</replaceable>:<replaceable>dir</replaceable><optional><replaceable>:target</replaceable></optional>
 	    tuples.  For example, <programlisting> PATCH_DEPENDS=
 	      ${NONEXISTENT}:${PORTSDIR}/java/jfc:extract
 		</programlisting>will descend into the
 	    <filename>java/jfc</filename> subdirectory of your ports tree to
 	    build and install it if it is not found.</para>
 
 	  <para>The dependency is checked from within the
 	    <maketarget>patch</maketarget> target.  The
 	    <replaceable>target</replaceable> part can be omitted if it is the
 	    same as <makevar>DEPENDS_TARGET</makevar>.</para>
 	</sect2>
 
 	<sect2>
 	  <title><makevar>DEPENDS</makevar></title>
 
 	  <para>If there is a dependency that does not fall into either of the
 	    above categories, or your port requires having the source of
 	    the other port extracted in addition to having it installed,
 	    then use this variable.  This is a list of
 	    <replaceable>dir</replaceable><optional><replaceable>:target</replaceable></optional>,
 	    as there is nothing to check, unlike the previous four.  The
 	    <replaceable>target</replaceable> part can be omitted if it is the
 	    same as <makevar>DEPENDS_TARGET</makevar>.</para>
 	</sect2>
 
 	<sect2 id="use-vars">
 	<title><makevar>USE_<replaceable>*</replaceable></makevar></title>
 
 	<para>A number of variables exist in order to encapsulate common
 	  dependencies that many ports have.  Although their use is
 	  optional, they can help to reduce the verbosity of the port
 	  <filename>Makefile</filename>s.  Each of them is styled
 	  as <makevar>USE_<replaceable>*</replaceable></makevar>.  The
 	  usage of these variables is restricted to the port
 	  <filename>Makefile</filename>s and
 	  <filename>ports/Mk/bsd.*.mk</filename> and is not designed
 	  to encapsulate user-settable options &mdash; use
 	  <makevar>WITH_<replaceable>*</replaceable></makevar> and
 	  <makevar>WITHOUT_<replaceable>*</replaceable></makevar>
 	  for that purpose.</para>
 
 	<note>
 	  <para>It is <emphasis>always</emphasis> incorrect to set
 	    any <makevar>USE_<replaceable>*</replaceable></makevar>
 	    in <filename>/etc/make.conf</filename>.  For instance,
 	    setting <programlisting>USE_GCC=3.2</programlisting>
 	    would adds a dependency on gcc32 for every port,
 	    including gcc32 itself!</para>
 	</note>
 
 	<table frame="none">
 	  <title>The <makevar>USE_<replaceable>*</replaceable></makevar>
 	    variables</title>
 
 	  <tgroup cols="2">
 	    <thead>
 	      <row>
 		<entry>Variable</entry>
 
 		<entry>Means</entry>
 	      </row>
 	    </thead>
 
 	    <tbody>
 	      <row>
 		<entry><makevar>USE_BZIP2</makevar></entry>
 
 		<entry>The port's tarballs are compressed with
 		  <command>bzip2</command>.</entry>
 	      </row>
 
 	      <row>
 		<entry><makevar>USE_ZIP</makevar></entry>
 
 		<entry>The port's tarballs are compressed with
 		  <command>zip</command>.</entry>
 	      </row>
 
 	      <row>
 		<entry><makevar>USE_GMAKE</makevar></entry>
 
 		<entry>The port requires <command>gmake</command> to
 		  build.</entry>
 
 	      </row>
 
 	      <row>
 		<entry><makevar>USE_PERL5</makevar></entry>
 
 		<entry>The port requires <literal>perl 5</literal> to build and install.  See
 		  <xref linkend="using-perl"> for additional variables that
 		  can be set relating to <literal>perl</literal>.</entry>
 	      </row>
 
 	      <row>
 		<entry><makevar>USE_X_PREFIX</makevar></entry>
 
 		<entry>The port installs in to <makevar>X11BASE</makevar>
 		  rather than <makevar>PREFIX</makevar>.  See
 		  <xref linkend="using-x11"> for additional variables that
 		  can be set relating to X11.</entry>
 	      </row>
 
 	      <row>
 		<entry><makevar>USE_AUTOMAKE_VER</makevar></entry>
 
 		<entry>The port uses GNU <command>automake</command> as part
 		  of its build process.  See <xref linkend="using-automake">
 		  for additional variables that can be set relating to
 		  <command>automake</command>.</entry>
 	      </row>
 
 	      <row>
 		<entry><makevar>USE_AUTOCONF_VER</makevar></entry>
 
 		<entry>The port uses GNU <command>autoconf</command> as part
 		  of its build process.  See <xref linkend="using-automake">
 		  for additional variables that can be set relating to
 		  <command>autoconf</command>.</entry>
 	      </row>
 
 	      <row>
 		<entry><makevar>USE_LIBTOOL_VER</makevar></entry>
 
 		<entry>The port uses GNU <command>libtool</command> as part of
 		  its build process.  See <xref linkend="using-automake"> for
 		  additional variables that can be set relating to
 		  <command>libtool</command>.</entry>
 	      </row>
 
 	      <row>
 		<entry><makevar>GMAKE</makevar></entry>
 
 		<entry>The full path for <command>gmake</command> if it is not
 		  in the <envar>PATH</envar>.</entry>
 	      </row>
 
 	      <row>
 		<entry><makevar>USE_BISON</makevar></entry>
 
 		<entry>The port uses <command>bison</command> for
 		  building.</entry>
 	      </row>
 
 	      <row>
 		<entry><makevar>USE_SDL</makevar></entry>
 
 		<entry>The port uses <literal>SDL</literal> for
 		  building and running. See <xref linkend="using-sdl"> on how to use
 		  <makevar>USE_SDL</makevar>.</entry>
 	      </row>
 
 	      <row>
 		<entry><makevar>NO_INSTALL_MANPAGES</makevar></entry>
 
 		<entry>Do not use the <maketarget>install.man</maketarget>
 		  target.</entry>
 	      </row>
 	    </tbody>
 	  </tgroup>
 	</table>
 
 	  <para>Define <literal>USE_XLIB=yes</literal> if your port requires
 	    the X Window System to be installed (it is implied by
 	    <makevar>USE_IMAKE</makevar>).  Define
 	    <literal>USE_GMAKE=yes</literal> if your port requires GNU
 	    <command>make</command> instead of BSD <command>make</command>.
 	    Define <literal>USE_AUTOCONF_VER=213</literal> if your port requires
 	    GNU autoconf to be run.  Define <literal>USE_QT_VER=3</literal> if
 	    your port uses the latest Qt toolkit.  Use
 	    <literal>USE_PERL5=yes</literal> if your port requires version 5
 	    of the <literal>perl</literal> language.  (The last is especially important since
 	    some versions of FreeBSD have <literal>perl5</literal> as part of the base system
 	    while others do not.)</para>
 	</sect2>
 
 	<sect2>
 	  <title>Notes on dependencies</title>
 
 	  <para>As mentioned above, the default target to call when a
 	    dependency is required is <maketarget>DEPENDS_TARGET</maketarget>.
 	    It defaults to <literal>install</literal>.  This is a user
 	    variable; it is never defined in a port's
 	    <filename>Makefile</filename>.  If your port needs a special way
 	    to handle a dependency, use the <literal>:target</literal> part of
 	    the <makevar>*_DEPENDS</makevar> variables instead of redefining
 	    <makevar>DEPENDS_TARGET</makevar>.</para>
 
 	  <para>When you type <command>make clean</command>, its dependencies
 	    are automatically cleaned too.  If you do not wish this to happen,
 	    define the variable <makevar>NOCLEANDEPENDS</makevar> in your
 	    environment.  This may be particularly desirable if the port
 	    has something that takes a long time to rebuild in its
 	    dependency list, such as KDE, GNOME or Mozilla.</para>
 
 	  <para>To depend on another port unconditionally, use the
 	    variable <makevar>${NONEXISTENT}</makevar> as the first field
 	    of <makevar>BUILD_DEPENDS</makevar> or
 	    <makevar>RUN_DEPENDS</makevar>.  Use this only when you need to
 	    get the source of the other port.  You can often save
 	    compilation time by specifying the target too.  For
 	    instance
 
 	    <programlisting>BUILD_DEPENDS=   ${NONEXISTENT}:${PORTSDIR}/graphics/jpeg:extract</programlisting>
 
 	    will always descend to the <literal>jpeg</literal> port and extract it.</para>
 
 	  <para>Do not use <makevar>DEPENDS</makevar> unless there is no other
 	    way the behavior you want can be accomplished.  It will cause the
 	    other port to always be built (and installed, by default), and the
 	    dependency will go into the packages as well.  If this is really
 	    what you need, you should probably write it as
 	    <literal>BUILD_DEPENDS</literal> and
 	    <literal>RUN_DEPENDS</literal> instead&mdash;at least the
 	    intention will be clear.</para>
 	</sect2>
 
       <sect2>
 	<title>Circular dependencies are fatal</title>
 
 	<important>
 	  <para>Do not introduce any circular dependencies into the
 	  ports tree!</para>
 	</important>
 
 	<para>The ports building technology does not tolerate
 	  circular dependencies.  If you introduce one, you will have
 	  someone, somewhere in the world, whose FreeBSD installation will
 	  break almost immediately, with many others quickly to follow.
 	  These can really be hard to detect; if in doubt, before
 	  you make that change, make sure you have done the following:
 	  <command>cd /usr/ports; make index</command>.  That process
 	  can be quite slow on older machines, but you may be able to
 	  save a large number of people&mdash;including yourself&mdash;
 	  a lot of grief in the process.</para>
       </sect2>
 
       </sect1>
 
       <sect1 id="makefile-options">
       <title>Makefile Options</title>
 
       <para>Some large applications can be built in a number of
 	configurations, adding functionality if one of a number of
 	libraries or applications is available.  Examples include
 	choice of natural (human) language, GUI versus command-line,
 	or type of database to support.  Since not all users
 	want those libraries or applications, the ports system
 	provides hooks that the port author can use to control which
 	configuration should be built. Supporting these properly will
 	make users happy, and effectively provide 2 or more ports for the
 	price of one.</para>
 
         <sect2>
 	  <title><makevar>WITH_<replaceable>*</replaceable></makevar> and
 	    <makevar>WITHOUT_<replaceable>*</replaceable></makevar></title>
 
 	  <para>These variables are designed to be set by the system
 	    administrator.  There are many that are standardized in
 	    <filename>ports/Mk/bsd.*.mk</filename>; others are not,
 	    which can be confusing.  If you need to add such a
 	    configuration variable, please consider using one of the
 	    ones from the following list.</para>
 
 	  <note>
 	    <para>You should not assume that a
 	      <makevar>WITH_<replaceable>*</replaceable></makevar>
 	      necessarily has a corresponding
 	      <makevar>WITHOUT_<replaceable>*</replaceable></makevar>
 	      variable and vice versa.  In general, the default is
 	      simply assumed.</para>
 	  </note>
 
 	  <note>
 	    <para>Unless otherwise specified, these variables are only
 	      tested for being set or not set, rather than being set to
 	      some kind of variable such as <literal>YES</literal> or
 	      <literal>NO</literal>.</para>
 	  </note>
 
 	  <table frame="none">
 	    <title>The <makevar>WITH_<replaceable>*</replaceable></makevar>
 	      and <makevar>WITHOUT_<replaceable>*</replaceable></makevar>
 	      variables</title>
 
 	    <tgroup cols="2">
 	      <thead>
 	        <row>
 		  <entry>Variable</entry>
 
 		  <entry>Means</entry>
 	        </row>
 	      </thead>
 
 	      <tbody>
 	        <row>
 		  <entry><makevar>WITH_APACHE2</makevar></entry>
 
 		  <entry>If set, use
 		    <filename role="package">www/apache2</filename>
 		    instead of the default of
 		    <filename role="package">www/apache</filename>.</entry>
 	        </row>
 
 	        <row>
 		  <entry><makevar>WITH_BERKELEY_DB</makevar></entry>
 
 		  <entry>Define this variable to specify the ability to
 		    use a variant of the Berkeley database package such as
 		    <filename role="package">databases/db41</filename>.
 		    An associated variable,
 		    <makevar>WITH_BDB_VER</makevar>, may be
 		    set to values such as 2, 3, 4, 41 or 42.</entry>
 	        </row>
 
 	        <row>
 		  <entry><makevar>WITH_MYSQL</makevar></entry>
 
 		  <entry>Define this variable to specify the ability to
 		    use a variant of the MySQL database package such as
 		    <filename role="package">databases/mysql40-server</filename>.
 		    An associated variable, 
 		    <makevar>WANT_MYSQL_VER</makevar>, may be
 		    set to values such as 323, 40, 41, or 50.</entry>
 	        </row>
 
 	        <row>
 		  <entry><makevar>WITHOUT_NLS</makevar></entry>
 
 		  <entry>If set, says that internationalization is not
 		    needed, which can save compile time.  By default,
 		    internalization is used.</entry>
 	        </row>
 
 	        <row>
 		  <entry><makevar>WITH_OPENSSL_BASE</makevar></entry>
 
 		  <entry>Use the version of OpenSSL in the base system.</entry>
 	        </row>
 
 	        <row>
 		  <entry><makevar>WITH_OPENSSL_PORT</makevar></entry>
 
 		  <entry>Use the version of OpenSSL from
 		    <filename role="package">security/openssh</filename>,
 		    overwriting the version that was originally installed
 		    in the base system.</entry>
 	        </row>
 
 	        <row>
 		  <entry><makevar>WITH_POSTGRESQL</makevar></entry>
 
 		  <entry>Define this variable to specify the ability to
 		    use a variant of the PostGreSQL database package such as
 		    <filename role="package">databases/postgresql72</filename>.
 		    </entry>
 	        </row>
 
 	        <row>
 		  <entry><makevar>WITHOUT_X11</makevar></entry>
 
 		  <entry>If the port can be built both with and without
 		    X support, then it should normally be built with
 		    with X support. If this variable is defined, then
 		    then the version that does not have X support should
 		    be built instead.</entry>
 	        </row>
 	      </tbody>
 	    </tgroup>
 	  </table>
 
       </sect2>
     </sect1>
 
     <sect1 id="makefile-wrkdir">
       <title>Specifying the working directory</title>
 
       <para>Each port is extracted in to a working directory, which must be
 	writable.  The ports system defaults to having the
 	<makevar>DISTFILES</makevar> unpack in to a directory called
 	<literal>${DISTNAME}</literal>.  In other words, if you have
 	set:</para>
 
       <programlisting>PORTNAME=      foo
 PORTVERSION=   1.0</programlisting>
 
       <para>then the port's distribution files contain a top-level directory,
 	<filename>foo-1.0</filename>, and the rest of the files are located
 	under that directory.</para>
 
       <para>There are a number of variables you can override if that is not the
 	case.</para>
 
       <sect2>
 	<title><makevar>WRKSRC</makevar></title>
 
 	<para>The variable lists the name of the directory that is created when
 	  the application's distfiles are extracted.  If our previous example
 	  extracted into a directory called <filename>foo</filename> (and not
 	  <filename>foo-1.0</filename>) you would write:</para>
 
 	<programlisting>WRKSRC=      ${WRKDIR}/foo</programlisting>
 
 	<para>or possibly</para>
 
 	<programlisting>WRKSRC=      ${WRKDIR}/${PORTNAME}</programlisting>
       </sect2>
 
       <sect2>
 	<title><makevar>NO_WRKSUBDIR</makevar></title>
 
 	<para>If the port does not extract in to a subdirectory at all then
 	  you should set <makevar>NO_WRKSUBDIR</makevar> to indicate
 	  that.</para>
 
 	<programlisting>NO_WRKSUBDIR= yes</programlisting>
       </sect2>
     </sect1>
 
     <sect1 id="conflicts">
       <title><makevar>CONFLICTS</makevar></title>
 
 	<para>If your package cannot coexist with other packages
 	  (because of file conflicts, runtime incompatibility, etc.),
 	  list the other package names in the <makevar>CONFLICTS</makevar>
 	  variable. You can use shell globs like <literal>*</literal> and
 	  <literal>?</literal> here.  Packages names should be
 	  enumerated the same way they appear in
 	  <filename>/var/db/pkg</filename>.  Please make sure that
 	  <makevar>CONFLICTS</makevar> does not match this port's
 	  package itself, or else forcing its installation with
 	  <makevar>FORCE_PKG_REGISTER</makevar> will no longer work.
        </para>
     </sect1>
 
       <sect1 id="makefile-build">
 	<title>Building mechanisms</title>
 
 	<para>If your package uses GNU <command>make</command>, set
 	  <literal>USE_GMAKE=yes</literal>.  If your package uses
 	  <command>configure</command>, set
 	  <literal>HAS_CONFIGURE=yes</literal>.  If your package uses GNU
 	  <command>configure</command>, set
 	  <literal>GNU_CONFIGURE=yes</literal> (this implies
 	  <literal>HAS_CONFIGURE</literal>).  If you want to give some extra
 	  arguments to <command>configure</command> (the default argument list
 	  <literal>--prefix=&dollar;{PREFIX}</literal> for GNU
 	  <command>configure</command> and empty for non-GNU
 	  <command>configure</command>), set those extra arguments in
 	  <makevar>CONFIGURE_ARGS</makevar>.  If your package uses GNU
 	  <command>autoconf</command>, set
 	  <literal>USE_AUTOCONF_VER=213</literal>.  This implies
 	  <makevar>GNU_CONFIGURE</makevar>, and will cause
 	  <command>autoconf</command> to be run before
 	  <command>configure</command>.</para>
 
 	<note>
 	  <para>If your package uses GNU <command>configure</command>, and
 	    the resulting executable file has a <quote>strange</quote> name
 	    like
 	    <filename>i386-portbld-freebsd4.7-</filename><replaceable>appname</replaceable>,
 	    you will need to additionally override the
 	    <makevar>CONFIGURE_TARGET</makevar> variable to specify the
 	    target in the way required by scripts generated by recent
 	    versions of <command>autoconf</command>.  Add the following line
 	    immediately after the <literal>GNU_CONFIGURE=yes</literal> line
 	    in your <filename>Makefile</filename>:</para>
 
 	  <para>
 	    <literal>CONFIGURE_TARGET=--build=${MACHINE_ARCH}-portbld-freebsd${OSREL}</literal>
 	    </para>
 	</note>
 
 	<para>If your package is an X application that creates
 	  <filename>Makefile</filename>s from <filename>Imakefile</filename>s
 	  using <command>imake</command>, then set
 	  <literal>USE_IMAKE=yes</literal>.  This will cause the configure
 	  stage to automatically do an <command>xmkmf -a</command>.  If the
 	  <option>-a</option> flag is a problem for your port, set
 	  <literal>XMKMF=xmkmf</literal>. If the port uses
 	  <command>imake</command> but does not understand the
 	  <maketarget>install.man</maketarget> target,
 	  <literal>NO_INSTALL_MANPAGES=yes</literal> should be set. In
 	  addition, the author of the original port should be shot. <!--
 	  smiley --><emphasis>:-&gt;</emphasis></para>
 
 	<para>If your port's source <filename>Makefile</filename> has
 	  something else than <maketarget>all</maketarget> as the main build
 	  target, set <makevar>ALL_TARGET</makevar> accordingly.  Same goes
 	  for <maketarget>install</maketarget> and
 	  <makevar>INSTALL_TARGET</makevar>.</para>
       </sect1>
     </chapter>
 
     <chapter id="special">
       <title>Special considerations</title>
 
       <para>There are some more things you have to take into account when you
 	create a port.  This section explains the most common of those.</para>
 
       <sect1 id="porting-shlibs">
 	<title>Shared Libraries</title>
 
 	<para>If your port installs one or more shared libraries, define a
 	  <makevar>INSTALLS_SHLIB</makevar> make variable, which will instruct
 	  a <filename>bsd.port.mk</filename> to run
 	  <literal>&dollar;{LDCONFIG} -m</literal> on the directory where the
 	  new library is installed (usually
 	  <filename><makevar>PREFIX</makevar>/lib</filename>) during
 	  <maketarget>post-install</maketarget> target to register it into the
 	  shared library cache.  This variable, when defined, will also
 	  facilitate addition of an appropriate
 	  <literal>@exec /sbin/ldconfig -m</literal> and
 	  <literal>@unexec /sbin/ldconfig -R</literal> pair into your
 	  <filename>pkg-plist</filename> file, so that a user who installed
 	  the package can start using the shared library immediately and
 	  de-installation will not cause the system to still believe the
 	  library is there.</para>
 
 	<para>If you need, you can override the default location where the new
 	  library is installed by defining the <makevar>LDCONFIG_DIRS</makevar>
 	  make variable, which should contain a list of directories into which
 	  shared libraries are to be installed.  For example if your port
 	  installs shared libraries into
 	  <filename><makevar>PREFIX</makevar>/lib/foo</filename> and
 	  <filename><makevar>PREFIX</makevar>/lib/bar</filename> directories
 	  you could use the following in your
 	  <filename>Makefile</filename>:</para>
 
 	<programlisting>INSTALLS_SHLIB= yes
 LDCONFIG_DIRS=  %%PREFIX%%/lib/foo %%PREFIX%%/lib/bar</programlisting>
 
 	<para>Note that content of <makevar>LDCONFIG_DIRS</makevar> is passed
 	  through &man.sed.1; just like the rest of <filename>pkg-plist</filename>,
 	  so <makevar>PLIST_SUB</makevar> substitutions also apply here.  It is
 	  recommended that you use <literal>%%PREFIX%%</literal> for
 	  <makevar>PREFIX</makevar>, <literal>%%LOCALBASE%%</literal> for
 	  <makevar>LOCALBASE</makevar> and <literal>%%X11BASE%%</literal> for
 	  <makevar>X11BASE</makevar>.</para>
       </sect1>
 
     <sect1 id="porting-restrictions">
       <title>Ports with distribution restrictions</title>
 
       <para>Licenses vary, and some of them place restrictions on how the
 	application can be packaged, whether it can be sold for profit, and so
 	on.</para>
 
       <important>
 	<para>It is your responsibility as a porter to read the licensing
 	  terms of the software and make sure that the FreeBSD project will
 	  not be held accountable for violating them by redistributing the
 	  source or compiled binaries either via FTP/HTTP or CD-ROM.  If in doubt,
 	  please contact the &a.ports;.</para>
       </important>
 
       <para>In situations like this, the variables described in the following
 	sections can be set.</para>
 
       <sect2>
 	<title><makevar>NO_PACKAGE</makevar></title>
 
 	<para>This variable indicates that we may not generate a binary
 	  package of the application.  For instance, the license may
 	  disallow binary redistribution, or it may prohibit distribution
 	  of packages created from patched sources.</para>
 
 	<para>However, the port's <makevar>DISTFILES</makevar> may be
 	  freely mirrored on FTP/HTTP.  They may also be distributed on
 	  a CD-ROM (or similar media) unless <makevar>NO_CDROM</makevar>
 	  is set as well.</para>
 
 	<para><makevar>NO_PACKAGE</makevar> should also be used if the binary
 	  package is not generally useful, and the application should always
 	  be compiled from the source code.  For example, if the application
 	  has configuration information that is site specific hard coded in to
 	  it at compile time, set <makevar>NO_PACKAGE</makevar>.</para>
 
 	<para><makevar>NO_PACKAGE</makevar> should be set to a string
 	  describing the reason why the package should not be
 	  generated.</para>
       </sect2>
 
       <sect2>
 	<title><makevar>NO_CDROM</makevar></title>
 
 	<para>This variable alone indicates that, although we are allowed
 	  to generate binary packages, we may put neither those packages
 	  nor the port's <makevar>DISTFILES</makevar> onto a CD-ROM (or
 	  similar media) for resale.  However, the binary packages and
 	  the port's <makevar>DISTFILES</makevar> will still be available
 	  via FTP/HTTP.</para>
 
 	<para> If this variable is set along with
 	  <makevar>NO_PACKAGE</makevar>, then only the port's
 	  <makevar>DISTFILES</makevar> will be available, and only via
 	  FTP/HTTP.</para>
 
 	<para><makevar>NO_CDROM</makevar> should be set to a string
 	  describing the reason why the port cannot be redistributed
 	  on CD-ROM.  For instance, this should be used if the port's license
 	  is for <quote>non-commercial</quote> use only.</para>
       </sect2>
 
       <sect2>
 	<title><makevar>RESTRICTED</makevar></title>
 
 	<para>Set this variable alone if the application's license permits
 	  neither mirroring the application's <makevar>DISTFILES</makevar>
 	  nor distributing the binary package in any way.</para>
 
 	<para><makevar>NO_CDROM</makevar> or <makevar>NO_PACKAGE</makevar>
 	  should not be set along with <makevar>RESTRICTED</makevar>
 	  since the latter variable implies the former ones.</para>
 
 	<para><makevar>RESTRICTED</makevar> should be set to a string
 	  describing the reason why the port cannot be redistributed.
 	  Typically, this indicates that the port contains proprietary
 	  software and that the user will need to manually download the
 	  <makevar>DISTFILES</makevar>, possibly after registering for the
 	  software or agreeing to accept the terms of an
 	  <acronym>EULA</acronym>.</para>
       </sect2>
 
       <sect2>
 	<title><makevar>RESTRICTED_FILES</makevar></title>
 
 	<para>When <makevar>RESTRICTED</makevar> or <makevar>NO_CDROM</makevar>
 	  is set, this variable defaults to <literal>${DISTFILES}
 	  ${PATCHFILES}</literal>, otherwise it is empty.  If only some of the
 	  distribution files are restricted, then set this variable to list
 	  them.</para>
 
 	<para>Note that the port committer should add an entry to
 	  <filename>/usr/ports/LEGAL</filename> for every listed distribution
 	  file, describing exactly what the restriction entails.</para>
       </sect2>
     </sect1>
 
     <sect1 id="using-perl">
       <title>Using <literal>perl</literal></title>
 
       <table frame="none">
 	<title>Variables for ports that use <literal>perl</literal></title>
 
 	<tgroup cols="2">
 	  <thead>
 	    <row>
 	      <entry>Variable</entry>
 
 	      <entry>Means</entry>
 	    </row>
 	  </thead>
 
 	  <tbody>
 	    <row>
 	      <entry><makevar>USE_PERL5</makevar></entry>
 
 	      <entry>Says that the port uses <literal>perl 5</literal> to build and run.</entry>
 	    </row>
 
 	    <row>
 	      <entry><makevar>USE_PERL5_BUILD</makevar></entry>
 
 	      <entry>Says that the port uses <literal>perl 5</literal> to build.</entry>
 	    </row>
 
 	    <row>
 	      <entry><makevar>USE_PERL5_RUN</makevar></entry>
 
 	      <entry>Says that the port uses <literal>perl 5</literal> to run.</entry>
 	    </row>
 
 	    <row>
 	      <entry><makevar>PERL</makevar></entry>
 
 	      <entry>The full path of <literal>perl 5</literal>, either in the
 		system or installed from a port, but without the version
 		number.  Use this if you need to replace
 		<quote><literal>#!</literal></quote>lines in scripts.</entry>
 	    </row>
 
 	    <row>
 	      <entry><makevar>PERL_CONFIGURE</makevar></entry>
 
 	      <entry>Configure using Perl's MakeMaker.  It implies
 		<makevar>USE_PERL5</makevar>.</entry>
 	    </row>
 	  </tbody>
 	</tgroup>
 
 	<tgroup cols="2">
 	  <thead>
 	    <row>
 	      <entry>Read only variables</entry>
 	    </row>
 	  </thead>
 
 	  <tbody>
 	    <row>
 	      <entry><makevar>PERL_VERSION</makevar></entry>
 
 	      <entry>The full version of <literal>perl</literal> installed (e.g.,
 		<literal>5.00503</literal>).</entry>
 	    </row>
 
 	    <row>
 	      <entry><makevar>PERL_VER</makevar></entry>
 
 	      <entry>The short version of <literal>perl</literal> installed (e.g.,
 		<literal>5.005</literal>).</entry>
 	    </row>
 
 	    <row>
 	      <entry><makevar>PERL_LEVEL</makevar></entry>
 
 	      <entry>The installed <literal>perl</literal> version as an integer of the form <literal>MNNNPP</literal>
 		(e.g., <literal>500503</literal>).</entry>
 	    </row>
 
 	    <row>
 	      <entry><makevar>PERL_ARCH</makevar></entry>
 
 	      <entry>Where <literal>perl</literal> stores architecture dependent libraries.
 		Defaults to <literal>${ARCH}-freebsd</literal>.</entry>
 	    </row>
 
 	    <row>
 	      <entry><makevar>PERL_PORT</makevar></entry>
 
 	      <entry>Name of the <literal>perl</literal> port that is
 		installed (e.g., <literal>perl5</literal>).</entry>
 	    </row>
 
 	    <row>
 	      <entry><makevar>SITE_PERL</makevar></entry>
 
 	      <entry>Directory name where site specific
 		<literal>perl</literal> packages go.
 		This value is added to PLIST_SUB.</entry>
 	    </row>
 	  </tbody>
 	</tgroup>
       </table>
     </sect1>
 
     <sect1 id="using-x11">
       <title>Using X11</title>
 
       <table frame="none">
 	<title>Variables for ports that use X</title>
 
 	<tgroup cols="2">
 	  <tbody>
 	    <row>
 	      <entry><makevar>USE_X_PREFIX</makevar></entry>
 
 	      <entry>The port installs in <makevar>X11BASE</makevar>, not
 		<makevar>PREFIX</makevar>.</entry>
 	    </row>
 
 	    <row>
 	      <entry><makevar>USE_XLIB</makevar></entry>
 
 	      <entry>The port uses the X libraries.</entry>
 	    </row>
 
 	    <row>
 	      <entry><makevar>USE_MOTIF</makevar></entry>
 
 	      <entry>The port uses the Motif toolkit.  Implies
 		<makevar>USE_XPM</makevar>.</entry>
 	    </row>
 
 	    <row>
 	      <entry><makevar>USE_IMAKE</makevar></entry>
 
 	      <entry>The port uses <command>imake</command>.  Implies
 		<makevar>USE_X_PREFIX</makevar>.</entry>
 	    </row>
 
 	    <row>
 	      <entry><makevar>XMKMF</makevar></entry>
 
 	      <entry>Set to the path of <command>xmkmf</command> if not in the
 		<envar>PATH</envar>.  Defaults to <literal>xmkmf
 		  -a</literal>.</entry>
 	    </row>
 	  </tbody>
 	</tgroup>
       </table>
     </sect1>
 
     <sect1 id="using-automake">
       <title>Using <command>automake</command>, <command>autoconf</command>,
 	and <command>libtool</command></title>
 
       <table frame="none">
 	<title>Variables for ports that use automake, autoconf or
 	  libtool</title>
 
 	<tgroup cols="2">
 	  <thead>
 	    <row>
 	      <entry>Variable</entry>
 
 	      <entry>Means</entry>
 	    </row>
 	  </thead>
 
 	  <tbody>
 	    <row>
 	      <entry><makevar>AUTOMAKE</makevar></entry>
 
 	      <entry>The full path for <command>automake</command> if it is
 		not in the <envar>PATH</envar>.</entry>
 	    </row>
 
 	    <row>
 	      <entry><makevar>USE_AUTOMAKE_VER</makevar></entry>
 
 	      <entry>The port uses <command>automake</command>.  Valid values
 		for this variable are <literal>14</literal> and
 		<literal>15</literal>, and sets the
 		<makevar>AUTOMAKE_DIR</makevar> and
 		<makevar>ACLOCAL_DIR</makevar> variables
 		appropriately.</entry>
 	    </row>
 
 	    <row>
 	      <entry><makevar>AUTOMAKE_ARGS</makevar></entry>
 
 	      <entry>One or more command line arguments to pass to
 		<makevar>AUTOMAKE</makevar> if
 		<makevar>USE_AUTOMAKE_VER</makevar> is set.</entry>
 	    </row>
 
 	    <row>
 	      <entry><makevar>AUTOMAKE_ENV</makevar></entry>
 
 	      <entry>One or more environment variables to set (and their
 		values) before running <makevar>AUTOMAKE</makevar>.</entry>
 	    </row>
 
 	    <row>
 	      <entry><makevar>ACLOCAL</makevar></entry>
 
 	      <entry>Set to the path of the GNU <command>aclocal</command> if
 		it is not in the <envar>PATH</envar>.  The default is set
 		according to the <makevar>USE_AUTOMAKE_VER</makevar>
 		variable.</entry>
 	    </row>
 
 	    <row>
 	      <entry><makevar>ACLOCAL_DIR</makevar></entry>
 
 	      <entry>Set to the path of the GNU <command>aclocal</command>
 		shared directory.  The default is set according to the
 		<makevar>USE_AUTOMAKE_VER</makevar> variable.</entry>
 	    </row>
 
 	    <row>
 	      <entry><makevar>AUTOMAKE_DIR</makevar></entry>
 
 	      <entry>Set to the path of the GNU <command>automake</command>
 		shared directory.  The default is set according to the
 		<makevar>USE_AUTOMAKE_VER</makevar> variable.</entry>
 	    </row>
 
 	    <row>
 	      <entry><makevar>USE_AUTOCONF_VER</makevar></entry>
 
 	      <entry>Specifies that the port uses <command>autoconf</command>.
 		Implies <literal>GNU_CONFIGURE</literal>.
 		The default value is 213.</entry>
 	    </row>
 
 	    <row>
 	      <entry><makevar>AUTOCONF</makevar></entry>
 
 	      <entry>Set to the path of GNU <command>autoconf</command> if it
 		is not in the <envar>PATH</envar>.  The default is set
 		according to the <makevar>USE_AUTOCONF_VER</makevar>
 		variable.</entry>
 	    </row>
 
 	    <row>
 	      <entry><makevar>AUTOCONF_ARGS</makevar></entry>
 
 	      <entry>Command line arguments to pass to
 		<command>autoconf</command>.</entry>
 	    </row>
 
 	    <row>
 	      <entry><makevar>AUTOCONF_ENV</makevar></entry>
 
 	      <entry>Set these
 		<literal><replaceable>variable</replaceable>=<replaceable>value</replaceable></literal>
 		pairs in the environment before running
 		<command>autoconf</command>.</entry>
 	    </row>
 
 	    <row>
 	      <entry><makevar>USE_AUTOHEADER_VER</makevar></entry>
 
 	      <entry>Specifies that the port uses <command>autoheader</command>.
 	        Implies <literal>USE_AUTOCONF_VER</literal>.
 		The default value is 213.</entry>
 	    </row>
 
 	    <row>
 	      <entry><makevar>AUTOHEADER</makevar></entry>
 
 	      <entry>Set to the path of GNU <command>autoheader</command> if
 		it is not in the <envar>PATH</envar>.  The default is set
 		according to <makevar>USE_AUTOCONF_VER</makevar>.</entry>
 	    </row>
 
 	    <row>
 	      <entry><makevar>AUTORECONF</makevar></entry>
 
 	      <entry>Set to the path of GNU <command>autoreconf</command> if
 		it is not in the <envar>PATH</envar>.  The default is set
 		according to <makevar>USE_AUTOCONF_VER</makevar>.</entry>
 	    </row>
 
 	    <row>
 	      <entry><makevar>AUTOSCAN</makevar></entry>
 
 	      <entry>Set to the path of GNU <command>autoscan</command> if it
 		is not set in the <envar>PATH</envar>.  The default is set
 		according to <makevar>USE_AUTOCONF_VER</makevar>.</entry>
 	    </row>
 
 	    <row>
 	      <entry><makevar>AUTOIFNAMES</makevar></entry>
 
 	      <entry>Set to the path of GNU <command>autoifnames</command> if
 		it is not set in the <envar>PATH</envar>.  The default is set
 		according to <makevar>USE_AUTOCONF_VER</makevar>.</entry>
 	    </row>
 
 	    <row>
 	      <entry><makevar>USE_LIBTOOL_VER</makevar></entry>
 
 	      <entry>The port uses <command>libtool</command>.  Implies
 		<makevar>GNU_CONFIGURE</makevar>.
 		The default value is 13.</entry>
 	      </row>
 
 	    <row>
 	      <entry><makevar>LIBTOOL</makevar></entry>
 
 	      <entry>Set to the path of <command>libtool</command> if it is
 		not set in the <envar>PATH</envar>.</entry>
 	    </row>
 
 	    <row>
 	      <entry><makevar>LIBTOOLFILES</makevar></entry>
 
 	      <entry>The files to patch for <command>libtool</command>.
 		Defaults to <literal>aclocal.m4</literal> if
 		<makevar>USE_AUTOCONF</makevar> is defined,
 		<literal>configure</literal> otherwise.</entry>
 	    </row>
 
 	    <row>
 	      <entry><makevar>LIBTOOLFLAGS</makevar></entry>
 
 	      <entry>Additional flags to pass to
 		<command>ltconfig</command>.  Defaults to
 		<literal>--disable-ltlibs</literal>.</entry>
 	    </row>
 	  </tbody>
 	</tgroup>
       </table>
     </sect1>
 
     <sect1 id="using-gnome">
       <title>Using GNOME</title>
 
       <para>The FreeBSD/GNOME project uses its own set of variables
 	to define which GNOME components a
 	particular port uses. A
 	<ulink url="http://www.FreeBSD.org/gnome/docs/porting.html">comprehensive
 	list of these variables</ulink> exists within the FreeBSD/GNOME
 	project's homepage.</para>
 
     </sect1>
 
     <sect1 id="using-kde">
       <title>Using KDE</title>
 
       <table frame="none">
 	<title>Variables for ports that use KDE</title>
 
 	<tgroup cols="2">
 	  <tbody>
 	    <row>
 	      <entry><makevar>USE_QT_VER</makevar></entry>
 
 	      <entry>The port uses the Qt toolkit.  Possible values are
 		<literal>1</literal> and
 		<literal>3</literal>;  each specify the major version
 		of Qt to use.  Sets both <makevar>MOC</makevar> and
 		<makevar>QTCPPFLAGS</makevar>to default appropriate
 		values.</entry>
 	    </row>
 
 	    <row>
 	      <entry><makevar>USE_KDELIBS_VER</makevar></entry>
 
 	      <entry>The port uses KDE libraries.  Possible values are
 		<literal>3</literal>;  each specify the major version
 		of KDE to use.  Implies <makevar>USE_QT_VER</makevar>
 		of the appropriate version.</entry>
 	    </row>
 
 	    <row>
 	      <entry><makevar>USE_KDEBASE_VER</makevar></entry>
 
 	      <entry>The port uses KDE base.  Possible values are
 		<literal>3</literal>;  each specify the major version
 		of KDE to use.  Implies <makevar>USE_KDELIBS_VER</makevar>
 		of the appropriate version.</entry>
 	    </row>
 
 	    <row>
 	      <entry><makevar>MOC</makevar></entry>
 
 	      <entry>Set to the path of <command>moc</command>.
 		Default set according to <makevar>USE_QT_VER</makevar>
 		value.</entry>
 	    </row>
 
 	    <row>
 	      <entry><makevar>QTCPPFLAGS</makevar></entry>
 
 	      <entry>Set the <makevar>CPPFLAGS</makevar> to use when
 		processing Qt code.  Default set according to
 		<makevar>USE_QT_VER</makevar> value.</entry>
 	    </row>
 	  </tbody>
 	</tgroup>
       </table>
 
     </sect1>
 
     <sect1 id="using-bison">
       <title>Using Bison</title>
 
       <para>This section is yet to be written.</para>
     </sect1>
 
     <sect1 id="using-java">
       <title>Using Java</title>
 
       <sect2 id="java-variables">
 	<title>Variable definitions</title>
 
       <para>If your port needs a Java&trade; Development Kit (JDK) to
 	either build, run or even extract the distfile, then it should
 	define <makevar>USE_JAVA</makevar>.</para>
 
       <para>There are several JDKs in the ports collection, from various
 	vendors, and in several versions.  If your port must use one of
 	these versions, you can define which one.  The most current
 	version is <filename role="package">java/jdk14</filename>.</para>
 
       <table frame="none">
 	<title>Variables that may be set by ports that use Java</title>
 
 	<tgroup cols="2">
 	  <thead>
 	    <row>
 	      <entry>Variable</entry>
 	      <entry>Means</entry>
 	    </row>
 	  </thead>
 	  <tbody>
 	    <row>
 	      <entry><makevar>USE_JAVA</makevar></entry>
 	      <entry>Should be defined for the remaining variables to have any
 		effect.</entry>
 	    </row>
 	    <row>
 	      <entry><makevar>JAVA_VERSION</makevar></entry>
 	      <entry>List of space-separated suitable Java versions for
 		the port.  An optional <literal>"+"</literal> allows you to
 		specify a range of versions (allowed values:
 		<literal>1.1[+] 1.2[+] 1.3[+] 1.4[+]</literal>).</entry>
 	    </row>
 	    <row>
 	      <entry><makevar>JAVA_OS</makevar></entry>
 	      <entry>List of space-separated suitable JDK port operating
 		systems for the port (allowed values: <literal>native
 		linux</literal>).</entry>
 	    </row>
 	    <row>
 	      <entry><makevar>JAVA_VENDOR</makevar></entry>
 	      <entry>List of space-separated suitable JDK port vendors for
 		the port (allowed values: <literal>freebsd bsdjava sun ibm
 		blackdown</literal>).</entry>
 	    </row>
 	    <row>
 	      <entry><makevar>JAVA_BUILD</makevar></entry>
 	      <entry>When set, it means that the selected JDK port should
 		be added to the build dependencies of the port.</entry>
 	    </row>
 	    <row>
 	      <entry><makevar>JAVA_RUN</makevar></entry>
 	      <entry>When set, it means that the selected JDK port should
 		be added to the run dependencies of the port.</entry>
 	    </row>
 	    <row>
 	      <entry><makevar>JAVA_EXTRACT</makevar></entry>
 	      <entry>When set, it means that the selected JDK port should
 		be added to the extract dependencies of the port.</entry>
 	    </row>
 	    <row>
 	      <entry><makevar>USE_JIKES</makevar></entry>
 	      <entry>Whether the port should or should not use the
 		<command>jikes</command> bytecode compiler to build. When
 		no value is set for this variable, the port will use
 		<command>jikes</command> to build if available. You may
 		also explicitely forbid or enforce the use of
 		<command>jikes</command> (by setting <literal>'no'</literal>
 		or <literal>'yes'</literal>). In the later case, <filename
 		role="package">devel/jikes</filename> will be added to build
 		dependencies of the port.</entry>
 	    </row>
 	  </tbody>
 	</tgroup>
       </table>
 
       <para>Below is the list of all settings a port will receive after
 	setting <makevar>USE_JAVA</makevar>:</para>
 
       <table frame="none">
 	<title>Variables provided to ports that use Java</title>
 
 	<tgroup cols="2">
 	  <thead>
 	    <row>
 	      <entry>Variable</entry>
 	      <entry>Value</entry>
 	    </row>
 	  </thead>
 	  <tbody>
 	    <row>
 	      <entry><makevar>JAVA_PORT</makevar></entry>
 	      <entry>The name of the JDK port (e.g.
 		<literal>'java/jdk14'</literal>).</entry>
 	    </row>
 	    <row>
 	      <entry><makevar>JAVA_PORT_VERSION</makevar></entry>
 	      <entry>The full version of the JDK port (e.g.
 		<literal>'1.4.2'</literal>). If you only need the first
 		two digits of this version number, use
 		<makevar>${JAVA_PORT_VERSION:C/^([0-9])\.([0-9])(.*)$/\1.\2/}</makevar>.</entry>
 	    </row>
 	    <row>
 	      <entry><makevar>JAVA_PORT_OS</makevar></entry>
 	      <entry>The operating system used by the JDK port (e.g.
 		<literal>'linux'</literal>).</entry>
 	    </row>
 	    <row>
 	      <entry><makevar>JAVA_PORT_VENDOR</makevar></entry>
 	      <entry>The vendor of the JDK port (e.g.
 		<literal>'sun'</literal>).</entry>
 	    </row>
 	    <row>
 	      <entry><makevar>JAVA_PORT_OS_DESCRIPTION</makevar></entry>
 	      <entry>Description of the operating system used by the JDK port
 		(e.g. <literal>'Linux'</literal>).</entry>
 	    </row>
 	    <row>
 	      <entry><makevar>JAVA_PORT_VENDOR_DESCRIPTION</makevar></entry>
 	      <entry>Description of the vendor of the JDK port (e.g.
 		<literal>'FreeBSD Foundation'</literal>).</entry>
 	    </row>
 	    <row>
 	      <entry><makevar>JAVA_HOME</makevar></entry>
 	      <entry>Path to the installation directory of the JDK (e.g.
 		<filename>'/usr/local/jdk1.3.1'</filename>).</entry>
 	    </row>
 	    <row>
 	      <entry><makevar>JAVAC</makevar></entry>
 	      <entry>Path to the Java compiler to use (e.g.
 		<filename>'/usr/local/jdk1.1.8/bin/javac'</filename> or
 		<filename>'/usr/local/bin/jikes'</filename>).</entry>
 	    </row>
 	    <row>
 	      <entry><makevar>JAR</makevar></entry>
 	      <entry>Path to the <command>jar</command> tool to use (e.g.
 		<filename>'/usr/local/jdk1.2.2/bin/jar'</filename> or
 		<filename>'/usr/local/bin/fastjar'</filename>).</entry>
 	    </row>
 	    <row>
 	      <entry><makevar>APPLETVIEWER</makevar></entry>
 	      <entry>Path to the <command>appletviewer</command> utility (e.g.
 		<filename>'/usr/local/linux-jdk1.2.2/bin/appletviewer'</filename>).</entry>
 	    </row>
 	    <row>
 	      <entry><makevar>JAVA</makevar></entry>
 	      <entry>Path to the <command>java</command> executable. Use
 		this for executing Java programs (e.g.
 		<filename>'/usr/local/jdk1.3.1/bin/java'</filename>).</entry>
 	    </row>
 	    <row>
 	      <entry><makevar>JAVADOC</makevar></entry>
 	      <entry>Path to the <command>javadoc</command> utility
 		program.</entry>
 	    </row>
 	    <row>
 	      <entry><makevar>JAVAH</makevar></entry>
 	      <entry>Path to the <command>javah</command> program.</entry>
 	    </row>
 	    <row>
 	      <entry><makevar>JAVAP</makevar></entry>
 	      <entry>Path to the <command>javap</command> program.</entry>
 	    </row>
 	    <row>
 	      <entry><makevar>JAVA_KEYTOOL</makevar></entry>
 	      <entry>Path to the <command>keytool</command> utility program.
 		This variable is availble only if the JDK is Java 1.2 or
 		higher.</entry>
 	    </row>
 	    <row>
 	      <entry><makevar>JAVA_N2A</makevar></entry>
 	      <entry>Path to the <command>native2ascii</command> tool.</entry>
 	    </row>
 	    <row>
 	      <entry><makevar>JAVA_POLICYTOOL</makevar></entry>
 	      <entry>Path to the <command>policytool</command> program.
 		This variable is available only if the JDK is Java 1.2 or
 		higher.</entry>
 	    </row>
 	    <row>
 	      <entry><makevar>JAVA_SERIALVER</makevar></entry>
 	      <entry>Path to the <command>serialver</command> utility
 		program.</entry>
 	    </row>
 	    <row>
 	      <entry><makevar>RMIC</makevar></entry>
 	      <entry>Path to the RMI stub/skeleton generator,
 		<command>rmic</command>.</entry>
 	    </row>
 	    <row>
 	      <entry><makevar>RMIREGISTRY</makevar></entry>
 	      <entry>Path to the RMI registry program,
 		<command>rmiregistry</command>.</entry>
 	    </row>
 	    <row>
 	      <entry><makevar>RMID</makevar></entry>
 	      <entry>Path to the RMI daemon program <command>rmid</command>.
 		This variable is only available if the JDK is Java 1.2
 		or higher.</entry>
 	    </row>
 	    <row>
 	      <entry><makevar>JAVA_CLASSES</makevar></entry>
 	      <entry>Path to the archive that contains the JDK class
 		files. On JDK 1.2 or later, this is
 		<filename>${JAVA_HOME}/jre/lib/rt.jar</filename>.  Earlier
 		JDKs used
 		<filename>${JAVA_HOME}/lib/classes.zip</filename>.</entry>
 	    </row>
 	  </tbody>
 	</tgroup>
       </table>
 
       <para>You may use the <literal>java-debug</literal> make target
 	to get information for debugging your port. It will display the
 	value of many of the forecited variables.</para>
 
       <para>Additionally, the following constants are defined so all
 	Java ports may be installed in a consistent way:</para>
 
       <table frame="none">
 	<title>Constants defined for ports that use Java</title>
 
 	<tgroup cols="2">
 	  <thead>
 	    <row>
 	      <entry>Constant</entry>
 	      <entry>Value</entry>
 	    </row>
 	  </thead>
 	  <tbody>
 	    <row>
 	      <entry><makevar>JAVASHAREDIR</makevar></entry>
 	      <entry>The base directory for everything related to Java.
 		Default: <filename>${PREFIX}/share/java</filename>.
 	      </entry>
 	    </row>
 	    <row>
 	      <entry><makevar>JAVAJARDIR</makevar></entry>
 	      <entry>The directory where JAR files should be installed.
 		Default:
 		<filename>${JAVASHAREDIR}/classes</filename>.</entry>
 	    </row>
 	  </tbody>
 	</tgroup>
       </table>
 
       </sect2>
 
       <sect2 id="java-best-practices">
 	<title>Best practices</title>
 
 	<para>When porting a Java library, your port should install the
 	  JAR file(s) in <filename>${JAVAJARDIR}</filename>, and everything
 	  else under <filename>${JAVASHAREDIR}/${PORTNAME}</filename>
 	  (except for the documentation, see below). In order to reduce
 	  the packing file size, you may reference the JAR file(s) directly
 	  in the <filename>Makefile</filename>. Just use the following
 	  statement (where <filename>myport.jar</filename> is the name
 	  of the JAR file installed as part of the port):</para>
 
 	<programlisting>PLIST_FILES+= ${JAVAJARDIR:S,^${PREFIX}/,,}/myport.jar</programlisting>
 
 	<para>When porting a Java application, the port usually installs
 	  everything under a single directory (including its JAR
 	  dependencies).  The use of
 	  <filename>${JAVASHAREDIR}/${PORTNAME}</filename> is strongly
 	  encouraged in this regard.  It is up the porter to decide
 	  whether the port should install the additional JAR dependencies
 	  under this directory or directly use the already installed ones
 	  (from <filename>${JAVAJARDIR}</filename>).</para>
 
 	<para>Regardless of the type of your port (library or application),
 	  the additional documentation should be installed in the
 	  <link linkend="dads-documentation">same location</link> as for
 	  any other port.  The JavaDoc tool is known to produce a
 	  different set of files depending on the version of the JDK that
 	  is used. For ports that do not enforce the use of a particular
 	  JDK, it is therefore a complex task to specify the packing list
 	  (<filename>pkg-plist</filename>).  This is one reason why
 	  porters are strongly encouraged to use the
 	  <makevar>PORTDOCS</makevar> macro.  Moreover, even if you can
 	  predict the set of files that will be generated by
 	  <command>javadoc</command>, the size of the resulting
 	  <filename>pkg-plist</filename> advocates for the use of
 	  <makevar>PORTDOCS</makevar>.</para>
 
 	<para>The default value for <makevar>DATADIR</makevar> is
 	  <filename>${PREFIX}/share/${PORTNAME}</filename>.  It is a good
 	  idea to override <makevar>DATADIR</makevar> to
 	  <filename>${JAVASHAREDIR}/${PORTNAME}</filename> for Java ports.
 	  Indeed, <makevar>DATADIR</makevar> is automatically addded to
 	  <makevar>PLIST_SUB</makevar> (documented <link
 	  linkend="porting-plist">here</link>) so you may use
 	  <literal>%%DATADIR%%</literal> directly in
 	  <filename>pkg-plist</filename>.</para>
 
 	<para>As for the choice of building Java ports from source or
 	  directly installing them from a binary distribution, there is
 	  no defined policy at the time of writing.  However, people from
 	  the <ulink
 	  url="http://www.freebsd.org/java/">&os; Java Project</ulink>
 	  encourage porters to have their ports built from source whenever
 	  it is a trivial task.</para>
 
 	<para>All the features that have been presented in this section
 	  are implemented in <filename>bsd.java.mk</filename>. If you
 	  ever think that your port needs more sophisticated Java support,
 	  please first have a look at the <ulink
 	  url="http://www.freebsd.org/cgi/cvsweb.cgi/ports/Mk/bsd.java.mk">
 	  bsd.java.mk CVS log</ulink> as it usually takes some time to
 	  document the latest features.  Then, if you think the support
 	  you are lacking would be beneficial to many other Java ports,
 	  feel free to discuss it on the &a.java;.</para>
 
 	<para>Although there is a <literal>java</literal> category for
 	  PRs, it refers to the JDK porting effort from the &os; Java
 	  project.  Therefore, you should submit your Java port in the
 	  <literal>ports</literal> category as for any other port, unless
 	  the issue you are trying to resolve is related to either a JDK
 	  implementation or <filename>bsd.java.mk</filename>.</para>
 
       </sect2>
 
     </sect1>
 
     <sect1 id="using-python">
       <title>Using Python</title>
 
       <para>This section is yet to be written.</para>
     </sect1>
 
     <sect1 id="using-emacs">
       <title>Using Emacs</title>
 
       <para>This section is yet to be written.</para>
     </sect1>
 
     <sect1 id="using-ruby">
       <title>Using Ruby</title>
 
       <para>This section is yet to be written.</para>
     </sect1>
 
     <sect1 id="using-sdl">
       <title>Using SDL</title>
 
       <para>The <makevar>USE_SDL</makevar> variable is used to autoconfigure
 	the dependencies for ports which use an SDL based library like
 	<filename role="package">devel/sdl12</filename> and
 	<filename role="package">x11-toolkits/sdl_gui</filename>.</para>
 
       <para>The following SDL libraries are recognized at the moment:</para>
 
       <itemizedlist>
 	<listitem>
 	  <para>sdl: <filename role="package">devel/sdl12</filename></para>
 	</listitem>
 
 	<listitem>
 	  <para>gfx: <filename role="package">graphics/sdl_gfx</filename></para>
 	</listitem>
 
 	<listitem>
 	  <para>gui: <filename role="package">x11-toolkits/sdl_gui</filename></para>
 	</listitem>
 
 	<listitem>
 	  <para>image: <filename role="package">graphics/sdl_image</filename></para>
 	</listitem>
 
 	<listitem>
 	  <para>ldbad: <filename role="package">devel/sdl_ldbad</filename></para>
 	</listitem>
 
 	<listitem>
 	  <para>mixer: <filename role="package">audio/sdl_mixer</filename></para>
 	</listitem>
 
 	<listitem>
 	  <para>mm: <filename role="package">devel/sdlmm</filename></para>
 	</listitem>
 
 	<listitem>
 	  <para>net: <filename role="package">net/sdl_net</filename></para>
 	</listitem>
 
 	<listitem>
 	  <para>sound: <filename role="package">audio/sdl_sound</filename></para>
 	</listitem>
 
 	<listitem>
 	  <para>ttf: <filename role="package">graphics/sdl_ttf</filename></para>
 	</listitem>
       </itemizedlist>
 
       <para>Therefore, if a port has a dependency on
 	<filename role="package">net/sdl_net</filename> and
 	<filename role="package">audio/sdl_mixer</filename>,
 	the syntax will be:</para>
 
       <programlisting>USE_SDL=        net mixer</programlisting>
 
       <para>The dependency <filename role="package">devel/sdl12</filename>,
 	which is required by <filename role="package">net/sdl_net</filename> and
 	<filename role="package">audio/sdl_mixer</filename>, is automatically
 	added as well.</para>
 
       <para>If you use <makevar>USE_SDL</makevar>, it will automatically:</para>
 
       <itemizedlist>
 	<listitem>
 	  <para>Add a dependency on <application>sdl12-config</application> to
 	    <makevar>BUILD_DEPENDS</makevar></para>
 	</listitem>
 
 	<listitem>
 	  <para>Add the variable <makevar>SDL_CONFIG</makevar> to
 	    <makevar>CONFIGURE_ENV</makevar></para>
 	</listitem>
 
 	<listitem>
 	  <para>Add the dependencies of the selected libraries to the
 	    <makevar>LIB_DEPENDS</makevar></para>
 	</listitem>
       </itemizedlist>
 
       <para>To check whether an SDL library is available, you can do it
 	with the <makevar>WANT_SDL</makevar> variable:</para>
 
       <programlisting>WANT_SDL=yes
 
 .include &lt;bsd.port.pre.mk&gt;
 
 .if ${HAVE_SDL:Mmixer}!=""
 USE_SDL+=   mixer
 .endif
 
 .include &lt;bsd.port.post.mk&gt;</programlisting>
 
     </sect1>
   </chapter>
 
 <!--
 
     <chapter>
       <title>ELF support</title>
 
       <para>Since FreeBSD changed to an ELF binary format shortly after
 	3.0-RELEASE, we need to convert many ports that build shared
 	libraries to support ELF.  Complicating this task is that a 3.0
 	system can run as both ELF and a.out, and we wish to unofficially
 	support the 2.2 branch as long as possible.  Below are the guidelines on
 	how to convert a.out only ports to support both a.out and ELF
 	compilation.</para>
 
       <para>Some part of this list is only applicable during the conversion,
 	but will be left here for a while for reference in case you have come
 	across some old port you wish to upgrade.</para>
 
       <sect1>
 	<title>Moving a.out libraries out of the way</title>
 
 	<para>Any a.out libraries should be moved out of
 	  <filename>/usr/local/lib</filename> and similar to an
 	  <filename>aout</filename> subdirectory.  (If you do not move them out
 	  of the way, ELF ports will happily overwrite a.out libraries.) The
 	  <maketarget>move-aout-libs</maketarget> target in the 3.0-CURRENT
 	  <filename>src/Makefile</filename> (called from
 	  <maketarget>aout-to-elf</maketarget>) will do this for you.  It will
 	  only move a.out libs so it is safe to call it on a system with both
 	  ELF and a.out libs in the standard directories.</para>
       </sect1>
 
       <sect1>
 	<title>Format</title>
 
 	<para>The ports tree will build packages in the format the machine is
 	  in.  This means a.out for 2.2 and a.out or ELF for 3.0 depending on
 	  what <command>`objformat`</command> returns.  Also, once users move
 	  a.out libraries to a subdirectory, building a.out libraries will be
 	  unsupported.  (I.e., it may still work if you know what you are
 	  doing, but you are on your own.)</para>
 
 	<note>
 	  <para>If a port only works for a.out, set
 	    <makevar>BROKEN_ELF</makevar> to a string describing the reason
 	    why.  Such ports will be skipped during a build on an ELF
 	    system.</para>
 	</note>
       </sect1>
 
       <sect1>
 	<title><makevar>PORTOBJFORMAT</makevar></title>
 
 	<para><filename>bsd.port.mk</filename> will set
 	  <makevar>PORTOBJFORMAT</makevar> to <literal>aout</literal> or
 	  <literal>elf</literal> and export it in the environments
 	  <envar>CONFIGURE_ENV</envar>, <envar>SCRIPTS_ENV</envar> and
 	  <envar>MAKE_ENV</envar>.  (It is always going to be
 	  <literal>aout</literal> in 2.2-STABLE).  It is also passed to
 	  <maketarget>PLIST_SUB</maketarget> as
 	  <literal>PORTOBJFORMAT=${PORTOBJFORMAT}</literal>.  (See comment on
 	  <literal>ldconfig</literal> lines below.)</para>
 
 	<para>The variable is set using this line in
 	  <filename>bsd.port.mk</filename>:</para>
 
 	<programlisting>PORTOBJFORMAT!= test -x /usr/bin/objformat && /usr/bin/objformat || echo aout</programlisting>
 
 	<para>Ports' make processes should use this variable to decide what to
 	  do.  However, if the port's <filename>configure</filename> script
 	  already automatically detects an ELF system, it is not necessary to
 	  refer to <makevar>PORTOBJFORMAT</makevar>.</para>
       </sect1>
 
       <sect1>
 	<title>Building shared libraries</title>
 
 	<para>The following are differences in handling shared libraries for
 	  a.out and ELF.</para>
 
 	<itemizedlist>
 	  <listitem>
 	    <para>Shared library versions</para>
 
 	    <para>An ELF shared library should be called
 	      <filename>libfoo.so.<replaceable>M</replaceable></filename>
 	      where <replaceable>M</replaceable> is the single version number,
 	      and an a.out library should be called
 	      <filename>libfoo.so.<replaceable>M</replaceable>.<replaceable>N</replaceable></filename>
 	      where <replaceable>M</replaceable> is the major version and
 	      <replaceable>N</replaceable> is the minor version number.
 	      Do not mix those; <emphasis>never</emphasis> install an ELF
 	      shared library called
 	      <filename>libfoo.so.<replaceable>N</replaceable>.<replaceable>M</replaceable></filename>
 	      or an a.out shared library (or symlink) called
 	      <filename>libfoo.so.<replaceable>N</replaceable></filename>.</para>
 	  </listitem>
 
 	  <listitem>
 	    <para>Linker command lines</para>
 
 	    <para>Assuming <command>cc -shared</command> is used rather than
 	      <command>ld</command> directly, the only difference is that you
 	      need to add
 	      <option>-Wl,-<replaceable>soname,libfoo.so.M</replaceable></option>
 	      on the command line for ELF.</para>
 	    </listitem>
 	</itemizedlist>
 
 	<para>You need to install a symlink from
 	  <filename>libfoo.so</filename> to
 	  <filename>libfoo.so.<replaceable>N</replaceable></filename> to make
 	  ELF linkers happy.  Since it should be listed in
 	  <filename>pkg-plist</filename> too, and it won't hurt in the a.out case
 	  (some ports even require the link for dynamic loading), you should
 	  just make this link regardless of the setting of
 	  <makevar>PORTOBJFORMAT</makevar>.</para>
       </sect1>
 
       <sect1>
 	<title><makevar>LIB_DEPENDS</makevar></title>
 
 	<para>All port <filename>Makefile</filename>s are edited to remove minor numbers from
 	  <makevar>LIB_DEPENDS</makevar>, and also to have the regexp support
 	  removed.  (E.g., <literal>foo\\.1\\.\\(33|40\\)</literal> becomes
 	  <literal>foo.2</literal>.)  They will be matched using <command>grep
 	    -wF</command>.</para>
       </sect1>
 
       <sect1>
 	<title><filename>pkg-plist</filename></title>
 
 	<para><filename>pkg-plist</filename> should contain the short (ELF) shlib
 	  names if the a.out minor number is zero, and the long (a.out) names
 	  otherwise.  <filename>bsd.port.mk</filename> will automatically add
 	  <literal>.0</literal> to the end of short shlib lines if
 	  <makevar>PORTOBJFORMAT</makevar> equals <literal>aout</literal>, and
 	  will delete the minor number from long shlib names if
 	  <makevar>PORTOBJFORMAT</makevar> equals
 	  <literal>elf</literal>.</para>
 
 	<para>In cases where you really need to install shlibs with two
 	  versions on an ELF system or those with one version on an a.out
 	  system (for instance, ports that install compatibility libraries for
 	  other operating systems), define the variable
 	  <makevar>NO_FILTER_SHLIBS</makevar>.  This will turn off the editing
 	  of <filename>pkg-plist</filename> mentioned in the previous
 	  paragraph.</para>
       </sect1>
 
       <sect1>
 	<title><literal>ldconfig</literal></title>
 
 	<para>The <literal>ldconfig</literal> line in <filename>Makefile</filename>s should
 	  read:</para>
 
 	<programlisting>${SETENV} OBJFORMAT=${PORTOBJFORMAT} ${LDCONFIG} -m ....</programlisting>
 
 	<para>In <filename>pkg-plist</filename> it should read;</para>
 
 	<programlisting>@exec /usr/bin/env OBJFORMAT=%%PORTOBJFORMAT%% /sbin/ldconfig -m ...
 @unexec /usr/bin/env OBJFORMAT=%%PORTOBJFORMAT%% /sbin/ldconfig -R</programlisting>
 
 	<para>This is to ensure that the correct <command>ldconfig</command>
 	  will be called depending on the format of the package, not the
 	  default format of the system.</para>
       </sect1>
     </chapter>
 
 -->
 
     <chapter id="porting-masterdir">
       <title><makevar>MASTERDIR</makevar></title>
 
       <para>If your port needs to build slightly different versions of
 	packages by having a variable (for instance, resolution, or paper
 	size) take different values, create one subdirectory per package to
 	make it easier for users to see what to do, but try to share as many
 	files as possible between ports.  Typically you only need a very short
 	<filename>Makefile</filename> in all but one of the directories if you
 	use variables cleverly.  In the sole <filename>Makefile</filename>,
 	you can use <makevar>MASTERDIR</makevar> to specify the directory
 	where the rest of the files are.  Also, use a variable as part of
 	<link linkend="porting-pkgname"><makevar>PKGNAMESUFFIX</makevar></link> so
 	the packages will have different names.</para>
 
       <para>This will be best demonstrated by an example.  This is part of
 	<filename>japanese/xdvi300/Makefile</filename>;</para>
 
       <programlisting>PORTNAME=       xdvi
 PORTVERSION=    17
 PKGNAMEPREFIX=  ja-
 PKGNAMESUFFIX=  ${RESOLUTION}
  :
 # default
 RESOLUTION?=   300
 .if ${RESOLUTION} != 118 && ${RESOLUTION} != 240 && \
        ${RESOLUTION} != 300 && ${RESOLUTION} != 400
        @${ECHO} "Error: invalid value for RESOLUTION: \"${RESOLUTION}\""
        @${ECHO} "Possible values are: 118, 240, 300 (default) and 400."
        @${FALSE}
 .endif</programlisting>
 
       <para><filename role="package">japanese/xdvi300</filename> also has all the regular
 	patches, package files, etc.  If you type <command>make</command>
 	there, it will take the default value for the resolution (300) and
 	build the port normally.</para>
 
       <para>As for other resolutions, this is the <emphasis>entire</emphasis>
 	<filename>xdvi118/Makefile</filename>:</para>
 
       <programlisting>RESOLUTION=     118
 MASTERDIR=      ${.CURDIR}/../xdvi300
 
 .include "${MASTERDIR}/Makefile"</programlisting>
 
       <para>(<filename>xdvi240/Makefile</filename> and
 	<filename>xdvi400/Makefile</filename> are similar).  The
 	<makevar>MASTERDIR</makevar> definition tells
 	<filename>bsd.port.mk</filename> that the regular set of
 	subdirectories like <makevar>FILESDIR</makevar> and
 	<makevar>SCRIPTDIR</makevar> are to be found under
 	<filename>xdvi300</filename>.  The <literal>RESOLUTION=118</literal>
 	line will override the <literal>RESOLUTION=300</literal> line in
 	<filename>xdvi300/Makefile</filename> and the port will be built with
 	resolution set to 118.</para>
     </chapter>
 
     <chapter id="shared">
       <title>Shared library versions</title>
 
       <para>Please read our <ulink url="&url.books.developers-handbook;/policies-shlib.html">policy on
 	shared library versioning</ulink> to understand what to do with
 	shared library versions in general.  Do not blindly assume software
 	authors know what they are doing; many of them do not.  It is very
 	important that these details are carefully considered, as we have
 	quite a unique situation where we are trying to have dozens of
 	potentially incompatible software pairs co-exist. Careless port
 	imports have caused great trouble regarding shared libraries in the
 	past (ever wondered why the port <filename>jpeg-6b</filename> has a
 	shared library version of 9?). If in doubt, send a message to the
 	&a.ports;.  Most of the time, your job ends by determining the right
 	shared library version and making appropriate patches to implement
 	it.</para>
 
 <!--
       <para>However, if there is a port which is a different version of the
 	same software already in the tree, the situation is much more complex.
 	In short, the FreeBSD implementation does not allow the user to
 	specify to the linker which version of shared library to link against
 	(the linker will always pick the highest numbered version).  This
 	means, if there is a <filename>libfoo.so.3.2</filename> and
 	<filename>libfoo.so.4.0</filename> in the system, there is no way to
 	tell the linker to link a particular application to
 	<filename>libfoo.so.3.2</filename>.  It is essentially completely
 	overshadowed in terms of compilation-time linkage.  In this case, the
 	only solution  is to rename the <emphasis>base</emphasis> part of the
 	shared library.  For instance, change
 	<filename>libfoo.so.4.0</filename> to
 	<filename>libfoo4.so.1.0</filename> so both version 3.2 and 4.0 can be
 	linked from other ports.</para>
 -->
     </chapter>
 
     <chapter id="porting-manpages">
       <title>Manpages</title>
 
       <para>The <makevar>MAN[1-9LN]</makevar> variables will automatically add
 	any manpages to <filename>pkg-plist</filename> (this means you must
 	<emphasis>not</emphasis> list manpages in the
 	<filename>pkg-plist</filename>&mdash;see <link
 	  linkend="porting-plist">generating PLIST</link> for more).  It also
 	makes the install stage automatically compress or uncompress manpages
 	depending on the setting of <makevar>NOMANCOMPRESS</makevar> in
 	<filename>/etc/make.conf</filename>.</para>
 
       <para>If your port tries to install multiple names for manpages using
 	symlinks or hardlinks, you must use the <makevar>MLINKS</makevar>
 	variable to identify these.  The link installed by your port will
 	be destroyed and recreated by <filename>bsd.port.mk</filename>
 	to make sure it points to the correct file.  Any manpages
 	listed in MLINKS must not be listed in the
 	<filename>pkg-plist</filename>.</para>
 
       <para>To specify whether the manpages are compressed upon installation,
 	use the <makevar>MANCOMPRESSED</makevar> variable. This variable can
 	take three values, <literal>yes</literal>, <literal>no</literal> and
 	<literal>maybe</literal>. <literal>yes</literal> means manpages are
 	already installed compressed, <literal>no</literal> means they are
 	not, and <literal>maybe</literal> means the software already respects
 	the value of <makevar>NOMANCOMPRESS</makevar> so
 	<filename>bsd.port.mk</filename> does not have to do anything
 	special.</para>
 
       <para><makevar>MANCOMPRESSED</makevar> is automatically set to
 	<literal>yes</literal> if <makevar>USE_IMAKE</makevar> is set and
 	<makevar>NO_INSTALL_MANPAGES</makevar> is not set, and to
 	<literal>no</literal> otherwise.  You do not have to explicitly define
 	it unless the default is not suitable for your port.</para>
 
       <para>If your port anchors its man tree somewhere other than
 	<makevar>PREFIX</makevar>, you can use the
 	<makevar>MANPREFIX</makevar> to set it.  Also, if only manpages in
 	certain sections go in a non-standard place, such as some <literal>perl</literal> modules
 	ports, you can set individual man paths using
 	<makevar>MAN<replaceable>sect</replaceable>PREFIX</makevar> (where
 	<replaceable>sect</replaceable> is one of <literal>1-9</literal>,
 	<literal>L</literal> or <literal>N</literal>).</para>
 
       <para>If your manpages go to language-specific subdirectories, set the
 	name of the languages to <makevar>MANLANG</makevar>.  The value of
 	this variable defaults to <literal>""</literal> (i.e., English
 	only).</para>
 
       <para>Here is an example that puts it all together.</para>
 
       <programlisting>MAN1=          foo.1
 MAN3=          bar.3
 MAN4=          baz.4
 MLINKS=        foo.1 alt-name.8
 MANLANG=       "" ja
 MAN3PREFIX=    ${PREFIX}/share/foobar
 MANCOMPRESSED= yes</programlisting>
 
       <para>This states that six files are installed by this port;</para>
 
 	  <programlisting>${PREFIX}/man/man1/foo.1.gz
 ${PREFIX}/man/ja/man1/foo.1.gz
 ${PREFIX}/share/foobar/man/man3/bar.3.gz
 ${PREFIX}/share/foobar/man/ja/man3/bar.3.gz
 ${PREFIX}/man/man4/baz.4.gz
 ${PREFIX}/man/ja/man4/baz.4.gz</programlisting>
 
       <para>Additionally <filename>${PREFIX}/man/man8/alt-name.8.gz</filename>
 	may or may not be installed by your port.  Regardless, a
 	symlink will be made to join the foo(1) manpage and
 	alt-name(8) manpage.</para>
 
     </chapter>
 
     <chapter id="porting-motif">
       <title>Ports that require Motif</title>
 
       <para>There are many programs that require a Motif library (available
 	from several commercial vendors, while there is a free clone reported
 	to be able to run many applications in
 	<filename role="package">x11-toolkits/lesstif</filename>) to compile.  Since it is a
 	popular toolkit and their licenses usually permit redistribution of
 	statically linked binaries, we have made special provisions for
 	handling ports that require Motif in a way that we can easily compile
 	binaries linked either dynamically (for people who are compiling from
 	the port) or statically (for people who distribute packages).</para>
 
       <sect1 id="motif-use">
 	<title><makevar>USE_MOTIF</makevar></title>
 
 	<para>If your port requires Motif, define this variable in the
 	  <filename>Makefile</filename>.  This will prevent people who do not own a copy of Motif
 	  from even attempting to build it.</para>
       </sect1>
 
       <sect1 id="motif-lib">
 	<title><makevar>MOTIFLIB</makevar></title>
 
 	<para>This variable will be set by <filename>bsd.port.mk</filename> to
 	  be the appropriate reference to the Motif library.  Please patch the
 	  source of your port to reference this wherever the Motif library is referenced in the
 	  <filename>Makefile</filename> or
 	  <filename>Imakefile</filename>.</para>
 
 	<para>There are two common cases:</para>
 
 	<itemizedlist>
 	  <listitem>
 	    <para>If the port refers to the Motif library as
 	      <literal>-lXm</literal> in its <filename>Makefile</filename> or
 	      <filename>Imakefile</filename>, simply substitute
 	      <literal>&dollar;{MOTIFLIB}</literal> for it.</para>
 	  </listitem>
 
 	  <listitem>
 	    <para>If the port uses <literal>XmClientLibs</literal> in its
 	      <filename>Imakefile</filename>, change it to
 	      <literal>&dollar;{MOTIFLIB} &dollar;{XTOOLLIB}
 		&dollar;{XLIB}</literal>.</para>
 	  </listitem>
 
 	</itemizedlist>
 
 	<para>Note that <makevar>MOTIFLIB</makevar> (usually) expands to
 	  <literal>-L/usr/X11R6/lib -lXm</literal> or
 	  <literal>/usr/X11R6/lib/libXm.a</literal>, so there is no need to
 	  add <literal>-L</literal> or <literal>-l</literal> in front.</para>
       </sect1>
     </chapter>
 
     <chapter id="x11-fonts">
       <title>X11 fonts</title>
 
       <para>If your port installs fonts for the X Window System, put them in
 	<filename><makevar>X11BASE</makevar>/lib/X11/fonts/local</filename>.
 	This directory was new to <application>XFree86 3.3.3</application>.  If it does not exist,
 	please create it, and print out a message urging the user to update
 	their <application>XFree86</application> to 3.3.3 or newer, or at least add this directory to the
 	font path in <filename>/etc/XF86Config</filename>.</para>
     </chapter>
 
     <chapter id="porting-info">
       <title>Info files</title>
 
       <para>If your package needs to install GNU info files, they should be
 	listed in the <makevar>INFO</makevar> variable (without the trailing
 	<literal>.info</literal>), and appropriate installation/de-installation
 	code will be automatically added to the temporary
 	<filename>pkg-plist</filename> before package registration.</para>
     </chapter>
 
     <chapter id="pkg-files">
       <title>The <filename>pkg-<replaceable>*</replaceable></filename> files</title>
 
       <para>There are some tricks we have not mentioned yet about the
 	<filename>pkg-<replaceable>*</replaceable></filename> files
 	that come in handy sometimes.</para>
 
       <sect1 id="porting-message">
 	<title><filename>pkg-message</filename></title>
 
 	<para>If you need to display a message to the installer, you may place
 	  the message in <filename>pkg-message</filename>.  This capability is
 	  often useful to display additional installation steps to be taken
 	  after a &man.pkg.add.1; or to display licensing
 	  information.</para>
 
 	<note>
 	  <para>The <filename>pkg-message</filename> file does not need to be
 	    added to <filename>pkg-plist</filename>.  Also, it will not get
 	    automatically printed if the user is using the port, not the
 	    package, so you should probably display it from the
 	    <maketarget>post-install</maketarget> target yourself.</para>
 	</note>
       </sect1>
 
       <sect1 id="pkg-install">
 	<title><filename>pkg-install</filename></title>
 
 	<para>If your port needs to execute commands when the binary package
 	  is installed with &man.pkg.add.1; you can do this via the
 	  <filename>pkg-install</filename> script.  This script will
 	  automatically be added to the package, and will be run twice by
 	  &man.pkg.add.1;: the first time as
 	  <literal>&dollar;{SH} pkg-install &dollar;{PKGNAME}
 	  PRE-INSTALL</literal> and the second time as
 	  <literal>&dollar;{SH} pkg-install &dollar;{PKGNAME} POST-INSTALL</literal>.
 	  <literal>&dollar;2</literal> can be tested to determine which mode
 	  the script is being run in.  The <envar>PKG_PREFIX</envar>
 	  environmental variable will be set to the package installation
 	  directory.  See &man.pkg.add.1; for
 	  additional information.</para>
 
 	<note>
 	  <para>This script is not run automatically if you install the port
 	    with <command>make install</command>.  If you are depending on it
 	    being run, you will have to explicitly call it from your port's
 	    <filename>Makefile</filename>, with a line like
 	    <literal>PKG_PREFIX=&dollar;{PREFIX} &dollar;{SH} &dollar;{PKGINSTALL}
 	    &dollar;{PKGNAME} PRE-INSTALL</literal>.</para>
 	</note>
       </sect1>
 
       <sect1 id="pkg-deinstall">
 	<title><filename>pkg-deinstall</filename></title>
 
 	<para>This script executes when a package is removed.</para>
 
 	<para>
 	  This script will be run twice by &man.pkg.delete.1;.
 	  The first time as <literal>&dollar;{SH} pkg-deinstall &dollar;{PKGNAME}
 	  DEINSTALL</literal> and the second time as
 	  <literal>&dollar;{SH} pkg-deinstall &dollar;{PKGNAME} POST-DEINSTALL</literal>.
 	</para>
       </sect1>
 
       <sect1 id="pkg-req">
 	<title><filename>pkg-req</filename></title>
 
 	<para>If your port needs to determine if it should install or not, you
 	  can create a <filename>pkg-req</filename> <quote>requirements</quote>
 	  script.  It will be invoked automatically at
 	  installation/de-installation time to determine whether or not
 	  installation/de-installation should proceed.</para>
 
 	<para>The script will be run at installation time by
 	  &man.pkg.add.1; as
 	  <literal>pkg-req &dollar;{PKGNAME} INSTALL</literal>.
 	  At de-installation time it will be run by
 	  &man.pkg.delete.1; as
 	  <literal>pkg-req &dollar;{PKGNAME} DEINSTALL</literal>.</para>
       </sect1>
 
       <sect1 id="porting-plist">
 	<title>Changing <filename>pkg-plist</filename> based on make
 	  variables</title>
 
 	<para>Some ports, particularly the <literal>p5-</literal> ports,
 	  need to change their <filename>pkg-plist</filename> depending on
 	  what options they are configured with (or version of
 	  <literal>perl</literal>, in the case of <literal>p5-</literal>
 	  ports).  To make this easy, any instances in the
 	  <filename>pkg-plist</filename> of <literal>%%OSREL%%</literal>,
 	  <literal>%%PERL_VER%%</literal>, and
 	  <literal>%%PERL_VERSION%%</literal> will be substituted for
 	  appropriately.  The value of <literal>%%OSREL%%</literal> is the
 	  numeric revision of the operating system (e.g.,
 	  <literal>4.9</literal>).  <literal>%%PERL_VERSION%%</literal> is
 	  the full version number of <command>perl</command> (e.g.,
 	  <literal>5.00502</literal>) and <literal>%%PERL_VER%%</literal>
 	  is the <command>perl</command> version number minus
 	  the patchlevel (e.g., <literal>5.005</literal>).  Several other
 	  <literal>%%<replaceable>VARS</replaceable>%%</literal> related to
 	  port's documentation files are described in <link
 	  linkend="dads-documentation">the relevant section</link>.</para>
 
 	<para>If you need to make other substitutions, you can set the
 	  <makevar>PLIST_SUB</makevar> variable with a list of
 	  <literal><replaceable>VAR</replaceable>=<replaceable>VALUE</replaceable></literal>
 	  pairs and instances of
 	  <literal>%%<replaceable>VAR</replaceable>%%</literal> will be
 	  substituted with <replaceable>VALUE</replaceable> in the
 	  <filename>pkg-plist</filename>.</para>
 
 	<para>For instance, if you have a port that installs many files in a
 	  version-specific subdirectory, you can put something like</para>
 
 	<programlisting>OCTAVE_VERSION= 2.0.13
 PLIST_SUB=      OCTAVE_VERSION=${OCTAVE_VERSION}</programlisting>
 
 	<para>in the <filename>Makefile</filename> and use
 	  <literal>%%OCTAVE_VERSION%%</literal> wherever the version shows up
 	  in <filename>pkg-plist</filename>.  That way, when you upgrade the port,
 	  you will not have to change dozens (or in some cases, hundreds) of
 	  lines in the <filename>pkg-plist</filename>.</para>
 
 	<para>This substitution (as well as addition of any <link
 	  linkend="porting-manpages">manual pages</link>) will be done between
 	  the <maketarget>pre-install</maketarget> and
 	  <maketarget>do-install</maketarget> targets, by reading from
 	  <filename><makevar>PLIST</makevar></filename> and writing to
 	  <filename><makevar>TMPPLIST</makevar></filename>
 	  (default:
 	  <filename><makevar>WRKDIR</makevar>/.PLIST.mktmp</filename>).  So if
 	  your port builds <filename><makevar>PLIST</makevar></filename>
 	  on the fly, do so in or
 	  before <maketarget>pre-install</maketarget>.  Also, if your port
 	  needs to edit the resulting file, do so in
 	  <maketarget>post-install</maketarget> to a file named
 	  <filename><makevar>TMPPLIST</makevar></filename>.</para>
 
 	<para>Another possibility to modify port's packing list is based
 	  on setting the variables <makevar>PLIST_FILES</makevar> and
 	  <makevar>PLIST_DIRS</makevar>.  The value of each variable
 	  is regarded as a list of pathnames to
 	  write to <filename><makevar>TMPPLIST</makevar></filename>
 	  along with <filename><makevar>PLIST</makevar></filename>
 	  contents.  Names listed in <makevar>PLIST_FILES</makevar>
 	  and <makevar>PLIST_DIRS</makevar> are subject to
 	  <literal>%%<replaceable>VAR</replaceable>%%</literal>
 	  substitution, as described above.
 	  Except for that, names from <makevar>PLIST_FILES</makevar>
 	  will appear in the final packing list unchanged,
 	  while <literal>@dirrm</literal> will be
 	  prepended to names from <makevar>PLIST_DIRS</makevar>.
 	  To take effect, <makevar>PLIST_FILES</makevar> and
 	  <makevar>PLIST_DIRS</makevar> must be set before
 	  <filename><makevar>TMPPLIST</makevar></filename> is written,
 	  i.e. in <maketarget>pre-install</maketarget> or earlier.</para>
       </sect1>
 
       <sect1 id="pkg-names">
 	<title id="porting-pkgfiles">Changing the names of
 	  <filename>pkg-<replaceable>*</replaceable></filename> files</title>
 
 	<para>All the names of <filename>pkg-<replaceable>*</replaceable></filename> files
 	  are defined using variables so you can change them in your
 	  <filename>Makefile</filename> if need be.  This is especially useful
 	  when you are sharing the same <filename>pkg-<replaceable>*</replaceable></filename> files
 	  among  several ports or have to write to one of the above files (see
 	  <link linkend="porting-wrkdir">writing to places other than
 	  <makevar>WRKDIR</makevar></link> for why it is a bad idea to write
 	  directly into the <filename>pkg-<replaceable>*</replaceable></filename> subdirectory).</para>
 
 	<para>Here is a list of variable names and their default
 	  values.  (<makevar>PKGDIR</makevar> defaults to
 	  <makevar>${MASTERDIR}</makevar>.)</para>
 
-	<informaltable frame="none">
+	<informaltable frame="none" pgwide="1">
 	  <tgroup cols="2">
 	    <thead>
 	      <row>
 		<entry>Variable</entry>
 		<entry>Default value</entry>
 	      </row>
 	    </thead>
 
 	    <tbody>
 	      <row>
 		<entry><makevar>DESCR</makevar></entry>
 		<entry><literal>${PKGDIR}/pkg-descr</literal></entry>
 	      </row>
 
 	      <row>
 		<entry><makevar>PLIST</makevar></entry>
 		<entry><literal>${PKGDIR}/pkg-plist</literal></entry>
 	      </row>
 
 	      <row>
 		<entry><makevar>PKGINSTALL</makevar></entry>
 		<entry><literal>${PKGDIR}/pkg-install</literal></entry>
 	      </row>
 
 	      <row>
 		<entry><makevar>PKGDEINSTALL</makevar></entry>
 		<entry><literal>${PKGDIR}/pkg-deinstall</literal></entry>
 	      </row>
 
 	      <row>
 		<entry><makevar>PKGREQ</makevar></entry>
 		<entry><literal>${PKGDIR}/pkg-req</literal></entry>
 	      </row>
 
 	      <row>
 		<entry><makevar>PKGMESSAGE</makevar></entry>
 		<entry><literal>${PKGDIR}/pkg-message</literal></entry>
 	      </row>
 	    </tbody>
 	  </tgroup>
 	</informaltable>
 
 	<para>Please change these variables rather than overriding
 	  <makevar>PKG_ARGS</makevar>.  If you change
 	  <makevar>PKG_ARGS</makevar>, those files will not correctly be
 	  installed in <filename>/var/db/pkg</filename> upon install from a
 	  port.</para>
       </sect1>
     </chapter>
 
   <chapter id="testing">
     <title>Testing your port</title>
 
       <sect1 id="make-describe">
 	<title>Running <command>make describe</command></title>
 
 	<para>Several of the &os; port maintainance tools, such as
 	  &man.portupgrade.1;, rely on a database called
 	  <filename>/usr/ports/INDEX</filename> which keeps track of such
 	  items as port dependencies.  <filename>INDEX</filename> is created
 	  by the top-level <filename>ports/Makefile</filename> via
 	  <command>make index</command>, which descends into each
 	  port subdirectory and executes <command>make describe</command>
 	  there.  Thus, if <command>make describe</command> fails in any
 	  port, no one can generate <filename>INDEX</filename>, and many
 	  people will quickly become unhappy.</para>
 
 	<note>
 	  <para>It is important to be able to generate this file no
 	  matter what options are present in <filename>make.conf</filename>,
 	  so please avoid doing things such as using <literal>.error</literal>
 	  statements when (for instance) a dependency is not satisfied.</para>
 	</note>
 
 	<example id="dot-error-breaks-index">
 	  <title>How to avoid using <literal>.error</literal></title>
 	  <para>Assume that someone has the line
 	    <programlisting>USE_POINTYHAT=yes</programlisting>
 	    in <filename>make.conf</filename>.  The first of
 	    the next two <filename>Makefile</filename> snippets will
 	    cause <command>make index</command> to fail, while the
 	    second one will not:
 	    <programlisting>.if USE_POINTYHAT
 .error "POINTYHAT is not supported"
 .endif</programlisting>
 	    <programlisting>.if USE_POINTYHAT
 IGNORE=POINTYHAT is not supported
 .endif</programlisting>
 	  </para>
 	</example>
 
 	<para>If <command>make describe</command> produces a string
 	  rather than an error message, you are probably safe.  See
 	  <filename>bsd.port.mk</filename> for the meaning of the
 	  string produced.</para>
 
 	<para>Also note that running a recent version of
 	  <command>portlint</command> (as specified in the next section)
 	  will cause <command>make describe</command> to be run
 	  automatically.</para>
       </sect1>
 
       <sect1 id="testing-portlint">
 	<title>Portlint</title>
 
 	<para>Do check your work with <link
 	    linkend="porting-portlint"><command>portlint</command></link>
 	  before you submit or commit it.  <command>portlint</command>
 	  warns you about many common errors, both functional and
 	  stylistic.  For a new (or repocopied) port,
 	  <command>portlint -A</command> is the most thorough; for an
 	  existing port, <command>portlint -C</command> is sufficient.</para>
 
 	<para>Since <command>portlint</command> uses heuristics to
 	  try to figure out errors, it can produce false positive
 	  warnings.  In addition, occasionally something that is
 	  flagged as a problem really cannot be done in any other
 	  way due to limitations in the ports framework.  When in
 	  doubt, the best thing to do is ask on &a.ports;.</para>
       </sect1>
 
       <sect1 id="porting-prefix">
 	<title><makevar>PREFIX</makevar></title>
 
 	<para>Do try to make your port install relative to
 	  <makevar>PREFIX</makevar>.  (The value of this variable will be set
 	  to <makevar>LOCALBASE</makevar> (default
 	  <filename>/usr/local</filename>), unless
 	  <makevar>USE_X_PREFIX</makevar> or <makevar>USE_IMAKE</makevar> is
 	  set, in which case it will be <makevar>X11BASE</makevar> (default
 	  <filename>/usr/X11R6</filename>).</para>
 
 	<para>Avoiding the hard-coding of <filename>/usr/local</filename> or
 	  <filename>/usr/X11R6</filename> anywhere in the source will make the
 	  port much more flexible and able to cater to the needs of other
 	  sites.  For X ports that use <command>imake</command>, this is
 	  automatic; otherwise, this can often be done by simply replacing the
 	  occurrences of <filename>/usr/local</filename> (or
 	  <filename>/usr/X11R6</filename> for X ports that do not use imake)
 	  in the various <filename>scripts/Makefile</filename>s in the port to read
 	  <makevar>${PREFIX}</makevar>, as this variable is automatically passed
 	  down to every stage of the build and install processes.</para>
 
 	<para>Make sure your application is not installing things in
 	<filename>/usr/local</filename> instead of <makevar>PREFIX</makevar>.
 	A quick test for this is to do this is:</para>
 
 	<screen>&prompt.root; <userinput>make clean; make package PREFIX=/var/tmp/<replaceable>port-name</replaceable></userinput></screen>
 
 	<para>If anything is installed outside of <makevar>PREFIX</makevar>,
 	the package creation process will complain that it
 	cannot find the files.</para>
 
 	<!-- XXX This paragraph is confusing and poorly indented. -->
 	<para>This does not test for the existence of internal references,
 	or correct use of <makevar>LOCALBASE</makevar> for references to
 	files from other ports.  Testing the installation in
 	<filename>/var/tmp/<replaceable>port-name</replaceable></filename>
 	to do that while you have it installed would do that.</para>
 
 	<para>Do not set <makevar>USE_X_PREFIX</makevar> unless your port
 	  truly requires it (i.e., it links against X libs or it needs to
 	  reference files in <makevar>X11BASE</makevar>).</para>
 
 	<para>The variable <makevar>PREFIX</makevar> can be reassigned in your
 	  <filename>Makefile</filename> or in the user's environment.
 	  However, it is strongly discouraged for individual ports to set this
 	  variable explicitly in the <filename>Makefile</filename>s.</para>
 
 	<para>Also, refer to programs/files from other ports with the
 	  variables mentioned above, not explicit pathnames.  For instance, if
 	  your port requires a macro <literal>PAGER</literal> to be the full
 	  pathname of <command>less</command>, use the compiler flag:
 
 	  <programlisting>-DPAGER=\"&dollar;{PREFIX}/bin/less\"</programlisting>
 
 	  or
 
 	  <programlisting>-DPAGER=\"&dollar;{LOCALBASE}/bin/less\"</programlisting>
 
 	  if this is an X port, instead of
 	  <literal>-DPAGER=\"/usr/local/bin/less\"</literal>. This way it will
 	  have a better chance of working if the system administrator has
 	  moved the whole <filename>/usr/local</filename> tree somewhere else.</para>
       </sect1>
   </chapter>
 
     <chapter id="port-upgrading">
       <title>Upgrading</title>
 
       <para>When you notice that a port is out of date compared to the latest
 	version from the original authors, you should first ensure that you
 	have the latest
 	port.  You can find them in the
 	<filename>ports/ports-current</filename> directory of the &os; FTP mirror
 	sites.  However, if you are working with more than a few
 	ports, you will probably find it easier to use
 	<application>CVSup</application> to keep your whole ports collection
 	up-to-date, as described in the
 	<ulink url="&url.books.handbook;/synching.html#CVSUP-CONFIG">Handbook</ulink>.
 	This will have the added benefit of tracking all the ports'
 	dependencies.</para>
 
       <para>The next step is to see if there is an update already pending.
 	To do this, you have two options.  There is a searchable interface
 	to the
 	<ulink url="http://www.FreeBSD.org/cgi/query-pr-summary.cgi?query">
 	FreeBSD Problem Report (PR) database</ulink> (also known as
 	<literal>GNATS</literal>).  Select <literal>ports</literal> in the
 	dropdown, and enter the name of the port.</para>
 
       <para>However, sometimes people forget to put the name of the port
 	into the Synopsis field in an unambiguous fashion.  In that case,
 	you can try the <ulink url="http://portsmon.firepipe.net">
 	FreeBSD Ports Monitoring System</ulink> (also known as
 	<literal>portsmon</literal>).  This system attempts to classify
 	port PRs by portname.  To search for PRs about a particular port,
 	use the <ulink url="http://portsmon.firepipe.net/portoverview.py">
 	Overview of One Port</ulink>.</para>
 
       <para>If there is no pending PR, the next step is to send an email
 	to the port's maintainer, as shown by
 	<command>make maintainer</command>.  That person may
 	already be working on an upgrade, or have a reason to not upgrade the
 	port right now (because of, for example, stability problems of the new
 	version); you would not want to duplicate their work.  Note that
 	unmaintained ports are listed with a maintainer of
 	<literal>ports@FreeBSD.org</literal>, which is just the general
 	ports mailing list, so sending mail there
 	probably will not help in this case.</para>
 
       <para>If the maintainer asks you to do the upgrade or there is
 	no maintainer, then you have a chance to help out &os; by
 	preparing the update yourself!  Please make the changes and save
 	the result of the
 	recursive <command>diff</command> output
 	of the new and old
 	ports directories (e.g., if your modified port directory is
 	called <filename>superedit</filename> and the original is in our tree
 	as <filename>superedit.bak</filename>, then save the result of
 	<command>diff -ruN superedit.bak superedit</command>).  Either
 	unified or context diff is fine, but port committers generally
 	prefer unified diffs.  Note the use of the <literal>-N</literal>
 	option&mdash;this is the accepted way to force diff to properly
 	deal with the case of new files being added or old files being
 	deleted.  Before sending us the diff, please examine the
 	output to make sure all the changes make sense.  To
 	simplify common operations with patch files, you can use
 	<filename>/usr/ports/Tools/scripts/patchtool.py</filename>.
 	Before using it, please read
 	<filename>/usr/ports/Tools/scripts/README.patchtool</filename>.</para>
 
       <para>If the port is unmaintained, and you are actively using
 	it yourself, please consider volunteering to become its
 	maintainer.  &os; has over 2000 ports without maintainers,
 	and this is an area where more volunteers are always needed.
 	(For a detailed description of the responsibilities of maintainers,
 	refer to the
 	<ulink url="&url.books.developers-handbook;/policies.html#POLICIES-MAINTAINER">
 	MAINTAINER on Makefiles</ulink> section.)</para>
 
       <para> The best way to
 	send us the diff is by including it via &man.send-pr.1; (category
 	<literal>ports</literal>).  If you are volunteering to maintain the
 	port,
 	be sure to put <literal>[maintainer update]</literal> at the beginning
 	of your synopsis line and set the <quote>Class</quote> of your PR
 	to <literal>maintainer-update</literal>.  Otherwise, the
 	<quote>Class</quote> of your PR should be
 	<literal>change-request</literal>.  Please mention any added or
 	deleted files in the message, as they have to be explicitly specified
 	to &man.cvs.1; when doing a commit.  If the diff is more than about 20KB,
 	please compress and uuencode it; otherwise, just include it in the PR
 	as is.</para>
 
       <para>Before you &man.send-pr.1;, you should review the
 	<ulink url="&url.articles.problem-reports;/pr-writing.html">
 	Writing the problem report</ulink> section in the Problem
 	Reports article; it contains far more information about how to write
 	useful problem reports.</para>
 
       <important>
 	<para>If your upgrade is motivated by security concerns or a
 	  serious fault in the currently committed port, please notify
 	  the &a.portmgr; to request immediate rebuilding and
 	  redistribution of your port's package.  Unsuspecting users
 	  of &man.pkg.add.1; will otherwise continue to install the
 	  old version via <command>pkg_add -r</command> for several
 	  weeks.</para>
       </important>
 
       <note>
 	<para>Once again, please use &man.diff.1; and not &man.shar.1; to send
 	  updates to existing ports!</para>
       </note>
 
       <para>Now that you have done all that, you will want to read about
 	how to keep up-to-date in <xref linkend="keeping-up">.</para>
 
     </chapter>
 
     <chapter id="security">
       <title>Ports security</title>
 
       <sect1 id="security-intro">
 	<title>Why security is so important</title>
 
 	<para>Bugs are occasionally introduced to the software.
 	  Arguably, the most dangerous of them are those opening
 	  security vulnerabilities.  From the technical viewpoint,
 	  such vulnerabilities are to be closed by exterminating
 	  the bugs that caused them.  However, the policies for
 	  handling mere bugs and security vulnerabilities are
 	  very different.</para>
 
 	<para>A typical small bug affects only those users who have
 	  enabled some combination of options triggering the bug.
 	  The developer will eventually release a patch followed
 	  by a new version of the software, free of the bug, but
 	  the majority of users will not take the trouble of upgrading
 	  immediately because the bug has never vexed them.  A
 	  critical bug that may cause data loss represents a graver
 	  issue.  Nevertheless, prudent users know that a lot of
 	  possible accidents, besides software bugs, are likely to
 	  lead to data loss, and so they make backups of important
 	  data; in addition, a critical bug will be discovered
 	  really soon.</para>
 
 	<para>A security vulnerability is all different.  First,
 	  it may remain unnoticed for years because often it does
 	  not cause software malfunction.  Second, a malicious party
 	  can use it to gain unauthorized access to a vulnerable
 	  system, to destroy or alter sensitive data; and in the
 	  worst case the user will not even notice the harm caused.
 	  Third, exposing a vulnerable system often assists attackers
 	  to break into other systems that could not be compromised
 	  otherwise.  Therefore closing a vulnerability alone is
 	  not enough: the audience should be notified of it in most
 	  clear and comprehensive manner, which will allow to
 	  evaluate the danger and take appropriate actions.</para>
       </sect1>
 
       <sect1 id="security-fix">
 	<title>Fixing security vulnerabilities</title>
 
 	<para>While on the subject of ports and packages, a security
 	  vulnerability may initially appear in the original
 	  distribution or in the port files.  In the former case,
 	  the original software developer is likely to release a
 	  patch or a new version instantly, and you will
 	  only need to update the port promptly with respect to
 	  the author's fix.  If the fix is delayed for some reason,
 	  you should either <link linkend="dads-broken">mark the port as
 	  <makevar>FORBIDDEN</makevar></link>
 	  or introduce a patch file of your own to the port.  In
 	  the case of a vulnerable port, just fix the port as soon as
 	  possible.  In either case, <link linkend="port-upgrading">the
 	  standard procedure for submitting your change</link> should
 	  be followed unless you have rights to commit it directly
 	  to the ports tree.</para>
 
 	<important>
 	  <para>Being a ports committer is not enough to commit to
 	    an arbitrary port.  Remember that ports usually have
 	    maintainers, whom you should respect.</para>
 	</important>
 
 	<para>Please make sure that the port's revision is bumped
 	  as soon as the vulnerability has been closed.
 	  That is how the users who upgrade installed packages
 	  on a regular basis will see they need to run an update.
 	  Besides, a new package will be built and distributed
 	  over FTP and WWW mirrors, replacing the vulnerable one.
 	  <makevar>PORTREVISION</makevar> should be bumped unless
 	  <makevar>PORTVERSION</makevar> has changed in the course
 	  of correcting the vulnerability.  That is you should
 	  bump <makevar>PORTREVISION</makevar> if you have added a
 	  patch file to the port, but you should not if you have updated
 	  the port to the latest software version and thus already
 	  touched <makevar>PORTVERSION</makevar>.  Please refer to the
 	  <link linkend="makefile-naming-revepoch">corresponding section</link>
 	  for more information.</para>
       </sect1>
 
       <sect1 id="security-notify">
 	<title>Keeping the community informed</title>
 
 	<sect2 id="security-notify-vuxml-db">
 	  <title>The VuXML database</title>
 
 	  <para>A very important and urgent step to take as early as
 	    a security vulnerability is discovered is to notify the
 	    community of port users about the jeopardy.  Such
 	    notification serves two purposes.  First, should the danger
 	    be really severe, it will be wise to apply an instant workaround,
 	    e.g., stop the affected network service or even deinstall
 	    the port completely, until the vulnerability is closed.
 	    Second, a lot of users tend to upgrade installed packages
 	    just occasionally.  They will know from the notification
 	    that they <emphasis>must</emphasis> update the package
 	    without delay as soon as a corrected version is available.
 
 	  <para>Given the huge number of ports in the tree,
 	    a security advisory cannot be issued on each incident
 	    without creating a flood and losing the attention of
 	    the audience by the time it comes to really serious
 	    matters.  Therefore security vulnerabilities found in
 	    ports are recorded in <ulink
 	    url="http://vuxml.freebsd.org/">the FreeBSD VuXML
 	    database</ulink>.  The Security Officer Team members
 	    are monitoring it for issues requiring their
 	    intervention.</para>
 
 	  <para>If you have committer rights, you can update the VuXML
 	    database by yourself.  So you will both help the Security
 	    Officer Team and deliver the crucial information to the
 	    community earlier.  However, if you are not a committer,
 	    or you believe you have found an exceptionally severe
 	    vulnerability, or whatever, please do not hesitate to
 	    contact the Security Officer Team directly as described
 	    on the <ulink
 	    url="http://www.freebsd.org/security/#how">FreeBSD
 	    Security Information</ulink> page.</para>
 
 	  <para>All right, you elected the hard way.  As it may be obvious
 	    from its title, the VuXML database is essentially an
 	    XML document.  Its source file <filename>vuln.xml</filename>
 	    is kept right inside the port <filename
 	    role="package">security/vuxml</filename>.  Therefore
 	    the file's full pathname will be
 	    <filename><envar>PORTSDIR</envar>/security/vuxml/vuln.xml</filename>.
 	    Each time you discover a security vulnerability in a
 	    port, please add an entry for it to that file.
 	    Until you are familiar with VuXML, the best thing you can
 	    do is to find an existing entry fitting your case, then copy
 	    it and use as a template.</para>
 	</sect2>
 
 	<sect2 id="security-notify-vuxml-intro">
 	  <title>A short introduction to VuXML</title>
 
 	  <para>The full-blown XML is complex and far beyond the scope of
 	    this book.  However, to gain basic insight on the structure
 	    of a VuXML entry, you need only the notion of tags.  XML
 	    tag names are enclosed in angle brackets.  Each opening
 	    &lt;tag&gt; must have a matching closing &lt;/tag&gt;.
 	    Tags may be nested.  If nesting, the inner tags must be
 	    closed before the outer ones.  There is a hierarchy of
 	    tags, i.e.  more complex rules of nesting them.  Sounds
 	    very similar to HTML, doesn't it?  The major difference
 	    is that XML is e<emphasis>X</emphasis>tensible, i.e. based
 	    on defining custom tags.  Due to its intrinsic structure,
 	    XML puts otherwise amorphous data into shape.  VuXML is
 	    particularly tailored to mark up descriptions of security
 	    vulnerabilities.</para>
 
 	  <para>Now let's consider a realistic VuXML entry:</para>
 
 	  <programlisting>&lt;vuln vid="f4bc80f4-da62-11d8-90ea-0004ac98a7b9"&gt; <co id="co-vx-vid">
   &lt;topic&gt;Several vulnerabilities found in Foo&lt;/topic&gt; <co id="co-vx-top">
   &lt;affects&gt;
     &lt;package&gt;
       &lt;name&gt;foo&lt;/name&gt; <co id="co-vx-nam">
       &lt;name&gt;foo-devel&lt;/name&gt;
       &lt;name&gt;ja-foo&lt;/name&gt;
       &lt;range&gt;&lt;ge&gt;1.6&lt;/ge&gt;&lt;lt&gt;1.9&lt;/lt&gt;&lt;/range&gt; <co id="co-vx-rng">
       &lt;range&gt;&lt;ge&gt;2.*&lt;/ge&gt;&lt;lt&gt;2.4_1&lt;/lt&gt;&lt;/range&gt;
       &lt;range&gt;&lt;eq&gt;3.0b1&lt;/eq&gt;&lt;/range&gt;
     &lt;/package&gt;
     &lt;package&gt;
       &lt;name&gt;openfoo&lt;/name&gt; <co id="co-vx-nm2">
       &lt;range&gt;&lt;lt&gt;1.10_7&lt;/lt&gt;&lt;/range&gt; <co id="co-vx-epo">
       &lt;range&gt;&lt;ge&gt;1.2,1&lt;/ge&gt;&lt;lt&gt;1.3_1,1&lt;/lt&gt;&lt;/range&gt;
     &lt;/package&gt;
   &lt;/affects&gt;
   &lt;description&gt;
     &lt;body xmlns="http://www.w3.org/1999/xhtml"&gt;
       &lt;p&gt;J. Random Hacker reports:&lt;/p&gt; <co id="co-vx-bdy">
       &lt;blockquote
         cite="http://j.r.hacker.com/advisories/1"&gt;
         &lt;p&gt;Several issues in the Foo software may be exploited
           via carefully crafted QUUX requests.  These requests will
           permit the injection of Bar code, mumble theft, and the
           readability of the Foo administrator account.&lt;/p&gt;
       &lt;/blockquote&gt;
     &lt;/body&gt;
   &lt;/description&gt;
   &lt;references&gt; <co id="co-vx-ref">
     &lt;freebsdsa&gt;SA-10:75.foo&lt;/freebsdsa&gt; <co id="co-vx-fsa">
     &lt;freebsdpr&gt;ports/987654&lt;/freebsdpr&gt; <co id="co-vx-fpr">
     &lt;cvename&gt;CAN-2010-0201&lt;/cvename&gt; <co id="co-vx-cve">
     &lt;cvename&gt;CAN-2010-0466&lt;/cvename&gt;
     &lt;bid&gt;96298&lt;/bid&gt; <co id="co-vx-bid">
     &lt;certsa&gt;CA-2010-99&lt;/certsa&gt; <co id="co-vx-cts">
     &lt;certvu&gt;740169&lt;/certvu&gt; <co id="co-vx-ctv">
     &lt;uscertsa&gt;SA10-99A&lt;/uscertsa&gt; <co id="co-vx-ucs">
     &lt;uscertta&gt;SA10-99A&lt;/uscertta&gt; <co id="co-vx-uct">
     &lt;mlist msgid="201075606@hacker.com"&gt;http://marc.theaimsgroup.com/?l=bugtraq&amp;amp;m=203886607825605&lt;/mlist&gt; <co id="co-vx-mls">
     &lt;url&gt;http://j.r.hacker.com/advisories/1&lt;/url&gt; <co id="co-vx-url">
   &lt;/references&gt;
   &lt;dates&gt;
     &lt;discovery&gt;2010-05-25&lt;/discovery&gt; <co id="co-vx-dsc">
     &lt;entry&gt;2010-07-13&lt;/entry&gt; <co id="co-vx-ent">
     &lt;modified&gt;2010-09-17&lt;/entry&gt; <co id="co-vx-mod">
   &lt;/dates&gt;
 &lt;/vuln&gt;</programlisting>
 
 	  <para>The tag names are supposed to be self-descriptive,
 	    so we shall take a closer look only at fields you will need
 	    to fill in by yourself:</para>
 
 	  <calloutlist>
 	    <callout arearefs="co-vx-vid">
 	      <para>This is the top-level tag of a VuXML entry.  It has
 		a mandatory attribute, <literal>vid</literal>,
 		specifying a universally unique identifier (UUID) for
 		this entry (in quotes).  You should generate a UUID
 		for each new VuXML entry (and don't forget to substitute
 		it for the template UUID unless you are writing the
 		entry from scratch).  You can use &man.uuidgen.1; in
 		FreeBSD 5.x, or you may install the port <filename
 		role="package">devel/p5-Data-UUID</filename> and issue
 		the following command:</para>
 
 	      <programlisting>perl -MData::UUID -le 'print lc new Data::UUID-&gt;create_str'</programlisting>
 	    </callout>
 
 	    <callout arearefs="co-vx-top">
 	      <para>This is a one-line description of the issue found.</para>
 	    </callout>
 
 	    <callout arearefs="co-vx-nam">
 	      <para>The names of packages affected are listed there.
 		Multiple names can be given since several packages may be
 		based on a single master port or software product.  This
 		may include stable and development branches, localized
 		versions, and slave ports featuring different choices of
 		important build-time configuration options.</para>
 	      
 	      <important>
 		<para>It is your resposibility to find all such related
 		  packages when writing a VuXML entry.  Keep in mind that
 		  <literal>make search name=foo</literal> is your friend.
 		  The primary points to look for are as follows:</para>
 
 		<itemizedlist>
 		  <listitem>
 		    <para>the <filename>foo-devel</filename> variant
 		      for a <filename>foo</filename> port;</para>
 		  </listitem>
 
 		  <listitem>
 		    <para>other variants with a suffix like
 		      <literal>-a4</literal> (for print-related packages),
 		      <literal>-without-gui</literal> (for packages with X
 		      support disabled), or similar;</para>
 		  </listitem>
 
 		  <listitem>
 		    <para><literal>jp-</literal>, <literal>ru-</literal>,
 		      <literal>zh-</literal>, and other possible localized
 		      variants in the corresponding national categories of
 		      the ports collection.</para>
 		  </listitem>
 		</itemizedlist>
 	      </important>
 	    </callout>
 
 	    <callout arearefs="co-vx-rng">
 	      <para>Affected versions of the package(s) are specified
 		there as one or more ranges using a combination of
 		<literal>&lt;lt&gt;</literal>, <literal>&lt;le&gt;</literal>,
 		<literal>&lt;eq&gt;</literal>, <literal>&lt;ge&gt;</literal>,
 		and <literal>&lt;gt&gt;</literal> elements.  The
 		version ranges given should not overlap.</para>
 	      
 	      <para>In a range specification, <literal>*</literal> (asterisk)
 		denotes the smallest version number.  In particular,
 		<literal>2.*</literal> is less than <literal>2.a</literal>.
 		Therefore an asterisk may be used for a range to match all
 		possible <literal>alpha</literal>, <literal>beta</literal>,
 		and <literal>RC</literal> versions.  For instance,
 		<literal>&lt;ge&gt;2.*&lt;/ge&gt;&lt;lt&gt;3.*&lt;/lt&gt;</literal>
 		will selectively match every <literal>2.x</literal> version while
 		<literal>&lt;ge&gt;2.0&lt;/ge&gt;&lt;lt&gt;3.0&lt;/lt&gt;</literal>
 		will obviously not since the latter misses
 		<literal>2.r3</literal> and matches
 		<literal>3.b</literal>.</para>
 
 	      <para>The above example
 		specifies that affected are versions from <literal>1.6</literal>
 		to <literal>1.9</literal> inclusive, versions
 		<literal>2.x</literal> before <literal>2.4_1</literal>,
 		and version <literal>3.0b1</literal>.</para>
 	    </callout>
 
 	    <callout arearefs="co-vx-nm2">
 	      <para>Several related package groups (essentially, ports)
 		can be listed in the <literal>&lt;affected&gt;</literal>
 		section.  This can be used if several software products
 		(say FooBar, FreeBar and OpenBar) grow from the same code base
 		and still share its bugs and vulnerabilities.  Note the
 		difference from listing multiple names within a single
 		&lt;package&gt; section.</para>
 	    </callout>
 
 	    <callout arearefs="co-vx-epo">
 	      <para>The version ranges should allow for
 		<makevar>PORTEPOCH</makevar> and
 		<makevar>PORTREVISION</makevar> if applicable.
 		Please remember that according to the collation rules,
 		a version with a non-zero <makevar>PORTEPOCH</makevar> is
 		greater than any version without
 		<makevar>PORTEPOCH</makevar>, e.g., <literal>3.0,1</literal>
 		is greater than <literal>3.1</literal> or even than
 		<literal>8.9</literal>.</para>
 	    </callout>
 
 	    <callout arearefs="co-vx-bdy">
 	      <para>This is a summary of the issue.
 		XHTML is used in this field.  At least enclosing
 		<literal>&lt;p&gt;</literal> and <literal>&lt;/p&gt;</literal>
 		should appear.  More complex mark-up may be used, but only for
 		the sake of accuracy and clarity:  No eye candy please.</para>
 	    </callout>
 
 	    <callout arearefs="co-vx-ref">
 	      <para>This section contains references to relevant documents.
 		As many references as apply are encouraged.</para>
 	    </callout>
 
 	    <callout arearefs="co-vx-fsa">
 	      <para>This is a
 		<ulink url="http://www.freebsd.org/security/#adv">FreeBSD
 		security advisory</ulink>.</para>
 	    </callout>
 
 	    <callout arearefs="co-vx-fpr">
 	      <para>This is a
 		<ulink url="http://www.freebsd.org/support.html#gnats">FreeBSD
 		problem report</ulink>.</para>
 	    </callout>
 
 	    <callout arearefs="co-vx-cve">
 	      <para>This is a <ulink url="http://www.cve.mitre.org/">Mitre
 		CVE</ulink> identifier.</para>
 	    </callout>
 
 	    <callout arearefs="co-vx-bid">
 	      <para>This is a
 		<ulink url="http://www.securityfocus.com/bid">SecurityFocus
 		Bug ID</ulink>.</para>
 	    </callout>
 
 	    <callout arearefs="co-vx-cts">
 	      <para>This is a
 		<ulink url="http://www.cert.org/">US-CERT</ulink>
 		security advisory.</para>
 	    </callout>
 
 	    <callout arearefs="co-vx-ctv">
 	      <para>This is a
 		<ulink url="http://www.cert.org/">US-CERT</ulink>
 		vulnerability note.</para>
 	    </callout>
 
 	    <callout arearefs="co-vx-ucs">
 	      <para>This is a
 		<ulink url="http://www.cert.org/">US-CERT</ulink>
 		Cyber Security Alert.</para>
 	    </callout>
 
 	    <callout arearefs="co-vx-uct">
 	      <para>This is a
 		<ulink url="http://www.cert.org/">US-CERT</ulink>
 		Technical Cyber Security Alert.</para>
 	    </callout>
 
 	    <callout arearefs="co-vx-mls">
 	      <para>This is a URL to an archived posting in a mailing list.
 		The attribute <literal>msgid</literal> is optional and
 		may specify the message ID of the posting.</para>
 	    </callout>
 
 	    <callout arearefs="co-vx-url">
 	      <para>This is a generic URL.  It should be used only if none of
 		the other reference categories apply.</para>
 	    </callout>
 
 	    <callout arearefs="co-vx-dsc">
 	      <para>This is the date when the issue was disclosed
 		(<replaceable>YYYY-MM-DD</replaceable>).</para>
 	    </callout>
 
 	    <callout arearefs="co-vx-ent">
 	      <para>This is the date when the entry was added
 		(<replaceable>YYYY-MM-DD</replaceable>).</para>
 	    </callout>
 
 	    <callout arearefs="co-vx-mod">
 	      <para>This is the date when any information in the entry
 		was last modified (<replaceable>YYYY-MM-DD</replaceable>).
 		New entries must not include this field.  It should be added
 		upon editing an existing entry.</para>
 	    </callout>
 	  </calloutlist>
 	</sect2>
 
 	<sect2 id="security-notify-vuxml-testing">
 	  <title>Testing your changes to the VuXML database</title>
 
 	  <para>Assume you just wrote or filled in an entry for a
 	    vulnerability in the package <literal>clamav</literal>
 	    that has been fixed in version <literal>0.65_7</literal>.</para>
 
 	  <para>As a prerequisite, you need to install fresh versions of the
 	    ports <filename role="package">security/portaudit</filename> and
 	    <filename role="package">security/portaudit-db</filename>.</para>
 
 	  <para>First, check whether there already is an entry for this
 	    vulnerability.  If there were such entry, it would match the
 	    previous version of the package,
 	    <literal>0.65_6</literal>:</para>
 
 	  <screen>&prompt.user; <userinput>packaudit</userinput>
 &prompt.user; <userinput>portaudit clamav-0.65_6</userinput></screen>
 
 	  <note>
 	    <para>To run <command>packaudit</command>, you must have
 	      permission to write to its
 	      <filename><makevar>DATABASEDIR</makevar></filename>,
 	      typically <filename>/var/db/portaudit</filename>.</para>
 	  </note>
 
 	  <para>If there is none found, you get the green light to add
 	    a new entry for this vulnerability.  Now you can generate
 	    a brand-new UUID (assume it's
 	    <literal>74a9541d-5d6c-11d8-80e3-0020ed76ef5a</literal>) and
 	    add your new entry to the VuXML database.  Please verify
 	    its syntax after that as follows:</para>
 
 	  <screen>&prompt.user; <userinput>cd ${PORTSDIR}/security/vuxml && make validate</userinput></screen>
 
 	  <note>
 	    <para>You will need at least one of the following packages
 	      installed: <filename role="package">textproc/libxml2</filename>,
 	      <filename role="package">textproc/jade</filename>.</para>
 	  </note>
 
 	  <para>Now rebuild the <command>portaudit</command> database
 	    from the VuXML file:</para>
 
 	  <screen>&prompt.user; <userinput>packaudit</userinput></screen>
 
 	  <para>To verify that the <literal>&lt;affected&gt;</literal>
 	    section of your entry will match correct package(s), issue
 	    the following command:</para>
 
 	  <screen>&prompt.user; <userinput>portaudit -f /usr/ports/INDEX -r 74a9541d-5d6c-11d8-80e3-0020ed76ef5a</userinput></screen>
 
 	  <note>
 	    <para>Please refer to &man.portaudit.1; for better understanding
 	      of the command syntax.</para>
 	  </note>
 
 	  <para>Make sure that your entry produces no spurious matches
 	    in the output.</para>
 
 	  <para>Now check whether the right package versions are matched
 	    by your entry:</para>
 
 	  <screen>&prompt.user; <userinput>portaudit clamav-0.65_6 clamav-0.65_7</userinput>
 Affected package: clamav-0.65_6 (matched by clamav&lt;0.65_7)
 Type of problem: clamav remote denial-of-service.
 Reference: &lt;http://www.freebsd.org/ports/portaudit/74a9541d-5d6c-11d8-80e3-0020ed76ef5a.html&gt;
 
 1 problem(s) found.</screen>
 
 	  <para>Obviously, the former version should match while the
 	    latter one should not.</para>
 
 	  <para>Finally, verify whether the web page generated from the
 	    VuXML database looks like expected:</para>
 
 	  <screen>&prompt.user; <userinput>mkdir -p ~/public_html/portaudit</userinput>
 &prompt.user; <userinput>packaudit</userinput>
 &prompt.user; <userinput>lynx ~/public_html/portaudit/74a9541d-5d6c-11d8-80e3-0020ed76ef5a.html</userinput></screen>
 	</sect2>
 
 	<sect2 id="security-notify-noxml">
 	  <title>If VuXML still scares you...</title>
 
 	  <para>As an easy alternative to writing VuXML, you may opt to add
 	    a single line to a different file with much simpler syntax,
 	    <filename><envar>PORTSDIR</envar>/security/portaudit-db/database/portaudit.txt</filename>,
 	    which resides within the port <filename
 	    role="package">security/portaudit-db</filename>, and
 	    send a request for review to the Security Officer Team
 	    as described on the <ulink
 	    url="http://www.freebsd.org/security/#how">FreeBSD
 	    Security Information</ulink> page.</para>
 
 	  <para>A line in that file consists of four fields
 	    separated by <literal>|</literal>, a pipe character.
 	    The first field is a &man.pkg.version.1; pattern
 	    expression matching the vulnerable packages.  The second
 	    field contains URLs to relevant information, separated
 	    by space characters.  The third field is a one-line
 	    description of the issue.  The fourth and last field
 	    is the entry's UUID.</para>
 
 	  <para>You may want take a closer look at existing entries in
 	    <filename>portaudit.txt</filename> before adding your
 	    first line to that file.</para>
 	</sect2>
       </sect1>
     </chapter>
 
     <chapter id="porting-dads">
       <title>Dos and Don'ts</title>
 
       <sect1 id="dads-intro">
 	<title>Introduction</title>
 
       <para>Here is a list of common dos and don'ts that you encounter during
 	the porting process.  You should check your own port against this list,
 	but you can also check ports in the <ulink url="http://www.FreeBSD.org/cgi/query-pr-summary.cgi?query">PR database</ulink> that others have
 	submitted.  Submit any comments on ports you check as described in
 	<ulink url="&url.articles.contributing;/contrib-how.html#CONTRIB-GENERAL">Bug Reports and General
 	  Commentary</ulink>.  Checking ports in the PR database will both make
 	it faster for us to commit them, and prove that you know what you are
 	doing.</para>
       </sect1>
 
       <sect1 id="dads-strip">
 	<title>Stripping Binaries</title>
 
 	<para>Do not strip binaries manually unless you have to.  All binaries
 	  should be stripped, but the <maketarget>INSTALL_PROGRAM</maketarget>
 	  macro will install and strip a binary at the same time (see the next
 	  section).</para>
 
 	<para>If you need to strip a file, but do not wish to use the
 	  <makevar>INSTALL_PROGRAM</makevar> macro,
 	  <makevar>${STRIP_CMD}</makevar> will strip your program.  This is
 	  typically done within the <literal>post-install</literal>
 	  target.  For example:</para>
 
 	<programlisting>post-install:
 	${STRIP_CMD} ${PREFIX}/bin/xdl</programlisting>
 
 	<para>Use the &man.file.1; command on the installed executable to
 	  check whether the binary is stripped or not.  If it does not say
 	  <literal>not stripped</literal>, it is stripped.  Additionally,
 	  &man.strip.1; will not strip a previously stripped program; it
 	  will instead exit cleanly.</para>
       </sect1>
 
       <sect1 id="dads-install">
 	<title>INSTALL_* macros</title>
 
 	<para>Do use the macros provided in <filename>bsd.port.mk</filename>
 	  to ensure correct modes and ownership of files in your own
 	  <maketarget>*-install</maketarget> targets.</para>
 
 	<itemizedlist>
 	  <listitem>
 	    <para><makevar>INSTALL_PROGRAM</makevar> is a command to install
 	      binary executables.</para>
 	  </listitem>
 
 	  <listitem>
 	    <para><makevar>INSTALL_SCRIPT</makevar> is a command to install
 	      executable scripts.</para>
 	  </listitem>
 
 	  <listitem>
 	    <para><makevar>INSTALL_DATA</makevar> is a command to install
 	      sharable data.</para>
 	  </listitem>
 
 	  <listitem>
 	    <para><makevar>INSTALL_MAN</makevar> is a command to install
 	      manpages and other documentation (it does not compress
 	      anything).</para>
 	  </listitem>
 	</itemizedlist>
 
 	<para>These are basically the <command>install</command> command with
 	  all the appropriate flags.  See below for an example on how to use
 	  them.</para>
       </sect1>
 
       <sect1 id="porting-wrkdir">
 	<title><makevar>WRKDIR</makevar></title>
 
 	<para>Do not write anything to files outside
 	  <makevar>WRKDIR</makevar>.  <makevar>WRKDIR</makevar> is the only
 	  place that is guaranteed to be writable during the port build (see
 	  <ulink url="&url.books.handbook;/ports-using.html#PORTS-CD">
 	  installing ports from a CDROM</ulink> for an
 	  example of building ports from a read-only tree).  If you need to
 	  modify one of the <filename>pkg-<replaceable>*</replaceable></filename>
 	  files, do so by <link
 	  linkend="porting-pkgfiles">redefining a variable</link>, not by
 	  writing over it.</para>
       </sect1>
 
       <sect1 id="porting-wrkdirprefix">
 	<title><makevar>WRKDIRPREFIX</makevar></title>
 
 	<para>Make sure your port honors <makevar>WRKDIRPREFIX</makevar>.
 	  Most ports do not have to worry about this.  In particular, if you
 	  are referring to a <makevar>WRKDIR</makevar> of another port, note
 	  that the correct location is
 	  <filename><makevar>WRKDIRPREFIX</makevar><makevar>PORTSDIR</makevar>/<replaceable>subdir</replaceable>/<replaceable>name</replaceable>/work</filename> not <filename><makevar>PORTSDIR</makevar>/<replaceable>subdir</replaceable>/<replaceable>name</replaceable>/work</filename> or <filename><makevar>.CURDIR</makevar>/../../<replaceable>subdir</replaceable>/<replaceable>name</replaceable>/work</filename> or some such.</para>
 
 	<para>Also, if you are defining <makevar>WRKDIR</makevar> yourself,
 	  make sure you prepend
 	  <literal>&dollar;{WRKDIRPREFIX}&dollar;{.CURDIR}</literal> in the
 	  front.</para>
       </sect1>
 
       <sect1 id="porting-versions">
 	<title>Differentiating operating systems and OS versions</title>
 
 	<para>You may come across code that needs modifications or conditional
 	  compilation based upon what version of Unix it is running under.  If
 	  you need to make such changes to the code for conditional
 	  compilation, make sure you make the changes as general as possible
 	  so that we can back-port code to older FreeBSD systems and cross-port
 	  to other BSD systems such as 4.4BSD from CSRG, BSD/386, 386BSD,
 	  NetBSD, and OpenBSD.</para>
 
 	<para>The preferred way to tell 4.3BSD/Reno (1990) and newer versions
 	  of the BSD code apart is by using the <literal>BSD</literal> macro
 	  defined in
 	  <ulink url="http://cvsweb.freebsd.org/src/sys/sys/param.h">sys/param.h</ulink>.
 	  Hopefully that
 	  file is already included; if not, add the code:</para>
 
 	<programlisting>#if (defined(__unix__) || defined(unix)) &amp;&amp; !defined(USG)
 #include &lt;sys/param.h&gt;
 #endif</programlisting>
 
 	<para>to the proper place in the <filename>.c</filename> file.  We
 	  believe that every system that defines these two symbols has
 	  <filename>sys/param.h</filename>.  If you find a system that
 	  does not, we would like to know.  Please send mail to the
 	  &a.ports;.</para>
 
 	<para>Another way is to use the GNU Autoconf style of doing
 	  this:</para>
 
 	<programlisting>#ifdef HAVE_SYS_PARAM_H
 #include &lt;sys/param.h&gt;
 #endif</programlisting>
 
 	<para>Do not forget to add <literal>-DHAVE_SYS_PARAM_H</literal> to the
 	  <makevar>CFLAGS</makevar> in the <filename>Makefile</filename> for
 	  this method.</para>
 
 	<para>Once you have <filename>sys/param.h</filename> included, you may
 	  use:</para>
 
 	<programlisting>#if (defined(BSD) &amp;&amp; (BSD &gt;= 199103))</programlisting>
 
 	<para>to detect if the code is being compiled on a 4.3 Net2 code base
 	  or newer (e.g. FreeBSD 1.x, 4.3/Reno, NetBSD 0.9, 386BSD, BSD/386
 	  1.1 and below).</para>
 
 	<para>Use:</para>
 
 	<programlisting>#if (defined(BSD) &amp;&amp; (BSD &gt;= 199306))</programlisting>
 
 	<para>to detect if the code is being compiled on a 4.4 code base or
 	  newer (e.g. FreeBSD 2.x, 4.4, NetBSD 1.0, BSD/386 2.0 or
 	  above).</para>
 
 	<para>The value of the <literal>BSD</literal> macro is
 	  <literal>199506</literal> for the 4.4BSD-Lite2 code base.  This is
 	  stated for informational purposes only.  It should not be used to
 	  distinguish between versions of FreeBSD based only on 4.4-Lite vs.
 	  versions that have merged in changes from 4.4-Lite2.  The
 	  <literal>__FreeBSD__</literal> macro should be used instead.</para>
 
 	<para>Use sparingly:</para>
 
 	<itemizedlist>
 	  <listitem>
 	    <para><literal>__FreeBSD__</literal> is defined in all versions of
 	      FreeBSD.  Use it if the change you are making
 	      <emphasis>only</emphasis> affects FreeBSD.  Porting gotchas like
 	      the use of <literal>sys_errlist[]</literal> vs
 	      <function>strerror()</function> are Berkeley-isms, not FreeBSD
 	      changes.</para>
 	  </listitem>
 
 	  <listitem>
 	    <para>In FreeBSD 2.x, <literal>__FreeBSD__</literal> is defined to
 	      be <literal>2</literal>.  In earlier versions, it is
 	      <literal>1</literal>.  Later versions always bump it to match
 	      their major version number.</para>
 	  </listitem>
 
 	  <listitem>
 	    <para>If you need to tell the difference between a FreeBSD 1.x
 	      system and a FreeBSD 2.x or above system, usually the right answer
 	      is to use the <literal>BSD</literal> macros described above.  If
 	      there actually is a FreeBSD specific change (such as special
 	      shared library options when using <command>ld</command>) then it
 	      is OK to use <literal>__FreeBSD__</literal> and <literal>#if
 		__FreeBSD__ &gt; 1</literal> to detect a FreeBSD 2.x and later
 	      system.  If you need more granularity in detecting FreeBSD
 	      systems since 2.0-RELEASE you can use the following:</para>
 
 	    <programlisting>#if __FreeBSD__ &gt;= 2
 #include &lt;osreldate.h&gt;
 #    if __FreeBSD_version &gt;= 199504
 	 /* 2.0.5+ release specific code here */
 #    endif
 #endif</programlisting>
 	  </listitem>
 	</itemizedlist>
 
 	<para>In the hundreds of ports that have been done, there have only
 	  been one or two cases where <literal>__FreeBSD__</literal> should
 	  have been used.  Just because an earlier port screwed up and used it
 	  in the wrong place does not mean you should do so too.</para>
       </sect1>
 
       <sect1 id="freebsd-versions">
 	<title>__FreeBSD_version values</title>
 
 	  <para>Here is a convenient list of
 	    <literal>__FreeBSD_version</literal> values as defined in
 	    <ulink url="http://cvsweb.freebsd.org/src/sys/sys/param.h">sys/param.h</ulink>:</para>
 
 		<table frame="none">
 		  <title>__FreeBSD_version values</title>
 		<tgroup cols="2">
 		<thead>
 		  <row>
 		    <entry>Release</entry>
 		    <entry><literal>__FreeBSD_version</literal></entry>
 		  </row>
 		</thead>
 
 		<tbody>
 		  <row>
 		    <entry>2.0-RELEASE</entry>
 		    <entry>119411</entry>
 		  </row>
 
 		  <row>
 		    <entry>2.1-CURRENT</entry>
 		    <entry>199501, 199503</entry>
 		  </row>
 
 		  <row>
 		    <entry>2.0.5-RELEASE</entry>
 		    <entry>199504</entry>
 		  </row>
 
 		  <row>
 		    <entry>2.2-CURRENT before 2.1</entry>
 		    <entry>199508</entry>
 		  </row>
 
 		  <row>
 		    <entry>2.1.0-RELEASE</entry>
 		    <entry>199511</entry>
 		  </row>
 
 		  <row>
 		    <entry>2.2-CURRENT before 2.1.5</entry>
 		    <entry>199512</entry>
 		  </row>
 
 		  <row>
 		    <entry>2.1.5-RELEASE</entry>
 		    <entry>199607</entry>
 		  </row>
 
 		  <row>
 		    <entry>2.2-CURRENT before 2.1.6</entry>
 		    <entry>199608</entry>
 		  </row>
 
 		  <row>
 		    <entry>2.1.6-RELEASE</entry>
 		    <entry>199612</entry>
 		  </row>
 
 		  <row>
 		    <entry>2.1.7-RELEASE</entry>
 		    <entry>199612</entry>
 		  </row>
 
 		  <row>
 		    <entry>2.2-RELEASE</entry>
 		    <entry>220000</entry>
 		  </row>
 
 		  <row>
 		    <entry>2.2.1-RELEASE</entry>
 		    <entry>220000 (no change)</entry>
 		  </row>
 
 		  <row>
 		    <entry>2.2-STABLE after 2.2.1-RELEASE</entry>
 		    <entry>220000 (no change)</entry>
 		  </row>
 
 		  <row>
 		    <entry>2.2-STABLE after texinfo-3.9</entry>
 		    <entry>221001</entry>
 		  </row>
 
 		  <row>
 		    <entry>2.2-STABLE after top</entry>
 		    <entry>221002</entry>
 		  </row>
 
 		  <row>
 		    <entry>2.2.2-RELEASE</entry>
 		    <entry>222000</entry>
 		  </row>
 
 		  <row>
 		    <entry>2.2-STABLE after 2.2.2-RELEASE</entry>
 		    <entry>222001</entry>
 		  </row>
 
 		  <row>
 		    <entry>2.2.5-RELEASE</entry>
 		    <entry>225000</entry>
 		  </row>
 
 		  <row>
 		    <entry>2.2-STABLE after 2.2.5-RELEASE</entry>
 		    <entry>225001</entry>
 		  </row>
 
 		  <row>
 		    <entry>2.2-STABLE after ldconfig -R merge</entry>
 		    <entry>225002</entry>
 		  </row>
 
 		  <row>
 		    <entry>2.2.6-RELEASE</entry>
 		    <entry>226000</entry>
 		  </row>
 
 		  <row>
 		    <entry>2.2.7-RELEASE</entry>
 		    <entry>227000</entry>
 		  </row>
 
 		  <row>
 		    <entry>2.2-STABLE after 2.2.7-RELEASE</entry>
 		    <entry>227001</entry>
 		  </row>
 
 		  <row>
 		    <entry>2.2-STABLE after &man.semctl.2; change</entry>
 		    <entry>227002</entry>
 		  </row>
 
 		  <row>
 		    <entry>2.2.8-RELEASE</entry>
 		    <entry>228000</entry>
 		  </row>
 
 		  <row>
 		    <entry>2.2-STABLE after 2.2.8-RELEASE</entry>
 		    <entry>228001</entry>
 		  </row>
 
 		  <row>
 		    <entry>3.0-CURRENT before &man.mount.2; change</entry>
 		    <entry>300000</entry>
 		  </row>
 
 		  <row>
 		    <entry>3.0-CURRENT after &man.mount.2; change</entry>
 		    <entry>300001</entry>
 		  </row>
 
 		  <row>
 		    <entry>3.0-CURRENT after &man.semctl.2; change</entry>
 		    <entry>300002</entry>
 		  </row>
 
 		  <row>
 		    <entry>3.0-CURRENT after ioctl arg changes</entry>
 		    <entry>300003</entry>
 		  </row>
 
 		  <row>
 		    <entry>3.0-CURRENT after ELF conversion</entry>
 		    <entry>300004</entry>
 		  </row>
 
 		  <row>
 		    <entry>3.0-RELEASE</entry>
 		    <entry>300005</entry>
 		  </row>
 
 		  <row>
 		    <entry>3.0-CURRENT after 3.0-RELEASE</entry>
 		    <entry>300006</entry>
 		  </row>
 
 		  <row>
 		    <entry>3.0-STABLE after 3/4 branch</entry>
 		    <entry>300007</entry>
 		  </row>
 
 		  <row>
 		    <entry>3.1-RELEASE</entry>
 		    <entry>310000</entry>
 		  </row>
 
 		  <row>
 		    <entry>3.1-STABLE after 3.1-RELEASE</entry>
 		    <entry>310001</entry>
 		  </row>
 
 		  <row>
 		    <entry>3.1-STABLE after C++ constructor/destructor order
 		      change</entry>
 		    <entry>310002</entry>
 		  </row>
 
 		  <row>
 		    <entry>3.2-RELEASE</entry>
 		    <entry>320000</entry>
 		  </row>
 
 		  <row>
 		    <entry>3.2-STABLE</entry>
 		    <entry>320001</entry>
 		  </row>
 
 		  <row>
 		    <entry>3.2-STABLE after binary-incompatible IPFW and
 		      socket changes</entry>
 		    <entry>320002</entry>
 		  </row>
 
 		  <row>
 		    <entry>3.3-RELEASE</entry>
 		    <entry>330000</entry>
 		  </row>
 
 		  <row>
 		    <entry>3.3-STABLE</entry>
 		    <entry>330001</entry>
 		  </row>
 
 		  <row>
 		    <entry>3.3-STABLE after adding &man.mkstemp.3;
 		      to libc</entry>
 		    <entry>330002</entry>
 		  </row>
 
 		  <row>
 		    <entry>3.4-RELEASE</entry>
 		    <entry>340000</entry>
 		  </row>
 
 		  <row>
 		    <entry>3.4-STABLE</entry>
 		    <entry>340001</entry>
 		  </row>
 
 		  <row>
 		    <entry>3.5-RELEASE</entry>
 		    <entry>350000</entry>
 		  </row>
 
 		  <row>
 		    <entry>3.5-STABLE</entry>
 		    <entry>350001</entry>
 		  </row>
 
 		  <row>
 		    <entry>4.0-CURRENT after 3.4 branch</entry>
 		    <entry>400000</entry>
 		  </row>
 
 		  <row>
 		    <entry>4.0-CURRENT after change in dynamic linker
 		      handling</entry>
 		    <entry>400001</entry>
 		  </row>
 
 		  <row>
 		    <entry>4.0-CURRENT after C++ constructor/destructor
 		      order change</entry>
 		    <entry>400002</entry>
 		  </row>
 
 		  <row>
 		    <entry>4.0-CURRENT after functioning &man.dladdr.3;</entry>
 		    <entry>400003</entry>
 		  </row>
 
 		  <row>
 		    <entry>4.0-CURRENT after __deregister_frame_info dynamic
 		      linker bug fix (also 4.0-CURRENT after EGCS 1.1.2
 		      integration)
 		    </entry>
 		    <entry>400004</entry>
 		  </row>
 
 		  <row>
 		    <entry>4.0-CURRENT after &man.suser.9; API change
 		      (also 4.0-CURRENT after newbus)</entry>
 		    <entry>400005</entry>
 		  </row>
 
 		  <row>
 		    <entry>4.0-CURRENT after cdevsw registration change</entry>
 		    <entry>400006</entry>
 		  </row>
 
 		  <row>
 		    <entry>4.0-CURRENT after the addition of so_cred for
 		      socket level credentials</entry>
 		    <entry>400007</entry>
 		  </row>
 
 		  <row>
 		    <entry>4.0-CURRENT after the addition of a poll syscall
 		      wrapper to libc_r</entry>
 		    <entry>400008</entry>
 		  </row>
 
 		  <row>
 		    <entry>4.0-CURRENT after the change of the kernel's
 		      <literal>dev_t</literal> type to <literal>struct
 		      specinfo</literal> pointer</entry>
 		    <entry>400009</entry>
 		  </row>
 
 		  <row>
 		    <entry>4.0-CURRENT after fixing a hole
 		      in &man.jail.2;</entry>
 		    <entry>400010</entry>
 		  </row>
 
 		  <row>
 		    <entry>4.0-CURRENT after the <literal>sigset_t</literal>
 		      datatype change</entry>
 		    <entry>400011</entry>
 		  </row>
 
 		  <row>
 		    <entry>4.0-CURRENT after the cutover to the GCC 2.95.2
 		      compiler</entry>
 		    <entry>400012</entry>
 		  </row>
 
 		  <row>
 		    <entry>4.0-CURRENT after adding pluggable linux-mode
 		      ioctl handlers</entry>
 		    <entry>400013</entry>
 		  </row>
 
 		  <row>
 		    <entry>4.0-CURRENT after importing OpenSSL</entry>
 		    <entry>400014</entry>
 		  </row>
 
 		  <row>
 		    <entry>4.0-CURRENT after the C++ ABI change in GCC 2.95.2
 		      from -fvtable-thunks to -fno-vtable-thunks by
 		      default</entry>
 		    <entry>400015</entry>
 		  </row>
 
 		  <row>
 		    <entry>4.0-CURRENT after importing OpenSSH</entry>
 		    <entry>400016</entry>
 		  </row>
 
 		  <row>
 		    <entry>4.0-RELEASE</entry>
 		    <entry>400017</entry>
 		  </row>
 
 		  <row>
 		    <entry>4.0-STABLE after 4.0-RELEASE</entry>
 		    <entry>400018</entry>
 		  </row>
 
 		  <row>
 		    <entry>4.0-STABLE after the introduction of delayed
 		      checksums.</entry>
 		    <entry>400019</entry>
 		  </row>
 
 		  <row>
 		    <entry>4.0-STABLE after merging libxpg4 code into
 		      libc.</entry>
 		    <entry>400020</entry>
 		  </row>
 
 		  <row>
 		    <entry>4.0-STABLE after upgrading Binutils to 2.10.0, ELF
 		      branding changes, and tcsh in the base system.</entry>
 		    <entry>400021</entry>
 		  </row>
 
 		  <row>
 		    <entry>4.1-RELEASE</entry>
 		    <entry>410000</entry>
 		  </row>
 
 		  <row>
 		    <entry>4.1-STABLE after 4.1-RELEASE</entry>
 		    <entry>410001</entry>
 		  </row>
 
 		  <row>
 		    <entry>4.1-STABLE after &man.setproctitle.3; moved from
 		      libutil to libc.</entry>
 		    <entry>410002</entry>
 		  </row>
 
 		  <row>
 		    <entry>4.1.1-RELEASE</entry>
 		    <entry>411000</entry>
 		  </row>
 
 		  <row>
 		    <entry>4.1.1-STABLE after 4.1.1-RELEASE</entry>
 		    <entry>411001</entry>
 		  </row>
 
 		  <row>
 		    <entry>4.2-RELEASE</entry>
 		    <entry>420000</entry>
 		  </row>
 
 		  <row>
 		    <entry>4.2-STABLE after combining libgcc.a and
 		      libgcc_r.a, and associated GCC linkage changes.</entry>
 		    <entry>420001</entry>
 		  </row>
 
 		  <row>
 		    <entry>4.3-RELEASE</entry>
 		    <entry>430000</entry>
 		  </row>
 
 		  <row>
 		    <entry>4.3-STABLE after wint_t introduction.</entry>
 		    <entry>430001</entry>
 		  </row>
 
 		  <row>
 		    <entry>4.3-STABLE after PCI powerstate API merge.</entry>
 		    <entry>430002</entry>
 		  </row>
 
 		  <row>
 		    <entry>4.4-RELEASE</entry>
 		    <entry>440000</entry>
 		  </row>
 
 		  <row>
 		    <entry>4.4-STABLE after d_thread_t introduction.</entry>
 		    <entry>440001</entry>
 		  </row>
 
 		  <row>
 		    <entry>4.4-STABLE after mount structure changes (affects
 		      filesystem klds).</entry>
 		    <entry>440002</entry>
 		  </row>
 
 		  <row>
 		    <entry>4.4-STABLE after the userland components of smbfs
 		      were imported.</entry>
 		    <entry>440003</entry>
 		  </row>
 
 		  <row>
 		    <entry>4.5-RELEASE</entry>
 		    <entry>450000</entry>
 		  </row>
 
 		  <row>
 		    <entry>4.5-STABLE after the usb structure element rename.</entry>
 		    <entry>450001</entry>
 		  </row>
 
 		  <row>
 		    <entry>4.5-STABLE after the
 		      <literal>sendmail_enable</literal> &man.rc.conf.5;
 		      variable was made to take the value
 		      <literal>NONE</literal>.</entry>
 		    <entry>450004</entry>
 		  </row>
 
 		  <row>
 		    <entry>4.5-STABLE after moving to XFree86 4 by default
 		      for package builds.</entry>
 		    <entry>450005</entry>
 		  </row>
 
 		  <row>
 		    <entry>4.5-STABLE after accept filtering was fixed so
 		      that is no longer susceptible to an easy DoS.</entry>
 		    <entry>450006</entry>
 		  </row>
 
 		  <row>
 		    <entry>4.6-RELEASE</entry>
 		    <entry>460000</entry>
 		  </row>
 
 		  <row>
 		    <entry>4.6-STABLE &man.sendfile.2; fixed to comply with
 		      documentation, not to count any headers sent against
 		      the amount of data to be sent from the file.</entry>
 		    <entry>460001</entry>
 		  </row>
 
 		  <row>
 		    <entry>4.6.2-RELEASE</entry>
 		    <entry>460002</entry>
 		  </row>
 
 		  <row>
 		    <entry>4.6-STABLE</entry>
 		    <entry>460100</entry>
 		  </row>
 
 		  <row>
 		    <entry>4.6-STABLE after MFC of `sed -i'.</entry>
 		    <entry>460101</entry>
 		  </row>
 
 		  <row>
 		    <entry>4.6-STABLE after MFC of many new pkg_install
 		      features from the HEAD.</entry>
 		    <entry>460102</entry>
 		  </row>
 
 		  <row>
 		    <entry>4.7-RELEASE</entry>
 		    <entry>470000</entry>
 		  </row>
 
 		  <row>
 		    <entry>4.7-STABLE</entry>
 		    <entry>470100</entry>
 		  </row>
 
 		  <row>
 		    <entry>Start generated __std{in,out,err}p references rather
 		      than __sF.  This changes std{in,out,err} from a
 		      compile time expression to a runtime one.</entry>
 		    <entry>470101</entry>
 		  </row>
 
 		  <row>
 		    <entry>4.7-STABLE after MFC of mbuf changes to replace
 		       m_aux mbufs by m_tag's</entry>
 		    <entry>470102</entry>
 		  </row>
 
 		  <row>
 		    <entry>4.7-STABLE gets OpenSSL 0.9.7</entry>
 		    <entry>470103</entry>
 		  </row>
 
 		  <row>
 		    <entry>4.8-RELEASE</entry>
 		    <entry>480000</entry>
 		  </row>
 
 		  <row>
 		    <entry>4.8-STABLE</entry>
 		    <entry>480100</entry>
 		  </row>
 
 		  <row>
 		    <entry>4.8-STABLE after &man.realpath.3; has been made
 		      thread-safe</entry>
 		    <entry>480101</entry>
 		  </row>
 
 		  <row>
 		    <entry>4.8-STABLE 3ware API changes to twe.</entry>
 		    <entry>480102</entry>
 		  </row>
 
 		  <row>
 		    <entry>4.9-RELEASE</entry>
 		    <entry>490000</entry>
 		  </row>
 
 		  <row>
 		    <entry>4.9-STABLE</entry>
 		    <entry>490100</entry>
 		  </row>
 
 		  <row>
 		    <entry>4.9-STABLE after e_sid was added to struct
 		      kinfo_eproc.</entry>
 		    <entry>490101</entry>
 		  </row>
 
 		  <row>
 		    <entry>4.9-STABLE after MFC of libmap functionality
 		      for rtld.</entry>
 		    <entry>490102</entry>
 		  </row>
 
 		  <row>
 		    <entry>4.10-RELEASE</entry>
 		    <entry>491000</entry>
 		  </row>
 
 		  <row>
 		    <entry>4.10-STABLE</entry>
 		    <entry>491100</entry>
 		  </row>
 
 		  <row>
 		    <entry>4.10-STABLE after MFC of revision 20040629 of
 		      the package tools</entry>
 		    <entry>491101</entry>
 		  </row>
 
 		  <row>
 		    <entry>5.0-CURRENT</entry>
 		    <entry>500000</entry>
 		  </row>
 
 		  <row>
 		    <entry>5.0-CURRENT after adding addition ELF header fields,
 		      and changing our ELF binary branding method.</entry>
 		    <entry>500001</entry>
 		  </row>
 
 		  <row>
 		    <entry>5.0-CURRENT after kld metadata changes.</entry>
 		    <entry>500002</entry>
 		  </row>
 
 		  <row>
 		    <entry>5.0-CURRENT after buf/bio changes.</entry>
 		    <entry>500003</entry>
 		  </row>
 
 		  <row>
 		    <entry>5.0-CURRENT after binutils upgrade.</entry>
 		    <entry>500004</entry>
 		  </row>
 
 		  <row>
 		    <entry>5.0-CURRENT after merging libxpg4 code into
 		      libc and after TASKQ interface introduction.</entry>
 		    <entry>500005</entry>
 		  </row>
 
 		  <row>
 		    <entry>5.0-CURRENT after the addition of AGP
 		      interfaces.</entry>
 		    <entry>500006</entry>
 		  </row>
 
 		  <row>
 		    <entry>5.0-CURRENT after Perl upgrade to 5.6.0</entry>
 		    <entry>500007</entry>
 		  </row>
 
 		  <row>
 		    <entry>5.0-CURRENT after the update of KAME code to
 		      2000/07 sources.</entry>
 		    <entry>500008</entry>
 		  </row>
 
 		  <row>
 		    <entry>5.0-CURRENT after ether_ifattach() and
 		      ether_ifdetach() changes.</entry>
 		    <entry>500009</entry>
 		  </row>
 
 		  <row>
 		    <entry>5.0-CURRENT after changing mtree defaults
 		      back to original variant, adding -L to follow
 		      symlinks.</entry>
 		    <entry>500010</entry>
 		  </row>
 
 		  <row>
 		    <entry>5.0-CURRENT after kqueue API changed.</entry>
 		    <entry>500011</entry>
 		  </row>
 
 		  <row>
 		    <entry>5.0-CURRENT after &man.setproctitle.3; moved from
 		      libutil to libc.</entry>
 		    <entry>500012</entry>
 		  </row>
 
 		  <row>
 		    <entry>5.0-CURRENT after the first SMPng commit.</entry>
 		    <entry>500013</entry>
 		  </row>
 
 		  <row>
 		    <entry>5.0-CURRENT after &lt;sys/select.h&gt; moved to
 		      &lt;sys/selinfo.h&gt;.</entry>
 		    <entry>500014</entry>
 		  </row>
 
 		  <row>
 		    <entry>5.0-CURRENT after combining libgcc.a and
 		      libgcc_r.a, and associated GCC linkage changes.</entry>
 		    <entry>500015</entry>
 		  </row>
 
 		  <row>
 		    <entry>5.0-CURRENT after change allowing libc and libc_r
 		      to be linked together, deprecating -pthread
 		      option.</entry>
 		    <entry>500016</entry>
 		  </row>
 
 		  <row>
 		    <entry>5.0-CURRENT after switch from struct ucred to
 		      struct xucred to stabilize kernel-exported API for
 		      mountd et al.</entry>
 		    <entry>500017</entry>
 		  </row>
 
 		  <row>
 		    <entry>5.0-CURRENT after addition of CPUTYPE make variable
 		      for controlling CPU-specific optimizations.</entry>
 		    <entry>500018</entry>
 		  </row>
 
 		  <row>
 		    <entry>5.0-CURRENT after moving machine/ioctl_fd.h to
 		      sys/fdcio.h</entry>
 		    <entry>500019</entry>
 		  </row>
 
 		  <row>
 		    <entry>5.0-CURRENT after locale names renaming.</entry>
 		    <entry>500020</entry>
 		  </row>
 
 		  <row>
 		    <entry>5.0-CURRENT after Bzip2 import.
 		    Also signifies removal of S/Key.</entry>
 		    <entry>500021</entry>
 		  </row>
 
 		  <row>
 		    <entry>5.0-CURRENT after SSE support.</entry>
 		    <entry>500022</entry>
 		  </row>
 
 		  <row>
 		    <entry>5.0-CURRENT after KSE Milestone 2.</entry>
 		    <entry>500023</entry>
 		  </row>
 
 		  <row>
 		    <entry>5.0-CURRENT after d_thread_t,
 		      and moving UUCP to ports.</entry>
 		    <entry>500024</entry>
 		  </row>
 
 		  <row>
 		    <entry>5.0-CURRENT after ABI change for descriptor
 		      and creds passing on 64 bit platforms.</entry>
 		    <entry>500025</entry>
 		  </row>
 
 		  <row>
 		    <entry>5.0-CURRENT after moving to XFree86 4 by default for
 		      package builds, and after the new libc strnstr() function
 		      was added.</entry>
 		    <entry>500026</entry>
 		  </row>
 
 		  <row>
 		    <entry>5.0-CURRENT after the new libc strcasestr() function
 		      was added.</entry>
 		    <entry>500027</entry>
 		  </row>
 
 		  <row>
 		    <entry>5.0-CURRENT after the userland components of smbfs
 		      were imported.</entry>
 		    <entry>500028</entry>
 		  </row>
 
 		  <row>
 		    <entry>5.0-CURRENT after the new C99 specific-width
 		      integer types were added.</entry>
 		    <entry>(Not incremented.)</entry>
 		  </row>
 
 		  <row>
 		    <entry>5.0-CURRENT after a change was made in the return
 		      value of &man.sendfile.2;.</entry>
 		    <entry>500029</entry>
 		  </row>
 
 		  <row>
 		    <entry>5.0-CURRENT after the introduction of the
 		      type <literal>fflags_t</literal>, which is the
 		      appropriate size for file flags.</entry>
 		    <entry>500030</entry>
 		  </row>
 
 		  <row>
 		    <entry>5.0-CURRENT after the usb structure element rename.</entry>
 		    <entry>500031</entry>
 		  </row>
 
 		  <row>
 		    <entry>5.0-CURRENT after the introduction of
 		      Perl 5.6.1.</entry>
 		    <entry>500032</entry>
 		  </row>
 
 		  <row>
 		    <entry>5.0-CURRENT after the
 		      <literal>sendmail_enable</literal> &man.rc.conf.5;
 		      variable was made to take the value
 		      <literal>NONE</literal>.</entry>
 		    <entry>500033</entry>
 		  </row>
 
 		  <row>
 		    <entry>5.0-CURRENT after mtx_init() grew a third argument.</entry>
 		    <entry>500034</entry>
 		  </row>
 
 		  <row>
 		    <entry>5.0-CURRENT with Gcc 3.1.</entry>
 		    <entry>500035</entry>
 		  </row>
 
 		  <row>
 		    <entry>5.0-CURRENT without Perl in /usr/src</entry>
 		    <entry>500036</entry>
 		  </row>
 
 		  <row>
 		    <entry>5.0-CURRENT after the addition of &man.dlfunc.3;</entry>
 		    <entry>500037</entry>
 		  </row>
 
 		  <row>
 		    <entry>5.0-CURRENT after the types of some struct
 		      sockbuf members were changed and the structure was
 		      reordered.</entry>
 		    <entry>500038</entry>
 		  </row>
 
 		  <row>
 		    <entry>5.0-CURRENT after GCC 3.2.1 import.
 		      Also after headers stopped using
 		      _BSD_FOO_T_ and started using _FOO_T_DECLARED.
 		      This value can also be used as a conservative
 		      estimate of the start of &man.bzip2.1; package
 		      support.</entry>
 		    <entry>500039</entry>
 		  </row>
 
 		  <row>
 		    <entry>5.0-CURRENT after various changes to disk functions
 		      were made in the name of removing dependency on disklabel
 		      structure internals.</entry>
 		    <entry>500040</entry>
 		  </row>
 
 		  <row>
 		    <entry>5.0-CURRENT after the addition of &man.getopt.long.3;
 		      to libc.</entry>
 		    <entry>500041</entry>
 		  </row>
 
 		  <row>
 		    <entry>5.0-CURRENT after Binutils 2.13 upgrade, which
 		      included new FreeBSD emulation, vec, and output format.
 		      </entry>
 		    <entry>500042</entry>
 		  </row>
 
 		  <row>
 		    <entry>5.0-CURRENT after adding weak pthread_XXX stubs
 		      to libc, obsoleting libXThrStub.so.  5.0-RELEASE.</entry>
 		    <entry>500043</entry>
 		  </row>
 
 		  <row>
 		    <entry>5.0-CURRENT after branching for RELENG_5_0</entry>
 		    <entry>500100</entry>
 		  </row>
 		  <row>
 		    <entry>&lt;sys/dkstat.h&gt; is empty and should
 		    not be included.</entry>
 		    <entry>500101</entry>
 		  </row>
 		  <row>
 		    <entry>5.0-CURRENT after the d_mmap_t interface
 		      change.</entry>
 		    <entry>500102</entry>
 		  </row>
 		  <row>
 		    <entry>5.0-CURRENT after taskqueue_swi changed to run
 		      without Giant, and taskqueue_swi_giant added to run
 		      with Giant.</entry>
 		    <entry>500103</entry>
 		  </row>
 		  <row>
 		    <entry>cdevsw_add() and cdevsw_remove() no
 		      longer exists.
 		      Appearance of MAJOR_AUTO allocation facility.</entry>
 		    <entry>500104</entry>
 		  </row>
 		  <row>
 		    <entry>5.0-CURRENT after new cdevsw initialization method.</entry>
 		    <entry>500105</entry>
 		  </row>
 		  <row>
 		    <entry>devstat_add_entry() has been replaced by
 		      devstat_new_entry()</entry>
 		    <entry>500106</entry>
 		  </row>
 		  <row>
 		    <entry>Devstat interface change; see sys/sys/param.h 1.149</entry>
 		    <entry>500107</entry>
 		  </row>
 		  <row>
 		    <entry>Token-Ring interface changes.</entry>
 		    <entry>500108</entry>
 		  </row>
 		  <row>
 		    <entry>Addition of vm_paddr_t.</entry>
 		    <entry>500109</entry>
 		  </row>
 		  <row>
 		    <entry>5.0-CURRENT after &man.realpath.3; has been made
 		      thread-safe</entry>
 		    <entry>500110</entry>
 		  </row>
 		  <row>
 		    <entry>5.0-CURRENT after &man.usbhid.3; has been synced with
 		      NetBSD</entry>
 		    <entry>500111</entry>
 		  </row>
 		  <row>
 		    <entry>5.0-CURRENT after new NSS implementation
 		      and addition of POSIX.1 getpw*_r, getgr*_r
 		      functions</entry>
 		    <entry>500112</entry>
 		  </row>
 		  <row>
 		    <entry>5.0-CURRENT after removal of the old rc system.</entry>
 		    <entry>500113</entry>
 		  </row>
 		  <row>
 		    <entry>5.1-RELEASE.</entry>
 		    <entry>501000</entry>
 		  </row>
 		  <row>
 		    <entry>5.1-CURRENT after branching for RELENG_5_1.</entry>
 		    <entry>501100</entry>
 		  </row>
 		  <row>
 		    <entry>5.1-CURRENT after correcting the semantics of
 		      sigtimedwait(2) and sigwaitinfo(2).</entry>
 		    <entry>501101</entry>
 		  </row>
 		  <row>
 		    <entry>5.1-CURRENT after adding the lockfunc and lockfuncarg
 		      fields to &man.bus.dma.tag.create.9;.</entry>
 		    <entry>501102</entry>
 		  </row>
 		  <row>
 		    <entry>5.1-CURRENT after GCC 3.3.1-pre 20030711 snapshot
 		      integration.</entry>
 		    <entry>501103</entry>
 		  </row>
 		  <row>
 		    <entry>5.1-CURRENT 3ware API changes to twe.</entry>
 		    <entry>501104</entry>
 		  </row>
 		  <row>
 		    <entry>5.1-CURRENT dynamically-linked /bin and /sbin
 		      support and movement of libraries to /lib.</entry>
 		    <entry>501105</entry>
 		  </row>
 		  <row>
 		    <entry>5.1-CURRENT after adding kernel support for
 		      Coda 6.x.</entry>
 		    <entry>501106</entry>
 		  </row>
 		  <row>
 		    <entry>5.1-CURRENT after 16550 UART constants moved from
 		      <filename>&lt;dev/sio/sioreg.h&gt;</filename> to
 		      <filename>&lt;dev/ic/ns16550.h&gt;</filename>.
 		      Also when libmap functionality was unconditionally
 		      supported by rtld.</entry>
 		    <entry>501107</entry>
 		  </row>
 		  <row>
 		    <entry>5.1-CURRENT after PFIL_HOOKS API update</entry>
 		    <entry>501108</entry>
 		  </row>
 		  <row>
 		    <entry>5.1-CURRENT after adding kiconv(3)</entry>
 		    <entry>501109</entry>
 		  </row>
 		  <row>
 		    <entry>5.1-CURRENT after changing default operations
 			for open and close in cdevsw</entry>
 		    <entry>501110</entry>
 		  </row>
 		  <row>
 		    <entry>5.1-CURRENT after changed layout of cdevsw</entry>
 		    <entry>501111</entry>
 		  </row>
 		  <row>
 		    <entry> 5.1-CURRENT after adding kobj multiple inheritance
 		    </entry>
 		    <entry>501112</entry>
 		  </row>
 		  <row>
 		    <entry> 5.1-CURRENT after the if_xname change in
 			struct ifnet</entry>
 		    <entry>501113</entry>
 		  </row>
 		  <row>
 		    <entry> 5.1-CURRENT after changing /bin and /sbin to
 			be dynamically linked</entry>
 		    <entry>501114</entry>
 		  </row>
 		  <row>
 		    <entry>5.2-RELEASE</entry>
 		    <entry>502000</entry>
 		  </row>
 		  <row>
 		    <entry>5.2.1-RELEASE</entry>
 		    <entry>502010</entry>
 		  </row>
 		  <row>
 		    <entry>5.2-CURRENT after branching for RELENG_5_2</entry>
 		    <entry>502100</entry>
 		  </row>
 		  <row>
 		    <entry>5.2-CURRENT after __cxa_atexit/__cxa_finalize
 			functions were added to libc.</entry>
 		    <entry>502101</entry>
 		  </row>
 		  <row>
 		    <entry>5.2-CURRENT after change of default thread library
 			from libc_r to libpthread.</entry>
 		    <entry>502102</entry>
 		  </row>
 		  <row>
 		    <entry>5.2-CURRENT after device driver API megapatch.
 		    </entry>
 		    <entry>502103</entry>
 		  </row>
 		  <row>
 		    <entry>5.2-CURRENT after getopt_long_only() addition.
 		    </entry>
 		    <entry>502104</entry>
 		  </row>
 		  <row>
 		    <entry>5.2-CURRENT after NULL is made into ((void *)0)
 			for C, creating more warnings.
 		    </entry>
 		    <entry>502105</entry>
 		  </row>
 		  <row>
 		    <entry>5.2-CURRENT after pf is linked to the build and
 			install.
 		    </entry>
 		    <entry>502106</entry>
 		  </row>
 		  <row>
 		    <entry>5.2-CURRENT after time_t is changed to a
 			64-bit value on sparc64.
 		    </entry>
 		    <entry>502107</entry>
 		  </row>
 		  <row>
 		    <entry>5.2-CURRENT after Intel C/C++ compiler support in some headers and execve(2) changes to be more strictly conforming to POSIX.
 		    </entry>
 		    <entry>502108</entry>
 		  </row>
 		  <row>
 		    <entry>5.2-CURRENT after the introduction of the
 		      bus_alloc_resource_any API
 		    </entry>
 		    <entry>502109</entry>
 		  </row>
 		  <row>
 		    <entry>5.2-CURRENT after the addition of UTF-8 locales
 		    </entry>
 		    <entry>502110</entry>
 		  </row>
 		  <row>
 		    <entry>5.2-CURRENT after the removal of the getvfsent(3)
 		      API
 		    </entry>
 		    <entry>502111</entry>
 		  </row>
 		  <row>
 		    <entry>5.2-CURRENT after the addition of the .warning
 		      directive for make.</entry>
 		    <entry>502112</entry>
 		  </row>
 		  <row>
 		    <entry>5.2-CURRENT after ttyioctl() was made mandatory
 		      for serial drivers.</entry>
 		    <entry>502113</entry>
 		  </row>
 		  <row>
 		    <entry>5.2-CURRENT after import of the ALTQ framework.
 		    </entry>
 		    <entry>502114</entry>
 		  </row>
 		  <row>
 		    <entry>5.2-CURRENT after changing sema_timedwait(9) to
 		      return 0 on success and a non-zero error code on
 		      failure.
 		    </entry>
 		    <entry>502115</entry>
 		  </row>
 		  <row>
 		    <entry>5.2-CURRENT after changing kernel dev_t to
 		      be pointer to struct cdev *.
 		    </entry>
 		    <entry>502116</entry>
 		  </row>
 		  <row>
 		    <entry>5.2-CURRENT after changing kernel udev_t to dev_t.
 		    </entry>
 		    <entry>502117</entry>
 		  </row>
 		  <row>
 		    <entry>5.2-CURRENT after adding support for CLOCK_VIRTUAL
 		      and CLOCK_PROF to clock_gettime(2) and clock_getres(2).
 		    </entry>
 		    <entry>502118</entry>
 		  </row>
 		  <row>
 		    <entry>5.2-CURRENT after changing network interface
 		      cloning overhaul.
 		    </entry>
 		    <entry>502119</entry>
 		  </row>
 		  <row>
 		    <entry>5.2-CURRENT after the update of the package tools
 		      to revision 20040629.
 		    </entry>
 		    <entry>502120</entry>
 		  </row>
 		  <row>
 		    <entry>5.2-CURRENT after marking Bluetooth code as
                       non-i386 specific.
 		    </entry>
 		    <entry>502121</entry>
 		  </row>
 		  <row>
 		    <entry>5.2-CURRENT after the introduction of the KDB
 		      debugger framework, the conversion of DDB into a
 		      backend and the introduction of the GDB backend.
 		    </entry>
 		    <entry>502122</entry>
 		  </row>
 		  <row>
 		    <entry>5.2-CURRENT after change to make
 		      VFS_ROOT take a struct
 		      thread argument as does vflush.  Struct kinfo_proc
 		      now has a user data pointer.
 		      The switch of the default X implementation to
 		      <literal>xorg</literal> was also made at this time.
 		    </entry>
 		    <entry>502123</entry>
 		  </row>
 		  <row>
 		    <entry>5.2-CURRENT after the change to separate the way
 		      ports rc.d and legacy scripts are started.
 		    </entry>
 		    <entry>502124</entry>
 		  </row>
 		  <row>
 		    <entry>5.2-CURRENT after the backout of the
 		      previous change.
 		    </entry>
 		    <entry>502125</entry>
 		  </row>
 		  <row>
 		    <entry>5.2-CURRENT after the removal of
 		      kmem_alloc_pageable() and the import of gcc 3.4.2.
 		    </entry>
 		    <entry>502126</entry>
 		  </row>
 		  <row>
 		    <entry>5.2-CURRENT after changing the UMA kernel
 		      API to allow ctors/inits to fail.
 		    </entry>
 		    <entry>502127</entry>
 		  </row>
 		  <row>
 		    <entry>5.2-CURRENT after the change of the
 		      vfs_mount signature as well as global replacement of
 		      PRISON_ROOT with SUSER_ALLOWJAIL for the suser(9)
 		      API.
 		    </entry>
 		    <entry>502128</entry>
 		  </row>
 		  <row>
 		    <entry>5.3-BETA/RC before the pfil API change</entry>
 		    <entry>503000</entry>
 		  </row>
 		  <row>
 		    <entry>5.3-RELEASE</entry>
 		    <entry>503001</entry>
 		  </row>
 		  <row>
 		    <entry>5.3-STABLE after branching for RELENG_5_3</entry>
 		    <entry>503100</entry>
 		  </row>
 		  <row>
 		    <entry>6.0-CURRENT</entry>
 		    <entry>600000</entry>
 		  </row>
 		  <row>
 		    <entry>6.0-CURRENT after permanently enabling PFIL_HOOKS
 		      in the kernel.
 		    </entry>
 		    <entry>600001</entry>
 		  </row>
 		  <row>
 		    <entry>6.0-CURRENT after initial addition of
 		      ifi_epoch to struct if_data.  Backed out after a
 		      few days.  Do not use this value.
 		    </entry>
 		    <entry>600002</entry>
 		  </row>
 		  <row>
 		    <entry>6.0-CURRENT after the re-addition of the
 		      ifi_epoch member of struct if_data.
 		    </entry>
 		    <entry>600003</entry>
 		  </row>
 		  <row>
 		    <entry>6.0-CURRENT after addition of the struct inpcb
 		      argument to the pfil API.
 		    </entry>
 		    <entry>600004</entry>
 		  </row>
 		  <row>
 		    <entry>6.0-CURRENT after addition of the "-d
 		      DESTDIR" argument to newsyslog.
 		    </entry>
 		    <entry>600005</entry>
 		  </row>
 		  <row>
 		    <entry>6.0-CURRENT after addition of glibc style
 		      &man.strftime.3; padding options.
 		    </entry>
 		    <entry>600006</entry>
 		  </row>
 		</tbody>
 	      </tgroup>
 	    </table>
 
 	<note>
 	  <para>Note that 2.2-STABLE sometimes identifies itself as
 	    <quote>2.2.5-STABLE</quote> after the 2.2.5-RELEASE.  The pattern
 	    used to be year followed by the month, but we decided to change it
 	    to a more straightforward major/minor system starting from 2.2.
 	    This is because the parallel development on several branches made
 	    it infeasible to classify the releases simply by their real
 	    release dates.  If you are making a port now, you do not have to
 	    worry about old -CURRENTs; they are listed here just for your
 	    reference.</para>
 	</note>
       </sect1>
 
       <sect1 id="dads-after-port-mk">
 	<title>Writing something after
 	  <filename>bsd.port.mk</filename></title>
 
 	<para>Do not write anything after the <literal>.include
 	    &lt;bsd.port.mk&gt;</literal> line.  It usually can be avoided by
 	  including <filename>bsd.port.pre.mk</filename> somewhere in the
 	  middle of your <filename>Makefile</filename> and
 	  <filename>bsd.port.post.mk</filename> at the end.</para>
 
 	<note>
 	  <para>You need to include either the
 	    <filename>bsd.port.pre.mk</filename>/<filename>bsd.port.post.mk</filename> pair or
 	    <filename>bsd.port.mk</filename> only; do not mix these two usages.</para>
 	</note>
 
 	<para><filename>bsd.port.pre.mk</filename> only defines a few
 	  variables, which can be used in tests in the
 	  <filename>Makefile</filename>, <filename>bsd.port.post.mk</filename>
 	  defines the rest.</para>
 
 	<para>Here are some important variables defined in
 	  <filename>bsd.port.pre.mk</filename> (this is not the complete list,
 	  please read <filename>bsd.port.mk</filename> for the complete
 	  list).</para>
 
-	<informaltable frame="none">
+	<informaltable frame="none" pgwide="1">
 	  <tgroup cols="2">
 	    <thead>
 	      <row>
 		<entry>Variable</entry>
 		<entry>Description</entry>
 	      </row>
 	    </thead>
 
 	    <tbody>
 	      <row>
 		<entry><makevar>ARCH</makevar></entry>
 		<entry>The architecture as returned by <command>uname
 		    -m</command> (e.g., <literal>i386</literal>)</entry>
 	      </row>
 
 	      <row>
 		<entry><makevar>OPSYS</makevar></entry>
 		<entry>The operating system type, as returned by
 		  <command>uname -s</command> (e.g.,
 		  <literal>FreeBSD</literal>)</entry>
 	      </row>
 
 	      <row>
 		<entry><makevar>OSREL</makevar></entry>
 		<entry>The release version of the operating system (e.g.,
 		  <literal>2.1.5</literal> or
 		  <literal>2.2.7</literal>)</entry>
 	      </row>
 
 	      <row>
 		<entry><makevar>OSVERSION</makevar></entry>
 		<entry>The numeric version of the operating system; the same as
 		  <link
 		    linkend="freebsd-versions"><literal>__FreeBSD_version</literal></link>.</entry>
 	      </row>
 
 	      <row>
 		<entry><makevar>PORTOBJFORMAT</makevar></entry>
 		<entry>The object format of the system
 		  (<literal>elf</literal> or <literal>aout</literal>;
 		  note that for <quote>modern</quote> versions of FreeBSD,
 		  <literal>aout</literal> is deprecated.)</entry>
 	      </row>
 
 	      <row>
 		<entry><makevar>LOCALBASE</makevar></entry>
 		<entry>The base of the <quote>local</quote> tree (e.g.,
 		  <literal>/usr/local/</literal>)</entry>
 	      </row>
 
 	      <row>
 		<entry><makevar>X11BASE</makevar></entry>
 		<entry>The base of the <quote>X11</quote> tree (e.g.,
 		  <literal>/usr/X11R6</literal>)</entry>
 	      </row>
 
 	      <row>
 		<entry><makevar>PREFIX</makevar></entry>
 		<entry>Where the port installs itself (see <link
 		    linkend="porting-prefix">more on
 		    <makevar>PREFIX</makevar></link>).</entry>
 	      </row>
 	    </tbody>
 	  </tgroup>
 	</informaltable>
 
 	<note>
 	  <para>If you have to define the variables
 	    <makevar>USE_IMAKE</makevar>, <makevar>USE_X_PREFIX</makevar>, or
 	    <makevar>MASTERDIR</makevar>, do so before including
 	    <filename>bsd.port.pre.mk</filename>.</para>
 	</note>
 
 	<para>Here are some examples of things you can write after
 	  <filename>bsd.port.pre.mk</filename>:</para>
 
 	<programlisting># no need to compile lang/perl5 if perl5 is already in system
 .if ${OSVERSION} > 300003
 BROKEN= perl is in system
 .endif
 
 # only one shlib version number for ELF
 .if ${PORTOBJFORMAT} == "elf"
 TCL_LIB_FILE=  ${TCL_LIB}.${SHLIB_MAJOR}
 .else
 TCL_LIB_FILE=  ${TCL_LIB}.${SHLIB_MAJOR}.${SHLIB_MINOR}
 .endif
 
 # software already makes link for ELF, but not for a.out
 post-install:
 .if ${PORTOBJFORMAT} == "aout"
        ${LN} -sf liblinpack.so.1.0 ${PREFIX}/lib/liblinpack.so
 .endif</programlisting>
 
 	<para>You did remember to use tab instead of spaces after
 	  <literal>BROKEN=</literal> and
 	  <literal>TCL_LIB_FILE=</literal>, did you not?
 	  <!-- smiley -->:-).</para>
       </sect1>
 
       <sect1 id="dads-documentation">
 	<title>Install additional documentation</title>
 
 	<para>If your software has some documentation other than the standard
 	  man and info pages that you think is useful for the user, install it
 	  under <filename><makevar>PREFIX</makevar>/share/doc</filename>.
 	  This can be done, like the previous item, in the
 	  <maketarget>post-install</maketarget> target.</para>
 
 	<para>Create a new directory for your port.  The directory name should
 	  reflect what the port is.  This usually means
 	  <makevar>PORTNAME</makevar>. However, if you
 	  think the user might want different versions of the port to be
 	  installed at the same time, you can use the whole
 	  <makevar>PKGNAME</makevar>.</para>
 
 	<para>Make the installation dependent on the variable
 	  <makevar>NOPORTDOCS</makevar> so that users can disable it in
 	  <filename>/etc/make.conf</filename>, like this:</para>
 
 	<programlisting>post-install:
 .if !defined(NOPORTDOCS)
 	${MKDIR} ${DOCSDIR}
 	${INSTALL_MAN} ${WRKSRC}/docs/xvdocs.ps ${DOCSDIR}
 .endif</programlisting>
 
 	<para>Here are some handy variables and how they are expanded
 	  by default when used
 	  in the <filename>Makefile</filename>:</para>
 
 	<itemizedlist>
 	  <listitem>
 	    <para><makevar>DATADIR</makevar> gets expanded to
 	      <filename><makevar>PREFIX</makevar>/share/<makevar>PORTNAME</makevar></filename>.</para>
 	  </listitem>
 
 	  <listitem>
 	    <para><makevar>DOCSDIR</makevar> gets expanded to
 	      <filename><makevar>PREFIX</makevar>/share/doc/<makevar>PORTNAME</makevar></filename>.</para>
 	  </listitem>
 
 	  <listitem>
 	    <para><makevar>EXAMPLESDIR</makevar> gets expanded to
 	      <filename><makevar>PREFIX</makevar>/share/examples/<makevar>PORTNAME</makevar></filename>.</para>
 	  </listitem>
 	</itemizedlist>
 
 	<para>These variables are exported to <makevar>PLIST_SUB</makevar>.
 	  Their values will appear there as pathnames relative to
 	  <filename><makevar>PREFIX</makevar></filename> if possible.
 	  That is, <filename>share/doc/<makevar>PORTNAME</makevar></filename>
 	  will be substituted for <literal>%%DOCSDIR%%</literal>
 	  in the packing list by default, and so on.
 	  (See more on <filename>pkg-plist</filename> substitution
 	  <link linkend="porting-plist">here</link>.)</para>
 
 	<para>All documentation files and directories installed should
 	  be included in <filename>pkg-plist</filename> with the
 	  <literal>%%PORTDOCS%%</literal> prefix, for example:</para>
 
 	<programlisting>%%PORTDOCS%%%%DOCSDIR%%/AUTHORS
 %%PORTDOCS%%%%DOCSDIR%%/CONTACT
 %%PORTDOCS%%@dirrm %%DOCSDIR%%</programlisting>
 
 	<para>As an alternative to enumerating the documentation files
 	  in <filename>pkg-plist</filename>, a port can set the variable
 	  <makevar>PORTDOCS</makevar> to a list of file names and shell
 	  glob patterns to add to the final packing list.
 	  The names will be relative to <makevar>DOCSDIR</makevar>.
 	  Therefore, a port that utilizes <makevar>PORTDOCS</makevar> and
 	  uses a non-default location for its documentation should set
 	  <makevar>DOCSDIR</makevar> accordingly.
 	  If a directory is listed in <makevar>PORTDOCS</makevar>
 	  or matched by a glob pattern from this variable,
 	  the entire subtree of contained files and directories will be
 	  registered in the final packing list.  <makevar>PORTDOCS</makevar>
 	  should not be set if <makevar>NOPORTDOCS</makevar> is in
 	  effect.  Installing the documentation at <makevar>PORTDOCS</makevar>
 	  as shown above remains up to the port itself.
 	  A typical example of utilizing <makevar>PORTDOCS</makevar>
 	  looks as follows:</para>
 
         <programlisting>.if !defined(NOPORTDOCS)
         PORTDOCS=       *
 .endif</programlisting>
 
 	<note>
 	  <para>You can also use the <filename>pkg-message</filename> file to
 	    display messages upon installation.  See <link
 	    linkend="porting-message">the section on using
 	    <filename>pkg-message</filename></link> for details.
 	    The <filename>pkg-message</filename> file does not need to be
 	    added to <filename>pkg-plist</filename>.</para>
 	</note>
       </sect1>
 
       <sect1 id="dads-subdirs">
 	<title>Subdirectories</title>
 
 	<para>Try to let the port put things in the right subdirectories of
 	  <makevar>PREFIX</makevar>.  Some ports lump everything and put it in
 	  the subdirectory with the port's name, which is incorrect.  Also,
 	  many ports put everything except binaries, header files and manual
 	  pages in the a subdirectory of <filename>lib</filename>, which does
 	  not work well with the BSD paradigm.  Many of the files should be
 	  moved to one of the following: <filename>etc</filename>
 	  (setup/configuration files), <filename>libexec</filename>
 	  (executables started internally), <filename>sbin</filename>
 	  (executables for superusers/managers), <filename>info</filename>
 	  (documentation for info browser) or  <filename>share</filename>
 	  (architecture independent files).  See &man.hier.7; for details;
 	  the rules governing
 	  <filename>/usr</filename> pretty much apply to
 	  <filename>/usr/local</filename> too.  The exception are ports
 	  dealing with USENET <quote>news</quote>.  They may use
 	  <filename><makevar>PREFIX</makevar>/news</filename> as a destination
 	  for their files.</para>
       </sect1>
 
       <sect1 id="porting-cleaning">
 	<title>Cleaning up empty directories</title>
 
 	<para>Do make your ports clean up after themselves when they are
 	  de-installed.  This is usually accomplished by adding
 	  <literal>@dirrm</literal> lines for all directories that are
 	  specifically created by the port.  You need to delete subdirectories
 	  before you can delete parent directories.</para>
 
 	<programlisting> :
 lib/X11/oneko/pixmaps/cat.xpm
 lib/X11/oneko/sounds/cat.au
  :
 @dirrm lib/X11/oneko/pixmaps
 @dirrm lib/X11/oneko/sounds
 @dirrm lib/X11/oneko</programlisting>
 
 	<para>However, sometimes <literal>@dirrm</literal> will give you
 	  errors because other ports also share the same subdirectory.  You
 	  can call <command>rmdir</command> from <literal>@unexec</literal> to
 	  remove only empty directories without warning.</para>
 
 	<programlisting>@unexec rmdir %D/share/doc/gimp 2>/dev/null || true</programlisting>
 
 	<para>This will neither print any error messages nor cause
 	  &man.pkg.delete.1; to exit abnormally even if
 	  <filename><makevar>PREFIX</makevar>/share/doc/gimp</filename> is not
 	  empty due to other ports installing some files in there.</para>
       </sect1>
 
       <sect1 id="dads-uid">
 	<title>UIDs</title>
 
 	<para>If your port requires a certain user to be on the installed
 	  system, let the <filename>pkg-install</filename> script call
 	  <command>pw</command> to create it automatically.  Look at
 	  <filename role="package">net/cvsup-mirror</filename> for an example.</para>
 
 	<para>If your port must use the same user/group ID number when it is
 	  installed as a binary package as when it was compiled, then you must
 	  choose a free UID from 50 to 999 and register it below.  Look at
 	  <filename role="package">japanese/Wnn6</filename> for an example.</para>
 
 	<para>Make sure you do not use a UID already used by the system or
 	  other ports.</para>
 
 	<para>This is the current list of UIDs between 50 and 999.</para>
 
 	<!-- Please keep this list sorted by uid -->
 	<programlisting>bind:*:53:53:Bind Sandbox:/:/sbin/nologin
 majordom:*:54:54:Majordomo Pseudo User:/usr/local/majordomo:/nonexistent
 rdfdb:*:55:55:rdfDB Daemon:/var/db/rdfdb:/bin/sh
 cyrus:*:60:60:the cyrus mail server:/nonexistent:/nonexistent
 gnats:*:61:1:GNATS database owner:/usr/local/share/gnats/gnats-db:/bin/sh
 proxy:*:62:62:Packet Filter pseudo-user:/nonexistent:/nonexistent
 uucp:*:66:66:UUCP pseudo-user:/var/spool/uucppublic:/usr/libexec/uucp/uucico
 xten:*:67:67:X-10 daemon:/usr/local/xten:/nonexistent
 pop:*:68:6:Post Office Owner (popper):/nonexistent:/sbin/nologin
 wnn:*:69:7:Wnn:/nonexistent:/nonexistent
 pgsql:*:70:70:PostgreSQL pseudo-user:/usr/local/pgsql:/bin/sh
 oracle:*:71:71::0:0:Oracle:/usr/local/oracle7:/sbin/nologin
 ircd:*:72:72:IRC daemon:/nonexistent:/nonexistent
 ircservices:*:73:73:IRC services:/nonexistent:/nonexistent
 ifmail:*:75:66:Ifmail user:/nonexistent:/nonexistent
 www:*:80:80:World Wide Web Owner:/nonexistent:/sbin/nologin
 alias:*:81:81:QMail user:/var/qmail/alias:/nonexistent
 qmaild:*:82:81:QMail user:/var/qmail:/nonexistent
 qmaill:*:83:81:QMail user:/var/qmail:/nonexistent
 qmailp:*:84:81:QMail user:/var/qmail:/nonexistent
 qmailq:*:85:82:QMail user:/var/qmail:/nonexistent
 qmailr:*:86:82:QMail user:/var/qmail:/nonexistent
 qmails:*:87:82:QMail user:/var/qmail:/nonexistent
 mysql:*:88:88:MySQL Daemon:/var/db/mysql:/sbin/nologin
 vpopmail:*:89:89:VPop Mail User:/usr/local/vpopmail:/nonexistent
 firebird:*:90:90:Firebird Database Administrator:/usr/local/firebird:/bin/sh
 mailman:*:91:91:Mailman User:/usr/local/mailman:/sbin/nologin
 gdm:*:92:92:GDM Sandbox:/:/sbin/nologin
 jabber:*:93:93:Jabber Daemon:/nonexistent:/nonexistent
 p4admin:*:94:94:Perforce admin:/usr/local/perforce:/sbin/nologin
 interch:*:95:95:Interchange user:/usr/local/interchange:/sbin/nologin
 squeuer:*:96:96:SQueuer Owner:/nonexistent:/bin/sh
 mud:*:97:97:MUD Owner:/usr/local/share/dgd:/bin/sh
 msql:*:98:98:mSQL-2 pseudo-user:/var/db/msqldb:/bin/sh
 rscsi:*:99:99:Remote SCSI:/usr/local/rscsi:/usr/local/sbin/rscsi
 squid:*:100:100:squid caching-proxy pseudo user:/usr/local/squid:/sbin/nologin
 quagga:*:101:101:Quagga route daemon pseudo user:/usr/local/etc/quagga:/sbin/nologin
 ganglia:*:102:102:Ganglia User:/nonexistent:/sbin/nologin
 sgeadmin:*:103:103:Sun Grid Engine Admin:/nonexistent:/sbin/nologin
 slimserv:*:104:104:Slim Devices SlimServer pseudo-user:/nonexistent:/sbin/nologin
 dnetc:*:105:105:distributed.net client and proxy pseudo-user:/nonexistent:/sbin/nologin
 clamav:*:106:106:Clamav Antivirus:/nonexistent:/sbin/nologin
 cacti:*:107:107:Cacti Sandbox:/nonexistent:/sbin/nologin
 webkit:*:108:108:WebKit Default User:/usr/local/www/webkit:/bin/sh
 quickml:*:109:109:quickml Server:/nonexistent:/sbin/nologin
 fido:*:111:111:Fido System:/usr/local/fido:/bin/sh
 dcc:*:112:112:Distributed Checksum Clearinghouse:/nonexistent:/sbin/nologin
 postfix:*:125:125:Postfix Mail System:/var/spool/postfix:/sbin/nologin
 rbldns:*:153:153:rbldnsd pseudo-user:/nonexistent:/sbin/nologin
 sfs:*:171:171:Self-Certifying File System:/nonexistent:/sbin/nologin
 agk:*:172:172:AquaGateKeeper:/nonexistent:/nonexistent
 moinmoin:*:192:192:MoinMoin User:/nonexistent:/sbin/nologin
 ldap:*:389:389:OpenLDAP Server:/nonexistent:/sbin/nologin
 drweb:*:426:426:Dr.Web Mail Scanner:/nonexistent:/sbin/nologin
 courier:*:465:465:Courier Mail Server:/nonexistent:/sbin/nologin
 qtss:*:554:554:Darwin Streaming Server:/nonexistent:/sbin/nologin
 ircdru:*:555:555:Russian hybrid IRC server:/nonexistent:/bin/sh
 messagebus:*:556:556:D-BUS Daemon User:/nonexistent:/sbin/nologin
 bopm:*:717:717:Blitzed Open Proxy Monitor:/nonexistent:/bin/sh
 bacula:*:910:910:Bacula Daemon:/var/db/bacula:/sbin/nologin</programlisting>
 
 	<para>This is the current list of reserved GIDs.</para>
 
 	<!-- Please keep this list sorted by uid -->
 	<!-- XXX incomplete! -->
 	<programlisting>bind:*:53:
 rdfdb:*:55:
 cyrus:*:60:
 proxy:*:62:
 authpf:*:63:
 uucp:*:66:
 dialer:*:68:
 network:*:69:
 pgsql:*:70:
 www:*:80:
 qnofiles:*:81:
 qmail:*:82:
 mailman:*:91:
 dcc:*:112:
 postfix:*:125:
 maildrop:*:126:
 rbldns:*:153:
 moinmoin:*:192:
 courier:*:465:
 qtss:*:554:
 ircdru:*:555:
 messagebus:*:556:
 realtime:*:557:
 bopm:*:717:</programlisting>
 
 	<para>Please include a notice when you submit a port (or an upgrade)
 	  that reserves a new UID or GID in this range.  This allows us to
 	  keep the list of reserved IDs up to date.</para>
       </sect1>
 
       <sect1 id="dads-rational">
 	<title>Do things rationally</title>
 
 	<para>The <filename>Makefile</filename> should do things simply and
 	  reasonably.  If you can make it a couple of lines shorter or more
 	  readable, then do so.  Examples include using a make
 	  <literal>.if</literal> construct instead of a shell
 	  <literal>if</literal> construct, not redefining
 	  <maketarget>do-extract</maketarget> if you can redefine
 	  <makevar>EXTRACT*</makevar> instead, and using
 	  <makevar>GNU_CONFIGURE</makevar> instead of <literal>CONFIGURE_ARGS
 	    += --prefix=&dollar;{PREFIX}</literal>.</para>
 
 	<para>If you find yourself having to write a lot
 	  of new code to try to do something, please go back and review
 	  <filename>bsd.port.mk</filename> to see if it contains an
 	  existing implementation of what you are trying to do.  While
 	  hard to read, there are a great many seemingly-hard problems for
 	  which <filename>bsd.port.mk</filename> already provides a
 	  shorthand solution.</para>
       </sect1>
 
       <sect1 id="dads-cc">
 	<title>Respect both <makevar>CC</makevar> and
 	  <makevar>CXX</makevar></title>
 
 	<para>The port should respect both <makevar>CC</makevar>
 	  and <makevar>CXX</makevar> variables.  What we mean by this
 	  is that the port should not set the values of these variables
 	  absolutely, overriding existing values; instead, it should append
 	  whatever values it needs to the existing values.  This is so that
 	  build options that affect all ports can be set globally.</para>
 
 	<para>If the port does not respect these variables,
 	  please add <literal>NO_PACKAGE=ignores either cc or
 	  cxx</literal> to the <filename>Makefile</filename>.</para>
 
 	<para>An example of a <filename>Makefile</filename> respecting
 	  both <makevar>CC</makevar> and <makevar>CXX</makevar>
 	  variables follows.  Note the <makevar>?=</makevar>:</para>
 
 	<programlisting>CC ?= gcc</programlisting>
 	<programlisting>CXX ?= g++</programlisting>
 
 	<para>Here is an example which respects neither
 	  <makevar>CC</makevar> nor <makevar>CXX</makevar>
 	  variables:</para>
 
 	<programlisting>CC = gcc</programlisting>
 	<programlisting>CXX = g++</programlisting>
 
 	<para>Both <makevar>CC</makevar> and <makevar>CFLAGS</makevar>
 	  variables can be defined on FreeBSD systems in
 	  <filename>/etc/make.conf</filename>.  The first example
 	  defines a value if it was not previously set in
 	  <filename>/etc/make.conf</filename>, preserving any
 	  system-wide definitions.  The second example clobbers
 	  anything previously defined.</para>
       </sect1>
 
       <sect1 id="dads-cflags">
 	<title>Respect <makevar>CFLAGS</makevar></title>
 
 	<para>The port should respect the <makevar>CFLAGS</makevar> variable.
 	  What we mean by this is that the port should not set the value of
 	  this variable absolutely, overriding the existing value; instead,
 	  it should append whatever values it needs to the existing value.
 	  This is so that build options that affect all ports can be set
 	  globally.</para>
 
 	<para>If it does not, please add <literal>NO_PACKAGE=ignores
 	    cflags</literal> to the <filename>Makefile</filename>.</para>
 
 	<para>An example of a <filename>Makefile</filename> respecting
 	  the <makevar>CFLAGS</makevar> variable follows.  Note the
 	  <makevar>+=</makevar>:</para>
 
 	<programlisting>CFLAGS += -Wall -Werror</programlisting>
 
 	<para>Here is an example which does not respect the
 	  <makevar>CFLAGS</makevar> variable:</para>
 
 	<programlisting>CFLAGS = -Wall -Werror</programlisting>
 
 	<para>The <makevar>CFLAGS</makevar> variable is defined on
 	  FreeBSD systems in <filename>/etc/make.conf</filename>.  The
 	  first example appends additional flags to the
 	  <makevar>CFLAGS</makevar> variable, preserving any system-wide
 	  definitions.  The second example clobbers anything previously
 	  defined.</para>
 
 	<para>You should remove optimization flags from the third party
 	  <filename>Makefile</filename>s.  System <makevar>CFLAGS</makevar>
 	  contains system-wide optimization flags.  An example from
 	  an unmodified <filename>Makefile</filename>:</para>
 
 	<programlisting>CFLAGS = -O3 -funroll-loops -DHAVE_SOUND</programlisting>
 
 	<para>Using system optimization flags, the
 	  <filename>Makefile</filename> would look similar to the
 	  following example:</para>
 
 	<programlisting>CFLAGS += -DHAVE_SOUND</programlisting>
 
       </sect1>
 
       <sect1 id="dads-config">
 	<title>Configuration files</title>
 
 	<para>If your port requires some configuration files in
 	  <filename><makevar>PREFIX</makevar>/etc</filename>, do
 	  <emphasis>not</emphasis> just install them and list them in
 	  <filename>pkg-plist</filename>.  That will cause
 	  &man.pkg.delete.1; to delete files carefully edited by
 	  the user and a new installation to wipe them out.</para>
 
 	<para>Instead, install sample files with a suffix
 	  (<filename><replaceable>filename</replaceable>.sample</filename>
 	  will work well) and print out a <link
 	    linkend="porting-message">message</link> pointing out that the
 	  user has to copy and edit the file before the software can be made
 	  to work.</para>
       </sect1>
 
       <sect1 id="dads-freedback">
 	<title>Feedback</title>
 
 	<para>Do send applicable changes/patches to the original
 	  author/maintainer for inclusion in next release of the code.  This
 	  will only make your job that much easier for the next
 	  release.</para>
       </sect1>
 
       <sect1 id="dads-readme">
 	<title><filename>README.html</filename></title>
 
 	<para>Do not include the <filename>README.html</filename> file.  This
 	  file is not part of the cvs collection but is generated using the
 	  <command>make readme</command> command.
 	</para>
       </sect1>
 
       <sect1 id="dads-broken">
 	<title>Marking a port <makevar>BROKEN</makevar>, <makevar>FORBIDDEN</makevar>, or otherwise</title>
 
 	<para>Invariably there will come a time when a particular port
 	will contain a security vulnerability, will be radically
 	broken and needs many hours of tender loving care, or is
 	generally obsoleted, but for one reason or another should
 	remain in the tree (and get fixed, right?).  To designate a
 	port as broken, there are three <command>make</command>
 	variables that can be used in a port's
 	<filename>Makefile</filename>.  The value of the following
 	<command>make</command> variables will be the reason that is
 	given back to users for why the port was marked as broken.
 	Please use the correct <command>make</command> variable as
 	each make variable conveys radically different meanings to
 	both users, and to automated systems that parse
 	<filename>Makefile</filename>s.</para>
 
 	<itemizedlist>
 	  <listitem>
 	    <para><makevar>BROKEN</makevar> is reserved for ports that
 	      do not work and should not be installed by users.  This
 	      will prevent users from installing the port.</para>
 	  </listitem>
 
 	  <listitem>
 	    <para><makevar>TRYBROKEN</makevar> is used for ports
 	      if you want to attempt a build of a
 	      <makevar>BROKEN</makevar> port.  Ports marked as
 	      <makevar>TRYBROKEN</makevar> will be also built by
 	      <ulink url="http://pointyhat.FreeBSD.org/">the Pointyhat
 	      cluster</ulink>.</para>
 	  </listitem>
 
 	  <listitem>
 	    <para><makevar>FORBIDDEN</makevar> is used for ports that
 	      do contain a security vulnerability or induce grave
 	      concern regarding the security of a FreeBSD system with
 	      a given port installed (ex: a reputably insecure program
 	      or a program that provides easily exploitable services).
 	      Ports should be marked as <makevar>FORBIDDEN</makevar>
 	      as soon as a particular piece of software has a
 	      vulnerability and there is no released upgrade.  Ideally
 	      ports should be upgraded as soon as possible when a
 	      security vulnerability is discovered so as to reduce the
 	      number of vulnerable FreeBSD hosts (we like being known
 	      for being secure), however sometimes there is a
 	      noticeable time gap between disclosure of a
 	      vulnerability and an updated release of the
 	      vulnerable software.  Do not mark a port
 	      <makevar>FORBIDDEN</makevar> for any reason other than
 	      security.</para>
 	  </listitem>
 
 	  <listitem>
 	    <para><makevar>IGNORE</makevar> is reserved for ports that
 	      should not be built for one reason or another.  Users
 	      and <ulink url="http://pointyhat.FreeBSD.org/">the Pointyhat
 	      cluster</ulink> will not, under any
 	      circumstances, build ports marked as
 	      <makevar>IGNORE</makevar>.  If in doubt, do use
 	      <makevar>IGNORE</makevar> to prevent a port from being
 	      built.</para>
 	  </listitem>
 
 	</itemizedlist>
 
 	<para>Do remember that these variables are to be used as a
 	  last resort if a port is not upgradeable.  Permanently
 	  broken ports should be removed from the tree
 	  entirely.</para>
       </sect1>
 
       <sect1 id="dads-workarounds">
 	<title>Necessary workarounds</title>
 
 	<para>Sometimes it is necessary to work around bugs in
 	  software included with older versions of &os;.</para>
 
 	<itemizedlist>
 	  <listitem>
 	    <para>Some versions of &man.make.1; were broken
 	      on at least 4.8 and 5.0 with respect to handling
 	      comparisons based on <makevar>OSVERSION</makevar>.
 	      This would often lead to failures during
 	      <command>make describe</command> (and thus, the overall
 	      ports <command>make index</command>).  The workaround is
 	      to enclose the conditional comparison in spaces, e.g.:
 	      <programlisting>if ( ${OSVERSION} > 500023 )</programlisting>
 	      Be aware that test-installing a port on 4.9 or 5.2
 	      will <emphasis>not</emphasis> detect this problem.</para>
 	  </listitem>
 
 	</itemizedlist>
 
       </sect1>
 
       <sect1 id="dads-misc">
 	<title>Miscellanea</title>
 
 	<para>The files
 	  <filename>pkg-descr</filename> and <filename>pkg-plist</filename>
 	  should each be double-checked.  If you are reviewing a port and feel
 	  they can be worded better, do so.</para>
 
 	<para>Do not copy more copies of the GNU General Public License into
 	  our system, please.</para>
 
 	<para>Please be careful to note any legal issues! Do not let us
 	  illegally distribute software!</para>
       </sect1>
 
       <sect1 id="dads-stuck">
 	<title>If you are stuck&hellip;</title>
 
 	<para>Do look at existing examples and the
 	  <filename>bsd.port.mk</filename> file before asking us questions!
 	  <!-- smiley --><emphasis>;-)</emphasis></para>
 
 	<para>Do ask us questions if you have any trouble! Do not just beat
 	  your head against a wall! <!-- smiley
 	  --><emphasis>:-)</emphasis></para>
       </sect1>
     </chapter>
 
     <chapter id="porting-samplem">
       <title>A Sample <filename>Makefile</filename></title>
 
       <para>Here is a sample <filename>Makefile</filename> that you can use to
 	create a new port.  Make sure you remove all the extra comments (ones
 	between brackets)!</para>
 
       <para>It is recommended that you follow this format (ordering of
 	variables, empty lines between sections, etc.).  This format is
 	designed so that the most important information is easy to locate.  We
 	recommend that you use <link
 	  linkend="porting-portlint">portlint</link> to check the
 	<filename>Makefile</filename>.</para>
 
       <programlisting>[the header...just to make it easier for us to identify the ports.]
 # New ports collection makefile for:   xdvi
 [the "version required" line is only needed when the PORTVERSION
  variable is not specific enough to describe the port.]
 # Date created:                26 May 1995
 [this is the person who did the original port to FreeBSD, in particular, the
 person who wrote the first version of this Makefile.  Remember, this should
 not be changed when upgrading the port later.]
 # Whom:                        Satoshi Asami &lt;asami@FreeBSD.org&gt;
 #
 # &dollar;FreeBSD&dollar;
 [ ^^^^^^^^^ This will be automatically replaced with RCS ID string by CVS
 when it is committed to our repository.  If upgrading a port, do not alter
 this line back to "&dollar;FreeBSD&dollar;".  CVS deals with it automatically.]
 #
 
 [section to describe the port itself and the master site - PORTNAME
  and PORTVERSION are always first, followed by CATEGORIES,
  and then MASTER_SITES, which can be followed by MASTER_SITE_SUBDIR.
  PKGNAMEPREFIX and PKGNAMESUFFIX, if needed, will be after that.
  Then comes DISTNAME, EXTRACT_SUFX and/or DISTFILES, and then
  EXTRACT_ONLY, as necessary.]
 PORTNAME=      xdvi
 PORTVERSION=   18.2
 CATEGORIES=    print
 [do not forget the trailing slash ("/")!
  if you are not using MASTER_SITE_* macros]
 MASTER_SITES=  ${MASTER_SITE_XCONTRIB}
 MASTER_SITE_SUBDIR= applications
 PKGNAMEPREFIX= ja-
 DISTNAME=      xdvi-pl18
 [set this if the source is not in the standard ".tar.gz" form]
 EXTRACT_SUFX=  .tar.Z
 
 [section for distributed patches -- can be empty]
 PATCH_SITES=   ftp://ftp.sra.co.jp/pub/X11/japanese/
 PATCHFILES=    xdvi-18.patch1.gz xdvi-18.patch2.gz
 
 [maintainer; *mandatory*!  This is the person (preferably with commit
  privileges) whom a user can contact for questions and bug reports - this
  person should be the porter or someone who can forward questions to the
  original porter reasonably promptly.  If you really do not want to have
  your address here, set it to "ports@FreeBSD.org".]
 MAINTAINER=    asami@FreeBSD.org
 COMMENT=       A DVI Previewer for the X Window System
 
 [dependencies -- can be empty]
 RUN_DEPENDS=   gs:${PORTSDIR}/print/ghostscript
 LIB_DEPENDS=   Xpm.5:${PORTSDIR}/graphics/xpm
 
 [this section is for other standard bsd.port.mk variables that do not
  belong to any of the above]
 [If it asks questions during configure, build, install...]
 IS_INTERACTIVE=        yes
 [If it extracts to a directory other than ${DISTNAME}...]
 WRKSRC=                ${WRKDIR}/xdvi-new
 [If the distributed patches were not made relative to ${WRKSRC}, you
  may need to tweak this]
 PATCH_DIST_STRIP=      -p1
 [If it requires a "configure" script generated by GNU autoconf to be run]
 GNU_CONFIGURE= yes
 [If it requires GNU make, not /usr/bin/make, to build...]
 USE_GMAKE=     yes
 [If it is an X application and requires "xmkmf -a" to be run...]
 USE_IMAKE=     yes
 [et cetera.]
 
 [non-standard variables to be used in the rules below]
 MY_FAVORITE_RESPONSE=  "yeah, right"
 
 [then the special rules, in the order they are called]
 pre-fetch:
 	i go fetch something, yeah
 
 post-patch:
 	i need to do something after patch, great
 
 pre-install:
 	and then some more stuff before installing, wow
 
 [and then the epilogue]
 .include &lt;bsd.port.mk&gt;</programlisting>
     </chapter>
 
     <chapter id="porting-autoplist">
       <title>Automated package list creation</title>
 
       <para>First, make sure your port is almost complete, with only
 	<filename>pkg-plist</filename> missing.</para>
 
       <para>Next, create a temporary directory tree into which your port can be
 	installed, and install any dependencies.
 	<replaceable>port-type</replaceable> should be <literal>local</literal>
 	for non-X ports and <literal>x11-4</literal> or <literal>x11</literal>
 	for ports which install into the directory hierarchy of XFree86 4
 	or an earlier XFree86 release, respectively.</para>
 
       <screen>&prompt.root; <userinput>mkdir /var/tmp/<replaceable>port-name</replaceable></userinput>
 &prompt.root; <userinput>mtree -U -f /etc/mtree/BSD.<replaceable>port-type</replaceable>.dist -d -e -p /var/tmp/<replaceable>port-name</replaceable></userinput>
 &prompt.root; <userinput>make depends PREFIX=/var/tmp/<replaceable>port-name</replaceable></userinput></screen>
 
       <para>Store the directory structure in a new file.</para>
 
       <screen>&prompt.root; <userinput>(cd /var/tmp/<replaceable>port-name</replaceable> && find -d * -type d) | sort &gt; OLD-DIRS</userinput></screen>
 
       <para>Create an empty <filename>pkg-plist</filename> file:</para>
 
       <screen>&prompt.root; <userinput>touch pkg-plist</userinput></screen>
 
       <para>If your port honors <makevar>PREFIX</makevar> (which it should)
 	you can then install the port and create the package list.</para>
 
       <screen>&prompt.root; <userinput>make install PREFIX=/var/tmp/<replaceable>port-name</replaceable></userinput>
 &prompt.root; <userinput>(cd /var/tmp/<replaceable>port-name</replaceable> && find -d * \! -type d) | sort &gt; pkg-plist</userinput></screen>
 
       <para>You must also add any newly created directories to the packing
 	list.</para>
 
       <screen>&prompt.root; <userinput>(cd /var/tmp/<replaceable>port-name</replaceable> && find -d * -type d) | sort | comm -13 OLD-DIRS - | sort -r | sed -e 's#^#@dirrm #' &gt;&gt; pkg-plist</userinput></screen>
 
       <para>Finally, you need to tidy up the packing list by hand; it is not
 	<emphasis>all</emphasis> automated.  Manual pages should be listed in
 	the port's <filename>Makefile</filename> under
 	<makevar>MAN<replaceable>n</replaceable></makevar>, and not in the
 	package list.  User configuration files should be removed, or
 	installed as
 	<filename><replaceable>filename</replaceable>.sample</filename>.
 	The <filename>info/dir</filename> file should not be listed
 	and appropriate <filename>install-info</filename> lines should
 	be added as noted in the <link linkend="porting-info">info
 	files</link> section.  Any
 	libraries installed by the port should be listed as specified in the
 	<link linkend="porting-shlibs">shared libraries</link> section.</para>
 
       <para>Alternatively, use the <command>plist</command> script in
 	<filename>/usr/ports/Tools/scripts/</filename> to build the
 	package list automatically.  The first step is the same as
 	above: take the first three lines, that is,
 	<command>mkdir</command>, <command>mtree</command> and
 	<command>make depends</command>.  Then build and install the
 	port:</para>
 
       <screen>&prompt.root; <userinput>make install PREFIX=/var/tmp/<replaceable>port-name</replaceable></userinput></screen>
 
       <para>And let <command>plist</command> create the
 	<filename>pkg-plist</filename> file:</para>
 
       <screen>&prompt.root; <userinput>/usr/ports/Tools/scripts/plist -Md -m /etc/mtree/BSD.<replaceable>port-type</replaceable>.dist /var/tmp/<replaceable>port-name</replaceable> &gt; pkg-plist</userinput></screen>
 
       <para>The packing list still have to tidied up the by hand as
         stated above.</para>
 
     </chapter>
 
     <chapter id="keeping-up">
       <title>Keeping Up</title>
 
       <para>The &os; Ports Collection is constantly changing.  Here is
 	some information on how to keep up.</para>
 
       <sect1>
 	<title>FreshPorts</title>
 
 	<para>One of the easiest ways to learn about updates that have
 	  already been committed is by subscribing to
 	  <ulink url="http://www.FreshPorts.org/">FreshPorts</ulink>.
 	  You can select multiple ports to monitor.  Maintainers are
 	  strongly encouraged to subscribe, because they will receive
 	  notification of not only their own changes, but also any
 	  changes that any other &os; committer has made.  (These are
 	  often necessary to keep up with changes in the underlying
 	  ports framework&mdash;although it would be most polite to
 	  receive an advance heads-up from those committing such changes,
 	  sometimes this is overlooked or just simply impractical.
 	  Also, in some cases, the changes are very minor in nature.
 	  We expect everyone to use their best judgement in these
 	  cases.)</para>
 
 	<para>If you wish to use FreshPorts, all you need is an
 	  account.  If your registered email address is
 	  <literal>@FreeBSD.org</literal>, you'll see the opt-in link on the
 	  right hand side of the webpages.
 	  For those of you who already have a FreshPorts account, but are not
 	  using your <literal>@FreeBSD.org</literal> email address,
 	  just change your email to <literal>@FreeBSD.org</literal>, subscribe,
 	  then change it back again.</para>
 
 	<para>FreshPorts also has
 	  a sanity test feature which automatically tests each commit to the
 	  FreeBSD ports tree.  If subscribed to this service, you will be
 	  notified of any errors which FreshPorts detects during sanity
 	  testing of your commits.</para>
       </sect1>
 
       <sect1>
 	<title>The Web Interface to the Source Repository</title>
 
 	<para>It is possible to browse the files in the source repository by
 	  using a web interface.  Changes that affect the entire port system
 	  are now documented in the
 	  <ulink url="http://www.FreeBSD.org/cgi/cvsweb.cgi/ports/CHANGES">
 	  CHANGES</ulink> file.  Changes that affect individual ports
 	  are now documented in the
 	  <ulink url="http://www.FreeBSD.org/cgi/cvsweb.cgi/ports/UPDATING">
 	  UPDATING</ulink> file.  However, the definitive answer to any
 	  question is undoubtedly to read the source code of <ulink
 	  url="http://www.FreeBSD.org/cgi/cvsweb.cgi/ports/Mk/bsd.port.mk">
 	  bsd.port.mk</ulink>, and associated files.</para>
 
       </sect1>
 
       <sect1>
 	<title>The &os; Ports Mailing List</title>
 
 	<para>If you maintain ports, you should consider following the
 	  &a.ports;.  Important changes to the way ports work will be announced
 	  there, and then committed to <filename>CHANGES</filename>.</para>
 
       </sect1>
 
       <sect1>
 	<title>The &os; Port Building Cluster</title>
 
 	  <para>One of the least-publicized strengths of &os; is that
 	    an entire cluster of machines is dedicated to continually
 	    building the Ports Collection, for each of the major OS
 	    releases and for each Tier-1 architecture.  You can find
 	    the results of these builds at
 	    <ulink url="http://pointyhat.FreeBSD.org/">package building logs
 	    and errors</ulink>.</para>
 
       </sect1>
 
       <sect1>
 	<title>The &os; Port Distfile Survey</title>
 
 	  <para>The build cluster is dedicated to building the latest
 	    release of each port with distfiles that have already been
 	    fetched.  However, as the Internet continually changes,
 	    distfiles can quickly go missing.  The <ulink
 	    url="http://people.FreeBSD.org/~fenner/portsurvey/">FreeBSD
 	    Ports distfiles survey</ulink> attempts to query every
 	    download site for every port to find out if each distfile
 	    is still currently available.  Maintainers are asked to
 	    check this report periodically, not only to speed up the
 	    building process for users, but to help avoid wasting
 	    bandwidth of the sites that volunteer to host all these
 	    distfiles.</para>
 
       </sect1>
 
       <sect1>
 
 	<title>The &os; Ports Monitoring System</title>
 
 	<para>Another handy resource is the
 	  <ulink url="http://portsmon.firepipe.net">
 	  FreeBSD Ports Monitoring System</ulink> (also known as
 	  <literal>portsmon</literal>).  This system comprises a
 	  database that processes information from several sources
 	  and allows its to be browsed via a web interface.  Currently,
 	  the ports Problem Reports (PRs), the error logs from
 	  the build cluster, and individual files from the ports
 	  collection are used.  In the future, this will be expanded
 	  to include the distfile survey, as well as other sources.</para>
 
 	<para>To get started, you can view all information about a
 	  particular port by using the
 	  <ulink url="http://portsmon.firepipe.net/portoverview.py">
 	  Overview of One Port</ulink>.</para>
 
       </sect1>
 
     </chapter>
 </book>
 
 <!--
      Local Variables:
      mode: sgml
      sgml-indent-data: t
      sgml-omittag: nil
      sgml-always-quote-attributes: t
      End:
 -->